[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[ 23.199017] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 27.951546] random: sshd: uninitialized urandom read (32 bytes read)
[ 28.230717] random: sshd: uninitialized urandom read (32 bytes read)
[ 28.778076] random: sshd: uninitialized urandom read (32 bytes read)
[ 93.365063] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.28' (ECDSA) to the list of known hosts.
[ 98.964943] random: sshd: uninitialized urandom read (32 bytes read)
2018/08/18 23:57:57 parsed 1 programs
[ 100.253521] random: cc1: uninitialized urandom read (8 bytes read)
2018/08/18 23:57:59 executed programs: 0
[ 101.651528] IPVS: ftp: loaded support on port[0] = 21
[ 101.858760] bridge0: port 1(bridge_slave_0) entered blocking state
[ 101.865409] bridge0: port 1(bridge_slave_0) entered disabled state
[ 101.873148] device bridge_slave_0 entered promiscuous mode
[ 101.889455] bridge0: port 2(bridge_slave_1) entered blocking state
[ 101.895833] bridge0: port 2(bridge_slave_1) entered disabled state
[ 101.902980] device bridge_slave_1 entered promiscuous mode
[ 101.919321] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 101.935168] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 101.978448] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 101.996644] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 102.061133] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 102.068426] team0: Port device team_slave_0 added
[ 102.084192] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 102.091278] team0: Port device team_slave_1 added
[ 102.106041] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 102.120048] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 102.137581] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 102.154979] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 102.278561] bridge0: port 2(bridge_slave_1) entered blocking state
[ 102.285029] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 102.291899] bridge0: port 1(bridge_slave_0) entered blocking state
[ 102.298265] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 102.725329] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 102.731454] 8021q: adding VLAN 0 to HW filter on device bond0
[ 102.776197] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 102.820334] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 102.829095] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 102.869108] 8021q: adding VLAN 0 to HW filter on device team0
2018/08/18 23:58:04 executed programs: 232
[ 107.353579] ==================================================================
[ 107.361100] BUG: KASAN: use-after-free in tipc_group_fill_sock_diag+0x7b9/0x84b
[ 107.368549] Read of size 4 at addr ffff8801aed4b75c by task syz-executor0/5799
[ 107.375901] 
[ 107.377535] CPU: 1 PID: 5799 Comm: syz-executor0 Not tainted 4.18.0+ #196
[ 107.384463] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 107.393909] Call Trace:
[ 107.396519]  dump_stack+0x1c9/0x2b4
[ 107.400158]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 107.405351]  ? printk+0xa7/0xcf
[ 107.408635]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 107.413400]  ? tipc_group_fill_sock_diag+0x7b9/0x84b
[ 107.418507]  print_address_description+0x6c/0x20b
[ 107.423367]  ? tipc_group_fill_sock_diag+0x7b9/0x84b
[ 107.428475]  kasan_report.cold.7+0x242/0x30d
[ 107.432892]  __asan_report_load4_noabort+0x14/0x20
[ 107.437824]  tipc_group_fill_sock_diag+0x7b9/0x84b
[ 107.442767]  ? tipc_group_member_evt+0xe30/0xe30
