Hay
Date
Nov. 22, 2024, 6:35 a.m.

Environment
qemu-arm64
qemu-x86_64

Note: the two KASAN reports below come from the KASAN KUnit self-test `kmalloc_uaf_memset` (see the `Comm: kunit_try_catch` task, the `[N]=TEST` taint flag and the `kunit_try_run_case` frames in each trace). That test deliberately writes into a freed `kmalloc-64` object, so a slab-use-after-free report with the write landing 0 bytes inside the freed region is the expected result and indicates the sanitizer is working on both architectures; it is not evidence of a defect in the kernel under test.

[   34.110508] ==================================================================
[   34.111558] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x170/0x310
[   34.112473] Write of size 33 at addr fff00000c63c3780 by task kunit_try_catch/175
[   34.113316] 
[   34.113825] CPU: 1 UID: 0 PID: 175 Comm: kunit_try_catch Tainted: G    B            N 6.12.0-next-20241122 #1
[   34.115053] Tainted: [B]=BAD_PAGE, [N]=TEST
[   34.116184] Hardware name: linux,dummy-virt (DT)
[   34.117176] Call trace:
[   34.117602]  show_stack+0x20/0x38 (C)
[   34.118312]  dump_stack_lvl+0x8c/0xd0
[   34.119075]  print_report+0x118/0x5e0
[   34.119778]  kasan_report+0xc8/0x118
[   34.120306]  kasan_check_range+0x100/0x1a8
[   34.121489]  __asan_memset+0x34/0x78
[   34.122091]  kmalloc_uaf_memset+0x170/0x310
[   34.122828]  kunit_try_run_case+0x14c/0x3d0
[   34.123570]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   34.124909]  kthread+0x24c/0x2d0
[   34.125455]  ret_from_fork+0x10/0x20
[   34.126125] 
[   34.126424] Allocated by task 175:
[   34.126872]  kasan_save_stack+0x3c/0x68
[   34.127587]  kasan_save_track+0x20/0x40
[   34.128342]  kasan_save_alloc_info+0x40/0x58
[   34.129821]  __kasan_kmalloc+0xd4/0xd8
[   34.130559]  __kmalloc_cache_noprof+0x15c/0x3c8
[   34.131360]  kmalloc_uaf_memset+0xb8/0x310
[   34.131896]  kunit_try_run_case+0x14c/0x3d0
[   34.133057]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   34.133839]  kthread+0x24c/0x2d0
[   34.134356]  ret_from_fork+0x10/0x20
[   34.135001] 
[   34.135338] Freed by task 175:
[   34.135880]  kasan_save_stack+0x3c/0x68
[   34.136494]  kasan_save_track+0x20/0x40
[   34.137072]  kasan_save_free_info+0x4c/0x78
[   34.138181]  __kasan_slab_free+0x6c/0x98
[   34.138944]  kfree+0x114/0x3d0
[   34.139563]  kmalloc_uaf_memset+0x11c/0x310
[   34.140209]  kunit_try_run_case+0x14c/0x3d0
[   34.141512]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   34.142385]  kthread+0x24c/0x2d0
[   34.142883]  ret_from_fork+0x10/0x20
[   34.143552] 
[   34.143830] The buggy address belongs to the object at fff00000c63c3780
[   34.143830]  which belongs to the cache kmalloc-64 of size 64
[   34.145698] The buggy address is located 0 bytes inside of
[   34.145698]  freed 64-byte region [fff00000c63c3780, fff00000c63c37c0)
[   34.147187] 
[   34.147637] The buggy address belongs to the physical page:
[   34.148382] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1063c3
[   34.150500] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   34.151204] page_type: f5(slab)
[   34.152002] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[   34.153063] raw: 0000000000000000 0000000080200020 00000001f5000000 0000000000000000
[   34.154656] page dumped because: kasan: bad access detected
[   34.155373] 
[   34.155611] Memory state around the buggy address:
[   34.156356]  fff00000c63c3680: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   34.157836]  fff00000c63c3700: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   34.158666] >fff00000c63c3780: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   34.160091]                    ^
[   34.160891]  fff00000c63c3800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.162674]  fff00000c63c3880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.163259] ==================================================================

