Date
Nov. 28, 2024, 2:36 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
```
[   30.338874] ==================================================================
[   30.340000] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[   30.340716] Read of size 1 at addr fff00000c1de8000 by task kunit_try_catch/152
[   30.342252]
[   30.342636] CPU: 1 UID: 0 PID: 152 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241128 #1
[   30.343826] Tainted: [B]=BAD_PAGE, [N]=TEST
[   30.344436] Hardware name: linux,dummy-virt (DT)
[   30.345163] Call trace:
[   30.345593]  show_stack+0x20/0x38 (C)
[   30.346345]  dump_stack_lvl+0x8c/0xd0
[   30.346953]  print_report+0x118/0x5e0
[   30.347644]  kasan_report+0xc8/0x118
[   30.348330]  __kasan_check_byte+0x54/0x70
[   30.349104]  krealloc_noprof+0x44/0x360
[   30.349720]  krealloc_uaf+0x180/0x520
[   30.350359]  kunit_try_run_case+0x14c/0x3d0
[   30.350979]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.351839]  kthread+0x24c/0x2d0
[   30.352523]  ret_from_fork+0x10/0x20
[   30.353385]
[   30.353789] Allocated by task 152:
[   30.354414]  kasan_save_stack+0x3c/0x68
[   30.355081]  kasan_save_track+0x20/0x40
[   30.355762]  kasan_save_alloc_info+0x40/0x58
[   30.356313]  __kasan_kmalloc+0xd4/0xd8
[   30.356790]  __kmalloc_cache_noprof+0x15c/0x3c0
[   30.357783]  krealloc_uaf+0xc8/0x520
[   30.358192]  kunit_try_run_case+0x14c/0x3d0
[   30.358629]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.359182]  kthread+0x24c/0x2d0
[   30.359724]  ret_from_fork+0x10/0x20
[   30.360989]
[   30.361343] Freed by task 152:
[   30.362195]  kasan_save_stack+0x3c/0x68
[   30.362878]  kasan_save_track+0x20/0x40
[   30.363533]  kasan_save_free_info+0x4c/0x78
[   30.364173]  __kasan_slab_free+0x6c/0x98
[   30.364711]  kfree+0x114/0x3c8
[   30.364949]  krealloc_uaf+0x12c/0x520
[   30.365294]  kunit_try_run_case+0x14c/0x3d0
[   30.366405]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.367130]  kthread+0x24c/0x2d0
[   30.367536]  ret_from_fork+0x10/0x20
[   30.367993]
[   30.368524] The buggy address belongs to the object at fff00000c1de8000
[   30.368524]  which belongs to the cache kmalloc-256 of size 256
[   30.369825] The buggy address is located 0 bytes inside of
[   30.369825]  freed 256-byte region [fff00000c1de8000, fff00000c1de8100)
[   30.370872]
[   30.371187] The buggy address belongs to the physical page:
[   30.371789] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101de8
[   30.372968] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   30.373938] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   30.374638] page_type: f5(slab)
[   30.375023] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   30.375609] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[   30.376285] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   30.377210] head: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[   30.378156] head: 0bfffe0000000001 ffffc1ffc3077a01 ffffffffffffffff 0000000000000000
[   30.378941] head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
[   30.379819] page dumped because: kasan: bad access detected
[   30.380536]
[   30.380700] Memory state around the buggy address:
[   30.380960]  fff00000c1de7f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.381480]  fff00000c1de7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.382078] >fff00000c1de8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.382665]                    ^
[   30.383049]  fff00000c1de8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.383655]  fff00000c1de8100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.384257] ==================================================================
[   30.387094] ==================================================================
[   30.387802] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[   30.388657] Read of size 1 at addr fff00000c1de8000 by task kunit_try_catch/152
[   30.389336]
[   30.389654] CPU: 1 UID: 0 PID: 152 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241128 #1
[   30.390473] Tainted: [B]=BAD_PAGE, [N]=TEST
[   30.390887] Hardware name: linux,dummy-virt (DT)
