[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 21.882513] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 26.079569] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.319583] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.839118] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.20' (ECDSA) to the list of known hosts.
[ 32.614722] urandom_read: 1 callbacks suppressed
[ 32.614727] random: sshd: uninitialized urandom read (32 bytes read)
2018/08/19 00:09:13 parsed 1 programs
[ 33.677873] random: cc1: uninitialized urandom read (8 bytes read)
2018/08/19 00:09:14 executed programs: 0
[ 34.920206] IPVS: ftp: loaded support on port[0] = 21
[ 35.121363] bridge0: port 1(bridge_slave_0) entered blocking state
[ 35.127974] bridge0: port 1(bridge_slave_0) entered disabled state
[ 35.135439] device bridge_slave_0 entered promiscuous mode
[ 35.151942] bridge0: port 2(bridge_slave_1) entered blocking state
[ 35.158303] bridge0: port 2(bridge_slave_1) entered disabled state
[ 35.165514] device bridge_slave_1 entered promiscuous mode
[ 35.180991] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 35.198403] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 35.239305] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 35.258569] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 35.320195] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 35.327883] team0: Port device team_slave_0 added
[ 35.343080] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 35.350147] team0: Port device team_slave_1 added
[ 35.365274] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 35.384139] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 35.399724] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 35.417658] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 35.501305] ip (4509) used greatest stack depth: 16824 bytes left
[ 35.537469] bridge0: port 2(bridge_slave_1) entered blocking state
[ 35.543899] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 35.550717] bridge0: port 1(bridge_slave_0) entered blocking state
[ 35.557102] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 35.977584] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 35.983833] 8021q: adding VLAN 0 to HW filter on device bond0
[ 36.027243] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 36.071087] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 36.079252] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 36.116660] 8021q: adding VLAN 0 to HW filter on device team0
[ 39.002000] ==================================================================
[ 39.009543] BUG: KASAN: use-after-free in tipc_group_fill_sock_diag+0x739/0x84b
[ 39.017009] Read of size 2 at addr ffff8801c19f3d72 by task syz-executor0/5414
[ 39.024355]
[ 39.025993] CPU: 0 PID: 5414 Comm: syz-executor0 Not tainted 4.18.0+ #196
[ 39.032926] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.042271] Call Trace:
[ 39.044868] dump_stack+0x1c9/0x2b4
[ 39.048492] ? dump_stack_print_info.cold.2+0x52/0x52
[ 39.053707] ? printk+0xa7/0xcf
[ 39.056986] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 39.061746] ? tipc_group_fill_sock_diag+0x739/0x84b
[ 39.066849] print_address_description+0x6c/0x20b
[ 39.071692] ? tipc_group_fill_sock_diag+0x739/0x84b
[ 39.076807] kasan_report.cold.7+0x242/0x30d
[ 39.081221] __asan_report_load2_noabort+0x14/0x20
[ 39.086149] tipc_group_fill_sock_diag+0x739/0x84b
[ 39.091081] ? tipc_group_member_evt+0xe30/0xe30
