qemu: fix CVE-2022-0216

Backport required patches to fix CVE-2022-0216. (From OE-Core rev: 938c69e9ca550038fdb2ee3a39d20b58bb98417d) Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Sakib Sajal <sakib.sajal@windriver.com> 2022-08-22 15:15:37 -0400
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-08-23 15:24:11 +0100
commit: dfc3931eb060336279e6e5ce9c254166d453cb91 (patch)
tree: f9e8364dfbdb430c3a2ca913a82aeefd0de078db
parent: 469171399184dbb03d46617ebe6e66aae3f330f7 (diff)
download: poky-dfc3931eb060336279e6e5ce9c254166d453cb91.tar.gz
3 files changed, 190 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 9fdb8c6428..56fc7aaf55 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -31,6 +31,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2022-35414.patch \
           file://CVE-2021-3507_1.patch \
           file://CVE-2021-3507_2.patch \
+           file://CVE-2022-0216_1.patch \
+           file://CVE-2022-0216_2.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch
new file mode 100644
index 0000000000..56fc34ce5a
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch
@@ -0,0 +1,42 @@
+From f37ac8619a39498edd225c4a0b3039b28814833d Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Tue, 5 Jul 2022 22:05:43 +0200
+Subject: [PATCH 1/2] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout
+ (CVE-2022-0216)
+Set current_req->req to NULL to prevent reusing a free'd buffer in case of
+repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch.
+Fixes: CVE-2022-0216
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Message-Id: <20220705200543.2366809-1-mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Upstream-Status: Backport [6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8]
+CVE: CVE-2022-0216
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/scsi/lsi53c895a.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index c8773f73f..99ea42d49 100644
+--- a/hw/scsi/lsi53c895a.c
+++ b/hw/scsi/lsi53c895a.c
+@@ -1028,8 +1028,9 @@ static void lsi_do_msgout(LSIState *s)
+         case 0x0d:
+             /* The ABORT TAG message clears the current I/O process only. */
+             trace_lsi_do_msgout_abort(current_tag);
+-            if (current_req) {
+            if (current_req && current_req->req) {
+                 scsi_req_cancel(current_req->req);
+                current_req->req = NULL;
+             }
+             lsi_disconnect(s);
+             break;
+-- 
+2.33.0
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch
new file mode 100644
index 0000000000..f332154b6a
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch
@@ -0,0 +1,146 @@
+From 5451bf6db85ce3da1238e9154d051ebccec8f171 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Mon, 11 Jul 2022 14:33:16 +0200
+Subject: [PATCH 2/2] scsi/lsi53c895a: really fix use-after-free in
+ lsi_do_msgout (CVE-2022-0216)
+Set current_req to NULL, not current_req->req, to prevent reusing a free'd
+buffer in case of repeated SCSI cancel requests.  Also apply the fix to
+CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel
+the request.
+Thanks to Alexander Bulekov for providing a reproducer.
