[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 18.324860] random: sshd: uninitialized urandom read (32 bytes read)
[ 18.675646] audit: type=1400 audit(1537843261.114:6): avc: denied { map } for pid=1765 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 18.724646] random: sshd: uninitialized urandom read (32 bytes read)
[ 19.210943] random: sshd: uninitialized urandom read (32 bytes read)
[ 19.373552] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.27' (ECDSA) to the list of known hosts.
[ 24.980339] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.074332] audit: type=1400 audit(1537843267.514:7): avc: denied { map } for pid=1783 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2018/09/25 02:41:08 parsed 1 programs
[ 25.575173] audit: type=1400 audit(1537843268.014:8): avc: denied { map } for pid=1783 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=4999 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 25.982196] random: cc1: uninitialized urandom read (8 bytes read)
2018/09/25 02:41:09 executed programs: 0
[ 26.759612] audit: type=1400 audit(1537843269.194:9): avc: denied { map } for pid=1783 comm="syz-execprog" path="/root/syzkaller-shm365679224" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 33.738775] audit: type=1400 audit(1537843276.174:10): avc: denied { prog_load } for pid=4439 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 33.762659] audit: type=1400 audit(1537843276.204:11): avc: denied { prog_run } for pid=4439 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 33.767918] ==================================================================
[ 33.767948] BUG: KASAN: use-after-free in _copy_to_user+0x9a/0xc0
[ 33.767954] Read of size 1659 at addr ffff8801c0bffff5 by task syz-executor2/4440
[ 33.767956]
[ 33.767969] CPU: 0 PID: 4440 Comm: syz-executor2 Not tainted 4.14.71+ #8
[ 33.767972] Call Trace:
[ 33.767990]  dump_stack+0xb9/0x11b
[ 33.768004]  print_address_description+0x60/0x22b
[ 33.768016]  kasan_report.cold.6+0x11b/0x2dd
[ 33.768022]  ? _copy_to_user+0x9a/0xc0
[ 33.768032]  _copy_to_user+0x9a/0xc0
[ 33.768045]  bpf_test_finish.isra.0+0xc8/0x190
[ 33.768053]  ? bpf_test_run+0x350/0x350
[ 33.768065]  ? kvm_clock_read+0x1f/0x30
[ 33.768072]  ? ktime_get+0x17f/0x1c0
[ 33.768085]  ? bpf_test_run+0x280/0x350
[ 33.768104]  bpf_prog_test_run_skb+0x4d0/0x8c0
[ 33.768117]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 33.768128]  ? __fget_light+0x192/0x1f0
[ 33.768135]  ? bpf_prog_add+0x42/0xa0
[ 33.768141]  ? fput+0xa/0x130
[ 33.768151]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 33.768160]  SyS_bpf+0x79d/0x3640
[ 33.768174]  ? bpf_prog_get+0x20/0x20
[ 33.768180]  ? _copy_to_user+0x7f/0xc0
[ 33.768191]  ? put_timespec64+0xb9/0x110
[ 33.768206]  ? do_clock_gettime+0x30/0xb0
[ 33.768218]  ? SyS_clock_gettime+0x7b/0xd0
[ 33.768226]  ? do_clock_gettime+0xb0/0xb0
[ 33.768236]  ? do_syscall_64+0x43/0x4b0
[ 33.768248]  ? bpf_prog_get+0x20/0x20
[ 33.768253]  do_syscall_64+0x19b/0x4b0
[ 33.768276]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 33.768282] RIP: 0033:0x457579
[ 33.768285] RSP: 002b:00007f3bd265cc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
[ 33.768293] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457579
[ 33.768297] RDX: 0000000000000028 RSI: 0000000020000180 RDI: 000000000000000a
[ 33.768302] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
[ 33.768306] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f3bd265d6d4
[ 33.768310] R13: 00000000004bd8a6 R14: 00000000004cc168 R15: 00000000ffffffff
[ 33.768330]
[ 33.768332] The buggy address belongs to the page:
[ 33.768338] page:ffffea000702ffc0 count:0 mapcount:0 mapping: (null) index:0x0
[ 33.768344] flags: 0x4000000000000000()
[ 33.768354] raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff
[ 33.768361] raw: ffffea000702ffe0 ffffea000702ffe0 0000000000000000 0000000000000000
[ 33.768364] page dumped because: kasan: bad access detected
[ 33.768366]
[ 33.768368] Memory state around the buggy address:
[ 33.768374]  ffff8801c0bffe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.768379]  ffff8801c0bfff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.768384] >ffff8801c0bfff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.768387]                                                              ^
[ 33.768392]  ffff8801c0c00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.768397]  ffff8801c0c00080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.768399] ==================================================================
[ 33.768402] Disabling lock debugging due to kernel taint
[ 33.768405] Kernel panic - not syncing: panic_on_warn set ...
[ 33.768405]
[ 33.768412] CPU: 0 PID: 4440 Comm: syz-executor2 Tainted: G B 4.14.71+ #8
[ 33.768414] Call Trace:
[ 33.768420]  dump_stack+0xb9/0x11b
[ 33.768429]  panic+0x1bf/0x3a4
[ 33.768436]  ? add_taint.cold.4+0x16/0x16
[ 33.768450]  kasan_end_report+0x43/0x49
[ 33.768457]  kasan_report.cold.6+0x77/0x2dd
[ 33.768463]  ? _copy_to_user+0x9a/0xc0
[ 33.768470]  _copy_to_user+0x9a/0xc0
[ 33.768479]  bpf_test_finish.isra.0+0xc8/0x190
[ 33.768486]  ? bpf_test_run+0x350/0x350
[ 33.768493]  ? kvm_clock_read+0x1f/0x30
[ 33.768498]  ? ktime_get+0x17f/0x1c0
[ 33.768507]  ? bpf_test_run+0x280/0x350
[ 33.768525]  bpf_prog_test_run_skb+0x4d0/0x8c0
[ 33.768534]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 33.768542]  ? __fget_light+0x192/0x1f0
[ 33.768548]  ? bpf_prog_add+0x42/0xa0
[ 33.768553]  ? fput+0xa/0x130
[ 33.768560]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 33.768568]  SyS_bpf+0x79d/0x3640
[ 33.768578]  ? bpf_prog_get+0x20/0x20
[ 33.768583]  ? _copy_to_user+0x7f/0xc0
[ 33.768591]  ? put_timespec64+0xb9/0x110
[ 33.768601]  ? do_clock_gettime+0x30/0xb0
[ 33.768610]  ? SyS_clock_gettime+0x7b/0xd0
[ 33.768617]  ? do_clock_gettime+0xb0/0xb0
[ 33.768624]  ? do_syscall_64+0x43/0x4b0
[ 33.768632]  ? bpf_prog_get+0x20/0x20
[ 33.768637]  do_syscall_64+0x19b/0x4b0
[ 33.768647]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 33.768651] RIP: 0033:0x457579
[ 33.768654] RSP: 002b:00007f3bd265cc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
[ 33.768661] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457579
[ 33.768664] RDX: 0000000000000028 RSI: 0000000020000180 RDI: 000000000000000a
[ 33.768668] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
[ 33.768672] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f3bd265d6d4
[ 33.768676] R13: 00000000004bd8a6 R14: 00000000004cc168 R15: 00000000ffffffff
[ 33.785279] Kernel Offset: 0x33000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 34.267007] Rebooting in 86400 seconds..
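What an analyst has to extract from the console output above: a KASAN use-after-free read of 1659 bytes in _copy_to_user, reached from bpf_test_finish via bpf_prog_test_run_skb and SyS_bpf; a start address 11 bytes before a page boundary, with shadow bytes ff (freed page) under it and 00 (accessible) on the next page; saved registers giving the syscall (ORIG_RAX 0x141) and its first argument (RDI 0xa); and a "Kernel Offset" line that discloses the KASLR slide. The script below is an added triage example, not syzkaller code and not part of this report. Its input is the decisive lines of the report, embedded as a constructed string copied from the log; the syscall and bpf_cmd tables and the shadow-byte legend are the x86-64 and 4.14-era values.

```python
"""Triage a KASAN report copied off a serial console (added example, not syzkaller code)."""
import re

PAGE_SIZE = 0x1000
X86_64_SYSCALLS = {0x141: "bpf"}       # __NR_bpf == 321 on x86-64
BPF_CMDS = {10: "BPF_PROG_TEST_RUN"}   # enum bpf_cmd, include/uapi/linux/bpf.h
# KASAN shadow legend for 4.14-era kernels (mm/kasan/kasan.h); one shadow byte covers 8 bytes.
SHADOW_LEGEND = {0x00: "accessible", 0xfa: "global redzone", 0xfb: "freed slab object",
                 0xfc: "kmalloc redzone", 0xfe: "page redzone", 0xff: "freed page"}
# Frames of the reporting and syscall-entry machinery, not of the buggy call path.
NOISE = ("dump_stack", "print_address_description", "kasan_report", "kasan_end_report",
         "do_syscall_64", "entry_SYSCALL")
TIMESTAMP = re.compile(r"^\[\s*[\d.]+\]\s*")
FRAME = re.compile(r"(\?\s+)?(\S+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SHADOW_ROW = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2}\s?){16})$")

# Constructed input: the decisive lines of the report on this page, copied from the console log.
REPORT = """\
[ 33.767948] BUG: KASAN: use-after-free in _copy_to_user+0x9a/0xc0
[ 33.767954] Read of size 1659 at addr ffff8801c0bffff5 by task syz-executor2/4440
[ 33.767972] Call Trace:
[ 33.767990]  dump_stack+0xb9/0x11b
[ 33.768004]  print_address_description+0x60/0x22b
[ 33.768016]  kasan_report.cold.6+0x11b/0x2dd
[ 33.768022]  ? _copy_to_user+0x9a/0xc0
[ 33.768032]  _copy_to_user+0x9a/0xc0
[ 33.768045]  bpf_test_finish.isra.0+0xc8/0x190
[ 33.768104]  bpf_prog_test_run_skb+0x4d0/0x8c0
[ 33.768160]  SyS_bpf+0x79d/0x3640
[ 33.768253]  do_syscall_64+0x19b/0x4b0
[ 33.768276]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 33.768285] RSP: 002b:00007f3bd265cc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
[ 33.768297] RDX: 0000000000000028 RSI: 0000000020000180 RDI: 000000000000000a
[ 33.768384] >ffff8801c0bfff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.768392]  ffff8801c0c00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.785279] Kernel Offset: 0x33000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
"""

def page_span(addr, size, page_size=PAGE_SIZE):
    """Split an access of `size` bytes at `addr` into (bytes inside addr's page, bytes past it)."""
    room = page_size - (addr & (page_size - 1))
    return min(size, room), max(0, size - room)

def parse_kasan(text):
    """Pull the report fields out of raw console lines; unrelated lines are ignored."""
    rep = {"frames": [], "shadow": {}}
    in_trace = False
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw)
        if in_trace:
            m = FRAME.match(line)
            if m:
                if not m.group(1):  # "? foo" is a stale stack word, not a confirmed return address
                    rep["frames"].append(m.group(2).split(".")[0])  # strip .isra.N / .cold.N
                continue
            in_trace = False  # first non-frame line (RIP:/RSP:) ends the trace
        if (m := re.match(r"BUG: KASAN: (\S+) in (\S+)\+0x", line)):
            rep["bug"], rep["faulting"] = m.group(1), m.group(2)
        elif (m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", line)):
            rep.update(access=m.group(1).lower(), size=int(m.group(2)), addr=int(m.group(3), 16),
                       task=m.group(4), pid=int(m.group(5)))
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif (m := re.search(r"ORIG_RAX: ([0-9a-f]+)", line)):
            rep["syscall"] = X86_64_SYSCALLS.get(int(m.group(1), 16), "unknown")
        elif (m := re.search(r"RDI: ([0-9a-f]+)", line)):  # first bpf() argument: the command
            rep["bpf_cmd"] = BPF_CMDS.get(int(m.group(1), 16), "unknown")
        elif (m := re.match(r"Kernel Offset: (0x[0-9a-f]+) from (0x[0-9a-f]+)", line)):
            rep["kaslr_offset"] = int(m.group(1), 16)  # the oops hands out the KASLR slide
            rep["text_base"] = int(m.group(2), 16) + rep["kaslr_offset"]
        elif (m := SHADOW_ROW.match(line)):
            rep["shadow"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return rep

def shadow_of(rep, addr):
    """Meaning of the shadow byte covering `addr`, from the dumped rows (128 bytes per row)."""
    row = rep["shadow"].get(addr & ~0x7f)
    if row is None:
        return "not dumped"
    return SHADOW_LEGEND.get(row[(addr & 0x7f) >> 3], "other")

def triage(text):
    """Reduce a report to what gets filed: culprit, call path, span of the access, entry point."""
    rep = parse_kasan(text)
    frames, faulting = rep["frames"], rep["faulting"]
    start = frames.index(faulting) if faulting in frames else 0
    path = [f for f in frames[start:] if not f.startswith(NOISE)]
    in_page, past_page = page_span(rep["addr"], rep["size"])
    next_page = (rep["addr"] | (PAGE_SIZE - 1)) + 1
    rep.update(path=path, culprit=path[1] if len(path) > 1 else path[0],
               in_page=in_page, past_page=past_page,
               shadow_at_addr=shadow_of(rep, rep["addr"]),
               shadow_past_page=shadow_of(rep, next_page))
    return rep

if __name__ == "__main__":
    r = triage(REPORT)
    print(f"{r['bug']}: {r['access']} of {r['size']} bytes in {r['faulting']}, from {r['culprit']}")
    print("path:", " <- ".join(r["path"]), f"| via {r['syscall']}({r['bpf_cmd']})")
    print(f"{r['in_page']} bytes in a {r['shadow_at_addr']}, {r['past_page']} spill into memory "
          f"marked {r['shadow_past_page']}; kernel text base 0x{r['text_base']:x}")
```

The span arithmetic is the part worth keeping for other reports: a read that starts 11 bytes before the end of a freed page and runs 1648 bytes into the accessible page after it is both a use-after-free and a potential disclosure of whatever that next page holds, which changes how the report is prioritised. The "Kernel Offset" line is a reminder that a console-visible oops on a panic_on_warn kernel defeats KASLR for anyone who can read the serial log.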