[PATCH] vgacon: fix a UAF in do_update_region()

[PATCH] vgacon: fix a UAF in do_update_region()

[Yang Yingliang]

I got a UAF report in do_update_region() when I doing fuzz test.

[   51.161905] BUG: KASAN: use-after-free in do_update_region+0x579/0x600
[   51.161918] Read of size 2 at addr ffff888000100000 by task test/295

[   51.161957] CPU: 2 PID: 295 Comm: test Not tainted 5.7.0+ #975
[   51.161969] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[   51.161976] Call Trace:
[   51.162001]  dump_stack+0xc6/0x11e
[   51.162019]  ? do_update_region+0x579/0x600
[   51.162047]  print_address_description.constprop.6+0x1a/0x220
[   51.162083]  ? vprintk_func+0x66/0xed
[   51.162100]  ? do_update_region+0x579/0x600
[   51.162112]  ? do_update_region+0x579/0x600
[   51.162128]  kasan_report.cold.9+0x37/0x7c
[   51.162151]  ? do_update_region+0x579/0x600
[   51.162173]  do_update_region+0x579/0x600
[   51.162207]  ? con_get_trans_old+0x230/0x230
[   51.162229]  ? retint_kernel+0x10/0x10
[   51.162278]  csi_J+0x557/0xa00
[   51.162307]  do_con_trol+0x49af/0x5cc0
[   51.162330]  ? lock_downgrade+0x720/0x720
[   51.162347]  ? reset_palette+0x1b0/0x1b0
[   51.162369]  ? lockdep_hardirqs_on_prepare+0x379/0x540
[   51.162393]  ? notifier_call_chain+0x11b/0x160
[   51.162438]  do_con_write.part.24+0xb0a/0x1a30
[   51.162501]  ? do_con_trol+0x5cc0/0x5cc0
[   51.162522]  ? console_unlock+0x7b8/0xb00
[   51.162555]  ? __mutex_unlock_slowpath+0xd4/0x670
[   51.162574]  ? this_tty+0xe0/0xe0
[   51.162589]  ? console_unlock+0x559/0xb00
[   51.162605]  ? wait_for_completion+0x260/0x260
[   51.162638]  con_write+0x31/0xb0
[   51.162658]  n_tty_write+0x4fa/0xd40
[   51.162710]  ? n_tty_read+0x1800/0x1800
[   51.162730]  ? prepare_to_wait_exclusive+0x270/0x270
[   51.162754]  ? __might_fault+0x175/0x1b0
[   51.162783]  tty_write+0x42b/0x8d0
[   51.162795]  ? n_tty_read+0x1800/0x1800
[   51.162825]  ? tty_lookup_driver+0x450/0x450
[   51.162848]  __vfs_write+0x7c/0x100
[   51.162875]  vfs_write+0x1c9/0x510
[   51.162901]  ksys_write+0xff/0x200
[   51.162918]  ? __ia32_sys_read+0xb0/0xb0
[   51.162940]  ? do_syscall_64+0x1a/0x520
[   51.162957]  ? lockdep_hardirqs_on_prepare+0x379/0x540
[   51.162984]  do_syscall_64+0xa1/0x520
[   51.163008]  entry_SYSCALL_64_after_hwframe+0x49/0xb3

After vgacon_set_origin() is called in set_origin(), the vc_origin is
set to vga_vram_base, the vc_pos should between vga_vram_base and
vga_vram_end. But we still use vc_screenbuf_size, if the vga_vram_size
is smaller than vc_screenbuf_size, vc_pos may be out of bound, using it
will cause a use-after-free(or out-of-bounds). Fix this by calling
vc_resize() if vga_vram_size is smaller than vc_screenbuf_size.

Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 drivers/video/console/vgacon.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c
index b51ffb9a208d..2eabb86bb0dd 100644
--- a/drivers/video/console/vgacon.c
+++ b/drivers/video/console/vgacon.c
@@ -1341,6 +1341,9 @@ static int vgacon_set_origin(struct vc_data *c)
 	if (vga_is_gfx ||	/* We don't play origin tricks in graphic modes */
 	    (console_blanked && !vga_palette_blanked))	/* Nor we write to blanked screens */
 		return 0;
+
+	if (c->vc_screenbuf_size > vga_vram_size)
+		vc_resize(c, screen_info.orig_video_cols, screen_info.orig_video_lines);
 	c->vc_origin = c->vc_visible_origin = vga_vram_base;
 	vga_set_mem_top(c);
 	vga_rolled_over = 0;
-- 
2.25.1

Re: [PATCH] vgacon: fix a UAF in do_update_region()

[Sam Ravnborg]

Hi Yang.

Can you please resend and include Greg in the recipient list.
Greg is maintainer of the console subsystem these days.

	Sam

On Mon, Jul 13, 2020 at 11:04:45AM +0000, Yang Yingliang wrote:
> I got a UAF report in do_update_region() when I doing fuzz test.
> 
> [   51.161905] BUG: KASAN: use-after-free in do_update_region+0x579/0x600
> [   51.161918] Read of size 2 at addr ffff888000100000 by task test/295
> 
> [   51.161957] CPU: 2 PID: 295 Comm: test Not tainted 5.7.0+ #975
> [   51.161969] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
> [   51.161976] Call Trace:
> [   51.162001]  dump_stack+0xc6/0x11e
> [   51.162019]  ? do_update_region+0x579/0x600
> [   51.162047]  print_address_description.constprop.6+0x1a/0x220
> [   51.162083]  ? vprintk_func+0x66/0xed
> [   51.162100]  ? do_update_region+0x579/0x600
> [   51.162112]  ? do_update_region+0x579/0x600
> [   51.162128]  kasan_report.cold.9+0x37/0x7c
> [   51.162151]  ? do_update_region+0x579/0x600
> [   51.162173]  do_update_region+0x579/0x600
> [   51.162207]  ? con_get_trans_old+0x230/0x230
> [   51.162229]  ? retint_kernel+0x10/0x10
> [   51.162278]  csi_J+0x557/0xa00
> [   51.162307]  do_con_trol+0x49af/0x5cc0
> [   51.162330]  ? lock_downgrade+0x720/0x720
> [   51.162347]  ? reset_palette+0x1b0/0x1b0
> [   51.162369]  ? lockdep_hardirqs_on_prepare+0x379/0x540
> [   51.162393]  ? notifier_call_chain+0x11b/0x160
> [   51.162438]  do_con_write.part.24+0xb0a/0x1a30
> [   51.162501]  ? do_con_trol+0x5cc0/0x5cc0
> [   51.162522]  ? console_unlock+0x7b8/0xb00
> [   51.162555]  ? __mutex_unlock_slowpath+0xd4/0x670
> [   51.162574]  ? this_tty+0xe0/0xe0
> [   51.162589]  ? console_unlock+0x559/0xb00
> [   51.162605]  ? wait_for_completion+0x260/0x260
> [   51.162638]  con_write+0x31/0xb0
> [   51.162658]  n_tty_write+0x4fa/0xd40
> [   51.162710]  ? n_tty_read+0x1800/0x1800
> [   51.162730]  ? prepare_to_wait_exclusive+0x270/0x270
> [   51.162754]  ? __might_fault+0x175/0x1b0
> [   51.162783]  tty_write+0x42b/0x8d0
> [   51.162795]  ? n_tty_read+0x1800/0x1800
> [   51.162825]  ? tty_lookup_driver+0x450/0x450
> [   51.162848]  __vfs_write+0x7c/0x100
> [   51.162875]  vfs_write+0x1c9/0x510
> [   51.162901]  ksys_write+0xff/0x200
> [   51.162918]  ? __ia32_sys_read+0xb0/0xb0
> [   51.162940]  ? do_syscall_64+0x1a/0x520
> [   51.162957]  ? lockdep_hardirqs_on_prepare+0x379/0x540
> [   51.162984]  do_syscall_64+0xa1/0x520
> [   51.163008]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
> 
> After vgacon_set_origin() is called in set_origin(), the vc_origin is
> set to vga_vram_base, the vc_pos should between vga_vram_base and
> vga_vram_end. But we still use vc_screenbuf_size, if the vga_vram_size
> is smaller than vc_screenbuf_size, vc_pos may be out of bound, using it
> will cause a use-after-free(or out-of-bounds). Fix this by calling
> vc_resize() if vga_vram_size is smaller than vc_screenbuf_size.
> 
> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
> ---
>  drivers/video/console/vgacon.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c
> index b51ffb9a208d..2eabb86bb0dd 100644
> --- a/drivers/video/console/vgacon.c
> +++ b/drivers/video/console/vgacon.c
> @@ -1341,6 +1341,9 @@ static int vgacon_set_origin(struct vc_data *c)
>  	if (vga_is_gfx ||	/* We don't play origin tricks in graphic modes */
>  	    (console_blanked && !vga_palette_blanked))	/* Nor we write to blanked screens */
>  		return 0;
> +
> +	if (c->vc_screenbuf_size > vga_vram_size)
> +		vc_resize(c, screen_info.orig_video_cols, screen_info.orig_video_lines);
>  	c->vc_origin = c->vc_visible_origin = vga_vram_base;
>  	vga_set_mem_top(c);
>  	vga_rolled_over = 0;
> -- 
> 2.25.1
> 
> _______________________________________________
> dri-devel mailing list
> dri-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/dri-devel

[PATCH resend] vgacon: fix a UAF in do_update_region()

[Yang Yingliang]

I got a UAF report in do_update_region() when I doing fuzz test.

