Received: by 2002:ab2:7407:0:b0:1f4:b336:87c4 with SMTP id e7csp156764lqn; Thu, 11 Apr 2024 18:07:08 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCXWQZ5SOtSHa7dQb5NFp1lKW81IaDvhUVw9LJieIRaXc1D/n9N7lWDwUPPQcsYYG4kvuB+tzDZMXNvnAgjFdI5v0f5wPKmUN0+fHhmA8w== X-Google-Smtp-Source: AGHT+IG6IvwCJe1rptdDis1jp+5983NYxvo8DN4X8HoXq2G44Zr9lO0C0JI8nV6ygaeYe0fY7ZCu X-Received: by 2002:ac8:7e8c:0:b0:436:92c7:7866 with SMTP id w12-20020ac87e8c000000b0043692c77866mr176794qtj.1.1712884028546; Thu, 11 Apr 2024 18:07:08 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1712884028; cv=none; d=google.com; s=arc-20160816; b=JCSWB9GM0+Ni7QhKZ4CT68GEFslThohjaJEbZXtkVtMgRilQFwcOdgNeFGJYo4z90j pPHzfJ+7Cha8xEuqJOxEMHDwxaBxyU7J7RQoQY0KknS67qKoHoPp5kRdGNGafhAFz4BY 07XVS+glMORh7v6w9UkxA7Kvxz/yYusbX3rdoD7RDX5tevkDd++yQvMQttAIAl3dqkT5 E0CA71kyy7vcNVN5qWpuBdks6y7LZYP+RBU+83yR2TFiiDftBwZ3aOuDW/PfPF26OZAK a1AfxIKuRCPUyJRLHFwVJ3FyM8RzKYW1M1CtmH/0SSOM/wmE9vQn5P1CwvCbkE+7dUzV IasQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=subject:to:message-id:date:from:in-reply-to:references:mime-version :dkim-signature:delivered-to:delivered-to:reply-to:list-id :list-subscribe:list-unsubscribe:list-help:list-post:precedence :mailing-list; bh=tAb7kiantWX3csU+bcqQx219QX2QFTyVWpqLfdZNxEA=; fh=9jsPTyo6edd9xvAeG+KFFrRrXMmgB/RdwUKOrvy9dcA=; b=K8W37NSx696sp+TIfv8SYowdFk2hBnRs8UStPWon6hS9LLfRdjucbFwD5xhdlBTbfG pFjg3UZ+06r9SucniAQwVsZjGUCTIDNXgVs+D4VPkNsUVoDZU2iYQPih/4fJxKmSQQrC lmBPQ8mCLVMRBj7+VAwknHZ3YMzORM8lc8GZkuI2gxRfxFW87ddiwemHagMYm13Dl/tR K1g8ShYYJjpA2LQjqEjKg5LP9wNjLyh/EpWHsTSCDoX6+h8/TwnS5ei3unLLlLWdU+Ta oieB8ioqYnN6cCf+MMLTsJp8m6TVWDwVim+adkSypDceE/T7NqQbMtGvJ3d+ZwR8HhpE f6qg==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20230601 header.b=XrU6yIN9; spf=pass (google.com: domain of oss-security-return-30012-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30012-linux.lists.archive=gmail.com@lists.openwall.com"; dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from second.openwall.net (second.openwall.net. [193.110.157.125]) by mx.google.com with SMTP id z18-20020ac87f92000000b00434f050ef08si2638637qtj.539.2024.04.11.18.07.07 for ; Thu, 11 Apr 2024 18:07:08 -0700 (PDT) Received-SPF: pass (google.com: domain of oss-security-return-30012-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) client-ip=193.110.157.125; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20230601 header.b=XrU6yIN9; spf=pass (google.com: domain of oss-security-return-30012-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30012-linux.lists.archive=gmail.com@lists.openwall.com"; dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (qmail 23854 invoked by uid 550); 12 Apr 2024 01:06:33 -0000 Mailing-List: contact