[ ok ] Starting enhanced syslogd: rsyslogd.
[ 13.303236] audit: type=1400 audit(1516822894.998:5): avc: denied { syslog } for pid=3508 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 18.062490] audit: type=1400 audit(1516822899.757:6): avc: denied { map } for pid=3649 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.208' (ECDSA) to the list of known hosts.
executing program
[ 32.641840] audit: type=1400 audit(1516822914.336:7): avc: denied { map } for pid=3665 comm="syzkaller352020" path="/root/syzkaller352020895" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 32.644513] ==================================================================
[ 32.644526] BUG: KASAN: slab-out-of-bounds in string+0x1e8/0x200
[ 32.644530] Read of size 1 at addr ffff8801d9531f50 by task syzkaller352020/3665
[ 32.644532]
[ 32.644537] CPU: 0 PID: 3665 Comm: syzkaller352020 Not tainted 4.15.0-rc9+ #278
[ 32.644540] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.644542] Call Trace:
[ 32.644551]  dump_stack+0x194/0x257
[ 32.644560]  ? arch_local_irq_restore+0x53/0x53
[ 32.644568]  ? show_regs_print_info+0x18/0x18
[ 32.644572]  ? lock_release+0xa40/0xa40
[ 32.644582]  ? string+0x1e8/0x200
[ 32.644591]  print_address_description+0x73/0x250
[ 32.644599]  ? string+0x1e8/0x200
[ 32.644607]  kasan_report+0x25b/0x340
[ 32.644620]  __asan_report_load1_noabort+0x14/0x20
[ 32.644626]  string+0x1e8/0x200
[ 32.644639]  vsnprintf+0x863/0x1900
[ 32.644651]  ? pointer+0x9e0/0x9e0
[ 32.644669]  __request_module+0x1bf/0xc20
[ 32.644673]  ? lock_downgrade+0x980/0x980
[ 32.644682]  ? free_modprobe_argv+0xa0/0xa0
[ 32.644687]  ? lock_downgrade+0x980/0x980
[ 32.644694]  ? rcu_read_lock_sched_held+0x108/0x120
[ 32.644701]  ? pcpu_alloc+0x146/0x10e0
[ 32.644716]  ? __mutex_unlock_slowpath+0xe9/0xac0
[ 32.644721]  ? pcpu_free_area+0xa00/0xa00
[ 32.644728]  ? wait_for_completion+0x770/0x770
[ 32.644738]  ? __kernel_text_address+0xd/0x40
[ 32.644743]  ? wait_for_completion+0x770/0x770
[ 32.644750]  ? trace_hardirqs_off+0xd/0x10
[ 32.644761]  ? depot_save_stack+0x3b5/0x490
[ 32.644771]  ? kvfree+0x36/0x60
[ 32.644784]  ? xt_find_target+0x17b/0x1e0
[ 32.644802]  xt_request_find_target+0x8b/0xb0
[ 32.644811]  find_check_entry.isra.8+0x612/0xcb0
[ 32.644823]  ? rcu_read_lock_sched_held+0x108/0x120
[ 32.644829]  ? ipt_do_table+0x1330/0x1330
[ 32.644838]  ? mark_held_locks+0xaf/0x100
[ 32.644844]  ? kfree+0xf0/0x260
[ 32.644848]  ? kvfree+0x36/0x60
[ 32.644853]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 32.644860]  ? trace_hardirqs_on+0xd/0x10
[ 32.644871]  translate_table+0xed1/0x1610
[ 32.644894]  ? alloc_counters.isra.11+0x7d0/0x7d0
[ 32.644902]  ? kasan_check_write+0x14/0x20
[ 32.644907]  ? _copy_from_user+0x99/0x110
[ 32.644916]  do_ipt_set_ctl+0x370/0x5f0
[ 32.644924]  ? translate_compat_table+0x1b90/0x1b90
[ 32.644940]  ? mutex_unlock+0xd/0x10
[ 32.644946]  ? nf_sockopt_find.constprop.0+0x1a7/0x220
[ 32.644955]  nf_setsockopt+0x67/0xc0
[ 32.644964]  ip_setsockopt+0xa1/0xb0
[ 32.644972]  tcp_setsockopt+0x82/0xd0
[ 32.644982]  sock_common_setsockopt+0x95/0xd0
[ 32.644991]  SyS_setsockopt+0x189/0x360
[ 32.645000]  ? SyS_recv+0x40/0x40