[   25.500235] ==================================================================
[   25.500890] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x1a4/0x360
[   25.501664] Write of size 33 at addr ffff888101aad680 by task kunit_try_catch/194
[   25.502854] 
[   25.503049] CPU: 0 UID: 0 PID: 194 Comm: kunit_try_catch Tainted: G    B            N 6.12.0-next-20241122 #1
[   25.504422] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.504784] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   25.505261] Call Trace:
[   25.505611]  <TASK>
[   25.506119]  dump_stack_lvl+0x73/0xb0
[   25.506673]  print_report+0xd1/0x640
[   25.507300]  ? __virt_addr_valid+0x1db/0x2d0
[   25.507772]  ? kasan_complete_mode_report_info+0x64/0x200
[   25.508507]  kasan_report+0x102/0x140
[   25.508849]  ? kmalloc_uaf_memset+0x1a4/0x360
[   25.509158]  ? kmalloc_uaf_memset+0x1a4/0x360
[   25.509609]  kasan_check_range+0x10c/0x1c0
[   25.510395]  __asan_memset+0x27/0x50
[   25.510789]  kmalloc_uaf_memset+0x1a4/0x360
[   25.511371]  ? __pfx_kmalloc_uaf_memset+0x10/0x10
[   25.511734]  ? __pfx_kmalloc_uaf_memset+0x10/0x10
[   25.512506]  kunit_try_run_case+0x1b3/0x490
[   25.512920]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.513223]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   25.515170]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   25.515793]  ? __kthread_parkme+0x82/0x160
[   25.516251]  ? preempt_count_sub+0x50/0x80
[   25.516953]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.517679]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   25.518619]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.519399]  kthread+0x257/0x310
[   25.519720]  ? __pfx_kthread+0x10/0x10
[   25.519993]  ret_from_fork+0x41/0x80
[   25.520478]  ? __pfx_kthread+0x10/0x10
[   25.521215]  ret_from_fork_asm+0x1a/0x30
[   25.522336]  </TASK>
[   25.522658] 
[   25.523027] Allocated by task 194:
[   25.523447]  kasan_save_stack+0x3d/0x60
[   25.524024]  kasan_save_track+0x18/0x40
[   25.524705]  kasan_save_alloc_info+0x3b/0x50
[   25.525230]  __kasan_kmalloc+0xb7/0xc0
[   25.525930]  __kmalloc_cache_noprof+0x184/0x410
[   25.526516]  kmalloc_uaf_memset+0xaa/0x360
[   25.527001]  kunit_try_run_case+0x1b3/0x490
[   25.527460]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.528445]  kthread+0x257/0x310
[   25.528815]  ret_from_fork+0x41/0x80
[   25.529256]  ret_from_fork_asm+0x1a/0x30
[   25.530257] 
[   25.530472] Freed by task 194:
[   25.530788]  kasan_save_stack+0x3d/0x60
[   25.531076]  kasan_save_track+0x18/0x40
[   25.531701]  kasan_save_free_info+0x3f/0x60
[   25.532283]  __kasan_slab_free+0x56/0x70
[   25.532724]  kfree+0x123/0x3f0
[   25.533133]  kmalloc_uaf_memset+0x12c/0x360
[   25.533750]  kunit_try_run_case+0x1b3/0x490
[   25.534395]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.534990]  kthread+0x257/0x310
[   25.535528]  ret_from_fork+0x41/0x80
[   25.535784]  ret_from_fork_asm+0x1a/0x30
[   25.536401] 
[   25.536632] The buggy address belongs to the object at ffff888101aad680
[   25.536632]  which belongs to the cache kmalloc-64 of size 64
[   25.537985] The buggy address is located 0 bytes inside of
[   25.537985]  freed 64-byte region [ffff888101aad680, ffff888101aad6c0)
[   25.539264] 
[   25.539507] The buggy address belongs to the physical page:
[   25.540391] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101aad
[   25.541460] flags: 0x200000000000000(node=0|zone=2)
[   25.541770] page_type: f5(slab)
[   25.542055] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[   25.542945] raw: 0000000000000000 0000000080200020 00000001f5000000 0000000000000000
[   25.543771] page dumped because: kasan: bad access detected
[   25.544488] 
[   25.544701] Memory state around the buggy address:
[   25.545290]  ffff888101aad580: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   25.545723]  ffff888101aad600: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   25.546326] >ffff888101aad680: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   25.546944]                    ^
[   25.547170]  ffff888101aad700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.547981]  ffff888101aad780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.548517] ==================================================================