[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.40' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 41.718997] ==================================================================
[ 41.726626] BUG: KASAN: global-out-of-bounds in nfnetlink_parse_nat_setup+0x364/0x370
[ 41.735101] Read of size 8 at addr ffffffff873cb1d8 by task syz-executor103/6335
[ 41.742910]
[ 41.744548] CPU: 0 PID: 6335 Comm: syz-executor103 Not tainted 4.14.176-syzkaller #0
[ 41.752716] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.762319] Call Trace:
[ 41.765051] dump_stack+0x13e/0x194
[ 41.768986] ? nfnetlink_parse_nat_setup+0x364/0x370
[ 41.774086] print_address_description.cold+0x5/0x1e2
[ 41.779537] ? nfnetlink_parse_nat_setup+0x364/0x370
[ 41.785212] kasan_report.cold+0xa9/0x2ae
[ 41.789636] nfnetlink_parse_nat_setup+0x364/0x370
[ 41.794857] ? nf_nat_alloc_null_binding+0x40/0x40
[ 41.799880] ? nf_nat_alloc_null_binding+0x40/0x40
[ 41.805046] ctnetlink_parse_nat_setup+0x70/0x490
[ 41.809889] ctnetlink_create_conntrack+0x437/0x1040
[ 41.815311] ? ctnetlink_del_conntrack+0x5a0/0x5a0
[ 41.820715] ? __do_once_done+0x1be/0x240
[ 41.824889] ? hash_conntrack_raw+0x2ab/0x410
[ 41.829436] ? nf_ct_get_id+0x160/0x160
[ 41.833429] ctnetlink_new_conntrack+0x460/0xc30
[ 41.838600] ? ctnetlink_create_conntrack+0x1040/0x1040
[ 41.844041] ? mutex_trylock+0x1a0/0x1a0
[ 41.848117] ? ctnetlink_create_conntrack+0x1040/0x1040
[ 41.853572] nfnetlink_rcv_msg+0xa08/0xc00
[ 41.857824] ? __kernel_text_address+0x9/0x30
[ 41.862862] netlink_rcv_skb+0x127/0x370
[ 41.866949] ? __lock_acquire+0x583/0x4620
[ 41.871181] ? nfnetlink_bind+0x240/0x240
[ 41.875464] ? netlink_ack+0x980/0x980
[ 41.879501] ? ns_capable_common+0x127/0x150
[ 41.884084] nfnetlink_rcv+0x1ab/0x1650
[ 41.888252] ? find_held_lock+0x2d/0x110
[ 41.892584] ? __netlink_lookup+0x2de/0x590
[ 41.897409] ? save_trace+0x290/0x290
[ 41.901208] ? save_trace+0x290/0x290
[ 41.905205] ? nfnl_err_del+0x150/0x150
[ 41.909193] ? find_held_lock+0x2d/0x110
[ 41.913314] ? netlink_deliver_tap+0x90/0x860
[ 41.918172] ? rcu_is_watching+0x11/0xb0
[ 41.922447] ? lock_downgrade+0x6e0/0x6e0
[ 41.927789] netlink_unicast+0x437/0x620
[ 41.932355] ? netlink_attachskb+0x600/0x600
[ 41.937057] netlink_sendmsg+0x733/0xbe0
[ 41.941609] ? netlink_unicast+0x620/0x620
[ 41.945953] ? SYSC_sendto+0x2b0/0x2b0
[ 41.949839] ? security_socket_sendmsg+0x83/0xb0
[ 41.954748] ? netlink_unicast+0x620/0x620
[ 41.959441] sock_sendmsg+0xc5/0x100
[ 41.963369] ___sys_sendmsg+0x70a/0x840
[ 41.967547] ? trace_hardirqs_on+0x10/0x10
[ 41.972005] ? copy_msghdr_from_user+0x380/0x380
[ 41.976818] ? find_held_lock+0x2d/0x110
[ 41.981026] ? __fget+0x228/0x360
[ 41.984485] ? __fget_light+0x199/0x1f0
[ 41.988582] ? sockfd_lookup_light+0xb2/0x160
[ 41.993074] __sys_sendmsg+0xa3/0x120
[ 41.996940] ? SyS_shutdown+0x160/0x160
[ 42.000908] ? move_addr_to_kernel+0x60/0x60
[ 42.005686] ? __do_page_fault+0x35b/0xb40
[ 42.010119] SyS_sendmsg+0x27/0x40
[ 42.013786] ? __sys_sendmsg+0x120/0x120
[ 42.019023] do_syscall_64+0x1d5/0x640
[ 42.022920] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.028411] RIP: 0033:0x445889
[ 42.031595] RSP: 002b:00007f9c80394da8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 42.039816] RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 0000000000445889
[ 42.047224] RDX: 0000000000000000 RSI: 0000000020000640 RDI: 0000000000000003
[ 42.055069] RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
[ 42.062784] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac2c
[ 42.070518] R13: 00000000200002c0 R14: 00000000004add68 R15: 20c49ba5e353f7cf
[ 42.077794]
[ 42.079648] The buggy address belongs to the variable:
[ 42.084942] nft_nat_ops+0xb8/0xc0
[ 42.088694]
[ 42.090445] Memory state around the buggy address:
[ 42.095520] ffffffff873cb080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
[ 42.103062] ffffffff873cb100: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
[ 42.110744] >ffffffff873cb180: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00
[ 42.118109]                                                     ^
[ 42.125143] ffffffff873cb200: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
[ 42.132787] ffffffff873cb280: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
[ 42.140420] ==================================================================
[ 42.148261] Disabling lock debugging due to kernel taint
[ 42.154888] Kernel panic - not syncing: panic_on_warn set ...
