Date
Nov. 20, 2024, 6:35 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

[ 35.779585] ==================================================================
[ 35.780804] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2cc/0x2f8
[ 35.781613] Read of size 1 at addr fff00000c64d0000 by task kunit_try_catch/137
[ 35.782209]
[ 35.782859] CPU: 0 UID: 0 PID: 137 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241120 #1
[ 35.784176] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 35.785103] Hardware name: linux,dummy-virt (DT)
[ 35.786057] Call trace:
[ 35.786371]  show_stack+0x20/0x38 (C)
[ 35.786854]  dump_stack_lvl+0x8c/0xd0
[ 35.787268]  print_report+0x118/0x5e0
[ 35.787649]  kasan_report+0xc8/0x118
[ 35.789006]  __asan_report_load1_noabort+0x20/0x30
[ 35.789660]  kmalloc_large_uaf+0x2cc/0x2f8
[ 35.790519]  kunit_try_run_case+0x14c/0x3d0
[ 35.791183]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 35.791719]  kthread+0x24c/0x2d0
[ 35.792120]  ret_from_fork+0x10/0x20
[ 35.792838]
[ 35.793623] The buggy address belongs to the physical page:
[ 35.794954] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1064d0
[ 35.796330] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 35.797113] raw: 0bfffe0000000000 ffffc1ffc3193508 fff00000da4e4f80 0000000000000000
[ 35.798216] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 35.799173] page dumped because: kasan: bad access detected
[ 35.799876]
[ 35.800201] Memory state around the buggy address:
[ 35.801131]  fff00000c64cff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.801876]  fff00000c64cff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.803266] >fff00000c64d0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 35.803886]                    ^
[ 35.804321]  fff00000c64d0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 35.805047]  fff00000c64d0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 35.805865] ==================================================================
qemu-x86_64:

[ 27.010388] ==================================================================
[ 27.011512] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2f3/0x340
[ 27.012121] Read of size 1 at addr ffff888102320000 by task kunit_try_catch/155
[ 27.013875]
[ 27.014044] CPU: 0 UID: 0 PID: 155 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241120 #1
[ 27.015113] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 27.015454] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 27.016865] Call Trace:
[ 27.017567]  <TASK>
[ 27.017893]  dump_stack_lvl+0x73/0xb0
[ 27.018797]  print_report+0xd1/0x640
[ 27.019075]  ? __virt_addr_valid+0x1db/0x2d0
[ 27.019992]  ? kasan_addr_to_slab+0x11/0xa0
[ 27.020615]  kasan_report+0x102/0x140
[ 27.021524]  ? kmalloc_large_uaf+0x2f3/0x340
[ 27.022358]  ? kmalloc_large_uaf+0x2f3/0x340
[ 27.023065]  __asan_report_load1_noabort+0x18/0x20
[ 27.023511]  kmalloc_large_uaf+0x2f3/0x340
[ 27.024442]  ? __pfx_kmalloc_large_uaf+0x10/0x10
[ 27.025137]  ? __schedule+0xc3e/0x2790
[ 27.026023]  ? __pfx_read_tsc+0x10/0x10
[ 27.026891]  ? ktime_get_ts64+0x84/0x230
[ 27.027601]  kunit_try_run_case+0x1b3/0x490
[ 27.028762]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 27.029135]  ? _raw_spin_lock_irqsave+0xa2/0x110
[ 27.029808]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 27.030875]  ? __kthread_parkme+0x82/0x160
[ 27.031683]  ? preempt_count_sub+0x50/0x80
[ 27.032428]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 27.032904]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 27.033824]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 27.034600]  kthread+0x257/0x310
[ 27.035358]  ? __pfx_kthread+0x10/0x10
[ 27.036107]  ret_from_fork+0x41/0x80
[ 27.036993]  ? __pfx_kthread+0x10/0x10
[ 27.037541]  ret_from_fork_asm+0x1a/0x30
[ 27.038085]  </TASK>
[ 27.038788]
[ 27.038954] The buggy address belongs to the physical page:
[ 27.039985] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102320
[ 27.040953] flags: 0x200000000000000(node=0|zone=2)
[ 27.041814] raw: 0200000000000000 ffffea000408c908 ffff88815b03f000 0000000000000000
[ 27.042508] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 27.043234] page dumped because: kasan: bad access detected
[ 27.044621]
[ 27.045353] Memory state around the buggy address:
[ 27.045608]  ffff88810231ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.046142]  ffff88810231ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.047448] >ffff888102320000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.049110]                    ^
[ 27.049566]  ffff888102320080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.050291]  ffff888102320100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.051407] ==================================================================
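Both splats come from the KASAN KUnit test case kmalloc_large_uaf running in a kunit_try_catch thread on a kernel carrying the TEST taint ([N]=TEST), so they are the detector proving it catches a read from a freed kmalloc_large page, not a bug in the kernel under test. Telling that apart from a real use-after-free when such reports arrive in bulk is routine triage work. The helper below is an added example, not part of this results page nor of the kernel's own tooling: it parses a generic-mode KASAN report, decodes the taint flags and the shadow byte covering the faulting address (values taken from mm/kasan/kasan.h for generic KASAN), and applies a triage rule of this example's own design. The function and field names and the SAMPLE excerpt (the qemu-arm64 report above, shortened) are this example's choices.

```python
"""Triage helper for generic-mode KASAN reports (added example, not kernel code)."""
import re

# Generic-mode KASAN shadow byte values from mm/kasan/kasan.h. One shadow byte
# covers 8 bytes of memory: 0x00 = all accessible, 1..7 = only the first N
# bytes accessible, high values are poison that say why the memory is off-limits.
SHADOW_POISON = {
    0xFF: "freed page (KASAN_PAGE_FREE)",
    0xFE: "kmalloc_large page redzone (KASAN_PAGE_REDZONE)",
    0xFC: "slab object redzone (KASAN_SLAB_REDZONE)",
    0xFB: "freed slab object (KASAN_SLAB_FREE)",
    0xFA: "global variable redzone (KASAN_GLOBAL_REDZONE)",
    0xF8: "vmalloc hole (KASAN_VMALLOC_INVALID)",
    0xF1: "stack left redzone (KASAN_STACK_LEFT)",
    0xF2: "stack mid redzone (KASAN_STACK_MID)",
    0xF3: "stack right redzone (KASAN_STACK_RIGHT)",
}

_TS = re.compile(r"^\[\s*\d+\.\d+\] ?")          # dmesg "[   35.780804] " prefix
_BUG = re.compile(r"BUG: KASAN: ([\w-]+) in (\w+)\+0x")
_ACC = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)")
_TAINT = re.compile(r"Tainted: (\[.*)")           # the decoded "[B]=BAD_PAGE, [N]=TEST" line
_PAGE = re.compile(r"page: refcount:(\d+)")
_FRAME = re.compile(r"^\s*(?:\? )?(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")
_ROW = re.compile(r"^>?\s*([0-9a-f]{16}):\s+((?:[0-9a-f]{2}\s*){16})$")


def shadow_meaning(b):
    if b == 0:
        return "accessible"
    if 1 <= b <= 7:
        return f"partially accessible (first {b} of 8 bytes)"
    return SHADOW_POISON.get(b, f"unknown poison 0x{b:02x}")


def parse_kasan_report(text):
    r = {"taint": {}, "trace": [], "shadow_byte": None}
    rows = {}
    for ln in (_TS.sub("", l) for l in text.splitlines()):
        if m := _BUG.match(ln):
            r["bug"], r["func"] = m.group(1), m.group(2)
        elif m := _ACC.match(ln):
            r["access"], r["size"] = m.group(1), int(m.group(2))
            r["addr"], r["task"] = int(m.group(3), 16), m.group(4)
        elif m := _TAINT.match(ln):
            r["taint"] = dict(re.findall(r"\[(\w)\]=(\w+)", m.group(1)))
        elif m := _PAGE.match(ln):
            r["page_refcount"] = int(m.group(1))
        elif m := _ROW.match(ln):
            rows[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
        elif m := _FRAME.match(ln):
            r["trace"].append(m.group(1))
    # Each printed row starts at a memory address and shows 16 shadow bytes,
    # i.e. 128 bytes of memory; pick the byte covering the faulting address.
    for base, shadow in rows.items():
        idx = (r.get("addr", -1) - base) // 8
        if 0 <= idx < 16:
            r["shadow_byte"] = shadow[idx]
    return r


def triage(r):
    """Example rule (this helper's own, not a kernel convention): a splat raised
    under kunit_try_run_case on a kernel with the TEST taint is the KASAN
    self-test exercising the detector; anything else needs a human."""
    if "kunit_try_run_case" in r["trace"] and r["taint"].get("N") == "TEST":
        verdict = "expected: KASAN KUnit self-test"
    else:
        verdict = "investigate: not attributable to a KASAN self-test"
    freed = r["shadow_byte"] in (0xFF, 0xFB)
    if (r.get("bug") == "use-after-free") != freed:   # cross-check bug class vs shadow
        verdict += " (shadow state does not match bug class)"
    return verdict


# Shortened copy of the qemu-arm64 report from this page, used as sample input.
SAMPLE = """\
[   35.780804] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2cc/0x2f8
[   35.781613] Read of size 1 at addr fff00000c64d0000 by task kunit_try_catch/137
[   35.782859] CPU: 0 UID: 0 PID: 137 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241120 #1
[   35.784176] Tainted: [B]=BAD_PAGE, [N]=TEST
[   35.786057] Call trace:
[   35.787649]  kasan_report+0xc8/0x118
[   35.789660]  kmalloc_large_uaf+0x2cc/0x2f8
[   35.790519]  kunit_try_run_case+0x14c/0x3d0
[   35.791719]  kthread+0x24c/0x2d0
[   35.794954] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1064d0
[   35.800201] Memory state around the buggy address:
[   35.801876]  fff00000c64cff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.803266] >fff00000c64d0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   35.803886]                    ^
"""

if __name__ == "__main__":
    rep = parse_kasan_report(SAMPLE)
    print(rep["bug"], "in", rep["func"], "->", shadow_meaning(rep["shadow_byte"]))
    print(triage(rep))
```

The shadow byte lookup is the check worth keeping even if you drop the rest: a use-after-free report whose faulting address sits on 0xff (freed page) or 0xfb (freed slab object) shadow, with page refcount 0 as printed here, is internally consistent; a mismatch between the bug class in the BUG line and the shadow state usually means the report was truncated or mis-joined in the log before it reached you.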