* [PATCH] vgacon: fix a UAF in do_update_region()
@ 2020-07-13 11:04 ` Yang Yingliang
From: Yang Yingliang @ 2020-07-13  3:05 UTC (permalink / raw)
  To: b.zolnierkie; +Cc: linux-fbdev, linux-kernel, dri-devel, yangyingliang

I got a UAF report in do_update_region() when I was doing a fuzz test.

[   51.161905] BUG: KASAN: use-after-free in do_update_region+0x579/0x600
[   51.161918] Read of size 2 at addr ffff888000100000 by task test/295

[   51.161957] CPU: 2 PID: 295 Comm: test Not tainted 5.7.0+ #975
[   51.161969] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[   51.161976] Call Trace:
[   51.162001]  dump_stack+0xc6/0x11e
[   51.162019]  ? do_update_region+0x579/0x600
[   51.162047]  print_address_description.constprop.6+0x1a/0x220
[   51.162083]  ? vprintk_func+0x66/0xed
[   51.162100]  ? do_update_region+0x579/0x600
[   51.162112]  ? do_update_region+0x579/0x600
[   51.162128]  kasan_report.cold.9+0x37/0x7c
[   51.162151]  ? do_update_region+0x579/0x600
[   51.162173]  do_update_region+0x579/0x600
[   51.162207]  ? con_get_trans_old+0x230/0x230
[   51.162229]  ? retint_kernel+0x10/0x10
[   51.162278]  csi_J+0x557/0xa00
[   51.162307]  do_con_trol+0x49af/0x5cc0
[   51.162330]  ? lock_downgrade+0x720/0x720
[   51.162347]  ? reset_palette+0x1b0/0x1b0
[   51.162369]  ? lockdep_hardirqs_on_prepare+0x379/0x540
[   51.162393]  ? notifier_call_chain+0x11b/0x160
[   51.162438]  do_con_write.part.24+0xb0a/0x1a30
[   51.162501]  ? do_con_trol+0x5cc0/0x5cc0
[   51.162522]  ? console_unlock+0x7b8/0xb00
[   51.162555]  ? __mutex_unlock_slowpath+0xd4/0x670
[   51.162574]  ? this_tty+0xe0/0xe0
[   51.162589]  ? console_unlock+0x559/0xb00
[   51.162605]  ? wait_for_completion+0x260/0x260
[   51.162638]  con_write+0x31/0xb0
[   51.162658]  n_tty_write+0x4fa/0xd40
[   51.162710]  ? n_tty_read+0x1800/0x1800
[   51.162730]  ? prepare_to_wait_exclusive+0x270/0x270
[   51.162754]  ? __might_fault+0x175/0x1b0
[   51.162783]  tty_write+0x42b/0x8d0
[   51.162795]  ? n_tty_read+0x1800/0x1800
[   51.162825]  ? tty_lookup_driver+0x450/0x450
[   51.162848]  __vfs_write+0x7c/0x100
[   51.162875]  vfs_write+0x1c9/0x510
[   51.162901]  ksys_write+0xff/0x200
[   51.162918]  ? __ia32_sys_read+0xb0/0xb0
[   51.162940]  ? do_syscall_64+0x1a/0x520
[   51.162957]  ? lockdep_hardirqs_on_prepare+0x379/0x540
[   51.162984]  do_syscall_64+0xa1/0x520
[   51.163008]  entry_SYSCALL_64_after_hwframe+0x49/0xb3

After vgacon_set_origin() is called in set_origin(), vc_origin is set to
vga_vram_base, and vc_pos should be between vga_vram_base and
vga_vram_end. But we still use vc_screenbuf_size; if vga_vram_size is
smaller than vc_screenbuf_size, vc_pos may be out of bounds, and using
it will cause a use-after-free (or out-of-bounds access). Fix this by
calling vc_resize() if vga_vram_size is smaller than vc_screenbuf_size.

Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 drivers/video/console/vgacon.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c
index b51ffb9a208d..2eabb86bb0dd 100644
--- a/drivers/video/console/vgacon.c
+++ b/drivers/video/console/vgacon.c
@@ -1341,6 +1341,9 @@ static int vgacon_set_origin(struct vc_data *c)
 	if (vga_is_gfx ||	/* We don't play origin tricks in graphic modes */
 	    (console_blanked && !vga_palette_blanked))	/* Nor we write to blanked screens */
 		return 0;
+
+	if (c->vc_screenbuf_size > vga_vram_size)
+		vc_resize(c, screen_info.orig_video_cols, screen_info.orig_video_lines);
 	c->vc_origin = c->vc_visible_origin = vga_vram_base;
 	vga_set_mem_top(c);
 	vga_rolled_over = 0;
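Review bot: the return value of vc_resize() on the new line is discarded, and vgacon_set_origin() returns int, so when the resize fails the function still falls through to `c->vc_origin = c->vc_visible_origin = vga_vram_base;` with the oversized vc_screenbuf_size still in place, which is exactly the state the commit message says produces an out-of-bounds vc_pos. Check the result and bail out before moving the origin, for example `if (vc_resize(c, screen_info.orig_video_cols, screen_info.orig_video_lines)) return 0;`, leaving the origin untouched the way the graphics/blanked early return above already does. It would also help to say in the commit message why a screen_info.orig_video_cols x orig_video_lines console is guaranteed to fit in vga_vram_size, since the condition compares the buffer against vga_vram_size but the replacement geometry is taken from screen_info.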
-- 
2.25.1
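The geometry mismatch the commit message describes, as an added user-space C model written for this page (it is not kernel code and not part of the patch): the VRAM window, the vc_data fields involved, vc_pos and vc_scr_end as vt.c derives them, and the unpatched and patched forms of vgacon_set_origin(). All addresses and sizes are constructed, vc_resize() is stood in for by a direct recomputation of rows and columns, and 80x25 stands in for screen_info.orig_video_cols and orig_video_lines.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Text-mode VGA window; the base address is a constructed placeholder. */
struct vga_window {
	uintptr_t base;		/* vga_vram_base */
	size_t size;		/* vga_vram_size; vga_vram_end = base + size */
};

/* The subset of struct vc_data that the bug involves. */
struct vc_model {
	unsigned int rows, cols;	/* vc_rows, vc_cols */
	unsigned int x, y;		/* cursor column and row */
	size_t screenbuf_size;		/* vc_screenbuf_size = rows * cols * 2 */
	uintptr_t origin;		/* vc_origin */
};

/* vt.c derives vc_pos and vc_scr_end from the origin and the geometry
 * (vc_size_row is two bytes per character cell). */
static uintptr_t vc_pos(const struct vc_model *vc)
{
	return vc->origin + (uintptr_t)vc->cols * 2 * vc->y + 2 * vc->x;
}

static uintptr_t vc_scr_end(const struct vc_model *vc)
{
	return vc->origin + vc->screenbuf_size;
}

/* Unpatched vgacon_set_origin(): move the origin into VRAM and leave the
 * screen buffer size alone. */
static void set_origin_unpatched(struct vc_model *vc, const struct vga_window *vga)
{
	vc->origin = vga->base;
}

/* Patched vgacon_set_origin(): if the screen buffer is bigger than VRAM,
 * shrink the console to the firmware's original geometry first. vc_resize()
 * is modelled here by recomputing rows/cols and clamping the cursor. */
static void set_origin_patched(struct vc_model *vc, const struct vga_window *vga,
			       unsigned int orig_cols, unsigned int orig_lines)
{
	if (vc->screenbuf_size > vga->size) {
		vc->cols = orig_cols;
		vc->rows = orig_lines;
		vc->screenbuf_size = (size_t)orig_cols * orig_lines * 2;
		if (vc->x >= vc->cols)
			vc->x = vc->cols - 1;
		if (vc->y >= vc->rows)
			vc->y = vc->rows - 1;
	}
	vc->origin = vga->base;
}

/* csi_J(vc, 0), "erase from cursor to end of display", is the caller in the
 * KASAN trace: it hands do_update_region() the range [vc_pos, vc_scr_end).
 * The reads stay in bounds only if that range lies inside the VRAM window. */
bool erase_to_end_in_bounds(const struct vc_model *vc, const struct vga_window *vga)
{
	uintptr_t lo = vc_pos(vc), hi = vc_scr_end(vc);
	return lo >= vga->base && lo <= hi && hi <= vga->base + vga->size;
}

/* Constructed scenario: 32 KiB of text VRAM and a console that was resized
 * to 200 columns by 200 rows, i.e. an 80000-byte screen buffer. */
static void constructed_case(struct vc_model *vc, struct vga_window *vga)
{
	vga->base = 0x10000000;		/* placeholder address */
	vga->size = 0x8000;
	vc->cols = vc->rows = 200;
	vc->x = 10; vc->y = 5;
	vc->screenbuf_size = (size_t)vc->rows * vc->cols * 2;
	vc->origin = 0x20000000;	/* placeholder for the kmalloc'ed vc_screenbuf */
}

/* Run the constructed case through either version of set_origin and report
 * whether the erase-to-end region stays inside VRAM. Unpatched, the region
 * ends 80000 - 32768 bytes past vga_vram_end; patched, 80x25 = 4000 bytes fit. */
bool constructed_case_in_bounds(bool patched)
{
	struct vc_model vc;
	struct vga_window vga;

	constructed_case(&vc, &vga);
	if (patched)
		set_origin_patched(&vc, &vga, 80, 25);
	else
		set_origin_unpatched(&vc, &vga);
	return erase_to_end_in_bounds(&vc, &vga);
}

int main(void)
{
	printf("unpatched: erase-to-end in bounds = %d\n", constructed_case_in_bounds(false));
	printf("patched:   erase-to-end in bounds = %d\n", constructed_case_in_bounds(true));
	return 0;
}
```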


* Re: [PATCH] vgacon: fix a UAF in do_update_region()
  2020-07-13 11:04 ` Yang Yingliang
@ 2020-10-17 12:25   ` Sam Ravnborg
From: Sam Ravnborg @ 2020-10-17 12:25 UTC (permalink / raw)
  To: Yang Yingliang, Greg Kroah-Hartman
  Cc: b.zolnierkie, linux-fbdev, linux-kernel, dri-devel

Hi Yang.

Can you please resend and include Greg in the recipient list?
Greg is the maintainer of the console subsystem these days.

	Sam

On Mon, Jul 13, 2020 at 11:04:45AM +0000, Yang Yingliang wrote:
> I got a UAF report in do_update_region() when I was doing a fuzz test.
> 
> [   51.161905] BUG: KASAN: use-after-free in do_update_region+0x579/0x600
> [   51.161918] Read of size 2 at addr ffff888000100000 by task test/295
> 
> [   51.161957] CPU: 2 PID: 295 Comm: test Not tainted 5.7.0+ #975
> [   51.161969] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
> [   51.161976] Call Trace:
> [   51.162001]  dump_stack+0xc6/0x11e
> [   51.162019]  ? do_update_region+0x579/0x600
> [   51.162047]  print_address_description.constprop.6+0x1a/0x220
> [   51.162083]  ? vprintk_func+0x66/0xed
> [   51.162100]  ? do_update_region+0x579/0x600
> [   51.162112]  ? do_update_region+0x579/0x600
> [   51.162128]  kasan_report.cold.9+0x37/0x7c
> [   51.162151]  ? do_update_region+0x579/0x600
> [   51.162173]  do_update_region+0x579/0x600
> [   51.162207]  ? con_get_trans_old+0x230/0x230
> [   51.162229]  ? retint_kernel+0x10/0x10
> [   51.162278]  csi_J+0x557/0xa00
> [   51.162307]  do_con_trol+0x49af/0x5cc0
> [   51.162330]  ? lock_downgrade+0x720/0x720
> [   51.162347]  ? reset_palette+0x1b0/0x1b0
> [   51.162369]  ? lockdep_hardirqs_on_prepare+0x379/0x540
> [   51.162393]  ? notifier_call_chain+0x11b/0x160
> [   51.162438]  do_con_write.part.24+0xb0a/0x1a30
> [   51.162501]  ? do_con_trol+0x5cc0/0x5cc0
> [   51.162522]  ? console_unlock+0x7b8/0xb00
> [   51.162555]  ? __mutex_unlock_slowpath+0xd4/0x670
> [   51.162574]  ? this_tty+0xe0/0xe0
> [   51.162589]  ? console_unlock+0x559/0xb00
> [   51.162605]  ? wait_for_completion+0x260/0x260
> [   51.162638]  con_write+0x31/0xb0
> [   51.162658]  n_tty_write+0x4fa/0xd40
> [   51.162710]  ? n_tty_read+0x1800/0x1800
> [   51.162730]  ? prepare_to_wait_exclusive+0x270/0x270
> [   51.162754]  ? __might_fault+0x175/0x1b0
> [   51.162783]  tty_write+0x42b/0x8d0
> [   51.162795]  ? n_tty_read+0x1800/0x1800
> [   51.162825]  ? tty_lookup_driver+0x450/0x450
> [   51.162848]  __vfs_write+0x7c/0x100
> [   51.162875]  vfs_write+0x1c9/0x510
> [   51.162901]  ksys_write+0xff/0x200
> [   51.162918]  ? __ia32_sys_read+0xb0/0xb0
> [   51.162940]  ? do_syscall_64+0x1a/0x520
> [   51.162957]  ? lockdep_hardirqs_on_prepare+0x379/0x540
> [   51.162984]  do_syscall_64+0xa1/0x520
> [   51.163008]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
> 
> After vgacon_set_origin() is called in set_origin(), vc_origin is set to
> vga_vram_base, and vc_pos should be between vga_vram_base and
> vga_vram_end. But we still use vc_screenbuf_size; if vga_vram_size is
> smaller than vc_screenbuf_size, vc_pos may be out of bounds, and using
> it will cause a use-after-free (or out-of-bounds access). Fix this by
> calling vc_resize() if vga_vram_size is smaller than vc_screenbuf_size.
> 
> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
> ---
>  drivers/video/console/vgacon.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c
> index b51ffb9a208d..2eabb86bb0dd 100644
> --- a/drivers/video/console/vgacon.c
> +++ b/drivers/video/console/vgacon.c
> @@ -1341,6 +1341,9 @@ static int vgacon_set_origin(struct vc_data *c)
>  	if (vga_is_gfx ||	/* We don't play origin tricks in graphic modes */
>  	    (console_blanked && !vga_palette_blanked))	/* Nor we write to blanked screens */
>  		return 0;
> +
> +	if (c->vc_screenbuf_size > vga_vram_size)
> +		vc_resize(c, screen_info.orig_video_cols, screen_info.orig_video_lines);
>  	c->vc_origin = c->vc_visible_origin = vga_vram_base;
>  	vga_set_mem_top(c);
>  	vga_rolled_over = 0;
> -- 
> 2.25.1
> 

* [PATCH resend] vgacon: fix a UAF in do_update_region()
  2020-10-17 12:25   ` Sam Ravnborg
@ 2020-10-20  9:02     ` Yang Yingliang
From: Yang Yingliang @ 2020-10-20  9:02 UTC (permalink / raw)
  To: Sam Ravnborg, Greg Kroah-Hartman
  Cc: b.zolnierkie, linux-fbdev, linux-kernel, dri-devel, yangyingliang

I got a UAF report in do_update_region() when I was doing a fuzz test.

[   51.161905] BUG: KASAN: use-after-free in do_update_region+0x579/0x600
[   51.161918] Read of size 2 at addr ffff888000100000 by task test/295

[   51.161957] CPU: 2 PID: 295 Comm: test Not tainted 5.7.0+ #975
[   51.161969] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[   51.161976] Call Trace:
[   51.162001]  dump_stack+0xc6/0x11e
[   51.162019]  ? do_update_region+0x579/0x600
[   51.162047]  print_address_description.constprop.6+0x1a/0x220
[   51.162083]  ? vprintk_func+0x66/0xed
[   51.162100]  ? do_update_region+0x579/0x600
[   51.162112]  ? do_update_region+0x579/0x600
[   51.162128]  kasan_report.cold.9+0x37/0x7c
[   51.162151]  ? do_update_region+0x579/0x600
[   51.162173]  do_update_region+0x579/0x600
[   51.162207]  ? con_get_trans_old+0x230/0x230
[   51.162229]  ? retint_kernel+0x10/0x10
[   51.162278]  csi_J+0x557/0xa00
[   51.162307]  do_con_trol+0x49af/0x5cc0
[   51.162330]  ? lock_downgrade+0x720/0x720
[   51.162347]  ? reset_palette+0x1b0/0x1b0
[   51.162369]  ? lockdep_hardirqs_on_prepare+0x379/0x540
[   51.162393]  ? notifier_call_chain+0x11b/0x160
[   51.162438]  do_con_write.part.24+0xb0a/0x1a30
[   51.162501]  ? do_con_trol+0x5cc0/0x5cc0
[   51.162522]  ? console_unlock+0x7b8/0xb00
[   51.162555]  ? __mutex_unlock_slowpath+0xd4/0x670
[   51.162574]  ? this_tty+0xe0/0xe0
[   51.162589]  ? console_unlock+0x559/0xb00
[   51.162605]  ? wait_for_completion+0x260/0x260
[   51.162638]  con_write+0x31/0xb0
[   51.162658]  n_tty_write+0x4fa/0xd40
[   51.162710]  ? n_tty_read+0x1800/0x1800
[   51.162730]  ? prepare_to_wait_exclusive+0x270/0x270
[   51.162754]  ? __might_fault+0x175/0x1b0
[   51.162783]  tty_write+0x42b/0x8d0
[   51.162795]  ? n_tty_read+0x1800/0x1800
[   51.162825]  ? tty_lookup_driver+0x450/0x450
[   51.162848]  __vfs_write+0x7c/0x100
[   51.162875]  vfs_write+0x1c9/0x510
[   51.162901]  ksys_write+0xff/0x200
[   51.162918]  ? __ia32_sys_read+0xb0/0xb0
[   51.162940]  ? do_syscall_64+0x1a/0x520
[   51.162957]  ? lockdep_hardirqs_on_prepare+0x379/0x540
[   51.162984]  do_syscall_64+0xa1/0x520
[   51.163008]  entry_SYSCALL_64_after_hwframe+0x49/0xb3

After vgacon_set_origin() is called in set_origin(), vc_origin is set to
vga_vram_base, and vc_pos should be between vga_vram_base and
vga_vram_end. But we still use vc_screenbuf_size; if vga_vram_size is
smaller than vc_screenbuf_size, vc_pos may be out of bounds, and using
it will cause a use-after-free (or out-of-bounds access). Fix this by
calling vc_resize() if vga_vram_size is smaller than vc_screenbuf_size.

Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
  drivers/video/console/vgacon.c | 3 +++
  1 file changed, 3 insertions(+)

diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c
index 998b0de..2ee3d62 100644
--- a/drivers/video/console/vgacon.c
+++ b/drivers/video/console/vgacon.c
@@ -1336,6 +1336,9 @@ static int vgacon_set_origin(struct vc_data *c)
  	if (vga_is_gfx ||	/* We don't play origin tricks in graphic modes */
  	    (console_blanked && !vga_palette_blanked))	/* Nor we write to blanked screens */
  		return 0;
+
+	if (c->vc_screenbuf_size > vga_vram_size)
+		vc_resize(c, screen_info.orig_video_cols, screen_info.orig_video_lines);
  	c->vc_origin = c->vc_visible_origin = vga_vram_base;
  	vga_set_mem_top(c);
  	vga_rolled_over = 0;
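Review bot: the context lines of this hunk (and the diffstat above it) carry an extra leading space before the tab compared with the July posting, which suggests the mail client reflowed the patch on the way out; git am will not apply it cleanly, so please resend with git send-email. The hunk is otherwise identical to the July posting and still discards vc_resize()'s return value before `c->vc_origin = c->vc_visible_origin = vga_vram_base;`, so a failed resize leaves the oversized vc_screenbuf_size in place with the origin moved into VRAM; since vgacon_set_origin() returns int, check the result and return 0 without touching the origin, as the graphics/blanked early return above does.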


^ permalink raw reply related	[flat|nested] 14+ messages in thread

* [PATCH resend] vgacon: fix a UAF in do_update_region()
@ 2020-10-20  9:02     ` Yang Yingliang
  0 siblings, 0 replies; 14+ messages in thread
From: Yang Yingliang @ 2020-10-20  9:02 UTC (permalink / raw)
  To: Sam Ravnborg, Greg Kroah-Hartman
  Cc: b.zolnierkie, linux-fbdev, linux-kernel, dri-devel, yangyingliang

I got a UAF report in do_update_region() when I doing fuzz test.

[   51.161905] BUG: KASAN: use-after-free in do_update_region+0x579/0x600
[   51.161918] Read of size 2 at addr ffff888000100000 by task test/295

[   51.161957] CPU: 2 PID: 295 Comm: test Not tainted 5.7.0+ #975
[   51.161969] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[   51.161976] Call Trace:
[   51.162001]  dump_stack+0xc6/0x11e
[   51.162019]  ? do_update_region+0x579/0x600
[   51.162047]  print_address_description.constprop.6+0x1a/0x220
[   51.162083]  ? vprintk_func+0x66/0xed
[   51.162100]  ? do_update_region+0x579/0x600
[   51.162112]  ? do_update_region+0x579/0x600
[   51.162128]  kasan_report.cold.9+0x37/0x7c
[   51.162151]  ? do_update_region+0x579/0x600
[   51.162173]  do_update_region+0x579/0x600
[   51.162207]  ? con_get_trans_old+0x230/0x230
[   51.162229]  ? retint_kernel+0x10/0x10
[   51.162278]  csi_J+0x557/0xa00
[   51.162307]  do_con_trol+0x49af/0x5cc0
[   51.162330]  ? lock_downgrade+0x720/0x720
[   51.162347]  ? reset_palette+0x1b0/0x1b0
[   51.162369]  ? lockdep_hardirqs_on_prepare+0x379/0x540
[   51.162393]  ? notifier_call_chain+0x11b/0x160
[   51.162438]  do_con_write.part.24+0xb0a/0x1a30
[   51.162501]  ? do_con_trol+0x5cc0/0x5cc0
[   51.162522]  ? console_unlock+0x7b8/0xb00
[   51.162555]  ? __mutex_unlock_slowpath+0xd4/0x670
[   51.162574]  ? this_tty+0xe0/0xe0
[   51.162589]  ? console_unlock+0x559/0xb00
[   51.162605]  ? wait_for_completion+0x260/0x260
[   51.162638]  con_write+0x31/0xb0
[   51.162658]  n_tty_write+0x4fa/0xd40
[   51.162710]  ? n_tty_read+0x1800/0x1800
[   51.162730]  ? prepare_to_wait_exclusive+0x270/0x270
[   51.162754]  ? __might_fault+0x175/0x1b0
[   51.162783]  tty_write+0x42b/0x8d0
[   51.162795]  ? n_tty_read+0x1800/0x1800
[   51.162825]  ? tty_lookup_driver+0x450/0x450
[   51.162848]  __vfs_write+0x7c/0x100
[   51.162875]  vfs_write+0x1c9/0x510
[   51.162901]  ksys_write+0xff/0x200
[   51.162918]  ? __ia32_sys_read+0xb0/0xb0
[   51.162940]  ? do_syscall_64+0x1a/0x520
[   51.162957]  ? lockdep_hardirqs_on_prepare+0x379/0x540
[   51.162984]  do_syscall_64+0xa1/0x520
[   51.163008]  entry_SYSCALL_64_after_hwframe+0x49/0xb3

After vgacon_set_origin() is called in set_origin(), the vc_origin is
set to vga_vram_base, the vc_pos should between vga_vram_base and
vga_vram_end. But we still use vc_screenbuf_size, if the vga_vram_size
is smaller than vc_screenbuf_size, vc_pos may be out of bound, using it
will cause a use-after-free(or out-of-bounds). Fix this by calling
vc_resize() if vga_vram_size is smaller than vc_screenbuf_size.

Signed-off-by: Yang Yingliang<yangyingliang@huawei.com>
---
  drivers/video/console/vgacon.c | 3 +++
  1 file changed, 3 insertions(+)

diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c
index 998b0de..2ee3d62 100644
--- a/drivers/video/console/vgacon.c
+++ b/drivers/video/console/vgacon.c
@@ -1336,6 +1336,9 @@ static int vgacon_set_origin(struct vc_data *c)
  	if (vga_is_gfx ||	/* We don't play origin tricks in graphic modes */
  	    (console_blanked && !vga_palette_blanked))	/* Nor we write to blanked screens */
  		return 0;
+
+	if (c->vc_screenbuf_size > vga_vram_size)
+		vc_resize(c, screen_info.orig_video_cols, screen_info.orig_video_lines);
  	c->vc_origin = c->vc_visible_origin = vga_vram_base;
  	vga_set_mem_top(c);
  	vga_rolled_over = 0;
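Review bot: the return value of vc_resize() on the added line is dropped, and the new vc_screenbuf_size is never re-checked against vga_vram_size before the unchanged `c->vc_origin = c->vc_visible_origin = vga_vram_base;` runs. vc_resize() can fail and return an error, and the target geometry screen_info.orig_video_cols/orig_video_lines is not derived from vga_vram_size, so on either path the function can still fall through with a screen buffer larger than the VRAM window, which is exactly the condition the commit message blames for the out-of-bounds access. Suggest keeping the result inside the guarded block, for example `if (vc_resize(c, screen_info.orig_video_cols, screen_info.orig_video_lines) || c->vc_screenbuf_size > vga_vram_size) return 0;` so that, like the early returns above it, the origin is left alone unless the size is known to fit.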

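The mismatch the commit message describes, modelled as an added C example that is neither the patch's nor the kernel's code: the VRAM window, boot geometry, heap address and the oversized 4096x77 geometry are all constructed, and model_vc_resize(), region_in_vram() and the three set_origin_* variants are hypothetical stand-ins for the kernel functions. It contrasts the pre-patch path, the patch as posted (resize result unchecked) and a variant that verifies the resize before moving the origin.

```c
/* Added model of the vgacon origin/size invariant discussed in the commit
 * message.  Illustrative code, not the kernel's: every name, field and
 * number here is constructed; only the idea (vc_origin is moved to
 * vga_vram_base while vc_screenbuf_size is left alone) comes from the patch. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed VRAM text window: 32 KiB at 0xb8000 (conventional colour text). */
#define VRAM_BASE 0xb8000ULL
#define VRAM_SIZE 0x8000ULL
#define VRAM_END  (VRAM_BASE + VRAM_SIZE)

/* Constructed boot geometry, standing in for screen_info.orig_video_*. */
#define ORIG_COLS 80u
#define ORIG_ROWS 25u

struct vc_model {
    uint64_t origin;          /* models vc_origin */
    uint64_t screenbuf_size;  /* models vc_screenbuf_size (cols * rows * 2 bytes) */
    unsigned int cols, rows;
};

/* Models vc_resize(): recompute the buffer size from the new geometry.
 * 'fail' injects a constructed failure (the real vc_resize() can return an error). */
static int model_vc_resize(struct vc_model *c, unsigned int cols,
                           unsigned int rows, bool fail)
{
    if (fail)
        return -1;
    c->cols = cols;
    c->rows = rows;
    c->screenbuf_size = (uint64_t)cols * rows * 2;
    return 0;
}

/* Invariant do_update_region() depends on once the origin is in VRAM:
 * [origin, origin + screenbuf_size) must stay inside [VRAM_BASE, VRAM_END).
 * Written as a subtraction so the comparison cannot overflow. */
static bool region_in_vram(const struct vc_model *c)
{
    return c->origin >= VRAM_BASE && c->origin < VRAM_END &&
           c->screenbuf_size <= VRAM_END - c->origin;
}

/* Pre-patch: origin moves to VRAM, size is untouched. */
static bool set_origin_unpatched(struct vc_model *c)
{
    c->origin = VRAM_BASE;
    return region_in_vram(c);
}

/* Patch as posted: resize when too big, but the result is not checked. */
static bool set_origin_patched(struct vc_model *c, bool resize_fails)
{
    if (c->screenbuf_size > VRAM_SIZE)
        model_vc_resize(c, ORIG_COLS, ORIG_ROWS, resize_fails);
    c->origin = VRAM_BASE;
    return region_in_vram(c);
}

/* Defensive variant: check the resize result and re-verify the size before
 * touching the origin; on failure leave the console state unchanged. */
static int set_origin_checked(struct vc_model *c, bool resize_fails)
{
    if (c->screenbuf_size > VRAM_SIZE) {
        if (model_vc_resize(c, ORIG_COLS, ORIG_ROWS, resize_fails))
            return -1;
        if (c->screenbuf_size > VRAM_SIZE)
            return -1;
    }
    c->origin = VRAM_BASE;
    return region_in_vram(c) ? 0 : -1;
}

/* Constructed console whose buffer (4096 cols x 77 rows x 2 = 630784 bytes)
 * is far larger than the 32 KiB window, as after an oversized resize. */
static struct vc_model oversized_console(void)
{
    struct vc_model c = { .origin = 0xffff888000000000ULL }; /* constructed heap address */
    model_vc_resize(&c, 4096, 77, false);
    return c;
}

int main(void)
{
    struct vc_model a = oversized_console(), b = oversized_console();
    struct vc_model d = oversized_console(), e = oversized_console();
    int rc;

    printf("unpatched:            in vram = %d\n", set_origin_unpatched(&a));
    printf("patched, resize ok:   in vram = %d\n", set_origin_patched(&b, false));
    printf("patched, resize fail: in vram = %d\n", set_origin_patched(&d, true));
    rc = set_origin_checked(&e, true);
    printf("checked, resize fail: rc = %d, origin moved = %d\n", rc, e.origin == VRAM_BASE);
    return 0;
}
```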

* [PATCH resend] vgacon: fix a UAF in do_update_region()
@ 2020-10-20  9:02     ` Yang Yingliang
  0 siblings, 0 replies; 14+ messages in thread
From: Yang Yingliang @ 2020-10-20  9:02 UTC (permalink / raw)
  To: Sam Ravnborg, Greg Kroah-Hartman
  Cc: linux-fbdev, yangyingliang, linux-kernel, dri-devel, b.zolnierkie

I got a UAF report in do_update_region() when I was doing a fuzz test.

[   51.161905] BUG: KASAN: use-after-free in do_update_region+0x579/0x600
[   51.161918] Read of size 2 at addr ffff888000100000 by task test/295

[   51.161957] CPU: 2 PID: 295 Comm: test Not tainted 5.7.0+ #975
[   51.161969] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[   51.161976] Call Trace:
[   51.162001]  dump_stack+0xc6/0x11e
[   51.162019]  ? do_update_region+0x579/0x600
[   51.162047]  print_address_description.constprop.6+0x1a/0x220
[   51.162083]  ? vprintk_func+0x66/0xed
[   51.162100]  ? do_update_region+0x579/0x600
[   51.162112]  ? do_update_region+0x579/0x600
[   51.162128]  kasan_report.cold.9+0x37/0x7c
[   51.162151]  ? do_update_region+0x579/0x600
[   51.162173]  do_update_region+0x579/0x600
[   51.162207]  ? con_get_trans_old+0x230/0x230
[   51.162229]  ? retint_kernel+0x10/0x10
[   51.162278]  csi_J+0x557/0xa00
[   51.162307]  do_con_trol+0x49af/0x5cc0
[   51.162330]  ? lock_downgrade+0x720/0x720
[   51.162347]  ? reset_palette+0x1b0/0x1b0
[   51.162369]  ? lockdep_hardirqs_on_prepare+0x379/0x540
[   51.162393]  ? notifier_call_chain+0x11b/0x160
[   51.162438]  do_con_write.part.24+0xb0a/0x1a30
[   51.162501]  ? do_con_trol+0x5cc0/0x5cc0
[   51.162522]  ? console_unlock+0x7b8/0xb00
[   51.162555]  ? __mutex_unlock_slowpath+0xd4/0x670
[   51.162574]  ? this_tty+0xe0/0xe0
[   51.162589]  ? console_unlock+0x559/0xb00
[   51.162605]  ? wait_for_completion+0x260/0x260
[   51.162638]  con_write+0x31/0xb0
[   51.162658]  n_tty_write+0x4fa/0xd40
[   51.162710]  ? n_tty_read+0x1800/0x1800
[   51.162730]  ? prepare_to_wait_exclusive+0x270/0x270
[   51.162754]  ? __might_fault+0x175/0x1b0
[   51.162783]  tty_write+0x42b/0x8d0
[   51.162795]  ? n_tty_read+0x1800/0x1800
[   51.162825]  ? tty_lookup_driver+0x450/0x450
[   51.162848]  __vfs_write+0x7c/0x100
[   51.162875]  vfs_write+0x1c9/0x510
[   51.162901]  ksys_write+0xff/0x200
[   51.162918]  ? __ia32_sys_read+0xb0/0xb0
[   51.162940]  ? do_syscall_64+0x1a/0x520
[   51.162957]  ? lockdep_hardirqs_on_prepare+0x379/0x540
[   51.162984]  do_syscall_64+0xa1/0x520
[   51.163008]  entry_SYSCALL_64_after_hwframe+0x49/0xb3

After vgacon_set_origin() is called in set_origin(), vc_origin is
set to vga_vram_base, and vc_pos should be between vga_vram_base and
vga_vram_end. But we still use vc_screenbuf_size; if vga_vram_size
is smaller than vc_screenbuf_size, vc_pos may be out of bounds, and using it
will cause a use-after-free (or out-of-bounds access). Fix this by calling
vc_resize() if vga_vram_size is smaller than vc_screenbuf_size.

Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
  drivers/video/console/vgacon.c | 3 +++
  1 file changed, 3 insertions(+)

diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c
index 998b0de..2ee3d62 100644
--- a/drivers/video/console/vgacon.c
+++ b/drivers/video/console/vgacon.c
@@ -1336,6 +1336,9 @@ static int vgacon_set_origin(struct vc_data *c)
  	if (vga_is_gfx ||	/* We don't play origin tricks in graphic modes */
  	    (console_blanked && !vga_palette_blanked))	/* Nor we write to blanked screens */
  		return 0;
+
+	if (c->vc_screenbuf_size > vga_vram_size)
+		vc_resize(c, screen_info.orig_video_cols, screen_info.orig_video_lines);
  	c->vc_origin = c->vc_visible_origin = vga_vram_base;
  	vga_set_mem_top(c);
  	vga_rolled_over = 0;
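Review bot: the added guard carries no comment explaining why vc_screenbuf_size can exceed vga_vram_size at this point or why screen_info.orig_video_cols/orig_video_lines is the right fallback geometry, while the two early returns just above it are documented inline; a short comment such as `/* buffer larger than VRAM: fall back to the boot geometry */` above the `if` would match the surrounding style. It is also worth stating in the commit message that the fix silently replaces the current geometry when the origin is moved into VRAM rather than rejecting the oversized size where it is set, since callers of vgacon_set_origin() would not expect vc_cols/vc_rows to change underneath them.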

_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel


* Re: [PATCH resend] vgacon: fix a UAF in do_update_region()
  2020-10-20  9:02     ` Yang Yingliang
@ 2020-10-20  9:20       ` Yang Yingliang
  -1 siblings, 0 replies; 14+ messages in thread
From: Yang Yingliang @ 2020-10-20  9:20 UTC (permalink / raw)
  To: Sam Ravnborg, Greg Kroah-Hartman
  Cc: b.zolnierkie, linux-fbdev, linux-kernel, dri-devel

C reproducer:

// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <endian.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
     if (a0 == 0xc || a0 == 0xb) {
         char buf[128];
         sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
         return open(buf, O_RDWR, 0);
     } else {
         char buf[1024];
         char* hash;
         strncpy(buf, (char*)a0, sizeof(buf) - 1);
         buf[sizeof(buf) - 1] = 0;
         while ((hash = strchr(buf, '#'))) {
             *hash = '0' + (char)(a1 % 10);
             a1 /= 10;
         }
         return open(buf, a2, 0);
     }
}

uint64_t r[4] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

int main(void)
{
     syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x32ul, -1, 0);
     intptr_t res = 0;
     /* /dev/char/4:1, i.e. the first virtual console (tty1) */
     res = syz_open_dev(0xc, 4, 1);
     if (res != -1)
         r[0] = res;
     /* KDSETMODE (0x4b3a) with KD_GRAPHICS (1) */
     syscall(__NR_ioctl, r[0], 0x4b3aul, 1ul);
     res = syz_open_dev(0xc, 4, 1);
     if (res != -1)
         r[1] = res;
     /* VT_RESIZE (0x5609): struct vt_sizes { v_rows = 0x4d, v_cols = 0x1000, v_scrollsize = 0xf1 } */
     *(uint16_t*)0x20000000 = 0x4d;
     *(uint16_t*)0x20000002 = 0x1000;
     *(uint16_t*)0x20000004 = 0xf1;
     syscall(__NR_ioctl, r[1], 0x5609ul, 0x20000000ul);
     res = syz_open_dev(0xc, 4, 1);
     if (res != -1)
         r[2] = res;
     /* KDSETMODE (0x4b3a) back to KD_TEXT (0) */
     syscall(__NR_ioctl, r[2], 0x4b3aul, 0ul);
     res = syz_open_dev(0xc, 4, 1);
     if (res != -1)
         r[3] = res;
     /* fill the buffer that is written to the console at the end of main() */
*(uint8_t*)0x20000840 = 0x7f;
*(uint8_t*)0x20000841 = 0x45;
*(uint8_t*)0x20000842 = 0x4c;
*(uint8_t*)0x20000843 = 0x46;
*(uint8_t*)0x20000844 = 5;
*(uint8_t*)0x20000845 = 6;
*(uint8_t*)0x20000846 = 5;
*(uint8_t*)0x20000847 = 9;
*(uint64_t*)0x20000848 = 0xfffffffffffffffa;
*(uint16_t*)0x20000850 = 3;
*(uint16_t*)0x20000852 = 3;
*(uint32_t*)0x20000854 = 0x117;
*(uint32_t*)0x20000858 = 0x45;
*(uint32_t*)0x2000085c = 0x38;
*(uint32_t*)0x20000860 = 0x1df;
*(uint32_t*)0x20000864 = 5;
*(uint16_t*)0x20000868 = 4;
*(uint16_t*)0x2000086a = 0x20;
*(uint16_t*)0x2000086c = 2;
*(uint16_t*)0x2000086e = 0x1ff;
*(uint16_t*)0x20000870 = 0x55;
*(uint16_t*)0x20000872 = 0xfffb;
*(uint32_t*)0x20000878 = 4;
*(uint32_t*)0x2000087c = 4;
*(uint32_t*)0x20000880 = 4;
*(uint32_t*)0x20000884 = 1;
*(uint32_t*)0x20000888 = 1;
*(uint32_t*)0x2000088c = 3;
*(uint32_t*)0x20000890 = 7;
*(uint32_t*)0x20000894 = 0xfff;
*(uint32_t*)0x20000898 = 3;
*(uint32_t*)0x2000089c = 5;
*(uint32_t*)0x200008a0 = 3;
*(uint32_t*)0x200008a4 = 1;
*(uint32_t*)0x200008a8 = 0x3f;
*(uint32_t*)0x200008ac = 0x200;
*(uint32_t*)0x200008b0 = 4;
*(uint32_t*)0x200008b4 = 7;
memcpy((void*)0x200008b8, 
"\x8b\x9f\xd8\xbb\x23\x11\x17\xf4\xeb\xa2\x19\x08\xb0\xe4\xe5\xe9\x98\x81\x1b\x24\x48\xaa\xfd\x8c\x01\x15\xeb\xa2\xf6\x28\x38\xd9\xa4\xd3\x4f\xfc\x91\x7c\x66\x3e\xb0\xbf\xe0\x18\x15\xd4\xe2\x33\x5f\x2b\x09\x27\x4c\x9c\x46\x94\xae\xcd\x39\x27\xd9\x73\xf7\xfb\xb5\x31\xe9\xef\x67\x1c\xd2\x35\x0c\x03\x71\xca\xec\x86\x38\x8a\xf1\xce\xb3\x3d\xc6\x06\x43\xb9\x04\xe4\x40\x91\x0d\xf3\xc9\x97\xcf\xc2\x01\x2b\x20\xa1\x90\x65\x37\xef\x89\xca\xde\x7b\xb1\x51\x41\xc8\xe9\x97\x68\x93\x46\xe7\x1c\x49\x99\x7f\xcd\xb8\x6a\x0e\x5b\x99\xe2\x0a\xaf\x61\x3c\x07\xac\x58\x73\xc1\x9e\x10\xda\x89\x25\xeb\x77\x62\x38\x8c\xca\x50\x93\x68\x72\x53\x32\xb7\xee\xb8\x53\x2b\x32\x99\xce\x87\xe4\xcf\x1f\x57\x2a\xa9\x8c\x1b\x0f\x0b\x48\xcd\x46\x00\xab\xad\xd8\x95\xe8\xb6\x71\xb0\x47\x05\x86\x94\x5c\x4f\x88\x35\x1e\xe7\xf7\x9e\xbc\x3f\x86\xa8\x14\xbf\xe8\xbe\x20\xb1\xd0\x31\x05\x84\x8d\xce\xea\x90\xca\x8d\xd4\x2e\xbb\x57\xdc\xb7\xae\x18\x2d\x07\x79\x6a\x85\xa0\x57\x01\xff\x0f\x13\xfe\x9e\xeb\xf1\x8c\xc7\xd0\x8e\x68\xe5\
 x84\xfd\x39\x0e\x16\x77\xea\x00\x6f\x71\x94\x1b\xfc\xd5\x98\xf7\xea\x68\xbd\xd3\x8d\xbd\x39\x48\x9f\xd6\x0a\x2f\x95\x04\x28\x81\xf6\x70\xb9\xe4\xde\x90\x92\xd2\x98\xf1\x0b\x36\x27\x65\x7f\x59\xf3\xef\x43\x73\xc5\x24\x69\x05\xc0\x24\x41\x31\xc5\x93\x40\x00\x13\xbf\x5f\x66\xfb\xf6\x26\xd8\xb9\xdf\x58\xf1\xc6\x7d\x35\xcb\xbb\x8d\x28\x53\x73\xb5\xc1\x0e\x24\xab\x76\xbe\x12\x58\xfb\xd3\x66\xa7\x3b\xad\x89\x9f\xb5\x49\x5d\x8d\x3b\x29\xfd\x4e\xa2\xa8\xda\xe6\xf7\xb8\x24\x5c\x6c\x50\x40\xdb\x9e\x14\x6a\xe3\x00\x59\xee\x55\x44\x1f\x45\xcf\x37\x91\xeb\xc9\xc2\x63\xec\x18\x30\x89\x85\x00\x79\xaf\x65\xc6\xa9\x90\x04\x5e\x68\x5c\xf5\xc0\x9f\xe2\xf1\x85\xcd\xb3\xa7\x83\xb3\x85\xb0\x29\x24\x27\xf4\xbe\x72\xbd\xe3\x07\x8d\x25\x6b\x63\x58\xb7\xce\x71\xb8\x76\x09\x9d\xd0\xec\x94\x4c\x72\xa0\x17\x82\x83\x26\xee\x81\xbe\x0c\xff\x70\x16\x38\x48\xf4\x3e\xdb\xe0\x9f\x6b\x88\x95\xb2\xb6\xb7\x76\x19\xee\xa0\x91\x11\xd5\xb3\xc4\x2e\x5e\x9e\xc4\x62\x7b\xf7\x28\x14\xf9\x0a\xf0\x2b\x5c\x23\x41\x39\x3f\x38\x12\x
 e2\xf1\xa1\x70\xa6\x6b\xc8\x44\xd9\x2b\x02\x64\x69\x21\x44\x4d\xd8\x50\x0d\xf7\x01\xb2\xb0\x6a\x43\x25\x74\x78\x18\x72\x30\x42\x5e\x36\x4c\x65\x3d\xee\x51\xda\xc2\x55\x93\x65\x5b\xb4\x92\x3b\xf9\x00\x2c\x6e\x18\x04\xe8\x1b\x40\x9a\x57\x7e\xfb\x3f\xef\x89\xce\xe9\x8e\xa4\xc1\x5b\x63\xec\x26\xe6\x10\x2e\x69\x25\x84\x77\x97\xb2\xfb\x87\x0b\x11\x27\xdb\xd3\xd4\x7f\x5e\x9e\x33\x2e\xd3\xb2\x9b\x22\xeb\x29\xeb\x36\x61\xc2\xd0\x22\xaf\x79\x40\x61\xe7\xdf\xce\x88\xd6\x06\x43\x9d\xec\x6f\x57\x20\x92\x73\x38\x37\x65\x81\xd6\xe6\x27\x8a\x50\xb8\x93\x7c\xdc\x1f\xf0\xfe\x01\x3f\x9f\x3c\x6c\x1b\x7a\xa8\x93\xbf\x3a\x06\x6a\x18\x02\x79\x2f\x62\x9b\x12\x16\x5f\xaa\x80\xc7\xfe\xc2\xad\xd9\xec\xa6\x61\x7c\xda\x79\xf3\xc5\x85\x2f\x2b\xcd\xa2\x53\xbc\x71\x54\xeb\x32\x75\x82\x38\xed\xf0\x2a\x6a\xad\xc2\x56\xfe\x75\x14\x81\xee\x03\x32\x1a\xb8\xf9\x92\x5a\x06\x6f\xd4\xc0\x76\x5f\x2b\xee\x51\x68\xc4\x4c\x0f\x86\xe9\x51\x53\xe7\x8d\x60\xd2\xc8\xc2\xf7\x45\xee\xfa\x04\x6b\xa0\x61\x18\xf4\x7d\xc5\x46\x13\x52\xb
 0\xe6\x8d\x4e\x53\x49\x16\x26\x9a\x07\xc1\x78\xa8\x61\x7d\x43\x5e\x14\x12\xf9\x8d\x6b\x6b\xac\xb1\x78\x86\x3f\xc6\xc2\xf2\xee\x65\x47\x12\x6f\xb2\xef\x8a\x4d\x83\xfd\xe6\x8c\xe9\x69\x22\x1b\x8b\x2b\xfa\x0d\x75\xc1\xb9\x77\x7d\x1e\x44\x03\xfa\x2e\xd8\x82\xd7\x15\x7b\x24\x7b\x65\x62\x6d\xff\x84\xba\x3c\x02\x95\xb3\xa9\x15\xc9\x12\xd5\xd7\xf7\x9d\xa1\xfc\xf0\x08\x0e\x47\xfb\xbb\xed\x26\xf5\x23\x2d\x07\x11\x76\x04\x5e\x82\x89\xef\xf0\x95\x24\x15\xe2\xeb\xf6\x49\x9e\xa2\x9f\x67\xce\x97\xf8\x84\x21\xd6\x9f\x1f\x95\x5d\xe0\xe8\xc2\xe0\x37\xf2\x0f\x64\x8c\xfe\x88\x3a\x0d\xa6\x54\x36\xb0\x24\x45\xd0\x29\x70\xb8\xfd\x4b\xa6\xe3\x44\xa8\xd7\xef\xa2\x43\x5a\x04\xc1\x64\xe1\x6d\x32\xae\xbb\xa9\xa6\x7e\x9a\x6d\x66\x0f\x29\x51\xe8\x42\xf4\x03\xdd\xdc\xe0\x4c\x82\x8b\xeb\x00\x4d\xa1\x68\x6f\xa0\x85\xf0\xb2\xd7\xdd\x2a\xfe\x33\x49\x8f\x69\xfa\xf3\xa0\x7c\xd2\x10\x74\x16\xed\x79\x0d\x56\x9c\x3d\xf5\x2d\x39\xde\x5b\x53\x72\xf5\x57\x0e\xfc\x3d\x06\xc9\xc3\x15\xba\x7f\x70\xbe\x89\xfa\xaf\x16\xd1\xea\xd5
 \x6a\x84\x71\x12\x60\x4b\x77\x28\xbe\xee\x7e\xff\x62\xd4\xfc\x56\xd8\x93\x60\xb7\xcb\xe1\x05\x57\x69\x41\xd3\x04\x73\x3a\x4e\x8f\xc5\x34\x36\x8b\x69\x0a\x69\xca\x77\x6a\xb1\x5b\xdc\x24\x22\xbb\x16\x56\x2b\x5b\x0f\x65\x8f\x7d\xc9\x95\x96\xa1\x70\x48\x5a\x83\x6e\xfc\xc5\x32\x5e\x61\xf6\x6b\xca\x65\x96\x0a\x73\x6f\x2f\xf3\x38\x33\xa4\x8c\x40\xae\x36\x9c\x43\xda\xc3\x40\xc8\xdd\x64\x27\x99\xb3\x47\xf3\xc1\x0f\xcd\x57\x03\x52\x0e\xea\xd9\x8f\x43\x6c\x97\x73\xd6\x8c\xd5\xe7\xf0\x8a\x5f\x44\x71\x55\xe9\xc6\x11\x56\x83\x3b\xa0\x5a\xd9\x49\x89\x5b\x04\x69\x7a\xe0\x00\xd6\xb4\x33\xd5\xe7\xd6\xfc\x99\xf5\xb2\xfb\xb9\x95\x7a\xfd\xd9\x37\x1f\x7e\x7d\x91\xe7\xa4\x7b\xa8\xfe\xd2\x32\xf0\x14\xcf\x9f\x12\xff\x5c\xbf\xa7\x0a\xd0\x6a\x8e\xe7\x1d\x0b\x69\xdf\x7b\x58\x17\xdc\xf4\x3d\xc0\xe2\x84\x7a\x53\x19\xcc\x04\x42\x57\x24\x9b\xdd\x16\xef\x06\xc8\x17\xad\x44\x5b\x0e\xaf\xc6\xe2\xca\x57\x80\x54\x78\x88\xde\x21\xc8\xeb\xa3\xa1\xaf\xfc\x6d\x2b\xd8\xe1\x54\xe6\x5a\x3e\x78\xc9\xc6\xe9\x19\x19\x14\x1e\x38\
 xdf\x9a\xf3\xae\x62\x72\x88\xa5\xd0\xc6\x04\xca\x80\xd3\x82\xe9\xed\xec\x95\xc2\x2c\x30\x95\x56\x31\x82\x34\xbf\x39\x38\x1e\x89\x3a\xc9\xf8\xf3\x28\x59\x2c\x82\xa5\x36\xb3\x73\x3c\x35\xf1\x8a\xde\xc3\x0b\xf1\x63\x65\xb8\x3d\x87\x8b\x34\x01\x7d\x8b\x57\xcd\xa9\x85\x69\x55\x6f\x7e\x29\x2a\xeb\x16\xa1\xba\x3a\x53\xe1\xe6\x8e\xe2\xa5\x27\x59\x9a\xae\x6b\xfb\x5c\x97\xfa\x20\x58\x3c\x5a\xc5\x6a\x01\xaa\xd4\x88\x23\x71\xfd\x79\xb8\xde\xf1\x94\xc4\xea\x97\x23\xd9\x67\x63\xe4\x26\xa0\x41\x15\xc4\x37\x1f\x24\xdf\x50\x90\xbd\x79\x96\x8b\x07\xc9\xab\x5e\x36\xc9\x7a\x3b\x2e\x02\xfa\x12\x34\xfb\xa2\x6d\xc4\xf7\xe3\x6d\xa4\xc2\x75\x65\x75\x83\x68\x79\x2a\x33\x57\x7e\xf5\xf9\x37\xd0\x16\xae\x7e\x71\x0a\x2e\x20\x34\xfb\xdc\x6a\xd9\xbc\xda\xbb\x80\x27\x9a\x4d\x91\x72\x10\xa8\x09\xe7\xb1\x70\x9b\x03\x07\x6b\x06\xa3\xc5\xbd\x90\x84\x0a\x4b\x13\x7a\x55\x80\xb7\x99\x65\xe4\x2d\x55\x07\x99\x5c\x3f\x10\x15\xa3\xe5\xf7\x8c\x69\x74\x0f\x73\x28\x9e\xb7\xcd\xda\xb9\xee\x98\x88\xc2\x01\x4a\x8f\xb9\x04\x87\x67\x
 5c\xd6\x91\xf7\xd8\x60\x21\xb3\xfc\x01\x52\x0c\xe4\xa6\xe4\x5c\x0d\x6e\xc1\x08\xbc\x57\x78\x3c\xa0\xff\xd4\x1c\x94\x21\x44\x4e\x77\x45\x9e\x37\xe7\xe2\xab\x3b\xd6\x2e\x89\xc5\x09\x0d\x76\xa2\xb4\x0e\x1f\xc0\x87\xda\x87\xf9\xda\x4f\xe8\xa5\x00\x37\x57\x80\xd9\x80\x43\xdd\x37\x28\x92\x06\xb1\xd3\x80\x08\x51\xde\xc6\x93\x24\xc8\x29\x2f\xb7\x69\xb2\x21\x1b\x7b\xc0\x63\x6b\xbb\x2f\xf4\xae\x2c\x5c\x3a\xab\x11\x6a\xe0\x3e\xf8\x77\x12\x2f\x05\x33\xdc\x0d\xbd\xe3\x71\x49\x16\x2b\xd9\xc4\xcd\xd5\xa7\x2b\x60\xb7\xd1\xb5\x45\x99\xe4\x49\xfd\x05\xbe\x9b\x97\x14\xb5\xf2\xaa\x5b\xd6\xcd\x7e\xcf\xa0\xea\x9b\x4a\x01\xec\x9a\x9e\xb9\x46\x1e\x1f\xd7\xb9\x46\x2e\x0a\xb8\xf8\x98\x90\xb4\xa4\x44\xfd\xf0\x32\xf4\xa8\x9f\x02\x23\x6c\xd1\x3f\xe9\xfe\x83\x9e\xa2\x86\x71\x2d\x2c\xdb\x5c\x56\x5c\xb5\x0d\x4d\x08\xe3\x74\xc3\xba\xcf\x00\x55\x8e\x03\x73\xe8\xa9\x1a\xe8\x76\x63\xb6\xf3\xc1\x41\xb3\x08\x9b\x7b\x42\x92\x78\xac\xad\x1a\xe4\x4f\xbc\x68\x64\x1c\x91\x0d\x1d\xa1\x84\x88\x2f\x51\x23\xb7\x43\x79\x8f\x83\xe
 5\xce\x41\x9d\x4a\xf6\x49\x25\x38\xac\x80\xd6\x72\x83\x12\x86\x9c\x39\x69\x0d\x36\x96\x6e\x0b\xd8\x7f\x8f\xc9\x0a\x50\x35\x82\x9c\x14\x51\x69\xa3\x4d\xee\x2c\x78\xfd\xa8\x26\xc8\xc1\x57\xb8\xf8\x16\xb0\x10\xd1\xe1\x26\xd3\xf1\x99\xb8\x04\xec\x24\x03\x5f\x72\x0b\xa0\xb5\x10\xd5\x8d\x50\xf9\x6a\x2e\x70\x4d\xbc\x51\x51\x5a\xa4\x60\x2e\xdf\x59\x1f\x6c\x7c\x21\xf2\xd9\xa4\x54\x6a\xe7\x05\xba\xda\x46\xc9\xa8\x8d\x7d\x3d\xe2\x3e\x4d\xef\x48\x4d\x14\xca\xdd\x33\xec\x11\x8c\xf6\xf8\x78\xad\x2f\xbc\x95\xff\x56\x76\x00\x25\xa8\xa7\x85\x36\xb6\x10\xcc\xf7\x1b\x90\xd2\x50\xf5\xd1\xb8\xf5\x2f\xd3\xad\x06\xed\x85\x29\x82\xce\xd5\xd3\xdc\xc9\xca\x8d\xfa\x7a\x6e\x30\x31\xe6\x0b\xce\xfc\x5a\xf7\xb7\x44\xd0\x6b\x41\x09\x1c\xe2\x70\x09\x36\x79\x74\x81\x82\xeb\x9e\x86\x7a\x35\xdb\xfd\xde\xab\x5b\x2e\x51\x40\x99\x23\x7c\xa8\x2b\x05\x54\x00\x2d\x73\x2a\xaa\xe3\x2b\xa5\x93\x3b\x47\xf0\x79\xf8\xe4\x2c\xbd\xdc\x26\x9f\xf6\xa0\x97\xa3\xc8\xaa\x08\xce\xfa\x39\x06\x21\x30\x8a\x4c\x49\x7d\xb3\xf9\xb2\x0c\x0d\xb3
 \xda\xb0\x14\xf6\x83\xb7\x0b\xd1\xe1\x89\xf1\x8b\x45\x47\xfe\x95\xc6\xa7\x20\xbc\xa4\xc2\xdb\x64\xc3\x3a\xd4\x1a\x0c\xf7\xa3\xa9\xb6\xae\xf6\xa6\x7e\xee\xf1\x75\xf6\x43\xc9\xb6\xbd\x08\x58\x69\xf1\xa0\x71\x13\x38\xe7\xf2\x38\x18\x59\xd5\xaa\xf0\xb3\xe9\x08\x81\xb3\x71\xdb\x3b\xad\x38\xb0\xb0\x16\xf5\xfe\x37\x2e\x6d\x4e\xd8\xc9\x1a\x8f\x09\xfb\xec\xdc\x80\xaf\x28\x39\x74\x45\x1d\xd4\x23\x1c\x08\xd6\x7f\x52\x9b\xea\x5d\x65\xb5\x46\xb5\xf6\xfe\x73\xfa\x52\xfa\x58\x50\x6c\x3a\x11\x9f\x81\x2b\x25\xb6\xfb\x3e\x45\x9e\x96\xc6\x2c\xe9\x4c\xe8\xe6\x71\x54\x30\x60\x03\x3b\x97\xb0\x94\x11\x67\xd0\xd6\x85\x00\xc6\x2e\xb5\x1d\x28\xeb\xc4\x30\x8c\x7e\xf5\x17\xcc\x2b\x44\xb9\x5d\xf6\x66\x2a\x2e\xe0\x6d\xc8\x06\xb9\xf6\x67\xd9\x8d\x9d\x4a\x96\x4c\x59\x34\xc3\x56\xaf\x34\xfd\xb3\xc4\xaa\xd8\x60\x4b\x2c\xa5\x75\xd8\x12\x65\xb7\x63\xd5\xae\x2c\x93\x56\x7f\xc5\x73\xad\xee\x2d\xe3\xdf\x38\x3b\x0e\x24\x0b\x6c\x92\xd4\x04\xc9\x21\xd5\xd5\x9e\x8b\x61\xb5\xe1\xeb\x2d\x1f\x90\xed\x7f\xb6\x80\xc3\xd1\x91\x19\
 x49\x51\x77\x64\x22\x97\x4a\xf2\x69\x45\x3b\xf3\xbc\xcf\x43\x92\x67\x9d\x8b\xb2\xf8\x3a\x17\x6c\xd3\x48\xa4\xaa\x27\xfb\x09\xc2\x14\x7d\x99\x2a\x48\x6b\x6a\x66\x05\x90\x1f\x40\x43\x65\x62\xd5\xf1\x66\xaf\x76\x63\x53\x59\xb7\x04\xb7\xda\x1b\x42\xa9\xc0\x76\x4c\xd1\xcc\x2a\xa6\xb2\x73\x51\x68\x04\x28\x07\xfa\x28\xa6\x40\xb3\xd5\x18\x3d\x68\x60\x96\x23\x66\x03\x2d\x44\xa0\xc9\xca\xbe\xcd\xb7\x79\x87\x66\x7f\x90\x05\x1b\x42\xaa\x13\xef\xc9\x2e\x79\xcb\xa6\x71\x5e\xad\xf1\x9d\xaa\x95\xa0\x1a\x5c\x1c\x8c\x04\xf8\x94\xfb\x23\x51\x8d\x75\x8d\x3d\x04\xa3\x2f\xda\xec\x81\x8c\x7b\x43\xce\x19\x51\x2e\xf9\xe7\x6c\x66\x57\x1e\xe4\xe2\x62\x99\xf7\x43\x35\x57\x33\xf5\xd5\x4f\xb4\x81\x36\x6b\x30\x48\x90\xa1\x7b\x3f\x8b\xab\x79\xe4\x2e\x5e\xfc\xcc\xb2\x68\x1d\x86\xe9\x19\x8c\xd5\xc0\x4a\x9a\x5c\x8f\xba\xe0\x5e\x4a\xd2\xc0\x92\x58\x25\xdd\x15\x01\xc1\x40\x93\x91\x73\x4b\xa2\x0d\xf8\xec\x2a\x29\x5f\x91\x87\x65\x08\x5d\x30\x10\x05\x6a\xc1\x93\xac\xf6\xc6\x98\x55\x95\xb2\x1a\x95\x48\x08\x05\x40\x9b\x3f\x
 e3\xc9\xd6\x81\x17\x05\xa8\x4c\x92\x4f\x3b\x0a\x6d\xfb\xf5\x63\xca\x48\x80\x0d\xbe\x4c\xff\x49\x7b\x37\x82\x33\x1e\xf2\x42\xaa\xae\x15\xa6\x34\xc6\xeb\x26\x03\x70\xd3\x04\x26\x79\xbc\x03\x0b\x5a\xc3\xda\x86\x25\xda\xb5\x1d\x42\xcf\xda\xc4\x6c\xe7\x13\x92\x0b\xe4\x1f\x6e\xb6\x90\x0c\xb9\x1d\x0c\x43\xb1\xaa\x43\xd2\xaf\xe9\xe3\x97\xf7\x69\x48\xb7\x17\xe3\x75\x94\xd4\xaf\x80\x6d\x8b\x6f\x25\x59\x92\x47\x71\x24\xf4\xac\x87\x24\x4b\x1c\x3b\x46\x37\x5c\x86\xe5\x50\x71\xab\x54\xaf\x58\xfd\xc1\x85\xfb\x45\x37\x26\xd8\xe7\x6d\xee\x53\x8d\x68\x4d\xe5\xb3\x69\x02\x57\xa8\x4c\xa1\x3c\x1f\x09\x4d\x92\x82\x48\xc1\x4b\xb9\x2c\xaa\xf7\x67\x2e\xaf\x18\xdb\x16\xcd\x24\x99\xe5\x51\xed\xbe\xcd\x3a\x37\x7b\x9b\xdd\x42\x93\xcb\x1d\x92\x13\xaf\xec\x42\x6c\x85\xa0\x43\xad\x18\xce\x11\x3f\x66\x1c\x24\x11\x51\xa4\x79\x00\xf0\x96\xb8\x52\x7b\x05\xa2\x32\xbb\xb9\x70\x47\x7f\x41\x1b\x76\x40\x98\xd0\x89\x0d\xdb\xb6\x9b\x3f\xfb\xa4\xf7\xa6\x08\x3b\xb8\xbd\x7f\xd9\x30\x09\x12\xcf\xf7\x44\xd5\x11\x9b\xb4\xc1\xe7\x6
 9\x44\xf4\xe0\xa5\x17\xd2\x92\x69\x32\xf7\x8c\xc7\x0b\xb3\xdb\x05\x5a\x78\x95\x83\x36\xb3\x0c\x0e\x0e\x8f\xdf\x0d\x6c\xd3\x7a\x72\xbd\x03\x11\x26\xf2\x5d\x3c\x57\xe5\xca\xa3\x0a\xa5\x34\x0d\xd1\xe7\xb7\x30\xd1\xb7\xed\x83\x0f\x61\xd2\xd9\x3b\xc4\x38\x68\x28\x36\xda\xd5\xa6\x50\x59\x8a\x1f\x36\x87\x75\x52\xbe\x94\x55\x7d\xdd\xfe\xcf\xd8\x7a\xe7\x96\xd4\x06\xf5\x43\x54\x1c\x6e\x6e\xfe\xf8\x70\xd1\x3b\x31\x51\x66\x69\xa7\x69\x89\x83\x91\x08\x8e\x48\x97\x2b\x1f\xa2\xe9\xb2\xc6\x62\xe1\x28\xd6\xda\xd8\xc1\x7f\x5f\x7f\x5f\x62\x88\x0e\x8f\xdc\x07\xae\xe1\x59\x33\xbf\xd2\x49\x83\x45\x2c\xef\x62\x4b\xc8\x45\x18\x2a\xd2\x51\x29\x7f\xcf\xfd\x5c\x16\xbd\x5b\x0e\xac\x03\x7b\x58\x62\xb2\x0e\x08\xce\x1a\x8d\x75\x5f\xde\x1d\x49\xcf\x32\xd8\x1f\xd6\x3f\x74\x65\x4d\xba\x69\x2b\x27\x2d\xd1\x5a\xe1\x9e\x0b\x87\x33\x95\xe8\x50\xe0\x66\x66\xc9\xd3\x04\x31\x49\xc9\x5b\x79\x24\x2f\x2f\x4a\x9d\xdc\xf7\x16\xd7\xae\xe1\x34\x63\xe8\x1c\x1f\xff\x4e\x47\xbe\x68\xdb\x7a\x65\x6c\x04\xb6\x26\x0d\x8d\xb0\x0b\x90\x87
 \xc0\x87\x20\x3a\x74\x21\x8c\xe6\xb7\x67\x45\x97\x60\x30\xb3\xd9\xa7\x6e\x08\xde\xe9\x19\x1a\x5e\x19\x44\x95\x26\x4d\x3d\xc2\xb1\xc3\x98\x08\x06\x96\x5f\x54\xea\x88\xd7\x92\x50\xe8\x1c\x2a\x94\xf7\xa9\x6b\xe3\x2c\x1d\x15\xcf\x4c\xbe\xf1\x85\x3d\x30\xfd\xea\x3d\xef\x80\x20\xa6\xf6\x4e\x64\x79\x2a\x7c\x74\xc4\xe5\x70\x3a\x8a\x32\x6b\xc2\x2a\x41\xc6\x58\x47\xdf\x3f\x68\xe4\x06\x81\xe5\xce\xdd\x0b\x05\xd8\x2a\x9e\x85\xe3\x3f\x6b\x18\x5e\xb1\x6c\x56\x1e\xfa\xec\xa1\xae\xbe\xa9\x09\x65\x6b\xc7\x9e\xfc\x9a\xe7\x76\x65\xb5\x89\xcc\x0c\x40\x11\x7b\xb5\x1d\x62\x4d\x98\xc8\x6c\x97\xa8\x14\xfc\xde\x48\x94\x84\x86\xf9\x1b\x66\x93\x68\x52\xb7\x8e\xd4\xbc\x0f\x51\x01\xa1\x23\x47\xb1\x14\x03\xf4\x56\xad\x64\x86\xe0\x63\x5e\xe3\x9c\xdc\x40\x0e\xc1\x00\x2e\xbe\x95\xe7\x13\x50\xcb\xfa\xc5\x20\xb2\x90\x21\x4a\x0f\x5e\x8b\xd4\x3e\x58\x31\xb2\x1d\xb0\x98\x59\xfa\x42\x8d\x76\x43\x69\x18\x92\x3e\x25\xf1\xd7\xa5\x40\x3c\xff\x39\x63\x27\x4e\xcf\x4a\x68\x70\xa1\x43\xe6\x13\x83\xbd\xb3\xea\xc2\xab\x7f\xda\x05\
 x8a\x81\x04\x24\x3b\x28\x4d\xe0\xca\x06\x2a\x27\x33\x91\x16\xfb\x1d\x55\xbd\xa6\x8c\x21\x5e\xac\x5a\x6d\x71\x28\x33\xef\xc7\x1d\x32\x03\x23\xda\xf3\xfc\xd1\x6c\xba\x1e\xf5\x21\x56\x9f\xbb\xa2\xc7\x5d\x64\x37\x8d\xa3\xdf\xd6\xd4\xe9\xac\x7f\x97\x4f\xeb\xa3\xdb\x52\x97\xf2\x1b\xd7\xe3\x05\x3e\x28\xad\xfe\xa2\x5e\xae\x9f\xd6\xcc\xcd\x3b\xd8\x6f\xf8\x8f\x35\x96\x89\x5b\x5e\xb4\xcd\x3d\xa9\x33\x8e\x43\xbb\x2a\x45\x4b\x25\xe6\x2d\xa9\x93\x85\xbb\x38\xec\xf6\x11\xfa\x4d\x38\x78\x72\x95\xe8\xbe\xe0\xde\x84\x17\x1b\x66\x75\x1e\x24\x6c\xbf\xfc\x36\x2c\x66\xbf\x1c\x20\x7b\xad\x1a\x8c\x5e\x25\xdb\x53\x7f\xb2\x1a\x70\x5a\xbd\xd9\xdd\x27\xc8\xac\x87\xd5\x4f\xd0\xa7\x29\x3f\x71\xe3\xd9\x34\x47\x71\xcb\x5f\x5b\x9f\x6c\xbf\x1e\x88\x88\x3e\x04\x27\x7a\xa3\xa7\x7f\x7e\x22\x16\x8a\x8e\xeb\x8b\x2b\xb3\x5a\xc9\x35\x80\xcd\x51\x9a\xd4\xb0\xdf\xfc\x32\x7f\x24\xff\x8e\x7c\xd9\x4e\x8c\xce\xaf\xfa\x27\x4d\x6a\xb1\x48\x3e\x9a\xa0\x3a\x5a\x88\xf8\x88\x59\xd9\x59\xc1\xed\xd9\xcc\x78\xa8\x6e\x46\xd3\xd3\x31\xd8\x
 00\x0e\x48\xbc\xa9\x54\x3e\x31\x95\x30\xb5\xba\x6d\xb8\x64\xac\x3c\x83\xe7\x1f\xc2\x3c\x35\x13\x36\x84\x80\x7d\x9d\xdb\x5c\xe9\x98\x21\xb8\x9d\x93\x6f\x34\x45\xed\x88\x95\xc5\x62\x61\xd2\x11\xa7\x28\xdb\x53\x5b\x1c\x99\x78\x13\xa1\x2f\x61\x27\x91\xb9\xbc\x9b\x84\x5b\xea\x29\xa3\xec\xec\x90\xb8\xdd\x5c\xbc\xd3\x2a\x73\xb1\xe1\xc2\x57\x45\x31\x20\x06\xc3\x6e\xb6\xf1\x69\x1f\xa1\x6e\x1a\xa3\x12\x6b\xa7\x14\xd5\xad\x64\x7c\xd8\xcc\x60\x30\x80\xb0\x6f\x0a\xaa\xe7\x45\x6b\x35\x83\x41\x94\xbe\xf7\x95\xd2\xb4\x54\x04\xd0\x46\xc4\xf2\x9f\x00\xce\x13\x44\x4f\xbc\xff\xfb\x11\x7a\x9c\x7f\x1e\x35\xc9\x0d\xee\xad\xb7\x5d\x3a\x4e\x01\xb7\xa5\xa1\x0f\x93\xdd\x31\xef\xc8\x6c\x0c\x11\x9b\x55\xd8\x3e\xbd\xa2\x9a\x90\x01\xb3\x28\x42\xa0\xf2\x28\xfc\x99\x35\x40\xe1\xb4\x72\xdc\xa6\x03\x75\x0d\xc9\x13\x3f\x9b\x07\x50\xc5\x9f\x6e\x57\x1b\x0f\x2c\x53\xcd\x45\x04\x61\x61\x82\xa3\xed\x9c\xf8\x81\xd2\x54\xb5\xd7\x2e\x8b\xfb\xa3\x3a\x1c\xa7\x9b\x2e\x19\x0b\x75\xf4\x31\x63\x1b\x98\x0e\xc0\x75\xdd\x6b\xcc\xff\xe
 1\x06\x07\x37\xe2\x6f\x84\xd6\xd1\xee\x5d\xe0\xba\x08\x3f\x5f\xe1\xfa\x25\xd4\xa8\x8f\x40\x2a\x01\xaf\x6c\x03\x5b\x68\x41\x25\xeb\xdd\x1a\x40\x4e\x1c\xc3\x90\xd8\x5f\x28\x2d\x83\x3d\x63\xd1\xcc\x6b\x93\xcd\x69\xd6\x21\x09\x4a\xb1\xda\xe7\xa3\xce\xbf\x19\x2b\xe1\xc7\x78\x80\x11\x6a\x6b\xa1\x6a\x69\xc9\x9f\x86\xb2\x0a\x51\xc7\x20\x38\xcc\xd2\xf5\xbc\xd5\xe8\x83\x39\xf8\xee\x55\x5c\x32\xfb\xc3\x6f\x40\x90\xde\x5e\x74\x8d\x41\x31\x4a\xbb\xa1\x0b\xe7\xa9\xdf\x3f\x4a\xe9\xa8\x98\x42\xd7\xa3\x82\xa2\x31\x2b\x6a\x0a\x08\xfa\x2a\x0d\x8a\xed\x22\x98\x3e\x9a\xaf\x63\x9d\x38\xa6\x1b\x88\xba\xc9\x01\x8d\xd2\x49\x26\x26\xe5\x7f\x94\x66\x5d\x32\x4b\xd1\xf3\x9c\xd5\xd0\xfa\x26\x1b\x16\x6d\x20\x6c\xe8\x40\x44\xa9\x79\x12\x32\x07\xf6\xce\x4e\x0d\x36\x3b\xe0\x8f\x9e\x38\xd9\x4d\x73\xc5\xd1\xce\xf2\x38\x23\xeb\x60\x67\xf5\x7f\x4a\x26\xb7\x3f\x55\x5f\x86\x2d\xda\x59\x09\x50\x97\xfb\xc9\x02\x00\x36\xad\x01\x9e\xfe\x18\xe0\xec\x04\xce\x0d\x32\x52\x5d\x20\xc8\xd6\xa0\xc8\x59\x5c\xf4\xb8\xfe\xbb\x75\xf3\x4f
 \x07\xa9\xbe\xc6\x7b\xcc\x76\x82\x99\xbe\x8f\x64\x8c\x20\xf5\x76\x35\x88\x22\x64\x40\x1c\xcf\x88\x2f\x47\xa9\xc6\x49\xb8\x1d\x42\xba\xbc\x3b\x5a\x75\xfe\x7d\x69\x83\x64\xd9\xcf\x09\xe4\xd1\x80\x2e\x8f\x1a\xe6\xf7\x2c\xb0\x16\x91\x74\x0a\x84\x9c\x90\xe1\x72\x34\xd9\x0d\x80\x70\xe3\xf6\xcb\xfa\x0f\xa7\xb7\x62\xef\xb8\x45\xd9\x27\x52\x55\x16\xfd\xb4\xcc\x1b\x22\x00\x78\x9a\xc4\x44\xfb\x2c\x56\xa3\x6b\xfe\x5a\x79\x97\x9b\xf3\x69\xa5", 
4096);
*(uint64_t*)0x200018b8 = 0;
*(uint64_t*)0x200018c0 = 0;
*(uint64_t*)0x200018c8 = 0;
*(uint64_t*)0x200018d0 = 0;
*(uint64_t*)0x200018d8 = 0;
*(uint64_t*)0x200018e0 = 0;
*(uint64_t*)0x200018e8 = 0;
*(uint64_t*)0x200018f0 = 0;
*(uint64_t*)0x200018f8 = 0;
*(uint64_t*)0x20001900 = 0;
*(uint64_t*)0x20001908 = 0;
*(uint64_t*)0x20001910 = 0;
*(uint64_t*)0x20001918 = 0;
*(uint64_t*)0x20001920 = 0;
*(uint64_t*)0x20001928 = 0;
*(uint64_t*)0x20001930 = 0;
*(uint64_t*)0x20001938 = 0;
*(uint64_t*)0x20001940 = 0;
*(uint64_t*)0x20001948 = 0;
*(uint64_t*)0x20001950 = 0;
*(uint64_t*)0x20001958 = 0;
*(uint64_t*)0x20001960 = 0;
*(uint64_t*)0x20001968 = 0;
*(uint64_t*)0x20001970 = 0;
*(uint64_t*)0x20001978 = 0;
*(uint64_t*)0x20001980 = 0;
*(uint64_t*)0x20001988 = 0;
*(uint64_t*)0x20001990 = 0;
*(uint64_t*)0x20001998 = 0;
*(uint64_t*)0x200019a0 = 0;
*(uint64_t*)0x200019a8 = 0;
*(uint64_t*)0x200019b0 = 0;
*(uint64_t*)0x200019b8 = 0;
*(uint64_t*)0x200019c0 = 0;
*(uint64_t*)0x200019c8 = 0;
*(uint64_t*)0x200019d0 = 0;
*(uint64_t*)0x200019d8 = 0;
*(uint64_t*)0x200019e0 = 0;
*(uint64_t*)0x200019e8 = 0;
*(uint64_t*)0x200019f0 = 0;
*(uint64_t*)0x200019f8 = 0;
*(uint64_t*)0x20001a00 = 0;
*(uint64_t*)0x20001a08 = 0;
*(uint64_t*)0x20001a10 = 0;
*(uint64_t*)0x20001a18 = 0;
*(uint64_t*)0x20001a20 = 0;
*(uint64_t*)0x20001a28 = 0;
*(uint64_t*)0x20001a30 = 0;
*(uint64_t*)0x20001a38 = 0;
*(uint64_t*)0x20001a40 = 0;
*(uint64_t*)0x20001a48 = 0;
*(uint64_t*)0x20001a50 = 0;
*(uint64_t*)0x20001a58 = 0;
*(uint64_t*)0x20001a60 = 0;
*(uint64_t*)0x20001a68 = 0;
*(uint64_t*)0x20001a70 = 0;
*(uint64_t*)0x20001a78 = 0;
*(uint64_t*)0x20001a80 = 0;
*(uint64_t*)0x20001a88 = 0;
*(uint64_t*)0x20001a90 = 0;
*(uint64_t*)0x20001a98 = 0;
*(uint64_t*)0x20001aa0 = 0;
*(uint64_t*)0x20001aa8 = 0;
*(uint64_t*)0x20001ab0 = 0;
*(uint64_t*)0x20001ab8 = 0;
*(uint64_t*)0x20001ac0 = 0;
*(uint64_t*)0x20001ac8 = 0;
*(uint64_t*)0x20001ad0 = 0;
*(uint64_t*)0x20001ad8 = 0;
*(uint64_t*)0x20001ae0 = 0;
*(uint64_t*)0x20001ae8 = 0;
*(uint64_t*)0x20001af0 = 0;
*(uint64_t*)0x20001af8 = 0;
*(uint64_t*)0x20001b00 = 0;
*(uint64_t*)0x20001b08 = 0;
*(uint64_t*)0x20001b10 = 0;
*(uint64_t*)0x20001b18 = 0;
*(uint64_t*)0x20001b20 = 0;
*(uint64_t*)0x20001b28 = 0;
*(uint64_t*)0x20001b30 = 0;
*(uint64_t*)0x20001b38 = 0;
*(uint64_t*)0x20001b40 = 0;
*(uint64_t*)0x20001b48 = 0;
*(uint64_t*)0x20001b50 = 0;
*(uint64_t*)0x20001b58 = 0;
*(uint64_t*)0x20001b60 = 0;
*(uint64_t*)0x20001b68 = 0;
*(uint64_t*)0x20001b70 = 0;
*(uint64_t*)0x20001b78 = 0;
*(uint64_t*)0x20001b80 = 0;
*(uint64_t*)0x20001b88 = 0;
*(uint64_t*)0x20001b90 = 0;
*(uint64_t*)0x20001b98 = 0;
*(uint64_t*)0x20001ba0 = 0;
*(uint64_t*)0x20001ba8 = 0;
*(uint64_t*)0x20001bb0 = 0;
*(uint64_t*)0x20001bb8 = 0;
*(uint64_t*)0x20001bc0 = 0;
*(uint64_t*)0x20001bc8 = 0;
*(uint64_t*)0x20001bd0 = 0;
*(uint64_t*)0x20001bd8 = 0;
*(uint64_t*)0x20001be0 = 0;
*(uint64_t*)0x20001be8 = 0;
*(uint64_t*)0x20001bf0 = 0;
*(uint64_t*)0x20001bf8 = 0;
*(uint64_t*)0x20001c00 = 0;
*(uint64_t*)0x20001c08 = 0;
*(uint64_t*)0x20001c10 = 0;
*(uint64_t*)0x20001c18 = 0;
*(uint64_t*)0x20001c20 = 0;
*(uint64_t*)0x20001c28 = 0;
*(uint64_t*)0x20001c30 = 0;
*(uint64_t*)0x20001c38 = 0;
*(uint64_t*)0x20001c40 = 0;
*(uint64_t*)0x20001c48 = 0;
*(uint64_t*)0x20001c50 = 0;
*(uint64_t*)0x20001c58 = 0;
*(uint64_t*)0x20001c60 = 0;
*(uint64_t*)0x20001c68 = 0;
*(uint64_t*)0x20001c70 = 0;
*(uint64_t*)0x20001c78 = 0;
*(uint64_t*)0x20001c80 = 0;
*(uint64_t*)0x20001c88 = 0;
*(uint64_t*)0x20001c90 = 0;
*(uint64_t*)0x20001c98 = 0;
*(uint64_t*)0x20001ca0 = 0;
*(uint64_t*)0x20001ca8 = 0;
*(uint64_t*)0x20001cb0 = 0;
*(uint64_t*)0x20001cb8 = 0;
*(uint64_t*)0x20001cc0 = 0;
*(uint64_t*)0x20001cc8 = 0;
*(uint64_t*)0x20001cd0 = 0;
*(uint64_t*)0x20001cd8 = 0;
*(uint64_t*)0x20001ce0 = 0;
*(uint64_t*)0x20001ce8 = 0;
*(uint64_t*)0x20001cf0 = 0;
*(uint64_t*)0x20001cf8 = 0;
*(uint64_t*)0x20001d00 = 0;
*(uint64_t*)0x20001d08 = 0;
*(uint64_t*)0x20001d10 = 0;
*(uint64_t*)0x20001d18 = 0;
*(uint64_t*)0x20001d20 = 0;
*(uint64_t*)0x20001d28 = 0;
*(uint64_t*)0x20001d30 = 0;
*(uint64_t*)0x20001d38 = 0;
*(uint64_t*)0x20001d40 = 0;
*(uint64_t*)0x20001d48 = 0;
*(uint64_t*)0x20001d50 = 0;
*(uint64_t*)0x20001d58 = 0;
*(uint64_t*)0x20001d60 = 0;
*(uint64_t*)0x20001d68 = 0;
*(uint64_t*)0x20001d70 = 0;
*(uint64_t*)0x20001d78 = 0;
*(uint64_t*)0x20001d80 = 0;
*(uint64_t*)0x20001d88 = 0;
*(uint64_t*)0x20001d90 = 0;
*(uint64_t*)0x20001d98 = 0;
*(uint64_t*)0x20001da0 = 0;
*(uint64_t*)0x20001da8 = 0;
*(uint64_t*)0x20001db0 = 0;
*(uint64_t*)0x20001db8 = 0;
*(uint64_t*)0x20001dc0 = 0;
*(uint64_t*)0x20001dc8 = 0;
*(uint64_t*)0x20001dd0 = 0;
*(uint64_t*)0x20001dd8 = 0;
*(uint64_t*)0x20001de0 = 0;
*(uint64_t*)0x20001de8 = 0;
*(uint64_t*)0x20001df0 = 0;
*(uint64_t*)0x20001df8 = 0;
*(uint64_t*)0x20001e00 = 0;
*(uint64_t*)0x20001e08 = 0;
*(uint64_t*)0x20001e10 = 0;
*(uint64_t*)0x20001e18 = 0;
*(uint64_t*)0x20001e20 = 0;
*(uint64_t*)0x20001e28 = 0;
*(uint64_t*)0x20001e30 = 0;
*(uint64_t*)0x20001e38 = 0;
*(uint64_t*)0x20001e40 = 0;
*(uint64_t*)0x20001e48 = 0;
*(uint64_t*)0x20001e50 = 0;
*(uint64_t*)0x20001e58 = 0;
*(uint64_t*)0x20001e60 = 0;
*(uint64_t*)0x20001e68 = 0;
*(uint64_t*)0x20001e70 = 0;
*(uint64_t*)0x20001e78 = 0;
*(uint64_t*)0x20001e80 = 0;
*(uint64_t*)0x20001e88 = 0;
*(uint64_t*)0x20001e90 = 0;
*(uint64_t*)0x20001e98 = 0;
*(uint64_t*)0x20001ea0 = 0;
*(uint64_t*)0x20001ea8 = 0;
*(uint64_t*)0x20001eb0 = 0;
*(uint64_t*)0x20001eb8 = 0;
*(uint64_t*)0x20001ec0 = 0;
*(uint64_t*)0x20001ec8 = 0;
*(uint64_t*)0x20001ed0 = 0;
*(uint64_t*)0x20001ed8 = 0;
*(uint64_t*)0x20001ee0 = 0;
*(uint64_t*)0x20001ee8 = 0;
*(uint64_t*)0x20001ef0 = 0;
*(uint64_t*)0x20001ef8 = 0;
*(uint64_t*)0x20001f00 = 0;
*(uint64_t*)0x20001f08 = 0;
*(uint64_t*)0x20001f10 = 0;
*(uint64_t*)0x20001f18 = 0;
*(uint64_t*)0x20001f20 = 0;
*(uint64_t*)0x20001f28 = 0;
*(uint64_t*)0x20001f30 = 0;
*(uint64_t*)0x20001f38 = 0;
*(uint64_t*)0x20001f40 = 0;
*(uint64_t*)0x20001f48 = 0;
*(uint64_t*)0x20001f50 = 0;
*(uint64_t*)0x20001f58 = 0;
*(uint64_t*)0x20001f60 = 0;
*(uint64_t*)0x20001f68 = 0;
*(uint64_t*)0x20001f70 = 0;
*(uint64_t*)0x20001f78 = 0;
*(uint64_t*)0x20001f80 = 0;
*(uint64_t*)0x20001f88 = 0;
*(uint64_t*)0x20001f90 = 0;
*(uint64_t*)0x20001f98 = 0;
*(uint64_t*)0x20001fa0 = 0;
*(uint64_t*)0x20001fa8 = 0;
*(uint64_t*)0x20001fb0 = 0;
*(uint64_t*)0x20001fb8 = 0;
*(uint64_t*)0x20001fc0 = 0;
*(uint64_t*)0x20001fc8 = 0;
*(uint64_t*)0x20001fd0 = 0;
*(uint64_t*)0x20001fd8 = 0;
*(uint64_t*)0x20001fe0 = 0;
*(uint64_t*)0x20001fe8 = 0;
*(uint64_t*)0x20001ff0 = 0;
*(uint64_t*)0x20001ff8 = 0;
*(uint64_t*)0x20002000 = 0;
*(uint64_t*)0x20002008 = 0;
*(uint64_t*)0x20002010 = 0;
*(uint64_t*)0x20002018 = 0;
*(uint64_t*)0x20002020 = 0;
*(uint64_t*)0x20002028 = 0;
*(uint64_t*)0x20002030 = 0;
*(uint64_t*)0x20002038 = 0;
*(uint64_t*)0x20002040 = 0;
*(uint64_t*)0x20002048 = 0;
*(uint64_t*)0x20002050 = 0;
*(uint64_t*)0x20002058 = 0;
*(uint64_t*)0x20002060 = 0;
*(uint64_t*)0x20002068 = 0;
*(uint64_t*)0x20002070 = 0;
*(uint64_t*)0x20002078 = 0;
*(uint64_t*)0x20002080 = 0;
*(uint64_t*)0x20002088 = 0;
*(uint64_t*)0x20002090 = 0;
*(uint64_t*)0x20002098 = 0;
*(uint64_t*)0x200020a0 = 0;
*(uint64_t*)0x200020a8 = 0;
*(uint64_t*)0x200020b0 = 0;
     /* write the prepared 0x1878-byte buffer to the console; the KASAN trace
      * above shows this path (con_write -> csi_J -> do_update_region) faulting */
     syscall(__NR_write, r[3], 0x20000840ul, 0x1878ul);
     return 0;
}

On 2020/10/20 17:02, Yang Yingliang wrote:
> I got a UAF report in do_update_region() when I was doing a fuzz test.
>
> [   51.161905] BUG: KASAN: use-after-free in do_update_region+0x579/0x600
> [   51.161918] Read of size 2 at addr ffff888000100000 by task test/295
>
> [   51.161957] CPU: 2 PID: 295 Comm: test Not tainted 5.7.0+ #975
> [   51.161969] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
> [   51.161976] Call Trace:
> [   51.162001]  dump_stack+0xc6/0x11e
> [   51.162019]  ? do_update_region+0x579/0x600
> [   51.162047]  print_address_description.constprop.6+0x1a/0x220
> [   51.162083]  ? vprintk_func+0x66/0xed
> [   51.162100]  ? do_update_region+0x579/0x600
> [   51.162112]  ? do_update_region+0x579/0x600
> [   51.162128]  kasan_report.cold.9+0x37/0x7c
> [   51.162151]  ? do_update_region+0x579/0x600
> [   51.162173]  do_update_region+0x579/0x600
> [   51.162207]  ? con_get_trans_old+0x230/0x230
> [   51.162229]  ? retint_kernel+0x10/0x10
> [   51.162278]  csi_J+0x557/0xa00
> [   51.162307]  do_con_trol+0x49af/0x5cc0
> [   51.162330]  ? lock_downgrade+0x720/0x720
> [   51.162347]  ? reset_palette+0x1b0/0x1b0
> [   51.162369]  ? lockdep_hardirqs_on_prepare+0x379/0x540
> [   51.162393]  ? notifier_call_chain+0x11b/0x160
> [   51.162438]  do_con_write.part.24+0xb0a/0x1a30
> [   51.162501]  ? do_con_trol+0x5cc0/0x5cc0
> [   51.162522]  ? console_unlock+0x7b8/0xb00
> [   51.162555]  ? __mutex_unlock_slowpath+0xd4/0x670
> [   51.162574]  ? this_tty+0xe0/0xe0
> [   51.162589]  ? console_unlock+0x559/0xb00
> [   51.162605]  ? wait_for_completion+0x260/0x260
> [   51.162638]  con_write+0x31/0xb0
> [   51.162658]  n_tty_write+0x4fa/0xd40
> [   51.162710]  ? n_tty_read+0x1800/0x1800
> [   51.162730]  ? prepare_to_wait_exclusive+0x270/0x270
> [   51.162754]  ? __might_fault+0x175/0x1b0
> [   51.162783]  tty_write+0x42b/0x8d0
> [   51.162795]  ? n_tty_read+0x1800/0x1800
> [   51.162825]  ? tty_lookup_driver+0x450/0x450
> [   51.162848]  __vfs_write+0x7c/0x100
> [   51.162875]  vfs_write+0x1c9/0x510
> [   51.162901]  ksys_write+0xff/0x200
> [   51.162918]  ? __ia32_sys_read+0xb0/0xb0
> [   51.162940]  ? do_syscall_64+0x1a/0x520
> [   51.162957]  ? lockdep_hardirqs_on_prepare+0x379/0x540
> [   51.162984]  do_syscall_64+0xa1/0x520
> [   51.163008]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
>
> After vgacon_set_origin() is called in set_origin(), the vc_origin is
> set to vga_vram_base, so vc_pos should be between vga_vram_base and
> vga_vram_end. But we still use vc_screenbuf_size; if vga_vram_size
> is smaller than vc_screenbuf_size, vc_pos may be out of bounds, and using it
> will cause a use-after-free (or out-of-bounds access). Fix this by calling
> vc_resize() if vga_vram_size is smaller than vc_screenbuf_size.
>
> Signed-off-by: Yang Yingliang<yangyingliang@huawei.com>
> ---
>  drivers/video/console/vgacon.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/drivers/video/console/vgacon.c 
> b/drivers/video/console/vgacon.c
> index 998b0de..2ee3d62 100644
> --- a/drivers/video/console/vgacon.c
> +++ b/drivers/video/console/vgacon.c
> @@ -1336,6 +1336,9 @@ static int vgacon_set_origin(struct vc_data *c)
>      if (vga_is_gfx ||    /* We don't play origin tricks in graphic 
> modes */
>          (console_blanked && !vga_palette_blanked))    /* Nor we write 
> to blanked screens */
>          return 0;
> +
> +    if (c->vc_screenbuf_size > vga_vram_size)
> +        vc_resize(c, screen_info.orig_video_cols, 
> screen_info.orig_video_lines);
>      c->vc_origin = c->vc_visible_origin = vga_vram_base;
>      vga_set_mem_top(c);
>      vga_rolled_over = 0;
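Review bot: the return value of vc_resize() is discarded at `+        vc_resize(c, screen_info.orig_video_cols, screen_info.orig_video_lines);`, so if the resize fails the function still falls through to `c->vc_origin = c->vc_visible_origin = vga_vram_base;` with vc_screenbuf_size still larger than vga_vram_size, which is exactly the condition this patch is meant to rule out. Suggest bailing out on failure, e.g. `if (vc_resize(c, screen_info.orig_video_cols, screen_info.orig_video_lines)) return 0;`, mirroring the `return 0;` already used for the gfx/blanked cases above. A short comment on why the orig_video_cols/orig_video_lines geometry is guaranteed to fit in vga_vram_size would also help, since the new check compares sizes but the resize target is chosen without reference to vga_vram_size.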
>
> .



* Re: [PATCH resend] vgacon: fix a UAF in do_update_region()
@ 2020-10-20  9:20       ` Yang Yingliang
  0 siblings, 0 replies; 14+ messages in thread
From: Yang Yingliang @ 2020-10-20  9:20 UTC (permalink / raw)
  To: Sam Ravnborg, Greg Kroah-Hartman
  Cc: b.zolnierkie, linux-fbdev, linux-kernel, dri-devel

C reproducer:

// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <endian.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

static long syz_open_dev(volatile long a0, volatile long a1, volatile 
long a2)
{
     if (a0 = 0xc || a0 = 0xb) {
         char buf[128];
         sprintf(buf, "/dev/%s/%d:%d", a0 = 0xc ? "char" : "block", 
(uint8_t)a1, (uint8_t)a2);
         return open(buf, O_RDWR, 0);
     } else {
         char buf[1024];
         char* hash;
strncpy(buf, (char*)a0, sizeof(buf) - 1);
         buf[sizeof(buf) - 1] = 0;
         while ((hash = strchr(buf, '#'))) {
             *hash = '0' + (char)(a1 % 10);
             a1 /= 10;
         }
         return open(buf, a2, 0);
     }
}

uint64_t r[4] = {0xffffffffffffffff, 0xffffffffffffffff, 
0xffffffffffffffff, 0xffffffffffffffff};

int main(void)
{
         syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x32ul, -1, 0);
                 intptr_t res = 0;
     res = syz_open_dev(0xc, 4, 1);
     if (res != -1)
         r[0] = res;
     syscall(__NR_ioctl, r[0], 0x4b3aul, 1ul);
     res = syz_open_dev(0xc, 4, 1);
     if (res != -1)
         r[1] = res;
*(uint16_t*)0x20000000 = 0x4d;
*(uint16_t*)0x20000002 = 0x1000;
*(uint16_t*)0x20000004 = 0xf1;
     syscall(__NR_ioctl, r[1], 0x5609ul, 0x20000000ul);
     res = syz_open_dev(0xc, 4, 1);
     if (res != -1)
         r[2] = res;
     syscall(__NR_ioctl, r[2], 0x4b3aul, 0ul);
     res = syz_open_dev(0xc, 4, 1);
     if (res != -1)
         r[3] = res;
*(uint8_t*)0x20000840 = 0x7f;
*(uint8_t*)0x20000841 = 0x45;
*(uint8_t*)0x20000842 = 0x4c;
*(uint8_t*)0x20000843 = 0x46;
*(uint8_t*)0x20000844 = 5;
*(uint8_t*)0x20000845 = 6;
*(uint8_t*)0x20000846 = 5;
*(uint8_t*)0x20000847 = 9;
*(uint64_t*)0x20000848 = 0xfffffffffffffffa;
*(uint16_t*)0x20000850 = 3;
*(uint16_t*)0x20000852 = 3;
*(uint32_t*)0x20000854 = 0x117;
*(uint32_t*)0x20000858 = 0x45;
*(uint32_t*)0x2000085c = 0x38;
*(uint32_t*)0x20000860 = 0x1df;
*(uint32_t*)0x20000864 = 5;
*(uint16_t*)0x20000868 = 4;
*(uint16_t*)0x2000086a = 0x20;
*(uint16_t*)0x2000086c = 2;
*(uint16_t*)0x2000086e = 0x1ff;
*(uint16_t*)0x20000870 = 0x55;
*(uint16_t*)0x20000872 = 0xfffb;
*(uint32_t*)0x20000878 = 4;
*(uint32_t*)0x2000087c = 4;
*(uint32_t*)0x20000880 = 4;
*(uint32_t*)0x20000884 = 1;
*(uint32_t*)0x20000888 = 1;
*(uint32_t*)0x2000088c = 3;
*(uint32_t*)0x20000890 = 7;
*(uint32_t*)0x20000894 = 0xfff;
*(uint32_t*)0x20000898 = 3;
*(uint32_t*)0x2000089c = 5;
*(uint32_t*)0x200008a0 = 3;
*(uint32_t*)0x200008a4 = 1;
*(uint32_t*)0x200008a8 = 0x3f;
*(uint32_t*)0x200008ac = 0x200;
*(uint32_t*)0x200008b0 = 4;
*(uint32_t*)0x200008b4 = 7;
memcpy((void*)0x200008b8, 
"\x8b\x9f\xd8\xbb\x23\x11\x17\xf4\xeb\xa2\x19\x08\xb0\xe4\xe5\xe9\x98\x81\x1b\x24\x48\xaa\xfd\x8c\x01\x15\xeb\xa2\xf6\x28\x38\xd9\xa4\xd3\x4f\xfc\x91\x7c\x66\x3e\xb0\xbf\xe0\x18\x15\xd4\xe2\x33\x5f\x2b\x09\x27\x4c\x9c\x46\x94\xae\xcd\x39\x27\xd9\x73\xf7\xfb\xb5\x31\xe9\xef\x67\x1c\xd2\x35\x0c\x03\x71\xca\xec\x86\x38\x8a\xf1\xce\xb3\x3d\xc6\x06\x43\xb9\x04\xe4\x40\x91\x0d\xf3\xc9\x97\xcf\xc2\x01\x2b\x20\xa1\x90\x65\x37\xef\x89\xca\xde\x7b\xb1\x51\x41\xc8\xe9\x97\x68\x93\x46\xe7\x1c\x49\x99\x7f\xcd\xb8\x6a\x0e\x5b\x99\xe2\x0a\xaf\x61\x3c\x07\xac\x58\x73\xc1\x9e\x10\xda\x89\x25\xeb\x77\x62\x38\x8c\xca\x50\x93\x68\x72\x53\x32\xb7\xee\xb8\x53\x2b\x32\x99\xce\x87\xe4\xcf\x1f\x57\x2a\xa9\x8c\x1b\x0f\x0b\x48\xcd\x46\x00\xab\xad\xd8\x95\xe8\xb6\x71\xb0\x47\x05\x86\x94\x5c\x4f\x88\x35\x1e\xe7\xf7\x9e\xbc\x3f\x86\xa8\x14\xbf\xe8\xbe\x20\xb1\xd0\x31\x05\x84\x8d\xce\xea\x90\xca\x8d\xd4\x2e\xbb\x57\xdc\xb7\xae\x18\x2d\x07\x79\x6a\x85\xa0\x57\x01\xff\x0f\x13\xfe\x9e\xeb\xf1\x8c\xc7\xd0\x8e\x68\xe5\x84\xfd\x39\x0e\x16\x77\xea\x00\x6f\x71\x94\x1b\xfc\xd5\x98\xf7\xea\x68\xbd\xd3\x8d\xbd\x39\x48\x9f\xd6\x0a\x2f\x95\x04\x28\x81\xf6\x70\xb9\xe4\xde\x90\x92\xd2\x98\xf1\x0b\x36\x27\x65\x7f\x59\xf3\xef\x43\x73\xc5\x24\x69\x05\xc0\x24\x41\x31\xc5\x93\x40\x00\x13\xbf\x5f\x66\xfb\xf6\x26\xd8\xb9\xdf\x58\xf1\xc6\x7d\x35\xcb\xbb\x8d\x28\x53\x73\xb5\xc1\x0e\x24\xab\x76\xbe\x12\x58\xfb\xd3\x66\xa7\x3b\xad\x89\x9f\xb5\x49\x5d\x8d\x3b\x29\xfd\x4e\xa2\xa8\xda\xe6\xf7\xb8\x24\x5c\x6c\x50\x40\xdb\x9e\x14\x6a\xe3\x00\x59\xee\x55\x44\x1f\x45\xcf\x37\x91\xeb\xc9\xc2\x63\xec\x18\x30\x89\x85\x00\x79\xaf\x65\xc6\xa9\x90\x04\x5e\x68\x5c\xf5\xc0\x9f\xe2\xf1\x85\xcd\xb3\xa7\x83\xb3\x85\xb0\x29\x24\x27\xf4\xbe\x72\xbd\xe3\x07\x8d\x25\x6b\x63\x58\xb7\xce\x71\xb8\x76\x09\x9d\xd0\xec\x94\x4c\x72\xa0\x17\x82\x83\x26\xee\x81\xbe\x0c\xff\x70\x16\x38\x48\xf4\x3e\xdb\xe0\x9f\x6b\x88\x95\xb2\xb6\xb7\x76\x19\xee\xa0\x91\x11\xd5\xb3\xc4\x2e\x5e\x9e\xc4\x62\x7b\xf7\x28\x14\xf9\x0a\xf0\x2b\x5c\x23\x41\x39\x3f\x38\x12\xe2\xf
1\xa1\x70\xa6\x6b\xc8\x44\xd9\x2b\x02\x64\x69\x21\x44\x4d\xd8\x50\x0d\xf7\x01\xb2\xb0\x6a\x43\x25\x74\x78\x18\x72\x30\x42\x5e\x36\x4c\x65\x3d\xee\x51\xda\xc2\x55\x93\x65\x5b\xb4\x92\x3b\xf9\x00\x2c\x6e\x18\x04\xe8\x1b\x40\x9a\x57\x7e\xfb\x3f\xef\x89\xce\xe9\x8e\xa4\xc1\x5b\x63\xec\x26\xe6\x10\x2e\x69\x25\x84\x77\x97\xb2\xfb\x87\x0b\x11\x27\xdb\xd3\xd4\x7f\x5e\x9e\x33\x2e\xd3\xb2\x9b\x22\xeb\x29\xeb\x36\x61\xc2\xd0\x22\xaf\x79\x40\x61\xe7\xdf\xce\x88\xd6\x06\x43\x9d\xec\x6f\x57\x20\x92\x73\x38\x37\x65\x81\xd6\xe6\x27\x8a\x50\xb8\x93\x7c\xdc\x1f\xf0\xfe\x01\x3f\x9f\x3c\x6c\x1b\x7a\xa8\x93\xbf\x3a\x06\x6a\x18\x02\x79\x2f\x62\x9b\x12\x16\x5f\xaa\x80\xc7\xfe\xc2\xad\xd9\xec\xa6\x61\x7c\xda\x79\xf3\xc5\x85\x2f\x2b\xcd\xa2\x53\xbc\x71\x54\xeb\x32\x75\x82\x38\xed\xf0\x2a\x6a\xad\xc2\x56\xfe\x75\x14\x81\xee\x03\x32\x1a\xb8\xf9\x92\x5a\x06\x6f\xd4\xc0\x76\x5f\x2b\xee\x51\x68\xc4\x4c\x0f\x86\xe9\x51\x53\xe7\x8d\x60\xd2\xc8\xc2\xf7\x45\xee\xfa\x04\x6b\xa0\x61\x18\xf4\x7d\xc5\x46\x13\x52\xb0\xe6\x8d\x4e\x53\x49\x16\x26\x9a\x07\xc1\x78\xa8\x61\x7d\x43\x5e\x14\x12\xf9\x8d\x6b\x6b\xac\xb1\x78\x86\x3f\xc6\xc2\xf2\xee\x65\x47\x12\x6f\xb2\xef\x8a\x4d\x83\xfd\xe6\x8c\xe9\x69\x22\x1b\x8b\x2b\xfa\x0d\x75\xc1\xb9\x77\x7d\x1e\x44\x03\xfa\x2e\xd8\x82\xd7\x15\x7b\x24\x7b\x65\x62\x6d\xff\x84\xba\x3c\x02\x95\xb3\xa9\x15\xc9\x12\xd5\xd7\xf7\x9d\xa1\xfc\xf0\x08\x0e\x47\xfb\xbb\xed\x26\xf5\x23\x2d\x07\x11\x76\x04\x5e\x82\x89\xef\xf0\x95\x24\x15\xe2\xeb\xf6\x49\x9e\xa2\x9f\x67\xce\x97\xf8\x84\x21\xd6\x9f\x1f\x95\x5d\xe0\xe8\xc2\xe0\x37\xf2\x0f\x64\x8c\xfe\x88\x3a\x0d\xa6\x54\x36\xb0\x24\x45\xd0\x29\x70\xb8\xfd\x4b\xa6\xe3\x44\xa8\xd7\xef\xa2\x43\x5a\x04\xc1\x64\xe1\x6d\x32\xae\xbb\xa9\xa6\x7e\x9a\x6d\x66\x0f\x29\x51\xe8\x42\xf4\x03\xdd\xdc\xe0\x4c\x82\x8b\xeb\x00\x4d\xa1\x68\x6f\xa0\x85\xf0\xb2\xd7\xdd\x2a\xfe\x33\x49\x8f\x69\xfa\xf3\xa0\x7c\xd2\x10\x74\x16\xed\x79\x0d\x56\x9c\x3d\xf5\x2d\x39\xde\x5b\x53\x72\xf5\x57\x0e\xfc\x3d\x06\xc9\xc3\x15\xba\x7f\x70\xbe\x89\xfa\xaf\x16\xd1\xea\xd5\x6a\x84\x7
1\x12\x60\x4b\x77\x28\xbe\xee\x7e\xff\x62\xd4\xfc\x56\xd8\x93\x60\xb7\xcb\xe1\x05\x57\x69\x41\xd3\x04\x73\x3a\x4e\x8f\xc5\x34\x36\x8b\x69\x0a\x69\xca\x77\x6a\xb1\x5b\xdc\x24\x22\xbb\x16\x56\x2b\x5b\x0f\x65\x8f\x7d\xc9\x95\x96\xa1\x70\x48\x5a\x83\x6e\xfc\xc5\x32\x5e\x61\xf6\x6b\xca\x65\x96\x0a\x73\x6f\x2f\xf3\x38\x33\xa4\x8c\x40\xae\x36\x9c\x43\xda\xc3\x40\xc8\xdd\x64\x27\x99\xb3\x47\xf3\xc1\x0f\xcd\x57\x03\x52\x0e\xea\xd9\x8f\x43\x6c\x97\x73\xd6\x8c\xd5\xe7\xf0\x8a\x5f\x44\x71\x55\xe9\xc6\x11\x56\x83\x3b\xa0\x5a\xd9\x49\x89\x5b\x04\x69\x7a\xe0\x00\xd6\xb4\x33\xd5\xe7\xd6\xfc\x99\xf5\xb2\xfb\xb9\x95\x7a\xfd\xd9\x37\x1f\x7e\x7d\x91\xe7\xa4\x7b\xa8\xfe\xd2\x32\xf0\x14\xcf\x9f\x12\xff\x5c\xbf\xa7\x0a\xd0\x6a\x8e\xe7\x1d\x0b\x69\xdf\x7b\x58\x17\xdc\xf4\x3d\xc0\xe2\x84\x7a\x53\x19\xcc\x04\x42\x57\x24\x9b\xdd\x16\xef\x06\xc8\x17\xad\x44\x5b\x0e\xaf\xc6\xe2\xca\x57\x80\x54\x78\x88\xde\x21\xc8\xeb\xa3\xa1\xaf\xfc\x6d\x2b\xd8\xe1\x54\xe6\x5a\x3e\x78\xc9\xc6\xe9\x19\x19\x14\x1e\x38\xdf\x9a\xf3\xae\x62\x72\x88\xa5\xd0\xc6\x04\xca\x80\xd3\x82\xe9\xed\xec\x95\xc2\x2c\x30\x95\x56\x31\x82\x34\xbf\x39\x38\x1e\x89\x3a\xc9\xf8\xf3\x28\x59\x2c\x82\xa5\x36\xb3\x73\x3c\x35\xf1\x8a\xde\xc3\x0b\xf1\x63\x65\xb8\x3d\x87\x8b\x34\x01\x7d\x8b\x57\xcd\xa9\x85\x69\x55\x6f\x7e\x29\x2a\xeb\x16\xa1\xba\x3a\x53\xe1\xe6\x8e\xe2\xa5\x27\x59\x9a\xae\x6b\xfb\x5c\x97\xfa\x20\x58\x3c\x5a\xc5\x6a\x01\xaa\xd4\x88\x23\x71\xfd\x79\xb8\xde\xf1\x94\xc4\xea\x97\x23\xd9\x67\x63\xe4\x26\xa0\x41\x15\xc4\x37\x1f\x24\xdf\x50\x90\xbd\x79\x96\x8b\x07\xc9\xab\x5e\x36\xc9\x7a\x3b\x2e\x02\xfa\x12\x34\xfb\xa2\x6d\xc4\xf7\xe3\x6d\xa4\xc2\x75\x65\x75\x83\x68\x79\x2a\x33\x57\x7e\xf5\xf9\x37\xd0\x16\xae\x7e\x71\x0a\x2e\x20\x34\xfb\xdc\x6a\xd9\xbc\xda\xbb\x80\x27\x9a\x4d\x91\x72\x10\xa8\x09\xe7\xb1\x70\x9b\x03\x07\x6b\x06\xa3\xc5\xbd\x90\x84\x0a\x4b\x13\x7a\x55\x80\xb7\x99\x65\xe4\x2d\x55\x07\x99\x5c\x3f\x10\x15\xa3\xe5\xf7\x8c\x69\x74\x0f\x73\x28\x9e\xb7\xcd\xda\xb9\xee\x98\x88\xc2\x01\x4a\x8f\xb9\x04\x87\x67\x5c\xd6\x91\xf7\xd
8\x60\x21\xb3\xfc\x01\x52\x0c\xe4\xa6\xe4\x5c\x0d\x6e\xc1\x08\xbc\x57\x78\x3c\xa0\xff\xd4\x1c\x94\x21\x44\x4e\x77\x45\x9e\x37\xe7\xe2\xab\x3b\xd6\x2e\x89\xc5\x09\x0d\x76\xa2\xb4\x0e\x1f\xc0\x87\xda\x87\xf9\xda\x4f\xe8\xa5\x00\x37\x57\x80\xd9\x80\x43\xdd\x37\x28\x92\x06\xb1\xd3\x80\x08\x51\xde\xc6\x93\x24\xc8\x29\x2f\xb7\x69\xb2\x21\x1b\x7b\xc0\x63\x6b\xbb\x2f\xf4\xae\x2c\x5c\x3a\xab\x11\x6a\xe0\x3e\xf8\x77\x12\x2f\x05\x33\xdc\x0d\xbd\xe3\x71\x49\x16\x2b\xd9\xc4\xcd\xd5\xa7\x2b\x60\xb7\xd1\xb5\x45\x99\xe4\x49\xfd\x05\xbe\x9b\x97\x14\xb5\xf2\xaa\x5b\xd6\xcd\x7e\xcf\xa0\xea\x9b\x4a\x01\xec\x9a\x9e\xb9\x46\x1e\x1f\xd7\xb9\x46\x2e\x0a\xb8\xf8\x98\x90\xb4\xa4\x44\xfd\xf0\x32\xf4\xa8\x9f\x02\x23\x6c\xd1\x3f\xe9\xfe\x83\x9e\xa2\x86\x71\x2d\x2c\xdb\x5c\x56\x5c\xb5\x0d\x4d\x08\xe3\x74\xc3\xba\xcf\x00\x55\x8e\x03\x73\xe8\xa9\x1a\xe8\x76\x63\xb6\xf3\xc1\x41\xb3\x08\x9b\x7b\x42\x92\x78\xac\xad\x1a\xe4\x4f\xbc\x68\x64\x1c\x91\x0d\x1d\xa1\x84\x88\x2f\x51\x23\xb7\x43\x79\x8f\x83\xe5\xce\x41\x9d\x4a\xf6\x49\x25\x38\xac\x80\xd6\x72\x83\x12\x86\x9c\x39\x69\x0d\x36\x96\x6e\x0b\xd8\x7f\x8f\xc9\x0a\x50\x35\x82\x9c\x14\x51\x69\xa3\x4d\xee\x2c\x78\xfd\xa8\x26\xc8\xc1\x57\xb8\xf8\x16\xb0\x10\xd1\xe1\x26\xd3\xf1\x99\xb8\x04\xec\x24\x03\x5f\x72\x0b\xa0\xb5\x10\xd5\x8d\x50\xf9\x6a\x2e\x70\x4d\xbc\x51\x51\x5a\xa4\x60\x2e\xdf\x59\x1f\x6c\x7c\x21\xf2\xd9\xa4\x54\x6a\xe7\x05\xba\xda\x46\xc9\xa8\x8d\x7d\x3d\xe2\x3e\x4d\xef\x48\x4d\x14\xca\xdd\x33\xec\x11\x8c\xf6\xf8\x78\xad\x2f\xbc\x95\xff\x56\x76\x00\x25\xa8\xa7\x85\x36\xb6\x10\xcc\xf7\x1b\x90\xd2\x50\xf5\xd1\xb8\xf5\x2f\xd3\xad\x06\xed\x85\x29\x82\xce\xd5\xd3\xdc\xc9\xca\x8d\xfa\x7a\x6e\x30\x31\xe6\x0b\xce\xfc\x5a\xf7\xb7\x44\xd0\x6b\x41\x09\x1c\xe2\x70\x09\x36\x79\x74\x81\x82\xeb\x9e\x86\x7a\x35\xdb\xfd\xde\xab\x5b\x2e\x51\x40\x99\x23\x7c\xa8\x2b\x05\x54\x00\x2d\x73\x2a\xaa\xe3\x2b\xa5\x93\x3b\x47\xf0\x79\xf8\xe4\x2c\xbd\xdc\x26\x9f\xf6\xa0\x97\xa3\xc8\xaa\x08\xce\xfa\x39\x06\x21\x30\x8a\x4c\x49\x7d\xb3\xf9\xb2\x0c\x0d\xb3\xda\xb0\x14\xf6\x83\xb
7\x0b\xd1\xe1\x89\xf1\x8b\x45\x47\xfe\x95\xc6\xa7\x20\xbc\xa4\xc2\xdb\x64\xc3\x3a\xd4\x1a\x0c\xf7\xa3\xa9\xb6\xae\xf6\xa6\x7e\xee\xf1\x75\xf6\x43\xc9\xb6\xbd\x08\x58\x69\xf1\xa0\x71\x13\x38\xe7\xf2\x38\x18\x59\xd5\xaa\xf0\xb3\xe9\x08\x81\xb3\x71\xdb\x3b\xad\x38\xb0\xb0\x16\xf5\xfe\x37\x2e\x6d\x4e\xd8\xc9\x1a\x8f\x09\xfb\xec\xdc\x80\xaf\x28\x39\x74\x45\x1d\xd4\x23\x1c\x08\xd6\x7f\x52\x9b\xea\x5d\x65\xb5\x46\xb5\xf6\xfe\x73\xfa\x52\xfa\x58\x50\x6c\x3a\x11\x9f\x81\x2b\x25\xb6\xfb\x3e\x45\x9e\x96\xc6\x2c\xe9\x4c\xe8\xe6\x71\x54\x30\x60\x03\x3b\x97\xb0\x94\x11\x67\xd0\xd6\x85\x00\xc6\x2e\xb5\x1d\x28\xeb\xc4\x30\x8c\x7e\xf5\x17\xcc\x2b\x44\xb9\x5d\xf6\x66\x2a\x2e\xe0\x6d\xc8\x06\xb9\xf6\x67\xd9\x8d\x9d\x4a\x96\x4c\x59\x34\xc3\x56\xaf\x34\xfd\xb3\xc4\xaa\xd8\x60\x4b\x2c\xa5\x75\xd8\x12\x65\xb7\x63\xd5\xae\x2c\x93\x56\x7f\xc5\x73\xad\xee\x2d\xe3\xdf\x38\x3b\x0e\x24\x0b\x6c\x92\xd4\x04\xc9\x21\xd5\xd5\x9e\x8b\x61\xb5\xe1\xeb\x2d\x1f\x90\xed\x7f\xb6\x80\xc3\xd1\x91\x19\x49\x51\x77\x64\x22\x97\x4a\xf2\x69\x45\x3b\xf3\xbc\xcf\x43\x92\x67\x9d\x8b\xb2\xf8\x3a\x17\x6c\xd3\x48\xa4\xaa\x27\xfb\x09\xc2\x14\x7d\x99\x2a\x48\x6b\x6a\x66\x05\x90\x1f\x40\x43\x65\x62\xd5\xf1\x66\xaf\x76\x63\x53\x59\xb7\x04\xb7\xda\x1b\x42\xa9\xc0\x76\x4c\xd1\xcc\x2a\xa6\xb2\x73\x51\x68\x04\x28\x07\xfa\x28\xa6\x40\xb3\xd5\x18\x3d\x68\x60\x96\x23\x66\x03\x2d\x44\xa0\xc9\xca\xbe\xcd\xb7\x79\x87\x66\x7f\x90\x05\x1b\x42\xaa\x13\xef\xc9\x2e\x79\xcb\xa6\x71\x5e\xad\xf1\x9d\xaa\x95\xa0\x1a\x5c\x1c\x8c\x04\xf8\x94\xfb\x23\x51\x8d\x75\x8d\x3d\x04\xa3\x2f\xda\xec\x81\x8c\x7b\x43\xce\x19\x51\x2e\xf9\xe7\x6c\x66\x57\x1e\xe4\xe2\x62\x99\xf7\x43\x35\x57\x33\xf5\xd5\x4f\xb4\x81\x36\x6b\x30\x48\x90\xa1\x7b\x3f\x8b\xab\x79\xe4\x2e\x5e\xfc\xcc\xb2\x68\x1d\x86\xe9\x19\x8c\xd5\xc0\x4a\x9a\x5c\x8f\xba\xe0\x5e\x4a\xd2\xc0\x92\x58\x25\xdd\x15\x01\xc1\x40\x93\x91\x73\x4b\xa2\x0d\xf8\xec\x2a\x29\x5f\x91\x87\x65\x08\x5d\x30\x10\x05\x6a\xc1\x93\xac\xf6\xc6\x98\x55\x95\xb2\x1a\x95\x48\x08\x05\x40\x9b\x3f\xe3\xc9\xd6\x81\x17\x05\xa8\x4
c\x92\x4f\x3b\x0a\x6d\xfb\xf5\x63\xca\x48\x80\x0d\xbe\x4c\xff\x49\x7b\x37\x82\x33\x1e\xf2\x42\xaa\xae\x15\xa6\x34\xc6\xeb\x26\x03\x70\xd3\x04\x26\x79\xbc\x03\x0b\x5a\xc3\xda\x86\x25\xda\xb5\x1d\x42\xcf\xda\xc4\x6c\xe7\x13\x92\x0b\xe4\x1f\x6e\xb6\x90\x0c\xb9\x1d\x0c\x43\xb1\xaa\x43\xd2\xaf\xe9\xe3\x97\xf7\x69\x48\xb7\x17\xe3\x75\x94\xd4\xaf\x80\x6d\x8b\x6f\x25\x59\x92\x47\x71\x24\xf4\xac\x87\x24\x4b\x1c\x3b\x46\x37\x5c\x86\xe5\x50\x71\xab\x54\xaf\x58\xfd\xc1\x85\xfb\x45\x37\x26\xd8\xe7\x6d\xee\x53\x8d\x68\x4d\xe5\xb3\x69\x02\x57\xa8\x4c\xa1\x3c\x1f\x09\x4d\x92\x82\x48\xc1\x4b\xb9\x2c\xaa\xf7\x67\x2e\xaf\x18\xdb\x16\xcd\x24\x99\xe5\x51\xed\xbe\xcd\x3a\x37\x7b\x9b\xdd\x42\x93\xcb\x1d\x92\x13\xaf\xec\x42\x6c\x85\xa0\x43\xad\x18\xce\x11\x3f\x66\x1c\x24\x11\x51\xa4\x79\x00\xf0\x96\xb8\x52\x7b\x05\xa2\x32\xbb\xb9\x70\x47\x7f\x41\x1b\x76\x40\x98\xd0\x89\x0d\xdb\xb6\x9b\x3f\xfb\xa4\xf7\xa6\x08\x3b\xb8\xbd\x7f\xd9\x30\x09\x12\xcf\xf7\x44\xd5\x11\x9b\xb4\xc1\xe7\x69\x44\xf4\xe0\xa5\x17\xd2\x92\x69\x32\xf7\x8c\xc7\x0b\xb3\xdb\x05\x5a\x78\x95\x83\x36\xb3\x0c\x0e\x0e\x8f\xdf\x0d\x6c\xd3\x7a\x72\xbd\x03\x11\x26\xf2\x5d\x3c\x57\xe5\xca\xa3\x0a\xa5\x34\x0d\xd1\xe7\xb7\x30\xd1\xb7\xed\x83\x0f\x61\xd2\xd9\x3b\xc4\x38\x68\x28\x36\xda\xd5\xa6\x50\x59\x8a\x1f\x36\x87\x75\x52\xbe\x94\x55\x7d\xdd\xfe\xcf\xd8\x7a\xe7\x96\xd4\x06\xf5\x43\x54\x1c\x6e\x6e\xfe\xf8\x70\xd1\x3b\x31\x51\x66\x69\xa7\x69\x89\x83\x91\x08\x8e\x48\x97\x2b\x1f\xa2\xe9\xb2\xc6\x62\xe1\x28\xd6\xda\xd8\xc1\x7f\x5f\x7f\x5f\x62\x88\x0e\x8f\xdc\x07\xae\xe1\x59\x33\xbf\xd2\x49\x83\x45\x2c\xef\x62\x4b\xc8\x45\x18\x2a\xd2\x51\x29\x7f\xcf\xfd\x5c\x16\xbd\x5b\x0e\xac\x03\x7b\x58\x62\xb2\x0e\x08\xce\x1a\x8d\x75\x5f\xde\x1d\x49\xcf\x32\xd8\x1f\xd6\x3f\x74\x65\x4d\xba\x69\x2b\x27\x2d\xd1\x5a\xe1\x9e\x0b\x87\x33\x95\xe8\x50\xe0\x66\x66\xc9\xd3\x04\x31\x49\xc9\x5b\x79\x24\x2f\x2f\x4a\x9d\xdc\xf7\x16\xd7\xae\xe1\x34\x63\xe8\x1c\x1f\xff\x4e\x47\xbe\x68\xdb\x7a\x65\x6c\x04\xb6\x26\x0d\x8d\xb0\x0b\x90\x87\xc0\x87\x20\x3a\x74\x21\x8c\xe6\xb
7\x67\x45\x97\x60\x30\xb3\xd9\xa7\x6e\x08\xde\xe9\x19\x1a\x5e\x19\x44\x95\x26\x4d\x3d\xc2\xb1\xc3\x98\x08\x06\x96\x5f\x54\xea\x88\xd7\x92\x50\xe8\x1c\x2a\x94\xf7\xa9\x6b\xe3\x2c\x1d\x15\xcf\x4c\xbe\xf1\x85\x3d\x30\xfd\xea\x3d\xef\x80\x20\xa6\xf6\x4e\x64\x79\x2a\x7c\x74\xc4\xe5\x70\x3a\x8a\x32\x6b\xc2\x2a\x41\xc6\x58\x47\xdf\x3f\x68\xe4\x06\x81\xe5\xce\xdd\x0b\x05\xd8\x2a\x9e\x85\xe3\x3f\x6b\x18\x5e\xb1\x6c\x56\x1e\xfa\xec\xa1\xae\xbe\xa9\x09\x65\x6b\xc7\x9e\xfc\x9a\xe7\x76\x65\xb5\x89\xcc\x0c\x40\x11\x7b\xb5\x1d\x62\x4d\x98\xc8\x6c\x97\xa8\x14\xfc\xde\x48\x94\x84\x86\xf9\x1b\x66\x93\x68\x52\xb7\x8e\xd4\xbc\x0f\x51\x01\xa1\x23\x47\xb1\x14\x03\xf4\x56\xad\x64\x86\xe0\x63\x5e\xe3\x9c\xdc\x40\x0e\xc1\x00\x2e\xbe\x95\xe7\x13\x50\xcb\xfa\xc5\x20\xb2\x90\x21\x4a\x0f\x5e\x8b\xd4\x3e\x58\x31\xb2\x1d\xb0\x98\x59\xfa\x42\x8d\x76\x43\x69\x18\x92\x3e\x25\xf1\xd7\xa5\x40\x3c\xff\x39\x63\x27\x4e\xcf\x4a\x68\x70\xa1\x43\xe6\x13\x83\xbd\xb3\xea\xc2\xab\x7f\xda\x05\x8a\x81\x04\x24\x3b\x28\x4d\xe0\xca\x06\x2a\x27\x33\x91\x16\xfb\x1d\x55\xbd\xa6\x8c\x21\x5e\xac\x5a\x6d\x71\x28\x33\xef\xc7\x1d\x32\x03\x23\xda\xf3\xfc\xd1\x6c\xba\x1e\xf5\x21\x56\x9f\xbb\xa2\xc7\x5d\x64\x37\x8d\xa3\xdf\xd6\xd4\xe9\xac\x7f\x97\x4f\xeb\xa3\xdb\x52\x97\xf2\x1b\xd7\xe3\x05\x3e\x28\xad\xfe\xa2\x5e\xae\x9f\xd6\xcc\xcd\x3b\xd8\x6f\xf8\x8f\x35\x96\x89\x5b\x5e\xb4\xcd\x3d\xa9\x33\x8e\x43\xbb\x2a\x45\x4b\x25\xe6\x2d\xa9\x93\x85\xbb\x38\xec\xf6\x11\xfa\x4d\x38\x78\x72\x95\xe8\xbe\xe0\xde\x84\x17\x1b\x66\x75\x1e\x24\x6c\xbf\xfc\x36\x2c\x66\xbf\x1c\x20\x7b\xad\x1a\x8c\x5e\x25\xdb\x53\x7f\xb2\x1a\x70\x5a\xbd\xd9\xdd\x27\xc8\xac\x87\xd5\x4f\xd0\xa7\x29\x3f\x71\xe3\xd9\x34\x47\x71\xcb\x5f\x5b\x9f\x6c\xbf\x1e\x88\x88\x3e\x04\x27\x7a\xa3\xa7\x7f\x7e\x22\x16\x8a\x8e\xeb\x8b\x2b\xb3\x5a\xc9\x35\x80\xcd\x51\x9a\xd4\xb0\xdf\xfc\x32\x7f\x24\xff\x8e\x7c\xd9\x4e\x8c\xce\xaf\xfa\x27\x4d\x6a\xb1\x48\x3e\x9a\xa0\x3a\x5a\x88\xf8\x88\x59\xd9\x59\xc1\xed\xd9\xcc\x78\xa8\x6e\x46\xd3\xd3\x31\xd8\x00\x0e\x48\xbc\xa9\x54\x3e\x31\x95\x30\xb
5\xba\x6d\xb8\x64\xac\x3c\x83\xe7\x1f\xc2\x3c\x35\x13\x36\x84\x80\x7d\x9d\xdb\x5c\xe9\x98\x21\xb8\x9d\x93\x6f\x34\x45\xed\x88\x95\xc5\x62\x61\xd2\x11\xa7\x28\xdb\x53\x5b\x1c\x99\x78\x13\xa1\x2f\x61\x27\x91\xb9\xbc\x9b\x84\x5b\xea\x29\xa3\xec\xec\x90\xb8\xdd\x5c\xbc\xd3\x2a\x73\xb1\xe1\xc2\x57\x45\x31\x20\x06\xc3\x6e\xb6\xf1\x69\x1f\xa1\x6e\x1a\xa3\x12\x6b\xa7\x14\xd5\xad\x64\x7c\xd8\xcc\x60\x30\x80\xb0\x6f\x0a\xaa\xe7\x45\x6b\x35\x83\x41\x94\xbe\xf7\x95\xd2\xb4\x54\x04\xd0\x46\xc4\xf2\x9f\x00\xce\x13\x44\x4f\xbc\xff\xfb\x11\x7a\x9c\x7f\x1e\x35\xc9\x0d\xee\xad\xb7\x5d\x3a\x4e\x01\xb7\xa5\xa1\x0f\x93\xdd\x31\xef\xc8\x6c\x0c\x11\x9b\x55\xd8\x3e\xbd\xa2\x9a\x90\x01\xb3\x28\x42\xa0\xf2\x28\xfc\x99\x35\x40\xe1\xb4\x72\xdc\xa6\x03\x75\x0d\xc9\x13\x3f\x9b\x07\x50\xc5\x9f\x6e\x57\x1b\x0f\x2c\x53\xcd\x45\x04\x61\x61\x82\xa3\xed\x9c\xf8\x81\xd2\x54\xb5\xd7\x2e\x8b\xfb\xa3\x3a\x1c\xa7\x9b\x2e\x19\x0b\x75\xf4\x31\x63\x1b\x98\x0e\xc0\x75\xdd\x6b\xcc\xff\xe1\x06\x07\x37\xe2\x6f\x84\xd6\xd1\xee\x5d\xe0\xba\x08\x3f\x5f\xe1\xfa\x25\xd4\xa8\x8f\x40\x2a\x01\xaf\x6c\x03\x5b\x68\x41\x25\xeb\xdd\x1a\x40\x4e\x1c\xc3\x90\xd8\x5f\x28\x2d\x83\x3d\x63\xd1\xcc\x6b\x93\xcd\x69\xd6\x21\x09\x4a\xb1\xda\xe7\xa3\xce\xbf\x19\x2b\xe1\xc7\x78\x80\x11\x6a\x6b\xa1\x6a\x69\xc9\x9f\x86\xb2\x0a\x51\xc7\x20\x38\xcc\xd2\xf5\xbc\xd5\xe8\x83\x39\xf8\xee\x55\x5c\x32\xfb\xc3\x6f\x40\x90\xde\x5e\x74\x8d\x41\x31\x4a\xbb\xa1\x0b\xe7\xa9\xdf\x3f\x4a\xe9\xa8\x98\x42\xd7\xa3\x82\xa2\x31\x2b\x6a\x0a\x08\xfa\x2a\x0d\x8a\xed\x22\x98\x3e\x9a\xaf\x63\x9d\x38\xa6\x1b\x88\xba\xc9\x01\x8d\xd2\x49\x26\x26\xe5\x7f\x94\x66\x5d\x32\x4b\xd1\xf3\x9c\xd5\xd0\xfa\x26\x1b\x16\x6d\x20\x6c\xe8\x40\x44\xa9\x79\x12\x32\x07\xf6\xce\x4e\x0d\x36\x3b\xe0\x8f\x9e\x38\xd9\x4d\x73\xc5\xd1\xce\xf2\x38\x23\xeb\x60\x67\xf5\x7f\x4a\x26\xb7\x3f\x55\x5f\x86\x2d\xda\x59\x09\x50\x97\xfb\xc9\x02\x00\x36\xad\x01\x9e\xfe\x18\xe0\xec\x04\xce\x0d\x32\x52\x5d\x20\xc8\xd6\xa0\xc8\x59\x5c\xf4\xb8\xfe\xbb\x75\xf3\x4f\x07\xa9\xbe\xc6\x7b\xcc\x76\x82\x99\xbe\x8f\x6
4\x8c\x20\xf5\x76\x35\x88\x22\x64\x40\x1c\xcf\x88\x2f\x47\xa9\xc6\x49\xb8\x1d\x42\xba\xbc\x3b\x5a\x75\xfe\x7d\x69\x83\x64\xd9\xcf\x09\xe4\xd1\x80\x2e\x8f\x1a\xe6\xf7\x2c\xb0\x16\x91\x74\x0a\x84\x9c\x90\xe1\x72\x34\xd9\x0d\x80\x70\xe3\xf6\xcb\xfa\x0f\xa7\xb7\x62\xef\xb8\x45\xd9\x27\x52\x55\x16\xfd\xb4\xcc\x1b\x22\x00\x78\x9a\xc4\x44\xfb\x2c\x56\xa3\x6b\xfe\x5a\x79\x97\x9b\xf3\x69\xa5", 
4096);
*(uint64_t*)0x200018b8 = 0;
*(uint64_t*)0x200018c0 = 0;
*(uint64_t*)0x200018c8 = 0;
*(uint64_t*)0x200018d0 = 0;
*(uint64_t*)0x200018d8 = 0;
*(uint64_t*)0x200018e0 = 0;
*(uint64_t*)0x200018e8 = 0;
*(uint64_t*)0x200018f0 = 0;
*(uint64_t*)0x200018f8 = 0;
*(uint64_t*)0x20001900 = 0;
*(uint64_t*)0x20001908 = 0;
*(uint64_t*)0x20001910 = 0;
*(uint64_t*)0x20001918 = 0;
*(uint64_t*)0x20001920 = 0;
*(uint64_t*)0x20001928 = 0;
*(uint64_t*)0x20001930 = 0;
*(uint64_t*)0x20001938 = 0;
*(uint64_t*)0x20001940 = 0;
*(uint64_t*)0x20001948 = 0;
*(uint64_t*)0x20001950 = 0;
*(uint64_t*)0x20001958 = 0;
*(uint64_t*)0x20001960 = 0;
*(uint64_t*)0x20001968 = 0;
*(uint64_t*)0x20001970 = 0;
*(uint64_t*)0x20001978 = 0;
*(uint64_t*)0x20001980 = 0;
*(uint64_t*)0x20001988 = 0;
*(uint64_t*)0x20001990 = 0;
*(uint64_t*)0x20001998 = 0;
*(uint64_t*)0x200019a0 = 0;
*(uint64_t*)0x200019a8 = 0;
*(uint64_t*)0x200019b0 = 0;
*(uint64_t*)0x200019b8 = 0;
*(uint64_t*)0x200019c0 = 0;
*(uint64_t*)0x200019c8 = 0;
*(uint64_t*)0x200019d0 = 0;
*(uint64_t*)0x200019d8 = 0;
*(uint64_t*)0x200019e0 = 0;
*(uint64_t*)0x200019e8 = 0;
*(uint64_t*)0x200019f0 = 0;
*(uint64_t*)0x200019f8 = 0;
*(uint64_t*)0x20001a00 = 0;
*(uint64_t*)0x20001a08 = 0;
*(uint64_t*)0x20001a10 = 0;
*(uint64_t*)0x20001a18 = 0;
*(uint64_t*)0x20001a20 = 0;
*(uint64_t*)0x20001a28 = 0;
*(uint64_t*)0x20001a30 = 0;
*(uint64_t*)0x20001a38 = 0;
*(uint64_t*)0x20001a40 = 0;
*(uint64_t*)0x20001a48 = 0;
*(uint64_t*)0x20001a50 = 0;
*(uint64_t*)0x20001a58 = 0;
*(uint64_t*)0x20001a60 = 0;
*(uint64_t*)0x20001a68 = 0;
*(uint64_t*)0x20001a70 = 0;
*(uint64_t*)0x20001a78 = 0;
*(uint64_t*)0x20001a80 = 0;
*(uint64_t*)0x20001a88 = 0;
*(uint64_t*)0x20001a90 = 0;
*(uint64_t*)0x20001a98 = 0;
*(uint64_t*)0x20001aa0 = 0;
*(uint64_t*)0x20001aa8 = 0;
*(uint64_t*)0x20001ab0 = 0;
*(uint64_t*)0x20001ab8 = 0;
*(uint64_t*)0x20001ac0 = 0;
*(uint64_t*)0x20001ac8 = 0;
*(uint64_t*)0x20001ad0 = 0;
*(uint64_t*)0x20001ad8 = 0;
*(uint64_t*)0x20001ae0 = 0;
*(uint64_t*)0x20001ae8 = 0;
*(uint64_t*)0x20001af0 = 0;
*(uint64_t*)0x20001af8 = 0;
*(uint64_t*)0x20001b00 = 0;
*(uint64_t*)0x20001b08 = 0;
*(uint64_t*)0x20001b10 = 0;
*(uint64_t*)0x20001b18 = 0;
*(uint64_t*)0x20001b20 = 0;
*(uint64_t*)0x20001b28 = 0;
*(uint64_t*)0x20001b30 = 0;
*(uint64_t*)0x20001b38 = 0;
*(uint64_t*)0x20001b40 = 0;
*(uint64_t*)0x20001b48 = 0;
*(uint64_t*)0x20001b50 = 0;
*(uint64_t*)0x20001b58 = 0;
*(uint64_t*)0x20001b60 = 0;
*(uint64_t*)0x20001b68 = 0;
*(uint64_t*)0x20001b70 = 0;
*(uint64_t*)0x20001b78 = 0;
*(uint64_t*)0x20001b80 = 0;
*(uint64_t*)0x20001b88 = 0;
*(uint64_t*)0x20001b90 = 0;
*(uint64_t*)0x20001b98 = 0;
*(uint64_t*)0x20001ba0 = 0;
*(uint64_t*)0x20001ba8 = 0;
*(uint64_t*)0x20001bb0 = 0;
*(uint64_t*)0x20001bb8 = 0;
*(uint64_t*)0x20001bc0 = 0;
*(uint64_t*)0x20001bc8 = 0;
*(uint64_t*)0x20001bd0 = 0;
*(uint64_t*)0x20001bd8 = 0;
*(uint64_t*)0x20001be0 = 0;
*(uint64_t*)0x20001be8 = 0;
*(uint64_t*)0x20001bf0 = 0;
*(uint64_t*)0x20001bf8 = 0;
*(uint64_t*)0x20001c00 = 0;
*(uint64_t*)0x20001c08 = 0;
*(uint64_t*)0x20001c10 = 0;
*(uint64_t*)0x20001c18 = 0;
*(uint64_t*)0x20001c20 = 0;
*(uint64_t*)0x20001c28 = 0;
*(uint64_t*)0x20001c30 = 0;
*(uint64_t*)0x20001c38 = 0;
*(uint64_t*)0x20001c40 = 0;
*(uint64_t*)0x20001c48 = 0;
*(uint64_t*)0x20001c50 = 0;
*(uint64_t*)0x20001c58 = 0;
*(uint64_t*)0x20001c60 = 0;
*(uint64_t*)0x20001c68 = 0;
*(uint64_t*)0x20001c70 = 0;
*(uint64_t*)0x20001c78 = 0;
*(uint64_t*)0x20001c80 = 0;
*(uint64_t*)0x20001c88 = 0;
*(uint64_t*)0x20001c90 = 0;
*(uint64_t*)0x20001c98 = 0;
*(uint64_t*)0x20001ca0 = 0;
*(uint64_t*)0x20001ca8 = 0;
*(uint64_t*)0x20001cb0 = 0;
*(uint64_t*)0x20001cb8 = 0;
*(uint64_t*)0x20001cc0 = 0;
*(uint64_t*)0x20001cc8 = 0;
*(uint64_t*)0x20001cd0 = 0;
*(uint64_t*)0x20001cd8 = 0;
*(uint64_t*)0x20001ce0 = 0;
*(uint64_t*)0x20001ce8 = 0;
*(uint64_t*)0x20001cf0 = 0;
*(uint64_t*)0x20001cf8 = 0;
*(uint64_t*)0x20001d00 = 0;
*(uint64_t*)0x20001d08 = 0;
*(uint64_t*)0x20001d10 = 0;
*(uint64_t*)0x20001d18 = 0;
*(uint64_t*)0x20001d20 = 0;
*(uint64_t*)0x20001d28 = 0;
*(uint64_t*)0x20001d30 = 0;
*(uint64_t*)0x20001d38 = 0;
*(uint64_t*)0x20001d40 = 0;
*(uint64_t*)0x20001d48 = 0;
*(uint64_t*)0x20001d50 = 0;
*(uint64_t*)0x20001d58 = 0;
*(uint64_t*)0x20001d60 = 0;
*(uint64_t*)0x20001d68 = 0;
*(uint64_t*)0x20001d70 = 0;
*(uint64_t*)0x20001d78 = 0;
*(uint64_t*)0x20001d80 = 0;
*(uint64_t*)0x20001d88 = 0;
*(uint64_t*)0x20001d90 = 0;
*(uint64_t*)0x20001d98 = 0;
*(uint64_t*)0x20001da0 = 0;
*(uint64_t*)0x20001da8 = 0;
*(uint64_t*)0x20001db0 = 0;
*(uint64_t*)0x20001db8 = 0;
*(uint64_t*)0x20001dc0 = 0;
*(uint64_t*)0x20001dc8 = 0;
*(uint64_t*)0x20001dd0 = 0;
*(uint64_t*)0x20001dd8 = 0;
*(uint64_t*)0x20001de0 = 0;
*(uint64_t*)0x20001de8 = 0;
*(uint64_t*)0x20001df0 = 0;
*(uint64_t*)0x20001df8 = 0;
*(uint64_t*)0x20001e00 = 0;
*(uint64_t*)0x20001e08 = 0;
*(uint64_t*)0x20001e10 = 0;
*(uint64_t*)0x20001e18 = 0;
*(uint64_t*)0x20001e20 = 0;
*(uint64_t*)0x20001e28 = 0;
*(uint64_t*)0x20001e30 = 0;
*(uint64_t*)0x20001e38 = 0;
*(uint64_t*)0x20001e40 = 0;
*(uint64_t*)0x20001e48 = 0;
*(uint64_t*)0x20001e50 = 0;
*(uint64_t*)0x20001e58 = 0;
*(uint64_t*)0x20001e60 = 0;
*(uint64_t*)0x20001e68 = 0;
*(uint64_t*)0x20001e70 = 0;
*(uint64_t*)0x20001e78 = 0;
*(uint64_t*)0x20001e80 = 0;
*(uint64_t*)0x20001e88 = 0;
*(uint64_t*)0x20001e90 = 0;
*(uint64_t*)0x20001e98 = 0;
*(uint64_t*)0x20001ea0 = 0;
*(uint64_t*)0x20001ea8 = 0;
*(uint64_t*)0x20001eb0 = 0;
*(uint64_t*)0x20001eb8 = 0;
*(uint64_t*)0x20001ec0 = 0;
*(uint64_t*)0x20001ec8 = 0;
*(uint64_t*)0x20001ed0 = 0;
*(uint64_t*)0x20001ed8 = 0;
*(uint64_t*)0x20001ee0 = 0;
*(uint64_t*)0x20001ee8 = 0;
*(uint64_t*)0x20001ef0 = 0;
*(uint64_t*)0x20001ef8 = 0;
*(uint64_t*)0x20001f00 = 0;
*(uint64_t*)0x20001f08 = 0;
*(uint64_t*)0x20001f10 = 0;
*(uint64_t*)0x20001f18 = 0;
*(uint64_t*)0x20001f20 = 0;
*(uint64_t*)0x20001f28 = 0;
*(uint64_t*)0x20001f30 = 0;
*(uint64_t*)0x20001f38 = 0;
*(uint64_t*)0x20001f40 = 0;
*(uint64_t*)0x20001f48 = 0;
*(uint64_t*)0x20001f50 = 0;
*(uint64_t*)0x20001f58 = 0;
*(uint64_t*)0x20001f60 = 0;
*(uint64_t*)0x20001f68 = 0;
*(uint64_t*)0x20001f70 = 0;
*(uint64_t*)0x20001f78 = 0;
*(uint64_t*)0x20001f80 = 0;
*(uint64_t*)0x20001f88 = 0;
*(uint64_t*)0x20001f90 = 0;
*(uint64_t*)0x20001f98 = 0;
*(uint64_t*)0x20001fa0 = 0;
*(uint64_t*)0x20001fa8 = 0;
*(uint64_t*)0x20001fb0 = 0;
*(uint64_t*)0x20001fb8 = 0;
*(uint64_t*)0x20001fc0 = 0;
*(uint64_t*)0x20001fc8 = 0;
*(uint64_t*)0x20001fd0 = 0;
*(uint64_t*)0x20001fd8 = 0;
*(uint64_t*)0x20001fe0 = 0;
*(uint64_t*)0x20001fe8 = 0;
*(uint64_t*)0x20001ff0 = 0;
*(uint64_t*)0x20001ff8 = 0;
*(uint64_t*)0x20002000 = 0;
*(uint64_t*)0x20002008 = 0;
*(uint64_t*)0x20002010 = 0;
*(uint64_t*)0x20002018 = 0;
*(uint64_t*)0x20002020 = 0;
*(uint64_t*)0x20002028 = 0;
*(uint64_t*)0x20002030 = 0;
*(uint64_t*)0x20002038 = 0;
*(uint64_t*)0x20002040 = 0;
*(uint64_t*)0x20002048 = 0;
*(uint64_t*)0x20002050 = 0;
*(uint64_t*)0x20002058 = 0;
*(uint64_t*)0x20002060 = 0;
*(uint64_t*)0x20002068 = 0;
*(uint64_t*)0x20002070 = 0;
*(uint64_t*)0x20002078 = 0;
*(uint64_t*)0x20002080 = 0;
*(uint64_t*)0x20002088 = 0;
*(uint64_t*)0x20002090 = 0;
*(uint64_t*)0x20002098 = 0;
*(uint64_t*)0x200020a0 = 0;
*(uint64_t*)0x200020a8 = 0;
*(uint64_t*)0x200020b0 = 0;
     syscall(__NR_write, r[3], 0x20000840ul, 0x1878ul);
     return 0;
}

On 2020/10/20 17:02, Yang Yingliang wrote:
> I got a UAF report in do_update_region() when I doing fuzz test.
>
> [   51.161905] BUG: KASAN: use-after-free in do_update_region+0x579/0x600
> [   51.161918] Read of size 2 at addr ffff888000100000 by task test/295
>
> [   51.161957] CPU: 2 PID: 295 Comm: test Not tainted 5.7.0+ #975
> [   51.161969] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), 
> BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
> [   51.161976] Call Trace:
> [   51.162001]  dump_stack+0xc6/0x11e
> [   51.162019]  ? do_update_region+0x579/0x600
> [   51.162047]  print_address_description.constprop.6+0x1a/0x220
> [   51.162083]  ? vprintk_func+0x66/0xed
> [   51.162100]  ? do_update_region+0x579/0x600
> [   51.162112]  ? do_update_region+0x579/0x600
> [   51.162128]  kasan_report.cold.9+0x37/0x7c
> [   51.162151]  ? do_update_region+0x579/0x600
> [   51.162173]  do_update_region+0x579/0x600
> [   51.162207]  ? con_get_trans_old+0x230/0x230
> [   51.162229]  ? retint_kernel+0x10/0x10
> [   51.162278]  csi_J+0x557/0xa00
> [   51.162307]  do_con_trol+0x49af/0x5cc0
> [   51.162330]  ? lock_downgrade+0x720/0x720
> [   51.162347]  ? reset_palette+0x1b0/0x1b0
> [   51.162369]  ? lockdep_hardirqs_on_prepare+0x379/0x540
> [   51.162393]  ? notifier_call_chain+0x11b/0x160
> [   51.162438]  do_con_write.part.24+0xb0a/0x1a30
> [   51.162501]  ? do_con_trol+0x5cc0/0x5cc0
> [   51.162522]  ? console_unlock+0x7b8/0xb00
> [   51.162555]  ? __mutex_unlock_slowpath+0xd4/0x670
> [   51.162574]  ? this_tty+0xe0/0xe0
> [   51.162589]  ? console_unlock+0x559/0xb00
> [   51.162605]  ? wait_for_completion+0x260/0x260
> [   51.162638]  con_write+0x31/0xb0
> [   51.162658]  n_tty_write+0x4fa/0xd40
> [   51.162710]  ? n_tty_read+0x1800/0x1800
> [   51.162730]  ? prepare_to_wait_exclusive+0x270/0x270
> [   51.162754]  ? __might_fault+0x175/0x1b0
> [   51.162783]  tty_write+0x42b/0x8d0
> [   51.162795]  ? n_tty_read+0x1800/0x1800
> [   51.162825]  ? tty_lookup_driver+0x450/0x450
> [   51.162848]  __vfs_write+0x7c/0x100
> [   51.162875]  vfs_write+0x1c9/0x510
> [   51.162901]  ksys_write+0xff/0x200
> [   51.162918]  ? __ia32_sys_read+0xb0/0xb0
> [   51.162940]  ? do_syscall_64+0x1a/0x520
> [   51.162957]  ? lockdep_hardirqs_on_prepare+0x379/0x540
> [   51.162984]  do_syscall_64+0xa1/0x520
> [   51.163008]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
>
> After vgacon_set_origin() is called in set_origin(), the vc_origin is
> set to vga_vram_base, and vc_pos should be between vga_vram_base and
> vga_vram_end. But we still use vc_screenbuf_size; if vga_vram_size
> is smaller than vc_screenbuf_size, vc_pos may be out of bounds, and using it
> will cause a use-after-free (or out-of-bounds access). Fix this by calling
> vc_resize() if vga_vram_size is smaller than vc_screenbuf_size.
>
> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
> ---
>  drivers/video/console/vgacon.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/drivers/video/console/vgacon.c 
> b/drivers/video/console/vgacon.c
> index 998b0de..2ee3d62 100644
> --- a/drivers/video/console/vgacon.c
> +++ b/drivers/video/console/vgacon.c
> @@ -1336,6 +1336,9 @@ static int vgacon_set_origin(struct vc_data *c)
>      if (vga_is_gfx ||    /* We don't play origin tricks in graphic 
> modes */
>          (console_blanked && !vga_palette_blanked))    /* Nor we write 
> to blanked screens */
>          return 0;
> +
> +    if (c->vc_screenbuf_size > vga_vram_size)
> +        vc_resize(c, screen_info.orig_video_cols, 
> screen_info.orig_video_lines);
>      c->vc_origin = c->vc_visible_origin = vga_vram_base;
>      vga_set_mem_top(c);
>      vga_rolled_over = 0;
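Review bot: the error return of vc_resize() is discarded on the added line `+        vc_resize(c, screen_info.orig_video_cols, screen_info.orig_video_lines);`, so when the resize fails the function still executes `c->vc_origin = c->vc_visible_origin = vga_vram_base;` with a vc_screenbuf_size larger than vga_vram_size, which is precisely the state the commit message identifies as the cause of the out-of-bounds access. The function already uses `return 0;` to decline the origin switch for the graphics and blanked cases, so the same exit fits here: `if (vc_resize(c, screen_info.orig_video_cols, screen_info.orig_video_lines)) return 0;`, or re-test `c->vc_screenbuf_size > vga_vram_size` after the call and return 0 if it still holds.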
>
> .


* Re: [PATCH resend] vgacon: fix a UAF in do_update_region()
@ 2020-10-20  9:20       ` Yang Yingliang
  0 siblings, 0 replies; 14+ messages in thread
From: Yang Yingliang @ 2020-10-20  9:20 UTC (permalink / raw)
  To: Sam Ravnborg, Greg Kroah-Hartman
  Cc: linux-fbdev, linux-kernel, dri-devel, b.zolnierkie

C reproducer:

// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <endian.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
    if (a0 == 0xc || a0 == 0xb) {
        /* a0 selects /dev/char or /dev/block; a1:a2 is the major:minor pair */
        char buf[128];
        sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block",
                (uint8_t)a1, (uint8_t)a2);
        return open(buf, O_RDWR, 0);
    } else {
        /* otherwise a0 is a path template whose '#' digits are filled from a1 */
        char buf[1024];
        char* hash;
        strncpy(buf, (char*)a0, sizeof(buf) - 1);
        buf[sizeof(buf) - 1] = 0;
        while ((hash = strchr(buf, '#'))) {
            *hash = '0' + (char)(a1 % 10);
            a1 /= 10;
        }
        return open(buf, a2, 0);
    }
}

/* file descriptors returned by the open calls below (-1 until set) */
uint64_t r[4] = {0xffffffffffffffff, 0xffffffffffffffff,
                 0xffffffffffffffff, 0xffffffffffffffff};

int main(void)
{
    /* scratch region the generated syscalls read their arguments from */
    syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x32ul, -1, 0);
    intptr_t res = 0;
    /* /dev/char/4:1 */
    res = syz_open_dev(0xc, 4, 1);
    if (res != -1)
        r[0] = res;
    /* ioctl 0x4b3a is KDSETMODE; argument 1 is KD_GRAPHICS */
    syscall(__NR_ioctl, r[0], 0x4b3aul, 1ul);
    res = syz_open_dev(0xc, 4, 1);
    if (res != -1)
        r[1] = res;
    /* ioctl 0x5609 is VT_RESIZE; the argument is a struct vt_sizes */
    *(uint16_t*)0x20000000 = 0x4d;
    *(uint16_t*)0x20000002 = 0x1000;
    *(uint16_t*)0x20000004 = 0xf1;
    syscall(__NR_ioctl, r[1], 0x5609ul, 0x20000000ul);
    res = syz_open_dev(0xc, 4, 1);
    if (res != -1)
        r[2] = res;
    /* KDSETMODE back to KD_TEXT */
    syscall(__NR_ioctl, r[2], 0x4b3aul, 0ul);
    res = syz_open_dev(0xc, 4, 1);
    if (res != -1)
        r[3] = res;
    /* payload later written to the tty: starts with an ELF-looking header */
    *(uint8_t*)0x20000840 = 0x7f;
    *(uint8_t*)0x20000841 = 0x45;
    *(uint8_t*)0x20000842 = 0x4c;
    *(uint8_t*)0x20000843 = 0x46;
    *(uint8_t*)0x20000844 = 5;
    *(uint8_t*)0x20000845 = 6;
    *(uint8_t*)0x20000846 = 5;
    *(uint8_t*)0x20000847 = 9;
    *(uint64_t*)0x20000848 = 0xfffffffffffffffa;
    *(uint16_t*)0x20000850 = 3;
    *(uint16_t*)0x20000852 = 3;
    *(uint32_t*)0x20000854 = 0x117;
    *(uint32_t*)0x20000858 = 0x45;
    *(uint32_t*)0x2000085c = 0x38;
    *(uint32_t*)0x20000860 = 0x1df;
    *(uint32_t*)0x20000864 = 5;
    *(uint16_t*)0x20000868 = 4;
    *(uint16_t*)0x2000086a = 0x20;
    *(uint16_t*)0x2000086c = 2;
    *(uint16_t*)0x2000086e = 0x1ff;
    *(uint16_t*)0x20000870 = 0x55;
    *(uint16_t*)0x20000872 = 0xfffb;
    *(uint32_t*)0x20000878 = 4;
    *(uint32_t*)0x2000087c = 4;
    *(uint32_t*)0x20000880 = 4;
    *(uint32_t*)0x20000884 = 1;
    *(uint32_t*)0x20000888 = 1;
    *(uint32_t*)0x2000088c = 3;
    *(uint32_t*)0x20000890 = 7;
    *(uint32_t*)0x20000894 = 0xfff;
    *(uint32_t*)0x20000898 = 3;
    *(uint32_t*)0x2000089c = 5;
    *(uint32_t*)0x200008a0 = 3;
    *(uint32_t*)0x200008a4 = 1;
    *(uint32_t*)0x200008a8 = 0x3f;
    *(uint32_t*)0x200008ac = 0x200;
    *(uint32_t*)0x200008b0 = 4;
    *(uint32_t*)0x200008b4 = 7;
memcpy((void*)0x200008b8, 
"\x8b\x9f\xd8\xbb\x23\x11\x17\xf4\xeb\xa2\x19\x08\xb0\xe4\xe5\xe9\x98\x81\x1b\x24\x48\xaa\xfd\x8c\x01\x15\xeb\xa2\xf6\x28\x38\xd9\xa4\xd3\x4f\xfc\x91\x7c\x66\x3e\xb0\xbf\xe0\x18\x15\xd4\xe2\x33\x5f\x2b\x09\x27\x4c\x9c\x46\x94\xae\xcd\x39\x27\xd9\x73\xf7\xfb\xb5\x31\xe9\xef\x67\x1c\xd2\x35\x0c\x03\x71\xca\xec\x86\x38\x8a\xf1\xce\xb3\x3d\xc6\x06\x43\xb9\x04\xe4\x40\x91\x0d\xf3\xc9\x97\xcf\xc2\x01\x2b\x20\xa1\x90\x65\x37\xef\x89\xca\xde\x7b\xb1\x51\x41\xc8\xe9\x97\x68\x93\x46\xe7\x1c\x49\x99\x7f\xcd\xb8\x6a\x0e\x5b\x99\xe2\x0a\xaf\x61\x3c\x07\xac\x58\x73\xc1\x9e\x10\xda\x89\x25\xeb\x77\x62\x38\x8c\xca\x50\x93\x68\x72\x53\x32\xb7\xee\xb8\x53\x2b\x32\x99\xce\x87\xe4\xcf\x1f\x57\x2a\xa9\x8c\x1b\x0f\x0b\x48\xcd\x46\x00\xab\xad\xd8\x95\xe8\xb6\x71\xb0\x47\x05\x86\x94\x5c\x4f\x88\x35\x1e\xe7\xf7\x9e\xbc\x3f\x86\xa8\x14\xbf\xe8\xbe\x20\xb1\xd0\x31\x05\x84\x8d\xce\xea\x90\xca\x8d\xd4\x2e\xbb\x57\xdc\xb7\xae\x18\x2d\x07\x79\x6a\x85\xa0\x57\x01\xff\x0f\x13\xfe\x9e\xeb\xf1\x8c\xc7\xd0\x8e\x68\xe5\x84\xfd\x39\x0e\x16\x77\xea\x00\x6f\x71\x94\x1b\xfc\xd5\x98\xf7\xea\x68\xbd\xd3\x8d\xbd\x39\x48\x9f\xd6\x0a\x2f\x95\x04\x28\x81\xf6\x70\xb9\xe4\xde\x90\x92\xd2\x98\xf1\x0b\x36\x27\x65\x7f\x59\xf3\xef\x43\x73\xc5\x24\x69\x05\xc0\x24\x41\x31\xc5\x93\x40\x00\x13\xbf\x5f\x66\xfb\xf6\x26\xd8\xb9\xdf\x58\xf1\xc6\x7d\x35\xcb\xbb\x8d\x28\x53\x73\xb5\xc1\x0e\x24\xab\x76\xbe\x12\x58\xfb\xd3\x66\xa7\x3b\xad\x89\x9f\xb5\x49\x5d\x8d\x3b\x29\xfd\x4e\xa2\xa8\xda\xe6\xf7\xb8\x24\x5c\x6c\x50\x40\xdb\x9e\x14\x6a\xe3\x00\x59\xee\x55\x44\x1f\x45\xcf\x37\x91\xeb\xc9\xc2\x63\xec\x18\x30\x89\x85\x00\x79\xaf\x65\xc6\xa9\x90\x04\x5e\x68\x5c\xf5\xc0\x9f\xe2\xf1\x85\xcd\xb3\xa7\x83\xb3\x85\xb0\x29\x24\x27\xf4\xbe\x72\xbd\xe3\x07\x8d\x25\x6b\x63\x58\xb7\xce\x71\xb8\x76\x09\x9d\xd0\xec\x94\x4c\x72\xa0\x17\x82\x83\x26\xee\x81\xbe\x0c\xff\x70\x16\x38\x48\xf4\x3e\xdb\xe0\x9f\x6b\x88\x95\xb2\xb6\xb7\x76\x19\xee\xa0\x91\x11\xd5\xb3\xc4\x2e\x5e\x9e\xc4\x62\x7b\xf7\x28\x14\xf9\x0a\xf0\x2b\x5c\x23\x41\x39\x3f\x38\x12\xe2\xf
1\xa1\x70\xa6\x6b\xc8\x44\xd9\x2b\x02\x64\x69\x21\x44\x4d\xd8\x50\x0d\xf7\x01\xb2\xb0\x6a\x43\x25\x74\x78\x18\x72\x30\x42\x5e\x36\x4c\x65\x3d\xee\x51\xda\xc2\x55\x93\x65\x5b\xb4\x92\x3b\xf9\x00\x2c\x6e\x18\x04\xe8\x1b\x40\x9a\x57\x7e\xfb\x3f\xef\x89\xce\xe9\x8e\xa4\xc1\x5b\x63\xec\x26\xe6\x10\x2e\x69\x25\x84\x77\x97\xb2\xfb\x87\x0b\x11\x27\xdb\xd3\xd4\x7f\x5e\x9e\x33\x2e\xd3\xb2\x9b\x22\xeb\x29\xeb\x36\x61\xc2\xd0\x22\xaf\x79\x40\x61\xe7\xdf\xce\x88\xd6\x06\x43\x9d\xec\x6f\x57\x20\x92\x73\x38\x37\x65\x81\xd6\xe6\x27\x8a\x50\xb8\x93\x7c\xdc\x1f\xf0\xfe\x01\x3f\x9f\x3c\x6c\x1b\x7a\xa8\x93\xbf\x3a\x06\x6a\x18\x02\x79\x2f\x62\x9b\x12\x16\x5f\xaa\x80\xc7\xfe\xc2\xad\xd9\xec\xa6\x61\x7c\xda\x79\xf3\xc5\x85\x2f\x2b\xcd\xa2\x53\xbc\x71\x54\xeb\x32\x75\x82\x38\xed\xf0\x2a\x6a\xad\xc2\x56\xfe\x75\x14\x81\xee\x03\x32\x1a\xb8\xf9\x92\x5a\x06\x6f\xd4\xc0\x76\x5f\x2b\xee\x51\x68\xc4\x4c\x0f\x86\xe9\x51\x53\xe7\x8d\x60\xd2\xc8\xc2\xf7\x45\xee\xfa\x04\x6b\xa0\x61\x18\xf4\x7d\xc5\x46\x13\x52\xb0\xe6\x8d\x4e\x53\x49\x16\x26\x9a\x07\xc1\x78\xa8\x61\x7d\x43\x5e\x14\x12\xf9\x8d\x6b\x6b\xac\xb1\x78\x86\x3f\xc6\xc2\xf2\xee\x65\x47\x12\x6f\xb2\xef\x8a\x4d\x83\xfd\xe6\x8c\xe9\x69\x22\x1b\x8b\x2b\xfa\x0d\x75\xc1\xb9\x77\x7d\x1e\x44\x03\xfa\x2e\xd8\x82\xd7\x15\x7b\x24\x7b\x65\x62\x6d\xff\x84\xba\x3c\x02\x95\xb3\xa9\x15\xc9\x12\xd5\xd7\xf7\x9d\xa1\xfc\xf0\x08\x0e\x47\xfb\xbb\xed\x26\xf5\x23\x2d\x07\x11\x76\x04\x5e\x82\x89\xef\xf0\x95\x24\x15\xe2\xeb\xf6\x49\x9e\xa2\x9f\x67\xce\x97\xf8\x84\x21\xd6\x9f\x1f\x95\x5d\xe0\xe8\xc2\xe0\x37\xf2\x0f\x64\x8c\xfe\x88\x3a\x0d\xa6\x54\x36\xb0\x24\x45\xd0\x29\x70\xb8\xfd\x4b\xa6\xe3\x44\xa8\xd7\xef\xa2\x43\x5a\x04\xc1\x64\xe1\x6d\x32\xae\xbb\xa9\xa6\x7e\x9a\x6d\x66\x0f\x29\x51\xe8\x42\xf4\x03\xdd\xdc\xe0\x4c\x82\x8b\xeb\x00\x4d\xa1\x68\x6f\xa0\x85\xf0\xb2\xd7\xdd\x2a\xfe\x33\x49\x8f\x69\xfa\xf3\xa0\x7c\xd2\x10\x74\x16\xed\x79\x0d\x56\x9c\x3d\xf5\x2d\x39\xde\x5b\x53\x72\xf5\x57\x0e\xfc\x3d\x06\xc9\xc3\x15\xba\x7f\x70\xbe\x89\xfa\xaf\x16\xd1\xea\xd5\x6a\x84\x7
1\x12\x60\x4b\x77\x28\xbe\xee\x7e\xff\x62\xd4\xfc\x56\xd8\x93\x60\xb7\xcb\xe1\x05\x57\x69\x41\xd3\x04\x73\x3a\x4e\x8f\xc5\x34\x36\x8b\x69\x0a\x69\xca\x77\x6a\xb1\x5b\xdc\x24\x22\xbb\x16\x56\x2b\x5b\x0f\x65\x8f\x7d\xc9\x95\x96\xa1\x70\x48\x5a\x83\x6e\xfc\xc5\x32\x5e\x61\xf6\x6b\xca\x65\x96\x0a\x73\x6f\x2f\xf3\x38\x33\xa4\x8c\x40\xae\x36\x9c\x43\xda\xc3\x40\xc8\xdd\x64\x27\x99\xb3\x47\xf3\xc1\x0f\xcd\x57\x03\x52\x0e\xea\xd9\x8f\x43\x6c\x97\x73\xd6\x8c\xd5\xe7\xf0\x8a\x5f\x44\x71\x55\xe9\xc6\x11\x56\x83\x3b\xa0\x5a\xd9\x49\x89\x5b\x04\x69\x7a\xe0\x00\xd6\xb4\x33\xd5\xe7\xd6\xfc\x99\xf5\xb2\xfb\xb9\x95\x7a\xfd\xd9\x37\x1f\x7e\x7d\x91\xe7\xa4\x7b\xa8\xfe\xd2\x32\xf0\x14\xcf\x9f\x12\xff\x5c\xbf\xa7\x0a\xd0\x6a\x8e\xe7\x1d\x0b\x69\xdf\x7b\x58\x17\xdc\xf4\x3d\xc0\xe2\x84\x7a\x53\x19\xcc\x04\x42\x57\x24\x9b\xdd\x16\xef\x06\xc8\x17\xad\x44\x5b\x0e\xaf\xc6\xe2\xca\x57\x80\x54\x78\x88\xde\x21\xc8\xeb\xa3\xa1\xaf\xfc\x6d\x2b\xd8\xe1\x54\xe6\x5a\x3e\x78\xc9\xc6\xe9\x19\x19\x14\x1e\x38\xdf\x9a\xf3\xae\x62\x72\x88\xa5\xd0\xc6\x04\xca\x80\xd3\x82\xe9\xed\xec\x95\xc2\x2c\x30\x95\x56\x31\x82\x34\xbf\x39\x38\x1e\x89\x3a\xc9\xf8\xf3\x28\x59\x2c\x82\xa5\x36\xb3\x73\x3c\x35\xf1\x8a\xde\xc3\x0b\xf1\x63\x65\xb8\x3d\x87\x8b\x34\x01\x7d\x8b\x57\xcd\xa9\x85\x69\x55\x6f\x7e\x29\x2a\xeb\x16\xa1\xba\x3a\x53\xe1\xe6\x8e\xe2\xa5\x27\x59\x9a\xae\x6b\xfb\x5c\x97\xfa\x20\x58\x3c\x5a\xc5\x6a\x01\xaa\xd4\x88\x23\x71\xfd\x79\xb8\xde\xf1\x94\xc4\xea\x97\x23\xd9\x67\x63\xe4\x26\xa0\x41\x15\xc4\x37\x1f\x24\xdf\x50\x90\xbd\x79\x96\x8b\x07\xc9\xab\x5e\x36\xc9\x7a\x3b\x2e\x02\xfa\x12\x34\xfb\xa2\x6d\xc4\xf7\xe3\x6d\xa4\xc2\x75\x65\x75\x83\x68\x79\x2a\x33\x57\x7e\xf5\xf9\x37\xd0\x16\xae\x7e\x71\x0a\x2e\x20\x34\xfb\xdc\x6a\xd9\xbc\xda\xbb\x80\x27\x9a\x4d\x91\x72\x10\xa8\x09\xe7\xb1\x70\x9b\x03\x07\x6b\x06\xa3\xc5\xbd\x90\x84\x0a\x4b\x13\x7a\x55\x80\xb7\x99\x65\xe4\x2d\x55\x07\x99\x5c\x3f\x10\x15\xa3\xe5\xf7\x8c\x69\x74\x0f\x73\x28\x9e\xb7\xcd\xda\xb9\xee\x98\x88\xc2\x01\x4a\x8f\xb9\x04\x87\x67\x5c\xd6\x91\xf7\xd
8\x60\x21\xb3\xfc\x01\x52\x0c\xe4\xa6\xe4\x5c\x0d\x6e\xc1\x08\xbc\x57\x78\x3c\xa0\xff\xd4\x1c\x94\x21\x44\x4e\x77\x45\x9e\x37\xe7\xe2\xab\x3b\xd6\x2e\x89\xc5\x09\x0d\x76\xa2\xb4\x0e\x1f\xc0\x87\xda\x87\xf9\xda\x4f\xe8\xa5\x00\x37\x57\x80\xd9\x80\x43\xdd\x37\x28\x92\x06\xb1\xd3\x80\x08\x51\xde\xc6\x93\x24\xc8\x29\x2f\xb7\x69\xb2\x21\x1b\x7b\xc0\x63\x6b\xbb\x2f\xf4\xae\x2c\x5c\x3a\xab\x11\x6a\xe0\x3e\xf8\x77\x12\x2f\x05\x33\xdc\x0d\xbd\xe3\x71\x49\x16\x2b\xd9\xc4\xcd\xd5\xa7\x2b\x60\xb7\xd1\xb5\x45\x99\xe4\x49\xfd\x05\xbe\x9b\x97\x14\xb5\xf2\xaa\x5b\xd6\xcd\x7e\xcf\xa0\xea\x9b\x4a\x01\xec\x9a\x9e\xb9\x46\x1e\x1f\xd7\xb9\x46\x2e\x0a\xb8\xf8\x98\x90\xb4\xa4\x44\xfd\xf0\x32\xf4\xa8\x9f\x02\x23\x6c\xd1\x3f\xe9\xfe\x83\x9e\xa2\x86\x71\x2d\x2c\xdb\x5c\x56\x5c\xb5\x0d\x4d\x08\xe3\x74\xc3\xba\xcf\x00\x55\x8e\x03\x73\xe8\xa9\x1a\xe8\x76\x63\xb6\xf3\xc1\x41\xb3\x08\x9b\x7b\x42\x92\x78\xac\xad\x1a\xe4\x4f\xbc\x68\x64\x1c\x91\x0d\x1d\xa1\x84\x88\x2f\x51\x23\xb7\x43\x79\x8f\x83\xe5\xce\x41\x9d\x4a\xf6\x49\x25\x38\xac\x80\xd6\x72\x83\x12\x86\x9c\x39\x69\x0d\x36\x96\x6e\x0b\xd8\x7f\x8f\xc9\x0a\x50\x35\x82\x9c\x14\x51\x69\xa3\x4d\xee\x2c\x78\xfd\xa8\x26\xc8\xc1\x57\xb8\xf8\x16\xb0\x10\xd1\xe1\x26\xd3\xf1\x99\xb8\x04\xec\x24\x03\x5f\x72\x0b\xa0\xb5\x10\xd5\x8d\x50\xf9\x6a\x2e\x70\x4d\xbc\x51\x51\x5a\xa4\x60\x2e\xdf\x59\x1f\x6c\x7c\x21\xf2\xd9\xa4\x54\x6a\xe7\x05\xba\xda\x46\xc9\xa8\x8d\x7d\x3d\xe2\x3e\x4d\xef\x48\x4d\x14\xca\xdd\x33\xec\x11\x8c\xf6\xf8\x78\xad\x2f\xbc\x95\xff\x56\x76\x00\x25\xa8\xa7\x85\x36\xb6\x10\xcc\xf7\x1b\x90\xd2\x50\xf5\xd1\xb8\xf5\x2f\xd3\xad\x06\xed\x85\x29\x82\xce\xd5\xd3\xdc\xc9\xca\x8d\xfa\x7a\x6e\x30\x31\xe6\x0b\xce\xfc\x5a\xf7\xb7\x44\xd0\x6b\x41\x09\x1c\xe2\x70\x09\x36\x79\x74\x81\x82\xeb\x9e\x86\x7a\x35\xdb\xfd\xde\xab\x5b\x2e\x51\x40\x99\x23\x7c\xa8\x2b\x05\x54\x00\x2d\x73\x2a\xaa\xe3\x2b\xa5\x93\x3b\x47\xf0\x79\xf8\xe4\x2c\xbd\xdc\x26\x9f\xf6\xa0\x97\xa3\xc8\xaa\x08\xce\xfa\x39\x06\x21\x30\x8a\x4c\x49\x7d\xb3\xf9\xb2\x0c\x0d\xb3\xda\xb0\x14\xf6\x83\xb
7\x0b\xd1\xe1\x89\xf1\x8b\x45\x47\xfe\x95\xc6\xa7\x20\xbc\xa4\xc2\xdb\x64\xc3\x3a\xd4\x1a\x0c\xf7\xa3\xa9\xb6\xae\xf6\xa6\x7e\xee\xf1\x75\xf6\x43\xc9\xb6\xbd\x08\x58\x69\xf1\xa0\x71\x13\x38\xe7\xf2\x38\x18\x59\xd5\xaa\xf0\xb3\xe9\x08\x81\xb3\x71\xdb\x3b\xad\x38\xb0\xb0\x16\xf5\xfe\x37\x2e\x6d\x4e\xd8\xc9\x1a\x8f\x09\xfb\xec\xdc\x80\xaf\x28\x39\x74\x45\x1d\xd4\x23\x1c\x08\xd6\x7f\x52\x9b\xea\x5d\x65\xb5\x46\xb5\xf6\xfe\x73\xfa\x52\xfa\x58\x50\x6c\x3a\x11\x9f\x81\x2b\x25\xb6\xfb\x3e\x45\x9e\x96\xc6\x2c\xe9\x4c\xe8\xe6\x71\x54\x30\x60\x03\x3b\x97\xb0\x94\x11\x67\xd0\xd6\x85\x00\xc6\x2e\xb5\x1d\x28\xeb\xc4\x30\x8c\x7e\xf5\x17\xcc\x2b\x44\xb9\x5d\xf6\x66\x2a\x2e\xe0\x6d\xc8\x06\xb9\xf6\x67\xd9\x8d\x9d\x4a\x96\x4c\x59\x34\xc3\x56\xaf\x34\xfd\xb3\xc4\xaa\xd8\x60\x4b\x2c\xa5\x75\xd8\x12\x65\xb7\x63\xd5\xae\x2c\x93\x56\x7f\xc5\x73\xad\xee\x2d\xe3\xdf\x38\x3b\x0e\x24\x0b\x6c\x92\xd4\x04\xc9\x21\xd5\xd5\x9e\x8b\x61\xb5\xe1\xeb\x2d\x1f\x90\xed\x7f\xb6\x80\xc3\xd1\x91\x19\x49\x51\x77\x64\x22\x97\x4a\xf2\x69\x45\x3b\xf3\xbc\xcf\x43\x92\x67\x9d\x8b\xb2\xf8\x3a\x17\x6c\xd3\x48\xa4\xaa\x27\xfb\x09\xc2\x14\x7d\x99\x2a\x48\x6b\x6a\x66\x05\x90\x1f\x40\x43\x65\x62\xd5\xf1\x66\xaf\x76\x63\x53\x59\xb7\x04\xb7\xda\x1b\x42\xa9\xc0\x76\x4c\xd1\xcc\x2a\xa6\xb2\x73\x51\x68\x04\x28\x07\xfa\x28\xa6\x40\xb3\xd5\x18\x3d\x68\x60\x96\x23\x66\x03\x2d\x44\xa0\xc9\xca\xbe\xcd\xb7\x79\x87\x66\x7f\x90\x05\x1b\x42\xaa\x13\xef\xc9\x2e\x79\xcb\xa6\x71\x5e\xad\xf1\x9d\xaa\x95\xa0\x1a\x5c\x1c\x8c\x04\xf8\x94\xfb\x23\x51\x8d\x75\x8d\x3d\x04\xa3\x2f\xda\xec\x81\x8c\x7b\x43\xce\x19\x51\x2e\xf9\xe7\x6c\x66\x57\x1e\xe4\xe2\x62\x99\xf7\x43\x35\x57\x33\xf5\xd5\x4f\xb4\x81\x36\x6b\x30\x48\x90\xa1\x7b\x3f\x8b\xab\x79\xe4\x2e\x5e\xfc\xcc\xb2\x68\x1d\x86\xe9\x19\x8c\xd5\xc0\x4a\x9a\x5c\x8f\xba\xe0\x5e\x4a\xd2\xc0\x92\x58\x25\xdd\x15\x01\xc1\x40\x93\x91\x73\x4b\xa2\x0d\xf8\xec\x2a\x29\x5f\x91\x87\x65\x08\x5d\x30\x10\x05\x6a\xc1\x93\xac\xf6\xc6\x98\x55\x95\xb2\x1a\x95\x48\x08\x05\x40\x9b\x3f\xe3\xc9\xd6\x81\x17\x05\xa8\x4
c\x92\x4f\x3b\x0a\x6d\xfb\xf5\x63\xca\x48\x80\x0d\xbe\x4c\xff\x49\x7b\x37\x82\x33\x1e\xf2\x42\xaa\xae\x15\xa6\x34\xc6\xeb\x26\x03\x70\xd3\x04\x26\x79\xbc\x03\x0b\x5a\xc3\xda\x86\x25\xda\xb5\x1d\x42\xcf\xda\xc4\x6c\xe7\x13\x92\x0b\xe4\x1f\x6e\xb6\x90\x0c\xb9\x1d\x0c\x43\xb1\xaa\x43\xd2\xaf\xe9\xe3\x97\xf7\x69\x48\xb7\x17\xe3\x75\x94\xd4\xaf\x80\x6d\x8b\x6f\x25\x59\x92\x47\x71\x24\xf4\xac\x87\x24\x4b\x1c\x3b\x46\x37\x5c\x86\xe5\x50\x71\xab\x54\xaf\x58\xfd\xc1\x85\xfb\x45\x37\x26\xd8\xe7\x6d\xee\x53\x8d\x68\x4d\xe5\xb3\x69\x02\x57\xa8\x4c\xa1\x3c\x1f\x09\x4d\x92\x82\x48\xc1\x4b\xb9\x2c\xaa\xf7\x67\x2e\xaf\x18\xdb\x16\xcd\x24\x99\xe5\x51\xed\xbe\xcd\x3a\x37\x7b\x9b\xdd\x42\x93\xcb\x1d\x92\x13\xaf\xec\x42\x6c\x85\xa0\x43\xad\x18\xce\x11\x3f\x66\x1c\x24\x11\x51\xa4\x79\x00\xf0\x96\xb8\x52\x7b\x05\xa2\x32\xbb\xb9\x70\x47\x7f\x41\x1b\x76\x40\x98\xd0\x89\x0d\xdb\xb6\x9b\x3f\xfb\xa4\xf7\xa6\x08\x3b\xb8\xbd\x7f\xd9\x30\x09\x12\xcf\xf7\x44\xd5\x11\x9b\xb4\xc1\xe7\x69\x44\xf4\xe0\xa5\x17\xd2\x92\x69\x32\xf7\x8c\xc7\x0b\xb3\xdb\x05\x5a\x78\x95\x83\x36\xb3\x0c\x0e\x0e\x8f\xdf\x0d\x6c\xd3\x7a\x72\xbd\x03\x11\x26\xf2\x5d\x3c\x57\xe5\xca\xa3\x0a\xa5\x34\x0d\xd1\xe7\xb7\x30\xd1\xb7\xed\x83\x0f\x61\xd2\xd9\x3b\xc4\x38\x68\x28\x36\xda\xd5\xa6\x50\x59\x8a\x1f\x36\x87\x75\x52\xbe\x94\x55\x7d\xdd\xfe\xcf\xd8\x7a\xe7\x96\xd4\x06\xf5\x43\x54\x1c\x6e\x6e\xfe\xf8\x70\xd1\x3b\x31\x51\x66\x69\xa7\x69\x89\x83\x91\x08\x8e\x48\x97\x2b\x1f\xa2\xe9\xb2\xc6\x62\xe1\x28\xd6\xda\xd8\xc1\x7f\x5f\x7f\x5f\x62\x88\x0e\x8f\xdc\x07\xae\xe1\x59\x33\xbf\xd2\x49\x83\x45\x2c\xef\x62\x4b\xc8\x45\x18\x2a\xd2\x51\x29\x7f\xcf\xfd\x5c\x16\xbd\x5b\x0e\xac\x03\x7b\x58\x62\xb2\x0e\x08\xce\x1a\x8d\x75\x5f\xde\x1d\x49\xcf\x32\xd8\x1f\xd6\x3f\x74\x65\x4d\xba\x69\x2b\x27\x2d\xd1\x5a\xe1\x9e\x0b\x87\x33\x95\xe8\x50\xe0\x66\x66\xc9\xd3\x04\x31\x49\xc9\x5b\x79\x24\x2f\x2f\x4a\x9d\xdc\xf7\x16\xd7\xae\xe1\x34\x63\xe8\x1c\x1f\xff\x4e\x47\xbe\x68\xdb\x7a\x65\x6c\x04\xb6\x26\x0d\x8d\xb0\x0b\x90\x87\xc0\x87\x20\x3a\x74\x21\x8c\xe6\xb
7\x67\x45\x97\x60\x30\xb3\xd9\xa7\x6e\x08\xde\xe9\x19\x1a\x5e\x19\x44\x95\x26\x4d\x3d\xc2\xb1\xc3\x98\x08\x06\x96\x5f\x54\xea\x88\xd7\x92\x50\xe8\x1c\x2a\x94\xf7\xa9\x6b\xe3\x2c\x1d\x15\xcf\x4c\xbe\xf1\x85\x3d\x30\xfd\xea\x3d\xef\x80\x20\xa6\xf6\x4e\x64\x79\x2a\x7c\x74\xc4\xe5\x70\x3a\x8a\x32\x6b\xc2\x2a\x41\xc6\x58\x47\xdf\x3f\x68\xe4\x06\x81\xe5\xce\xdd\x0b\x05\xd8\x2a\x9e\x85\xe3\x3f\x6b\x18\x5e\xb1\x6c\x56\x1e\xfa\xec\xa1\xae\xbe\xa9\x09\x65\x6b\xc7\x9e\xfc\x9a\xe7\x76\x65\xb5\x89\xcc\x0c\x40\x11\x7b\xb5\x1d\x62\x4d\x98\xc8\x6c\x97\xa8\x14\xfc\xde\x48\x94\x84\x86\xf9\x1b\x66\x93\x68\x52\xb7\x8e\xd4\xbc\x0f\x51\x01\xa1\x23\x47\xb1\x14\x03\xf4\x56\xad\x64\x86\xe0\x63\x5e\xe3\x9c\xdc\x40\x0e\xc1\x00\x2e\xbe\x95\xe7\x13\x50\xcb\xfa\xc5\x20\xb2\x90\x21\x4a\x0f\x5e\x8b\xd4\x3e\x58\x31\xb2\x1d\xb0\x98\x59\xfa\x42\x8d\x76\x43\x69\x18\x92\x3e\x25\xf1\xd7\xa5\x40\x3c\xff\x39\x63\x27\x4e\xcf\x4a\x68\x70\xa1\x43\xe6\x13\x83\xbd\xb3\xea\xc2\xab\x7f\xda\x05\x8a\x81\x04\x24\x3b\x28\x4d\xe0\xca\x06\x2a\x27\x33\x91\x16\xfb\x1d\x55\xbd\xa6\x8c\x21\x5e\xac\x5a\x6d\x71\x28\x33\xef\xc7\x1d\x32\x03\x23\xda\xf3\xfc\xd1\x6c\xba\x1e\xf5\x21\x56\x9f\xbb\xa2\xc7\x5d\x64\x37\x8d\xa3\xdf\xd6\xd4\xe9\xac\x7f\x97\x4f\xeb\xa3\xdb\x52\x97\xf2\x1b\xd7\xe3\x05\x3e\x28\xad\xfe\xa2\x5e\xae\x9f\xd6\xcc\xcd\x3b\xd8\x6f\xf8\x8f\x35\x96\x89\x5b\x5e\xb4\xcd\x3d\xa9\x33\x8e\x43\xbb\x2a\x45\x4b\x25\xe6\x2d\xa9\x93\x85\xbb\x38\xec\xf6\x11\xfa\x4d\x38\x78\x72\x95\xe8\xbe\xe0\xde\x84\x17\x1b\x66\x75\x1e\x24\x6c\xbf\xfc\x36\x2c\x66\xbf\x1c\x20\x7b\xad\x1a\x8c\x5e\x25\xdb\x53\x7f\xb2\x1a\x70\x5a\xbd\xd9\xdd\x27\xc8\xac\x87\xd5\x4f\xd0\xa7\x29\x3f\x71\xe3\xd9\x34\x47\x71\xcb\x5f\x5b\x9f\x6c\xbf\x1e\x88\x88\x3e\x04\x27\x7a\xa3\xa7\x7f\x7e\x22\x16\x8a\x8e\xeb\x8b\x2b\xb3\x5a\xc9\x35\x80\xcd\x51\x9a\xd4\xb0\xdf\xfc\x32\x7f\x24\xff\x8e\x7c\xd9\x4e\x8c\xce\xaf\xfa\x27\x4d\x6a\xb1\x48\x3e\x9a\xa0\x3a\x5a\x88\xf8\x88\x59\xd9\x59\xc1\xed\xd9\xcc\x78\xa8\x6e\x46\xd3\xd3\x31\xd8\x00\x0e\x48\xbc\xa9\x54\x3e\x31\x95\x30\xb
5\xba\x6d\xb8\x64\xac\x3c\x83\xe7\x1f\xc2\x3c\x35\x13\x36\x84\x80\x7d\x9d\xdb\x5c\xe9\x98\x21\xb8\x9d\x93\x6f\x34\x45\xed\x88\x95\xc5\x62\x61\xd2\x11\xa7\x28\xdb\x53\x5b\x1c\x99\x78\x13\xa1\x2f\x61\x27\x91\xb9\xbc\x9b\x84\x5b\xea\x29\xa3\xec\xec\x90\xb8\xdd\x5c\xbc\xd3\x2a\x73\xb1\xe1\xc2\x57\x45\x31\x20\x06\xc3\x6e\xb6\xf1\x69\x1f\xa1\x6e\x1a\xa3\x12\x6b\xa7\x14\xd5\xad\x64\x7c\xd8\xcc\x60\x30\x80\xb0\x6f\x0a\xaa\xe7\x45\x6b\x35\x83\x41\x94\xbe\xf7\x95\xd2\xb4\x54\x04\xd0\x46\xc4\xf2\x9f\x00\xce\x13\x44\x4f\xbc\xff\xfb\x11\x7a\x9c\x7f\x1e\x35\xc9\x0d\xee\xad\xb7\x5d\x3a\x4e\x01\xb7\xa5\xa1\x0f\x93\xdd\x31\xef\xc8\x6c\x0c\x11\x9b\x55\xd8\x3e\xbd\xa2\x9a\x90\x01\xb3\x28\x42\xa0\xf2\x28\xfc\x99\x35\x40\xe1\xb4\x72\xdc\xa6\x03\x75\x0d\xc9\x13\x3f\x9b\x07\x50\xc5\x9f\x6e\x57\x1b\x0f\x2c\x53\xcd\x45\x04\x61\x61\x82\xa3\xed\x9c\xf8\x81\xd2\x54\xb5\xd7\x2e\x8b\xfb\xa3\x3a\x1c\xa7\x9b\x2e\x19\x0b\x75\xf4\x31\x63\x1b\x98\x0e\xc0\x75\xdd\x6b\xcc\xff\xe1\x06\x07\x37\xe2\x6f\x84\xd6\xd1\xee\x5d\xe0\xba\x08\x3f\x5f\xe1\xfa\x25\xd4\xa8\x8f\x40\x2a\x01\xaf\x6c\x03\x5b\x68\x41\x25\xeb\xdd\x1a\x40\x4e\x1c\xc3\x90\xd8\x5f\x28\x2d\x83\x3d\x63\xd1\xcc\x6b\x93\xcd\x69\xd6\x21\x09\x4a\xb1\xda\xe7\xa3\xce\xbf\x19\x2b\xe1\xc7\x78\x80\x11\x6a\x6b\xa1\x6a\x69\xc9\x9f\x86\xb2\x0a\x51\xc7\x20\x38\xcc\xd2\xf5\xbc\xd5\xe8\x83\x39\xf8\xee\x55\x5c\x32\xfb\xc3\x6f\x40\x90\xde\x5e\x74\x8d\x41\x31\x4a\xbb\xa1\x0b\xe7\xa9\xdf\x3f\x4a\xe9\xa8\x98\x42\xd7\xa3\x82\xa2\x31\x2b\x6a\x0a\x08\xfa\x2a\x0d\x8a\xed\x22\x98\x3e\x9a\xaf\x63\x9d\x38\xa6\x1b\x88\xba\xc9\x01\x8d\xd2\x49\x26\x26\xe5\x7f\x94\x66\x5d\x32\x4b\xd1\xf3\x9c\xd5\xd0\xfa\x26\x1b\x16\x6d\x20\x6c\xe8\x40\x44\xa9\x79\x12\x32\x07\xf6\xce\x4e\x0d\x36\x3b\xe0\x8f\x9e\x38\xd9\x4d\x73\xc5\xd1\xce\xf2\x38\x23\xeb\x60\x67\xf5\x7f\x4a\x26\xb7\x3f\x55\x5f\x86\x2d\xda\x59\x09\x50\x97\xfb\xc9\x02\x00\x36\xad\x01\x9e\xfe\x18\xe0\xec\x04\xce\x0d\x32\x52\x5d\x20\xc8\xd6\xa0\xc8\x59\x5c\xf4\xb8\xfe\xbb\x75\xf3\x4f\x07\xa9\xbe\xc6\x7b\xcc\x76\x82\x99\xbe\x8f\x6
4\x8c\x20\xf5\x76\x35\x88\x22\x64\x40\x1c\xcf\x88\x2f\x47\xa9\xc6\x49\xb8\x1d\x42\xba\xbc\x3b\x5a\x75\xfe\x7d\x69\x83\x64\xd9\xcf\x09\xe4\xd1\x80\x2e\x8f\x1a\xe6\xf7\x2c\xb0\x16\x91\x74\x0a\x84\x9c\x90\xe1\x72\x34\xd9\x0d\x80\x70\xe3\xf6\xcb\xfa\x0f\xa7\xb7\x62\xef\xb8\x45\xd9\x27\x52\x55\x16\xfd\xb4\xcc\x1b\x22\x00\x78\x9a\xc4\x44\xfb\x2c\x56\xa3\x6b\xfe\x5a\x79\x97\x9b\xf3\x69\xa5", 
4096);
    /* The generated code zeroed this 0x800-byte tail (0x200018b8 .. 0x200020b0)
       with 256 separate 8-byte stores; a single memset is equivalent. */
    memset((void*)0x200018b8, 0, 0x800);
    syscall(__NR_write, r[3], 0x20000840ul, 0x1878ul);
    return 0;
}

On 2020/10/20 17:02, Yang Yingliang wrote:
> I got a UAF report in do_update_region() when I was doing a fuzz test.
>
> [   51.161905] BUG: KASAN: use-after-free in do_update_region+0x579/0x600
> [   51.161918] Read of size 2 at addr ffff888000100000 by task test/295
>
> [   51.161957] CPU: 2 PID: 295 Comm: test Not tainted 5.7.0+ #975
> [   51.161969] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
> [   51.161976] Call Trace:
> [   51.162001]  dump_stack+0xc6/0x11e
> [   51.162019]  ? do_update_region+0x579/0x600
> [   51.162047]  print_address_description.constprop.6+0x1a/0x220
> [   51.162083]  ? vprintk_func+0x66/0xed
> [   51.162100]  ? do_update_region+0x579/0x600
> [   51.162112]  ? do_update_region+0x579/0x600
> [   51.162128]  kasan_report.cold.9+0x37/0x7c
> [   51.162151]  ? do_update_region+0x579/0x600
> [   51.162173]  do_update_region+0x579/0x600
> [   51.162207]  ? con_get_trans_old+0x230/0x230
> [   51.162229]  ? retint_kernel+0x10/0x10
> [   51.162278]  csi_J+0x557/0xa00
> [   51.162307]  do_con_trol+0x49af/0x5cc0
> [   51.162330]  ? lock_downgrade+0x720/0x720
> [   51.162347]  ? reset_palette+0x1b0/0x1b0
> [   51.162369]  ? lockdep_hardirqs_on_prepare+0x379/0x540
> [   51.162393]  ? notifier_call_chain+0x11b/0x160
> [   51.162438]  do_con_write.part.24+0xb0a/0x1a30
> [   51.162501]  ? do_con_trol+0x5cc0/0x5cc0
> [   51.162522]  ? console_unlock+0x7b8/0xb00
> [   51.162555]  ? __mutex_unlock_slowpath+0xd4/0x670
> [   51.162574]  ? this_tty+0xe0/0xe0
> [   51.162589]  ? console_unlock+0x559/0xb00
> [   51.162605]  ? wait_for_completion+0x260/0x260
> [   51.162638]  con_write+0x31/0xb0
> [   51.162658]  n_tty_write+0x4fa/0xd40
> [   51.162710]  ? n_tty_read+0x1800/0x1800
> [   51.162730]  ? prepare_to_wait_exclusive+0x270/0x270
> [   51.162754]  ? __might_fault+0x175/0x1b0
> [   51.162783]  tty_write+0x42b/0x8d0
> [   51.162795]  ? n_tty_read+0x1800/0x1800
> [   51.162825]  ? tty_lookup_driver+0x450/0x450
> [   51.162848]  __vfs_write+0x7c/0x100
> [   51.162875]  vfs_write+0x1c9/0x510
> [   51.162901]  ksys_write+0xff/0x200
> [   51.162918]  ? __ia32_sys_read+0xb0/0xb0
> [   51.162940]  ? do_syscall_64+0x1a/0x520
> [   51.162957]  ? lockdep_hardirqs_on_prepare+0x379/0x540
> [   51.162984]  do_syscall_64+0xa1/0x520
> [   51.163008]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
>
> After vgacon_set_origin() is called in set_origin(), the vc_origin is
> set to vga_vram_base, and vc_pos should be between vga_vram_base and
> vga_vram_end. But we still use vc_screenbuf_size; if vga_vram_size
> is smaller than vc_screenbuf_size, vc_pos may be out of bounds, and using it
> will cause a use-after-free (or out-of-bounds access). Fix this by calling
> vc_resize() if vga_vram_size is smaller than vc_screenbuf_size.
>
> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
> ---
>  drivers/video/console/vgacon.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/drivers/video/console/vgacon.c 
> b/drivers/video/console/vgacon.c
> index 998b0de..2ee3d62 100644
> --- a/drivers/video/console/vgacon.c
> +++ b/drivers/video/console/vgacon.c
> @@ -1336,6 +1336,9 @@ static int vgacon_set_origin(struct vc_data *c)
>      if (vga_is_gfx ||    /* We don't play origin tricks in graphic 
> modes */
>          (console_blanked && !vga_palette_blanked))    /* Nor we write 
> to blanked screens */
>          return 0;
> +
> +    if (c->vc_screenbuf_size > vga_vram_size)
> +        vc_resize(c, screen_info.orig_video_cols, 
> screen_info.orig_video_lines);
>      c->vc_origin = c->vc_visible_origin = vga_vram_base;
>      vga_set_mem_top(c);
>      vga_rolled_over = 0;
>

_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel


* Re: [PATCH] vgacon: fix a UAF in do_update_region()
  2020-06-04 14:38 ` [PATCH] " Yang Yingliang
@ 2020-07-10 10:47   ` Bartlomiej Zolnierkiewicz
  0 siblings, 0 replies; 14+ messages in thread
From: Bartlomiej Zolnierkiewicz @ 2020-07-10 10:47 UTC (permalink / raw)
  To: Yang Yingliang; +Cc: linux-kernel


Hi,

Please re-send adding the correct mailing lists:

* dri-devel@lists.freedesktop.org

* linux-fbdev@vger.kernel.org

to Cc: so the patch can be reviewed/merged.

Best regards,
--
Bartlomiej Zolnierkiewicz
Samsung R&D Institute Poland
Samsung Electronics

On 6/4/20 4:38 PM, Yang Yingliang wrote:
> I got a UAF report in do_update_region() when I was doing a fuzz test.
> 
> [   51.161905] BUG: KASAN: use-after-free in do_update_region+0x579/0x600
> [   51.161918] Read of size 2 at addr ffff888000100000 by task test/295
> 
> [   51.161957] CPU: 2 PID: 295 Comm: test Not tainted 5.7.0+ #975
> [   51.161969] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
> [   51.161976] Call Trace:
> [   51.162001]  dump_stack+0xc6/0x11e
> [   51.162019]  ? do_update_region+0x579/0x600
> [   51.162047]  print_address_description.constprop.6+0x1a/0x220
> [   51.162083]  ? vprintk_func+0x66/0xed
> [   51.162100]  ? do_update_region+0x579/0x600
> [   51.162112]  ? do_update_region+0x579/0x600
> [   51.162128]  kasan_report.cold.9+0x37/0x7c
> [   51.162151]  ? do_update_region+0x579/0x600
> [   51.162173]  do_update_region+0x579/0x600
> [   51.162207]  ? con_get_trans_old+0x230/0x230
> [   51.162229]  ? retint_kernel+0x10/0x10
> [   51.162278]  csi_J+0x557/0xa00
> [   51.162307]  do_con_trol+0x49af/0x5cc0
> [   51.162330]  ? lock_downgrade+0x720/0x720
> [   51.162347]  ? reset_palette+0x1b0/0x1b0
> [   51.162369]  ? lockdep_hardirqs_on_prepare+0x379/0x540
> [   51.162393]  ? notifier_call_chain+0x11b/0x160
> [   51.162438]  do_con_write.part.24+0xb0a/0x1a30
> [   51.162501]  ? do_con_trol+0x5cc0/0x5cc0
> [   51.162522]  ? console_unlock+0x7b8/0xb00
> [   51.162555]  ? __mutex_unlock_slowpath+0xd4/0x670
> [   51.162574]  ? this_tty+0xe0/0xe0
> [   51.162589]  ? console_unlock+0x559/0xb00
> [   51.162605]  ? wait_for_completion+0x260/0x260
> [   51.162638]  con_write+0x31/0xb0
> [   51.162658]  n_tty_write+0x4fa/0xd40
> [   51.162710]  ? n_tty_read+0x1800/0x1800
> [   51.162730]  ? prepare_to_wait_exclusive+0x270/0x270
> [   51.162754]  ? __might_fault+0x175/0x1b0
> [   51.162783]  tty_write+0x42b/0x8d0
> [   51.162795]  ? n_tty_read+0x1800/0x1800
> [   51.162825]  ? tty_lookup_driver+0x450/0x450
> [   51.162848]  __vfs_write+0x7c/0x100
> [   51.162875]  vfs_write+0x1c9/0x510
> [   51.162901]  ksys_write+0xff/0x200
> [   51.162918]  ? __ia32_sys_read+0xb0/0xb0
> [   51.162940]  ? do_syscall_64+0x1a/0x520
> [   51.162957]  ? lockdep_hardirqs_on_prepare+0x379/0x540
> [   51.162984]  do_syscall_64+0xa1/0x520
> [   51.163008]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
> 
> After vgacon_set_origin() is called in set_origin(), vc_origin is
> set to vga_vram_base, and vc_pos should be between vga_vram_base and
> vga_vram_end. But we still use vc_screenbuf_size; if vga_vram_size
> is smaller than vc_screenbuf_size, vc_pos may be out of bounds, and using it
> will cause a use-after-free (or out-of-bounds access). Fix this by calling
> vc_resize() if vga_vram_size is smaller than vc_screenbuf_size.
> 
> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
> ---
>  drivers/video/console/vgacon.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c
> index 998b0de..2ee3d62 100644
> --- a/drivers/video/console/vgacon.c
> +++ b/drivers/video/console/vgacon.c
> @@ -1336,6 +1336,9 @@ static int vgacon_set_origin(struct vc_data *c)
>  	if (vga_is_gfx ||	/* We don't play origin tricks in graphic modes */
>  	    (console_blanked && !vga_palette_blanked))	/* Nor we write to blanked screens */
>  		return 0;
> +
> +	if (c->vc_screenbuf_size > vga_vram_size)
> +		vc_resize(c, screen_info.orig_video_cols, screen_info.orig_video_lines);
>  	c->vc_origin = c->vc_visible_origin = vga_vram_base;
>  	vga_set_mem_top(c);
>  	vga_rolled_over = 0;
> 


* [PATCH] vgacon: fix a UAF in do_update_region()
@ 2020-06-04 14:38 ` Yang Yingliang
  2020-07-10 10:47   ` Bartlomiej Zolnierkiewicz
  0 siblings, 1 reply; 14+ messages in thread
From: Yang Yingliang @ 2020-06-04 14:38 UTC (permalink / raw)
  To: b.zolnierkie, linux-kernel; +Cc: yangyingliang

I got a UAF report in do_update_region() when I was doing a fuzz test.

[   51.161905] BUG: KASAN: use-after-free in do_update_region+0x579/0x600
[   51.161918] Read of size 2 at addr ffff888000100000 by task test/295

[   51.161957] CPU: 2 PID: 295 Comm: test Not tainted 5.7.0+ #975
[   51.161969] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[   51.161976] Call Trace:
[   51.162001]  dump_stack+0xc6/0x11e
[   51.162019]  ? do_update_region+0x579/0x600
[   51.162047]  print_address_description.constprop.6+0x1a/0x220
[   51.162083]  ? vprintk_func+0x66/0xed
[   51.162100]  ? do_update_region+0x579/0x600
[   51.162112]  ? do_update_region+0x579/0x600
[   51.162128]  kasan_report.cold.9+0x37/0x7c
[   51.162151]  ? do_update_region+0x579/0x600
[   51.162173]  do_update_region+0x579/0x600
[   51.162207]  ? con_get_trans_old+0x230/0x230
[   51.162229]  ? retint_kernel+0x10/0x10
[   51.162278]  csi_J+0x557/0xa00
[   51.162307]  do_con_trol+0x49af/0x5cc0
[   51.162330]  ? lock_downgrade+0x720/0x720
[   51.162347]  ? reset_palette+0x1b0/0x1b0
[   51.162369]  ? lockdep_hardirqs_on_prepare+0x379/0x540
[   51.162393]  ? notifier_call_chain+0x11b/0x160
[   51.162438]  do_con_write.part.24+0xb0a/0x1a30
[   51.162501]  ? do_con_trol+0x5cc0/0x5cc0
[   51.162522]  ? console_unlock+0x7b8/0xb00
[   51.162555]  ? __mutex_unlock_slowpath+0xd4/0x670
[   51.162574]  ? this_tty+0xe0/0xe0
[   51.162589]  ? console_unlock+0x559/0xb00
[   51.162605]  ? wait_for_completion+0x260/0x260
[   51.162638]  con_write+0x31/0xb0
[   51.162658]  n_tty_write+0x4fa/0xd40
[   51.162710]  ? n_tty_read+0x1800/0x1800
[   51.162730]  ? prepare_to_wait_exclusive+0x270/0x270
[   51.162754]  ? __might_fault+0x175/0x1b0
[   51.162783]  tty_write+0x42b/0x8d0
[   51.162795]  ? n_tty_read+0x1800/0x1800
[   51.162825]  ? tty_lookup_driver+0x450/0x450
[   51.162848]  __vfs_write+0x7c/0x100
[   51.162875]  vfs_write+0x1c9/0x510
[   51.162901]  ksys_write+0xff/0x200
[   51.162918]  ? __ia32_sys_read+0xb0/0xb0
[   51.162940]  ? do_syscall_64+0x1a/0x520
[   51.162957]  ? lockdep_hardirqs_on_prepare+0x379/0x540
[   51.162984]  do_syscall_64+0xa1/0x520
[   51.163008]  entry_SYSCALL_64_after_hwframe+0x49/0xb3

After vgacon_set_origin() is called in set_origin(), vc_origin is
set to vga_vram_base, and vc_pos should be between vga_vram_base and
vga_vram_end. But we still use vc_screenbuf_size; if vga_vram_size
is smaller than vc_screenbuf_size, vc_pos may be out of bounds, and using it
will cause a use-after-free (or out-of-bounds access). Fix this by calling
vc_resize() if vga_vram_size is smaller than vc_screenbuf_size.

Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 drivers/video/console/vgacon.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c
index 998b0de..2ee3d62 100644
--- a/drivers/video/console/vgacon.c
+++ b/drivers/video/console/vgacon.c
@@ -1336,6 +1336,9 @@ static int vgacon_set_origin(struct vc_data *c)
 	if (vga_is_gfx ||	/* We don't play origin tricks in graphic modes */
 	    (console_blanked && !vga_palette_blanked))	/* Nor we write to blanked screens */
 		return 0;
+
+	if (c->vc_screenbuf_size > vga_vram_size)
+		vc_resize(c, screen_info.orig_video_cols, screen_info.orig_video_lines);
 	c->vc_origin = c->vc_visible_origin = vga_vram_base;
 	vga_set_mem_top(c);
 	vga_rolled_over = 0;
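Review bot: the return value of vc_resize() is discarded in the added `if`, so when the resize fails (it returns a negative errno) the function still goes on to `c->vc_origin = c->vc_visible_origin = vga_vram_base;` with vc_screenbuf_size larger than vga_vram_size, which is exactly the mismatch the commit message blames for the out-of-bounds access. Suggest bailing out the way the gfx/blanked cases above do, e.g. `if (c->vc_screenbuf_size > vga_vram_size && vc_resize(c, screen_info.orig_video_cols, screen_info.orig_video_lines)) return 0;`, and re-checking `c->vc_screenbuf_size > vga_vram_size` after the resize, since nothing in the hunk shows that orig_video_cols * orig_video_lines * 2 fits in vga_vram_size. The commit message should also say why the boot-time geometry is the right target rather than a geometry derived from vga_vram_size.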
-- 
1.8.3
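The mismatch the commit message describes, modelled as an added example in plain user-space C that is not part of the patch or of the kernel. `struct vc_model`, `struct vram_model`, `make_vc()`, `set_origin_unchecked()`, `resize()` and `set_origin_checked()` are hypothetical stand-ins for vc_data, the VGA text-memory window, vgacon_set_origin() and vc_resize(); the buffer addresses and the 80x50-console-on-80x25-VRAM sizes are constructed. It shows why moving the origin into VRAM while the geometry still reflects a larger screen buffer puts the cursor position outside VRAM, and how a resize that is verified before the origin moves keeps it inside.

```c
#include <stdio.h>
#include <stddef.h>

/* Added example: simplified model of the fields involved in the bug. These are
 * stand-ins for the kernel's vc_data, the VGA memory window, vgacon_set_origin()
 * and vc_resize(); they are not kernel code. A character cell is 2 bytes. */
struct vc_model {
	size_t cols, rows;       /* current geometry */
	size_t screenbuf_size;   /* cols * rows * 2 */
	size_t origin;           /* start of the buffer the console writes into */
	size_t pos;              /* origin + (y * cols + x) * 2 */
	size_t x, y;             /* cursor */
};

struct vram_model {
	size_t base, size;       /* stand-in for vga_vram_base / vga_vram_size */
};

/* Recompute pos from origin and the cursor, as the console does once origin moves. */
static void update_pos(struct vc_model *vc)
{
	vc->pos = vc->origin + (vc->y * vc->cols + vc->x) * 2;
}

/* Constructed console whose screen buffer lives at the fake address 0x1000. */
static struct vc_model make_vc(size_t cols, size_t rows, size_t x, size_t y)
{
	struct vc_model vc = { cols, rows, cols * rows * 2, 0x1000, 0, x, y };
	update_pos(&vc);
	return vc;
}

/* 1 if a 2-byte cell access at pos stays inside [origin, origin + limit). */
static int cell_in_bounds(size_t pos, size_t origin, size_t limit)
{
	return pos >= origin && pos + 2 <= origin + limit;
}

/* Behaviour the commit message describes before the fix: origin is moved into
 * VRAM while the geometry still reflects the larger screen buffer. Returns
 * whether the resulting pos is still a valid VRAM cell. */
static int set_origin_unchecked(struct vc_model *vc, const struct vram_model *vram)
{
	vc->origin = vram->base;
	update_pos(vc);
	return cell_in_bounds(vc->pos, vram->base, vram->size);
}

/* Stand-in for vc_resize(): change geometry, recompute the buffer size, clamp
 * the cursor. Returns 0 on success, -1 on an invalid geometry. */
static int resize(struct vc_model *vc, size_t cols, size_t rows)
{
	if (cols == 0 || rows == 0)
		return -1;
	vc->cols = cols;
	vc->rows = rows;
	vc->screenbuf_size = cols * rows * 2;
	if (vc->x >= cols)
		vc->x = cols - 1;
	if (vc->y >= rows)
		vc->y = rows - 1;
	return 0;
}

/* The patch's approach plus the re-check a reviewer would ask for: if the
 * screen buffer does not fit in VRAM, resize to the boot geometry, confirm the
 * resize succeeded and the buffer now fits, and only then move origin. On any
 * failure the origin is left where it was. Returns 1 if origin was moved and
 * pos is a valid VRAM cell, 0 otherwise. */
static int set_origin_checked(struct vc_model *vc, const struct vram_model *vram,
			      size_t boot_cols, size_t boot_rows)
{
	if (vc->screenbuf_size > vram->size) {
		if (resize(vc, boot_cols, boot_rows) != 0)
			return 0;
		if (vc->screenbuf_size > vram->size)
			return 0;
	}
	vc->origin = vram->base;
	update_pos(vc);
	return cell_in_bounds(vc->pos, vram->base, vram->size);
}

int main(void)
{
	/* Constructed sizes: 80x25 text VRAM (4000 bytes) vs an 80x50 console
	 * with the cursor on row 40, i.e. already past the end of VRAM. */
	struct vram_model vram = { 0xb8000, 80 * 25 * 2 };
	struct vc_model a = make_vc(80, 50, 0, 40);
	struct vc_model b = make_vc(80, 50, 0, 40);

	printf("unchecked: pos in VRAM? %d\n", set_origin_unchecked(&a, &vram));
	printf("checked:   pos in VRAM? %d (rows now %zu)\n",
	       set_origin_checked(&b, &vram, 80, 25), b.rows);
	return 0;
}
```

The unchecked path reports the cursor cell outside VRAM, which is the condition KASAN flagged in do_update_region(); the checked path shrinks the console to 80x25 first, clamps the cursor to row 24 and only then repoints the origin. When the boot geometry itself is still too large for VRAM, the checked path refuses to move the origin at all instead of leaving a half-applied state.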



Thread overview: 14+ messages
2020-07-13  3:05 [PATCH] vgacon: fix a UAF in do_update_region() Yang Yingliang
2020-07-13 11:04 ` Yang Yingliang
2020-07-13 11:04 ` Yang Yingliang
2020-10-17 12:25 ` Sam Ravnborg
2020-10-17 12:25   ` Sam Ravnborg
2020-10-17 12:25   ` Sam Ravnborg
2020-10-20  9:02   ` [PATCH resend] " Yang Yingliang
2020-10-20  9:02     ` Yang Yingliang
2020-10-20  9:02     ` Yang Yingliang
2020-10-20  9:20     ` Yang Yingliang
2020-10-20  9:20       ` Yang Yingliang
2020-10-20  9:20       ` Yang Yingliang
2020-06-04 14:38 ` [PATCH] " Yang Yingliang
2020-07-10 10:47   ` Bartlomiej Zolnierkiewicz
