[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.
[   31.235847] kauditd_printk_skb: 9 callbacks suppressed
[   31.235859] audit: type=1800 audit(1540929903.058:33): pid=5658 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[   31.262942] audit: type=1800 audit(1540929903.068:34): pid=5658 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   44.959580] audit: type=1400 audit(1540929916.788:35): avc:  denied  { map } for  pid=5837 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   44.997722] sshd (5835) used greatest stack depth: 15744 bytes left
Warning: Permanently added '10.128.0.69' (ECDSA) to the list of known hosts.
[   51.605122] audit: type=1400 audit(1540929923.428:36): avc:  denied  { map } for  pid=5849 comm="syz-executor334" path="/root/syz-executor334387810" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   51.621270] IPVS: ftp: loaded support on port[0] = 21
[   51.797705] bridge0: port 1(bridge_slave_0) entered blocking state
[   51.804440] bridge0: port 1(bridge_slave_0) entered disabled state
[   51.811665] device bridge_slave_0 entered promiscuous mode
[   51.831090] bridge0: port 2(bridge_slave_1) entered blocking state
[   51.837616] bridge0: port 2(bridge_slave_1) entered disabled state
[   51.844517] device bridge_slave_1 entered promiscuous mode
[   51.863147] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   51.881808] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   51.933699] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   51.953890] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   52.031881] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   52.039276] team0: Port device team_slave_0 added
[   52.055634] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   52.062799] team0: Port device team_slave_1 added
[   52.079817] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   52.102240] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   52.123148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   52.142781] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[   52.292648] bridge0: port 2(bridge_slave_1) entered blocking state
[   52.299092] bridge0: port 2(bridge_slave_1) entered forwarding state
[   52.305881] bridge0: port 1(bridge_slave_0) entered blocking state
[   52.312295] bridge0: port 1(bridge_slave_0) entered forwarding state
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[   52.838339] 8021q: adding VLAN 0 to HW filter on device bond0
[   52.891415] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   52.945129] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   52.951348] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   52.959320] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   53.008592] 8021q: adding VLAN 0 to HW filter on device team0
executing program
[   53.301592] audit: type=1400 audit(1540929925.128:37): avc:  denied  { prog_load } for  pid=5850 comm="syz-executor334" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[   53.327758] audit: type=1400 audit(1540929925.158:38): avc:  denied  { prog_run } for  pid=5850 comm="syz-executor334" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[   53.328168] ==================================================================
[   53.357716] BUG: KASAN: slab-out-of-bounds in _decode_session6+0x134a/0x1500
[   53.364885] Read of size 1 at addr ffff8801d88177c7 by task syz-executor334/5850
[   53.372397]
[   53.374010] CPU: 0 PID: 5850 Comm: syz-executor334 Not tainted 4.19.0+ #90
[   53.381003] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   53.390342] Call Trace:
[   53.392920]  dump_stack+0x244/0x39d
[   53.396538]  ? dump_stack_print_info.cold.1+0x20/0x20
[   53.401713]  ? printk+0xa7/0xcf
[   53.404986]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   53.409736]  print_address_description.cold.7+0x9/0x1ff
[   53.415114]  kasan_report.cold.8+0x242/0x309
[   53.419533]  ? _decode_session6+0x134a/0x1500
[   53.424040]  __asan_report_load1_noabort+0x14/0x20
[   53.428965]  _decode_session6+0x134a/0x1500
[   53.433288]  __xfrm_decode_session+0x71/0x140
[   53.437810]  vti6_tnl_xmit+0x3fc/0x1c10
[   53.441773]  ? __lock_acquire+0x62f/0x4c20
[   53.446014]  ? vti6_tnl_create2+0x430/0x430
[   53.450341]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   53.455864]  ? check_preemption_disabled+0x48/0x280
[   53.460901]  dev_hard_start_xmit+0x295/0xc90
[   53.465302]  ? dev_direct_xmit+0x6b0/0x6b0
[   53.469528]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   53.475068]  ? netif_skb_features+0x690/0xb70
[   53.479548]  ? rcu_softirq_qs+0x20/0x20
[   53.483516]  ? lock_acquire+0x1ed/0x520
[   53.487495]  ? __dev_queue_xmit+0x3063/0x3ad0
[   53.491983]  ? kasan_check_read+0x11/0x20
[   53.496121]  ? do_raw_spin_lock+0x14f/0x350
[   53.500428]  ? rwlock_bug.part.2+0x90/0x90
[   53.504653]  ? netif_skb_features+0xb70/0xb70
[   53.509139]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   53.514663]  ? check_preemption_disabled+0x48/0x280
[   53.519672]  __dev_queue_xmit+0x2f71/0x3ad0
[   53.523979]  ? save_stack+0x43/0xd0
[   53.527588]  ? kasan_kmalloc+0xc7/0xe0
[   53.531463]  ? __kmalloc_node_track_caller+0x50/0x70
[   53.536560]  ? netdev_pick_tx+0x310/0x310
[   53.540696]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   53.546226]  ? check_preemption_disabled+0x48/0x280
[   53.551259]  ? __lock_is_held+0xb5/0x140
[   53.555320]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   53.560349]  ? skb_release_data+0x1c4/0x880
[   53.564659]  ? kmem_cache_alloc_node_trace+0x34b/0x740
[   53.570008]  ? kasan_unpoison_shadow+0x35/0x50
[   53.574587]  ? skb_tx_error+0x2f0/0x2f0
[   53.578554]  ? __kmalloc_node_track_caller+0x50/0x70
[   53.583652]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   53.589182]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   53.594721]  ? kasan_check_write+0x14/0x20
[   53.598950]  ? pskb_expand_head+0x6b3/0x10f0
[   53.603354]  ? skb_release_data+0x880/0x880
[   53.607669]  ? __alloc_skb+0x770/0x770
[   53.611545]  ? __lock_is_held+0xb5/0x140
[   53.615593]  ? kasan_check_write+0x14/0x20
[   53.619814]  ? __skb_clone+0x6c7/0xa00
[   53.623686]  ? __copy_skb_header+0x6b0/0x6b0
[   53.628097]  ? kmem_cache_alloc+0x33a/0x730
[   53.632419]  ? depot_save_stack+0x292/0x470
[   53.636778]  ? skb_ensure_writable+0x15e/0x640
[   53.641353]  dev_queue_xmit+0x17/0x20
[   53.645137]  ? dev_queue_xmit+0x17/0x20
[   53.649101]  __bpf_redirect+0x5cf/0xb20
[   53.653065]  bpf_clone_redirect+0x2f6/0x490
[   53.657380]  bpf_prog_c39d1ba309a769f7+0x1db/0x1000
[   53.662383]  ? bpf_test_run+0x175/0x780
[   53.666366]  ? lock_downgrade+0x900/0x900
[   53.670499]  ? ktime_get+0x332/0x400
[   53.674200]  ? find_held_lock+0x36/0x1c0
[   53.678250]  ? lock_acquire+0x1ed/0x520
[   53.682206]  ? bpf_test_run+0x3cb/0x780
[   53.686165]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   53.691692]  ? check_preemption_disabled+0x48/0x280
[   53.696696]  ? kasan_check_read+0x11/0x20
[   53.700827]  ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170
[   53.706087]  ? rcu_softirq_qs+0x20/0x20
[   53.710044]  ? bpf_cgroup_storage_release+0x220/0x220
[   53.715217]  ? skb_try_coalesce+0x1b70/0x1b70
[   53.719702]  ? bpf_test_run+0x25d/0x780
[   53.723668]  ? netlink_diag_dump+0x2a0/0x2a0
[   53.728081]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   53.733606]  ? bpf_prog_test_run_skb+0x73b/0xcb0
[   53.738353]  ? bpf_test_finish.isra.9+0x1f0/0x1f0
[   53.743193]  ? bpf_prog_add+0x69/0xd0
[   53.746999]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   53.752537]  ? __bpf_prog_get+0x9b/0x290
[   53.756587]  ? bpf_test_finish.isra.9+0x1f0/0x1f0
[   53.761413]  ? bpf_prog_test_run+0x130/0x1a0
[   53.765809]  ? __x64_sys_bpf+0x3d8/0x520
[   53.769855]  ? bpf_prog_get+0x20/0x20
[   53.773657]  ? do_syscall_64+0x1b9/0x820
[   53.777704]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   53.783055]  ? syscall_return_slowpath+0x5e0/0x5e0
[   53.787968]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   53.792818]  ? trace_hardirqs_on_caller+0x310/0x310
[   53.797820]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   53.802824]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   53.808347]  ? prepare_exit_to_usermode+0x291/0x3b0
[   53.813351]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   53.818183]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   53.823533]
[   53.825143] Allocated by task 5850:
[   53.828758]  save_stack+0x43/0xd0
[   53.832195]  kasan_kmalloc+0xc7/0xe0
[   53.835890]  __kmalloc_node_track_caller+0x50/0x70
[   53.840807]  __kmalloc_reserve.isra.40+0x41/0xe0
[   53.845547]  pskb_expand_head+0x230/0x10f0
[   53.849766]  skb_ensure_writable+0x3dd/0x640
[   53.854191]  bpf_clone_redirect+0x14a/0x490
[   53.858500]  bpf_prog_c39d1ba309a769f7+0x1db/0x1000
[   53.863493]
[   53.865103] Freed by task 4644:
[   53.868370]  save_stack+0x43/0xd0
[   53.871807]  __kasan_slab_free+0x102/0x150
[   53.876030]  kasan_slab_free+0xe/0x10
[   53.879815]  kfree+0xcf/0x230
[   53.882903]  load_elf_binary+0x25b4/0x5620
[   53.887125]  search_binary_handler+0x17d/0x570
[   53.891692]  __do_execve_file.isra.33+0x1661/0x25d0
[   53.896691]  __x64_sys_execve+0x8f/0xc0
[   53.900668]  do_syscall_64+0x1b9/0x820
[   53.904540]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   53.909708]
[   53.911322] The buggy address belongs to the object at ffff8801d88175c0
[   53.911322]  which belongs to the cache kmalloc-512 of size 512
[   53.923964] The buggy address is located 7 bytes to the right of
[   53.923964]  512-byte region [ffff8801d88175c0, ffff8801d88177c0)
[   53.936165] The buggy address belongs to the page:
[   53.941081] page:ffffea00076205c0 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[   53.949206] flags: 0x2fffc0000000200(slab)
[   53.953426] raw: 02fffc0000000200 ffffea0007635d88 ffffea000766edc8 ffff8801da800940
[   53.961292] raw: 0000000000000000 ffff8801d88170c0 0000000100000006 0000000000000000
[   53.969155] page dumped because: kasan: bad access detected
[   53.974843]
[   53.976454] Memory state around the buggy address:
[   53.981365]  ffff8801d8817680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   53.988706]  ffff8801d8817700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   53.996052] >ffff8801d8817780: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   54.003391]                                            ^
[   54.008842]  ffff8801d8817800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   54.016187]  ffff8801d8817880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   54.023542] ==================================================================
[   54.030884] Disabling lock debugging due to kernel taint
[   54.036357] Kernel panic - not syncing: panic_on_warn set ...
[   54.036357]
[   54.043734] CPU: 0 PID: 5850 Comm: syz-executor334 Tainted: G    B             4.19.0+ #90
[   54.052131] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   54.061465] Call Trace:
[   54.064057]  dump_stack+0x244/0x39d
[   54.067677]  ? dump_stack_print_info.cold.1+0x20/0x20
[   54.072852]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   54.077593]  panic+0x238/0x4e7
[   54.080791]  ? add_taint.cold.5+0x16/0x16
[   54.084925]  ? trace_hardirqs_on+0x9a/0x310
[   54.089231]  ? trace_hardirqs_on+0xb4/0x310
[   54.093533]  ? trace_hardirqs_on+0xb4/0x310
[   54.097843]  kasan_end_report+0x47/0x4f
[   54.101798]  kasan_report.cold.8+0x76/0x309
[   54.106104]  ? _decode_session6+0x134a/0x1500
[   54.110582]  __asan_report_load1_noabort+0x14/0x20
[   54.115494]  _decode_session6+0x134a/0x1500
[   54.119803]  __xfrm_decode_session+0x71/0x140
[   54.124283]  vti6_tnl_xmit+0x3fc/0x1c10
[   54.128243]  ? __lock_acquire+0x62f/0x4c20
[   54.132472]  ? vti6_tnl_create2+0x430/0x430
[   54.136798]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.142317]  ? check_preemption_disabled+0x48/0x280
[   54.147329]  dev_hard_start_xmit+0x295/0xc90
[   54.151739]  ? dev_direct_xmit+0x6b0/0x6b0
[   54.155968]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   54.161510]  ? netif_skb_features+0x690/0xb70
[   54.165995]  ? rcu_softirq_qs+0x20/0x20
[   54.169971]  ? lock_acquire+0x1ed/0x520
[   54.173926]  ? __dev_queue_xmit+0x3063/0x3ad0
[   54.178410]  ? kasan_check_read+0x11/0x20
[   54.182539]  ? do_raw_spin_lock+0x14f/0x350
[   54.186843]  ? rwlock_bug.part.2+0x90/0x90
[   54.191086]  ? netif_skb_features+0xb70/0xb70
[   54.195566]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.201088]  ? check_preemption_disabled+0x48/0x280
[   54.206107]  __dev_queue_xmit+0x2f71/0x3ad0
[   54.210414]  ? save_stack+0x43/0xd0
[   54.214019]  ? kasan_kmalloc+0xc7/0xe0
[   54.217906]  ? __kmalloc_node_track_caller+0x50/0x70
[   54.223026]  ? netdev_pick_tx+0x310/0x310
[   54.227162]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.232686]  ? check_preemption_disabled+0x48/0x280
[   54.237704]  ? __lock_is_held+0xb5/0x140
[   54.241752]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   54.246758]  ? skb_release_data+0x1c4/0x880
[   54.251061]  ? kmem_cache_alloc_node_trace+0x34b/0x740
[   54.256320]  ? kasan_unpoison_shadow+0x35/0x50
[   54.260885]  ? skb_tx_error+0x2f0/0x2f0
[   54.264844]  ? __kmalloc_node_track_caller+0x50/0x70
[   54.269931]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   54.275461]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   54.280986]  ? kasan_check_write+0x14/0x20
[   54.285202]  ? pskb_expand_head+0x6b3/0x10f0
[   54.289597]  ? skb_release_data+0x880/0x880
[   54.293899]  ? __alloc_skb+0x770/0x770
[   54.297774]  ? __lock_is_held+0xb5/0x140
[   54.301820]  ? kasan_check_write+0x14/0x20
[   54.306043]  ? __skb_clone+0x6c7/0xa00
[   54.309925]  ? __copy_skb_header+0x6b0/0x6b0
[   54.314318]  ? kmem_cache_alloc+0x33a/0x730
[   54.318640]  ? depot_save_stack+0x292/0x470
[   54.322945]  ? skb_ensure_writable+0x15e/0x640
[   54.327517]  dev_queue_xmit+0x17/0x20
[   54.331302]  ? dev_queue_xmit+0x17/0x20
[   54.335259]  __bpf_redirect+0x5cf/0xb20
[   54.339221]  bpf_clone_redirect+0x2f6/0x490
[   54.343527]  bpf_prog_c39d1ba309a769f7+0x1db/0x1000
[   54.348529]  ? bpf_test_run+0x175/0x780
[   54.352488]  ? lock_downgrade+0x900/0x900
[   54.356618]  ? ktime_get+0x332/0x400
[   54.360318]  ? find_held_lock+0x36/0x1c0
[   54.364364]  ? lock_acquire+0x1ed/0x520
[   54.368319]  ? bpf_test_run+0x3cb/0x780
[   54.372301]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.377836]  ? check_preemption_disabled+0x48/0x280
[   54.382839]  ? kasan_check_read+0x11/0x20
[   54.386979]  ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170
[   54.392240]  ? rcu_softirq_qs+0x20/0x20
[   54.396207]  ? bpf_cgroup_storage_release+0x220/0x220
[   54.401395]  ? skb_try_coalesce+0x1b70/0x1b70
[   54.405893]  ? bpf_test_run+0x25d/0x780
[   54.409856]  ? netlink_diag_dump+0x2a0/0x2a0
[   54.414255]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   54.419778]  ? bpf_prog_test_run_skb+0x73b/0xcb0
[   54.424537]  ? bpf_test_finish.isra.9+0x1f0/0x1f0
[   54.429365]  ? bpf_prog_add+0x69/0xd0
[   54.433148]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.438670]  ? __bpf_prog_get+0x9b/0x290
[   54.442715]  ? bpf_test_finish.isra.9+0x1f0/0x1f0
[   54.447538]  ? bpf_prog_test_run+0x130/0x1a0
[   54.451930]  ? __x64_sys_bpf+0x3d8/0x520
[   54.456011]  ? bpf_prog_get+0x20/0x20
[   54.459830]  ? do_syscall_64+0x1b9/0x820
[   54.463874]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   54.469222]  ? syscall_return_slowpath+0x5e0/0x5e0
[   54.474146]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   54.478973]  ? trace_hardirqs_on_caller+0x310/0x310
[   54.483972]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   54.488974]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.494495]  ? prepare_exit_to_usermode+0x291/0x3b0
[   54.499496]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   54.504347]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.510585] Kernel Offset: disabled
[   54.514210] Rebooting in 86400 seconds..
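Triage helper for the report above, added here as an example; it is not part of the syzkaller log or of the kernel. It parses a KASAN report (a trimmed excerpt of the one above is embedded as sample input), separates reliable call-trace frames from the `?` ones, recomputes the out-of-bounds distance from the object region, and decodes the shadow byte under the faulting address. The shadow-value table follows mm/kasan/kasan.h of the 4.19 tree; the list of "reporting machinery" frame prefixes that are skipped when picking the culprit frame is this example's own assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt of the KASAN report above (timestamps kept, most '?' frames dropped).
SAMPLE_REPORT = """\
[   53.357716] BUG: KASAN: slab-out-of-bounds in _decode_session6+0x134a/0x1500
[   53.364885] Read of size 1 at addr ffff8801d88177c7 by task syz-executor334/5850
[   53.390342] Call Trace:
[   53.392920]  dump_stack+0x244/0x39d
[   53.415114]  kasan_report.cold.8+0x242/0x309
[   53.419533]  ? _decode_session6+0x134a/0x1500
[   53.424040]  __asan_report_load1_noabort+0x14/0x20
[   53.428965]  _decode_session6+0x134a/0x1500
[   53.433288]  __xfrm_decode_session+0x71/0x140
[   53.437810]  vti6_tnl_xmit+0x3fc/0x1c10
[   53.441773]  ? __lock_acquire+0x62f/0x4c20
[   53.653065]  bpf_clone_redirect+0x2f6/0x490
[   53.657380]  bpf_prog_c39d1ba309a769f7+0x1db/0x1000
[   53.825143] Allocated by task 5850:
[   53.845547]  pskb_expand_head+0x230/0x10f0
[   53.854191]  bpf_clone_redirect+0x14a/0x490
[   53.865103] Freed by task 4644:
[   53.882903]  load_elf_binary+0x25b4/0x5620
[   53.911322] The buggy address belongs to the object at ffff8801d88175c0
[   53.911322]  which belongs to the cache kmalloc-512 of size 512
[   53.923964] The buggy address is located 7 bytes to the right of
[   53.923964]  512-byte region [ffff8801d88175c0, ffff8801d88177c0)
[   53.976454] Memory state around the buggy address:
[   53.996052] >ffff8801d8817780: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   54.003391]                                            ^
[   54.008842]  ffff8801d8817800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
"""

TS = r"^(?:\[\s*\d+\.\d+\])?\s?"  # optional printk timestamp prefix
BUG_RE = re.compile(TS + r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
ACCESS_RE = re.compile(TS + r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)")
FRAME_RE = re.compile(TS + r"\s*(?P<unreliable>\? )?(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")
STACK_HDR_RE = re.compile(TS + r"(?:(?P<trace>Call Trace:)|(?P<kind>Allocated|Freed) by task (?P<pid>\d+):)")
OBJECT_RE = re.compile(TS + r"The buggy address belongs to the object at (?P<base>[0-9a-f]+)")
CACHE_RE = re.compile(TS + r"\s*which belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
CLAIM_RE = re.compile(TS + r"The buggy address is located (?P<n>\d+) bytes (?P<side>to the right of|to the left of|inside of)")
REGION_RE = re.compile(TS + r"\s*(?P<size>\d+)-byte region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
SHADOW_RE = re.compile(TS + r"\s*>?\s*(?P<base>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})")

KASAN_GRANULE = 8  # one shadow byte describes 8 bytes of memory
SHADOW_MEANING = {0xff: "freed page", 0xfe: "kmalloc_large redzone", 0xfc: "kmalloc redzone (slab object redzone)",
                  0xfb: "freed slab object", 0xfa: "global redzone", 0xf1: "stack left redzone",
                  0xf2: "stack mid redzone", 0xf3: "stack right redzone", 0xf8: "out-of-scope stack variable"}
# Frames that belong to the reporting path, not to the bug (assumption of this example).
REPORT_MACHINERY = ("dump_stack", "print_address_description", "kasan_", "__kasan_", "__asan_", "panic")

@dataclass
class KasanReport:
    kind: str = ""; func: str = ""; access: str = ""; access_size: int = 0
    addr: int = 0; task: str = ""; pid: int = 0
    call_trace: list = field(default_factory=list)   # (function, reliable) pairs
    alloc_pid: Optional[int] = None; alloc_stack: list = field(default_factory=list)
    free_pid: Optional[int] = None; free_stack: list = field(default_factory=list)
    object_base: Optional[int] = None; cache: str = ""; cache_size: int = 0
    region: Optional[tuple] = None; claim: Optional[tuple] = None
    shadow: dict = field(default_factory=dict)         # memory row base -> 16 shadow bytes

def parse_kasan_report(text: str) -> KasanReport:
    rep, section = KasanReport(), None
    for line in text.splitlines():
        if m := BUG_RE.match(line):
            rep.kind, rep.func = m["kind"], m["func"]
        elif m := ACCESS_RE.match(line):
            rep.access, rep.access_size = m["rw"], int(m["size"])
            rep.addr, rep.task, rep.pid = int(m["addr"], 16), m["task"], int(m["pid"])
        elif m := STACK_HDR_RE.match(line):
            if m["trace"]:  # keep only the first (KASAN) trace, not the later panic trace
                section = "trace" if not rep.call_trace else None
            elif m["kind"] == "Allocated":
                section, rep.alloc_pid = "alloc", int(m["pid"])
            else:
                section, rep.free_pid = "free", int(m["pid"])
        elif (m := FRAME_RE.match(line)) and section:
            if section == "trace":
                rep.call_trace.append((m["func"], m["unreliable"] is None))
            else:
                (rep.alloc_stack if section == "alloc" else rep.free_stack).append(m["func"])
        else:
            section = None  # any non-frame line ends the current stack
            if m := OBJECT_RE.match(line):
                rep.object_base = int(m["base"], 16)
            elif m := CACHE_RE.match(line):
                rep.cache, rep.cache_size = m["cache"], int(m["size"])
            elif m := CLAIM_RE.match(line):
                rep.claim = (int(m["n"]), m["side"].split()[-2])  # "right" / "left" / "inside"
            elif m := REGION_RE.match(line):
                rep.region = (int(m["start"], 16), int(m["end"], 16))
            elif m := SHADOW_RE.match(line):
                rep.shadow[int(m["base"], 16)] = [int(b, 16) for b in m["bytes"].split()]
    return rep

def reliable_trace(rep: KasanReport) -> list:
    return [f for f, ok in rep.call_trace if ok]

def culprit_frame(rep: KasanReport) -> Optional[str]:
    """First reliable frame below the reporting machinery: where the bad access executed."""
    return next((f for f in reliable_trace(rep) if not f.startswith(REPORT_MACHINERY)), None)

def offset_from_region(rep: KasanReport) -> tuple:
    """Recompute the distance KASAN claims, from the raw addresses."""
    start, end = rep.region
    if rep.addr < start:
        return start - rep.addr, "left"
    if rep.addr >= end:
        return rep.addr - end, "right"
    return rep.addr - start, "inside"

def claim_matches(rep: KasanReport) -> bool:
    return rep.claim == offset_from_region(rep)

def shadow_byte(rep: KasanReport, addr: int) -> Optional[int]:
    for base, vals in rep.shadow.items():
        if base <= addr < base + KASAN_GRANULE * len(vals):
            return vals[(addr - base) // KASAN_GRANULE]
    return None

def describe_shadow(value: Optional[int]) -> str:
    if value is None:
        return "address not in shadow dump"
    if value == 0:
        return "fully addressable"
    if 1 <= value <= 7:
        return f"partially addressable ({value} of 8 bytes)"
    return SHADOW_MEANING.get(value, f"unrecognised 0x{value:02x}")

def summarize(rep: KasanReport) -> dict:
    return {"bug": rep.kind, "access": f"{rep.access} {rep.access_size} byte(s) at 0x{rep.addr:x}",
            "culprit": culprit_frame(rep), "entry_point": reliable_trace(rep)[-1] if rep.call_trace else None,
            "cache": rep.cache, "offset": offset_from_region(rep) if rep.region else None,
            "claim_consistent": claim_matches(rep) if rep.claim and rep.region else None,
            "shadow": describe_shadow(shadow_byte(rep, rep.addr)),
            # Only a use-after-free report is explained by the free stack; for an out-of-bounds
            # access the object is live and "Freed by" describes the slot's previous occupant.
            "free_stack_relevant": rep.kind.endswith("use-after-free")}

if __name__ == "__main__":
    for k, v in summarize(parse_kasan_report(SAMPLE_REPORT)).items():
        print(f"{k:>20}: {v}")
```

Run against the report above this yields: culprit `_decode_session6`, reached from the JIT'd program `bpf_prog_c39d1ba309a769f7` through `bpf_clone_redirect` into `vti6_tnl_xmit`; the read at 0xffff8801d88177c7 is 7 bytes past the end of the 512-byte region ending at 0xffff8801d88177c0, which agrees with the report's own "7 bytes to the right of" line; and the shadow byte under the address is 0xfc, the kmalloc redzone. The allocation stack (pskb_expand_head from the same pid 5850) is the one that matters here; the "Freed by task 4644" stack under load_elf_binary is the previous life of that slab slot and should not be read as part of this bug.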