[....] Starting OpenBSD Secure Shell server: sshd[ 12.499078] random: sshd: uninitialized urandom read (32 bytes read)
[ ok .
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 17.316006] random: sshd: uninitialized urandom read (32 bytes read)
[ 17.747903] audit: type=1400 audit(1574359466.008:6): avc: denied { map } for pid=1765 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 17.792398] random: sshd: uninitialized urandom read (32 bytes read)
[ 18.322114] random: sshd: uninitialized urandom read (32 bytes read)
[ 18.473321] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.219' (ECDSA) to the list of known hosts.
[ 24.006452] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 24.102874] audit: type=1400 audit(1574359472.368:7): avc: denied { map } for pid=1783 comm="syz-executor070" path="/root/syz-executor070809677" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 24.129299] audit: type=1400 audit(1574359472.378:8): avc: denied { prog_load } for pid=1783 comm="syz-executor070" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 24.152413] ==================================================================
[ 24.153864] audit: type=1400 audit(1574359472.418:9): avc: denied { prog_run } for pid=1783 comm="syz-executor070" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 24.159900] BUG: KASAN: use-after-free in bpf_clone_redirect+0x2a7/0x2b0
[ 24.189367] Read of size 8 at addr ffff8881d013d1d0 by task syz-executor070/1783
[ 24.196894]
[ 24.198503] CPU: 0 PID: 1783 Comm: syz-executor070 Not tainted 4.14.155-syzkaller #0
[ 24.206632] Call Trace:
[ 24.209268] dump_stack+0xe5/0x154
[ 24.212876] ? bpf_clone_redirect+0x2a7/0x2b0
[ 24.217401] ? bpf_clone_redirect+0x2a7/0x2b0
[ 24.221991] ? __bpf_redirect+0xa30/0xa30
[ 24.226125] print_address_description+0x60/0x226
[ 24.230961] ? bpf_clone_redirect+0x2a7/0x2b0
[ 24.235443] ? bpf_clone_redirect+0x2a7/0x2b0
[ 24.239922] ? __bpf_redirect+0xa30/0xa30
[ 24.244068] __kasan_report.cold+0x1a/0x41
[ 24.248288] ? bpf_clone_redirect+0x2a7/0x2b0
[ 24.252779] bpf_clone_redirect+0x2a7/0x2b0
[ 24.257105] ? __bpf_redirect+0xa30/0xa30
[ 24.261234] ___bpf_prog_run+0x2478/0x5510
[ 24.265463] ? lock_downgrade+0x630/0x630
[ 24.269624] ? lock_acquire+0x12b/0x360
[ 24.273626] ? bpf_jit_compile+0x30/0x30
[ 24.277721] ? __bpf_prog_run512+0x99/0xe0
[ 24.281949] ? ___bpf_prog_run+0x5510/0x5510
[ 24.286358] ? _raw_spin_unlock_irqrestore+0x54/0x70
[ 24.291550] ? trace_hardirqs_on_caller+0x37b/0x540
[ 24.296555] ? __lock_acquire+0x5d7/0x4320
[ 24.300793] ? __lock_acquire+0x5d7/0x4320
[ 24.305037] ? __kasan_kmalloc.part.0+0x8a/0xc0
[ 24.310492] ? trace_hardirqs_on+0x10/0x10
[ 24.314724] ? __lock_acquire+0x5d7/0x4320
[ 24.318954] ? bpf_test_run+0x42/0x340
[ 24.322922] ? lock_acquire+0x12b/0x360
[ 24.326887] ? bpf_test_run+0x13a/0x340
[ 24.331022] ? check_preemption_disabled+0x35/0x1f0
[ 24.336259] ? rcu_dynticks_curr_cpu_in_eqs+0x4c/0xa0
[ 24.341457] ? bpf_test_run+0xa8/0x340
[ 24.345345] ? bpf_prog_test_run_skb+0x638/0x8c0
[ 24.350090] ? bpf_test_init.isra.0+0xc0/0xc0
[ 24.354587] ? bpf_prog_add+0x53/0xc0
[ 24.358371] ? bpf_test_init.isra.0+0xc0/0xc0
[ 24.362850] ? SyS_bpf+0xa3b/0x3830
[ 24.366458] ? bpf_prog_get+0x20/0x20
[ 24.370257] ? __do_page_fault+0x49f/0xbb0
[ 24.374488] ? lock_downgrade+0x630/0x630
[ 24.378658] ? __do_page_fault+0x677/0xbb0
[ 24.382914] ? do_syscall_64+0x43/0x520
[ 24.386892] ? bpf_prog_get+0x20/0x20
[ 24.390739] ? do_syscall_64+0x19b/0x520
[ 24.394942] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 24.400297]
[ 24.401965] Allocated by task 1781:
[ 24.405575] __kasan_kmalloc.part.0+0x53/0xc0
[ 24.410051] kmem_cache_alloc+0xee/0x360
