Date
June 7, 2025, 10:40 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

```text
[   23.048400] ==================================================================
[   23.049586] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[   23.050857] Read of size 1 at addr fff00000c570be88 by task kunit_try_catch/173
[   23.051780]
[   23.052295] CPU: 1 UID: 0 PID: 173 Comm: kunit_try_catch Tainted: G B N 6.14.11-rc1 #1
[   23.052548] Tainted: [B]=BAD_PAGE, [N]=TEST
[   23.052611] Hardware name: linux,dummy-virt (DT)
[   23.052654] Call trace:
[   23.052682]  show_stack+0x20/0x38 (C)
[   23.052751]  dump_stack_lvl+0x8c/0xd0
[   23.052810]  print_report+0x118/0x608
[   23.052868]  kasan_report+0xdc/0x128
[   23.052965]  __asan_report_load1_noabort+0x20/0x30
[   23.053075]  kmalloc_uaf+0x300/0x338
[   23.053232]  kunit_try_run_case+0x170/0x3f0
[   23.053364]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   23.053490]  kthread+0x318/0x620
[   23.053598]  ret_from_fork+0x10/0x20
[   23.053716]
[   23.059857] Allocated by task 173:
[   23.060407]  kasan_save_stack+0x3c/0x68
[   23.061341]  kasan_save_track+0x20/0x40
[   23.061897]  kasan_save_alloc_info+0x40/0x58
[   23.062534]  __kasan_kmalloc+0xd4/0xd8
[   23.063083]  __kmalloc_cache_noprof+0x16c/0x3c0
[   23.063707]  kmalloc_uaf+0xb8/0x338
[   23.064289]  kunit_try_run_case+0x170/0x3f0
[   23.064797]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   23.065833]  kthread+0x318/0x620
[   23.066364]  ret_from_fork+0x10/0x20
[   23.066965]
[   23.067270] Freed by task 173:
[   23.067761]  kasan_save_stack+0x3c/0x68
[   23.068186]  kasan_save_track+0x20/0x40
[   23.068744]  kasan_save_free_info+0x4c/0x78
[   23.070270]  __kasan_slab_free+0x6c/0x98
[   23.070871]  kfree+0x214/0x3c8
[   23.071370]  kmalloc_uaf+0x11c/0x338
[   23.071964]  kunit_try_run_case+0x170/0x3f0
[   23.072520]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   23.073425]  kthread+0x318/0x620
[   23.073997]  ret_from_fork+0x10/0x20
[   23.074703]
[   23.075046] The buggy address belongs to the object at fff00000c570be80
[   23.075046]  which belongs to the cache kmalloc-16 of size 16
[   23.076039] The buggy address is located 8 bytes inside of
[   23.076039]  freed 16-byte region [fff00000c570be80, fff00000c570be90)
[   23.077395]
[   23.078027] The buggy address belongs to the physical page:
[   23.078603] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10570b
[   23.079424] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   23.080125] page_type: f5(slab)
[   23.080598] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[   23.081793] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   23.082530] page dumped because: kasan: bad access detected
[   23.082992]
[   23.083336] Memory state around the buggy address:
[   23.083859]  fff00000c570bd80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   23.084555]  fff00000c570be00: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   23.085440] >fff00000c570be80: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.086548]                       ^
[   23.086878]  fff00000c570bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.087655]  fff00000c570bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.088295] ==================================================================
```
qemu-x86_64:

```text
[   17.929946] ==================================================================
[   17.931078] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x322/0x380
[   17.931298] Read of size 1 at addr ffff8881024b0188 by task kunit_try_catch/192
[   17.932113]
[   17.932432] CPU: 0 UID: 0 PID: 192 Comm: kunit_try_catch Tainted: G B N 6.14.11-rc1 #1
[   17.932555] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.932585] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   17.932632] Call Trace:
[   17.932665]  <TASK>
