[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   17.845470] random: sshd: uninitialized urandom read (32 bytes read)
[   18.016311] audit: type=1400 audit(1566016433.582:6): avc: denied { map } for pid=1764 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   18.058692] random: sshd: uninitialized urandom read (32 bytes read)
[   18.570950] random: sshd: uninitialized urandom read (32 bytes read)
[   34.865624] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.103' (ECDSA) to the list of known hosts.
[   40.339907] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   40.430901] audit: type=1400 audit(1566016456.002:7): avc: denied { map } for pid=1788 comm="syz-executor105" path="/root/syz-executor105050139" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   40.457248] audit: type=1400 audit(1566016456.012:8): avc: denied { prog_load } for pid=1788 comm="syz-executor105" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[   40.480756] audit: type=1400 audit(1566016456.052:9): avc: denied { prog_run } for pid=1788 comm="syz-executor105" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[   40.490206] ==================================================================
[   40.510596] BUG: KASAN: use-after-free in bpf_clone_redirect+0x2a7/0x2b0
[   40.517406] Read of size 8 at addr ffff8881d0506a90 by task syz-executor105/1788
[   40.524907] 
[   40.526510] CPU: 0 PID: 1788 Comm: syz-executor105 Not tainted 4.14.139+ #33
[   40.533669] Call Trace:
[   40.536374]  dump_stack+0xca/0x134
[   40.539908]  ? bpf_clone_redirect+0x2a7/0x2b0
[   40.544381]  ? bpf_clone_redirect+0x2a7/0x2b0
[   40.548849]  ? __bpf_redirect+0xa30/0xa30
[   40.552975]  print_address_description+0x60/0x226
[   40.557796]  ? bpf_clone_redirect+0x2a7/0x2b0
[   40.562411]  ? bpf_clone_redirect+0x2a7/0x2b0
[   40.567029]  ? __bpf_redirect+0xa30/0xa30
[   40.567036]  __kasan_report.cold+0x1a/0x41
[   40.567050]  ? bpf_clone_redirect+0x2a7/0x2b0
[   40.579896]  bpf_clone_redirect+0x2a7/0x2b0
[   40.584219]  ? __bpf_redirect+0xa30/0xa30
[   40.588344]  ___bpf_prog_run+0x2478/0x5510
[   40.592559]  ? lock_downgrade+0x5d0/0x5d0
[   40.596680]  ? lock_acquire+0x12b/0x360
[   40.600636]  ? bpf_jit_compile+0x30/0x30
[   40.604679]  ? __bpf_prog_run512+0x99/0xe0
[   40.608917]  ? ___bpf_prog_run+0x5510/0x5510
[   40.608927]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[   40.608938]  ? trace_hardirqs_on_caller+0x37b/0x540
[   40.623602]  ? __lock_acquire+0x5d7/0x4320
[   40.623619]  ? __lock_acquire+0x5d7/0x4320
[   40.623629]  ? __kasan_kmalloc.part.0+0x8a/0xc0
[   40.623651]  ? trace_hardirqs_on+0x10/0x10
[   40.623665]  ? __lock_acquire+0x5d7/0x4320
[   40.623685]  ? bpf_test_run+0x42/0x340
[   40.623703]  ? lock_acquire+0x12b/0x360
[   40.623711]  ? bpf_test_run+0x13a/0x340
[   40.623718]  ? check_preemption_disabled+0x35/0x1f0
[   40.623733]  ? rcu_dynticks_curr_cpu_in_eqs+0x4c/0xa0
[   40.623743]  ? bpf_test_run+0xa8/0x340
[   40.623763]  ? bpf_prog_test_run_skb+0x638/0x8c0
[   40.623778]  ? bpf_test_init.isra.0+0xc0/0xc0
[   40.623789]  ? bpf_prog_add+0x53/0xc0
[   40.623799]  ? bpf_test_init.isra.0+0xc0/0xc0
[   40.623809]  ? SyS_bpf+0xa3b/0x3830
[   40.623823]  ? bpf_prog_get+0x20/0x20
[   40.623831]  ? __do_page_fault+0x49f/0xbb0
[   40.623840]  ? lock_downgrade+0x5d0/0x5d0
[   40.623863]  ? __do_page_fault+0x677/0xbb0
[   40.623877]  ? do_syscall_64+0x43/0x520
[   40.623883]  ? bpf_prog_get+0x20/0x20
[   40.623894]  ? do_syscall_64+0x19b/0x520
[   40.623913]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   40.623938] 
[   40.623942] Allocated by task 1788:
[   40.623950]  __kasan_kmalloc.part.0+0x53/0xc0
[   40.623957]  kmem_cache_alloc+0xd2/0x2e0
[   40.623964]  __alloc_skb+0xea/0x5c0
[   40.623971]  audit_log_start+0x292/0x6d0
[   40.623979]  common_lsm_audit+0xd3/0x1d50
[   40.623987]  slow_avc_audit+0x14b/0x1e0
[   40.623993]  avc_has_perm+0x2d1/0x350
[   40.623999]  selinux_bpf+0xbe/0x110
[   40.624005]  security_bpf+0x7c/0xb0
[   40.624010]  SyS_bpf+0x145/0x3830
[   40.624015]  do_syscall_64+0x19b/0x520
[   40.624022]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   40.624027]  0xffffffffffffffff
[   40.624030] 
[   40.624033] Freed by task 31:
[   40.624040]  __kasan_slab_free+0x164/0x210
[   40.624046]  kmem_cache_free+0xcb/0x340
[   40.624052]  kfree_skbmem+0xa0/0x110
[   40.624057]  kfree_skb+0xeb/0x370
[   40.624064]  kauditd_hold_skb+0x112/0x140
[   40.624070]  kauditd_send_queue+0x102/0x140
[   40.624076]  kauditd_thread+0x4de/0x6a0
[   40.624082]  kthread+0x31f/0x430
[   40.624089]  ret_from_fork+0x3a/0x50
[   40.624093]  0xffffffffffffffff
[   40.624095] 
[   40.624101] The buggy address belongs to the object at ffff8881d0506a00
[   40.624101]  which belongs to the cache skbuff_head_cache of size 224
[   40.624107] The buggy address is located 144 bytes inside of
[   40.624107]  224-byte region [ffff8881d0506a00, ffff8881d0506ae0)
[   40.624110] The buggy address belongs to the page:
[   40.624116] page:ffffea0007414180 count:1 mapcount:0 mapping:          (null) index:0x0
[   40.624125] flags: 0x4000000000000200(slab)
[   40.624134] raw: 4000000000000200 0000000000000000 0000000000000000 00000001800c000c
[   40.624143] raw: dead000000000100 dead000000000200 ffff8881dab70200 0000000000000000
[   40.624146] page dumped because: kasan: bad access detected
[   40.624148] 
[   40.624151] Memory state around the buggy address:
[   40.624156]  ffff8881d0506980: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   40.624161]  ffff8881d0506a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.624166] >ffff8881d0506a80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   40.624169]                       ^
[   40.624175]  ffff8881d0506b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   40.624180]  ffff8881d0506b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.624183] ==================================================================
[   40.624186] Disabling lock debugging due to kernel taint
[   40.624360] Kernel panic - not syncing: panic_on_warn set ...
[   40.624360] 
[   40.624367] CPU: 0 PID: 1788 Comm: syz-executor105 Tainted: G    B            4.14.139+ #33
[   40.624371] Call Trace:
[   40.624380]  dump_stack+0xca/0x134
[   40.624390]  panic+0x1ea/0x3d3
[   40.624397]  ? add_taint.cold+0x16/0x16
[   40.624403]  ? retint_kernel+0x2d/0x2d
[   40.624419]  ? bpf_clone_redirect+0x2a7/0x2b0
[   40.624425]  ? __bpf_redirect+0xa30/0xa30
[   40.624431]  end_report+0x43/0x49
[   40.624437]  ? bpf_clone_redirect+0x2a7/0x2b0
[   40.624445]  __kasan_report.cold+0xd/0x41
[   40.624455]  ? bpf_clone_redirect+0x2a7/0x2b0
[   40.624462]  bpf_clone_redirect+0x2a7/0x2b0
[   40.624469]  ? __bpf_redirect+0xa30/0xa30
[   40.624476]  ___bpf_prog_run+0x2478/0x5510
[   40.624482]  ? lock_downgrade+0x5d0/0x5d0
[   40.624489]  ? lock_acquire+0x12b/0x360
[   40.624495]  ? bpf_jit_compile+0x30/0x30
[   40.624509]  ? __bpf_prog_run512+0x99/0xe0
[   40.624516]  ? ___bpf_prog_run+0x5510/0x5510
[   40.624523]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[   40.624530]  ? trace_hardirqs_on_caller+0x37b/0x540
[   40.624537]  ? __lock_acquire+0x5d7/0x4320
[   40.624546]  ? __lock_acquire+0x5d7/0x4320
[   40.624553]  ? __kasan_kmalloc.part.0+0x8a/0xc0
[   40.624567]  ? trace_hardirqs_on+0x10/0x10
[   40.624576]  ? __lock_acquire+0x5d7/0x4320
[   40.624588]  ? bpf_test_run+0x42/0x340
[   40.624596]  ? lock_acquire+0x12b/0x360
[   40.624601]  ? bpf_test_run+0x13a/0x340
[   40.624606]  ? check_preemption_disabled+0x35/0x1f0
[   40.624620]  ? rcu_dynticks_curr_cpu_in_eqs+0x4c/0xa0
[   40.624627]  ? bpf_test_run+0xa8/0x340
[   40.624639]  ? bpf_prog_test_run_skb+0x638/0x8c0
[   40.624648]  ? bpf_test_init.isra.0+0xc0/0xc0
[   40.624655]  ? bpf_prog_add+0x53/0xc0
[   40.624663]  ? bpf_test_init.isra.0+0xc0/0xc0
[   40.624669]  ? SyS_bpf+0xa3b/0x3830
[   40.624677]  ? bpf_prog_get+0x20/0x20
[   40.624683]  ? __do_page_fault+0x49f/0xbb0
[   40.624690]  ? lock_downgrade+0x5d0/0x5d0
[   40.624702]  ? __do_page_fault+0x677/0xbb0
[   40.624710]  ? do_syscall_64+0x43/0x520
[   40.624715]  ? bpf_prog_get+0x20/0x20
[   40.624721]  ? do_syscall_64+0x19b/0x520
[   40.624731]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   40.625231] Kernel Offset: 0x33600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   41.165482] Rebooting in 86400 seconds..
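What the report above establishes, read from its own lines: a BPF program run through bpf_prog_test_run_skb (the reliable frames are ___bpf_prog_run and bpf_clone_redirect) read 8 bytes at offset 144 of a 224-byte skbuff_head_cache object whose shadow bytes are fb (freed); the most recent owner of that slab slot was the audit subsystem (allocated from audit_log_start while SELinux logged the avc denial for the bpf() call, freed by kauditd on task 31), not the test skb the program was handed; panic_on_warn then turned the KASAN report into a panic. Why bpf_clone_redirect held that pointer is not something the log shows, and no root cause is claimed here. Triaging such reports by hand does not scale, so the script below, an added example and not code from the report, from syzkaller or from the kernel, parses the report into the fields a triager reads first: bug kind, faulting function, access, reliable call trace (the "? " frames are unwinder guesses and are dropped), allocation and free stacks with the allocator plumbing skipped, slab object and access offset, and the shadow-byte state at the faulting address. All names in it are the example's own; SAMPLE_LOG and SHADOW_ROW are excerpts of the report above, trimmed to the lines the parser consumes.

```python
"""Structured triage of a KASAN report pulled from a syzkaller console log.
Added example, not code from the report, from syzkaller or from the kernel; the
names below are the example's own. SAMPLE_LOG is an excerpt of the report above."""
import re

TS = r"^\[\s*\d+\.\d+\]\s?"          # printk timestamp, e.g. "[   40.510596] "
FRAME = re.compile(r"\s*(\?\s+)?([\w.]+\+0x[0-9a-f]+/0x[0-9a-f]+)$")
# Shadow byte meanings for generic KASAN, the mode an x86 4.14 kernel runs.
SHADOW = {"00": "addressable", "fa": "left redzone", "fb": "freed",
          "fc": "right redzone", "f1": "stack left", "f3": "stack right"}
# Allocator/KASAN plumbing skipped when naming the code that owned the object
# (a heuristic prefix list of this example, not a kernel convention).
PLUMBING = ("__kasan_", "kmem_cache_", "__kmalloc", "kmalloc", "kfree", "__alloc_skb")


def strip_ts(line):
    return re.sub(TS, "", line).rstrip()


def parse_kasan_report(text):
    """Header fields, then the three stack sections (each closed by an empty
    printk line), then the slab object lines. '? ' frames are unreliable
    guesses by the unwinder and are dropped."""
    rep = {"call_trace": [], "alloc_trace": [], "free_trace": []}
    section = None
    for raw in text.splitlines():
        line = strip_ts(raw)
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line):
            rep["bug"], rep["func"] = m[1], m[2]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            rep["access"], rep["size"], rep["addr"], rep["task"] = m[1], int(m[2]), int(m[3], 16), m[4]
        elif line == "Call Trace:":
            section = rep["call_trace"]
        elif m := re.match(r"Allocated by task (\S+):", line):
            rep["allocated_by"], section = m[1], rep["alloc_trace"]
        elif m := re.match(r"Freed by task (\S+):", line):
            rep["freed_by"], section = m[1], rep["free_trace"]
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            rep["object_addr"] = int(m[1], 16)
        elif m := re.match(r"\s*which belongs to the cache (\S+) of size (\d+)", line):
            rep["cache"], rep["object_size"] = m[1], int(m[2])
        elif section is not None:
            if not line:
                section = None                 # blank printk line ends a section
            elif (m := FRAME.match(line)) and not m[1]:
                section.append(m[2])
    return rep


def object_offset(rep):
    """Access offset inside the slab object (the report's own 'located N bytes
    inside of' line should agree)."""
    return rep["addr"] - rep["object_addr"]


def owner_frame(trace):
    """First frame past allocator/KASAN plumbing: who really allocated or freed."""
    return next((f for f in trace if not f.startswith(PLUMBING)), "")


def shadow_state_at(row_line, addr):
    """Look addr up in one 'Memory state' row: each shadow byte covers an 8-byte
    granule, so a 16-byte row describes 128 bytes of memory."""
    m = re.match(r">?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", strip_ts(row_line).lstrip())
    if not m:
        raise ValueError("not a shadow row: " + row_line)
    idx = (addr - int(m[1], 16)) // 8
    if not 0 <= idx < 16:
        raise ValueError("address not covered by this row")
    byte = m[2].split()[idx]
    return SHADOW.get(byte, "poison " + byte)


SAMPLE_LOG = """\
[   40.510596] BUG: KASAN: use-after-free in bpf_clone_redirect+0x2a7/0x2b0
[   40.517406] Read of size 8 at addr ffff8881d0506a90 by task syz-executor105/1788
[   40.533669] Call Trace:
[   40.536374]  dump_stack+0xca/0x134
[   40.539908]  ? bpf_clone_redirect+0x2a7/0x2b0
[   40.579896]  bpf_clone_redirect+0x2a7/0x2b0
[   40.588344]  ___bpf_prog_run+0x2478/0x5510
[   40.623685]  ? bpf_test_run+0x42/0x340
[   40.623938]
[   40.623942] Allocated by task 1788:
[   40.623950]  __kasan_kmalloc.part.0+0x53/0xc0
[   40.623964]  __alloc_skb+0xea/0x5c0
[   40.623971]  audit_log_start+0x292/0x6d0
[   40.624027]  0xffffffffffffffff
[   40.624030]
[   40.624033] Freed by task 31:
[   40.624040]  __kasan_slab_free+0x164/0x210
[   40.624057]  kfree_skb+0xeb/0x370
[   40.624064]  kauditd_hold_skb+0x112/0x140
[   40.624095]
[   40.624101] The buggy address belongs to the object at ffff8881d0506a00
[   40.624101]  which belongs to the cache skbuff_head_cache of size 224
"""
SHADOW_ROW = "[   40.624166] >ffff8881d0506a80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc"

if __name__ == "__main__":
    r = parse_kasan_report(SAMPLE_LOG)
    print(r["bug"], "in", r["func"], "at object offset", object_offset(r), "of", r["cache"])
    print("owner alloc/free:", owner_frame(r["alloc_trace"]), owner_frame(r["free_trace"]))
    print("shadow at faulting address:", shadow_state_at(SHADOW_ROW, r["addr"]))
```

Two design points matter for triage. Frames prefixed with "? " are addresses the unwinder found on the stack but could not prove are live return addresses, so deduplication keys built on them churn; only the reliable frames are kept. The shadow lookup makes the report's "Memory state" block machine-checkable: an access whose granule decodes to "freed" is a use-after-free regardless of what the header says, while "right redzone" or "left redzone" would indicate an out-of-bounds access on a neighbouring object.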