[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.100' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 51.849691] ==================================================================
[ 51.857140] BUG: KASAN: slab-out-of-bounds in hfs_asc2mac+0x68f/0x710
[ 51.863705] Write of size 1 at addr ffff8880b2899f4e by task syz-executor311/8116
[ 51.871298]
[ 51.872909] CPU: 1 PID: 8116 Comm: syz-executor311 Not tainted 4.19.211-syzkaller #0
[ 51.880768] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 51.890102] Call Trace:
[ 51.892674] dump_stack+0x1fc/0x2ef
[ 51.896285] print_address_description.cold+0x54/0x219
[ 51.901542] kasan_report_error.cold+0x8a/0x1b9
[ 51.906192] ? hfs_asc2mac+0x68f/0x710
[ 51.910067] __asan_report_store1_noabort+0x88/0x90
[ 51.915066] ? hfs_asc2mac+0x68f/0x710
[ 51.918935] hfs_asc2mac+0x68f/0x710
[ 51.922634] ? hfs_mac2asc+0x530/0x530
[ 51.926503] ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 51.931497] ? __kmalloc+0x38e/0x3c0
[ 51.935192] ? hfs_find_init+0x91/0x230
[ 51.939148] hfs_cat_build_key+0xbe/0x1a0
[ 51.943274] hfs_lookup+0x1c2/0x300
[ 51.946881] ? hfs_rename+0x200/0x200
[ 51.950667] ? __d_lookup_rcu+0x6b0/0x6b0
[ 51.954795] ? __d_lookup+0x411/0x710
[ 51.958577] ? mark_held_locks+0xa6/0xf0
[ 51.962619] ? d_lookup+0x1aa/0x250
[ 51.966227] ? d_lookup+0x18e/0x250
[ 51.969832] ? hfs_rename+0x200/0x200
[ 51.973611] lookup_open+0x698/0x1a20
[ 51.977396] ? vfs_mkdir+0x7a0/0x7a0
[ 51.981094] ? lookup_fast+0x4e9/0x1080
[ 51.985049] ? path_openat+0x17ec/0x2df0
[ 51.989093] path_openat+0x1804/0x2df0
[ 51.992962] ? path_lookupat+0x8d0/0x8d0
[ 51.997000] ? mark_held_locks+0xf0/0xf0
[ 52.001039] ? mark_held_locks+0xf0/0xf0
[ 52.005078] ? check_preemption_disabled+0x41/0x280
[ 52.010074] do_filp_open+0x18c/0x3f0
[ 52.013851] ? may_open_dev+0xf0/0xf0
[ 52.017634] ? lock_downgrade+0x720/0x720
[ 52.021763] ? lock_acquire+0x170/0x3c0
[ 52.025721] ? __alloc_fd+0x34/0x570
[ 52.029413] ? do_raw_spin_unlock+0x171/0x230
[ 52.033888] ? _raw_spin_unlock+0x29/0x40
[ 52.038013] ? __alloc_fd+0x28d/0x570
[ 52.041820] do_sys_open+0x3b3/0x520
[ 52.045603] ? filp_open+0x70/0x70
[ 52.049142] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 52.054485] ? trace_hardirqs_off_caller+0x6e/0x210
[ 52.059481] ? do_syscall_64+0x21/0x620
[ 52.063432] do_syscall_64+0xf9/0x620
[ 52.067211] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.072491] RIP: 0033:0x7fc25ccc4219
[ 52.076188] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 52.095158] RSP: 002b:00007ffd9e228f28 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 52.102869] RAX: ffffffffffffffda RBX: 00007ffd9e228f38 RCX: 00007fc25ccc4219
[ 52.110119] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 00000000ffffff9c
[ 52.117777] RBP: 00007ffd9e228f30 R08: 00007ffd9e228f30 R09: 00007fc25cc81540
[ 52.125028] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 52.132293] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 52.139553]
[ 52.141247] Allocated by task 8116:
[ 52.144861] __kmalloc+0x15a/0x3c0
[ 52.148381] hfs_find_init+0x91/0x230
[ 52.152168] hfs_lookup+0xfe/0x300
[ 52.155691] lookup_open+0x698/0x1a20
[ 52.159471] path_openat+0x1804/0x2df0
[ 52.163334] do_filp_open+0x18c/0x3f0
[ 52.167129] do_sys_open+0x3b3/0x520
[ 52.170821] do_syscall_64+0xf9/0x620
[ 52.174607] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.179773]
[ 52.181378] Freed by task 1:
[ 52.184373] kfree+0xcc/0x210
[ 52.187455] apparmor_file_free_security+0x9a/0xd0
[ 52.192367] security_file_free+0x3e/0x70
[ 52.196498] __fput+0x42a/0x890
[ 52.199757] task_work_run+0x148/0x1c0
[ 52.203621] exit_to_usermode_loop+0x251/0x2a0
[ 52.208182] do_syscall_64+0x538/0x620
[ 52.212048] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.217211]
[ 52.218818] The buggy address belongs to the object at ffff8880b2899f00
[ 52.218818] which belongs to the cache kmalloc-96 of size 96
[ 52.231284] The buggy address is located 78 bytes inside of
[ 52.231284] 96-byte region [ffff8880b2899f00, ffff8880b2899f60)
[ 52.242959] The buggy address belongs to the page:
[ 52.247866] page:ffffea0002ca2640 count:1 mapcount:0 mapping:ffff88813bff04c0 index:0x0
[ 52.255987] flags: 0xfff00000000100(slab)
[ 52.260123] raw: 00fff00000000100 ffffea0002cbb6c8 ffffea0002cbec08 ffff88813bff04c0
[ 52.267982] raw: 0000000000000000 ffff8880b2899000 0000000100000020 0000000000000000
[ 52.275837] page dumped because: kasan: bad access detected
[ 52.281521]
[ 52.283125] Memory state around the buggy address:
[ 52.288031] ffff8880b2899e00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 52.295371] ffff8880b2899e80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 52.302706] >ffff8880b2899f00: 00 00 00 00 00 00 00 00 00 06 fc fc fc fc fc fc
[ 52.310039]                                               ^
[ 52.315726] ffff8880b2899f80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 52.323059] ffff8880b289a000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 52.330388] ==================================================================
[ 52.337728] Disabling lock debugging due to kernel taint
[ 52.343966] Kernel panic - not syncing: panic_on_warn set ...
