[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 19.064089] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 22.448391] random: sshd: uninitialized urandom read (32 bytes read) [ 22.828779] random: sshd: uninitialized urandom read (32 bytes read) [ 23.591569] random: sshd: uninitialized urandom read (32 bytes read) [ 23.745911] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.49' (ECDSA) to the list of known hosts. [ 29.159356] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 29.249811] ================================================================== [ 29.257259] BUG: KASAN: use-after-free in nla_strlcpy+0x13d/0x150 [ 29.263472] Read of size 1 at addr ffff8801ad3dbd5d by task syz-executor369/4496 [ 29.270980] [ 29.272592] CPU: 0 PID: 4496 Comm: syz-executor369 Not tainted 4.17.0-rc6+ #62 [ 29.280422] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 29.289757] Call Trace: [ 29.292329] dump_stack+0x1b9/0x294 [ 29.295940] ? dump_stack_print_info.cold.2+0x52/0x52 [ 29.301638] ? printk+0x9e/0xba [ 29.304901] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 29.309642] ? kasan_check_write+0x14/0x20 [ 29.313857] print_address_description+0x6c/0x20b [ 29.318680] ? nla_strlcpy+0x13d/0x150 [ 29.322548] kasan_report.cold.7+0x242/0x2fe [ 29.326940] __asan_report_load1_noabort+0x14/0x20 [ 29.331847] nla_strlcpy+0x13d/0x150 [ 29.335541] nfnl_acct_new+0x574/0xc50 [ 29.339408] ? nfnl_acct_overquota+0x380/0x380 [ 29.343972] ? debug_check_no_locks_freed+0x310/0x310 [ 29.349143] ? graph_lock+0x170/0x170 [ 29.352928] ? print_usage_bug+0xc0/0xc0 [ 29.356976] ? find_held_lock+0x36/0x1c0 [ 29.361028] ? graph_lock+0x170/0x170 [ 29.364814] ? lock_downgrade+0x8e0/0x8e0 [ 29.368945] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 29.374462] ? __lock_is_held+0xb5/0x140 [ 29.378505] ? nfnl_acct_overquota+0x380/0x380 [ 29.383069] nfnetlink_rcv_msg+0xdb5/0xff0 [ 29.387292] ? __sanitizer_cov_trace_cmp1+0x17/0x20 [ 29.392287] ? nfnetlink_rcv_msg+0x3bc/0xff0 [ 29.396680] ? nfnetlink_bind+0x3a0/0x3a0 [ 29.400807] ? graph_lock+0x170/0x170 [ 29.404585] ? find_held_lock+0x36/0x1c0 [ 29.408635] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 29.414164] netlink_rcv_skb+0x172/0x440 [ 29.418203] ? nfnetlink_bind+0x3a0/0x3a0 [ 29.422331] ? netlink_ack+0xbc0/0xbc0 [ 29.426200] ? __netlink_ns_capable+0x100/0x130 [ 29.430850] nfnetlink_rcv+0x1fe/0x1ba0 [ 29.434806] ? kasan_check_read+0x11/0x20 [ 29.438934] ? rcu_is_watching+0x85/0x140 [ 29.443062] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 29.448235] ? nfnl_err_reset+0x2d0/0x2d0 [ 29.452364] ? netlink_remove_tap+0x610/0x610 [ 29.457041] ? refcount_add_not_zero+0x320/0x320 [ 29.461781] ? kasan_check_read+0x11/0x20 [ 29.465910] ? rcu_is_watching+0x85/0x140 [ 29.470042] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 29.475219] ? netlink_skb_destructor+0x210/0x210 [ 29.480054] ? kasan_check_write+0x14/0x20 [ 29.484276] netlink_unicast+0x58b/0x740 [ 29.488318] ? netlink_attachskb+0x970/0x970 [ 29.492710] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 