[Linux Kernel Bug] KASAN: slab-out-of-bounds Write in tomoyo_write_control

From: Sam Sun
Date: Fri Mar 01 2024 - 03:32:58 EST


Dear developers and maintainers,

We found a slab-out-of-bounds bug in the Linux kernel using a
modified Syzkaller. The kernel commit is b401b621758 (Linux
6.8-rc5). The kernel config and a C reproducer are attached to this email.

The KASAN report is listed below.
```
==================================================================
BUG: KASAN: slab-out-of-bounds in tomoyo_write_control+0x10cd/0x1310
security/tomoyo/common.c:2685
Write of size 1 at addr ffff88811277fc2e by task syz-executor287/8111

CPU: 0 PID: 8111 Comm: syz-executor287 Not tainted 6.7.0-rc7 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xc1/0x5e0 mm/kasan/report.c:475
kasan_report+0xbe/0xf0 mm/kasan/report.c:588
tomoyo_write_control+0x10cd/0x1310 security/tomoyo/common.c:2685
do_loop_readv_writev fs/read_write.c:758 [inline]
do_loop_readv_writev fs/read_write.c:743 [inline]
do_iter_write+0x556/0x7d0 fs/read_write.c:862
vfs_writev+0x1dd/0x6c0 fs/read_write.c:933
do_pwritev fs/read_write.c:1030 [inline]
__do_sys_pwritev fs/read_write.c:1077 [inline]
__se_sys_pwritev fs/read_write.c:1072 [inline]
__x64_sys_pwritev+0x226/0x300 fs/read_write.c:1072
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fd021d334ed
Code: c3 e8 37 20 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd021cbc1b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000128
RAX: ffffffffffffffda RBX: 00007fd021dcf218 RCX: 00007fd021d334ed
RDX: 0000000000000004 RSI: 0000000020000240 RDI: 0000000000000003
RBP: 00007fd021dcf210 R08: 0000000000000008 R09: 00007fd021cbc640
R10: 00000000fffff552 R11: 0000000000000246 R12: 00007fd021d99078
R13: 000000000000006e R14: 00007fd021cfb5f0 R15: 00007fd021c9c000
</TASK>

Allocated by task 1:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
____kasan_kmalloc mm/kasan/common.c:333 [inline]
__kasan_kmalloc+0xa3/0xb0 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:198 [inline]
__do_kmalloc_node mm/slab_common.c:1007 [inline]
__kmalloc+0x5d/0xd0 mm/slab_common.c:1020
kmalloc include/linux/slab.h:604 [inline]
tomoyo_realpath_from_path+0xc3/0x600 security/tomoyo/realpath.c:251
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_number_perm+0x21c/0x550 security/tomoyo/file.c:723
security_file_ioctl+0x54/0xb0 security/security.c:2647
__do_sys_ioctl fs/ioctl.c:865 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0xb7/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

Freed by task 1:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x28/0x40 mm/kasan/generic.c:522
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x134/0x190 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:164 [inline]
__cache_free mm/slab.c:3370 [inline]
__do_kmem_cache_free mm/slab.c:3557 [inline]
__kmem_cache_free+0xcd/0x3c0 mm/slab.c:3564
tomoyo_realpath_from_path+0x190/0x600 security/tomoyo/realpath.c:286
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_number_perm+0x21c/0x550 security/tomoyo/file.c:723
security_file_ioctl+0x54/0xb0 security/security.c:2647
__do_sys_ioctl fs/ioctl.c:865 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0xb7/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

The buggy address belongs to the object at ffff88811277e000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 3118 bytes to the right of
allocated 4096-byte region [ffff88811277e000, ffff88811277f000)

The buggy address belongs to the physical page:
page:ffffea000449df80 refcount:1 mapcount:0 mapping:0000000000000000
index:0x0 pfn:0x11277e
head:ffffea000449df80 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x57ff00000000840(slab|head|node=1|zone=2|lastcpupid=0x7ff)
page_type: 0x1()
raw: 057ff00000000840 ffff888013040900 ffffea00044f4390 ffffea000448c890
raw: 0000000000000000 ffff88811277e000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask
0x242040(__GFP_IO|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 1, tgid
1 (systemd), ts 105574054481, free_ts 105561505627
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2d9/0x350 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1544 [inline]
get_page_from_freelist+0xd38/0x2fa0 mm/page_alloc.c:3312
__alloc_pages+0x21d/0x21f0 mm/page_alloc.c:4568
__alloc_pages_node include/linux/gfp.h:238 [inline]
kmem_getpages mm/slab.c:1356 [inline]
cache_grow_begin+0x9b/0x3c0 mm/slab.c:2550
cache_alloc_refill+0x289/0x3a0 mm/slab.c:2923
____cache_alloc mm/slab.c:2999 [inline]
____cache_alloc mm/slab.c:2982 [inline]
__do_cache_alloc mm/slab.c:3182 [inline]
slab_alloc_node mm/slab.c:3230 [inline]
__kmem_cache_alloc_node+0x39f/0x420 mm/slab.c:3521
__do_kmalloc_node mm/slab_common.c:1006 [inline]
__kmalloc+0x4d/0xd0 mm/slab_common.c:1020
kmalloc include/linux/slab.h:604 [inline]
tomoyo_realpath_from_path+0xc3/0x600 security/tomoyo/realpath.c:251
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_number_perm+0x21c/0x550 security/tomoyo/file.c:723
security_file_ioctl+0x54/0xb0 security/security.c:2647
__do_sys_ioctl fs/ioctl.c:865 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0xb7/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1137 [inline]
free_unref_page_prepare+0x4c5/0xa60 mm/page_alloc.c:2347
free_unref_page+0x33/0x3d0 mm/page_alloc.c:2487
slab_destroy mm/slab.c:1608 [inline]
slabs_destroy+0x85/0xc0 mm/slab.c:1628
cache_flusharray mm/slab.c:3341 [inline]
___cache_free+0x2c5/0x410 mm/slab.c:3404
qlink_free mm/kasan/quarantine.c:168 [inline]
qlist_free_all+0x4f/0x1a0 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x63/0x90 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slab.h:763 [inline]
slab_alloc_node mm/slab.c:3237 [inline]
slab_alloc mm/slab.c:3246 [inline]
__kmem_cache_alloc_lru mm/slab.c:3423 [inline]
kmem_cache_alloc+0x2aa/0x370 mm/slab.c:3432
getname_flags.part.0+0x50/0x4f0 fs/namei.c:140
getname_flags+0x9e/0xe0 include/linux/audit.h:321
vfs_fstatat+0x9a/0x150 fs/stat.c:298
__do_sys_newfstatat+0x8a/0x110 fs/stat.c:463
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

Memory state around the buggy address:
ffff88811277fb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88811277fb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88811277fc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88811277fc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88811277fd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
```
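We analyzed the cause of this bug. In the function "tomoyo_write_control", if more
than one thread enters the while loop at line 2662 (while (avail_len > 0)), the
kfree at line 2674 in one thread can free the buffer that another thread is
still using through the pointer cp0 (for example at line 2685,
cp0[head->w.avail++]), causing a concurrent use-after-free (UAF).
This may also explain why KASAN attributes the write to an unrelated
kmalloc-4k object from tomoyo_realpath_from_path and labels it
slab-out-of-bounds: the write goes through a stale pointer, not past the
end of a live buffer.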
If you have any questions, please contact us.
Reported by Yue Sun <samsun1006219@xxxxxxxxx>

Best Regards,
Yue

Attachment: config
Description: Binary data

#define _GNU_SOURCE

#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#include <linux/futex.h>

static unsigned long long procid;

/* Suspend the calling thread for roughly `ms` milliseconds using usleep(). */
static void sleep_ms(uint64_t ms)
{
	/* usleep() takes microseconds, so scale the millisecond count. */
	const uint64_t usec = ms * 1000;

	usleep(usec);
}

/*
 * Return the current CLOCK_MONOTONIC reading in milliseconds.
 * The process exits with status 1 if the clock cannot be read.
 */
static uint64_t current_time_ms(void)
{
	struct timespec now;

	if (clock_gettime(CLOCK_MONOTONIC, &now) != 0)
		exit(1);

	/* Whole seconds and the sub-second part are converted separately. */
	const uint64_t from_sec = (uint64_t)now.tv_sec * 1000;
	const uint64_t from_nsec = (uint64_t)now.tv_nsec / 1000000;

	return from_sec + from_nsec;
}

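/*
 * Start a thread running fn(arg) on a 128 KiB stack.
 *
 * Creation is retried up to 100 times, 50 microseconds apart, while
 * pthread_create() reports EAGAIN. Any other failure, or running out of
 * retries, terminates the process with exit(1). The pthread_t handle is
 * discarded, so the thread is never joined by this helper.
 */
static void thread_start(void* (*fn)(void*), void* arg)
{
	pthread_t th;
	pthread_attr_t attr;

	pthread_attr_init(&attr);
	pthread_attr_setstacksize(&attr, 128 << 10);
	for (int i = 0; i < 100; i++) {
		/*
		 * pthread_create() returns the error number; POSIX does not
		 * require it to set errno, so test the return value directly.
		 */
		int rc = pthread_create(&th, &attr, fn, arg);

		if (rc == 0) {
			pthread_attr_destroy(&attr);
			return;
		}
		if (rc != EAGAIN)
			break;
		usleep(50);
	}
	pthread_attr_destroy(&attr);
	exit(1);
}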

/*
 * Simple event flag used to hand work between threads.
 * The helpers below store 0 or 1 in `state` and use it as the futex word
 * for FUTEX_WAIT / FUTEX_WAKE.
 */
typedef struct {
int state; /* 0 = not set, 1 = set */
} event_t;

/* Put a freshly created event into the "not set" state. */
static void event_init(event_t* ev)
{
	int* const flag = &ev->state;

	*flag = 0;
}

/* Clear the event so it can be signalled again (plain, non-atomic store). */
static void event_reset(event_t* ev)
{
	(*ev).state = 0;
}

/*
 * Signal the event and wake threads blocked on it.
 * Setting an event that is already set terminates the process with exit(1).
 */
static void event_set(event_t* ev)
{
	int* const flag = &ev->state;

	if (*flag != 0)
		exit(1);

	/* Release store pairs with the acquire loads in the wait helpers. */
	__atomic_store_n(flag, 1, __ATOMIC_RELEASE);

	/* Wake up to 1000000 waiters sleeping in FUTEX_WAIT on the flag. */
	syscall(SYS_futex, flag, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
}

/* Block, without a timeout, until the event has been set. */
static void event_wait(event_t* ev)
{
	for (;;) {
		if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
			return;
		/* Sleep only while the futex word still reads 0. */
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
	}
}

/* Return the current value of the event flag (non-zero when set). */
static int event_isset(event_t* ev)
{
	const int snapshot = __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);

	return snapshot;
}

/*
 * Wait for the event for at most `timeout` milliseconds.
 * Returns 1 if the event was observed set, 0 once the timeout has elapsed.
 */
static int event_timedwait(event_t* ev, uint64_t timeout)
{
	const uint64_t begin = current_time_ms();
	uint64_t elapsed = 0;

	do {
		/* Sleep for whatever is left of the budget, as a relative timespec. */
		const uint64_t left = timeout - elapsed;
		struct timespec ts = {
			.tv_sec = left / 1000,
			.tv_nsec = (left % 1000) * 1000 * 1000,
		};

		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
		if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
			return 1;
		elapsed = current_time_ms() - begin;
	} while (elapsed <= timeout);

	return 0;
}

/*
 * Format a printf-style message (truncated to 1023 bytes) and write it to an
 * existing file in a single write() call.
 *
 * Returns true only if the file could be opened write-only and the whole
 * message was written. When the write fails or is short, errno from write()
 * is preserved across the close().
 */
static bool write_file(const char* file, const char* what, ...)
{
	char text[1024];
	va_list ap;

	va_start(ap, what);
	vsnprintf(text, sizeof(text), what, ap);
	va_end(ap);
	text[sizeof(text) - 1] = 0;

	const int want = strlen(text);
	const int fd = open(file, O_WRONLY | O_CLOEXEC);

	if (fd == -1)
		return false;

	const bool complete = write(fd, text, want) == want;
	const int saved_errno = errno;

	close(fd);
	if (!complete)
		errno = saved_errno;
	return complete;
}

/*
 * Kill the child `pid` (and its process group) and reap it.
 *
 * The exit status of whichever waitpid() call reaps the child is stored in
 * *status. If the child is not reaped within about 100 ms, every entry under
 * /sys/fs/fuse/connections gets a write to its "abort" file before the final
 * blocking wait (presumably so a child stuck on a FUSE request can exit;
 * the file itself does not say).
 */
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);

	/* Poll for the child: 100 attempts, 1 ms apart. */
	int attempt = 0;
	while (attempt < 100) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
		attempt++;
	}

	DIR* conns = opendir("/sys/fs/fuse/connections");
	if (conns != NULL) {
		struct dirent* entry;

		while ((entry = readdir(conns)) != NULL) {
			const char* name = entry->d_name;

			if (!strcmp(name, ".") || !strcmp(name, ".."))
				continue;

			char path[300];
			snprintf(path, sizeof(path), "/sys/fs/fuse/connections/%s/abort",
				 name);

			int fd = open(path, O_WRONLY);
			if (fd == -1)
				continue;
			/* Best effort: a failed write is deliberately ignored. */
			if (write(fd, path, 1) < 0) {
			}
			close(fd);
		}
		closedir(conns);
	}

	/* Block until this particular child has been reaped. */
	while (waitpid(-1, status, __WALL) != pid) {
	}
}

/*
 * Per-iteration child setup: request SIGKILL when the parent dies, move into
 * a new process group, and write 1000 to the child's own oom_score_adj.
 */
static void setup_test()
{
	static const char oom_knob[] = "/proc/self/oom_score_adj";

	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	/* The result is not checked; a failed write is ignored. */
	write_file(oom_knob, "1000");
}

/* Bookkeeping for one worker thread that runs the reproducer's calls. */
struct thread_t {
/* created: non-zero once the worker has been started; call: index passed to execute_call(). */
int created, call;
/* ready: set to hand the worker a call; done: set by the worker when the call returns. */
event_t ready, done;
};

/* Fixed pool of 16 worker slots; execute_one() starts each worker on first use. */
static struct thread_t threads[16];
static void execute_call(int call);
/* Number of calls handed to workers that have not returned yet. */
static int running;

/*
 * Worker thread body. `arg` is the worker's struct thread_t slot.
 * Loops forever: wait for `ready`, run the requested call, decrement the
 * global `running` counter, then signal `done`.
 */
static void* thr(void* arg)
{
	struct thread_t* const self = arg;

	while (1) {
		event_wait(&self->ready);
		event_reset(&self->ready);
		execute_call(self->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&self->done);
	}
	return 0;
}

/*
 * Issue calls 0, 1 and 2 once each, in order, on the worker pool.
 *
 * Each call goes to the first worker whose `done` event is set, and the
 * caller then waits at most 50 ms for it. A call that has not returned by
 * then keeps running on its worker while the next call is handed to another
 * worker, so consecutive calls can execute concurrently.
 */
static void execute_one(void)
{
	const int nthreads = (int)(sizeof(threads) / sizeof(threads[0]));

	for (int call = 0; call < 3; call++) {
		for (int slot = 0; slot < nthreads; slot++) {
			struct thread_t* worker = &threads[slot];

			/* Start the worker on first use; it begins idle (done set). */
			if (!worker->created) {
				worker->created = 1;
				event_init(&worker->ready);
				event_init(&worker->done);
				event_set(&worker->done);
				thread_start(thr, worker);
			}

			/* An idle worker takes the call; a busy one is skipped. */
			if (event_isset(&worker->done)) {
				event_reset(&worker->done);
				worker->call = call;
				__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
				event_set(&worker->ready);
				event_timedwait(&worker->done, 50);
				break;
			}
		}
	}

	/* Give calls still in flight up to about 100 ms to finish. */
	int spins = 0;
	while (spins < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED)) {
		sleep_ms(1);
		spins++;
	}
}

/* Repeated declaration; execute_one() is already defined earlier in this file. */
static void execute_one(void);

/* Option bits added to WNOHANG when loop() polls for its child. */
#define WAIT_FLAGS __WALL

/*
 * Run the reproducer forever, one forked child per iteration.
 *
 * The child performs setup_test() and execute_one() and then exits. The
 * parent polls for it every millisecond and, once 5000 ms have passed,
 * kills and reaps it with kill_and_wait(). A failed fork() ends the process
 * with exit(1).
 */
static void loop(void)
{
	for (int iter = 0;; iter++) {
		const int child = fork();

		if (child < 0)
			exit(1);
		if (child == 0) {
			setup_test();
			execute_one();
			exit(0);
		}

		int status = 0;
		const uint64_t began = current_time_ms();

		for (;;) {
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == child)
				break;
			sleep_ms(1);
			if (current_time_ms() - began >= 5000) {
				kill_and_wait(child, &status);
				break;
			}
		}
	}
}

/* r[0] holds the fd returned by the openat() in call 0; it stays all-ones until that call succeeds. */
uint64_t r[1] = {0xffffffffffffffff};

/*
 * Run one step of the reproducer, selected by `call`:
 *   0 - openat() /sys/kernel/security/tomoyo/manager and keep the fd in r[0]
 *   1 - write() 0xfc2e bytes to that fd, starting at 0x20000040
 *   2 - pwritev() a 4-entry iovec array to that fd
 * Every address is a fixed location inside the region main() maps at
 * 0x20000000. The results of calls 1 and 2 are ignored. Any other value of
 * `call` does nothing.
 * execute_one() gives each step to a worker thread and waits at most 50 ms
 * for it, so steps 1 and 2 may run concurrently on the same fd.
 */
void execute_call(int call)
{
intptr_t res = 0;
switch (call) {
case 0:
/* 36 bytes: the 35-character path plus its terminating NUL. */
memcpy((void*)0x20000000, "/sys/kernel/security/tomoyo/manager\000", 36);
/* fd 0xffffffffffffff9c is -100 (AT_FDCWD); flags=1 is O_WRONLY on Linux. */
res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
/*file=*/0x20000000ul, /*flags=*/1ul, /*mode=*/0ul);
if (res != -1)
r[0] = res;
break;
case 1:
/* Only "1\0" is stored here, but the write length is 0xfc2e: the rest is taken from the bytes that follow in the mapping. */
memcpy((void*)0x20000040, "1\000", 2);
syscall(__NR_write, /*fd=*/r[0], /*val=*/0x20000040ul, /*len=*/0xfc2eul);
break;
case 2:
/* iovec[0].iov_base: the 4096-byte buffer filled in below. */
*(uint64_t*)0x20000240 = 0x20001ec0;
/* 4096 bytes of fuzzer-generated data; the report does not analyse their content. */
memcpy(
(void*)0x20001ec0,
"\x0a\x22\xb9\xbf\x9e\x7e\x57\x9b\x6d\x87\x62\xce\xdb\x91\xbb\x87\xf2"
"\x06\xfd\x64\xc4\x84\x69\x48\xa3\x4f\x83\xe9\xd5\x4c\x3a\x16\xb3\xe3"
"\xa9\x09\xa7\x02\x62\xdf\x28\xd7\x08\x1d\x53\x4e\xcb\xbc\xce\x86\x07"
"\x08\xe2\xdf\x0a\xdf\xcc\xdc\xe0\xf0\x84\xc8\x38\xd8\xd4\x35\xba\x39"
"\x68\xa7\xde\x55\xeb\xae\x55\x33\x52\xcd\xf7\xbe\x1c\x1f\xa9\xc5\x08"
"\x9d\x60\x42\x1a\x59\xf8\xec\x30\x5d\x68\x8a\x76\xfd\xb4\x22\xc1\x65"
"\x72\x78\x24\x55\x2e\x24\x98\x44\xf5\xb8\xd2\x06\x3c\xe8\x86\xe5\xa6"
"\x96\x7b\x6d\x1c\x82\xed\x97\x67\x95\xe9\x19\xbe\xcc\xb3\x89\x22\x8f"
"\x65\x24\x8d\xff\x1c\x7a\xe1\x26\x43\xa8\x8d\x46\x64\xd3\x99\x99\x36"
"\x11\x8b\x9b\x13\x3c\x38\xf2\xf1\x89\x4d\x04\xa8\x46\x54\x82\x7d\x6c"
"\xcc\x8f\xe4\xa9\x27\x52\x70\x38\x1c\xfb\x99\x12\x16\x74\x57\x01\x4a"
"\xe5\x9c\x23\x1f\xff\x09\x69\x7a\x96\xd5\xea\xd3\xdd\x9a\x3c\x90\x23"
"\xbb\xe3\xb3\x02\x78\x8a\xaa\x4e\xf1\x27\x53\x9e\x02\x6c\x62\x02\xf7"
"\xdc\x94\xa3\x0b\xbd\xd8\x71\x2c\xef\x4c\xe1\x94\xf6\xd0\xbe\xd7\x25"
"\xdc\x18\x8d\x69\x9a\x33\x1c\x7d\x44\x73\x3e\xa4\x1b\xc1\x80\xe2\xc0"
"\xc5\xa3\xcb\x24\xf7\x3f\x17\x4f\x04\x28\xde\x24\xb4\x23\x05\x23\xd8"
"\x29\x68\xb4\xb6\x7b\x51\xd3\x67\x2f\x38\xf0\x84\xe6\xab\xfb\x7c\xe1"
"\x6b\x41\xbf\x83\x82\x79\xb6\xd9\x7f\x30\xf6\x02\x50\x10\x46\x51\x12"
"\x07\xe6\x82\x82\x58\xb7\x5e\xbe\x4e\xd2\x65\x2a\x5e\x25\xe8\xf4\xc0"
"\x73\x44\x72\xbf\xe6\xa1\x09\xda\x77\x55\xfb\x53\x66\x67\x8d\xc1\x58"
"\xa3\xbb\x8c\x4e\x03\xf4\xbc\xb4\x61\x12\x0a\xfc\x7f\x84\xf4\x87\x38"
"\xac\xa3\x85\xf5\xd9\x59\xc5\x97\x0c\x07\xb8\xc3\x89\xda\xfd\x52\x04"
"\x20\xc5\x96\x93\xf0\x09\xbd\x0b\xf4\x69\xd6\x53\x58\x1d\x63\x80\xf7"
"\xf3\xcb\x41\x17\x93\x6b\x9e\x35\x4c\xb8\x3b\xc0\xe0\x73\xd6\xfe\x10"
"\x62\xc8\xdd\xcb\x30\xd7\xce\xc4\xb7\x92\xd5\xab\xe6\x4e\x70\x69\xb7"
"\xa2\xe7\x8c\x00\xd5\x7a\xe5\x6c\x53\x6e\xb1\x80\x20\x5f\xfe\x25\x2b"
"\x82\x82\x4f\x54\xd1\x6d\x66\x74\x79\x0c\xf3\x1a\x40\x4d\x61\x2f\x0c"
"\x62\x65\xf6\xaa\x44\x52\x8b\xad\xae\x6f\xc3\x71\x7b\x34\x0b\x37\x37"
"\xde\x66\x6a\x06\xc9\x31\x0b\x2f\x17\x3e\x83\x4d\x61\x40\x81\x82\xad"
"\x1a\xe3\x25\x23\x9a\x04\x51\x9e\xb0\xe1\xe5\xb6\x1f\x6b\x73\xd6\xf2"
"\x93\x21\xe3\x52\x17\xd3\x2a\xee\xde\xe8\x9d\x62\x03\xde\xa4\x42\xae"
"\xdd\x54\xed\x67\x5a\xdd\x6f\xd6\xeb\x12\x32\xff\x62\x98\xd9\x7d\x5d"
"\xdb\x2a\x87\x9f\xa4\xa8\x60\xb8\x57\xb4\xa8\x46\x4a\xcf\xba\xd7\xc9"
"\xa9\xb3\xd2\xb4\x0a\xae\xb6\x4d\x8d\x8e\x1e\xc0\xc2\x16\x57\x77\x9c"
"\xb1\xdf\xa5\x3a\x0b\xde\x66\xc7\x33\xcc\x2d\xc0\xe0\xc8\xf4\xe7\xc5"
"\xdd\xea\x1c\x6a\xaa\xbf\x22\x89\x3d\x3f\x00\xdd\x5d\x88\x20\x4d\x5f"
"\xd7\xfb\x56\xf9\xd5\x66\xc2\x97\x46\x1c\x9a\xfd\x03\x7c\xe8\xb8\x0b"
"\xa2\xf5\x46\xd4\x79\xc3\x2f\x11\xd2\x22\xbb\x9c\x6d\x92\x81\x00\xb4"
"\xe4\x49\x9c\x9e\xb0\x44\x57\x88\xc7\xc2\xf0\xdd\x5c\x3b\xfc\x6e\x60"
"\xc3\xd0\xac\x31\x9b\x5b\xa4\x77\x09\x82\x72\x75\x28\x88\x52\x2c\xea"
"\xbf\xb7\xfb\x30\x98\x28\x95\xea\xe3\x60\x58\xde\x49\x47\x91\x8b\xc2"
"\xaf\x8f\x18\xe9\x68\x5f\xf1\xe2\x20\x75\x30\x16\xf2\x99\x84\x53\x53"
"\x4f\x1a\xc6\x45\x0c\xa3\x74\xa3\x5c\x00\xf2\x9a\xb1\xbc\xbb\x7e\xb2"
"\xf9\xfa\xcc\x8c\x93\x5d\x11\x57\x61\x37\x92\x53\xd7\xa0\xc2\x0b\x54"
"\xb1\xbf\x8c\xad\xaf\x56\x78\x70\x02\xb0\xd7\xb9\x5f\xed\xdc\x95\xbe"
"\xe6\x0d\xd4\xae\x71\x9f\xad\x98\xf2\x32\x5e\x51\x82\xae\x4f\x1d\xfe"
"\x44\x04\x5a\x00\x4e\xb0\xe5\x40\x63\x36\xe9\xe7\x48\xa0\x02\xc4\x41"
"\xb8\x47\xcf\x84\x3c\x44\xb0\x4d\x70\x27\xa2\x56\xbb\x45\x4c\xdc\xf5"
"\xe8\x85\x78\x79\xc7\xf8\x46\x63\x24\xb9\xb7\x9f\x23\xdf\x72\xc5\x94"
"\xa1\x1b\xdf\xc1\x01\xec\x43\xad\x1e\x4b\x65\x43\x9d\xda\xa3\xc0\x12"
"\xd0\xcd\x5d\xea\xae\x49\x83\x81\x89\xb4\xae\xee\x85\x83\x93\x18\xdf"
"\x04\xf4\x3a\x20\x93\x89\xe4\xd6\xad\x42\x62\xd9\x07\xc6\x3c\xd7\xc8"
"\xb1\xaa\x63\x85\x32\xc6\xea\xa9\x43\x41\x98\x7b\x68\x44\x3b\x6c\x3b"
"\x85\x58\xcf\xc6\x04\x6f\xc5\x7f\x22\x18\x74\xce\xa3\x53\x15\x03\x58"
"\x6b\x43\x07\xea\x71\x15\x6e\xb6\xae\xb0\xb7\xb0\x51\xa0\xae\xbc\x55"
"\x01\xcd\xaa\x24\x86\x96\xaf\x0a\xde\x97\x43\xcb\x18\xe3\x14\xa0\x2f"
"\xde\x7b\x6b\x5c\x43\xa3\x24\x14\x6f\xd8\xe8\x90\x8a\xec\xcc\x87\x64"
"\x1b\x74\x27\x25\xf1\x21\x23\x7b\xbd\x1e\xc7\x34\x37\xb7\x2f\x17\x43"
"\x5c\x0d\x26\xba\xaf\xe3\xf6\xcd\xc0\xc0\x80\xe9\x8e\x7d\xfd\xd2\x11"
"\x1d\x97\x2f\x19\x44\xcf\x1e\xf1\xcb\x38\x35\xa3\xb5\x9f\x7d\x8d\x3c"
"\x2b\x7f\x83\x43\x40\x84\x01\x5e\xbf\x72\x19\x8f\x5c\x46\x7a\xdc\x6b"
"\x39\xcb\x7a\x27\x1d\x22\x1f\xcd\xf7\xf1\x58\x8a\xd3\x04\xfe\xa4\xee"
"\x6c\xaa\x78\xd4\x0c\x42\xcb\x26\x8d\xc4\x65\xf5\x4a\xad\x97\xac\x08"
"\x94\x43\xf4\x7d\xf4\x00\xb6\x2c\x81\x7c\x5e\xda\x34\x21\xaf\x52\xa5"
"\x27\xf3\xb4\x8f\xb8\x4a\x45\xa8\xa3\xa6\x3c\x65\xba\x06\x04\x95\x60"
"\x99\xf3\xba\x8f\xa2\xe7\xa2\x63\x18\x91\x22\x57\xd7\xbf\xbe\xf6\xd8"
"\xe5\xfb\xbc\x3b\xd3\x4c\xab\x87\x60\x2e\xf6\x5d\xcb\xda\x71\xfa\x73"
"\xbc\x73\xcb\x25\x33\xc6\x88\x47\x6e\x86\xc0\xbf\xb4\x31\x4e\xdc\x7c"
"\x70\x11\x62\xba\x3a\xda\x0d\x35\x78\xfd\x18\x62\x25\x1b\x17\xef\x76"
"\xe9\x3b\xa6\x5c\x54\x22\x30\x88\x95\x7a\x90\x11\x7f\x83\xf9\x4f\x0f"
"\x37\xd1\x0a\x3a\xb7\x9e\xd5\x4e\x7e\xa3\x97\x7d\x8d\x3b\xbc\x18\x67"
"\x14\x23\x56\xe7\x63\x87\x74\x0d\x92\xff\xe4\xa2\xa2\x14\x3a\x0d\x76"
"\x95\xa1\x13\xb2\x79\xdd\xa1\x28\x90\x58\x91\xf3\x32\x80\x32\xa0\x00"
"\x28\x4a\x86\xf9\x47\xad\xbd\x90\x0d\x3f\x1e\x7c\x18\x80\x54\xce\xc7"
"\x88\xb4\x96\xee\x7d\x9f\xc0\x52\x08\xbd\x2e\xe1\xad\x5e\x29\x2f\x6d"
"\x6d\xc2\x0f\x39\x9c\xb7\x44\x46\x79\x1d\x64\x1f\x63\x6c\x9a\xae\x26"
"\x64\xc0\x6a\x67\xa4\x98\x63\x4b\xa6\x50\xfe\xdb\x3f\xec\x5e\x64\x44"
"\xca\x2b\xae\x9b\x9d\x4d\x39\x11\x67\x7b\x44\xab\xd9\xee\xca\x43\xb0"
"\x91\xe1\x4d\xd4\xd4\xff\xdc\x7c\xe3\x49\x43\x18\xef\x45\x7a\x24\x40"
"\x66\xa5\x9b\x56\xb4\x87\x53\x8d\xcc\x43\x87\xb2\x8c\xf4\xad\x5d\x01"
"\xfb\x9f\x64\xb7\x3f\x8f\x04\xa4\x96\x80\x3b\xfb\x4b\xc7\xda\xb2\x07"
"\xff\x47\x8b\xad\xc2\x01\x38\x24\x11\x68\xae\x21\x9c\xdb\x1a\xbe\x44"
"\x89\xcb\x3b\x1f\x72\xbd\x33\xf3\x28\x62\xf2\x38\x15\x13\xa9\xf5\x37"
"\xb8\x6c\xc0\x3b\x4d\xd6\x1c\x43\x8d\xba\x62\xb5\xa7\x3a\xa9\xc7\xa3"
"\x74\xb7\x75\x86\x73\xf2\x7a\x30\x14\xeb\xc3\xad\x03\x41\xfb\xd8\xf1"
"\x63\x2d\xe9\xc4\xa7\xba\x66\xce\x63\x39\x3b\xa2\xe1\x4d\xe1\xe4\xfe"
"\x59\xba\x53\x93\xef\x66\x8d\x5b\xd2\x12\xbc\x76\x81\x82\x76\xdd\xac"
"\xf0\xf9\xf9\x03\x2a\xc6\x60\x7b\xd3\xce\xd7\xad\x54\x4d\x77\xc0\x40"
"\x3d\x80\x4a\x56\xf4\x12\x58\x09\x6d\xcc\xc4\xcc\x78\x8b\x4f\xf9\xa5"
"\x6f\xed\xca\xa9\x12\xbc\x7b\x61\xe4\x23\x43\x76\xe8\x5b\x87\x3f\x3f"
"\xdd\xf6\x6a\x45\x9f\x35\x50\x11\xf2\xb6\x79\x83\xe2\x7a\x08\x4e\xb5"
"\x04\x1c\xcc\xee\xd1\xdf\x83\x5d\x2a\x8d\xbe\x94\xfe\xde\xd8\xf7\xf1"
"\xca\x88\xd4\xda\x3f\x8c\x29\xed\x37\x72\xd7\x62\xf7\xb4\x13\x84\x55"
"\x66\xee\xa6\x6b\xb9\x65\x82\x70\xc9\x96\x93\x88\x08\xe7\x15\x85\xf3"
"\x93\x87\xae\x0e\x95\x55\xe9\x6b\xfa\xe1\x1b\x55\x35\x87\x75\x94\x68"
"\x10\x84\x96\x66\x8e\xea\x2a\x08\x2c\x4a\xd1\xc3\xdd\x0c\x78\xf0\x9e"
"\x86\xfd\xfd\x23\x2a\x59\x1f\x61\xeb\x10\x5c\xa6\x34\x17\x42\x02\xd0"
"\x29\x1e\x14\x83\x9e\x1b\x8b\x0c\x29\x10\x0c\x9d\x8e\x46\x54\xee\xcb"
"\x86\x54\xf2\xc9\xe4\xd7\xb3\x7e\xa1\xbf\x0f\xfa\xcc\x59\x08\x27\xe9"
"\x37\x6f\x99\x42\xb7\xac\xb0\x51\x65\x3d\x0d\x08\xdc\x9b\xef\x39\x80"
"\xed\xb9\x5f\x19\x2c\xb0\x57\x34\x37\x18\x81\x23\x47\xf7\xfb\x8b\x7b"
"\xd8\x05\x90\x01\x56\xca\x12\x3d\x8e\x21\x2f\x13\x88\xdd\x0a\x1c\xb7"
"\x4a\x05\x41\xb4\xc1\xe5\xc3\x59\x35\x43\x0d\x2f\x33\xf5\x4d\x9c\x10"
"\x72\x79\x40\x68\x8a\xea\x86\x15\xad\x22\xaa\x53\x1d\x65\xb0\x32\xfb"
"\x1b\x4b\xb6\xc3\x54\x0d\x74\x7e\x25\x84\xbb\x3b\xb6\xb4\x31\xab\x4e"
"\xc7\xa0\x75\x5f\x24\xa2\xcd\xfb\xe5\xde\x73\x52\xad\xba\x66\xc2\xf6"
"\xde\xb3\x45\xe9\xe8\x36\xb2\xde\x4d\xaf\xcf\xe0\x98\x06\xd1\xf0\xb2"
"\x3d\x79\x29\x5e\xed\xb6\x82\x26\x71\x65\x9b\x35\x2a\x9f\xf1\x8a\x71"
"\xce\x6b\xb1\x64\x33\xd0\x80\x5c\x6e\x6a\x13\xd7\x8a\x42\x3b\x0d\xcb"
"\x03\x23\x7e\xb4\xaa\xd7\xe1\x9a\xf0\x1d\x64\x5b\x10\xbc\x7e\x03\x03"
"\x92\x54\xda\xb7\xcb\xc3\x36\x96\xc9\x24\x10\x88\xc2\xf7\x96\xaf\x30"
"\x20\x54\xca\x10\x84\xf3\x0a\x8d\x74\xc7\xf8\xf8\x27\x9d\x76\xdf\x95"
"\x36\xe9\x48\xa3\x73\x28\x34\x5e\x4e\x49\x74\xa1\x71\x60\xc5\xdd\x9f"
"\x1d\x63\x2f\x7c\xfe\xe3\xc6\x65\xfb\xf3\x53\xbd\x2e\x6f\x94\x29\xc2"
"\xca\x62\xd1\xd5\x12\x28\xef\xa2\xc4\x1c\xe3\x4f\x60\x71\xf4\x5e\xdb"
"\x70\x8b\xfc\x65\x85\x3f\x5e\x3c\x45\x12\x9a\x0f\x03\x7b\xff\xa6\x78"
"\x0f\xf2\x5e\xf6\x99\x68\xab\xa3\xfc\x11\xcb\x88\x23\x8f\x82\xa8\x4e"
"\x7c\x11\x2a\xa2\x6a\x05\xec\xae\x19\xa8\xdf\x73\x9d\x54\x18\x29\x8e"
"\x74\x7e\xf9\x69\x16\xb4\x1e\xd9\x6c\xde\x38\x45\xe8\xa0\xb6\x89\xe9"
"\xe6\x8e\xbd\xce\x22\xec\x9f\x2e\x4f\x57\xea\x4e\xc8\xd5\xdb\x37\xa6"
"\xed\x95\x7b\xca\xae\x17\xbb\x78\xbf\x21\x5c\xad\x9e\xe3\x9d\xf6\x53"
"\x08\x2e\x6f\xd8\x99\x5f\x45\xaf\x49\xc6\xc2\x71\xab\x67\x0d\xf9\xb1"
"\x5c\x6b\x0e\x18\xfb\xa4\xad\x34\x60\xc4\x8d\x7b\xd1\x91\xff\xd5\x1a"
"\x78\x9e\xf4\xfd\x2d\xc5\x63\xd6\x73\xe9\x25\xdc\x72\xaa\xe9\x48\x7f"
"\x83\x27\x75\x1e\x30\xf8\x9c\xf9\xe7\xbe\x63\xb8\x47\x78\x0c\xe4\x20"
"\x87\x7f\x85\x63\xd7\xed\x4e\xca\xf6\x78\x5d\xa4\x38\x07\x26\xc3\xa2"
"\x38\xe3\x66\xcd\x6e\x45\x47\x19\x11\xd2\x72\xc6\x8d\xdf\xc4\x84\x81"
"\x10\xa3\xb2\xf5\x9e\x42\x87\x08\x6c\x4d\xbf\xea\xc3\xb0\x72\x51\x1f"
"\x21\x60\xd7\x80\x16\x4b\x8b\x2c\x12\x62\xcd\xca\x07\x5f\x06\x30\x96"
"\x05\x9f\xd3\xf9\x12\x92\x6b\xce\x4d\x10\x79\x46\x50\xb6\x1d\xa3\xbe"
"\x17\xb4\xce\xcc\xb6\x2e\x7d\x25\x29\x3a\xb1\x4c\x5f\xe4\x08\x5b\xed"
"\xc6\x9b\x93\x29\xaf\x57\x02\x3c\x48\xbd\x03\x38\x96\x01\x79\x23\xd1"
"\xd1\x2e\x53\x49\x06\xf5\x0f\xe0\xba\x3e\x14\x9b\xb2\x41\xa4\x05\x47"
"\x69\x08\x1e\x53\xb2\x77\xa2\x7a\xf4\x6d\x96\xaa\xfa\xf2\x46\xe2\x0e"
"\x66\x27\xfd\x9b\x29\x25\xae\xea\x32\x74\x06\x22\x7c\x57\x39\xf8\x41"
"\x95\x97\xe0\x22\x0b\x2f\xf4\x7c\xc9\x3f\x90\x6a\x3c\x81\x34\xf4\x64"
"\x56\x44\xca\xb2\xe3\x2f\x3a\x03\x6f\xba\xac\xd8\x85\xa4\x74\x9f\x4c"
"\x1e\x1a\x6b\xfd\xfa\xc9\x72\xce\x8c\x53\xe3\x79\xbb\xb1\xa9\xc1\xbb"
"\x97\x20\xc5\x43\x5b\x09\xd4\xe0\x29\xae\x60\x9d\xee\x4a\xd2\x68\x5f"
"\x04\xff\xb3\xa2\x1f\xd7\x18\x81\x3c\x23\x1b\x20\xf7\xbd\x60\xad\x9c"
"\x8c\xf8\xa5\x9b\xa2\xec\x34\x53\xad\x19\x6a\xb1\x80\xe8\xee\x6c\x08"
"\xc2\x55\x7a\x6a\x41\x4a\x40\xfb\x84\x5c\x3a\x54\x82\xeb\x4d\x0f\xab"
"\xd9\xeb\xc1\xb4\x7d\x3d\x25\xe0\x1f\xe2\xc2\x24\x03\x06\x09\x22\x71"
"\x37\x92\xc9\x24\x5a\x39\x78\xb1\xa7\x5d\xd8\x30\xb8\x2e\x62\xd7\x84"
"\xf0\xa1\xbc\x46\xea\x29\x22\x16\x6e\x4d\x6f\x99\xcd\x2b\xde\xba\xdb"
"\x6e\xe7\x3a\xc4\x17\x77\xee\x7c\x8a\xcb\x13\x7c\xd9\xa5\x90\xd4\x6e"
"\x82\x4e\x4b\x97\xf0\xc7\xb7\x3f\x1d\xbf\xe9\xe2\x6d\xb4\xaf\x18\xdf"
"\xe1\xd0\x29\x08\xf1\xa8\x50\x2a\xda\xbf\x9d\x98\x6f\x7f\x4a\x1d\x96"
"\xf9\x06\x8d\xa1\x93\x7b\x96\x81\x40\x7f\x1b\xb4\xb9\x15\x71\x20\x04"
"\x2a\x2f\x6e\x19\x46\x06\x34\xd1\xe9\x89\x96\x58\x75\x5d\xc4\x1c\xf5"
"\x36\x56\xc9\xc1\xb7\x0d\x74\x0f\x5c\x27\xd3\xe1\x93\x07\x53\x9f\x7e"
"\x80\xf4\xd4\x25\x34\xa6\x3f\xf8\xf7\xc9\xe5\x09\x79\x2e\xdf\x2b\x8d"
"\xcc\x02\xe7\xc7\xc4\xaf\xb7\x5e\x92\xf1\x63\xfa\x54\x97\xce\x17\x0a"
"\x51\x0a\xc8\x84\xa5\xd9\x3c\x10\x22\xa5\x7c\x71\xed\x39\xaa\x13\xd8"
"\x70\xb5\xf9\x31\x22\x93\x4e\xbc\x80\xdf\x38\x4a\x84\x7d\x07\xa0\x8a"
"\x4c\xa3\x2d\x03\xf9\x09\x26\xe0\x56\x17\x5a\xc1\x0d\x8d\x39\x2b\x5b"
"\xb3\x47\x70\x64\xbc\xff\x9a\xd3\x36\x4b\x0f\xbe\xba\xae\x57\xc7\x05"
"\x68\x08\x04\xc3\x31\x03\xbb\xec\x63\x91\x56\xec\xb1\xee\xfa\x65\x0b"
"\x4f\x87\x1f\x22\x79\x0a\xb9\xf7\x71\x1f\xb8\xdc\x9d\xa1\xfb\x06\x4f"
"\x36\x9a\x69\x3d\x0d\x7f\x16\xeb\x5c\x91\xa5\x57\xb4\xe0\xa4\x80\x08"
"\x7d\x8d\x9a\xa3\x04\x4d\xe1\x6a\x8e\x7b\x32\x8f\x21\x4c\xb1\x41\x92"
"\xc9\xbc\xb1\x30\x3c\x74\x1c\x26\x83\xb1\x8e\xb6\xb5\xbd\x0c\x5e\x42"
"\xb3\xc9\x67\x5c\x6a\x62\x8d\x44\x1f\xe1\x44\x6a\xf2\x10\x66\xa4\xb6"
"\x22\x69\xd8\x95\x55\xb0\x92\x13\xdb\x4c\x11\xbd\xba\xcf\x57\xca\x33"
"\xe1\x85\x33\x9f\x03\x61\x45\x9e\xe0\x47\xb0\xb2\xb9\x58\xe9\x6a\x33"
"\x97\x96\xfe\xbb\x29\xc0\x4d\x85\x87\x06\x2d\x55\x70\x29\x2b\x90\xd3"
"\x23\xb3\x7b\xf3\xfb\x69\x5a\xd4\xf3\x64\x82\xc1\xa7\x2f\x9b\x7d\x4f"
"\xd5\x83\x31\x1d\xe3\x38\xdf\xd5\xfa\x71\xec\xb6\xdb\xa8\x82\x29\x31"
"\x82\xdc\xe2\xa1\x05\xd9\x4a\x6a\x9f\x36\xf7\xaa\x63\x5d\xb5\x21\xca"
"\x81\xf4\x84\xbd\xf2\x3b\x83\x37\x02\x68\x88\x8b\xd8\x15\x36\x45\x3c"
"\xfd\x1e\xa0\x2c\xa6\x28\xb6\xcb\x13\xba\xd7\x79\xe0\x1c\x5d\x29\xab"
"\xba\x41\x20\xf7\x42\x89\x73\x62\x62\x8a\x0b\xbe\x18\x52\x58\xec\x0f"
"\x8b\xee\x4a\xdf\x1f\x69\xd7\x1f\x77\xab\xeb\x5b\xdc\xd4\x19\x54\xc1"
"\xce\xdb\xd6\x91\x16\x14\x7c\x77\x9d\x0d\x53\x12\x83\xd1\xb3\x3d\xc0"
"\x14\x24\x67\x49\xd1\xd9\xa8\xa7\x41\x43\x87\x18\xe0\x9c\x55\x9d\x26"
"\x27\x4f\x1b\xa6\x61\x29\xa0\x0e\xa8\xbd\x3e\x41\xe3\xac\x85\x3f\x22"
"\xf4\xb1\xe0\x48\xbc\x6e\xff\x62\x52\x7c\xe7\x3b\x52\x77\xc7\x1c\x82"
"\xdc\x0a\xb8\x35\x8d\x77\xc9\x9f\x12\xd1\xc1\x39\x90\xa0\x7e\xc0\xdb"
"\x80\xd9\xa9\x86\x3f\x2c\x87\x91\x4a\x28\x04\xb6\xa2\x85\xda\x8a\xff"
"\xf0\x9a\x1b\x80\xf3\x2d\xe1\x4b\x42\x3d\x24\x95\xad\x5b\x8b\x9e\xb4"
"\x5d\x04\x9b\xa1\xed\x73\xfa\x13\xca\xbf\x02\x8c\x21\xa0\x93\xae\x82"
"\xab\x85\x12\x89\x86\x3d\x3c\x27\x2a\x18\xdb\x9b\xd7\xbf\x74\xc3\x80"
"\x9a\xdb\xf3\x99\xb3\xe5\x4b\xc7\x88\xa3\x7d\x62\xa2\x77\x58\xa3\x6e"
"\xf7\x26\xae\x0c\xdc\x80\xd1\x4f\x55\x44\x8e\x83\xb0\xe1\x35\x24\xbc"
"\xac\x19\x5d\x23\x21\x21\x8d\x04\x80\x11\x56\xfb\xd5\x93\xcc\xce\x68"
"\xd1\xb5\xc5\x6e\x47\x89\x94\xf9\x94\xc6\x84\x7d\xc1\x2e\xdf\xf8\xfd"
"\x4a\x72\x2d\xfc\x54\x7a\x0a\x49\xd3\x67\x59\x56\xfa\xd5\xf0\x82\x5e"
"\x52\xfa\x3a\x17\xc0\x28\x92\xed\x90\x42\xb6\x99\x8b\x1a\x3a\x1f\xb1"
"\xbe\x43\x4c\xdd\xd1\x83\x63\x2c\xb7\x46\xc3\xf5\xad\xe7\x9c\x9e\xfa"
"\x9a\x0b\xeb\xf9\x36\x93\x86\x6a\xb1\x48\x20\x2c\x82\x39\xcb\xe5\x60"
"\x54\x63\xe0\xe8\x28\x09\x24\x2d\x24\x48\xe3\x12\x64\x84\xc9\x58\x96"
"\x2f\x4d\x30\x71\xbd\xbb\xeb\xae\x9b\xe2\xe9\x9a\xf5\x2b\x1c\xea\xfc"
"\x21\x8f\x84\x17\x94\xcb\x2c\xb9\x10\xa9\x43\xed\xa3\x5b\x7c\x8b\x4d"
"\x86\x98\xf6\x1c\xc7\xe3\x63\x7a\x8d\x0d\x36\xcc\x89\x17\xc0\xa1\x39"
"\xe5\x3a\xd0\x1b\xa6\xf7\x08\x25\x32\x45\x2f\x53\xec\x3c\xef\x17\x98"
"\x7e\x07\x85\x77\x11\x99\x85\x95\x2b\xe6\xbe\x2c\x13\x3a\xf6\x2f\xa2"
"\x02\x3f\x6e\x2a\x1d\x1f\x03\x1c\x5f\x7b\x01\x94\x55\xde\x51\xc4\xeb"
"\xf6\xc7\xac\x96\x3a\x15\xf4\xf1\xe4\x37\x76\x1e\x4f\xa1\x26\xd1\x2d"
"\xe3\x28\x1f\x13\x7b\xf7\x50\x3e\xd8\xef\x48\x34\x84\x0b\x50\xee\xf9"
"\x1e\x8a\x39\x8a\x59\xed\x3e\x8b\x1e\xac\x0f\xc2\x65\x35\x15\xd5\x28"
"\x1d\xf2\xb8\x3e\x6a\xd2\xd4\x47\x5c\x69\x7c\x89\x92\x6b\x92\x87\xf8"
"\x28\x1e\x3b\x4c\x75\x74\xde\x05\x22\xc0\x56\x57\xa1\x75\xaa\xd2\xf4"
"\x66\xa4\x47\x21\x61\xd7\x3b\xb2\x78\x6e\xe4\xa8\x2c\x7d\x06\x0d\x66"
"\x97\x31\xcf\x34\x88\xad\xdf\x6d\x96\x13\x6b\xe7\x1b\x67\xfc\xdc\x25"
"\x8a\x09\xad\xec\x13\xc8\x2d\xc7\x89\x6c\x67\x8d\x76\xa1\x6b\x5a\x91"
"\x36\x1e\x43\xed\x61\xbe\x1e\x5e\x7f\xe7\x8d\x5c\x2a\xa0\xd9\xf8\x8b"
"\x89\x0a\x2e\xf4\xa2\x00\x83\x04\x49\x82\x72\x8f\xcd\xa6\xa4\xc1\x9a"
"\x20\xa3\xaf\x92\xfc\xc9\x7a\x03\x01\xf4\xcf\xf8\x25\xe3\x76\xfc\x0a"
"\x65\xf8\xaf\xfc\xc2\x7f\x27\x09\x8e\x2a\xfe\x05\xbc\x7f\x32\x0d\xa2"
"\x61\x02\x0f\x94\x29\x1b\xf5\xe7\x4c\x40\x4a\xf7\xe1\xad\x7e\x09\x72"
"\x13\x8e\xe1\x12\x5f\x2d\x10\xe9\xc1\x87\xe3\x55\x7b\x3c\x58\x95\x78"
"\xc2\x1f\x15\x2e\x35\x50\xdb\x68\x42\xb0\x25\xe0\x20\xc4\x1b\x3e\xec"
"\x11\x02\xa1\xc0\xa6\x05\x5b\x56\x93\x27\x97\x84\x71\x5f\x96\x87\x51"
"\x62\xbf\x66\xbe\x67\xfc\x4f\x84\x92\x63\xf7\x52\x9e\x29\x4a\xad\x10"
"\x59\x6b\xb9\x6a\x3b\x7f\xad\xf2\xc3\xb2\x7a\x47\x25\x1f\x26\xd0\xe2"
"\x27\x00\xd5\x7b\xc8\x7d\x83\xeb\xe7\xaa\x4b\xc4\x1f\x69\xd1\xb6\xc2"
"\x9b\x18\x05\x82\xfd\x6d\x5e\xf5\xe7\xf0\x18\xfe\x34\x18\x7d\x1b\x0e"
"\x36\x65\x46\x66\x64\x50\x10\xb5\xc4\x97\x83\xd6\xf2\x7c\x69\x43\x85"
"\xd9\xb1\x6b\xcf\xc5\xde\x39\xde\x29\xd1\x12\x52\xa0\x52\x2c\x13\xea"
"\xe6\x68\x80\x24\x79\x17\x31\x8f\x4f\xcb\x37\x27\x94\x35\xc4\x1f\xfd"
"\x46\x18\x0d\x2d\xfd\x69\xc4\x02\x5b\x55\x3a\xd0\x5e\x2c\x66\xda\xa1"
"\x1a\xca\x17\xd8\xb3\xe6\x3c\xe0\x8d\x5e\xe0\x8a\xa6\x9c\xce\xd5\x4d"
"\x05\x93\x54\x01\x5b\xfc\x57\x7d\xd9\x39\x04\xd0\xe1\xc7\xe0\xbc\x82"
"\xc2\xb3\x91\x40\xd5\xb2\x62\x06\x1d\x3b\x13\x80\xb6\x68\x30\x53\xcd"
"\x8d\xc8\x25\x66\x42\x86\x75\xd4\xf0\x2a\xc9\xf8\xa0\xc8\x6a\x2b\x44"
"\x36\xe8\x6c\xc1\xdc\x49\x47\x78\x20\x18\x26\xab\x4b\x44\x8e\x67\x32"
"\x7b\x37\xbb\x06\x5b\x42\x3f\x75\x6e\x8b\xe0\x7a\x85\xc9\x6d\xc9\x52"
"\x34\xad\xcd\xb1\x11\x1e\xeb\xd0\x94\x5f\x9b\x21\x02\xaf\x49\x32\xd2"
"\xb8\x3e\xbb\xb1\x6a\xea\xf2\xff\xb1\x10\xb2\xe5\x0a\x09\x56\xb3\x4e"
"\x35\xc6\x3a\xf3\xcb\x9d\xc8\xd9\x9b\x53\x04\x31\x38\xd9\xfa\x66\x53"
"\x08\x62\x90\xeb\xaf\x6a\xd3\x9a\x2f\xb2\xca\x12\xc6\x2c\xa5\x9e\xe2"
"\x7b\xac\x96\x01\x61\x86\xa9\x97\x26\xdd\xd9\xed\xc7\x5f\xd8\xfb\xd4"
"\xe2\x9f\x34\x65\xfe\xff\x01\xb4\xd3\x39\xb4\x03\xf4\xfc\xc4\x13\x56"
"\x23\x2a\x57\x2a\x9d\xdb\x6f\x60\x56\xeb\x68\xb0\xba\x1a\x9c\x7c\xbf"
"\x7d\x2a\xef\x43\xbe\x0d\x13\xbe\xe9\x7a\xbf\x0c\x71\x2b\x8b\xb6\x6c"
"\xd8\x25\xf4\x9f\xd1\x89\xd9\x96\xc5\x64\xa0\x5f\x45\x86\xee\x03\x8a"
"\xd0\x1b\x5f\x6a\x97\x79\xf3\x57\x6d\xed\xdd\x33\xf9\x7d\x67\xb3\x4f"
"\x16\xf8\xd0\x3a\x98\x09\x3e\xde\x56\x37\x31\xd4\xf1\x4b\xe4\xf0\x37"
"\x24\x41\x45\xcc\x6f\x40\xa5\x83\xfa\xe0\x47\x6b\x68\x12\x96\x15\x45"
"\x2f\xa2\x21\x27\x53\x41\x9a\x7e\x6e\x19\x17\x38\x0b\xc0\x16\x1c\x66"
"\x96\xbb\x90\xae\xd2\xaa\x13\xec\x76\x5c\x85\x5a\x2f\xbe\x0b\x57",
4096);
/* iovec[0].iov_len = 0x1000 (4096). */
*(uint64_t*)0x20000248 = 0x1000;
/* iovec[1..3] are left all-zero: NULL base and zero length. */
*(uint64_t*)0x20000250 = 0;
*(uint64_t*)0x20000258 = 0;
*(uint64_t*)0x20000260 = 0;
*(uint64_t*)0x20000268 = 0;
*(uint64_t*)0x20000270 = 0;
*(uint64_t*)0x20000278 = 0;
/* These arguments match the registers in the KASAN report in this email (RSI=0x20000240, RDX=4, R10=0xfffff552, R08=8). */
syscall(__NR_pwritev, /*fd=*/r[0], /*vec=*/0x20000240ul, /*vlen=*/4ul,
/*off_low=*/0xfffff552, /*off_high=*/8);
break;
}
}
/*
 * Entry point of the reproducer.
 *
 * Maps a 16 MiB read/write/execute region at the fixed address 0x20000000,
 * with one inaccessible (prot=0) page directly below and above it, then
 * forks four children that each run loop() forever. flags=0x32 is
 * MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS on Linux.
 */
int main(void)
{
	/* Inaccessible page just below the data region. */
	syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
		/*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
	/* Data region used by execute_call() for all of its fixed addresses. */
	syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul,
		/*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
	/* Inaccessible page just above the data region. */
	syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
		/*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);

	procid = 0;
	while (procid < 4) {
		/* The child never returns from loop(); only the parent keeps forking. */
		if (fork() == 0)
			loop();
		procid++;
	}

	/* The parent stays alive while the children run. */
	sleep(1000000);
	return 0;
}