Re: general protection fault in refill_obj_stock

From: Ubisectech Sirius
Date: Mon Apr 01 2024 - 21:56:50 EST


> On Mon, Apr 01, 2024 at 03:04:46PM +0800, Ubisectech Sirius wrote:
> Hello.
> We are Ubisectech Sirius Team, the vulnerability lab of China ValiantSec. Recently, our team has discovered an issue in Linux kernel 6.7. Attached to the email was a PoC file of the issue.

> Thank you for the report!

> I tried to compile and run your test program for about half an hour
> on a virtual machine running 6.7 with enabled KASAN, but wasn't able
> to reproduce the problem.

> Can you, please, share a bit more information? How long does it take
> to reproduce? Do you mind sharing your kernel config? Is there anything special
> about your setup? What are exact steps to reproduce the problem?
> Is this problem reproducible on 6.6?

Hi.
The .config of Linux kernel 6.7 has been sent to you as an attachment. And the problem is reproducible on 6.6.

> It's interesting that the problem looks like use-after-free for the objcg pointer
> but happens in the context of udev-systemd, which I believe should be fairly stable
> and its cgroup is not going anywhere.

> Thanks!

Attachment: .config
Description: Binary data