* crypto: GPF in scatterwalk_start
@ 2016-01-19  8:30 Dmitry Vyukov
  2016-01-19  8:35 ` Herbert Xu
  2016-01-19 13:23 ` Herbert Xu
  0 siblings, 2 replies; 4+ messages in thread
From: Dmitry Vyukov @ 2016-01-19  8:30 UTC
  To: Herbert Xu, David S. Miller, linux-crypto, LKML
  Cc: syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin,
	Eric Dumazet

Hello,

The following program causes GPF in scatterwalk_start.

Herbert, I am on commit 5807fcaa9bf7dd87241df739161c119cf78a6bc4 with
all your fixes applied, including the fix for out-of-bounds in
skcipher_recvmsg.

general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
Modules linked in:
CPU: 2 PID: 8902 Comm: syz-executor Not tainted 4.4.0+ #269
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff8800629f4740 ti: ffff880060f60000 task.ti: ffff880060f60000
RIP: 0010:[<ffffffff827aff31>]  [<ffffffff827aff31>]
scatterwalk_pagedone.part.8+0x121/0x210
RSP: 0018:ffff880060f676a8  EFLAGS: 00010203
RAX: dffffc0000000000 RBX: ffff880060f678c0 RCX: ffff880060f678c8
RDX: 0000000000000002 RSI: ffff880060ead000 RDI: 0000000000000014
RBP: ffff880060f676d0 R08: ffffed000c3fc203 R09: ffff880061fe101a
R10: ffffed000c3fc204 R11: 1ffff1000c3fc202 R12: 0000000000000000
R13: ffff880064b7b5a0 R14: 0000000000001000 R15: ffff880060f678c8
FS:  0000000001eb6880(0063) GS:ffff88006d600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 000000002003d671 CR3: 000000006009b000 CR4: 00000000000006e0
Stack:
 000000000000000b ffff880060f678c0 dffffc0000000000 000000000000000b
 0000000000000005 ffff880060f67748 ffffffff827b0493 ffff8800629f59e0
 ffffed000c53eb3c ffff8800629f4740 ffff880060eacff5 ffff880061fe1010
Call Trace:
 [<     inline     >] scatterwalk_pagedone crypto/scatterwalk.c:53
 [<ffffffff827b0493>] scatterwalk_copychunks+0x133/0x340
crypto/scatterwalk.c:102
 [<     inline     >] blkcipher_next_slow crypto/blkcipher.c:175
 [<ffffffff827b95ab>] blkcipher_walk_next+0xadb/0x1220 crypto/blkcipher.c:254
 [<ffffffff827b861a>] blkcipher_walk_done+0x3ea/0x8a0 crypto/blkcipher.c:133
 [<ffffffff82805b89>] crypto_ctr_crypt+0x2c9/0x6a0 crypto/ctr.c:147
 [<     inline     >] skcipher_crypt_blkcipher crypto/skcipher.c:66
 [<ffffffff827bb164>] skcipher_decrypt_blkcipher+0x1b4/0x260
crypto/skcipher.c:84
 [<     inline     >] crypto_skcipher_decrypt include/crypto/skcipher.h:363
 [<     inline     >] skcipher_recvmsg_sync crypto/algif_skcipher.c:680
 [<ffffffff828ca604>] skcipher_recvmsg+0x1174/0x1bf0 crypto/algif_skcipher.c:710
 [<     inline     >] sock_recvmsg_nosec net/socket.c:713
 [<ffffffff851b9f30>] sock_recvmsg+0xa0/0xc0 net/socket.c:721
 [<ffffffff851bccf9>] ___sys_recvmsg+0x259/0x540 net/socket.c:2100
 [<ffffffff851beece>] __sys_recvmsg+0xce/0x170 net/socket.c:2146
 [<     inline     >] SYSC_recvmsg net/socket.c:2158
 [<ffffffff851bef9d>] SyS_recvmsg+0x2d/0x50 net/socket.c:2153
 [<ffffffff863260f6>] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185
Code: 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 f4 00 00 00 49 8d 7c
24 14 48 b8 00 00 00 00 00 fc ff df 4c 89 23 48 89 fa 48 c1 ea 03 <0f>
b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
RIP  [<     inline     >] scatterwalk_start crypto/scatterwalk.c:37
RIP  [<ffffffff827aff31>] scatterwalk_pagedone.part.8+0x121/0x210
crypto/scatterwalk.c:69
 RSP <ffff880060f676a8>
---[ end trace 40cf1dffbe6f0df5 ]---


// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <pthread.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

long r[68];

int main()
{
  memset(r, -1, sizeof(r));
  // Map a fixed 256 KiB read/write anonymous region at 0x20000000; every
  // syscall argument below is placed inside it.
  r[0] = syscall(SYS_mmap, 0x20000000ul, 0x40000ul, 0x3ul, 0x32ul,
                 0xfffffffffffffffful, 0x0ul);
  // socket(AF_ALG (0x26), SOCK_SEQPACKET (0x5), 0)
  r[1] = syscall(SYS_socket, 0x26ul, 0x5ul, 0x0ul, 0, 0, 0);
  // struct sockaddr_alg at 0x2002c02a: salg_family = AF_ALG,
  // salg_type = "skcipher", salg_feat = 0x8, salg_mask = 0x88,
  // salg_name = "ctr(serpent)"; bind length is 0x58.
  *(uint16_t*)0x2002c02a = (uint16_t)0x26;
  memcpy((void*)0x2002c02c,
         "\x73\x6b\x63\x69\x70\x68\x65\x72\x00\x00\x00\x00\x00\x00",
         14);
  *(uint32_t*)0x2002c03a = (uint32_t)0x8;
  *(uint32_t*)0x2002c03e = (uint32_t)0x88;
  memcpy((void*)0x2002c042,
         "\x63\x74\x72\x28\x73\x65\x72\x70\x65\x6e\x74\x29\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00",
         64);
  r[7] = syscall(SYS_bind, r[1], 0x2002c02aul, 0x58ul, 0, 0, 0);
  // setsockopt(SOL_ALG (0x117), ALG_SET_KEY (0x1)) with a 22-byte key
  memcpy((void*)0x20014b26, "\xd4\x4f\x77\x66\x54\xf2\x63\xd1\xbe\x5c"
                            "\x6b\xac\xa6\x65\xc1\x0f\x2f\xbd\xea\x09"
                            "\x2e\x44",
         22);
  r[9] = syscall(SYS_setsockopt, r[1], 0x117ul, 0x1ul, 0x20014b26ul,
                 0x16ul, 0);
  // accept4() returns the operation socket used by the send/recv calls below
  r[10] =
      syscall(SYS_accept4, r[1], 0x0ul, 0x2001f000ul, 0x80800ul, 0, 0);
  memcpy((void*)0x2003ef64,
         "\x87\x58\xd9\x05\x97\xe4\x75\xad\xbf\x84\x1d\xdf\xc5\x99\x9d"
         "\xd5\xa4\xe4\x93\x17\x48\xbe\x4a\x7a\xe0\x1e\xab\xd6\x7b\x3d"
         "\x05\x9b\xb9\xf5\x4e\xcd\x3c\xb5\x7d\x9b\x90\x9b\x35\xaf\x32"
         "\xc0\x5e\xa2\x72\x06\x35\x5c\x9e\xee\x4a\x06\xa3\x02\x1c\xe1"
         "\xfa\x53\x9a\x94\x0f\xe2\x7a\x17\x0e\x09\xff\xf4\xb4\xb7\x33"
         "\x6e\x97\xed\xaa\x8b\xe3\x71\x04\xcd\x16\x23\xff\xb9\x2f\x05"
         "\xb0\xc3\x26\x26\x80\x2b\xec\x2d\x34\x16\x24\xc7\x0f\x80\x83"
         "\xa3\x07\x27\x8d\x2c\xe8\xeb\x05\xc0\x9e\x04\x2c\x91\xc3\x5b"
         "\x64\x07\x0e\xbe\x3a\x32\xeb\x15\xed\x4e\x39\x94\x8a\x2f\x32"
         "\xad\x4f\x8c\xba\x40\x7c\x6d\xb6\x83\x81\x2b\x12\x2a\x9b\x72"
         "\xab\xc1\x98\xe5\xc7\x9c",
         156);
  memcpy((void*)0x2003e000, "\x03\x00", 2);
  r[13] = syscall(SYS_sendto, r[10], 0x2003ef64ul, 0x9cul, 0xc800ul,
                  0x2003e000ul, 0x2ul);
  *(uint64_t*)0x20021fd6 = (uint64_t)0x20034cd9;
  *(uint32_t*)0x20021fde = (uint32_t)0x80;
  *(uint64_t*)0x20021fe6 = (uint64_t)0x20017b32;
  *(uint64_t*)0x20021fee = (uint64_t)0x4;
  *(uint64_t*)0x20021ff6 = (uint64_t)0x20034000;
  *(uint64_t*)0x20021ffe = (uint64_t)0x3;
  *(uint32_t*)0x20022006 = (uint32_t)0x4840;
  memcpy((void*)0x20034cd9,
         "\x02\x00\xab\x0b\x7f\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00",
         128);
  *(uint64_t*)0x20017b32 = (uint64_t)0x20034000;
  *(uint64_t*)0x20017b3a = (uint64_t)0xac;
  *(uint64_t*)0x20017b42 = (uint64_t)0x20034cfa;
  *(uint64_t*)0x20017b4a = (uint64_t)0xa9;
  *(uint64_t*)0x20017b52 = (uint64_t)0x20034000;
  *(uint64_t*)0x20017b5a = (uint64_t)0x1000;
  *(uint64_t*)0x20017b62 = (uint64_t)0x20034084;
  *(uint64_t*)0x20017b6a = (uint64_t)0x3e;
  memcpy((void*)0x20034000,
         "\x07\x1e\x93\xc9\xc1\xf6\xd4\xc2\x5a\x07\xbf\xbe\x5a\x8e\x52"
         "\xfe\x10\x5c\xb5\x6c\xd9\xc4\x47\x27\x76\x5f\x2f\xb3\xd4\x5e"
         "\x6f\x42\x3f\xf8\xbf\x6a\xc3\x4d\x8f\xb4\xe6\x40\x4f\xd5\xb6"
         "\x1b\xb9\xde\x02\xe3\xd2\xe4\x83\x48\x9b\x0e\x47\xd5\x5a\x77"
         "\x3a\xad\x6c\xb8\xbd\x21\x8f\x75\x00\x1d\xb1\xf3\x36\x4a\x93"
         "\xd3\xbf\x60\x1f\xfc\x07\xb3\x9b\xaa\x65\x6e\x98\x39\x66\xc1"
         "\xcc\xf0\x2c\xc6\x87\xbd\xa7\xe8\x16\x3c\xf5\x57\xc0\x82\xa3"
         "\x81\xb9\x05\xfa\x80\xc2\x94\x37\x1a\x73\x9e\xd7\x7c\xd3\x58"
         "\xaf\x74\x3e\x8c\xe2\x78\x0a\xf5\xbb\xb1\x79\x47\x96\x46\x20"
         "\x51\x86\x0a\x53\x9b\x03\x39\xb6\x88\x9f\xcb\xf0\x48\xf6\x04"
         "\x04\x2b\x3a\xee\x7d\xc6\x38\x2d\xa0\x94\xbb\x17\x2e\x13\x97"
         "\xe0\x6d\x86\x3c\x72\x63\xc1",
         172);
  memcpy((void*)0x20034cfa,
         "\x65\x9c\xf6\xb5\x82\xbf\x22\x6f\x46\xf8\xfd\x00\x3e\x6f\xb8"
         "\x27\x7a\x06\x4f\x28\x31\xc8\x6a\x7a\xb4\xd7\x00\x56\x91\x8f"
         "\xc6\xfd\xa7\x26\xac\x84\x9e\xa5\x1b\x8b\xd1\xf4\x6e\x60\x87"
         "\x17\x33\xd3\xbf\x5a\x9e\x93\x20\x63\xb1\x42\x7f\x9c\xd9\xfc"
         "\x19\x8c\x45\x33\x0d\x08\x47\xba\xd1\x29\xb6\xa0\x6b\x28\xb2"
         "\x46\x5d\xc9\x62\xb1\x23\x7f\xb8\x4e\xb9\xfb\x89\xec\x66\x21"
         "\xa4\x88\xf9\x1e\xbc\x75\x4f\x22\xff\xa1\x36\x04\x63\x4b\x2b"
         "\x43\x05\x2e\xeb\xb3\xdf\x07\x73\xe2\x0b\xd3\x9b\x85\x6d\x0d"
         "\x79\xb4\xfb\xce\x8e\xce\x4d\x89\x97\x1d\xf0\x1a\x02\xb7\x52"
         "\x71\xc8\xfe\xe2\x6e\x6b\x5b\x60\x93\x8a\x4c\x99\x70\x37\x32"
         "\x20\xec\x66\xea\xb4\x7b\x61\x0a\x0a\x27\x00\x2e\x11\x8b\xf7"
         "\x6e\x8a\x4e\x0e",
         169);
  memcpy(
      (void*)0x20034000,
      "\x8a\x4d\x72\x9b\x60\x7a\xd7\x99\x48\x01\xdf\x70\x86\x4b\x56\x5b"
      "\xd4\xbb\x69\xe4\xbb\xa2\x21\x5e\x65\x93\x1a\x6e\xfe\xe6\xd7\x54"
      "\x14\x62\xd3\x37\xcc\x1d\x83\x43\x6c\xe9\x40\x17\x2f\xa8\x19\x40"
      "\x18\xf3\x6d\x65\xd7\x21\xc7\x0a\xde\x1c\x9d\x06\x00\x5b\xdc\xa0"
      "\x17\xec\xe9\xe0\x44\x3d\x6f\x39\xc0\xa5\x5c\x60\x41\x42\x38\x77"
      "\xd2\x53\xcf\xa3\xf4\xce\x5e\xd6\xf6\xd1\xf8\xb0\x29\x7a\x64\xad"
      "\xaf\x5c\x41\x08\xaf\xba\x8a\xc6\xe4\x8a\xa7\x78\x04\x5a\x9c\x41"
      "\x0d\x4c\xcd\x48\xb0\x53\x1b\x18\x06\x3f\x4a\x5d\xab\x5c\xcd\x73"
      "\xd2\x9a\xac\x64\x3e\x48\xf7\xb4\xf5\x8d\xa3\xc8\xc0\x40\x73\xe0"
      "\x36\x94\x9b\x34\x94\x58\x4c\xe7\x43\x01\x3c\xa9\xd4\xc3\xa5\xd1"
      "\xca\xe0\x0e\xc4\xfb\x2f\xe5\xa9\x3f\x4e\xdf\x64\xdf\x24\x38\xa6"
      "\x20\x57\x42\x87\xeb\xfd\x86\xdd\x46\x12\x31\x63\x36\x1a\x78\x16"
      "\xce\x70\x1a\x0c\xc5\x74\x5c\xb9\x44\x17\x90\x97\x34\xb0\xf5\xa2"
      "\xf5\x54\xfc\x88\xc4\xec\xbc\x20\x9e\xb6\x1c\x8f\xe7\x99\xdf\x64"
      "\x38\x05\xe1\xf2\x62\x4d\xc8\x01\x83\x40\x37\x34\xe6\xc8\xb9\xc7"
      "\x14\xb3\xf2\x11\x47\x96\x98\x58\x16\x68\xf6\x18\x0e\xd9\x8d\xa5"
      "\x9f\xb6\x11\x46\x93\xf8\xd2\x81\xcc\x31\xe4\x56\xcd\x30\x36\x89"
      "\xee\x89\x5d\xce\x51\xcd\x54\x9b\xe1\x70\x78\x3f\x9f\x3a\x20\xb4"
      "\xca\x17\xfa\x61\xa4\x25\x65\x6f\xee\x19\x79\x5a\xbd\xd3\x9c\xf2"
      "\x0d\xf2\x64\xb6\x09\xb1\xa0\xcc\xde\x7b\x31\x15\x71\xa6\xe3\xc6"
      "\xad\xd1\xb1\x8e\xf4\x4d\x21\xe5\xbc\xd2\x53\xe7\x9a\xd3\x1a\x3d"
      "\xc0\x14\xf3\x9c\x7c\xee\xa3\xdd\xd2\xf9\x0b\x1d\x2d\x32\x6f\xff"
      "\xff\x8f\xfb\xb8\xba\x31\xc4\xb5\x96\x78\x74\x7a\x6a\x2e\x74\xe5"
      "\x70\x43\x94\x5c\x7c\x4e\x92\x06\x99\x3d\x3a\x1c\xb6\x91\x3c\x14"
      "\x4c\x03\x07\x7e\xc1\xf8\xe9\x62\x38\x57\xc6\x55\xb0\x47\x5f\x06"
      "\x2a\x5a\x3a\x77\x54\x86\x3f\xfb\xb9\x21\xc7\x92\x46\x86\x78\xa0"
      "\x81\xca\x50\xb2\x63\xa8\xef\x2d\x55\xca\x3d\xaf\x0d\x96\x34\x42"
      "\x9f\x73\x46\xaa\xba\xb0\xb1\xa5\xcc\xae\x94\xd7\x62\xe0\x62\xa7"
      "\x5f\x47\xd1\x48\xd6\x14\x2f\x4f\x47\xc1\xc6\x09\x63\x8d\xab\x07"
      "\xdc\xcc\x17\x40\xb8\x49\x12\x02\xd5\xd0\xe8\x85\x06\x95\x38\x0d"
      "\xd5\xc9\x14\x56\x27\x57\x0d\x1f\xd1\xe0\x35\xb9\x69\xe3\xb2\x6c"
      "\xaa\x6b\x13\xea\x3a\x1c\x1f\xf1\xb8\x24\xac\x60\xe6\x2c\x26\x82"
      "\x2a\xc5\xd6\x71\xca\x95\x50\x94\xe1\x03\xcf\x18\xbc\x97\xd3\xac"
      "\x62\x15\x06\x33\x45\x34\x2e\xd7\xe5\x17\x5d\x28\x5c\xfb\x1b\xea"
      "\x69\xf5\xfc\x40\xda\x25\x68\xd9\x08\xee\xe9\x2d\x3a\x6d\xc8\xee"
      "\x02\x54\xae\x17\x51\xbe\x27\x1d\xc2\x5f\xe2\x78\x3d\x2c\x3e\xf7"
      "\x53\xa1\x7d\xb1\x50\x79\xe8\xd3\xec\xcb\xe1\x1b\xca\xed\x07\xed"
      "\xd1\xd5\xd1\xdf\x9f\x80\x44\x90\x6f\x0a\xe0\xc4\xc3\x95\x6f\xa5"
      "\x8a\x33\xaf\x54\x16\x54\x88\xeb\xdf\xb1\x6a\x92\x69\x83\x8d\x44"
      "\xbb\x68\x73\xb6\x5a\xdc\x8f\x29\x48\xb1\xe7\x72\x60\x41\x83\x89"
      "\x47\x44\x7a\x60\x7a\xff\x91\xfe\xf0\xda\x54\x69\xc4\xd0\xd1\x55"
      "\x08\xb9\x68\xde\x9f\x89\x02\xc8\x7e\xd6\x5d\xc6\xb0\x8c\xe7\x77"
      "\xf3\x13\x3a\x7e\xb5\xc4\xbf\xff\xa1\x15\x81\x09\xd5\x7f\xfe\x4a"
      "\xf4\x51\x6e\x45\x80\xc1\x7f\xe6\xfe\x4e\x7b\x66\x29\x71\x43\xe4"
      "\x9f\xe0\x7c\xf6\x65\x44\x76\x96\x30\x73\x27\x99\x31\xfe\x22\x70"
      "\xf4\x2c\x90\x82\x9b\xf2\x2c\x35\x8e\x92\x1e\x71\x65\x30\x01\x7d"
      "\xa2\x88\x30\x55\x88\xb0\xfd\x07\x90\x79\x99\xa9\xc5\x79\x76\x6e"
      "\xa2\x70\xfe\xa9\xaf\x74\x3f\x50\x20\x0e\x89\x09\x7c\x0f\xb5\x7d"
      "\x4d\xb8\x2f\x0f\x19\x20\xc6\x5e\x3f\x97\x88\x8c\x84\x1e\xd2\x46"
      "\xda\x6c\x4d\xc2\x6f\x51\x73\x97\xa6\x12\x66\x06\x32\x34\xad\xa1"
      "\x1c\x7d\x21\xcb\xa8\xa2\xee\x73\xee\x76\xaf\x91\xd9\x51\x9d\x11"
      "\x3f\x65\x7e\xc1\x2c\x97\x45\x06\x90\x25\x7e\xd0\xc6\x1a\xd2\x00"
      "\xf4\xe3\x47\x11\x65\x19\xc0\xab\x5e\xf9\x93\xc8\x40\xf6\xf3\x53"
      "\xaa\x46\xb2\xc4\x48\xe9\xd2\xff\x3b\xe2\xe3\xf0\xf5\x58\x92\xa7"
      "\xa4\xe2\x1b\x65\xd7\x71\x02\x11\xc1\x54\x60\xad\xf4\xfa\x1e\x5e"
      "\x2f\xe8\x02\x01\x22\x6b\xef\x6a\x5c\x58\xf0\x09\xcc\x89\x38\x58"
      "\x5c\xb6\xc9\x18\xdc\xc0\x4b\x7e\x43\xc2\x0b\xa4\x46\xfc\x34\x91"
      "\x7c\xac\xfb\x84\x12\x1b\xcb\x70\x7a\x21\xef\xc6\x0f\xa8\x97\x7e"
      "\x27\xb9\x47\x5d\x2b\xc1\x6e\xbf\x9a\xd2\xbd\xf8\x9a\xcb\xc9\xa7"
      "\x8b\xe7\xaf\xb7\x6d\x58\xa2\x92\xf8\xad\x33\xaf\x3b\x45\x7e\xfd"
      "\xd9\xf0\x09\x28\x76\x44\x76\x16\x5f\x72\xc8\xe5\x95\x9e\x56\xb4"
      "\x27\x33\x3d\xf9\x44\xf7\x4b\x10\xd3\x6a\x90\xde\x2a\x6e\x13\x6e"
      "\x73\xfb\xab\x51\x7a\x85\x54\x65\x8d\x54\xe7\xce\xb8\xc5\x37\x2c"
      "\xd8\xdc\x00\x85\xdc\xc7\xac\xb6\x29\x57\x0b\xe0\x30\x3e\x19\xf8"
      "\x39\xf3\x23\x61\x52\x9f\xa1\x94\x1b\x5e\xbe\x97\x9f\xb1\x52\x54"
      "\xf1\x93\x62\xea\xbf\xcb\xc5\x93\x0d\xd4\x6e\xea\x6c\xe7\xc6\x32"
      "\x8e\xac\xb5\x24\xd6\x9e\xa0\xbb\x58\x6d\x1b\xc9\x94\xde\x3c\x89"
      "\x6d\x34\xbd\xda\x14\xba\xa4\xc3\x43\xd7\xfb\xb5\x27\x11\x5f\x73"
      "\xdb\x53\xbc\xa5\x19\x3a\xb6\x17\xe6\xc5\xde\xe8\xb4\x79\x87\x7c"
      "\x6c\x08\xcd\x81\x2e\x84\x0b\x78\xcf\x0b\x59\x7a\xf4\x67\x79\x1d"
      "\x19\x81\xb7\x7d\x5a\x98\x7d\xb3\x02\x0b\xfb\xa0\x87\xc9\x04\xf5"
      "\xbc\xaa\x16\x61\x9a\x06\x48\xe7\x28\x1e\x7d\xbc\xa9\x10\xe4\x88"
      "\x54\x2b\x28\xdc\x27\x8a\x44\xf8\x59\x45\x85\x2b\x77\x94\x78\x3a"
      "\xad\x0a\xce\x1a\xd7\x04\xde\x0d\xdd\x25\x3b\x48\xd1\x85\xf4\x88"
      "\x32\xf9\x5e\x4b\xfe\xfa\xee\xb8\x3b\x5c\x3d\xba\xb3\x17\x95\x68"
      "\x53\xf8\x99\xe7\xdd\x70\x52\xde\xc9\x7a\x96\x80\x8d\x0a\x71\x54"
      "\xda\x3b\x3b\xc6\x0b\xf6\x43\x81\x43\x63\x3f\x9d\x32\xc9\x8a\x39"
      "\x65\x4d\xa6\x64\x05\x06\x6e\xbf\xc7\x46\xe5\x29\x27\x19\x28\x9e"
      "\xf8\xa2\x94\xb7\xf9\xd6\xf6\x3b\xea\x28\xd3\x54\xae\xfb\xc4\x1b"
      "\x27\xdb\xda\x4b\xda\x7d\x4d\xd3\x3c\xeb\x1b\x97\x5b\xa0\x3c\x2a"
      "\x3f\x13\x5a\xb5\x49\x9c\xc7\x4e\xcc\xaa\x61\xe0\x5f\x2e\x88\x0e"
      "\x49\xa8\x38\xa4\x22\xd1\x85\x9f\xe2\x96\xc5\xe8\x08\xe3\x95\xf1"
      "\x35\x6d\x89\xc8\x2e\x36\x61\xf5\x07\x34\x6d\xa0\xe8\x8e\x57\xba"
      "\x5f\x1e\x2f\x51\x17\x03\xd4\x2f\x4d\x77\xde\x81\xfa\x95\x5c\xde"
      "\x11\x9e\x8a\x46\x8a\x12\xc2\x34\x3c\xdd\x80\xc1\x2e\x9e\x80\x02"
      "\xe4\xd9\xfd\x6c\x19\x58\x8b\xd7\x25\x70\xcf\x5b\xf7\x6a\xf7\xd4"
      "\x35\x9c\x17\xe6\xa2\xf4\xe2\x4a\x0f\x57\x97\xde\x98\xc7\xad\x54"
      "\x8a\x66\x44\x27\xce\xcd\x2f\x23\xc6\x69\x12\x2d\xd5\x34\x6b\x20"
      "\x72\xde\x75\xbe\x03\x89\x79\x37\x5d\xd8\xb0\x56\x0e\x47\x22\x23"
      "\xee\xd2\xed\x55\x74\x6c\x91\xd4\x1d\xd8\x16\x4c\x46\x4a\x95\x6d"
      "\x1d\xf4\x1b\x33\x34\x97\xaf\x3c\x07\x71\xed\x7b\x3f\xc4\xd8\x9f"
      "\xce\xe5\xbe\xa6\x35\xd0\xf9\x2a\x9a\x1f\x4c\x33\x12\x46\xbf\x3a"
      "\x4b\x6f\x5e\x71\x58\xdf\x82\x14\x32\x2a\x28\x8b\x7a\xab\x68\xa0"
      "\x3d\xdd\x3c\x5d\x31\xfb\x60\x9f\xd9\x34\x6d\x0c\x27\x6a\x21\xe6"
      "\xf0\x2e\x65\x83\x24\x50\x85\xb1\x81\xd3\xeb\x2c\x25\x5c\xab\xa4"
      "\x4a\xf3\x26\xa6\xd3\xc4\x47\x70\x5d\xda\xef\xe3\xfd\x46\x7a\xeb"
      "\xd5\x6f\x39\x06\x0d\x49\x3c\xe8\xa5\xf9\xe3\xb6\x63\x25\x48\xc8"
      "\x11\xef\xca\xc7\x0d\xeb\x2e\xc0\xfb\x00\x5a\x9d\x26\xdd\x2c\x61"
      "\xfe\x53\xd1\xaf\xe8\x99\xe8\xe4\x12\xab\x7c\x5b\x86\x5f\x98\xbd"
      "\x24\x73\x66\xce\xc0\x7a\x47\x35\x60\x97\x12\x98\x0f\xfc\xfd\xca"
      "\xb5\x0a\x70\xa9\xd6\x6c\x69\x61\x83\x34\x46\x97\x47\x31\xc1\x34"
      "\xbb\x12\x23\x66\x0e\x37\xc9\xeb\x8c\x48\xbd\xb0\xff\x48\x96\xba"
      "\xf5\x08\x3b\x4f\x0b\xba\xec\xa6\x36\xe4\x07\x6f\x0c\x49\xbe\xe8"
      "\x68\x98\x86\xd7\xb1\x67\x87\xef\x1f\x7e\x41\x03\xc5\x5f\xf9\x3c"
      "\x00\x3f\x8b\x1a\xc5\x6f\x88\x87\x90\xe2\x32\xa6\x0c\x11\xbd\xd8"
      "\x55\x30\xb8\x8a\x79\xa8\x4c\xbd\x0e\x58\x8e\xd8\x68\x6e\xba\xfd"
      "\x77\xab\x78\x06\x8f\x2a\x83\x78\x9a\xfc\xc0\xcb\xc6\xcd\xc7\x02"
      "\x76\xeb\x76\x49\xb7\x3f\x0f\x7e\x47\x61\xeb\xe2\xe2\xb8\xe2\xf2"
      "\x20\x86\x62\x18\x3e\xb2\x83\xfc\x35\x95\xbf\xd3\xfc\x16\x3c\x7c"
      "\xe4\x62\xd0\xf8\x77\xa1\xc7\xaa\x33\xb0\xe6\xd2\x9c\x5f\x34\xbc"
      "\xcc\x65\xba\x64\xe8\x76\xf4\xb9\xe5\x5f\x60\xe5\xa1\x9f\xa5\xcf"
      "\xf0\xbe\x49\x3c\x87\x02\x5e\x63\xd6\xbd\x1c\xbc\xb1\x1a\xe4\xde"
      "\x9e\xa9\x3f\x24\xa0\xc1\x7c\x82\xcd\x9b\x94\xa3\xfb\x92\xae\xce"
      "\xe3\x6f\x56\x17\x77\x5f\x27\x06\x63\x3c\x7a\x70\xc1\xd4\x7a\x23"
      "\x03\x4d\xb6\xd6\xbd\x51\x6c\x71\x23\x3b\x9d\x8c\x66\xb0\x17\x91"
      "\xaf\xa5\xb7\xd6\xb6\x57\x58\xaf\x2a\xf7\xd4\xa4\x74\xae\xfd\x91"
      "\x5f\xb8\x2a\x5f\xa4\xb7\xb6\x31\x5e\x34\xeb\xc1\x94\xd3\x18\x24"
      "\xa6\x90\x56\x4b\x27\x24\x3f\xa5\x4c\x9f\xcc\xa1\x37\x84\x5b\x01"
      "\x47\x15\xc7\x6c\x02\xd5\x85\x96\x96\xee\x29\x1c\xdf\x87\x57\xe0"
      "\x62\x2e\xac\x5d\x21\x90\x5a\xcf\x3c\xfb\xcc\x10\x53\xa2\x3b\xf3"
      "\x56\xf2\x60\xb5\x0e\x13\x5d\x8f\x24\x8d\x1f\x2a\x92\x1d\x19\x58"
      "\x5a\x2f\x91\xa2\x1d\x99\x9e\xd6\xff\x6f\x63\x2d\x3b\x68\xf0\xcf"
      "\x77\xdf\x76\x43\x9d\x3b\xdd\x89\x9a\x8e\x1a\xbc\x76\xe9\x70\x9f"
      "\xd7\x74\x17\x92\x5e\x1a\x02\xa9\xe8\x6a\x57\xb8\x35\xbd\xa2\xfc"
      "\x9e\x8d\xd2\x18\x3e\x99\x89\x1f\xd5\xde\x3f\x84\xa9\x90\x0d\x6c"
      "\x58\x64\xad\x31\xe6\x6d\xd6\x49\x65\x48\xc3\x94\x08\x68\x37\xaf"
      "\x5a\x5a\x20\xd4\x81\xf1\xd8\x24\x83\xe3\x07\xf5\x19\xbe\x82\x23"
      "\x8f\xb9\xbb\x2e\xd0\x79\x4b\x12\x91\xfc\xab\xa6\x2f\x37\x0d\xc3"
      "\xc3\x0c\xf1\x7d\xd3\x36\x3f\x66\xd4\xc4\x38\x5b\x80\x89\xb9\xb3"
      "\xc3\x5d\x4f\x74\xf4\x9a\xec\x17\xa2\x19\xcf\xa6\xea\xba\xcc\xfa"
      "\x3d\x42\xe1\xaf\xf7\xf9\x73\x5a\x30\x8c\xc8\xf5\x1c\x29\x74\xb7"
      "\x00\x40\xab\xe8\xd2\x1e\xf1\x46\xa6\x90\x47\xc4\xf7\x88\x96\x07"
      "\xc0\x14\x28\xdb\x27\x3b\x08\xda\x82\x15\x23\xfa\x00\x20\x53\x48"
      "\x85\x85\x5f\xfe\x24\xeb\x28\x14\x0b\x4d\x17\xe8\x07\x0e\xbe\xed"
      "\x94\xe0\x96\x63\x94\x63\x0d\xe5\x9f\x30\x56\x30\xc7\x7f\x4c\x6d"
      "\xf0\x12\xdd\xd5\x58\x30\x95\x80\x96\xf0\x8b\x4f\xfa\x0b\xe9\x55"
      "\x33\x34\xde\x95\xf6\x09\x74\x6c\x7b\xb9\x57\x53\x6f\xec\x5f\x5f"
      "\x66\xbd\xc0\x21\x2f\x55\x49\xbd\x26\x37\x25\x2e\x27\x8f\xe7\xcf"
      "\x63\xca\xd9\x67\x0e\x87\xfb\x22\x0b\x45\x06\xab\x5e\xfc\x9d\xab"
      "\xe1\x9a\x46\x84\x7a\x67\x27\x69\xd2\x58\x3f\x19\x05\x0c\xa3\x65"
      "\xa7\x12\xc3\x22\x4d\x4b\xc1\x38\x8e\xf0\xda\x64\x02\xf3\xa6\x0a"
      "\x95\x24\x65\x84\x80\xc6\x89\xa9\x9d\x17\xe2\x04\xe3\xa3\xcc\x0d"
      "\xac\xe4\x7f\x73\xa0\x6f\xf5\x67\x2b\x98\xee\xcf\xa5\xc6\x41\x8c"
      "\xdf\x12\xe4\x9a\x7c\xce\xae\xe7\x7d\x11\xbc\x70\x63\xd3\xbc\xfa"
      "\xce\x08\xc0\x4b\x59\x54\xf1\xe5\x0e\x52\xc7\x72\x74\xf7\x39\x83"
      "\xae\x3a\x55\xa8\xbc\xe3\xb4\x87\xc7\xc0\xa6\x1b\x14\x63\x7c\xda"
      "\x39\x26\x76\x8d\x27\x78\x97\x22\xad\x61\xec\xcc\xbd\x26\x36\xb1"
      "\x5c\x0e\x3a\x59\x51\xbe\xa4\xa6\x0a\x16\x5e\x64\x54\x51\xe6\x40"
      "\x1d\xba\xa4\x93\x5e\xc6\xd8\xd7\xa5\x06\x75\xe8\x64\x9c\x57\x87"
      "\xc5\x0a\x51\xb0\xde\x86\x9e\xde\x97\x9f\xd1\xd4\x14\xe5\xfe\xf1"
      "\xf1\xc5\xaa\x00\xbf\xa1\x6e\xf5\xaf\x9f\xf1\x13\x7b\xb6\xdc\xa2"
      "\x5d\xeb\xf8\x0d\xc2\xbb\x6a\x70\x21\x19\xa0\x17\x04\x41\xa2\x4f"
      "\xba\xa7\xe9\x9b\x26\xc5\xa2\xb9\xbc\x34\x7d\xf2\xff\x11\x9d\x98"
      "\xfb\xea\x0a\x94\xec\x4f\xb9\x9f\x63\x4f\x5d\xcb\x02\x6d\x7d\xbf"
      "\x18\x91\x1d\x65\xd8\xe6\x86\xa7\xf1\x12\xf8\xb9\x02\x3f\xb3\x8e"
      "\x5f\xb9\x15\x00\x8c\x4e\x2c\x48\xc1\xd8\xe7\x3e\x2f\xba\xfe\xe4"
      "\xc1\xa9\x07\x48\x59\xff\xfd\xbe\x58\xfb\x74\x1e\xa1\x5d\xec\x06"
      "\x94\x53\x70\xe4\xb3\xa7\x1b\xfe\x34\x5a\x01\x2e\x06\x3d\xe7\xfc"
      "\xfc\xf5\xda\x73\x97\xdd\x55\xae\x36\xbc\x42\x74\x22\xfc\xfc\x27"
      "\x3d\x3d\x86\x9d\x0d\x3e\x45\xf5\xd6\x8f\xc5\x29\x38\x96\x95\xb8"
      "\x6c\x56\x56\x81\xd6\x59\x58\x49\x75\x97\xce\x33\x59\xd3\x73\x93"
      "\x6e\xe5\x9b\x1f\x66\x5b\xfe\xda\x50\x65\x0a\xfc\x2f\x16\xf4\xd8"
      "\x11\x80\x53\x94\x42\x46\x02\x8a\x66\x06\x44\x50\xac\x21\xd0\xd4"
      "\x3f\xe6\x57\x5c\xfb\xfd\xc2\xfc\x6a\x71\xf5\xf4\x34\xf5\xd6\x91"
      "\x0b\x7c\xe3\xbc\x4a\x2a\xe3\x27\x8a\x11\x0c\x77\x22\xd7\x74\x76"
      "\xfa\xd8\xe8\x75\x0d\xa9\xd9\x69\xd3\x51\xad\xa5\x20\x71\x60\x1b"
      "\x93\xb7\x88\x25\xe6\x1e\xec\x73\xa3\xd0\xfa\x52\x5e\xce\x98\xc1"
      "\x4e\x41\x3a\x9e\x9a\xab\xb9\x10\x0e\x7f\x46\xdb\xce\x48\xb0\x1a"
      "\xe4\x3e\x9a\xef\x06\x36\x15\x9a\xfc\xe9\x0e\xbd\x41\x79\xf8\xa3"
      "\x90\x65\x8f\xbb\xb9\x17\x0c\x48\x49\x03\xf8\x74\x7a\x96\x19\x5e"
      "\xad\x24\xc6\x32\xd0\xf4\x29\x3c\xb5\x87\x4a\x5d\xec\x55\xb6\x03"
      "\x45\x77\x8f\x41\x50\x00\xfa\x92\xf5\x09\xfb\xff\xc8\xc1\x2d\x48"
      "\x6e\xf5\x1c\xa9\x64\x99\x33\xcb\x78\x17\x08\xae\xbe\x7b\x27\xee"
      "\xf6\x9e\x7e\x60\x79\xef\x80\x94\xaf\xe3\x4a\x6e\x29\x8a\xb3\x20"
      "\x3b\x72\xe8\x67\xee\x27\x14\x96\xb7\x8b\xae\x70\x1a\x66\x9c\x4e"
      "\xb9\xbd\x16\x09\xc9\xe0\x9b\x7b\xe5\x5b\xeb\x69\x03\x09\xcc\x5f"
      "\xf1\x16\xa5\x95\x24\x08\x60\x51\x3a\xdd\x3a\x23\x26\xd5\x41\x77"
      "\x52\xb2\xdb\xd0\xe9\xfd\xc3\x2a\xa1\xb5\xb1\xd4\x3f\xfd\x39\x1a"
      "\xa6\x32\x08\xe8\x6a\x27\x94\x8c\xcb\x2a\xc9\x0c\xf0\xd6\x21\x89"
      "\xfd\x76\x04\xd3\x5a\xcc\xf0\xa0\xa1\x48\x0b\x28\xf4\x79\x2f\x7c"
      "\xb9\xbe\x59\xf7\xcc\xf1\x64\xee\x95\x58\x41\x9b\xba\x75\x82\xb5"
      "\xa3\xf0\x17\x5f\x8b\xf9\x11\x61\x39\x47\x81\x6f\x4a\xdf\xd1\x42"
      "\x7f\xba\x23\x41\xc9\xff\x8f\xe7\xbc\x9a\xc3\x21\x9c\x59\xf5\x0f"
      "\x56\xe9\x5f\x44\x08\x9b\xa6\xb3\x33\x4a\xec\x0f\xb6\xda\xa8\xd1"
      "\xe7\xc4\xcf\x61\x17\x31\xcd\x67\x71\xfb\x4b\x04\x01\x04\xfa\x0c"
      "\x29\x1f\x98\xec\xae\xab\xdd\x20\xb1\x5a\x4e\x63\x0e\x27\xba\x16"
      "\x5d\x34\xf9\xee\x82\x91\xee\xb1\x4f\xbf\xec\x5c\x11\xd2\x1d\xde"
      "\x68\xfe\xd4\xa4\xb8\x6f\xd3\xc0\xdb\x86\x5c\x5f\x43\xea\x47\xa8"
      "\xc8\xef\x77\x4f\xe3\xbf\xf5\xaa\x32\xe6\x1c\x77\xb6\xa5\x64\x8a"
      "\x33\x66\x03\xdf\x65\xce\x0a\x55\xe5\x19\x2f\x0c\xf0\x61\xcb\xe1"
      "\x96\xe0\x3a\xa4\x25\x1b\xa8\x3c\xc8\x2c\xd5\x4a\x7f\xc7\x23\xae"
      "\x0a\x45\x07\xd5\xb6\xa7\xc7\x78\xe6\x14\x57\xb0\xde\x98\x25\xb5"
      "\xe0\xd6\x22\xee\xef\x50\x87\x8c\x8d\xdd\x15\xed\xa8\xb7\x98\x2b"
      "\x18\x07\x17\x32\xe3\x50\x51\x22\x29\x22\x1c\x6a\xdd\x24\xb9\x03"
      "\x20\x5a\xfb\x35\xd0\xe6\xbc\x1b\x25\x15\xd3\x52\x31\x2c\x04\xcd"
      "\x6e\x16\x17\xbb\x90\x86\x25\xc8\xe7\xcc\x58\xd0\x49\xd8\xd2\x1e"
      "\x7f\xd7\xea\x9c\xb1\xaf\x7a\x26\x5c\xe4\xbd\x2d\x25\xf0\xa0\x6c"
      "\xba\x40\x5c\x67\x35\x12\xe6\x3b\x7d\x5a\x81\x79\x31\x50\x2d\xee"
      "\x0c\xf9\x71\xed\xb9\xe3\x42\x87\xf9\x07\x7a\xdb\x42\xbe\x72\x3f"
      "\x28\x1a\xd9\x89\x9d\xc8\xd9\xdf\x4d\xc6\x97\xf3\x38\x91\x31\x06"
      "\x8f\xa9\x7d\xa2\x8b\x0b\x25\x0c\xba\x78\x9b\x98\x31\x86\xaf\xe8"
      "\xb8\x3f\x21\xca\x5f\xd9\x2e\x38\xd8\x67\xf0\x7f\xf9\xd7\x95\x05"
      "\x89\x0c\xdc\xe2\x16\x92\xd2\x67\x31\xbd\xd1\x71\x3a\x83\x9e\xb4"
      "\xee\x46\xa9\x06\x98\x5b\xfb\xc2\x02\xfc\x64\x0c\xce\x72\xee\xb0"
      "\x96\xf0\x24\xbb\xc3\xa5\xe3\x76\x91\xd6\xd9\xbb\x2d\xdb\xab\x96"
      "\xe9\x02\x8e\x12\xfb\x9d\xcf\x03\x29\x78\xc1\xea\xbf\x66\xbf\x48"
      "\xc9\xce\x56\x0a\x15\x7a\x69\x06\x3f\xf3\xd7\x70\x86\xe9\x04\x5c"
      "\x47\x26\x9b\xf4\xbc\x31\x64\xf2\x40\xc1\xa1\x50\xe0\x98\x25\xd0"
      "\xd2\xd0\x78\xd7\xc9\xe0\xe3\x7c\xff\x31\x72\x43\x06\x94\x9b\x6b"
      "\x2c\x70\x18\x73\xef\xe9\xe2\x7d\x96\x88\xdd\xdd\xae\xd6\xff\x07"
      "\x21\x35\xb1\x7c\xcb\x17\x1c\xc9\x3a\x31\xd1\xda\xe6\x05\x13\xb0"
      "\xa1\x9f\xba\x74\x24\x50\x7b\x6b\xff\x70\x84\xfd\xdc\xe4\x4c\x3f"
      "\x40\x56\x7d\x05\xe3\xa5\x1d\xdd\x53\x95\x3d\x73\x36\xe6\x26\x8c"
      "\xdb\x96\xe0\xb3\x7d\x4c\x2b\x60\x82\x47\x4e\xc0\x37\xf1\x4f\x91"
      "\x83\x60\xd5\x80\x6f\x96\x63\x20\x19\xb8\x7e\xa8\x4e\x73\xc8\x80"
      "\xa1\xe7\xca\x5a\xeb\x7c\x0d\xe3\x3c\xaa\xdb\xb9\xd8\x7b\xd8\x19"
      "\x71\x30\x03\x44\xb1\x31\x54\xa4\x0a\x17\xd3\x87\xc9\x5a\x1b\x2e"
      "\x7c\x94\x7d\xd7\x6f\x7b\xab\xc7\x55\xc5\xa1\x8f\x11\x60\x03\x69"
      "\xa7\x12\x36\xed\xbb\xc4\xc7\xc4\x90\x19\x02\xab\xf5\x7b\x8d\x39"
      "\xf5\xa0\x6c\x67\xdb\x27\xf3\x0c\xae\xb3\x2c\x1c\x50\x0b\xc5\x1e"
      "\x6e\x12\x87\x73\x05\x28\x43\xb7\x5d\xc6\x1d\x01\x66\xc3\x81\x44"
      "\x9a\xf6\x35\x2c\x56\x69\x58\x17\xc1\x7d\xe5\x8f\x95\xd6\xac\x93"
      "\x5b\xb8\x64\xa5\x44\xc9\x04\x41\xff\x74\x7c\xc3\xef\xba\x73\xe9"
      "\x68\x61\xba\x05\xb5\xf2\x9a\x1a\x61\x8d\x57\xe6\x98\x40\xff\x61"
      "\x90\x40\x14\x1d\x86\xab\xe3\xb3\xb1\x2c\x1e\xb3\x22\xfe\x77\x8d"
      "\xcf\xa7\x75\x30\x47\x9d\xa0\xbe\x03\x5b\x90\xb5\x2d\x4d\x3c\x64"
      "\x5a\xa4\xbf\xfc\x32\xe4\x94\x14\x63\xb2\x00\x93\x82\x12\x60\x32"
      "\x6e\x25\x14\x16\x4b\xd5\x6c\x01\xe3\x69\x3e\xc1\x3b\xb1\xe6\xaa"
      "\x90\xdc\x44\xe0\x90\xcd\x8d\x44\x98\xd4\xba\x04\xc4\x00\x93\x57"
      "\x85\x47\x2b\x34\xac\xaa\x1d\x03\xf2\xaa\x46\x1b\x0c\x5c\x9b\x07"
      "\x62\xfe\x85\xd0\x03\x05\xd9\xb9\x3d\x97\x35\xf7\x77\xcf\x1d\x68"
      "\x99\x9b\x92\xb9\xd0\xc0\xb8\x8d\x43\x35\x22\x5c\xcd\x08\x76\xe9"
      "\xdb\x9c\x1c\x9a\x41\xa7\x98\x33\xf9\x0f\xfc\x0d\xe6\xdd\x49\x46"
      "\x2f\x89\xeb\x94\xca\xd7\xf9\x3c\x71\x63\xe7\x1c\x60\x9c\x79\x9a"
      "\x05\x66\x31\x2e\x87\xe9\xa2\x08\xab\x12\xf3\xc6\x7f\xb1\xcd\xbe"
      "\xa9\x03\x79\x6c\x00\xa1\xff\x45\x1f\x12\x93\x34\xfb\x22\x6a\x9a"
      "\x33\x67\x8e\x25\x4a\x1d\xae\xec\x13\x28\x8f\x6f\xda\xc3\x4b\xed"
      "\x38\x48\x9c\x24\x3b\xdf\x08\x91\x7e\xf4\xb9\x56\x92\x97\xc9\x11"
      "\xed\x17\x98\xc1\x38\x7b\x76\x12\x90\x5c\x15\x16\x15\x45\xbf\x65"
      "\xd2\x7c\x83\xc3\x7f\x73\x01\xdd\xa8\xef\xf4\x76\x9b\x85\xbf\xfc"
      "\xf5\x44\x44\xd0\x97\x88\x5a\xcc\xd7\x32\xfe\x91\x69\x36\xf4\xed"
      "\xa7\x3a\x47\xad\x79\x81\x6e\xe6\xb0\x15\x39\xec\x25\x10\xaf\x0d"
      "\x7e\xf4\x62\x38\xd5\x2a\x13\x32\x94\xdc\x16\xbd\x91\xd9\xe3\x26"
      "\x67\xe9\xb6\xbb\x99\x02\xe8\xbd\x8d\x24\x9d\xbf\xfa\x42\x5b\x2a"
      "\x00\xc4\x2f\x2a\x91\xb4\xdc\xab\xf5\xbb\xd9\xc4\xab\x3f\x0d\x2e"
      "\xd0\x2c\xd0\x01\x11\xf4\xbf\xcd\x05\x3a\x25\x9b\x9d\xe9\xd1\x66"
      "\x27\xfd\x1f\xf5\x14\x90\x26\x1c\x34\x65\xee\x4c\xb0\xa7\xc8\xc8"
      "\x77\x7b\x71\x74\xba\xe5\x82\x70\x42\x1b\x75\xe3\xcd\x77\xd6\x3e"
      "\x9d\x4a\x17\x5e\xd0\xed\x8a\xf3\xbf\x14\x0f\x08\x62\xe1\xb9\x18"
      "\x88\x95\x10\x40\xeb\xbd\x13\x97\xa3\x7d\x0c\xd9\xf2\x33\x1c\x89"
      "\x9d\xad\x8e\xce\x39\xe8\xb4\x4c\xd2\xae\xd6\x1e\x03\x86\x28\x55"
      "\x30\xe6\x1a\xae\x7b\xb3\x49\x24\x50\xfa\xd3\x2a\xb7\xcf\x43\x51"
      "\x1e\x7e\x84\xe9\x02\x63\xc2\x18\xfd\x9d\xbb\xe1\xa8\xc4\xa3\x0b"
      "\x81\xfe\xc2\x79\xa2\x58\x01\xea\x96\xef\xe2\x68\xeb\xb3\xdc\xbc"
      "\x1e\x3c\x8c\x4d\x55\x90\x84\x12\xa8\x51\x7c\x83\xb0\xae\xc6\x46"
      "\xa5\x6a\xef\x07\x3c\xe3\x43\xcc\xd8\x31\xeb\x27\x77\x19\xae"
      "\x66",
      4096);
  memcpy((void*)0x20034084,
         "\x87\x46\x37\x92\xf6\xab\x9a\xe9\xf1\x29\xbf\xb5\x9d\x61\xab"
         "\x1f\xf8\x8a\x94\x08\x80\x04\x4f\x4e\x9c\x2f\x54\x63\x00\x2f"
         "\xae\x4d\xd5\xbd\x39\xcb\xac\xce\x17\x9f\xb0\xa6\x55\x49\x03"
         "\xb4\x20\xb9\xa2\x2e\x42\xd5\xaf\x7a\x6c\xac\x94\x3e\x6d\x3f"
         "\xde\xcc",
         62);
  *(uint64_t*)0x20034000 = (uint64_t)0x12;
  *(uint32_t*)0x20034008 = (uint32_t)0x9;
  *(uint32_t*)0x2003400c = (uint32_t)0x5;
  *(uint8_t*)0x20034010 = (uint8_t)0x8;
  *(uint8_t*)0x20034011 = (uint8_t)0xfffffffffffffff9;
  *(uint64_t*)0x20034012 = (uint64_t)0x12;
  *(uint32_t*)0x2003401a = (uint32_t)0xf63;
  *(uint32_t*)0x2003401e = (uint32_t)0xe7;
  *(uint8_t*)0x20034022 = (uint8_t)0x2;
  *(uint8_t*)0x20034023 = (uint8_t)0xd931;
  *(uint64_t*)0x20034024 = (uint64_t)0x12;
  *(uint32_t*)0x2003402c = (uint32_t)0x9;
  *(uint32_t*)0x20034030 = (uint32_t)0x3;
  *(uint8_t*)0x20034034 = (uint8_t)0xac5;
  *(uint8_t*)0x20034035 = (uint8_t)0x6;
  r[49] = syscall(SYS_sendmsg, r[10], 0x20021fd6ul, 0x1ul, 0, 0, 0);
  *(uint64_t*)0x20006ff8 = (uint64_t)0x2003dfec;
  *(uint32_t*)0x20007000 = (uint32_t)0x14;
  *(uint64_t*)0x20007008 = (uint64_t)0x2003d671;
  *(uint64_t*)0x20007010 = (uint64_t)0x5;
  *(uint64_t*)0x20007018 = (uint64_t)0x20015f4c;
  *(uint64_t*)0x20007020 = (uint64_t)0xb4;
  *(uint32_t*)0x20007028 = (uint32_t)0x7;
  *(uint64_t*)0x2003d671 = (uint64_t)0x2003dfdb;
  *(uint64_t*)0x2003d679 = (uint64_t)0x25;
  *(uint64_t*)0x2003d681 = (uint64_t)0x20000000;
  *(uint64_t*)0x2003d689 = (uint64_t)0x0;
  *(uint64_t*)0x2003d691 = (uint64_t)0x2003de92;
  *(uint64_t*)0x2003d699 = (uint64_t)0x1000;
  *(uint64_t*)0x2003d6a1 = (uint64_t)0x2003dffb;
  *(uint64_t*)0x2003d6a9 = (uint64_t)0xe;
  *(uint64_t*)0x2003d6b1 = (uint64_t)0x2003dfc5;
  *(uint64_t*)0x2003d6b9 = (uint64_t)0x67;
  r[67] = syscall(SYS_recvmsg, r[10], 0x20006ff8ul, 0x1ul, 0, 0, 0);
  return 0;
}

* Re: crypto: GPF in scatterwalk_start
  2016-01-19  8:30 crypto: GPF in scatterwalk_start Dmitry Vyukov
@ 2016-01-19  8:35 ` Herbert Xu
  2016-01-19  8:55   ` Dmitry Vyukov
  2016-01-19 13:23 ` Herbert Xu
  1 sibling, 1 reply; 4+ messages in thread
From: Herbert Xu @ 2016-01-19  8:35 UTC
  To: Dmitry Vyukov
  Cc: David S. Miller, linux-crypto, LKML, syzkaller,
	Kostya Serebryany, Alexander Potapenko, Sasha Levin,
	Eric Dumazet

On Tue, Jan 19, 2016 at 09:30:40AM +0100, Dmitry Vyukov wrote:
> Hello,
> 
> The following program causes GPF in scatterwalk_start.
> 
> Herbert, I am on commit 5807fcaa9bf7dd87241df739161c119cf78a6bc4 with
> all your fixes applied, including the fix for out-of-bounds in
> skcipher_recvmsg.

Does it happen without the out-of-bounds patch?

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

* Re: crypto: GPF in scatterwalk_start
  2016-01-19  8:35 ` Herbert Xu
@ 2016-01-19  8:55   ` Dmitry Vyukov
  0 siblings, 0 replies; 4+ messages in thread
From: Dmitry Vyukov @ 2016-01-19  8:55 UTC
  To: syzkaller
  Cc: David S. Miller, linux-crypto, LKML, Kostya Serebryany,
	Alexander Potapenko, Sasha Levin, Eric Dumazet

On Tue, Jan 19, 2016 at 9:35 AM, Herbert Xu <herbert@gondor.apana.org.au> wrote:
> On Tue, Jan 19, 2016 at 09:30:40AM +0100, Dmitry Vyukov wrote:
>> Hello,
>>
>> The following program causes GPF in scatterwalk_start.
>>
>> Herbert, I am on commit 5807fcaa9bf7dd87241df739161c119cf78a6bc4 with
>> all your fixes applied, including the fix for out-of-bounds in
>> skcipher_recvmsg.
>
> Does it happen without the out-of-bounds patch?


Yes, also happens on e31835ad3abc6809703d3bbd2400bdd6285f8fea of
git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6.git

BUG: unable to handle kernel NULL pointer dereference at 0000000000000014
IP: [<     inline     >] scatterwalk_start crypto/scatterwalk.c:35
IP: [<ffffffff817d8880>] scatterwalk_pagedone.part.8+0x30/0x50
crypto/scatterwalk.c:69
PGD 33f70067 PUD 3a328067 PMD 0
Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
Modules linked in:
CPU: 0 PID: 6290 Comm: a.out Not tainted 4.4.0+ #4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88007979ad80 ti: ffff880076618000 task.ti: ffff880076618000
RIP: 0010:[<ffffffff817d8880>]  [<ffffffff817d8880>]
scatterwalk_pagedone.part.8+0x30/0x50
RSP: 0018:ffff88007661ba88  EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff88007661bbb0 RCX: 0000000000000000
RDX: 0000000000001000 RSI: ffff88003607f000 RDI: ffff88003499b3d8
RBP: ffff88007661ba90 R08: ffff88003499b3d8 R09: 0000000000000e62
R10: 0000000000000003 R11: 00000000f5dacfff R12: 000000000000000b
R13: 000000000000000b R14: ffff88007979ad80 R15: ffff88007661bbb0
FS:  00000000017c4880(0063) GS:ffff88003ec00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000014 CR3: 0000000036024000 CR4: 00000000000006f0
Stack:
 0000000000000005 ffff88007661bad8 ffffffff817d8ac1 000000007661bb90
 ffff8800371f301b ffff88007661bb90 0000000000000003 0000000000000010
 ffff88007661bc60 0000000000000010 ffff88007661bb10 ffffffff817db557
Call Trace:
 [<     inline     >] scatterwalk_pagedone crypto/scatterwalk.c:82
 [<ffffffff817d8ac1>] scatterwalk_copychunks+0x31/0x100 crypto/scatterwalk.c:102
 [<     inline     >] blkcipher_next_slow crypto/blkcipher.c:175
 [<ffffffff817db557>] blkcipher_walk_next+0x327/0x3a0 crypto/blkcipher.c:254
 [<ffffffff817db0a3>] blkcipher_walk_done+0x113/0x2a0 crypto/blkcipher.c:133
 [<ffffffff817f64fd>] crypto_ctr_crypt+0x11d/0x2a0 crypto/ctr.c:147
 [<     inline     >] skcipher_crypt_blkcipher crypto/skcipher.c:66
 [<ffffffff817db8de>] skcipher_decrypt_blkcipher+0x3e/0x40 crypto/skcipher.c:84
 [<     inline     >] crypto_skcipher_decrypt include/crypto/skcipher.h:363
 [<     inline     >] skcipher_recvmsg_sync crypto/algif_skcipher.c:680
 [<ffffffff8181cb1f>] skcipher_recvmsg+0x6ef/0x8b0 crypto/algif_skcipher.c:710
 [<     inline     >] sock_recvmsg_nosec net/socket.c:713
 [<ffffffff823208a6>] sock_recvmsg+0x36/0x40 net/socket.c:721
 [<ffffffff82321793>] ___sys_recvmsg+0xc3/0x1c0 net/socket.c:2099
 [<ffffffff8232251d>] __sys_recvmsg+0x3d/0x70 net/socket.c:2145
 [<     inline     >] SYSC_recvmsg net/socket.c:2157
 [<ffffffff8232255d>] SyS_recvmsg+0xd/0x20 net/socket.c:2152
 [<ffffffff82876076>] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185
Code: 8b 47 08 48 89 fb 05 ff 0f 00 00 25 00 f0 ff ff 89 47 08 48 8b
3f 8b 57 14 03 57 10 39 d0 73 03 5b 5d c3 e8 93 fe 08 00 48 89 03 <8b>
50 14 85 d2 74 09 8b 40 10 89 43 08 5b 5d c3 e8 7d a2 04 00
RIP  [<     inline     >] scatterwalk_start crypto/scatterwalk.c:35
RIP  [<ffffffff817d8880>] scatterwalk_pagedone.part.8+0x30/0x50
crypto/scatterwalk.c:69
 RSP <ffff88007661ba88>
CR2: 0000000000000014
---[ end trace 1b3652d0252e863c ]---


* Re: crypto: GPF in scatterwalk_start
  2016-01-19  8:30 crypto: GPF in scatterwalk_start Dmitry Vyukov
  2016-01-19  8:35 ` Herbert Xu
@ 2016-01-19 13:23 ` Herbert Xu
  1 sibling, 0 replies; 4+ messages in thread
From: Herbert Xu @ 2016-01-19 13:23 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: David S. Miller, linux-crypto, LKML, syzkaller,
	Kostya Serebryany, Alexander Potapenko, Sasha Levin,
	Eric Dumazet, Tadeusz Struk

On Tue, Jan 19, 2016 at 09:30:40AM +0100, Dmitry Vyukov wrote:
> 
> The following program causes GPF in scatterwalk_start.
> 
> Herbert, I am on commit 5807fcaa9bf7dd87241df739161c119cf78a6bc4 with
> all your fixes applied, including the fix for out-of-bounds in
> skcipher_recvmsg.

OK this is an off-by-one bug in skcipher_sendmsg.

---8<---
Subject: crypto: algif_skcipher - sendmsg SG marking is off by one

We mark the end of the SG list in sendmsg and sendpage and unmark
it on the next send call.  Unfortunately the unmarking in sendmsg
is off-by-one, leading to an SG list that is too short.

Fixes: 0f477b655a52 ("crypto: algif - Mark sgl end at the end of data")
Cc: stable@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
index 76ecb40..38c1aa8 100644
--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -392,7 +392,8 @@ static int skcipher_sendmsg(struct socket *sock, struct msghdr *msg,
 
 		sgl = list_entry(ctx->tsgl.prev, struct skcipher_sg_list, list);
 		sg = sgl->sg;
-		sg_unmark_end(sg + sgl->cur);
+		if (sgl->cur)
+			sg_unmark_end(sg + sgl->cur - 1);
 		do {
 			i = sgl->cur;
 			plen = min_t(size_t, len, PAGE_SIZE);
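Review bot: The new "if (sgl->cur)" guard in skcipher_sendmsg skips the unmark entirely when the tail skcipher_sg_list has no entries in use, and nothing in the hunk says why that is safe. sgl is taken from ctx->tsgl.prev, so if an empty tail list can ever follow an earlier list whose last entry still carries the end mark, that mark would survive this call just as it did before the fix. A short comment above the guard stating the invariant (sgl->cur == 0 means there is no marked entry to clear), or explicit handling of the earlier list, would make this checkable. The commit message also says sendpage unmarks on the next send call; it would help to say there whether the sendpage path needs the same change, since this patch touches only skcipher_sendmsg.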
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
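
The marking scheme described in the commit message above, as a small user-space model added here (not code from this thread or from the kernel): each send unmarks the previous end entry, appends data and marks the new end, and a consumer walks until the first end mark. The toy_* names, MAX_SG and the 16 and 11 byte sizes are constructed for illustration; chaining between lists is not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#define MAX_SG 8
/* Toy stand-ins for struct scatterlist and struct skcipher_sg_list. */
struct toy_sg  { size_t length; bool end; };
struct toy_sgl { struct toy_sg sg[MAX_SG]; unsigned int cur; /* entries in use */ };

/* One send call: unmark the old end, append one entry, mark the new end. */
static void toy_send(struct toy_sgl *sgl, size_t len, bool fixed)
{
    if (sgl->cur >= MAX_SG)
        return;                                 /* model has no chaining */
    if (!fixed)
        sgl->sg[sgl->cur].end = false;          /* unused slot: old mark survives */
    else if (sgl->cur)
        sgl->sg[sgl->cur - 1].end = false;      /* the entry that carries the mark */
    sgl->sg[sgl->cur].length = len;
    sgl->sg[sgl->cur].end = true;               /* new last entry */
    sgl->cur++;
}

/* Bytes a consumer reaches when it walks until the first end mark. */
static size_t toy_walk_bytes(const struct toy_sgl *sgl)
{
    size_t total = 0;
    for (unsigned int i = 0; i < sgl->cur; i++) {
        total += sgl->sg[i].length;
        if (sgl->sg[i].end)
            break;
    }
    return total;
}

/* Two sends of 16 and 11 bytes (constructed sizes), then walk the list. */
static size_t toy_two_sends(bool fixed)
{
    struct toy_sgl sgl = { .cur = 0 };
    toy_send(&sgl, 16, fixed);
    toy_send(&sgl, 11, fixed);
    return toy_walk_bytes(&sgl);
}

int main(void)
{
    printf("old unmark: %zu of 27 bytes reachable\n", toy_two_sends(false));
    printf("new unmark: %zu of 27 bytes reachable\n", toy_two_sends(true));
    return 0;
}
```

With the old index the stale mark on the first entry ends the walk after 16 bytes even though 27 were queued, which is the "SG list that is too short" condition the commit message names.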
