INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.7' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 38.156602] ==================================================================
[ 38.164051] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x275e/0x3210
[ 38.170610] Read of size 2081 at addr ffff8801c65a4558 by task syzkaller072907/4473
[ 38.178378]
[ 38.179987] CPU: 0 PID: 4473 Comm: syzkaller072907 Not tainted 4.16.0+ #1
[ 38.186889] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.196227] Call Trace:
[ 38.198797]  dump_stack+0x1b9/0x29f
[ 38.202402]  ? arch_local_irq_restore+0x52/0x52
[ 38.207053]  ? printk+0x9e/0xba
[ 38.210319]  ? show_regs_print_info+0x18/0x18
[ 38.214965]  ? kasan_check_write+0x14/0x20
[ 38.219210]  print_address_description+0x6c/0x20b
[ 38.224044]  ? pfkey_add+0x275e/0x3210
[ 38.227910]  kasan_report.cold.7+0xac/0x2f5
[ 38.232211]  check_memory_region+0x13e/0x1b0
[ 38.236609]  memcpy+0x23/0x50
[ 38.239705]  pfkey_add+0x275e/0x3210
[ 38.243621]  ? pfkey_acquire+0x270/0x270
[ 38.247672]  ? iov_iter_advance+0x2e4/0x14c0
[ 38.252064]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 38.257234]  ? pfkey_acquire+0x270/0x270
[ 38.261277]  pfkey_process+0x7cc/0x8a0
[ 38.265145]  ? pfkey_send_new_mapping+0x1260/0x1260
[ 38.270285]  pfkey_sendmsg+0x5f4/0x1050
[ 38.274237]  ? _copy_from_user+0xdf/0x150
[ 38.278393]  ? pfkey_spdget+0xb10/0xb10
[ 38.283236]  ? security_socket_sendmsg+0x9b/0xd0
[ 38.287987]  ? pfkey_spdget+0xb10/0xb10
[ 38.291951]  sock_sendmsg+0xd5/0x120
[ 38.295645]  ___sys_sendmsg+0x805/0x940
[ 38.299597]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 38.305117]  ? copy_msghdr_from_user+0x560/0x560
[ 38.310005]  ? vm_insert_mixed_mkwrite+0x40/0x40
[ 38.314739]  ? graph_lock+0x170/0x170
[ 38.318519]  ? graph_lock+0x170/0x170
[ 38.322302]  ? find_held_lock+0x36/0x1c0
[ 38.326343]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 38.331861]  ? __fget_light+0x2ef/0x430
[ 38.335823]  ? fget_raw+0x20/0x20
[ 38.339259]  ? find_held_lock+0x36/0x1c0
[ 38.343307]  ? lock_downgrade+0x8e0/0x8e0
[ 38.347444]  ? handle_mm_fault+0x8c0/0xc70
[ 38.351664]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 38.357181]  ? sockfd_lookup_light+0xc5/0x160
[ 38.361662]  __sys_sendmsg+0x115/0x270
[ 38.365532]  ? SyS_shutdown+0x30/0x30
[ 38.369326]  ? __do_page_fault+0x441/0xe40
[ 38.373538]  ? fd_install+0x4d/0x60
[ 38.377152]  SyS_sendmsg+0x29/0x30
[ 38.380676]  ? __sys_sendmsg+0x270/0x270
[ 38.384716]  do_syscall_64+0x29e/0x9d0
[ 38.388580]  ? vmalloc_sync_all+0x30/0x30
[ 38.392725]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 38.397471]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 38.402391]  ? syscall_return_slowpath+0x30f/0x5c0
[ 38.407302]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 38.412948]  ? retint_user+0x18/0x18
[ 38.416643]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 38.421478]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 38.426646] RIP: 0033:0x43fdd9
[ 38.429968] RSP: 002b:00007ffc4a5ac668 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
[ 38.437878] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdd9
[ 38.445137] RDX: 0000000000000000 RSI: 0000000020f56000 RDI: 0000000000000003
[ 38.452562] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 38.459811] R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401700
[ 38.467061] R13: 0000000000401790 R14: 0000000000000000 R15: 0000000000000000
[ 38.474319]
[ 38.475926] Allocated by task 4473:
[ 38.479533]  save_stack+0x43/0xd0
[ 38.482964]  kasan_kmalloc+0xc4/0xe0
[ 38.486655]  __kmalloc_node_track_caller+0x47/0x70
[ 38.491567]  __kmalloc_reserve.isra.38+0x3a/0xe0
[ 38.496302]  __alloc_skb+0x14d/0x780
[ 38.499994]  pfkey_sendmsg+0x250/0x1050
[ 38.503946]  sock_sendmsg+0xd5/0x120
[ 38.507645]  ___sys_sendmsg+0x805/0x940
[ 38.511596]  __sys_sendmsg+0x115/0x270
[ 38.515461]  SyS_sendmsg+0x29/0x30
[ 38.518980]  do_syscall_64+0x29e/0x9d0
[ 38.522857]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 38.528118]
[ 38.529724] Freed by task 2857:
[ 38.532988]  save_stack+0x43/0xd0
[ 38.536424]  __kasan_slab_free+0x11a/0x170
[ 38.540640]  kasan_slab_free+0xe/0x10
[ 38.544418]  kfree+0xd9/0x260
[ 38.547505]  load_elf_binary+0x253b/0x55e0
[ 38.551844]  search_binary_handler+0x17d/0x570
[ 38.556415]  do_execveat_common.isra.34+0x1574/0x23f0
[ 38.561852]  SyS_execve+0x39/0x50
[ 38.565290]  do_syscall_64+0x29e/0x9d0
[ 38.569163]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 38.574353]
[ 38.575973] The buggy address belongs to the object at ffff8801c65a4540
[ 38.575973]  which belongs to the cache kmalloc-512 of size 512
[ 38.588615] The buggy address is located 24 bytes inside of
[ 38.588615]  512-byte region [ffff8801c65a4540, ffff8801c65a4740)
[ 38.600391] The buggy address belongs to the page:
[ 38.605304] page:ffffea0007196900 count:1 mapcount:0 mapping:ffff8801c65a4040 index:0x0
[ 38.613434] flags: 0x2fffc0000000100(slab)
[ 38.617653] raw: 02fffc0000000100 ffff8801c65a4040 0000000000000000 0000000100000006
[ 38.625512] raw: ffffea0006c14760 ffffea0006c01920 ffff8801dac00940 0000000000000000
[ 38.633365] page dumped because: kasan: bad access detected
[ 38.639052]
[ 38.640660] Memory state around the buggy address:
[ 38.645568]  ffff8801c65a4600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 38.652907]  ffff8801c65a4680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 38.660247] >ffff8801c65a4700: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 38.667581]                                            ^
[ 38.673007]  ffff8801c65a4780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 38.680343]  ffff8801c65a4800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.687676] ==================================================================
[ 38.695007] Disabling lock debugging due to kernel taint
[ 38.700503] Kernel panic - not syncing: panic_on_warn set ...
