[ ok ] Starting enhanced syslogd: rsyslogd.
[   12.643054] audit: type=1400 audit(1517140798.421:5): avc:  denied  { syslog } for  pid=3520 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   17.836655] audit: type=1400 audit(1517140803.615:6): avc:  denied  { map } for  pid=3661 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.222' (ECDSA) to the list of known hosts.
executing program
[   24.112294] audit: type=1400 audit(1517140809.891:7): avc:  denied  { map } for  pid=3675 comm="syzkaller595958" path="/root/syzkaller595958577" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   24.115627] ==================================================================
[   24.115646] BUG: KASAN: slab-out-of-bounds in clusterip_tg_check+0x150f/0x1570
[   24.115652] Read of size 2 at addr ffff8801bcb41e00 by task syzkaller595958/3675
[   24.115654] 
[   24.115662] CPU: 1 PID: 3675 Comm: syzkaller595958 Not tainted 4.15.0-rc9+ #212
[   24.115666] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   24.115669] Call Trace:
[   24.115679]  dump_stack+0x194/0x257
[   24.115692]  ? arch_local_irq_restore+0x53/0x53
[   24.115703]  ? show_regs_print_info+0x18/0x18
[   24.115720]  ? clusterip_tg_check+0x150f/0x1570
[   24.115733]  print_address_description+0x73/0x250
[   24.115743]  ? clusterip_tg_check+0x150f/0x1570
[   24.115753]  kasan_report+0x25b/0x340
[   24.115768]  __asan_report_load2_noabort+0x14/0x20
[   24.115776]  clusterip_tg_check+0x150f/0x1570
[   24.115796]  ? arp_mangle+0x550/0x550
[   24.115807]  ? xt_find_target+0x150/0x1e0
[   24.115818]  ? lock_downgrade+0x980/0x980
[   24.115831]  ? nf_connlabels_get+0x62/0x80
[   24.115849]  ? lock_release+0xa40/0xa40
[   24.115856]  ? ipv4_conntrack_in+0x90/0x90
[   24.115878]  ? __mutex_unlock_slowpath+0xe9/0xac0
[   24.115892]  ? wait_for_completion+0x770/0x770
[   24.115902]  ? nf_connlabels_get+0x67/0x80
[   24.115913]  ? arp_mangle+0x550/0x550
[   24.115926]  xt_check_target+0x22c/0x7d0
[   24.115938]  ? xt_target_seq_next+0x30/0x30
[   24.115952]  ? mutex_unlock+0xd/0x10
[   24.115969]  ? mutex_unlock+0xd/0x10
[   24.115976]  ? xt_find_target+0x17b/0x1e0
[   24.116005]  find_check_entry.isra.8+0x8c8/0xcb0
[   24.116032]  ? ipt_do_table+0x1860/0x1860
[   24.116046]  ? mark_held_locks+0xaf/0x100
[   24.116056]  ? kfree+0xf0/0x260
[   24.116072]  ? trace_hardirqs_on+0xd/0x10
[   24.116091]  translate_table+0xed1/0x1610
[   24.116129]  ? alloc_counters.isra.11+0x7d0/0x7d0
[   24.116143]  ? kasan_check_write+0x14/0x20
[   24.116151]  ? _copy_from_user+0x99/0x110
[   24.116169]  do_ipt_set_ctl+0x370/0x5f0
[   24.116184]  ? translate_compat_table+0x1b90/0x1b90
[   24.116211]  ? mutex_unlock+0xd/0x10
[   24.116219]  ? nf_sockopt_find.constprop.0+0x1a7/0x220
[   24.116233]  nf_setsockopt+0x67/0xc0
[   24.116248]  ip_setsockopt+0xa1/0xb0
[   24.116262]  udp_setsockopt+0x45/0x80
[   24.116278]  sock_common_setsockopt+0x95/0xd0
[   24.116294]  SyS_setsockopt+0x189/0x360
[   24.116309]  ? SyS_recv+0x40/0x40
[   24.116319]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[   24.116331]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   24.116343]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   24.116362]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   24.116368] RIP: 0033:0x440b49
[   24.116371] RSP: 002b:00007ffdac3b5058 EFLAGS: 00000203 ORIG_RAX: 0000000000000036
[   24.116379] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000440b49
[   24.116384] RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003
[   24.116387] RBP: 00000000006cb018 R08: 0000000000000320 R09: 0000000000000000
[   24.116392] R10: 0000000020027000 R11: 0000000000000203 R12: 0000000000402470
[   24.116396] R13: 0000000000402500 R14: 0000000000000000 R15: 0000000000000000
[   24.116424] 
[   24.116428] Allocated by task 3675:
[   24.116434]  save_stack+0x43/0xd0
[   24.116440]  kasan_kmalloc+0xad/0xe0
[   24.116446]  __kmalloc_node+0x47/0x70
[   24.116453]  kvmalloc_node+0x99/0xd0
[   24.116458]  xt_alloc_table_info+0x64/0xe0
[   24.116464]  do_ipt_set_ctl+0x29b/0x5f0
[   24.116469]  nf_setsockopt+0x67/0xc0
[   24.116474]  ip_setsockopt+0xa1/0xb0
[   24.116479]  udp_setsockopt+0x45/0x80
[   24.116485]  sock_common_setsockopt+0x95/0xd0
[   24.116491]  SyS_setsockopt+0x189/0x360
[   24.116497]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   24.116499] 
[   24.116502] Freed by task 1821:
[   24.116507]  save_stack+0x43/0xd0
[   24.116513]  kasan_slab_free+0x71/0xc0
[   24.116518]  kfree+0xd6/0x260
[   24.116525]  free_pipe_info+0x1f8/0x2a0
[   24.116531]  put_pipe_info+0xb0/0xd0
[   24.116537]  pipe_release+0x1af/0x250
[   24.116542]  __fput+0x327/0x7e0
[   24.116546]  ____fput+0x15/0x20
[   24.116553]  task_work_run+0x199/0x270
[   24.116559]  exit_to_usermode_loop+0x296/0x310
[   24.116565]  syscall_return_slowpath+0x490/0x550
[   24.116571]  entry_SYSCALL_64_fastpath+0x9e/0xa0
[   24.116573] 
[   24.116578] The buggy address belongs to the object at ffff8801bcb41b00
[   24.116578]  which belongs to the cache kmalloc-1024 of size 1024
[   24.116583] The buggy address is located 768 bytes inside of
[   24.116583]  1024-byte region [ffff8801bcb41b00, ffff8801bcb41f00)
[   24.116585] The buggy address belongs to the page:
[   24.116591] page:ffffea0006f2d000 count:1 mapcount:0 mapping:ffff8801bcb40000 index:0x0 compound_mapcount: 0
[   24.116600] flags: 0x2fffc0000008100(slab|head)
[   24.116610] raw: 02fffc0000008100 ffff8801bcb40000 0000000000000000 0000000100000007
[   24.116617] raw: ffffea00076b86a0 ffffea0007663e20 ffff8801dac00ac0 0000000000000000
[   24.116620] page dumped because: kasan: bad access detected
[   24.116622] 
[   24.116624] Memory state around the buggy address:
[   24.116629]  ffff8801bcb41d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   24.116634]  ffff8801bcb41d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   24.116639] >ffff8801bcb41e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.116642]                    ^
[   24.116647]  ffff8801bcb41e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.116652]  ffff8801bcb41f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.116655] ==================================================================
[   24.116657] Disabling lock debugging due to kernel taint
[   24.116674] Kernel panic - not syncing: panic_on_warn set ...
[   24.116674] 
[   24.116680] CPU: 1 PID: 3675 Comm: syzkaller595958 Tainted: G    B            4.15.0-rc9+ #212
[   24.116683] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   24.116685] Call Trace:
[   24.116691]  dump_stack+0x194/0x257
[   24.116700]  ? arch_local_irq_restore+0x53/0x53
[   24.116708]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   24.116716]  ? vsnprintf+0x1ed/0x1900
[   24.116724]  ? clusterip_tg_check+0x1440/0x1570
[   24.116731]  panic+0x1e4/0x41c
[   24.116738]  ? refcount_error_report+0x214/0x214
[   24.116747]  ? add_taint+0x1c/0x50
[   24.116755]  ? add_taint+0x1c/0x50
[   24.116764]  ? clusterip_tg_check+0x150f/0x1570
[   24.116771]  kasan_end_report+0x50/0x50
[   24.116777]  kasan_report+0x144/0x340
[   24.116788]  __asan_report_load2_noabort+0x14/0x20
[   24.116795]  clusterip_tg_check+0x150f/0x1570
[   24.116807]  ? arp_mangle+0x550/0x550
[   24.116814]  ? xt_find_target+0x150/0x1e0
[   24.116821]  ? lock_downgrade+0x980/0x980
[   24.116830]  ? nf_connlabels_get+0x62/0x80
[   24.116841]  ? lock_release+0xa40/0xa40
[   24.116847]  ? ipv4_conntrack_in+0x90/0x90
[   24.116859]  ? __mutex_unlock_slowpath+0xe9/0xac0
[   24.116869]  ? wait_for_completion+0x770/0x770
[   24.116876]  ? nf_connlabels_get+0x67/0x80
[   24.116885]  ? arp_mangle+0x550/0x550
[   24.116893]  xt_check_target+0x22c/0x7d0
[   24.116902]  ? xt_target_seq_next+0x30/0x30
[   24.116911]  ? mutex_unlock+0xd/0x10
[   24.116921]  ? mutex_unlock+0xd/0x10
[   24.116927]  ? xt_find_target+0x17b/0x1e0
[   24.116942]  find_check_entry.isra.8+0x8c8/0xcb0
[   24.116957]  ? ipt_do_table+0x1860/0x1860
[   24.116967]  ? mark_held_locks+0xaf/0x100
[   24.116974]  ? kfree+0xf0/0x260
[   24.116984]  ? trace_hardirqs_on+0xd/0x10
[   24.116996]  translate_table+0xed1/0x1610
[   24.117021]  ? alloc_counters.isra.11+0x7d0/0x7d0
[   24.117030]  ? kasan_check_write+0x14/0x20
[   24.117036]  ? _copy_from_user+0x99/0x110
[   24.117045]  do_ipt_set_ctl+0x370/0x5f0
[   24.117054]  ? translate_compat_table+0x1b90/0x1b90
[   24.117070]  ? mutex_unlock+0xd/0x10
[   24.117076]  ? nf_sockopt_find.constprop.0+0x1a7/0x220
[   24.117085]  nf_setsockopt+0x67/0xc0
[   24.117094]  ip_setsockopt+0xa1/0xb0
[   24.117104]  udp_setsockopt+0x45/0x80
[   24.117114]  sock_common_setsockopt+0x95/0xd0
[   24.117124]  SyS_setsockopt+0x189/0x360
[   24.117134]  ? SyS_recv+0x40/0x40
[   24.117141]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[   24.117150]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   24.117161]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   24.117174]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   24.117178] RIP: 0033:0x440b49
[   24.117181] RSP: 002b:00007ffdac3b5058 EFLAGS: 00000203 ORIG_RAX: 0000000000000036
[   24.117187] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000440b49
[   24.117191] RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003
[   24.117194] RBP: 00000000006cb018 R08: 0000000000000320 R09: 0000000000000000
[   24.117198] R10: 0000000020027000 R11: 0000000000000203 R12: 0000000000402470
[   24.117201] R13: 0000000000402500 R14: 0000000000000000 R15: 0000000000000000
[   24.138599] Dumping ftrace buffer:
[   24.138602]    (ftrace buffer empty)
[   24.138605] Kernel Offset: disabled
[   24.959960] Rebooting in 86400 seconds..
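The following is an added example and is not part of the syzbot report or of the kernel source. It does two things a triager would do with the log above: decode the x86-64 register dump into the syscall that reached clusterip_tg_check (ORIG_RAX 0x36 is setsockopt on x86-64; RSI 0 is SOL_IP; RDX 0x40 is IPT_SO_SET_REPLACE, since IPT_BASE_CTL is 64 in the uapi ip_tables header; R10 and R08 are optval and optlen), and model the bound a target's checkentry routine has to enforce on a user-supplied element count. The field shape used for the model (a u16 count in front of a fixed u16 array of CLUSTERIP_MAX_NODES entries) is that of struct ipt_clusterip_tgt_info in the uapi ipt_CLUSTERIP.h header; that the report's 2-byte read comes from that array is an inference from "Read of size 2" and is not something the log states. The register lines are copied from the report; everything else is constructed for the example.

```c
/*
 * Added example (not from the report above): decode the report's x86-64
 * register dump into the setsockopt arguments, and model the count bound a
 * checkentry routine needs. Constants are the Linux x86-64 / uapi values.
 * Assumption, not stated by the log: the 2-byte read is an element of the
 * CLUSTERIP target's fixed u16 node array.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NR_setsockopt_x86_64    54   /* ORIG_RAX 0x36 in the dump */
#define SOL_IP_LEVEL             0   /* RSI in the dump */
#define IPT_BASE_CTL            64   /* uapi/linux/netfilter_ipv4/ip_tables.h */
#define IPT_SO_SET_REPLACE      (IPT_BASE_CTL)
#define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1)

/* Register lines copied verbatim from the report. */
const char *const REGDUMP =
    "RSP: 002b:00007ffdac3b5058 EFLAGS: 00000203 ORIG_RAX: 0000000000000036\n"
    "RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000440b49\n"
    "RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003\n"
    "RBP: 00000000006cb018 R08: 0000000000000320 R09: 0000000000000000\n"
    "R10: 0000000020027000 R11: 0000000000000203 R12: 0000000000402470\n";

struct sysargs { uint64_t nr, fd, level, optname, optval, optlen; int ok; };

/* Find "REG: <hex>" in the dump. The registers looked up below each occur
 * exactly once in a pt_regs dump, so a plain substring search is unambiguous. */
static int reg_value(const char *dump, const char *reg, uint64_t *out)
{
    char key[16];
    snprintf(key, sizeof key, "%s: ", reg);
    const char *p = strstr(dump, key);
    if (!p)
        return 0;
    *out = strtoull(p + strlen(key), NULL, 16);
    return 1;
}

/* x86-64 syscall ABI: number in ORIG_RAX, arguments in rdi, rsi, rdx, r10, r8, r9. */
struct sysargs decode_regs(const char *dump)
{
    struct sysargs a = {0};
    a.ok = reg_value(dump, "ORIG_RAX", &a.nr) && reg_value(dump, "RDI", &a.fd) &&
           reg_value(dump, "RSI", &a.level) && reg_value(dump, "RDX", &a.optname) &&
           reg_value(dump, "R10", &a.optval) && reg_value(dump, "R08", &a.optlen);
    return a;
}

const char *sockopt_name(uint64_t nr, uint64_t level, uint64_t optname)
{
    if (nr != NR_setsockopt_x86_64 || level != SOL_IP_LEVEL)
        return "not an IPv4 setsockopt";
    if (optname == IPT_SO_SET_REPLACE)      return "IPT_SO_SET_REPLACE";
    if (optname == IPT_SO_SET_ADD_COUNTERS) return "IPT_SO_SET_ADD_COUNTERS";
    return "other SOL_IP option";
}

/* Field shape of struct ipt_clusterip_tgt_info (uapi): a u16 count in front of
 * a fixed u16 array. Only the fields the check needs are modelled here. */
#define CLUSTERIP_MAX_NODES 16
struct clusterip_info_model {
    uint16_t num_total_nodes;
    uint16_t num_local_nodes;
    uint16_t local_nodes[CLUSTERIP_MAX_NODES];
};

/* checkentry-style validation. The size test is what xt_check_target enforces
 * through the target's .targetsize; the count bound is what keeps the loop
 * inside local_nodes[]. Without it, num_local_nodes > 16 drives 2-byte reads
 * past the end of the struct, which is the access pattern the report shows. */
int check_clusterip_info(const struct clusterip_info_model *info, size_t targinfo_len)
{
    if (targinfo_len < sizeof *info)
        return -EINVAL;
    if (info->num_local_nodes > CLUSTERIP_MAX_NODES)   /* the bound that matters here */
        return -EINVAL;
    for (size_t i = 0; i < info->num_local_nodes; i++) {
        uint16_t id = info->local_nodes[i];
        if (id == 0 || id > CLUSTERIP_MAX_NODES)       /* node ids are 1-based */
            return -EINVAL;
    }
    return 0;
}

int main(void)
{
    struct sysargs a = decode_regs(REGDUMP);
    if (!a.ok)
        return 1;
    printf("syscall %llu: fd=%llu level=%llu optname=%llu (%s) optval=0x%llx optlen=%llu\n",
           (unsigned long long)a.nr, (unsigned long long)a.fd, (unsigned long long)a.level,
           (unsigned long long)a.optname, sockopt_name(a.nr, a.level, a.optname),
           (unsigned long long)a.optval, (unsigned long long)a.optlen);

    struct clusterip_info_model bad = { .num_total_nodes = 2,
                                        .num_local_nodes = CLUSTERIP_MAX_NODES + 1 };
    printf("over-long node list rejected: %s\n",
           check_clusterip_info(&bad, sizeof bad) == -EINVAL ? "yes" : "no");
    return 0;
}
```

The decoded call is setsockopt(3, SOL_IP, IPT_SO_SET_REPLACE, 0x20027000, 0x320), which matches the do_ipt_set_ctl / translate_table / xt_check_target frames in the trace: a whole iptables table blob is copied in and each target's checkentry runs on user-controlled targinfo before the table is installed. Note the "Freed by task 1821" pipe stack is stale slot history, not a use-after-free of this table: the allocation stack (xt_alloc_table_info) is the live owner, and the shadow bytes at the faulting address are fc, the redzone past the end of the table blob.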