[ 10.247259] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 31.583257] random: sshd: uninitialized urandom read (32 bytes read)
[ 31.967548] audit: type=1400 audit(1568966012.210:6): avc: denied { map } for pid=1773 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 32.005079] random: sshd: uninitialized urandom read (32 bytes read)
[ 32.582049] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.113' (ECDSA) to the list of known hosts.
[ 38.050656] random: sshd: uninitialized urandom read (32 bytes read)
2019/09/20 07:53:38 fuzzer started
[ 38.142608] audit: type=1400 audit(1568966018.390:7): avc: denied { map } for pid=1782 comm="syz-fuzzer" path="/root/syz-fuzzer" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 38.639694] random: cc1: uninitialized urandom read (8 bytes read)
2019/09/20 07:53:39 dialing manager at 10.128.0.26:34001
2019/09/20 07:53:40 syscalls: 1353
2019/09/20 07:53:40 code coverage: enabled
2019/09/20 07:53:40 comparison tracing: ioctl(KCOV_TRACE_CMP) failed: invalid argument
2019/09/20 07:53:40 extra coverage: extra coverage is not supported by the kernel
2019/09/20 07:53:40 setuid sandbox: enabled
2019/09/20 07:53:40 namespace sandbox: enabled
2019/09/20 07:53:40 Android sandbox: /sys/fs/selinux/policy does not exist
2019/09/20 07:53:40 fault injection: CONFIG_FAULT_INJECTION is not enabled
2019/09/20 07:53:40 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2019/09/20 07:53:40 net packet injection: enabled
2019/09/20 07:53:40 net device setup: enabled
[ 41.336623] random: crng init done
07:54:34 executing program 0:
07:54:34 executing program 5:
07:54:34 executing program 1:
07:54:34 executing program 2:
07:54:34 executing program 3:
07:54:34 executing program 4:
[ 94.005288] audit: type=1400 audit(1568966074.250:8): avc: denied { map } for pid=1782 comm="syz-fuzzer" path="/root/syzkaller-shm675498661" dev="sda1" ino=16461 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 94.051501] audit: type=1400 audit(1568966074.280:9): avc: denied { map } for pid=1833 comm="syz-executor.0" path="/sys/kernel/debug/kcov" dev="debugfs" ino=5044 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
07:54:37 executing program 2:
r0 = socket$inet6(0xa, 0x2, 0x0)
sendto$inet6(r0, 0x0, 0x0, 0x8001, &(0x7f0000000000)={0xa, 0x4e20, 0x0, @mcast2}, 0x1c)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000040)={0xffffffffffffffff})
r2 = dup(r1)
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
write$binfmt_misc(r0, &(0x7f0000000200)=ANY=[], 0xffdc)
07:54:37 executing program 2:
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000440)={0x2, 0x70, 0xb9, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x1000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff})
recvmmsg(r0, &(0x7f0000000bc0), 0x4000000000002e5, 0x0, 0x0)
sendmmsg$unix(r1, &(0x7f0000004e00)=[{0x0, 0x36b, 0x0, 0x0, &(0x7f0000000100)=ANY=[@ANYBLOB="18000000000000000100b83859e9a3ac0001000000000000000000", @ANYRES32, @ANYRES32], 0x18}], 0x492492492492556, 0x0)
07:54:37 executing program 0:
clone(0x802102001ffd, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
setsockopt$EBT_SO_SET_ENTRIES(r0, 0x0, 0x80, &(0x7f0000000140)=@nat={'nat\x00', 0x19, 0x2, 0x268, [0x20000540, 0x0, 0x0, 0x20000748, 0x20000778], 0x90, 0x0, &(0x7f0000000540)=ANY=[@ANYBLOB="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"]}, 0x2e0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000440)={0xffffffffffffffff, 0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
