Re: kcm: use-after-free in fput of kcm socket
On Sun, Aug 28, 2016 at 3:10 AM, Dmitry Vyukovwrote: > Hello, > > The following program triggers use-after-free: > > // autogenerated by syzkaller (http://github.com/google/syzkaller) > #include > #include > > int main() > { > int fd = syscall(SYS_socket, 0x29ul, 0x5ul, 0x0ul, 0, 0, 0); > syscall(SYS_ioctl, fd, 0x89e2ul, 0x20a98000ul, 0, 0, 0); > return 0; > } > > > [ 367.240184] > == > [ 367.240784] BUG: KASAN: use-after-free in __fput+0x65a/0x780 at > addr 880069bc4b30 > [ 367.241034] Read of size 2 by task a.out/4045 > [ 367.241034] CPU: 3 PID: 4045 Comm: a.out Not tainted 4.8.0-rc3+ #34 > [ 367.241034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), > BIOS Bochs 01/01/2011 > [ 367.241034] 884b8280 880038fb7bc0 82d1b1d9 > 00622e00 > [ 367.241034] fbfff1097050 88003e198900 880069bc4b00 > 880069bc4ec0 > [ 367.241034] 880069bc4b30 859e90a0 880038fb7be8 > 817da1fc > [ 367.241034] Call Trace: > [ 367.241034] [] dump_stack+0x12e/0x185 > [ 367.241034] [] ? sock_release+0x1d0/0x1d0 > [ 367.241034] [] kasan_object_err+0x1c/0x70 > [ 367.241034] [] kasan_report_error+0x1ae/0x490 > [ 367.241034] [] ? sock_release+0x1d0/0x1d0 > [ 367.241034] [] __asan_report_load2_noabort+0x3e/0x40 > [ 367.241034] [] ? __fput+0x65a/0x780 > [ 367.241034] [] __fput+0x65a/0x780 > [ 367.241034] [] fput+0x15/0x20 > [ 367.241034] [] task_work_run+0xf3/0x170 > [ 367.241034] [] do_exit+0x868/0x2c10 > [ 367.241034] [] ? sock_ioctl+0x1db/0x3d0 > [ 367.241034] [] ? sock_do_ioctl+0xb0/0xb0 > [ 367.241034] [] ? do_vfs_ioctl+0x430/0x1080 > [ 367.241034] [] ? mm_update_next_owner+0x640/0x640 > [ 367.241034] [] ? ioctl_preallocate+0x210/0x210 > [ 367.241034] [] ? bad_area+0x69/0x80 > [ 367.241034] [] ? exit_to_usermode_loop+0x3e/0x210 > [ 367.241034] [] ? entry_SYSCALL_64_fastpath+0x5/0xc1 > [ 367.241034] [] do_group_exit+0x108/0x330 > [ 367.241034] [] SyS_exit_group+0x1d/0x20 > [ 367.241034] [] entry_SYSCALL_64_fastpath+0x23/0xc1 Hmm, we have a double free here. I have a patch to fix it, will send it out very soon. Thanks! > [ 367.241034] Object at 880069bc4b00, in cache sock_inode_cache size: 960 > [ 367.241034] Allocated: > [ 367.241034] PID = 4045 > [ 367.241034] [] save_stack_trace+0x26/0x50 > [ 367.241034] [] save_stack+0x46/0xd0 > [ 367.241034] [] kasan_kmalloc+0xad/0xe0 > [ 367.241034] [] kasan_slab_alloc+0x12/0x20 > [ 367.241034] [] kmem_cache_alloc+0x12b/0x710 > [ 367.241034] [] sock_alloc_inode+0x1d/0x250 > [ 367.241034] [] alloc_inode+0x61/0x180 > [ 367.241034] [] new_inode_pseudo+0x17/0xe0 > [ 367.241034] [] sock_alloc+0x41/0x280 > [ 367.241034] [] kcm_ioctl+0x9b3/0x13e0 > [ 367.241034] [] sock_do_ioctl+0x65/0xb0 > [ 367.241034] [] sock_ioctl+0x2d2/0x3d0 > [ 367.241034] [] do_vfs_ioctl+0x18c/0x1080 > [ 367.241034] [] SyS_ioctl+0x8f/0xc0 > [ 367.241034] [] entry_SYSCALL_64_fastpath+0x23/0xc1 > [ 367.241034] Freed: > [ 367.241034] PID = 4045 > [ 367.241034] [] save_stack_trace+0x26/0x50 > [ 367.241034] [] save_stack+0x46/0xd0 > [ 367.241034] [] kasan_slab_free+0x72/0xc0 > [ 367.241034] [] kmem_cache_free+0x76/0x300 > [ 367.241034] [] sock_destroy_inode+0x56/0x70 > [ 367.241034] [] destroy_inode+0xc7/0x130 > [ 367.241034] [] evict+0x329/0x500 > [ 367.241034] [] iput+0x495/0x930 > [ 367.241034] [] sock_release+0x164/0x1d0 > [ 367.241034] [] sock_close+0x16/0x20 > [ 367.241034] [] __fput+0x236/0x780 > [ 367.241034] [] fput+0x15/0x20 > [ 367.241034] [] task_work_run+0xf3/0x170 > [ 367.241034] [] do_exit+0x868/0x2c10 > [ 367.241034] [] do_group_exit+0x108/0x330 > [ 367.241034] [] SyS_exit_group+0x1d/0x20 > [ 367.241034] [] entry_SYSCALL_64_fastpath+0x23/0xc1 > [ 367.241034] Memory state around the buggy address: > [ 367.241034] 880069bc4a00: fc fc fc fc fc fc fc fc fc fc fc fc > fc fc fc fc > [ 367.241034] 880069bc4a80: fc fc fc fc fc fc fc fc fc fc fc fc > fc fc fc fc > [ 367.241034] >880069bc4b00: fb fb fb fb fb fb fb fb fb fb fb fb > fb fb fb fb > [ 367.241034] ^ > [ 367.241034] 880069bc4b80: fb fb fb fb fb fb fb fb fb fb fb fb > fb fb fb fb > [ 367.241034] 880069bc4c00: fb fb fb fb fb fb fb fb fb fb fb fb > fb fb fb fb > [ 367.241034] > == > > > It is then followed by a bunch of other bugs, full log is here: > https://gist.githubusercontent.com/dvyukov/b9884388bee40b792ae7900928358484/raw/ace2fa242468d584fa61bf753a5891faa71b0932/gistfile1.txt > > > On commit 61c04572de404e52a655a36752e696bbcb483cf5 (Aug 25).
Re: kcm: use-after-free in fput of kcm socket
On Sun, Aug 28, 2016 at 3:10 AM, Dmitry Vyukov wrote: > Hello, > > The following program triggers use-after-free: > > // autogenerated by syzkaller (http://github.com/google/syzkaller) > #include > #include > > int main() > { > int fd = syscall(SYS_socket, 0x29ul, 0x5ul, 0x0ul, 0, 0, 0); > syscall(SYS_ioctl, fd, 0x89e2ul, 0x20a98000ul, 0, 0, 0); > return 0; > } > > > [ 367.240184] > == > [ 367.240784] BUG: KASAN: use-after-free in __fput+0x65a/0x780 at > addr 880069bc4b30 > [ 367.241034] Read of size 2 by task a.out/4045 > [ 367.241034] CPU: 3 PID: 4045 Comm: a.out Not tainted 4.8.0-rc3+ #34 > [ 367.241034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), > BIOS Bochs 01/01/2011 > [ 367.241034] 884b8280 880038fb7bc0 82d1b1d9 > 00622e00 > [ 367.241034] fbfff1097050 88003e198900 880069bc4b00 > 880069bc4ec0 > [ 367.241034] 880069bc4b30 859e90a0 880038fb7be8 > 817da1fc > [ 367.241034] Call Trace: > [ 367.241034] [] dump_stack+0x12e/0x185 > [ 367.241034] [] ? sock_release+0x1d0/0x1d0 > [ 367.241034] [] kasan_object_err+0x1c/0x70 > [ 367.241034] [] kasan_report_error+0x1ae/0x490 > [ 367.241034] [] ? sock_release+0x1d0/0x1d0 > [ 367.241034] [] __asan_report_load2_noabort+0x3e/0x40 > [ 367.241034] [] ? __fput+0x65a/0x780 > [ 367.241034] [] __fput+0x65a/0x780 > [ 367.241034] [] fput+0x15/0x20 > [ 367.241034] [] task_work_run+0xf3/0x170 > [ 367.241034] [] do_exit+0x868/0x2c10 > [ 367.241034] [] ? sock_ioctl+0x1db/0x3d0 > [ 367.241034] [] ? sock_do_ioctl+0xb0/0xb0 > [ 367.241034] [] ? do_vfs_ioctl+0x430/0x1080 > [ 367.241034] [] ? mm_update_next_owner+0x640/0x640 > [ 367.241034] [] ? ioctl_preallocate+0x210/0x210 > [ 367.241034] [] ? bad_area+0x69/0x80 > [ 367.241034] [] ? exit_to_usermode_loop+0x3e/0x210 > [ 367.241034] [] ? entry_SYSCALL_64_fastpath+0x5/0xc1 > [ 367.241034] [] do_group_exit+0x108/0x330 > [ 367.241034] [] SyS_exit_group+0x1d/0x20 > [ 367.241034] [] entry_SYSCALL_64_fastpath+0x23/0xc1 Hmm, we have a double free here. I have a patch to fix it, will send it out very soon. Thanks! > [ 367.241034] Object at 880069bc4b00, in cache sock_inode_cache size: 960 > [ 367.241034] Allocated: > [ 367.241034] PID = 4045 > [ 367.241034] [] save_stack_trace+0x26/0x50 > [ 367.241034] [] save_stack+0x46/0xd0 > [ 367.241034] [] kasan_kmalloc+0xad/0xe0 > [ 367.241034] [] kasan_slab_alloc+0x12/0x20 > [ 367.241034] [] kmem_cache_alloc+0x12b/0x710 > [ 367.241034] [] sock_alloc_inode+0x1d/0x250 > [ 367.241034] [] alloc_inode+0x61/0x180 > [ 367.241034] [] new_inode_pseudo+0x17/0xe0 > [ 367.241034] [] sock_alloc+0x41/0x280 > [ 367.241034] [] kcm_ioctl+0x9b3/0x13e0 > [ 367.241034] [] sock_do_ioctl+0x65/0xb0 > [ 367.241034] [] sock_ioctl+0x2d2/0x3d0 > [ 367.241034] [] do_vfs_ioctl+0x18c/0x1080 > [ 367.241034] [] SyS_ioctl+0x8f/0xc0 > [ 367.241034] [] entry_SYSCALL_64_fastpath+0x23/0xc1 > [ 367.241034] Freed: > [ 367.241034] PID = 4045 > [ 367.241034] [] save_stack_trace+0x26/0x50 > [ 367.241034] [] save_stack+0x46/0xd0 > [ 367.241034] [] kasan_slab_free+0x72/0xc0 > [ 367.241034] [] kmem_cache_free+0x76/0x300 > [ 367.241034] [] sock_destroy_inode+0x56/0x70 > [ 367.241034] [] destroy_inode+0xc7/0x130 > [ 367.241034] [] evict+0x329/0x500 > [ 367.241034] [] iput+0x495/0x930 > [ 367.241034] [] sock_release+0x164/0x1d0 > [ 367.241034] [] sock_close+0x16/0x20 > [ 367.241034] [] __fput+0x236/0x780 > [ 367.241034] [] fput+0x15/0x20 > [ 367.241034] [] task_work_run+0xf3/0x170 > [ 367.241034] [] do_exit+0x868/0x2c10 > [ 367.241034] [] do_group_exit+0x108/0x330 > [ 367.241034] [] SyS_exit_group+0x1d/0x20 > [ 367.241034] [] entry_SYSCALL_64_fastpath+0x23/0xc1 > [ 367.241034] Memory state around the buggy address: > [ 367.241034] 880069bc4a00: fc fc fc fc fc fc fc fc fc fc fc fc > fc fc fc fc > [ 367.241034] 880069bc4a80: fc fc fc fc fc fc fc fc fc fc fc fc > fc fc fc fc > [ 367.241034] >880069bc4b00: fb fb fb fb fb fb fb fb fb fb fb fb > fb fb fb fb > [ 367.241034] ^ > [ 367.241034] 880069bc4b80: fb fb fb fb fb fb fb fb fb fb fb fb > fb fb fb fb > [ 367.241034] 880069bc4c00: fb fb fb fb fb fb fb fb fb fb fb fb > fb fb fb fb > [ 367.241034] > == > > > It is then followed by a bunch of other bugs, full log is here: > https://gist.githubusercontent.com/dvyukov/b9884388bee40b792ae7900928358484/raw/ace2fa242468d584fa61bf753a5891faa71b0932/gistfile1.txt > > > On commit 61c04572de404e52a655a36752e696bbcb483cf5 (Aug 25).