[ 39.095836] ? skb_put+0x17b/0x1e0
[ 39.099390] ? memset+0x31/0x40
[ 39.102671] ? memcpy+0x45/0x50
[ 39.105950] ? __nla_put+0x37/0x40
[ 39.109506] ? nla_put+0x11a/0x150
[ 39.113055] tipc_sk_fill_sock_diag+0x9f8/0xdb0
[ 39.117754] ? tipc_diag_dump+0x30/0x30
[ 39.121731] ? tipc_getname+0x7f0/0x7f0
[ 39.125708] ? save_stack+0xa9/0xd0
[ 39.129334] ? save_stack+0x43/0xd0
[ 39.132963] ? kasan_kmalloc+0xc4/0xe0
[ 39.136851] ? __kmalloc_node_track_caller+0x47/0x70
[ 39.141966] ? graph_lock+0x170/0x170
[ 39.145764] ? __netlink_dump_start+0x4f1/0x6f0
[ 39.150436] ? sock_diag_rcv_msg+0x31d/0x410
[ 39.154848] ? netlink_rcv_skb+0x172/0x440
[ 39.159083] ? sock_diag_rcv+0x2a/0x40
[ 39.162968] ? netlink_unicast+0x5a0/0x760
[ 39.167202] ? netlink_sendmsg+0xa18/0xfc0
[ 39.171436] ? sock_sendmsg+0xd5/0x120
[ 39.175342] ? ___sys_sendmsg+0x7fd/0x930
[ 39.179493] ? __x64_sys_sendmsg+0x78/0xb0
[ 39.183727] ? do_syscall_64+0x1b9/0x820
[ 39.187788] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.193161] ? lock_acquire+0x1e4/0x540
[ 39.197133] ? tipc_nl_sk_walk+0x60a/0xd30
[ 39.201362] ? tipc_nl_sk_walk+0x311/0xd30
[ 39.205624] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 39.210640] ? skb_put+0x17b/0x1e0
[ 39.214186] ? __nlmsg_put+0x14c/0x1b0
[ 39.218077] __tipc_add_sock_diag+0x22f/0x360
[ 39.222580] tipc_nl_sk_walk+0x68d/0xd30
[ 39.226645] ? tipc_sock_diag_handler_dump+0x340/0x340
[ 39.231928] ? __tipc_nl_add_sk+0x400/0x400
[ 39.236249] ? skb_scrub_packet+0x490/0x490
[ 39.240587] ? kasan_check_write+0x14/0x20
[ 39.244845] ? __mutex_unlock_slowpath+0x197/0x8c0
[ 39.249794] ? lock_downgrade+0x8f0/0x8f0
[ 39.253963] tipc_diag_dump+0x24/0x30
[ 39.257769] netlink_dump+0x519/0xd50
[ 39.261578] ? netlink_broadcast+0x50/0x50
[ 39.265820] __netlink_dump_start+0x4f1/0x6f0
[ 39.270319] ? kasan_check_read+0x11/0x20
[ 39.274472] tipc_sock_diag_handler_dump+0x234/0x340
[ 39.279579] ? __tipc_diag_gen_cookie+0xc0/0xc0
[ 39.284242] ? tipc_unregister_sysctl+0x20/0x20
[ 39.288906] ? netlink_deliver_tap+0x356/0xfb0
[ 39.293494] sock_diag_rcv_msg+0x31d/0x410
[ 39.297731] netlink_rcv_skb+0x172/0x440
[ 39.301795] ? sock_diag_bind+0x80/0x80
[ 39.305779] ? netlink_ack+0xbe0/0xbe0
[ 39.309664] ? rcu_cleanup_dead_rnp+0x200/0x200
[ 39.314358] sock_diag_rcv+0x2a/0x40
[ 39.318077] netlink_unicast+0x5a0/0x760
[ 39.322143] ? netlink_attachskb+0x9a0/0x9a0
[ 39.326553] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 39.332100] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 39.337131] netlink_sendmsg+0xa18/0xfc0
[ 39.341199] ? netlink_unicast+0x760/0x760
[ 39.345436] ? move_addr_to_kernel.part.18+0x100/0x100
[ 39.350717] ? security_socket_sendmsg+0x94/0xc0
[ 39.355470] ? netlink_unicast+0x760/0x760
[ 39.359706] sock_sendmsg+0xd5/0x120
[ 39.363418] ___sys_sendmsg+0x7fd/0x930
[ 39.367397] ? copy_msghdr_from_user+0x580/0x580
[ 39.372155] ? kasan_check_read+0x11/0x20
[ 39.376323] ? do_raw_spin_unlock+0xa7/0x2f0
[ 39.380740] ? __fget_light+0x2f7/0x440
[ 39.384713] ? __local_bh_enable_ip+0x161/0x230
[ 39.389379] ? fget_raw+0x20/0x20
[ 39.392831] ? __release_sock+0x3a0/0x3a0
[ 39.396980] ? tipc_nametbl_build_group+0x279/0x360
[ 39.402013] ? tipc_setsockopt+0x726/0xd70
[ 39.406253] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 39.411800] ? sockfd_lookup_light+0xc5/0x160
[ 39.416307] __sys_sendmsg+0x11d/0x290
[ 39.420195] ? __ia32_sys_shutdown+0x80/0x80
[ 39.424613] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 39.430147] ? fput+0x130/0x1a0
