[ 73.847954][ T25] audit: type=1400 audit(1575403399.876:37): avc: denied { watch } for pid=9902 comm="restorecond" path="/root/.ssh" dev="sda1" ino=16179 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1
[ 73.880397][ T25] audit: type=1400 audit(1575403399.876:38): avc: denied { watch } for pid=9902 comm="restorecond" path="/etc/selinux/restorecond.conf" dev="sda1" ino=2232 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.
[ 74.071381][ T25] audit: type=1800 audit(1575403400.106:39): pid=9811 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 74.093318][ T25] audit: type=1800 audit(1575403400.106:40): pid=9811 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 76.510772][ T25] audit: type=1400 audit(1575403402.546:41): avc: denied { map } for pid=9987 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.178' (ECDSA) to the list of known hosts.
executing program
[ 96.399888][ T25] audit: type=1400 audit(1575403422.436:42): avc: denied { map } for pid=9999 comm="syz-executor414" path="/root/syz-executor414290971" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 96.444422][ T9999] ==================================================================
[ 96.444481][ T9999] BUG: KASAN: slab-out-of-bounds in fbcon_get_font+0x2b2/0x5e0
[ 96.444493][ T9999] Read of size 16 at addr ffff888094b0aa10 by task syz-executor414/9999
[ 96.444497][ T9999]
[ 96.444513][ T9999] CPU: 0 PID: 9999 Comm: syz-executor414 Not tainted 5.4.0-syzkaller #0
[ 96.444521][ T9999] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 96.444526][ T9999] Call Trace:
[ 96.444546][ T9999] dump_stack+0x197/0x210
[ 96.444561][ T9999] ? fbcon_get_font+0x2b2/0x5e0
[ 96.444581][ T9999] print_address_description.constprop.0.cold+0xd4/0x30b
[ 96.444594][ T9999] ? fbcon_get_font+0x2b2/0x5e0
[ 96.444607][ T9999] ? fbcon_get_font+0x2b2/0x5e0
[ 96.444619][ T9999] __kasan_report.cold+0x1b/0x41
[ 96.444634][ T9999] ? fbcon_get_font+0x2b2/0x5e0
[ 96.444649][ T9999] kasan_report+0x12/0x20
[ 96.444664][ T9999] check_memory_region+0x134/0x1a0
[ 96.444677][ T9999] memcpy+0x24/0x50
[ 96.444691][ T9999] fbcon_get_font+0x2b2/0x5e0
[ 96.444708][ T9999] ? display_to_var+0x7e0/0x7e0
[ 96.444723][ T9999] con_font_op+0x20b/0x1250
[ 96.444739][ T9999] ? lock_downgrade+0x920/0x920
[ 96.444760][ T9999] ? con_write+0xd0/0xd0
[ 96.444790][ T9999] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 96.444803][ T9999] ? _copy_from_user+0x12c/0x1a0
[ 96.444822][ T9999] vt_ioctl+0x181a/0x26d0
[ 96.444838][ T9999] ? complete_change_console+0x3a0/0x3a0
[ 96.444850][ T9999] ? lock_downgrade+0x920/0x920
[ 96.444866][ T9999] ? rwlock_bug.part.0+0x90/0x90
[ 96.444881][ T9999] ? tomoyo_path_number_perm+0x214/0x520
[ 96.444899][ T9999] ? find_held_lock+0x35/0x130
[ 96.444916][ T9999] ? __sanitizer_cov_trace_switch+0x49/0x80
[ 96.444934][ T9999] ? tty_jobctrl_ioctl+0x50/0xd40
[ 96.444947][ T9999] ? complete_change_console+0x3a0/0x3a0
[ 96.444962][ T9999] tty_ioctl+0xa37/0x14f0
[ 96.444978][ T9999] ? tty_vhangup+0x30/0x30
[ 96.444990][ T9999] ? tomoyo_path_number_perm+0x454/0x520
[ 96.445008][ T9999] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 96.445021][ T9999] ? tomoyo_path_number_perm+0x25e/0x520
[ 96.445037][ T9999] ? tomoyo_execute_permission+0x4a0/0x4a0
[ 96.445060][ T9999] ? ___might_sleep+0x163/0x2c0
[ 96.445076][ T9999] ? tty_vhangup+0x30/0x30
[ 96.445091][ T9999] do_vfs_ioctl+0x977/0x14e0
[ 96.445108][ T9999] ? compat_ioctl_preallocate+0x220/0x220
[ 96.445121][ T9999] ? selinux_file_mprotect+0x620/0x620
[ 96.445136][ T9999] ? kmem_cache_free+0x26b/0x320
[ 96.445154][ T9999] ? putname+0xf4/0x130
[ 96.445168][ T9999] ? do_sys_open+0x31d/0x5d0
[ 96.445185][ T9999] ? tomoyo_file_ioctl+0x23/0x30
[ 96.445199][ T9999] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 96.445216][ T9999] ? security_file_ioctl+0x8d/0xc0
[ 96.445233][ T9999] ksys_ioctl+0xab/0xd0