oss-security-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: oss-security@lists.openwall.com Delivered-To: mailing list oss-security@lists.openwall.com Delivered-To: moderator for oss-security@lists.openwall.com Received: (qmail 5914 invoked from network); 11 Apr 2024 19:26:23 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712863575; x=1713468375; darn=lists.openwall.com; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=tAb7kiantWX3csU+bcqQx219QX2QFTyVWpqLfdZNxEA=; b=XrU6yIN9CKL87hnKBcRpXF75mbahSqY9UMkjwfzkPJtEhe2Iv7QBQ9Po5ayrmpkYDh hX67LAee49Btyoxe9xGw9cgvVG03agAQ9wug+HT4OrQ3DESw9kPM9Tl6YaP01y+nCcYD qcwkhrLEldkbU9/2Z4Dh5K0J+L8Wtxccd49DFWUU1iJI1Fya3PUEiaT12LPtPQGMs6A7 DTceOaPjja+gJylafnBl5ddZlsKEX6jYPjeJDT3H97YRNFDFUSrBDH3CzrYcxoph8Xzn kBokzLQs9MKXRxT+/nxv/ZRcxvNdAebWTtKa9lZE19IrF9IlunxiAWCC7HYVWbIFEnOf Pdvg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712863575; x=1713468375; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=tAb7kiantWX3csU+bcqQx219QX2QFTyVWpqLfdZNxEA=; b=b0zLc4NpKDK692EQPYd7HNPw1jxC9hg3fJ7N1ICmbhDkQrSxnu3cg+fC+d1NunNZNG qI/Z7hntfqliluGjytjhVX9Sc8Tn0WrNXkuVDfZe5wiFXDmOdPRqeDP18agr3Wr/KajV f2owRORTVOzjD9eqmCDqBJY0MCnu8MPMx8TQk1DUcaxrG0u5d0QM6MJ/FeJghqQDiSYG wpONv8APXtfU3rbzziwUORVNTA1gw1aV9Y9P3GjghpYXhEtUuiT7dcmF1Cc/4T/ms7vr VjCmsylU0nskn8oAJHdygo1E3HEgTgwN4WlHUptuNNTz79Uuu22Sy+Fs2zGqQW1uNNud /h9w== X-Gm-Message-State: AOJu0Yxlawav8LH9zdOm38Ey4VCVXndU3cFFiGhJuuBV3Z0pIVk+s2Fw SOCd9oOxFJjaC8dHLId5WWHz6P3/E4yn+7aQukjQcoymZUTR5t7/75ZGcqN502pGqu3hiUaiF7n GB/yLb9kIKMYwit5qHuNMLb+bUvd6SEBR7ecwaw== X-Received: by 2002:a0c:e852:0:b0:699:2274:b229 with SMTP id l18-20020a0ce852000000b006992274b229mr780013qvo.14.1712863574431; Thu, 11 Apr 2024 12:26:14 -0700 (PDT) MIME-Version: 1.0 References: <607d5716-128f-44c5-ab52-6dde4ca6e8a4@christopher-kunz.de> <20240411140654.GA24980@openwall.com> <052779d0-a3c3-4691-9491-08520952ca8e@christopher-kunz.de> In-Reply-To: <052779d0-a3c3-4691-9491-08520952ca8e@christopher-kunz.de> From: Kyle Zeng Date: Thu, 11 Apr 2024 12:25:38 -0700 Message-ID: To: oss-security@lists.openwall.com Content-Type: multipart/mixed; boundary="000000000000e7c8f70615d7207b" Subject: Re: [oss-security] New Linux LPE via GSMIOC_SETCONF_DLCI? --000000000000e7c8f70615d7207b Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi there, I just did some preliminary analysis on this. There are in fact three exploits involved in this. CVE-2023-6546: https://github.com/Nassim-Asrir/ZDI-24-020/ jmpe4x's GSM exploit: https://github.com/jmpe4x/GSM_Linux_Kernel_LPE_Nday_Exploit YuriiCrimson's GSM exploit: https://github.com/YuriiCrimson/ExploitGSM I tested all of them. All of them targeted the same subsystem (GSM), used the same KASLR leak method ("/sys/kernel/notes"). But there are two vulnerabilities involved here. In short. jmpe4x's and YuriiCrimson's exploits are the same, but the vulnerability is not CVE-2023-6546. !!!!!!!!!!!! It is a 0day that is not patched in the main tree yet. Not a patch gap. !!!!!!!!!!!! My analysis is performed on the latest commit of Linus's tree: ``` commit e8c39d0f57f358950356a8e44ee5159f57f86ec5 (HEAD -> master, origin/master, origin/HEAD) Merge: 03a55b63919 325f3fb551f Author: Linus Torvalds Date: Wed Apr 10 19:48:05 2024 -0700 ``` And jmpe4x's and YuriiCrimson's are exactly the same. The difference is mostly spaces. The diff is attached to this email. Thanks, Kyle Zeng On Thu, Apr 11, 2024 at 8:07=E2=80=AFAM Dr. Christopher Kunz wrote: > > Hi, > > > There are two exploits in Yurii's repo above, according to Yurii for tw= o > > different bugs. The above is one of them. Perhaps also try the other? > The two exploit versions are for different kernels. The 6.5 exploit > doesn't compile on the Debian 12 6.1 kernel, and no Debian version > currently distributes a 6.5 kernel, AFAICT. I used > ExploitGSM_5_15_to_6_1/ExploitGSM and it worked. > > I don't know, and apparently it'd need to be two CVEs for two bugs that > > Yurii exploits. > Possibly. I'm definitely out of my depth trying to analyze which bugs > are being exploited. > > CVE-2023-52564: Revert "tty: n_gsm: fix UAF in gsm_cleanup_mux" > > https://lists.openwall.net/linux-cve-announce/2024/03/02/54 > > > > Maybe CVE-2023-52564 is one of the bugs Yurii exploits, or maybe not. > > I didn't look into this closely enough to tell. > > Apparently not. Debian 12 "Bookworm" currently runs this kernel: > > Linux debianexploitgsm 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian > 6.1.76-1 (2024-02-01) x86_64 GNU/Linux > > According to the changelog, this kernel has the fix for CVE-2023-52564 > included: > - Revert "tty: n_gsm: fix UAF in gsm_cleanup_mux" > (from > https://metadata.ftp-master.debian.org/changelogs//main/l/linux-signed-am= d64/linux-signed-amd64_6.1.76+1_changelog) > > Still, the exploit works, so it must exploit a different issue. > > Just my two cents, > > --cku > --000000000000e7c8f70615d7207b Content-Type: text/plain; charset="US-ASCII"; name="diff.txt" Content-Disposition: attachment; filename="diff.txt" Content-Transfer-Encoding: base64 Content-ID: X-Attachment-Id: f_luvmq0pb0 MGExLDIKPiAvLyBHU00gTGludXggS2VybmVsIFJhY2UgQ29uZGl0aW9uIC0+IFVBRiAwZGF5IEV4 cGxvaXQgd3JpdHRlbiBieSBqbXBlNHgKPiAKNDVhNDgKPiAjZGVmaW5lIFBBR0VfVVAoYWRkcikg ICAoKChhZGRyKSsoKFBBR0VfU0laRSktMSkpJih+KChQQUdFX1NJWkUpLTEpKSkKNDdkNDkKPCAj ZGVmaW5lIE1JTihYLCBZKSAoKChYKSA8IChZKSkgPyAoWCkgOiAoWSkpCjQ5LDUxYzUxCjwgI2Rl ZmluZSBCSVQobmFtZSkJCSgxVUxMIDw8IG5hbWUpCjwgI2RlZmluZSBIRUFQX1NQUkFZX1NJWkUg