From: d.dorau@avm.de
Newsgroups: gmane.linux.lib.musl.general
Subject: Bug report: Memory corruption due to stale robust_list.head pointer
Date: Wed, 25 Sep 2019 12:05:18 +0200
To: musl@lists.openwall.com
Reply-To: musl@lists.openwall.com

Hello,

I recently came across a memory corruption in the member "tsd" of struct pthread
in a scenario where a pthread mutex is intentionally held during fork().
I experienced this using the latest release 1.1.23.

I found that during fork musl resets self->robust_list.pending and self->robust_list.off,
but not the robust_list.head. The stale pointer to the previously held and reset
mutex turned out to be the cause for the following corruption.

I therefore suggest to also reset the list head on fork as such:

--- a/src/process/fork.c.orig        2019-09-23 11:41:01.381626360 +0200
+++ b/src/process/fork.c   &nb= sp;    2019-09-23 11:41:26.657819473 +0200
@@ -27,6 +27,7 @@
                 self->tid =3D =5F=5Fsyscall(SYS=5Fgettid);
                 self->robust=5Flist.off =3D 0;
                 self->robust=5Flist.pending =3D 0;
+                self->robust=5Flist.head =3D &self->ro= bust=5Flist.head;
                 self->next =3D self->prev =3D self;
                 =5F=5Fthread=5Flist=5Flock =3D 0;
                 libc.threads=5Fminus=5F1 =3D 0;
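
Review bot: The added line `self->robust_list.head = &self->robust_list.head;` uses a different reset value from its neighbours (`off` and `pending` are set to 0, `head` to its own address), so it deserves a short comment saying that a self-referential head is the empty-list state and that the child has to drop entries linked before fork. It is also worth stating in the commit message what happens to a mutex that was on the list at fork time: this hunk only detaches the head, it does not touch that mutex's own link fields or owner state.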


This resolves the issue.

I am very well aware of the fact that acquiring a mutex during fork and re-initializing
in the child appears to result in undefined behaviour (as of pthread_mutex_init(3posix))
or to be controversial at least.

However, I believe that it shouldn't result in a memory corruption as a result.

To reproduce I wrote a small example which triggers and shows the corruption.
It also contains a description of the program flow and memory corruption.

Please find it attached to this mail.

Please note that the routine to print the robust_list is hacked using hardcoded
offsets which are aimed at my 32-Bit platform.


Best regards,
Daniel





--
AVM Audiovisuelles Marketing und Computersysteme GmbH
Alt-Moabit 95, 10559 Berlin
HRB 23075 AG Charlottenburg
Managing Director: Johannes Nill

[Attachment: pthread_fork_demo.c]
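
The sequence described in the report, as a simplified model added here (it is not musl source and not the attached pthread_fork_demo.c). It assumes a robust list where locking pushes at the head, the back-pointer lives in the word before each link, and `tsd` sits directly before the list head; `struct thread`, `struct mutex`, `rl_lock`, `rl_unlock` and `run_scenario` are hypothetical names.

```c
#include <stdio.h>

/* Constructed model, not musl source. Assumed layout: the word before every
 * list link is its back-pointer slot, and tsd sits directly before the head. */
struct thread { void *tsd;  void *head; };   /* tsd, robust_list.head */
struct mutex  { void *prev; void *next; };   /* prev directly before next */

static void list_init(struct thread *t) { t->head = &t->head; }

/* Push m at the front of self's list. */
static void rl_lock(struct thread *self, struct mutex *m) {
    void *next = self->head;
    m->next = next;
    m->prev = &self->head;
    if (next != (void *)&self->head)          /* old first entry gets a new prev */
        *(void **)((char *)next - sizeof(void *)) = &m->next;
    self->head = &m->next;
}

/* Unlink m. Anything that is not self's own head is treated as a mutex link. */
static void rl_unlock(struct thread *self, struct mutex *m) {
    void *prev = m->prev, *next = m->next;
    *(void **)prev = next;
    if (next != (void *)&self->head)
        *(void **)((char *)next - sizeof(void *)) = prev;
}

/* Returns 0 if the second thread's tsd survives, 1 if it now holds the
 * address of the main thread's list head, -1 for any other value. */
int run_scenario(int reset_head_in_child) {
    static int tsd_block;                     /* stands in for the TSD array */
    struct thread main_t = {0}, second = {0};
    struct mutex m1 = {0}, m2 = {0};

    list_init(&main_t);
    rl_lock(&main_t, &m1);                    /* M1 held across fork() */
    /* fork(): the child keeps a copy of main_t, including head -> M1 */
    if (reset_head_in_child)
        list_init(&main_t);                   /* the reset proposed in the report */
    m1.prev = m1.next = NULL;                 /* child re-initializes M1 */

    list_init(&second);                       /* second thread is created */
    second.tsd = &tsd_block;
    rl_lock(&second, &m1);
    rl_lock(&main_t, &m2);                    /* with a stale head, M2 lands in front of M1 */
    rl_unlock(&second, &m1);
    rl_unlock(&main_t, &m2);                  /* writes through M2.next */

    if (second.tsd == (void *)&tsd_block) return 0;
    return second.tsd == (void *)&main_t.head ? 1 : -1;
}

int main(void) {
    printf("stale head: %d\n", run_scenario(0));
    printf("head reset: %d\n", run_scenario(1));
    return 0;
}
```

In the stale-head run the final unlock treats the second thread's list head as a mutex link and stores a back-pointer in the word before it, which in this layout is `tsd`.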