[ 33.053787] audit: type=1800 audit(1576519050.816:33): pid=6874 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 33.075852] audit: type=1800 audit(1576519050.816:34): pid=6874 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 35.738834] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.195387] audit: type=1400 audit(1576519053.956:35): avc: denied { map } for pid=7048 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 36.277872] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.840145] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.027976] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.143' (ECDSA) to the list of known hosts.
[ 42.609062] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 42.723386] audit: type=1400 audit(1576519060.486:36): avc: denied { map } for pid=7060 comm="syz-executor852" path="/root/syz-executor852288446" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 42.806260] ==================================================================
[ 42.806285] BUG: KASAN: global-out-of-bounds in vga16fb_imageblit+0x1bdb/0x2160
[ 42.806290] Read of size 2 at addr ffffffff87088fde by task syz-executor852/7060
[ 42.806292]
[ 42.806298] CPU: 0 PID: 7060 Comm: syz-executor852 Not tainted 4.14.158-syzkaller #0
[ 42.806301] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.806303] Call Trace:
[ 42.806310]  dump_stack+0x142/0x197
[ 42.806317]  ? vga16fb_imageblit+0x1bdb/0x2160
[ 42.806324]  print_address_description.cold+0x5/0x1dc
[ 42.806329]  ? vga16fb_imageblit+0x1bdb/0x2160
[ 42.806333]  kasan_report.cold+0xa9/0x2af
[ 42.806340]  __asan_report_load2_noabort+0x14/0x20
[ 42.806344]  vga16fb_imageblit+0x1bdb/0x2160
[ 42.806351]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 42.806357]  ? debug_check_no_obj_freed+0x217/0x7b7
[ 42.806366]  soft_cursor+0x4ff/0xa50
[ 42.806375]  bit_cursor+0x11be/0x1830
[ 42.806383]  ? bit_clear+0x4a0/0x4a0
[ 42.806388]  ? fbcon_putcs+0x3c2/0x480
[ 42.806392]  ? fbcon_putcs+0x223/0x480
[ 42.806399]  ? fb_get_color_depth+0x5f/0x70
[ 42.806403]  ? get_color+0x1bf/0x3b0
[ 42.806409]  fbcon_cursor+0x4e3/0x6f0
[ 42.806414]  ? bit_clear+0x4a0/0x4a0
[ 42.806421]  set_cursor+0x1bd/0x240
[ 42.806426]  redraw_screen+0x596/0x7c0
[ 42.806433]  ? con_flush_chars+0x90/0x90
[ 42.806437]  ? fbcon_set_palette+0x203/0x5b0
[ 42.806444]  fbcon_modechanged+0x59e/0x880
[ 42.806451]  fbcon_event_notify+0x11f/0x17af
[ 42.806459]  ? lock_acquire+0x16f/0x430
[ 42.806467]  notifier_call_chain+0x111/0x1b0
[ 42.806477]  blocking_notifier_call_chain+0x80/0xa0
[ 42.806483]  fb_notifier_call_chain+0x25/0x30
[ 42.806487]  fb_set_var+0xb09/0xcf0
[ 42.806493]  ? fb_set_suspend+0x110/0x110
[ 42.806497]  ? lock_acquire+0x16f/0x430
[ 42.806501]  ? lock_fb_info+0x1f/0x80
[ 42.806507]  ? lock_fb_info+0x1f/0x80
