| Message ID | 20221123141546.238297-1-sunhao.th@gmail.com |
|---|---|
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:7300:b599:b0:88:f841:fdc9 with SMTP id
df25csp2166824dyb;
Wed, 23 Nov 2022 06:23:34 -0800 (PST)
X-Google-Smtp-Source:
AA0mqf4DDssyU/jxZ0XIZA6A0CmS6TsmeSlMV4n368eIScYOIafJVpKfvvAlqFBQNGqxQ5OuO26c
X-Received: by 2002:a17:90b:1117:b0:218:f5d3:61f3 with SMTP id
gi23-20020a17090b111700b00218f5d361f3mr667604pjb.222.1669213414017;
Wed, 23 Nov 2022 06:23:34 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1669213414; cv=none;
d=google.com; s=arc-20160816;
b=0Um8TUk5lXH2LtvyWD5IRWoPXVlIvyJNXh9CPNCprjndw8IMADw7Pe3thdS+NEx8Tg
Pu/VrZvT6UjeV0HjRebPFV/dTFi6n2m+Lmxsv/GOcky9qqWPLcS13FnqIdrAkgw3E62m
iO7bQhrtBGzy/AU0rN2HM0mJLE4Fa7Z/Yf5pEXrfRg6Y0HecKBbq2VsfqLJSWHw3GHmw
eEMOJhqM8mKeW3XVQm4UOZsHv98Qs86VS4/7hxnDdqmu9URI6pyOhCfJliP+TLa7o9Kv
vw1+ElfkP++YU3EG234zlNAiyB99omS3/gzKvVeS1SzVi2APA3G8tomlHjpKctoH0rTY
2KBg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature;
bh=ZPNZCVqx31mtDikztq211Dbc1pRPd5HGNTzUeaEK72c=;
b=dwZc7Ghb3glPJ7dyICuvQUVPu4l2ZFpcdXhXxoLqSVcbbrEcGf3Z8QezzEqkjRPEWI
TT9akzGjUmBDuZZCM8Sg2Z21wU/1jdqxBRi2WwenqxbdNIbyo2aTaF/6yUF/7vIz17Nd
qTUwv6bnL10qAQAWOTnTVBmbapy6S+7voF2k9D2KY9VgBdVNjA8xIxuohdzqSUJgMyqm
GfM9jDOJ1L+C6Gsd9VWhjCx2jugDH3Plq0CyE35FPpb4qsPb8dDj5FURv4YsuOqU7yH7
VrkoHzihks5dBbSaVl9gndoxUlzKuXiM3XWJnE6xPOe6SKbDeM5FLdmGVMU82HLTtRZo
shFg==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@gmail.com header.s=20210112 header.b=ZVfLJsgP;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
w5-20020a656945000000b00476bfca38b0si17669026pgq.71.2022.11.23.06.23.18;
Wed, 23 Nov 2022 06:23:33 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@gmail.com header.s=20210112 header.b=ZVfLJsgP;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S238072AbiKWORK (ORCPT <rfc822;fengqi706@gmail.com> + 99 others);
Wed, 23 Nov 2022 09:17:10 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39700 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S237540AbiKWORC (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Wed, 23 Nov 2022 09:17:02 -0500
Received: from mail-pl1-x641.google.com (mail-pl1-x641.google.com
[IPv6:2607:f8b0:4864:20::641])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8651F2F666;
Wed, 23 Nov 2022 06:17:01 -0800 (PST)
Received: by mail-pl1-x641.google.com with SMTP id y10so15571926plp.3;
Wed, 23 Nov 2022 06:17:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20210112;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:from:to:cc:subject:date:message-id:reply-to;
bh=ZPNZCVqx31mtDikztq211Dbc1pRPd5HGNTzUeaEK72c=;
b=ZVfLJsgPk7f9+OMsyl4CDfSaqNupDovYHjPZt9cK2t+9yRTyjeGujKnY+1SNZLd6vd
mfDGF5Ysq1pCHqynHh3YX+3tlllzedt/xWl+K/Gw90s+9CS0p01Letxj7s7OeCtdf7zO
x0wHZhWdlk/7VnGN66CWmGs5cOnTRmIRaBnfhiXvgY6Ttfnr6Qh2RDBBrqYda1CSH0ST
+R/nyEQlYKQH6KBs9UMSu5arf9NYoMvZ3vCkFgmn0PtXZMvumADk8iLJXfddjOZY7HmY
CmxmaQc2jcgeBNt3VP1jsF38BFvIFUezQeKC5Qx1mWtKMl+yBiB19gVbblYAN0zbsmzK
0a7A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:x-gm-message-state:from:to:cc:subject:date:message-id
:reply-to;
bh=ZPNZCVqx31mtDikztq211Dbc1pRPd5HGNTzUeaEK72c=;
b=fbxaXf42jQS5xzmQtrF9H5hTul15uzcKr1HERXpS0dIDOM+Ao8c5GNW8uLpHEmZ6UQ
Nqa54gcz6eARrGWgkp8cbvlzaLLTVDGuzmUqIfCmbL4nrtVqbMA1RHD806lPuh7uBb5y
cXOUVB0HTTfBKIr370Go97WKkCt8S8+dM65Ao7s1BW+kfBDwlaaMAa34jkh0wSwDTfNM
/vLOBOXsXeVv/jcZ5cED3j6dEqljfaE18VzgViUZBp6s1ZKlp1eHujjXp7lSakGCFXmA
f4YfgVMzK8qugBotkNzfPElYnzvfxRQFmOjsdOjqxwDyGAAOFc/j8NpKEsGQsqcbImE2
x0bA==
X-Gm-Message-State: ANoB5pnu9B/Ly3U+InVxaqNgU/MqArxM8emv7MN2aow4CMYCwUpEE3DI
wN3GnGaUt0RgWBLaJd4+s8pS0R2VaDVf
X-Received: by 2002:a17:902:e484:b0:189:3b9d:59bd with SMTP id
i4-20020a170902e48400b001893b9d59bdmr5269161ple.81.1669213020727;
Wed, 23 Nov 2022 06:17:00 -0800 (PST)
Received: from pc.localdomain ([166.111.83.15])
by smtp.gmail.com with ESMTPSA id
w4-20020a170902e88400b001868ed86a95sm14371878plg.174.2022.11.23.06.16.57
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Wed, 23 Nov 2022 06:17:00 -0800 (PST)