+Fixes: CVE-2022-0216
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Message-Id: <20220711123316.421279-1-mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Upstream-Status: Backport [4367a20cc442c56b05611b4224de9a61908f9eac]
+CVE: CVE-2022-0216
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/scsi/lsi53c895a.c               |  3 +-
+ tests/qtest/fuzz-lsi53c895a-test.c | 76 ++++++++++++++++++++++++++++++
+ 2 files changed, 78 insertions(+), 1 deletion(-)
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index 99ea42d49..ad5f5e5f3 100644
+--- a/hw/scsi/lsi53c895a.c
+++ b/hw/scsi/lsi53c895a.c
+@@ -1030,7 +1030,7 @@ static void lsi_do_msgout(LSIState *s)
+             trace_lsi_do_msgout_abort(current_tag);
+             if (current_req && current_req->req) {
+                 scsi_req_cancel(current_req->req);
+-                current_req->req = NULL;
+                current_req = NULL;
+             }
+             lsi_disconnect(s);
+             break;
+@@ -1056,6 +1056,7 @@ static void lsi_do_msgout(LSIState *s)
+             /* clear the current I/O process */
+             if (s->current) {
+                 scsi_req_cancel(s->current->req);
+                current_req = NULL;
+             }
+ 
+             /* As the current implemented devices scsi_disk and scsi_generic
+diff --git a/tests/qtest/fuzz-lsi53c895a-test.c b/tests/qtest/fuzz-lsi53c895a-test.c
+index ba5d46897..c1af0ab1c 100644
+--- a/tests/qtest/fuzz-lsi53c895a-test.c
+++ b/tests/qtest/fuzz-lsi53c895a-test.c
+@@ -8,6 +8,79 @@
+ #include "qemu/osdep.h"
+ #include "libqos/libqtest.h"
+ 
+/*
+ * This used to trigger a UAF in lsi_do_msgout()
+ * https://gitlab.com/qemu-project/qemu/-/issues/972
+ */
+static void test_lsi_do_msgout_cancel_req(void)
+{
+    QTestState *s;
+
+    if (sizeof(void *) == 4) {
+        g_test_skip("memory size too big for 32-bit build");
+        return;
+    }
+
+    s = qtest_init("-M q35 -m 4G -display none -nodefaults "
+                   "-device lsi53c895a,id=scsi "
+                   "-device scsi-hd,drive=disk0 "
+                   "-drive file=null-co://,id=disk0,if=none,format=raw");
+
+    qtest_outl(s, 0xcf8, 0x80000810);
+    qtest_outl(s, 0xcf8, 0xc000);
+    qtest_outl(s, 0xcf8, 0x80000810);
+    qtest_outw(s, 0xcfc, 0x7);
+    qtest_outl(s, 0xcf8, 0x80000810);
+    qtest_outl(s, 0xcfc, 0xc000);
+    qtest_outl(s, 0xcf8, 0x80000804);
+    qtest_outw(s, 0xcfc, 0x05);
+    qtest_writeb(s, 0x69736c10, 0x08);
+    qtest_writeb(s, 0x69736c13, 0x58);
+    qtest_writeb(s, 0x69736c1a, 0x01);
+    qtest_writeb(s, 0x69736c1b, 0x06);
+    qtest_writeb(s, 0x69736c22, 0x01);
+    qtest_writeb(s, 0x69736c23, 0x07);
+    qtest_writeb(s, 0x69736c2b, 0x02);
+    qtest_writeb(s, 0x69736c48, 0x08);
+    qtest_writeb(s, 0x69736c4b, 0x58);
+    qtest_writeb(s, 0x69736c52, 0x04);
+    qtest_writeb(s, 0x69736c53, 0x06);
+    qtest_writeb(s, 0x69736c5b, 0x02);
+    qtest_outl(s, 0xc02d, 0x697300);
+    qtest_writeb(s, 0x5a554662, 0x01);
+    qtest_writeb(s, 0x5a554663, 0x07);
+    qtest_writeb(s, 0x5a55466a, 0x10);
+    qtest_writeb(s, 0x5a55466b, 0x22);
+    qtest_writeb(s, 0x5a55466c, 0x5a);
+    qtest_writeb(s, 0x5a55466d, 0x5a);
+    qtest_writeb(s, 0x5a55466e, 0x34);
+    qtest_writeb(s, 0x5a55466f, 0x5a);
+    qtest_writeb(s, 0x5a345a5a, 0x77);
+    qtest_writeb(s, 0x5a345a5b, 0x55);
+    qtest_writeb(s, 0x5a345a5c, 0x51);
+    qtest_writeb(s, 0x5a345a5d, 0x27);
+    qtest_writeb(s, 0x27515577, 0x41);
+    qtest_outl(s, 0xc02d, 0x5a5500);
+    qtest_writeb(s, 0x364001d0, 0x08);
+    qtest_writeb(s, 0x364001d3, 0x58);
+    qtest_writeb(s, 0x364001da, 0x01);
+    qtest_writeb(s, 0x364001db, 0x26);
+    qtest_writeb(s, 0x364001dc, 0x0d);
+    qtest_writeb(s, 0x364001dd, 0xae);
+    qtest_writeb(s, 0x364001de, 0x41);
+    qtest_writeb(s, 0x364001df, 0x5a);
+    qtest_writeb(s, 0x5a41ae0d, 0xf8);
+    qtest_writeb(s, 0x5a41ae0e, 0x36);
+    qtest_writeb(s, 0x5a41ae0f, 0xd7);
+    qtest_writeb(s, 0x5a41ae10, 0x36);
