[ 10.493054] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 23.554241] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.846112] audit: type=1400 audit(1538400118.286:6): avc: denied { map } for pid=1767 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 23.891038] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.363448] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.65' (ECDSA) to the list of known hosts.
[ 30.347156] urandom_read: 1 callbacks suppressed
[ 30.347160] random: sshd: uninitialized urandom read (32 bytes read)
[ 30.441289] audit: type=1400 audit(1538400124.886:7): avc: denied { map } for pid=1779 comm="syz-executor273" path="/root/syz-executor273583137" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
[ 30.705509] audit: type=1400 audit(1538400125.146:8): avc: denied { prog_load } for pid=1780 comm="syz-executor273" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 30.730745] ==================================================================
[ 30.730769] BUG: KASAN: slab-out-of-bounds in bpf_skb_change_proto+0xd7d/0x1100
[ 30.730776] Read of size 2 at addr ffff8801cc934b38 by task syz-executor273/1780
[ 30.730778]
[ 30.730786] CPU: 1 PID: 1780 Comm: syz-executor273 Not tainted 4.14.73+ #12
[ 30.730789] Call Trace:
[ 30.730801]  dump_stack+0xb9/0x11b
[ 30.730816]  print_address_description+0x60/0x22b
[ 30.730829]  kasan_report.cold.6+0x11b/0x2dd
[ 30.730836]  ? bpf_skb_change_proto+0xd7d/0x1100
[ 30.730849]  bpf_skb_change_proto+0xd7d/0x1100
[ 30.730866]  ___bpf_prog_run+0x248e/0x5c70
[ 30.730878]  ? __free_insn_slot+0x490/0x490
[ 30.730905]  ? bpf_jit_compile+0x30/0x30
[ 30.730919]  ? depot_save_stack+0x20a/0x428
[ 30.730931]  ? __bpf_prog_run512+0x99/0xe0
[ 30.730938]  ? ___bpf_prog_run+0x5c70/0x5c70
[ 30.730957]  ? __lock_acquire+0x619/0x4320
[ 30.730972]  ? trace_hardirqs_on+0x10/0x10
[ 30.730985]  ? trace_hardirqs_on+0x10/0x10
[ 30.730996]  ? __lock_acquire+0x619/0x4320
[ 30.731003]  ? lock_downgrade+0x560/0x560
[ 30.731013]  ? __lru_cache_add+0x174/0x250
[ 30.731023]  ? bpf_test_run+0x57/0x350
[ 30.731033]  ? lock_acquire+0x10f/0x380
[ 30.731041]  ? check_preemption_disabled+0x34/0x160
[ 30.731048]  ? bpf_test_run+0xab/0x350
[ 30.731059]  ? bpf_prog_test_run_skb+0x63d/0x8c0
[ 30.731066]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 30.731074]  ? __fget_light+0x163/0x1f0
[ 30.731078]  ? bpf_prog_add+0x42/0xa0
[ 30.731084]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 30.731090]  ? SyS_bpf+0x79d/0x3640
[ 30.731097]  ? bpf_prog_get+0x20/0x20
[ 30.731103]  ? __do_page_fault+0x485/0xb60
[ 30.731108]  ? lock_downgrade+0x560/0x560
[ 30.731118]  ? up_read+0x17/0x30
[ 30.731122]  ? __do_page_fault+0x64c/0xb60
[ 30.731130]  ? do_syscall_64+0x43/0x4b0
[ 30.731136]  ? bpf_prog_get+0x20/0x20
[ 30.731139]  ? do_syscall_64+0x19b/0x4b0
[ 30.731149]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 30.731159]
[ 30.731162] Allocated by task 227:
[ 30.731167]  kasan_kmalloc.part.1+0x4f/0xd0
[ 30.731170]  kmem_cache_alloc+0xe4/0x2b0
[ 30.731175]  __alloc_skb+0xd8/0x550
[ 30.731179]  alloc_skb_with_frags+0xab/0x500
[ 30.731183]  sock_alloc_send_pskb+0x55e/0x6e0
[ 30.731188]  unix_dgram_sendmsg+0x37b/0xf50
[ 30.731192]  sock_sendmsg+0xb5/0x100
[ 30.731196]  SyS_sendto+0x211/0x340
[ 30.731198]  do_syscall_64+0x19b/0x4b0
[ 30.731202]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 30.731203]
[ 30.731205] Freed by task 191:
[ 30.731209]  kasan_slab_free+0xac/0x190
[ 30.731212]  kmem_cache_free+0x12d/0x350
[ 30.731215]  kfree_skbmem+0x9e/0x100
[ 30.731219]  consume_skb+0xc9/0x330
