Hay
Sign in
Date
Feb. 5, 2025, 2:09 p.m.

Environment
qemu-arm64 

[  178.961704] ==================================================================
[  178.963489] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x10c/0x2c0
[  178.964836] Read of size 1 at addr ffff0000c0b82600 by task kunit_try_catch/142
[  178.967420] 
[  178.968197] CPU: 1 PID: 142 Comm: kunit_try_catch Tainted: G    B            N 6.6.76-rc1 #1
[  178.971017] Hardware name: linux,dummy-virt (DT)
[  178.972704] Call trace:
[  178.973388]  dump_backtrace+0x9c/0x128
[  178.975111]  show_stack+0x20/0x38
[  178.976363]  dump_stack_lvl+0x60/0xb0
[  178.977774]  print_report+0xf8/0x5d8
[  178.979022]  kasan_report+0xc8/0x118
[  178.980373]  __asan_load1+0x60/0x70
[  178.982018]  krealloc_uaf+0x10c/0x2c0
[  178.982828]  kunit_try_run_case+0xf8/0x260
[  178.983979]  kunit_generic_run_threadfn_adapter+0x38/0x60
[  178.986335]  kthread+0x18c/0x1a8
[  178.987808]  ret_from_fork+0x10/0x20
[  178.988930] 
[  178.989478] Allocated by task 142:
[  178.990392]  kasan_save_stack+0x3c/0x68
[  178.991533]  kasan_set_track+0x2c/0x40
[  178.992654]  kasan_save_alloc_info+0x24/0x38
[  178.994054]  __kasan_kmalloc+0xd4/0xd8
[  178.995255]  kmalloc_trace+0x68/0x130
[  178.996143]  krealloc_uaf+0xb0/0x2c0
[  178.997027]  kunit_try_run_case+0xf8/0x260
[  178.998592]  kunit_generic_run_threadfn_adapter+0x38/0x60
[  179.000109]  kthread+0x18c/0x1a8
[  179.001462]  ret_from_fork+0x10/0x20
[  179.002499] 
[  179.003085] Freed by task 142:
[  179.004445]  kasan_save_stack+0x3c/0x68
[  179.005550]  kasan_set_track+0x2c/0x40
[  179.006704]  kasan_save_free_info+0x38/0x60
[  179.007964]  __kasan_slab_free+0x100/0x170
[  179.009240]  __kmem_cache_free+0x170/0x2e0
[  179.010447]  kfree+0x74/0x138
[  179.011508]  krealloc_uaf+0xcc/0x2c0
[  179.012392]  kunit_try_run_case+0xf8/0x260
[  179.013957]  kunit_generic_run_threadfn_adapter+0x38/0x60
[  179.015486]  kthread+0x18c/0x1a8
[  179.016425]  ret_from_fork+0x10/0x20
[  179.017564] 
[  179.018155] The buggy address belongs to the object at ffff0000c0b82600
[  179.018155]  which belongs to the cache kmalloc-256 of size 256
[  179.021037] The buggy address is located 0 bytes inside of
[  179.021037]  freed 256-byte region [ffff0000c0b82600, ffff0000c0b82700)
[  179.023847] 
[  179.024383] The buggy address belongs to the physical page:
[  179.025425] page:000000000369a94f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100b82
[  179.027453] head:000000000369a94f order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[  179.029545] flags: 0xbfffc0000000840(slab|head|node=0|zone=2|lastcpupid=0xffff)
[  179.031590] page_type: 0xffffffff()
[  179.032682] raw: 0bfffc0000000840 ffff0000c0001b40 dead000000000122 0000000000000000
[  179.034334] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[  179.035894] page dumped because: kasan: bad access detected
[  179.037259] 
[  179.038189] Memory state around the buggy address:
[  179.039907]  ffff0000c0b82500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  179.041133]  ffff0000c0b82580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  179.043166] >ffff0000c0b82600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  179.044954]                    ^
[  179.046000]  ffff0000c0b82680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  179.048425]  ffff0000c0b82700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  179.049941] ==================================================================
