INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.23' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   62.410549] ==================================================================
[   62.417975] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x275e/0x3210
[   62.424540] Read of size 2081 at addr ffff8801b11a3798 by task syzkaller120450/4487
[   62.432315]
[   62.433923] CPU: 0 PID: 4487 Comm: syzkaller120450 Not tainted 4.16.0+ #1
[   62.440821] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   62.450146] Call Trace:
[   62.452714]  dump_stack+0x1b9/0x29f
[   62.456319]  ? arch_local_irq_restore+0x52/0x52
[   62.460973]  ? printk+0x9e/0xba
[   62.464229]  ? show_regs_print_info+0x18/0x18
[   62.468701]  ? kasan_check_write+0x14/0x20
[   62.472925]  print_address_description+0x6c/0x20b
[   62.477745]  ? pfkey_add+0x275e/0x3210
[   62.481606]  kasan_report.cold.7+0xac/0x2f5
[   62.485907]  check_memory_region+0x13e/0x1b0
[   62.490294]  memcpy+0x23/0x50
[   62.493377]  pfkey_add+0x275e/0x3210
[   62.497069]  ? pfkey_acquire+0x270/0x270
[   62.501111]  ? iov_iter_advance+0x2e4/0x14c0
[   62.505499]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   62.510666]  ? pfkey_acquire+0x270/0x270
[   62.514705]  pfkey_process+0x7cc/0x8a0
[   62.518573]  ? pfkey_send_new_mapping+0x1260/0x1260
[   62.523581]  pfkey_sendmsg+0x5f4/0x1050
[   62.527536]  ? _copy_from_user+0xdf/0x150
[   62.531666]  ? pfkey_spdget+0xb10/0xb10
[   62.535618]  ? security_socket_sendmsg+0x9b/0xd0
[   62.540350]  ? pfkey_spdget+0xb10/0xb10
[   62.544301]  sock_sendmsg+0xd5/0x120
[   62.547995]  ___sys_sendmsg+0x805/0x940
[   62.551947]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   62.557461]  ? copy_msghdr_from_user+0x560/0x560
[   62.562193]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   62.566926]  ? graph_lock+0x170/0x170
[   62.570703]  ? graph_lock+0x170/0x170
[   62.574488]  ? find_held_lock+0x36/0x1c0
[   62.578527]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   62.584040]  ? __fget_light+0x2ef/0x430
[   62.587993]  ? fget_raw+0x20/0x20
[   62.591426]  ? find_held_lock+0x36/0x1c0
[   62.595469]  ? lock_downgrade+0x8e0/0x8e0
[   62.599596]  ? handle_mm_fault+0x8c0/0xc70
[   62.603811]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   62.609340]  ? sockfd_lookup_light+0xc5/0x160
[   62.613820]  __sys_sendmsg+0x115/0x270
[   62.617686]  ? SyS_shutdown+0x30/0x30
[   62.621466]  ? __do_page_fault+0x441/0xe40
[   62.625678]  ? fd_install+0x4d/0x60
[   62.629602]  SyS_sendmsg+0x29/0x30
[   62.633117]  ? __sys_sendmsg+0x270/0x270
[   62.637156]  do_syscall_64+0x29e/0x9d0
[   62.641018]  ? vmalloc_sync_all+0x30/0x30
[   62.645141]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   62.649873]  ? syscall_return_slowpath+0x5c0/0x5c0
[   62.654783]  ? syscall_return_slowpath+0x30f/0x5c0
[   62.659693]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   62.665208]  ? retint_user+0x18/0x18
[   62.668899]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   62.673726]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   62.678909] RIP: 0033:0x43fdd9
[   62.682073] RSP: 002b:00007fff977c67b8 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
[   62.689757] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdd9
[   62.697002] RDX: 0000000000000000 RSI: 0000000020f56000 RDI: 0000000000000003
[   62.704245] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   62.711489] R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401700
[   62.718734] R13: 0000000000401790 R14: 0000000000000000 R15: 0000000000000000
[   62.725993]
[   62.727599] Allocated by task 4487:
[   62.731211]  save_stack+0x43/0xd0
[   62.734638]  kasan_kmalloc+0xc4/0xe0
[   62.738325]  __kmalloc_node_track_caller+0x47/0x70
[   62.743230]  __kmalloc_reserve.isra.38+0x3a/0xe0
[   62.747960]  __alloc_skb+0x14d/0x780
[   62.751651]  pfkey_sendmsg+0x250/0x1050
[   62.755599]  sock_sendmsg+0xd5/0x120
[   62.759285]  ___sys_sendmsg+0x805/0x940
[   62.763231]  __sys_sendmsg+0x115/0x270
[   62.767090]  SyS_sendmsg+0x29/0x30
[   62.770606]  do_syscall_64+0x29e/0x9d0
[   62.774473]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   62.779631]
[   62.781233] Freed by task 0:
[   62.784221] (stack is not available)
[   62.787920]
[   62.789528] The buggy address belongs to the object at ffff8801b11a3780
[   62.789528]  which belongs to the cache kmalloc-512 of size 512
[   62.802163] The buggy address is located 24 bytes inside of
[   62.802163]  512-byte region [ffff8801b11a3780, ffff8801b11a3980)
[   62.813923] The buggy address belongs to the page:
[   62.818836] page:ffffea0006c468c0 count:1 mapcount:0 mapping:ffff8801b11a3000 index:0x0
[   62.826952] flags: 0x2fffc0000000100(slab)
[   62.831167] raw: 02fffc0000000100 ffff8801b11a3000 0000000000000000 0000000100000006
[   62.839025] raw: ffffea0006b26b20 ffff8801dac01748 ffff8801dac00940 0000000000000000
[   62.846885] page dumped because: kasan: bad access detected
[   62.852564]
[   62.854163] Memory state around the buggy address:
[   62.859077]  ffff8801b11a3880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   62.866499]  ffff8801b11a3900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   62.873834] >ffff8801b11a3980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   62.881164]                    ^
[   62.884503]  ffff8801b11a3a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.891837]  ffff8801b11a3a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.899171] ==================================================================
[   62.906510] Disabling lock debugging due to kernel taint
[   62.912037] Kernel panic - not syncing: panic_on_warn set ...
