[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 12.548995] random: sshd: uninitialized urandom read (32 bytes read)
[ 13.371105] random: sshd: uninitialized urandom read (32 bytes read)
[ 13.589460] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 14.570273] random: sshd: uninitialized urandom read (32 bytes read)
[ 14.712794] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.7' (ECDSA) to the list of known hosts.
[ 20.154122] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 20.269831] ==================================================================
[ 20.277225] BUG: KASAN: slab-out-of-bounds in strlen+0x91/0xa0
[ 20.283173] Read of size 1 at addr ffff8801b78f4740 by task syz-executor676/3790
[ 20.290677]
[ 20.292283] CPU: 0 PID: 3790 Comm: syz-executor676 Not tainted 4.9.96-g71fce1e #10
[ 20.299958] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 20.309321]  ffff8801b6b0f978 ffffffff81eb0b69 ffffea0006de3d00 ffff8801b78f4740
[ 20.317337]  0000000000000000 ffff8801b78f4740 ffff8801b78f4738 ffff8801b6b0f9b0
[ 20.325334]  ffffffff8156540b ffff8801b78f4740 0000000000000001 0000000000000000
[ 20.333331] Call Trace:
[ 20.335893]  [] dump_stack+0xc1/0x128
[ 20.341229]  [] print_address_description+0x6c/0x234
[ 20.347867]  [] kasan_report.cold.6+0x242/0x2fe
[ 20.354071]  [] ? strlen+0x91/0xa0
[ 20.359149]  [] __asan_report_load1_noabort+0x14/0x20
[ 20.365874]  [] strlen+0x91/0xa0
[ 20.370780]  [] getname_kernel+0x24/0x340
[ 20.376464]  [] kern_path_mountpoint+0x24/0x70
[ 20.382582]  [] ? autofs_dev_ioctl_protosubver+0x80/0x80
[ 20.389579]  [] find_autofs_mount.isra.4+0x8e/0x200
[ 20.396132]  [] ? autofs_dev_ioctl_compat+0x30/0x30
[ 20.402687]  [] autofs_dev_ioctl_openmount+0x153/0x2d0
[ 20.409499]  [] ? autofs_dev_ioctl_requester+0x530/0x530
[ 20.416485]  [] ? check_stack_object+0x110/0x150
[ 20.422783]  [] ? __check_object_size+0x248/0x38e
[ 20.429158]  [] ? autofs_dev_ioctl_requester+0x530/0x530
[ 20.436145]  [] _autofs_dev_ioctl+0x4fb/0x690
[ 20.442176]  [] ? autofs_dev_ioctl_closemount+0x50/0x50
[ 20.449074]  [] ? _autofs_dev_ioctl+0x690/0x690
[ 20.455277]  [] autofs_dev_ioctl+0x1b/0x30
[ 20.461046]  [] do_vfs_ioctl+0x1ac/0x11a0
[ 20.466726]  [] ? ioctl_preallocate+0x220/0x220
[ 20.472931]  [] ? selinux_capable+0x40/0x40
[ 20.478785]  [] ? filp_open+0x70/0x70
[ 20.484133]  [] ? security_file_ioctl+0x8f/0xc0
[ 20.490344]  [] SyS_ioctl+0x8f/0xc0
[ 20.495503]  [] ? do_vfs_ioctl+0x11a0/0x11a0
[ 20.501445]  [] do_syscall_64+0x1a6/0x490
[ 20.507129]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 20.514025]
[ 20.515626] Allocated by task 3790:
[ 20.519226]  save_stack_trace+0x16/0x20
[ 20.523173]  save_stack+0x43/0xd0
[ 20.526596]  kasan_kmalloc+0xc7/0xe0
[ 20.530281]  kasan_slab_alloc+0x12/0x20
[ 20.534246]  __kmalloc_track_caller+0xdc/0x2b0
[ 20.538799]  memdup_user+0x2c/0xb0
[ 20.542310]  _autofs_dev_ioctl+0x13a/0x690
[ 20.546515]  autofs_dev_ioctl+0x1b/0x30
[ 20.550459]  do_vfs_ioctl+0x1ac/0x11a0
[ 20.554315]  SyS_ioctl+0x8f/0xc0
[ 20.557654]  do_syscall_64+0x1a6/0x490
[ 20.561516]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 20.566587]
[ 20.568185] Freed by task 2441:
[ 20.571441]  save_stack_trace+0x16/0x20
[ 20.575387]  save_stack+0x43/0xd0
[ 20.578811]  kasan_slab_free+0x72/0xc0
[ 20.582667]  kfree+0xfb/0x310
[ 20.585744]  single_release+0x88/0xb0
[ 20.589518]  __fput+0x263/0x700
[ 20.592772]  ____fput+0x15/0x20
[ 20.596025]  task_work_run+0x10c/0x180
[ 20.599884]  exit_to_usermode_loop+0xfc/0x120