MTAyNAo8ICNkZWZpbmUgQklUU19QRVJfTE9ORyA2NAotLS0KPiAjZGVmaW5lIE1JTihYLCBZKSAo KChYKSA8IChZKSkgPyAoWCkgOiAoWSkpCjU0LDYwYzU0LDYwCjwgICAgIF9fdTMyIGNoYW5uZWw7 CQkvKiBETENJICgwIGZvciB0aGUgYXNzb2NpYXRlZCBETENJKSAqLwo8ICAgICBfX3UzMiBhZGFw dGlvbjsJCS8qIENvbnZlcmdlbmNlIGxheWVyIHR5cGUgKi8KPCAgICAgX191MzIgbXR1OwkJLyog TWF4aW11bSB0cmFuc2ZlciB1bml0ICovCjwgICAgIF9fdTMyIHByaW9yaXR5OwkJLyogUHJpb3Jp dHkgKDAgZm9yIGRlZmF1bHQgdmFsdWUpICovCjwgICAgIF9fdTMyIGk7CQkvKiBGcmFtZSB0eXBl ICgxID0gVUlILCAyID0gVUkpICovCjwgICAgIF9fdTMyIGs7CQkvKiBXaW5kb3cgc2l6ZSAoMCBm b3IgZGVmYXVsdCB2YWx1ZSkgKi8KPCAgICAgX191MzIgcmVzZXJ2ZWRbOF07CS8qIEZvciBmdXR1 cmUgdXNlLCBtdXN0IGJlIGluaXRpYWxpemVkIHRvIHplcm8gKi8KLS0tCj4gICAgIF9fdTMyIGNo YW5uZWw7ICAgICAgICAgICAgICAvKiBETENJICgwIGZvciB0aGUgYXNzb2NpYXRlZCBETENJKSAq Lwo+ICAgICBfX3UzMiBhZGFwdGlvbjsgICAgICAgICAgICAgLyogQ29udmVyZ2VuY2UgbGF5ZXIg dHlwZSAqLwo+ICAgICBfX3UzMiBtdHU7ICAgICAgICAgIC8qIE1heGltdW0gdHJhbnNmZXIgdW5p dCAqLwo+ICAgICBfX3UzMiBwcmlvcml0eTsgICAgICAgICAgICAgLyogUHJpb3JpdHkgKDAgZm9y IGRlZmF1bHQgdmFsdWUpICovCj4gICAgIF9fdTMyIGk7ICAgICAgICAgICAgLyogRnJhbWUgdHlw ZSAoMSA9IFVJSCwgMiA9IFVJKSAqLwo+ICAgICBfX3UzMiBrOyAgICAgICAgICAgIC8qIFdpbmRv dyBzaXplICgwIGZvciBkZWZhdWx0IHZhbHVlKSAqLwo+ICAgICBfX3UzMiByZXNlcnZlZFs4XTsg IC8qIEZvciBmdXR1cmUgdXNlLCBtdXN0IGJlIGluaXRpYWxpemVkIHRvIHplcm8gKi8KNjMsNjRj NjMsNjQKPCAjZGVmaW5lIEdTTUlPQ19HRVRDT05GX0RMQ0kJX0lPV1IoJ0cnLCA3LCBzdHJ1Y3Qg Z3NtX2RsY2lfY29uZmlnKQo8ICNkZWZpbmUgR1NNSU9DX1NFVENPTkZfRExDSQlfSU9XKCdHJywg OCwgc3RydWN0IGdzbV9kbGNpX2NvbmZpZykKLS0tCj4gI2RlZmluZSBHU01JT0NfR0VUQ09ORl9E TENJICAgICBfSU9XUignRycsIDcsIHN0cnVjdCBnc21fZGxjaV9jb25maWcpCj4gI2RlZmluZSBH U01JT0NfU0VUQ09ORl9ETENJICAgICBfSU9XKCdHJywgOCwgc3RydWN0IGdzbV9kbGNpX2NvbmZp ZykKNzJjNzIKPCBjb25zdCB1bnNpZ25lZCBjaGFyIENNRF9NU0MJPSAgIDB4NzE7Ci0tLQo+IGNv bnN0IHVuc2lnbmVkIGNoYXIgQ01EX01TQyAgICAgPSAgIDB4NzE7CjgyYTgzLDkxCj4gY29uc3Qg aW50IEtFUk5FTF9QQVRIX1JFQURfT0ZGU0VUID0gMTE7Cj4gY29uc3QgaW50IFNFQ1RPUl9TSVpF ID0gNTEyOwo+IGNvbnN0IGludCBCT09UX0VOVFJZX09GRlNFVCA9IFNFQ1RPUl9TSVpFOwo+IGNv bnN0IGludCBCT09UX1NFQ1RPUl9DT1VOVCA9IDE7Cj4gY29uc3QgaW50IEJPT1RfRkxBRyA9IDB4 QUE1NTsKPiBjb25zdCBpbnQgVU5DT01QUkVTU0VEX0tFUk5FTF9TSVpFX09GRlNFVCA9IDQ7Cj4g Y29uc3QgaW50IFNFVFVQX0hFQURFUl9PRkZTRVQgPSBCT09UX0VOVFJZX09GRlNFVCAtIDE1Owo+ IGNvbnN0IGludCBBU0NJSV9PRkZTRVQgPSA0ODsKPiBjb25zdCBpbnQgV1FfRkxBR19CT09LTUFS SyA9IDB4MDQ7Cjg0YTk0Cj4gI2RlZmluZSBCSVQobmFtZSkgICAgICAgICAgICAgICAoMVVMTCA8 PCBuYW1lKQo4NWE5Niw5Nwo+IAo+ICNkZWZpbmUgSEVBUF9TUFJBWV9TSVpFIDEwMjQKODdhMTAw LDEwMQo+ICNkZWZpbmUgQklUU19QRVJfTE9ORyA2NAo+IAo4OSw5MmMxMDMsMTA2CjwgICAgIFdP UktfU1RSVUNUX1BFTkRJTkdfQklUCT0gMCwJLyogd29yayBpdGVtIGlzIHBlbmRpbmcgZXhlY3V0 aW9uICovCjwgICAgIFdPUktfU1RSVUNUX0lOQUNUSVZFX0JJVD0gMSwJLyogd29yayBpdGVtIGlz