[   51.161905] BUG: KASAN: use-after-free in do_update_region+0x579/0x600
[   51.161918] Read of size 2 at addr ffff888000100000 by task test/295

[   51.161957] CPU: 2 PID: 295 Comm: test Not tainted 5.7.0+ #975
[   51.161969] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[   51.161976] Call Trace:
[   51.162001]  dump_stack+0xc6/0x11e
[   51.162019]  ? do_update_region+0x579/0x600
[   51.162047]  print_address_description.constprop.6+0x1a/0x220
[   51.162083]  ? vprintk_func+0x66/0xed
[   51.162100]  ? do_update_region+0x579/0x600
[   51.162112]  ? do_update_region+0x579/0x600
[   51.162128]  kasan_report.cold.9+0x37/0x7c
[   51.162151]  ? do_update_region+0x579/0x600
[   51.162173]  do_update_region+0x579/0x600
[   51.162207]  ? con_get_trans_old+0x230/0x230
[   51.162229]  ? retint_kernel+0x10/0x10
[   51.162278]  csi_J+0x557/0xa00
[   51.162307]  do_con_trol+0x49af/0x5cc0
[   51.162330]  ? lock_downgrade+0x720/0x720
[   51.162347]  ? reset_palette+0x1b0/0x1b0
[   51.162369]  ? lockdep_hardirqs_on_prepare+0x379/0x540
[   51.162393]  ? notifier_call_chain+0x11b/0x160
[   51.162438]  do_con_write.part.24+0xb0a/0x1a30
[   51.162501]  ? do_con_trol+0x5cc0/0x5cc0
[   51.162522]  ? console_unlock+0x7b8/0xb00
[   51.162555]  ? __mutex_unlock_slowpath+0xd4/0x670
[   51.162574]  ? this_tty+0xe0/0xe0
[   51.162589]  ? console_unlock+0x559/0xb00
[   51.162605]  ? wait_for_completion+0x260/0x260
[   51.162638]  con_write+0x31/0xb0
[   51.162658]  n_tty_write+0x4fa/0xd40
[   51.162710]  ? n_tty_read+0x1800/0x1800
[   51.162730]  ? prepare_to_wait_exclusive+0x270/0x270
[   51.162754]  ? __might_fault+0x175/0x1b0
[   51.162783]  tty_write+0x42b/0x8d0
[   51.162795]  ? n_tty_read+0x1800/0x1800
[   51.162825]  ? tty_lookup_driver+0x450/0x450
[   51.162848]  __vfs_write+0x7c/0x100
[   51.162875]  vfs_write+0x1c9/0x510
[   51.162901]  ksys_write+0xff/0x200
[   51.162918]  ? __ia32_sys_read+0xb0/0xb0
[   51.162940]  ? do_syscall_64+0x1a/0x520
[   51.162957]  ? lockdep_hardirqs_on_prepare+0x379/0x540
[   51.162984]  do_syscall_64+0xa1/0x520
[   51.163008]  entry_SYSCALL_64_after_hwframe+0x49/0xb3

After vgacon_set_origin() is called in set_origin(), the vc_origin is
set to vga_vram_base, the vc_pos should between vga_vram_base and
vga_vram_end. But we still use vc_screenbuf_size, if the vga_vram_size
is smaller than vc_screenbuf_size, vc_pos may be out of bound, using it
will cause a use-after-free(or out-of-bounds). Fix this by calling
vc_resize() if vga_vram_size is smaller than vc_screenbuf_size.

Signed-off-by: Yang Yingliang<yangyingliang@huawei.com>
---
  drivers/video/console/vgacon.c | 3 +++
  1 file changed, 3 insertions(+)

diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c
index 998b0de..2ee3d62 100644
--- a/drivers/video/console/vgacon.c
+++ b/drivers/video/console/vgacon.c
@@ -1336,6 +1336,9 @@ static int vgacon_set_origin(struct vc_data *c)
  	if (vga_is_gfx ||	/* We don't play origin tricks in graphic modes */
  	    (console_blanked && !vga_palette_blanked))	/* Nor we write to blanked screens */
  		return 0;
+
+	if (c->vc_screenbuf_size > vga_vram_size)
+		vc_resize(c, screen_info.orig_video_cols, screen_info.orig_video_lines);
  	c->vc_origin = c->vc_visible_origin = vga_vram_base;
  	vga_set_mem_top(c);
  	vga_rolled_over = 0;

Re: [PATCH resend] vgacon: fix a UAF in do_update_region()

[Yang Yingliang]

C reproducer:

// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <endian.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

static long syz_open_dev(volatile long a0, volatile long a1, volatile 
long a2)
{
     if (a0 == 0xc || a0 == 0xb) {
         char buf[128];
         sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", 
(uint8_t)a1, (uint8_t)a2);
         return open(buf, O_RDWR, 0);
     } else {
         char buf[1024];
         char* hash;
strncpy(buf, (char*)a0, sizeof(buf) - 1);
         buf[sizeof(buf) - 1] = 0;
         while ((hash = strchr(buf, '#'))) {
             *hash = '0' + (char)(a1 % 10);
             a1 /= 10;
         }
         return open(buf, a2, 0);
     }
}

uint64_t r[4] = {0xffffffffffffffff, 0xffffffffffffffff, 
0xffffffffffffffff, 0xffffffffffffffff};

