[....] Starting periodic command scheduler: cron [ ok ]. [....] Starting OpenBSD Secure Shell server: sshd[ 19.727679] random: sshd: uninitialized urandom read (32 bytes read) [ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 21.826462] random: sshd: uninitialized urandom read (32 bytes read) [ 22.239636] random: sshd: uninitialized urandom read (32 bytes read) [ 22.995957] random: sshd: uninitialized urandom read (32 bytes read) [ 23.154232] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.28' (ECDSA) to the list of known hosts. [ 28.606558] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 28.696803] ================================================================== [ 28.704261] BUG: KASAN: slab-out-of-bounds in nla_strlcpy+0x13d/0x150 [ 28.710826] Read of size 1 at addr ffff8801ac617f1d by task syz-executor739/4507 [ 28.718334] [ 28.719946] CPU: 0 PID: 4507 Comm: syz-executor739 Not tainted 4.17.0-rc7+ #73 [ 28.727285] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 28.736627] Call Trace: [ 28.739210] dump_stack+0x1b9/0x294 [ 28.742822] ? dump_stack_print_info.cold.2+0x52/0x52 [ 28.747993] ? printk+0x9e/0xba [ 28.751257] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 28.756038] ? kasan_check_write+0x14/0x20 [ 28.760265] print_address_description+0x6c/0x20b [ 28.765100] ? nla_strlcpy+0x13d/0x150 [ 28.768970] kasan_report.cold.7+0x242/0x2fe [ 28.773363] __asan_report_load1_noabort+0x14/0x20 [ 28.778275] nla_strlcpy+0x13d/0x150 [ 28.782115] nfnl_acct_new+0x574/0xc50 [ 28.785986] ? nfnl_acct_overquota+0x380/0x380 [ 28.790587] ? debug_check_no_locks_freed+0x310/0x310 [ 28.795777] ? graph_lock+0x170/0x170 [ 28.799568] ? print_usage_bug+0xc0/0xc0 [ 28.803614] ? find_held_lock+0x36/0x1c0 [ 28.807658] ? graph_lock+0x170/0x170 [ 28.811440] ? lock_downgrade+0x8e0/0x8e0 [ 28.815573] ? 
__sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.821106] ? __lock_is_held+0xb5/0x140 [ 28.825151] ? nfnl_acct_overquota+0x380/0x380 [ 28.829973] nfnetlink_rcv_msg+0xdb5/0xff0 [ 28.834202] ? __sanitizer_cov_trace_cmp1+0x17/0x20 [ 28.839201] ? nfnetlink_rcv_msg+0x3bc/0xff0 [ 28.843617] ? nfnetlink_bind+0x3a0/0x3a0 [ 28.847745] ? graph_lock+0x170/0x170 [ 28.851530] ? find_held_lock+0x36/0x1c0 [ 28.855585] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.861119] netlink_rcv_skb+0x172/0x440 [ 28.865229] ? nfnetlink_bind+0x3a0/0x3a0 [ 28.869358] ? netlink_ack+0xbc0/0xbc0 [ 28.873230] ? __netlink_ns_capable+0x100/0x130 [ 28.877888] nfnetlink_rcv+0x1fe/0x1ba0 [ 28.881849] ? kasan_check_read+0x11/0x20 [ 28.885998] ? rcu_is_watching+0x85/0x140 [ 28.890135] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 28.895314] ? nfnl_err_reset+0x2d0/0x2d0 [ 28.899448] ? netlink_remove_tap+0x610/0x610 [ 28.903940] ? refcount_add_not_zero+0x320/0x320 [ 28.908679] ? kasan_check_read+0x11/0x20 [ 28.912824] ? rcu_is_watching+0x85/0x140 [ 28.916956] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 28.922132] ? netlink_skb_destructor+0x210/0x210 [ 28.926963] ? kasan_check_write+0x14/0x20 [ 28.931180] netlink_unicast+0x58b/0x740 [ 28.935223] ? netlink_attachskb+0x970/0x970 [ 28.939614] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.945132] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 28.950130] ? security_netlink_send+0x88/0xb0 [ 28.954869] netlink_sendmsg+0x9f0/0xfa0 [ 28.958915] ? netlink_unicast+0x740/0x740 [ 28.963131] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.968664] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.974195] ? security_socket_sendmsg+0x94/0xc0 [ 28.979015] ? netlink_unicast+0x740/0x740 [ 28.983264] sock_sendmsg+0xd5/0x120 [ 28.986972] sock_write_iter+0x35a/0x5a0 [ 28.993556] ? sock_sendmsg+0x120/0x120 [ 28.997521] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 29.005425] ? iov_iter_init+0xc9/0x1f0 [ 29.009394] __vfs_write+0x64d/0x960 [ 29.014546] ? 
