From: Andrey Konovalov
Date: Mon, 9 Jan 2017 18:08:54 +0100
Subject: net/ipv6: use-after-free in sock_wfree
To: "David S. Miller", Alexey Kuznetsov, James Morris, Hideaki YOSHIFUJI, Patrick McHardy, netdev, LKML
Cc: Dmitry Vyukov, Kostya Serebryany, Eric Dumazet, syzkaller
X-Mailing-List: linux-kernel@vger.kernel.org

Hi!

I've got the following error report while running the syzkaller fuzzer.
On commit a121103c922847ba5010819a3f250f1f7fc84ab8 (4.10-rc3).

A reproducer is attached.
==================================================================
BUG: KASAN: use-after-free in sock_wfree+0x118/0x120
Read of size 8 at addr ffff880062da0060 by task a.out/4140

page:ffffea00018b6800 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
flags: 0x100000000008100(slab|head)
raw: 0100000000008100 0000000000000000 0000000000000000 0000000180130013
raw: dead000000000100 dead000000000200 ffff88006741f140 0000000000000000
page dumped because: kasan: bad access detected

CPU: 0 PID: 4140 Comm: a.out Not tainted 4.10.0-rc3+ #59
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:15
 dump_stack+0x292/0x398 lib/dump_stack.c:51
 describe_address mm/kasan/report.c:262
 kasan_report_error+0x121/0x560 mm/kasan/report.c:370
 kasan_report mm/kasan/report.c:392
 __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:413
 sock_flag ./arch/x86/include/asm/bitops.h:324
 sock_wfree+0x118/0x120 net/core/sock.c:1631
 skb_release_head_state+0xfc/0x250 net/core/skbuff.c:655
 skb_release_all+0x15/0x60 net/core/skbuff.c:668
 __kfree_skb+0x15/0x20 net/core/skbuff.c:684
 kfree_skb+0x16e/0x4e0 net/core/skbuff.c:705
 inet_frag_destroy+0x121/0x290 net/ipv4/inet_fragment.c:304
 inet_frag_put ./include/net/inet_frag.h:133
 nf_ct_frag6_gather+0x1125/0x38b0 net/ipv6/netfilter/nf_conntrack_reasm.c:617
 ipv6_defrag+0x21b/0x350 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:68
 nf_hook_entry_hookfn ./include/linux/netfilter.h:102
 nf_hook_slow+0xc3/0x290 net/netfilter/core.c:310
 nf_hook ./include/linux/netfilter.h:212
 __ip6_local_out+0x52c/0xaf0 net/ipv6/output_core.c:160
 ip6_local_out+0x2d/0x170 net/ipv6/output_core.c:170
 ip6_send_skb+0xa1/0x340 net/ipv6/ip6_output.c:1722
 ip6_push_pending_frames+0xb3/0xe0 net/ipv6/ip6_output.c:1742
 rawv6_push_pending_frames net/ipv6/raw.c:613
 rawv6_sendmsg+0x2cff/0x4130 net/ipv6/raw.c:927
 inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:744
 sock_sendmsg_nosec net/socket.c:635
 sock_sendmsg+0xca/0x110 net/socket.c:645
 sock_write_iter+0x326/0x620 net/socket.c:848
 new_sync_write fs/read_write.c:499
 __vfs_write+0x483/0x760 fs/read_write.c:512
 vfs_write+0x187/0x530 fs/read_write.c:560
 SYSC_write fs/read_write.c:607
 SyS_write+0xfb/0x230 fs/read_write.c:599
 entry_SYSCALL_64_fastpath+0x1f/0xc2 arch/x86/entry/entry_64.S:203
RIP: 0033:0x7ff26e6f5b79
RSP: 002b:00007ff268e0ed98 EFLAGS: 00000206 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007ff268e0f9c0 RCX: 00007ff26e6f5b79
RDX: 0000000000000010 RSI: 0000000020f50fe1 RDI: 0000000000000003
RBP: 00007ff26ebc1220 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
R13: 00007ff268e0f9c0 R14: 00007ff26efec040 R15: 0000000000000003

The buggy address belongs to the object at ffff880062da0000
 which belongs to the cache RAWv6 of size 1504
The buggy address ffff880062da0060 is located 96 bytes inside of
 1504-byte region [ffff880062da0000, ffff880062da05e0)

Freed by task 4113:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:502
 set_track mm/kasan/kasan.c:514
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:578
 slab_free_hook mm/slub.c:1352
 slab_free_freelist_hook mm/slub.c:1374
 slab_free mm/slub.c:2951
 kmem_cache_free+0xb2/0x2c0 mm/slub.c:2973
 sk_prot_free net/core/sock.c:1377
 __sk_destruct+0x49c/0x6e0 net/core/sock.c:1452
 sk_destruct+0x47/0x80 net/core/sock.c:1460
 __sk_free+0x57/0x230 net/core/sock.c:1468
 sk_free+0x23/0x30 net/core/sock.c:1479
 sock_put ./include/net/sock.h:1638
 sk_common_release+0x31e/0x4e0 net/core/sock.c:2782
 rawv6_close+0x54/0x80 net/ipv6/raw.c:1214
 inet_release+0xed/0x1c0 net/ipv4/af_inet.c:425
 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:431
 sock_release+0x8d/0x1e0 net/socket.c:599
 sock_close+0x16/0x20 net/socket.c:1063
 __fput+0x332/0x7f0 fs/file_table.c:208
 ____fput+0x15/0x20 fs/file_table.c:244
 task_work_run+0x19b/0x270 kernel/task_work.c:116
 exit_task_work ./include/linux/task_work.h:21
 do_exit+0x186b/0x2800 kernel/exit.c:839
 do_group_exit+0x149/0x420 kernel/exit.c:943
 SYSC_exit_group kernel/exit.c:954
 SyS_exit_group+0x1d/0x20 kernel/exit.c:952
 entry_SYSCALL_64_fastpath+0x1f/0xc2 arch/x86/entry/entry_64.S:203

Allocated by task 4115:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:502
 set_track mm/kasan/kasan.c:514
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:605
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:544
 slab_post_alloc_hook mm/slab.h:432
 slab_alloc_node mm/slub.c:2708
 slab_alloc mm/slub.c:2716
 kmem_cache_alloc+0x1af/0x250 mm/slub.c:2721
 sk_prot_alloc+0x65/0x2a0 net/core/sock.c:1334
 sk_alloc+0x105/0x1010 net/core/sock.c:1396
 inet6_create+0x44d/0x1150 net/ipv6/af_inet6.c:183
 __sock_create+0x4f6/0x880 net/socket.c:1199
 sock_create net/socket.c:1239
 SYSC_socket net/socket.c:1269
 SyS_socket+0xf9/0x230 net/socket.c:1249
 entry_SYSCALL_64_fastpath+0x1f/0xc2 arch/x86/entry/entry_64.S:203

Memory state around the buggy address:
 ffff880062d9ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff880062d9ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff880062da0000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff880062da0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880062da0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

[Attachment: ipv6-wfree-uaf-poc.c (syzkaller-generated reproducer; base64-encoded in the original message, omitted here)]