[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 20.583890] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 24.137133] random: sshd: uninitialized urandom read (32 bytes read) [ 24.376449] random: sshd: uninitialized urandom read (32 bytes read) [ 25.153800] random: sshd: uninitialized urandom read (32 bytes read) [ 25.318448] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.43' (ECDSA) to the list of known hosts. [ 30.729189] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 30.823272] ================================================================== [ 30.830789] BUG: KASAN: slab-out-of-bounds in nla_strlcpy+0x13d/0x150 [ 30.837361] Read of size 1 at addr ffff8801acfbd01d by task syz-executor759/4538 [ 30.844884] [ 30.846520] CPU: 1 PID: 4538 Comm: syz-executor759 Not tainted 4.17.0-rc6+ #64 [ 30.853867] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 30.863211] Call Trace: [ 30.865808] dump_stack+0x1b9/0x294 [ 30.869429] ? dump_stack_print_info.cold.2+0x52/0x52 [ 30.874606] ? printk+0x9e/0xba [ 30.877870] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 30.882706] ? kasan_check_write+0x14/0x20 [ 30.886935] print_address_description+0x6c/0x20b [ 30.891779] ? nla_strlcpy+0x13d/0x150 [ 30.895658] kasan_report.cold.7+0x242/0x2fe [ 30.900060] __asan_report_load1_noabort+0x14/0x20 [ 30.904980] nla_strlcpy+0x13d/0x150 [ 30.908689] nfnl_acct_new+0x574/0xc50 [ 30.912564] ? nfnl_acct_overquota+0x380/0x380 [ 30.917136] ? debug_check_no_locks_freed+0x310/0x310 [ 30.922375] ? graph_lock+0x170/0x170 [ 30.926166] ? print_usage_bug+0xc0/0xc0 [ 30.930216] ? find_held_lock+0x36/0x1c0 [ 30.934279] ? graph_lock+0x170/0x170 [ 30.938076] ? lock_downgrade+0x8e0/0x8e0 [ 30.942223] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.947769] ? __lock_is_held+0xb5/0x140 [ 30.951833] ? nfnl_acct_overquota+0x380/0x380 [ 30.956403] nfnetlink_rcv_msg+0xdb5/0xff0 [ 30.960635] ? __sanitizer_cov_trace_cmp1+0x17/0x20 [ 30.965634] ? nfnetlink_rcv_msg+0x3bc/0xff0 [ 30.970051] ? nfnetlink_bind+0x3a0/0x3a0 [ 30.974205] ? graph_lock+0x170/0x170 [ 30.977991] ? find_held_lock+0x36/0x1c0 [ 30.982151] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.987690] netlink_rcv_skb+0x172/0x440 [ 30.991748] ? nfnetlink_bind+0x3a0/0x3a0 [ 30.995885] ? netlink_ack+0xbc0/0xbc0 [ 30.999758] ? __netlink_ns_capable+0x100/0x130 [ 31.004429] nfnetlink_rcv+0x1fe/0x1ba0 [ 31.008395] ? kasan_check_read+0x11/0x20 [ 31.012535] ? rcu_is_watching+0x85/0x140 [ 31.016674] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 31.021870] ? nfnl_err_reset+0x2d0/0x2d0 [ 31.026028] ? netlink_remove_tap+0x610/0x610 [ 31.030520] ? refcount_add_not_zero+0x320/0x320 [ 31.035264] ? kasan_check_read+0x11/0x20 [ 31.039395] ? rcu_is_watching+0x85/0x140 [ 31.043526] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 31.048704] ? netlink_skb_destructor+0x210/0x210 [ 31.053541] ? kasan_check_write+0x14/0x20 [ 31.057774] netlink_unicast+0x58b/0x740 [ 31.061826] ? netlink_attachskb+0x970/0x970 [ 31.066234] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.071766] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 31.076767] ? security_netlink_send+0x88/0xb0 [ 31.081335] netlink_sendmsg+0x9f0/0xfa0 [ 31.085388] ? netlink_unicast+0x740/0x740 [ 31.089607] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.095133] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.100656] ? security_socket_sendmsg+0x94/0xc0 [ 31.105400] ? netlink_unicast+0x740/0x740 [ 31.109621] sock_sendmsg+0xd5/0x120 [ 31.113319] sock_write_iter+0x35a/0x5a0 [ 31.117369] ? sock_sendmsg+0x120/0x120 [ 31.121352] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 31.126874] ? iov_iter_init+0xc9/0x1f0 [ 31.130838] __vfs_write+0x64d/0x960 [ 31.134549] ? kernel_read+0x120/0x120 [ 31.138422] ? lock_downgrade+0x8e0/0x8e0 [ 31.142551] ? handle_mm_fault+0x8c0/0xc70 [ 31.146772] ? handle_mm_fault+0x55a/0xc70 [ 31.151001] ? rw_verify_area+0x118/0x360 [ 31.155143] vfs_write+0x1f8/0x560 [ 31.158668] ksys_write+0xf9/0x250 [ 31.162192] ? __ia32_sys_read+0xb0/0xb0 [ 31.166239] ? __ia32_sys_fallocate+0xf0/0xf0 [ 31.170724] __x64_sys_write+0x73/0xb0 [ 31.174595] do_syscall_64+0x1b1/0x800 [ 31.178464] ? syscall_return_slowpath+0x5c0/0x5c0 [ 31.183379] ? syscall_return_slowpath+0x30f/0x5c0 [ 31.188300] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.193821] ? retint_user+0x18/0x18 [ 31.197522] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 31.202357] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.207526] RIP: 0033:0x43fcf9 [ 31.210695] RSP: 002b:00007ffecfa84e08 EFLAGS: 00000213 ORIG_RAX: 0000000000000001 [ 31.218388] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fcf9 [ 31.225641] RDX: 000000000000001f RSI: 0000000020390000 RDI: 0000000000000003 [ 31.232894] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 31.240159] R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401620 [ 31.247418] R13: 00000000004016b0 R14: 0000000000000000 R15: 0000000000000000 [ 31.254673] [ 31.256283] Allocated by task 4528: [ 31.259899] save_stack+0x43/0xd0 [ 31.263334] kasan_kmalloc+0xc4/0xe0 [ 31.267038] kasan_slab_alloc+0x12/0x20 [ 31.270998] kmem_cache_alloc+0x12e/0x760 [ 31.275147] skb_clone+0x1ed/0x4f0 [ 31.278679] dev_queue_xmit_nit+0x44a/0xc50 [ 31.282989] dev_hard_start_xmit+0x16b/0xc10 [ 31.287388] sch_direct_xmit+0x4de/0x11e0 [ 31.291517] __qdisc_run+0x611/0x19e0 [ 31.295300] __dev_queue_xmit+0x1417/0x3900 [ 31.299600] dev_queue_xmit+0x17/0x20 [ 31.303384] ip_finish_output2+0x1046/0x1840 [ 31.307774] ip_finish_output+0x828/0xf80 [ 31.311903] ip_output+0x21b/0x850 [ 31.315421] ip_local_out+0xc5/0x1b0 [ 31.319120] ip_queue_xmit+0x9d7/0x1f70 [ 31.323078] tcp_transmit_skb+0x1bea/0x3ec0 [ 31.327387] tcp_send_ack+0x4a1/0x690 [ 31.331170] tcp_cleanup_rbuf+0x409/0x730 [ 31.335298] tcp_recvmsg+0xae7/0x34a0 [ 31.339088] inet_recvmsg+0x179/0x6b0 [ 31.342869] sock_recvmsg+0xd0/0x110 [ 31.346574] sock_read_iter+0x381/0x550 [ 31.350532] __vfs_read+0x696/0xa50 [ 31.354141] vfs_read+0x17f/0x3d0 [ 31.357575] ksys_read+0xf9/0x250 [ 31.361011] __x64_sys_read+0x73/0xb0 [ 31.364803] do_syscall_64+0x1b1/0x800 [ 31.368675] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.373840] [ 31.375446] Freed by task 4528: [ 31.378714] save_stack+0x43/0xd0 [ 31.382154] __kasan_slab_free+0x11a/0x170 [ 31.386368] kasan_slab_free+0xe/0x10 [ 31.390151] kmem_cache_free+0x86/0x2d0 [ 31.394107] kfree_skbmem+0x13c/0x210 [ 31.397885] kfree_skb+0x19d/0x560 [ 31.401410] packet_rcv_spkt+0x126/0x730 [ 31.405473] dev_queue_xmit_nit+0x90c/0xc50 [ 31.409777] dev_hard_start_xmit+0x16b/0xc10 [ 31.414182] sch_direct_xmit+0x4de/0x11e0 [ 31.418312] __qdisc_run+0x611/0x19e0 [ 