kernel_read+0x120/0x120 [ 29.018916] ? lock_downgrade+0x8e0/0x8e0 [ 29.023163] ? handle_mm_fault+0x8c0/0xc70 [ 29.027383] ? handle_mm_fault+0x55a/0xc70 [ 29.031605] ? rw_verify_area+0x118/0x360 [ 29.035739] vfs_write+0x1f8/0x560 [ 29.039267] ksys_write+0xf9/0x250 [ 29.042791] ? __ia32_sys_read+0xb0/0xb0 [ 29.046836] __x64_sys_write+0x73/0xb0 [ 29.050709] do_syscall_64+0x1b1/0x800 [ 29.054581] ? syscall_return_slowpath+0x5c0/0x5c0 [ 29.059495] ? syscall_return_slowpath+0x30f/0x5c0 [ 29.064411] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 29.069936] ? retint_user+0x18/0x18 [ 29.073642] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 29.079251] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 29.084422] RIP: 0033:0x43ff09 [ 29.087591] RSP: 002b:00007fff06d0bf78 EFLAGS: 00000213 ORIG_RAX: 0000000000000001 [ 29.095298] RAX: ffffffffffffffda RBX: 00007fff06d0bf90 RCX: 000000000043ff09 [ 29.102546] RDX: 000000000000007b RSI: 0000000020000080 RDI: 0000000000000003 [ 29.109797] RBP: 00000000006cb018 R08: 0000000000000000 R09: 0000000000000000 [ 29.117050] R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004017d0 [ 29.124302] R13: 0000000000401860 R14: 0000000000000000 R15: 0000000000000000 [ 29.131557] [ 29.133167] Allocated by task 2857: [ 29.136782] save_stack+0x43/0xd0 [ 29.140217] kasan_kmalloc+0xc4/0xe0 [ 29.143925] kasan_slab_alloc+0x12/0x20 [ 29.147879] kmem_cache_alloc+0x12e/0x760 [ 29.152014] getname_flags+0xd0/0x5a0 [ 29.155805] getname+0x19/0x20 [ 29.158979] do_sys_open+0x39a/0x740 [ 29.162675] __x64_sys_open+0x7e/0xc0 [ 29.166455] do_syscall_64+0x1b1/0x800 [ 29.170339] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 29.175511] [ 29.177118] Freed by task 2857: [ 29.180385] save_stack+0x43/0xd0 [ 29.183820] __kasan_slab_free+0x11a/0x170 [ 29.188053] kasan_slab_free+0xe/0x10 [ 29.191842] kmem_cache_free+0x86/0x2d0 [ 29.195798] putname+0xf2/0x130 [ 29.199060] do_sys_open+0x554/0x740 [ 29.202755] __x64_sys_open+0x7e/0xc0 [ 29.206537] do_syscall_64+0x1b1/0x800 [ 29.210407] 
entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 29.215571] [ 29.217180] The buggy address belongs to the object at ffff8801ac616680 [ 29.217180] which belongs to the cache names_cache of size 4096 [ 29.229909] The buggy address is located 2205 bytes to the right of [ 29.229909] 4096-byte region [ffff8801ac616680, ffff8801ac617680) [ 29.242652] The buggy address belongs to the page: [ 29.247565] page:ffffea0006b18580 count:1 mapcount:0 mapping:ffff8801ac616680 index:0x0 compound_mapcount: 0 [ 29.257516] flags: 0x2fffc0000008100(slab|head) [ 29.262169] raw: 02fffc0000008100 ffff8801ac616680 0000000000000000 0000000100000001 [ 29.270049] raw: ffffea000764c8a0 ffffea0006b18ca0 ffff8801da988dc0 0000000000000000 [ 29.277906] page dumped because: kasan: bad access detected [ 29.283596] [ 29.285206] Memory state around the buggy address: [ 29.290115] ffff8801ac617e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.297470] ffff8801ac617e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.304823] >ffff8801ac617f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.312160] ^ [ 29.316414] ffff8801ac617f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.323750] ffff8801ac618000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.331088] ================================================================== [ 29.338622] Disabling lock debugging due to kernel taint [ 29.344122] Kernel panic - not syncing: panic_on_warn set ... [ 29.344122] [ 29.351494] CPU: 0 PID: 4507 Comm: syz-executor739 Tainted: G B 4.17.0-rc7+ #73 [ 29.361621] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 29.370956] Call Trace: [ 29.373530] dump_stack+0x1b9/0x294 [ 29.377142] ? dump_stack_print_info.cold.2+0x52/0x52 [ 29.382310] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 29.387050] ? nla_strlcpy+0x110/0x150 [ 29.390919] panic+0x22f/0x4de [ 29.394092] ? add_taint.cold.5+0x16/0x16 [ 29.398220] ? do_raw_spin_unlock+0x9e/0x2e0 [ 29.402606] ? 