[ 39.433428] ? __x64_sys_futex+0x47f/0x6a0
[ 39.437685] __x64_sys_sendmsg+0x78/0xb0
[ 39.441747] do_syscall_64+0x1b9/0x820
[ 39.445638] ? syscall_return_slowpath+0x5e0/0x5e0
[ 39.450575] ? syscall_return_slowpath+0x31d/0x5e0
[ 39.455510] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 39.460881] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 39.465742] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.470929] RIP: 0033:0x457089
[ 39.474119] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 39.493018] RSP: 002b:00007f073bad5c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 39.500731] RAX: ffffffffffffffda RBX: 00007f073bad66d4 RCX: 0000000000457089
[ 39.507994] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000006
[ 39.515256] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[ 39.522521] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 39.529789] R13: 00000000004d4088 R14: 00000000004c8ab0 R15: 0000000000000000
[ 39.537061]
[ 39.538683] Allocated by task 5414:
[ 39.542314] save_stack+0x43/0xd0
[ 39.545762] kasan_kmalloc+0xc4/0xe0
[ 39.549472] kmem_cache_alloc_trace+0x152/0x780
[ 39.554137] tipc_group_create+0x155/0xa70
[ 39.558368] tipc_setsockopt+0x2d1/0xd70
[ 39.562429] __sys_setsockopt+0x1c5/0x3b0
[ 39.566575] __x64_sys_setsockopt+0xbe/0x150
[ 39.570980] do_syscall_64+0x1b9/0x820
[ 39.574878] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.580078]
[ 39.581697] Freed by task 5413:
[ 39.584968] save_stack+0x43/0xd0
[ 39.588417] __kasan_slab_free+0x11a/0x170
[ 39.592659] kasan_slab_free+0xe/0x10
[ 39.596450] kfree+0xd9/0x260
[ 39.599549] tipc_group_delete+0x2e5/0x3f0
[ 39.603783] tipc_sk_leave+0x113/0x220
[ 39.607665] tipc_release+0x14e/0x12b0
[ 39.611546] __sock_release+0xd7/0x250
[ 39.615428] sock_close+0x19/0x20
[ 39.618871] __fput+0x39b/0x860
[ 39.622143] ____fput+0x15/0x20
[ 39.625415] task_work_run+0x1e8/0x2a0
[ 39.629305] exit_to_usermode_loop+0x318/0x380
[ 39.633882] do_syscall_64+0x6be/0x820
[ 39.637757] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.642928]
[ 39.644573] The buggy address belongs to the object at ffff8801c19f3d00
[ 39.644573]  which belongs to the cache kmalloc-192 of size 192
[ 39.657225] The buggy address is located 114 bytes inside of
[ 39.657225]  192-byte region [ffff8801c19f3d00, ffff8801c19f3dc0)
[ 39.669087] The buggy address belongs to the page:
[ 39.674012] page:ffffea0007067cc0 count:1 mapcount:0 mapping:ffff8801dac00040 index:0x0
[ 39.682147] flags: 0x2fffc0000000100(slab)
[ 39.686395] raw: 02fffc0000000100 ffffea0007637488 ffff8801dac01148 ffff8801dac00040
[ 39.694281] raw: 0000000000000000 ffff8801c19f3000 0000000100000010 0000000000000000
[ 39.702152] page dumped because: kasan: bad access detected
[ 39.707847]
[ 39.709464] Memory state around the buggy address:
[ 39.714389]  ffff8801c19f3c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 39.721747]  ffff8801c19f3c80: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.729099] >ffff8801c19f3d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.736445]                                                              ^
[ 39.743447]  ffff8801c19f3d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 39.750799]  ffff8801c19f3e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.758145] ==================================================================
[ 39.765492] Disabling lock debugging due to kernel taint
[ 39.770987] Kernel panic - not syncing: panic_on_warn set ...
