[ 44.203391] audit: type=1800 audit(1575358542.658:29): pid=7888 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2447 res=0
[ 44.224153] audit: type=1800 audit(1575358542.658:30): pid=7888 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.93' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 53.655667] kauditd_printk_skb: 5 callbacks suppressed
[ 53.655682] audit: type=1400 audit(1575358552.108:36): avc: denied { map } for pid=8073 comm="syz-executor287" path="/root/syz-executor287027879" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 53.696884] ==================================================================
[ 53.696921] BUG: KASAN: global-out-of-bounds in fbcon_get_font+0x2b2/0x5e0
[ 53.696931] Read of size 28 at addr ffffffff87ec9dd8 by task syz-executor287/8074
[ 53.696935]
[ 53.696951] CPU: 0 PID: 8074 Comm: syz-executor287 Not tainted 4.19.87-syzkaller #0
[ 53.696958] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.696963] Call Trace:
[ 53.696982] dump_stack+0x197/0x210
[ 53.696997] ? fbcon_get_font+0x2b2/0x5e0
[ 53.697017] print_address_description.cold+0x5/0x20d
[ 53.697029] ? fbcon_get_font+0x2b2/0x5e0
[ 53.697042] kasan_report.cold+0x8c/0x2ba
[ 53.697060] check_memory_region+0x123/0x190
[ 53.697075] memcpy+0x24/0x50
[ 53.697089] fbcon_get_font+0x2b2/0x5e0
[ 53.697106] ? display_to_var+0x7e0/0x7e0
[ 53.697121] con_font_op+0x20b/0x1250
[ 53.697182] ? __might_sleep+0x95/0x190
[ 53.697197] ? con_write+0xd0/0xd0
[ 53.697217] ? avc_has_extended_perms+0x8e7/0x10f0
[ 53.697240] ? lock_downgrade+0x880/0x880
[ 53.697256] vt_ioctl+0xd2e/0x2530
[ 53.697272] ? complete_change_console+0x3a0/0x3a0
[ 53.697286] ? avc_has_extended_perms+0xa78/0x10f0
[ 53.697308] ? __sanitizer_cov_trace_switch+0x49/0x80
[ 53.697327] ? tty_jobctrl_ioctl+0x50/0xcd0
[ 53.697340] ? complete_change_console+0x3a0/0x3a0
[ 53.697357] tty_ioctl+0x7f3/0x1510
[ 53.697374] ? tty_vhangup+0x30/0x30
[ 53.697385] ? mark_held_locks+0x100/0x100
[ 53.697399] ? do_futex+0x17d/0x1d70
[ 53.697414] ? debug_check_no_obj_freed+0x200/0x464
[ 53.697434] ? __fget+0x340/0x540
[ 53.697455] ? __might_sleep+0x95/0x190
[ 53.697470] ? tty_vhangup+0x30/0x30
[ 53.697487] do_vfs_ioctl+0xd5f/0x1380
[ 53.697500] ? selinux_file_ioctl+0x46f/0x5e0
[ 53.697513] ? selinux_file_ioctl+0x125/0x5e0
[ 53.697527] ? ioctl_preallocate+0x210/0x210
[ 53.697539] ? selinux_file_mprotect+0x620/0x620
[ 53.697559] ? iterate_fd+0x360/0x360
[ 53.697581] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 53.697593] ? security_file_ioctl+0x8d/0xc0
[ 53.697609] ksys_ioctl+0xab/0xd0
[ 53.697626] __x64_sys_ioctl+0x73/0xb0
[ 53.697644] do_syscall_64+0xfd/0x620
[ 53.697662] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.697674] RIP: 0033:0x4497f9
[ 53.697687] Code: e8 ec b9 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab d6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 53.697694] RSP: 002b:00007f4a156bfce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 53.697708] RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 00000000004497f9
[ 53.697715] RDX: 0000000020000140 RSI: 0000000000004b60 RDI: 0000000000000005
[ 53.697722] RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
[ 53.697730] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac2c
[ 53.697738] R13: 00007ffdcbecf8bf R14: 00007f4a156c09c0 R15: 20c49ba5e353f7cf
[ 53.697757]
[ 53.697762] The buggy address belongs to the variable:
[ 53.697775] fontdata_8x16+0xff8/0x1120
[ 53.697778]
[ 53.697782] Memory state around the buggy address:
[ 53.697794] ffffffff87ec9c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 53.697804] ffffffff87ec9d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 53.697814] >ffffffff87ec9d80: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
[ 53.697820] ^
[ 53.697829] ffffffff87ec9e00: 06 fa fa fa fa fa fa fa 05 fa fa fa fa fa fa fa
[ 53.697839] ffffffff87ec9e80: 06 fa fa fa fa fa fa fa 00 00 03 fa fa fa fa fa
[ 53.697844] ==================================================================
[ 53.697848] Disabling lock debugging due to kernel taint
[ 53.697853] Kernel panic - not syncing: panic_on_warn set ...