do_raw_spin_unlock+0x9e/0x2e0 [ 29.406993] ? nla_strlcpy+0x13d/0x150 [ 29.410877] kasan_end_report+0x47/0x4f [ 29.414843] kasan_report.cold.7+0x76/0x2fe [ 29.419148] __asan_report_load1_noabort+0x14/0x20 [ 29.424062] nla_strlcpy+0x13d/0x150 [ 29.427768] nfnl_acct_new+0x574/0xc50 [ 29.431634] ? nfnl_acct_overquota+0x380/0x380 [ 29.436198] ? debug_check_no_locks_freed+0x310/0x310 [ 29.441372] ? graph_lock+0x170/0x170 [ 29.445155] ? print_usage_bug+0xc0/0xc0 [ 29.449197] ? find_held_lock+0x36/0x1c0 [ 29.453241] ? graph_lock+0x170/0x170 [ 29.457035] ? lock_downgrade+0x8e0/0x8e0 [ 29.461171] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 29.466690] ? __lock_is_held+0xb5/0x140 [ 29.470736] ? nfnl_acct_overquota+0x380/0x380 [ 29.475299] nfnetlink_rcv_msg+0xdb5/0xff0 [ 29.479521] ? __sanitizer_cov_trace_cmp1+0x17/0x20 [ 29.484518] ? nfnetlink_rcv_msg+0x3bc/0xff0 [ 29.488910] ? nfnetlink_bind+0x3a0/0x3a0 [ 29.493039] ? graph_lock+0x170/0x170 [ 29.496820] ? find_held_lock+0x36/0x1c0 [ 29.500861] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 29.506380] netlink_rcv_skb+0x172/0x440 [ 29.510420] ? nfnetlink_bind+0x3a0/0x3a0 [ 29.514548] ? netlink_ack+0xbc0/0xbc0 [ 29.518415] ? __netlink_ns_capable+0x100/0x130 [ 29.523075] nfnetlink_rcv+0x1fe/0x1ba0 [ 29.527038] ? kasan_check_read+0x11/0x20 [ 29.531166] ? rcu_is_watching+0x85/0x140 [ 29.535293] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 29.540464] ? nfnl_err_reset+0x2d0/0x2d0 [ 29.544592] ? netlink_remove_tap+0x610/0x610 [ 29.549074] ? refcount_add_not_zero+0x320/0x320 [ 29.553810] ? kasan_check_read+0x11/0x20 [ 29.557937] ? rcu_is_watching+0x85/0x140 [ 29.562065] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 29.567235] ? netlink_skb_destructor+0x210/0x210 [ 29.572068] ? kasan_check_write+0x14/0x20 [ 29.576409] netlink_unicast+0x58b/0x740 [ 29.580457] ? netlink_attachskb+0x970/0x970 [ 29.584849] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 29.590366] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 29.595365] ? 
security_netlink_send+0x88/0xb0 [ 29.599939] netlink_sendmsg+0x9f0/0xfa0 [ 29.603999] ? netlink_unicast+0x740/0x740 [ 29.608223] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 29.613757] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 29.619291] ? security_socket_sendmsg+0x94/0xc0 [ 29.624026] ? netlink_unicast+0x740/0x740 [ 29.628242] sock_sendmsg+0xd5/0x120 [ 29.631964] sock_write_iter+0x35a/0x5a0 [ 29.636006] ? sock_sendmsg+0x120/0x120 [ 29.639964] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 29.645479] ? iov_iter_init+0xc9/0x1f0 [ 29.649433] __vfs_write+0x64d/0x960 [ 29.653124] ? kernel_read+0x120/0x120 [ 29.656991] ? lock_downgrade+0x8e0/0x8e0 [ 29.661122] ? handle_mm_fault+0x8c0/0xc70 [ 29.665337] ? handle_mm_fault+0x55a/0xc70 [ 29.669552] ? rw_verify_area+0x118/0x360 [ 29.673677] vfs_write+0x1f8/0x560 [ 29.677193] ksys_write+0xf9/0x250 [ 29.680724] ? __ia32_sys_read+0xb0/0xb0 [ 29.684767] __x64_sys_write+0x73/0xb0 [ 29.688636] do_syscall_64+0x1b1/0x800 [ 29.692501] ? syscall_return_slowpath+0x5c0/0x5c0 [ 29.697410] ? syscall_return_slowpath+0x30f/0x5c0 [ 29.702322] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 29.707847] ? retint_user+0x18/0x18 [ 29.711540] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 29.716361] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 29.721529] RIP: 0033:0x43ff09 [ 29.724697] RSP: 002b:00007fff06d0bf78 EFLAGS: 00000213 ORIG_RAX: 0000000000000001 [ 29.732554] RAX: ffffffffffffffda RBX: 00007fff06d0bf90 RCX: 000000000043ff09 [ 29.739802] RDX: 000000000000007b RSI: 0000000020000080 RDI: 0000000000000003 [ 29.747053] RBP: 00000000006cb018 R08: 0000000000000000 R09: 0000000000000000 [ 29.754301] R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004017d0 [ 29.761548] R13: 0000000000401860 R14: 0000000000000000 R15: 0000000000000000 [ 29.769221] Dumping ftrace buffer: [ 29.772745] (ftrace buffer empty) [ 29.776442] Kernel Offset: disabled [ 29.780050] Rebooting in 86400 seconds..