[   30.391353] Call trace:
[   30.391683]  show_stack+0x20/0x38 (C)
[   30.392164]  dump_stack_lvl+0x8c/0xd0
[   30.392804]  print_report+0x118/0x5e0
[   30.393457]  kasan_report+0xc8/0x118
[   30.394160]  __asan_report_load1_noabort+0x20/0x30
[   30.394965]  krealloc_uaf+0x4c8/0x520
[   30.395530]  kunit_try_run_case+0x14c/0x3d0
[   30.396078]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.396435]  kthread+0x24c/0x2d0
[   30.396678]  ret_from_fork+0x10/0x20
[   30.396926]
[   30.397072] Allocated by task 152:
[   30.397421]  kasan_save_stack+0x3c/0x68
[   30.397959]  kasan_save_track+0x20/0x40
[   30.398638]  kasan_save_alloc_info+0x40/0x58
[   30.399328]  __kasan_kmalloc+0xd4/0xd8
[   30.400090]  __kmalloc_cache_noprof+0x15c/0x3c0
[   30.400845]  krealloc_uaf+0xc8/0x520
[   30.401455]  kunit_try_run_case+0x14c/0x3d0
[   30.402240]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.402972]  kthread+0x24c/0x2d0
[   30.403545]  ret_from_fork+0x10/0x20
[   30.404183]
[   30.404594] Freed by task 152:
[   30.405135]  kasan_save_stack+0x3c/0x68
[   30.405765]  kasan_save_track+0x20/0x40
[   30.406373]  kasan_save_free_info+0x4c/0x78
[   30.407003]  __kasan_slab_free+0x6c/0x98
[   30.407692]  kfree+0x114/0x3c8
[   30.408222]  krealloc_uaf+0x12c/0x520
[   30.408826]  kunit_try_run_case+0x14c/0x3d0
[   30.409505]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.410241]  kthread+0x24c/0x2d0
[   30.410776]  ret_from_fork+0x10/0x20
[   30.411405]
[   30.411864] The buggy address belongs to the object at fff00000c1de8000
[   30.411864]  which belongs to the cache kmalloc-256 of size 256
[   30.413299] The buggy address is located 0 bytes inside of
[   30.413299]  freed 256-byte region [fff00000c1de8000, fff00000c1de8100)
[   30.414224]
[   30.414505] The buggy address belongs to the physical page:
[   30.414986] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101de8
[   30.415736] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   30.416668] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   30.417615] page_type: f5(slab)
[   30.418267] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   30.418647] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[   30.419009] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   30.419564] head: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[   30.420222] head: 0bfffe0000000001 ffffc1ffc3077a01 ffffffffffffffff 0000000000000000
[   30.420866] head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
[   30.421504] page dumped because: kasan: bad access detected
[   30.422268]
[   30.422614] Memory state around the buggy address:
[   30.423215]  fff00000c1de7f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.423817]  fff00000c1de7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.424595] >fff00000c1de8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.425354]                    ^
[   30.425764]  fff00000c1de8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.426579]  fff00000c1de8100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.427295] ==================================================================
```
```
[   21.286769] ==================================================================
[   21.288834] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53e/0x5e0
[   21.290371] Read of size 1 at addr ffff888100a96800 by task kunit_try_catch/172
[   21.290946]
[   21.291281] CPU: 1 UID: 0 PID: 172 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241128 #1
[   21.292752] Tainted: [B]=BAD_PAGE, [N]=TEST
[   21.293691] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   21.295039] Call Trace:
[   21.295233]  <TASK>
[   21.295394]  dump_stack_lvl+0x73/0xb0
[   21.295905]  print_report+0xd1/0x640
[   21.296816]  ? __virt_addr_valid+0x1db/0x2d0
[   21.297470]  ? kasan_complete_mode_report_info+0x64/0x200
[   21.298064]  kasan_report+0x102/0x140
[   21.298734]  ? krealloc_uaf+0x53e/0x5e0
[   21.299298]  ? krealloc_uaf+0x53e/0x5e0
[   21.299899]  __asan_report_load1_noabort+0x18/0x20
[   21.300619]  krealloc_uaf+0x53e/0x5e0
[   21.300920]  ? __pfx_krealloc_uaf+0x10/0x10
