[ 32.339073] audit: type=1800 audit(1581246556.735:33): pid=7168 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 32.366221] audit: type=1800 audit(1581246556.745:34): pid=7168 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 35.267506] random: sshd: uninitialized urandom read (32 bytes read)
[ 35.585376] audit: type=1400 audit(1581246559.985:35): avc: denied { map } for pid=7342 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 35.635935] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.363689] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.556927] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.151' (ECDSA) to the list of known hosts.
[ 42.108596] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 42.231573] audit: type=1400 audit(1581246566.635:36): avc: denied { map } for pid=7354 comm="syz-executor796" path="/root/syz-executor796035686" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 42.366043] ==================================================================
[ 42.366066] BUG: KASAN: global-out-of-bounds in vga16fb_imageblit+0x1bdb/0x2160
[ 42.366071] Read of size 2 at addr ffffffff8708cbfe by task syz-executor796/7354
[ 42.366072]
[ 42.366079] CPU: 0 PID: 7354 Comm: syz-executor796 Not tainted 4.14.170-syzkaller #0
[ 42.366082] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.366084] Call Trace:
[ 42.366093] dump_stack+0x142/0x197
[ 42.366099] ? vga16fb_imageblit+0x1bdb/0x2160
[ 42.366106] print_address_description.cold+0x5/0x1dc
[ 42.366111] ? vga16fb_imageblit+0x1bdb/0x2160
[ 42.366115] kasan_report.cold+0xa9/0x2af
[ 42.366121] __asan_report_load2_noabort+0x14/0x20
[ 42.366126] vga16fb_imageblit+0x1bdb/0x2160
[ 42.366133] ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 42.366140] ? debug_check_no_obj_freed+0x207/0x7b7
[ 42.366148] soft_cursor+0x4ff/0xa50
[ 42.366158] bit_cursor+0x11be/0x1830
[ 42.366166] ? bit_clear+0x4a0/0x4a0
[ 42.366170] ? fbcon_putcs+0x3c2/0x480
[ 42.366174] ? fbcon_putcs+0x223/0x480
[ 42.366181] ? fb_get_color_depth+0x5f/0x70
[ 42.366186] ? get_color+0x1bf/0x3b0
[ 42.366192] fbcon_cursor+0x4e3/0x6f0
[ 42.366196] ? bit_clear+0x4a0/0x4a0
[ 42.366204] set_cursor+0x1bd/0x240
[ 42.366209] redraw_screen+0x596/0x7c0
[ 42.366215] ? con_flush_chars+0x90/0x90
[ 42.366220] ? fbcon_set_palette+0x203/0x5b0
[ 42.366226] fbcon_modechanged+0x59e/0x880
[ 42.366233] fbcon_event_notify+0x11f/0x17af
[ 42.366241] ? lock_acquire+0x16f/0x430
[ 42.366249] notifier_call_chain+0x111/0x1b0
[ 42.366268] blocking_notifier_call_chain+0x80/0xa0
[ 42.366274] fb_notifier_call_chain+0x25/0x30
[ 42.366278] fb_set_var+0xb09/0xcf0
[ 42.366283] ? fb_set_suspend+0x110/0x110
[ 42.366288] ? lock_acquire+0x16f/0x430
[ 42.366291] ? lock_fb_info+0x1f/0x80
[ 42.366297] ? lock_fb_info+0x1f/0x80