int main(void)
{
         syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x32ul, -1, 0);
                 intptr_t res = 0;
     res = syz_open_dev(0xc, 4, 1);
     if (res != -1)
         r[0] = res;
     syscall(__NR_ioctl, r[0], 0x4b3aul, 1ul);
     res = syz_open_dev(0xc, 4, 1);
     if (res != -1)
         r[1] = res;
*(uint16_t*)0x20000000 = 0x4d;
*(uint16_t*)0x20000002 = 0x1000;
*(uint16_t*)0x20000004 = 0xf1;
     syscall(__NR_ioctl, r[1], 0x5609ul, 0x20000000ul);
     res = syz_open_dev(0xc, 4, 1);
     if (res != -1)
         r[2] = res;
     syscall(__NR_ioctl, r[2], 0x4b3aul, 0ul);
     res = syz_open_dev(0xc, 4, 1);
     if (res != -1)
         r[3] = res;
*(uint8_t*)0x20000840 = 0x7f;
*(uint8_t*)0x20000841 = 0x45;
*(uint8_t*)0x20000842 = 0x4c;
*(uint8_t*)0x20000843 = 0x46;
*(uint8_t*)0x20000844 = 5;
*(uint8_t*)0x20000845 = 6;
*(uint8_t*)0x20000846 = 5;
*(uint8_t*)0x20000847 = 9;
*(uint64_t*)0x20000848 = 0xfffffffffffffffa;
*(uint16_t*)0x20000850 = 3;
*(uint16_t*)0x20000852 = 3;
*(uint32_t*)0x20000854 = 0x117;
*(uint32_t*)0x20000858 = 0x45;
*(uint32_t*)0x2000085c = 0x38;
*(uint32_t*)0x20000860 = 0x1df;
*(uint32_t*)0x20000864 = 5;
*(uint16_t*)0x20000868 = 4;
*(uint16_t*)0x2000086a = 0x20;
*(uint16_t*)0x2000086c = 2;
*(uint16_t*)0x2000086e = 0x1ff;
*(uint16_t*)0x20000870 = 0x55;
*(uint16_t*)0x20000872 = 0xfffb;
*(uint32_t*)0x20000878 = 4;
*(uint32_t*)0x2000087c = 4;
*(uint32_t*)0x20000880 = 4;
*(uint32_t*)0x20000884 = 1;
*(uint32_t*)0x20000888 = 1;
*(uint32_t*)0x2000088c = 3;
*(uint32_t*)0x20000890 = 7;
*(uint32_t*)0x20000894 = 0xfff;
*(uint32_t*)0x20000898 = 3;
*(uint32_t*)0x2000089c = 5;
*(uint32_t*)0x200008a0 = 3;
*(uint32_t*)0x200008a4 = 1;
*(uint32_t*)0x200008a8 = 0x3f;
*(uint32_t*)0x200008ac = 0x200;
*(uint32_t*)0x200008b0 = 4;
*(uint32_t*)0x200008b4 = 7;
memcpy((void*)0x200008b8, 
"\x8b\x9f\xd8\xbb\x23\x11\x17\xf4\xeb\xa2\x19\x08\xb0\xe4\xe5\xe9\x98\x81\x1b\x24\x48\xaa\xfd\x8c\x01\x15\xeb\xa2\xf6\x28\x38\xd9\xa4\xd3\x4f\xfc\x91\x7c\x66\x3e\xb0\xbf\xe0\x18\x15\xd4\xe2\x33\x5f\x2b\x09\x27\x4c\x9c\x46\x94\xae\xcd\x39\x27\xd9\x73\xf7\xfb\xb5\x31\xe9\xef\x67\x1c\xd2\x35\x0c\x03\x71\xca\xec\x86\x38\x8a\xf1\xce\xb3\x3d\xc6\x06\x43\xb9\x04\xe4\x40\x91\x0d\xf3\xc9\x97\xcf\xc2\x01\x2b\x20\xa1\x90\x65\x37\xef\x89\xca\xde\x7b\xb1\x51\x41\xc8\xe9\x97\x68\x93\x46\xe7\x1c\x49\x99\x7f\xcd\xb8\x6a\x0e\x5b\x99\xe2\x0a\xaf\x61\x3c\x07\xac\x58\x73\xc1\x9e\x10\xda\x89\x25\xeb\x77\x62\x38\x8c\xca\x50\x93\x68\x72\x53\x32\xb7\xee\xb8\x53\x2b\x32\x99\xce\x87\xe4\xcf\x1f\x57\x2a\xa9\x8c\x1b\x0f\x0b\x48\xcd\x46\x00\xab\xad\xd8\x95\xe8\xb6\x71\xb0\x47\x05\x86\x94\x5c\x4f\x88\x35\x1e\xe7\xf7\x9e\xbc\x3f\x86\xa8\x14\xbf\xe8\xbe\x20\xb1\xd0\x31\x05\x84\x8d\xce\xea\x90\xca\x8d\xd4\x2e\xbb\x57\xdc\xb7\xae\x18\x2d\x07\x79\x6a\x85\xa0\x57\x01\xff\x0f\x13\xfe\x9e\xeb\xf1\x8c\xc7\xd0\x8e\x68\xe5\
 x84\xfd\x39\x0e\x16\x77\xea\x00\x6f\x71\x94\x1b\xfc\xd5\x98\xf7\xea\x68\xbd\xd3\x8d\xbd\x39\x48\x9f\xd6\x0a\x2f\x95\x04\x28\x81\xf6\x70\xb9\xe4\xde\x90\x92\xd2\x98\xf1\x0b\x36\x27\x65\x7f\x59\xf3\xef\x43\x73\xc5\x24\x69\x05\xc0\x24\x41\x31\xc5\x93\x40\x00\x13\xbf\x5f\x66\xfb\xf6\x26\xd8\xb9\xdf\x58\xf1\xc6\x7d\x35\xcb\xbb\x8d\x28\x53\x73\xb5\xc1\x0e\x24\xab\x76\xbe\x12\x58\xfb\xd3\x66\xa7\x3b\xad\x89\x9f\xb5\x49\x5d\x8d\x3b\x29\xfd\x4e\xa2\xa8\xda\xe6\xf7\xb8\x24\x5c\x6c\x50\x40\xdb\x9e\x14\x6a\xe3\x00\x59\xee\x55\x44\x1f\x45\xcf\x37\x91\xeb\xc9\xc2\x63\xec\x18\x30\x89\x85\x00\x79\xaf\x65\xc6\xa9\x90\x04\x5e\x68\x5c\xf5\xc0\x9f\xe2\xf1\x85\xcd\xb3\xa7\x83\xb3\x85\xb0\x29\x24\x27\xf4\xbe\x72\xbd\xe3\x07\x8d\x25\x6b\x63\x58\xb7\xce\x71\xb8\x76\x09\x9d\xd0\xec\x94\x4c\x72\xa0\x17\x82\x83\x26\xee\x81\xbe\x0c\xff\x70\x16\x38\x48\xf4\x3e\xdb\xe0\x9f\x6b\x88\x95\xb2\xb6\xb7\x76\x19\xee\xa0\x91\x11\xd5\xb3\xc4\x2e\x5e\x9e\xc4\x62\x7b\xf7\x28\x14\xf9\x0a\xf0\x2b\x5c\x23\x41\x39\x3f\x38\x12\x
 e2\xf1\xa1\x70\xa6\x6b\xc8\x44\xd9\x2b\x02\x64\x69\x21\x44\x4d\xd8\x50\x0d\xf7\x01\xb2\xb0\x6a\x43\x25\x74\x78\x18\x72\x30\x42\x5e\x36\x4c\x65\x3d\xee\x51\xda\xc2\x55\x93\x65\x5b\xb4\x92\x3b\xf9\x00\x2c\x6e\x18\x04\xe8\x1b\x40\x9a\x57\x7e\xfb\x3f\xef\x89\xce\xe9\x8e\xa4\xc1\x5b\x63\xec\x26\xe6\x10\x2e\x69\x25\x84\x77\x97\xb2\xfb\x87\x0b\x11\x27\xdb\xd3\xd4\x7f\x5e\x9e\x33\x2e\xd3\xb2\x9b\x22\xeb\x29\xeb\x36\x61\xc2\xd0\x22\xaf\x79\x40\x61\xe7\xdf\xce\x88\xd6\x06\x43\x9d\xec\x6f\x57\x20\x92\x73\x38\x37\x65\x81\xd6\xe6\x27\x8a\x50\xb8\x93\x7c\xdc\x1f\xf0\xfe\x01\x3f\x9f\x3c\x6c\x1b\x7a\xa8\x93\xbf\x3a\x06\x6a\x18\x02\x79\x2f\x62\x9b\x12\x16\x5f\xaa\x80\xc7\xfe\xc2\xad\xd9\xec\xa6\x61\x7c\xda\x79\xf3\xc5\x85\x2f\x2b\xcd\xa2\x53\xbc\x71\x54\xeb\x32\x75\x82\x38\xed\xf0\x2a\x6a\xad\xc2\x56\xfe\x75\x14\x81\xee\x03\x32\x1a\xb8\xf9\x92\x5a\x06\x6f\xd4\xc0\x76\x5f\x2b\xee\x51\x68\xc4\x4c\x0f\x86\xe9\x51\x53\xe7\x8d\x60\xd2\xc8\xc2\xf7\x45\xee\xfa\x04\x6b\xa0\x61\x18\xf4\x7d\xc5\x46\x13\x52\xb
