Date
Feb. 5, 2025, 2:09 p.m.
| Environment | |
|---|---|
| qemu-arm64 |
[ 181.716233] ================================================================== [ 181.718005] BUG: KASAN: slab-use-after-free in ksize_uaf+0xe8/0x2f0 [ 181.719526] Read of size 1 at addr ffff0000c170c100 by task kunit_try_catch/192 [ 181.721995] [ 181.722383] CPU: 0 PID: 192 Comm: kunit_try_catch Tainted: G B N 6.6.76-rc1 #1 [ 181.724585] Hardware name: linux,dummy-virt (DT) [ 181.726493] Call trace: [ 181.727188] dump_backtrace+0x9c/0x128 [ 181.728318] show_stack+0x20/0x38 [ 181.730011] dump_stack_lvl+0x60/0xb0 [ 181.731097] print_report+0xf8/0x5d8 [ 181.732325] kasan_report+0xc8/0x118 [ 181.733776] __asan_load1+0x60/0x70 [ 181.735061] ksize_uaf+0xe8/0x2f0 [ 181.736141] kunit_try_run_case+0xf8/0x260 [ 181.737526] kunit_generic_run_threadfn_adapter+0x38/0x60 [ 181.738818] kthread+0x18c/0x1a8 [ 181.740168] ret_from_fork+0x10/0x20 [ 181.741666] [ 181.742352] Allocated by task 192: [ 181.743181] kasan_save_stack+0x3c/0x68 [ 181.744363] kasan_set_track+0x2c/0x40 [ 181.745822] kasan_save_alloc_info+0x24/0x38 [ 181.747088] __kasan_kmalloc+0xd4/0xd8 [ 181.748257] kmalloc_trace+0x68/0x130 [ 181.749740] ksize_uaf+0x9c/0x2f0 [ 181.750862] kunit_try_run_case+0xf8/0x260 [ 181.752069] kunit_generic_run_threadfn_adapter+0x38/0x60 [ 181.753656] kthread+0x18c/0x1a8 [ 181.754743] ret_from_fork+0x10/0x20 [ 181.755734] [ 181.756346] Freed by task 192: [ 181.757272] kasan_save_stack+0x3c/0x68 [ 181.758478] kasan_set_track+0x2c/0x40 [ 181.759641] kasan_save_free_info+0x38/0x60 [ 181.761106] __kasan_slab_free+0x100/0x170 [ 181.762613] __kmem_cache_free+0x170/0x2e0 [ 181.763877] kfree+0x74/0x138 [ 181.764863] ksize_uaf+0xb8/0x2f0 [ 181.765937] kunit_try_run_case+0xf8/0x260 [ 181.767134] kunit_generic_run_threadfn_adapter+0x38/0x60 [ 181.768589] kthread+0x18c/0x1a8 [ 181.769802] ret_from_fork+0x10/0x20 [ 181.770800] [ 181.771269] The buggy address belongs to the object at ffff0000c170c100 [ 181.771269] which belongs to the cache kmalloc-128 of size 128 [ 181.774302] The buggy address is located 0 bytes inside of [ 181.774302] freed 128-byte region [ffff0000c170c100, ffff0000c170c180) [ 181.776611] [ 181.777366] The buggy address belongs to the physical page: [ 181.779523] page:00000000265a4d16 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10170c [ 181.781949] flags: 0xbfffc0000000800(slab|node=0|zone=2|lastcpupid=0xffff) [ 181.783489] page_type: 0xffffffff() [ 181.784897] raw: 0bfffc0000000800 ffff0000c00018c0 dead000000000122 0000000000000000 [ 181.786767] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 181.788368] page dumped because: kasan: bad access detected [ 181.790089] [ 181.790903] Memory state around the buggy address: [ 181.792308] ffff0000c170c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 181.793986] ffff0000c170c080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 181.795644] >ffff0000c170c100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 181.797162] ^ [ 181.798414] ffff0000c170c180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 181.799670] ffff0000c170c200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 181.801510] ================================================================== [ 