[   21.301494]  ? ktime_get_ts64+0xf6/0x230
[   21.302140]  ? ktime_get_ts64+0x84/0x230
[   21.302602]  kunit_try_run_case+0x1b3/0x490
[   21.303166]  ? __pfx_kunit_try_run_case+0x10/0x10
[   21.303809]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   21.304295]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   21.304763]  ? __kthread_parkme+0x82/0x160
[   21.305324]  ? preempt_count_sub+0x50/0x80
[   21.305805]  ? __pfx_kunit_try_run_case+0x10/0x10
[   21.306383]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   21.307096]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   21.308578]  kthread+0x257/0x310
[   21.309024]  ? __pfx_kthread+0x10/0x10
[   21.309450]  ret_from_fork+0x41/0x80
[   21.310048]  ? __pfx_kthread+0x10/0x10
[   21.310802]  ret_from_fork_asm+0x1a/0x30
[   21.311841]  </TASK>
[   21.312161]
[   21.312377] Allocated by task 172:
[   21.312829]  kasan_save_stack+0x3d/0x60
[   21.313361]  kasan_save_track+0x18/0x40
[   21.314521]  kasan_save_alloc_info+0x3b/0x50
[   21.314782]  __kasan_kmalloc+0xb7/0xc0
[   21.315063]  __kmalloc_cache_noprof+0x184/0x410
[   21.316435]  krealloc_uaf+0xbc/0x5e0
[   21.316885]  kunit_try_run_case+0x1b3/0x490
[   21.317319]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   21.318169]  kthread+0x257/0x310
[   21.318803]  ret_from_fork+0x41/0x80
[   21.319522]  ret_from_fork_asm+0x1a/0x30
[   21.319990]
[   21.320396] Freed by task 172:
[   21.320873]  kasan_save_stack+0x3d/0x60
[   21.321716]  kasan_save_track+0x18/0x40
[   21.322410]  kasan_save_free_info+0x3f/0x60
[   21.322991]  __kasan_slab_free+0x56/0x70
[   21.323698]  kfree+0x123/0x3f0
[   21.324155]  krealloc_uaf+0x13e/0x5e0
[   21.324790]  kunit_try_run_case+0x1b3/0x490
[   21.325066]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   21.326050]  kthread+0x257/0x310
[   21.326838]  ret_from_fork+0x41/0x80
[   21.327538]  ret_from_fork_asm+0x1a/0x30
[   21.327984]
[   21.328229] The buggy address belongs to the object at ffff888100a96800
[   21.328229]  which belongs to the cache kmalloc-256 of size 256
[   21.330287] The buggy address is located 0 bytes inside of
[   21.330287]  freed 256-byte region [ffff888100a96800, ffff888100a96900)
[   21.331649]
[   21.331932] The buggy address belongs to the physical page:
[   21.332548] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100a96
[   21.333455] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   21.334101] flags: 0x200000000000040(head|node=0|zone=2)
[   21.334624] page_type: f5(slab)
[   21.335023] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[   21.336241] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[   21.337076] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[   21.337970] head: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[   21.338745] head: 0200000000000001 ffffea000402a581 ffffffffffffffff 0000000000000000
[   21.339698] head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
[   21.340416] page dumped because: kasan: bad access detected
[   21.340873]
[   21.341713] Memory state around the buggy address:
[   21.342095]  ffff888100a96700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.342761]  ffff888100a96780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.343514] >ffff888100a96800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.343972]                    ^
[   21.344361]  ffff888100a96880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.344805]  ffff888100a96900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.345667] ==================================================================
[   21.229966] ==================================================================
[   21.231170] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b9/0x5e0
[   21.232268] Read of size 1 at addr ffff888100a96800 by task kunit_try_catch/172
[   21.232975]
[   21.233272] CPU: 1 UID: 0 PID: 172 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241128 #1
[   21.234597] Tainted: [B]=BAD_PAGE, [N]=TEST
[   21.234931] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   21.235830] Call Trace:
[   21.236149]  <TASK>