 0\xe6\x8d\x4e\x53\x49\x16\x26\x9a\x07\xc1\x78\xa8\x61\x7d\x43\x5e\x14\x12\xf9\x8d\x6b\x6b\xac\xb1\x78\x86\x3f\xc6\xc2\xf2\xee\x65\x47\x12\x6f\xb2\xef\x8a\x4d\x83\xfd\xe6\x8c\xe9\x69\x22\x1b\x8b\x2b\xfa\x0d\x75\xc1\xb9\x77\x7d\x1e\x44\x03\xfa\x2e\xd8\x82\xd7\x15\x7b\x24\x7b\x65\x62\x6d\xff\x84\xba\x3c\x02\x95\xb3\xa9\x15\xc9\x12\xd5\xd7\xf7\x9d\xa1\xfc\xf0\x08\x0e\x47\xfb\xbb\xed\x26\xf5\x23\x2d\x07\x11\x76\x04\x5e\x82\x89\xef\xf0\x95\x24\x15\xe2\xeb\xf6\x49\x9e\xa2\x9f\x67\xce\x97\xf8\x84\x21\xd6\x9f\x1f\x95\x5d\xe0\xe8\xc2\xe0\x37\xf2\x0f\x64\x8c\xfe\x88\x3a\x0d\xa6\x54\x36\xb0\x24\x45\xd0\x29\x70\xb8\xfd\x4b\xa6\xe3\x44\xa8\xd7\xef\xa2\x43\x5a\x04\xc1\x64\xe1\x6d\x32\xae\xbb\xa9\xa6\x7e\x9a\x6d\x66\x0f\x29\x51\xe8\x42\xf4\x03\xdd\xdc\xe0\x4c\x82\x8b\xeb\x00\x4d\xa1\x68\x6f\xa0\x85\xf0\xb2\xd7\xdd\x2a\xfe\x33\x49\x8f\x69\xfa\xf3\xa0\x7c\xd2\x10\x74\x16\xed\x79\x0d\x56\x9c\x3d\xf5\x2d\x39\xde\x5b\x53\x72\xf5\x57\x0e\xfc\x3d\x06\xc9\xc3\x15\xba\x7f\x70\xbe\x89\xfa\xaf\x16\xd1\xea\xd5
 \x6a\x84\x71\x12\x60\x4b\x77\x28\xbe\xee\x7e\xff\x62\xd4\xfc\x56\xd8\x93\x60\xb7\xcb\xe1\x05\x57\x69\x41\xd3\x04\x73\x3a\x4e\x8f\xc5\x34\x36\x8b\x69\x0a\x69\xca\x77\x6a\xb1\x5b\xdc\x24\x22\xbb\x16\x56\x2b\x5b\x0f\x65\x8f\x7d\xc9\x95\x96\xa1\x70\x48\x5a\x83\x6e\xfc\xc5\x32\x5e\x61\xf6\x6b\xca\x65\x96\x0a\x73\x6f\x2f\xf3\x38\x33\xa4\x8c\x40\xae\x36\x9c\x43\xda\xc3\x40\xc8\xdd\x64\x27\x99\xb3\x47\xf3\xc1\x0f\xcd\x57\x03\x52\x0e\xea\xd9\x8f\x43\x6c\x97\x73\xd6\x8c\xd5\xe7\xf0\x8a\x5f\x44\x71\x55\xe9\xc6\x11\x56\x83\x3b\xa0\x5a\xd9\x49\x89\x5b\x04\x69\x7a\xe0\x00\xd6\xb4\x33\xd5\xe7\xd6\xfc\x99\xf5\xb2\xfb\xb9\x95\x7a\xfd\xd9\x37\x1f\x7e\x7d\x91\xe7\xa4\x7b\xa8\xfe\xd2\x32\xf0\x14\xcf\x9f\x12\xff\x5c\xbf\xa7\x0a\xd0\x6a\x8e\xe7\x1d\x0b\x69\xdf\x7b\x58\x17\xdc\xf4\x3d\xc0\xe2\x84\x7a\x53\x19\xcc\x04\x42\x57\x24\x9b\xdd\x16\xef\x06\xc8\x17\xad\x44\x5b\x0e\xaf\xc6\xe2\xca\x57\x80\x54\x78\x88\xde\x21\xc8\xeb\xa3\xa1\xaf\xfc\x6d\x2b\xd8\xe1\x54\xe6\x5a\x3e\x78\xc9\xc6\xe9\x19\x19\x14\x1e\x38\
 xdf\x9a\xf3\xae\x62\x72\x88\xa5\xd0\xc6\x04\xca\x80\xd3\x82\xe9\xed\xec\x95\xc2\x2c\x30\x95\x56\x31\x82\x34\xbf\x39\x38\x1e\x89\x3a\xc9\xf8\xf3\x28\x59\x2c\x82\xa5\x36\xb3\x73\x3c\x35\xf1\x8a\xde\xc3\x0b\xf1\x63\x65\xb8\x3d\x87\x8b\x34\x01\x7d\x8b\x57\xcd\xa9\x85\x69\x55\x6f\x7e\x29\x2a\xeb\x16\xa1\xba\x3a\x53\xe1\xe6\x8e\xe2\xa5\x27\x59\x9a\xae\x6b\xfb\x5c\x97\xfa\x20\x58\x3c\x5a\xc5\x6a\x01\xaa\xd4\x88\x23\x71\xfd\x79\xb8\xde\xf1\x94\xc4\xea\x97\x23\xd9\x67\x63\xe4\x26\xa0\x41\x15\xc4\x37\x1f\x24\xdf\x50\x90\xbd\x79\x96\x8b\x07\xc9\xab\x5e\x36\xc9\x7a\x3b\x2e\x02\xfa\x12\x34\xfb\xa2\x6d\xc4\xf7\xe3\x6d\xa4\xc2\x75\x65\x75\x83\x68\x79\x2a\x33\x57\x7e\xf5\xf9\x37\xd0\x16\xae\x7e\x71\x0a\x2e\x20\x34\xfb\xdc\x6a\xd9\xbc\xda\xbb\x80\x27\x9a\x4d\x91\x72\x10\xa8\x09\xe7\xb1\x70\x9b\x03\x07\x6b\x06\xa3\xc5\xbd\x90\x84\x0a\x4b\x13\x7a\x55\x80\xb7\x99\x65\xe4\x2d\x55\x07\x99\x5c\x3f\x10\x15\xa3\xe5\xf7\x8c\x69\x74\x0f\x73\x28\x9e\xb7\xcd\xda\xb9\xee\x98\x88\xc2\x01\x4a\x8f\xb9\x04\x87\x67\x
 5c\xd6\x91\xf7\xd8\x60\x21\xb3\xfc\x01\x52\x0c\xe4\xa6\xe4\x5c\x0d\x6e\xc1\x08\xbc\x57\x78\x3c\xa0\xff\xd4\x1c\x94\x21\x44\x4e\x77\x45\x9e\x37\xe7\xe2\xab\x3b\xd6\x2e\x89\xc5\x09\x0d\x76\xa2\xb4\x0e\x1f\xc0\x87\xda\x87\xf9\xda\x4f\xe8\xa5\x00\x37\x57\x80\xd9\x80\x43\xdd\x37\x28\x92\x06\xb1\xd3\x80\x08\x51\xde\xc6\x93\x24\xc8\x29\x2f\xb7\x69\xb2\x21\x1b\x7b\xc0\x63\x6b\xbb\x2f\xf4\xae\x2c\x5c\x3a\xab\x11\x6a\xe0\x3e\xf8\x77\x12\x2f\x05\x33\xdc\x0d\xbd\xe3\x71\x49\x16\x2b\xd9\xc4\xcd\xd5\xa7\x2b\x60\xb7\xd1\xb5\x45\x99\xe4\x49\xfd\x05\xbe\x9b\x97\x14\xb5\xf2\xaa\x5b\xd6\xcd\x7e\xcf\xa0\xea\x9b\x4a\x01\xec\x9a\x9e\xb9\x46\x1e\x1f\xd7\xb9\x46\x2e\x0a\xb8\xf8\x98\x90\xb4\xa4\x44\xfd\xf0\x32\xf4\xa8\x9f\x02\x23\x6c\xd1\x3f\xe9\xfe\x83\x9e\xa2\x86\x71\x2d\x2c\xdb\x5c\x56\x5c\xb5\x0d\x4d\x08\xe3\x74\xc3\xba\xcf\x00\x55\x8e\x03\x73\xe8\xa9\x1a\xe8\x76\x63\xb6\xf3\xc1\x41\xb3\x08\x9b\x7b\x42\x92\x78\xac\xad\x1a\xe4\x4f\xbc\x68\x64\x1c\x91\x0d\x1d\xa1\x84\x88\x2f\x51\x23\xb7\x43\x79\x8f\x83\xe
 5\xce\x41\x9d\x4a\xf6\x49\x25\x38\xac\x80\xd6\x72\x83\x12\x86\x9c\x39\x69\x0d\x36\x96\x6e\x0b\xd8\x7f\x8f\xc9\x0a\x50\x35\x82\x9c\x14\x51\x69\xa3\x4d\xee\x2c\x78\xfd\xa8\x26\xc8\xc1\x57\xb8\xf8\x16\xb0\x10\xd1\xe1\x26\xd3\xf1\x99\xb8\x04\xec\x24\x03\x5f\x72\x0b\xa0\xb5\x10\xd5\x8d\x50\xf9\x6a\x2e\x70\x4d\xbc\x51\x51\x5a\xa4\x60\x2e\xdf\x59\x1f\x6c\x7c\x21\xf2\xd9\xa4\x54\x6a\xe7\x05\xba\xda\x46\xc9\xa8\x8d\x7d\x3d\xe2\x3e\x4d\xef\x48\x4d\x14\xca\xdd\x33\xec\x11\x8c\xf6\xf8\x78\xad\x2f\xbc\x95\xff\x56\x76\x00\x25\xa8\xa7\x85\x36\xb6\x10\xcc\xf7\x1b\x90\xd2\x50\xf5\xd1\xb8\xf5\x2f\xd3\xad\x06\xed\x85\x29\x82\xce\xd5\xd3\xdc\xc9\xca\x8d\xfa\x7a\x6e\x30\x31\xe6\x0b\xce\xfc\x5a\xf7\xb7\x44\xd0\x6b\x41\x09\x1c\xe2\x70\x09\x36\x79\x74\x81\x82\xeb\x9e\x86\x7a\x35\xdb\xfd\xde\xab\x5b\x2e\x51\x40\x99\x23\x7c\xa8\x2b\x05\x54\x00\x2d\x73\x2a\xaa\xe3\x2b\xa5\x93\x3b\x47\xf0\x79\xf8\xe4\x2c\xbd\xdc\x26\x9f\xf6\xa0\x97\xa3\xc8\xaa\x08\xce\xfa\x39\x06\x21\x30\x8a\x4c\x49\x7d\xb3\xf9\xb2\x0c\x0d\xb3