IGluYWN0aXZlICovCjwgICAgIFdPUktfU1RSVUNUX1BXUV9CSVQJPSAyLAkvKiBkYXRhIHBvaW50 cyB0byBwd3EgKi8KPCAgICAgV09SS19TVFJVQ1RfTElOS0VEX0JJVAk9IDMsCS8qIG5leHQgd29y ayBpcyBsaW5rZWQgdG8gdGhpcyBvbmUgKi8KLS0tCj4gICAgIFdPUktfU1RSVUNUX1BFTkRJTkdf QklUICAgICA9IDAsICAgIC8qIHdvcmsgaXRlbSBpcyBwZW5kaW5nIGV4ZWN1dGlvbiAqLwo+ICAg ICBXT1JLX1NUUlVDVF9JTkFDVElWRV9CSVQ9IDEsICAgICAgICAvKiB3b3JrIGl0ZW0gaXMgaW5h Y3RpdmUgKi8KPiAgICAgV09SS19TVFJVQ1RfUFdRX0JJVCA9IDIsICAgIC8qIGRhdGEgcG9pbnRz IHRvIHB3cSAqLwo+ICAgICBXT1JLX1NUUlVDVF9MSU5LRURfQklUICAgICAgPSAzLCAgICAvKiBu ZXh0IHdvcmsgaXMgbGlua2VkIHRvIHRoaXMgb25lICovCjk0LDk1YzEwOCwxMDkKPCAgICAgV09S S19TVFJVQ1RfU1RBVElDX0JJVAk9IDQsCS8qIHN0YXRpYyBpbml0aWFsaXplciAoZGVidWdvYmpl Y3RzKSAqLwo8ICAgICBXT1JLX1NUUlVDVF9DT0xPUl9TSElGVAk9IDUsCS8qIGNvbG9yIGZvciB3 b3JrcXVldWUgZmx1c2hpbmcgKi8KLS0tCj4gICAgIFdPUktfU1RSVUNUX1NUQVRJQ19CSVQgICAg ICA9IDQsICAgIC8qIHN0YXRpYyBpbml0aWFsaXplciAoZGVidWdvYmplY3RzKSAqLwo+ICAgICBX T1JLX1NUUlVDVF9DT0xPUl9TSElGVCAgICAgPSA1LCAgICAvKiBjb2xvciBmb3Igd29ya3F1ZXVl IGZsdXNoaW5nICovCjk3YzExMQo8ICAgICBXT1JLX1NUUlVDVF9DT0xPUl9TSElGVAk9IDQsCS8q IGNvbG9yIGZvciB3b3JrcXVldWUgZmx1c2hpbmcgKi8KLS0tCj4gICAgIFdPUktfU1RSVUNUX0NP TE9SX1NISUZUICAgICA9IDQsICAgIC8qIGNvbG9yIGZvciB3b3JrcXVldWUgZmx1c2hpbmcgKi8K MTAwYzExNAo8ICAgICBXT1JLX1NUUlVDVF9DT0xPUl9CSVRTCT0gNCwKLS0tCj4gICAgIFdPUktf U1RSVUNUX0NPTE9SX0JJVFMgICAgICA9IDQsCjEwMiwxMDVjMTE2LDExOQo8ICAgICBXT1JLX1NU UlVDVF9QRU5ESU5HCT0gMSA8PCBXT1JLX1NUUlVDVF9QRU5ESU5HX0JJVCwKPCAgICAgV09SS19T VFJVQ1RfSU5BQ1RJVkUJPSAxIDw8IFdPUktfU1RSVUNUX0lOQUNUSVZFX0JJVCwKPCAgICAgV09S S19TVFJVQ1RfUFdRCQk9IDEgPDwgV09SS19TVFJVQ1RfUFdRX0JJVCwKPCAgICAgV09SS19TVFJV Q1RfTElOS0VECT0gMSA8PCBXT1JLX1NUUlVDVF9MSU5LRURfQklULAotLS0KPiAgICAgV09SS19T VFJVQ1RfUEVORElORyA9IDEgPDwgV09SS19TVFJVQ1RfUEVORElOR19CSVQsCj4gICAgIFdPUktf U1RSVUNUX0lOQUNUSVZFICAgICAgICA9IDEgPDwgV09SS19TVFJVQ1RfSU5BQ1RJVkVfQklULAo+ ICAgICBXT1JLX1NUUlVDVF9QV1EgICAgICAgICAgICAgPSAxIDw8IFdPUktfU1RSVUNUX1BXUV9C SVQsCj4gICAgIFdPUktfU1RSVUNUX0xJTktFRCAgPSAxIDw8IFdPUktfU1RSVUNUX0xJTktFRF9C SVQsCjEwN2MxMjEKPCAgICAgV09SS19TVFJVQ1RfU1RBVElDCT0gMSA8PCBXT1JLX1NUUlVDVF9T VEFUSUNfQklULAotLS0KPiAgICAgV09SS19TVFJVQ1RfU1RBVElDICA9IDEgPDwgV09SS19TVFJV Q1RfU1RBVElDX0JJVCwKMTA5YzEyMwo8ICAgICBXT1JLX1NUUlVDVF9TVEFUSUMJPSAwLAotLS0K PiAgICAgV09SS19TVFJVQ1RfU1RBVElDICA9IDAsCjExMmMxMjYKPCAgICAgV09SS19OUl9DT0xP UlMJCT0gKDEgPDwgV09SS19TVFJVQ1RfQ09MT1JfQklUUyksCi0tLQo+ICAgICBXT1JLX05SX0NP TE9SUyAgICAgICAgICAgICAgPSAoMSA8PCBXT1JLX1NUUlVDVF9DT0xPUl9CSVRTKSwKMTE1YzEy OQo8ICAgICBXT1JLX0NQVV9VTkJPVU5ECT0gODE5MiwKLS0tCj4gICAgIFdPUktfQ1BVX1VOQk9V TkQgICAgPSA4MTkyLAoxMjJjMTM2CjwgICAgIFdPUktfU1RSVUNUX0ZMQUdfQklUUwk9IFdPUktf U1RSVUNUX0NPTE9SX1NISUZUICsKLS0tCj4gICAgIFdPUktfU1RSVUNUX0ZMQUdfQklUUyAgICAg