[ 24.414094] skb_clone+0x124/0x370
[ 24.417646] dev_queue_xmit_nit+0x2f3/0x970
[ 24.422043] dev_hard_start_xmit+0xa3/0x8c0
[ 24.426385] sch_direct_xmit+0x27a/0x520
[ 24.430426] __dev_queue_xmit+0x1594/0x1d00
[ 24.434990] ip_finish_output2+0x9fe/0x12f0
[ 24.439343] ip_finish_output+0x3be/0xc80
[ 24.443481] ip_output+0x1cf/0x520
[ 24.447015] ip_local_out+0x98/0x170
[ 24.450709] ip_queue_xmit+0x7ca/0x1a70
[ 24.454663] __tcp_transmit_skb+0x18bc/0x2e20
[ 24.459138] tcp_write_xmit+0x510/0x4780
[ 24.463178] __tcp_push_pending_frames+0xa0/0x230
[ 24.468088] tcp_push+0x402/0x600
[ 24.471533] tcp_sendmsg_locked+0x21f6/0x2f60
[ 24.476016] tcp_sendmsg+0x2b/0x40
[ 24.479554] inet_sendmsg+0x15b/0x520
[ 24.483344] sock_sendmsg+0xb7/0x100
[ 24.487054] sock_write_iter+0x20f/0x360
[ 24.491208] __vfs_write+0x401/0x5a0
[ 24.494936] vfs_write+0x17f/0x4d0
[ 24.498635] SyS_write+0x102/0x250
[ 24.502180] do_syscall_64+0x19b/0x520
[ 24.506059] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 24.511228] 0xffffffffffffffff
[ 24.514481]
[ 24.516093] Freed by task 1781:
[ 24.519352] __kasan_slab_free+0x164/0x210
[ 24.523574] kmem_cache_free+0xd7/0x3b0
[ 24.527536] kfree_skbmem+0xa0/0x110
[ 24.531245] kfree_skb+0xeb/0x370
[ 24.534697] packet_rcv_spkt+0xd5/0x4d0
[ 24.538708] dev_queue_xmit_nit+0x6e1/0x970
[ 24.543008] dev_hard_start_xmit+0xa3/0x8c0
[ 24.547326] sch_direct_xmit+0x27a/0x520
[ 24.551382] __dev_queue_xmit+0x1594/0x1d00
[ 24.555683] ip_finish_output2+0x9fe/0x12f0
[ 24.559981] ip_finish_output+0x3be/0xc80
[ 24.564303] ip_output+0x1cf/0x520
[ 24.567832] ip_local_out+0x98/0x170
[ 24.571532] ip_queue_xmit+0x7ca/0x1a70
[ 24.575496] __tcp_transmit_skb+0x18bc/0x2e20
[ 24.580230] tcp_write_xmit+0x510/0x4780
[ 24.584371] __tcp_push_pending_frames+0xa0/0x230
[ 24.589225] tcp_push+0x402/0x600
[ 24.592673] tcp_sendmsg_locked+0x21f6/0x2f60
[ 24.597153] tcp_sendmsg+0x2b/0x40
[ 24.600687] inet_sendmsg+0x15b/0x520
[ 24.604469] sock_sendmsg+0xb7/0x100
[ 24.608183] sock_write_iter+0x20f/0x360
[ 24.612247] __vfs_write+0x401/0x5a0
[ 24.615948] vfs_write+0x17f/0x4d0
[ 24.619472] SyS_write+0x102/0x250
[ 24.622992] do_syscall_64+0x19b/0x520
[ 24.626964] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 24.632148] 0xffffffffffffffff
[ 24.635403]
[ 24.637019] The buggy address belongs to the object at ffff8881d013d140
[ 24.637019] which belongs to the cache skbuff_head_cache of size 224
[ 24.650474] The buggy address is located 144 bytes inside of
[ 24.650474] 224-byte region [ffff8881d013d140, ffff8881d013d220)
[ 24.662351] The buggy address belongs to the page:
[ 24.667265] page:ffffea0007404f40 count:1 mapcount:0 mapping: (null) index:0x0
[ 24.675417] flags: 0x4000000000000200(slab)
[ 24.679827] raw: 4000000000000200 0000000000000000 0000000000000000 00000001800c000c
[ 24.687709] raw: dead000000000100 dead000000000200 ffff8881d6770200 0000000000000000
[ 24.695597] page dumped because: kasan: bad access detected
[ 24.701310]
[ 24.703003] Memory state around the buggy address:
[ 24.707928] ffff8881d013d080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 24.715284] ffff8881d013d100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 24.722622] >ffff8881d013d180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.730094]                                                  ^
[ 24.736117] ffff8881d013d200: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.743556] ffff8881d013d280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.750919] ==================================================================
[ 24.758775] Disabling lock debugging due to kernel taint
[ 24.764626] Kernel panic - not syncing: panic_on_warn set ...