[ 32.645010]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[ 32.645017]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 32.645024]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 32.645035]  entry_SYSCALL_64_fastpath+0x29/0xa0
[ 32.645039] RIP: 0033:0x43ffc9
[ 32.645041] RSP: 002b:00007ffde8351978 EFLAGS: 00000203 ORIG_RAX: 0000000000000036
[ 32.645047] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffc9
[ 32.645049] RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003
[ 32.645052] RBP: 00000000006ca018 R08: 00000000000000f0 R09: 0000000000000000
[ 32.645054] R10: 00000000203b4326 R11: 0000000000000203 R12: 00000000004018f0
[ 32.645057] R13: 0000000000401980 R14: 0000000000000000 R15: 0000000000000000
[ 32.645074]
[ 32.645076] Allocated by task 3665:
[ 32.645084]  save_stack+0x43/0xd0
[ 32.645088]  kasan_kmalloc+0xad/0xe0
[ 32.645091]  __kmalloc_node+0x47/0x70
[ 32.645094]  kvmalloc_node+0x99/0xd0
[ 32.645097]  xt_alloc_table_info+0x64/0xe0
[ 32.645101]  do_ipt_set_ctl+0x29b/0x5f0
[ 32.645104]  nf_setsockopt+0x67/0xc0
[ 32.645108]  ip_setsockopt+0xa1/0xb0
[ 32.645111]  tcp_setsockopt+0x82/0xd0
[ 32.645114]  sock_common_setsockopt+0x95/0xd0
[ 32.645117]  SyS_setsockopt+0x189/0x360
[ 32.645121]  entry_SYSCALL_64_fastpath+0x29/0xa0
[ 32.645122]
[ 32.645124] Freed by task 2020:
[ 32.645127]  save_stack+0x43/0xd0
[ 32.645130]  kasan_slab_free+0x71/0xc0
[ 32.645133]  kfree+0xd6/0x260
[ 32.645140]  single_release+0x80/0xb0
[ 32.645146]  __fput+0x327/0x7e0
[ 32.645149]  ____fput+0x15/0x20
[ 32.645153]  task_work_run+0x199/0x270
[ 32.645157]  exit_to_usermode_loop+0x296/0x310
[ 32.645160]  syscall_return_slowpath+0x490/0x550
[ 32.645164]  entry_SYSCALL_64_fastpath+0x9e/0xa0
[ 32.645165]
[ 32.645168] The buggy address belongs to the object at ffff8801d9531e80
[ 32.645168]  which belongs to the cache kmalloc-256 of size 256
[ 32.645171] The buggy address is located 208 bytes inside of
[ 32.645171]  256-byte region [ffff8801d9531e80, ffff8801d9531f80)
[ 32.645173] The buggy address belongs to the page:
[ 32.645176] page:ffffea0007654c40 count:1 mapcount:0 mapping:ffff8801d95310c0 index:0x0
[ 32.645181] flags: 0x2fffc0000000100(slab)
[ 32.645187] raw: 02fffc0000000100 ffff8801d95310c0 0000000000000000 000000010000000c
[ 32.645191] raw: ffffea00076518a0 ffffea00076584a0 ffff8801dac007c0 0000000000000000
[ 32.645194] page dumped because: kasan: bad access detected
[ 32.645195]
[ 32.645197] Memory state around the buggy address:
[ 32.645200]  ffff8801d9531e00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 32.645203]  ffff8801d9531e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 32.645206] >ffff8801d9531f00: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[ 32.645208]                                                  ^
[ 32.645211]  ffff8801d9531f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.645214]  ffff8801d9532000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 32.645216] ==================================================================
[ 32.645217] Disabling lock debugging due to kernel taint
[ 32.645231] Kernel panic - not syncing: panic_on_warn set ...