ICA9IFdPUktfU1RSVUNUX0NPTE9SX1NISUZUICsKMTI2YzE0MAo8ICAgICBXT1JLX09GRlFfRkxB R19CQVNFCT0gV09SS19TVFJVQ1RfQ09MT1JfU0hJRlQsCi0tLQo+ICAgICBXT1JLX09GRlFfRkxB R19CQVNFID0gV09SS19TVFJVQ1RfQ09MT1JfU0hJRlQsCjEyOGMxNDIKPCAgICAgX19XT1JLX09G RlFfQ0FOQ0VMSU5HCT0gV09SS19PRkZRX0ZMQUdfQkFTRSwKLS0tCj4gICAgIF9fV09SS19PRkZR X0NBTkNFTElORyAgICAgICA9IFdPUktfT0ZGUV9GTEFHX0JBU0UsCjEzNSwxMzhjMTQ5LDE1Mgo8 ICAgICBXT1JLX09GRlFfRkxBR19CSVRTCT0gMSwKPCAgICAgV09SS19PRkZRX1BPT0xfU0hJRlQJ PSBXT1JLX09GRlFfRkxBR19CQVNFICsgV09SS19PRkZRX0ZMQUdfQklUUywKPCAgICAgV09SS19P RkZRX0xFRlQJCT0gQklUU19QRVJfTE9ORyAtIFdPUktfT0ZGUV9QT09MX1NISUZULAo8ICAgICBX T1JLX09GRlFfUE9PTF9CSVRTCT0gV09SS19PRkZRX0xFRlQgPD0gMzEgPyBXT1JLX09GRlFfTEVG VCA6IDMxLAotLS0KPiAgICAgV09SS19PRkZRX0ZMQUdfQklUUyA9IDEsCj4gICAgIFdPUktfT0ZG UV9QT09MX1NISUZUICAgICAgICA9IFdPUktfT0ZGUV9GTEFHX0JBU0UgKyBXT1JLX09GRlFfRkxB R19CSVRTLAo+ICAgICBXT1JLX09GRlFfTEVGVCAgICAgICAgICAgICAgPSBCSVRTX1BFUl9MT05H IC0gV09SS19PRkZRX1BPT0xfU0hJRlQsCj4gICAgIFdPUktfT0ZGUV9QT09MX0JJVFMgPSBXT1JL X09GRlFfTEVGVCA8PSAzMSA/IFdPUktfT0ZGUV9MRUZUIDogMzEsCjE0MSwxNDJjMTU1LDE1Ngo8 ICAgICBXT1JLX0JVU1lfUEVORElORwk9IDEgPDwgMCwKPCAgICAgV09SS19CVVNZX1JVTk5JTkcJ PSAxIDw8IDEsCi0tLQo+ICAgICBXT1JLX0JVU1lfUEVORElORyAgID0gMSA8PCAwLAo+ICAgICBX T1JLX0JVU1lfUlVOTklORyAgID0gMSA8PCAxLAoxNDVjMTU5CjwgICAgIFdPUktFUl9ERVNDX0xF TgkJPSAyNCwKLS0tCj4gICAgIFdPUktFUl9ERVNDX0xFTiAgICAgICAgICAgICA9IDI0LAoxNDgs MTQ5YzE2MiwxNjMKPCAjZGVmaW5lIFdPUktfT0ZGUV9QT09MX05PTkUJKCgxdWwgPDwgV09SS19P RkZRX1BPT0xfQklUUykgLSAxKQo8ICNkZWZpbmUgV09SS19TVFJVQ1RfTk9fUE9PTAkoV09SS19P RkZRX1BPT0xfTk9ORSA8PCBXT1JLX09GRlFfUE9PTF9TSElGVCkKLS0tCj4gI2RlZmluZSBXT1JL X09GRlFfUE9PTF9OT05FICAgICAoKDF1bCA8PCBXT1JLX09GRlFfUE9PTF9CSVRTKSAtIDEpCj4g I2RlZmluZSBXT1JLX1NUUlVDVF9OT19QT09MICAgICAoV09SS19PRkZRX1BPT0xfTk9ORSA8PCBX T1JLX09GRlFfUE9PTF9TSElGVCkKMTU0LDE1NmMxNjgsMTcwCjwgI2RlZmluZSBVTEwoeCkJCShf VUxMKHgpKQo8ICNkZWZpbmUgQklUX1VMTChucikJCShVTEwoMSkgPDwgKG5yKSkKPCAjZGVmaW5l IENBUF9WQUxJRF9NQVNLCSAoQklUX1VMTChDQVBfTEFTVF9DQVArMSktMSkKLS0tCj4gI2RlZmlu ZSBVTEwoeCkgICAgICAgICAgKF9VTEwoeCkpCj4gI2RlZmluZSBCSVRfVUxMKG5yKSAgICAgICAg ICAgICAoVUxMKDEpIDw8IChucikpCj4gI2RlZmluZSBDQVBfVkFMSURfTUFTSyAgIChCSVRfVUxM KENBUF9MQVNUX0NBUCsxKS0xKQoxNjQsMTY4YzE3OCwxODIKPCAgICAgRExDSV9XQUlUSU5HX0NP TkZJRywJLyogV2FpdGluZyBmb3IgRExDSSBjb25maWd1cmF0aW9uIGZyb20gdXNlciAqLwo8ICAg ICBETENJX0NPTkZJR1VSRSwJCS8qIFNlbmRpbmcgUE4gKGZvciBhZGFwdGlvbiA+IDEpICovCjwg ICAgIERMQ0lfT1BFTklORywJCS8qIFNlbmRpbmcgU0FCTSBub3Qgc2VlbiBVQSAqLwo8ICAgICBE TENJX09QRU4sCQkvKiBTQUJNL1VBIGNvbXBsZXRlICovCjwgICAgIERMQ0lfQ0xPU0lORywJCS8q IFNlbmRpbmcgRElTQyBub3Qgc2VlbiBVQS9ETSAqLwotLS0KPiAgICAgRExDSV9XQUlUSU5HX0NP TkZJRywgICAgICAgIC8qIFdhaXRpbmcgZm9yIERMQ0kgY29uZmlndXJhdGlvbiBmcm9tIHVzZXIg Ki8KPiAgICAgRExDSV9DT05GSUdVUkUsICAgICAgICAgICAgIC8qIFNlbmRpbmcgUE4gKGZvciBh