[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 26.042113] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.337047] audit: type=1400 audit(1548832753.289:6): avc: denied { map } for pid=1770 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 26.379249] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.855041] random: sshd: uninitialized urandom read (32 bytes read)
[ 44.370427] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.108' (ECDSA) to the list of known hosts.
[ 50.072251] random: sshd: uninitialized urandom read (32 bytes read)
[ 50.156062] audit: type=1400 audit(1548832777.109:7): avc: denied { map } for pid=1800 comm="syz-executor794" path="/root/syz-executor794012011" dev="sda1" ino=16461 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 50.432833] ==================================================================
[ 50.440214] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[ 50.446852] Read of size 8 at addr ffff8881d1467790 by task syz-executor794/1803
[ 50.454370]
[ 50.455974] CPU: 1 PID: 1803 Comm: syz-executor794 Not tainted 4.14.96+ #20
[ 50.463044] Call Trace:
[ 50.465608]  dump_stack+0xb9/0x10e
[ 50.469127]  ? ip_local_deliver+0x43d/0x450
[ 50.473476]  print_address_description+0x60/0x226
[ 50.478299]  ? ip_local_deliver+0x43d/0x450
[ 50.482613]  kasan_report.cold+0x88/0x2a5
[ 50.486747]  ? ip_local_deliver+0x43d/0x450
[ 50.491045]  ? ip_call_ra_chain+0x540/0x540
[ 50.495342]  ? __lock_acquire+0x56a/0x3fa0
[ 50.499574]  ? deref_stack_reg+0xaa/0xe0
[ 50.503615]  ? ip_rcv+0x99f/0xf7a
[ 50.507063]  ? ip_rcv_finish+0x5c9/0x1490
[ 50.511187]  ? ip_rcv+0x9e2/0xf7a
[ 50.514630]  ? ip_local_deliver+0x450/0x450
[ 50.518933]  ? __lock_acquire+0x56a/0x3fa0
[ 50.523151]  ? check_preemption_disabled+0x35/0x1f0
[ 50.528140]  ? ip_local_deliver+0x450/0x450
[ 50.532437]  ? __netif_receive_skb_core+0x1364/0x2c60
[ 50.537599]  ? trace_hardirqs_on+0x10/0x10
[ 50.541827]  ? flush_backlog+0x580/0x580
[ 50.545864]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 50.551029]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 50.556193]  ? lock_acquire+0x10f/0x380
[ 50.560144]  ? __netif_receive_skb+0x55/0x1f0
[ 50.564612]  ? __netif_receive_skb+0x55/0x1f0
[ 50.569083]  ? netif_receive_skb_internal+0xec/0x5c0
[ 50.574159]  ? dev_cpu_dead+0x810/0x810
[ 50.578113]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 50.583540]  ? rcu_read_lock_sched_held+0x10a/0x130
[ 50.588555]  ? tun_rx_batched.isra.0+0x45d/0x730
[ 50.593312]  ? __skb_get_hash_symmetric+0x255/0x620
[ 50.598306]  ? tun_chr_read_iter+0x1c0/0x1c0
[ 50.602708]  ? tun_get_user+0xc07/0x3790
[ 50.606771]  ? __local_bh_enable_ip+0x65/0xc0
[ 50.611364]  ? tun_get_user+0xd95/0x3790
[ 50.615408]  ? tun_rx_batched.isra.0+0x730/0x730
[ 50.620152]  ? debug_mutex_wake_waiter+0x1d0/0x370
[ 50.625064]  ? __tun_get+0x11c/0x220
[ 50.628756]  ? check_preemption_disabled+0x35/0x1f0
[ 50.633755]  ? tun_chr_write_iter+0xcf/0x180
[ 50.638141]  ? do_iter_readv_writev+0x379/0x580
[ 50.642789]  ? clone_verify_area+0x1e0/0x1e0
[ 50.647174]  ? avc_policy_seqno+0x5/0x10
[ 50.651228]  ? security_file_permission+0x88/0x1e0
[ 50.656139]  ? do_iter_write+0x152/0x550
[ 50.660201]  ? signal_setup_done+0xac/0x270
[ 50.664497]  ? vfs_writev+0x146/0x2d0