 \xda\xb0\x14\xf6\x83\xb7\x0b\xd1\xe1\x89\xf1\x8b\x45\x47\xfe\x95\xc6\xa7\x20\xbc\xa4\xc2\xdb\x64\xc3\x3a\xd4\x1a\x0c\xf7\xa3\xa9\xb6\xae\xf6\xa6\x7e\xee\xf1\x75\xf6\x43\xc9\xb6\xbd\x08\x58\x69\xf1\xa0\x71\x13\x38\xe7\xf2\x38\x18\x59\xd5\xaa\xf0\xb3\xe9\x08\x81\xb3\x71\xdb\x3b\xad\x38\xb0\xb0\x16\xf5\xfe\x37\x2e\x6d\x4e\xd8\xc9\x1a\x8f\x09\xfb\xec\xdc\x80\xaf\x28\x39\x74\x45\x1d\xd4\x23\x1c\x08\xd6\x7f\x52\x9b\xea\x5d\x65\xb5\x46\xb5\xf6\xfe\x73\xfa\x52\xfa\x58\x50\x6c\x3a\x11\x9f\x81\x2b\x25\xb6\xfb\x3e\x45\x9e\x96\xc6\x2c\xe9\x4c\xe8\xe6\x71\x54\x30\x60\x03\x3b\x97\xb0\x94\x11\x67\xd0\xd6\x85\x00\xc6\x2e\xb5\x1d\x28\xeb\xc4\x30\x8c\x7e\xf5\x17\xcc\x2b\x44\xb9\x5d\xf6\x66\x2a\x2e\xe0\x6d\xc8\x06\xb9\xf6\x67\xd9\x8d\x9d\x4a\x96\x4c\x59\x34\xc3\x56\xaf\x34\xfd\xb3\xc4\xaa\xd8\x60\x4b\x2c\xa5\x75\xd8\x12\x65\xb7\x63\xd5\xae\x2c\x93\x56\x7f\xc5\x73\xad\xee\x2d\xe3\xdf\x38\x3b\x0e\x24\x0b\x6c\x92\xd4\x04\xc9\x21\xd5\xd5\x9e\x8b\x61\xb5\xe1\xeb\x2d\x1f\x90\xed\x7f\xb6\x80\xc3\xd1\x91\x19\
 x49\x51\x77\x64\x22\x97\x4a\xf2\x69\x45\x3b\xf3\xbc\xcf\x43\x92\x67\x9d\x8b\xb2\xf8\x3a\x17\x6c\xd3\x48\xa4\xaa\x27\xfb\x09\xc2\x14\x7d\x99\x2a\x48\x6b\x6a\x66\x05\x90\x1f\x40\x43\x65\x62\xd5\xf1\x66\xaf\x76\x63\x53\x59\xb7\x04\xb7\xda\x1b\x42\xa9\xc0\x76\x4c\xd1\xcc\x2a\xa6\xb2\x73\x51\x68\x04\x28\x07\xfa\x28\xa6\x40\xb3\xd5\x18\x3d\x68\x60\x96\x23\x66\x03\x2d\x44\xa0\xc9\xca\xbe\xcd\xb7\x79\x87\x66\x7f\x90\x05\x1b\x42\xaa\x13\xef\xc9\x2e\x79\xcb\xa6\x71\x5e\xad\xf1\x9d\xaa\x95\xa0\x1a\x5c\x1c\x8c\x04\xf8\x94\xfb\x23\x51\x8d\x75\x8d\x3d\x04\xa3\x2f\xda\xec\x81\x8c\x7b\x43\xce\x19\x51\x2e\xf9\xe7\x6c\x66\x57\x1e\xe4\xe2\x62\x99\xf7\x43\x35\x57\x33\xf5\xd5\x4f\xb4\x81\x36\x6b\x30\x48\x90\xa1\x7b\x3f\x8b\xab\x79\xe4\x2e\x5e\xfc\xcc\xb2\x68\x1d\x86\xe9\x19\x8c\xd5\xc0\x4a\x9a\x5c\x8f\xba\xe0\x5e\x4a\xd2\xc0\x92\x58\x25\xdd\x15\x01\xc1\x40\x93\x91\x73\x4b\xa2\x0d\xf8\xec\x2a\x29\x5f\x91\x87\x65\x08\x5d\x30\x10\x05\x6a\xc1\x93\xac\xf6\xc6\x98\x55\x95\xb2\x1a\x95\x48\x08\x05\x40\x9b\x3f\x
 e3\xc9\xd6\x81\x17\x05\xa8\x4c\x92\x4f\x3b\x0a\x6d\xfb\xf5\x63\xca\x48\x80\x0d\xbe\x4c\xff\x49\x7b\x37\x82\x33\x1e\xf2\x42\xaa\xae\x15\xa6\x34\xc6\xeb\x26\x03\x70\xd3\x04\x26\x79\xbc\x03\x0b\x5a\xc3\xda\x86\x25\xda\xb5\x1d\x42\xcf\xda\xc4\x6c\xe7\x13\x92\x0b\xe4\x1f\x6e\xb6\x90\x0c\xb9\x1d\x0c\x43\xb1\xaa\x43\xd2\xaf\xe9\xe3\x97\xf7\x69\x48\xb7\x17\xe3\x75\x94\xd4\xaf\x80\x6d\x8b\x6f\x25\x59\x92\x47\x71\x24\xf4\xac\x87\x24\x4b\x1c\x3b\x46\x37\x5c\x86\xe5\x50\x71\xab\x54\xaf\x58\xfd\xc1\x85\xfb\x45\x37\x26\xd8\xe7\x6d\xee\x53\x8d\x68\x4d\xe5\xb3\x69\x02\x57\xa8\x4c\xa1\x3c\x1f\x09\x4d\x92\x82\x48\xc1\x4b\xb9\x2c\xaa\xf7\x67\x2e\xaf\x18\xdb\x16\xcd\x24\x99\xe5\x51\xed\xbe\xcd\x3a\x37\x7b\x9b\xdd\x42\x93\xcb\x1d\x92\x13\xaf\xec\x42\x6c\x85\xa0\x43\xad\x18\xce\x11\x3f\x66\x1c\x24\x11\x51\xa4\x79\x00\xf0\x96\xb8\x52\x7b\x05\xa2\x32\xbb\xb9\x70\x47\x7f\x41\x1b\x76\x40\x98\xd0\x89\x0d\xdb\xb6\x9b\x3f\xfb\xa4\xf7\xa6\x08\x3b\xb8\xbd\x7f\xd9\x30\x09\x12\xcf\xf7\x44\xd5\x11\x9b\xb4\xc1\xe7\x6
 9\x44\xf4\xe0\xa5\x17\xd2\x92\x69\x32\xf7\x8c\xc7\x0b\xb3\xdb\x05\x5a\x78\x95\x83\x36\xb3\x0c\x0e\x0e\x8f\xdf\x0d\x6c\xd3\x7a\x72\xbd\x03\x11\x26\xf2\x5d\x3c\x57\xe5\xca\xa3\x0a\xa5\x34\x0d\xd1\xe7\xb7\x30\xd1\xb7\xed\x83\x0f\x61\xd2\xd9\x3b\xc4\x38\x68\x28\x36\xda\xd5\xa6\x50\x59\x8a\x1f\x36\x87\x75\x52\xbe\x94\x55\x7d\xdd\xfe\xcf\xd8\x7a\xe7\x96\xd4\x06\xf5\x43\x54\x1c\x6e\x6e\xfe\xf8\x70\xd1\x3b\x31\x51\x66\x69\xa7\x69\x89\x83\x91\x08\x8e\x48\x97\x2b\x1f\xa2\xe9\xb2\xc6\x62\xe1\x28\xd6\xda\xd8\xc1\x7f\x5f\x7f\x5f\x62\x88\x0e\x8f\xdc\x07\xae\xe1\x59\x33\xbf\xd2\x49\x83\x45\x2c\xef\x62\x4b\xc8\x45\x18\x2a\xd2\x51\x29\x7f\xcf\xfd\x5c\x16\xbd\x5b\x0e\xac\x03\x7b\x58\x62\xb2\x0e\x08\xce\x1a\x8d\x75\x5f\xde\x1d\x49\xcf\x32\xd8\x1f\xd6\x3f\x74\x65\x4d\xba\x69\x2b\x27\x2d\xd1\x5a\xe1\x9e\x0b\x87\x33\x95\xe8\x50\xe0\x66\x66\xc9\xd3\x04\x31\x49\xc9\x5b\x79\x24\x2f\x2f\x4a\x9d\xdc\xf7\x16\xd7\xae\xe1\x34\x63\xe8\x1c\x1f\xff\x4e\x47\xbe\x68\xdb\x7a\x65\x6c\x04\xb6\x26\x0d\x8d\xb0\x0b\x90\x87
 \xc0\x87\x20\x3a\x74\x21\x8c\xe6\xb7\x67\x45\x97\x60\x30\xb3\xd9\xa7\x6e\x08\xde\xe9\x19\x1a\x5e\x19\x44\x95\x26\x4d\x3d\xc2\xb1\xc3\x98\x08\x06\x96\x5f\x54\xea\x88\xd7\x92\x50\xe8\x1c\x2a\x94\xf7\xa9\x6b\xe3\x2c\x1d\x15\xcf\x4c\xbe\xf1\x85\x3d\x30\xfd\xea\x3d\xef\x80\x20\xa6\xf6\x4e\x64\x79\x2a\x7c\x74\xc4\xe5\x70\x3a\x8a\x32\x6b\xc2\x2a\x41\xc6\x58\x47\xdf\x3f\x68\xe4\x06\x81\xe5\xce\xdd\x0b\x05\xd8\x2a\x9e\x85\xe3\x3f\x6b\x18\x5e\xb1\x6c\x56\x1e\xfa\xec\xa1\xae\xbe\xa9\x09\x65\x6b\xc7\x9e\xfc\x9a\xe7\x76\x65\xb5\x89\xcc\x0c\x40\x11\x7b\xb5\x1d\x62\x4d\x98\xc8\x6c\x97\xa8\x14\xfc\xde\x48\x94\x84\x86\xf9\x1b\x66\x93\x68\x52\xb7\x8e\xd4\xbc\x0f\x51\x01\xa1\x23\x47\xb1\x14\x03\xf4\x56\xad\x64\x86\xe0\x63\x5e\xe3\x9c\xdc\x40\x0e\xc1\x00\x2e\xbe\x95\xe7\x13\x50\xcb\xfa\xc5\x20\xb2\x90\x21\x4a\x0f\x5e\x8b\xd4\x3e\x58\x31\xb2\x1d\xb0\x98\x59\xfa\x42\x8d\x76\x43\x69\x18\x92\x3e\x25\xf1\xd7\xa5\x40\x3c\xff\x39\x63\x27\x4e\xcf\x4a\x68\x70\xa1\x43\xe6\x13\x83\xbd\xb3\xea\xc2\xab\x7f\xda\x05\