ZGFwdGlvbiA+IDEpICovCj4gICAgIERMQ0lfT1BFTklORywgICAgICAgICAgICAgICAvKiBTZW5k aW5nIFNBQk0gbm90IHNlZW4gVUEgKi8KPiAgICAgRExDSV9PUEVOLCAgICAgICAgICAvKiBTQUJN L1VBIGNvbXBsZXRlICovCj4gICAgIERMQ0lfQ0xPU0lORywgICAgICAgICAgICAgICAvKiBTZW5k aW5nIERJU0Mgbm90IHNlZW4gVUEvRE0gKi8KMTcwYTE4NSwxODgKPiBjb25zdCBjaGFyKiBLQUxM U1lNU19QQVRIID0gIi9wcm9jL2thbGxzeW1zIjsKPiBjb25zdCBjaGFyKiBLUFRSX1JFU1RSSUNU X1BBVEggPSAiL3Byb2Mvc3lzL2tlcm5lbC9rcHRyX3Jlc3RyaWN0IjsKPiBjb25zdCBjaGFyKiBQ RVJGX0VWRU5UX1BBUkFOT0lEX1BBVEggPSAiL3Byb2Mvc3lzL2tlcm5lbC9wZXJmX2V2ZW50X3Bh cmFub2lkIjsKPiBjb25zdCBjaGFyKiBDTURMSU5FX1BBVEggPSAiL3Byb2MvY21kbGluZSI7CjI2 NywyODFjMjg1LDI5OQo8ICAgICBpbnQgICAgIAl1c2FnZTsKPCAgICAga3VpZF90CQl1aWQ7CQkv KiByZWFsIFVJRCBvZiB0aGUgdGFzayAqLwo8ICAgICBrZ2lkX3QJCWdpZDsJCS8qIHJlYWwgR0lE IG9mIHRoZSB0YXNrICovCjwgICAgIGt1aWRfdAkJc3VpZDsJCS8qIHNhdmVkIFVJRCBvZiB0aGUg dGFzayAqLwo8ICAgICBrZ2lkX3QJCXNnaWQ7CQkvKiBzYXZlZCBHSUQgb2YgdGhlIHRhc2sgKi8K PCAgICAga3VpZF90CQlldWlkOwkJLyogZWZmZWN0aXZlIFVJRCBvZiB0aGUgdGFzayAqLwo8ICAg ICBrZ2lkX3QJCWVnaWQ7CQkvKiBlZmZlY3RpdmUgR0lEIG9mIHRoZSB0YXNrICovCjwgICAgIGt1 aWRfdAkJZnN1aWQ7CQkvKiBVSUQgZm9yIFZGUyBvcHMgKi8KPCAgICAga2dpZF90CQlmc2dpZDsJ CS8qIEdJRCBmb3IgVkZTIG9wcyAqLwo8ICAgICB1bnNpZ25lZAlzZWN1cmViaXRzOwkvKiBTVUlE LWxlc3Mgc2VjdXJpdHkgbWFuYWdlbWVudCAqLwo8ICAgICBrZXJuZWxfY2FwX3QJY2FwX2luaGVy aXRhYmxlOyAvKiBjYXBzIG91ciBjaGlsZHJlbiBjYW4gaW5oZXJpdCAqLwo8ICAgICBrZXJuZWxf Y2FwX3QJY2FwX3Blcm1pdHRlZDsJLyogY2FwcyB3ZSdyZSBwZXJtaXR0ZWQgKi8KPCAgICAga2Vy bmVsX2NhcF90CWNhcF9lZmZlY3RpdmU7CS8qIGNhcHMgd2UgY2FuIGFjdHVhbGx5IHVzZSAqLwo8 ICAgICBrZXJuZWxfY2FwX3QJY2FwX2JzZXQ7CS8qIGNhcGFiaWxpdHkgYm91bmRpbmcgc2V0ICov CjwgICAgIGtlcm5lbF9jYXBfdAljYXBfYW1iaWVudDsJLyogQW1iaWVudCBjYXBhYmlsaXR5IHNl dCAqLwotLS0KPiAgICAgaW50ICAgICAgICAgdXNhZ2U7Cj4gICAgIGt1aWRfdCAgICAgICAgICAg ICAgdWlkOyAgICAgICAgICAgIC8qIHJlYWwgVUlEIG9mIHRoZSB0YXNrICovCj4gICAgIGtnaWRf dCAgICAgICAgICAgICAgZ2lkOyAgICAgICAgICAgIC8qIHJlYWwgR0lEIG9mIHRoZSB0YXNrICov Cj4gICAgIGt1aWRfdCAgICAgICAgICAgICAgc3VpZDsgICAgICAgICAgIC8qIHNhdmVkIFVJRCBv ZiB0aGUgdGFzayAqLwo+ICAgICBrZ2lkX3QgICAgICAgICAgICAgIHNnaWQ7ICAgICAgICAgICAv KiBzYXZlZCBHSUQgb2YgdGhlIHRhc2sgKi8KPiAgICAga3VpZF90ICAgICAgICAgICAgICBldWlk OyAgICAgICAgICAgLyogZWZmZWN0aXZlIFVJRCBvZiB0aGUgdGFzayAqLwo+ICAgICBrZ2lkX3Qg ICAgICAgICAgICAgIGVnaWQ7ICAgICAgICAgICAvKiBlZmZlY3RpdmUgR0lEIG9mIHRoZSB0YXNr ICovCj4gICAgIGt1aWRfdCAgICAgICAgICAgICAgZnN1aWQ7ICAgICAgICAgIC8qIFVJRCBmb3Ig VkZTIG9wcyAqLwo+ICAgICBrZ2lkX3QgICAgICAgICAgICAgIGZzZ2lkOyAgICAgICAgICAvKiBH SUQgZm9yIFZGUyBvcHMgKi8KPiAgICAgdW5zaWduZWQgICAgc2VjdXJlYml0czsgICAgIC8qIFNV SUQtbGVzcyBzZWN1cml0eSBtYW5hZ2VtZW50ICovCj4gICAgIGtlcm5lbF9jYXBfdCAgICAgICAg Y2FwX2luaGVyaXRhYmxlOyAvKiBjYXBzIG91ciBjaGlsZHJlbiBjYW4gaW5oZXJpdCAqLwo+ICAg