[ ok ] Starting enhanced syslogd: rsyslogd.
[ 13.236130] audit: type=1400 audit(1512850494.420:5): avc: denied { syslog } for pid=2993 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 26.806144] audit: type=1400 audit(1512850507.990:6): avc: denied { map } for pid=3135 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added 'ci-upstream-kasan-gce-0,10.128.0.2' (ECDSA) to the list of known hosts.
executing program
[ 32.898739] audit: type=1400 audit(1512850514.083:7): avc: denied { map } for pid=3149 comm="syzkaller168370" path="/root/syzkaller168370441" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 32.903759] ==================================================================
[ 32.903774] BUG: KASAN: use-after-free in aead_recvmsg+0x1758/0x1bc0
[ 32.903779] Read of size 4 at addr ffff8801c5259e5c by task syzkaller168370/3149
[ 32.903781]
[ 32.903788] CPU: 0 PID: 3149 Comm: syzkaller168370 Not tainted 4.15.0-rc2+ #214
[ 32.903793] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.903795] Call Trace:
[ 32.903803]  dump_stack+0x194/0x257
[ 32.903813]  ? arch_local_irq_restore+0x53/0x53
[ 32.903821]  ? show_regs_print_info+0x18/0x18
[ 32.903831]  ? af_alg_make_sg+0x510/0x510
[ 32.903838]  ? aead_recvmsg+0x1758/0x1bc0
[ 32.903846]  print_address_description+0x73/0x250
[ 32.903853]  ? aead_recvmsg+0x1758/0x1bc0
[ 32.903860]  kasan_report+0x25b/0x340
[ 32.903870]  __asan_report_load4_noabort+0x14/0x20
[ 32.903876]  aead_recvmsg+0x1758/0x1bc0
[ 32.903900]  ? aead_release+0x50/0x50
[ 32.903911]  ? selinux_socket_recvmsg+0x36/0x40
[ 32.903918]  ? security_socket_recvmsg+0x91/0xc0
[ 32.903927]  ? aead_release+0x50/0x50
[ 32.903935]  sock_recvmsg+0xc9/0x110
[ 32.903941]  ? __sock_recv_wifi_status+0x210/0x210
[ 32.903950]  ___sys_recvmsg+0x29b/0x630
[ 32.903965]  ? ___sys_sendmsg+0x8a0/0x8a0
[ 32.903992]  ? __handle_mm_fault+0x3e20/0x3e20
[ 32.903998]  ? vmacache_find+0x5f/0x280
[ 32.904016]  ? up_read+0x1a/0x40
[ 32.904025]  ? __do_page_fault+0x3d6/0xc90
[ 32.904032]  ? task_work_run+0x1f4/0x270
[ 32.904048]  ? __fdget+0x18/0x20
[ 32.904059]  __sys_recvmsg+0xe2/0x210
[ 32.904064]  ? __sys_recvmsg+0xe2/0x210
[ 32.904072]  ? SyS_sendmmsg+0x60/0x60
[ 32.904081]  ? __do_page_fault+0xc90/0xc90
[ 32.904105]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 32.904117]  SyS_recvmsg+0x2d/0x50
[ 32.904131]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 32.904136] RIP: 0033:0x440009
[ 32.904140] RSP: 002b:00007ffee19bc768 EFLAGS: 00000286 ORIG_RAX: 000000000000002f
[ 32.904147] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440009
[ 32.904151] RDX: 0000000000002021 RSI: 0000000020b2dfc8 RDI: 0000000000000004
[ 32.904155] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[ 32.904159] R10: 0000000000000000 R11: 0000000000000286 R12: 0000000000401970
[ 32.904162] R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
[ 32.904181]
[ 32.904185] Allocated by task 3149:
[ 32.904190]  save_stack+0x43/0xd0
[ 32.904194]  kasan_kmalloc+0xad/0xe0
[ 32.904200]  __kmalloc+0x162/0x760
[ 32.904207]  crypto_create_tfm+0x82/0x2e0
[ 32.904212]  crypto_alloc_tfm+0x10e/0x2f0
[ 32.904217]  crypto_alloc_skcipher+0x2c/0x40
[ 32.904223]  crypto_get_default_null_skcipher+0x5f/0x80
[ 32.904228]  aead_bind+0x89/0x140
[ 32.904232]  alg_bind+0x1ab/0x440
[ 32.904236]  SYSC_bind+0x1b4/0x3f0
[ 32.904241]  SyS_bind+0x24/0x30
[ 32.904246]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 32.904248]
[ 32.904251] Freed by task 3149:
[ 32.904255]  save_stack+0x43/0xd0
[ 32.904260]  kasan_slab_free+0x71/0xc0
[ 32.904264]  kfree+0xca/0x250
[ 32.904269]  kzfree+0x28/0x30
[ 32.904274]  crypto_destroy_tfm+0x140/0x2e0
[ 32.904279]  crypto_put_default_null_skcipher+0x35/0x60
[ 32.904284]  aead_sock_destruct+0x13c/0x220
[ 32.904289]  __sk_destruct+0xfd/0x910
[ 32.904293]  sk_destruct+0x47/0x80
[ 32.904298]  __sk_free+0x57/0x230
[ 32.904302]  sk_free+0x2a/0x40
[ 32.904306]  af_alg_release+0x5d/0x70
[ 32.904310]  sock_release+0x8d/0x1e0
[ 32.904315]  sock_close+0x16/0x20
