Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.
[   37.863651] audit: type=1800 audit(1575534351.922:33): pid=7408 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[   37.887318] audit: type=1800 audit(1575534351.922:34): pid=7408 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   40.715987] audit: type=1400 audit(1575534354.772:35): avc: denied { map } for pid=7583 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.220' (ECDSA) to the list of known hosts.
executing program
[   54.708342] audit: type=1400 audit(1575534368.772:36): avc: denied { map } for pid=7596 comm="syz-executor909" path="/root/syz-executor909071848" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   54.737766] ==================================================================
[   54.737792] BUG: KASAN: slab-out-of-bounds in vcs_scr_readw+0xc2/0xd0
[   54.737799] Read of size 2 at addr ffff88809b4e24c0 by task syz-executor909/7598
[   54.737801]
[   54.737811] CPU: 0 PID: 7598 Comm: syz-executor909 Not tainted 4.19.87-syzkaller #0
[   54.737816] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   54.737819] Call Trace:
[   54.737830]  dump_stack+0x197/0x210
[   54.737839]  ? vcs_scr_readw+0xc2/0xd0
[   54.737851]  print_address_description.cold+0x7c/0x20d
[   54.737859]  ? vcs_scr_readw+0xc2/0xd0
[   54.737867]  kasan_report.cold+0x8c/0x2ba
[   54.737878]  __asan_report_load2_noabort+0x14/0x20
[   54.737886]  vcs_scr_readw+0xc2/0xd0
[   54.737895]  vcs_write+0x646/0xcf0
[   54.737910]  ? vcs_size+0x240/0x240
[   54.737926]  __vfs_write+0x114/0x810
[   54.737934]  ? vcs_size+0x240/0x240
[   54.737942]  ? kernel_read+0x120/0x120
[   54.737952]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   54.737961]  ? __inode_security_revalidate+0xda/0x120
[   54.737970]  ? avc_policy_seqno+0xd/0x70
[   54.737977]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   54.737986]  ? selinux_file_permission+0x92/0x550
[   54.737995]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.738003]  ? security_file_permission+0x89/0x230
[   54.738012]  ? rw_verify_area+0x118/0x360
[   54.738022]  vfs_write+0x20c/0x560
[   54.738032]  ksys_write+0x14f/0x2d0
[   54.738042]  ? __ia32_sys_read+0xb0/0xb0
[   54.738052]  ? do_syscall_64+0x26/0x620
[   54.738061]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.738068]  ? do_syscall_64+0x26/0x620
[   54.738078]  __x64_sys_write+0x73/0xb0
[   54.738087]  do_syscall_64+0xfd/0x620
[   54.738097]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.738104] RIP: 0033:0x44a419
[   54.738112] Code: e8 5c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b cc fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   54.738116] RSP: 002b:00007fd035f06d08 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   54.738124] RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 000000000044a419
[   54.738129] RDX: 0000000020000357 RSI: 0000000020000080 RDI: 0000000000000005
[   54.738134] RBP: 00000000006dbc20 R08: 65732f636f72702f R09: 65732f636f72702f
[   54.738138] R10: 65732f636f72702f R11: 0000000000000246 R12: 00000000006dbc2c
[   54.738143] R13: 00007fd035f06d10 R14: 00007fd035f06d10 R15: 00000000004ae7f0
[   54.738160]
[   54.738165] Allocated by task 7571:
[   54.738173]  save_stack+0x45/0xd0
[   54.738180]  kasan_kmalloc+0xce/0xf0
[   54.738186]  __kmalloc+0x15d/0x750
[   54.738192]  vc_allocate+0x3f5/0x760
[   54.738198]  con_install+0x52/0x410
[   54.738205]  tty_init_dev+0xf7/0x460
[   54.738210]  tty_open+0x4bf/0xb70
[   54.738217]  chrdev_open+0x245/0x6b0
[   54.738223]  do_dentry_open+0x4c3/0x1210
[   54.738229]  vfs_open+0xa0/0xd0
[   54.738237]  path_openat+0x10d7/0x45e0
[   54.738242]  do_filp_open+0x1a1/0x280
[   54.738248]  do_sys_open+0x3fe/0x550
[   54.738254]  __x64_sys_open+0x7e/0xc0
[   54.738261]  do_syscall_64+0xfd/0x620
[   54.738268]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.738270]
[   54.738273] Freed by task 0:
[   54.738276] (stack is not available)
[   54.738277]