[   62.912037]
[   62.919384] CPU: 0 PID: 4487 Comm: syzkaller120450 Tainted: G    B   4.16.0+ #1
[   62.927582] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   62.936907] Call Trace:
[   62.939472]  dump_stack+0x1b9/0x29f
[   62.943074]  ? arch_local_irq_restore+0x52/0x52
[   62.947727]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   62.952458]  ? pfkey_add+0x2700/0x3210
[   62.956329]  panic+0x22f/0x4de
[   62.959496]  ? add_taint.cold.5+0x16/0x16
[   62.963617]  ? do_raw_spin_unlock+0x9e/0x2e0
[   62.968004]  ? do_raw_spin_unlock+0x9e/0x2e0
[   62.972386]  ? pfkey_add+0x275e/0x3210
[   62.976250]  kasan_end_report+0x47/0x4f
[   62.980199]  kasan_report.cold.7+0xc9/0x2f5
[   62.984495]  check_memory_region+0x13e/0x1b0
[   62.988881]  memcpy+0x23/0x50
[   62.991960]  pfkey_add+0x275e/0x3210
[   62.995648]  ? pfkey_acquire+0x270/0x270
[   62.999682]  ? iov_iter_advance+0x2e4/0x14c0
[   63.004067]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   63.009231]  ? pfkey_acquire+0x270/0x270
[   63.013266]  pfkey_process+0x7cc/0x8a0
[   63.017131]  ? pfkey_send_new_mapping+0x1260/0x1260
[   63.022128]  pfkey_sendmsg+0x5f4/0x1050
[   63.026082]  ? _copy_from_user+0xdf/0x150
[   63.030204]  ? pfkey_spdget+0xb10/0xb10
[   63.034154]  ? security_socket_sendmsg+0x9b/0xd0
[   63.038890]  ? pfkey_spdget+0xb10/0xb10
[   63.042841]  sock_sendmsg+0xd5/0x120
[   63.046532]  ___sys_sendmsg+0x805/0x940
[   63.050484]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   63.056004]  ? copy_msghdr_from_user+0x560/0x560
[   63.060757]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   63.065490]  ? graph_lock+0x170/0x170
[   63.069264]  ? graph_lock+0x170/0x170
[   63.073039]  ? find_held_lock+0x36/0x1c0
[   63.077074]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   63.082585]  ? __fget_light+0x2ef/0x430
[   63.086531]  ? fget_raw+0x20/0x20
[   63.089961]  ? find_held_lock+0x36/0x1c0
[   63.093998]  ? lock_downgrade+0x8e0/0x8e0
[   63.098117]  ? handle_mm_fault+0x8c0/0xc70
[   63.102326]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   63.107839]  ? sockfd_lookup_light+0xc5/0x160
[   63.112308]  __sys_sendmsg+0x115/0x270
[   63.116180]  ? SyS_shutdown+0x30/0x30
[   63.119959]  ? __do_page_fault+0x441/0xe40
[   63.124252]  ? fd_install+0x4d/0x60
[   63.127860]  SyS_sendmsg+0x29/0x30
[   63.131373]  ? __sys_sendmsg+0x270/0x270
[   63.135409]  do_syscall_64+0x29e/0x9d0
[   63.139266]  ? vmalloc_sync_all+0x30/0x30
[   63.143388]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   63.148118]  ? syscall_return_slowpath+0x5c0/0x5c0
[   63.153023]  ? syscall_return_slowpath+0x30f/0x5c0
[   63.157927]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   63.163437]  ? retint_user+0x18/0x18
[   63.167127]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   63.171946]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   63.177109] RIP: 0033:0x43fdd9
[   63.180273] RSP: 002b:00007fff977c67b8 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
[   63.187957] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdd9
[   63.195200] RDX: 0000000000000000 RSI: 0000000020f56000 RDI: 0000000000000003
[   63.202442] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   63.209688] R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401700
[   63.216933] R13: 0000000000401790 R14: 0000000000000000 R15: 0000000000000000
[   63.224583] Dumping ftrace buffer:
[   63.228105]    (ftrace buffer empty)
[   63.231804] Kernel Offset: disabled
[   63.235415] Rebooting in 86400 seconds..