29.498227] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 29.503225] ? security_netlink_send+0x88/0xb0 [ 29.507787] netlink_sendmsg+0x9f0/0xfa0 [ 29.511830] ? netlink_unicast+0x740/0x740 [ 29.516055] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 29.521577] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 29.527097] ? security_socket_sendmsg+0x94/0xc0 [ 29.531832] ? netlink_unicast+0x740/0x740 [ 29.536057] sock_sendmsg+0xd5/0x120 [ 29.539757] sock_write_iter+0x35a/0x5a0 [ 29.543800] ? sock_sendmsg+0x120/0x120 [ 29.547762] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 29.553278] ? iov_iter_init+0xc9/0x1f0 [ 29.557233] __vfs_write+0x64d/0x960 [ 29.560927] ? kernel_read+0x120/0x120 [ 29.564796] ? lock_downgrade+0x8e0/0x8e0 [ 29.568921] ? handle_mm_fault+0x8c0/0xc70 [ 29.573136] ? handle_mm_fault+0x55a/0xc70 [ 29.577354] ? rw_verify_area+0x118/0x360 [ 29.581483] vfs_write+0x1f8/0x560 [ 29.585006] ksys_write+0xf9/0x250 [ 29.588543] ? __ia32_sys_read+0xb0/0xb0 [ 29.592599] ? __ia32_sys_fallocate+0xf0/0xf0 [ 29.597080] __x64_sys_write+0x73/0xb0 [ 29.600949] do_syscall_64+0x1b1/0x800 [ 29.604816] ? syscall_return_slowpath+0x5c0/0x5c0 [ 29.609726] ? syscall_return_slowpath+0x30f/0x5c0 [ 29.614635] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 29.620151] ? retint_user+0x18/0x18 [ 29.623848] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 29.628674] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 29.633840] RIP: 0033:0x43fcf9 [ 29.637019] RSP: 002b:00007ffca0b32ff8 EFLAGS: 00000213 ORIG_RAX: 0000000000000001 [ 29.644716] RAX: ffffffffffffffda RBX: 0000200000000002 RCX: 000000000043fcf9 [ 29.651966] RDX: 000000000000001f RSI: 0000000020000040 RDI: 0000000000000003 [ 29.659217] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 29.666478] R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401620 [ 29.673731] R13: 00000000004016b0 R14: 0000000000000000 R15: 0000000000000000 [ 29.680983] [ 29.682590] Allocated by task 4495: [ 29.686203] save_stack+0x43/0xd0 [ 29.689637] kasan_kmalloc+0xc4/0xe0 [ 29.693332] __kmalloc_node_track_caller+0x47/0x70 [ 29.698243] __kmalloc_reserve.isra.38+0x3a/0xe0 [ 29.702979] __alloc_skb+0x14d/0x780 [ 29.706673] alloc_skb_with_frags+0x137/0x760 [ 29.711146] sock_alloc_send_pskb+0x87a/0xae0 [ 29.715634] unix_stream_sendmsg+0x701/0xd20 [ 29.720033] sock_sendmsg+0xd5/0x120 [ 29.723739] sock_write_iter+0x35a/0x5a0 [ 29.727783] __vfs_write+0x64d/0x960 [ 29.731570] vfs_write+0x1f8/0x560 [ 29.735087] ksys_write+0xf9/0x250 [ 29.738603] __x64_sys_write+0x73/0xb0 [ 29.742471] do_syscall_64+0x1b1/0x800 [ 29.746425] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 29.751594] [ 29.753203] Freed by task 4494: [ 29.756464] save_stack+0x43/0xd0 [ 29.759897] __kasan_slab_free+0x11a/0x170 [ 29.764119] kasan_slab_free+0xe/0x10 [ 29.767900] kfree+0xd9/0x260 [ 29.770996] skb_free_head+0x99/0xc0 [ 29.774697] skb_release_data+0x690/0x860 [ 29.778827] skb_release_all+0x4a/0x60 [ 29.782696] consume_skb+0x18b/0x550 [ 29.786391] unix_stream_read_generic+0x18a8/0x1ec0 [ 29.791384] unix_stream_recvmsg+0x1b8/0x2c0 [ 29.795784] sock_recvmsg+0xd0/0x110 [ 29.799477] sock_read_iter+0x381/0x550 [ 29.803431] __vfs_read+0x696/0xa50 [ 29.807040] vfs_read+0x17f/0x3d0 [ 29.810471] ksys_read+0xf9/0x250 [ 29.813912] __x64_sys_read+0x73/0xb0 [ 29.817696] do_syscall_64+0x1b1/0x800 [ 29.821582] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 29.826745] [ 29.828362] The buggy address belongs to the object at ffff8801ad3dbcc0 [ 29.828362] which belongs to the cache kmalloc-512 of size 512 [ 29.840997] The buggy address is located 157 bytes inside of [ 29.840997] 512-byte region [ffff8801ad3dbcc0, ffff8801ad3dbec0) [ 29.852857] The buggy address belongs to the page: [ 29.857767] page:ffffea0006b4f6c0 count:1 mapcount:0 mapping:ffff8801ad3db040 index:0x0 [ 29.865886] flags: 0x2fffc0000000100(slab) [ 29.870102] raw: 02fffc0000000100 ffff8801ad3db040 0000000000000000 0000000100000006 [ 29.877961] raw: ffffea0007643820 ffffea0006b329a0 ffff8801da800940 0000000000000000 [ 29.885813] page dumped because: kasan: bad access detected [ 29.891496] [ 29.893098] Memory state around the buggy address: [ 29.898024] ffff8801ad3dbc00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 29.905364] ffff8801ad3dbc80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 29.912698] >ffff8801ad3dbd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.920037] ^ [ 29.926254] ffff8801ad3dbd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.933589] ffff8801ad3dbe00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.940921] ================================================================== [ 29.948252] Disabling lock debugging due to kernel taint [ 29.953759] Kernel panic - not syncing: panic_on_warn set ... [ 29.953759] [ 29.961131] CPU: 0 PID: 4496 Comm: syz-executor369 Tainted: G B 4.17.0-rc6+ #62 [ 29.969863] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 29.979194] Call Trace: [ 29.981767] dump_stack+0x1b9/0x294 [ 29.985389] ? dump_stack_print_info.cold.2+0x52/0x52 [ 29.990565] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 29.995298] ? nla_strlcpy+0x110/0x150 [ 29.999166] panic+0x22f/0x4de [ 30.002337] ? add_taint.cold.5+0x16/0x16 [ 30.006464] ? do_raw_spin_unlock+0x9e/0x2e0 [ 30.010851] ? do_raw_spin_unlock+0x9e/0x2e0 [ 30.015236] ? nla_strlcpy+0x13d/0x150 [ 30.019124] kasan_end_report+0x47/0x4f [ 30.023078] kasan_report.cold.7+0x76/0x2fe [ 30.027378] __asan_report_load1_noabort+0x14/0x20 [ 30.032295] nla_strlcpy+0x13d/0x150 [ 30.035988] nfnl_acct_new+0x574/0xc50 [ 30.039858] ? nfnl_acct_overquota+0x380/0x380 [ 30.044419] ? debug_check_no_locks_freed+0x310/0x310 [ 30.049585] ? graph_lock+0x170/0x170 [ 30.053365] ? print_usage_bug+0xc0/0xc0 [ 30.057407] ? find_held_lock+0x36/0x1c0 [ 30.061447] ? graph_lock+0x170/0x170 [ 30.065224] ? lock_downgrade+0x8e0/0x8e0 [ 30.069350] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.074867] ? __lock_is_held+0xb5/0x140 [ 30.078907] ? nfnl_acct_overquota+0x380/0x380 [ 30.083466] nfnetlink_rcv_msg+0xdb5/0xff0 [ 30.087683] ? __sanitizer_cov_trace_cmp1+0x17/0x20 [ 30.092675] ? nfnetlink_rcv_msg+0x3bc/0xff0 [ 30.097082] ? nfnetlink_bind+0x3a0/0x3a0 [ 