kcm: use-after-free in fput of kcm socket
Hello, The following program triggers use-after-free: // autogenerated by syzkaller (http://github.com/google/syzkaller) #include #include int main() { int fd = syscall(SYS_socket, 0x29ul, 0x5ul, 0x0ul, 0, 0, 0); syscall(SYS_ioctl, fd, 0x89e2ul, 0x20a98000ul, 0, 0, 0); return 0; } [ 367.240184] == [ 367.240784] BUG: KASAN: use-after-free in __fput+0x65a/0x780 at addr 880069bc4b30 [ 367.241034] Read of size 2 by task a.out/4045 [ 367.241034] CPU: 3 PID: 4045 Comm: a.out Not tainted 4.8.0-rc3+ #34 [ 367.241034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 367.241034] 884b8280 880038fb7bc0 82d1b1d9 00622e00 [ 367.241034] fbfff1097050 88003e198900 880069bc4b00 880069bc4ec0 [ 367.241034] 880069bc4b30 859e90a0 880038fb7be8 817da1fc [ 367.241034] Call Trace: [ 367.241034] [] dump_stack+0x12e/0x185 [ 367.241034] [] ? sock_release+0x1d0/0x1d0 [ 367.241034] [] kasan_object_err+0x1c/0x70 [ 367.241034] [] kasan_report_error+0x1ae/0x490 [ 367.241034] [] ? sock_release+0x1d0/0x1d0 [ 367.241034] [] __asan_report_load2_noabort+0x3e/0x40 [ 367.241034] [] ? __fput+0x65a/0x780 [ 367.241034] [] __fput+0x65a/0x780 [ 367.241034] [] fput+0x15/0x20 [ 367.241034] [] task_work_run+0xf3/0x170 [ 367.241034] [] do_exit+0x868/0x2c10 [ 367.241034] [] ? sock_ioctl+0x1db/0x3d0 [ 367.241034] [] ? sock_do_ioctl+0xb0/0xb0 [ 367.241034] [] ? do_vfs_ioctl+0x430/0x1080 [ 367.241034] [] ? mm_update_next_owner+0x640/0x640 [ 367.241034] [] ? ioctl_preallocate+0x210/0x210 [ 367.241034] [] ? bad_area+0x69/0x80 [ 367.241034] [] ? exit_to_usermode_loop+0x3e/0x210 [ 367.241034] [] ? entry_SYSCALL_64_fastpath+0x5/0xc1 [ 367.241034] [] do_group_exit+0x108/0x330 [ 367.241034] [] SyS_exit_group+0x1d/0x20 [ 367.241034] [] entry_SYSCALL_64_fastpath+0x23/0xc1 [ 367.241034] Object at 880069bc4b00, in cache sock_inode_cache size: 960 [ 367.241034] Allocated: [ 367.241034] PID = 4045 [ 367.241034] [] save_stack_trace+0x26/0x50 [ 367.241034] [] save_stack+0x46/0xd0 [ 367.241034] [] kasan_kmalloc+0xad/0xe0 [ 367.241034] [] kasan_slab_alloc+0x12/0x20 [ 367.241034] [] kmem_cache_alloc+0x12b/0x710 [ 367.241034] [] sock_alloc_inode+0x1d/0x250 [ 367.241034] [] alloc_inode+0x61/0x180 [ 367.241034] [] new_inode_pseudo+0x17/0xe0 [ 367.241034] [] sock_alloc+0x41/0x280 [ 367.241034] [] kcm_ioctl+0x9b3/0x13e0 [ 367.241034] [] sock_do_ioctl+0x65/0xb0 [ 367.241034] [] sock_ioctl+0x2d2/0x3d0 [ 367.241034] [] do_vfs_ioctl+0x18c/0x1080 [ 367.241034] [] SyS_ioctl+0x8f/0xc0 [ 367.241034] [] entry_SYSCALL_64_fastpath+0x23/0xc1 [ 367.241034] Freed: [ 367.241034] PID = 4045 [ 367.241034] [] save_stack_trace+0x26/0x50 [ 367.241034] [] save_stack+0x46/0xd0 [ 367.241034] [] kasan_slab_free+0x72/0xc0 [ 367.241034] [] kmem_cache_free+0x76/0x300 [ 367.241034] [] sock_destroy_inode+0x56/0x70 [ 367.241034] [] destroy_inode+0xc7/0x130 [ 367.241034] [] evict+0x329/0x500 [ 367.241034] [] iput+0x495/0x930 [ 367.241034] [] sock_release+0x164/0x1d0 [ 367.241034] [] sock_close+0x16/0x20 [ 367.241034] [] __fput+0x236/0x780 [ 367.241034] [] fput+0x15/0x20 [ 367.241034] [] task_work_run+0xf3/0x170 [ 367.241034] [] do_exit+0x868/0x2c10 [ 367.241034] [] do_group_exit+0x108/0x330 [ 367.241034] [] SyS_exit_group+0x1d/0x20 [ 367.241034] [] entry_SYSCALL_64_fastpath+0x23/0xc1 [ 367.241034] Memory state around the buggy address: [ 367.241034] 880069bc4a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 367.241034] 880069bc4a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 367.241034] >880069bc4b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 367.241034] ^ [ 367.241034] 880069bc4b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 367.241034] 880069bc4c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 367.241034] == It is then followed by a bunch of other bugs, full log is here: https://gist.githubusercontent.com/dvyukov/b9884388bee40b792ae7900928358484/raw/ace2fa242468d584fa61bf753a5891faa71b0932/gistfile1.txt On commit 61c04572de404e52a655a36752e696bbcb483cf5 (Aug 25).
kcm: use-after-free in fput of kcm socket
Hello, The following program triggers use-after-free: // autogenerated by syzkaller (http://github.com/google/syzkaller) #include #include int main() { int fd = syscall(SYS_socket, 0x29ul, 0x5ul, 0x0ul, 0, 0, 0); syscall(SYS_ioctl, fd, 0x89e2ul, 0x20a98000ul, 0, 0, 0); return 0; } [ 367.240184] == [ 367.240784] BUG: KASAN: use-after-free in __fput+0x65a/0x780 at addr 880069bc4b30 [ 367.241034] Read of size 2 by task a.out/4045 [ 367.241034] CPU: 3 PID: 4045 Comm: a.out Not tainted 4.8.0-rc3+ #34 [ 367.241034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 367.241034] 884b8280 880038fb7bc0 82d1b1d9 00622e00 [ 367.241034] fbfff1097050 88003e198900 880069bc4b00 880069bc4ec0 [ 367.241034] 880069bc4b30 859e90a0 880038fb7be8 817da1fc [ 367.241034] Call Trace: [ 367.241034] [] dump_stack+0x12e/0x185 [ 367.241034] [] ? sock_release+0x1d0/0x1d0 [ 367.241034] [] kasan_object_err+0x1c/0x70 [ 367.241034] [] kasan_report_error+0x1ae/0x490 [ 367.241034] [] ? sock_release+0x1d0/0x1d0 [ 367.241034] [] __asan_report_load2_noabort+0x3e/0x40 [ 367.241034] [] ? __fput+0x65a/0x780 [ 367.241034] [] __fput+0x65a/0x780 [ 367.241034] [] fput+0x15/0x20 [ 367.241034] [] task_work_run+0xf3/0x170 [ 367.241034] [] do_exit+0x868/0x2c10 [ 367.241034] [] ? sock_ioctl+0x1db/0x3d0 [ 