[ 38.700503]
[ 38.707850] CPU: 0 PID: 4473 Comm: syzkaller072907 Tainted: G    B            4.16.0+ #1
[ 38.716064] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.725396] Call Trace:
[ 38.727964]  dump_stack+0x1b9/0x29f
[ 38.731581]  ? arch_local_irq_restore+0x52/0x52
[ 38.736227]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 38.740964]  ? pfkey_add+0x2730/0x3210
[ 38.744824]  panic+0x22f/0x4de
[ 38.747998]  ? add_taint.cold.5+0x16/0x16
[ 38.752126]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 38.756510]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 38.760892]  ? pfkey_add+0x275e/0x3210
[ 38.764756]  kasan_end_report+0x47/0x4f
[ 38.768716]  kasan_report.cold.7+0xc9/0x2f5
[ 38.773014]  check_memory_region+0x13e/0x1b0
[ 38.777395]  memcpy+0x23/0x50
[ 38.780475]  pfkey_add+0x275e/0x3210
[ 38.784185]  ? pfkey_acquire+0x270/0x270
[ 38.788222]  ? iov_iter_advance+0x2e4/0x14c0
[ 38.792610]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 38.797776]  ? pfkey_acquire+0x270/0x270
[ 38.801813]  pfkey_process+0x7cc/0x8a0
[ 38.805684]  ? pfkey_send_new_mapping+0x1260/0x1260
[ 38.810682]  pfkey_sendmsg+0x5f4/0x1050
[ 38.814636]  ? _copy_from_user+0xdf/0x150
[ 38.818765]  ? pfkey_spdget+0xb10/0xb10
[ 38.822807]  ? security_socket_sendmsg+0x9b/0xd0
[ 38.827539]  ? pfkey_spdget+0xb10/0xb10
[ 38.831520]  sock_sendmsg+0xd5/0x120
[ 38.835212]  ___sys_sendmsg+0x805/0x940
[ 38.839178]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 38.844693]  ? copy_msghdr_from_user+0x560/0x560
[ 38.849430]  ? vm_insert_mixed_mkwrite+0x40/0x40
[ 38.854168]  ? graph_lock+0x170/0x170
[ 38.857946]  ? graph_lock+0x170/0x170
[ 38.861726]  ? find_held_lock+0x36/0x1c0
[ 38.865765]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 38.871278]  ? __fget_light+0x2ef/0x430
[ 38.875228]  ? fget_raw+0x20/0x20
[ 38.878665]  ? find_held_lock+0x36/0x1c0
[ 38.882710]  ? lock_downgrade+0x8e0/0x8e0
[ 38.886843]  ? handle_mm_fault+0x8c0/0xc70
[ 38.891056]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 38.896569]  ? sockfd_lookup_light+0xc5/0x160
[ 38.901051]  __sys_sendmsg+0x115/0x270
[ 38.904917]  ? SyS_shutdown+0x30/0x30
[ 38.908698]  ? __do_page_fault+0x441/0xe40
[ 38.912910]  ? fd_install+0x4d/0x60
[ 38.916516]  SyS_sendmsg+0x29/0x30
[ 38.920304]  ? __sys_sendmsg+0x270/0x270
[ 38.924365]  do_syscall_64+0x29e/0x9d0
[ 38.928238]  ? vmalloc_sync_all+0x30/0x30
[ 38.932370]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 38.937103]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 38.942010]  ? syscall_return_slowpath+0x30f/0x5c0
[ 38.946942]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 38.952457]  ? retint_user+0x18/0x18
[ 38.957897]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 38.962720]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 38.967887] RIP: 0033:0x43fdd9
[ 38.971056] RSP: 002b:00007ffc4a5ac668 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
[ 38.978849] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdd9
[ 38.986098] RDX: 0000000000000000 RSI: 0000000020f56000 RDI: 0000000000000003
[ 38.993357] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 39.000606] R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401700
[ 39.009164] R13: 0000000000401790 R14: 0000000000000000 R15: 0000000000000000
[ 39.016826] Dumping ftrace buffer:
[ 39.020350]    (ftrace buffer empty)
[ 39.024035] Kernel Offset: disabled
[ 39.027640] Rebooting in 86400 seconds..