181.805619] ================================================================== [ 181.807192] BUG: KASAN: slab-use-after-free in ksize_uaf+0x10c/0x2f0 [ 181.808689] Read of size 1 at addr ffff0000c170c178 by task kunit_try_catch/192 [ 181.810464] [ 181.811075] CPU: 1 PID: 192 Comm: kunit_try_catch Tainted: G B N 6.6.76-rc1 #1 [ 181.812899] Hardware name: linux,dummy-virt (DT) [ 181.814056] Call trace: [ 181.814789] dump_backtrace+0x9c/0x128 [ 181.815902] show_stack+0x20/0x38 [ 181.816912] dump_stack_lvl+0x60/0xb0 [ 181.818457] print_report+0xf8/0x5d8 [ 181.820087] kasan_report+0xc8/0x118 [ 181.822207] __asan_load1+0x60/0x70 [ 181.823332] ksize_uaf+0x10c/0x2f0 [ 181.824425] kunit_try_run_case+0xf8/0x260 [ 181.825664] kunit_generic_run_threadfn_adapter+0x38/0x60 [ 181.827206] kthread+0x18c/0x1a8 [ 181.828173] ret_from_fork+0x10/0x20 [ 181.829278] [ 181.829853] Allocated by task 192: [ 181.830786] kasan_save_stack+0x3c/0x68 [ 181.831956] kasan_set_track+0x2c/0x40 [ 181.833109] kasan_save_alloc_info+0x24/0x38 [ 181.834419] __kasan_kmalloc+0xd4/0xd8 [ 181.835595] kmalloc_trace+0x68/0x130 [ 181.836618] ksize_uaf+0x9c/0x2f0 [ 181.837637] kunit_try_run_case+0xf8/0x260 [ 181.838836] kunit_generic_run_threadfn_adapter+0x38/0x60 [ 181.840295] kthread+0x18c/0x1a8 [ 181.841275] ret_from_fork+0x10/0x20 [ 181.842357] [ 181.842933] Freed by task 192: [ 181.843773] kasan_save_stack+0x3c/0x68 [ 181.844925] kasan_set_track+0x2c/0x40 [ 181.846084] kasan_save_free_info+0x38/0x60 [ 181.847345] __kasan_slab_free+0x100/0x170 [ 181.848559] __kmem_cache_free+0x170/0x2e0 [ 181.849782] kfree+0x74/0x138 [ 181.850688] ksize_uaf+0xb8/0x2f0 [ 181.851717] kunit_try_run_case+0xf8/0x260 [ 181.852909] kunit_generic_run_threadfn_adapter+0x38/0x60 [ 181.854381] kthread+0x18c/0x1a8 [ 181.855368] ret_from_fork+0x10/0x20 [ 181.856448] [ 181.857032] The buggy address belongs to the object at ffff0000c170c100 [ 181.857032] which belongs to the cache kmalloc-128 of size 128 [ 181.859451] The buggy address is located 120 bytes inside of [ 181.859451] freed 128-byte region [ffff0000c170c100, ffff0000c170c180) [ 181.861912] [ 181.862523] The buggy address belongs to the physical page: [ 181.863896] page:00000000265a4d16 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10170c [ 181.865863] flags: 0xbfffc0000000800(slab|node=0|zone=2|lastcpupid=0xffff) [ 181.867444] page_type: 0xffffffff() [ 181.868506] raw: 0bfffc0000000800 ffff0000c00018c0 dead000000000122 0000000000000000 [ 181.870228] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 181.871847] page dumped because: kasan: bad access detected [ 181.873101] [ 181.873766] Memory state around the buggy address: [ 181.874922] ffff0000c170c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 181.876495] ffff0000c170c080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 181.878122] >ffff0000c170c100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 181.879660] ^ [ 181.881266] ffff0000c170c180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 181.882863] ffff0000c170c200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 181.884388] ================================================================== [ 