[ 53.697853]
[ 53.697864] CPU: 0 PID: 8074 Comm: syz-executor287 Tainted: G B 4.19.87-syzkaller #0
[ 53.697869] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.697871] Call Trace:
[ 53.697882] dump_stack+0x197/0x210
[ 53.697895] ? fbcon_get_font+0x2b2/0x5e0
[ 53.697907] panic+0x26a/0x50e
[ 53.697917] ? __warn_printk+0xf3/0xf3
[ 53.697931] ? lock_downgrade+0x880/0x880
[ 53.697947] ? trace_hardirqs_on+0x67/0x220
[ 53.697958] ? trace_hardirqs_on+0x5e/0x220
[ 53.697971] ? fbcon_get_font+0x2b2/0x5e0
[ 53.697983] kasan_end_report+0x47/0x4f
[ 53.697996] kasan_report.cold+0xa9/0x2ba
[ 53.698011] check_memory_region+0x123/0x190
[ 53.698023] memcpy+0x24/0x50
[ 53.698034] fbcon_get_font+0x2b2/0x5e0
[ 53.698046] ? display_to_var+0x7e0/0x7e0
[ 53.698058] con_font_op+0x20b/0x1250
[ 53.698071] ? __might_sleep+0x95/0x190
[ 53.698082] ? con_write+0xd0/0xd0
[ 53.698098] ? avc_has_extended_perms+0x8e7/0x10f0
[ 53.698114] ? lock_downgrade+0x880/0x880
[ 53.698135] vt_ioctl+0xd2e/0x2530
[ 53.698149] ? complete_change_console+0x3a0/0x3a0
[ 53.698162] ? avc_has_extended_perms+0xa78/0x10f0
[ 53.698178] ? __sanitizer_cov_trace_switch+0x49/0x80
[ 53.698192] ? tty_jobctrl_ioctl+0x50/0xcd0
[ 53.698204] ? complete_change_console+0x3a0/0x3a0
[ 53.698218] tty_ioctl+0x7f3/0x1510
[ 53.698232] ? tty_vhangup+0x30/0x30
[ 53.698243] ? mark_held_locks+0x100/0x100
[ 53.698255] ? do_futex+0x17d/0x1d70
[ 53.698268] ? debug_check_no_obj_freed+0x200/0x464
[ 53.698282] ? __fget+0x340/0x540
[ 53.698298] ? __might_sleep+0x95/0x190
[ 53.698312] ? tty_vhangup+0x30/0x30
[ 53.698325] do_vfs_ioctl+0xd5f/0x1380
[ 53.698337] ? selinux_file_ioctl+0x46f/0x5e0
[ 53.698348] ? selinux_file_ioctl+0x125/0x5e0
[ 53.698360] ? ioctl_preallocate+0x210/0x210
[ 53.698371] ? selinux_file_mprotect+0x620/0x620
[ 53.698385] ? iterate_fd+0x360/0x360
[ 53.698400] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 53.698411] ? security_file_ioctl+0x8d/0xc0
[ 53.698423] ksys_ioctl+0xab/0xd0
[ 53.698437] __x64_sys_ioctl+0x73/0xb0
[ 53.698450] do_syscall_64+0xfd/0x620
[ 53.698464] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.698472] RIP: 0033:0x4497f9
[ 53.698484] Code: e8 ec b9 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab d6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 53.698490] RSP: 002b:00007f4a156bfce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 53.698501] RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 00000000004497f9
[ 53.698507] RDX: 0000000020000140 RSI: 0000000000004b60 RDI: 0000000000000005
[ 53.698514] RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
[ 53.698521] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac2c
[ 53.698527] R13: 00007ffdcbecf8bf R14: 00007f4a156c09c0 R15: 20c49ba5e353f7cf
[ 53.700403] Kernel Offset: disabled
[ 54.336546] Rebooting in 86400 seconds..