[ 31.903338] audit: type=1800 audit(1579079340.006:33): pid=7020 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 31.935689] audit: type=1800 audit(1579079340.006:34): pid=7020 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 35.455058] random: sshd: uninitialized urandom read (32 bytes read)
[ 35.762678] audit: type=1400 audit(1579079343.866:35): avc: denied { map } for pid=7194 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 35.811706] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.460943] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.644862] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.32' (ECDSA) to the list of known hosts.
[ 42.306377] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 42.421977] audit: type=1400 audit(1579079350.526:36): avc: denied { map } for pid=7206 comm="syz-executor905" path="/root/syz-executor905735920" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 42.505196] ==================================================================
[ 42.505217] BUG: KASAN: global-out-of-bounds in vga16fb_imageblit+0x1bdb/0x2160
[ 42.505222] Read of size 2 at addr ffffffff8708ffde by task syz-executor905/7206
[ 42.505223]
[ 42.505230] CPU: 0 PID: 7206 Comm: syz-executor905 Not tainted 4.14.165-syzkaller #0
[ 42.505233] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.505235] Call Trace:
[ 42.505243] dump_stack+0x142/0x197
[ 42.505249] ? vga16fb_imageblit+0x1bdb/0x2160
[ 42.505257] print_address_description.cold+0x5/0x1dc
[ 42.505262] ? vga16fb_imageblit+0x1bdb/0x2160
[ 42.505266] kasan_report.cold+0xa9/0x2af
[ 42.505272] __asan_report_load2_noabort+0x14/0x20
[ 42.505277] vga16fb_imageblit+0x1bdb/0x2160
[ 42.505283] ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 42.505289] ? debug_check_no_obj_freed+0x297/0x7b7
[ 42.505296] soft_cursor+0x4ff/0xa50
[ 42.505305] bit_cursor+0x11be/0x1830
[ 42.505312] ? bit_clear+0x4a0/0x4a0
[ 42.505317] ? fbcon_putcs+0x3c2/0x480
[ 42.505326] ? fbcon_putcs+0x223/0x480
[ 42.505333] ? fb_get_color_depth+0x5f/0x70
[ 42.505338] ? get_color+0x1bf/0x3b0
[ 42.505344] fbcon_cursor+0x4e3/0x6f0
[ 42.505347] ? bit_clear+0x4a0/0x4a0
[ 42.505355] set_cursor+0x1bd/0x240
[ 42.505359] redraw_screen+0x596/0x7c0
[ 42.505365] ? con_flush_chars+0x90/0x90
[ 42.505369] ? fbcon_set_palette+0x203/0x5b0
[ 42.505376] fbcon_modechanged+0x59e/0x880
[ 42.505383] fbcon_event_notify+0x11f/0x17af
[ 42.505390] ? lock_acquire+0x16f/0x430
[ 42.505398] notifier_call_chain+0x111/0x1b0
[ 42.505405] blocking_notifier_call_chain+0x80/0xa0
[ 42.505410] fb_notifier_call_chain+0x25/0x30
[ 42.505415] fb_set_var+0xb09/0xcf0
[ 42.505420] ? fb_set_suspend+0x110/0x110
[ 42.505424] ? lock_acquire+0x16f/0x430
[ 42.505428] ? lock_fb_info+0x1f/0x80
