"Use-after-free" kernel error on core181

Hello, I have just noticed the below “use-after-free” error in my daily report.

Not sure how to translate it given I see every now and then, in my IPS logs, the SERVER-OTHER RealTek UDPServer command injection attempt events, hence I wonder whether the below free-after-use was one more attempt to get into the system; something proximate to something like CVE-2022-36946.

Is there anything I should do / check?

IPFire version	IPFire 2.27 (x86_64) - core181
Pakfire version	2.27-x86_64
Kernel version	Linux 6.1.61-ipfire #1 SMP PREEMPT_DYNAMIC Tue Nov 21 17:34:19 GMT 2023 x86_64 Intel(R) Celeron(R) CPU J3455 @ 1.50GHz GenuineIntel GNU/Linux
WARNING:  Kernel Errors Present
    BUG: KFENCE: use-after-free read in ipt_do_t ...:  1 Time(s)

 2 Time(s):  ____sys_sendmsg+0x273/0x2f0
 2 Time(s):  ___sys_sendmsg+0x96/0xe0
 1 Time(s):  __alloc_skb+0x8f/0x1a0
 1 Time(s):  __do_softirq+0xf4/0x315
 1 Time(s):  __local_bh_enable_ip+0x91/0xa0
 1 Time(s):  __napi_poll+0x2b/0x170
 1 Time(s):  __pskb_pull_tail+0x4d/0x440
 2 Time(s):  __sys_sendmsg+0x72/0xd0
 1 Time(s):  do_softirq.part.0+0xab/0xe0
 2 Time(s):  do_syscall_64+0x60/0x90
 2 Time(s):  entry_SYSCALL_64_after_hwframe+0x64/0xce
 2 Time(s):  ip_output+0x145/0x1d0
 1 Time(s):  ipt_do_table+0x1a1/0x7d0
 1 Time(s):  ipt_do_table+0x2ba/0x7d0
 1 Time(s):  irq_thread+0xfe/0x1d0
 1 Time(s):  irq_thread_fn+0x23/0x60
 1 Time(s):  iwl_mvm_rx_mpdu_mq+0x17e/0x15f0 [iwlmvm]
 1 Time(s):  iwl_pcie_irq_rx_msix_handler+0x98/0xf0 [iwlwifi]
 1 Time(s):  iwl_pcie_napi_poll_msix+0x2d/0xa0 [iwlwifi]
 1 Time(s):  iwl_pcie_rx_handle+0x1da/0x8b0 [iwlwifi]
 1 Time(s):  kmalloc_reserve+0x4b/0xa0
 1 Time(s):  kthread+0xed/0x120
 1 Time(s):  match+0x18d/0x676 [xt_layer7]
 1 Time(s):  net_rx_action+0x2b6/0x370
 2 Time(s):  netlink_rcv_skb+0x55/0x100
 2 Time(s):  netlink_sendmsg+0x23e/0x4b0
 2 Time(s):  netlink_unicast+0x256/0x3a0
 2 Time(s):  nf_hook_slow+0x45/0xd0
 2 Time(s):  nf_reinject+0x12a/0x1d0
 2 Time(s):  nfnetlink_rcv_msg+0x199/0x300
 2 Time(s):  nfqnl_recv_verdict+0x310/0x54d [nfnetlink_queue]
 2 Time(s):  nfqnl_reinject+0x4e/0x60 [nfnetlink_queue]
 1 Time(s):  pskb_expand_head+0x1d5/0x340
 1 Time(s):  ret_from_fork+0x22/0x30
 2 Time(s): ==================================================================
 1 Time(s): CPU: 3 PID: 22110 Comm: W-NFQ#2 Tainted: G    B   W          6.1.61-ipfire #1
 1 Time(s): Hardware name: Default string Default string/ZimaBoard 832, BIOS 5.12 07/26/2022
 1 Time(s): Use-after-free read at 0x00000000aa60d465 (in kfence-#142):
 1 Time(s): allocated by task 864 on cpu 2 at 690078.712529s:
 1 Time(s): freed by task 22110 on cpu 3 at 690078.713423s:
 1 Time(s): kfence-#142: 0x00000000c8e9c45e-0x00000000e0351a55, size=512, cache=kmalloc-512

Based on similar “use after free” kernel messages mentioned in the forum, this is likely to be a bug in either the kernel directly or in a driver for one of your system components.

Basically something is trying to access memory locations after they were de-allocated.

Hopefully this will get fixed in one of the next kernel updates.

The current release CU181 has kernel 6.1.61 which was updated from 6.1.45 in CU 180.

CU 182 which is in Testing phase has kernel 6.1.62.

CU 183 which is still in build phase will currently have kernel 6.6.8.

The message you are seeing is the kernel detecting that there is a problem and stopping anything using it. The KFENCE name stands for Kernel Electric Fence and you can get more details here:
https://docs.kernel.org/dev-tools/kfence.html

This message has been previously flagged in the forum as related to a bug in a driver for a NIC that was then fixed by a later kernel update.

https://community.ipfire.org/t/bug-kfence-use-after-free-read-in-ipt-do-t/6888

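A triage sketch for the report discussed above, added here as an example and not part of the original posts: it strips logwatch's "N Time(s):" prefix and pulls out the facts a kernel or driver bug report needs (bug type, process name, slab cache, alloc/free tasks and the time between them, and which loadable modules appear in the stack frames). The function name `summarize` is hypothetical, and the sample is a handful of lines copied from the report in this thread, including logwatch's truncated function name.

```python
import re

# Constructed sample: a few lines copied from the logwatch report in this thread.
SAMPLE = """\
    BUG: KFENCE: use-after-free read in ipt_do_t ...:  1 Time(s)
 1 Time(s):  ipt_do_table+0x1a1/0x7d0
 1 Time(s):  iwl_pcie_rx_handle+0x1da/0x8b0 [iwlwifi]
 1 Time(s):  match+0x18d/0x676 [xt_layer7]
 2 Time(s):  nfqnl_reinject+0x4e/0x60 [nfnetlink_queue]
 1 Time(s): CPU: 3 PID: 22110 Comm: W-NFQ#2 Tainted: G    B   W          6.1.61-ipfire #1
 1 Time(s): allocated by task 864 on cpu 2 at 690078.712529s:
 1 Time(s): freed by task 22110 on cpu 3 at 690078.713423s:
 1 Time(s): kfence-#142: 0x00000000c8e9c45e-0x00000000e0351a55, size=512, cache=kmalloc-512
"""

FRAME = re.compile(r"(\w[\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?")
EVENT = re.compile(r"(allocated|freed) by task (\d+) on cpu (\d+) at ([\d.]+)s")

def summarize(report: str) -> dict:
    """Pull the facts a bug report needs out of a logwatch-style KFENCE excerpt."""
    out = {"bug": None, "comm": None, "cache": None, "modules": {}, "events": {}}
    for line in report.splitlines():
        # Drop logwatch's "N Time(s):" prefix, keep the kernel text.
        text = re.sub(r"^\s*\d+ Time\(s\):\s*", "", line).strip()
        if m := re.search(r"BUG: KFENCE: ([\w-]+ \w+) in (\S+)", text):
            out["bug"] = m.groups()          # (error type, reporting function)
        elif m := EVENT.search(text):
            out["events"][m[1]] = {"task": int(m[2]), "cpu": int(m[3]), "t": float(m[4])}
        elif m := re.search(r"Comm: (\S+)", text):
            out["comm"] = m[1]               # process name that hit the access
        elif m := re.search(r"size=(\d+), cache=(\S+)", text):
            out["cache"] = (m[2], int(m[1]))
        elif (m := FRAME.fullmatch(text)) and m[2]:
            out["modules"].setdefault(m[2], []).append(m[1])  # module -> frames
    ev = out["events"]
    if {"allocated", "freed"} <= ev.keys():
        out["lifetime_us"] = round((ev["freed"]["t"] - ev["allocated"]["t"]) * 1e6)
    return out

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Because logwatch sorts and de-duplicates the frames, the module list shows which drivers were on the call paths but not the order of the calls; the unsummarized trace in the kernel log is the one to attach to a bug report.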