[ 50.668289]  ? vfs_iter_write+0xa0/0xa0
[ 50.672241]  ? do_signal+0x488/0x15c0
[ 50.676018]  ? setup_sigcontext+0x810/0x810
[ 50.680328]  ? pgtable_bad+0x110/0x110
[ 50.684192]  ? __bad_area_nosemaphore+0x25f/0x280
[ 50.689042]  ? is_prefetch.isra.0.part.0+0x210/0x330
[ 50.694125]  ? do_writev+0xc9/0x240
[ 50.697729]  ? vfs_writev+0x2d0/0x2d0
[ 50.701507]  ? do_syscall_64+0x43/0x4b0
[ 50.705457]  ? SyS_readv+0x30/0x30
[ 50.708974]  ? do_syscall_64+0x19b/0x4b0
[ 50.713207]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 50.718576]
[ 50.720200] Allocated by task 1803:
[ 50.723807]  kasan_kmalloc.part.0+0x4f/0xd0
[ 50.728113]  kmem_cache_alloc+0xd2/0x2d0
[ 50.732149]  __build_skb+0x2e/0x2d0
[ 50.735875]  build_skb+0x1a/0x1f0
[ 50.739314]  tun_get_user+0x248b/0x3790
[ 50.743258]  tun_chr_write_iter+0xcf/0x180
[ 50.747462]  do_iter_readv_writev+0x379/0x580
[ 50.752073]  do_iter_write+0x152/0x550
[ 50.756182]  vfs_writev+0x146/0x2d0
[ 50.760082]  do_writev+0xc9/0x240
[ 50.763508]  do_syscall_64+0x19b/0x4b0
[ 50.767428]
[ 50.769048] Freed by task 1803:
[ 50.772307]  kasan_slab_free+0xb0/0x190
[ 50.776622]  kmem_cache_free+0xc4/0x330
[ 50.780579]  kfree_skbmem+0xa0/0x100
[ 50.784265]  kfree_skb+0xcd/0x350
[ 50.787692]  ip_defrag+0x5f4/0x3b50
[ 50.791377]  ip_local_deliver+0x165/0x450
[ 50.795698]  ip_rcv_finish+0x5c9/0x1490
[ 50.799651]  ip_rcv+0x9e2/0xf7a
[ 50.802906]  __netif_receive_skb_core+0x1364/0x2c60
[ 50.807932]  __netif_receive_skb+0x55/0x1f0
[ 50.812256]  netif_receive_skb_internal+0xec/0x5c0
[ 50.817180]  tun_rx_batched.isra.0+0x45d/0x730
[ 50.821733]  tun_get_user+0xd95/0x3790
[ 50.825604]  tun_chr_write_iter+0xcf/0x180
[ 50.829808]  do_iter_readv_writev+0x379/0x580
[ 50.834436]  do_iter_write+0x152/0x550
[ 50.838297]  vfs_writev+0x146/0x2d0
[ 50.841900]  do_writev+0xc9/0x240
[ 50.845344]  do_syscall_64+0x19b/0x4b0
[ 50.849200]
[ 50.850811] The buggy address belongs to the object at ffff8881d1467780
[ 50.850811]  which belongs to the cache skbuff_head_cache of size 224
[ 50.863976] The buggy address is located 16 bytes inside of
[ 50.863976]  224-byte region [ffff8881d1467780, ffff8881d1467860)
[ 50.875740] The buggy address belongs to the page:
[ 50.880642] page:ffffea00074519c0 count:1 mapcount:0 mapping: (null) index:0x0
[ 50.888758] flags: 0x4000000000000100(slab)
[ 50.893058] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[ 50.900911] raw: ffffea000742a780 0000000700000007 ffff8881dab58200 0000000000000000
[ 50.908799] page dumped because: kasan: bad access detected
[ 50.914489]
[ 50.916102] Memory state around the buggy address:
[ 50.921008]  ffff8881d1467680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.928354]  ffff8881d1467700: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.935688] >ffff8881d1467780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.943021]                       ^
[ 50.946988]  ffff8881d1467800: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 50.954325]  ffff8881d1467880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 50.961654] ==================================================================
[ 50.968981] Disabling lock debugging due to kernel taint
[ 50.974439] Kernel panic - not syncing: panic_on_warn set ...
