Date
Feb. 5, 2025, 2:09 p.m.
| Environment |
|---|
| qemu-armv7 |
| qemu-x86_64 |
qemu-armv7

[ 145.156405] ==================================================================
[ 145.156944] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x11c/0x2b8
[ 145.158407] Read of size 1 at addr c4c17e00 by task kunit_try_catch/137
[ 145.159834]
[ 145.160298] CPU: 0 PID: 137 Comm: kunit_try_catch Tainted: G B N 6.6.76-rc1 #1
[ 145.161502] Hardware name: Generic DT based system
[ 145.162154] unwind_backtrace from show_stack+0x18/0x1c
[ 145.162912] show_stack from dump_stack_lvl+0x58/0x70
[ 145.163620] dump_stack_lvl from print_report+0x164/0x51c
[ 145.164327] print_report from kasan_report+0xc8/0x104
[ 145.165077] kasan_report from krealloc_uaf+0x11c/0x2b8
[ 145.165868] krealloc_uaf from kunit_try_run_case+0x11c/0x2e4
[ 145.166712] kunit_try_run_case from kunit_generic_run_threadfn_adapter+0x2c/0x48
[ 145.167748] kunit_generic_run_threadfn_adapter from kthread+0x184/0x1a8
[ 145.168741] kthread from ret_from_fork+0x14/0x30
[ 145.169406] Exception stack(0xf9f53fb0 to 0xf9f53ff8)
[ 145.169985] 3fa0: 00000000 00000000 00000000 00000000
[ 145.170962] 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 145.171831] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
[ 145.172543]
[ 145.172771] Allocated by task 137:
[ 145.173357] kasan_set_track+0x3c/0x5c
[ 145.173877] __kasan_kmalloc+0x8c/0x94
[ 145.174568] krealloc_uaf+0xac/0x2b8
[ 145.175219] kunit_try_run_case+0x11c/0x2e4
[ 145.175921] kunit_generic_run_threadfn_adapter+0x2c/0x48
[ 145.177530] kthread+0x184/0x1a8
[ 145.178454] ret_from_fork+0x14/0x30
[ 145.178821]
[ 145.179207] Freed by task 137:
[ 145.179638] kasan_set_track+0x3c/0x5c
[ 145.180186] kasan_save_free_info+0x30/0x3c
[ 145.180741] __kasan_slab_free+0xdc/0x124
[ 145.181424] __kmem_cache_free+0x140/0x2a8
[ 145.182073] krealloc_uaf+0xc8/0x2b8
[ 145.182501] kunit_try_run_case+0x11c/0x2e4
[ 145.183158] kunit_generic_run_threadfn_adapter+0x2c/0x48
[ 145.183867] kthread+0x184/0x1a8
[ 145.184327] ret_from_fork+0x14/0x30
[ 145.184800]
[ 145.185114] The buggy address belongs to the object at c4c17e00
[ 145.185114]  which belongs to the cache kmalloc-256 of size 256
[ 145.186232] The buggy address is located 0 bytes inside of
[ 145.186232]  freed 256-byte region [c4c17e00, c4c17f00)
[ 145.187335]
[ 145.187682] The buggy address belongs to the physical page:
[ 145.188371] page:17c33a57 refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x44c16
[ 145.189446] head:17c33a57 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 145.190195] flags: 0x840(slab|head|zone=0)
[ 145.190735] page_type: 0xffffffff()
[ 145.191339] raw: 00000840 c4801500 00000122 00000000 00000000 80100010 ffffffff 00000001
[ 145.192142] raw: 00000000
[ 145.192575] page dumped because: kasan: bad access detected
[ 145.193166]
[ 145.193440] Memory state around the buggy address:
[ 145.193974]  c4c17d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 145.194796]  c4c17d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 145.195455] >c4c17e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 145.196387]            ^
[ 145.197284]  c4c17e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 145.198158]  c4c17f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 145.198999] ==================================================================

[ 145.109701] ==================================================================
[ 145.110894] BUG: KASAN: slab-use-after-free in krealloc_uaf+0xe4/0x2b8
[ 145.111477] Read of size 1 at addr c4c17e00 by task kunit_try_catch/137
[ 145.112314]
[ 145.112567] CPU: 0 PID: 137 Comm: kunit_try_catch Tainted: G B N 6.6.76-rc1 #1
[ 145.113329] Hardware name: Generic DT based system
[ 145.113963] unwind_backtrace from show_stack+0x18/0x1c
[ 145.114694] show_stack from dump_stack_lvl+0x58/0x70
[ 145.115426] dump_stack_lvl from print_report+0x164/0x51c
[ 145.116119] print_report from kasan_report+0xc8/0x104
[ 145.116973] kasan_report from __kasan_check_byte+0x34/0x3c
[ 145.118077] __kasan_check_byte from krealloc+0x30/0x134
[ 145.118970] krealloc from krealloc_uaf+0xe4/0x2b8
[ 145.119679] krealloc_uaf from kunit_try_run_case+0x11c/0x2e4
[ 145.120456] kunit_try_run_case from kunit_generic_run_threadfn_adapter+0x2c/0x48
[ 145.121504] kunit_generic_run_threadfn_adapter from kthread+0x184/0x1a8
[ 145.122346] kthread from ret_from_fork+0x14/0x30
[ 145.122911] Exception stack(0xf9f53fb0 to 0xf9f53ff8)
[ 145.123769] 3fa0: 00000000 00000000 00000000 00000000
[ 145.124777] 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 145.125975] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
[ 145.126690]
[ 145.127049] Allocated by task 137:
[ 145.127721] kasan_set_track+0x3c/0x5c
[ 145.128450] __kasan_kmalloc+0x8c/0x94
[ 145.129105] krealloc_uaf+0xac/0x2b8
[ 145.129710] kunit_try_run_case+0x11c/0x2e4
[ 145.130358] kunit_generic_run_threadfn_adapter+0x2c/0x48
[ 145.131122] kthread+0x184/0x1a8
[ 145.131600] ret_from_fork+0x14/0x30
[ 145.132198]
[ 145.132499] Freed by task 137:
[ 145.132833] kasan_set_track+0x3c/0x5c
[ 145.133456] kasan_save_free_info+0x30/0x3c
[ 145.134170] __kasan_slab_free+0xdc/0x124
[ 145.134741] __kmem_cache_free+0x140/0x2a8
[ 145.135394] krealloc_uaf+0xc8/0x2b8
[ 145.136283] kunit_try_run_case+0x11c/0x2e4
[ 145.136995] kunit_generic_run_threadfn_adapter+0x2c/0x48
[ 145.137847] kthread+0x184/0x1a8
[ 145.138525] ret_from_fork+0x14/0x30
[ 145.139031]
[ 145.139325] The buggy address belongs to the object at c4c17e00
[ 145.139325]  which belongs to the cache kmalloc-256 of size 256
[ 145.140773] The buggy address is located 0 bytes inside of
[ 145.140773]  freed 256-byte region [c4c17e00, c4c17f00)
[ 145.142080]
[ 145.142416] The buggy address belongs to the physical page:
[ 145.143166] page:17c33a57 refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x44c16
[ 145.144170] head:17c33a57 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 145.145029] flags: 0x840(slab|head|zone=0)
[ 145.145672] page_type: 0xffffffff()
[ 145.146277] raw: 00000840 c4801500 00000122 00000000 00000000 80100010 ffffffff 00000001
[ 145.147536] raw: 00000000
[ 145.148034] page dumped because: kasan: bad access detected
[ 145.148690]
[ 145.149011] Memory state around the buggy address:
[ 145.149589]  c4c17d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 145.150512]  c4c17d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 145.151417] >c4c17e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 145.152220]            ^
[ 145.152658]  c4c17e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 145.153486]  c4c17f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 145.154272] ==================================================================
qemu-x86_64

[ 47.875030] ==================================================================
[ 47.875591] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x131/0x2e0
[ 47.876379] Read of size 1 at addr ffff888102857a00 by task kunit_try_catch/160
[ 47.877110]
[ 47.877410] CPU: 1 PID: 160 Comm: kunit_try_catch Tainted: G B N 6.6.76-rc1 #1
[ 47.878468] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 47.879458] Call Trace:
[ 47.879702] <TASK>
[ 47.880327] dump_stack_lvl+0x4e/0x90
[ 47.881055] print_report+0xd2/0x660
[ 47.881666] ? __virt_addr_valid+0x156/0x1e0
[ 47.882295] ? kasan_complete_mode_report_info+0x64/0x200
[ 47.882951] kasan_report+0xff/0x140
[ 47.883385] ? krealloc_uaf+0x131/0x2e0
[ 47.884348] ? krealloc_uaf+0x131/0x2e0
[ 47.885009] __asan_load1+0x66/0x70
[ 47.885598] krealloc_uaf+0x131/0x2e0
[ 47.886147] ? __pfx_krealloc_uaf+0x10/0x10
[ 47.886827] ? sysvec_apic_timer_interrupt+0x94/0xa0
[ 47.887430] ? asm_sysvec_apic_timer_interrupt+0x1f/0x30
[ 47.888556] ? __pfx_krealloc_uaf+0x10/0x10
[ 47.889246] ? kunit_try_run_case+0x11b/0x290
[ 47.890006] kunit_try_run_case+0x126/0x290
[ 47.890599] ? __pfx_kunit_try_run_case+0x10/0x10
[ 47.891299] ? __kasan_check_write+0x18/0x20
[ 47.892071] ? trace_preempt_on+0x20/0xa0
[ 47.892728] ? __kthread_parkme+0x4f/0xd0
[ 47.893645] ? preempt_count_sub+0x50/0x80
[ 47.894331] ? __pfx_kunit_try_run_case+0x10/0x10
[ 47.895359] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 47.896179] kunit_generic_run_threadfn_adapter+0x33/0x50
[ 47.897314] kthread+0x19e/0x1e0
[ 47.897786] ? __pfx_kthread+0x10/0x10
[ 47.898363] ret_from_fork+0x41/0x70
[ 47.899224] ? __pfx_kthread+0x10/0x10
[ 47.899770] ret_from_fork_asm+0x1b/0x30
[ 47.900272] </TASK>
[ 47.900548]
[ 47.901538] Allocated by task 160:
[ 47.902078] kasan_save_stack+0x3c/0x60
[ 47.902630] kasan_set_track+0x29/0x40
[ 47.903347] kasan_save_alloc_info+0x22/0x30
[ 47.903939] __kasan_kmalloc+0xb7/0xc0
[ 47.904454] kmalloc_trace+0x4c/0xb0
[ 47.905135] krealloc_uaf+0xb0/0x2e0
[ 47.905621] kunit_try_run_case+0x126/0x290
[ 47.906708] kunit_generic_run_threadfn_adapter+0x33/0x50
[ 47.907502] kthread+0x19e/0x1e0
[ 47.908185] ret_from_fork+0x41/0x70
[ 47.908698] ret_from_fork_asm+0x1b/0x30
[ 47.909268]
[ 47.909540] Freed by task 160:
[ 47.910416] kasan_save_stack+0x3c/0x60
[ 47.911370] kasan_set_track+0x29/0x40
[ 47.911811] kasan_save_free_info+0x2f/0x50
[ 47.912501] ____kasan_slab_free+0x172/0x1d0
[ 47.913194] __kasan_slab_free+0x16/0x20
[ 47.913704] __kmem_cache_free+0x190/0x310
[ 47.914215] kfree+0x7c/0x120
[ 47.914754] krealloc_uaf+0xd0/0x2e0
[ 47.915680] kunit_try_run_case+0x126/0x290
[ 47.916408] kunit_generic_run_threadfn_adapter+0x33/0x50
[ 47.917188] kthread+0x19e/0x1e0
[ 47.917420] ret_from_fork+0x41/0x70
[ 47.917647] ret_from_fork_asm+0x1b/0x30
[ 47.918609]
[ 47.919279] The buggy address belongs to the object at ffff888102857a00
[ 47.919279]  which belongs to the cache kmalloc-256 of size 256
[ 47.920323] The buggy address is located 0 bytes inside of
[ 47.920323]  freed 256-byte region [ffff888102857a00, ffff888102857b00)
[ 47.921330]
[ 47.921517] The buggy address belongs to the physical page:
[ 47.922358] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102856
[ 47.923458] head:(____ptrval____) order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 47.924677] flags: 0x200000000000840(slab|head|node=0|zone=2)
[ 47.925398] page_type: 0xffffffff()
[ 47.925959] raw: 0200000000000840 ffff888100041b40 dead000000000122 0000000000000000
[ 47.926826] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 47.928169] page dumped because: kasan: bad access detected
[ 47.928852]
[ 47.929046] Memory state around the buggy address:
[ 47.929540]  ffff888102857900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 47.930403]  ffff888102857980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 47.931044] >ffff888102857a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.932117]                    ^
[ 47.932476]  ffff888102857a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.933518]  ffff888102857b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 47.934699] ==================================================================

[ 47.814314] ==================================================================
[ 47.815692] BUG: KASAN: slab-use-after-free in krealloc_uaf+0xf1/0x2e0
[ 47.816447] Read of size 1 at addr ffff888102857a00 by task kunit_try_catch/160
[ 47.817157]
[ 47.817863] CPU: 1 PID: 160 Comm: kunit_try_catch Tainted: G B N 6.6.76-rc1 #1
[ 47.818919] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 47.819812] Call Trace:
[ 47.820202] <TASK>
[ 47.820648] dump_stack_lvl+0x4e/0x90
[ 47.821250] print_report+0xd2/0x660
[ 47.821697] ? __virt_addr_valid+0x156/0x1e0
[ 47.822469] ? kasan_complete_mode_report_info+0x64/0x200
[ 47.823135] kasan_report+0xff/0x140
[ 47.823389] ? krealloc_uaf+0xf1/0x2e0
[ 47.823626] ? krealloc_uaf+0xf1/0x2e0
[ 47.824717] ? krealloc_uaf+0xf1/0x2e0
[ 47.825336] __kasan_check_byte+0x3d/0x50
[ 47.826062] krealloc+0x35/0x140
[ 47.826787] krealloc_uaf+0xf1/0x2e0
[ 47.827338] ? __pfx_krealloc_uaf+0x10/0x10
[ 47.827923] ? sysvec_apic_timer_interrupt+0x94/0xa0
[ 47.828446] ? asm_sysvec_apic_timer_interrupt+0x1f/0x30
[ 47.829187] ? __pfx_krealloc_uaf+0x10/0x10
[ 47.829904] ? kunit_try_run_case+0x11b/0x290
[ 47.830617] kunit_try_run_case+0x126/0x290
[ 47.831345] ? __pfx_kunit_try_run_case+0x10/0x10
[ 47.832063] ? __kasan_check_write+0x18/0x20
[ 47.832788] ? trace_preempt_on+0x20/0xa0
[ 47.833252] ? __kthread_parkme+0x4f/0xd0
[ 47.833514] ? preempt_count_sub+0x50/0x80
[ 47.833871] ? __pfx_kunit_try_run_case+0x10/0x10
[ 47.834522] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 47.835415] kunit_generic_run_threadfn_adapter+0x33/0x50
[ 47.836200] kthread+0x19e/0x1e0
[ 47.836818] ? __pfx_kthread+0x10/0x10
[ 47.837420] ret_from_fork+0x41/0x70
[ 47.838099] ? __pfx_kthread+0x10/0x10
[ 47.838733] ret_from_fork_asm+0x1b/0x30
[ 47.839448] </TASK>
[ 47.839956]
[ 47.840393] Allocated by task 160:
[ 47.840958] kasan_save_stack+0x3c/0x60
[ 47.841396] kasan_set_track+0x29/0x40
[ 47.842278] kasan_save_alloc_info+0x22/0x30
[ 47.842765] __kasan_kmalloc+0xb7/0xc0
[ 47.843469] kmalloc_trace+0x4c/0xb0
[ 47.844188] krealloc_uaf+0xb0/0x2e0
[ 47.844893] kunit_try_run_case+0x126/0x290
[ 47.845626] kunit_generic_run_threadfn_adapter+0x33/0x50
[ 47.846456] kthread+0x19e/0x1e0
[ 47.847144] ret_from_fork+0x41/0x70
[ 47.847888] ret_from_fork_asm+0x1b/0x30
[ 47.848650]
[ 47.849159] Freed by task 160:
[ 47.849509] kasan_save_stack+0x3c/0x60
[ 47.850281] kasan_set_track+0x29/0x40
[ 47.850925] kasan_save_free_info+0x2f/0x50
[ 47.851583] ____kasan_slab_free+0x172/0x1d0
[ 47.852480] __kasan_slab_free+0x16/0x20
[ 47.853206] __kmem_cache_free+0x190/0x310
[ 47.853806] kfree+0x7c/0x120
[ 47.854539] krealloc_uaf+0xd0/0x2e0
[ 47.855089] kunit_try_run_case+0x126/0x290
[ 47.855750] kunit_generic_run_threadfn_adapter+0x33/0x50
[ 47.856309] kthread+0x19e/0x1e0
[ 47.856813] ret_from_fork+0x41/0x70
[ 47.857304] ret_from_fork_asm+0x1b/0x30
[ 47.857926]
[ 47.858225] The buggy address belongs to the object at ffff888102857a00
[ 47.858225]  which belongs to the cache kmalloc-256 of size 256
[ 47.859170] The buggy address is located 0 bytes inside of
[ 47.859170]  freed 256-byte region [ffff888102857a00, ffff888102857b00)
[ 47.860509]
[ 47.860798] The buggy address belongs to the physical page:
[ 47.861451] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102856
[ 47.862588] head:(____ptrval____) order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 47.863424] flags: 0x200000000000840(slab|head|node=0|zone=2)
[ 47.864157] page_type: 0xffffffff()
[ 47.864591] raw: 0200000000000840 ffff888100041b40 dead000000000122 0000000000000000
[ 47.865610] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 47.866236] page dumped because: kasan: bad access detected
[ 47.866485]
[ 47.866604] Memory state around the buggy address:
[ 47.867038]  ffff888102857900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 47.868253]  ffff888102857980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 47.868893] >ffff888102857a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.869662]                    ^
[ 47.870140]  ffff888102857a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.870954]  ffff888102857b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 47.871662] ==================================================================
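Reading the reports: all four are the expected output of the `krealloc_uaf` case in the kernel's KASAN KUnit self-tests (the `kunit_try_catch` task in every trace). The test allocates an object that lands in kmalloc-256 (`__kasan_kmalloc` from `krealloc_uaf+0xb0` on x86_64), frees it (`kfree` from `krealloc_uaf+0xd0`), then deliberately hands the stale pointer to `krealloc()` and afterwards reads one byte through it. KASAN is expected to catch both accesses, which is why each environment shows two reports for the same object: the earlier one (by timestamp; the page lists it second) comes from the byte check `krealloc()` performs before touching the old object (`__kasan_check_byte` called from `krealloc`), the later one from the direct load in `krealloc_uaf` itself (`__asan_load1` on x86_64). The `B` in `Tainted: G B N` is set by a KASAN report and `N` by the test module, so neither points at a problem outside the test. In the shadow dump, `fc` marks the slab redzones on both sides of the object, `fb` a granule of a freed object, and `fa` the first granule of a freed object, where generic KASAN also notes that the free track shown under "Freed by task" was saved; a `>` row whose caret lands on `fa` or `fb` is what makes KASAN label the access `slab-use-after-free` rather than an out-of-bounds variant.

The decoder below is an added example written for this page; it is not part of the test log or of the kernel's own code. It parses the "Memory state around the buggy address" rows as dmesg prints them and reproduces the bug-type decision KASAN's generic (software) mode makes from the shadow byte at the reported address, using the shadow values from `mm/kasan/kasan.h` for that mode. It assumes generic KASAN's layout of one shadow byte per 8-byte granule and 16 shadow bytes per row; hardware tag-based KASAN prints a different dump and is out of scope. `SAMPLE_REPORT` is constructed from the qemu-x86_64 rows above, and the address passed to `kasan_bug_type` is the one printed after "at addr".

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Generic-mode KASAN shadow layout (mm/kasan/kasan.h, mm/kasan/report*.c): one
 * shadow byte per 8-byte granule; a dump row prints 16 shadow bytes (128 bytes). */
#define KASAN_GRANULE_SIZE   8
#define SHADOW_BYTES_PER_ROW 16

enum kasan_shadow {       /* shadow values; 0xFA = first granule of a freed object */
    KASAN_PAGE_FREE = 0xFF, KASAN_PAGE_REDZONE = 0xFE, KASAN_SLAB_REDZONE = 0xFC,
    KASAN_SLAB_FREE = 0xFB, KASAN_SLAB_FREETRACK = 0xFA, KASAN_GLOBAL_REDZONE = 0xF9,
    KASAN_VMALLOC_INVALID = 0xF8, KASAN_STACK_LEFT = 0xF1, KASAN_STACK_MID = 0xF2,
    KASAN_STACK_RIGHT = 0xF3, KASAN_STACK_PARTIAL = 0xF4,
    KASAN_ALLOCA_LEFT = 0xCA, KASAN_ALLOCA_RIGHT = 0xCB,
};

struct shadow_row { uint64_t base; uint8_t bytes[SHADOW_BYTES_PER_ROW]; };

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                                        /* fold A-F onto a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* One dmesg line ('\n' or NUL terminated) -> shadow row, 1 on success. Skips the
 * "[ 47.929540]" timestamp and the ">" marker; requires "<hex addr>:" followed by
 * exactly 16 two-digit bytes, so exception-stack rows ("3fc0: 00000000 ...") are
 * rejected rather than mistaken for shadow memory. */
static int parse_shadow_row(const char *p, struct shadow_row *row)
{
    char *end;
    while (*p == ' ' || *p == '\t') p++;
    if (*p == '[') {
        while (*p && *p != ']' && *p != '\n') p++;
        if (*p++ != ']') return 0;
    }
    while (*p == ' ') p++;
    if (*p == '>') p++;
    while (*p == ' ') p++;
    if (hexval(*p) < 0) return 0;
    row->base = strtoull(p, &end, 16);
    if (*end != ':') return 0;
    p = end + 1;
    for (int i = 0; i < SHADOW_BYTES_PER_ROW; i++) {
        while (*p == ' ') p++;
        int hi = hexval(p[0]), lo = hi < 0 ? -1 : hexval(p[1]);
        if (lo < 0 || !strchr(" \r\n", p[2])) return 0;   /* NUL is accepted too */
        row->bytes[i] = (uint8_t)(hi << 4 | lo);
        p += 2;
    }
    return 1;
}

/* Shadow byte for the granule containing addr, scanning every row of the report
 * fragment; -1 if no row covers it. */
static int shadow_at(const char *report, uint64_t addr)
{
    struct shadow_row r;
    for (const char *p = report; p && *p; ) {
        if (parse_shadow_row(p, &r) && addr >= r.base &&
            addr - r.base < (uint64_t)SHADOW_BYTES_PER_ROW * KASAN_GRANULE_SIZE)
            return r.bytes[(addr - r.base) / KASAN_GRANULE_SIZE];
        p = strchr(p, '\n');
        if (p) p++;
    }
    return -1;
}

/* Mirrors get_shadow_bug_type() in mm/kasan/report_generic.c. first_bad_addr is the
 * address printed after "at addr". A shadow value 1..7 marks a partially addressable
 * granule, so the bug type is read from the granule that follows it. */
static const char *kasan_bug_type(const char *report, uint64_t first_bad_addr)
{
    int shadow = shadow_at(report, first_bad_addr);
    if (shadow > 0 && shadow < KASAN_GRANULE_SIZE)
        shadow = shadow_at(report, (first_bad_addr | (KASAN_GRANULE_SIZE - 1)) + 1);
    if (shadow < 0) return "not-in-dump";
    if (shadow < KASAN_GRANULE_SIZE) return "out-of-bounds";
    switch (shadow) {
    case KASAN_PAGE_REDZONE: case KASAN_SLAB_REDZONE:  return "slab-out-of-bounds";
    case KASAN_GLOBAL_REDZONE:                         return "global-out-of-bounds";
    case KASAN_STACK_LEFT: case KASAN_STACK_MID:
    case KASAN_STACK_RIGHT: case KASAN_STACK_PARTIAL:  return "stack-out-of-bounds";
    case KASAN_PAGE_FREE:                              return "use-after-free";
    case KASAN_SLAB_FREE: case KASAN_SLAB_FREETRACK:   return "slab-use-after-free";
    case KASAN_ALLOCA_LEFT: case KASAN_ALLOCA_RIGHT:   return "alloca-out-of-bounds";
    case KASAN_VMALLOC_INVALID:                        return "vmalloc-out-of-bounds";
    default:                                           return "unknown-crash";
    }
}

/* Constructed input: the memory-state rows of the qemu-x86_64 report on this page,
 * with the ">" marker and the "^" caret line kept as printed. */
static const char SAMPLE_REPORT[] =
    "[ 47.929540]  ffff888102857900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n"
    "[ 47.930403]  ffff888102857980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n"
    "[ 47.931044] >ffff888102857a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n"
    "[ 47.932117]                    ^\n"
    "[ 47.932476]  ffff888102857a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n"
    "[ 47.933518]  ffff888102857b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n";
```

`kasan_bug_type(SAMPLE_REPORT, 0xffff888102857a00)` returns the same `slab-use-after-free` string that heads both x86_64 reports; moving the address past the object end into the `fc` row at `ffff888102857b00` turns it into `slab-out-of-bounds`, which is the quickest way to tell a stale-pointer access from an overflow when only the shadow dump survives in a log excerpt. The row parser deliberately insists on two-digit bytes so that the ARM exception-stack rows (`3fa0: 00000000 ...`) in the qemu-armv7 reports are skipped rather than decoded as shadow memory.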