30.101208] ? graph_lock+0x170/0x170 [ 30.104988] ? find_held_lock+0x36/0x1c0 [ 30.109036] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.114559] netlink_rcv_skb+0x172/0x440 [ 30.118601] ? nfnetlink_bind+0x3a0/0x3a0 [ 30.122727] ? netlink_ack+0xbc0/0xbc0 [ 30.126592] ? __netlink_ns_capable+0x100/0x130 [ 30.131244] nfnetlink_rcv+0x1fe/0x1ba0 [ 30.135197] ? kasan_check_read+0x11/0x20 [ 30.139334] ? rcu_is_watching+0x85/0x140 [ 30.143470] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 30.148640] ? nfnl_err_reset+0x2d0/0x2d0 [ 30.152767] ? netlink_remove_tap+0x610/0x610 [ 30.157243] ? refcount_add_not_zero+0x320/0x320 [ 30.161982] ? kasan_check_read+0x11/0x20 [ 30.166118] ? rcu_is_watching+0x85/0x140 [ 30.170244] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 30.175420] ? netlink_skb_destructor+0x210/0x210 [ 30.180267] ? kasan_check_write+0x14/0x20 [ 30.184499] netlink_unicast+0x58b/0x740 [ 30.188545] ? netlink_attachskb+0x970/0x970 [ 30.192935] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.198452] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 30.203449] ? security_netlink_send+0x88/0xb0 [ 30.208019] netlink_sendmsg+0x9f0/0xfa0 [ 30.212065] ? netlink_unicast+0x740/0x740 [ 30.216289] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.221808] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.227333] ? security_socket_sendmsg+0x94/0xc0 [ 30.232076] ? netlink_unicast+0x740/0x740 [ 30.236289] sock_sendmsg+0xd5/0x120 [ 30.239981] sock_write_iter+0x35a/0x5a0 [ 30.244029] ? sock_sendmsg+0x120/0x120 [ 30.247992] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 30.253510] ? iov_iter_init+0xc9/0x1f0 [ 30.257469] __vfs_write+0x64d/0x960 [ 30.261169] ? kernel_read+0x120/0x120 [ 30.265040] ? lock_downgrade+0x8e0/0x8e0 [ 30.269166] ? handle_mm_fault+0x8c0/0xc70 [ 30.273378] ? handle_mm_fault+0x55a/0xc70 [ 30.277592] ? rw_verify_area+0x118/0x360 [ 30.281716] vfs_write+0x1f8/0x560 [ 30.285236] ksys_write+0xf9/0x250 [ 30.288760] ? __ia32_sys_read+0xb0/0xb0 [ 30.292801] ? __ia32_sys_fallocate+0xf0/0xf0 [ 30.297274] __x64_sys_write+0x73/0xb0 [ 30.301152] do_syscall_64+0x1b1/0x800 [ 30.305028] ? syscall_return_slowpath+0x5c0/0x5c0 [ 30.309940] ? syscall_return_slowpath+0x30f/0x5c0 [ 30.314855] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.320369] ? retint_user+0x18/0x18 [ 30.324071] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 30.328892] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 30.334060] RIP: 0033:0x43fcf9 [ 30.337236] RSP: 002b:00007ffca0b32ff8 EFLAGS: 00000213 ORIG_RAX: 0000000000000001 [ 30.344924] RAX: ffffffffffffffda RBX: 0000200000000002 RCX: 000000000043fcf9 [ 30.352171] RDX: 000000000000001f RSI: 0000000020000040 RDI: 0000000000000003 [ 30.359417] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 30.366671] R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401620 [ 30.373916] R13: 00000000004016b0 R14: 0000000000000000 R15: 0000000000000000 [ 30.381658] Dumping ftrace buffer: [ 30.385176] (ftrace buffer empty) [ 30.388861] Kernel Offset: disabled [ 30.392464] Rebooting in 86400 seconds..