31.422099] __dev_queue_xmit+0x1417/0x3900 [ 31.426414] dev_queue_xmit+0x17/0x20 [ 31.430208] ip_finish_output2+0x1046/0x1840 [ 31.434602] ip_finish_output+0x828/0xf80 [ 31.438755] ip_output+0x21b/0x850 [ 31.442281] ip_local_out+0xc5/0x1b0 [ 31.445977] ip_queue_xmit+0x9d7/0x1f70 [ 31.449950] tcp_transmit_skb+0x1bea/0x3ec0 [ 31.454256] tcp_send_ack+0x4a1/0x690 [ 31.458046] tcp_cleanup_rbuf+0x409/0x730 [ 31.462185] tcp_recvmsg+0xae7/0x34a0 [ 31.465970] inet_recvmsg+0x179/0x6b0 [ 31.469756] sock_recvmsg+0xd0/0x110 [ 31.473453] sock_read_iter+0x381/0x550 [ 31.477412] __vfs_read+0x696/0xa50 [ 31.481032] vfs_read+0x17f/0x3d0 [ 31.484469] ksys_read+0xf9/0x250 [ 31.487908] __x64_sys_read+0x73/0xb0 [ 31.491699] do_syscall_64+0x1b1/0x800 [ 31.495574] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.500742] [ 31.502356] The buggy address belongs to the object at ffff8801acfbd080 [ 31.502356] which belongs to the cache skbuff_head_cache of size 232 [ 31.515520] The buggy address is located 99 bytes to the left of [ 31.515520] 232-byte region [ffff8801acfbd080, ffff8801acfbd168) [ 31.527729] The buggy address belongs to the page: [ 31.532652] page:ffffea0006b3ef40 count:1 mapcount:0 mapping:ffff8801acfbd080 index:0x0 [ 31.540792] flags: 0x2fffc0000000100(slab) [ 31.545036] raw: 02fffc0000000100 ffff8801acfbd080 0000000000000000 000000010000000c [ 31.552905] raw: ffffea0006b20d20 ffffea000766d960 ffff8801d9bdd6c0 0000000000000000 [ 31.560774] page dumped because: kasan: bad access detected [ 31.566472] [ 31.568081] Memory state around the buggy address: [ 31.572992] ffff8801acfbcf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.580344] ffff8801acfbcf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.587702] >ffff8801acfbd000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.595046] ^ [ 31.599183] ffff8801acfbd080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.606527] ffff8801acfbd100: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc [ 31.613864] ================================================================== [ 31.621203] Disabling lock debugging due to kernel taint [ 31.627014] Kernel panic - not syncing: panic_on_warn set ... [ 31.627014] [ 31.634391] CPU: 1 PID: 4538 Comm: syz-executor759 Tainted: G B 4.17.0-rc6+ #64 [ 31.643132] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.652470] Call Trace: [ 31.655056] dump_stack+0x1b9/0x294 [ 31.658667] ? dump_stack_print_info.cold.2+0x52/0x52 [ 31.663861] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 31.668605] ? nla_strlcpy+0x80/0x150 [ 31.672386] panic+0x22f/0x4de [ 31.675561] ? add_taint.cold.5+0x16/0x16 [ 31.679697] ? do_raw_spin_unlock+0x9e/0x2e0 [ 31.684103] ? do_raw_spin_unlock+0x9e/0x2e0 [ 31.688493] ? nla_strlcpy+0x13d/0x150 [ 31.692364] kasan_end_report+0x47/0x4f [ 31.696326] kasan_report.cold.7+0x76/0x2fe [ 31.700629] __asan_report_load1_noabort+0x14/0x20 [ 31.705540] nla_strlcpy+0x13d/0x150 [ 31.709235] nfnl_acct_new+0x574/0xc50 [ 31.713115] ? nfnl_acct_overquota+0x380/0x380 [ 31.717690] ? debug_check_no_locks_freed+0x310/0x310 [ 31.722858] ? graph_lock+0x170/0x170 [ 31.726639] ? print_usage_bug+0xc0/0xc0 [ 31.730681] ? find_held_lock+0x36/0x1c0 [ 31.734722] ? graph_lock+0x170/0x170 [ 31.738503] ? lock_downgrade+0x8e0/0x8e0 [ 31.742633] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.748151] ? __lock_is_held+0xb5/0x140 [ 31.752283] ? nfnl_acct_overquota+0x380/0x380 [ 31.756849] nfnetlink_rcv_msg+0xdb5/0xff0 [ 31.761084] ? __sanitizer_cov_trace_cmp1+0x17/0x20 [ 31.766086] ? nfnetlink_rcv_msg+0x3bc/0xff0 [ 31.770490] ? nfnetlink_bind+0x3a0/0x3a0 [ 31.774625] ? graph_lock+0x170/0x170 [ 31.778406] ? find_held_lock+0x36/0x1c0 [ 31.782464] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.787990] netlink_rcv_skb+0x172/0x440 [ 31.792044] ? nfnetlink_bind+0x3a0/0x3a0 [ 31.796175] ? netlink_ack+0xbc0/0xbc0 [ 31.800054] ? __netlink_ns_capable+0x100/0x130 [ 31.804705] nfnetlink_rcv+0x1fe/0x1ba0 [ 31.808683] ? kasan_check_read+0x11/0x20 [ 31.812818] ? rcu_is_watching+0x85/0x140 [ 31.816948] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 31.822122] ? nfnl_err_reset+0x2d0/0x2d0 [ 31.826256] ? netlink_remove_tap+0x610/0x610 [ 31.830732] ? refcount_add_not_zero+0x320/0x320 [ 31.835472] ? kasan_check_read+0x11/0x20 [ 31.839605] ? rcu_is_watching+0x85/0x140 [ 31.843736] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 31.848908] ? netlink_skb_destructor+0x210/0x210 [ 31.853732] ? kasan_check_write+0x14/0x20 [ 31.857949] netlink_unicast+0x58b/0x740 [ 31.861993] ? netlink_attachskb+0x970/0x970 [ 31.866393] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.871914] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 31.876915] ? security_netlink_send+0x88/0xb0 [ 31.881484] netlink_sendmsg+0x9f0/0xfa0 [ 31.885530] ? netlink_unicast+0x740/0x740 [ 31.889751] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.895288] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.900824] ? security_socket_sendmsg+0x94/0xc0 [ 31.905572] ? netlink_unicast+0x740/0x740 [ 31.909788] sock_sendmsg+0xd5/0x120 [ 31.913481] sock_write_iter+0x35a/0x5a0 [ 31.917521] ? sock_sendmsg+0x120/0x120 [ 31.921478] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 31.926995] ? iov_iter_init+0xc9/0x1f0 [ 31.930955] __vfs_write+0x64d/0x960 [ 31.934675] ? kernel_read+0x120/0x120 [ 31.938544] ? lock_downgrade+0x8e0/0x8e0 [ 31.942675] ? handle_mm_fault+0x8c0/0xc70 [ 31.946891] ? handle_mm_fault+0x55a/0xc70 [ 31.951107] ? rw_verify_area+0x118/0x360 [ 31.955234] vfs_write+0x1f8/0x560 [ 31.958772] ksys_write+0xf9/0x250 [ 31.962292] ? __ia32_sys_read+0xb0/0xb0 [ 31.966334] ? __ia32_sys_fallocate+0xf0/0xf0 [ 31.970811] __x64_sys_write+0x73/0xb0 [ 31.974680] do_syscall_64+0x1b1/0x800 [ 31.978548] ? syscall_return_slowpath+0x5c0/0x5c0 [ 31.983457] ? syscall_return_slowpath+0x30f/0x5c0 [ 31.988458] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.993977] ? retint_user+0x18/0x18 [ 31.997674] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 32.002501] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.007670] RIP: 0033:0x43fcf9 [ 32.010851] RSP: 002b:00007ffecfa84e08 EFLAGS: 00000213 ORIG_RAX: 0000000000000001 [ 32.018540] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fcf9 [ 32.025798] RDX: 000000000000001f RSI: 0000000020390000 RDI: 0000000000000003 [ 32.033046] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 32.040295] R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401620 [ 32.047544] R13: 00000000004016b0 R14: 0000000000000000 R15: 0000000000000000 [ 32.055295] Dumping ftrace buffer: [ 32.058820] (ftrace buffer empty) [ 32.062506] Kernel Offset: disabled [ 32.066113] Rebooting in 86400 seconds..