+    qtest_writeb(s, 0x36d736f8, 0x0c);
+    qtest_writeb(s, 0x36d736f9, 0x80);
+    qtest_writeb(s, 0x36d736fa, 0x0d);
+    qtest_outl(s, 0xc02d, 0x364000);
+
+    qtest_quit(s);
+}
+
+ /*
+  * This used to trigger the assert in lsi_do_dma()
+  * https://bugs.launchpad.net/qemu/+bug/697510
+@@ -48,5 +121,8 @@ int main(int argc, char **argv)
+                        test_lsi_do_dma_empty_queue);
+     }
+ 
+    qtest_add_func("fuzz/lsi53c895a/lsi_do_msgout_cancel_req",
+                   test_lsi_do_msgout_cancel_req);
+
+     return g_test_run();
+ }
+-- 
+2.33.0
author	Sakib Sajal <sakib.sajal@windriver.com>	2022-08-22 15:15:37 -0400
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-08-23 15:24:11 +0100
commit	dfc3931eb060336279e6e5ce9c254166d453cb91 (patch)
tree	f9e8364dfbdb430c3a2ca913a82aeefd0de078db
parent	469171399184dbb03d46617ebe6e66aae3f330f7 (diff)
download	poky-dfc3931eb060336279e6e5ce9c254166d453cb91.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 9fdb8c6428..56fc7aaf55 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -31,6 +31,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
31	file://CVE-2022-35414.patch \	31	file://CVE-2022-35414.patch \
32	file://CVE-2021-3507_1.patch \	32	file://CVE-2021-3507_1.patch \
33	file://CVE-2021-3507_2.patch \	33	file://CVE-2021-3507_2.patch \
		34	file://CVE-2022-0216_1.patch \
		35	file://CVE-2022-0216_2.patch \
34	"	36	"
35	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	37	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
36		38


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch new file mode 100644 index 0000000000..56fc34ce5a --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch
@@ -0,0 +1,42 @@
		1	From f37ac8619a39498edd225c4a0b3039b28814833d Mon Sep 17 00:00:00 2001
		2	From: Mauro Matteo Cascella <mcascell@redhat.com>
		3	Date: Tue, 5 Jul 2022 22:05:43 +0200
		4	Subject: [PATCH 1/2] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout
		5	(CVE-2022-0216)
		6
		7	Set current_req->req to NULL to prevent reusing a free'd buffer in case of
		8	repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch.
		9
		10	Fixes: CVE-2022-0216
		11	Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
		12	Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
		13	Reviewed-by: Thomas Huth <thuth@redhat.com>
		14	Message-Id: <20220705200543.2366809-1-mcascell@redhat.com>
		15	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
		16
		17	Upstream-Status: Backport [6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8]
		18	CVE: CVE-2022-0216
		19
		20	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
		21	---
		22	hw/scsi/lsi53c895a.c \| 3 ++-
		23	1 file changed, 2 insertions(+), 1 deletion(-)
		24
		25	diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
		26	index c8773f73f..99ea42d49 100644
		27	--- a/hw/scsi/lsi53c895a.c
		28	+++ b/hw/scsi/lsi53c895a.c
		29	@@ -1028,8 +1028,9 @@ static void lsi_do_msgout(LSIState *s)
		30	case 0x0d:
		31	/* The ABORT TAG message clears the current I/O process only. */
		32	trace_lsi_do_msgout_abort(current_tag);
		33	- if (current_req) {
		34	+ if (current_req && current_req->req) {
		35	scsi_req_cancel(current_req->req);
		36	+ current_req->req = NULL;
		37	}
		38	lsi_disconnect(s);
		39	break;
		40	--
		41	2.33.0
		42


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch new file mode 100644 index 0000000000..f332154b6a --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch
@@ -0,0 +1,146 @@
		1	From 5451bf6db85ce3da1238e9154d051ebccec8f171 Mon Sep 17 00:00:00 2001
		2	From: Mauro Matteo Cascella <mcascell@redhat.com>
		3	Date: Mon, 11 Jul 2022 14:33:16 +0200
		4	Subject: [PATCH 2/2] scsi/lsi53c895a: really fix use-after-free in
		5	lsi_do_msgout (CVE-2022-0216)
		6
		7	Set current_req to NULL, not current_req->req, to prevent reusing a free'd
		8	buffer in case of repeated SCSI cancel requests. Also apply the fix to
		9	CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel
		10	the request.