[ 96.445249][ T9999] __x64_sys_ioctl+0x73/0xb0
[ 96.445267][ T9999] do_syscall_64+0xfa/0x790
[ 96.445288][ T9999] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 96.445299][ T9999] RIP: 0033:0x4444d9
[ 96.445314][ T9999] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 96.445321][ T9999] RSP: 002b:00007fff6f4393b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 96.445336][ T9999] RAX: ffffffffffffffda RBX: 00007fff6f4393c0 RCX: 00000000004444d9
[ 96.445345][ T9999] RDX: 0000000020000440 RSI: 0000000000004b72 RDI: 0000000000000005
[ 96.445353][ T9999] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000400da0
[ 96.445362][ T9999] R10: 00007fff6f438f00 R11: 0000000000000246 R12: 00000000004021e0
[ 96.445370][ T9999] R13: 0000000000402270 R14: 0000000000000000 R15: 0000000000000000
[ 96.445389][ T9999]
[ 96.445397][ T9999] Allocated by task 9999:
[ 96.445409][ T9999] save_stack+0x23/0x90
[ 96.445420][ T9999] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 96.445431][ T9999] kasan_kmalloc+0x9/0x10
[ 96.445445][ T9999] __kmalloc+0x163/0x770
[ 96.445457][ T9999] fbcon_set_font+0x32d/0x860
[ 96.445468][ T9999] con_font_op+0xe18/0x1250
[ 96.445479][ T9999] vt_ioctl+0xd2e/0x26d0
[ 96.445489][ T9999] tty_ioctl+0xa37/0x14f0
[ 96.445500][ T9999] do_vfs_ioctl+0x977/0x14e0
[ 96.445510][ T9999] ksys_ioctl+0xab/0xd0
[ 96.445521][ T9999] __x64_sys_ioctl+0x73/0xb0
[ 96.445534][ T9999] do_syscall_64+0xfa/0x790
[ 96.445547][ T9999] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 96.445551][ T9999]
[ 96.445557][ T9999] Freed by task 9771:
[ 96.445566][ T9999] save_stack+0x23/0x90
[ 96.445577][ T9999] __kasan_slab_free+0x102/0x150
[ 96.445587][ T9999] kasan_slab_free+0xe/0x10
[ 96.445599][ T9999] kfree+0x10a/0x2c0
[ 96.445612][ T9999] tomoyo_init_log+0x15c1/0x2070
[ 96.445624][ T9999] tomoyo_supervisor+0x33f/0xef0
[ 96.445637][ T9999] tomoyo_env_perm+0x18e/0x210
[ 96.445651][ T9999] tomoyo_find_next_domain+0x1354/0x1f6c
[ 96.445663][ T9999] tomoyo_bprm_check_security+0x124/0x1a0
[ 96.445675][ T9999] security_bprm_check+0x63/0xb0
[ 96.445687][ T9999] search_binary_handler+0x71/0x570
[ 96.445698][ T9999] __do_execve_file.isra.0+0x1329/0x22b0
[ 96.445709][ T9999] __x64_sys_execve+0x8f/0xc0
[ 96.445721][ T9999] do_syscall_64+0xfa/0x790
[ 96.445735][ T9999] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 96.445738][ T9999]
[ 96.445754][ T9999] The buggy address belongs to the object at ffff888094b0a000
[ 96.445754][ T9999] which belongs to the cache kmalloc-4k of size 4096
[ 96.445766][ T9999] The buggy address is located 2576 bytes inside of
[ 96.445766][ T9999] 4096-byte region [ffff888094b0a000, ffff888094b0b000)
[ 96.445771][ T9999] The buggy address belongs to the page:
[ 96.445786][ T9999] page:ffffea000252c280 refcount:1 mapcount:0 mapping:ffff8880aa402000 index:0x0 compound_mapcount: 0
[ 96.445804][ T9999] raw: 00fffe0000010200 ffffea0002a3ae08 ffffea0002a6aa88 ffff8880aa402000
[ 96.445820][ T9999] raw: 0000000000000000 ffff888094b0a000 0000000100000001 0000000000000000
[ 96.445826][ T9999] page dumped because: kasan: bad access detected
[ 96.445830][ T9999]
[ 96.445834][ T9999] Memory state around the buggy address:
[ 96.445850][ T9999] ffff888094b0a900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 96.445861][ T9999] ffff888094b0a980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 96.445871][ T9999] >ffff888094b0aa00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 96.445876][ T9999] ^
[ 96.445887][ T9999] ffff888094b0aa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 96.445897][ T9999] ffff888094b0ab00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 96.445902][ T9999] ==================================================================
[ 96.445908][ T9999] Disabling lock debugging due to kernel taint
[ 96.451889][ T9999] Kernel panic - not syncing: panic_on_warn set ...
