[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 19.503656] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 24.340790] random: sshd: uninitialized urandom read (32 bytes read) [ 24.840561] random: sshd: uninitialized urandom read (32 bytes read) [ 25.591405] random: sshd: uninitialized urandom read (32 bytes read) [ 25.760444] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.46' (ECDSA) to the list of known hosts. [ 31.232189] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 31.337403] ================================================================== [ 31.344872] BUG: KASAN: use-after-free in nla_strlcpy+0x13d/0x150 [ 31.351106] Read of size 1 at addr ffff8801ada0449d by task syz-executor648/4514 [ 31.358629] [ 31.360245] CPU: 1 PID: 4514 Comm: syz-executor648 Not tainted 4.17.0-rc6+ #64 [ 31.367584] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.376917] Call Trace: [ 31.379491] dump_stack+0x1b9/0x294 [ 31.383103] ? dump_stack_print_info.cold.2+0x52/0x52 [ 31.388282] ? printk+0x9e/0xba [ 31.391551] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 31.396298] ? kasan_check_write+0x14/0x20 [ 31.400516] print_address_description+0x6c/0x20b [ 31.405345] ? nla_strlcpy+0x13d/0x150 [ 31.409222] kasan_report.cold.7+0x242/0x2fe [ 31.413629] __asan_report_load1_noabort+0x14/0x20 [ 31.418545] nla_strlcpy+0x13d/0x150 [ 31.422250] nfnl_acct_new+0x574/0xc50 [ 31.426128] ? nfnl_acct_overquota+0x380/0x380 [ 31.430702] ? debug_check_no_locks_freed+0x310/0x310 [ 31.435879] ? graph_lock+0x170/0x170 [ 31.439660] ? print_usage_bug+0xc0/0xc0 [ 31.443706] ? print_usage_bug+0xc0/0xc0 [ 31.447759] ? __enqueue_entity+0x10d/0x1f0 [ 31.452068] ? find_held_lock+0x36/0x1c0 [ 31.456117] ? graph_lock+0x170/0x170 [ 31.459904] ? lock_downgrade+0x8e0/0x8e0 [ 31.464048] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.469583] ? __lock_is_held+0xb5/0x140 [ 31.473635] ? nfnl_acct_overquota+0x380/0x380 [ 31.478201] nfnetlink_rcv_msg+0xdb5/0xff0 [ 31.482428] ? __sanitizer_cov_trace_cmp1+0x17/0x20 [ 31.487427] ? nfnetlink_rcv_msg+0x3bc/0xff0 [ 31.491831] ? nfnetlink_bind+0x3a0/0x3a0 [ 31.495967] ? graph_lock+0x170/0x170 [ 31.499755] ? find_held_lock+0x36/0x1c0 [ 31.503805] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.509331] netlink_rcv_skb+0x172/0x440 [ 31.513398] ? nfnetlink_bind+0x3a0/0x3a0 [ 31.517541] ? netlink_ack+0xbc0/0xbc0 [ 31.521416] ? __netlink_ns_capable+0x100/0x130 [ 31.526075] nfnetlink_rcv+0x1fe/0x1ba0 [ 31.530052] ? kasan_check_read+0x11/0x20 [ 31.534198] ? rcu_is_watching+0x85/0x140 [ 31.538348] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 31.543527] ? nfnl_err_reset+0x2d0/0x2d0 [ 31.547665] ? netlink_remove_tap+0x610/0x610 [ 31.552153] ? refcount_add_not_zero+0x320/0x320 [ 31.556901] ? kasan_check_read+0x11/0x20 [ 31.561070] ? rcu_is_watching+0x85/0x140 [ 31.565204] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 31.570380] ? netlink_skb_destructor+0x210/0x210 [ 31.575212] ? kasan_check_write+0x14/0x20 [ 31.579456] netlink_unicast+0x58b/0x740 [ 31.583506] ? netlink_attachskb+0x970/0x970 [ 31.587908] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.593439] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 31.598449] ? security_netlink_send+0x88/0xb0 [ 31.603037] netlink_sendmsg+0x9f0/0xfa0 [ 31.607114] ? netlink_unicast+0x740/0x740 [ 31.611350] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.616891] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.622430] ? security_socket_sendmsg+0x94/0xc0 [ 31.627188] ? netlink_unicast+0x740/0x740 [ 31.631424] sock_sendmsg+0xd5/0x120 [ 31.635132] sock_write_iter+0x35a/0x5a0 [ 31.639182] ? sock_sendmsg+0x120/0x120 [ 31.643156] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 31.648683] ? iov_iter_init+0xc9/0x1f0 [ 31.652655] __vfs_write+0x64d/0x960 [ 31.656367] ? kernel_read+0x120/0x120 [ 31.660250] ? lock_downgrade+0x8e0/0x8e0 [ 31.664409] ? handle_mm_fault+0x8c0/0xc70 [ 31.668634] ? handle_mm_fault+0x55a/0xc70 [ 31.672870] ? rw_verify_area+0x118/0x360 [ 31.677020] vfs_write+0x1f8/0x560 [ 31.680561] ksys_write+0xf9/0x250 [ 31.684091] ? __ia32_sys_read+0xb0/0xb0 [ 31.688145] ? __ia32_sys_fallocate+0xf0/0xf0 [ 31.692640] __x64_sys_write+0x73/0xb0 [ 31.696531] do_syscall_64+0x1b1/0x800 [ 31.700408] ? syscall_return_slowpath+0x5c0/0x5c0 [ 31.705325] ? syscall_return_slowpath+0x30f/0x5c0 [ 31.710263] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.715798] ? retint_user+0x18/0x18 [ 31.719503] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 31.724341] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.729517] RIP: 0033:0x43fcf9 [ 31.732688] RSP: 002b:00007ffee6524a18 EFLAGS: 00000213 ORIG_RAX: 0000000000000001 [ 31.740378] RAX: ffffffffffffffda RBX: 0000200000000002 RCX: 000000000043fcf9 [ 31.747633] RDX: 000000000000001f RSI: 0000000020390000 RDI: 0000000000000003 [ 31.754894] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 31.762153] R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401620 [ 31.769414] R13: 00000000004016b0 R14: 0000000000000000 R15: 0000000000000000 [ 31.776694] [ 31.778319] Allocated by task 2840: [ 31.781942] save_stack+0x43/0xd0 [ 31.785380] kasan_kmalloc+0xc4/0xe0 [ 31.789083] kasan_slab_alloc+0x12/0x20 [ 31.793055] kmem_cache_alloc+0x12e/0x760 [ 31.797193] get_empty_filp+0x125/0x520 [ 31.801149] path_openat+0x116/0x4e20 [ 31.804934] do_filp_open+0x249/0x350 [ 31.808719] do_sys_open+0x56f/0x740 [ 31.812419] __x64_sys_open+0x7e/0xc0 [ 31.816213] do_syscall_64+0x1b1/0x800 [ 31.820093] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.825264] [ 31.826878] Freed by task 2848: [ 31.830170] save_stack+0x43/0xd0 [ 31.833610] __kasan_slab_free+0x11a/0x170 [ 31.837836] kasan_slab_free+0xe/0x10 [ 31.841626] kmem_cache_free+0x86/0x2d0 [ 31.845597] file_free_rcu+0x6f/0x90 [ 31.849298] rcu_process_callbacks+0x941/0x15f0 [ 31.853964] __do_softirq+0x2e0/0xaf5 [ 31.857749] [ 31.859360] The buggy address belongs to the object at ffff8801ada04340 [ 31.859360] which belongs to the cache filp of size 456 [ 31.871393] The buggy address is located 349 bytes inside of [ 31.871393] 456-byte region [ffff8801ada04340, ffff8801ada04508) [ 31.883252] The buggy address belongs to the page: [ 31.888175] page:ffffea0006b68100 count:1 mapcount:0 mapping:ffff8801ada040c0 index:0xffff8801ada04340 [ 31.897618] flags: 0x2fffc0000000100(slab) [ 31.901860] raw: 02fffc0000000100 ffff8801ada040c0 ffff8801ada04340 0000000100000001 [ 31.909757] raw: ffffea0006b72360 ffffea0006b93f60 ffff8801da988940 0000000000000000 [ 31.917624] page dumped because: kasan: bad access detected [ 31.923318] [ 31.924930] Memory state around the buggy address: [ 31.929854] ffff8801ada04380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.937205] ffff8801ada04400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.944552] >ffff8801ada04480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.951899] ^ [ 31.956044] ffff8801ada04500: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.963387] ffff8801ada04580: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 31.970727] ================================================================== [ 31.978069] Disabling lock debugging due to kernel taint [ 31.983574] Kernel panic - not syncing: panic_on_warn set ... [ 31.983574] [ 31.990944] CPU: 1 PID: 4514 Comm: syz-executor648 Tainted: G B 4.17.0-rc6+ #64 [ 31.999693] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.009029] Call Trace: [ 32.011606] dump_stack+0x1b9/0x294 [ 32.015221] ? dump_stack_print_info.cold.2+0x52/0x52 [ 32.020391] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 32.025130] ? nla_strlcpy+0x80/0x150 [ 32.028923] panic+0x22f/0x4de [ 32.032099] ? add_taint.cold.5+0x16/0x16 [ 32.036238] ? do_raw_spin_unlock+0x9e/0x2e0 [ 32.040632] ? do_raw_spin_unlock+0x9e/0x2e0 [ 32.045037] ? nla_strlcpy+0x13d/0x150 [ 32.049087] kasan_end_report+0x47/0x4f [ 32.053046] kasan_report.cold.7+0x76/0x2fe [ 32.057354] __asan_report_load1_noabort+0x14/0x20 [ 32.062274] nla_strlcpy+0x13d/0x150 [ 32.065970] nfnl_acct_new+0x574/0xc50 [ 32.069845] ? nfnl_acct_overquota+0x380/0x380 [ 32.074430] ? debug_check_no_locks_freed+0x310/0x310 [ 32.079605] ? graph_lock+0x170/0x170 [ 32.083385] ? print_usage_bug+0xc0/0xc0 [ 32.087429] ? print_usage_bug+0xc0/0xc0 [ 32.091476] ? __enqueue_entity+0x10d/0x1f0 [ 32.095794] ? find_held_lock+0x36/0x1c0 [ 32.099840] ? graph_lock+0x170/0x170 [ 32.103623] ? lock_downgrade+0x8e0/0x8e0 [ 32.107840] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.113373] ? __lock_is_held+0xb5/0x140 [ 32.117425] ? nfnl_acct_overquota+0x380/0x380 [ 32.121991] nfnetlink_rcv_msg+0xdb5/0xff0 [ 32.126240] ? __sanitizer_cov_trace_cmp1+0x17/0x20 [ 32.131237] ? nfnetlink_rcv_msg+0x3bc/0xff0 [ 32.135633] ? nfnetlink_bind+0x3a0/0x3a0 [ 32.139773] ? graph_lock+0x170/0x170 [ 32.143554] ? find_held_lock+0x36/0x1c0 [ 32.147603] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.153126] netlink_rcv_skb+0x172/0x440 [ 32.157182] ? nfnetlink_bind+0x3a0/0x3a0 [ 32.161310] ? netlink_ack+0xbc0/0xbc0 [ 32.165180] ? __netlink_ns_capable+0x100/0x130 [ 32.169827] nfnetlink_rcv+0x1fe/0x1ba0 [ 32.173790] ? kasan_check_read+0x11/0x20 [ 32.177931] ? rcu_is_watching+0x85/0x140 [ 32.182074] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 32.187248] ? nfnl_err_reset+0x2d0/0x2d0 [ 32.191382] ? netlink_remove_tap+0x610/0x610 [ 32.195862] ? refcount_add_not_zero+0x320/0x320 [ 32.200702] ? kasan_check_read+0x11/0x20 [ 32.204844] ? rcu_is_watching+0x85/0x140 [ 32.208980] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 32.214166] ? netlink_skb_destructor+0x210/0x210 [ 32.219009] ? kasan_check_write+0x14/0x20 [ 32.223251] netlink_unicast+0x58b/0x740 [ 32.227297] ? netlink_attachskb+0x970/0x970 [ 32.231703] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.237225] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 32.242398] ? security_netlink_send+0x88/0xb0 [ 32.246964] netlink_sendmsg+0x9f0/0xfa0 [ 32.251021] ? netlink_unicast+0x740/0x740 [ 32.255250] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.260772] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.266294] ? security_socket_sendmsg+0x94/0xc0 [ 32.271039] ? netlink_unicast+0x740/0x740 [ 32.275264] sock_sendmsg+0xd5/0x120 [ 32.278960] sock_write_iter+0x35a/0x5a0 [ 32.283010] ? sock_sendmsg+0x120/0x120 [ 32.286979] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 32.292505] ? iov_iter_init+0xc9/0x1f0 [ 32.296471] __vfs_write+0x64d/0x960 [ 32.300169] ? kernel_read+0x120/0x120 [ 32.304043] ? lock_downgrade+0x8e0/0x8e0 [ 32.308173] ? handle_mm_fault+0x8c0/0xc70 [ 32.312393] ? handle_mm_fault+0x55a/0xc70 [ 32.316611] ? rw_verify_area+0x118/0x360 [ 32.320748] vfs_write+0x1f8/0x560 [ 32.324275] ksys_write+0xf9/0x250 [ 32.327807] ? __ia32_sys_read+0xb0/0xb0 [ 32.331863] ? __ia32_sys_fallocate+0xf0/0xf0 [ 32.336346] __x64_sys_write+0x73/0xb0 [ 32.340218] do_syscall_64+0x1b1/0x800 [ 32.344087] ? syscall_return_slowpath+0x5c0/0x5c0 [ 32.349001] ? syscall_return_slowpath+0x30f/0x5c0 [ 32.353918] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.359439] ? retint_user+0x18/0x18 [ 32.363139] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 32.367975] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.373151] RIP: 0033:0x43fcf9 [ 32.376320] RSP: 002b:00007ffee6524a18 EFLAGS: 00000213 ORIG_RAX: 0000000000000001 [ 32.384015] RAX: ffffffffffffffda RBX: 0000200000000002 RCX: 000000000043fcf9 [ 32.391270] RDX: 000000000000001f RSI: 0000000020390000 RDI: 0000000000000003 [ 32.398522] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 32.405774] R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401620 [ 32.413030] R13: 00000000004016b0 R14: 0000000000000000 R15: 0000000000000000 [ 32.420785] Dumping ftrace buffer: [ 32.424317] (ftrace buffer empty) [ 32.428006] Kernel Offset: disabled [ 32.431613] Rebooting in 86400 seconds..