Hay
Sign in
Date
Dec. 4, 2024, 3:07 p.m.

Environment
qemu-arm64
qemu-x86_64 

[   32.435402] ==================================================================
[   32.436489] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x170/0x310
[   32.437187] Write of size 33 at addr fff00000c66e4f00 by task kunit_try_catch/174
[   32.438501] 
[   32.439421] CPU: 0 UID: 0 PID: 174 Comm: kunit_try_catch Tainted: G    B            N 6.13.0-rc1-next-20241204 #1
[   32.440794] Tainted: [B]=BAD_PAGE, [N]=TEST
[   32.441086] Hardware name: linux,dummy-virt (DT)
[   32.441390] Call trace:
[   32.441595]  show_stack+0x20/0x38 (C)
[   32.442083]  dump_stack_lvl+0x8c/0xd0
[   32.442797]  print_report+0x118/0x5e0
[   32.444190]  kasan_report+0xc8/0x118
[   32.445008]  kasan_check_range+0x100/0x1a8
[   32.445686]  __asan_memset+0x34/0x78
[   32.446262]  kmalloc_uaf_memset+0x170/0x310
[   32.447244]  kunit_try_run_case+0x14c/0x3d0
[   32.448028]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.448742]  kthread+0x24c/0x2d0
[   32.449335]  ret_from_fork+0x10/0x20
[   32.450441] 
[   32.450734] Allocated by task 174:
[   32.451271]  kasan_save_stack+0x3c/0x68
[   32.451931]  kasan_save_track+0x20/0x40
[   32.452495]  kasan_save_alloc_info+0x40/0x58
[   32.453143]  __kasan_kmalloc+0xd4/0xd8
[   32.453746]  __kmalloc_cache_noprof+0x15c/0x3c0
[   32.454788]  kmalloc_uaf_memset+0xb8/0x310
[   32.455359]  kunit_try_run_case+0x14c/0x3d0
[   32.456015]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.457129]  kthread+0x24c/0x2d0
[   32.458049]  ret_from_fork+0x10/0x20
[   32.458790] 
[   32.459196] Freed by task 174:
[   32.459847]  kasan_save_stack+0x3c/0x68
[   32.460421]  kasan_save_track+0x20/0x40
[   32.461236]  kasan_save_free_info+0x4c/0x78
[   32.462128]  __kasan_slab_free+0x6c/0x98
[   32.462681]  kfree+0x114/0x3c8
[   32.463255]  kmalloc_uaf_memset+0x11c/0x310
[   32.463754]  kunit_try_run_case+0x14c/0x3d0
[   32.464516]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.465287]  kthread+0x24c/0x2d0
[   32.465824]  ret_from_fork+0x10/0x20
[   32.466321] 
[   32.467461] The buggy address belongs to the object at fff00000c66e4f00
[   32.467461]  which belongs to the cache kmalloc-64 of size 64
[   32.468973] The buggy address is located 0 bytes inside of
[   32.468973]  freed 64-byte region [fff00000c66e4f00, fff00000c66e4f40)
[   32.471118] 
[   32.471697] The buggy address belongs to the physical page:
[   32.472212] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1066e4
[   32.473044] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   32.473959] page_type: f5(slab)
[   32.474688] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[   32.475687] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   32.476484] page dumped because: kasan: bad access detected
[   32.478132] 
[   32.478837] Memory state around the buggy address:
[   32.479348]  fff00000c66e4e00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   32.480972]  fff00000c66e4e80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   32.482456] >fff00000c66e4f00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   32.483811]                    ^
[   32.484768]  fff00000c66e4f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.486435]  fff00000c66e5000: 00 00 00 fc fc fc fc fc 00 00 00 03 fc fc fc fc
[   32.488014] ==================================================================
Metadata Full log Test run details 