[ 32.645231]
[ 32.645236] CPU: 0 PID: 3665 Comm: syzkaller352020 Tainted: G    B 4.15.0-rc9+ #278
[ 32.645238] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.645239] Call Trace:
[ 32.645244]  dump_stack+0x194/0x257
[ 32.645249]  ? arch_local_irq_restore+0x53/0x53
[ 32.645253]  ? kasan_end_report+0x32/0x50
[ 32.645258]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 32.645262]  ? vsnprintf+0x1ed/0x1900
[ 32.645267]  ? string+0x120/0x200
[ 32.645273]  panic+0x1e4/0x41c
[ 32.645277]  ? refcount_error_report+0x214/0x214
[ 32.645282]  ? add_taint+0x1c/0x50
[ 32.645286]  ? add_taint+0x1c/0x50
[ 32.645292]  ? string+0x1e8/0x200
[ 32.645296]  kasan_end_report+0x50/0x50
[ 32.645300]  kasan_report+0x144/0x340
[ 32.645306]  __asan_report_load1_noabort+0x14/0x20
[ 32.645310]  string+0x1e8/0x200
[ 32.645317]  vsnprintf+0x863/0x1900
[ 32.645325]  ? pointer+0x9e0/0x9e0
[ 32.645335]  __request_module+0x1bf/0xc20
[ 32.645339]  ? lock_downgrade+0x980/0x980
[ 32.645345]  ? free_modprobe_argv+0xa0/0xa0
[ 32.645349]  ? lock_downgrade+0x980/0x980
[ 32.645353]  ? rcu_read_lock_sched_held+0x108/0x120
[ 32.645357]  ? pcpu_alloc+0x146/0x10e0
[ 32.645366]  ? __mutex_unlock_slowpath+0xe9/0xac0
[ 32.645369]  ? pcpu_free_area+0xa00/0xa00
[ 32.645375]  ? wait_for_completion+0x770/0x770
[ 32.645381]  ? __kernel_text_address+0xd/0x40
[ 32.645385]  ? wait_for_completion+0x770/0x770
[ 32.645390]  ? trace_hardirqs_off+0xd/0x10
[ 32.645395]  ? depot_save_stack+0x3b5/0x490
[ 32.645402]  ? kvfree+0x36/0x60
[ 32.645409]  ? xt_find_target+0x17b/0x1e0
[ 32.645419]  xt_request_find_target+0x8b/0xb0
[ 32.645425]  find_check_entry.isra.8+0x612/0xcb0
[ 32.645433]  ? rcu_read_lock_sched_held+0x108/0x120
[ 32.645438]  ? ipt_do_table+0x1330/0x1330
[ 32.645444]  ? mark_held_locks+0xaf/0x100
[ 32.645448]  ? kfree+0xf0/0x260
[ 32.645451]  ? kvfree+0x36/0x60
[ 32.645456]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 32.645460]  ? trace_hardirqs_on+0xd/0x10
[ 32.645467]  translate_table+0xed1/0x1610
[ 32.645481]  ? alloc_counters.isra.11+0x7d0/0x7d0
[ 32.645486]  ? kasan_check_write+0x14/0x20
[ 32.645490]  ? _copy_from_user+0x99/0x110
[ 32.645496]  do_ipt_set_ctl+0x370/0x5f0
[ 32.645502]  ? translate_compat_table+0x1b90/0x1b90
[ 32.645512]  ? mutex_unlock+0xd/0x10
[ 32.645516]  ? nf_sockopt_find.constprop.0+0x1a7/0x220
[ 32.645522]  nf_setsockopt+0x67/0xc0
[ 32.645528]  ip_setsockopt+0xa1/0xb0
[ 32.645534]  tcp_setsockopt+0x82/0xd0
[ 32.645540]  sock_common_setsockopt+0x95/0xd0
[ 32.645546]  SyS_setsockopt+0x189/0x360
[ 32.645552]  ? SyS_recv+0x40/0x40
[ 32.645556]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[ 32.645561]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 32.645566]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 32.645573]  entry_SYSCALL_64_fastpath+0x29/0xa0
[ 32.645575] RIP: 0033:0x43ffc9
[ 32.645577] RSP: 002b:00007ffde8351978 EFLAGS: 00000203 ORIG_RAX: 0000000000000036
[ 32.645581] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffc9
[ 32.645583] RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003
[ 32.645585] RBP: 00000000006ca018 R08: 00000000000000f0 R09: 0000000000000000
[ 32.645587] R10: 00000000203b4326 R11: 0000000000000203 R12: 00000000004018f0
[ 32.645589] R13: 0000000000401980 R14: 0000000000000000 R15: 0000000000000000
[ 32.668111] Dumping ftrace buffer:
[ 32.668115]    (ftrace buffer empty)
[ 32.668117] Kernel Offset: disabled
[ 33.534840] Rebooting in 86400 seconds..