[ 20.604352]  do_syscall_64+0x364/0x490
[ 20.608214]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 20.613292]
[ 20.614893] The buggy address belongs to the object at ffff8801b78f4720
[ 20.614893]  which belongs to the cache kmalloc-32 of size 32
[ 20.627355] The buggy address is located 0 bytes to the right of
[ 20.627355]  32-byte region [ffff8801b78f4720, ffff8801b78f4740)
[ 20.639459] The buggy address belongs to the page:
[ 20.644363] page:ffffea0006de3d00 count:1 mapcount:0 mapping:          (null) index:0x0
[ 20.652593] flags: 0x8000000000000080(slab)
[ 20.656883] page dumped because: kasan: bad access detected
[ 20.662561]
[ 20.664158] Memory state around the buggy address:
[ 20.669057]  ffff8801b78f4600: fb fb fb fb fc fc fb fb fb fb fc fc fb fb fb fb
[ 20.676386]  ffff8801b78f4680: fc fc fb fb fb fb fc fc fb fb fb fb fc fc fb fb
[ 20.683714] >ffff8801b78f4700: fb fb fc fc 00 00 00 00 fc fc fb fb fb fb fc fc
[ 20.691042]                                            ^
[ 20.696461]  ffff8801b78f4780: 00 00 00 00 fc fc fb fb fb fb fc fc fb fb fb fb
[ 20.703791]  ffff8801b78f4800: fc fc fb fb fb fb fc fc fb fb fb fb fc fc fb fb
[ 20.711120] ==================================================================
[ 20.718447] Disabling lock debugging due to kernel taint
[ 20.724274] Kernel panic - not syncing: panic_on_warn set ...
[ 20.724274]
[ 20.731636] CPU: 0 PID: 3790 Comm: syz-executor676 Tainted: G    B   4.9.96-g71fce1e #10
[ 20.740544] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 20.749875]  ffff8801b6b0f8d8 ffffffff81eb0b69 ffffffff841c492d 00000000ffffffff
[ 20.757852]  0000000000000000 0000000000000000 ffff8801b78f4738 ffff8801b6b0f998
[ 20.765835]  ffffffff8141f975 0000000041b58ab3 ffffffff841b8030 ffffffff8141f7b6
[ 20.773813] Call Trace:
[ 20.776376]  [] dump_stack+0xc1/0x128
[ 20.781711]  [] panic+0x1bf/0x3bc
[ 20.786698]  [] ? add_taint.cold.6+0x16/0x16
[ 20.792642]  [] ? ___preempt_schedule+0x16/0x18
[ 20.798844]  [] kasan_end_report+0x47/0x4f
[ 20.804615]  [] kasan_report.cold.6+0x76/0x2fe
[ 20.810730]  [] ? strlen+0x91/0xa0
[ 20.815806]  [] __asan_report_load1_noabort+0x14/0x20
[ 20.823290]  [] strlen+0x91/0xa0
[ 20.828193]  [] getname_kernel+0x24/0x340
[ 20.833879]  [] kern_path_mountpoint+0x24/0x70
[ 20.840004]  [] ? autofs_dev_ioctl_protosubver+0x80/0x80
[ 20.846994]  [] find_autofs_mount.isra.4+0x8e/0x200
[ 20.853548]  [] ? autofs_dev_ioctl_compat+0x30/0x30
[ 20.860103]  [] autofs_dev_ioctl_openmount+0x153/0x2d0
[ 20.866913]  [] ? autofs_dev_ioctl_requester+0x530/0x530
[ 20.873895]  [] ? check_stack_object+0x110/0x150
[ 20.880193]  [] ? __check_object_size+0x248/0x38e
[ 20.886577]  [] ? autofs_dev_ioctl_requester+0x530/0x530
[ 20.893561]  [] _autofs_dev_ioctl+0x4fb/0x690
[ 20.899590]  [] ? autofs_dev_ioctl_closemount+0x50/0x50
[ 20.906485]  [] ? _autofs_dev_ioctl+0x690/0x690
[ 20.912688]  [] autofs_dev_ioctl+0x1b/0x30
[ 20.918456]  [] do_vfs_ioctl+0x1ac/0x11a0
[ 20.924138]  [] ? ioctl_preallocate+0x220/0x220
[ 20.930343]  [] ? selinux_capable+0x40/0x40
[ 20.936211]  [] ? filp_open+0x70/0x70
[ 20.941547]  [] ? security_file_ioctl+0x8f/0xc0
[ 20.947750]  [] SyS_ioctl+0x8f/0xc0
[ 20.952911]  [] ? do_vfs_ioctl+0x11a0/0x11a0
[ 20.958855]  [] do_syscall_64+0x1a6/0x490
[ 20.964537]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 20.971872] Dumping ftrace buffer:
[ 20.975389]    (ftrace buffer empty)
[ 20.979071] Kernel Offset: disabled
[ 20.982671] Rebooting in 86400 seconds..