[ 42.366301] ? __mutex_lock+0x36a/0x1470
[ 42.366306] ? trace_hardirqs_on+0x10/0x10
[ 42.366310] ? lock_acquire+0x16f/0x430
[ 42.366314] ? __down+0x16b/0x290
[ 42.366320] ? mutex_trylock+0x1c0/0x1c0
[ 42.366324] ? down+0x70/0x90
[ 42.366335] ? mutex_lock_nested+0x16/0x20
[ 42.366338] ? mutex_lock_nested+0x16/0x20
[ 42.366343] do_fb_ioctl+0x3cc/0x940
[ 42.366348] ? fb_read+0x520/0x520
[ 42.366355] ? avc_has_extended_perms+0x8ec/0xe40
[ 42.366361] ? putname+0xdb/0x120
[ 42.366366] ? avc_ss_reset+0x110/0x110
[ 42.366370] ? kmem_cache_free+0x83/0x2b0
[ 42.366377] ? do_syscall_64+0x1e8/0x640
[ 42.366381] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.366386] ? find_held_lock+0x35/0x130
[ 42.366390] ? debug_check_no_obj_freed+0x2aa/0x7b7
[ 42.366404] ? __might_sleep+0x93/0xb0
[ 42.366411] fb_ioctl+0xe6/0x130
[ 42.366415] ? do_fb_ioctl+0x940/0x940
[ 42.366420] do_vfs_ioctl+0x7ae/0x1060
[ 42.366425] ? selinux_file_mprotect+0x5d0/0x5d0
[ 42.366428] ? kmem_cache_free+0x244/0x2b0
[ 42.366433] ? ioctl_preallocate+0x1c0/0x1c0
[ 42.366437] ? putname+0xe0/0x120
[ 42.366443] ? do_sys_open+0x221/0x430
[ 42.366451] ? security_file_ioctl+0x7d/0xb0
[ 42.366455] ? security_file_ioctl+0x89/0xb0
[ 42.366461] SyS_ioctl+0x8f/0xc0
[ 42.366465] ? do_vfs_ioctl+0x1060/0x1060
[ 42.366471] do_syscall_64+0x1e8/0x640
[ 42.366475] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 42.366482] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.366486] RIP: 0033:0x440319
[ 42.366489] RSP: 002b:00007ffe228a42b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 42.366495] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440319
[ 42.366498] RDX: 0000000020000000 RSI: 0000000000004601 RDI: 0000000000000003
[ 42.366500] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 42.366503] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401ba0
[ 42.366505] R13: 0000000000401c30 R14: 0000000000000000 R15: 0000000000000000
[ 42.366513]
[ 42.366514] The buggy address belongs to the variable:
[ 42.366519] transl_h+0x3e/0x40
[ 42.366520]
[ 42.366522] Memory state around the buggy address:
[ 42.366526] ffffffff8708ca80: 00 00 00 00 00 03 fa fa fa fa fa fa 00 00 00 00
[ 42.366529] ffffffff8708cb00: fa fa fa fa 00 00 00 00 00 fa fa fa fa fa fa fa
[ 42.366532] >ffffffff8708cb80: 04 fa fa fa fa fa fa fa 00 00 00 00 fa fa fa fa
[ 42.366535]                                                                 ^
[ 42.366538] ffffffff8708cc00: 00 00 00 00 fa fa fa fa 00 01 fa fa fa fa fa fa
[ 42.366541] ffffffff8708cc80: 00 00 00 04 fa fa fa fa 00 00 04 fa fa fa fa fa
[ 42.366543] ==================================================================
[ 42.366545] Disabling lock debugging due to kernel taint
[ 42.366548] Kernel panic - not syncing: panic_on_warn set ...
