Date
Dec. 4, 2024, 3:07 p.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
qemu-arm64:

```text
[ 31.791454] ==================================================================
[ 31.792085] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[ 31.793161] Read of size 1 at addr fff00000c1dd4e00 by task kunit_try_catch/152
[ 31.795032]
[ 31.795471] CPU: 1 UID: 0 PID: 152 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241204 #1
[ 31.796507] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 31.797303] Hardware name: linux,dummy-virt (DT)
[ 31.797999] Call trace:
[ 31.799445]  show_stack+0x20/0x38 (C)
[ 31.800110]  dump_stack_lvl+0x8c/0xd0
[ 31.800796]  print_report+0x118/0x5e0
[ 31.801484]  kasan_report+0xc8/0x118
[ 31.802177]  __asan_report_load1_noabort+0x20/0x30
[ 31.802991]  krealloc_uaf+0x4c8/0x520
[ 31.803707]  kunit_try_run_case+0x14c/0x3d0
[ 31.804410]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.805407]  kthread+0x24c/0x2d0
[ 31.807147]  ret_from_fork+0x10/0x20
[ 31.807767]
[ 31.808127] Allocated by task 152:
[ 31.808671]  kasan_save_stack+0x3c/0x68
[ 31.809167]  kasan_save_track+0x20/0x40
[ 31.810185]  kasan_save_alloc_info+0x40/0x58
[ 31.811026]  __kasan_kmalloc+0xd4/0xd8
[ 31.812160]  __kmalloc_cache_noprof+0x15c/0x3c0
[ 31.812929]  krealloc_uaf+0xc8/0x520
[ 31.813549]  kunit_try_run_case+0x14c/0x3d0
[ 31.814290]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.815279]  kthread+0x24c/0x2d0
[ 31.816536]  ret_from_fork+0x10/0x20
[ 31.817128]
[ 31.817580] Freed by task 152:
[ 31.818106]  kasan_save_stack+0x3c/0x68
[ 31.819021]  kasan_save_track+0x20/0x40
[ 31.819954]  kasan_save_free_info+0x4c/0x78
[ 31.820797]  __kasan_slab_free+0x6c/0x98
[ 31.821417]  kfree+0x114/0x3c8
[ 31.822093]  krealloc_uaf+0x12c/0x520
[ 31.823726]  kunit_try_run_case+0x14c/0x3d0
[ 31.824363]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.825303]  kthread+0x24c/0x2d0
[ 31.826023]  ret_from_fork+0x10/0x20
[ 31.826878]
[ 31.827333] The buggy address belongs to the object at fff00000c1dd4e00
[ 31.827333]  which belongs to the cache kmalloc-256 of size 256
[ 31.828769] The buggy address is located 0 bytes inside of
[ 31.828769]  freed 256-byte region [fff00000c1dd4e00, fff00000c1dd4f00)
[ 31.830334]
[ 31.830995] The buggy address belongs to the physical page:
[ 31.831543] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101dd4
[ 31.833165] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 31.834138] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 31.835475] page_type: f5(slab)
[ 31.836151] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 31.837047] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 31.838203] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 31.839169] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 31.840210] head: 0bfffe0000000001 ffffc1ffc3077501 ffffffffffffffff 0000000000000000
[ 31.841131] head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
[ 31.843080] page dumped because: kasan: bad access detected
[ 31.843736]
[ 31.844130] Memory state around the buggy address:
[ 31.844846]  fff00000c1dd4d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.845802]  fff00000c1dd4d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.847084] >fff00000c1dd4e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.848034]                    ^
[ 31.848619]  fff00000c1dd4e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.850424]  fff00000c1dd4f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.851187] ==================================================================
[ 31.729674] ==================================================================
[ 31.732335] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[ 31.733168] Read of size 1 at addr fff00000c1dd4e00 by task kunit_try_catch/152
[ 31.734120]
[ 31.735100] CPU: 1 UID: 0 PID: 152 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241204 #1
[ 31.736457] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 31.737085] Hardware name: linux,dummy-virt (DT)
[ 31.738019] Call trace:
[ 31.738743]  show_stack+0x20/0x38 (C)