recvmmsg(r1, &(0x7f0000000500)=[{{0x0, 0x0, 0x0}}], 0x1, 0x0, 0x0)
[ 97.481603] hrtimer: interrupt took 50930 ns
07:54:38 executing program 1:
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000140)={0x9, 0xbe, 0x249e1e, 0x8000000001}, 0x3c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000100)={r0, &(0x7f0000000080), &(0x7f00000000c0)}, 0x20)
07:54:38 executing program 1:
mknod$loop(&(0x7f0000000080)='./file0\x00', 0x800, 0x0)
r0 = open$dir(&(0x7f0000000100)='./file0\x00', 0x8004002, 0x0)
truncate(&(0x7f0000000240)='./file0\x00', 0x90002)
sendfile(r0, r0, 0x0, 0x8800000)
07:54:38 executing program 5:
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r0 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$SO_BINDTODEVICE(r0, 0x1, 0x19, &(0x7f0000000000)='bridge0\x00', 0x3ee)
connect$inet(r0, &(0x7f0000000140)={0x2, 0x0, @multicast1}, 0x10)
setsockopt$inet_udp_int(r0, 0x11, 0x67, &(0x7f0000000100)=0x3, 0x4)
sendmmsg(r0, &(0x7f0000007fc0), 0xc3, 0x3f000000)
07:54:38 executing program 5:
r0 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$SO_BINDTODEVICE(0xffffffffffffffff, 0x1, 0x19, &(0x7f0000000080)='syz_tun\x00', 0x10)
connect$inet(r0, &(0x7f0000000000)={0x2, 0x0, @multicast1}, 0x10)
r1 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r1, 0x1000008912, &(0x7f0000000100)="11dca50d5e0bcfe47bf070")
r2 = socket$inet(0x2, 0x2, 0x0)
setsockopt$inet_mreqsrc(r2, 0x0, 0x27, &(0x7f00000000c0)={@multicast1, @local, @broadcast}, 0xc)
setsockopt$inet_mreqn(r0, 0x0, 0x14, &(0x7f0000000840)={@local, @local}, 0xc)
07:54:38 executing program 5:
mmap(&(0x7f0000a93000/0x4000)=nil, 0x4000, 0x3000009, 0x400a972, 0xffffffffffffffff, 0x0)
mremap(&(0x7f0000a96000/0x1000)=nil, 0x1000, 0x800000, 0x3, &(0x7f0000130000/0x800000)=nil)
07:54:38 executing program 1:
r0 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$SO_BINDTODEVICE(r0, 0x1, 0x19, &(0x7f00000001c0)='bond0\x00', 0xfcae)
connect$inet(r0, &(0x7f0000000000)={0x2, 0x0, @multicast1}, 0x10)
r1 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r1, 0x1000008912, &(0x7f0000000100)="11dca50d5e0bcfe47bf070")
r2 = socket$inet(0x2, 0x2, 0x0)
setsockopt$inet_mreqsrc(r2, 0x0, 0x27, &(0x7f00000000c0)={@multicast1, @local, @broadcast}, 0xc)
setsockopt$IP_VS_SO_SET_DEL(r0, 0x0, 0x484, &(0x7f0000000040)={0x0, @multicast2, 0x0, 0x0, 'lc\x00'}, 0x2c)
07:54:38 executing program 4:
r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0x4, 0xe, &(0x7f0000000380)=ANY=[@ANYBLOB="b702000004000000bfa30000000000000703000000feffff7a0af0fff8ffffff79a4f0ff00000000b7060000ffffffff2d6405000000000065040400010000000404000001007d60b7040000000000006a0a00fe000000008500000032000000b7000000000000009500000000000000"], &(0x7f0000000340)='syzkaller\x00'}, 0x48)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000180)={r0, 0x0, 0x17d, 0x0, &(0x7f0000000400)="37eb573300001519e6a6d63d05dd", 0x0, 0xffffffff0000009d, 0x0, 0x0, 0xfffffffffffffd07}, 0x28)
[ 98.014850] audit: type=1400 audit(1568966078.260:10): avc: denied { prog_load } for pid=2774 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
07:54:38 executing program 3:
r0 = socket$inet(0x2, 0x4000020000000001, 0x0)
bind$inet(r0, &(0x7f0000000200)={0x2, 0x4e23, @dev}, 0x10)
sendto$inet(r0, 0x0, 0xfffffffffffffc6d, 0x20000800, &(0x7f0000000240)={0x2, 0x4e23, @local}, 0x10)
setsockopt$SO_BINDTODEVICE(r0, 0x1, 0x19, &(0x7f00000001c0)='ip6_vti0\x00', 0x1000001d0)
sendto$inet(r0, &(0x7f0000000000), 0xfffffffffffffccf, 0x3e8, 0x0, 0xffffffffffffff37)