[  178.869815] ==================================================================
[  178.872139] BUG: KASAN: slab-use-after-free in krealloc_uaf+0xe4/0x2c0
[  178.874404] Read of size 1 at addr ffff0000c0b82600 by task kunit_try_catch/142
[  178.876148] 
[  178.876707] CPU: 1 PID: 142 Comm: kunit_try_catch Tainted: G    B            N 6.6.76-rc1 #1
[  178.878534] Hardware name: linux,dummy-virt (DT)
[  178.879701] Call trace:
[  178.880333]  dump_backtrace+0x9c/0x128
[  178.881457]  show_stack+0x20/0x38
[  178.882731]  dump_stack_lvl+0x60/0xb0
[  178.883918]  print_report+0xf8/0x5d8
[  178.885118]  kasan_report+0xc8/0x118
[  178.886778]  __kasan_check_byte+0x54/0x70
[  178.887999]  krealloc+0x48/0x1a0
[  178.889153]  krealloc_uaf+0xe4/0x2c0
[  178.890396]  kunit_try_run_case+0xf8/0x260
[  178.891605]  kunit_generic_run_threadfn_adapter+0x38/0x60
[  178.893681]  kthread+0x18c/0x1a8
[  178.894621]  ret_from_fork+0x10/0x20
[  178.895706] 
[  178.896225] Allocated by task 142:
[  178.897533]  kasan_save_stack+0x3c/0x68
[  178.898652]  kasan_set_track+0x2c/0x40
[  178.899816]  kasan_save_alloc_info+0x24/0x38
[  178.901148]  __kasan_kmalloc+0xd4/0xd8
[  178.902317]  kmalloc_trace+0x68/0x130
[  178.903373]  krealloc_uaf+0xb0/0x2c0
[  178.904434]  kunit_try_run_case+0xf8/0x260
[  178.905833]  kunit_generic_run_threadfn_adapter+0x38/0x60
[  178.907367]  kthread+0x18c/0x1a8
[  178.908383]  ret_from_fork+0x10/0x20
[  178.909907] 
[  178.910368] Freed by task 142:
[  178.911221]  kasan_save_stack+0x3c/0x68
[  178.912381]  kasan_set_track+0x2c/0x40
[  178.913559]  kasan_save_free_info+0x38/0x60
[  178.915346]  __kasan_slab_free+0x100/0x170
[  178.916553]  __kmem_cache_free+0x170/0x2e0
[  178.917974]  kfree+0x74/0x138
[  178.919009]  krealloc_uaf+0xcc/0x2c0
[  178.920057]  kunit_try_run_case+0xf8/0x260
[  178.921533]  kunit_generic_run_threadfn_adapter+0x38/0x60
[  178.923182]  kthread+0x18c/0x1a8
[  178.924063]  ret_from_fork+0x10/0x20
[  178.925604] 
[  178.926242] The buggy address belongs to the object at ffff0000c0b82600
[  178.926242]  which belongs to the cache kmalloc-256 of size 256
[  178.928560] The buggy address is located 0 bytes inside of
[  178.928560]  freed 256-byte region [ffff0000c0b82600, ffff0000c0b82700)
[  178.931211] 
[  178.931741] The buggy address belongs to the physical page:
[  178.933132] page:000000000369a94f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100b82
[  178.935624] head:000000000369a94f order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[  178.937596] flags: 0xbfffc0000000840(slab|head|node=0|zone=2|lastcpupid=0xffff)
[  178.939266] page_type: 0xffffffff()
[  178.940318] raw: 0bfffc0000000840 ffff0000c0001b40 dead000000000122 0000000000000000
[  178.942211] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[  178.943959] page dumped because: kasan: bad access detected
[  178.945281] 
[  178.945876] Memory state around the buggy address:
[  178.947333]  ffff0000c0b82500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  178.948688]  ffff0000c0b82580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  178.950747] >ffff0000c0b82600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  178.952352]                    ^
[  178.953781]  ffff0000c0b82680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  178.955100]  ffff0000c0b82700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  178.956538] ==================================================================
Metadata Full log Test run details