From: Hao Sun <sunhao.th@gmail.com>
To: bpf@vger.kernel.org
Cc: ast@kernel.org, daniel@iogearbox.net, john.fastabend@gmail.com,
andrii@kernel.org, martin.lau@linux.dev, song@kernel.org,
yhs@fb.com, kpsingh@kernel.org, sdf@google.com, haoluo@google.com,
jolsa@kernel.org, davem@davemloft.net,
linux-kernel@vger.kernel.org, Hao Sun <sunhao.th@gmail.com>
Subject: [PATCH bpf-next 0/3] bpf: Add LDX/STX/ST sanitize in jited BPF progs
Date: Wed, 23 Nov 2022 22:15:43 +0800
Message-Id: <20221123141546.238297-1-sunhao.th@gmail.com>
X-Mailer: git-send-email 2.38.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-0.4 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,
RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,URIBL_BLACK,
URIBL_DBL_ABUSE_REDIR autolearn=no autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1750297124839471741?=
X-GMAIL-MSGID: =?utf-8?q?1750297124839471741?=
|
| Series |
bpf: Add LDX/STX/ST sanitize in jited BPF progs
|
|
Message
Hao Sun
Nov. 23, 2022, 2:15 p.m. UTC
The verifier sometimes makes mistakes[1][2] that may be exploited to achieve arbitrary read/write. Currently, syzbot is continuously testing bpf, and can find memory issues in bpf syscalls, but it can hardly find mischecking/bugs in the verifier. We need runtime checks like KASAN in BPF programs for this. This patch series implements address sanitize in jited BPF progs for testing purpose, so that tools like syzbot can find interesting bugs in the verifier automatically by, if possible, generating and executing BPF programs that bypass the verifier but have memory issues, then triggering this sanitizing. The idea is to dispatch read/write addr of a BPF program to the kernel functions that are instrumented by KASAN, to achieve indirect checking. Indirect checking is adopted because this is much simple, instrument direct checking like compilers makes the jit much more complex. The main step is: back up R0&R1 and store addr in R1, and then insert the checking function before load/store insns, during bpf_misc_fixup(), and finally in the jit stage, backup R1~R5 to make sure the checking funcs won't corrupt regs states. An extra Kconfig option is used to enable this, so normal use case won't be impacted at all. Also, not all ldx/stx/st are instrumented. Insns rewrote by other fixup or conversion passes that use BPF_REG_AX are skipped, because that conflicts with us; insns whose access addr is specified by R10 are also skipped because they are trivial to verify. Patch1 sanitizes st/stx insns, and Patch2 sanitizes ldx insns, Patch3 adds selftests for instrumentation in each possible case, and all new/existing selftests for the verifier can pass. Also, a BPF prog that also exploits CVE-2022-23222 to achieve OOB read is provided[3], this can be perfertly captured with this patch series. I haven't found a better way to back up the regs before executing the checking functions, and have to store them on the stack. Comments and advice are surely welcome. [1] http://bit.do/CVE-2021-3490 [2] http://bit.do/CVE-2022-23222 [3] OOB-read: https://pastebin.com/raw/Ee1Cw492 Hao Sun (3): bpf: Sanitize STX/ST in jited BPF progs with KASAN bpf: Sanitize LDX in jited BPF progs with KASAN selftests/bpf: Add tests for LDX/STX/ST sanitize arch/x86/net/bpf_jit_comp.c | 34 ++ include/linux/bpf.h | 14 + kernel/bpf/Kconfig | 14 + kernel/bpf/verifier.c | 190 +++++++++++ .../selftests/bpf/verifier/sanitize_st_ldx.c | 323 ++++++++++++++++++ 5 files changed, 575 insertions(+) create mode 100644 tools/testing/selftests/bpf/verifier/sanitize_st_ldx.c base-commit: 8a2162a9227dda936a21fe72014a9931a3853a7b
Comments
