[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.81' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 33.223365] audit: type=1400 audit(1602047127.319:8): avc: denied { execmem } for pid=6353 comm="syz-executor652" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 33.260957] ==================================================================
[ 33.260979] BUG: KASAN: slab-out-of-bounds in bit_putcs+0xab7/0xc30
[ 33.260983] Read of size 1 at addr ffff8880a7da5b3e by task syz-executor652/6353
[ 33.260984]
[ 33.260990] CPU: 1 PID: 6353 Comm: syz-executor652 Not tainted 4.14.198-syzkaller #0
[ 33.260993] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.260995] Call Trace:
[ 33.261004]  dump_stack+0x1b2/0x283
[ 33.261014]  print_address_description.cold+0x54/0x1d3
[ 33.261019]  kasan_report_error.cold+0x8a/0x194
[ 33.261023]  ? bit_putcs+0xab7/0xc30
[ 33.261028]  __asan_report_load1_noabort+0x68/0x70
[ 33.261032]  ? bit_putcs+0xab7/0xc30
[ 33.261036]  bit_putcs+0xab7/0xc30
[ 33.261047]  ? bit_cursor+0x1620/0x1620
[ 33.261054]  ? __lock_acquire+0x5e1/0x3f20
[ 33.261061]  ? fb_get_color_depth+0x100/0x200
[ 33.261067]  ? bit_cursor+0x1620/0x1620
[ 33.261071]  fbcon_putcs+0x2fe/0x480
[ 33.261075]  ? fb_flashcursor+0x400/0x400
[ 33.261081]  do_con_write+0x9dd/0x19b0
[ 33.261091]  ? do_con_trol+0x51e0/0x51e0
[ 33.261100]  ? _raw_spin_unlock_irqrestore+0x79/0xe0
[ 33.261105]  con_write+0x21/0xa0
[ 33.261110]  n_tty_write+0x352/0xda0
[ 33.261119]  ? n_tty_open+0x160/0x160
[ 33.261124]  ? do_wait_intr_irq+0x270/0x270
[ 33.261131]  ? __might_fault+0x177/0x1b0
[ 33.261138]  tty_write+0x410/0x740
[ 33.261141]  ? n_tty_open+0x160/0x160
[ 33.261149]  __vfs_write+0xe4/0x630
[ 33.261157]  ? tty_compat_ioctl+0x240/0x240
[ 33.261162]  ? kernel_read+0x110/0x110
[ 33.261169]  ? avc_policy_seqno+0x5/0x10
[ 33.261173]  ? selinux_file_permission+0x7e/0x530
[ 33.261181]  ? security_file_permission+0x82/0x1e0
[ 33.261186]  ? rw_verify_area+0xe1/0x2a0
[ 33.261191]  vfs_write+0x17f/0x4d0
[ 33.261196]  SyS_write+0xf2/0x210
[ 33.261200]  ? SyS_read+0x210/0x210
[ 33.261207]  ? do_syscall_64+0x4c/0x640
[ 33.261211]  ? SyS_read+0x210/0x210
[ 33.261216]  do_syscall_64+0x1d5/0x640
[ 33.261222]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 33.261227] RIP: 0033:0x4403c9
[ 33.261229] RSP: 002b:00007ffdbc816238 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 33.261235] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403c9
[ 33.261237] RDX: 0000000000001006 RSI: 0000000020000180 RDI: 0000000000000006
[ 33.261240] RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
[ 33.261242] R10: 000000000000000d R11: 0000000000000246 R12: 0000000000401c30
[ 33.261245] R13: 0000000000401cc0 R14: 0000000000000000 R15: 0000000000000000
[ 33.261252]
[ 33.261254] Allocated by task 6335:
[ 33.261259]  kasan_kmalloc+0xeb/0x160
[ 33.261263]  __kmalloc+0x15a/0x400
[ 33.261267]  alloc_pipe_info+0x140/0x3c0
[ 33.261270]  create_pipe_files+0xc4/0x880
[ 33.261273]  SyS_pipe2+0x76/0x160
[ 33.261277]  do_syscall_64+0x1d5/0x640
[ 33.261280]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 33.261282]
[ 33.261283] Freed by task 6335:
[ 33.261287]  kasan_slab_free+0xc3/0x1a0
[ 33.261297]  kfree+0xc9/0x250
[ 33.261300]  free_pipe_info+0x1f0/0x2a0
[ 33.261304]  pipe_release+0x29f/0x300
[ 33.261307]  __fput+0x25f/0x7a0
[ 33.261311]  task_work_run+0x11f/0x190
[ 33.261315]  exit_to_usermode_loop+0x1ad/0x200
[ 33.261318]  do_syscall_64+0x4a3/0x640
[ 33.261322]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 33.261323]
[ 33.261326] The buggy address belongs to the object at ffff8880a7da56c0
[ 33.261326]  which belongs to the cache kmalloc-1024 of size 1024
[ 33.261330] The buggy address is located 126 bytes to the right of
[ 33.261330]  1024-byte region [ffff8880a7da56c0, ffff8880a7da5ac0)
[ 33.261332] The buggy address belongs to the page:
[ 33.261337] page:ffffea00029f6900 count:1 mapcount:0 mapping:ffff8880a7da4040 index:0x0 compound_mapcount: 0
[ 33.261343] flags: 0xfffe0000008100(slab|head)
[ 33.261350] raw: 00fffe0000008100 ffff8880a7da4040 0000000000000000 0000000100000007
[ 33.261354] raw: ffffea00029f1620 ffffea00029f69a0 ffff88812fe50ac0 0000000000000000
[ 33.261356] page dumped because: kasan: bad access detected
[ 33.261357]
[ 33.261358] Memory state around the buggy address:
[ 33.261362]  ffff8880a7da5a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.261365]  ffff8880a7da5a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 33.261368] >ffff8880a7da5b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 33.261370]                                         ^
[ 33.261373]  ffff8880a7da5b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.261376]  ffff8880a7da5c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.261378] ==================================================================
[ 33.261379] Disabling lock debugging due to kernel taint
[ 33.261382] Kernel panic - not syncing: panic_on_warn set ...
