[ ok ] Starting enhanced syslogd: rsyslogd.
[ 16.732608] audit: type=1400 audit(1520613752.696:5): avc: denied { syslog } for pid=3957 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 22.818149] audit: type=1400 audit(1520613758.781:6): avc: denied { map } for pid=4097 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.11' (ECDSA) to the list of known hosts.
[ 29.118642] audit: type=1400 audit(1520613765.082:7): avc: denied { map } for pid=4111 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2018/03/09 16:42:45 parsed 1 programs
2018/03/09 16:42:45 executed programs: 0
[ 29.371492] audit: type=1400 audit(1520613765.335:8): avc: denied { map } for pid=4111 comm="syz-execprog" path="/root/syzkaller-shm435572295" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 29.407393] IPVS: ftp: loaded support on port[0] = 21
[ 29.444781] IPVS: ftp: loaded support on port[0] = 21
[ 29.464508] audit: type=1400 audit(1520613765.428:9): avc: denied { map } for pid=4131 comm="syz-executor3" path="/dev/dsp1" dev="devtmpfs" ino=225 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file permissive=1
[ 29.485330] IPVS: ftp: loaded support on port[0] = 21
[ 29.527676] IPVS: ftp: loaded support on port[0] = 21
[ 29.588693] IPVS: ftp: loaded support on port[0] = 21
[ 29.659094] IPVS: ftp: loaded support on port[0] = 21
[ 29.737425] IPVS: ftp: loaded support on port[0] = 21
[ 29.841792] IPVS: ftp: loaded support on port[0] = 21
[ 30.004763] ==================================================================
[ 30.012290] BUG: KASAN: use-after-free in snd_pcm_oss_get_formats+0x320/0x380
[ 30.019557] Read of size 4 at addr ffff8801b2736da4 by task syz-executor2/4211
[ 30.026902]
[ 30.028522] CPU: 1 PID: 4211 Comm: syz-executor2 Not tainted 4.16.0-rc4+ #256
[ 30.035788] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.045133] Call Trace:
[ 30.047718]  dump_stack+0x194/0x24d
[ 30.051346]  ? arch_local_irq_restore+0x53/0x53
[ 30.056008]  ? show_regs_print_info+0x18/0x18
[ 30.060514]  ? trace_hardirqs_off+0xd/0x10
[ 30.064751]  ? snd_pcm_oss_get_formats+0x320/0x380
[ 30.069680]  print_address_description+0x73/0x250
[ 30.074524]  ? snd_pcm_oss_get_formats+0x320/0x380
[ 30.079451]  kasan_report+0x23c/0x360
[ 30.083251]  __asan_report_load4_noabort+0x14/0x20
[ 30.088177]  snd_pcm_oss_get_formats+0x320/0x380
[ 30.092930]  ? snd_pcm_oss_set_channels+0x3a0/0x3a0
[ 30.097950]  ? __might_sleep+0x95/0x190
[ 30.101928]  snd_pcm_oss_ioctl+0x1e2f/0x39f0
[ 30.106334]  ? avc_ss_reset+0x110/0x110
[ 30.110311]  ? snd_pcm_oss_release+0x280/0x280
[ 30.114887]  ? __lock_is_held+0xb6/0x140
[ 30.118986]  ? check_same_owner+0x320/0x320
[ 30.123299]  ? free_obj_work+0x690/0x690
[ 30.127354]  ? rcu_note_context_switch+0x710/0x710
[ 30.132285]  ? __might_sleep+0x95/0x190
[ 30.136260]  ? _cond_resched+0x14/0x30
[ 30.140151]  ? selinux_file_ioctl+0x444/0x690
[ 30.144642]  ? __fget_light+0x2b2/0x3c0
[ 30.148615]  ? selinux_capable+0x40/0x40
[ 30.152670]  ? rcu_seq_end+0x55/0x100
[ 30.156476]  ? kmem_cache_free+0x258/0x2a0
[ 30.160718]  ? compat_SyS_futex+0x288/0x380
[ 30.165047]  snd_pcm_oss_ioctl_compat+0x24/0x30
[ 30.169714]  compat_SyS_ioctl+0x151/0x2a30
[ 30.173942]  ? do_fast_syscall_32+0x156/0xf9f
[ 30.178433]  ? snd_pcm_oss_ioctl+0x39f0/0x39f0