[ 107.447530]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 107.452554]  ? skb_put+0x17b/0x1e0
[ 107.456096]  ? memset+0x31/0x40
[ 107.459402]  ? memcpy+0x45/0x50
[ 107.462686]  ? __nla_put+0x37/0x40
[ 107.466230]  ? nla_put+0x11a/0x150
[ 107.469782]  tipc_sk_fill_sock_diag+0x9f8/0xdb0
[ 107.474464]  ? tipc_diag_dump+0x30/0x30
[ 107.478450]  ? tipc_getname+0x7f0/0x7f0
[ 107.482430]  ? save_stack+0xa9/0xd0
[ 107.486068]  ? graph_lock+0x170/0x170
[ 107.489878]  ? graph_lock+0x170/0x170
[ 107.493683]  ? __netlink_dump_start+0x4f1/0x6f0
[ 107.498363]  ? sock_diag_rcv_msg+0x31d/0x410
[ 107.502773]  ? netlink_rcv_skb+0x172/0x440
[ 107.507011]  ? sock_diag_rcv+0x2a/0x40
[ 107.510910]  ? netlink_unicast+0x5a0/0x760
[ 107.515158]  ? netlink_sendmsg+0xa18/0xfc0
[ 107.519395]  ? sock_sendmsg+0xd5/0x120
[ 107.523292]  ? ___sys_sendmsg+0x7fd/0x930
[ 107.527445]  ? __x64_sys_sendmsg+0x78/0xb0
[ 107.531684]  ? do_syscall_64+0x1b9/0x820
[ 107.535752]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 107.541117]  ? print_usage_bug+0xc0/0xc0
[ 107.545187]  ? find_held_lock+0x36/0x1c0
[ 107.549260]  ? lock_acquire+0x1e4/0x540
[ 107.553246]  ? tipc_nl_sk_walk+0x60a/0xd30
[ 107.557498]  ? lock_downgrade+0x8f0/0x8f0
[ 107.561657]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 107.566680]  ? skb_put+0x17b/0x1e0
[ 107.570228]  ? __nlmsg_put+0x14c/0x1b0
[ 107.574124]  __tipc_add_sock_diag+0x22f/0x360
[ 107.578626]  tipc_nl_sk_walk+0x68d/0xd30
[ 107.582696]  ? tipc_sock_diag_handler_dump+0x340/0x340
[ 107.587982]  ? __tipc_nl_add_sk+0x400/0x400
[ 107.592319]  ? skb_scrub_packet+0x490/0x490
[ 107.596652]  ? kasan_check_write+0x14/0x20
[ 107.600896]  ? lock_downgrade+0x8f0/0x8f0
[ 107.605064]  tipc_diag_dump+0x24/0x30
[ 107.608873]  netlink_dump+0x519/0xd50
[ 107.612685]  ? netlink_broadcast+0x50/0x50
[ 107.616937]  __netlink_dump_start+0x4f1/0x6f0
[ 107.621435]  ? kasan_check_read+0x11/0x20
[ 107.625592]  tipc_sock_diag_handler_dump+0x234/0x340
[ 107.630703]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[ 107.635377]  ? tipc_unregister_sysctl+0x20/0x20
[ 107.640059]  ? netlink_deliver_tap+0x356/0xfb0
[ 107.644654]  sock_diag_rcv_msg+0x31d/0x410
[ 107.648897]  netlink_rcv_skb+0x172/0x440
[ 107.652965]  ? sock_diag_bind+0x80/0x80
[ 107.656949]  ? netlink_ack+0xbe0/0xbe0
[ 107.660841]  ? rcu_cleanup_dead_rnp+0x200/0x200
[ 107.665531]  sock_diag_rcv+0x2a/0x40
[ 107.669251]  netlink_unicast+0x5a0/0x760
[ 107.673337]  ? netlink_attachskb+0x9a0/0x9a0
[ 107.677754]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 107.683311]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 107.688337]  netlink_sendmsg+0xa18/0xfc0
[ 107.692412]  ? netlink_unicast+0x760/0x760
[ 107.696654]  ? move_addr_to_kernel.part.18+0x100/0x100
[ 107.701938]  ? security_socket_sendmsg+0x94/0xc0
[ 107.706696]  ? netlink_unicast+0x760/0x760
[ 107.711022]  sock_sendmsg+0xd5/0x120
[ 107.714751]  ___sys_sendmsg+0x7fd/0x930
[ 107.718734]  ? copy_msghdr_from_user+0x580/0x580
[ 107.723495]  ? kasan_check_read+0x11/0x20
[ 107.727651]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 107.732077]  ? __fget_light+0x2f7/0x440
[ 107.736063]  ? __local_bh_enable_ip+0x161/0x230
[ 107.740736]  ? fget_raw+0x20/0x20
[ 107.744196]  ? __release_sock+0x3a0/0x3a0
[ 107.748356]  ? tipc_nametbl_build_group+0x279/0x360
[ 107.753383]  ? tipc_setsockopt+0x726/0xd70
[ 107.757630]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 107.763174]  ? sockfd_lookup_light+0xc5/0x160
[ 107.767676]  __sys_sendmsg+0x11d/0x290
[ 107.771570]  ? __ia32_sys_shutdown+0x80/0x80
[ 107.775983]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 107.781526]  ? fput+0x130/0x1a0