[ 33.261382]
[ 33.261386] CPU: 1 PID: 6353 Comm: syz-executor652 Tainted: G B 4.14.198-syzkaller #0
[ 33.261388] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.261389] Call Trace:
[ 33.261393]  dump_stack+0x1b2/0x283
[ 33.261399]  panic+0x1f9/0x42d
[ 33.261403]  ? add_taint.cold+0x16/0x16
[ 33.261408]  ? lock_downgrade+0x740/0x740
[ 33.261413]  kasan_end_report+0x43/0x49
[ 33.261417]  kasan_report_error.cold+0xa7/0x194
[ 33.261421]  ? bit_putcs+0xab7/0xc30
[ 33.261425]  __asan_report_load1_noabort+0x68/0x70
[ 33.261428]  ? bit_putcs+0xab7/0xc30
[ 33.261432]  bit_putcs+0xab7/0xc30
[ 33.261439]  ? bit_cursor+0x1620/0x1620
[ 33.261443]  ? __lock_acquire+0x5e1/0x3f20
[ 33.261448]  ? fb_get_color_depth+0x100/0x200
[ 33.261452]  ? bit_cursor+0x1620/0x1620
[ 33.261455]  fbcon_putcs+0x2fe/0x480
[ 33.261459]  ? fb_flashcursor+0x400/0x400
[ 33.261463]  do_con_write+0x9dd/0x19b0
[ 33.261470]  ? do_con_trol+0x51e0/0x51e0
[ 33.261475]  ? _raw_spin_unlock_irqrestore+0x79/0xe0
[ 33.261479]  con_write+0x21/0xa0
[ 33.261482]  n_tty_write+0x352/0xda0
[ 33.261488]  ? n_tty_open+0x160/0x160
[ 33.261492]  ? do_wait_intr_irq+0x270/0x270
[ 33.261496]  ? __might_fault+0x177/0x1b0
[ 33.261501]  tty_write+0x410/0x740
[ 33.261504]  ? n_tty_open+0x160/0x160
[ 33.261509]  __vfs_write+0xe4/0x630
[ 33.261513]  ? tty_compat_ioctl+0x240/0x240
[ 33.261516]  ? kernel_read+0x110/0x110
[ 33.261521]  ? avc_policy_seqno+0x5/0x10
[ 33.261524]  ? selinux_file_permission+0x7e/0x530
[ 33.261529]  ? security_file_permission+0x82/0x1e0
[ 33.261532]  ? rw_verify_area+0xe1/0x2a0
[ 33.261536]  vfs_write+0x17f/0x4d0
[ 33.261540]  SyS_write+0xf2/0x210
[ 33.261544]  ? SyS_read+0x210/0x210
[ 33.261548]  ? do_syscall_64+0x4c/0x640
[ 33.261551]  ? SyS_read+0x210/0x210
[ 33.261555]  do_syscall_64+0x1d5/0x640
[ 33.261560]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 33.261562] RIP: 0033:0x4403c9
[ 33.261564] RSP: 002b:00007ffdbc816238 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 33.261569] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403c9
[ 33.261571] RDX: 0000000000001006 RSI: 0000000020000180 RDI: 0000000000000006
[ 33.261573] RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
[ 33.261575] R10: 000000000000000d R11: 0000000000000246 R12: 0000000000401c30
[ 33.261577] R13: 0000000000401cc0 R14: 0000000000000000 R15: 0000000000000000
[ 33.262622] Kernel Offset: disabled
[ 33.942694] Rebooting in 86400 seconds..