On 11/23/22 3:15 PM, Hao Sun wrote: > The verifier sometimes makes mistakes[1][2] that may be exploited to > achieve arbitrary read/write. Currently, syzbot is continuously testing > bpf, and can find memory issues in bpf syscalls, but it can hardly find > mischecking/bugs in the verifier. We need runtime checks like KASAN in > BPF programs for this. This patch series implements address sanitize > in jited BPF progs for testing purpose, so that tools like syzbot can > find interesting bugs in the verifier automatically by, if possible, > generating and executing BPF programs that bypass the verifier but have > memory issues, then triggering this sanitizing. > > The idea is to dispatch read/write addr of a BPF program to the kernel > functions that are instrumented by KASAN, to achieve indirect checking. > Indirect checking is adopted because this is much simple, instrument > direct checking like compilers makes the jit much more complex. The > main step is: back up R0&R1 and store addr in R1, and then insert the > checking function before load/store insns, during bpf_misc_fixup(), and > finally in the jit stage, backup R1~R5 to make sure the checking funcs > won't corrupt regs states. An extra Kconfig option is used to enable > this, so normal use case won't be impacted at all. Thanks for looking into this! It's a bit unfortunate that this will need changes in every BPF JIT. Have you thought about a generic solution which would not require changes in JITs? Given this is for debugging and finding mischecking/bugs in the verifier, can't we reuse interpreter for this and only implement it there? I would be curious if we could achieve the same result from [3] with such approach. > Also, not all ldx/stx/st are instrumented. Insns rewrote by other fixup > or conversion passes that use BPF_REG_AX are skipped, because that > conflicts with us; insns whose access addr is specified by R10 are also > skipped because they are trivial to verify. > > Patch1 sanitizes st/stx insns, and Patch2 sanitizes ldx insns, Patch3 adds > selftests for instrumentation in each possible case, and all new/existing > selftests for the verifier can pass. Also, a BPF prog that also exploits > CVE-2022-23222 to achieve OOB read is provided[3], this can be perfertly > captured with this patch series. > > I haven't found a better way to back up the regs before executing the > checking functions, and have to store them on the stack. Comments and > advice are surely welcome. > > [1] http://bit.do/CVE-2021-3490 > [2] http://bit.do/CVE-2022-23222 > [3] OOB-read: https://pastebin.com/raw/Ee1Cw492 > > Hao Sun (3): > bpf: Sanitize STX/ST in jited BPF progs with KASAN > bpf: Sanitize LDX in jited BPF progs with KASAN > selftests/bpf: Add tests for LDX/STX/ST sanitize > > arch/x86/net/bpf_jit_comp.c | 34 ++ > include/linux/bpf.h | 14 + > kernel/bpf/Kconfig | 14 + > kernel/bpf/verifier.c | 190 +++++++++++ > .../selftests/bpf/verifier/sanitize_st_ldx.c | 323 ++++++++++++++++++ > 5 files changed, 575 insertions(+) > create mode 100644 tools/testing/selftests/bpf/verifier/sanitize_st_ldx.c > > > base-commit: 8a2162a9227dda936a21fe72014a9931a3853a7b > Thanks, Daniel
Daniel Borkmann <daniel@iogearbox.net> 于2022年11月24日周四 07:41写道: > > On 11/23/22 3:15 PM, Hao Sun wrote: > > The verifier sometimes makes mistakes[1][2] that may be exploited to > > achieve arbitrary read/write. Currently, syzbot is continuously testing > > bpf, and can find memory issues in bpf syscalls, but it can hardly find > > mischecking/bugs in the verifier. We need runtime checks like KASAN in > > BPF programs for this. This patch series implements address sanitize > > in jited BPF progs for testing purpose, so that tools like syzbot can > > find interesting bugs in the verifier automatically by, if possible, > > generating and executing BPF programs that bypass the verifier but have > > memory issues, then triggering this sanitizing. > > > > The idea is to dispatch read/write addr of a BPF program to the kernel > > functions that are instrumented by KASAN, to achieve indirect checking. > > Indirect checking is adopted because this is much simple, instrument > > direct checking like compilers makes the jit much more complex. The > > main step is: back up R0&R1 and store addr in R1, and then insert the > > checking