Date
Feb. 5, 2025, 2:09 p.m.
| Environment | |
|---|---|
| qemu-arm64 |
[ 180.037918] ================================================================== [ 180.040167] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0xd0/0x1d8 [ 180.042028] Write of size 33 at addr ffff0000c600c980 by task kunit_try_catch/164 [ 180.043416] [ 180.043934] CPU: 1 PID: 164 Comm: kunit_try_catch Tainted: G B N 6.6.76-rc1 #1 [ 180.045848] Hardware name: linux,dummy-virt (DT) [ 180.047114] Call trace: [ 180.047870] dump_backtrace+0x9c/0x128 [ 180.048773] show_stack+0x20/0x38 [ 180.050083] dump_stack_lvl+0x60/0xb0 [ 180.051532] print_report+0xf8/0x5d8 [ 180.052755] kasan_report+0xc8/0x118 [ 180.054197] kasan_check_range+0xe8/0x190 [ 180.055843] __asan_memset+0x34/0x78 [ 180.057209] kmalloc_uaf_memset+0xd0/0x1d8 [ 180.058791] kunit_try_run_case+0xf8/0x260 [ 180.060016] kunit_generic_run_threadfn_adapter+0x38/0x60 [ 180.061556] kthread+0x18c/0x1a8 [ 180.062529] ret_from_fork+0x10/0x20 [ 180.063890] [ 180.064341] Allocated by task 164: [ 180.065449] kasan_save_stack+0x3c/0x68 [ 180.066561] kasan_set_track+0x2c/0x40 [ 180.067982] kasan_save_alloc_info+0x24/0x38 [ 180.069310] __kasan_kmalloc+0xd4/0xd8 [ 180.070701] kmalloc_trace+0x68/0x130 [ 180.071954] kmalloc_uaf_memset+0x9c/0x1d8 [ 180.073447] kunit_try_run_case+0xf8/0x260 [ 180.075008] kunit_generic_run_threadfn_adapter+0x38/0x60 [ 180.076423] kthread+0x18c/0x1a8 [ 180.077592] ret_from_fork+0x10/0x20 [ 180.078682] [ 180.079109] Freed by task 164: [ 180.079824] kasan_save_stack+0x3c/0x68 [ 180.081677] kasan_set_track+0x2c/0x40 [ 180.083014] kasan_save_free_info+0x38/0x60 [ 180.084282] __kasan_slab_free+0x100/0x170 [ 180.085461] __kmem_cache_free+0x170/0x2e0 [ 180.086650] kfree+0x74/0x138 [ 180.087401] kmalloc_uaf_memset+0xb8/0x1d8 [ 180.088777] kunit_try_run_case+0xf8/0x260 [ 180.090180] kunit_generic_run_threadfn_adapter+0x38/0x60 [ 180.091851] kthread+0x18c/0x1a8 [ 180.093391] ret_from_fork+0x10/0x20 [ 180.094370] [ 180.094824] The buggy address belongs to the object at ffff0000c600c980 [ 180.094824] which belongs to the cache kmalloc-64 of size 64 [ 180.098106] The buggy address is located 0 bytes inside of [ 180.098106] freed 64-byte region [ffff0000c600c980, ffff0000c600c9c0) [ 180.100896] [ 180.102893] The buggy address belongs to the physical page: [ 180.104245] page:000000007a3032c1 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10600c [ 180.106347] flags: 0xbfffc0000000800(slab|node=0|zone=2|lastcpupid=0xffff) [ 180.108010] page_type: 0xffffffff() [ 180.109090] raw: 0bfffc0000000800 ffff0000c0001640 dead000000000122 0000000000000000 [ 180.111144] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 [ 180.113307] page dumped because: kasan: bad access detected [ 180.114483] [ 180.115203] Memory state around the buggy address: [ 180.116365] ffff0000c600c880: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 180.118058] ffff0000c600c900: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 180.119655] >ffff0000c600c980: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 180.121204] ^ [ 180.122099] ffff0000c600ca00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 180.123748] ffff0000c600ca80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 180.125563] ==================================================================