 x8a\x81\x04\x24\x3b\x28\x4d\xe0\xca\x06\x2a\x27\x33\x91\x16\xfb\x1d\x55\xbd\xa6\x8c\x21\x5e\xac\x5a\x6d\x71\x28\x33\xef\xc7\x1d\x32\x03\x23\xda\xf3\xfc\xd1\x6c\xba\x1e\xf5\x21\x56\x9f\xbb\xa2\xc7\x5d\x64\x37\x8d\xa3\xdf\xd6\xd4\xe9\xac\x7f\x97\x4f\xeb\xa3\xdb\x52\x97\xf2\x1b\xd7\xe3\x05\x3e\x28\xad\xfe\xa2\x5e\xae\x9f\xd6\xcc\xcd\x3b\xd8\x6f\xf8\x8f\x35\x96\x89\x5b\x5e\xb4\xcd\x3d\xa9\x33\x8e\x43\xbb\x2a\x45\x4b\x25\xe6\x2d\xa9\x93\x85\xbb\x38\xec\xf6\x11\xfa\x4d\x38\x78\x72\x95\xe8\xbe\xe0\xde\x84\x17\x1b\x66\x75\x1e\x24\x6c\xbf\xfc\x36\x2c\x66\xbf\x1c\x20\x7b\xad\x1a\x8c\x5e\x25\xdb\x53\x7f\xb2\x1a\x70\x5a\xbd\xd9\xdd\x27\xc8\xac\x87\xd5\x4f\xd0\xa7\x29\x3f\x71\xe3\xd9\x34\x47\x71\xcb\x5f\x5b\x9f\x6c\xbf\x1e\x88\x88\x3e\x04\x27\x7a\xa3\xa7\x7f\x7e\x22\x16\x8a\x8e\xeb\x8b\x2b\xb3\x5a\xc9\x35\x80\xcd\x51\x9a\xd4\xb0\xdf\xfc\x32\x7f\x24\xff\x8e\x7c\xd9\x4e\x8c\xce\xaf\xfa\x27\x4d\x6a\xb1\x48\x3e\x9a\xa0\x3a\x5a\x88\xf8\x88\x59\xd9\x59\xc1\xed\xd9\xcc\x78\xa8\x6e\x46\xd3\xd3\x31\xd8\x
 00\x0e\x48\xbc\xa9\x54\x3e\x31\x95\x30\xb5\xba\x6d\xb8\x64\xac\x3c\x83\xe7\x1f\xc2\x3c\x35\x13\x36\x84\x80\x7d\x9d\xdb\x5c\xe9\x98\x21\xb8\x9d\x93\x6f\x34\x45\xed\x88\x95\xc5\x62\x61\xd2\x11\xa7\x28\xdb\x53\x5b\x1c\x99\x78\x13\xa1\x2f\x61\x27\x91\xb9\xbc\x9b\x84\x5b\xea\x29\xa3\xec\xec\x90\xb8\xdd\x5c\xbc\xd3\x2a\x73\xb1\xe1\xc2\x57\x45\x31\x20\x06\xc3\x6e\xb6\xf1\x69\x1f\xa1\x6e\x1a\xa3\x12\x6b\xa7\x14\xd5\xad\x64\x7c\xd8\xcc\x60\x30\x80\xb0\x6f\x0a\xaa\xe7\x45\x6b\x35\x83\x41\x94\xbe\xf7\x95\xd2\xb4\x54\x04\xd0\x46\xc4\xf2\x9f\x00\xce\x13\x44\x4f\xbc\xff\xfb\x11\x7a\x9c\x7f\x1e\x35\xc9\x0d\xee\xad\xb7\x5d\x3a\x4e\x01\xb7\xa5\xa1\x0f\x93\xdd\x31\xef\xc8\x6c\x0c\x11\x9b\x55\xd8\x3e\xbd\xa2\x9a\x90\x01\xb3\x28\x42\xa0\xf2\x28\xfc\x99\x35\x40\xe1\xb4\x72\xdc\xa6\x03\x75\x0d\xc9\x13\x3f\x9b\x07\x50\xc5\x9f\x6e\x57\x1b\x0f\x2c\x53\xcd\x45\x04\x61\x61\x82\xa3\xed\x9c\xf8\x81\xd2\x54\xb5\xd7\x2e\x8b\xfb\xa3\x3a\x1c\xa7\x9b\x2e\x19\x0b\x75\xf4\x31\x63\x1b\x98\x0e\xc0\x75\xdd\x6b\xcc\xff\xe
 1\x06\x07\x37\xe2\x6f\x84\xd6\xd1\xee\x5d\xe0\xba\x08\x3f\x5f\xe1\xfa\x25\xd4\xa8\x8f\x40\x2a\x01\xaf\x6c\x03\x5b\x68\x41\x25\xeb\xdd\x1a\x40\x4e\x1c\xc3\x90\xd8\x5f\x28\x2d\x83\x3d\x63\xd1\xcc\x6b\x93\xcd\x69\xd6\x21\x09\x4a\xb1\xda\xe7\xa3\xce\xbf\x19\x2b\xe1\xc7\x78\x80\x11\x6a\x6b\xa1\x6a\x69\xc9\x9f\x86\xb2\x0a\x51\xc7\x20\x38\xcc\xd2\xf5\xbc\xd5\xe8\x83\x39\xf8\xee\x55\x5c\x32\xfb\xc3\x6f\x40\x90\xde\x5e\x74\x8d\x41\x31\x4a\xbb\xa1\x0b\xe7\xa9\xdf\x3f\x4a\xe9\xa8\x98\x42\xd7\xa3\x82\xa2\x31\x2b\x6a\x0a\x08\xfa\x2a\x0d\x8a\xed\x22\x98\x3e\x9a\xaf\x63\x9d\x38\xa6\x1b\x88\xba\xc9\x01\x8d\xd2\x49\x26\x26\xe5\x7f\x94\x66\x5d\x32\x4b\xd1\xf3\x9c\xd5\xd0\xfa\x26\x1b\x16\x6d\x20\x6c\xe8\x40\x44\xa9\x79\x12\x32\x07\xf6\xce\x4e\x0d\x36\x3b\xe0\x8f\x9e\x38\xd9\x4d\x73\xc5\xd1\xce\xf2\x38\x23\xeb\x60\x67\xf5\x7f\x4a\x26\xb7\x3f\x55\x5f\x86\x2d\xda\x59\x09\x50\x97\xfb\xc9\x02\x00\x36\xad\x01\x9e\xfe\x18\xe0\xec\x04\xce\x0d\x32\x52\x5d\x20\xc8\xd6\xa0\xc8\x59\x5c\xf4\xb8\xfe\xbb\x75\xf3\x4f
 \x07\xa9\xbe\xc6\x7b\xcc\x76\x82\x99\xbe\x8f\x64\x8c\x20\xf5\x76\x35\x88\x22\x64\x40\x1c\xcf\x88\x2f\x47\xa9\xc6\x49\xb8\x1d\x42\xba\xbc\x3b\x5a\x75\xfe\x7d\x69\x83\x64\xd9\xcf\x09\xe4\xd1\x80\x2e\x8f\x1a\xe6\xf7\x2c\xb0\x16\x91\x74\x0a\x84\x9c\x90\xe1\x72\x34\xd9\x0d\x80\x70\xe3\xf6\xcb\xfa\x0f\xa7\xb7\x62\xef\xb8\x45\xd9\x27\x52\x55\x16\xfd\xb4\xcc\x1b\x22\x00\x78\x9a\xc4\x44\xfb\x2c\x56\xa3\x6b\xfe\x5a\x79\x97\x9b\xf3\x69\xa5", 
4096);
*(uint64_t*)0x200018b8 = 0;
*(uint64_t*)0x200018c0 = 0;
*(uint64_t*)0x200018c8 = 0;
*(uint64_t*)0x200018d0 = 0;
*(uint64_t*)0x200018d8 = 0;
*(uint64_t*)0x200018e0 = 0;
*(uint64_t*)0x200018e8 = 0;
*(uint64_t*)0x200018f0 = 0;
*(uint64_t*)0x200018f8 = 0;
*(uint64_t*)0x20001900 = 0;
*(uint64_t*)0x20001908 = 0;
*(uint64_t*)0x20001910 = 0;
*(uint64_t*)0x20001918 = 0;
*(uint64_t*)0x20001920 = 0;
*(uint64_t*)0x20001928 = 0;
*(uint64_t*)0x20001930 = 0;
*(uint64_t*)0x20001938 = 0;
*(uint64_t*)0x20001940 = 0;
*(uint64_t*)0x20001948 = 0;
*(uint64_t*)0x20001950 = 0;
*(uint64_t*)0x20001958 = 0;
*(uint64_t*)0x20001960 = 0;
*(uint64_t*)0x20001968 = 0;
*(uint64_t*)0x20001970 = 0;
*(uint64_t*)0x20001978 = 0;
*(uint64_t*)0x20001980 = 0;
*(uint64_t*)0x20001988 = 0;
*(uint64_t*)0x20001990 = 0;
*(uint64_t*)0x20001998 = 0;
*(uint64_t*)0x200019a0 = 0;
*(uint64_t*)0x200019a8 = 0;
*(uint64_t*)0x200019b0 = 0;
*(uint64_t*)0x200019b8 = 0;
*(uint64_t*)0x200019c0 = 0;
*(uint64_t*)0x200019c8 = 0;
*(uint64_t*)0x200019d0 = 0;
*(uint64_t*)0x200019d8 = 0;
*(uint64_t*)0x200019e0 = 0;
*(uint64_t*)0x200019e8 = 0;
*(uint64_t*)0x200019f0 = 0;
*(uint64_t*)0x200019f8 = 0;
*(uint64_t*)0x20001a00 = 0;
*(uint64_t*)0x20001a08 = 0;
*(uint64_t*)0x20001a10 = 0;
*(uint64_t*)0x20001a18 = 0;
*(uint64_t*)0x20001a20 = 0;
*(uint64_t*)0x20001a28 = 0;
*(uint64_t*)0x20001a30 = 0;
*(uint64_t*)0x20001a38 = 0;
*(uint64_t*)0x20001a40 = 0;
*(uint64_t*)0x20001a48 = 0;
*(uint64_t*)0x20001a50 = 0;
*(uint64_t*)0x20001a58 = 0;
*(uint64_t*)0x20001a60 = 0;
*(uint64_t*)0x20001a68 = 0;
*(uint64_t*)0x20001a70 = 0;
*(uint64_t*)0x20001a78 = 0;
*(uint64_t*)0x20001a80 = 0;
*(uint64_t*)0x20001a88 = 0;
*(uint64_t*)0x20001a90 = 0;
*(uint64_t*)0x20001a98 = 0;
*(uint64_t*)0x20001aa0 = 0;
*(uint64_t*)0x20001aa8 = 0;
*(uint64_t*)0x20001ab0 = 0;
*(uint64_t*)0x20001ab8 = 0;
*(uint64_t*)0x20001ac0 = 0;
*(uint64_t*)0x20001ac8 = 0;
*(uint64_t*)0x20001ad0 = 0;
*(uint64_t*)0x20001ad8 = 0;
*(uint64_t*)0x20001ae0 = 0;
*(uint64_t*)0x20001ae8 = 0;
*(uint64_t*)0x20001af0 = 0;
*(uint64_t*)0x20001af8 = 0;
*(uint64_t*)0x20001b00 = 0;
*(uint64_t*)0x20001b08 = 0;
*(uint64_t*)0x20001b10 = 0;
