Date: Feb. 5, 2025, 2:09 p.m.
Environment |
---|
qemu-armv7 |
qemu-x86_64 |
qemu-armv7:

```text
[  145.252637] ==================================================================
[  145.253800] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x100/0x240
[  145.254493] Read of size 16 at addr c4fcf280 by task kunit_try_catch/141
[  145.255303]
[  145.255730] CPU: 0 PID: 141 Comm: kunit_try_catch Tainted: G    B   N 6.6.76-rc1 #1
[  145.257125] Hardware name: Generic DT based system
[  145.258121]  unwind_backtrace from show_stack+0x18/0x1c
[  145.259149]  show_stack from dump_stack_lvl+0x58/0x70
[  145.260011]  dump_stack_lvl from print_report+0x164/0x51c
[  145.260821]  print_report from kasan_report+0xc8/0x104
[  145.261547]  kasan_report from kmalloc_uaf_16+0x100/0x240
[  145.262225]  kmalloc_uaf_16 from kunit_try_run_case+0x11c/0x2e4
[  145.263028]  kunit_try_run_case from kunit_generic_run_threadfn_adapter+0x2c/0x48
[  145.264008]  kunit_generic_run_threadfn_adapter from kthread+0x184/0x1a8
[  145.264878]  kthread from ret_from_fork+0x14/0x30
[  145.265538] Exception stack(0xf9f6bfb0 to 0xf9f6bff8)
[  145.266405] bfa0:                                     00000000 00000000 00000000 00000000
[  145.267433] bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  145.268390] bfe0: 00000000 00000000 00000000 00000000 00000013 00000000
[  145.269126]
[  145.269413] Allocated by task 141:
[  145.269774]  kasan_set_track+0x3c/0x5c
[  145.270409]  __kasan_kmalloc+0x8c/0x94
[  145.270974]  kmalloc_uaf_16+0xc8/0x240
[  145.271553]  kunit_try_run_case+0x11c/0x2e4
[  145.272119]  kunit_generic_run_threadfn_adapter+0x2c/0x48
[  145.272900]  kthread+0x184/0x1a8
[  145.273337]  ret_from_fork+0x14/0x30
[  145.273807]
[  145.274135] Freed by task 141:
[  145.274463]  kasan_set_track+0x3c/0x5c
[  145.275089]  kasan_save_free_info+0x30/0x3c
[  145.275933]  __kasan_slab_free+0xdc/0x124
[  145.276484]  __kmem_cache_free+0x140/0x2a8
[  145.277043]  kmalloc_uaf_16+0xe4/0x240
[  145.277513]  kunit_try_run_case+0x11c/0x2e4
[  145.278289]  kunit_generic_run_threadfn_adapter+0x2c/0x48
[  145.278934]  kthread+0x184/0x1a8
[  145.279443]  ret_from_fork+0x14/0x30
[  145.279937]
[  145.280251] The buggy address belongs to the object at c4fcf280
[  145.280251]  which belongs to the cache kmalloc-64 of size 64
[  145.281294] The buggy address is located 0 bytes inside of
[  145.281294]  freed 64-byte region [c4fcf280, c4fcf2c0)
[  145.282485]
[  145.282841] The buggy address belongs to the physical page:
[  145.283591] page:8516b471 refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x44fcf
[  145.284374] flags: 0x800(slab|zone=0)
[  145.284902] page_type: 0xffffffff()
[  145.285357] raw: 00000800 c4801200 00000122 00000000 00000000 80200020 ffffffff 00000001
[  145.286422] raw: 00000000
[  145.286862] page dumped because: kasan: bad access detected
[  145.287535]
[  145.287767] Memory state around the buggy address:
[  145.288416]  c4fcf180: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  145.289127]  c4fcf200: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  145.289995] >c4fcf280: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  145.290715]            ^
[  145.291033]  c4fcf300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  145.291871]  c4fcf380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  145.292567] ==================================================================
```
qemu-x86_64:

```text
[   47.995357] ==================================================================
[   47.996212] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x108/0x250
[   47.998374] Read of size 16 at addr ffff88810273e080 by task kunit_try_catch/164
[   47.999222]
[   47.999501] CPU: 1 PID: 164 Comm: kunit_try_catch Tainted: G    B   N 6.6.76-rc1 #1
[   48.000752] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   48.001591] Call Trace:
[   48.001943]  <TASK>
[   48.002278]  dump_stack_lvl+0x4e/0x90
[   48.003527]  print_report+0xd2/0x660
[   48.004077]  ? __virt_addr_valid+0x156/0x1e0
[   48.004607]  ? kasan_complete_mode_report_info+0x64/0x200
[   48.005322]  kasan_report+0xff/0x140
[   48.006115]  ? kmalloc_uaf_16+0x108/0x250
[   48.006593]  ? kmalloc_uaf_16+0x108/0x250
[   48.007325]  __asan_load16+0x69/0x90
[   48.007886]  kmalloc_uaf_16+0x108/0x250
[   48.008972]  ? __pfx_kmalloc_uaf_16+0x10/0x10
[   48.009345]  ? __schedule+0x70b/0x1190
[   48.009910]  ? ktime_get_ts64+0x118/0x140
[   48.010450]  kunit_try_run_case+0x126/0x290
[   48.011420]  ? __pfx_kunit_try_run_case+0x10/0x10
[   48.012255]  ? __kasan_check_write+0x18/0x20
[   48.012882]  ? trace_preempt_on+0x20/0xa0
[   48.013418]  ? __kthread_parkme+0x4f/0xd0
[   48.014024]  ? preempt_count_sub+0x50/0x80
[   48.014548]  ? __pfx_kunit_try_run_case+0x10/0x10
[   48.015563]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   48.016353]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   48.017353]  kthread+0x19e/0x1e0
[   48.017915]  ? __pfx_kthread+0x10/0x10
[   48.018649]  ret_from_fork+0x41/0x70
[   48.019285]  ? __pfx_kthread+0x10/0x10
[   48.019862]  ret_from_fork_asm+0x1b/0x30
[   48.020839]  </TASK>
[   48.021122]
[   48.021449] Allocated by task 164:
[   48.022076]  kasan_save_stack+0x3c/0x60
[   48.022624]  kasan_set_track+0x29/0x40
[   48.023150]  kasan_save_alloc_info+0x22/0x30
[   48.023768]  __kasan_kmalloc+0xb7/0xc0
[   48.024505]  kmalloc_trace+0x4c/0xb0
[   48.025201]  kmalloc_uaf_16+0xc9/0x250
[   48.026078]  kunit_try_run_case+0x126/0x290
[   48.026829]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   48.027831]  kthread+0x19e/0x1e0
[   48.028528]  ret_from_fork+0x41/0x70
[   48.029299]  ret_from_fork_asm+0x1b/0x30
[   48.029848]
[   48.030179] Freed by task 164:
[   48.030533]  kasan_save_stack+0x3c/0x60
[   48.031070]  kasan_set_track+0x29/0x40
[   48.031670]  kasan_save_free_info+0x2f/0x50
[   48.032836]  ____kasan_slab_free+0x172/0x1d0
[   48.033552]  __kasan_slab_free+0x16/0x20
[   48.034298]  __kmem_cache_free+0x190/0x310
[   48.034912]  kfree+0x7c/0x120
[   48.035451]  kmalloc_uaf_16+0xe9/0x250
[   48.036012]  kunit_try_run_case+0x126/0x290
[   48.036479]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   48.037171]  kthread+0x19e/0x1e0
[   48.037675]  ret_from_fork+0x41/0x70
[   48.039012]  ret_from_fork_asm+0x1b/0x30
[   48.039491]
[   48.039767] The buggy address belongs to the object at ffff88810273e080
[   48.039767]  which belongs to the cache kmalloc-16 of size 16
[   48.041176] The buggy address is located 0 bytes inside of
[   48.041176]  freed 16-byte region [ffff88810273e080, ffff88810273e090)
[   48.042263]
[   48.042542] The buggy address belongs to the physical page:
[   48.043353] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10273e
[   48.044611] flags: 0x200000000000800(slab|node=0|zone=2)
[   48.045166] page_type: 0xffffffff()
[   48.045605] raw: 0200000000000800 ffff8881000413c0 dead000000000122 0000000000000000
[   48.046235] raw: 0000000000000000 0000000080800080 00000001ffffffff 0000000000000000
[   48.047367] page dumped because: kasan: bad access detected
[   48.047924]
[   48.048388] Memory state around the buggy address:
[   48.049150]  ffff88810273df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   48.050470]  ffff88810273e000: 00 04 fc fc fa fb fc fc fa fb fc fc 00 00 fc fc
[   48.051148] >ffff88810273e080: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   48.052147]                    ^
[   48.052588]  ffff88810273e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   48.053424]  ffff88810273e180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   48.054326] ==================================================================
```
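How to read the two reports (an added note and example, not part of the CI output). Both are produced by the KASAN KUnit self-test `kmalloc_uaf_16`, which frees a 16-byte `kmalloc()` object and then reads 16 bytes from it on purpose (`__asan_load16` is the instrumented 16-byte load that trips), so the `BUG: KASAN: slab-use-after-free` lines are the expected outcome of that test on 6.6.76-rc1, not a regression; the `B` and `N` taint flags are KASAN's report path (TAINT_BAD_PAGE) and the KUnit test module (TAINT_TEST). The two runs differ only in where the object lands. On x86_64 the 16-byte request is served from `kmalloc-16`, so the freed object shows up as `fa fb` (the first 8-byte granule carries the free-track metadata, the second is plain freed memory) between `fc` slab redzones. On the arm build the same request is served from `kmalloc-64` and occupies a 64-byte slot, so it shows as `fa` followed by seven `fb`. The row above the fault in the x86_64 dump (`00 04 fc fc fa fb fc fc fa fb fc fc 00 00 fc fc`) holds a live 12-byte allocation (`00 04`: 8 + 4 addressable bytes), two further freed 16-byte objects and a live 16-byte one.

The C program below is an added example, not kernel code and not part of this test run. It parses the `Memory state` rows of the x86_64 report (embedded as its input) and replays the granule check that `__asan_load16` performed, so you can confirm why a 16-byte read at ffff88810273e080 is reported while a 16-byte read at ffff88810273e060 is not, and what a 13-byte read of the 12-byte object would hit. Shadow semantics follow generic KASAN: one shadow byte per 8-byte granule, `0x00` fully addressable, `1..7` the number of addressable leading bytes, `0xfa`/`0xfb` freed, `0xfc` slab redzone. The struct and function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KASAN_GRANULE 8   /* bytes of memory per shadow byte (generic KASAN) */
#define ROW_BYTES     16  /* shadow bytes per printed row of the report */

/* "Memory state" block copied from the qemu-x86_64 report above. */
static const char *const shadow_dump =
    " ffff88810273df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n"
    " ffff88810273e000: 00 04 fc fc fa fb fc fc fa fb fc fc 00 00 fc fc\n"
    ">ffff88810273e080: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n"
    "                   ^\n"
    " ffff88810273e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n"
    " ffff88810273e180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n";

struct shadow_row { uint64_t base; uint8_t bytes[ROW_BYTES]; };

/* Meaning of one shadow byte (poison values as in mm/kasan/kasan.h, 6.6). */
const char *kasan_shadow_describe(int s)
{
    if (s == 0) return "addressable";
    if (s > 0 && s < KASAN_GRANULE) return "partially addressable (first s bytes)";
    switch (s) {
    case 0xfa: return "freed slab object (free-track metadata granule)";
    case 0xfb: return "freed slab object";
    case 0xfc: return "slab redzone";
    case 0xfe: return "page redzone";
    case 0xff: return "freed page";
    default:   return "unknown";
    }
}

/* Parse "<hex>: b0 .. b15" rows; the '>' marker and the caret line are skipped. */
int parse_shadow_dump(const char *dump, struct shadow_row *rows, int max_rows)
{
    int n = 0;
    while (*dump && n < max_rows) {
        const char *eol = strchr(dump, '\n');
        size_t len = eol ? (size_t)(eol - dump) : strlen(dump);
        char line[96], *p = line, *colon, *end;
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, dump, len);
        line[len] = '\0';
        while (*p == ' ' || *p == '>') p++;
        if ((colon = strchr(p, ':')) != NULL) {
            *colon = '\0';
            rows[n].base = strtoull(p, &end, 16);
            if (end != p && *end == '\0') {        /* a real address row */
                char *q = colon + 1;
                for (int i = 0; i < ROW_BYTES; i++)
                    rows[n].bytes[i] = (uint8_t)strtoul(q, &q, 16);
                n++;
            }
        }
        if (!eol) break;
        dump = eol + 1;
    }
    return n;
}

/* Shadow byte covering addr, or -1 if the dump does not cover it. */
int kasan_shadow_lookup(const struct shadow_row *rows, int n, uint64_t addr)
{
    for (int i = 0; i < n; i++)
        if (addr >= rows[i].base && addr < rows[i].base + ROW_BYTES * KASAN_GRANULE)
            return rows[i].bytes[(addr - rows[i].base) / KASAN_GRANULE];
    return -1;
}

/* The check __asan_load16() made in the report, replayed against the dump:
 * 0 if every byte of [addr, addr+size) is addressable, else the first
 * offending shadow byte; -1 if the range is outside the dump. */
int kasan_check_access(const struct shadow_row *rows, int n, uint64_t addr, size_t size)
{
    uint64_t end = addr + size;
    for (uint64_t a = addr; a < end; a = (a | (KASAN_GRANULE - 1)) + 1) {
        int s = kasan_shadow_lookup(rows, n, a);
        if (s < 0) return -1;
        if (s == 0) continue;
        uint64_t gran_last = a | (KASAN_GRANULE - 1);
        uint64_t last = end - 1 < gran_last ? end - 1 : gran_last;
        /* 1..7: only the first s bytes of this granule are addressable */
        if (s < KASAN_GRANULE && (last & (KASAN_GRANULE - 1)) < (uint64_t)s) continue;
        return s;
    }
    return 0;
}

/* Wrapper over the embedded dump. */
int report_check(uint64_t addr, size_t size)
{
    struct shadow_row rows[8];
    int n = parse_shadow_dump(shadow_dump, rows, 8);
    return kasan_check_access(rows, n, addr, size);
}

int main(void)
{
    uint64_t fault = 0xffff88810273e080ULL;   /* "Read of size 16 at addr ..." */
    int s = report_check(fault, 16);
    printf("16-byte read at %#llx: shadow %#x (%s)\n", (unsigned long long)fault,
           s, s < 0 ? "outside dump" : kasan_shadow_describe(s));
    return 0;
}
```

Build with `cc -std=c11 -Wall kasan_shadow.c`. The same parser handles the 32-bit addresses of the arm report (`c4fcf280`), since `strtoull` accepts either width; paste that block in place of `shadow_dump` and check a 16-byte read at `c4fcf280` to see the `fa` of the 64-byte slot.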