[   54.738283] The buggy address belongs to the object at ffff88809b4e1200
[   54.738283]  which belongs to the cache kmalloc-8192 of size 8192
[   54.738290] The buggy address is located 4800 bytes inside of
[   54.738290]  8192-byte region [ffff88809b4e1200, ffff88809b4e3200)
[   54.738292] The buggy address belongs to the page:
[   54.738299] page:ffffea00026d3800 count:1 mapcount:0 mapping:ffff88812c315080 index:0x0 compound_mapcount: 0
[   54.738308] flags: 0xfffe0000008100(slab|head)
[   54.738319] raw: 00fffe0000008100 ffffea000266a208 ffffea000275d008 ffff88812c315080
[   54.738327] raw: 0000000000000000 ffff88809b4e1200 0000000100000001 0000000000000000
[   54.738331] page dumped because: kasan: bad access detected
[   54.738333]
[   54.738335] Memory state around the buggy address:
[   54.738341]  ffff88809b4e2380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   54.738347]  ffff88809b4e2400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   54.738352] >ffff88809b4e2480: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   54.738355]                                            ^
[   54.738361]  ffff88809b4e2500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   54.738367]  ffff88809b4e2580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   54.738369] ==================================================================
[   54.738372] Disabling lock debugging due to kernel taint
[   54.738376] Kernel panic - not syncing: panic_on_warn set ...
[   54.738376]
[   54.738384] CPU: 0 PID: 7598 Comm: syz-executor909 Tainted: G B 4.19.87-syzkaller #0
[   54.738387] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   54.738389] Call Trace:
[   54.738396]  dump_stack+0x197/0x210
[   54.738404]  ? vcs_scr_readw+0xc2/0xd0
[   54.738411]  panic+0x26a/0x50e
[   54.738417]  ? __warn_printk+0xf3/0xf3
[   54.738427]  ? lock_downgrade+0x880/0x880
[   54.738436]  ? trace_hardirqs_on+0x67/0x220
[   54.738443]  ? trace_hardirqs_on+0x5e/0x220
[   54.738451]  ? vcs_scr_readw+0xc2/0xd0
[   54.738458]  kasan_end_report+0x47/0x4f
[   54.738465]  kasan_report.cold+0xa9/0x2ba
[   54.738474]  __asan_report_load2_noabort+0x14/0x20
[   54.738481]  vcs_scr_readw+0xc2/0xd0
[   54.738488]  vcs_write+0x646/0xcf0
[   54.738498]  ? vcs_size+0x240/0x240
[   54.738509]  __vfs_write+0x114/0x810
[   54.738516]  ? vcs_size+0x240/0x240
[   54.738523]  ? kernel_read+0x120/0x120
[   54.738530]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   54.738537]  ? __inode_security_revalidate+0xda/0x120
[   54.738544]  ? avc_policy_seqno+0xd/0x70
[   54.738553]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   54.738563]  ? selinux_file_permission+0x92/0x550
[   54.738576]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.738587]  ? security_file_permission+0x89/0x230
[   54.738600]  ? rw_verify_area+0x118/0x360
[   54.738614]  vfs_write+0x20c/0x560
[   54.738627]  ksys_write+0x14f/0x2d0
[   54.738637]  ? __ia32_sys_read+0xb0/0xb0
[   54.738645]  ? do_syscall_64+0x26/0x620
[   54.738652]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.738659]  ? do_syscall_64+0x26/0x620
[   54.738667]  __x64_sys_write+0x73/0xb0
[   54.738675]  do_syscall_64+0xfd/0x620
[   54.738683]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.738688] RIP: 0033:0x44a419
[   54.738695] Code: e8 5c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b cc fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   54.738699] RSP: 002b:00007fd035f06d08 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   54.738706] RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 000000000044a419
[   54.738710] RDX: 0000000020000357 RSI: 0000000020000080 RDI: 0000000000000005
[   54.738714] RBP: 00000000006dbc20 R08: 65732f636f72702f R09: 65732f636f72702f
[   54.738718] R10: 65732f636f72702f R11: 0000000000000246 R12: 00000000006dbc2c
[   54.738722] R13: 00007fd035f06d10 R14: 00007fd035f06d10 R15: 00000000004ae7f0
[   54.739923] Kernel Offset: disabled
[   55.414567] Rebooting in 86400 seconds..