From ed3dcd58caab237c732ce92fd55ef5c7b394f257 Mon Sep 17 00:00:00 2001
From: yezengruan
Date: Mon, 30 May 2022 18:43:29 +0800
Subject: [PATCH] fix CVE-2021-3507 and fix -acpitable regression (openeuler !300!301)

Signed-off-by: yezengruan
(cherry picked from commit ba8cdf7ac04fdc9e6d55cbf5e0b86b736ec57096)
---
 BinDir.tar.gz | Bin 1602266 -> 1602438 bytes
 ...U-crash-when-started-with-SLIC-table.patch | 90 ++++++++++++++
 ...vent-end-of-track-overrun-CVE-2021-3.patch | 87 ++++++++++++++
 qemu.spec | 16 ++-
 tests-acpi-SLIC-update-expected-blobs.patch | 26 +++++
 tests-acpi-add-SLIC-table-test.patch | 55 +++++++++
 ...list-expected-blobs-before-changing-.patch | 29 +++++
 ...test-Add-a-regression-test-for-CVE-2.patch | 110 ++++++++++++++++++
 8 files changed, 412 insertions(+), 1 deletion(-)
 create mode 100644 acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch
 create mode 100644 hw-block-fdc-Prevent-end-of-track-overrun-CVE-2021-3.patch
 create mode 100644 tests-acpi-SLIC-update-expected-blobs.patch
 create mode 100644 tests-acpi-add-SLIC-table-test.patch
 create mode 100644 tests-acpi-whitelist-expected-blobs-before-changing-.patch
 create mode 100644 tests-qtest-fdc-test-Add-a-regression-test-for-CVE-2.patch
diff --git a/BinDir.tar.gz b/BinDir.tar.gz index 3642262e92563a532519a197d212fa3de78d3d6e..9d090b54e78449dd0b521b29676dc5021cb7603e 100644 GIT binary patch delta 16523 zcmb`tbyStn^EZluAdMhhqJ)&7q%K-uK@3kGt0Jti5Mu@0mUG*)#jNT--MP1~vW?crWmNAbKE1;DbQSK&-%r zf!KjKfw+Nqf%t(0frNoXfsX=-14#lO2a*Po1(MfNWWE9*4-}(HnqYjBT1kD?qH+Dz zpKmETC`>zCTrWptjUv37ym=!FEEktWnW$51cbKd=A`4O}2UTR3h`6IRDTWC!F$SJ= zFk<5IpU8NmV1x)%VpAJvSErkk6VqX9pTsTmeLB#{T=E@5W-ZB!bu1_~wW*{vA)O&7 zS-O|Axd(uTtGzej93bV~f&3!XZU7tGy0+m%DpNqy&=Dt&yV=aXFsxq)^-1vyv2q~$ ze8Kw{0+4Ng46(69T9sZRUd*Y$MXkwq)1TcHvebL}G$y!IWFKf+D~m%v4v3>?P)<^J zG{y?zul<%rba!~BL!f(lz(**|1p~SZ#s@~ss zLr}^L81dN{y5-k%OoyG2DKv=EmiYY)VHdGKITtT8$9P^tySLhD1r4X+Xi#Ax`n6k8 zc=Y}L=Ik?n>Zj?)g+4EKGN5t5J#Mb2t@koYP#e&l0jv%L2R>_kLzzO^mW~kgEubA; zkRG)|w5wPLT;Yr!9TM##<`7^plm0wgK@gfD(2I~>6G;bsFi_0EbQszaC&;jx6#X^f z8~}kXWWa>C#P4M^?E8Fyg+Qi54t$zns9axQjlAP9RA{ry+`*ur8$|3j{;vC%#i_@0^vcV&Kk`O zyaT_DaL?xjG((&jnT!slMgB#f+qK2+I@r!XpKS z$L5m zLz`hafcm@pu1{QYJ0Ar-@bzG;p&#Mhd8ZBT3wsKxsXaydqQHwKU`BZ0GnoNf+7c(s zXaJ)ElSBb1)t_83ebdd8G1$KO@L41Co3L(>F8hw>*#^bX2rpq-wno>RwaK7ct$}P~EL|yo~k<5L$sCFnmu! 
z?liwRzXXFW0jvu@&n9<*V8H3`D@TGG5IicpmmxfW&AwMBgnH$%pywF6EJ z-*h%vod$zlnZ4_C_NNgc`jP9(-j8qw7cuq>Ahe4yA6TVcN5q33-tf`iQl}9LK#pf_ zkA5RXL00yx&mSbuSwD0HsWXQwu!#6DCp`4JP+a!nE0Tvk4*>nbg?l@om&+my?){Y+ z#X@$2tK4J!XwC)pz1F`i-?+4LZ6mVhKz#w%)-|MQSvy|2{i?!67k=C5Nxql619G^o zE&N~!tUAgP2>i9fIj_hA5U$|8@oidpd5jb*GaS7b+XL}S-ej#lQP}iDv|E=}wHnqIK%U=h%V`(S8E>RIDeWGK0dW z8!?7S!kpHUVzM{tTlozC)DYih71KK78|X z3K9=`VGmXoXD;|AEW6)T%s~oHB9#3K>VxuftbGz(41l+E3f4AHpN$lWb|JJ=WLc4c ze-vasEbAnu=Qk7Ruew&Sysq$mlZKeP2wT^jLBSv&%?+=>`m%BXP_6ilm2i6W5kYFvF z6>{*?1WUs8YSBUKw;SN?K|9u51L`vAfHJv5=#L!-!-t#iOsG z!R!O80SDRGXZ>T6HCwCr2oN-@0~ea{D})Gpm#g;VeOrmFYzAcT7Z^*EKKG+D{WF!0 zi}}@0Vpm8#C^`aYrDqgVjM2O8oL_BDx*?1O&~M#izz-k=Gu|+hgBe2Z00melk`qKF zVZ0yLZZ^Z+^IgLUcn8LayQ^4x=N(WCyNBeX&++L%wh%s|XSOhqK+x%3S`4<|L&Ps4 z{jPpXUeEd09R307AeI8q)xtY>XQX?48`-%^TpK`nUO|M^h`MYmTY7MTXkD@Ec)cAv zkK|v=P-+tBy?~0nfva>vAD!8M0YGs7Syj0{s$904Kzv_?j)Rw=4f7273qsFa+g1$A z{s!ZNBgq`H#*gkRkL7}u_=Q)(eh@Zy_H8TWvA80*oRF9P7CK13O5#HbZ^yhnnE)=@ zLJwr*#BmVx4p%_bek<+%-DOiN_lHa0(bVk>mOgjz zPbKl=Vu=#yf32{ET3`m(U>s{a0jB++uVdPkqnsuE_^i z{jcd+kT+jo=BVx^4?4;+fV})Nb@y@zi<#`x*bT*YO|~)u;j9!8u9%zahzmsQHrO)t`~VD5;^Jf z=j0CKv=bSp(u3%KGA0Q+I#2g3N;CLC=nOy;tayStDOiu36K+@UWdys3aZ4gRGsoBk zq10PQnnnIH~grF8nd*J@5_n zSOn23^4uXA0wuZxSm4Ne(>EdIy9C z+7r&{zhpgYrCw1>f9gwpWk|ng40Qf&55J|Zyo-)U2LEcle7*Fi>al16svR>UqtT!#5G*<$ zcnAb)0fCd8A)h<6<${3(D|Lr9tZ^P`+OhDq35#%C3ks+Q z8Nh&4L4zu15{iVt2*7;4hURV|<<@SiP&oPkCKY&sRJmt417)T6_-+Y`!ozRH z@iWN5;;tM7X5;V~atsZM32s5*k_^FG;qn7h!r(xM>K((Va3-JU;+G>6&M&@K+`K8h z4De&vV;Wb>LyGR2<^f2w^VgFkf5gsk_M*QcFemBJ?^^R#u}_d<@2&;beV6R_d?b+6 zlhK{tb>h!j30H!Td^u*hFz-yjWQa;$M@y_KU&ntp%)MLpohO~lM!O@Jqz|~1J7Kyr z_Q*b$oSa%iVow^PU(d+_kIzry{caA{Z1}t)2(4NC2<*tj3{otC-gelg{5)<-M@aR~cGyuG3{#@voa@vmf{h+cs3R-zx`k zHr(7OrgYu?oh!}{*TIgt72{ez$}8GhZ1;q@_42Y2AvxKOIriv|VQ=};@vbD#9`jB- zJ`3%R1vKV$N#B3XKR(8AhcnK_bSF8^lLz3P19Fq}n0McIx4gU~K z_DcXM=faXmyuIiEgy3GQ{myj*AN@J~C$U|m8cgy8LA;G5E4OF##XI+#Ji)kokS9)X 
zotSq?x9#--CfTmxEU{Vv3mlUXh(&PwWHkk!FMk)8y~gpOA4rxHN4vh1HN^-Nwxum~Y&Vb?w0PoO^heDhB$uOU+_`FVB>*!B((jI*F?CX>-$#pJK0zJr*U z7j8u8OtuqT2jpG0QJ0&_u^=DqA|uaVu6acFUz4l>40~V@;?CPKe7~KuNCJFdHt#6* z`qz^k-%wCKHfg0kca{~$xptOor#QC-QNk6Uob`r+?p{Q4>l+FRfWRvbJOsD_<}Mgx z<#BXW@lQL?{Z7w#N3jbAgJ`z`MCSMj!=2jq_Q>2j_SI`OCi6ElW;=lv|Q{j{d{ zhxpPDz*`NAK(B4roPArT>^*I{I?s}BkSgCQ+v8V#UPk4~5nXvz20t#Is8OdrCof7U zdJvy~YEqC!8=0tDr$Is31w13EB1+pxyq#IlF|VFyOBi_1MsD4m8U`s>9oFdIxHx+| z|INg;)~e_u&x{4bbM@fOE;Cl$sJX8@Iw@(f8oUcw@f96`{f7z*RZb=E zhsdmZtd@0 zaVP=jC0*lnuNP{gj9Q`m77&__*Uo6rhwU zD@DRMJq^Au#jKGLRHK7wg8XRCJ807dI*v~ZmmZs?vG)-qnM(1oS;?kYzn;*!7~T3= zM#?iKpOLZBj$7x1D4q?ms+Yv4$c+Jbaan6(_;EvZVkpx`8i-0$wt63P6^xoNXcFYl zQVg42P;ij3X}7{_Q*1)Fed=QP()Eo;3smc;hlGB&*F$Yc{1>Ovuml$2)z=j-e_wnb zBy$qd^oua|r8&w`KPr}Am;ajRqak0d8kRU&%G)6yP|DjQud8LnUO^kTzHpVSEKTtk zVDi+En|~)#!Z^k@SR;Q{8keA6rzOuj_fR~EQ|XOnzQCuy{BXHB$SBGATdh%!P{Cq|6wD`4TaPz zRpvg493El*2U`+JoU%UHoJO^s_pJhgRFg&TKTqORpM(EH%PR!Ut+a05!k_hi8mJ9595v1VP=fXnM8)n1%cPyq zSe2m@_-+tT3hVY`zW^}fLe?3?jQji9?wgQeHzsdCcvJe6K_iy?QN+VQEopFK?44=?dvj`5)>&<9||2ok<)o>M4n1&+x!?LahFotDk^YT!n8yy(BK`JL0(dA;D-ojpLk;7N;33AFQXHv| zPXfD@f1^yPQ{?=|jtN0u(2JjM3>kadh#pq4od-!gY^Xr3;=*|I%NKMQ$CrVq>xkVB ztB4dOo)7y9Qc8g10%7quIcpWD_FpPQChEJm{zP_${zN5j3?Bvp4mV*-lGf5Fd40|k zkhZ^{TrYU?a%#L#3YQ*kbbKwq1;xZvHdyO!QmO%$Mw81-5+9oNnsp%3jUnNMzaJXi~ic|F}^+9AjYnFoOts| z!^}4^?t=H^cj+*h(TH?NPioCvKMx zSsp1&n(u^R930hg%#sECFe;v{|Jq5kD*fhb5oS&phTln8iR_wtdF_zBo+Byt=XQ-L z$Ubt`&I$x<=IE-5=ZJq;C(K@q7RNgy@iEqjFf}O*BT0%V za_2h*9d6pGA}&T`Z*il?!^r%OB(1fSmv8ZzDj#QAW9N?CGkMMtW}DryQiN_?XlEcv zzR~S=Kp;eQKUq@Zw5=ZRe%PhQxgwrusVY$VSm*gL(JwsWp_agUeAIXL+mM!+VYOf$ zW)4oEiJMFCgOFYcVg?aEeymM7{I{eJwS`4&`Ynz+zB;1ETKRw1u4*GXz^!T<_kGik zt>1Tllc!xUWc=|jrB_73#A#+v2ny%T2%i_|KKFh$8aK3gw9K(?D%0wnypTn(unpVC4`2=ROLUGiixM3^;jVY7P zG_r91xKtYFZHsx19OIgl&EBs8^R-$n1-&_^JYcAUvnSG=zSn=jN0pdiOh#c1HyV)+ zVnNQQ_zlEbZ>j9^2TbVs6)9i;1tg!vm6?9~@w7|G=W%Va)JH=10FiYn9q{b>G7|BfBO%m+IElB8(S=KJKLr-@{eS6Y()c}Up~iPq0?zc 
zs#Kar=3@~oZ(I>Xovd9EC{K3E2?@$!v23s9(PSh9#Jf365-96zNoa=BGP$V1?s>Ob z`@DZ_3tAX8)7EYp-GILLT3ppD`K9E)WOfgpN^6GOQ$1-X6RyWEjW%A45FF zhV*}O09*_#e+=8MP*u05mLiO1l=qW6gG}g;X*I|bd`ITEf*;D|FgQ@^J(pFjZTcQ# zHkrr>qNp?IE2DG?E{^_}|6W%U(EV3s;B5FE(=D`;{VW^DrTB@ z{`qRqnf~)tK3ToZZa!YKsEe12?_)c;&~P@TuUBtB_k*{@_Wp9M(=LC|aZrkoeF(#Y z`aG3f^(NV{6@2#E7Z6*iwO3Du+<*9x54nH8Dr#lZO9vb$>^{m_zn8OCl(P;YI#yV3 zBNB_Nu#iz8F%3H8BMVyi%Fl1KbEb_oQHi09J6W9T#?|}u)zgV%TEl%5ZDw^ifX{?P zxnEZ`Vdh*tA=Il&Gkho1L4!Rzsq z8;ZFD{O-uWpm`CfiTNzGE2Wo*!++}QUaGshB0kBhll@O+j6F$#^KrDgkM_$RUT6e* zDLiX@(@V#xLtsYv#B^}-;o(>unA}7Eq9AydjH_pn@1XJ zHP2B1UX$Aqv})-MORT#UVcoJ?9?YW%enWnpbc)#TO7W4O(>{M6*O6-YP}+K0a=U-` zrDUy#Lko4HeMhcTi+`g-eA*Y7aSzvXXAXO=LOj(ZQ85|snhFn`1nciF-;qM#SBP$} z&l!tl3;oi*(|hz}4rK~z0IZsUv7y!YA#Wq1-wOK_K5kRPS!LZh35Va9AiBu74KOUI z-cfVi7pPO^x5Scp`c5V%#z$3AjFmb2F){bbvz?s8FQ;@>*h=8rqZeZ`!l+ed1XYu0 z`r4B2>sB9JUS=JgaXS9TA*ibX6_}f2l}PThZ#L@i$J36I zj|QLW0~Qzol+0iw9jTXipHx~^)-$vbF=~~Tg>Yf;ao(am6=Nr0BmS!TtrcQQ z9W%xIaPVPwB7H>T;?swO<XlgV(2>7a3P;UdlcW%Ujnb1Z^n+6Jb~0Kc>U{ zPC8O@rai~v4!Kl^?46tjS#?`kMWWAXYEWBoj@ z4nBV*8ULqX{6*scw|PZfy8=$Zsi+Zm{PL%vW2t?s`5GmWaO;@?1u)6s(h5RWax9#C zdHET&3Gqoz6VpTUZ#^^;zl?+^S|n5^?!SF~vQ=M7{L5V0$$UEY^VFA?g3jY@o!J&i z6Kdd4j5**7Tl0H!^5Vlcr20Q|aMcq&uxg^Km17p@;VU*$r8x0%Z(AD;&2%J`__MmB z52u>QLD*i&YD;6j-Ns##DXAOzBu2v_%`b5DSK`-^f1P5~Tpv#F*YT^Q2SuFWi8a3{ zVH^A-;nbC?G$o1kbJg3}oATqvb${6{>Y56GmR9^!-7;kp4R)w?qmj~8_&avfsSqv1 zV{*+$JzPJluhKsCnm^RTe498#((OrUkwRpdLiF>+r?CG~mUuw}~Pjz(sf{3=k zSM9?wDR5*?V$zzJM6xPB9BQAx-P17Xw4rPD`m~JqFJEc#r=&{tI70ppXR!xBTtkLc z{DKGo$K8HUV7BnJQum%-9nm4PghE+IA=Q#eJlmhWcZfHy6F3RHc?7QQ^h63$be?Mxw}4_(YY>DMbTQ&T*yhCJ5gr(UQYRMbr3OdoOC8jO0+ zpOnt|NfHeoRS0W(Wc$@XSB_*Ys2sE$O`7BTY++k}kTdBnVI(&0!Ow^$5cZM)?UV zQ%nN!CtA1N{>&Wrgb`2S7{uljE4KBCZf8?TiyqouXLas44J}OFCNJwaJcQ-Hhf1QNU zW~NfJE;@(1wV(*x3bf|t@?Y~Gx#{h8 z+TngZlZVWMVB5d{{*J65e7+WYpkUO3?6=(iphZUQPw{3yl;S410HGAl^wG}?7|b{0 z{!Ja#g$;+V-zyN(2sw4}){x{r9pYvf<<<_>SHl)(W!$#H?6hM7aNM?%hq~+doxO9g 
zW{tfE>I7L#-V!#FL0#}XYqMd_ujO3pvTvr8)%)>cjL6xGge<-~Op<*xlWWNOi8J>( z#++a=J=0;2pxWH6E8ly7+s>B1M(2}7-GEnovJ@d)xx9O@SjH)?IGl&_!x&~2HO*0G z-aZFQmD=JccIXQe09u<){i^2CNh=P)@!t@4L#5!Z9>}^IUyqyngR12X1$Xx#(TG8e zP#{z2oT^+Y!MTsTeIER2hW3%4qW*a-sxeco{v6fp6M?TeTE4 zf8_Rgf`D@|R$90+rjA;7U@?-@?5MB$1r+>g_}C7C=2-^78zvzXwLD>3N$F<9u^eMp zn&Y|ceU#YK5+D6L;?_~WA-fb?)rCxci_L7K4HW>#=AI!Ti5;pV&;8adTQ_woSL{cN zb?ZD-GQk%_+WO2ywU-6$y>B!F)!2hdk9mR|aZLvNInu$$p{~3UYbiW8NcFbQPx>SJ z2U`PIVZd*$=k#NB{u0e!ZHZfL;_^j|UkLYGp|H(`ov*hJJVX8*xv{=PvWBIxxhdB*nZ+0J}L00Waxux`j@<@pLkDh zj^6x-k&9KD5M9!dB%3=8MPb4dH-i7!dvUn+B-#kKJ;DV(A#DAY*R?~0s zF&)Y@qui45NEbCL)TvbC)S~Xc)t3bq_jFVS|9MEHFdyxKF<>Zal}*Ha#M8-`b-(M- z*^T-?bo#r~PiQKEo5&`D3GcD>$dbROFtfq8At31G(gza_*uf0S@LG!&j+LgB6m``zk zfw?5jf+UTWUoQqH8A*$~`7UO7R@isQ2xc^r3idywOg+^J+xYE%2oNBR*l({yJAhTaJLnuY0;d@BoG%>eB)5 zc+yYjZzd}GJl5CJ`QBxJXj*x$q%t~dL8wAGG(BRx`W&J>Lsp<+@i%qSSOF)1_?@G< zwS5_#9bupL2i>21UYo1+{%vDs==NfPb^I32wLdHVuCI{fe}0jDL3Y4XC8Ee3sm}?X`2x>vgtS77iu?9f|=HB z>SWV0ZC{t~ktOt;7Cffwme-CK@|r?`|F(`_i%#1+7Rn_vP5R;E_by5%3$$V7tQ^f! z6MT{8?$4VDj8KdKEw|vD1EQqmAG=KtP>tM%bx==~BB}eEOGH??6gG#j6zBinaS0Rt;SKQV$?%w}1A{7iN`+44+zi>l zCb$)Xu|3s1kB0ezP(d*vJH8uth_rjY)z75)ijvw`CZEwhU>q%x(0CzJao9Ca2V&Ms z5Y5@~8_WdlzhLp2e*UtnTh_z*okOWV(>&Sq^UILjncW3NY|2!;0@DMTZw0zl#m9o7 zcXG@tPU8ON05pkPFPAHnlMFPGO3f+ELFZ}`-Z()MRTX4sq2K;7J2lJhoq8~CqN4O? zuGF-0$$DPx=b_Z;irfhIqy&p^!K|8kr$ZKem0jH>4=i2k&^mt@^?h3~E75H3GA&7L zpN!zl_Y0C-dH+-Uy;Q7|exJO8r!2xN5frFK;FOgmlt<1qe1 zLKiCWQ~&UUmSjLd3N#*bU|BDI6scyz<>t|Hn~Qz9PZ2vN6#HYZUW&G~dP7-(`KJiD z@vGgm{%YacZ5>L=^wNm1WU1Kv?N4;kmgI!Rl$pKxjf+DjM+J@fy=k6FPYvA|M@m9} zNQeZ*4Q@))i4`l&x|Uq8^5BZRr`_ImMiVdZ5B93dA=vw!2Si<#2|`x2A<^OF)3Kf5 zqmZeQ3kB!(q=@1uP0#Hri;wi1TK7+_(qDyCP$pGWjLoG(^V1y3qK_16F3e$XY?=?= z*mw^*q`T-xD^bmvLiD3gJhw9f$S5P^H?vj9N+K0k4sXvAyeN##{fw1udv+@t2d#x= zc%&Wi-hR`N2jJG*RHxP~^|kySyQ)O~Rr%7N4G@9aMYQI~-;Xi8Ld)M;3EC%VTBx9k<{mx}PH}DCg@Mv@BM5hy~Ml3q1BZcc(Qga;3sU|ZL zce*4mKD`q}B-@>Pe0K<~V*+bO)Gq3Je;TfP4?HH^|M7btv0J2XCBhm&p1wXXemIx! 
zFtw++#}E^9)H`{5|4w)Ujbg z`$vwWxkPI2@jo>5RX;%0fy(52df<~6Og~u3xc^CdQ8;l18TESI;bEs;>hT*{MYcOZ zQB&GW9>l2_Nttrm|A)mzw>&X8W}lq?fQ5*2-5_E}$V2AcGjgM+TLC>Z^K zCvJ3SRQv|veg z32bfqV3<;7yKv$$WhyzH`peSFQL+`<@%E++f2m`2alZXYOQo^TUrT!%3KchninrsL z(X-w-m@=UjEq*Kv1nc(CDU275zV%f+?eX8y#d)X2kuF)LNx%V38pH!WiEWQ%UC!BK zza^)sTSzTR^>sdF;aB*O?!}Kmb&BhZyDol#BdHgq_A>E`5~%=l2UpQ0buD@w+Y4HLg?;@nc(a|{2X5kbx-Qz@;+*`M6CIEJfLb-b@ce*+3-@&wl(0Ra+-$DK2 zN+dZUx_n?!YthJ#^Z55~W6P`2@#n_AgyVS8FJz~`Xs0cu8!=@k#+4?Rjck@?hUUP)!;*+bn=`jg6jVPsbK-OR1qqiH{xpgzpX!9Fq~ z17@?Nze~C zr^RMdJJ9#x73xG*tS}h1?%9X1rRHDNDy`Kva}^Mxub=I+?~*nId99kqnx2aF&vxNP z1saHZbcZz_Q;W6zV8Iu)+GUkeq4ZiDpZX?dw2S^t?B`r}c!cQ1pM6IEuhDOagL=E2 z_nST%2B-~h`tce98F&?(U9<=9nyR%^v@`H4rU)Tkb&D<@&%;*_OGl-X(^j^J1zwaY zDg^_YNgM4q=Q_2(UG?x(7ofl1&Zm?=d@5i-Mbyr4+n}?S<-w?tP2iRM-hj!1tR(x+ zKyRM_*=msqEn_;cxNe4gKw7qw_qT7A933D5U&<`;lytz*t5e?Np{`$NMN!n-UwHU< zZ-MRy$ae>RLaDO(-zM9{x0r6tOdJLd=&$&;yOX4>f!&kKBr@`)sK4_$94PZ=rxAbc6A#&ZETJbH4)atU}n;Y*M$LeS%g`?+2tS+!{HkYUpu6?S;H zBsb!sYXHmLTej&t7q(m8l|5vkk<}FPS?cG#vu$)3Py1)u;sC5ED@$Y{=2RJiP*`l8 z5Ra(~p>oScVYg#_IrBU>}6V?Q55l)9CkO6Q*Ihu@xpxcV4?hv^_A56s`~!d zloz|ry5xUX79Cm*4@z2&SN@!Yg8xCW=xFfIYBOL!;?xy>h^!Nvg`6Mem#p%LbJw05 z7-ZM}oUhxOn)$RnrM;CuiZG;PH_MK@6OUEyJ_U>h=noH(D!n;E@QpwAnvy5TDnIWl ze=XnTh4xQQncH)1wM$6$#{KOY7%uJwHJM+Lka9KhrfB+!4}zLT_A2uZS)}!m1#nmY z1t9IIvIe3wuKNS@erRn$kt?CYmA9`k33a1&N-+Z6%}1x_j;{%{x@Ui;<)L8H@||eBI@zA`?6Qtt5Ukr$nBe9 z`1i?*tdbM@!Gs0@#AQ*l-7<2KY=%eO9xkdJ`WX#Z;YQPFRlHDn8Vm?tFVzsJ6LV8ysUCI^fZfhAB**EZZ$oK(u2~jRyMI;SCsfkm}_Kf0!1?w zYK^qQ$em~IM<;t?XH9p;d<`d;Eqm7`g_ip~Y|v}EnPSpJdzH)Ss?M7Nui4qwy}Ft8 z!AHHN_FCIVzWom_l~iU7eVeVvYu%fxJy*^QF5FLk>}`4<2q<5a{w;9J%%^E73VknL zjyO0d+h*%M-n1q;0spnBy`f&O2(aji^t1NNd#~T%W|F6Rv41n2-Ep(wCL!;BFZiV0a~lroIiCsFJaar$hi{n8Ukq}yiKv}t zkYQT#=)W|P8l!w^GSf8rICYO;2)o$rbBoBMZv?f)w(siMPCnEC-XFHHN!ArYUSL-Z zNn8a|XoTbi?rJl=Y{GvxX_oi4&pNcK&nQpvosOA{LPQ&pvLdh2v`r#tu2%>Ij4*u zPs4LeIm>*@!w-&uR6Ng&@??s1{611RPhRM|2R_Baw1EpGl@U>(XR=Z^l 
zEqb!qLyKB6ZM22ws@=-BkMxF@8l&o*X>FiFD-hR~OwrPR1P;IzRc={*i=I^WP^*^A z18_x+TRHSdZ*0j^$OgIx8iBcGL6$r*ZJ?AuX{IG;vUACk*#?>lPR`u22A39w7yl7B zSZegIb4Is;Vy-~&TQaG&g$1hJ?6!`64=j0-*+8|y6{l`ly-N%Ii~k55EP3+VKo>v( zXk~P%F|^K^#0JW|0#RzogjTv`buW4n*h62pWTu0A)c|gGJ4e4qmONkBKpRUlp`iKU zB~LmVs3$l9ckW+;^UgxR1Bpd8z`)Z$YuvKN7Cpu6q41VW@=7;@jz!OV_Rt65q}t73 zV9}Go9vTErs@x2E7Cj%?L#3NCo9)$n&F95O4~DjU@pHZ@osXj**BwB+0G$CbXcM^7z!F(Ag5TUm0IIX(75 z2v|Bf(i`;o+q*jN+>gjQ9%rBg5c<>zr5SZe$7y-_A9fnZ3%xvq_^kI>EWBKk&1mb0 ze#vF*(GmG@>prrHjs5NlfdvV1RSyMxfK^zo_icX`oh7X92N!Z~s6(k&AOqIW>)am0 z$zN#Sl=C`6zag@{Fo82;E3PbVmCo=NUw=f?=jNZ#+qmQlob`Mizyru%ZS*+MYjJ(C zB1CSV8QuWt)rD@9IiLRJaz34%(;X(TY}vH@Irz)=)LeE~*von>tStl9vKsMX-+=sB z|KLKZxs^rvc4NrnqG$U@zKt(Tz5Y**^c|4jgwe9u_)f8w_h~dq70E7=jf*0DdD|x_ zvX9Yr>!V87qSy!eKwSWuW9tL^iIugv6jf;8-I&I`oHaHxKc!mafssK+r4?Lp?4?Yz zI8eexjqmMp)Rc9s-;h-hw&24gKD+8J$w~ilZbsesvTEg-z{&B4IqwS2BM!n#Ubp3> z*5~Qt@p+E6p+9CBtyr5Km*CLzjHwzgDZ{aEOIjr;?ca6ID^S=t72G?B4mRdKkyaZyUmm;4&I#JKL+v>T?t9a-y!(e|XoXhup zo#!ozhLJ@I%}{aqeCvyBJnNc_^SfxqHY8t+a-Q%QAVM0xzgZCkXo~jV-O9}ETphj{ zX1jaWdf`aej(5zSkWALas{_-L>0f+x|i)(eLRip*}zB*O8bnS(tL zGZV{KRXnNlsfxD^+^G~wx2~@LT?W@|&iIUgYJTV!w?weS%9g-aKSJ-2g%*1wNS7Tz z2qvBh&xYKpSRx8}kW;D1{~a6nr@oQ@-<5{j3%2u4kQ^hNhb2fS*9MWq=eUtPv$o1;wn9#@ z<3CNOi{zymq@*$m3nom$cB8n`exmE@+Ltz)3DXsw#d|rYY8y@zsXSZ>SghR}zq>Xj zBkyj=H21Lxj*bk|bPYsmd3hQRJ2~6cE;!r!J{4(cq-HmjTf)kh>LdB!+M)D!7DtD_ z*Wn@BBS2)bx5i1+MYV>vQ&>Zj79HIIA(9#&Nv&pMx~{XguY)Yt<$ACh(NI>HQZd~W z7IZ4FS*3^96b4V8ZE{;)wEr-J$*H^*@TXnAzWs#5RYmPCuXLze_?Y(OwXLS6BS&-h z!Eot^rJ2f^*5&4`qR%YKEt_FCZtQh!y7!_pT>-}OMj@xs<8rTrKJ@gc3))b%57uM* zUJ3J)$K~LHvM2q`*I9-fn#KB<^@svr0}PQP+375=vD8IxcS8&3m%kAQ9ZS2`_T?X(z|G^UDaz|&E@jGG1cELQmh?K zw0CypUUqjBM1<+j-*e?-(_MD4609s|89hYZ1vdA( zA!X9bQA2XCK+2!j#IbK?;G_Gug*i=THBDO;bxoC~U9^rfRawt&TIPz&geo+er=^O; z>5m<5x}FuvTek81I3^M%+0V?caY=$qY6~e??s5D-PlhXu;q9Ew<7sGr1knC3g1LO1 delta 16435 zcma*N1yoeg_b)CXh?IhKiIlW-g96f_l$5lfbmLGLq@^3_5RsOa96Cfm8tERo281DI 
z-W|U0_kZuL-+#UJ);ipE&pG?-{G7e_okb|je0IY;AQ&SUGZ-rvJNRxePB3opyClLV6nKME!bCJ&~lrOe_77Vm1rls3UD<9n+GQyi4(2dj@Q z?^s4*j8874$G20S>72i(Rv)Qt_E8b$|1hLFrcbRdKs}&2Q*YiO8e_>NLHXcu(49oe zXEQAfE9NAR7emx%Hj-JI4LliF;^Q_@Y$z0Ui%043ejChd#36)ud5`rigOT>R*Dzwy zZFkWda9=1na5!AKJbX`d!Qi|#ZHN3~43uv!;jJ0FwWFknZpOblUEZ07s$3Q=_MIIj zO8XE`qbRmhJ0bgfK+e{#f6i{vHAWr&sd^Q1oUH-k+nD6;6tMfocK8lVXFvuwlWHuZ zy)j-?eR=*Rva21EF$~)_26SL>_hAG-0vBjUqzvPV0!45PjYAqzl%(^e^7%48JC6_3 z2Ap6Rf`_085P0EDD(cq#0Taf0!hkVMC(iJ3^z!F0>`Nxx{A7tJlXu5A08W=h?2OF5 zRt#KQ&_uKo#z&uPOH;TFyA43^rBTE$Vh`(r3~Y!I&_|+*?$XYd8yZ<7HKH&8<75dV zlNimRNStB$ngtPy0aFxb`1zt{RXu5hCDUyO+UZY z_yPvEA4W)>L@U36Q4<0B5Shs{ApBi@2;h)G0EwnOw`SRxZh zc^F)B7(s+E#mZy=IgGnSonQ?2T1KD-1KjXHBT~tQD2V|uLMEW@5(6m1W!iC2_cr2f zUmjSd3=1k13r2%>49G5%%t`$kz!jxY0wu2$Iu-hww2SewqQsq5K;s1DGFhD+AEOr9 z8{dMWX_vmim0gCJ)@ANy@@|3dKz3p5aduPd>JfiXmT^a8`SudtiO$Z z+=(3@Xp;8P1dqI1hu+DY-Ub=yfefVOk+^|yNEY$@d*nA@*e2Y~Ukw@AjtBv_1PYq!EAtKh_m|kx6O>## zf(G2moysmTvL-;%>lYhrc{Vb+s3xRWt`pbi+k}V9)T7J_16{hk{Cm>c8`%$dR zEqX94Qi48rY2M9D;sn%CJ0cT2yz~b&LUA3ych3HUXqWE^B~2Ph&V=ugMxZzY1>`}r zv!KJFj;zE4hDo;R)jrNwz#(|BmgMVWFV98rz7A8kgNl5s@S-_K<=s9*HiJ;1UJn_r zc_D9BW8nrtUwxdr-baa=#JGLyU%I42BNUPa3h(P@$Pw{T0%4LZT?wb!%yioF?m+c5 znH-rOJFa#S7Dpel`rny$T8|xxbzlMh3mc`oAvF3TJKpf4#_a3k#?*!#??8BX1%;^T z6TnwvF9W=`5C4&7X<|rEL&J9NqSO!bK(>(e!w$k~T7(bNJfH>d0HB*efHr)k_it-D zH0uhg2=73RrxPOq4dg{8!gSYrMPW{6$6HYhc8XhUas+_XI=mN7i~zA?dvgC0XD9MI zVi}MJPZ5o21|SvQ^3MP8$*DLmoJYYy15n>8D6WCBv(%2WeV<~JpB)X`tvZK92SDSL zmx~{bOL{xr02D9t#<0@uh8)D#(-zHXiQb!~qO;OQq!=2ziJ(D%Dssx_*E&k*NM@H9 zAiYt{HC1WyO4_9glRgPkZoRlRQ3A0qPW)aY!p)Hd@by0=L<5f=3>lpLq;F}##~5_3 z8p;qRFf1m+hQbeU+hKSO!hSgx%phL}7@&PVX(0GpOw?(eKDm+iGc4JC1n;G&B07)7 zUE>D8`9S5`Z_dSY_yO3p$O$0sj4T2P?CA5sM6@CoA>+?*u>l5{NmP^ekYl(p^!oVf z15DWo6Sf3iLpNT;8a#&$%(QX{Qt_PoFkcWih!N-*h&t3Li2p;s2pMSvz!BmnC1|L`~2h$)he>jDh5QQb8-J1@&7pe$`3O3^2>MYlCc%yU3 z3^P9UFQK>=SYN_MJv;%k6QVAi!4>r;PDZ)`QVROhY2pkM#(2^P6P76iIUWEN@V^6M zOVekcP^2JN0GY#lnU!04b!QS^WGm+^up7Y7gqo-|dGSsUb_2JCLnP3xW-1VV1%hl8 
zrSbMqXdcC6h{F2WHVK+E*JQGM9d|nS0#*1A7g-WUdV_u8B%(#LIyiiW_+J!yP!=QHEYS)N*fDq{baKQ)4OOSz8BSjFkF^^iZmA-(!1W%Zc9p1eW z_{xBF!zs>?7J#T2hI#!&X?jR6LwDqoh%a)^8CScyf8+Nr1??^dTxTrH6yF?%jnI7s z=tRS4k(E=3z0K>ZT9o4f%5m&X5K3iNhVw@;bhh* zpMU#_oL78`V!x1-MXDbWgXl(HDMRV%=eTDXPOoS$eTo;SpCcKj5naJkZ#$=?>nQK#vK!}o@Crl`vw`3V?MD$U+k-V051LBa zm$8<~a)NrhJpT>MS~p-dYl*!E3ucjr^fQ+W3h^ANOgPpFN^1GK00g*=Z!lOQ1!O?; z?q(8ziSIc;96hqNjnoIfa%!|OneYh#1diV`HrvI6L_qL^pz-V7Y$Da^h0dh zE2!1ySoZKU;kB`BNGFV8H}ImeDT1Do zJ(0ml<&vU&0&IIzG@?*Nh-K&jX*VuPRXYBHAxsii`P|IH2h8DE6}$Z?jOCV3r>xE< z==9Hb0^mB+gEbZ#0rQZqT+VcgLrDa}{lFaNp9k)TYO*5P0^kH=Qfcp(PLzMyM7XJ} zqj;8EGC>YR4~y_J=LXQ-f+<*@{vA#O2-?+5-Z+#`035{p@^v(*KXd{F2C7%{b?cyW zPT*->F7!eh57ru|8F9*bWD`D)JxmBD_aIEKZC@fclve_Z;YDlg7FZPCz2$XoQ$-SE zz}UcUaXI&VJZa?Nu-N%{1nMdPPK&NXcwj0njz?XAEk_eBG0!~k72ZgH&=7|LbDt+@ zgLD~a!yEV3quegAC^!YIrERt(@6yO5ZZ!mDGu}A<8T`6Le2KZ;_W~Mpiu*$5#bsA6 z5PBLLh*Tew!M~J=L$dstM!Mt!gr};?D2y%0n9qt-9s5{AAnL4&{*1yN)!Yxon?qqE zfbeFY*aYC9BZ$?MF~*Atc1?zm!OVn?gNY?+L`xbBYfS{IpuG`nSLpTsD$pLX4u4@r z5o6iJfSz=m0?8atQ1_f;c72ySQo(-6aWhkf2^EV8lR!IC2khK*b5yToa5AI6`W)RE zf=eqR<~zm2PEexG6;Ht8+KTS20rC?Rw(|klxdw?I{z0@PxJj!ZbFhbV(7kaEy63<> zK|ONT^UXd9#Pt^T%RYgSWkUN=ZS`fH2rwGbCny4EN3fp=dI5%H`DPUz5-iw5 z(4B2)cX}zyOs!vPDx2b8rt>mi-r1r^Fu{?MyIcyARsb%EpXV@1-92RDO+-H3a(aBj z_h(76&%#(b0k%0)K6xKpkR;M3`J0McWO;qJ}V*CnL4C^Ql2ab$Yd zBY$`oK-DN8;@(({W#pQ^06A*LwcTCx@uS*?{IOBu4O)DBWBAAP<)!qWLuNm!Q;~Qi z^&bZJb;ND99seqWeVM9cN_e>9pL(jEi^^Ke&IJ*1{`{~A(!~&nv>(g4kg6a~Kn6Ac zM7nz)k}Wy;NpIieI-#$<4SOXh9jApciz z^Xx)p(0+2HUCB70sd&;S7>J_!iGK70$IE3K`9VV4#SdhQ$I)d!bqiuP-J$U5z*p&6= z&ejr>pU~D~Dk-pl)tUodapDAN{7a27Cybj1+jB8pi11UB3uMZ9B2r-4H~th%D5lC# zhEvl7e~~R4KbFzhKxrj(tkX~H;$Y@u3^+HAV~4$-@&1@?shg!=E3t0azAk}qlTkgD zcmYj2wakr8Kt9;=QI~^FN1-H`=+-=+lu;$gs<%gV>))<*~}UH!gl}aW4T@KZY$CmK&R+R(+JxCBN^; z@106kZy8_Sp>btkmEzAKaQ+fz?Xh@Fa^o_VLxHG_6hiinkcT1d!w%HxM4b`&6gr$| z-c`cJl^gX9_#1|KZ=Y^Po&7Q9r3q2CY*pDcuaM?{&HkGG4Kdr`TA?vFrFxQUxd|#**O*Ltc|VNzmlbvNVwCaeQ43+jcS;V7SGpuruTv3*NZBX5_0X7RU?&IE&hqw 
zT>V$oJayA{Jz9BM)8*jL<6oI$PTIg%+r*v$Zx^y z>dSat9l6)sfz)&}WgiR8Ysa1mKl#=(J8rT6K_Og&Ru&mb{h5PAffcwf{Ft0inmh!1 z%mVWRA4VSDoZ|lNf#6vIi+!r9e^KgBW25E*^t&(gACdHb#QemF567qBXdE#rF#Mj*^Cv-n%pIX$t?$+?^{LgSa3|?5oYi=bK zW}m2Frx5piyZR>&PJ-K~1kYj`@`|bbhY=?2q8OF6zlKc#$SHRp-OH(7BPGL#_#Ava zcpsDTb$r}+rL=pB*s}Rgz{xW)o`)o4coDWvxW#1XXCv9ms@nmP=*}4`RF9_&E{~^t zpc^4QVVI^bFVAIh;mpIpFv2ZA7?76I@#`xG;WJOkySkM5ZKCpiF5&mDlmz!c=J(}v z9s}|;hL4#`{;*>*QhS1;Ll`+8ds!SZC6vXABG z-k?uWU^33Op-;6vxHtNbtRZOPGkV+pB-+%_}P+?>V+l8#_PT+%f?L+ zPC*!9FCq{Zv$M(O$n&KAx_f~{mmPC1JOzV~JLm^Rf6+q9iy4abaYuh&*(UPOy7(le zm@mY2drF?iX?U)Yj$sJv-TmYqPM;G;gkQz+00>?Pe7pFGBl8r(Ing)c8WCd0Uduv2 zu-D#BL{Rqp-^0|%Jm#H|{^KM)X1ypHrElc-sk>uRb~ZYHl2vTHO2ObaiP0-1mmkdI z!U|q$F|&9YvG44`AbsgexA!VhmlcyBZ_q671o1g&vReN~%H0pP^{<2L2>NZQ9uywP zrMLl@CGVc=3fw9%D8dlI&{h%?glY7Mh0VR6TT$F zyIv%F6W@Ml{2_Vi=PC!ujDPvJtV!tp!q_WWRrA+nE8iZ?YWY-WY1AK6I=&-7-+^E! z?>O#oCQ^7@w>-WXeN0pl&W@ExL;g5@HqgBo$dDb39^!}rTaPfTCE>`^dV^p~HUrj& zwqAP17|b6^^1eUmpyziW!{Z8jMn7cEE>2#%`UUhvq^{fXgLI`l?y7b^%W!Iy_w16B z{0d*Nx?kx(nv>3J)eh^_SZMmh!y2~#kIr2%m?tP;)z5(n`_bX?#TQC%{X!jpyZ&_w zqdOII5(LkI2K_82oUD?~vv*MfZM|1$<{oxesrwZPqa;KacTE|+7Dz`wQx!<3FX;G~ zpZk#@=M;s7ALA57ljfFa-k`pj>m~*6!*tmOWt`PlvWW!UD@kd47(MRz?}#~?v^ve- z{UYz7HgsosPssDlh|&iLVDWzZ0yE-)(u(LGf=SF}v+)vM65sgcNIGuMs+mSDuL;@$ zd73?*Vlf4!wg=+++>v+f47g^M99@4WXPDQ7hYnf9q<$u{7_>MxB#-PJIelzI>#txp zkT;7d%nW9lCp2+pWvike1Hc?2PwmL^BV2G^rK(5TK8@dXFGvC4GU_9cdl~G}9j<#7 zVE(KB2Qftz?Y-dV_lSe_C3R|FM)hLdjc9vxpt{mFQKaRha`V1VL9T-G(cZ^$Cb?Zb zw);#a%u$62&psz)&E99D!eib=tWM2L*!2csCvfkXx$%cdJp0cGBKn<+C9u{0+skZI z;u#z>QDzgP8hE)%{1KZv$D)r~m6)!n=a`OmspFU~voVJ&z38h5^hI0f~O{@OOnv z;%0V^+FQZ~&r`^L-7fe)n=biZEBA;1O!nDe(hajGPLj-4RI;fZAr=e=bb1s?e!r)A z!|o~PgV->Bs-#uhlpAL?o6Jm&Ci%qtvK0TmvbFL5xjps2Z`&?--^YL9>Zwa{?2Afb4HfkEV= zuL6S#q#uUoreG*@2SuN}eYzBK@;0bjNZMFVZd0G3fRK#p8Z%eaBp(>Y|Uy5H|dA_)xb7t*2>!>L96@cVI zoaDmZq{7g9D`1rISC~Q!pBZLTa^g(uKeEP`mdeR2*CqHjiV|E6kL1wB5m|#i|&pK93G@mvsx`qjv5+-bK_UN zlc?vIFe2M2zkimZc+yiMWmrr5i~o7=*v7+|92PLPf3bME30rCfkH+?;(oG07d06w4 
z`PP0u{tIFwQknC~_zwfME^9u-7YwV&?h&HPRv#@SfKBd_y#d~h4H2%!r%wmqKP#V{-N8q85(h80+xrJigq2{7vT`?7q_eV`bsX9OM{XI2+jW-93SzSF#Kgy>`MvXqDO7o_m|i= z4sK6D#ZY5y2I6KoCk z9Tu1d3O^Q^Ho+|afXLERHIMu6*`-!%n+~tLxU@}w&npr>$)rv>cJQ&EHSFDlr=t%1 zAr3eY{3oW3f0xkm?;v)rg``h%ZejJ?>mPHs;fVCrynC)U_}D#;*AqRQNXw=Tu<;YhQVj_3b8>zV3P+BpQ*Iyh!)?B? zBrf!)-~~<|`%3lSEeJ_KJZl>SqRgH#`MOFr-Jg|qv^2uOt|yoh?xy&J9a%?q9Fm(7 z!tlJ?rsu^=S^eRvX^1_Rt04{}mHE$;Aig(q*ee}pEf>q)Cce&6ywX3jDHx1LB8e+9 zj7@)cP`EuajQ8bDG8{dmqfE>pvYQ#TO*|uFNmMUY7cN)Qi#3}#(GX0F2MDc$X-vD@ z1-mIt8~icy&H7=^W}Yt}p29#tAh z^#)6z0>|2z@b^#ZG#8N{37p9rWfnn6y7td?@_zc&>WxH`=XYpXxQ#m!2hY*#53Yao zE7Rw=AMIomH(ReS7MW4?*s<%=PmI#SDsPC7)OR(?H=l?~>rDAdCxw!MeY*a6TMv>N zL$PU&mv)_|f}r*a-6usqe|~=K|AK7UE?+klOmYu&E7S-mtkTS7GtFgln{wGBTI%n* zIN*;R5pcd$#a*qdy}r-*E04?QL3SAWjkVjGlbg3KIfY_LWiZmIaHFST>}1vG!=9bK z?kJaeDKmq8{yNh%3*aO+&RPROo>2VCqy1HV*SrDqr!C`*dO*Elh^A0|53BCVc=UCM z>r*4zf7XuI3qL=q@zuTh^Reu*3z`}Ywlzk07qXabaRDP>m4%opEm9<$Z>;-?K}Xp9SW|7qeu1kB*ALP2xP5mgCWW_&cpw-LZ zng`w+B<{cV=;Fp*HzLx1sVqac{O93!kM&2TXYs2uX#|!E%=}CiUV51hB5L7+YWH-e z&38s$MgZ?;AAFcC!*EvDHC>Eg3dksDY#+jGSvy*_##nR-csVyOR!@*2R7OCROq=JXljIcp_y)w2qe=W}(OCljbWS~G# z{g6Vv1OIsPyE#??I!HBBQuKy(IN68&JaXmiz%&(u1mzi~= zaM_Aw9R`Lyy6NdSBc#ddJ3(Ky>m(Ov26s4w=Tv_)%K$38(>F?pc| z;wO~WcqaEgX*hRrbr8CR{eBx}-8IkXHf{c8$MZi6&Lwk@ZjpUD*VNd5`#V{_ znfZ5KwY<0EaO?fj=xAF(fuEw{RZPr3I=X!c@mVkTT5!X3?|+W}MPZ?MbvueSVl)Qn zvQi|(_qVoc3kt?#Vl*Vg|NCTS^g~s_xP@X79bJ~EyZh`Y@Lvl(F~j|IS@9C$OkVE2 zqoY)ciZ--#SuXDXeNt5*V4-N!9WyK{F21(46;<$G^KiPXWC?LjFL%9zt+IlGnwXej zadGk8t^Ym&&x7(l(`9)8?(S2gqXwX~|16M+H=XUKoLwk#4LK&L<;^kQnRGI53g^xU zu>WgsJ(^|ppHU^3&_kq5F2PKNIw=bJTmScWy}DU7G2M53E+6l~Y^=J|KY2`SDgtSg zWUoW9x3f%MLeEow7YD`t(l{QBTNc|w1ldI?vd&uP7Ung2**hLmSPF4V=Y z=F6n4K~K62AmrdTdr)yAF+87d6h6$HFGNMk()L(bMBd|u_~SHPQ*_;`{gHyv|aR|JG9(S z&NKPlhELy9+W8hd8Gkl)f%CGQtas1b68zMNTHxt+q_Ak1t74I;wNgykYqu~Hsi&NY z=Em`~G)Q#=e~q{=0tB=yUK-tYI4`*d)dBtpr4*YJ&aGq9wJ2=crzOwL2An}cKl5*k z9CUn+IXkZR-i^zksxjr6!S5&QN6@31MHgrkJ?=$q7}#rAe{`tL&o)pDU<|9a 
zmpvgZGc{%Vr!wfkprdB1=2|6E|hM=!iDNancuBCGvLC(^Uz zrNm@@oy+eWS3scfPm2Ds2AskQO+y3-u3SF(pIXY|&t$gozM+v4$+&~xohjDSFUm9eBB4Ew@{ zSOGVBmF(s+;8ui*cBg;$^M8Xa--2(#1NU$t>UdY9fFoM1hl_f|e~ZcYbt0#F`2Y&^ zVZLWOjFOnlB>$M`G48+7oMj7EzEXP@Q55j>s%4?~b|^@C{m2;>WFhFLCdI=Fp~m+# z>mcHq38J-AW2Rl#i{4BwWnX#R*Z%%u*2trKv4n}T-+yHx>6xxwX}Zjwqe>bFPBpOP zCc>gdhV^&kX9meZ?7yBMP@Qd0?anIOTbm4NVAS(s7A&=o-kTxc>0u>5nk8|h+PjhO zv7nAD||PV5v&>?X_By|SZ#*R5!snp?SkEL$Gp(d3=5 zp&-^|NGly-kmUC;^RHi=kr)I{{ldB@xup~;`ahxgVlk(CK-?w`Pnpy2ZAh@b?M-rir;Vxw(Cm-zF3SFFB?{cXvu{ zTHgHTrmf)RRTrAkOEb-`;Qh@YEp{H50#2^E58<^NpKoSf^eo3ISg>OE1A#F z33$c1&Ne)tc#`wwro4oS;(Kx%MW2N4GZpX3hh=i76tJTo#)bMcXWvpbQ_o*3Sq6TN zeu~g@-@~oiFmw;sB?chTz`NF}e8L%?-waXr_Veil)Bk?%TZ{#SdLwa`%J?p$#?BNz zc-z)X`&j*Y_02lwLczter0rRqWX(uYjK0>RB>vBX+CIC{?|q&PSI^4sk7iug6Q26< z+-pVLn_5gOAI)!@4fD}V3i4$J+xo#;#ZKK7r#_Q(_UDNTa{JN4@;#%dig2Kllb5Do>)IHCt_K03i3#KgOZKZcqOFVj8qwg7(ziZ9aEH~=$VDR9T zJ6$Jwxxwr&-RBCUTWVS~wRqG!ucu8oXlgrpG#&RX1rxaNX?OEcN>*MG zTM0dARw9;YRzV

U(2KQrXQPXcf%S5{25)1n^s?7-*(FS$|rg`MYNK2Zvt`PWGX9 z$8UFW(7QtxXigbbscPon$DA8_WA_zy|^se=-ibJ>OAKw}mj9zxUbx6al5V2c_P@<(0-s&rfrZc?N*M-gfurd_beeYPt ziePWu&>5g$TZg~0SRpGK)AwYxXtYM3c=Nlnm4UkAm@uUC=ei23CDY#blnsXmRJkXN zT+N9enqww78lUeSbz}Z6*Y}(btUyb2>%|F&PO8jf{u*8!@(F0gx9 z*!%m`owG#PxNNh;!e?N@l`!bUs*20ep15J&up66-x)laV0~^4#+P-v-)V8h;BoGaSMvusN&x`{~oxooUUR1 zm&&&B@;1)Yw{gA=r@?Iq1a9LKj*btJ`7I_v=Q=bWlmWrEvpSO19Qe;bAWX*#>`=y! zh*#xp)XUM8VY(Etkm_WElBjNRI_p^;6Q!=F*fW?nGv+B6+gB5bI~g^+I%ez#sq!D6 zAG27HRE_7AAR(XVe)Tk4c3}PZ2{FSY>u!_o&F+`G^xtDnPQ(HjrW55_4PS@3J8Jb^ zc>=Vs!?H)cJ@`8_%PiKg51W^Tjqg=^b=gW=PUHnjG@ZEu*K5_On5PNCDx7|c7{Ush zT*x)|RBNK;HbbU7r$eUxRj&wdH_>MZR`g{y(=Wj}Ah_JZl*z0zIb3=)87+Sia@srQ z!5fGWvATzA&`s9TL)xL_ZoUUJv+QKHlYm`!X;$~x;&Qy|Yi!mO;VKUV>AOPDq#HL? z+%xa1c*29Gm8`uS_}vx#T@t{dKiDF$&%r(`MO4hluT z^LjrA+B%bM^|`OnR>@8;9UphHfNJ!@v}trLu#;sfg)3!2>_3TOuA(R5<0~L`-SfOp zb6;gmnX09mKrvJg%JZ@rxwzgQS5|_Br62twyFGZn`tIOCZ{Dun?d1!*jpF|W3Qa=j z3%g>-9*&!&^bN+Cvg;-=eufnpN!VUgwO2v(R^S#S{z!lS016dqc-z34lljp>jWrj<`&<0~JzMs)_W5xz4?F_o^TkqT^Htt*3{oexQqShQ6k+O@vtW0}n(Y>AaeuMsf zKn6X2{&2UHY9#)S6fWzmlfw)Sa;g`3cO`^ytwzSjsOw|3kvGey1K-*u?PsDYf@^0I zc*^$xxsH3|I0AwYGDbYXC9P+jB!3BPp{{0P4eHjwAWMQ^;>Vg2ScaYpM`6N$7~ zQ>*YdlcgNTzkcVjocRZN=IXH&GFdCPs`3F=pVex9*PQi^SQsllVZE_vIW)6MTQ^&u z_ODqv`oyFE`fG+u7}4(`q1l|2^WVHf?{*?6@ke3X>t~;KiFgHD-ZLr0*F@rL!*PMu z_fWB)W%$Puc(~ToVKAG?{mL(0xZm>4B?}J97^3*a1t}bk{uUR~?8Zknc)38Tq@|!A zpGtR)8Q}{)Y_vfx`?}wyhHAN3<#{yl89G3N9xgculFgMlVmj-dT}Y-T#a8ss>d%@v zav#jkn%i6q{Sh_yBmP4W%d0dIV2}>XWmvG}B#)IPnHO?#I#?IJ(4)2}t7-_8fj9vCueJkaO*O12YibO9Bjk(mok*am~ur5TJ~1|qtJJ53nIS0 za+);Wvws9av-wWT@@xqGYVw?fPhYgszqQ)?ApeGq{gLmZv8P=0U$mzSFR3#Pvrh{U zt5)s~5BK#&#*&9Rf3MoRXZbr%l};BG$Qhhi+xYRcO`P(`xUY4dOt_zV0T6aXvu0(_ z)pTXEB=;qh?Gn&c-FCTFPhst@j76HVJLmW^zs@1@j(ugqXr1ys=f*^9CmIP1QI8m@ zPpO}JMHe7P{COjQfj1JULhyNu~`oT`rAS;pCxkMT&f#9s_4Iww8SxrVv!A2GY@; zeXhpk;}gnqqNp&0MX}(s+zQLEN*>&u!={MAit;yMyUmU?ja=1l^rjUf5#w$z8Yw+Y zW_NkBr0CasHJp;}7tUwD9XfV($%oad`}wtwdb7Ma`Ios_KIgIfLB&+egod4Huj$P9 
zoxWH)11EvbeRII$xzrnxX9=bDPDoVIL6e7^eR&jFFD~mzqai%Ch+gJ!3!}0MS=Q#k z)&@Pe>-2H%d6>izu8mYYLKESP~g&u7M*6oZ*cwU5ALM5)+p>q%BkIPpr8I%BT zZ}6WbyS;bvggP$Ap$$kvC;ffGGCz3sLf?qr#;DYy6rgy%|1YLe%sb1=;^tTOMNW1v zMzVpWN#WE_jSbK1>x|gNI%wtj*6u&W$@#V=_&1u$?CcM}zh~0;=#-}Dw)wSc_u(F9 z>=-Q^eS0$<%BJ|JrpiC0;hc_QUPNm0gs^}CEl4Ps>!>}a7QXn__z(R`_HG8bJCD!cB@EF;d7l(DVsuxP-T_o&4;H9 zA4pG6?e!-MBv;F8uVNN#>pxWIAz%MkvpW={=48v4r>UHyqr0mkp~sMQl2pB0w%~{5 z;`v&fiETpWhPPNTxl)fX!||iQq0*V4j<7(p?&&dbrbu=sSgAP2pzr0I{7Id6NNtEV zeNn1)w;tZtrDN+Mm0EdfhVSFK;Aw7kW@)$d8F@B8-|(cWi1bQju+6oOI^3=mb+TTJ zn)jJTAtKi<04x6w2oX<=BTi!!A)$jtF&y>E*6sWnrNfnVDO1UFhZ_7Z^(GH@Y1EaR z+!x?0O2mf0II6M&g?lr!07q$8f0ssXzRYe|bxMRo#bLw*?FiH)sx*w}jtQk&l9oHN zGD)Fe5#Bm^HeexrDe_%sI%nEz*lxO8q+{yiuH@laX-hV}N92Km)3k$;f+r4>@}6$U znAODD_EQdV?b9ssySRQ7iZqluysYOu)b=`G z{iV&?nfgGA#3Cf{2#>Gq!3Vt223dZsa*{_v<|63gU{{RP zBBdzlpsK%C1fQdHNi54dC3bf_u58O4V&5XQ5n7LrH-iTFtZ1Q zDBDC;t}dAspdBCc1|Ed5FDVOJ7Ib`!ABgMQHjDtj7>v#N*Im4uxJ*G>r{ zT-rK*j-g-GB3$x1K1QHv#UuF4p4ERLfMiyrQjR>M6iZ}`9VaANvk2m|M>9z2{@HDY zjl;wpJMJIhQryv>0g`3|+6GujZ) z>y7`SSKR0P_KW=G{;Enriphuo|JIo|!L*5HgBHb*XLjc-wIEUT#6GyB&Zgu@ADJ2gC6mQ@OocmwyWFyA-snr#eia3gfGVX(U$;ENON z19+m!GrM;VLhS@IoEokx1G4NO64NK1*~7CCaXZ*HC1J`Iwobk%=ifYwEi2a430jo+=kvn9 z2=G0fD7c!4>Z}09y!d6HTh|W24>z&%zZ8Jw2;J3{H&Ync8+e?GjK8|u^O}7x0QuW zX)aHIO2@Y1(@-~Lz54;hCoQ|nZ*19Je?8_de15$+W(HF2Cp-VGca{rTPrRFZ=?6<~ zZRb=-wZ$4u_CH@O_c@+w{kUt=;=#MvMB%g$*>KP^Co|Gx1Qv{EnQ)EFJl3^(mQ=?0 z!>wY!!AsX+I8xpB^?B3#L&H)AS=00NL}&}Yf#1nV|5#1^*;60)(R^g9)?3WQV`C;( zlk}>-L?D863-yGTQnfW%HaWUi&|zK8^w+Gk3xm87EZ@NwUIssP=+mxjHC9h^EGZ*|kd3L{PJp4?a5QG}} zXs59qSy6iB|B%jdShv-QXfB}XI;Y9q8(CmnF^L?=B^p%DMyb6UySP5zwC9-fL#`F; z13C-<_hs{{*a1w&TbRX$!cgyf>et~tyIx-9FJUk1Du#L*c%sEeK4w0rlcGtT`8kg789bNd^_-@cCtYtO`k~8s_ zqoWimnf|2U26!rt?S76bvUu%xUA9#N%zv(Q|A;JYY`(gFbB?GyfSWGBpiLuyM-FO7 z8a3&M+%+8s*9N)|tSr3vt0cb6WU1|GuzIqQHYY})s98zZBB0s-`yLOhTNA>fNjdbwWb%cNCGvUh1woQxx;`axD2p>$oc1CZ#yCPmHH zs)ibu$dS(Z&bHplH+{;RfUpxit^Ek9dkH0#Mz=GJl4Ob8Sz{XQ+4#)hnTBdS>-zr= 
z|DS?ymt*6B7ynJA|2hB@5k)2LUUC0MMV+OSKBtLYY>{YkZ25PWQ}<=zsOzf|oVBTz zS9{YGZ++f?xN5R( zd0)HmV(my|U=dyP-1wG+w$I_ghy%yVIe_r8f=3spro5wRENCNDQ+nW^4Tm(Oz$@(j zo&=MMCzrtj@Sr?~wKO$~tk&D0R%NGG>%dlPBvMb2ro=}l&X7twH*|-UELX4hk(Kg* z?aQ7LS$nS52;p*q-c-lxo`4Ntr%)5xuU8;CqfQwU_PW3~;@4^-1-p zj8x_GvzHg%)!qt^R7+_JXm<#8YxqT01)o^TZ4|530z=78b{@~>02e`|iqs4Sp%BO1 zg8K)-AGWP2<1N(g(Yq7hRgJH59!8H&+#lqlZ;DWLcQ@4KD9zZmg(@$^sX&g2>V(hh z>V}X4lLuQ_uYzR%7F1LJVw*_IcTIB8i9tpW?iO@;I28WUAUhv2rGUs&eZSPIlAT19 z?_3w<+cmkDHk~@vHGQ|tr*r8!ZY#KInJy_8uhjFID3M{ +Date: Mon, 27 Dec 2021 14:31:17 -0500 +Subject: [PATCH 1/6] acpi: fix QEMU crash when started with SLIC table +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +if QEMU is started with used provided SLIC table blob, + + -acpitable sig=SLIC,oem_id='CRASH ',oem_table_id="ME",oem_rev=00002210,asl_compiler_id="",asl_compiler_rev=00000000,data=/dev/null +it will assert with: + + hw/acpi/aml-build.c:61:build_append_padded_str: assertion failed: (len <= maxlen) + +and following backtrace: + + ... + build_append_padded_str (array=0x555556afe320, str=0x555556afdb2e "CRASH ME", maxlen=0x6, pad=0x20) at hw/acpi/aml-build.c:61 + acpi_table_begin (desc=0x7fffffffd1b0, array=0x555556afe320) at hw/acpi/aml-build.c:1727 + build_fadt (tbl=0x555556afe320, linker=0x555557ca3830, f=0x7fffffffd318, oem_id=0x555556afdb2e "CRASH ME", oem_table_id=0x555556afdb34 "ME") at hw/acpi/aml-build.c:2064 + ... + +which happens due to acpi_table_begin() expecting NULL terminated +oem_id and oem_table_id strings, which is normally the case, but +in case of user provided SLIC table, oem_id points to table's blob +directly and as result oem_id became longer than expected. + +Fix issue by handling oem_id consistently and make acpi_get_slic_oem() +return NULL terminated strings. 
+
+PS:
+After [1] refactoring, oem_id semantics became inconsistent, where
+NULL terminated string was coming from machine and old way pointer
+into byte array coming from -acpitable option. That used to work
+since build_header() wasn't expecting NULL terminated string and
+blindly copied the 1st 6 bytes only.
+
+However commit [2] broke that by replacing build_header() with
+acpi_table_begin(), which was expecting NULL terminated string
+and was checking oem_id size.
+
+1) 602b45820 ("acpi: Permit OEM ID and OEM table ID fields to be changed")
+2)
+Fixes: 4b56e1e4eb08 ("acpi: build_fadt: use acpi_table_begin()/acpi_table_end() instead of build_header()")
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/786
+Signed-off-by: Igor Mammedov
+Message-Id: <20211227193120.1084176-2-imammedo@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé
+Tested-by: Denis Lisov
+Tested-by: Alexander Tsoy
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Michael S. Tsirkin
+Signed-off-by: Michael S. Tsirkin
+---
+ hw/acpi/core.c | 4 ++--
+ hw/i386/acpi-build.c | 2 ++
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/hw/acpi/core.c b/hw/acpi/core.c
+index eb631caa91..a2d790d432 100644
+--- a/hw/acpi/core.c
++++ b/hw/acpi/core.c
+@@ -346,8 +346,8 @@ int acpi_get_slic_oem(AcpiSlicOem *oem)
+ struct acpi_table_header *hdr = (void *)(u - sizeof(hdr->_length));
+
+ if (memcmp(hdr->sig, "SLIC", 4) == 0) {
+- oem->id = hdr->oem_id;
+- oem->table_id = hdr->oem_table_id;
++ oem->id = g_strndup(hdr->oem_id, 6);
++ oem->table_id = g_strndup(hdr->oem_table_id, 8);
+ return 0;
+ }
+ }
+diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
+index 1ce2d67c2e..0ec2932ec2 100644
+--- a/hw/i386/acpi-build.c
++++ b/hw/i386/acpi-build.c
+@@ -2721,6 +2721,8 @@ void acpi_build(AcpiBuildTables *tables, MachineState *machine)
+
+ /* Cleanup memory that's no longer used. */
+ g_array_free(table_offsets, true);
++ g_free(slic_oem.id);
++ g_free(slic_oem.table_id);
+ }
+
+ static void acpi_ram_update(MemoryRegion *mr, GArray *data)
+--
+2.27.0
+
diff --git a/hw-block-fdc-Prevent-end-of-track-overrun-CVE-2021-3.patch b/hw-block-fdc-Prevent-end-of-track-overrun-CVE-2021-3.patch
new file mode 100644
index 00000000..99c174c7
--- /dev/null
+++ b/hw-block-fdc-Prevent-end-of-track-overrun-CVE-2021-3.patch
@@ -0,0 +1,87 @@ +From 4c72f406e3ff02844977fcd8bc696080088d3d08 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 18 Nov 2021 12:57:32 +0100 +Subject: [PATCH 5/6] hw/block/fdc: Prevent end-of-track overrun + (CVE-2021-3507) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Per the 82078 datasheet, if the end-of-track (EOT byte in +the FIFO) is more than the number of sectors per side, the +command is terminated unsuccessfully: + +* 5.2.5 DATA TRANSFER TERMINATION + + The 82078 supports terminal count explicitly through + the TC pin and implicitly through the underrun/over- + run and end-of-track (EOT) functions. For full sector + transfers, the EOT parameter can define the last + sector to be transferred in a single or multisector + transfer. If the last sector to be transferred is a par- + tial sector, the host can stop transferring the data in + mid-sector, and the 82078 will continue to complete + the sector as if a hardware TC was received. The + only difference between these implicit functions and + TC is that they return "abnormal termination" result + status. Such status indications can be ignored if they + were expected. + +* 6.1.3 READ TRACK + + This command terminates when the EOT specified + number of sectors have been read. If the 82078 + does not find an I D Address Mark on the diskette + after the second· occurrence of a pulse on the + INDX# pin, then it sets the IC code in Status Regis- + ter 0 to "01" (Abnormal termination), sets the MA bit + in Status Register 1 to "1", and terminates the com- + mand. + +* 6.1.6 VERIFY + + Refer to Table 6-6 and Table 6-7 for information + concerning the values of MT and EC versus SC and + EOT value. + +* Table 6·6. Result Phase Table + +* Table 6-7. Verify Command Result Phase Table + +Fix by aborting the transfer when EOT > # Sectors Per Side. 
+ +Cc: qemu-stable@nongnu.org +Cc: Hervé Poussineau +Fixes: baca51faff0 ("floppy driver: disk geometry auto detect") +Reported-by: Alexander Bulekov +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/339 +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211118115733.4038610-2-philmd@redhat.com> +Reviewed-by: Hanna Reitz +Signed-off-by: Kevin Wolf +--- + hw/block/fdc.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/block/fdc.c b/hw/block/fdc.c +index 21d18ac2e3..24b05406e6 100644 +--- a/hw/block/fdc.c ++++ b/hw/block/fdc.c +@@ -1529,6 +1529,14 @@ static void fdctrl_start_transfer(FDCtrl *fdctrl, int direction) + int tmp; + fdctrl->data_len = 128 << (fdctrl->fifo[5] > 7 ? 7 : fdctrl->fifo[5]); + tmp = (fdctrl->fifo[6] - ks + 1); ++ if (tmp < 0) { ++ FLOPPY_DPRINTF("invalid EOT: %d\n", tmp); ++ fdctrl_stop_transfer(fdctrl, FD_SR0_ABNTERM, FD_SR1_MA, 0x00); ++ fdctrl->fifo[3] = kt; ++ fdctrl->fifo[4] = kh; ++ fdctrl->fifo[5] = ks; ++ return; ++ } + if (fdctrl->fifo[0] & 0x80) + tmp += fdctrl->fifo[6]; + fdctrl->data_len *= tmp; +-- +2.27.0 + diff --git a/qemu.spec b/qemu.spec index 922f74df..09f6d140 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 6.2.0 -Release: 37 +Release: 38 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 
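Review bot: The added guard in fdctrl_start_transfer tests `tmp < 0`, a negative sector count from `fdctrl->fifo[6] - ks + 1`, while the commit message describes the condition as EOT greater than the sectors per side. Nothing in the hunk compares `fifo[6]` with the drive geometry, and `tmp == 0` still reaches `fdctrl->data_len *= tmp`. A comment on the check would make the intent reviewable, for example `/* EOT below the current sector gives a negative count; abort rather than scale data_len by it */`. The debug line prints the count under the label EOT, so `FLOPPY_DPRINTF("invalid EOT: %d (sector count %d)\n", fdctrl->fifo[6], tmp);` would log the guest-supplied byte as well. Whether an upper bound against the sectors per track is also needed cannot be judged from here, since the function starts and ends outside the hunk.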
@@ -248,6 +248,12 @@ Patch0234: hw-intc-arm_gicv3-Check-for-MEMTX_OK-instead-of-MEMT.patch Patch0235: softmmu-physmem-Simplify-flatview_write-and-address_.patch Patch0236: softmmu-physmem-Introduce-MemTxAttrs-memory-field-an.patch Patch0237: acpi-modify-build_ppt-del-macro-add-arm-build_pptt.patch +Patch0238: acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch +Patch0239: tests-acpi-whitelist-expected-blobs-before-changing-.patch +Patch0240: tests-acpi-add-SLIC-table-test.patch +Patch0241: tests-acpi-SLIC-update-expected-blobs.patch +Patch0242: hw-block-fdc-Prevent-end-of-track-overrun-CVE-2021-3.patch +Patch0243: tests-qtest-fdc-test-Add-a-regression-test-for-CVE-2.patch BuildRequires: flex BuildRequires: gcc @@ -739,6 +745,14 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Mon May 30 2022 yezengruan - 2:6.2.0-38 +- acpi: fix QEMU crash when started with SLIC table +- tests: acpi: whitelist expected blobs before changing them +- tests: acpi: add SLIC table test +- tests: acpi: SLIC: update expected blobs +- hw/block/fdc: Prevent end-of-track overrun (CVE-2021-3507) +- tests/qtest/fdc-test: Add a regression test for CVE-2021-3507 + * Mon May 30 2022 zhangziyang - 2:6.2.0-37 - add qemu-system-x86_64, qemu-system-aarch64, qemu-system-arm rpm package build diff --git a/tests-acpi-SLIC-update-expected-blobs.patch b/tests-acpi-SLIC-update-expected-blobs.patch new file mode 100644 index 00000000..ba1f9bc7 --- /dev/null +++ b/tests-acpi-SLIC-update-expected-blobs.patch 
@@ -0,0 +1,26 @@ +From 86392e80092e62197f51507513ee09100f9c1653 Mon Sep 17 00:00:00 2001 +From: Igor Mammedov +Date: Mon, 27 Dec 2021 14:31:20 -0500 +Subject: [PATCH 4/6] tests: acpi: SLIC: update expected blobs + +Signed-off-by: Igor Mammedov +Message-Id: <20211227193120.1084176-5-imammedo@redhat.com> +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +--- + tests/data/acpi/q35/FACP.slic | Bin 244 -> 244 bytes + tests/data/acpi/q35/SLIC.slic | Bin 0 -> 36 bytes + tests/qtest/bios-tables-test-allowed-diff.h | 2 -- + 3 files changed, 2 deletions(-) + +diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h +index 49dbf8fa3e..dfb8523c8b 100644 +--- a/tests/qtest/bios-tables-test-allowed-diff.h ++++ b/tests/qtest/bios-tables-test-allowed-diff.h +@@ -1,3 +1 @@ + /* List of comma-separated changed AML files to ignore */ +-"tests/data/acpi/q35/FACP.slic", +-"tests/data/acpi/q35/SLIC.slic", +-- +2.27.0 + diff --git a/tests-acpi-add-SLIC-table-test.patch b/tests-acpi-add-SLIC-table-test.patch new file mode 100644 index 00000000..f0b1a6ec --- /dev/null +++ b/tests-acpi-add-SLIC-table-test.patch 
@@ -0,0 +1,55 @@ +From b9c96b0a111e5333857682a5dc9770cbebcbabea Mon Sep 17 00:00:00 2001 +From: Igor Mammedov +Date: Mon, 27 Dec 2021 14:31:19 -0500 +Subject: [PATCH 3/6] tests: acpi: add SLIC table test + +When user uses '-acpitable' to add SLIC table, some ACPI +tables (FADT) will change its 'Oem ID'/'Oem Table ID' fields to +match that of SLIC. Test makes sure thati QEMU handles +those fields correctly when SLIC table is added with +'-acpitable' option. + +Signed-off-by: Igor Mammedov +Message-Id: <20211227193120.1084176-4-imammedo@redhat.com> +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +--- + tests/qtest/bios-tables-test.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/tests/qtest/bios-tables-test.c b/tests/qtest/bios-tables-test.c +index 258874167e..184937e6ca 100644 +--- a/tests/qtest/bios-tables-test.c ++++ b/tests/qtest/bios-tables-test.c +@@ -1465,6 +1465,20 @@ static void test_acpi_virt_tcg(void) + free_test_data(&data); + } + ++static void test_acpi_q35_slic(void) ++{ ++ test_data data = { ++ .machine = MACHINE_Q35, ++ .variant = ".slic", ++ }; ++ ++ test_acpi_one("-acpitable sig=SLIC,oem_id='CRASH ',oem_table_id='ME'," ++ "oem_rev=00002210,asl_compiler_id='qemu'," ++ "asl_compiler_rev=00000000,data=/dev/null", ++ &data); ++ free_test_data(&data); ++} ++ + static void test_oem_fields(test_data *data) + { + int i; +@@ -1639,6 +1653,7 @@ int main(int argc, char *argv[]) + qtest_add_func("acpi/q35/kvm/xapic", test_acpi_q35_kvm_xapic); + qtest_add_func("acpi/q35/kvm/dmar", test_acpi_q35_kvm_dmar); + } ++ qtest_add_func("acpi/q35/slic", test_acpi_q35_slic); + } else if (strcmp(arch, "aarch64") == 0) { + if (has_tcg) { + qtest_add_func("acpi/virt", test_acpi_virt_tcg); +-- +2.27.0 + diff --git a/tests-acpi-whitelist-expected-blobs-before-changing-.patch b/tests-acpi-whitelist-expected-blobs-before-changing-.patch new file mode 100644 index 00000000..075361b2 --- /dev/null 
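Review bot: test_acpi_q35_slic does not say why these OEM values were chosen. As shown, `oem_id='CRASH '` appears to fill the six-byte field completely, leaving no terminating NUL, and `oem_table_id='ME'` is shorter than its eight-byte field; these look like the two cases a bounded copy of the header fields has to handle. A short comment above the test_acpi_one() call, such as `/* oem_id fills all 6 bytes, oem_table_id is shorter than 8: both must be copied as bounded strings */`, would keep a later edit of the command line from weakening the test.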
+++ b/tests-acpi-whitelist-expected-blobs-before-changing-.patch @@ -0,0 +1,29 @@ +From 83229a5034161d021ac21f7c7f921d4398d388c6 Mon Sep 17 00:00:00 2001 +From: Igor Mammedov +Date: Mon, 27 Dec 2021 14:31:18 -0500 +Subject: [PATCH 2/6] tests: acpi: whitelist expected blobs before changing + them + +Signed-off-by: Igor Mammedov +Message-Id: <20211227193120.1084176-3-imammedo@redhat.com> +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +--- + tests/data/acpi/q35/FACP.slic | Bin 0 -> 244 bytes + tests/data/acpi/q35/SLIC.slic | 0 + tests/qtest/bios-tables-test-allowed-diff.h | 2 ++ + 3 files changed, 2 insertions(+) + create mode 100644 tests/data/acpi/q35/FACP.slic + create mode 100644 tests/data/acpi/q35/SLIC.slic + +diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h +index dfb8523c8b..49dbf8fa3e 100644 +--- a/tests/qtest/bios-tables-test-allowed-diff.h ++++ b/tests/qtest/bios-tables-test-allowed-diff.h +@@ -1 +1,3 @@ + /* List of comma-separated changed AML files to ignore */ ++"tests/data/acpi/q35/FACP.slic", ++"tests/data/acpi/q35/SLIC.slic", +-- +2.27.0 + diff --git a/tests-qtest-fdc-test-Add-a-regression-test-for-CVE-2.patch b/tests-qtest-fdc-test-Add-a-regression-test-for-CVE-2.patch new file mode 100644 index 00000000..d089fbbf --- /dev/null +++ b/tests-qtest-fdc-test-Add-a-regression-test-for-CVE-2.patch 
@@ -0,0 +1,110 @@ +From c3ed2f4828e29f5ac82efd6a32117e9b17180dd1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 18 Nov 2021 12:57:33 +0100 +Subject: [PATCH 6/6] tests/qtest/fdc-test: Add a regression test for + CVE-2021-3507 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Add the reproducer from https://gitlab.com/qemu-project/qemu/-/issues/339 + +Without the previous commit, when running 'make check-qtest-i386' +with QEMU configured with '--enable-sanitizers' we get: + + ==4028352==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000062a00 at pc 0x5626d03c491a bp 0x7ffdb4199410 sp 0x7ffdb4198bc0 + READ of size 786432 at 0x619000062a00 thread T0 + #0 0x5626d03c4919 in __asan_memcpy (qemu-system-i386+0x1e65919) + #1 0x5626d1c023cc in flatview_write_continue softmmu/physmem.c:2787:13 + #2 0x5626d1bf0c0f in flatview_write softmmu/physmem.c:2822:14 + #3 0x5626d1bf0798 in address_space_write softmmu/physmem.c:2914:18 + #4 0x5626d1bf0f37 in address_space_rw softmmu/physmem.c:2924:16 + #5 0x5626d1bf14c8 in cpu_physical_memory_rw softmmu/physmem.c:2933:5 + #6 0x5626d0bd5649 in cpu_physical_memory_write include/exec/cpu-common.h:82:5 + #7 0x5626d0bd0a07 in i8257_dma_write_memory hw/dma/i8257.c:452:9 + #8 0x5626d09f825d in fdctrl_transfer_handler hw/block/fdc.c:1616:13 + #9 0x5626d0a048b4 in fdctrl_start_transfer hw/block/fdc.c:1539:13 + #10 0x5626d09f4c3e in fdctrl_write_data hw/block/fdc.c:2266:13 + #11 0x5626d09f22f7 in fdctrl_write hw/block/fdc.c:829:9 + #12 0x5626d1c20bc5 in portio_write softmmu/ioport.c:207:17 + + 0x619000062a00 is located 0 bytes to the right of 512-byte region [0x619000062800,0x619000062a00) + allocated by thread T0 here: + #0 0x5626d03c66ec in posix_memalign (qemu-system-i386+0x1e676ec) + #1 0x5626d2b988d4 in qemu_try_memalign util/oslib-posix.c:210:11 + #2 0x5626d2b98b0c in qemu_memalign util/oslib-posix.c:226:27 + #3 0x5626d09fbaf0 in 
fdctrl_realize_common hw/block/fdc.c:2341:20 + #4 0x5626d0a150ed in isabus_fdc_realize hw/block/fdc-isa.c:113:5 + #5 0x5626d2367935 in device_set_realized hw/core/qdev.c:531:13 + + SUMMARY: AddressSanitizer: heap-buffer-overflow (qemu-system-i386+0x1e65919) in __asan_memcpy + Shadow bytes around the buggy address: + 0x0c32800044f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c3280004500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c3280004510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c3280004520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c3280004530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + =>0x0c3280004540:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c3280004550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c3280004560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c3280004570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c3280004580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c3280004590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Heap left redzone: fa + Freed heap region: fd + ==4028352==ABORTING + +[ kwolf: Added snapshot=on to prevent write file lock failure ] + +Reported-by: Alexander Bulekov +Signed-off-by: Philippe Mathieu-Daudé +Reviewed-by: Alexander Bulekov +Signed-off-by: Kevin Wolf +--- + tests/qtest/fdc-test.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/tests/qtest/fdc-test.c b/tests/qtest/fdc-test.c +index 8f6eee84a4..6f5850354f 100644 +--- a/tests/qtest/fdc-test.c ++++ b/tests/qtest/fdc-test.c +@@ -583,6 +583,26 @@ static void test_cve_2021_20196(void) + qtest_quit(s); + } + ++static void test_cve_2021_3507(void) ++{ ++ QTestState *s; ++ ++ s = qtest_initf("-nographic -m 32M -nodefaults " ++ "-drive file=%s,format=raw,if=floppy,snapshot=on", ++ test_image); ++ qtest_outl(s, 0x9, 0x0a0206); ++ qtest_outw(s, 0x3f4, 0x1600); ++ 
qtest_outw(s, 0x3f4, 0x0000); ++ qtest_outw(s, 0x3f4, 0x0000); ++ qtest_outw(s, 0x3f4, 0x0000); ++ qtest_outw(s, 0x3f4, 0x0200); ++ qtest_outw(s, 0x3f4, 0x0200); ++ qtest_outw(s, 0x3f4, 0x0000); ++ qtest_outw(s, 0x3f4, 0x0000); ++ qtest_outw(s, 0x3f4, 0x0000); ++ qtest_quit(s); ++} ++ + int main(int argc, char **argv) + { + int fd; +@@ -614,6 +634,7 @@ int main(int argc, char **argv) + qtest_add_func("/fdc/read_no_dma_19", test_read_no_dma_19); + qtest_add_func("/fdc/fuzz-registers", fuzz_registers); + qtest_add_func("/fdc/fuzz/cve_2021_20196", test_cve_2021_20196); ++ qtest_add_func("/fdc/fuzz/cve_2021_3507", test_cve_2021_3507); + + ret = g_test_run(); + +-- +2.27.0 + -- Gitee
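Review bot: test_cve_2021_3507 contains no assertion, so it passes whenever QEMU survives the register writes. Per the commit message the overrun is reported by AddressSanitizer in an `--enable-sanitizers` build, so a plain build may not fail against an unfixed fdc.c. That dependency deserves a comment on the function, for example `/* Passes if QEMU does not crash; build with --enable-sanitizers to detect the overrun */`. If the result phase can be read back in this test file, asserting the abnormal-termination status would make the test meaningful without sanitizers, but that needs helpers defined outside this hunk.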