[ 42.505434] ? lock_fb_info+0x1f/0x80
[ 42.505440] ? __mutex_lock+0x36a/0x1470
[ 42.505444] ? trace_hardirqs_on+0x10/0x10
[ 42.505448] ? lock_acquire+0x16f/0x430
[ 42.505452] ? __down+0x16b/0x290
[ 42.505459] ? mutex_trylock+0x1c0/0x1c0
[ 42.505462] ? down+0x70/0x90
[ 42.505474] ? mutex_lock_nested+0x16/0x20
[ 42.505478] ? mutex_lock_nested+0x16/0x20
[ 42.505483] do_fb_ioctl+0x3cc/0x940
[ 42.505487] ? fb_read+0x520/0x520
[ 42.505495] ? avc_has_extended_perms+0x8ec/0xe40
[ 42.505501] ? putname+0xdb/0x120
[ 42.505507] ? avc_ss_reset+0x110/0x110
[ 42.505510] ? kmem_cache_free+0x83/0x2b0
[ 42.505517] ? do_syscall_64+0x1e8/0x640
[ 42.505521] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.505525] ? find_held_lock+0x35/0x130
[ 42.505530] ? debug_check_no_obj_freed+0x2aa/0x7b7
[ 42.505543] ? __might_sleep+0x93/0xb0
[ 42.505550] fb_ioctl+0xe6/0x130
[ 42.505554] ? do_fb_ioctl+0x940/0x940
[ 42.505558] do_vfs_ioctl+0x7ae/0x1060
[ 42.505563] ? selinux_file_mprotect+0x5d0/0x5d0
[ 42.505567] ? kmem_cache_free+0x244/0x2b0
[ 42.505572] ? ioctl_preallocate+0x1c0/0x1c0
[ 42.505575] ? putname+0xe0/0x120
[ 42.505582] ? do_sys_open+0x221/0x430
[ 42.505590] ? security_file_ioctl+0x7d/0xb0
[ 42.505594] ? security_file_ioctl+0x89/0xb0
[ 42.505599] SyS_ioctl+0x8f/0xc0
[ 42.505604] ? do_vfs_ioctl+0x1060/0x1060
[ 42.505609] do_syscall_64+0x1e8/0x640
[ 42.505613] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 42.505620] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.505624] RIP: 0033:0x440309
[ 42.505627] RSP: 002b:00007ffffc0ab698 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 42.505633] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440309
[ 42.505635] RDX: 0000000020000000 RSI: 0000000000004601 RDI: 0000000000000003
[ 42.505638] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 42.505641] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b90
[ 42.505643] R13: 0000000000401c20 R14: 0000000000000000 R15: 0000000000000000
[ 42.505651]
[ 42.505652] The buggy address belongs to the variable:
[ 42.505657] transl_h+0x3e/0x40
[ 42.505658]
[ 42.505660] Memory state around the buggy address:
[ 42.505664] ffffffff8708fe80: 00 03 fa fa fa fa fa fa 00 00 00 00 fa fa fa fa
[ 42.505667] ffffffff8708ff00: 00 00 00 00 00 fa fa fa fa fa fa fa 04 fa fa fa
[ 42.505671] >ffffffff8708ff80: fa fa fa fa 00 00 00 00 fa fa fa fa 00 00 00 00
[ 42.505673] ^
[ 42.505676] ffffffff87090000: fa fa fa fa 00 01 fa fa fa fa fa fa 00 00 00 04
[ 42.505679] ffffffff87090080: fa fa fa fa 00 00 04 fa fa fa fa fa 00 00 00 00
[ 42.505681] ==================================================================
[ 42.505683] Disabling lock debugging due to kernel taint
[ 42.505685] Kernel panic - not syncing: panic_on_warn set ...