[ 42.366548]
[ 42.366552] CPU: 0 PID: 7354 Comm: syz-executor796 Tainted: G B 4.14.170-syzkaller #0
[ 42.366554] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.366555] Call Trace:
[ 42.366559] dump_stack+0x142/0x197
[ 42.366564] ? vga16fb_imageblit+0x1bdb/0x2160
[ 42.366568] panic+0x1f9/0x42d
[ 42.366571] ? add_taint.cold+0x16/0x16
[ 42.366575] ? lock_downgrade+0x740/0x740
[ 42.366581] kasan_end_report+0x47/0x4f
[ 42.366585] kasan_report.cold+0x130/0x2af
[ 42.366590] __asan_report_load2_noabort+0x14/0x20
[ 42.366594] vga16fb_imageblit+0x1bdb/0x2160
[ 42.366598] ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 42.366601] ? debug_check_no_obj_freed+0x207/0x7b7
[ 42.366607] soft_cursor+0x4ff/0xa50
[ 42.366613] bit_cursor+0x11be/0x1830
[ 42.366619] ? bit_clear+0x4a0/0x4a0
[ 42.366623] ? fbcon_putcs+0x3c2/0x480
[ 42.366626] ? fbcon_putcs+0x223/0x480
[ 42.366631] ? fb_get_color_depth+0x5f/0x70
[ 42.366635] ? get_color+0x1bf/0x3b0
[ 42.366640] fbcon_cursor+0x4e3/0x6f0
[ 42.366643] ? bit_clear+0x4a0/0x4a0
[ 42.366648] set_cursor+0x1bd/0x240
[ 42.366652] redraw_screen+0x596/0x7c0
[ 42.366657] ? con_flush_chars+0x90/0x90
[ 42.366661] ? fbcon_set_palette+0x203/0x5b0
[ 42.366665] fbcon_modechanged+0x59e/0x880
[ 42.366671] fbcon_event_notify+0x11f/0x17af
[ 42.366675] ? lock_acquire+0x16f/0x430
[ 42.366680] notifier_call_chain+0x111/0x1b0
[ 42.366685] blocking_notifier_call_chain+0x80/0xa0
[ 42.366689] fb_notifier_call_chain+0x25/0x30
[ 42.366692] fb_set_var+0xb09/0xcf0
[ 42.366696] ? fb_set_suspend+0x110/0x110
[ 42.366700] ? lock_acquire+0x16f/0x430
[ 42.366703] ? lock_fb_info+0x1f/0x80
[ 42.366707] ? lock_fb_info+0x1f/0x80
[ 42.366711] ? __mutex_lock+0x36a/0x1470
[ 42.366715] ? trace_hardirqs_on+0x10/0x10
[ 42.366718] ? lock_acquire+0x16f/0x430
[ 42.366721] ? __down+0x16b/0x290
[ 42.366725] ? mutex_trylock+0x1c0/0x1c0
[ 42.366729] ? down+0x70/0x90
[ 42.366736] ? mutex_lock_nested+0x16/0x20
[ 42.366738] ? mutex_lock_nested+0x16/0x20
[ 42.366742] do_fb_ioctl+0x3cc/0x940
[ 42.366746] ? fb_read+0x520/0x520
[ 42.366750] ? avc_has_extended_perms+0x8ec/0xe40
[ 42.366754] ? putname+0xdb/0x120
[ 42.366758] ? avc_ss_reset+0x110/0x110
[ 42.366761] ? kmem_cache_free+0x83/0x2b0
[ 42.366765] ? do_syscall_64+0x1e8/0x640
[ 42.366769] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.366772] ? find_held_lock+0x35/0x130
[ 42.366776] ? debug_check_no_obj_freed+0x2aa/0x7b7
[ 42.366784] ? __might_sleep+0x93/0xb0
[ 42.366789] fb_ioctl+0xe6/0x130
[ 42.366792] ? do_fb_ioctl+0x940/0x940
[ 42.366796] do_vfs_ioctl+0x7ae/0x1060
[ 42.366800] ? selinux_file_mprotect+0x5d0/0x5d0
[ 42.366803] ? kmem_cache_free+0x244/0x2b0
[ 42.366807] ? ioctl_preallocate+0x1c0/0x1c0
[ 42.366810] ? putname+0xe0/0x120
[ 42.366814] ? do_sys_open+0x221/0x430
[ 42.366820] ? security_file_ioctl+0x7d/0xb0
[ 42.366823] ? security_file_ioctl+0x89/0xb0
[ 42.366828] SyS_ioctl+0x8f/0xc0
[ 42.366832] ? do_vfs_ioctl+0x1060/0x1060
[ 42.366836] do_syscall_64+0x1e8/0x640
[ 42.366839] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 42.366845] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.366847] RIP: 0033:0x440319
[ 42.366849] RSP: 002b:00007ffe228a42b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 42.366853] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440319
[ 42.366855] RDX: 0000000020000000 RSI: 0000000000004601 RDI: 0000000000000003
[ 42.366857] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 42.366860] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401ba0
[ 42.366862] R13: 0000000000401c30 R14: 0000000000000000 R15: 0000000000000000
[ 42.368182] Kernel Offset: disabled
[ 43.168424] Rebooting in 86400 seconds..