[ 52.343966]
[ 52.351338] CPU: 0 PID: 8116 Comm: syz-executor311 Tainted: G B 4.19.211-syzkaller #0
[ 52.360599] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 52.369946] Call Trace:
[ 52.372532] dump_stack+0x1fc/0x2ef
[ 52.376149] panic+0x26a/0x50e
[ 52.379322] ? __warn_printk+0xf3/0xf3
[ 52.383185] ? preempt_schedule_common+0x45/0xc0
[ 52.387923] ? ___preempt_schedule+0x16/0x18
[ 52.392309] ? trace_hardirqs_on+0x55/0x210
[ 52.396608] kasan_end_report+0x43/0x49
[ 52.400564] kasan_report_error.cold+0xa7/0x1b9
[ 52.405217] ? hfs_asc2mac+0x68f/0x710
[ 52.409083] __asan_report_store1_noabort+0x88/0x90
[ 52.414078] ? hfs_asc2mac+0x68f/0x710
[ 52.417943] hfs_asc2mac+0x68f/0x710
[ 52.421636] ? hfs_mac2asc+0x530/0x530
[ 52.425501] ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 52.430496] ? __kmalloc+0x38e/0x3c0
[ 52.434187] ? hfs_find_init+0x91/0x230
[ 52.438138] hfs_cat_build_key+0xbe/0x1a0
[ 52.442265] hfs_lookup+0x1c2/0x300
[ 52.445892] ? hfs_rename+0x200/0x200
[ 52.449670] ? __d_lookup_rcu+0x6b0/0x6b0
[ 52.453792] ? __d_lookup+0x411/0x710
[ 52.457569] ? mark_held_locks+0xa6/0xf0
[ 52.461612] ? d_lookup+0x1aa/0x250
[ 52.465215] ? d_lookup+0x18e/0x250
[ 52.468816] ? hfs_rename+0x200/0x200
[ 52.472593] lookup_open+0x698/0x1a20
[ 52.476371] ? vfs_mkdir+0x7a0/0x7a0
[ 52.480064] ? lookup_fast+0x4e9/0x1080
[ 52.484016] ? path_openat+0x17ec/0x2df0
[ 52.488057] path_openat+0x1804/0x2df0
[ 52.491924] ? path_lookupat+0x8d0/0x8d0
[ 52.495967] ? mark_held_locks+0xf0/0xf0
[ 52.500002] ? mark_held_locks+0xf0/0xf0
[ 52.504042] ? check_preemption_disabled+0x41/0x280
[ 52.509035] do_filp_open+0x18c/0x3f0
[ 52.512811] ? may_open_dev+0xf0/0xf0
[ 52.516591] ? lock_downgrade+0x720/0x720
[ 52.520712] ? lock_acquire+0x170/0x3c0
[ 52.524663] ? __alloc_fd+0x34/0x570
[ 52.528359] ? do_raw_spin_unlock+0x171/0x230
[ 52.532832] ? _raw_spin_unlock+0x29/0x40
[ 52.536958] ? __alloc_fd+0x28d/0x570
[ 52.540736] do_sys_open+0x3b3/0x520
[ 52.544424] ? filp_open+0x70/0x70
[ 52.547940] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 52.553278] ? trace_hardirqs_off_caller+0x6e/0x210
[ 52.558269] ? do_syscall_64+0x21/0x620
[ 52.562242] do_syscall_64+0xf9/0x620
[ 52.566020] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.571186] RIP: 0033:0x7fc25ccc4219
[ 52.574879] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 52.593755] RSP: 002b:00007ffd9e228f28 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 52.601437] RAX: ffffffffffffffda RBX: 00007ffd9e228f38 RCX: 00007fc25ccc4219
[ 52.608682] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 00000000ffffff9c
[ 52.615927] RBP: 00007ffd9e228f30 R08: 00007ffd9e228f30 R09: 00007fc25cc81540
[ 52.623174] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 52.630418] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 52.637862] Kernel Offset: disabled
[ 52.641466] Rebooting in 86400 seconds..