		11
		12	Thanks to Alexander Bulekov for providing a reproducer.
		13
		14	Fixes: CVE-2022-0216
		15	Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
		16	Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
		17	Tested-by: Alexander Bulekov <alxndr@bu.edu>
		18	Message-Id: <20220711123316.421279-1-mcascell@redhat.com>
		19	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
		20
		21	Upstream-Status: Backport [4367a20cc442c56b05611b4224de9a61908f9eac]
		22	CVE: CVE-2022-0216
		23
		24	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
		25	---
		26	hw/scsi/lsi53c895a.c \| 3 +-
		27	tests/qtest/fuzz-lsi53c895a-test.c \| 76 ++++++++++++++++++++++++++++++
		28	2 files changed, 78 insertions(+), 1 deletion(-)
		29
		30	diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
		31	index 99ea42d49..ad5f5e5f3 100644
		32	--- a/hw/scsi/lsi53c895a.c
		33	+++ b/hw/scsi/lsi53c895a.c
		34	@@ -1030,7 +1030,7 @@ static void lsi_do_msgout(LSIState *s)
		35	trace_lsi_do_msgout_abort(current_tag);
		36	if (current_req && current_req->req) {
		37	scsi_req_cancel(current_req->req);
		38	- current_req->req = NULL;
		39	+ current_req = NULL;
		40	}
		41	lsi_disconnect(s);
		42	break;
		43	@@ -1056,6 +1056,7 @@ static void lsi_do_msgout(LSIState *s)
		44	/* clear the current I/O process */
		45	if (s->current) {
		46	scsi_req_cancel(s->current->req);
		47	+ current_req = NULL;
		48	}
		49
		50	/* As the current implemented devices scsi_disk and scsi_generic
		51	diff --git a/tests/qtest/fuzz-lsi53c895a-test.c b/tests/qtest/fuzz-lsi53c895a-test.c
		52	index ba5d46897..c1af0ab1c 100644
		53	--- a/tests/qtest/fuzz-lsi53c895a-test.c
		54	+++ b/tests/qtest/fuzz-lsi53c895a-test.c
		55	@@ -8,6 +8,79 @@
		56	#include "qemu/osdep.h"
		57	#include "libqos/libqtest.h"
		58
		59	+/*
		60	+ * This used to trigger a UAF in lsi_do_msgout()
		61	+ * https://gitlab.com/qemu-project/qemu/-/issues/972
		62	+ */
		63	+static void test_lsi_do_msgout_cancel_req(void)
		64	+{
		65	+ QTestState *s;
		66	+
		67	+ if (sizeof(void *) == 4) {
		68	+ g_test_skip("memory size too big for 32-bit build");
		69	+ return;
		70	+ }
		71	+
		72	+ s = qtest_init("-M q35 -m 4G -display none -nodefaults "
		73	+ "-device lsi53c895a,id=scsi "
		74	+ "-device scsi-hd,drive=disk0 "
		75	+ "-drive file=null-co://,id=disk0,if=none,format=raw");
		76	+
		77	+ qtest_outl(s, 0xcf8, 0x80000810);
		78	+ qtest_outl(s, 0xcf8, 0xc000);
		79	+ qtest_outl(s, 0xcf8, 0x80000810);
