2024-01-22 01:59:38

by Ubisectech Sirius

Subject: WARNING in depot_fetch_stack

Hello.
We are Ubisectech Sirius Team, the vulnerability lab of China ValiantSec. Recently, our team has discovered an issue in Linux kernel 6.7.0-g052d534373b7. Attached to the email was a POC file for the issue.
Stack dump:
[ 154.711833][ T8003] ------------[ cut here ]------------
[ 154.711851][ T8003] pool index 81727 out of bounds (941) for stack id 3f3f3f3f
[ 154.712204][ T8003] WARNING: CPU: 1 PID: 8003 at lib/stackdepot.c:410 depot_fetch_stack (lib/stackdepot.c:410 (discriminator 1))
[ 154.712267][ T8003] Modules linked in:
[ 154.712284][ T8003] CPU: 1 PID: 8003 Comm: poc Not tainted 6.7.0-g9d1694dc91ce #20
[ 154.712302][ T8003] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 154.712315][ T8003] RIP: 0010:depot_fetch_stack (lib/stackdepot.c:410 (discriminator 1))
[ 154.712491][ T8003] Call Trace:
[ 154.712496][ T8003] <TASK>
[ 154.712766][ T8003] stack_depot_put (lib/stackdepot.c:632 lib/stackdepot.c:620)
[ 154.712788][ T8003] kasan_release_object_meta (mm/kasan/generic.c:511 mm/kasan/generic.c:543)
[ 154.712807][ T8003] qlist_free_all (./arch/x86/include/asm/jump_label.h:27 mm/kasan/../slab.h:646 mm/kasan/quarantine.c:156 mm/kasan/quarantine.c:176)
[ 154.712823][ T8003] kasan_quarantine_reduce (./include/linux/srcu.h:285 mm/kasan/quarantine.c:284)
[ 154.712843][ T8003] __kasan_slab_alloc (mm/kasan/common.c:326)
[ 154.712867][ T8003] kmalloc_trace (mm/slub.c:3814 mm/slub.c:3860 mm/slub.c:4007)
[ 154.712888][ T8003] bdev_open_by_dev (block/bdev.c:822)
[ 154.712908][ T8003] blkdev_open (block/fops.c:617 (discriminator 4))
[ 154.712926][ T8003] do_dentry_open (fs/open.c:954)
[ 154.712969][ T8003] path_openat (fs/namei.c:3642 fs/namei.c:3798)
[ 154.713068][ T8003] do_filp_open (fs/namei.c:3826)
[ 154.713216][ T8003] do_sys_openat2 (fs/open.c:1405)
[ 154.713306][ T8003] __x64_sys_openat (fs/open.c:1430)
[ 154.713351][ T8003] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
[ 154.713375][ T8003] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)
[ 154.713396][ T8003] RIP: 0033:0x7f8bc3aa9127
[ 154.713485][ T8003] </TASK>
Thank you for taking the time to read this email, and we look forward to working with you further.
Ubisectech Sirius Team
Web: http://www.ubisectech.com
Email: [email protected]


Attachments:
poc.c (23.80 kB)
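For triaging reports of this shape, here is an added Python example (not part of the report or its attachment) that parses a dmesg block like the one above into the WARNING location, the stack depot bounds message and the frames inside <TASK>; the repeated-byte handle check is a triage heuristic assumed by this example, not something the kernel asserts.

```python
import re

# Constructed sample in the shape of the report's stack dump (abridged).
SAMPLE_DMESG = """\
[  154.711833][ T8003] ------------[ cut here ]------------
[  154.711851][ T8003] pool index 81727 out of bounds (941) for stack id 3f3f3f3f
[  154.712204][ T8003] WARNING: CPU: 1 PID: 8003 at lib/stackdepot.c:410 depot_fetch_stack (lib/stackdepot.c:410 (discriminator 1))
[  154.712491][ T8003] Call Trace:
[  154.712496][ T8003] <TASK>
[  154.712766][ T8003] stack_depot_put (lib/stackdepot.c:632 lib/stackdepot.c:620)
[  154.712788][ T8003] kasan_release_object_meta (mm/kasan/generic.c:511 mm/kasan/generic.c:543)
[  154.712888][ T8003] bdev_open_by_dev (block/bdev.c:822)
[  154.713485][ T8003] </TASK>
"""

# dmesg prefix "[ <secs>][ T<tid>] " as printed in the report above.
PREFIX = r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s*"
POOL_RE = re.compile(PREFIX + r"pool index (\d+) out of bounds \((\d+)\) for stack id ([0-9a-f]+)")
WARN_RE = re.compile(PREFIX + r"WARNING: CPU: (\d+) PID: (\d+) at (\S+) (\S+)")
FRAME_RE = re.compile(PREFIX + r"([A-Za-z_]\w*) \(.*\)$")   # "func (file:line ...)"

def parse_stackdepot_warning(text):
    """Parse one 'cut here' block; return a dict, or None if no depot warning."""
    pool = warn = None
    frames, in_task = [], False
    for line in text.splitlines():
        if m := POOL_RE.match(line):
            pool = m
        elif m := WARN_RE.match(line):
            warn = m
        elif line.endswith("<TASK>"):
            in_task = True
        elif line.endswith("</TASK>"):
            break
        elif in_task and (m := FRAME_RE.match(line)):
            frames.append(m.group(1))       # keep only frames inside <TASK>...</TASK>
    if not (pool and warn):
        return None
    return {
        "cpu": int(warn.group(1)), "pid": int(warn.group(2)),
        "location": warn.group(3), "function": warn.group(4),
        "pool_index": int(pool.group(1)), "pool_count": int(pool.group(2)),
        "stack_id": pool.group(3), "frames": frames,
    }

def repeated_byte_handle(stack_id):
    """Heuristic (assumption of this example): a handle made of one repeated byte,
    like 3f3f3f3f, looks like a fill pattern rather than a depot handle; flag it."""
    h = stack_id.rjust(8, "0")
    return len(h) == 8 and len({h[i:i + 2] for i in range(0, 8, 2)}) == 1
```

Running parse_stackdepot_warning over SAMPLE_DMESG gives pool_index 81727 against a pool count of 941, which is exactly the bound the WARNING at lib/stackdepot.c:410 reports.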