function before load/store insns, during bpf_misc_fixup(), and > > finally in the jit stage, backup R1~R5 to make sure the checking funcs > > won't corrupt regs states. An extra Kconfig option is used to enable > > this, so normal use case won't be impacted at all. > > Thanks for looking into this! It's a bit unfortunate that this will need > changes in every BPF JIT. Have you thought about a generic solution which > would not require changes in JITs? Given this is for debugging and finding > mischecking/bugs in the verifier, can't we reuse interpreter for this and > only implement it there? I would be curious if we could achieve the same > result from [3] with such approach. > Hi Daniel, Thanks for taking a look. The reason I choose to do this in jited progs is because JIT is used in most real cases, so does testing/fuzzing, e.g., syzbot test BPF with JIT_ALWAYS_ON=y. Also, a BPF program generated by fuzzers or other tools is likely need to be run hundred times with random inputs to trigger potential issues in it and be captured by sanitize, so JIT makes this much faster. We don't need changes in every BPF JIT I believe, supporting X86_64 and Arm64 would be enough, and the only thing need to be done there is to backup regs on stack before calling checking functions. Also, I'm wondering if anyone knows how to better make sure the checking function won't corrupt scratch regs' states, e.g., a flag to force compiler to push scratch regs before using them, during gen code for those funcs. If this is feasible, the changes to JIT can be completely removed, and fixup in the verifier would be enough. Regards Hao > > Also, not all ldx/stx/st are instrumented. Insns rewrote by other fixup > > or conversion passes that use BPF_REG_AX are skipped, because that > > conflicts with us; insns whose access addr is specified by R10 are also > > skipped because they are trivial to verify. > > > > Patch1 sanitizes st/stx insns, and Patch2 sanitizes ldx insns, Patch3 adds > > selftests for instrumentation in each possible case, and all new/existing > > selftests for the verifier can pass. Also, a BPF prog that also exploits > > CVE-2022-23222 to achieve OOB read is provided[3], this can be perfertly > > captured with this patch series. > > > > I haven't found a better way to back up the regs before executing the > > checking functions, and have to store them on the stack. Comments and > > advice are surely welcome. > > > > [1] http://bit.do/CVE-2021-3490 > > [2] http://bit.do/CVE-2022-23222 > > [3] OOB-read: https://pastebin.com/raw/Ee1Cw492 > > > > Hao Sun (3): > > bpf: Sanitize STX/ST in jited BPF progs with KASAN > > bpf: Sanitize LDX in jited BPF progs with KASAN > > selftests/bpf: Add tests for LDX/STX/ST sanitize > > > > arch/x86/net/bpf_jit_comp.c | 34 ++ > > include/linux/bpf.h | 14 + > > kernel/bpf/Kconfig | 14 + > > kernel/bpf/verifier.c | 190 +++++++++++ > > .../selftests/bpf/verifier/sanitize_st_ldx.c | 323 ++++++++++++++++++ > > 5 files changed, 575 insertions(+) > > create mode 100644 tools/testing/selftests/bpf/verifier/sanitize_st_ldx.c > > > > > > base-commit: 8a2162a9227dda936a21fe72014a9931a3853a7b > > > > Thanks, > Daniel
Hao Sun <sunhao.th@gmail.com> 于2022年11月24日周四 11:05写道: > > Daniel Borkmann <daniel@iogearbox.net> 于2022年11月24日周四 07:41写道: > > > > On 11/23/22 3:15 PM, Hao Sun wrote: > > > The verifier sometimes makes mistakes[1][2] that may be exploited to > > > achieve arbitrary read/write. Currently, syzbot is continuously testing > > > bpf, and can find memory issues in bpf syscalls, but it can hardly find > > > mischecking/bugs in the verifier. We need runtime checks like KASAN in > > > BPF programs for this. This patch series implements address sanitize > > > in jited BPF progs for testing purpose, so that tools like syzbot can > > > find interesting bugs in the verifier automatically by, if possible, > > > generating and executing BPF programs that bypass the verifier but have > > > memory issues, then