*(uint64_t*)0x20001b18 = 0;
*(uint64_t*)0x20001b20 = 0;
*(uint64_t*)0x20001b28 = 0;
*(uint64_t*)0x20001b30 = 0;
*(uint64_t*)0x20001b38 = 0;
*(uint64_t*)0x20001b40 = 0;
*(uint64_t*)0x20001b48 = 0;
*(uint64_t*)0x20001b50 = 0;
*(uint64_t*)0x20001b58 = 0;
*(uint64_t*)0x20001b60 = 0;
*(uint64_t*)0x20001b68 = 0;
*(uint64_t*)0x20001b70 = 0;
*(uint64_t*)0x20001b78 = 0;
*(uint64_t*)0x20001b80 = 0;
*(uint64_t*)0x20001b88 = 0;
*(uint64_t*)0x20001b90 = 0;
*(uint64_t*)0x20001b98 = 0;
*(uint64_t*)0x20001ba0 = 0;
*(uint64_t*)0x20001ba8 = 0;
*(uint64_t*)0x20001bb0 = 0;
*(uint64_t*)0x20001bb8 = 0;
*(uint64_t*)0x20001bc0 = 0;
*(uint64_t*)0x20001bc8 = 0;
*(uint64_t*)0x20001bd0 = 0;
*(uint64_t*)0x20001bd8 = 0;
*(uint64_t*)0x20001be0 = 0;
*(uint64_t*)0x20001be8 = 0;
*(uint64_t*)0x20001bf0 = 0;
*(uint64_t*)0x20001bf8 = 0;
*(uint64_t*)0x20001c00 = 0;
*(uint64_t*)0x20001c08 = 0;
*(uint64_t*)0x20001c10 = 0;
*(uint64_t*)0x20001c18 = 0;
*(uint64_t*)0x20001c20 = 0;
*(uint64_t*)0x20001c28 = 0;
*(uint64_t*)0x20001c30 = 0;
*(uint64_t*)0x20001c38 = 0;
*(uint64_t*)0x20001c40 = 0;
*(uint64_t*)0x20001c48 = 0;
*(uint64_t*)0x20001c50 = 0;
*(uint64_t*)0x20001c58 = 0;
*(uint64_t*)0x20001c60 = 0;
*(uint64_t*)0x20001c68 = 0;
*(uint64_t*)0x20001c70 = 0;
*(uint64_t*)0x20001c78 = 0;
*(uint64_t*)0x20001c80 = 0;
*(uint64_t*)0x20001c88 = 0;
*(uint64_t*)0x20001c90 = 0;
*(uint64_t*)0x20001c98 = 0;
*(uint64_t*)0x20001ca0 = 0;
*(uint64_t*)0x20001ca8 = 0;
*(uint64_t*)0x20001cb0 = 0;
*(uint64_t*)0x20001cb8 = 0;
*(uint64_t*)0x20001cc0 = 0;
*(uint64_t*)0x20001cc8 = 0;
*(uint64_t*)0x20001cd0 = 0;
*(uint64_t*)0x20001cd8 = 0;
*(uint64_t*)0x20001ce0 = 0;
*(uint64_t*)0x20001ce8 = 0;
*(uint64_t*)0x20001cf0 = 0;
*(uint64_t*)0x20001cf8 = 0;
*(uint64_t*)0x20001d00 = 0;
*(uint64_t*)0x20001d08 = 0;
*(uint64_t*)0x20001d10 = 0;
*(uint64_t*)0x20001d18 = 0;
*(uint64_t*)0x20001d20 = 0;
*(uint64_t*)0x20001d28 = 0;
*(uint64_t*)0x20001d30 = 0;
*(uint64_t*)0x20001d38 = 0;
*(uint64_t*)0x20001d40 = 0;
*(uint64_t*)0x20001d48 = 0;
*(uint64_t*)0x20001d50 = 0;
*(uint64_t*)0x20001d58 = 0;
*(uint64_t*)0x20001d60 = 0;
*(uint64_t*)0x20001d68 = 0;
*(uint64_t*)0x20001d70 = 0;
*(uint64_t*)0x20001d78 = 0;
*(uint64_t*)0x20001d80 = 0;
*(uint64_t*)0x20001d88 = 0;
*(uint64_t*)0x20001d90 = 0;
*(uint64_t*)0x20001d98 = 0;
*(uint64_t*)0x20001da0 = 0;
*(uint64_t*)0x20001da8 = 0;
*(uint64_t*)0x20001db0 = 0;
*(uint64_t*)0x20001db8 = 0;
*(uint64_t*)0x20001dc0 = 0;
*(uint64_t*)0x20001dc8 = 0;
*(uint64_t*)0x20001dd0 = 0;
*(uint64_t*)0x20001dd8 = 0;
*(uint64_t*)0x20001de0 = 0;
*(uint64_t*)0x20001de8 = 0;
*(uint64_t*)0x20001df0 = 0;
*(uint64_t*)0x20001df8 = 0;
*(uint64_t*)0x20001e00 = 0;
*(uint64_t*)0x20001e08 = 0;
*(uint64_t*)0x20001e10 = 0;
*(uint64_t*)0x20001e18 = 0;
*(uint64_t*)0x20001e20 = 0;
*(uint64_t*)0x20001e28 = 0;
*(uint64_t*)0x20001e30 = 0;
*(uint64_t*)0x20001e38 = 0;
*(uint64_t*)0x20001e40 = 0;
*(uint64_t*)0x20001e48 = 0;
*(uint64_t*)0x20001e50 = 0;
*(uint64_t*)0x20001e58 = 0;
*(uint64_t*)0x20001e60 = 0;
*(uint64_t*)0x20001e68 = 0;
*(uint64_t*)0x20001e70 = 0;
*(uint64_t*)0x20001e78 = 0;
*(uint64_t*)0x20001e80 = 0;
*(uint64_t*)0x20001e88 = 0;
*(uint64_t*)0x20001e90 = 0;
*(uint64_t*)0x20001e98 = 0;
*(uint64_t*)0x20001ea0 = 0;
*(uint64_t*)0x20001ea8 = 0;
*(uint64_t*)0x20001eb0 = 0;
*(uint64_t*)0x20001eb8 = 0;
*(uint64_t*)0x20001ec0 = 0;
*(uint64_t*)0x20001ec8 = 0;
*(uint64_t*)0x20001ed0 = 0;
*(uint64_t*)0x20001ed8 = 0;
*(uint64_t*)0x20001ee0 = 0;
*(uint64_t*)0x20001ee8 = 0;
*(uint64_t*)0x20001ef0 = 0;
*(uint64_t*)0x20001ef8 = 0;
*(uint64_t*)0x20001f00 = 0;
*(uint64_t*)0x20001f08 = 0;
*(uint64_t*)0x20001f10 = 0;
*(uint64_t*)0x20001f18 = 0;
*(uint64_t*)0x20001f20 = 0;
*(uint64_t*)0x20001f28 = 0;
*(uint64_t*)0x20001f30 = 0;
*(uint64_t*)0x20001f38 = 0;
*(uint64_t*)0x20001f40 = 0;
*(uint64_t*)0x20001f48 = 0;
*(uint64_t*)0x20001f50 = 0;
*(uint64_t*)0x20001f58 = 0;
*(uint64_t*)0x20001f60 = 0;
*(uint64_t*)0x20001f68 = 0;
*(uint64_t*)0x20001f70 = 0;
*(uint64_t*)0x20001f78 = 0;
*(uint64_t*)0x20001f80 = 0;
*(uint64_t*)0x20001f88 = 0;
*(uint64_t*)0x20001f90 = 0;
*(uint64_t*)0x20001f98 = 0;
*(uint64_t*)0x20001fa0 = 0;
*(uint64_t*)0x20001fa8 = 0;
*(uint64_t*)0x20001fb0 = 0;
*(uint64_t*)0x20001fb8 = 0;
*(uint64_t*)0x20001fc0 = 0;
*(uint64_t*)0x20001fc8 = 0;
*(uint64_t*)0x20001fd0 = 0;
*(uint64_t*)0x20001fd8 = 0;
*(uint64_t*)0x20001fe0 = 0;
*(uint64_t*)0x20001fe8 = 0;
*(uint64_t*)0x20001ff0 = 0;
*(uint64_t*)0x20001ff8 = 0;
*(uint64_t*)0x20002000 = 0;
*(uint64_t*)0x20002008 = 0;
*(uint64_t*)0x20002010 = 0;
*(uint64_t*)0x20002018 = 0;
*(uint64_t*)0x20002020 = 0;
*(uint64_t*)0x20002028 = 0;
*(uint64_t*)0x20002030 = 0;
*(uint64_t*)0x20002038 = 0;
*(uint64_t*)0x20002040 = 0;
*(uint64_t*)0x20002048 = 0;
*(uint64_t*)0x20002050 = 0;
*(uint64_t*)0x20002058 = 0;
*(uint64_t*)0x20002060 = 0;
*(uint64_t*)0x20002068 = 0;
*(uint64_t*)0x20002070 = 0;
*(uint64_t*)0x20002078 = 0;
*(uint64_t*)0x20002080 = 0;
*(uint64_t*)0x20002088 = 0;
*(uint64_t*)0x20002090 = 0;
*(uint64_t*)0x20002098 = 0;
*(uint64_t*)0x200020a0 = 0;
*(uint64_t*)0x200020a8 = 0;
*(uint64_t*)0x200020b0 = 0;
     syscall(__NR_write, r[3], 0x20000840ul, 0x1878ul);
     return 0;
}