[ 30.731223]  skb_free_datagram+0x15/0xd0
[ 30.731226]  unix_dgram_recvmsg+0x762/0xd20
[ 30.731229]  sock_recvmsg+0xc0/0x100
[ 30.731233]  SyS_recvfrom+0x1d2/0x310
[ 30.731236]  do_syscall_64+0x19b/0x4b0
[ 30.731239]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 30.731240]
[ 30.731243] The buggy address belongs to the object at ffff8801cc934a00
[ 30.731243]  which belongs to the cache skbuff_head_cache of size 224
[ 30.731247] The buggy address is located 88 bytes to the right of
[ 30.731247]  224-byte region [ffff8801cc934a00, ffff8801cc934ae0)
[ 30.731248] The buggy address belongs to the page:
[ 30.731253] page:ffffea0007324d00 count:1 mapcount:0 mapping:          (null) index:0x0
[ 30.731257] flags: 0x4000000000000100(slab)
[ 30.731264] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[ 30.731268] raw: 0000000000000000 0000000100000001 ffff8801d6770200 0000000000000000
[ 30.731270] page dumped because: kasan: bad access detected
[ 30.731271]
[ 30.731272] Memory state around the buggy address:
[ 30.731275]  ffff8801cc934a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.731278]  ffff8801cc934a80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 30.731281] >ffff8801cc934b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 30.731283]                                         ^
[ 30.731285]  ffff8801cc934b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.731288]  ffff8801cc934c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.731290] ==================================================================
[ 30.731291] Disabling lock debugging due to kernel taint
[ 30.731293] Kernel panic - not syncing: panic_on_warn set ...
[ 30.731293]
[ 30.731297] CPU: 1 PID: 1780 Comm: syz-executor273 Tainted: G B 4.14.73+ #12
[ 30.731298] Call Trace:
[ 30.731303]  dump_stack+0xb9/0x11b
[ 30.731309]  panic+0x1bf/0x3a4
[ 30.731313]  ? add_taint.cold.4+0x16/0x16
[ 30.731321]  kasan_end_report+0x43/0x49
[ 30.731325]  kasan_report.cold.6+0x77/0x2dd
[ 30.731329]  ? bpf_skb_change_proto+0xd7d/0x1100
[ 30.731334]  bpf_skb_change_proto+0xd7d/0x1100
[ 30.731340]  ___bpf_prog_run+0x248e/0x5c70
[ 30.731344]  ? __free_insn_slot+0x490/0x490
[ 30.731349]  ? bpf_jit_compile+0x30/0x30
[ 30.731354]  ? depot_save_stack+0x20a/0x428
[ 30.731359]  ? __bpf_prog_run512+0x99/0xe0
[ 30.731362]  ? ___bpf_prog_run+0x5c70/0x5c70
[ 30.731369]  ? __lock_acquire+0x619/0x4320
[ 30.731374]  ? trace_hardirqs_on+0x10/0x10
[ 30.731380]  ? trace_hardirqs_on+0x10/0x10
[ 30.731386]  ? __lock_acquire+0x619/0x4320
[ 30.731390]  ? lock_downgrade+0x560/0x560
[ 30.731393]  ? __lru_cache_add+0x174/0x250
[ 30.731399]  ? bpf_test_run+0x57/0x350
[ 30.731405]  ? lock_acquire+0x10f/0x380
[ 30.731410]  ? check_preemption_disabled+0x34/0x160
[ 30.731415]  ? bpf_test_run+0xab/0x350
[ 30.731421]  ? bpf_prog_test_run_skb+0x63d/0x8c0
[ 30.731427]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 30.731431]  ? __fget_light+0x163/0x1f0
[ 30.731434]  ? bpf_prog_add+0x42/0xa0
[ 30.731439]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 30.731443]  ? SyS_bpf+0x79d/0x3640
[ 30.731449]  ? bpf_prog_get+0x20/0x20
[ 30.731452]  ? __do_page_fault+0x485/0xb60
[ 30.731456]  ? lock_downgrade+0x560/0x560
[ 30.731462]  ? up_read+0x17/0x30
[ 30.731465]  ? __do_page_fault+0x64c/0xb60
[ 30.731469]  ? do_syscall_64+0x43/0x4b0
[ 30.731474]  ? bpf_prog_get+0x20/0x20
[ 30.731477]  ? do_syscall_64+0x19b/0x4b0
[ 30.731483]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 30.731853] Kernel Offset: 0x1d800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)