[ 107.784819]  ? __x64_sys_futex+0x47f/0x6a0
[ 107.789088]  __x64_sys_sendmsg+0x78/0xb0
[ 107.793159]  do_syscall_64+0x1b9/0x820
[ 107.797059]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 107.801999]  ? syscall_return_slowpath+0x31d/0x5e0
[ 107.806936]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 107.812323]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 107.817176]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 107.822369] RIP: 0033:0x457089
[ 107.825569] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 107.844484] RSP: 002b:00007f2c44643c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 107.852198] RAX: ffffffffffffffda RBX: 00007f2c446446d4 RCX: 0000000000457089
[ 107.859472] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000006
[ 107.866743] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[ 107.874025] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 107.881305] R13: 00000000004d4088 R14: 00000000004c8ab0 R15: 0000000000000000
[ 107.888586] 
[ 107.890212] Allocated by task 5799:
[ 107.893845]  save_stack+0x43/0xd0
[ 107.897315]  kasan_kmalloc+0xc4/0xe0
[ 107.901043]  kmem_cache_alloc_trace+0x152/0x780
[ 107.905716]  tipc_group_create+0x155/0xa70
[ 107.909959]  tipc_setsockopt+0x2d1/0xd70
[ 107.914024]  __sys_setsockopt+0x1c5/0x3b0
[ 107.918180]  __x64_sys_setsockopt+0xbe/0x150
[ 107.922592]  do_syscall_64+0x1b9/0x820
[ 107.926486]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 107.931669] 
[ 107.933302] Freed by task 5798:
[ 107.936586]  save_stack+0x43/0xd0
[ 107.940047]  __kasan_slab_free+0x11a/0x170
[ 107.944305]  kasan_slab_free+0xe/0x10
[ 107.948104]  kfree+0xd9/0x260
[ 107.951218]  tipc_group_delete+0x2e5/0x3f0
[ 107.955454]  tipc_sk_leave+0x113/0x220
[ 107.959344]  tipc_release+0x14e/0x12b0
[ 107.963230]  __sock_release+0xd7/0x250
[ 107.967120]  sock_close+0x19/0x20
[ 107.970576]  __fput+0x39b/0x860
[ 107.973857]  ____fput+0x15/0x20
[ 107.977144]  task_work_run+0x1e8/0x2a0
[ 107.981034]  exit_to_usermode_loop+0x318/0x380
[ 107.985630]  do_syscall_64+0x6be/0x820
[ 107.989519]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 107.994703] 
[ 107.996335] The buggy address belongs to the object at ffff8801aed4b700
[ 107.996335]  which belongs to the cache kmalloc-192 of size 192
[ 108.009031] The buggy address is located 92 bytes inside of
[ 108.009031]  192-byte region [ffff8801aed4b700, ffff8801aed4b7c0)
[ 108.020831] The buggy address belongs to the page:
[ 108.025776] page:ffffea0006bb52c0 count:1 mapcount:0 mapping:ffff8801dac00040 index:0x0
[ 108.033926] flags: 0x2fffc0000000100(slab)
[ 108.038170] raw: 02fffc0000000100 ffffea000742ec48 ffffea0006c8e6c8 ffff8801dac00040
[ 108.046062] raw: 0000000000000000 ffff8801aed4b000 0000000100000010 0000000000000000
[ 108.053935] page dumped because: kasan: bad access detected
[ 108.059636] 
[ 108.061257] Memory state around the buggy address:
[ 108.066194]  ffff8801aed4b600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 108.073559]  ffff8801aed4b680: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 108.080930] >ffff8801aed4b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 108.088299]                                                     ^
[ 108.094529]  ffff8801aed4b780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 108.101892]  ffff8801aed4b800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 108.109249] ==================================================================
[ 108.116614] Disabling lock debugging due to kernel taint
[ 108.122125] Kernel panic - not syncing: panic_on_warn set ...