[ 42.806511]  ? __mutex_lock+0x36a/0x1470
[ 42.806516]  ? trace_hardirqs_on+0x10/0x10
[ 42.806524]  ? lock_acquire+0x16f/0x430
[ 42.806528]  ? __down+0x16b/0x290
[ 42.806534]  ? mutex_trylock+0x1c0/0x1c0
[ 42.806539]  ? down+0x70/0x90
[ 42.806549]  ? mutex_lock_nested+0x16/0x20
[ 42.806553]  ? mutex_lock_nested+0x16/0x20
[ 42.806558]  do_fb_ioctl+0x3cc/0x940
[ 42.806563]  ? fb_read+0x520/0x520
[ 42.806570]  ? avc_has_extended_perms+0x8ec/0xe40
[ 42.806575]  ? putname+0xdb/0x120
[ 42.806580]  ? avc_ss_reset+0x110/0x110
[ 42.806584]  ? kmem_cache_free+0x83/0x2b0
[ 42.806591]  ? do_syscall_64+0x1e8/0x640
[ 42.806595]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.806600]  ? find_held_lock+0x35/0x130
[ 42.806604]  ? debug_check_no_obj_freed+0x2aa/0x7b7
[ 42.806619]  ? __might_sleep+0x93/0xb0
[ 42.806625]  fb_ioctl+0xe6/0x130
[ 42.806630]  ? do_fb_ioctl+0x940/0x940
[ 42.806635]  do_vfs_ioctl+0x7ae/0x1060
[ 42.806640]  ? selinux_file_mprotect+0x5d0/0x5d0
[ 42.806643]  ? kmem_cache_free+0x244/0x2b0
[ 42.806648]  ? ioctl_preallocate+0x1c0/0x1c0
[ 42.806652]  ? putname+0xe0/0x120
[ 42.806658]  ? do_sys_open+0x221/0x430
[ 42.806666]  ? security_file_ioctl+0x7d/0xb0
[ 42.806670]  ? security_file_ioctl+0x89/0xb0
[ 42.806676]  SyS_ioctl+0x8f/0xc0
[ 42.806680]  ? do_vfs_ioctl+0x1060/0x1060
[ 42.806686]  do_syscall_64+0x1e8/0x640
[ 42.806690]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 42.806697]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.806702] RIP: 0033:0x440309
[ 42.806705] RSP: 002b:00007ffc8be969b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 42.806711] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440309
[ 42.806713] RDX: 0000000020000000 RSI: 0000000000004601 RDI: 0000000000000003
[ 42.806716] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 42.806719] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b90
[ 42.806721] R13: 0000000000401c20 R14: 0000000000000000 R15: 0000000000000000
[ 42.806729]
[ 42.806731] The buggy address belongs to the variable:
[ 42.806735]  transl_h+0x3e/0x40
[ 42.806737]
[ 42.806738] Memory state around the buggy address:
[ 42.806743]  ffffffff87088e80: 00 03 fa fa fa fa fa fa 00 00 00 00 fa fa fa fa
[ 42.806746]  ffffffff87088f00: 00 00 00 00 00 fa fa fa fa fa fa fa 04 fa fa fa
[ 42.806749] >ffffffff87088f80: fa fa fa fa 00 00 00 00 fa fa fa fa 00 00 00 00
[ 42.806752]                                                     ^
[ 42.806755]  ffffffff87089000: fa fa fa fa 00 01 fa fa fa fa fa fa 00 00 00 04
[ 42.806758]  ffffffff87089080: fa fa fa fa 00 00 04 fa fa fa fa fa 00 00 00 00
[ 42.806760] ==================================================================
[ 42.806762] Disabling lock debugging due to kernel taint
[ 42.806764] Kernel panic - not syncing: panic_on_warn set ...