[ 31.739695]  dump_stack_lvl+0x8c/0xd0
[ 31.740817]  print_report+0x118/0x5e0
[ 31.741528]  kasan_report+0xc8/0x118
[ 31.742577]  __kasan_check_byte+0x54/0x70
[ 31.743217]  krealloc_noprof+0x44/0x360
[ 31.743932]  krealloc_uaf+0x180/0x520
[ 31.744568]  kunit_try_run_case+0x14c/0x3d0
[ 31.745219]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.746281]  kthread+0x24c/0x2d0
[ 31.747008]  ret_from_fork+0x10/0x20
[ 31.747643]
[ 31.748011] Allocated by task 152:
[ 31.748489]  kasan_save_stack+0x3c/0x68
[ 31.749603]  kasan_save_track+0x20/0x40
[ 31.750789]  kasan_save_alloc_info+0x40/0x58
[ 31.751374]  __kasan_kmalloc+0xd4/0xd8
[ 31.751979]  __kmalloc_cache_noprof+0x15c/0x3c0
[ 31.752604]  krealloc_uaf+0xc8/0x520
[ 31.753280]  kunit_try_run_case+0x14c/0x3d0
[ 31.753903]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.755287]  kthread+0x24c/0x2d0
[ 31.755701]  ret_from_fork+0x10/0x20
[ 31.756469]
[ 31.757164] Freed by task 152:
[ 31.758417]  kasan_save_stack+0x3c/0x68
[ 31.759030]  kasan_save_track+0x20/0x40
[ 31.759500]  kasan_save_free_info+0x4c/0x78
[ 31.760178]  __kasan_slab_free+0x6c/0x98
[ 31.760783]  kfree+0x114/0x3c8
[ 31.761225]  krealloc_uaf+0x12c/0x520
[ 31.761946]  kunit_try_run_case+0x14c/0x3d0
[ 31.762855]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.763710]  kthread+0x24c/0x2d0
[ 31.764323]  ret_from_fork+0x10/0x20
[ 31.765111]
[ 31.765364] The buggy address belongs to the object at fff00000c1dd4e00
[ 31.765364]  which belongs to the cache kmalloc-256 of size 256
[ 31.767605] The buggy address is located 0 bytes inside of
[ 31.767605]  freed 256-byte region [fff00000c1dd4e00, fff00000c1dd4f00)
[ 31.769213]
[ 31.769535] The buggy address belongs to the physical page:
[ 31.770655] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101dd4
[ 31.772144] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 31.773049] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 31.773989] page_type: f5(slab)
[ 31.774787] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 31.775804] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 31.776684] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[ 31.777733] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 31.778706] head: 0bfffe0000000001 ffffc1ffc3077501 ffffffffffffffff 0000000000000000
[ 31.779618] head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
[ 31.780422] page dumped because: kasan: bad access detected
[ 31.781742]
[ 31.781990] Memory state around the buggy address:
[ 31.782355]  fff00000c1dd4d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.783316]  fff00000c1dd4d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.785184] >fff00000c1dd4e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.786490]                    ^
[ 31.786991]  fff00000c1dd4e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.787996]  fff00000c1dd4f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.788563] ==================================================================
```
qemu-x86_64:

```text
[ 22.540608] ==================================================================
[ 22.541944] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b9/0x5e0
[ 22.542722] Read of size 1 at addr ffff888100394200 by task kunit_try_catch/172
[ 22.545102]
[ 22.545919] CPU: 0 UID: 0 PID: 172 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241204 #1
[ 22.547263] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 22.547824] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 22.548800] Call Trace:
[ 22.549247]  <TASK>
[ 22.549505]  dump_stack_lvl+0x73/0xb0
[ 22.551277]  print_report+0xd1/0x640
[ 22.551720]  ? __virt_addr_valid+0x1db/0x2d0
[ 22.552747]  ? kasan_complete_mode_report_info+0x64/0x200
[ 22.553601]  kasan_report+0x102/0x140
[ 22.554122]  ? krealloc_uaf+0x1b9/0x5e0
[ 22.554782]  ? krealloc_uaf+0x1b9/0x5e0
[ 22.555549]  ? krealloc_uaf+0x1b9/0x5e0
[ 22.556116]  __kasan_check_byte+0x3d/0x50
[ 22.556510]  krealloc_noprof+0x3f/0x340
[ 22.557527]  ? stack_depot_save_flags+0x43d/0x7c0
[ 22.557914]  krealloc_uaf+0x1b9/0x5e0
[ 22.558407]  ? __pfx_krealloc_uaf+0x10/0x10