367.241034] [] ? sock_do_ioctl+0xb0/0xb0 [ 367.241034] [] ? do_vfs_ioctl+0x430/0x1080 [ 367.241034] [] ? mm_update_next_owner+0x640/0x640 [ 367.241034] [] ? ioctl_preallocate+0x210/0x210 [ 367.241034] [] ? bad_area+0x69/0x80 [ 367.241034] [] ? exit_to_usermode_loop+0x3e/0x210 [ 367.241034] [] ? entry_SYSCALL_64_fastpath+0x5/0xc1 [ 367.241034] [] do_group_exit+0x108/0x330 [ 367.241034] [] SyS_exit_group+0x1d/0x20 [ 367.241034] [] entry_SYSCALL_64_fastpath+0x23/0xc1 [ 367.241034] Object at 880069bc4b00, in cache sock_inode_cache size: 960 [ 367.241034] Allocated: [ 367.241034] PID = 4045 [ 367.241034] [] save_stack_trace+0x26/0x50 [ 367.241034] [] save_stack+0x46/0xd0 [ 367.241034] [] kasan_kmalloc+0xad/0xe0 [ 367.241034] [] kasan_slab_alloc+0x12/0x20 [ 367.241034] [] kmem_cache_alloc+0x12b/0x710 [ 367.241034] [] sock_alloc_inode+0x1d/0x250 [ 367.241034] [] alloc_inode+0x61/0x180 [ 367.241034] [] new_inode_pseudo+0x17/0xe0 [ 367.241034] [] sock_alloc+0x41/0x280 [ 367.241034] [] kcm_ioctl+0x9b3/0x13e0 [ 367.241034] [] sock_do_ioctl+0x65/0xb0 [ 367.241034] [] sock_ioctl+0x2d2/0x3d0 [ 367.241034] [] do_vfs_ioctl+0x18c/0x1080 [ 367.241034] [] SyS_ioctl+0x8f/0xc0 [ 367.241034] [] entry_SYSCALL_64_fastpath+0x23/0xc1 [ 367.241034] Freed: [ 367.241034] PID = 4045 [ 367.241034] [] save_stack_trace+0x26/0x50 [ 367.241034] [] save_stack+0x46/0xd0 [ 367.241034] [] kasan_slab_free+0x72/0xc0 [ 367.241034] [] kmem_cache_free+0x76/0x300 [ 367.241034] [] sock_destroy_inode+0x56/0x70 [ 367.241034] [] destroy_inode+0xc7/0x130 [ 367.241034] [] evict+0x329/0x500 [ 367.241034] [] iput+0x495/0x930 [ 367.241034] [] sock_release+0x164/0x1d0 [ 367.241034] [] sock_close+0x16/0x20 [ 367.241034] [] __fput+0x236/0x780 [ 367.241034] [] fput+0x15/0x20 [ 367.241034] [] task_work_run+0xf3/0x170 [ 367.241034] [] do_exit+0x868/0x2c10 [ 367.241034] [] do_group_exit+0x108/0x330 [ 367.241034] [] SyS_exit_group+0x1d/0x20 [ 367.241034] [] entry_SYSCALL_64_fastpath+0x23/0xc1 [ 367.241034] Memory state around the buggy address: [ 367.241034] 880069bc4a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 367.241034] 880069bc4a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 367.241034] >880069bc4b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 367.241034] ^ [ 367.241034] 880069bc4b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 367.241034] 880069bc4c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 367.241034] == It is then followed by a bunch of other bugs, full log is here: https://gist.githubusercontent.com/dvyukov/b9884388bee40b792ae7900928358484/raw/ace2fa242468d584fa61bf753a5891faa71b0932/gistfile1.txt On commit 61c04572de404e52a655a36752e696bbcb483cf5 (Aug 25).