triggering this sanitizing. > > > > > > The idea is to dispatch read/write addr of a BPF program to the kernel > > > functions that are instrumented by KASAN, to achieve indirect checking. > > > Indirect checking is adopted because this is much simple, instrument > > > direct checking like compilers makes the jit much more complex. The > > > main step is: back up R0&R1 and store addr in R1, and then insert the > > > checking function before load/store insns, during bpf_misc_fixup(), and > > > finally in the jit stage, backup R1~R5 to make sure the checking funcs > > > won't corrupt regs states. An extra Kconfig option is used to enable > > > this, so normal use case won't be impacted at all. > > > > Thanks for looking into this! It's a bit unfortunate that this will need > > changes in every BPF JIT. Have you thought about a generic solution which > > would not require changes in JITs? Given this is for debugging and finding > > mischecking/bugs in the verifier, can't we reuse interpreter for this and > > only implement it there? I would be curious if we could achieve the same > > result from [3] with such approach. > > > > Hi Daniel, > > Thanks for taking a look. The reason I choose to do this in jited progs is > because JIT is used in most real cases, so does testing/fuzzing, e.g., > syzbot test BPF with JIT_ALWAYS_ON=y. Also, a BPF program generated > by fuzzers or other tools is likely need to be run hundred times with random > inputs to trigger potential issues in it and be captured by sanitize, so JIT > makes this much faster. > > We don't need changes in every BPF JIT I believe, supporting X86_64 > and Arm64 would be enough, and the only thing need to be done there > is to backup regs on stack before calling checking functions. > Also, I'm wondering if anyone knows how to better make sure the checking > function won't corrupt scratch regs' states, e.g., a flag to force compiler to > push scratch regs before using them, during gen code for those funcs. > If this is feasible, the changes to JIT can be completely removed, and > fixup in the verifier would be enough. > I think we can extend BPF prog's stack size in this mode, then backup all the scratch regs to those free space. This way, everything just happens in BPF insn level, we don't need to change JIT at all. I will send patch v2 for this. > Regards > Hao > > > > Also, not all ldx/stx/st are instrumented. Insns rewrote by other fixup > > > or conversion passes that use BPF_REG_AX are skipped, because that > > > conflicts with us; insns whose access addr is specified by R10 are also > > > skipped because they are trivial to verify. > > > > > > Patch1 sanitizes st/stx insns, and Patch2 sanitizes ldx insns, Patch3 adds > > > selftests for instrumentation in each possible case, and all new/existing > > > selftests for the verifier can pass. Also, a BPF prog that also exploits > > > CVE-2022-23222 to achieve OOB read is provided[3], this can be perfertly > > > captured with this patch series. > > > > > > I haven't found a better way to back up the regs before executing the > > > checking functions, and have to store them on the stack. Comments and > > > advice are surely welcome. > > > > > > [1] http://bit.do/CVE-2021-3490 > > > [2] http://bit.do/CVE-2022-23222 > > > [3] OOB-read: https://pastebin.com/raw/Ee1Cw492 > > > > > > Hao Sun (3): > > > bpf: Sanitize STX/ST in jited BPF progs with KASAN > > > bpf: Sanitize LDX in jited BPF progs with KASAN > > > selftests/bpf: Add tests for LDX/STX/ST sanitize > > > > > > arch/x86/net/bpf_jit_comp.c | 34 ++ > > > include/linux/bpf.h | 14 + > > > kernel/bpf/Kconfig | 14 + > > > kernel/bpf/verifier.c | 190 +++++++++++ > > > .../selftests/bpf/verifier/sanitize_st_ldx.c | 323 ++++++++++++++++++ > > > 5 files changed, 575 insertions(+) > > > create mode 100644 tools/testing/selftests/bpf/verifier/sanitize_st_ldx.c > > > > > > > > > base-commit: 8a2162a9227dda936a21fe72014a9931a3853a7b > > > > > > > Thanks, > > Daniel