[ 50.974439]
[ 50.981778] CPU: 1 PID: 1803 Comm: syz-executor794 Tainted: G B 4.14.96+ #20
[ 50.990218] Call Trace:
[ 50.992786]  dump_stack+0xb9/0x10e
[ 50.996307]  panic+0x1d9/0x3c2
[ 50.999471]  ? add_taint.cold+0x16/0x16
[ 51.003428]  ? retint_kernel+0x2d/0x2d
[ 51.007292]  ? ip_local_deliver+0x43d/0x450
[ 51.011584]  kasan_end_report+0x43/0x49
[ 51.015528]  kasan_report.cold+0xa4/0x2a5
[ 51.019652]  ? ip_local_deliver+0x43d/0x450
[ 51.024013]  ? ip_call_ra_chain+0x540/0x540
[ 51.028327]  ? __lock_acquire+0x56a/0x3fa0
[ 51.032535]  ? deref_stack_reg+0xaa/0xe0
[ 51.036588]  ? ip_rcv+0x99f/0xf7a
[ 51.040033]  ? ip_rcv_finish+0x5c9/0x1490
[ 51.044156]  ? ip_rcv+0x9e2/0xf7a
[ 51.047688]  ? ip_local_deliver+0x450/0x450
[ 51.051992]  ? __lock_acquire+0x56a/0x3fa0
[ 51.056204]  ? check_preemption_disabled+0x35/0x1f0
[ 51.061193]  ? ip_local_deliver+0x450/0x450
[ 51.065502]  ? __netif_receive_skb_core+0x1364/0x2c60
[ 51.070663]  ? trace_hardirqs_on+0x10/0x10
[ 51.074872]  ? flush_backlog+0x580/0x580
[ 51.078909]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 51.084071]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 51.089234]  ? lock_acquire+0x10f/0x380
[ 51.093183]  ? __netif_receive_skb+0x55/0x1f0
[ 51.097650]  ? __netif_receive_skb+0x55/0x1f0
[ 51.102118]  ? netif_receive_skb_internal+0xec/0x5c0
[ 51.107195]  ? dev_cpu_dead+0x810/0x810
[ 51.111162]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 51.116586]  ? rcu_read_lock_sched_held+0x10a/0x130
[ 51.121686]  ? tun_rx_batched.isra.0+0x45d/0x730
[ 51.126425]  ? __skb_get_hash_symmetric+0x255/0x620
[ 51.131415]  ? tun_chr_read_iter+0x1c0/0x1c0
[ 51.135795]  ? tun_get_user+0xc07/0x3790
[ 51.139830]  ? __local_bh_enable_ip+0x65/0xc0
[ 51.144317]  ? tun_get_user+0xd95/0x3790
[ 51.148352]  ? tun_rx_batched.isra.0+0x730/0x730
[ 51.153310]  ? debug_mutex_wake_waiter+0x1d0/0x370
[ 51.158232]  ? __tun_get+0x11c/0x220
[ 51.161916]  ? check_preemption_disabled+0x35/0x1f0
[ 51.166901]  ? tun_chr_write_iter+0xcf/0x180
[ 51.171390]  ? do_iter_readv_writev+0x379/0x580
[ 51.176031]  ? clone_verify_area+0x1e0/0x1e0
[ 51.180510]  ? avc_policy_seqno+0x5/0x10
[ 51.184545]  ? security_file_permission+0x88/0x1e0
[ 51.189465]  ? do_iter_write+0x152/0x550
[ 51.193496]  ? signal_setup_done+0xac/0x270
[ 51.197816]  ? vfs_writev+0x146/0x2d0
[ 51.201595]  ? vfs_iter_write+0xa0/0xa0
[ 51.205545]  ? do_signal+0x488/0x15c0
[ 51.209325]  ? setup_sigcontext+0x810/0x810
[ 51.213622]  ? pgtable_bad+0x110/0x110
[ 51.217663]  ? __bad_area_nosemaphore+0x25f/0x280
[ 51.222496]  ? is_prefetch.isra.0.part.0+0x210/0x330
[ 51.227574]  ? do_writev+0xc9/0x240
[ 51.231180]  ? vfs_writev+0x2d0/0x2d0
[ 51.234954]  ? do_syscall_64+0x43/0x4b0
[ 51.238905]  ? SyS_readv+0x30/0x30
[ 51.242516]  ? do_syscall_64+0x19b/0x4b0
[ 51.246551]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 51.252240] Kernel Offset: 0x12400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 51.263149] Rebooting in 86400 seconds..