[ 30.183013]  ? do_ioctl+0x60/0x60
[ 30.186472]  do_fast_syscall_32+0x3ec/0xf9f
[ 30.190804]  ? do_int80_syscall_32+0x9c0/0x9c0
[ 30.195364]  ? _raw_spin_unlock_irq+0x27/0x70
[ 30.199835]  ? finish_task_switch+0x1c1/0x7e0
[ 30.204313]  ? syscall_return_slowpath+0x2ac/0x550
[ 30.209221]  ? prepare_exit_to_usermode+0x350/0x350
[ 30.214214]  ? sysret32_from_system_call+0x5/0x3c
[ 30.219040]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.223864]  entry_SYSENTER_compat+0x70/0x7f
[ 30.228247] RIP: 0023:0xf7f4dc99
[ 30.231588] RSP: 002b:00000000f7f4909c EFLAGS: 00000286 ORIG_RAX: 0000000000000036
[ 30.239273] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000c0045005
[ 30.246517] RDX: 0000000020000080 RSI: 0000000000000000 RDI: 0000000000000000
[ 30.253758] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 30.261003] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 30.268251] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 30.275514]
[ 30.277124] Allocated by task 4211:
[ 30.280728]  save_stack+0x43/0xd0
[ 30.284152]  kasan_kmalloc+0xad/0xe0
[ 30.287840]  kmem_cache_alloc_trace+0x136/0x740
[ 30.292488]  snd_pcm_oss_get_formats+0x1c7/0x380
[ 30.297230]  snd_pcm_oss_ioctl+0x1e2f/0x39f0
[ 30.301621]  snd_pcm_oss_ioctl_compat+0x24/0x30
[ 30.306264]  compat_SyS_ioctl+0x151/0x2a30
[ 30.310481]  do_fast_syscall_32+0x3ec/0xf9f
[ 30.314775]  entry_SYSENTER_compat+0x70/0x7f
[ 30.319152]
[ 30.320754] Freed by task 4211:
[ 30.324025]  save_stack+0x43/0xd0
[ 30.327450]  __kasan_slab_free+0x11a/0x170
[ 30.331657]  kasan_slab_free+0xe/0x10
[ 30.335429]  kfree+0xd9/0x260
[ 30.338510]  snd_pcm_oss_get_formats+0x216/0x380
[ 30.343239]  snd_pcm_oss_ioctl+0x1e2f/0x39f0
[ 30.347619]  snd_pcm_oss_ioctl_compat+0x24/0x30
[ 30.352259]  compat_SyS_ioctl+0x151/0x2a30
[ 30.356469]  do_fast_syscall_32+0x3ec/0xf9f
[ 30.360768]  entry_SYSENTER_compat+0x70/0x7f
[ 30.365147]
[ 30.366750] The buggy address belongs to the object at ffff8801b2736d80
[ 30.366750]  which belongs to the cache kmalloc-1024 of size 1024
[ 30.379552] The buggy address is located 36 bytes inside of
[ 30.379552]  1024-byte region [ffff8801b2736d80, ffff8801b2737180)
[ 30.391396] The buggy address belongs to the page:
[ 30.396299] page:ffffea0006c9cd80 count:1 mapcount:0 mapping:ffff8801b2736000 index:0x0 compound_mapcount: 0
[ 30.406239] flags: 0x2fffc0000008100(slab|head)
[ 30.410881] raw: 02fffc0000008100 ffff8801b2736000 0000000000000000 0000000100000007
[ 30.418741] raw: ffffea000761bf20 ffffea000709d920 ffff8801dac00ac0 0000000000000000
[ 30.426594] page dumped because: kasan: bad access detected
[ 30.432276]
[ 30.433879] Memory state around the buggy address:
[ 30.438783]  ffff8801b2736c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.446125]  ffff8801b2736d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.453458] >ffff8801b2736d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.460790]                                ^
[ 30.465172]  ffff8801b2736e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.472502]  ffff8801b2736e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.479832] ==================================================================
[ 30.487163] Disabling lock debugging due to kernel taint
[ 30.492696] Kernel panic - not syncing: panic_on_warn set ...