[   23.258142] ==================================================================
[   23.259474] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x1a4/0x360
[   23.260481] Write of size 33 at addr ffff88810298a800 by task kunit_try_catch/194
[   23.261041] 
[   23.261322] CPU: 1 UID: 0 PID: 194 Comm: kunit_try_catch Tainted: G    B            N 6.13.0-rc1-next-20241204 #1
[   23.262160] Tainted: [B]=BAD_PAGE, [N]=TEST
[   23.262762] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   23.263901] Call Trace:
[   23.264414]  <TASK>
[   23.264725]  dump_stack_lvl+0x73/0xb0
[   23.265166]  print_report+0xd1/0x640
[   23.265731]  ? __virt_addr_valid+0x1db/0x2d0
[   23.266110]  ? kasan_complete_mode_report_info+0x64/0x200
[   23.267109]  kasan_report+0x102/0x140
[   23.267664]  ? kmalloc_uaf_memset+0x1a4/0x360
[   23.268070]  ? kmalloc_uaf_memset+0x1a4/0x360
[   23.268747]  kasan_check_range+0x10c/0x1c0
[   23.269195]  __asan_memset+0x27/0x50
[   23.269701]  kmalloc_uaf_memset+0x1a4/0x360
[   23.270163]  ? __pfx_kmalloc_uaf_memset+0x10/0x10
[   23.271037]  ? __schedule+0xc3e/0x2790
[   23.271627]  ? __pfx_read_tsc+0x10/0x10
[   23.272145]  ? ktime_get_ts64+0x86/0x230
[   23.272689]  kunit_try_run_case+0x1b3/0x490
[   23.273095]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.273790]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   23.274190]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   23.275210]  ? __kthread_parkme+0x82/0x160
[   23.275830]  ? preempt_count_sub+0x50/0x80
[   23.276307]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.276813]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   23.277574]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.278065]  kthread+0x257/0x310
[   23.278978]  ? __pfx_kthread+0x10/0x10
[   23.279599]  ret_from_fork+0x41/0x80
[   23.280070]  ? __pfx_kthread+0x10/0x10
[   23.280648]  ret_from_fork_asm+0x1a/0x30
[   23.281086]  </TASK>
[   23.281597] 
[   23.281824] Allocated by task 194:
[   23.282136]  kasan_save_stack+0x3d/0x60
[   23.283488]  kasan_save_track+0x18/0x40
[   23.283866]  kasan_save_alloc_info+0x3b/0x50
[   23.284329]  __kasan_kmalloc+0xb7/0xc0
[   23.284851]  __kmalloc_cache_noprof+0x184/0x410
[   23.285456]  kmalloc_uaf_memset+0xaa/0x360
[   23.285802]  kunit_try_run_case+0x1b3/0x490
[   23.286242]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.286765]  kthread+0x257/0x310
[   23.287879]  ret_from_fork+0x41/0x80
[   23.288591]  ret_from_fork_asm+0x1a/0x30
[   23.289009] 
[   23.289211] Freed by task 194:
[   23.289477]  kasan_save_stack+0x3d/0x60
[   23.289894]  kasan_save_track+0x18/0x40
[   23.291197]  kasan_save_free_info+0x3f/0x60
[   23.291796]  __kasan_slab_free+0x56/0x70
[   23.292111]  kfree+0x123/0x3f0
[   23.292730]  kmalloc_uaf_memset+0x12c/0x360
[   23.293122]  kunit_try_run_case+0x1b3/0x490
[   23.293766]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.294950]  kthread+0x257/0x310
[   23.295466]  ret_from_fork+0x41/0x80
[   23.295855]  ret_from_fork_asm+0x1a/0x30
[   23.297179] 
[   23.297690] The buggy address belongs to the object at ffff88810298a800
[   23.297690]  which belongs to the cache kmalloc-64 of size 64
[   23.299168] The buggy address is located 0 bytes inside of
[   23.299168]  freed 64-byte region [ffff88810298a800, ffff88810298a840)
[   23.300180] 
[   23.300392] The buggy address belongs to the physical page:
[   23.300996] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10298a
[   23.302975] flags: 0x200000000000000(node=0|zone=2)
[   23.303561] page_type: f5(slab)
[   23.303816] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[   23.304550] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   23.305079] page dumped because: kasan: bad access detected
[   23.305736] 
[   23.306272] Memory state around the buggy address:
[   23.307136]  ffff88810298a700: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   23.307570]  ffff88810298a780: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   23.308776] >ffff88810298a800: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   23.309642]                    ^
[   23.310003]  ffff88810298a880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.311254]  ffff88810298a900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.312315] ==================================================================
Metadata Full log Test run details