

@mingi mingi commented Dec 10, 2025

No description provided.

@koczkatamas

Hey!

If I compile the stable version of the patch commit (https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=93c276942e75de0e5bc91576300d292e968f5a02) with KASAN and run the exploit, it still crashes the kernel.

Can you help us understand why that is? Is this the right patch commit?

(This blocks the payout of the first half of the reward.)

Logs:

[    2.294229] drr_dequeue: hfsc qdisc 2: is non-work-conserving?
[    2.347588] ==================================================================
[    2.350135] BUG: KASAN: slab-use-after-free in drr_dequeue+0x53/0x470
[    2.352384] Read of size 8 at addr ffff88810476e260 by task exp/119
[    2.354556] 
[    2.355170] CPU: 0 PID: 119 Comm: exp Not tainted 6.6.92+ #189
[    2.357206] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[    2.360498] Call Trace:
[    2.361411]  <TASK>
[    2.362215]  dump_stack_lvl+0x49/0x60
[    2.363532]  print_report+0xc5/0x650
[    2.364830]  ? preempt_count_add+0x1c/0xc0
[    2.366280]  ? preempt_count_sub+0x14/0xc0
[    2.367750]  ? __virt_addr_valid+0x128/0x1a0
[    2.369286]  ? drr_dequeue+0x53/0x470
[    2.370612]  kasan_report+0xb9/0xf0
[    2.371899]  ? drr_dequeue+0x53/0x470
[    2.373213]  drr_dequeue+0x53/0x470
[    2.374531]  __qdisc_run+0xf3/0xa20
[    2.375846]  __dev_queue_xmit+0xdc0/0x16f0
[    2.377305]  ? __check_object_size+0x269/0x400
[    2.378962]  ? __pfx___dev_queue_xmit+0x10/0x10
[    2.380595]  ? ip_generic_getfrag+0xb0/0x170
[    2.382133]  ? __pfx_ip_generic_getfrag+0x10/0x10
[    2.383842]  ? chacha_block_generic+0xde/0x140
[    2.385417]  ? __pfx_chacha_block_generic+0x10/0x10
[    2.387146]  ? __rmqueue_pcplist+0x1e6/0x1170
[    2.388699]  ? __ip_append_data+0x1313/0x1d40
[    2.390264]  ip_finish_output2+0x55e/0xac0
[    2.391758]  ? __pfx_ip_skb_dst_mtu+0x10/0x10
[    2.393371]  ? __pfx_ip_finish_output2+0x10/0x10
[    2.395037]  ip_output+0xe0/0x1b0
[    2.396248]  ? __pfx_ip_output+0x10/0x10
[    2.397657]  ? __pfx_ip_finish_output+0x10/0x10
[    2.399356]  ? __pfx_ip_generic_getfrag+0x10/0x10
[    2.401103]  ? __pfx_ip_make_skb+0x10/0x10
[    2.402552]  ip_send_skb+0xbd/0xd0
[    2.403802]  udp_send_skb+0x2db/0x690
[    2.405141]  udp_sendmsg+0xc85/0x12c0
[    2.406464]  ? __pfx_ip_generic_getfrag+0x10/0x10
[    2.408139]  ? __pfx_udp_sendmsg+0x10/0x10
[    2.409592]  ? __orc_find+0x6c/0xd0
[    2.410861]  ? ftrace_graph_ret_addr+0x1f/0xa0
[    2.412461]  ? unwind_next_frame+0x73b/0xd70
[    2.414002]  ? __orc_find+0x6c/0xd0
[    2.415262]  ? __pfx_stack_trace_consume_entry+0x10/0x10
[    2.417153]  ? is_bpf_text_address+0x1e/0x30
[    2.418738]  ? kernel_text_address+0x11f/0x130
[    2.420352]  ? arch_stack_walk+0xa8/0x100
[    2.421771]  ? inet_send_prepare+0x2f/0x120
[    2.423258]  ? sock_write_iter+0x296/0x2e0
[    2.424738]  sock_write_iter+0x296/0x2e0
[    2.426138]  ? __pfx_sock_write_iter+0x10/0x10
[    2.427743]  ? apparmor_file_permission+0xfe/0x180
[    2.429435]  ? __pfx_sock_write_iter+0x10/0x10
[    2.431030]  vfs_write+0x5da/0x6a0
[    2.432268]  ? __pfx_vfs_write+0x10/0x10
[    2.433675]  ? __fget_light+0x1b0/0x200
