[ ok ] Starting periodic command scheduler: cron.
[   19.348832] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   20.445396] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   20.666941] random: sshd: uninitialized urandom read (32 bytes read)
[   21.409906] random: sshd: uninitialized urandom read (32 bytes read)
[   21.558352] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.13' (ECDSA) to the list of known hosts.
[   26.939591] random: sshd: uninitialized urandom read (32 bytes read)
2018/05/26 20:01:33 parsed 1 programs
2018/05/26 20:01:33 executed programs: 0
[   27.440423] IPVS: ftp: loaded support on port[0] = 21
[   27.562708] bridge0: port 1(bridge_slave_0) entered blocking state
[   27.569150] bridge0: port 1(bridge_slave_0) entered disabled state
[   27.576446] device bridge_slave_0 entered promiscuous mode
[   27.592648] bridge0: port 2(bridge_slave_1) entered blocking state
[   27.599064] bridge0: port 2(bridge_slave_1) entered disabled state
[   27.606223] device bridge_slave_1 entered promiscuous mode
[   27.621253] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   27.636676] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   27.677442] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   27.695011] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   27.756717] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   27.764073] team0: Port device team_slave_0 added
[   27.777819] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   27.784867] team0: Port device team_slave_1 added
[   27.799225] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   27.816281] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   27.832432] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   27.849684] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   27.960441] bridge0: port 2(bridge_slave_1) entered blocking state
[   27.966871] bridge0: port 2(bridge_slave_1) entered forwarding state
[   27.973777] bridge0: port 1(bridge_slave_0) entered blocking state
[   27.980124] bridge0: port 1(bridge_slave_0) entered forwarding state
[   28.369533] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   28.375632] 8021q: adding VLAN 0 to HW filter on device bond0
[   28.418202] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   28.461616] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   28.469357] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   28.507306] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   28.514400] 8021q: adding VLAN 0 to HW filter on device team0
[   28.521217] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   28.758367] ==================================================================
[   28.765845] BUG: KASAN: use-after-free in nla_strlcpy+0x13d/0x150
[   28.772070] Read of size 1 at addr ffff8801d3ce655d by task syz-executor0/4735
[   28.779410]
[   28.781027] CPU: 1 PID: 4735 Comm: syz-executor0 Not tainted 4.17.0-rc6+ #93
[   28.788194] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.797530] Call Trace:
[   28.800103]  dump_stack+0x1b9/0x294
[   28.803713]  ? dump_stack_print_info.cold.2+0x52/0x52
[   28.808883]  ? printk+0x9e/0xba
[   28.812147]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   28.816883]  ? kasan_check_write+0x14/0x20
[   28.821097]  print_address_description+0x6c/0x20b
[   28.825940]  ? nla_strlcpy+0x13d/0x150
[   28.829808]  kasan_report.cold.7+0x242/0x2fe
[   28.834205]  __asan_report_load1_noabort+0x14/0x20
[   28.839118]  nla_strlcpy+0x13d/0x150
[   28.842823]  nfnl_acct_new+0x574/0xc50
[   28.846710]  ? nfnl_acct_overquota+0x380/0x380
[   28.851282]  ? debug_check_no_locks_freed+0x310/0x310
[   28.856454]  ? graph_lock+0x170/0x170
[   28.860239]  ? print_usage_bug+0xc0/0xc0
[   28.864285]  ? get_futex_key+0xf83/0x1e90
[   28.868424]  ? find_held_lock+0x36/0x1c0
[   28.872468]  ? graph_lock+0x170/0x170
[   28.876258]  ? lock_downgrade+0x8e0/0x8e0
[   28.880394]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.885933]  ? __lock_is_held+0xb5/0x140
[   28.889981]  ? nfnl_acct_overquota+0x380/0x380
[   28.894546]  nfnetlink_rcv_msg+0xdb5/0xff0
[   28.898763]  ? __lock_is_held+0xb5/0x140
[   28.902810]  ? __sanitizer_cov_trace_cmp1+0x17/0x20
[   28.907805]  ? nfnetlink_rcv_msg+0x3bc/0xff0
[   28.912203]  ? nfnetlink_bind+0x3a0/0x3a0
[   28.916336]  ? graph_lock+0x170/0x170
[   28.920115]  ? find_held_lock+0x36/0x1c0
[   28.924160]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.929700]  netlink_rcv_skb+0x172/0x440
[   28.933751]  ? nfnetlink_bind+0x3a0/0x3a0
[   28.937879]  ? netlink_ack+0xbc0/0xbc0
[   28.941750]  ? __netlink_ns_capable+0x100/0x130
[   28.946402]  nfnetlink_rcv+0x1fe/0x1ba0
[   28.950358]  ? kasan_check_read+0x11/0x20
[   28.954499]  ? rcu_is_watching+0x85/0x140
[   28.958643]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   28.963827]  ? nfnl_err_reset+0x2d0/0x2d0
[   28.967958]  ? netlink_remove_tap+0x610/0x610
[   28.972438]  ? refcount_add_not_zero+0x320/0x320
[   28.977176]  ? kasan_check_read+0x11/0x20
[   28.981314]  ? rcu_is_watching+0x85/0x140
[   28.985444]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   28.990618]  ? netlink_skb_destructor+0x210/0x210
[   28.995442]  ? kasan_check_write+0x14/0x20
[   28.999670]  netlink_unicast+0x58b/0x740
[   29.003722]  ? netlink_attachskb+0x970/0x970
[   29.008117]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.013639]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   29.018637]  ? security_netlink_send+0x88/0xb0
[   29.023209]  netlink_sendmsg+0x9f0/0xfa0
[   29.027258]  ? netlink_unicast+0x740/0x740
[   29.031480]  ? pud_val+0x80/0xf0
[   29.034831]  ? security_socket_sendmsg+0x94/0xc0
[   29.039567]  ? netlink_unicast+0x740/0x740
[   29.043782]  sock_sendmsg+0xd5/0x120
[   29.047477]  sock_write_iter+0x35a/0x5a0
[   29.051519]  ? sock_sendmsg+0x120/0x120
[   29.055474]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   29.060214]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   29.065730]  ? iov_iter_init+0xc9/0x1f0
[   29.069694]  __vfs_write+0x64d/0x960
[   29.073397]  ? kernel_read+0x120/0x120
[   29.077274]  ? handle_mm_fault+0x8c0/0xc70
[   29.081492]  ? rw_verify_area+0x118/0x360
[   29.085623]  vfs_write+0x1f8/0x560
[   29.089144]  ksys_write+0xf9/0x250
[   29.092673]  ? __ia32_sys_read+0xb0/0xb0
[   29.096714]  ? mm_fault_error+0x380/0x380
[   29.100848]  __ia32_sys_write+0x71/0xb0
[   29.104807]  do_fast_syscall_32+0x345/0xf9b
[   29.109132]  ? do_int80_syscall_32+0x880/0x880
[   29.113696]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.118437]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.123955]  ? syscall_return_slowpath+0x30f/0x5c0
[   29.128880]  ? sysret32_from_system_call+0x5/0x46
[   29.133725]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   29.138551]  entry_SYSENTER_compat+0x70/0x7f
[   29.142938] RIP: 0023:0xf7faccb9
[   29.146283] RSP: 002b:00000000ffed915c EFLAGS: 00000286 ORIG_RAX: 0000000000000004
[   29.153982] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020390000
[   29.161229] RDX: 000000000000001f RSI: 0000000000000000 RDI: 0000000000000000
[   29.168477] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   29.175724] R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
[   29.182972] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   29.190226]
[   29.191835] Allocated by task 4239:
[   29.195446]  save_stack+0x43/0xd0
[   29.198879]  kasan_kmalloc+0xc4/0xe0
[   29.202579]  kasan_slab_alloc+0x12/0x20
[   29.206533]  kmem_cache_alloc+0x12e/0x760
[   29.210661]  copy_process.part.38+0x2d10/0x6e70
[   29.215306]  _do_fork+0x291/0x12a0
[   29.218830]  __x64_sys_clone+0xbf/0x150
[   29.222784]  do_syscall_64+0x1b1/0x800
[   29.226656]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   29.231819]
[   29.233430] Freed by task 4244:
[   29.236701]  save_stack+0x43/0xd0
[   29.240137]  __kasan_slab_free+0x11a/0x170
[   29.244350]  kasan_slab_free+0xe/0x10
[   29.248130]  kmem_cache_free+0x86/0x2d0
[   29.252084]  remove_vma+0x164/0x1b0
[   29.255694]  exit_mmap+0x35d/0x5a0
[   29.259219]  mmput+0x251/0x610
[   29.262389]  flush_old_exec+0xb94/0x20e0
[   29.266429]  load_elf_binary+0xa33/0x5610
[   29.270562]  search_binary_handler+0x17d/0x570
[   29.275122]  do_execveat_common.isra.34+0x16ce/0x2590
[   29.280296]  __x64_sys_execve+0x8d/0xb0
[   29.284251]  do_syscall_64+0x1b1/0x800
[   29.288121]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   29.293284]
[   29.294891] The buggy address belongs to the object at ffff8801d3ce6528
[   29.294891]  which belongs to the cache vm_area_struct of size 200
[   29.308287] The buggy address is located 53 bytes inside of
[   29.308287]  200-byte region [ffff8801d3ce6528, ffff8801d3ce65f0)
[   29.320055] The buggy address belongs to the page:
[   29.324969] page:ffffea00074f3980 count:1 mapcount:0 mapping:ffff8801d3ce6000 index:0x0
[   29.333089] flags: 0x2fffc0000000100(slab)
[   29.337310] raw: 02fffc0000000100 ffff8801d3ce6000 0000000000000000 000000010000000f
[   29.345176] raw: ffffea0006be7a60 ffffea0006c1cba0 ffff8801da97a840 0000000000000000
[   29.353038] page dumped because: kasan: bad access detected
[   29.358730]
[   29.360332] Memory state around the buggy address:
[   29.365241]  ffff8801d3ce6400: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb
[   29.372580]  ffff8801d3ce6480: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[   29.379914] >ffff8801d3ce6500: fc fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb
[   29.387248]                                                     ^
[   29.393463]  ffff8801d3ce6580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[   29.400808]  ffff8801d3ce6600: fc fc fc fc fc fc fb fb fb fb fb fb fb fb fb fb
[   29.408145] ==================================================================
[   29.415480] Disabling lock debugging due to kernel taint
[   29.422067] Kernel panic - not syncing: panic_on_warn set ...
[   29.422067]
[   29.429435] CPU: 1 PID: 4735 Comm: syz-executor0 Tainted: G    B 4.17.0-rc6+ #93
[   29.437988] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.447326] Call Trace:
[   29.449903]  dump_stack+0x1b9/0x294
[   29.453511]  ? dump_stack_print_info.cold.2+0x52/0x52
[   29.458682]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.463417]  ? nla_strlcpy+0x70/0x150
[   29.467203]  panic+0x22f/0x4de
[   29.470379]  ? add_taint.cold.5+0x16/0x16
[   29.474508]  ? do_raw_spin_unlock+0x9e/0x2e0
[   29.478895]  ? do_raw_spin_unlock+0x9e/0x2e0
[   29.483279]  ? nla_strlcpy+0x13d/0x150
[   29.487146]  kasan_end_report+0x47/0x4f
[   29.491103]  kasan_report.cold.7+0x76/0x2fe
[   29.495412]  __asan_report_load1_noabort+0x14/0x20
[   29.500327]  nla_strlcpy+0x13d/0x150
[   29.504030]  nfnl_acct_new+0x574/0xc50
[   29.507900]  ? nfnl_acct_overquota+0x380/0x380
[   29.512460]  ? debug_check_no_locks_freed+0x310/0x310
[   29.517639]  ? graph_lock+0x170/0x170
[   29.521421]  ? print_usage_bug+0xc0/0xc0
[   29.525461]  ? get_futex_key+0xf83/0x1e90
[   29.529594]  ? find_held_lock+0x36/0x1c0
[   29.533634]  ? graph_lock+0x170/0x170
[   29.537411]  ? lock_downgrade+0x8e0/0x8e0
[   29.541548]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.547063]  ? __lock_is_held+0xb5/0x140
[   29.551108]  ? nfnl_acct_overquota+0x380/0x380
[   29.555673]  nfnetlink_rcv_msg+0xdb5/0xff0
[   29.559889]  ? __lock_is_held+0xb5/0x140
[   29.563936]  ? __sanitizer_cov_trace_cmp1+0x17/0x20
[   29.568931]  ? nfnetlink_rcv_msg+0x3bc/0xff0
[   29.573317]  ? nfnetlink_bind+0x3a0/0x3a0
[   29.577448]  ? graph_lock+0x170/0x170
[   29.581224]  ? find_held_lock+0x36/0x1c0
[   29.585275]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.590791]  netlink_rcv_skb+0x172/0x440
[   29.594832]  ? nfnetlink_bind+0x3a0/0x3a0
[   29.598956]  ? netlink_ack+0xbc0/0xbc0
[   29.602822]  ? __netlink_ns_capable+0x100/0x130
[   29.607472]  nfnetlink_rcv+0x1fe/0x1ba0
[   29.611427]  ? kasan_check_read+0x11/0x20
[   29.615552]  ? rcu_is_watching+0x85/0x140
[   29.619676]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   29.624844]  ? nfnl_err_reset+0x2d0/0x2d0
[   29.628973]  ? netlink_remove_tap+0x610/0x610
[   29.633449]  ? refcount_add_not_zero+0x320/0x320
[   29.638182]  ? kasan_check_read+0x11/0x20
[   29.642306]  ? rcu_is_watching+0x85/0x140
[   29.646437]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   29.651606]  ? netlink_skb_destructor+0x210/0x210
[   29.656432]  ? kasan_check_write+0x14/0x20
[   29.660646]  netlink_unicast+0x58b/0x740
[   29.664686]  ? netlink_attachskb+0x970/0x970
[   29.669075]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.674588]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   29.679590]  ? security_netlink_send+0x88/0xb0
[   29.684152]  netlink_sendmsg+0x9f0/0xfa0
[   29.688192]  ? netlink_unicast+0x740/0x740
[   29.692407]  ? pud_val+0x80/0xf0
[   29.695758]  ? security_socket_sendmsg+0x94/0xc0
[   29.700490]  ? netlink_unicast+0x740/0x740
[   29.704706]  sock_sendmsg+0xd5/0x120
[   29.708405]  sock_write_iter+0x35a/0x5a0
[   29.712447]  ? sock_sendmsg+0x120/0x120
[   29.716400]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   29.721141]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   29.726666]  ? iov_iter_init+0xc9/0x1f0
[   29.730630]  __vfs_write+0x64d/0x960
[   29.734321]  ? kernel_read+0x120/0x120
[   29.738187]  ? handle_mm_fault+0x8c0/0xc70
[   29.742399]  ? rw_verify_area+0x118/0x360
[   29.746526]  vfs_write+0x1f8/0x560
[   29.750050]  ksys_write+0xf9/0x250
[   29.753567]  ? __ia32_sys_read+0xb0/0xb0
[   29.757605]  ? mm_fault_error+0x380/0x380
[   29.761730]  __ia32_sys_write+0x71/0xb0
[   29.765874]  do_fast_syscall_32+0x345/0xf9b
[   29.770175]  ? do_int80_syscall_32+0x880/0x880
[   29.774732]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.779467]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.784990]  ? syscall_return_slowpath+0x30f/0x5c0
[   29.789906]  ? sysret32_from_system_call+0x5/0x46
[   29.794733]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   29.799571]  entry_SYSENTER_compat+0x70/0x7f
[   29.803965] RIP: 0023:0xf7faccb9
[   29.807305] RSP: 002b:00000000ffed915c EFLAGS: 00000286 ORIG_RAX: 0000000000000004
[   29.814990] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020390000
[   29.822239] RDX: 000000000000001f RSI: 0000000000000000 RDI: 0000000000000000
[   29.829494] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   29.836747] R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
[   29.844011] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   29.851759] Dumping ftrace buffer:
[   29.855287]    (ftrace buffer empty)
[   29.858973] Kernel Offset: disabled
[   29.862577] Rebooting in 86400 seconds..
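The report above is easier to triage once its fields are pulled apart: the access (a 1-byte read in nla_strlcpy, reached from nfnl_acct_new through a write() on an nfnetlink socket that entered the kernel via entry_SYSENTER_compat, i.e. a 32-bit caller), the reliable frames of the call trace (entries prefixed with "?" are stack-scan guesses and should be ignored), the allocation and free stacks (the object is a vm_area_struct allocated in clone by task 4239 and freed by task 4244 during execve), and the slab object the faulting address falls in. The script below is an added example, not part of this log or of syzkaller; its sample input is an excerpt of the report on this page, and the field names, the list of frames it treats as sanitizer plumbing, and the CS-selector check (0x23 is the 32-bit user code segment on x86-64) are this script's own conventions.

```python
"""Structured triage of a KASAN report from a kernel console log.
Added example; not part of the original log or of syzkaller."""
import re

# Excerpt of the report on this page, trimmed to the lines the parser uses.
SAMPLE_REPORT = """\
[   28.765845] BUG: KASAN: use-after-free in nla_strlcpy+0x13d/0x150
[   28.772070] Read of size 1 at addr ffff8801d3ce655d by task syz-executor0/4735
[   28.797530] Call Trace:
[   28.800103]  dump_stack+0x1b9/0x294
[   28.839118]  nla_strlcpy+0x13d/0x150
[   28.842823]  nfnl_acct_new+0x574/0xc50
[   28.846710]  ? nfnl_acct_overquota+0x380/0x380
[   28.894546]  nfnetlink_rcv_msg+0xdb5/0xff0
[   29.138551]  entry_SYSENTER_compat+0x70/0x7f
[   29.142938] RIP: 0023:0xf7faccb9
[   29.191835] Allocated by task 4239:
[   29.195446]  save_stack+0x43/0xd0
[   29.206533]  kmem_cache_alloc+0x12e/0x760
[   29.210661]  copy_process.part.38+0x2d10/0x6e70
[   29.233430] Freed by task 4244:
[   29.236701]  save_stack+0x43/0xd0
[   29.248130]  kmem_cache_free+0x86/0x2d0
[   29.252084]  remove_vma+0x164/0x1b0
[   29.294891] The buggy address belongs to the object at ffff8801d3ce6528
[   29.294891]  which belongs to the cache vm_area_struct of size 200
[   29.308287] The buggy address is located 53 bytes inside of
[   29.308287]  200-byte region [ffff8801d3ce6528, ffff8801d3ce65f0)
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # printk timestamp prefix
FRAME = re.compile(r"^\s*(?P<guess>\?\s+)?(?P<func>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
FIELDS = {
    "bug": re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+"),
    "access": re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                         r"(?P<addr>[0-9a-f]+) by task (?P<comm>[^\s/]+)/(?P<pid>\d+)"),
    "alloc": re.compile(r"^Allocated by task (?P<alloc_pid>\d+):"),
    "free": re.compile(r"^Freed by task (?P<free_pid>\d+):"),
    "object": re.compile(r"belongs to the object at (?P<object_base>[0-9a-f]+)"),
    "cache": re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<object_size>\d+)"),
    "located": re.compile(r"located (?P<stated_offset>\d+) bytes (?P<where>inside of|to the (?:left|right) of)"),
    "rip": re.compile(r"^RIP: (?P<user_cs>[0-9a-f]{4}):"),
}
HEX = {"addr", "object_base", "user_cs"}
DEC = {"size", "pid", "alloc_pid", "free_pid", "object_size", "stated_offset"}
# Frames that are sanitizer/allocator bookkeeping rather than the code under test (heuristic).
PLUMBING = ("dump_stack", "print_address_description", "kasan_", "__kasan_",
            "__asan_", "save_stack", "kmem_cache_")


def parse_kasan_report(text):
    rep = {"call_trace": [], "alloc_trace": [], "free_trace": []}
    section = None  # which trace list frames currently belong to
    for raw in text.splitlines():
        line = TS.sub("", raw).rstrip()
        m = FRAME.match(line)
        if section and m:
            if not m.group("guess"):  # "? foo" frames are stack-scan guesses; drop them
                rep[section].append(m.group("func"))
            continue
        section = None  # any non-frame line ends the current trace
        if line == "Call Trace:":
            section = "call_trace"
            continue
        for name, pat in FIELDS.items():
            m = pat.search(line)
            if not m:
                continue
            for key, val in m.groupdict().items():
                rep[key] = int(val, 16) if key in HEX else int(val) if key in DEC else val
            if name in ("alloc", "free"):
                section = name + "_trace"
    return rep


def first_code_frame(frames):
    """First frame of a stack that is not sanitizer/allocator plumbing."""
    return next((f for f in frames if not f.startswith(PLUMBING)), None)


def summarize(rep):
    trace = rep["call_trace"]
    faulting = rep.get("func")
    caller = trace[trace.index(faulting) + 1] if faulting in trace else None
    offset = rep["addr"] - rep["object_base"]
    return {
        "bug": "%s %s of %d byte(s) in %s" % (rep["kind"], rep["op"].lower(), rep["size"], faulting),
        "caller": caller,                        # first frame above the faulting function
        "entry": trace[-1] if trace else None,   # syscall entry that reached it
        "compat32": rep.get("user_cs") == 0x23,  # 0x23 is __USER32_CS on x86-64
        "alloc_site": first_code_frame(rep["alloc_trace"]),
        "free_site": first_code_frame(rep["free_trace"]),
        "cache": "%s (%d bytes)" % (rep["cache"], rep["object_size"]),
        "offset": offset,
        "offset_consistent": offset == rep["stated_offset"],  # cross-check KASAN's own arithmetic
    }


if __name__ == "__main__":
    for key, val in summarize(parse_kasan_report(SAMPLE_REPORT)).items():
        print("%-18s %s" % (key, val))
```

Feeding the full log through the same parser works too, because everything outside the KASAN block matches none of the patterns; the second, post-panic call trace would simply be appended to `call_trace`, so for multi-report logs split on the `====` delimiter lines first.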