[ 39.770987]
[ 39.778365] CPU: 0 PID: 5414 Comm: syz-executor0 Tainted: G B 4.18.0+ #196
[ 39.786684] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.796024] Call Trace:
[ 39.798610] dump_stack+0x1c9/0x2b4
[ 39.802232] ? dump_stack_print_info.cold.2+0x52/0x52
[ 39.807430] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 39.812185] panic+0x238/0x4e7
[ 39.815419] ? add_taint.cold.5+0x16/0x16
[ 39.819579] ? do_raw_spin_unlock+0xa7/0x2f0
[ 39.823993] ? tipc_group_fill_sock_diag+0x739/0x84b
[ 39.829090] kasan_end_report+0x47/0x4f
[ 39.833057] kasan_report.cold.7+0x76/0x30d
[ 39.837379] __asan_report_load2_noabort+0x14/0x20
[ 39.842328] tipc_group_fill_sock_diag+0x739/0x84b
[ 39.847266] ? tipc_group_member_evt+0xe30/0xe30
[ 39.852024] ? skb_put+0x17b/0x1e0
[ 39.855575] ? memset+0x31/0x40
[ 39.858851] ? memcpy+0x45/0x50
[ 39.862125] ? __nla_put+0x37/0x40
[ 39.865687] ? nla_put+0x11a/0x150
[ 39.869228] tipc_sk_fill_sock_diag+0x9f8/0xdb0
[ 39.873888] ? tipc_diag_dump+0x30/0x30
[ 39.877854] ? tipc_getname+0x7f0/0x7f0
[ 39.881820] ? save_stack+0xa9/0xd0
[ 39.885449] ? save_stack+0x43/0xd0
[ 39.889067] ? kasan_kmalloc+0xc4/0xe0
[ 39.892948] ? __kmalloc_node_track_caller+0x47/0x70
[ 39.898061] ? graph_lock+0x170/0x170
[ 39.901873] ? __netlink_dump_start+0x4f1/0x6f0
[ 39.906537] ? sock_diag_rcv_msg+0x31d/0x410
[ 39.910941] ? netlink_rcv_skb+0x172/0x440
[ 39.915169] ? sock_diag_rcv+0x2a/0x40
[ 39.919066] ? netlink_unicast+0x5a0/0x760
[ 39.923326] ? netlink_sendmsg+0xa18/0xfc0
[ 39.927577] ? sock_sendmsg+0xd5/0x120
[ 39.931458] ? ___sys_sendmsg+0x7fd/0x930
[ 39.935614] ? __x64_sys_sendmsg+0x78/0xb0
[ 39.939856] ? do_syscall_64+0x1b9/0x820
[ 39.943911] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.949268] ? lock_acquire+0x1e4/0x540
[ 39.953259] ? tipc_nl_sk_walk+0x60a/0xd30
[ 39.957521] ? tipc_nl_sk_walk+0x311/0xd30
[ 39.961778] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 39.966884] ? skb_put+0x17b/0x1e0
[ 39.970421] ? __nlmsg_put+0x14c/0x1b0
[ 39.974309] __tipc_add_sock_diag+0x22f/0x360
[ 39.978800] tipc_nl_sk_walk+0x68d/0xd30
[ 39.982892] ? tipc_sock_diag_handler_dump+0x340/0x340
[ 39.988181] ? __tipc_nl_add_sk+0x400/0x400
[ 39.992507] ? skb_scrub_packet+0x490/0x490
[ 39.996846] ? kasan_check_write+0x14/0x20
[ 40.001084] ? __mutex_unlock_slowpath+0x197/0x8c0
[ 40.006020] ? lock_downgrade+0x8f0/0x8f0
[ 40.010176] tipc_diag_dump+0x24/0x30
[ 40.013973] netlink_dump+0x519/0xd50
[ 40.017806] ? netlink_broadcast+0x50/0x50
[ 40.022036] __netlink_dump_start+0x4f1/0x6f0
[ 40.026523] ? kasan_check_read+0x11/0x20
[ 40.030669] tipc_sock_diag_handler_dump+0x234/0x340
[ 40.035769] ? __tipc_diag_gen_cookie+0xc0/0xc0