[ 22.559393]  ? finish_task_switch.isra.0+0x153/0x700
[ 22.560072]  ? __switch_to+0x5d9/0xf60
[ 22.560496]  ? __schedule+0xc3e/0x2790
[ 22.561170]  ? __pfx_read_tsc+0x10/0x10
[ 22.561907]  ? ktime_get_ts64+0x86/0x230
[ 22.562284]  kunit_try_run_case+0x1b3/0x490
[ 22.563283]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.563755]  ? _raw_spin_lock_irqsave+0xa2/0x110
[ 22.564203]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 22.565151]  ? __kthread_parkme+0x82/0x160
[ 22.565882]  ? preempt_count_sub+0x50/0x80
[ 22.566301]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.567118]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 22.568035]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.569468]  kthread+0x257/0x310
[ 22.569937]  ? __pfx_kthread+0x10/0x10
[ 22.570444]  ret_from_fork+0x41/0x80
[ 22.571200]  ? __pfx_kthread+0x10/0x10
[ 22.571598]  ret_from_fork_asm+0x1a/0x30
[ 22.572072]  </TASK>
[ 22.572441]
[ 22.572661] Allocated by task 172:
[ 22.573102]  kasan_save_stack+0x3d/0x60
[ 22.573558]  kasan_save_track+0x18/0x40
[ 22.574153]  kasan_save_alloc_info+0x3b/0x50
[ 22.574927]  __kasan_kmalloc+0xb7/0xc0
[ 22.575165]  __kmalloc_cache_noprof+0x184/0x410
[ 22.575884]  krealloc_uaf+0xbc/0x5e0
[ 22.576449]  kunit_try_run_case+0x1b3/0x490
[ 22.577010]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.577459]  kthread+0x257/0x310
[ 22.578176]  ret_from_fork+0x41/0x80
[ 22.578987]  ret_from_fork_asm+0x1a/0x30
[ 22.579564]
[ 22.579944] Freed by task 172:
[ 22.580180]  kasan_save_stack+0x3d/0x60
[ 22.580543]  kasan_save_track+0x18/0x40
[ 22.581437]  kasan_save_free_info+0x3f/0x60
[ 22.581975]  __kasan_slab_free+0x56/0x70
[ 22.582942]  kfree+0x123/0x3f0
[ 22.583271]  krealloc_uaf+0x13e/0x5e0
[ 22.583804]  kunit_try_run_case+0x1b3/0x490
[ 22.584659]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.586963]  kthread+0x257/0x310
[ 22.587357]  ret_from_fork+0x41/0x80
[ 22.587735]  ret_from_fork_asm+0x1a/0x30
[ 22.588189]
[ 22.588360] The buggy address belongs to the object at ffff888100394200
[ 22.588360]  which belongs to the cache kmalloc-256 of size 256
[ 22.589666] The buggy address is located 0 bytes inside of
[ 22.589666]  freed 256-byte region [ffff888100394200, ffff888100394300)
[ 22.592176]
[ 22.593048] The buggy address belongs to the physical page:
[ 22.593788] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100394
[ 22.594666] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 22.595182] flags: 0x200000000000040(head|node=0|zone=2)
[ 22.595899] page_type: f5(slab)
[ 22.596254] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 22.597077] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 22.597913] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 22.598596] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 22.599655] head: 0200000000000001 ffffea000400e501 ffffffffffffffff 0000000000000000
[ 22.600676] head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
[ 22.601207] page dumped because: kasan: bad access detected
[ 22.602157]
[ 22.602519] Memory state around the buggy address:
[ 22.603185]  ffff888100394100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.603569]  ffff888100394180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.603982] >ffff888100394200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.604759]                    ^
[ 22.605570]  ffff888100394280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.605994]  ffff888100394300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.606657] ==================================================================
[ 22.607812] ==================================================================
[ 22.608784] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53e/0x5e0
[ 22.609560] Read of size 1 at addr ffff888100394200 by task kunit_try_catch/172
[ 22.610235]
[ 22.610511] CPU: 0 UID: 0 PID: 172 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241204 #1
[ 22.611549] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 22.612260] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 22.613038] Call Trace:
[ 22.613586]  <TASK>
[ 22.613917]  dump_stack_lvl+0x73/0xb0
[ 22.614504]  print_report+0xd1/0x640
[ 22.614976]  ? __virt_addr_valid+0x1db/0x2d0
[ 22.615299]  ? kasan_complete_mode_report_info+0x64/0x200
[ 22.615660]  kasan_report+0x102/0x140
[ 22.616348]  ? krealloc_uaf+0x53e/0x5e0
[ 22.617143]  ? krealloc_uaf+0x53e/0x5e0
[ 22.617829]  __asan_report_load1_noabort+0x18/0x20
[ 22.618529]  krealloc_uaf+0x53e/0x5e0
[ 22.619126]  ? __pfx_krealloc_uaf+0x10/0x10
[ 22.619449]  ? finish_task_switch.isra.0+0x153/0x700
[ 22.620200]  ? __switch_to+0x5d9/0xf60
[ 22.620693]  ? __schedule+0xc3e/0x2790
[ 22.621232]  ? __pfx_read_tsc+0x10/0x10
[ 22.621846]  ? ktime_get_ts64+0x86/0x230
[ 22.622167]  kunit_try_run_case+0x1b3/0x490
[ 22.622994]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.623638]  ? _raw_spin_lock_irqsave+0xa2/0x110
[ 22.624255]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 22.624808]  ? __kthread_parkme+0x82/0x160
[ 22.625435]  ? preempt_count_sub+0x50/0x80
[ 22.625968]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.626533]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 22.627161]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.627570]  kthread+0x257/0x310
[ 22.628278]  ? __pfx_kthread+0x10/0x10
[ 22.628944]  ret_from_fork+0x41/0x80
[ 22.629406]  ? __pfx_kthread+0x10/0x10
[ 22.629893]  ret_from_fork_asm+0x1a/0x30
[ 22.630219]  </TASK>
[ 22.630763]
[ 22.631050] Allocated by task 172:
[ 22.631467]  kasan_save_stack+0x3d/0x60
[ 22.632021]  kasan_save_track+0x18/0x40
[ 22.632408]  kasan_save_alloc_info+0x3b/0x50
[ 22.633107]  __kasan_kmalloc+0xb7/0xc0
[ 22.633682]  __kmalloc_cache_noprof+0x184/0x410
[ 22.634091]  krealloc_uaf+0xbc/0x5e0
[ 22.634521]  kunit_try_run_case+0x1b3/0x490
[ 22.634874]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.635376]  kthread+0x257/0x310
[ 22.635889]  ret_from_fork+0x41/0x80
[ 22.636329]  ret_from_fork_asm+0x1a/0x30
[ 22.636714]
[ 22.636979] Freed by task 172:
[ 22.637434]  kasan_save_stack+0x3d/0x60
[ 22.637959]  kasan_save_track+0x18/0x40
[ 22.638320]  kasan_save_free_info+0x3f/0x60
[ 22.638786]  __kasan_slab_free+0x56/0x70
[ 22.639192]  kfree+0x123/0x3f0
[ 22.639703]  krealloc_uaf+0x13e/0x5e0
[ 22.640118]  kunit_try_run_case+0x1b3/0x490
[ 22.640660]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.641401]  kthread+0x257/0x310
[ 22.641816]  ret_from_fork+0x41/0x80
[ 22.642368]  ret_from_fork_asm+0x1a/0x30
[ 22.642839]
[ 22.643107] The buggy address belongs to the object at ffff888100394200
[ 22.643107]  which belongs to the cache kmalloc-256 of size 256
[ 22.644055] The buggy address is located 0 bytes inside of
[ 22.644055]  freed 256-byte region [ffff888100394200, ffff888100394300)
[ 22.645947]
[ 22.646200] The buggy address belongs to the physical page:
[ 22.647214] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100394
[ 22.648188] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 22.651178] flags: 0x200000000000040(head|node=0|zone=2)
[ 22.651481] page_type: f5(slab)
[ 22.651642] raw: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 22.652328] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 22.653706] head: 0200000000000040 ffff888100041b40 dead000000000122 0000000000000000
[ 22.655261] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 22.656931] head: 0200000000000001 ffffea000400e501 ffffffffffffffff 0000000000000000
[ 22.657318] head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
[ 22.658136] page dumped because: kasan: bad access detected
[ 22.659362]
[ 22.659651] Memory state around the buggy address:
[ 22.660489]  ffff888100394100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.661982]  ffff888100394180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.662846] >ffff888100394200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.663231]                    ^
[ 22.663722]  ffff888100394280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.665022]  ffff888100394300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.666764] ==================================================================
```