[ 32.904320]  __fput+0x333/0x7f0
[ 32.904325]  ____fput+0x15/0x20
[ 32.904330]  task_work_run+0x199/0x270
[ 32.904337]  exit_to_usermode_loop+0x296/0x310
[ 32.904341]  syscall_return_slowpath+0x490/0x550
[ 32.904346]  entry_SYSCALL_64_fastpath+0x94/0x96
[ 32.904348]
[ 32.904353] The buggy address belongs to the object at ffff8801c5259e40
[ 32.904353]  which belongs to the cache kmalloc-128 of size 128
[ 32.904357] The buggy address is located 28 bytes inside of
[ 32.904357]  128-byte region [ffff8801c5259e40, ffff8801c5259ec0)
[ 32.904360] The buggy address belongs to the page:
[ 32.904365] page:00000000ac68fd2d count:1 mapcount:0 mapping:000000003296ebe9 index:0x0
[ 32.904372] flags: 0x2fffc0000000100(slab)
[ 32.904381] raw: 02fffc0000000100 ffff8801c5259000 0000000000000000 0000000100000015
[ 32.904386] raw: ffffea00071653a0 ffffea0007133320 ffff8801db000640 0000000000000000
[ 32.904390] page dumped because: kasan: bad access detected
[ 32.904392]
[ 32.904394] Memory state around the buggy address:
[ 32.904400]  ffff8801c5259d00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 32.904404]  ffff8801c5259d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 32.904409] >ffff8801c5259e00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 32.904412]                                                     ^
[ 32.904417]  ffff8801c5259e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 32.904421]  ffff8801c5259f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.904424] ==================================================================
[ 32.904426] Disabling lock debugging due to kernel taint
[ 32.904442] Kernel panic - not syncing: panic_on_warn set ...
[ 32.904442]
[ 32.904446] CPU: 0 PID: 3149 Comm: syzkaller168370 Tainted: G    B    4.15.0-rc2+ #214
[ 32.904448] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.904450] Call Trace:
[ 32.904454]  dump_stack+0x194/0x257
[ 32.904459]  ? arch_local_irq_restore+0x53/0x53
[ 32.904464]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 32.904469]  ? vsnprintf+0x1ed/0x1900
[ 32.904473]  ? aead_recvmsg+0x1710/0x1bc0
[ 32.904478]  panic+0x1e4/0x41c
[ 32.904481]  ? refcount_error_report+0x214/0x214
[ 32.904488]  ? add_taint+0x1c/0x50
[ 32.904492]  ? add_taint+0x1c/0x50
[ 32.904497]  ? aead_recvmsg+0x1758/0x1bc0
[ 32.904501]  kasan_end_report+0x50/0x50
[ 32.904504]  kasan_report+0x144/0x340
[ 32.904510]  __asan_report_load4_noabort+0x14/0x20
[ 32.904514]  aead_recvmsg+0x1758/0x1bc0
[ 32.904527]  ? aead_release+0x50/0x50
[ 32.904532]  ? selinux_socket_recvmsg+0x36/0x40
[ 32.904536]  ? security_socket_recvmsg+0x91/0xc0
[ 32.904541]  ? aead_release+0x50/0x50
[ 32.904545]  sock_recvmsg+0xc9/0x110
[ 32.904549]  ? __sock_recv_wifi_status+0x210/0x210
[ 32.904554]  ___sys_recvmsg+0x29b/0x630
[ 32.904562]  ? ___sys_sendmsg+0x8a0/0x8a0
[ 32.904575]  ? __handle_mm_fault+0x3e20/0x3e20
[ 32.904579]  ? vmacache_find+0x5f/0x280
[ 32.904586]  ? up_read+0x1a/0x40
[ 32.904590]  ? __do_page_fault+0x3d6/0xc90
[ 32.904594]  ? task_work_run+0x1f4/0x270
[ 32.904601]  ? __fdget+0x18/0x20
[ 32.904608]  __sys_recvmsg+0xe2/0x210
[ 32.904611]  ? __sys_recvmsg+0xe2/0x210
[ 32.904616]  ? SyS_sendmmsg+0x60/0x60
[ 32.904621]  ? __do_page_fault+0xc90/0xc90
[ 32.904634]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 32.904641]  SyS_recvmsg+0x2d/0x50
[ 32.904645]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 32.904648] RIP: 0033:0x440009
[ 32.904650] RSP: 002b:00007ffee19bc768 EFLAGS: 00000286 ORIG_RAX: 000000000000002f
[ 32.904654] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440009
[ 32.904656] RDX: 0000000000002021 RSI: 0000000020b2dfc8 RDI: 0000000000000004
[ 32.904658] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[ 32.904660] R10: 0000000000000000 R11: 0000000000000286 R12: 0000000000401970
[ 32.904662] R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
[ 32.924654] Dumping ftrace buffer:
[ 32.924658]    (ftrace buffer empty)
[ 32.924660] Kernel Offset: disabled
[ 33.628914] Rebooting in 86400 seconds..