[    2.435067]  ? __rcu_read_unlock+0x2f/0x70
[    2.436524]  ksys_write+0x131/0x160
[    2.437840]  ? __pfx_ksys_write+0x10/0x10
[    2.439315]  ? __pfx_ip4_datagram_release_cb+0x10/0x10
[    2.441116]  do_syscall_64+0x5e/0x90
[    2.442400]  ? release_sock+0xa0/0xd0
[    2.443727]  ? preempt_count_sub+0x14/0xc0
[    2.445194]  ? __local_bh_enable_ip+0x37/0x90
[    2.446772]  ? ip4_datagram_connect+0x31/0x40
[    2.448340]  ? __sys_connect+0x10c/0x130
[    2.449745]  ? __pfx___sys_connect+0x10/0x10
[    2.451300]  ? exit_to_user_mode_prepare+0x1a/0x150
[    2.453046]  ? syscall_exit_to_user_mode+0x27/0x40
[    2.454749]  ? do_syscall_64+0x6a/0x90
[    2.456136]  ? exit_to_user_mode_prepare+0x1a/0x150
[    2.457861]  ? syscall_exit_to_user_mode+0x27/0x40
[    2.459560]  ? do_syscall_64+0x6a/0x90
[    2.460910]  ? exit_to_user_mode_prepare+0x1a/0x150
[    2.462633]  ? syscall_exit_to_user_mode+0x27/0x40
[    2.464348]  ? do_syscall_64+0x6a/0x90
[    2.465701]  ? syscall_exit_to_user_mode+0x27/0x40
[    2.467402]  ? do_syscall_64+0x6a/0x90
[    2.468737]  ? do_syscall_64+0x6a/0x90
[    2.470077]  ? clear_bhb_loop+0x60/0xb0
[    2.471451]  ? clear_bhb_loop+0x60/0xb0
[    2.472831]  ? clear_bhb_loop+0x60/0xb0
[    2.474484]  ? clear_bhb_loop+0x60/0xb0
[    2.476370]  ? clear_bhb_loop+0x60/0xb0
[    2.477957]  entry_SYSCALL_64_after_hwframe+0x78/0xe2
[    2.479767] RIP: 0033:0x466d37
[    2.480889] Code: 48 89 fa 4c 89 df e8 98 1d 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
[    2.487236] RSP: 002b:00007fff9b4ab9f0 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
[    2.489842] RAX: ffffffffffffffda RBX: 000000003bf8b3c0 RCX: 0000000000466d37
[    2.492320] RDX: 0000000000000001 RSI: 00007fff9b4aba50 RDI: 0000000000000013
[    2.494792] RBP: 00007fff9b4bba80 R08: 0000000000000000 R09: 0000000000000000
[    2.497302] R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff9b4bbff8
[    2.499813] R13: 0000000000000002 R14: 00000000004cd760 R15: 0000000000000002
[    2.502291]  </TASK>
[    2.503132] 
[    2.503735] Allocated by task 119:
[    2.504973]  kasan_save_stack+0x2c/0x50
[    2.506352]  kasan_set_track+0x21/0x30
[    2.507719]  __kasan_kmalloc+0x8b/0x90
[    2.509066]  drr_change_class+0x24b/0x650
[    2.510484]  tc_ctl_tclass+0x28d/0x770
[    2.511841]  rtnetlink_rcv_msg+0x206/0x580
[    2.513285]  netlink_rcv_skb+0xdd/0x210
[    2.514658]  netlink_unicast+0x392/0x4e0
[    2.516063]  netlink_sendmsg+0x3ce/0x6f0
[    2.517464]  ____sys_sendmsg+0x594/0x5d0
[    2.518931]  ___sys_sendmsg+0xfd/0x170
[    2.520285]  __sys_sendmsg+0x163/0x1b0
[    2.521625]  do_syscall_64+0x5e/0x90
[    2.522936]  entry_SYSCALL_64_after_hwframe+0x78/0xe2
[    2.524708] 
[    2.525309] Freed by task 119:
[    2.526425]  kasan_save_stack+0x2c/0x50
[    2.527838]  kasan_set_track+0x21/0x30
[    2.529171]  kasan_save_free_info+0x27/0x50
[    2.530718]  ____kasan_slab_free+0x11f/0x1a0
[    2.532271]  __kmem_cache_free+0x164/0x300
[    2.533739]  drr_delete_class+0x1cb/0x2d0
[    2.535174]  tc_ctl_tclass+0x61c/0x770
[    2.536530]  rtnetlink_rcv_msg+0x206/0x580
[    2.537978]  netlink_rcv_skb+0xdd/0x210