07:54:38 executing program 5:
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000001200)=""/148, 0x94}], 0x100001c9, 0x0)
r0 = syz_open_procfs(0x0, &(0x7f0000000040)='net/snmp6\x00')
preadv(r0, &(0x7f0000000480), 0x10000000000000f2, 0x0)
07:54:38 executing program 1:
r0 = socket$inet(0x2, 0x4000000000000001, 0x0)
ioctl$EXT4_IOC_ALLOC_DA_BLKS(r0, 0x660c)
[ 98.048771] audit: type=1400 audit(1568966078.290:11): avc: denied { prog_run } for pid=2774 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 98.091850] kasan: CONFIG_KASAN_INLINE enabled
[ 98.106241] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 98.126463] general protection fault: 0000 [#1] PREEMPT SMP KASAN NOPTI
[ 98.133348] Modules linked in:
[ 98.136534] CPU: 0 PID: 2782 Comm: syz-executor.3 Not tainted 4.14.145+ #0
[ 98.143533] task: 000000004312ca7b task.stack: 000000007b2bd3a9
[ 98.149603] RIP: 0010:tcp_sendmsg_locked+0x509/0x2f50
[ 98.154776] RSP: 0018:ffff88819dc6fae8 EFLAGS: 00010206
[ 98.160180] RAX: 0000000000000011 RBX: ffff8881d3604c80 RCX: 0000000000000092
[ 98.167437] RDX: ffffffff8252ea80 RSI: ffffc9000373a000 RDI: 0000000000000088
[ 98.174775] RBP: ffff8881d2b68a92 R08: 0000000000000001 R09: ffffed103a56d198
[ 98.182140] R10: ffffed103a56d197 R11: 0000000000000000 R12: ffff88819dc6fd90
[ 98.189393] R13: 0000000000000000 R14: ffff8881d2b68a80 R15: dffffc0000000000
[ 98.196657] FS: 00007f5907160700(0000) GS:ffff8881dba00000(0000) knlGS:0000000000000000
[ 98.205214] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 98.211074] CR2: 00007f4988cce518 CR3: 00000001c5e82006 CR4: 00000000001606b0
[ 98.218325] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 98.225590] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 98.232933] Call Trace:
[ 98.235522] ? tcp_sendpage+0x60/0x60
[ 98.239312] ? __local_bh_enable_ip+0x65/0xc0
[ 98.243897] tcp_sendmsg+0x2b/0x40
[ 98.247420] inet_sendmsg+0x15b/0x520
[ 98.251205] ? inet_recvmsg+0x550/0x550
[ 98.255602] sock_sendmsg+0xb7/0x100
[ 98.259296] SyS_sendto+0x1de/0x2f0
[ 98.263070] ? SyS_getpeername+0x250/0x250
[ 98.267302] ? put_timespec64+0xbe/0x110
[ 98.271346] ? nsecs_to_jiffies+0x30/0x30
[ 98.275499] ? SyS_clock_gettime+0x7d/0xe0
[ 98.279713] ? do_clock_gettime+0xd0/0xd0
[ 98.284015] ? do_syscall_64+0x43/0x520
[ 98.288080] ? SyS_getpeername+0x250/0x250
[ 98.292300] do_syscall_64+0x19b/0x520
[ 98.296173] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 98.301342] RIP: 0033:0x459a09
[ 98.304514] RSP: 002b:00007f590715fc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 98.312202] RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000000459a09
[ 98.319461] RDX: fffffffffffffccf RSI: 0000000020000000 RDI: 0000000000000003
[ 98.326712] RBP: 000000000075bf20 R08: 0000000000000000 R09: ffffffffffffff37
[ 98.333989] R10: 00000000000003e8 R11: 0000000000000246 R12: 00007f59071606d4
[ 98.341239] R13: 00000000004c79ac R14: 00000000004dd400 R15: 00000000ffffffff
[ 98.348493] Code: ee 2b de fe 48 85 db 0f 84 12 08 00 00 e8 e0 2b de fe 8b 84 24 08 01 00 00 49 8d bd 88 00 00 00 89 44 24 08 48 89 f8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 74 06 0f 8e 07 24 00 00 41 f6 85 88 00 00
[ 98.367610] RIP: tcp_sendmsg_locked+0x509/0x2f50 RSP: ffff88819dc6fae8
[ 98.390682] ---[ end trace 89c97749b02b8fd2 ]---
[ 98.399362] Kernel panic - not syncing: Fatal exception
[ 98.405657] Kernel Offset: 0x800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 98.416545] Rebooting in 86400 seconds..