[ 108.122125] 
[ 108.129520] CPU: 1 PID: 5799 Comm: syz-executor0 Tainted: G B 4.18.0+ #196
[ 108.137840] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 108.147186] Call Trace:
[ 108.149777]  dump_stack+0x1c9/0x2b4
[ 108.153408]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 108.158602]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 108.163364]  panic+0x238/0x4e7
[ 108.166559]  ? add_taint.cold.5+0x16/0x16
[ 108.170714]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 108.175133]  ? tipc_group_fill_sock_diag+0x7b9/0x84b
[ 108.180235]  kasan_end_report+0x47/0x4f
[ 108.184212]  kasan_report.cold.7+0x76/0x30d
[ 108.188536]  __asan_report_load4_noabort+0x14/0x20
[ 108.193470]  tipc_group_fill_sock_diag+0x7b9/0x84b
[ 108.198400]  ? tipc_group_member_evt+0xe30/0xe30
[ 108.203160]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 108.208180]  ? skb_put+0x17b/0x1e0
[ 108.211717]  ? memset+0x31/0x40
[ 108.214996]  ? memcpy+0x45/0x50
[ 108.218290]  ? __nla_put+0x37/0x40
[ 108.221833]  ? nla_put+0x11a/0x150
[ 108.225381]  tipc_sk_fill_sock_diag+0x9f8/0xdb0
[ 108.230057]  ? tipc_diag_dump+0x30/0x30
[ 108.234045]  ? tipc_getname+0x7f0/0x7f0
[ 108.238052]  ? save_stack+0xa9/0xd0
[ 108.241696]  ? graph_lock+0x170/0x170
[ 108.245496]  ? graph_lock+0x170/0x170
[ 108.249319]  ? __netlink_dump_start+0x4f1/0x6f0
[ 108.254000]  ? sock_diag_rcv_msg+0x31d/0x410
[ 108.258406]  ? netlink_rcv_skb+0x172/0x440
[ 108.262643]  ? sock_diag_rcv+0x2a/0x40
[ 108.266533]  ? netlink_unicast+0x5a0/0x760
[ 108.270771]  ? netlink_sendmsg+0xa18/0xfc0
[ 108.275004]  ? sock_sendmsg+0xd5/0x120
[ 108.278898]  ? ___sys_sendmsg+0x7fd/0x930
[ 108.283052]  ? __x64_sys_sendmsg+0x78/0xb0
[ 108.287301]  ? do_syscall_64+0x1b9/0x820
[ 108.291368]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 108.296734]  ? print_usage_bug+0xc0/0xc0
[ 108.300797]  ? find_held_lock+0x36/0x1c0
[ 108.304863]  ? lock_acquire+0x1e4/0x540
[ 108.308846]  ? tipc_nl_sk_walk+0x60a/0xd30
[ 108.313082]  ? lock_downgrade+0x8f0/0x8f0
[ 108.317236]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 108.322250]  ? skb_put+0x17b/0x1e0
[ 108.325805]  ? __nlmsg_put+0x14c/0x1b0
[ 108.329699]  __tipc_add_sock_diag+0x22f/0x360
[ 108.334197]  tipc_nl_sk_walk+0x68d/0xd30
[ 108.338262]  ? tipc_sock_diag_handler_dump+0x340/0x340
[ 108.343554]  ? __tipc_nl_add_sk+0x400/0x400
[ 108.347882]  ? skb_scrub_packet+0x490/0x490
[ 108.352209]  ? kasan_check_write+0x14/0x20
[ 108.356450]  ? lock_downgrade+0x8f0/0x8f0
[ 108.360600]  tipc_diag_dump+0x24/0x30
[ 108.364402]  netlink_dump+0x519/0xd50
[ 108.368207]  ? netlink_broadcast+0x50/0x50
[ 108.372446]  __netlink_dump_start+0x4f1/0x6f0
[ 108.376940]  ? kasan_check_read+0x11/0x20
[ 108.381094]  tipc_sock_diag_handler_dump+0x234/0x340