[   17.932707]  dump_stack_lvl+0x73/0xb0
[   17.932791]  print_report+0xd1/0x650
[   17.932851]  ? __virt_addr_valid+0x1db/0x2d0
[   17.932928]  ? kmalloc_uaf+0x322/0x380
[   17.932977]  ? kasan_complete_mode_report_info+0x64/0x200
[   17.933038]  ? kmalloc_uaf+0x322/0x380
[   17.933091]  kasan_report+0x140/0x180
[   17.933147]  ? kmalloc_uaf+0x322/0x380
[   17.933211]  __asan_report_load1_noabort+0x18/0x20
[   17.933271]  kmalloc_uaf+0x322/0x380
[   17.933315]  ? __pfx_kmalloc_uaf+0x10/0x10
[   17.933362]  ? __pfx_kmalloc_uaf+0x10/0x10
[   17.933401]  kunit_try_run_case+0x1a6/0x480
[   17.933438]  ? __pfx_kunit_try_run_case+0x10/0x10
[   17.933465]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   17.933497]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   17.933526]  ? __kthread_parkme+0x82/0x160
[   17.933555]  ? preempt_count_sub+0x50/0x80
[   17.933588]  ? __pfx_kunit_try_run_case+0x10/0x10
[   17.933616]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   17.933648]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   17.933679]  kthread+0x324/0x6e0
[   17.933706]  ? trace_preempt_on+0x20/0xc0
[   17.933736]  ? __pfx_kthread+0x10/0x10
[   17.933764]  ? _raw_spin_unlock_irq+0x47/0x80
[   17.933791]  ? calculate_sigpending+0x7b/0xa0
[   17.933819]  ? __pfx_kthread+0x10/0x10
[   17.933846]  ret_from_fork+0x41/0x80
[   17.933917]  ? __pfx_kthread+0x10/0x10
[   17.933966]  ret_from_fork_asm+0x1a/0x30
[   17.934015]  </TASK>
[   17.934032]
[   17.949878] Allocated by task 192:
[   17.950281]  kasan_save_stack+0x45/0x70
[   17.950599]  kasan_save_track+0x18/0x40
[   17.950993]  kasan_save_alloc_info+0x3b/0x50
[   17.951301]  __kasan_kmalloc+0xb7/0xc0
[   17.951668]  __kmalloc_cache_noprof+0x18a/0x420
[   17.952762]  kmalloc_uaf+0xab/0x380
[   17.953065]  kunit_try_run_case+0x1a6/0x480
[   17.953765]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   17.954344]  kthread+0x324/0x6e0
[   17.954961]  ret_from_fork+0x41/0x80
[   17.955714]  ret_from_fork_asm+0x1a/0x30
[   17.956021]
[   17.956152] Freed by task 192:
[   17.957166]  kasan_save_stack+0x45/0x70
[   17.957606]  kasan_save_track+0x18/0x40
[   17.957836]  kasan_save_free_info+0x3f/0x60
[   17.958275]  __kasan_slab_free+0x56/0x70
[   17.959114]  kfree+0x224/0x3f0
[   17.959657]  kmalloc_uaf+0x12d/0x380
[   17.960121]  kunit_try_run_case+0x1a6/0x480
[   17.960542]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   17.961155]  kthread+0x324/0x6e0
[   17.961827]  ret_from_fork+0x41/0x80
[   17.962157]  ret_from_fork_asm+0x1a/0x30
[   17.962593]
[   17.962812] The buggy address belongs to the object at ffff8881024b0180
[   17.962812]  which belongs to the cache kmalloc-16 of size 16
[   17.963613] The buggy address is located 8 bytes inside of
[   17.963613]  freed 16-byte region [ffff8881024b0180, ffff8881024b0190)
[   17.964406]
[   17.964626] The buggy address belongs to the physical page:
[   17.965955] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1024b0
[   17.966775] flags: 0x200000000000000(node=0|zone=2)
[   17.967270] page_type: f5(slab)
[   17.967669] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[   17.968137] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   17.968686] page dumped because: kasan: bad access detected
[   17.969041]
[   17.969169] Memory state around the buggy address:
[   17.970296]  ffff8881024b0080: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   17.970783]  ffff8881024b0100: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   17.971949] >ffff8881024b0180: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.972498]                       ^
[   17.972787]  ffff8881024b0200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.973466]  ffff8881024b0280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.974472] ==================================================================
```