[ 42.154888]
[ 42.162606] CPU: 0 PID: 6335 Comm: syz-executor103 Tainted: G B 4.14.176-syzkaller #0
[ 42.171716] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.181168] Call Trace:
[ 42.183792] dump_stack+0x13e/0x194
[ 42.187519] panic+0x1f9/0x42d
[ 42.190870] ? add_taint.cold+0x16/0x16
[ 42.195013] ? preempt_schedule_common+0x4a/0xc0
[ 42.200094] ? nfnetlink_parse_nat_setup+0x364/0x370
[ 42.205195] ? ___preempt_schedule+0x16/0x18
[ 42.209850] ? nfnetlink_parse_nat_setup+0x364/0x370
[ 42.214957] kasan_end_report+0x43/0x49
[ 42.219068] kasan_report.cold+0x12f/0x2ae
[ 42.223301] nfnetlink_parse_nat_setup+0x364/0x370
[ 42.228492] ? nf_nat_alloc_null_binding+0x40/0x40
[ 42.233444] ? nf_nat_alloc_null_binding+0x40/0x40
[ 42.238369] ctnetlink_parse_nat_setup+0x70/0x490
[ 42.243277] ctnetlink_create_conntrack+0x437/0x1040
[ 42.248370] ? ctnetlink_del_conntrack+0x5a0/0x5a0
[ 42.253457] ? __do_once_done+0x1be/0x240
[ 42.257730] ? hash_conntrack_raw+0x2ab/0x410
[ 42.262329] ? nf_ct_get_id+0x160/0x160
[ 42.266356] ctnetlink_new_conntrack+0x460/0xc30
[ 42.271423] ? ctnetlink_create_conntrack+0x1040/0x1040
[ 42.276992] ? mutex_trylock+0x1a0/0x1a0
[ 42.281301] ? ctnetlink_create_conntrack+0x1040/0x1040
[ 42.286666] nfnetlink_rcv_msg+0xa08/0xc00
[ 42.291124] ? __kernel_text_address+0x9/0x30
[ 42.296003] netlink_rcv_skb+0x127/0x370
[ 42.300165] ? __lock_acquire+0x583/0x4620
[ 42.304676] ? nfnetlink_bind+0x240/0x240
[ 42.309014] ? netlink_ack+0x980/0x980
[ 42.313132] ? ns_capable_common+0x127/0x150
[ 42.317667] nfnetlink_rcv+0x1ab/0x1650
[ 42.321639] ? find_held_lock+0x2d/0x110
[ 42.325693] ? __netlink_lookup+0x2de/0x590
[ 42.330162] ? save_trace+0x290/0x290
[ 42.333955] ? save_trace+0x290/0x290
[ 42.337954] ? nfnl_err_del+0x150/0x150
[ 42.341919] ? find_held_lock+0x2d/0x110
[ 42.346067] ? netlink_deliver_tap+0x90/0x860
[ 42.350796] ? rcu_is_watching+0x11/0xb0
[ 42.354950] ? lock_downgrade+0x6e0/0x6e0
[ 42.359212] netlink_unicast+0x437/0x620
[ 42.363323] ? netlink_attachskb+0x600/0x600
[ 42.367767] netlink_sendmsg+0x733/0xbe0
[ 42.371820] ? netlink_unicast+0x620/0x620
[ 42.376046] ? SYSC_sendto+0x2b0/0x2b0
[ 42.379926] ? security_socket_sendmsg+0x83/0xb0
[ 42.384726] ? netlink_unicast+0x620/0x620
[ 42.389165] sock_sendmsg+0xc5/0x100
[ 42.392880] ___sys_sendmsg+0x70a/0x840
[ 42.396852] ? trace_hardirqs_on+0x10/0x10
[ 42.401281] ? copy_msghdr_from_user+0x380/0x380
[ 42.406590] ? find_held_lock+0x2d/0x110
[ 42.411055] ? __fget+0x228/0x360
[ 42.414520] ? __fget_light+0x199/0x1f0
[ 42.418780] ? sockfd_lookup_light+0xb2/0x160
[ 42.423410] __sys_sendmsg+0xa3/0x120
[ 42.427224] ? SyS_shutdown+0x160/0x160
[ 42.431196] ? move_addr_to_kernel+0x60/0x60
[ 42.435700] ? __do_page_fault+0x35b/0xb40
[ 42.440339] SyS_sendmsg+0x27/0x40
[ 42.443886] ? __sys_sendmsg+0x120/0x120
[ 42.448034] do_syscall_64+0x1d5/0x640
[ 42.451925] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.457314] RIP: 0033:0x445889
[ 42.460797] RSP: 002b:00007f9c80394da8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 42.469379] RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 0000000000445889
[ 42.476860] RDX: 0000000000000000 RSI: 0000000020000640 RDI: 0000000000000003
[ 42.484492] RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
[ 42.491767] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac2c
[ 42.499162] R13: 00000000200002c0 R14: 00000000004add68 R15: 20c49ba5e353f7cf
[ 42.509468] Kernel Offset: disabled
[ 42.513275] Rebooting in 86400 seconds..