[ 40.040433] ? tipc_unregister_sysctl+0x20/0x20
[ 40.045094] ? netlink_deliver_tap+0x356/0xfb0
[ 40.049679] sock_diag_rcv_msg+0x31d/0x410
[ 40.053907] netlink_rcv_skb+0x172/0x440
[ 40.057965] ? sock_diag_bind+0x80/0x80
[ 40.061934] ? netlink_ack+0xbe0/0xbe0
[ 40.065816] ? rcu_cleanup_dead_rnp+0x200/0x200
[ 40.070485] sock_diag_rcv+0x2a/0x40
[ 40.074195] netlink_unicast+0x5a0/0x760
[ 40.078255] ? netlink_attachskb+0x9a0/0x9a0
[ 40.082658] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 40.088189] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 40.093215] netlink_sendmsg+0xa18/0xfc0
[ 40.097274] ? netlink_unicast+0x760/0x760
[ 40.101512] ? move_addr_to_kernel.part.18+0x100/0x100
[ 40.106785] ? security_socket_sendmsg+0x94/0xc0
[ 40.111528] ? netlink_unicast+0x760/0x760
[ 40.115758] sock_sendmsg+0xd5/0x120
[ 40.119468] ___sys_sendmsg+0x7fd/0x930
[ 40.123439] ? copy_msghdr_from_user+0x580/0x580
[ 40.128193] ? kasan_check_read+0x11/0x20
[ 40.132339] ? do_raw_spin_unlock+0xa7/0x2f0
[ 40.136748] ? __fget_light+0x2f7/0x440
[ 40.140731] ? __local_bh_enable_ip+0x161/0x230
[ 40.145394] ? fget_raw+0x20/0x20
[ 40.148844] ? __release_sock+0x3a0/0x3a0
[ 40.152986] ? tipc_nametbl_build_group+0x279/0x360
[ 40.158012] ? tipc_setsockopt+0x726/0xd70
[ 40.162251] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 40.167785] ? sockfd_lookup_light+0xc5/0x160
[ 40.172281] __sys_sendmsg+0x11d/0x290
[ 40.176171] ? __ia32_sys_shutdown+0x80/0x80
[ 40.180577] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 40.186123] ? fput+0x130/0x1a0
[ 40.189401] ? __x64_sys_futex+0x47f/0x6a0
[ 40.193643] __x64_sys_sendmsg+0x78/0xb0
[ 40.197704] do_syscall_64+0x1b9/0x820
[ 40.201592] ? syscall_return_slowpath+0x5e0/0x5e0
[ 40.206519] ? syscall_return_slowpath+0x31d/0x5e0
[ 40.211448] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 40.216809] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 40.221653] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.226829] RIP: 0033:0x457089
[ 40.230013] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 40.248909] RSP: 002b:00007f073bad5c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 40.256615] RAX: ffffffffffffffda RBX: 00007f073bad66d4 RCX: 0000000000457089
[ 40.263881] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000006
[ 40.271145] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[ 40.278424] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 40.285693] R13: 00000000004d4088 R14: 00000000004c8ab0 R15: 0000000000000000
[ 40.293243] Dumping ftrace buffer:
[ 40.296776] (ftrace buffer empty)
[ 40.300475] Kernel Offset: disabled
[ 40.304078] Rebooting in 86400 seconds..