Date: Feb. 5, 2025, 2:09 p.m.

| Environment |
|---|
| qemu-armv7 |
| qemu-x86_64 |
qemu-armv7 (KASAN report):

```
[ 147.120167] ==================================================================
[ 147.122125] BUG: KASAN: slab-use-after-free in strcmp+0x20/0x54
[ 147.122766] Read of size 1 at addr c8fba210 by task kunit_try_catch/199
[ 147.123566]
[ 147.123890] CPU: 1 PID: 199 Comm: kunit_try_catch Tainted: G B N 6.6.76-rc1 #1
[ 147.124975] Hardware name: Generic DT based system
[ 147.125604] unwind_backtrace from show_stack+0x18/0x1c
[ 147.126732] show_stack from dump_stack_lvl+0x58/0x70
[ 147.127295] dump_stack_lvl from print_report+0x164/0x51c
[ 147.127802] print_report from kasan_report+0xc8/0x104
[ 147.129834] kasan_report from strcmp+0x20/0x54
[ 147.130801] strcmp from kasan_strings+0x140/0x4ec
[ 147.131561] kasan_strings from kunit_try_run_case+0x11c/0x2e4
[ 147.132521] kunit_try_run_case from kunit_generic_run_threadfn_adapter+0x2c/0x48
[ 147.133593] kunit_generic_run_threadfn_adapter from kthread+0x184/0x1a8
[ 147.134642] kthread from ret_from_fork+0x14/0x30
[ 147.135339] Exception stack(0xfa0fbfb0 to 0xfa0fbff8)
[ 147.136358] bfa0:                                     00000000 00000000 00000000 00000000
[ 147.137510] bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 147.138570] bfe0: 00000000 00000000 00000000 00000000 00000013 00000000
[ 147.139336]
[ 147.139601] Allocated by task 199:
[ 147.139973]  kasan_set_track+0x3c/0x5c
[ 147.140623]  __kasan_kmalloc+0x8c/0x94
[ 147.141142]  kasan_strings+0xa0/0x4ec
[ 147.141715]  kunit_try_run_case+0x11c/0x2e4
[ 147.142285]  kunit_generic_run_threadfn_adapter+0x2c/0x48
[ 147.142922]  kthread+0x184/0x1a8
[ 147.143477]  ret_from_fork+0x14/0x30
[ 147.143960]
[ 147.144233] Freed by task 199:
[ 147.144706]  kasan_set_track+0x3c/0x5c
[ 147.145286]  kasan_save_free_info+0x30/0x3c
[ 147.145769]  __kasan_slab_free+0xdc/0x124
[ 147.146818]  __kmem_cache_free+0x140/0x2a8
[ 147.147375]  kasan_strings+0xbc/0x4ec
[ 147.147943]  kunit_try_run_case+0x11c/0x2e4
[ 147.148572]  kunit_generic_run_threadfn_adapter+0x2c/0x48
[ 147.149335]  kthread+0x184/0x1a8
[ 147.149881]  ret_from_fork+0x14/0x30
[ 147.150373]
[ 147.150663] The buggy address belongs to the object at c8fba200
[ 147.150663]  which belongs to the cache kmalloc-64 of size 64
[ 147.151907] The buggy address is located 16 bytes inside of
[ 147.151907]  freed 64-byte region [c8fba200, c8fba240)
[ 147.152962]
[ 147.153342] The buggy address belongs to the physical page:
[ 147.154099] page:3fba6f39 refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x48fba
[ 147.154933] flags: 0x800(slab|zone=0)
[ 147.155417] page_type: 0xffffffff()
[ 147.156241] raw: 00000800 c4801200 00000122 00000000 00000000 80200020 ffffffff 00000001
[ 147.157080] raw: 00000000
[ 147.157419] page dumped because: kasan: bad access detected
[ 147.158047]
[ 147.158419] Memory state around the buggy address:
[ 147.158991]  c8fba100: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 147.159874]  c8fba180: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 147.160587] >c8fba200: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 147.161317]                  ^
[ 147.161714]  c8fba280: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 147.162416]  c8fba300: 00 00 00 00 04 fc fc fc fc fc fc fc fc fc fc fc
[ 147.163255] ==================================================================
```
qemu-x86_64 (KASAN report):

```
[ 50.349712] ==================================================================
[ 50.351699] BUG: KASAN: slab-use-after-free in strcmp+0x26/0x60
[ 50.352687] Read of size 1 at addr ffff8881028cedd0 by task kunit_try_catch/222
[ 50.353957]
[ 50.354700] CPU: 1 PID: 222 Comm: kunit_try_catch Tainted: G B N 6.6.76-rc1 #1
