[  OK  ] Started OpenBSD Secure Shell server.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.15.205' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   34.029108] audit: type=1400 audit(1601200638.961:8): avc:  denied  { execmem } for  pid=6357 comm="syz-executor863" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[   34.037436] ==================================================================
[   34.058117] BUG: KASAN: slab-out-of-bounds in squashfs_get_id+0x181/0x1a0
[   34.065109] Read of size 8 at addr ffff8880903cd578 by task syz-executor863/6357
[   34.072662] 
[   34.074378] CPU: 0 PID: 6357 Comm: syz-executor863 Not tainted 4.14.198-syzkaller #0
[   34.082245] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.092359] Call Trace:
[   34.095140]  dump_stack+0x1b2/0x283
[   34.098756]  print_address_description.cold+0x54/0x1d3
[   34.104119]  kasan_report_error.cold+0x8a/0x194
[   34.108782]  ? squashfs_get_id+0x181/0x1a0
[   34.112993]  __asan_report_load8_noabort+0x68/0x70
[   34.117919]  ? squashfs_get_id+0x181/0x1a0
[   34.122254]  squashfs_get_id+0x181/0x1a0
[   34.126384]  ? squashfs_read_fragment_index_table+0xc0/0xc0
[   34.132420]  ? squashfs_read_metadata+0x2a6/0x370
[   34.137256]  squashfs_read_inode+0x171/0x1840
[   34.141747]  ? squashfs_read_id_index_table+0xc0/0xc0
[   34.146913]  ? new_inode+0xc7/0xf0
[   34.150431]  ? lock_acquire+0x170/0x3f0
[   34.154380]  ? do_raw_spin_unlock+0x164/0x220
[   34.158859]  squashfs_fill_super+0x1138/0x1640
[   34.163561]  mount_bdev+0x2b3/0x360
[   34.167288]  ? squashfs_alloc_inode+0x40/0x40
[   34.171778]  mount_fs+0x92/0x2a0
[   34.175124]  vfs_kern_mount.part.0+0x5b/0x470
[   34.179613]  do_mount+0xe53/0x2a00
[   34.183133]  ? retint_kernel+0x2d/0x2d
[   34.187005]  ? copy_mount_string+0x40/0x40
[   34.191265]  ? memset+0x20/0x40
[   34.194518]  ? copy_mount_options+0x1fa/0x2f0
[   34.199003]  ? copy_mnt_ns+0xa30/0xa30
[   34.202878]  SyS_mount+0xa8/0x120
[   34.206304]  ? copy_mnt_ns+0xa30/0xa30
[   34.210192]  do_syscall_64+0x1d5/0x640
[   34.214080]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   34.219243] RIP: 0033:0x446d1a
[   34.222422] RSP: 002b:00007fff489fd348 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[   34.230125] RAX: ffffffffffffffda RBX: 00007fff489fd3a0 RCX: 0000000000446d1a
[   34.237517] RDX: 0000000020000040 RSI: 0000000020000100 RDI: 00007fff489fd360
[   34.244817] RBP: 00007fff489fd360 R08: 00007fff489fd3a0 R09: 00007fff00000015
[   34.252197] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001
[   34.259459] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[   34.266720] 
[   34.268338] Allocated by task 6357:
[   34.272024]  kasan_kmalloc+0xeb/0x160
[   34.275818]  __kmalloc+0x15a/0x400
[   34.279348]  squashfs_read_data+0x153/0x1140
[   34.284010]  squashfs_read_table+0x11c/0x18d
[   34.288392]  squashfs_read_xattr_id_table+0x2b/0x1c0
[   34.293494]  squashfs_fill_super+0xcba/0x1640
[   34.297971]  mount_bdev+0x2b3/0x360
[   34.301577]  mount_fs+0x92/0x2a0
[   34.304918]  vfs_kern_mount.part.0+0x5b/0x470
[   34.309398]  do_mount+0xe53/0x2a00
[   34.312936]  SyS_mount+0xa8/0x120
[   34.316530]  do_syscall_64+0x1d5/0x640
[   34.320570]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   34.325749] 
[   34.327356] Freed by task 6357:
[   34.330617]  kasan_slab_free+0xc3/0x1a0
[   34.334588]  kfree+0xc9/0x250
[   34.337686]  squashfs_read_data+0x931/0x1140
[   34.342085]  squashfs_read_table+0x11c/0x18d
[   34.346468]  squashfs_read_xattr_id_table+0x2b/0x1c0
[   34.351546]  squashfs_fill_super+0xcba/0x1640
[   34.356014]  mount_bdev+0x2b3/0x360
[   34.359612]  mount_fs+0x92/0x2a0
[   34.362952]  vfs_kern_mount.part.0+0x5b/0x470
[   34.367433]  do_mount+0xe53/0x2a00
[   34.370990]  SyS_mount+0xa8/0x120
[   34.374417]  do_syscall_64+0x1d5/0x640
[   34.378278]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   34.383483] 
[   34.385091] The buggy address belongs to the object at ffff8880903cd540
[   34.385091]  which belongs to the cache kmalloc-32 of size 32
[   34.397594] The buggy address is located 24 bytes to the right of
[   34.397594]  32-byte region [ffff8880903cd540, ffff8880903cd560)
[   34.409912] The buggy address belongs to the page:
[   34.414817] page:ffffea000240f340 count:1 mapcount:0 mapping:ffff8880903cd000 index:0xffff8880903cdfc1
[   34.424245] flags: 0xfffe0000000100(slab)
[   34.428378] raw: 00fffe0000000100 ffff8880903cd000 ffff8880903cdfc1 000000010000003f
[   34.436301] raw: ffffea00024cfa20 ffffea000234e2e0 ffff88812fe501c0 0000000000000000
[   34.444157] page dumped because: kasan: bad access detected
[   34.449856] 
[   34.451456] Memory state around the buggy address:
[   34.456359]  ffff8880903cd400: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[   34.463703]  ffff8880903cd480: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[   34.471072] >ffff8880903cd500: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   34.478409]                                                                 ^
[   34.485672]  ffff8880903cd580: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[   34.493012]  ffff8880903cd600: fb fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc
[   34.500347] ==================================================================
[   34.508655] Disabling lock debugging due to kernel taint
[   34.515585] Kernel panic - not syncing: panic_on_warn set ...
[   34.515585] 
[   34.522961] CPU: 0 PID: 6357 Comm: syz-executor863 Tainted: G    B     4.14.198-syzkaller #0
[   34.532133] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.541880] Call Trace:
[   34.544448]  dump_stack+0x1b2/0x283
[   34.548054]  panic+0x1f9/0x42d
[   34.551232]  ? add_taint.cold+0x16/0x16
[   34.555195]  ? ___preempt_schedule+0x16/0x18
[   34.559579]  kasan_end_report+0x43/0x49
[   34.564046]  kasan_report_error.cold+0xa7/0x194
[   34.568700]  ? squashfs_get_id+0x181/0x1a0
[   34.572908]  __asan_report_load8_noabort+0x68/0x70
[   34.577811]  ? squashfs_get_id+0x181/0x1a0
[   34.582021]  squashfs_get_id+0x181/0x1a0
[   34.586056]  ? squashfs_read_fragment_index_table+0xc0/0xc0
[   34.591741]  ? squashfs_read_metadata+0x2a6/0x370
[   34.596579]  squashfs_read_inode+0x171/0x1840
[   34.601051]  ? squashfs_read_id_index_table+0xc0/0xc0
[   34.606233]  ? new_inode+0xc7/0xf0
[   34.609756]  ? lock_acquire+0x170/0x3f0
[   34.613727]  ? do_raw_spin_unlock+0x164/0x220
[   34.618217]  squashfs_fill_super+0x1138/0x1640
[   34.623312]  mount_bdev+0x2b3/0x360
[   34.626918]  ? squashfs_alloc_inode+0x40/0x40
[   34.631397]  mount_fs+0x92/0x2a0
[   34.634747]  vfs_kern_mount.part.0+0x5b/0x470
[   34.639223]  do_mount+0xe53/0x2a00
[   34.642771]  ? retint_kernel+0x2d/0x2d
[   34.646629]  ? copy_mount_string+0x40/0x40
[   34.650852]  ? memset+0x20/0x40
[   34.654104]  ? copy_mount_options+0x1fa/0x2f0
[   34.658569]  ? copy_mnt_ns+0xa30/0xa30
[   34.662428]  SyS_mount+0xa8/0x120
[   34.665868]  ? copy_mnt_ns+0xa30/0xa30
[   34.669731]  do_syscall_64+0x1d5/0x640
[   34.673596]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   34.678780] RIP: 0033:0x446d1a
[   34.681954] RSP: 002b:00007fff489fd348 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[   34.689635] RAX: ffffffffffffffda RBX: 00007fff489fd3a0 RCX: 0000000000446d1a
[   34.696886] RDX: 0000000020000040 RSI: 0000000020000100 RDI: 00007fff489fd360
[   34.704237] RBP: 00007fff489fd360 R08: 00007fff489fd3a0 R09: 00007fff00000015
[   34.711491] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001
[   34.718732] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[   34.727565] Kernel Offset: disabled
[   34.731190] Rebooting in 86400 seconds..
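The report's "Memory state" dump is the only part of it that can be checked without the kernel binary, and it carries a caveat the headline hides: KASAN attributes a bad address to the nearest object in the slab page, and here that object (ffff8880903cd540, kmalloc-32) has shadow bytes fb, i.e. it had already been freed, which is why the "Allocated by" and "Freed by" stacks both point at the temporary buffer of squashfs_read_xattr_id_table rather than at anything squashfs_get_id reads. The script below is an added example, not part of the syzkaller report or of the kernel tree. It re-derives the report's own claims (24 bytes past the object, redzone poison, hence slab-out-of-bounds) from the dumped lines and lists which granules around the fault were actually live. It assumes x86-64 generic KASAN, one shadow byte per 8-byte granule, and the poison values from mm/kasan/kasan.h; the input is the relevant lines of the report above, copied verbatim.

```python
"""Decode the shadow-memory dump of a generic KASAN report.

Added example, not part of the syzkaller report above nor of the kernel
tree. Assumes x86-64 generic KASAN (one shadow byte per 8-byte granule)
and the poison values from mm/kasan/kasan.h.
"""
import re

SHADOW_GRANULE = 8  # bytes of kernel memory covered by one shadow byte

POISON = {  # generic-KASAN shadow values
    0x00: "accessible",
    0xfa: "KASAN_FREE_PAGE",
    0xfb: "KASAN_KMALLOC_FREE",
    0xfc: "KASAN_KMALLOC_REDZONE",
    0xfe: "KASAN_PAGE_REDZONE",
}
# How kasan_report() names a slab access that lands on each poison value.
BUG_FOR_POISON = {0xfb: "use-after-free", 0xfc: "slab-out-of-bounds"}

TS_RE = re.compile(r"^\s*\[\s*\d+\.\d+\]\s?")
BUG_RE = re.compile(r"BUG: KASAN: ([a-z-]+) in (\S+)")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)")
CACHE_RE = re.compile(r"cache (\S+) of size (\d+)")
REGION_RE = re.compile(r"(\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)")
ROW_RE = re.compile(r"^>?\s*([0-9a-f]{16}):((?: [0-9a-f]{2}){16})\s*$")

# Constructed input: the relevant lines of the report above, copied verbatim.
REPORT = """\
[   34.058117] BUG: KASAN: slab-out-of-bounds in squashfs_get_id+0x181/0x1a0
[   34.065109] Read of size 8 at addr ffff8880903cd578 by task syz-executor863/6357
[   34.385091]  which belongs to the cache kmalloc-32 of size 32
[   34.397594]  32-byte region [ffff8880903cd540, ffff8880903cd560)
[   34.456359]  ffff8880903cd400: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[   34.463703]  ffff8880903cd480: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[   34.471072] >ffff8880903cd500: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   34.478409]                                                                 ^
[   34.485672]  ffff8880903cd580: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[   34.493012]  ffff8880903cd600: fb fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc
"""


def parse_report(text):
    """Pull the access, the attributed object and the shadow rows out of a report."""
    rep = {"shadow": {}}
    for raw in text.splitlines():
        line = TS_RE.sub("", raw)  # drop the printk timestamp
        if m := BUG_RE.search(line):
            rep["bug"], rep["where"] = m.group(1), m.group(2)
        elif m := ACCESS_RE.search(line):
            rep["kind"], rep["size"], rep["addr"] = m.group(1), int(m.group(2)), int(m.group(3), 16)
        elif m := CACHE_RE.search(line):
            rep["cache"], rep["obj_size"] = m.group(1), int(m.group(2))
        elif m := REGION_RE.search(line):
            rep["region"] = (int(m.group(2), 16), int(m.group(3), 16))
        elif m := ROW_RE.match(line):
            rep["shadow"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    bases = sorted(rep["shadow"])
    # 16 shadow bytes per row means consecutive rows must be 128 bytes apart.
    if any(b - a != 16 * SHADOW_GRANULE for a, b in zip(bases, bases[1:])):
        raise ValueError("shadow rows are not consecutive 128-byte lines")
    return rep


def shadow_byte(rep, addr):
    """Poison value KASAN recorded for the granule containing addr."""
    for base, row in rep["shadow"].items():
        if base <= addr < base + len(row) * SHADOW_GRANULE:
            return row[(addr - base) // SHADOW_GRANULE]
    raise KeyError(f"{addr:#x} is outside the dumped shadow rows")


def live_ranges(rep):
    """Byte ranges whose shadow is 0x00, i.e. fully accessible memory in the dump."""
    out = []
    for base in sorted(rep["shadow"]):
        for i, b in enumerate(rep["shadow"][base]):
            start = base + i * SHADOW_GRANULE
            if b != 0x00:
                continue
            if out and out[-1][1] == start:
                out[-1][1] = start + SHADOW_GRANULE  # extend the previous run
            else:
                out.append([start, start + SHADOW_GRANULE])
    return [tuple(r) for r in out]


def analyse(rep):
    """Cross-check the report's claims against its own shadow dump."""
    start, end = rep["region"]
    addr, size = rep["addr"], rep["size"]
    poison = shadow_byte(rep, addr)
    # Poison over every granule of the object the report attributed the access to.
    obj_poison = {shadow_byte(rep, a) for a in range(start, end, SHADOW_GRANULE)}
    return {
        "offset_past_end": addr - end,
        "access_within_object": start <= addr and addr + size <= end,
        "poison_at_addr": POISON.get(poison, f"{poison:#04x}"),
        "derived_bug": BUG_FOR_POISON.get(poison, "other"),
        "matches_header": BUG_FOR_POISON.get(poison) == rep.get("bug"),
        "object_size_ok": end - start == rep.get("obj_size"),
        "object_was_live": obj_poison == {0x00},
        "object_poison": sorted(POISON.get(p, f"{p:#04x}") for p in obj_poison),
    }


if __name__ == "__main__":
    rep = parse_report(REPORT)
    for k, v in analyse(rep).items():
        print(f"{k:>22}: {v}")
    print("live ranges:", [f"[{a:#x}, {b:#x})" for a, b in live_ranges(rep)])
```

Run against the lines above it confirms the 24-byte offset, finds fc (redzone) under the faulting granule, so the slab-out-of-bounds header follows from the shadow rather than from any knowledge of the code, and shows the attributed object as entirely fb (freed), consistent with the "Freed by" stack. The only accessible granules in the dump are single 8-byte runs at ffff8880903cd400, ffff8880903cd480 and ffff8880903cd580 plus 32 bytes at ffff8880903cd640; which of them squashfs_get_id meant to read is not something the report itself can tell you.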