[ 30.492696]
[ 30.500046] CPU: 1 PID: 4211 Comm: syz-executor2 Tainted: G B 4.16.0-rc4+ #256
[ 30.508613] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.517952] Call Trace:
[ 30.520525]  dump_stack+0x194/0x24d
[ 30.524140]  ? arch_local_irq_restore+0x53/0x53
[ 30.528803]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 30.533725]  ? vsnprintf+0x1ed/0x1900
[ 30.537520]  ? snd_pcm_oss_get_formats+0x2c0/0x380
[ 30.542438]  panic+0x1e4/0x41c
[ 30.545622]  ? refcount_error_report+0x214/0x214
[ 30.550372]  ? add_taint+0x1c/0x50
[ 30.553905]  ? add_taint+0x1c/0x50
[ 30.557448]  ? snd_pcm_oss_get_formats+0x320/0x380
[ 30.562366]  kasan_end_report+0x50/0x50
[ 30.566320]  kasan_report+0x149/0x360
[ 30.570109]  __asan_report_load4_noabort+0x14/0x20
[ 30.575039]  snd_pcm_oss_get_formats+0x320/0x380
[ 30.579771]  ? snd_pcm_oss_set_channels+0x3a0/0x3a0
[ 30.584761]  ? __might_sleep+0x95/0x190
[ 30.588716]  snd_pcm_oss_ioctl+0x1e2f/0x39f0
[ 30.593097]  ? avc_ss_reset+0x110/0x110
[ 30.597046]  ? snd_pcm_oss_release+0x280/0x280
[ 30.601599]  ? __lock_is_held+0xb6/0x140
[ 30.605640]  ? check_same_owner+0x320/0x320
[ 30.609942]  ? free_obj_work+0x690/0x690
[ 30.613986]  ? rcu_note_context_switch+0x710/0x710
[ 30.618893]  ? __might_sleep+0x95/0x190
[ 30.622843]  ? _cond_resched+0x14/0x30
[ 30.626719]  ? selinux_file_ioctl+0x444/0x690
[ 30.631196]  ? __fget_light+0x2b2/0x3c0
[ 30.635154]  ? selinux_capable+0x40/0x40
[ 30.639192]  ? rcu_seq_end+0x55/0x100
[ 30.642976]  ? kmem_cache_free+0x258/0x2a0
[ 30.647196]  ? compat_SyS_futex+0x288/0x380
[ 30.651499]  snd_pcm_oss_ioctl_compat+0x24/0x30
[ 30.656143]  compat_SyS_ioctl+0x151/0x2a30
[ 30.660359]  ? do_fast_syscall_32+0x156/0xf9f
[ 30.664833]  ? snd_pcm_oss_ioctl+0x39f0/0x39f0
[ 30.669390]  ? do_ioctl+0x60/0x60
[ 30.672829]  do_fast_syscall_32+0x3ec/0xf9f
[ 30.677137]  ? do_int80_syscall_32+0x9c0/0x9c0
[ 30.681691]  ? _raw_spin_unlock_irq+0x27/0x70
[ 30.686161]  ? finish_task_switch+0x1c1/0x7e0
[ 30.690633]  ? syscall_return_slowpath+0x2ac/0x550
[ 30.695534]  ? prepare_exit_to_usermode+0x350/0x350
[ 30.700531]  ? sysret32_from_system_call+0x5/0x3c
[ 30.705363]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.710205]  entry_SYSENTER_compat+0x70/0x7f
[ 30.714597] RIP: 0023:0xf7f4dc99
[ 30.717932] RSP: 002b:00000000f7f4909c EFLAGS: 00000286 ORIG_RAX: 0000000000000036
[ 30.725608] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000c0045005
[ 30.732857] RDX: 0000000020000080 RSI: 0000000000000000 RDI: 0000000000000000
[ 30.740099] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 30.747339] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 30.754590] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 30.762305] Dumping ftrace buffer:
[ 30.765814]    (ftrace buffer empty)
[ 30.769496] Kernel Offset: disabled
[ 30.773092] Rebooting in 86400 seconds..