[ 42.505685]
[ 42.505689] CPU: 0 PID: 7206 Comm: syz-executor905 Tainted: G B 4.14.165-syzkaller #0
[ 42.505691] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.505692] Call Trace:
[ 42.505696] dump_stack+0x142/0x197
[ 42.505701] ? vga16fb_imageblit+0x1bdb/0x2160
[ 42.505705] panic+0x1f9/0x42d
[ 42.505708] ? add_taint.cold+0x16/0x16
[ 42.505712] ? lock_downgrade+0x740/0x740
[ 42.505718] kasan_end_report+0x47/0x4f
[ 42.505722] kasan_report.cold+0x130/0x2af
[ 42.505727] __asan_report_load2_noabort+0x14/0x20
[ 42.505731] vga16fb_imageblit+0x1bdb/0x2160
[ 42.505734] ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 42.505738] ? debug_check_no_obj_freed+0x297/0x7b7
[ 42.505743] soft_cursor+0x4ff/0xa50
[ 42.505749] bit_cursor+0x11be/0x1830
[ 42.505754] ? bit_clear+0x4a0/0x4a0
[ 42.505757] ? fbcon_putcs+0x3c2/0x480
[ 42.505761] ? fbcon_putcs+0x223/0x480
[ 42.505766] ? fb_get_color_depth+0x5f/0x70
[ 42.505770] ? get_color+0x1bf/0x3b0
[ 42.505774] fbcon_cursor+0x4e3/0x6f0
[ 42.505777] ? bit_clear+0x4a0/0x4a0
[ 42.505782] set_cursor+0x1bd/0x240
[ 42.505785] redraw_screen+0x596/0x7c0
[ 42.505789] ? con_flush_chars+0x90/0x90
[ 42.505793] ? fbcon_set_palette+0x203/0x5b0
[ 42.505798] fbcon_modechanged+0x59e/0x880
[ 42.505803] fbcon_event_notify+0x11f/0x17af
[ 42.505808] ? lock_acquire+0x16f/0x430
[ 42.505812] notifier_call_chain+0x111/0x1b0
[ 42.505817] blocking_notifier_call_chain+0x80/0xa0
[ 42.505821] fb_notifier_call_chain+0x25/0x30
[ 42.505828] fb_set_var+0xb09/0xcf0
[ 42.505832] ? fb_set_suspend+0x110/0x110
[ 42.505836] ? lock_acquire+0x16f/0x430
[ 42.505839] ? lock_fb_info+0x1f/0x80
[ 42.505843] ? lock_fb_info+0x1f/0x80
[ 42.505847] ? __mutex_lock+0x36a/0x1470
[ 42.505851] ? trace_hardirqs_on+0x10/0x10
[ 42.505855] ? lock_acquire+0x16f/0x430
[ 42.505858] ? __down+0x16b/0x290
[ 42.505863] ? mutex_trylock+0x1c0/0x1c0
[ 42.505866] ? down+0x70/0x90
[ 42.505874] ? mutex_lock_nested+0x16/0x20
[ 42.505877] ? mutex_lock_nested+0x16/0x20
[ 42.505881] do_fb_ioctl+0x3cc/0x940
[ 42.505885] ? fb_read+0x520/0x520
[ 42.505889] ? avc_has_extended_perms+0x8ec/0xe40
[ 42.505893] ? putname+0xdb/0x120
[ 42.505897] ? avc_ss_reset+0x110/0x110
[ 42.505900] ? kmem_cache_free+0x83/0x2b0
[ 42.505904] ? do_syscall_64+0x1e8/0x640
[ 42.505907] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.505911] ? find_held_lock+0x35/0x130
[ 42.505915] ? debug_check_no_obj_freed+0x2aa/0x7b7
[ 42.505923] ? __might_sleep+0x93/0xb0
[ 42.505928] fb_ioctl+0xe6/0x130
[ 42.505931] ? do_fb_ioctl+0x940/0x940
[ 42.505935] do_vfs_ioctl+0x7ae/0x1060
[ 42.505939] ? selinux_file_mprotect+0x5d0/0x5d0
[ 42.505942] ? kmem_cache_free+0x244/0x2b0
[ 42.505946] ? ioctl_preallocate+0x1c0/0x1c0
[ 42.505949] ? putname+0xe0/0x120
[ 42.505953] ? do_sys_open+0x221/0x430
[ 42.505959] ? security_file_ioctl+0x7d/0xb0
[ 42.505962] ? security_file_ioctl+0x89/0xb0
[ 42.505967] SyS_ioctl+0x8f/0xc0
[ 42.505971] ? do_vfs_ioctl+0x1060/0x1060
[ 42.505975] do_syscall_64+0x1e8/0x640
[ 42.505978] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 42.505983] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.505986] RIP: 0033:0x440309
[ 42.505988] RSP: 002b:00007ffffc0ab698 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 42.505992] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440309
[ 42.505994] RDX: 0000000020000000 RSI: 0000000000004601 RDI: 0000000000000003
[ 42.505996] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 42.505998] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b90
[ 42.506000] R13: 0000000000401c20 R14: 0000000000000000 R15: 0000000000000000
[ 42.507454] Kernel Offset: disabled
[ 43.316439] Rebooting in 86400 seconds..