[    2.539342]  netlink_unicast+0x392/0x4e0
[    2.540727]  netlink_sendmsg+0x3ce/0x6f0
[    2.542124]  ____sys_sendmsg+0x594/0x5d0
[    2.543540]  ___sys_sendmsg+0xfd/0x170
[    2.544918]  __sys_sendmsg+0x163/0x1b0
[    2.546257]  do_syscall_64+0x5e/0x90
[    2.547547]  entry_SYSCALL_64_after_hwframe+0x78/0xe2
[    2.549338] 
[    2.549949] The buggy address belongs to the object at ffff88810476e200
[    2.549949]  which belongs to the cache kmalloc-128 of size 128
[    2.554204] The buggy address is located 96 bytes inside of
[    2.554204]  freed 128-byte region [ffff88810476e200, ffff88810476e280)
[    2.558361] 
[    2.559064] The buggy address belongs to the physical page:
[    2.561032] page:00000000383a559e refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10476e
[    2.564278] flags: 0x100000000000800(slab|node=0|zone=2)
[    2.566121] page_type: 0xffffffff()
[    2.567400] raw: 0100000000000800 ffff8881000418c0 dead000000000122 0000000000000000
[    2.570086] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[    2.572768] page dumped because: kasan: bad access detected
[    2.574726] 
[    2.575339] Memory state around the buggy address:
[    2.577028]  ffff88810476e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[    2.579537]  ffff88810476e180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[    2.582063] >ffff88810476e200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[    2.584570]                                                        ^
[    2.586773]  ffff88810476e280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[    2.589286]  ffff88810476e300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[    2.591844] ==================================================================
[    2.594407] Kernel panic - not syncing: kasan.fault=panic set ...
[    2.596553] CPU: 0 PID: 119 Comm: exp Not tainted 6.6.92+ #189
[    2.598631] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[    2.601919] Call Trace:
[    2.602821]  <TASK>
[    2.603639]  dump_stack_lvl+0x49/0x60
[    2.604953]  panic+0x216/0x410
[    2.606072]  ? __pfx_panic+0x10/0x10
[    2.607379]  ? drr_dequeue+0x53/0x470
[    2.608685]  ? check_panic_on_warn+0x2b/0x80
[    2.610209]  ? drr_dequeue+0x53/0x470
[    2.611536]  end_report+0xe3/0xf0
[    2.612858]  kasan_report+0xc9/0xf0
[    2.614144]  ? drr_dequeue+0x53/0x470
[    2.615478]  drr_dequeue+0x53/0x470
[    2.616742]  __qdisc_run+0xf3/0xa20
[    2.618038]  __dev_queue_xmit+0xdc0/0x16f0
[    2.619509]  ? __check_object_size+0x269/0x400
[    2.621094]  ? __pfx___dev_queue_xmit+0x10/0x10
[    2.622730]  ? ip_generic_getfrag+0xb0/0x170
[    2.624278]  ? __pfx_ip_generic_getfrag+0x10/0x10
[    2.625943]  ? chacha_block_generic+0xde/0x140
[    2.627549]  ? __pfx_chacha_block_generic+0x10/0x10
[    2.629270]  ? __rmqueue_pcplist+0x1e6/0x1170
[    2.630843]  ? __ip_append_data+0x1313/0x1d40
[    2.632428]  ip_finish_output2+0x55e/0xac0
[    2.633900]  ? __pfx_ip_skb_dst_mtu+0x10/0x10
[    2.635474]  ? __pfx_ip_finish_output2+0x10/0x10
[    2.637111]  ip_output+0xe0/0x1b0
[    2.638317]  ? __pfx_ip_output+0x10/0x10
[    2.639739]  ? __pfx_ip_finish_output+0x10/0x10
