[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   17.600760] random: sshd: uninitialized urandom read (32 bytes read)
[   18.198155] random: sshd: uninitialized urandom read (32 bytes read)
[   18.455232] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.178136] random: sshd: uninitialized urandom read (32 bytes read)
[   42.413117] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.24' (ECDSA) to the list of known hosts.
[   47.799199] random: sshd: uninitialized urandom read (32 bytes read)
2018/05/21 18:49:47 parsed 1 programs
2018/05/21 18:49:47 executed programs: 0
[   48.289241] IPVS: ftp: loaded support on port[0] = 21
[   48.414076] bridge0: port 1(bridge_slave_0) entered blocking state
[   48.420542] bridge0: port 1(bridge_slave_0) entered disabled state
[   48.427892] device bridge_slave_0 entered promiscuous mode
[   48.444820] bridge0: port 2(bridge_slave_1) entered blocking state
[   48.451235] bridge0: port 2(bridge_slave_1) entered disabled state
[   48.458369] device bridge_slave_1 entered promiscuous mode
[   48.473907] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   48.490157] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   48.530929] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   48.549521] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   48.610605] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   48.617842] team0: Port device team_slave_0 added
[   48.633391] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   48.641282] team0: Port device team_slave_1 added
[   48.656204] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   48.672959] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   48.689249] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   48.705969] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   48.822312] bridge0: port 2(bridge_slave_1) entered blocking state
[   48.828780] bridge0: port 2(bridge_slave_1) entered forwarding state
[   48.835657] bridge0: port 1(bridge_slave_0) entered blocking state
[   48.842049] bridge0: port 1(bridge_slave_0) entered forwarding state
[   49.263974] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   49.270134] 8021q: adding VLAN 0 to HW filter on device bond0
[   49.315997] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   49.358974] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   49.367239] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   49.403278] 8021q: adding VLAN 0 to HW filter on device team0
[   49.669607] ==================================================================
[   49.677109] BUG: KASAN: use-after-free in nla_strlcpy+0x13d/0x150
[   49.683327] Read of size 1 at addr ffff8801c5f36b5d by task syz-executor0/4700
[   49.690667]
[   49.692297] CPU: 0 PID: 4700 Comm: syz-executor0 Not tainted 4.17.0-rc6+ #87
[   49.699461] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   49.708801] Call Trace:
[   49.711385]  dump_stack+0x1b9/0x294
[   49.715012]  ? dump_stack_print_info.cold.2+0x52/0x52
[   49.720193]  ? printk+0x9e/0xba
[   49.723453]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   49.728193]  ? kasan_check_write+0x14/0x20
[   49.732413]  print_address_description+0x6c/0x20b
[   49.737238]  ? nla_strlcpy+0x13d/0x150
[   49.741107]  kasan_report.cold.7+0x242/0x2fe
[   49.745497]  __asan_report_load1_noabort+0x14/0x20
[   49.750405]  nla_strlcpy+0x13d/0x150
[   49.754105]  nfnl_acct_new+0x574/0xc50
[   49.757976]  ? nfnl_acct_overquota+0x380/0x380
[   49.762549]  ? debug_check_no_locks_freed+0x310/0x310
[   49.767720]  ? graph_lock+0x170/0x170
[   49.771509]  ? print_usage_bug+0xc0/0xc0
[   49.775552]  ? get_futex_key+0xf83/0x1e90
[   49.779684]  ? find_held_lock+0x36/0x1c0
[   49.783725]  ? graph_lock+0x170/0x170
[   49.787512]  ? lock_downgrade+0x8e0/0x8e0
[   49.791669]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   49.797201]  ? __lock_is_held+0xb5/0x140
[   49.801270]  ? nfnl_acct_overquota+0x380/0x380
[   49.805847]  nfnetlink_rcv_msg+0xdb5/0xff0
[   49.810068]  ? __lock_is_held+0xb5/0x140
[   49.814124]  ? __sanitizer_cov_trace_cmp1+0x17/0x20
[   49.819120]  ? nfnetlink_rcv_msg+0x3bc/0xff0
[   49.823519]  ? nfnetlink_bind+0x3a0/0x3a0
[   49.827648]  ? graph_lock+0x170/0x170
[   49.831432]  ? find_held_lock+0x36/0x1c0
[   49.835482]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   49.841008]  netlink_rcv_skb+0x172/0x440
[   49.845051]  ? nfnetlink_bind+0x3a0/0x3a0
[   49.849182]  ? netlink_ack+0xbc0/0xbc0
[   49.853064]  ? __netlink_ns_capable+0x100/0x130
[   49.857735]  nfnetlink_rcv+0x1fe/0x1ba0
[   49.861692]  ? kasan_check_read+0x11/0x20
[   49.865842]  ? rcu_is_watching+0x85/0x140
[   49.869985]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   49.875163]  ? nfnl_err_reset+0x2d0/0x2d0
[   49.879294]  ? netlink_remove_tap+0x610/0x610
[   49.883776]  ? refcount_add_not_zero+0x320/0x320
[   49.888525]  ? kasan_check_read+0x11/0x20
[   49.892671]  ? rcu_is_watching+0x85/0x140
[   49.896801]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   49.901984]  ? netlink_skb_destructor+0x210/0x210
[   49.906839]  ? kasan_check_write+0x14/0x20
[   49.915649]  netlink_unicast+0x58b/0x740
[   49.919700]  ? netlink_attachskb+0x970/0x970
[   49.924094]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   49.929616]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   49.934623]  ? security_netlink_send+0x88/0xb0
[   49.939187]  netlink_sendmsg+0x9f0/0xfa0
[   49.943238]  ? netlink_unicast+0x740/0x740
[   49.947457]  ? pud_val+0x80/0xf0
[   49.950806]  ? security_socket_sendmsg+0x94/0xc0
[   49.955539]  ? netlink_unicast+0x740/0x740
[   49.959759]  sock_sendmsg+0xd5/0x120
[   49.963452]  sock_write_iter+0x35a/0x5a0
[   49.967494]  ? sock_sendmsg+0x120/0x120
[   49.971445]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   49.976187]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   49.981707]  ? iov_iter_init+0xc9/0x1f0
[   49.985660]  __vfs_write+0x64d/0x960
[   49.989355]  ? kernel_read+0x120/0x120
[   49.993228]  ? handle_mm_fault+0x8c0/0xc70
[   49.997444]  ? rw_verify_area+0x118/0x360
[   50.001571]  vfs_write+0x1f8/0x560
[   50.005094]  ksys_write+0xf9/0x250
[   50.008617]  ? __ia32_sys_read+0xb0/0xb0
[   50.012658]  ? mm_fault_error+0x380/0x380
[   50.016784]  __ia32_sys_write+0x71/0xb0
[   50.020743]  do_fast_syscall_32+0x345/0xf9b
[   50.025065]  ? do_int80_syscall_32+0x880/0x880
[   50.029627]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   50.034367]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   50.039896]  ? syscall_return_slowpath+0x30f/0x5c0
[   50.044809]  ? sysret32_from_system_call+0x5/0x46
[   50.049642]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   50.054472]  entry_SYSENTER_compat+0x70/0x7f
[   50.058858] RIP: 0023:0xf7ff8cb9
[   50.062200] RSP: 002b:00000000fff2450c EFLAGS: 00000282 ORIG_RAX: 0000000000000004
[   50.069903] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000040
[   50.077151] RDX: 000000000000001f RSI: 0000000000000000 RDI: 0000000000000000
[   50.084421] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   50.091685] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[   50.098935] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   50.106190]
[   50.107800] Allocated by task 3374:
[   50.111413]  save_stack+0x43/0xd0
[   50.114847]  kasan_kmalloc+0xc4/0xe0
[   50.118539]  __kmalloc+0x14e/0x760
[   50.122061]  load_elf_phdrs+0x17a/0x250
[   50.126021]  load_elf_binary+0x32b/0x5610
[   50.130150]  search_binary_handler+0x17d/0x570
[   50.134708]  do_execveat_common.isra.34+0x16ce/0x2590
[   50.139875]  __x64_sys_execve+0x8d/0xb0
[   50.143827]  do_syscall_64+0x1b1/0x800
[   50.147694]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   50.152855]
[   50.154460] Freed by task 3374:
[   50.157719]  save_stack+0x43/0xd0
[   50.161153]  __kasan_slab_free+0x11a/0x170
[   50.165366]  kasan_slab_free+0xe/0x10
[   50.169143]  kfree+0xd9/0x260
[   50.172228]  load_elf_binary+0x2569/0x5610
[   50.176442]  search_binary_handler+0x17d/0x570
[   50.181002]  do_execveat_common.isra.34+0x16ce/0x2590
[   50.186275]  __x64_sys_execve+0x8d/0xb0
[   50.190229]  do_syscall_64+0x1b1/0x800
[   50.194102]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   50.199285]
[   50.200893] The buggy address belongs to the object at ffff8801c5f36ac0
[   50.200893]  which belongs to the cache kmalloc-512 of size 512
[   50.213529] The buggy address is located 157 bytes inside of
[   50.213529]  512-byte region [ffff8801c5f36ac0, ffff8801c5f36cc0)
[   50.225378] The buggy address belongs to the page:
[   50.230286] page:ffffea000717cd80 count:1 mapcount:0 mapping:ffff8801c5f360c0 index:0x0
[   50.238406] flags: 0x2fffc0000000100(slab)
[   50.242623] raw: 02fffc0000000100 ffff8801c5f360c0 0000000000000000 0000000100000006
[   50.250483] raw: ffffea000717cd20 ffffea000717ce20 ffff8801da800940 0000000000000000
[   50.258338] page dumped because: kasan: bad access detected
[   50.264023]
[   50.265629] Memory state around the buggy address:
[   50.270623]  ffff8801c5f36a00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   50.277963]  ffff8801c5f36a80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   50.285302] >ffff8801c5f36b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.292637]                                                      ^
[   50.298859]  ffff8801c5f36b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.306197]  ffff8801c5f36c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.313533] ==================================================================
[   50.320876] Disabling lock debugging due to kernel taint
[   50.326818] Kernel panic - not syncing: panic_on_warn set ...
[   50.326818]
[   50.334201] CPU: 0 PID: 4700 Comm: syz-executor0 Tainted: G    B             4.17.0-rc6+ #87
[   50.342771] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   50.352114] Call Trace:
[   50.354692]  dump_stack+0x1b9/0x294
[   50.358303]  ? dump_stack_print_info.cold.2+0x52/0x52
[   50.363474]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   50.368213]  ? nla_strlcpy+0x110/0x150
[   50.372087]  panic+0x22f/0x4de
[   50.375257]  ? add_taint.cold.5+0x16/0x16
[   50.379385]  ? do_raw_spin_unlock+0x9e/0x2e0
[   50.383773]  ? do_raw_spin_unlock+0x9e/0x2e0
[   50.388165]  ? nla_strlcpy+0x13d/0x150
[   50.392036]  kasan_end_report+0x47/0x4f
[   50.395994]  kasan_report.cold.7+0x76/0x2fe
[   50.400299]  __asan_report_load1_noabort+0x14/0x20
[   50.405214]  nla_strlcpy+0x13d/0x150
[   50.408909]  nfnl_acct_new+0x574/0xc50
[   50.412864]  ? nfnl_acct_overquota+0x380/0x380
[   50.417430]  ? debug_check_no_locks_freed+0x310/0x310
[   50.422602]  ? graph_lock+0x170/0x170
[   50.426392]  ? print_usage_bug+0xc0/0xc0
[   50.430435]  ? get_futex_key+0xf83/0x1e90
[   50.434561]  ? find_held_lock+0x36/0x1c0
[   50.438601]  ? graph_lock+0x170/0x170
[   50.442381]  ? lock_downgrade+0x8e0/0x8e0
[   50.446511]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   50.452034]  ? __lock_is_held+0xb5/0x140
[   50.456085]  ? nfnl_acct_overquota+0x380/0x380
[   50.460651]  nfnetlink_rcv_msg+0xdb5/0xff0
[   50.464872]  ? __lock_is_held+0xb5/0x140
[   50.468927]  ? __sanitizer_cov_trace_cmp1+0x17/0x20
[   50.473928]  ? nfnetlink_rcv_msg+0x3bc/0xff0
[   50.478322]  ? nfnetlink_bind+0x3a0/0x3a0
[   50.482451]  ? graph_lock+0x170/0x170
[   50.486244]  ? find_held_lock+0x36/0x1c0
[   50.490288]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   50.495816]  netlink_rcv_skb+0x172/0x440
[   50.499864]  ? nfnetlink_bind+0x3a0/0x3a0
[   50.503994]  ? netlink_ack+0xbc0/0xbc0
[   50.507868]  ? __netlink_ns_capable+0x100/0x130
[   50.512522]  nfnetlink_rcv+0x1fe/0x1ba0
[   50.516484]  ? kasan_check_read+0x11/0x20
[   50.520622]  ? rcu_is_watching+0x85/0x140
[   50.524758]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   50.529931]  ? nfnl_err_reset+0x2d0/0x2d0
[   50.534070]  ? netlink_remove_tap+0x610/0x610
[   50.538549]  ? refcount_add_not_zero+0x320/0x320
[   50.543284]  ? kasan_check_read+0x11/0x20
[   50.547413]  ? rcu_is_watching+0x85/0x140
[   50.551541]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   50.556720]  ? netlink_skb_destructor+0x210/0x210
[   50.561551]  ? kasan_check_write+0x14/0x20
[   50.565766]  netlink_unicast+0x58b/0x740
[   50.569810]  ? netlink_attachskb+0x970/0x970
[   50.574199]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   50.579716]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   50.584723]  ? security_netlink_send+0x88/0xb0
[   50.589286]  netlink_sendmsg+0x9f0/0xfa0
[   50.593328]  ? netlink_unicast+0x740/0x740
[   50.597540]  ? pud_val+0x80/0xf0
[   50.600886]  ? security_socket_sendmsg+0x94/0xc0
[   50.605623]  ? netlink_unicast+0x740/0x740
[   50.609847]  sock_sendmsg+0xd5/0x120
[   50.613539]  sock_write_iter+0x35a/0x5a0
[   50.617577]  ? sock_sendmsg+0x120/0x120
[   50.621529]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   50.626281]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   50.631796]  ? iov_iter_init+0xc9/0x1f0
[   50.635750]  __vfs_write+0x64d/0x960
[   50.639440]  ? kernel_read+0x120/0x120
[   50.643309]  ? handle_mm_fault+0x8c0/0xc70
[   50.648277]  ? rw_verify_area+0x118/0x360
[   50.652405]  vfs_write+0x1f8/0x560
[   50.655926]  ksys_write+0xf9/0x250
[   50.659446]  ? __ia32_sys_read+0xb0/0xb0
[   50.663487]  ? mm_fault_error+0x380/0x380
[   50.667622]  __ia32_sys_write+0x71/0xb0
[   50.671576]  do_fast_syscall_32+0x345/0xf9b
[   50.675874]  ? do_int80_syscall_32+0x880/0x880
[   50.680436]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   50.685173]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   50.690689]  ? syscall_return_slowpath+0x30f/0x5c0
[   50.695598]  ? sysret32_from_system_call+0x5/0x46
[   50.700418]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   50.705243]  entry_SYSENTER_compat+0x70/0x7f
[   50.709639] RIP: 0023:0xf7ff8cb9
[   50.712994] RSP: 002b:00000000fff2450c EFLAGS: 00000282 ORIG_RAX: 0000000000000004
[   50.720689] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000040
[   50.727936] RDX: 000000000000001f RSI: 0000000000000000 RDI: 0000000000000000
[   50.735184] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   50.742431] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[   50.749692] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   50.757440] Dumping ftrace buffer:
[   50.760962]    (ftrace buffer empty)
[   50.764658] Kernel Offset: disabled
[   50.768271] Rebooting in 86400 seconds..
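The report above has the usual generic-KASAN shape: the bad access, the call trace with its unverified "?" frames, the allocation and free stacks of the slab object that was hit, the object's cache and offset, and a dump of shadow bytes around the address. The triage helper below is an added example, not part of this syzkaller log and not kernel or syzkaller tooling. It parses a report of that shape, filters the call trace down to the reliable frames to find who called the faulting function, skips the allocator/KASAN frames in the alloc/free stacks to find the object's last owner, reads the shadow byte covering the faulting address, and decodes the syscall the task was in. REPORT is a constructed sample made of verbatim lines from the report above, trimmed. The function names (parse_kasan_report, shadow_byte_at, caller_of_fault, origin, entry_syscall) are mine; the shadow-byte legend and the ia32 syscall numbers are taken from the kernel's generic KASAN definitions and the i386 syscall table rather than from this page, and the 0x23 user code-segment check assumes x86-64.

```python
"""Triage helper for generic-KASAN slab reports, run over the report above.

Added example, not kernel or syzkaller tooling. REPORT below is a constructed
sample: verbatim lines from the report above, trimmed to what the parser needs.
"""
import re

# Generic KASAN shadow encoding (assumed from mm/kasan): one shadow byte per 8 bytes of memory.
SHADOW_LEGEND = {0x00: "addressable", 0xfb: "freed slab object", 0xfc: "slab redzone",
                 0xfa: "global redzone", 0xfe: "page redzone", 0xff: "freed page"}
IA32_SYSCALLS = {3: "read", 4: "write", 11: "execve"}      # i386 table, only what this log needs
_TS = re.compile(r"^\[\s*\d+\.\d+\]")                        # printk timestamp prefix
_FRAME = re.compile(r"^\s+(\?\s+)?(\S+\+0x[0-9a-f]+/0x[0-9a-f]+)$")
_SHADOW = re.compile(r"^\s*>?([0-9a-f]{16}): ((?:[0-9a-f]{2}\s*)+)$")
_NOISE = ("save_stack", "kasan_", "__kasan_", "__kmalloc", "kmalloc", "kfree", "kmem_cache_")
_SECTIONS = {"Call Trace": "trace", "Allocated": "alloc", "Freed": "free"}

def parse_kasan_report(text):
    """Pull the access, the three stacks, the object and the shadow rows out of a report."""
    r = {"trace": [], "alloc": [], "free": [], "shadow": {}}
    section = None
    for raw in text.splitlines():
        line = _TS.sub("", raw)
        if not line.strip():
            section = None                            # a blank line closes a stack section
        elif m := re.search(r"BUG: KASAN: (.+?) in (\S+)", line):
            r["bug"], r["where"] = m.group(1), m.group(2)
        elif m := re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task", line):
            r["access"], r["size"], r["addr"] = m.group(1), int(m.group(2)), int(m.group(3), 16)
        elif m := re.search(r"(Call Trace|Allocated|Freed)(?: by task (\d+))?:", line):
            section = _SECTIONS[m.group(1)]
            r[section + "_task"] = int(m.group(2)) if m.group(2) else None
        elif m := re.search(r"belongs to the object at ([0-9a-f]+)", line):
            r["obj_start"] = int(m.group(1), 16)
        elif m := re.search(r"belongs to the cache (\S+) of size", line):
            r["cache"] = m.group(1)
        elif m := re.search(r"RIP: ([0-9a-f]{4}):", line):
            r["cs"] = int(m.group(1), 16)              # 0x23 = 32-bit user CS, 0x33 = 64-bit
        elif m := re.search(r"ORIG_RAX: ([0-9a-f]+)", line):
            r["syscall_nr"] = int(m.group(1), 16)
        elif m := _SHADOW.match(line):
            r["shadow"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
        elif section and (m := _FRAME.match(line)):
            r[section].append(("? " if m.group(1) else "") + m.group(2))
    return r

def shadow_byte_at(report, addr):
    row = addr & ~0x7f                                # a printed row covers 128 bytes of memory
    return report["shadow"][row][(addr - row) // 8]

def caller_of_fault(report):
    """First reliable frame above the faulting function ('?' frames are unverified slots)."""
    frames = [f for f in report["trace"] if not f.startswith("? ")]
    sym = report["where"].split("+")[0]
    for i, f in enumerate(frames[:-1]):
        if f.split("+")[0] == sym:
            return frames[i + 1]
    return None

def origin(stack):
    """First alloc/free frame outside the allocator and KASAN: the slot's last real owner."""
    return next((f for f in stack if not f.startswith(_NOISE)), None)

def entry_syscall(report):
    """(abi, nr, name) of the syscall in flight; with CS 0x23, ORIG_RAX is an ia32 number."""
    if "syscall_nr" not in report:
        return None
    nr, compat = report["syscall_nr"], report.get("cs") == 0x23
    return ("ia32" if compat else "x86-64", nr, IA32_SYSCALLS.get(nr, "?") if compat else "?")

REPORT = """\
[   49.677109] BUG: KASAN: use-after-free in nla_strlcpy+0x13d/0x150
[   49.683327] Read of size 1 at addr ffff8801c5f36b5d by task syz-executor0/4700
[   49.708801] Call Trace:
[   49.737238]  ? nla_strlcpy+0x13d/0x150
[   49.750405]  nla_strlcpy+0x13d/0x150
[   49.754105]  nfnl_acct_new+0x574/0xc50
[   49.805847]  nfnetlink_rcv_msg+0xdb5/0xff0
[   50.016784]  __ia32_sys_write+0x71/0xb0
[   50.058858] RIP: 0023:0xf7ff8cb9
[   50.062200] RSP: 002b:00000000fff2450c EFLAGS: 00000282 ORIG_RAX: 0000000000000004
[   50.106190]
[   50.107800] Allocated by task 3374:
[   50.118539]  __kmalloc+0x14e/0x760
[   50.122061]  load_elf_phdrs+0x17a/0x250
[   50.152855]
[   50.154460] Freed by task 3374:
[   50.169143]  kfree+0xd9/0x260
[   50.172228]  load_elf_binary+0x2569/0x5610
[   50.199285]
[   50.200893] The buggy address belongs to the object at ffff8801c5f36ac0
[   50.200893]  which belongs to the cache kmalloc-512 of size 512
[   50.285302] >ffff8801c5f36b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

if __name__ == "__main__":
    rep = parse_kasan_report(REPORT)
    print(rep["bug"], "in", rep["where"], "called from", caller_of_fault(rep))
    print("object", rep["cache"], "+%d" % (rep["addr"] - rep["obj_start"]),
          "shadow:", SHADOW_LEGEND.get(shadow_byte_at(rep, rep["addr"])))
    print("alloc", origin(rep["alloc"]), "/ free", origin(rep["free"]), "/", entry_syscall(rep))
```

Run on this report it yields: a 1-byte read by nfnl_acct_new's call to nla_strlcpy, reached through a 32-bit write() on a netlink socket, 157 bytes into a kmalloc-512 slot whose shadow byte 0xfb marks it as freed. The alloc/free stacks name the slot's previous tenant (an ELF program-header buffer from an unrelated execve in task 3374), not the object the netfilter code believed it was reading, so the next step is to determine which nfnetlink buffer or attribute nla_strlcpy was pointed at and why that address was no longer live.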