ICBrZXJuZWxfY2FwX3QgICAgICAgIGNhcF9wZXJtaXR0ZWQ7ICAvKiBjYXBzIHdlJ3JlIHBlcm1p dHRlZCAqLwo+ICAgICBrZXJuZWxfY2FwX3QgICAgICAgIGNhcF9lZmZlY3RpdmU7ICAvKiBjYXBz IHdlIGNhbiBhY3R1YWxseSB1c2UgKi8KPiAgICAga2VybmVsX2NhcF90ICAgICAgICBjYXBfYnNl dDsgICAgICAgLyogY2FwYWJpbGl0eSBib3VuZGluZyBzZXQgKi8KPiAgICAga2VybmVsX2NhcF90 ICAgICAgICBjYXBfYW1iaWVudDsgICAgLyogQW1iaWVudCBjYXBhYmlsaXR5IHNldCAqLwoyOTIs MjkzYzMxMCwzMTEKPCAgICAgdWludDhfdAludW1fcGFyZW50czsKPCAgICAgdWludDhfdAluZXdf cGFyZW50X2luZGV4OwotLS0KPiAgICAgdWludDhfdCAgICAgbnVtX3BhcmVudHM7Cj4gICAgIHVp bnQ4X3QgICAgIG5ld19wYXJlbnRfaW5kZXg7CjMwN2MzMjUKPCAgICAgaW50MzJfdAlwaGFzZTsK LS0tCj4gICAgIGludDMyX3QgICAgIHBoYXNlOwozMTAsMzExYzMyOCwzMjkKPCAgICAgc3RydWN0 IGhsaXN0X25vZGUJY2hpbGRfbm9kZTsKPCAgICAgdWludDY0X3QJY2xrczsKLS0tCj4gICAgIHN0 cnVjdCBobGlzdF9ub2RlICAgY2hpbGRfbm9kZTsKPiAgICAgdWludDY0X3QgICAgY2xrczsKMzI0 LDMyNWMzNDIsMzQzCjwgICAgIHVpbnQ4X3QJbnVtX3BhcmVudHM7CjwgICAgIHVpbnQ4X3QJbmV3 X3BhcmVudF9pbmRleDsKLS0tCj4gICAgIHVpbnQ4X3QgICAgIG51bV9wYXJlbnRzOwo+ICAgICB1 aW50OF90ICAgICBuZXdfcGFyZW50X2luZGV4OwozNDBjMzU4CjwgICAgIGludDMyX3QJcGhhc2U7 Ci0tLQo+ICAgICBpbnQzMl90ICAgICBwaGFzZTsKMzQzLDM0NGMzNjEsMzYyCjwgICAgIHN0cnVj dCBobGlzdF9ub2RlCWNoaWxkX25vZGU7CjwgICAgIHVpbnQ2NF90CWNsa3M7Ci0tLQo+ICAgICBz dHJ1Y3QgaGxpc3Rfbm9kZSAgIGNoaWxkX25vZGU7Cj4gICAgIHVpbnQ2NF90ICAgIGNsa3M7CjM3 NmMzOTQKPCBjb25zdCBpbnQgUVVBTlRJVFlfS0VSTkVMUyA9IDI7Ci0tLQo+IGNvbnN0IGludCBR VUFOVElUWV9LRVJORUxTID0gMzsKMzc5LDM4MWMzOTcsMzk5CjwgeyJ1YnVudHUiLCAiNi41LjAt MjUtZ2VuZXJpYyIsIGZhbHNlLCBmYWxzZSwgZmFsc2UsIHRydWUsIGZhbHNlLCAweDI2OTMzYzAs IDB4MzkxMGQwMCwgMHhhMjI2MzAsIDB4MTI3NGMwLCAweDEzM2ViMCwgMHgxMTIwYTIwfSwKPCB7 ImZlZG9yYSIsICI2LjUuNi0zMDAuZmMzOS54ODZfNjQiLCBmYWxzZSwgZmFsc2UsIGZhbHNlLCB0 cnVlLCBmYWxzZSwgMHgyYWQ3ZWIwLCAweDNjZmNjNjAsIDB4OWI0YTMwLCAweDEzYzNkMCwgMHgx NDg3ODAsIDB4ZmJiZTIwfQo8IH07Ci0tLQo+IC8veyJ1YnVudHUiLCAiNi41LjAtMjUtZ2VuZXJp YyIsIGZhbHNlLCBmYWxzZSwgZmFsc2UsIHRydWUsIGZhbHNlLCAweDI2OTMzYzAsIDB4MzkxMGQw MCwgMHhhMjI2MzAsIDB4MTI3NGMwLCAweDEzM2ViMCwgMHgxMTIwYTIwfSwKPiB7ImZlZG9yYSIs ICI2LjUuNi0zMDAuZmMzOS54ODZfNjQiLCBmYWxzZSwgZmFsc2UsIGZhbHNlLCB0cnVlLCBmYWxz ZSwgMHgyYWQ3ZWIwLCAweDNjZmNjNjAsIDB4OWI0YTMwLCAweDEzYzNkMCwgMHgxNDg3ODAsIDB4 ZmJiZTIwfSwKPiB7InVidW50dSIsICI2LjUuMC0yNi1nZW5lcmljIiwgZmFsc2UsIGZhbHNlLCBm YWxzZSwgdHJ1ZSwgZmFsc2UsIDB4MjY5MzNjMCwgMHgzOTEwZDAwLCAweGEyMjYzMCwgMHgxMjc0 YzAsIDB4MTMzZWIwLCAweDExMjBhMjB9fTsKNTM0LDUzNWM1NTIsNTUzCjwgICAgICAgICAvL2lm IChzdHJjbXAoaXRlcl9rZXJuZWwtPm9zX25hbWUsIGFyZ3ZbMV0pIHx8IHN0cmNtcChpdGVyX2tl cm5lbC0+a2VybmVsLCBrZXJuZWxfaW5mby5yZWxlYXNlKSkKPCAgICAgICAgIC8vICAgIGNvbnRp bnVlOwotLS0KPiAgICAgICAgIGlmIChzdHJjbXAoaXRlcl9rZXJuZWwtPm9zX25hbWUsIGFyZ3Zb MV0pIHx8IHN0cmNtcChpdGVyX2tlcm5lbC0+a2VybmVsLCBrZXJuZWxfaW5mby5yZWxlYXNlKSkK PiAgICAgICAgICAgICBjb250aW51ZTsK --000000000000e7c8f70615d7207b--