		80	+ qtest_outw(s, 0xcfc, 0x7);
		81	+ qtest_outl(s, 0xcf8, 0x80000810);
		82	+ qtest_outl(s, 0xcfc, 0xc000);
		83	+ qtest_outl(s, 0xcf8, 0x80000804);
		84	+ qtest_outw(s, 0xcfc, 0x05);
		85	+ qtest_writeb(s, 0x69736c10, 0x08);
		86	+ qtest_writeb(s, 0x69736c13, 0x58);
		87	+ qtest_writeb(s, 0x69736c1a, 0x01);
		88	+ qtest_writeb(s, 0x69736c1b, 0x06);
		89	+ qtest_writeb(s, 0x69736c22, 0x01);
		90	+ qtest_writeb(s, 0x69736c23, 0x07);
		91	+ qtest_writeb(s, 0x69736c2b, 0x02);
		92	+ qtest_writeb(s, 0x69736c48, 0x08);
		93	+ qtest_writeb(s, 0x69736c4b, 0x58);
		94	+ qtest_writeb(s, 0x69736c52, 0x04);
		95	+ qtest_writeb(s, 0x69736c53, 0x06);
		96	+ qtest_writeb(s, 0x69736c5b, 0x02);
		97	+ qtest_outl(s, 0xc02d, 0x697300);
		98	+ qtest_writeb(s, 0x5a554662, 0x01);
		99	+ qtest_writeb(s, 0x5a554663, 0x07);
		100	+ qtest_writeb(s, 0x5a55466a, 0x10);
		101	+ qtest_writeb(s, 0x5a55466b, 0x22);
		102	+ qtest_writeb(s, 0x5a55466c, 0x5a);
		103	+ qtest_writeb(s, 0x5a55466d, 0x5a);
		104	+ qtest_writeb(s, 0x5a55466e, 0x34);
		105	+ qtest_writeb(s, 0x5a55466f, 0x5a);
		106	+ qtest_writeb(s, 0x5a345a5a, 0x77);
		107	+ qtest_writeb(s, 0x5a345a5b, 0x55);
		108	+ qtest_writeb(s, 0x5a345a5c, 0x51);
		109	+ qtest_writeb(s, 0x5a345a5d, 0x27);
		110	+ qtest_writeb(s, 0x27515577, 0x41);
		111	+ qtest_outl(s, 0xc02d, 0x5a5500);
		112	+ qtest_writeb(s, 0x364001d0, 0x08);
		113	+ qtest_writeb(s, 0x364001d3, 0x58);
		114	+ qtest_writeb(s, 0x364001da, 0x01);
		115	+ qtest_writeb(s, 0x364001db, 0x26);
		116	+ qtest_writeb(s, 0x364001dc, 0x0d);
		117	+ qtest_writeb(s, 0x364001dd, 0xae);
		118	+ qtest_writeb(s, 0x364001de, 0x41);
		119	+ qtest_writeb(s, 0x364001df, 0x5a);
		120	+ qtest_writeb(s, 0x5a41ae0d, 0xf8);
		121	+ qtest_writeb(s, 0x5a41ae0e, 0x36);
		122	+ qtest_writeb(s, 0x5a41ae0f, 0xd7);
		123	+ qtest_writeb(s, 0x5a41ae10, 0x36);
		124	+ qtest_writeb(s, 0x36d736f8, 0x0c);
		125	+ qtest_writeb(s, 0x36d736f9, 0x80);
		126	+ qtest_writeb(s, 0x36d736fa, 0x0d);
		127	+ qtest_outl(s, 0xc02d, 0x364000);
		128	+
		129	+ qtest_quit(s);
		130	+}
		131	+
		132	/*
		133	* This used to trigger the assert in lsi_do_dma()
		134	* https://bugs.launchpad.net/qemu/+bug/697510
		135	@@ -48,5 +121,8 @@ int main(int argc, char **argv)
		136	test_lsi_do_dma_empty_queue);
		137	}
		138
		139	+ qtest_add_func("fuzz/lsi53c895a/lsi_do_msgout_cancel_req",
		140	+ test_lsi_do_msgout_cancel_req);
		141	+
		142	return g_test_run();
		143	}
		144	--
		145	2.33.0
		146