On 2020/10/20 17:02, Yang Yingliang wrote:
> I got a UAF report in do_update_region() when I doing fuzz test.
>
> [   51.161905] BUG: KASAN: use-after-free in do_update_region+0x579/0x600
> [   51.161918] Read of size 2 at addr ffff888000100000 by task test/295
>
> [   51.161957] CPU: 2 PID: 295 Comm: test Not tainted 5.7.0+ #975
> [   51.161969] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), 
> BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
> [   51.161976] Call Trace:
> [   51.162001]  dump_stack+0xc6/0x11e
> [   51.162019]  ? do_update_region+0x579/0x600
> [   51.162047]  print_address_description.constprop.6+0x1a/0x220
> [   51.162083]  ? vprintk_func+0x66/0xed
> [   51.162100]  ? do_update_region+0x579/0x600
> [   51.162112]  ? do_update_region+0x579/0x600
> [   51.162128]  kasan_report.cold.9+0x37/0x7c
> [   51.162151]  ? do_update_region+0x579/0x600
> [   51.162173]  do_update_region+0x579/0x600
> [   51.162207]  ? con_get_trans_old+0x230/0x230
> [   51.162229]  ? retint_kernel+0x10/0x10
> [   51.162278]  csi_J+0x557/0xa00
> [   51.162307]  do_con_trol+0x49af/0x5cc0
> [   51.162330]  ? lock_downgrade+0x720/0x720
> [   51.162347]  ? reset_palette+0x1b0/0x1b0
> [   51.162369]  ? lockdep_hardirqs_on_prepare+0x379/0x540
> [   51.162393]  ? notifier_call_chain+0x11b/0x160
> [   51.162438]  do_con_write.part.24+0xb0a/0x1a30
> [   51.162501]  ? do_con_trol+0x5cc0/0x5cc0
> [   51.162522]  ? console_unlock+0x7b8/0xb00
> [   51.162555]  ? __mutex_unlock_slowpath+0xd4/0x670
> [   51.162574]  ? this_tty+0xe0/0xe0
> [   51.162589]  ? console_unlock+0x559/0xb00
> [   51.162605]  ? wait_for_completion+0x260/0x260
> [   51.162638]  con_write+0x31/0xb0
> [   51.162658]  n_tty_write+0x4fa/0xd40
> [   51.162710]  ? n_tty_read+0x1800/0x1800
> [   51.162730]  ? prepare_to_wait_exclusive+0x270/0x270
> [   51.162754]  ? __might_fault+0x175/0x1b0
> [   51.162783]  tty_write+0x42b/0x8d0
> [   51.162795]  ? n_tty_read+0x1800/0x1800
> [   51.162825]  ? tty_lookup_driver+0x450/0x450
> [   51.162848]  __vfs_write+0x7c/0x100
> [   51.162875]  vfs_write+0x1c9/0x510
> [   51.162901]  ksys_write+0xff/0x200
> [   51.162918]  ? __ia32_sys_read+0xb0/0xb0
> [   51.162940]  ? do_syscall_64+0x1a/0x520
> [   51.162957]  ? lockdep_hardirqs_on_prepare+0x379/0x540
> [   51.162984]  do_syscall_64+0xa1/0x520
> [   51.163008]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
>
> After vgacon_set_origin() is called in set_origin(), the vc_origin is
> set to vga_vram_base, the vc_pos should between vga_vram_base and
> vga_vram_end. But we still use vc_screenbuf_size, if the vga_vram_size
> is smaller than vc_screenbuf_size, vc_pos may be out of bound, using it
> will cause a use-after-free(or out-of-bounds). Fix this by calling
> vc_resize() if vga_vram_size is smaller than vc_screenbuf_size.
>
> Signed-off-by: Yang Yingliang<yangyingliang@huawei.com>
> ---
>  drivers/video/console/vgacon.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/drivers/video/console/vgacon.c 
> b/drivers/video/console/vgacon.c
> index 998b0de..2ee3d62 100644
> --- a/drivers/video/console/vgacon.c
> +++ b/drivers/video/console/vgacon.c
> @@ -1336,6 +1336,9 @@ static int vgacon_set_origin(struct vc_data *c)
>      if (vga_is_gfx ||    /* We don't play origin tricks in graphic 
> modes */
>          (console_blanked && !vga_palette_blanked))    /* Nor we write 
> to blanked screens */
>          return 0;
> +
> +    if (c->vc_screenbuf_size > vga_vram_size)
> +        vc_resize(c, screen_info.orig_video_cols, 
> screen_info.orig_video_lines);
>      c->vc_origin = c->vc_visible_origin = vga_vram_base;
>      vga_set_mem_top(c);
>      vga_rolled_over = 0;
>
> .