oss-sec mailing list archives
Re: Type Confusion in Linux Kernel
From: Kyle Zeng <zengyhkyle () gmail com>
Date: Tue, 10 Jan 2023 15:07:44 -0700
Hi John,

A crash report is attached to this email. I hope this helps evaluate the security implication of the bug.

Best,
Kyle Zeng

==================================================================
BUG: KASAN: slab-out-of-bounds in cbq_enqueue+0x9d8/0x1fc0
Read of size 1 at addr ffff88806bfd40aa by task sd-resolve/250

CPU: 2 PID: 250 Comm: sd-resolve Not tainted 5.4.188 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 dump_stack+0x19d/0x1e7
 print_address_description+0xd7/0xca0
 __kasan_report+0x1e0/0x270
 kasan_report+0x30/0x60
 cbq_enqueue+0x9d8/0x1fc0
 __dev_queue_xmit+0x2238/0x49f0
 ip_finish_output2+0x1529/0x2430
 ip_output+0x358/0x3f0
 ip_send_skb+0xec/0x220
 udp_send_skb+0xd4f/0x1710
 udp_sendmsg+0x3889/0x4ee0
 ____sys_sendmsg+0x1083/0x1240
 __sys_sendmmsg+0x88d/0xe90
 __x64_sys_sendmmsg+0xa1/0xb0
 do_syscall_64+0x32f/0x3e0
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f188612135f
Code: 89 f5 55 53 89 cd 41 89 d4 89 fb 48 83 ec 18 e8 b7 b1 00 00 44 89 e2 41 89 c0 48 63 fb 4c 63 d5 4c 89 ee b8 33 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 1b 44 89 c7 89 44 24 0c e8 ed b1 00 00 8b 44
RSP: 002b:00007f1883b5fc10 EFLAGS: 00000293 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007f188612135f
RDX: 0000000000000002 RSI: 00007f1883b5fdb0 RDI: 000000000000000d
RBP: 0000000000004000 R08: 0000000000000000 R09: 0000000000000004
R10: 0000000000004000 R11: 0000000000000293 R12: 0000000000000002
R13: 00007f1883b5fdb0 R14: 0000000008ce68e8 R15: 00007f1883b67db8

Allocated by task 1285:
 __kasan_kmalloc+0x1d9/0xdf0
 tc_new_tfilter+0x1f2e/0x41f0
 rtnetlink_rcv_msg+0x777/0x12d0
 netlink_rcv_skb+0x39b/0x870
 netlink_unicast+0xb45/0xf90
 netlink_sendmsg+0x1477/0x1830
 ____sys_sendmsg+0x1206/0x1240
 __sys_sendmsg+0x48d/0x570
 do_syscall_64+0x32f/0x3e0
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 106:
 __kasan_slab_free+0x293/0xe30
 kfree+0x33e/0x1010
 process_one_work+0xea3/0x17b0
 worker_thread+0xecc/0x1a00
 kthread+0x33b/0x3a0
 ret_from_fork+0x35/0x40

The buggy address belongs to the object at ffff88806bfd4000
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 42 bytes to the right of
 128-byte region [ffff88806bfd4000, ffff88806bfd4080)
The buggy address belongs to the page:
page:ffffea0001aff500 refcount:1 mapcount:0 mapping:ffff88806bc03200 index:0x0
flags: 0x100000000000200(slab)
raw: 0100000000000200 ffffea0001a50b40 0000000400000004 ffff88806bc03200
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88806bfd3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88806bfd4000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
ffff88806bfd4080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                 ^
ffff88806bfd4100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88806bfd4180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
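As an added triage helper, not part of Kyle's message, the following Python parser pulls the faulting access, the slab object bounds and the allocation site out of a KASAN slab report and recomputes the out-of-bounds distance, so the "42 bytes to the right" claim can be checked against the raw addresses. The embedded sample is a constructed excerpt of the report above, trimmed to the lines the parser reads.

```python
import re
from dataclasses import dataclass

# Constructed sample: the header and object lines of the KASAN report in the
# message above, trimmed to the parts this triage helper reads.
SAMPLE_REPORT = """\
BUG: KASAN: slab-out-of-bounds in cbq_enqueue+0x9d8/0x1fc0
Read of size 1 at addr ffff88806bfd40aa by task sd-resolve/250
Allocated by task 1285:
 __kasan_kmalloc+0x1d9/0xdf0
 tc_new_tfilter+0x1f2e/0x41f0
The buggy address belongs to the object at ffff88806bfd4000
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 42 bytes to the right of
 128-byte region [ffff88806bfd4000, ffff88806bfd4080)
"""

@dataclass
class KasanAccess:
    bug_type: str    # e.g. slab-out-of-bounds
    where: str       # faulting symbol+offset/size
    op: str          # Read or Write
    size: int        # bytes accessed
    addr: int        # faulting address
    cache: str       # slab cache the object came from
    region_start: int
    region_end: int  # exclusive end of the slab object
    alloc_site: str  # first non-KASAN frame of the allocation stack

    def offset_from_object(self) -> int:
        """Signed distance from the object: <0 before it, >0 past its end, 0 inside."""
        if self.addr < self.region_start:
            return self.addr - self.region_start
        return self.addr - self.region_end if self.addr >= self.region_end else 0

def parse_kasan(text: str) -> KasanAccess:
    """Pull the triage-relevant facts out of a KASAN slab report."""
    bug = re.search(r"BUG: KASAN: (\S+) in (\S+)", text)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", text)
    cache = re.search(r"belongs to the cache (\S+) of size", text)
    reg = re.search(r"region \[([0-9a-f]+), ([0-9a-f]+)\)", text)
    if not (bug and acc and cache and reg):
        raise ValueError("not a KASAN slab report")
    # Allocation site: first frame after "Allocated by" that is not KASAN glue.
    frames = text.split("Allocated by task", 1)[1].splitlines()[1:]
    alloc = next(f.strip() for f in frames if "kasan" not in f)
    return KasanAccess(bug.group(1), bug.group(2), acc.group(1), int(acc.group(2)),
                       int(acc.group(3), 16), cache.group(1), int(reg.group(1), 16),
                       int(reg.group(2), 16), alloc.split("+")[0])
```

For the report above, `parse_kasan(SAMPLE_REPORT).offset_from_object()` returns 42, matching KASAN's own description, and the allocation site resolves to `tc_new_tfilter`.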