[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   12.793885] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.595178] random: sshd: uninitialized urandom read (32 bytes read)
[   22.998035] random: sshd: uninitialized urandom read (32 bytes read)
[   23.468449] random: sshd: uninitialized urandom read (32 bytes read)
[   31.672614] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.3' (ECDSA) to the list of known hosts.
[   37.296672] random: sshd: uninitialized urandom read (32 bytes read)
2018/09/01 00:03:18 parsed 1 programs
[   38.413420] random: cc1: uninitialized urandom read (8 bytes read)
2018/09/01 00:03:20 executed programs: 0
2018/09/01 00:03:27 executed programs: 8
[   46.523301] ==================================================================
[   46.530851] BUG: KASAN: use-after-free in _copy_to_user+0x9a/0xc0
[   46.537077] Read of size 1425 at addr ffff8801c7fffff5 by task syz-executor3/4533
[   46.544683]
[   46.546305] CPU: 1 PID: 4533 Comm: syz-executor3 Not tainted 4.14.67+ #1
[   46.553135] Call Trace:
[   46.555719]  dump_stack+0xb9/0x11b
[   46.559268]  print_address_description+0x60/0x22b
[   46.564112]  kasan_report.cold.6+0x11b/0x2dd
[   46.568516]  ? _copy_to_user+0x9a/0xc0
[   46.572416]  _copy_to_user+0x9a/0xc0
[   46.576134]  bpf_test_finish.isra.0+0xc8/0x190
[   46.580715]  ? bpf_test_run+0x350/0x350
[   46.584687]  ? kvm_clock_read+0x1f/0x30
[   46.588685]  ? ktime_get+0x17f/0x1c0
[   46.592449]  ? bpf_test_run+0x280/0x350
[   46.596470]  bpf_prog_test_run_skb+0x4d0/0x8c0
[   46.601055]  ? bpf_test_init.isra.1+0xc0/0xc0
[   46.605549]  ? __fget_light+0x192/0x1f0
[   46.609532]  ? bpf_prog_add+0x42/0xa0
[   46.613330]  ? fput+0xa/0x130
[   46.616439]  ? bpf_test_init.isra.1+0xc0/0xc0
[   46.620952]  SyS_bpf+0x79d/0x3640
[   46.624447]  ? bpf_prog_get+0x20/0x20
[   46.628252]  ? SyS_futex+0x1b7/0x2b5
[   46.631975]  ? SyS_futex+0x1c0/0x2b5
[   46.635702]  ? do_futex+0x17b0/0x17b0
[   46.639519]  ? up_read+0x17/0x30
[   46.642879]  ? __do_page_fault+0x64c/0xb60
[   46.647113]  ? do_syscall_64+0x43/0x4b0
[   46.651103]  ? bpf_prog_get+0x20/0x20
[   46.654899]  do_syscall_64+0x19b/0x4b0
[   46.658788]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   46.663976] RIP: 0033:0x457099
[   46.667155] RSP: 002b:00007f6494e04c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
[   46.674855] RAX: ffffffffffffffda RBX: 00007f6494e056d4 RCX: 0000000000457099
[   46.682117] RDX: 0000000000000028 RSI: 00000000200002c0 RDI: 000000000000000a
[   46.689378] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[   46.696679] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[   46.703946] R13: 00000000004cb680 R14: 00000000004c3071 R15: 0000000000000000
[   46.711226]
[   46.712842] The buggy address belongs to the page:
[   46.717779] page:ffffea00071fffc0 count:0 mapcount:0 mapping:          (null) index:0x1
[   46.725932] flags: 0x4000000000000000()
[   46.729903] raw: 4000000000000000 0000000000000000 0000000000000001 00000000ffffffff
[   46.737791] raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000
[   46.745661] page dumped because: kasan: bad access detected
[   46.751355]
[   46.752972] Memory state around the buggy address:
[   46.757891]  ffff8801c7fffe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   46.765263]  ffff8801c7ffff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   46.772618] >ffff8801c7ffff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   46.779977]                                                              ^
[   46.786979]  ffff8801c8000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   46.794342]  ffff8801c8000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   46.801685] ==================================================================
[   46.809029] Disabling lock debugging due to kernel taint
[   46.875220] Kernel panic - not syncing: panic_on_warn set ...
[   46.875220]
[   46.882661] CPU: 1 PID: 4533 Comm: syz-executor3 Tainted: G    B            4.14.67+ #1
[   46.890707] Call Trace:
[   46.893323]  dump_stack+0xb9/0x11b
[   46.896864]  panic+0x1bf/0x3a4
[   46.900048]  ? add_taint.cold.4+0x16/0x16
[   46.904209]  ? ___preempt_schedule+0x16/0x18
[   46.908632]  kasan_end_report+0x43/0x49
[   46.912612]  kasan_report.cold.6+0x77/0x2dd
[   46.916931]  ? _copy_to_user+0x9a/0xc0
[   46.920815]  _copy_to_user+0x9a/0xc0
[   46.924529]  bpf_test_finish.isra.0+0xc8/0x190
[   46.929104]  ? bpf_test_run+0x350/0x350
[   46.933071]  ? kvm_clock_read+0x1f/0x30
[   46.937047]  ? ktime_get+0x17f/0x1c0
[   46.940754]  ? bpf_test_run+0x280/0x350
[   46.944727]  bpf_prog_test_run_skb+0x4d0/0x8c0
[   46.949310]  ? bpf_test_init.isra.1+0xc0/0xc0
[   46.953803]  ? __fget_light+0x192/0x1f0
[   46.957775]  ? bpf_prog_add+0x42/0xa0
[   46.961571]  ? fput+0xa/0x130
[   46.964675]  ? bpf_test_init.isra.1+0xc0/0xc0
[   46.969167]  SyS_bpf+0x79d/0x3640
[   46.972621]  ? bpf_prog_get+0x20/0x20
[   46.976435]  ? SyS_futex+0x1b7/0x2b5
[   46.980141]  ? SyS_futex+0x1c0/0x2b5
[   46.983851]  ? do_futex+0x17b0/0x17b0
[   46.987653]  ? up_read+0x17/0x30
[   46.991013]  ? __do_page_fault+0x64c/0xb60
[   46.995242]  ? do_syscall_64+0x43/0x4b0
[   46.999211]  ? bpf_prog_get+0x20/0x20
[   47.003032]  do_syscall_64+0x19b/0x4b0
[   47.006920]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   47.012116] RIP: 0033:0x457099
[   47.015306] RSP: 002b:00007f6494e04c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
[   47.023005] RAX: ffffffffffffffda RBX: 00007f6494e056d4 RCX: 0000000000457099
[   47.030281] RDX: 0000000000000028 RSI: 00000000200002c0 RDI: 000000000000000a
[   47.037541] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[   47.044799] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[   47.052059] R13: 00000000004cb680 R14: 00000000004c3071 R15: 0000000000000000
[   47.059652] Dumping ftrace buffer:
[   47.063175]    (ftrace buffer empty)
[   47.066870] Kernel Offset: 0x24e00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   47.077795] Rebooting in 86400 seconds..
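The facts a triager needs are all in the report above but spread over sixty lines: the access (a 1425-byte read starting at ffff8801c7fffff5), the first reliable frame outside the KASAN machinery and the copy helper (bpf_test_finish, called from bpf_prog_test_run_skb), the user-space registers of the faulting task (ORIG_RAX 0x141 is __NR_bpf on x86_64, RDI 0xa is BPF_PROG_TEST_RUN, RDX 0x28 is the 40-byte attr passed), and the shadow dump, which shows the read beginning 11 bytes before the end of a page whose shadow is 0xff (freed) and running on into the next, still-accessible page. The script below pulls those out. It is an added example written for this page, not syzkaller's or the kernel's own code: the shadow-byte meanings are the ones from 4.14's mm/kasan/kasan.h, the syscall and bpf command numbers are the x86_64 UAPI values, SKIP_FRAMES is my own triage heuristic, and REPORT is an excerpt of the log above used as sample input.

```python
"""Triage a KASAN report such as the one above: the faulting access, the reliable
call-trace frames, the syscall the task was in, and how the accessed range sits
against the shadow-memory dump. Added example for this page, not syzkaller's or
the kernel's code. Shadow-byte values follow 4.14's mm/kasan/kasan.h; __NR_bpf
== 321 and BPF_PROG_TEST_RUN == 10 are x86_64 UAPI values; SKIP_FRAMES is my
own triage heuristic; REPORT is an excerpt of the log above."""
import re

PAGE_SIZE = 4096
# One shadow byte per 8-byte granule: 0x00 all accessible, 0x01..0x07 partly, else poison.
SHADOW_MEANING = {0xff: "free page", 0xfb: "kmalloc freed", 0xfc: "kmalloc redzone"}
# Reporting machinery and plain accessors: the bug lives in their first reliable caller.
SKIP_FRAMES = ("dump_stack", "print_address_description", "kasan_report", "__asan_",
               "check_memory_region", "_copy_to_user", "_copy_from_user")
X86_64_SYSCALLS = {321: "bpf"}
BPF_CMDS = {0: "BPF_MAP_CREATE", 5: "BPF_PROG_LOAD", 10: "BPF_PROG_TEST_RUN"}

TS = re.compile(r"^(?:\[\s*[\d.]+\]\s*)?")   # dmesg "[   46.530851] " prefix
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
FRAME = re.compile(r"(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SHADOW = re.compile(r">?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$")
REG = re.compile(r"\b(ORIG_RAX|R[A-Z0-9]{2}): ([0-9a-f]{16})")

def parse_kasan(text):
    r, in_trace = {"frames": [], "shadow": {}, "regs": {}}, False
    for raw in text.splitlines():
        line = TS.sub("", raw.strip())
        if m := re.match(r"BUG: KASAN: (.+) in \S+", line):
            r["bug"] = m.group(1)
        elif m := ACCESS.match(line):
            r.update(kind=m.group(1), size=int(m.group(2)), addr=int(m.group(3), 16),
                     task=m.group(4), pid=int(m.group(5)))
        elif line.startswith("Call Trace:"):
            in_trace = not r["frames"]   # panic_on_warn prints a second trace; keep the first
        elif in_trace and (m := FRAME.match(line)):
            if not m.group(1):           # "? " marks a frame the unwinder could not verify
                r["frames"].append(m.group(2))
        elif m := SHADOW.match(line):
            base = int(m.group(1), 16)
            for i, b in enumerate(m.group(2).split()):
                r["shadow"][base + 8 * i] = int(b, 16)
        else:
            in_trace = False
            for reg, val in REG.findall(line):
                r["regs"].setdefault(reg, int(val, 16))   # first (pre-panic) dump wins
    return r

def culprit(r):
    """First reliable frame outside SKIP_FRAMES, without suffixes such as .isra.0."""
    for f in r["frames"]:
        if not f.startswith(SKIP_FRAMES):
            return f.split(".")[0]
    return ""

def access_layout(r):
    """Bucket each accessed byte by shadow state and flag a page crossing: above,
    the copy starts 11 bytes before the end of a freed page and runs into the next."""
    end = r["addr"] + r["size"]
    buckets = {}
    for a in range(r["addr"], end):
        sb = r["shadow"].get(a & ~7)
        if sb is None:
            key = "not in dump"
        elif sb < 8:
            key = "accessible" if sb == 0 or (a & 7) < sb else "partial granule"
        else:
            key = SHADOW_MEANING.get(sb, f"shadow 0x{sb:02x}")
        buckets[key] = buckets.get(key, 0) + 1
    page_end = (r["addr"] | (PAGE_SIZE - 1)) + 1
    return {"bytes": buckets, "crosses_page": end > page_end,
            "bytes_before_page_end": min(r["size"], page_end - r["addr"])}

def syscall_context(r):
    """ORIG_RAX is the syscall; for bpf(2) RDI is the command, RDX the bpf_attr size."""
    nr = r["regs"].get("ORIG_RAX")
    ctx = {"syscall": X86_64_SYSCALLS.get(nr, f"nr {nr}")}
    if ctx["syscall"] == "bpf":
        cmd = r["regs"].get("RDI")
        ctx["cmd"] = BPF_CMDS.get(cmd, f"cmd {cmd}")
        ctx["attr_size"] = r["regs"].get("RDX")
    return ctx

# Excerpt of the report above, used as the sample input.
REPORT = """\
[   46.530851] BUG: KASAN: use-after-free in _copy_to_user+0x9a/0xc0
[   46.537077] Read of size 1425 at addr ffff8801c7fffff5 by task syz-executor3/4533
[   46.553135] Call Trace:
[   46.555719]  dump_stack+0xb9/0x11b
[   46.564112]  kasan_report.cold.6+0x11b/0x2dd
[   46.568516]  ? _copy_to_user+0x9a/0xc0
[   46.572416]  _copy_to_user+0x9a/0xc0
[   46.576134]  bpf_test_finish.isra.0+0xc8/0x190
[   46.596470]  bpf_prog_test_run_skb+0x4d0/0x8c0
[   46.667155] RSP: 002b:00007f6494e04c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
[   46.682117] RDX: 0000000000000028 RSI: 00000000200002c0 RDI: 000000000000000a
[   46.772618] >ffff8801c7ffff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   46.786979]  ffff8801c8000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   46.794342]  ffff8801c8000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

if __name__ == "__main__":
    rep = parse_kasan(REPORT)
    print(f"KASAN: {rep['bug']} {rep['kind']} in {culprit(rep)}")
    print(access_layout(rep), syscall_context(rep))
```

On the excerpt this yields bpf_test_finish as the culprit frame, a read that crosses the page boundary at ffff8801c8000000 after 11 bytes, and a bpf(2) BPF_PROG_TEST_RUN call with a 40-byte attr, which matches the size of the test member of union bpf_attr in the 4.14 headers. The "not in dump" bucket (1158 bytes) is a limit of the five-line shadow excerpt the kernel prints, not a statement about that memory; only the 11 bytes in the freed page and the 256 bytes covered by the two 0x00 rows can be classified from the report alone.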