[   21.236654]  dump_stack_lvl+0x73/0xb0
[   21.236974]  print_report+0xd1/0x640
[   21.237658]  ? __virt_addr_valid+0x1db/0x2d0
[   21.238133]  ? kasan_complete_mode_report_info+0x64/0x200
[   21.238625]  kasan_report+0x102/0x140
[   21.239081]  ? krealloc_uaf+0x1b9/0x5e0
[   21.239537]  ? krealloc_uaf+0x1b9/0x5e0
[   21.240039]  ? krealloc_uaf+0x1b9/0x5e0
[   21.240649]  __kasan_check_byte+0x3d/0x50
[   21.241015]  krealloc_noprof+0x3f/0x340
[   21.241660]  krealloc_uaf+0x1b9/0x5e0
[   21.242080]  ? __pfx_krealloc_uaf+0x10/0x10
[   21.242741]  ? ktime_get_ts64+0xf6/0x230
[   21.243122]  ? ktime_get_ts64+0x84/0x230
[   21.243768]  kunit_try_run_case+0x1b3/0x490
[   21.244475]  ? __pfx_kunit_try_run_case+0x10/0x10
[   21.244934]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   21.245439]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   21.246050]  ? __kthread_parkme+0x82/0x160
[   21.246535]  ? preempt_count_sub+0x50/0x80
[   21.246862]  ? __pfx_kunit_try_run_case+0x10/0x10
[   21.247325]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   21.248771]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   21.249583]  kthread+0x257/0x310
[   21.250040]  ? __pfx_kthread+0x10/0x10
[   21.250719]  ret_from_fork+0x41/0x80
[   21.251158]  ? __pfx_kthread+0x10/0x10
[   21.251978]  ret_from_fork_asm+0x1a/0x30
[   21.252700]  </TASK>
[   21.252930]
[   21.253436] Allocated by task 172:
[   21.253742]  kasan_save_stack+0x3d/0x60
[   21.254424]  kasan_save_track+0x18/0x40
[   21.254948]  kasan_save_alloc_info+0x3b/0x50
[   21.255468]  __kasan_kmalloc+0xb7/0xc0
[   21.255858]  __kmalloc_cache_noprof+0x184/0x410
[   21.256263]  krealloc_uaf+0xbc/0x5e0
[   21.257144]  kunit_try_run_case+0x1b3/0x490
[   21.257869]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   21.258781]  kthread+0x257/0x310
[   21.259048]  ret_from_fork+0x41/0x80
[   21.259603]  ret_from_fork_asm+0x1a/0x30
[   21.259917]
[   21.260149] Freed by task 172:
[   21.260604]  kasan_save_stack+0x3d/0x60
[   21.261073]  kasan_save_track+0x18/0x40
[   21.261689]  kasan_save_free_info+0x3f/0x60
[   21.261983]  __kasan_slab_free+0x56/0x70
[   21.262259]  kfree+0x123/0x3f0
[   21.262729]  krealloc_uaf+0x13e/0x5e0
[   21.263606]  kunit_try_run_case+0x1b3/0x490
[   21.264138]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   21.264625]  kthread+0x257/0x310
[   21.264869]  ret_from_fork+0x41/0x80
[   21.265834]  ret_from_fork_asm+0x1a/0x30
[   21.266415]
[   21.266909] The buggy address belongs to the object at ffff888100a96800
[   21.266909]  which belongs to the cache kmalloc-256 of size 256
[   21.269018] The buggy address is located 0 bytes inside of
[   21.269018]  freed 256-byte region [ffff888100a96800, ffff888100a96900)
[   21.269894]
[   21.270148] The buggy address belongs to the physical page:
[   21.270733] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100a96
[   21.271479] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   21.271912] flags: 0x200000000000040(head|node=0|zone=2)
[   21.272576] page_type: f5(slab)
[   21.272984] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[   21.275044] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[   21.275865] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[   21.276723] head: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[   21.277618] head: 0200000000000001 ffffea000402a581 ffffffffffffffff 0000000000000000
[   21.278569] head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
[   21.279577] page dumped because: kasan: bad access detected
[   21.280086]
[   21.280284] Memory state around the buggy address:
[   21.280760]  ffff888100a96700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.281221]  ffff888100a96780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.281851] >ffff888100a96800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.282635]                    ^
[   21.283058]  ffff888100a96880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.283517]  ffff888100a96900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.284477] ==================================================================
```