[....] Starting file context maintaining daemon: restorecond[ ok ].
[   32.271459] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   32.566108] kauditd_printk_skb: 10 callbacks suppressed
[   32.566117] audit: type=1400 audit(1574657505.609:35): avc:  denied  { map } for  pid=6969 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   32.631768] random: sshd: uninitialized urandom read (32 bytes read)
[   33.230981] random: sshd: uninitialized urandom read (32 bytes read)
[   33.459289] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.64' (ECDSA) to the list of known hosts.
[   39.055649] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   39.171079] audit: type=1400 audit(1574657512.219:36): avc:  denied  { map } for  pid=6982 comm="syz-executor856" path="/root/syz-executor856703914" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   39.199071] ==================================================================
[   39.206656] BUG: KASAN: slab-out-of-bounds in bpf_skb_change_head+0x4f3/0x600
[   39.213911] Read of size 4 at addr ffff8880a4d0f440 by task syz-executor856/6982
[   39.221431] 
[   39.223091] CPU: 0 PID: 6982 Comm: syz-executor856 Not tainted 4.14.156-syzkaller #0
[   39.230998] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.240345] Call Trace:
[   39.242921]  dump_stack+0x142/0x197
[   39.246536]  ? bpf_skb_change_head+0x4f3/0x600
[   39.251225]  print_address_description.cold+0x7c/0x1dc
[   39.256491]  ? bpf_skb_change_head+0x4f3/0x600
[   39.261058]  kasan_report.cold+0xa9/0x2af
[   39.265294]  __asan_report_load4_noabort+0x14/0x20
[   39.270232]  bpf_skb_change_head+0x4f3/0x600
[   39.274632]  ? __lock_acquire+0x5f7/0x4620
[   39.278852]  ? build_skb+0x1f/0x160
[   39.282520]  ? bpf_prog_test_run_skb+0x157/0x9a0
[   39.287258]  ? SyS_bpf+0x6ad/0x2da8
[   39.290871]  bpf_prog_147a7bac71f62ca7+0x428/0x1000
[   39.295871]  ? trace_hardirqs_on+0x10/0x10
[   39.300088]  ? trace_hardirqs_on+0x10/0x10
[   39.304304]  ? bpf_test_run+0x44/0x330
[   39.308191]  ? find_held_lock+0x35/0x130
[   39.312231]  ? bpf_test_run+0x44/0x330
[   39.316118]  ? lock_acquire+0x16f/0x430
[   39.320089]  ? check_preemption_disabled+0x3c/0x250
[   39.325089]  ? bpf_test_run+0xa8/0x330
[   39.328969]  ? bpf_prog_test_run_skb+0x6c2/0x9a0
[   39.333713]  ? bpf_test_init.isra.0+0xe0/0xe0
[   39.338188]  ? __bpf_prog_get+0x153/0x1a0
[   39.342314]  ? SyS_bpf+0x6ad/0x2da8
[   39.345937]  ? __do_page_fault+0x4e9/0xb80
[   39.350148]  ? bpf_test_init.isra.0+0xe0/0xe0
[   39.354634]  ? bpf_prog_get+0x20/0x20
[   39.358417]  ? lock_downgrade+0x740/0x740
[   39.362546]  ? up_read+0x1a/0x40
[   39.365898]  ? __do_page_fault+0x358/0xb80
[   39.370118]  ? bpf_prog_get+0x20/0x20
[   39.373903]  ? do_syscall_64+0x1e8/0x640
[   39.377940]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   39.382767]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   39.388112] 
[   39.389720] Allocated by task 0:
[   39.393058] (stack is not available)
[   39.396745] 
[   39.398364] Freed by task 0:
[   39.401355] (stack is not available)
[   39.405081] 
[   39.406698] The buggy address belongs to the object at ffff8880a4d0f340
[   39.406698]  which belongs to the cache skbuff_head_cache of size 232
[   39.419884] The buggy address is located 24 bytes to the right of
[   39.419884]  232-byte region [ffff8880a4d0f340, ffff8880a4d0f428)
[   39.432179] The buggy address belongs to the page:
[   39.437091] page:ffffea00029343c0 count:1 mapcount:0 mapping:ffff8880a4d0f0c0 index:0x0
[   39.445210] flags: 0x1fffc0000000100(slab)
[   39.449424] raw: 01fffc0000000100 ffff8880a4d0f0c0 0000000000000000 000000010000000c
[   39.457284] raw: ffffea0002a3a820 ffffea00026100e0 ffff8880a9e19a80 0000000000000000
[   39.465139] page dumped because: kasan: bad access detected
[   39.470822] 
[   39.472426] Memory state around the buggy address:
[   39.477680]  ffff8880a4d0f300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   39.485021]  ffff8880a4d0f380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   39.492356] >ffff8880a4d0f400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   39.499717]                                            ^
[   39.505169]  ffff8880a4d0f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   39.512516]  ffff8880a4d0f500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   39.519858] ==================================================================
[   39.527195] Disabling lock debugging due to kernel taint
[   39.532868] Kernel panic - not syncing: panic_on_warn set ...
[   39.532868] 
[   39.540244] CPU: 0 PID: 6982 Comm: syz-executor856 Tainted: G    B   4.14.156-syzkaller #0
[   39.549453] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.558789] Call Trace:
[   39.561372]  dump_stack+0x142/0x197
[   39.565023]  ? bpf_skb_change_head+0x4f3/0x600
[   39.569595]  panic+0x1f9/0x42d
[   39.572763]  ? add_taint.cold+0x16/0x16
[   39.576722]  kasan_end_report+0x47/0x4f
[   39.580675]  kasan_report.cold+0x130/0x2af
[   39.584885]  __asan_report_load4_noabort+0x14/0x20
[   39.589789]  bpf_skb_change_head+0x4f3/0x600
[   39.594203]  ? __lock_acquire+0x5f7/0x4620
[   39.598417]  ? build_skb+0x1f/0x160
[   39.602029]  ? bpf_prog_test_run_skb+0x157/0x9a0
[   39.606759]  ? SyS_bpf+0x6ad/0x2da8
[   39.610381]  bpf_prog_147a7bac71f62ca7+0x428/0x1000
[   39.615376]  ? trace_hardirqs_on+0x10/0x10
[   39.619611]  ? trace_hardirqs_on+0x10/0x10
[   39.623895]  ? bpf_test_run+0x44/0x330
[   39.627814]  ? find_held_lock+0x35/0x130
[   39.631858]  ? bpf_test_run+0x44/0x330
[   39.635733]  ? lock_acquire+0x16f/0x430
[   39.639706]  ? check_preemption_disabled+0x3c/0x250
[   39.644736]  ? bpf_test_run+0xa8/0x330
[   39.648630]  ? bpf_prog_test_run_skb+0x6c2/0x9a0
[   39.653373]  ? bpf_test_init.isra.0+0xe0/0xe0
[   39.657909]  ? __bpf_prog_get+0x153/0x1a0
[   39.662049]  ? SyS_bpf+0x6ad/0x2da8
[   39.665661]  ? __do_page_fault+0x4e9/0xb80
[   39.669882]  ? bpf_test_init.isra.0+0xe0/0xe0
[   39.674355]  ? bpf_prog_get+0x20/0x20
[   39.678136]  ? lock_downgrade+0x740/0x740
[   39.682617]  ? up_read+0x1a/0x40
[   39.685958]  ? __do_page_fault+0x358/0xb80
[   39.690173]  ? bpf_prog_get+0x20/0x20
[   39.693961]  ? do_syscall_64+0x1e8/0x640
[   39.697997]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   39.702818]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   39.709566] Kernel Offset: disabled
[   39.713344] Rebooting in 86400 seconds..
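The report above states its conclusion ("24 bytes to the right of" a 232-byte skbuff_head_cache object, i.e. a read just past the end of an sk_buff, reached from the bpf(2) syscall through the program test-run path bpf_prog_test_run_skb) but leaves the reader to cross-check it by hand. The following Python triage script is an added example, not part of the syzkaller report or of the kernel: it parses the report's own BUG, access, call-trace, object-location and shadow lines (the excerpt embedded below is copied from the log above), recomputes the offset from the raw addresses and compares it with KASAN's sentence, picks the first reliable frame that is not KASAN/stack-dump plumbing and the syscall wrapper on the trace, and decodes the shadow byte covering the faulting address. The regexes target the 4.14-era generic-KASAN wording, the helper-frame prefixes and syscall-wrapper prefixes are this example's own assumptions, and the shadow poison values are those of mm/kasan/kasan.h from that era.

```python
# Added triage helper for a generic-KASAN slab report; not part of the syzkaller
# report or the kernel. Helper-frame and syscall prefixes are this example's own guesses.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Excerpt copied from the crash log above; timestamps kept so the parser strips them.
REPORT = """\
[   39.206656] BUG: KASAN: slab-out-of-bounds in bpf_skb_change_head+0x4f3/0x600
[   39.213911] Read of size 4 at addr ffff8880a4d0f440 by task syz-executor856/6982
[   39.265294]  __asan_report_load4_noabort+0x14/0x20
[   39.270232]  bpf_skb_change_head+0x4f3/0x600
[   39.282520]  ? bpf_prog_test_run_skb+0x157/0x9a0
[   39.287258]  ? SyS_bpf+0x6ad/0x2da8
[   39.290871]  bpf_prog_147a7bac71f62ca7+0x428/0x1000
[   39.406698] The buggy address belongs to the object at ffff8880a4d0f340
[   39.406698]  which belongs to the cache skbuff_head_cache of size 232
[   39.419884] The buggy address is located 24 bytes to the right of
[   39.419884]  232-byte region [ffff8880a4d0f340, ffff8880a4d0f428)
[   39.492356] >ffff8880a4d0f400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                    r" by task \S+/(?P<pid>\d+)")
CACHE = re.compile(r"cache (?P<cache>\S+) of size (?P<size>\d+)")
REGION = re.compile(r"(?P<size>\d+)-byte region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
LOCATED = re.compile(r"located (?P<n>\d+) bytes (?P<where>to the (?:right|left) of|inside of)")
FRAME = re.compile(r"^(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SHADOW_ROW = re.compile(r"^>(?P<base>[0-9a-f]+): (?P<bytes>(?:[0-9a-f]{2}\s?){16})$")

REPORT_HELPERS = ("dump_stack", "print_address_description", "kasan_", "__asan_")
# Generic KASAN poison values from mm/kasan/kasan.h (4.14 era); 0 means fully addressable.
SHADOW_MEANING = {0xFA: "global redzone", 0xFB: "freed slab object",
                  0xFC: "slab redzone", 0xFE: "page redzone", 0xFF: "free page"}


@dataclass
class Triage:
    kind: str = ""
    func: str = ""                       # function named on the BUG line
    op: str = ""
    size: int = 0
    addr: int = 0
    pid: int = 0
    cache: str = ""
    obj_size: int = 0
    region: Tuple[int, int] = (0, 0)     # [start, end) of the object that was hit
    claimed: Tuple[int, str] = (0, "")   # (N, where) exactly as KASAN printed it
    frames: List[Tuple[bool, str]] = field(default_factory=list)  # (reliable, symbol)
    shadow: int = -1                     # shadow byte covering addr, -1 if no row seen


def parse_kasan(text: str) -> Triage:
    t = Triage()
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if m := BUG.match(line):
            t.kind, t.func = m["kind"], m["func"]
        elif m := ACCESS.match(line):
            t.op, t.size = m["op"], int(m["size"])
            t.addr, t.pid = int(m["addr"], 16), int(m["pid"])
        elif m := FRAME.match(line):
            t.frames.append((m["unreliable"] is None, m["sym"]))
        elif m := SHADOW_ROW.match(line):
            base, cells = int(m["base"], 16), m["bytes"].split()
            idx = (t.addr - base) // 8   # one shadow byte covers 8 bytes of memory
            if 0 <= idx < len(cells):
                t.shadow = int(cells[idx], 16)
        elif m := CACHE.search(line):
            t.cache, t.obj_size = m["cache"], int(m["size"])
        elif m := REGION.search(line):
            t.region = (int(m["start"], 16), int(m["end"], 16))
        elif m := LOCATED.search(line):
            t.claimed = (int(m["n"]), m["where"])
    return t


def check_location(t: Triage) -> Tuple[int, str, bool]:
    """Recompute the offset from the raw addresses; True if it matches KASAN's sentence."""
    start, end = t.region
    if t.addr >= end:
        computed = (t.addr - end, "to the right of")
    elif t.addr < start:
        computed = (start - t.addr, "to the left of")
    else:
        computed = (t.addr - start, "inside of")
    return computed[0], computed[1], computed == t.claimed


def key_frames(t: Triage) -> Tuple[Optional[str], Optional[str]]:
    """(first reliable frame outside the KASAN/stack-dump plumbing, syscall wrapper)."""
    culprit = entry = None
    for reliable, sym in t.frames:
        if culprit is None and reliable and not sym.startswith(REPORT_HELPERS):
            culprit = sym
        if entry is None and sym.startswith(("SyS_", "__x64_sys_", "__se_sys_")):
            entry = sym
    return culprit, entry


def shadow_meaning(t: Triage) -> str:
    """Decode the generic-KASAN shadow byte that covers the faulting address."""
    if 0 <= t.shadow < 8:
        return "addressable" if t.shadow == 0 else "partially addressable"
    return SHADOW_MEANING.get(t.shadow, "unknown")
```

Run against the excerpt, `parse_kasan(REPORT)` yields a 4-byte read at ffff8880a4d0f440 by PID 6982; `check_location` recomputes 0x440 - 0x428 = 24 bytes past the end of the 232-byte region and confirms it agrees with the printed sentence; `key_frames` returns `bpf_skb_change_head` as the culprit and `SyS_bpf` as the entry point; and `shadow_meaning` reports the faulting byte as slab redzone (0xfc). The region size check (end minus start equals the cache's object size) is the quick way to spot a report whose object boundary was mis-attributed.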