[ 24.764626]
[ 24.771995] CPU: 0 PID: 1783 Comm: syz-executor070 Tainted: G B 4.14.155-syzkaller #0
[ 24.781069] Call Trace:
[ 24.783650] dump_stack+0xe5/0x154
[ 24.787179] panic+0x1f1/0x3da
[ 24.790360] ? add_taint.cold+0x16/0x16
[ 24.794314] ? retint_kernel+0x2d/0x2d
[ 24.798375] ? bpf_clone_redirect+0x2a7/0x2b0
[ 24.803013] ? __bpf_redirect+0xa30/0xa30
[ 24.807165] end_report+0x43/0x49
[ 24.810605] ? bpf_clone_redirect+0x2a7/0x2b0
[ 24.815151] __kasan_report.cold+0xd/0x41
[ 24.819326] ? bpf_clone_redirect+0x2a7/0x2b0
[ 24.823817] bpf_clone_redirect+0x2a7/0x2b0
[ 24.828130] ? __bpf_redirect+0xa30/0xa30
[ 24.832354] ___bpf_prog_run+0x2478/0x5510
[ 24.836583] ? lock_downgrade+0x630/0x630
[ 24.840710] ? lock_acquire+0x12b/0x360
[ 24.844663] ? bpf_jit_compile+0x30/0x30
[ 24.848731] ? __bpf_prog_run512+0x99/0xe0
[ 24.852957] ? ___bpf_prog_run+0x5510/0x5510
[ 24.857363] ? _raw_spin_unlock_irqrestore+0x54/0x70
[ 24.862455] ? trace_hardirqs_on_caller+0x37b/0x540
[ 24.867487] ? __lock_acquire+0x5d7/0x4320
[ 24.871823] ? __lock_acquire+0x5d7/0x4320
[ 24.876051] ? __kasan_kmalloc.part.0+0x8a/0xc0
[ 24.880714] ? trace_hardirqs_on+0x10/0x10
[ 24.884927] ? __lock_acquire+0x5d7/0x4320
[ 24.889159] ? bpf_test_run+0x42/0x340
[ 24.893034] ? lock_acquire+0x12b/0x360
[ 24.897920] ? bpf_test_run+0x13a/0x340
[ 24.901891] ? check_preemption_disabled+0x35/0x1f0
[ 24.906896] ? rcu_dynticks_curr_cpu_in_eqs+0x4c/0xa0
[ 24.912168] ? bpf_test_run+0xa8/0x340
[ 24.916036] ? bpf_prog_test_run_skb+0x638/0x8c0
[ 24.920779] ? bpf_test_init.isra.0+0xc0/0xc0
[ 24.925269] ? bpf_prog_add+0x53/0xc0
[ 24.929054] ? bpf_test_init.isra.0+0xc0/0xc0
[ 24.933537] ? SyS_bpf+0xa3b/0x3830
[ 24.937231] ? bpf_prog_get+0x20/0x20
[ 24.941019] ? __do_page_fault+0x49f/0xbb0
[ 24.945231] ? lock_downgrade+0x630/0x630
[ 24.949367] ? __do_page_fault+0x677/0xbb0
[ 24.953583] ? do_syscall_64+0x43/0x520
[ 24.957537] ? bpf_prog_get+0x20/0x20
[ 24.961343] ? do_syscall_64+0x19b/0x520
[ 24.965382] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 24.971642] Kernel Offset: 0xce00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 24.982482] Rebooting in 86400 seconds..