[ 50.355432] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 50.356386] Call Trace:
[ 50.357016]  <TASK>
[ 50.357326]  dump_stack_lvl+0x4e/0x90
[ 50.357897]  print_report+0xd2/0x660
[ 50.358448]  ? __virt_addr_valid+0x156/0x1e0
[ 50.359065]  ? kasan_complete_mode_report_info+0x64/0x200
[ 50.359926]  kasan_report+0xff/0x140
[ 50.360776]  ? strcmp+0x26/0x60
[ 50.361449]  ? strcmp+0x26/0x60
[ 50.361966]  __asan_load1+0x66/0x70
[ 50.362504]  strcmp+0x26/0x60
[ 50.362950]  kasan_strings+0x161/0x510
[ 50.363634]  ? __pfx_kasan_strings+0x10/0x10
[ 50.364494]  ? __schedule+0x70b/0x1190
[ 50.365115]  ? ktime_get_ts64+0x118/0x140
[ 50.365564]  kunit_try_run_case+0x126/0x290
[ 50.366450]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 50.367264]  ? __kasan_check_write+0x18/0x20
[ 50.367648]  ? trace_preempt_on+0x20/0xa0
[ 50.368469]  ? __kthread_parkme+0x4f/0xd0
[ 50.368888]  ? preempt_count_sub+0x50/0x80
[ 50.369654]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 50.370453]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 50.371458]  kunit_generic_run_threadfn_adapter+0x33/0x50
[ 50.372496]  kthread+0x19e/0x1e0
[ 50.373078]  ? __pfx_kthread+0x10/0x10
[ 50.373703]  ret_from_fork+0x41/0x70
[ 50.374469]  ? __pfx_kthread+0x10/0x10
[ 50.375192]  ret_from_fork_asm+0x1b/0x30
[ 50.375830]  </TASK>
[ 50.376168]
[ 50.376431] Allocated by task 222:
[ 50.376932]  kasan_save_stack+0x3c/0x60
[ 50.377514]  kasan_set_track+0x29/0x40
[ 50.378181]  kasan_save_alloc_info+0x22/0x30
[ 50.378888]  __kasan_kmalloc+0xb7/0xc0
[ 50.379555]  kmalloc_trace+0x4c/0xb0
[ 50.380217]  kasan_strings+0x9f/0x510
[ 50.380836]  kunit_try_run_case+0x126/0x290
[ 50.381578]  kunit_generic_run_threadfn_adapter+0x33/0x50
[ 50.382369]  kthread+0x19e/0x1e0
[ 50.383067]  ret_from_fork+0x41/0x70
[ 50.383720]  ret_from_fork_asm+0x1b/0x30
[ 50.384477]
[ 50.384976] Freed by task 222:
[ 50.385707]  kasan_save_stack+0x3c/0x60
[ 50.386179]  kasan_set_track+0x29/0x40
[ 50.386588]  kasan_save_free_info+0x2f/0x50
[ 50.387715]  ____kasan_slab_free+0x172/0x1d0
[ 50.388468]  __kasan_slab_free+0x16/0x20
[ 50.389295]  __kmem_cache_free+0x190/0x310
[ 50.390124]  kfree+0x7c/0x120
[ 50.390619]  kasan_strings+0xc3/0x510
[ 50.391653]  kunit_try_run_case+0x126/0x290
[ 50.392317]  kunit_generic_run_threadfn_adapter+0x33/0x50
[ 50.393282]  kthread+0x19e/0x1e0
[ 50.393872]  ret_from_fork+0x41/0x70
[ 50.394628]  ret_from_fork_asm+0x1b/0x30
[ 50.395410]
[ 50.395771] The buggy address belongs to the object at ffff8881028cedc0
[ 50.395771]  which belongs to the cache kmalloc-32 of size 32
[ 50.397245] The buggy address is located 16 bytes inside of
[ 50.397245]  freed 32-byte region [ffff8881028cedc0, ffff8881028cede0)
[ 50.398602]
[ 50.399247] The buggy address belongs to the physical page:
[ 50.400051] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1028ce
[ 50.401193] flags: 0x200000000000800(slab|node=0|zone=2)
[ 50.401944] page_type: 0xffffffff()
[ 50.402962] raw: 0200000000000800 ffff888100041500 dead000000000122 0000000000000000
[ 50.404095] raw: 0000000000000000 0000000080400040 00000001ffffffff 0000000000000000
[ 50.405211] page dumped because: kasan: bad access detected
[ 50.405890]
[ 50.406636] Memory state around the buggy address:
[ 50.407593]  ffff8881028cec80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 50.408319]  ffff8881028ced00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 50.409411] >ffff8881028ced80: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 50.410348]                                                  ^
[ 50.411305]  ffff8881028cee00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.412500]  ffff8881028cee80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.413498] ==================================================================
```