[ 42.806764]
[ 42.806768] CPU: 0 PID: 7060 Comm: syz-executor852 Tainted: G B 4.14.158-syzkaller #0
[ 42.806770] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.806771] Call Trace:
[ 42.806775]  dump_stack+0x142/0x197
[ 42.806780]  ? vga16fb_imageblit+0x1bdb/0x2160
[ 42.806784]  panic+0x1f9/0x42d
[ 42.806787]  ? add_taint.cold+0x16/0x16
[ 42.806792]  ? lock_downgrade+0x740/0x740
[ 42.806798]  kasan_end_report+0x47/0x4f
[ 42.806802]  kasan_report.cold+0x130/0x2af
[ 42.806806]  __asan_report_load2_noabort+0x14/0x20
[ 42.806810]  vga16fb_imageblit+0x1bdb/0x2160
[ 42.806815]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 42.806818]  ? debug_check_no_obj_freed+0x217/0x7b7
[ 42.806824]  soft_cursor+0x4ff/0xa50
[ 42.806830]  bit_cursor+0x11be/0x1830
[ 42.806836]  ? bit_clear+0x4a0/0x4a0
[ 42.806839]  ? fbcon_putcs+0x3c2/0x480
[ 42.806843]  ? fbcon_putcs+0x223/0x480
[ 42.806847]  ? fb_get_color_depth+0x5f/0x70
[ 42.806851]  ? get_color+0x1bf/0x3b0
[ 42.806856]  fbcon_cursor+0x4e3/0x6f0
[ 42.806859]  ? bit_clear+0x4a0/0x4a0
[ 42.806864]  set_cursor+0x1bd/0x240
[ 42.806868]  redraw_screen+0x596/0x7c0
[ 42.806873]  ? con_flush_chars+0x90/0x90
[ 42.806877]  ? fbcon_set_palette+0x203/0x5b0
[ 42.806882]  fbcon_modechanged+0x59e/0x880
[ 42.806887]  fbcon_event_notify+0x11f/0x17af
[ 42.806892]  ? lock_acquire+0x16f/0x430
[ 42.806896]  notifier_call_chain+0x111/0x1b0
[ 42.806902]  blocking_notifier_call_chain+0x80/0xa0
[ 42.806906]  fb_notifier_call_chain+0x25/0x30
[ 42.806909]  fb_set_var+0xb09/0xcf0
[ 42.806913]  ? fb_set_suspend+0x110/0x110
[ 42.806917]  ? lock_acquire+0x16f/0x430
[ 42.806920]  ? lock_fb_info+0x1f/0x80
[ 42.806924]  ? lock_fb_info+0x1f/0x80
[ 42.806928]  ? __mutex_lock+0x36a/0x1470
[ 42.806932]  ? trace_hardirqs_on+0x10/0x10
[ 42.806936]  ? lock_acquire+0x16f/0x430
[ 42.806939]  ? __down+0x16b/0x290
[ 42.806943]  ? mutex_trylock+0x1c0/0x1c0
[ 42.806947]  ? down+0x70/0x90
[ 42.806954]  ? mutex_lock_nested+0x16/0x20
[ 42.806957]  ? mutex_lock_nested+0x16/0x20
[ 42.806961]  do_fb_ioctl+0x3cc/0x940
[ 42.806964]  ? fb_read+0x520/0x520
[ 42.806969]  ? avc_has_extended_perms+0x8ec/0xe40
[ 42.806972]  ? putname+0xdb/0x120
[ 42.806976]  ? avc_ss_reset+0x110/0x110
[ 42.806979]  ? kmem_cache_free+0x83/0x2b0
[ 42.806983]  ? do_syscall_64+0x1e8/0x640
[ 42.806987]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.807005]  ? find_held_lock+0x35/0x130
[ 42.807010]  ? debug_check_no_obj_freed+0x2aa/0x7b7
[ 42.807018]  ? __might_sleep+0x93/0xb0
[ 42.807022]  fb_ioctl+0xe6/0x130
[ 42.807026]  ? do_fb_ioctl+0x940/0x940
[ 42.807033]  do_vfs_ioctl+0x7ae/0x1060
[ 42.807037]  ? selinux_file_mprotect+0x5d0/0x5d0
[ 42.807040]  ? kmem_cache_free+0x244/0x2b0
[ 42.807045]  ? ioctl_preallocate+0x1c0/0x1c0
[ 42.807048]  ? putname+0xe0/0x120
[ 42.807052]  ? do_sys_open+0x221/0x430
[ 42.807057]  ? security_file_ioctl+0x7d/0xb0
[ 42.807061]  ? security_file_ioctl+0x89/0xb0
[ 42.807065]  SyS_ioctl+0x8f/0xc0
[ 42.807069]  ? do_vfs_ioctl+0x1060/0x1060
[ 42.807073]  do_syscall_64+0x1e8/0x640
[ 42.807077]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 42.807082]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.807085] RIP: 0033:0x440309
[ 42.807087] RSP: 002b:00007ffc8be969b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 42.807091] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440309
[ 42.807093] RDX: 0000000020000000 RSI: 0000000000004601 RDI: 0000000000000003
[ 42.807095] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 42.807098] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b90
[ 42.807100] R13: 0000000000401c20 R14: 0000000000000000 R15: 0000000000000000
[ 42.808478] Kernel Offset: disabled
[ 43.612801] Rebooting in 86400 seconds..