[ 108.386197]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[ 108.390865]  ? tipc_unregister_sysctl+0x20/0x20
[ 108.395533]  ? netlink_deliver_tap+0x356/0xfb0
[ 108.400125]  sock_diag_rcv_msg+0x31d/0x410
[ 108.404363]  netlink_rcv_skb+0x172/0x440
[ 108.408430]  ? sock_diag_bind+0x80/0x80
[ 108.412407]  ? netlink_ack+0xbe0/0xbe0
[ 108.416304]  ? rcu_cleanup_dead_rnp+0x200/0x200
[ 108.420985]  sock_diag_rcv+0x2a/0x40
[ 108.424704]  netlink_unicast+0x5a0/0x760
[ 108.428769]  ? netlink_attachskb+0x9a0/0x9a0
[ 108.433184]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 108.438723]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 108.443741]  netlink_sendmsg+0xa18/0xfc0
[ 108.447808]  ? netlink_unicast+0x760/0x760
[ 108.452058]  ? move_addr_to_kernel.part.18+0x100/0x100
[ 108.457338]  ? security_socket_sendmsg+0x94/0xc0
[ 108.462092]  ? netlink_unicast+0x760/0x760
[ 108.466331]  sock_sendmsg+0xd5/0x120
[ 108.470055]  ___sys_sendmsg+0x7fd/0x930
[ 108.474032]  ? copy_msghdr_from_user+0x580/0x580
[ 108.478796]  ? kasan_check_read+0x11/0x20
[ 108.482950]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 108.487362]  ? __fget_light+0x2f7/0x440
[ 108.491336]  ? __local_bh_enable_ip+0x161/0x230
[ 108.496004]  ? fget_raw+0x20/0x20
[ 108.499465]  ? __release_sock+0x3a0/0x3a0
[ 108.503614]  ? tipc_nametbl_build_group+0x279/0x360
[ 108.508638]  ? tipc_setsockopt+0x726/0xd70
[ 108.512879]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 108.518418]  ? sockfd_lookup_light+0xc5/0x160
[ 108.522919]  __sys_sendmsg+0x11d/0x290
[ 108.526812]  ? __ia32_sys_shutdown+0x80/0x80
[ 108.531231]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 108.536769]  ? fput+0x130/0x1a0
[ 108.540060]  ? __x64_sys_futex+0x47f/0x6a0
[ 108.544315]  __x64_sys_sendmsg+0x78/0xb0
[ 108.548386]  do_syscall_64+0x1b9/0x820
[ 108.552285]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 108.557217]  ? syscall_return_slowpath+0x31d/0x5e0
[ 108.562149]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 108.567514]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 108.572361]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 108.577553] RIP: 0033:0x457089
[ 108.580748] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 108.599648] RSP: 002b:00007f2c44643c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 108.607361] RAX: ffffffffffffffda RBX: 00007f2c446446d4 RCX: 0000000000457089
[ 108.614633] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000006
[ 108.621901] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[ 108.629170] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 108.636464] R13: 00000000004d4088 R14: 00000000004c8ab0 R15: 0000000000000000
[ 108.644025] Dumping ftrace buffer:
[ 108.647565]    (ftrace buffer empty)
[ 108.651257] Kernel Offset: disabled
[ 108.654873] Rebooting in 86400 seconds..