[ 96.451908][ T9999] CPU: 0 PID: 9999 Comm: syz-executor414 Tainted: G B 5.4.0-syzkaller #0
[ 96.451914][ T9999] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 96.451919][ T9999] Call Trace:
[ 96.451941][ T9999] dump_stack+0x197/0x210
[ 96.451957][ T9999] panic+0x2e3/0x75c
[ 96.451969][ T9999] ? add_taint.cold+0x16/0x16
[ 96.451985][ T9999] ? fbcon_get_font+0x2b2/0x5e0
[ 96.451999][ T9999] ? preempt_schedule+0x4b/0x60
[ 96.452015][ T9999] ? ___preempt_schedule+0x16/0x18
[ 96.452031][ T9999] ? trace_hardirqs_on+0x5e/0x240
[ 96.452045][ T9999] ? fbcon_get_font+0x2b2/0x5e0
[ 96.452060][ T9999] end_report+0x47/0x4f
[ 96.452072][ T9999] ? fbcon_get_font+0x2b2/0x5e0
[ 96.452083][ T9999] __kasan_report.cold+0xe/0x41
[ 96.452096][ T9999] ? fbcon_get_font+0x2b2/0x5e0
[ 96.452109][ T9999] kasan_report+0x12/0x20
[ 96.452122][ T9999] check_memory_region+0x134/0x1a0
[ 96.452133][ T9999] memcpy+0x24/0x50
[ 96.452146][ T9999] fbcon_get_font+0x2b2/0x5e0
[ 96.452160][ T9999] ? display_to_var+0x7e0/0x7e0
[ 96.452174][ T9999] con_font_op+0x20b/0x1250
[ 96.452188][ T9999] ? lock_downgrade+0x920/0x920
[ 96.452200][ T9999] ? con_write+0xd0/0xd0
[ 96.452222][ T9999] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 96.452235][ T9999] ? _copy_from_user+0x12c/0x1a0
[ 96.452250][ T9999] vt_ioctl+0x181a/0x26d0
[ 96.452264][ T9999] ? complete_change_console+0x3a0/0x3a0
[ 96.452274][ T9999] ? lock_downgrade+0x920/0x920
[ 96.452288][ T9999] ? rwlock_bug.part.0+0x90/0x90
[ 96.452301][ T9999] ? tomoyo_path_number_perm+0x214/0x520
[ 96.452317][ T9999] ? find_held_lock+0x35/0x130
[ 96.452331][ T9999] ? __sanitizer_cov_trace_switch+0x49/0x80
[ 96.452347][ T9999] ? tty_jobctrl_ioctl+0x50/0xd40
[ 96.452359][ T9999] ? complete_change_console+0x3a0/0x3a0
[ 96.452373][ T9999] tty_ioctl+0xa37/0x14f0
[ 96.452386][ T9999] ? tty_vhangup+0x30/0x30
[ 96.452396][ T9999] ? tomoyo_path_number_perm+0x454/0x520
[ 96.452409][ T9999] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 96.452421][ T9999] ? tomoyo_path_number_perm+0x25e/0x520
[ 96.452434][ T9999] ? tomoyo_execute_permission+0x4a0/0x4a0
[ 96.452451][ T9999] ? ___might_sleep+0x163/0x2c0
[ 96.452462][ T9999] ? tty_vhangup+0x30/0x30
[ 96.452476][ T9999] do_vfs_ioctl+0x977/0x14e0
[ 96.452490][ T9999] ? compat_ioctl_preallocate+0x220/0x220
[ 96.452500][ T9999] ? selinux_file_mprotect+0x620/0x620
[ 96.452511][ T9999] ? kmem_cache_free+0x26b/0x320
[ 96.452525][ T9999] ? putname+0xf4/0x130
[ 96.452538][ T9999] ? do_sys_open+0x31d/0x5d0
[ 96.452553][ T9999] ? tomoyo_file_ioctl+0x23/0x30
[ 96.452566][ T9999] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 96.452582][ T9999] ? security_file_ioctl+0x8d/0xc0
[ 96.452593][ T9999] ksys_ioctl+0xab/0xd0
[ 96.452606][ T9999] __x64_sys_ioctl+0x73/0xb0
[ 96.452620][ T9999] do_syscall_64+0xfa/0x790
[ 96.452638][ T9999] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 96.452648][ T9999] RIP: 0033:0x4444d9
[ 96.452662][ T9999] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 96.452668][ T9999] RSP: 002b:00007fff6f4393b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 96.452680][ T9999] RAX: ffffffffffffffda RBX: 00007fff6f4393c0 RCX: 00000000004444d9
[ 96.452686][ T9999] RDX: 0000000020000440 RSI: 0000000000004b72 RDI: 0000000000000005
[ 96.452693][ T9999] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000400da0
[ 96.452700][ T9999] R10: 00007fff6f438f00 R11: 0000000000000246 R12: 00000000004021e0
[ 96.452706][ T9999] R13: 0000000000402270 R14: 0000000000000000 R15: 0000000000000000
[ 96.454105][ T9999] Kernel Offset: disabled
[ 97.452050][ T9999] Rebooting in 86400 seconds..