INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-7,10.128.15.206' (ECDSA) to the list of known hosts.
2017/11/24 14:53:49 parsed 1 programs
2017/11/24 14:53:49 executed programs: 0

syzkaller login:
[   43.432836] ==================================================================
[   43.434289] BUG: KASAN: use-after-free in aead_recvmsg+0x1552/0x1970
[   43.435258] Read of size 4 at addr ffff8801cd6be85c by task syz-executor3/4244
[   43.436312]
[   43.436580] CPU: 0 PID: 4244 Comm: syz-executor3 Not tainted 4.14.0+ #192
[   43.437532] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.438946] Call Trace:
[   43.439319]  dump_stack+0x194/0x257
[   43.439891]  ? arch_local_irq_restore+0x53/0x53
[   43.440536]  ? show_regs_print_info+0x65/0x65
[   43.441258]  ? af_alg_make_sg+0x510/0x510
[   43.441977]  ? aead_recvmsg+0x1552/0x1970
[   43.442652]  print_address_description+0x73/0x250
[   43.443411]  ? aead_recvmsg+0x1552/0x1970
[   43.444061]  kasan_report+0x25b/0x340
[   43.444647]  __asan_report_load4_noabort+0x14/0x20
[   43.445397]  aead_recvmsg+0x1552/0x1970
[   43.446046]  ? aead_sendpage_nokey+0xa0/0xa0
[   43.446737]  ? selinux_socket_recvmsg+0x36/0x40
[   43.447375]  ? security_socket_recvmsg+0x91/0xc0
[   43.448095]  ? aead_sendpage_nokey+0xa0/0xa0
[   43.448713]  sock_recvmsg+0xc9/0x110
[   43.449424]  ? __sock_recv_wifi_status+0x210/0x210
[   43.450146]  ___sys_recvmsg+0x29b/0x630
[   43.451117]  ? ___sys_sendmsg+0x8a0/0x8a0
[   43.451847]  ? get_unused_fd_flags+0x190/0x190
[   43.452666]  ? _raw_spin_unlock_bh+0x30/0x40
[   43.453314]  ? release_sock+0x1d4/0x2a0
[   43.457287]  ? fget_raw+0x20/0x20
[   43.460731]  ? schedule+0xf5/0x430
[   43.464262]  ? __schedule+0x2060/0x2060
[   43.468242]  ? fput+0xd2/0x140
[   43.471430]  ? SYSC_accept4+0x4f2/0x850
[   43.475408]  ? __fdget+0x18/0x20
[   43.478770]  __sys_recvmsg+0xe2/0x210
[   43.482559]  ? __sys_recvmsg+0xe2/0x210
[   43.486521]  ? SyS_sendmmsg+0x60/0x60
[   43.490319]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   43.495321]  SyS_recvmsg+0x2d/0x50
[   43.498837]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   43.503561] RIP: 0033:0x452879
[   43.506718] RSP: 002b:00007ff6b36cbbe8 EFLAGS: 00000212 ORIG_RAX: 000000000000002f
[   43.514391] RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452879
[   43.521629] RDX: 0000000000000040 RSI: 00000000207e0000 RDI: 0000000000000004
[   43.528867] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[   43.536109] R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f3718
[   43.543352] R13: 00000000ffffffff R14: 00007ff6b36cc6d4 R15: 0000000000000000
[   43.550606]
[   43.552208] Allocated by task 3077:
[   43.555805]  save_stack+0x43/0xd0
[   43.559223]  kasan_kmalloc+0xad/0xe0
[   43.562905]  __kmalloc+0x162/0x760
[   43.566411]  crypto_create_tfm+0x82/0x2e0
[   43.570527]  crypto_alloc_tfm+0x10e/0x2f0
[   43.574643]  crypto_alloc_skcipher+0x2c/0x40
[   43.579026]  crypto_get_default_null_skcipher+0x5f/0x80
[   43.584356]  aead_bind+0x89/0x140
[   43.587773]  alg_bind+0x1ab/0x440
[   43.591194]  SYSC_bind+0x1b4/0x3f0
[   43.594700]  SyS_bind+0x24/0x30
[   43.597948]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   43.602665]
[   43.604260] Freed by task 4239:
[   43.607512]  save_stack+0x43/0xd0
[   43.610930]  kasan_slab_free+0x71/0xc0
[   43.614782]  kfree+0xca/0x250
[   43.617855]  kzfree+0x28/0x30
[   43.620930]  crypto_destroy_tfm+0x140/0x2e0
[   43.625217]  crypto_put_default_null_skcipher+0x35/0x60
[   43.630548]  aead_sock_destruct+0x13c/0x220
[   43.634846]  __sk_destruct+0xfd/0x910
[   43.638616]  sk_destruct+0x47/0x80
[   43.642124]  __sk_free+0x57/0x230
[   43.645542]  sk_free+0x2a/0x40
[   43.648703]  af_alg_release+0x5d/0x70
[   43.652470]  sock_release+0x8d/0x1e0
[   43.656161]  sock_close+0x16/0x20
[   43.659603]  __fput+0x333/0x7f0
[   43.662851]  ____fput+0x15/0x20
[   43.666099]  task_work_run+0x199/0x270
[   43.669953]  do_exit+0x9bb/0x1ae0
[   43.673374]  do_group_exit+0x149/0x400
[   43.677228]  SyS_exit_group+0x1d/0x20
[   43.680994]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   43.685714]
[   43.687310] The buggy address belongs to the object at ffff8801cd6be840
[   43.687310]  which belongs to the cache kmalloc-128 of size 128
[   43.699929] The buggy address is located 28 bytes inside of
[   43.699929]  128-byte region [ffff8801cd6be840, ffff8801cd6be8c0)
[   43.711680] The buggy address belongs to the page:
[   43.716583] page:ffffea000735af80 count:1 mapcount:0 mapping:ffff8801cd6be000 index:0x0
[   43.724699] flags: 0x2fffc0000000100(slab)
[   43.728902] raw: 02fffc0000000100 ffff8801cd6be000 0000000000000000 0000000100000015
[   43.736752] raw: ffffea00073511a0 ffffea0007367ba0 ffff8801db000640 0000000000000000
[   43.744598] page dumped because: kasan: bad access detected
[   43.750285]
[   43.751888] Memory state around the buggy address:
[   43.756786]  ffff8801cd6be700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   43.764113]  ffff8801cd6be780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.771443] >ffff8801cd6be800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   43.778767]                                                     ^
[   43.784966]  ffff8801cd6be880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   43.792300]  ffff8801cd6be900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.799641] ==================================================================
[   43.806967] Disabling lock debugging due to kernel taint
[   43.812477] Kernel panic - not syncing: panic_on_warn set ...
[   43.812477]
[   43.819828] CPU: 0 PID: 4244 Comm: syz-executor3 Tainted: G    B           4.14.0+ #192
[   43.828037] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.837375] Call Trace:
[   43.839957]  dump_stack+0x194/0x257
[   43.843578]  ? arch_local_irq_restore+0x53/0x53
[   43.848239]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   43.852977]  ? vsnprintf+0x1ed/0x1900
[   43.856749]  ? aead_recvmsg+0x14d0/0x1970
[   43.860866]  panic+0x1e4/0x41c
[   43.864026]  ? refcount_error_report+0x214/0x214
[   43.868748]  ? add_taint+0x1c/0x50
[   43.872253]  ? add_taint+0x1c/0x50
[   43.875762]  ? aead_recvmsg+0x1552/0x1970
[   43.879884]  kasan_end_report+0x50/0x50
[   43.883824]  kasan_report+0x144/0x340
[   43.887605]  __asan_report_load4_noabort+0x14/0x20
[   43.892501]  aead_recvmsg+0x1552/0x1970
[   43.896460]  ? aead_sendpage_nokey+0xa0/0xa0
[   43.900849]  ? selinux_socket_recvmsg+0x36/0x40
[   43.905489]  ? security_socket_recvmsg+0x91/0xc0
[   43.910213]  ? aead_sendpage_nokey+0xa0/0xa0
[   43.914589]  sock_recvmsg+0xc9/0x110
[   43.918276]  ? __sock_recv_wifi_status+0x210/0x210
[   43.923172]  ___sys_recvmsg+0x29b/0x630
[   43.927116]  ? ___sys_sendmsg+0x8a0/0x8a0
[   43.931234]  ? get_unused_fd_flags+0x190/0x190
[   43.935782]  ? _raw_spin_unlock_bh+0x30/0x40
[   43.940159]  ? release_sock+0x1d4/0x2a0
[   43.944103]  ? fget_raw+0x20/0x20
[   43.947522]  ? schedule+0xf5/0x430
[   43.951028]  ? __schedule+0x2060/0x2060
[   43.954971]  ? fput+0xd2/0x140
[   43.958129]  ? SYSC_accept4+0x4f2/0x850
[   43.962072]  ? __fdget+0x18/0x20
[   43.965408]  __sys_recvmsg+0xe2/0x210
[   43.969175]  ? __sys_recvmsg+0xe2/0x210
[   43.973202]  ? SyS_sendmmsg+0x60/0x60
[   43.976983]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   43.981967]  SyS_recvmsg+0x2d/0x50
[   43.985476]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   43.990196] RIP: 0033:0x452879
[   43.993353] RSP: 002b:00007ff6b36cbbe8 EFLAGS: 00000212 ORIG_RAX: 000000000000002f
[   44.001027] RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452879
[   44.008264] RDX: 0000000000000040 RSI: 00000000207e0000 RDI: 0000000000000004
[   44.015500] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[   44.022737] R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f3718
[   44.029974] R13: 00000000ffffffff R14: 00007ff6b36cc6d4 R15: 0000000000000000
[   44.037613] Dumping ftrace buffer:
[   44.041123]    (ftrace buffer empty)
[   44.044798] Kernel Offset: disabled
[   44.048392] Rebooting in 86400 seconds..
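Triage of a report like this one comes down to a few fields: the bug class and faulting frame, the size and object offset of the access, which task allocated, freed and touched the object, and whether the shadow byte under the address agrees with what KASAN claims. Here the stacks already say a lot: the 128-byte object was allocated in aead_bind through crypto_get_default_null_skcipher, freed by a different task in aead_sock_destruct through crypto_put_default_null_skcipher while a socket was being closed at exit, and then read in aead_recvmsg by a third task, so the question for the fix is the lifetime of that shared null skcipher across AF_ALG sockets. The script below is an added example, not code from the report, from syzkaller or from the kernel tree: it parses the KASAN report format and computes those triage facts. The shadow-byte names are the values from mm/kasan/kasan.h of that era; the NOISE frame list and the freed_by_other_task heuristic are my own assumptions, and SAMPLE is an abridged excerpt of the report above with the stacks cut to their key frames.

```python
"""KASAN report triage helper (added example, not code from the report above
nor from the kernel or syzkaller projects). Extracts the bug class, faulting
frame, access, tasks, alloc/free stacks and object info from a report and
cross-checks the shadow byte at the faulting address against the bug class."""
import re

# Shadow-byte markers as defined in mm/kasan/kasan.h (4.14 era).
SHADOW_NAMES = {0xfb: "KASAN_KMALLOC_FREE", 0xfc: "KASAN_KMALLOC_REDZONE",
                0xfa: "KASAN_GLOBAL_REDZONE", 0xfe: "KASAN_PAGE_REDZONE",
                0xff: "KASAN_FREE_PAGE", 0x00: "addressable"}
EXPECTED = {"use-after-free": {0xfb}, "slab-out-of-bounds": {0xfc}}
# Allocator/KASAN frames that never identify the owning subsystem (assumed list).
NOISE = ("save_stack", "kasan_", "__kmalloc", "kmalloc", "kfree", "kzfree", "kmem_cache_")

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
_BUG = re.compile(r"BUG: KASAN: (.+?) in (\S+)")
_ACC = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
_ALLOC = re.compile(r"Allocated by task (\d+):")
_FREE = re.compile(r"Freed by task (\d+):")
_OBJ = re.compile(r"belongs to the object at ([0-9a-f]+)")
_CACHE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
_SHADOW = re.compile(r"^>?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2}\s?){16})")
_FRAME = re.compile(r"^\s*(?:\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")


def parse(text):
    """Return a dict of the report's fields; stacks are lists of symbol names."""
    r = {"alloc_stack": [], "free_stack": [], "shadow": {}}
    section = None
    for raw in text.splitlines():
        line = _TS.sub("", raw)          # drop the "[   43.xxxxxx] " timestamp
        if not line.strip():             # a blank line closes a stack section
            section = None
        elif m := _BUG.search(line):
            r["bug_class"], r["frame"] = m.group(1), m.group(2).split("+")[0]
        elif m := _ACC.search(line):
            r["access"], r["size"] = m.group(1), int(m.group(2))
            r["addr"], r["task"], r["pid"] = int(m.group(3), 16), m.group(4), int(m.group(5))
        elif m := _ALLOC.search(line):
            r["alloc_pid"], section = int(m.group(1)), "alloc_stack"
        elif m := _FREE.search(line):
            r["free_pid"], section = int(m.group(1)), "free_stack"
        elif m := _OBJ.search(line):
            r["obj_base"] = int(m.group(1), 16)
        elif m := _CACHE.search(line):
            r["cache"], r["obj_size"] = m.group(1), int(m.group(2))
        elif m := _SHADOW.match(line):   # one row = 16 shadow bytes = 128 bytes of memory
            r["shadow"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
        elif section and (m := _FRAME.match(line)):
            r[section].append(m.group(1))
    return r


def shadow_byte(r, addr):
    """Shadow value covering addr (each shadow byte covers 8 bytes of memory)."""
    row = addr & ~0x7f
    return r["shadow"][row][(addr - row) >> 3]


def key_frame(stack):
    """First frame that is neither allocator plumbing nor KASAN bookkeeping."""
    return next((f for f in stack if not f.startswith(NOISE)), None)


def triage(r):
    sb = shadow_byte(r, r["addr"])
    expected = EXPECTED.get(r["bug_class"])
    return {
        "bug": f'{r["bug_class"]} in {r["frame"]}',
        "offset_in_object": r["addr"] - r["obj_base"],
        "cache": r["cache"],
        "shadow": SHADOW_NAMES.get(sb, hex(sb)),
        "shadow_consistent": None if expected is None else sb in expected,
        "allocated_in": key_frame(r["alloc_stack"]),
        "freed_in": key_frame(r["free_stack"]),
        # Heuristic (assumption): when the freeing task is not the task that hit the
        # dangling pointer, a shared object's refcount/lifetime is the first suspect.
        "freed_by_other_task": r["free_pid"] != r["pid"],
    }


# Abridged excerpt of the report above; stacks cut down to their key frames.
SAMPLE = """\
[   43.434289] BUG: KASAN: use-after-free in aead_recvmsg+0x1552/0x1970
[   43.435258] Read of size 4 at addr ffff8801cd6be85c by task syz-executor3/4244
[   43.436312]
[   43.552208] Allocated by task 3077:
[   43.555805]  save_stack+0x43/0xd0
[   43.559223]  kasan_kmalloc+0xad/0xe0
[   43.566411]  crypto_create_tfm+0x82/0x2e0
[   43.584356]  aead_bind+0x89/0x140
[   43.602665]
[   43.604260] Freed by task 4239:
[   43.610930]  kasan_slab_free+0x71/0xc0
[   43.614782]  kfree+0xca/0x250
[   43.620930]  crypto_destroy_tfm+0x140/0x2e0
[   43.630548]  aead_sock_destruct+0x13c/0x220
[   43.685714]
[   43.687310] The buggy address belongs to the object at ffff8801cd6be840
[   43.687310]  which belongs to the cache kmalloc-128 of size 128
[   43.751888] Memory state around the buggy address:
[   43.771443] >ffff8801cd6be800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   43.778767]                                                     ^
"""

if __name__ == "__main__":
    for k, v in triage(parse(SAMPLE)).items():
        print(f"{k}: {v}")
```

On this report the shadow byte under ffff8801cd6be85c is 0xfb (KASAN_KMALLOC_FREE), which agrees with the use-after-free classification, the access sits 28 bytes into the kmalloc-128 object, and the freeing task (4239) is neither the allocating task (3077) nor the reading task (4244), which is the pattern to expect when a shared object's reference counting does not match how many sockets hold it.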