181.620012] ================================================================== [ 181.622251] BUG: KASAN: slab-use-after-free in ksize_uaf+0xc8/0x2f0 [ 181.624688] Read of size 1 at addr ffff0000c170c100 by task kunit_try_catch/192 [ 181.627154] [ 181.627924] CPU: 1 PID: 192 Comm: kunit_try_catch Tainted: G B N 6.6.76-rc1 #1 [ 181.630056] Hardware name: linux,dummy-virt (DT) [ 181.631114] Call trace: [ 181.631758] dump_backtrace+0x9c/0x128 [ 181.632867] show_stack+0x20/0x38 [ 181.634019] dump_stack_lvl+0x60/0xb0 [ 181.635363] print_report+0xf8/0x5d8 [ 181.636538] kasan_report+0xc8/0x118 [ 181.637955] __kasan_check_byte+0x54/0x70 [ 181.638997] ksize+0x30/0x88 [ 181.639963] ksize_uaf+0xc8/0x2f0 [ 181.640719] kunit_try_run_case+0xf8/0x260 [ 181.642290] kunit_generic_run_threadfn_adapter+0x38/0x60 [ 181.643828] kthread+0x18c/0x1a8 [ 181.644812] ret_from_fork+0x10/0x20 [ 181.646019] [ 181.646542] Allocated by task 192: [ 181.647453] kasan_save_stack+0x3c/0x68 [ 181.649916] kasan_set_track+0x2c/0x40 [ 181.651066] kasan_save_alloc_info+0x24/0x38 [ 181.652292] __kasan_kmalloc+0xd4/0xd8 [ 181.653524] kmalloc_trace+0x68/0x130 [ 181.654696] ksize_uaf+0x9c/0x2f0 [ 181.656563] kunit_try_run_case+0xf8/0x260 [ 181.657838] kunit_generic_run_threadfn_adapter+0x38/0x60 [ 181.659549] kthread+0x18c/0x1a8 [ 181.660541] ret_from_fork+0x10/0x20 [ 181.662709] [ 181.663211] Freed by task 192: [ 181.664203] kasan_save_stack+0x3c/0x68 [ 181.665883] kasan_set_track+0x2c/0x40 [ 181.667163] kasan_save_free_info+0x38/0x60 [ 181.668411] __kasan_slab_free+0x100/0x170 [ 181.669808] __kmem_cache_free+0x170/0x2e0 [ 181.671327] kfree+0x74/0x138 [ 181.672287] ksize_uaf+0xb8/0x2f0 [ 181.673846] kunit_try_run_case+0xf8/0x260 [ 181.675166] kunit_generic_run_threadfn_adapter+0x38/0x60 [ 181.676658] kthread+0x18c/0x1a8 [ 181.677639] ret_from_fork+0x10/0x20 [ 181.679097] [ 181.679720] The buggy address belongs to the object at ffff0000c170c100 [ 181.679720] which belongs to the cache kmalloc-128 of size 128 [ 181.682412] The buggy address is located 0 bytes inside of [ 181.682412] freed 128-byte region [ffff0000c170c100, ffff0000c170c180) [ 181.686688] [ 181.687339] The buggy address belongs to the physical page: [ 181.688286] page:00000000265a4d16 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10170c [ 181.690330] flags: 0xbfffc0000000800(slab|node=0|zone=2|lastcpupid=0xffff) [ 181.691915] page_type: 0xffffffff() [ 181.693108] raw: 0bfffc0000000800 ffff0000c00018c0 dead000000000122 0000000000000000 [ 181.695126] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 181.696874] page dumped because: kasan: bad access detected [ 181.698387] [ 181.698910] Memory state around the buggy address: [ 181.699933] ffff0000c170c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 181.701960] ffff0000c170c080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 181.703775] >ffff0000c170c100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 181.705515] ^ [ 181.707010] ffff0000c170c180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 181.708560] ffff0000c170c200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 181.710366] ==================================================================