[    2.641338]  ? __pfx_ip_generic_getfrag+0x10/0x10
[    2.643019]  ? __pfx_ip_make_skb+0x10/0x10
[    2.644461]  ip_send_skb+0xbd/0xd0
[    2.645683]  udp_send_skb+0x2db/0x690
[    2.647024]  udp_sendmsg+0xc85/0x12c0
[    2.648334]  ? __pfx_ip_generic_getfrag+0x10/0x10
[    2.649999]  ? __pfx_udp_sendmsg+0x10/0x10
[    2.651448]  ? __orc_find+0x6c/0xd0
[    2.652709]  ? ftrace_graph_ret_addr+0x1f/0xa0
[    2.654282]  ? unwind_next_frame+0x73b/0xd70
[    2.655866]  ? __orc_find+0x6c/0xd0
[    2.657141]  ? __pfx_stack_trace_consume_entry+0x10/0x10
[    2.659024]  ? is_bpf_text_address+0x1e/0x30
[    2.660546]  ? kernel_text_address+0x11f/0x130
[    2.662127]  ? arch_stack_walk+0xa8/0x100
[    2.663551]  ? inet_send_prepare+0x2f/0x120
[    2.665039]  ? sock_write_iter+0x296/0x2e0
[    2.666532]  sock_write_iter+0x296/0x2e0
[    2.667958]  ? __pfx_sock_write_iter+0x10/0x10
[    2.669527]  ? apparmor_file_permission+0xfe/0x180
[    2.671236]  ? __pfx_sock_write_iter+0x10/0x10
[    2.672815]  vfs_write+0x5da/0x6a0
[    2.674047]  ? __pfx_vfs_write+0x10/0x10
[    2.675445]  ? __fget_light+0x1b0/0x200
[    2.676825]  ? __rcu_read_unlock+0x2f/0x70
[    2.678273]  ksys_write+0x131/0x160
[    2.679547]  ? __pfx_ksys_write+0x10/0x10
[    2.680987]  ? __pfx_ip4_datagram_release_cb+0x10/0x10
[    2.682801]  do_syscall_64+0x5e/0x90
[    2.684095]  ? release_sock+0xa0/0xd0
[    2.685407]  ? preempt_count_sub+0x14/0xc0
[    2.686863]  ? __local_bh_enable_ip+0x37/0x90
[    2.688415]  ? ip4_datagram_connect+0x31/0x40
[    2.689965]  ? __sys_connect+0x10c/0x130
[    2.691356]  ? __pfx___sys_connect+0x10/0x10
[    2.692885]  ? exit_to_user_mode_prepare+0x1a/0x150
[    2.694591]  ? syscall_exit_to_user_mode+0x27/0x40
[    2.696284]  ? do_syscall_64+0x6a/0x90
[    2.697626]  ? exit_to_user_mode_prepare+0x1a/0x150
[    2.699327]  ? syscall_exit_to_user_mode+0x27/0x40
[    2.701018]  ? do_syscall_64+0x6a/0x90
[    2.702352]  ? exit_to_user_mode_prepare+0x1a/0x150
[    2.704067]  ? syscall_exit_to_user_mode+0x27/0x40
[    2.705768]  ? do_syscall_64+0x6a/0x90
[    2.707117]  ? syscall_exit_to_user_mode+0x27/0x40
[    2.708810]  ? do_syscall_64+0x6a/0x90
[    2.710165]  ? do_syscall_64+0x6a/0x90
[    2.711520]  ? clear_bhb_loop+0x60/0xb0
[    2.712915]  ? clear_bhb_loop+0x60/0xb0
[    2.714284]  ? clear_bhb_loop+0x60/0xb0
[    2.715653]  ? clear_bhb_loop+0x60/0xb0
[    2.717012]  ? clear_bhb_loop+0x60/0xb0
[    2.718418]  entry_SYSCALL_64_after_hwframe+0x78/0xe2
[    2.720245] RIP: 0033:0x466d37
[    2.721359] Code: 48 89 fa 4c 89 df e8 98 1d 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
[    2.727663] RSP: 002b:00007fff9b4ab9f0 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
[    2.730266] RAX: ffffffffffffffda RBX: 000000003bf8b3c0 RCX: 0000000000466d37
[    2.732762] RDX: 0000000000000001 RSI: 00007fff9b4aba50 RDI: 0000000000000013
[    2.735217] RBP: 00007fff9b4bba80 R08: 0000000000000000 R09: 0000000000000000
[    2.737684] R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff9b4bbff8
[    2.740166] R13: 0000000000000002 R14: 00000000004cd760 R15: 0000000000000002
[    2.742645]  </TASK>
[    2.744179] Kernel Offset: disabled

