From mboxrd@z Thu Jan 1 00:00:00 1970
MIME-Version: 1.0
References: <20200916234503.3553822-1-hjl.tools@gmail.com> <874knx1b7y.fsf@mid.deneb.enyo.de>
In-Reply-To: <874knx1b7y.fsf@mid.deneb.enyo.de>
Date: Thu, 17 Sep 2020 05:40:20 -0700
Subject: Re: [PATCH] x86/CET: Update vfork to prevent child return
To: Florian Weimer
Content-Type: multipart/mixed; boundary="0000000000000a8cbf05af81b2e0"
X-BeenThere: libc-alpha@sourceware.org
List-Id: Libc-alpha mailing list
From: "H.J. Lu via Libc-alpha" Reply-To: "H.J. Lu" Cc: "H.J. Lu via Libc-alpha" Errors-To: libc-alpha-bounces@sourceware.org Sender: "Libc-alpha" --0000000000000a8cbf05af81b2e0 Content-Type: text/plain; charset="UTF-8" On Wed, Sep 16, 2020 at 5:46 PM Florian Weimer wrote: > > * H. J. Lu via Libc-alpha: > > > Child of vfork should either call _exit or one of the exec family of > > functions. But normally there is nothing to prevent child of vfork from > > returning to caller of vfork's caller. With shadow stack enabled, we > > can introduce mismatched shadow stack in child of vfork. When the child > > returns from the function in which vfork was called, mismatched shadow > > stack will trigger SIGSEGV. > > --- > > sysdeps/unix/sysv/linux/i386/vfork.S | 6 +++ > > sysdeps/unix/sysv/linux/x86/Makefile | 5 ++ > > sysdeps/unix/sysv/linux/x86/tst-cet-vfork-1.c | 54 +++++++++++++++++++ > > sysdeps/unix/sysv/linux/x86_64/vfork.S | 6 +++ > > 4 files changed, 71 insertions(+) > > create mode 100644 sysdeps/unix/sysv/linux/x86/tst-cet-vfork-1.c > > > > diff --git a/sysdeps/unix/sysv/linux/i386/vfork.S b/sysdeps/unix/sysv/linux/i386/vfork.S > > index ceb41db0bd..e54fdb7e4c 100644 > > --- a/sysdeps/unix/sysv/linux/i386/vfork.S > > +++ b/sysdeps/unix/sysv/linux/i386/vfork.S 
> > @@ -91,6 +91,12 @@ ENTRY (__vfork) > > /* Normal return if shadow stack isn't in use. */ > > je L(no_shstk) > > > > + testl %eax, %eax > > + jnz 2f > > + /* NB: Jump back to caller directly with mismatched shadow stack > > + to prevent child return. */ > > + jmp *%ecx > > +2: > > Doesn't the jmp need a notrack prefix? Or does GCC generate special > code for returns_twice functions? The notrack prefix isn't needed since GCC has /* ECF_RETURNS_TWICE is safe even for -ffreestanding. */ if (! strcmp (tname, "setjmp") || ! strcmp (tname, "sigsetjmp") || ! strcmp (name, "savectx") || ! strcmp (name, "vfork") || ! strcmp (name, "getcontext")) flags |= ECF_RETURNS_TWICE; > The comment should say that the *function* calling vfork cannot return > in the subprocess. Fixed. > > diff --git a/sysdeps/unix/sysv/linux/x86/Makefile b/sysdeps/unix/sysv/linux/x86/Makefile > > index 920edd8948..f3fae85c1e 100644 > > --- a/sysdeps/unix/sysv/linux/x86/Makefile > > +++ b/sysdeps/unix/sysv/linux/x86/Makefile > > @@ -47,6 +47,11 @@ $(objpfx)tst-cet-property-2.out: $(objpfx)tst-cet-property-2 \ > > $(evaluate-test) > > endif > > > > +ifeq ($(subdir),posix) > > +tests += tst-cet-vfork-1 > > +CFLAGS-tst-cet-vfork-1.c += -mshstk > > +endif > > Does -mshstk alter the ISA? Then I think you can't test for the > presence of support if you build the whole translation unit with > -mshstk. The only thing -mshstk does is to enable _get_ssp (). > > diff --git a/sysdeps/unix/sysv/linux/x86/tst-cet-vfork-1.c b/sysdeps/unix/sysv/linux/x86/tst-cet-vfork-1.c > > new file mode 100644 > > index 0000000000..9ca148e857 > > --- /dev/null > > +++ b/sysdeps/unix/sysv/linux/x86/tst-cet-vfork-1.c 
> > @@ -0,0 +1,54 @@ > > +/* Verify that child of vfork can't return with shadow stack. > > Likewise: It's the vfork-calling function that must not return. Fixed. > > +__attribute__ ((noclone, noinline)) > > +static pid_t > > +do_test_1 (void) > > +{ > > + pid_t pid; > > + > > + pid = vfork (); > > + if (pid == 0) > > + { > > + /* Child return should trigger SIGSEGV. */ > > + return 0; > > + } > > + _exit (EXIT_SUCCESS); > > + > > + return pid; > > The return statement immediately above is unreachable. Fixed. > > +static int > > +do_test (void) > > +{ > > + /* NB: This test should trigger SIGSEGV with shadow stack enabled. */ > > + if (_get_ssp () == 0) > > + return EXIT_UNSUPPORTED; > > + return do_test_1 () ? EXIT_SUCCESS : EXIT_FAILURE; > > +} > > + > > +#define EXPECTED_SIGNAL (_get_ssp () == 0 ? 0 : SIGSEGV) > > +#include > > I'm surprised EXPECTED_SIGNAL works here. I would expect that the > original test process would have to wait using xwaitpid and check for > the signal in the subprocess. > > I think it would also be good to add a check that the subprocess > actually returned from vfork without crashing, say using a pipe and a > write before the return statement. Fixed. > > diff --git a/sysdeps/unix/sysv/linux/x86_64/vfork.S b/sysdeps/unix/sysv/linux/x86_64/vfork.S > > index 776d2fc610..5dd5cb714c 100644 > > --- a/sysdeps/unix/sysv/linux/x86_64/vfork.S > > +++ b/sysdeps/unix/sysv/linux/x86_64/vfork.S 
> > @@ -71,6 +71,12 @@ ENTRY (__vfork) > > /* Normal return if shadow stack isn't in use. */ > > je L(no_shstk) > > > > + testl %eax, %eax > > + jnz 2f > > + /* NB: Jump back to caller directly with mismatched shadow stack > > + to prevent child return. */ > > + jmp *%rdi > > +2: > > /* Pop return address from shadow stack and jump back to caller > > directly. */ > > movl $1, %esi > > See above. Here is the updated patch to use indirect branch only for child. -- H.J. --0000000000000a8cbf05af81b2e0 Content-Type: text/x-patch; charset="US-ASCII"; name="0001-x86-CET-Update-vfork-to-prevent-child-return.patch" Content-Disposition: attachment; filename="0001-x86-CET-Update-vfork-to-prevent-child-return.patch" --0000000000000a8cbf05af81b2e0--
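Review bot: in the quoted sysdeps/unix/sysv/linux/i386/vfork.S hunk, the added `jmp *%ecx` carries no comment on why an unprefixed indirect jump is acceptable. The reply rests this on GCC flagging calls to `vfork` as ECF_RETURNS_TWICE, so the comment beside the jump should record that the landing site in the caller depends on the compiler treating `vfork` that way.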
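Review bot: in the quoted sysdeps/unix/sysv/linux/x86/Makefile hunk, `CFLAGS-tst-cet-vfork-1.c += -mshstk` has no comment saying the flag is there only so the test can call `_get_ssp ()`, which is the question it drew in review. A one-line Makefile comment above the `ifeq ($(subdir),posix)` block would settle it for later readers.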
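Review bot: in `do_test_1` of the quoted tst-cet-vfork-1.c hunk, the only path that actually returns is the child's `return 0`, because the parent calls `_exit (EXIT_SUCCESS)` first, so `do_test_1 () ? EXIT_SUCCESS : EXIT_FAILURE` in `do_test` can never yield EXIT_SUCCESS. Declaring `do_test_1` as `void` and having `do_test` fail explicitly after the call would state the intent, since reaching that point means the child returned without SIGSEGV.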
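Review bot: in the quoted sysdeps/unix/sysv/linux/x86_64/vfork.S hunk, the context comment that now follows the new `2:` label ("Pop return address from shadow stack and jump back to caller directly.") describes only the parent path once the child branches off at `jmp *%rdi`. It should say so, for example by starting with "In parent," and the bare numeric label `2:` could be a named `L()` label to match `L(no_shstk)` just above it.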
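The mechanism described in the quoted commit message and the two vfork.S hunks, as a toy model in C. This is an added example, not glibc code and not part of the thread; `struct cpu`, `do_call`, `do_ret`, `vfork_exit`, `run` and the address constants are constructed names.

```c
/* Toy model of shadow-stack call/ret matching (constructed names, not glibc). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum { DEPTH = 8 };
/* Constructed return addresses. */
enum { RET_TO_MAIN = 0x1000, RET_AFTER_VFORK = 0x2000, RET_AFTER_HELPER = 0x3000 };

struct cpu {
    unsigned long stack[DEPTH];  /* return addresses on the normal stack */
    unsigned long shstk[DEPTH];  /* shadow copies kept by the CPU */
    size_t sp, ssp;
    bool fault;                  /* set when a ret sees a mismatch */
};

/* CALL pushes the return address on both stacks. */
static void do_call(struct cpu *c, unsigned long ret_addr)
{
    c->stack[c->sp++] = ret_addr;
    c->shstk[c->ssp++] = ret_addr;
}

/* RET pops both stacks and faults when the two addresses differ. */
static unsigned long do_ret(struct cpu *c)
{
    unsigned long a = c->stack[--c->sp];
    unsigned long s = c->shstk[--c->ssp];
    if (a != s)
        c->fault = true;
    return a;
}

/* vfork exit as in the quoted hunks: the return address is popped from
   the normal stack into a register and reached with an indirect jump.
   Only the parent also drops the matching shadow-stack entry. */
static unsigned long vfork_exit(struct cpu *c, bool child)
{
    unsigned long target = c->stack[--c->sp];
    if (!child)
        c->ssp--;                /* parent: pop the shadow stack too */
    return target;               /* jmp *reg: no ret is executed */
}

/* main calls f, f calls vfork.  Reports whether a nested call/ret made
   after vfork faults, and whether f's own return faults. */
static void run(bool child, bool *nested_fault, bool *return_fault)
{
    struct cpu c = { .sp = 0 };
    do_call(&c, RET_TO_MAIN);       /* main -> f */
    do_call(&c, RET_AFTER_VFORK);   /* f -> vfork */
    vfork_exit(&c, child);
    do_call(&c, RET_AFTER_HELPER);  /* f -> helper, e.g. before _exit/exec */
    do_ret(&c);                     /* helper -> f */
    *nested_fault = c.fault;
    do_ret(&c);                     /* f -> main */
    *return_fault = c.fault;
}

int main(void)
{
    bool n, r;
    run(false, &n, &r);
    printf("parent: nested_fault=%d return_fault=%d\n", n, r);
    run(true, &n, &r);
    printf("child:  nested_fault=%d return_fault=%d\n", n, r);
    return 0;
}
```

In the model the child can still make balanced calls after vfork; only the return from the vfork-calling function sees the stale shadow-stack entry and faults.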