[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 9.931603] random: sshd: uninitialized urandom read (32 bytes read)
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login:
[ 14.951362] random: sshd: uninitialized urandom read (32 bytes read)
[ 15.195541] audit: type=1400 audit(1564931177.979:6): avc: denied { map } for pid=1760 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 15.227709] random: sshd: uninitialized urandom read (32 bytes read)
[ 15.812181] random: sshd: uninitialized urandom read (32 bytes read)
[ 15.963181] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.241' (ECDSA) to the list of known hosts.
[ 21.402940] random: sshd: uninitialized urandom read (32 bytes read)
[ 21.489801] audit: type=1400 audit(1564931184.269:7): avc: denied { map } for pid=1778 comm="syz-executor912" path="/root/syz-executor912122084" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 21.516248] audit: type=1400 audit(1564931184.289:8): avc: denied { prog_load } for pid=1778 comm="syz-executor912" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 21.539245] audit: type=1400 audit(1564931184.319:9): avc: denied { prog_run } for pid=1778 comm="syz-executor912" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 21.544786] ==================================================================
[ 21.569022] BUG: KASAN: use-after-free in _copy_to_user+0x9d/0xd0
[ 21.575269] Read of size 931 at addr ffff8881c33ffff3 by task syz-executor912/1778
[ 21.583022]
[ 21.584636] CPU: 0 PID: 1778 Comm: syz-executor912 Not tainted 4.14.136+ #27
[ 21.591897] Call Trace:
[ 21.594525] dump_stack+0xca/0x134
[ 21.598050] ? _copy_to_user+0x9d/0xd0
[ 21.601913] ? _copy_to_user+0x9d/0xd0
[ 21.605773] print_address_description+0x60/0x226
[ 21.610591] ? _copy_to_user+0x9d/0xd0
[ 21.614494] ? _copy_to_user+0x9d/0xd0
[ 21.618361] __kasan_report.cold+0x1a/0x41
[ 21.622575] ? _copy_to_user+0x9d/0xd0
[ 21.626437] ? _copy_to_user+0x9d/0xd0
[ 21.630351] ? bpf_test_finish.isra.0+0xa7/0x160
[ 21.635089] ? bpf_test_run+0x340/0x340
[ 21.639045] ? bpf_prog_test_run_skb+0x528/0x8c0
[ 21.643778] ? bpf_test_init.isra.0+0xc0/0xc0
[ 21.648296] ? bpf_prog_add+0x53/0xc0
[ 21.652080] ? bpf_test_init.isra.0+0xc0/0xc0
[ 21.656552] ? SyS_bpf+0xa3b/0x3830
[ 21.660161] ? bpf_prog_get+0x20/0x20
[ 21.663939] ? __do_page_fault+0x49f/0xbb0
[ 21.668149] ? lock_downgrade+0x5d0/0x5d0
[ 21.672279] ? __do_page_fault+0x677/0xbb0
[ 21.676499] ? do_syscall_64+0x43/0x520
[ 21.680455] ? bpf_prog_get+0x20/0x20
[ 21.684252] ? do_syscall_64+0x19b/0x520
[ 21.688339] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 21.693689]
[ 21.695289] The buggy address belongs to the page:
[ 21.700200] page:ffffea00070cffc0 count:0 mapcount:0 mapping: (null) index:0x0
[ 21.708316] flags: 0x4000000000000000()
[ 21.712269] raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff
[ 21.720126] raw: ffffea00070cffe0 ffffea00070cffe0 0000000000000000 0000000000000000
[ 21.727976] page dumped because: kasan: bad access detected
[ 21.733669]
[ 21.735271] Memory state around the buggy address:
[ 21.740210] ffff8881c33ffe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 21.747547] ffff8881c33fff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 21.754884] >ffff8881c33fff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 21.762228] ^
[ 21.769271] ffff8881c3400000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 21.776611] ffff8881c3400080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 21.784087] ==================================================================
[ 21.791419] Disabling lock debugging due to kernel taint
[ 21.796965] Kernel panic - not syncing: panic_on_warn set ...
[ 21.796965]
[ 21.804347] CPU: 0 PID: 1778 Comm: syz-executor912 Tainted: G B 4.14.136+ #27
[ 21.812721] Call Trace:
[ 21.815284] dump_stack+0xca/0x134
[ 21.818798] panic+0x1ea/0x3d3
[ 21.821962] ? add_taint.cold+0x16/0x16
[ 21.825951] ? _copy_to_user+0x9d/0xd0
[ 21.829859] ? ___preempt_schedule+0x16/0x18
[ 21.834250] ? _copy_to_user+0x9d/0xd0
[ 21.838111] end_report+0x43/0x49
[ 21.841538] ? _copy_to_user+0x9d/0xd0
[ 21.845397] __kasan_report.cold+0xd/0x41
[ 21.849586] ? _copy_to_user+0x9d/0xd0
[ 21.853460] ? _copy_to_user+0x9d/0xd0
[ 21.857366] ? bpf_test_finish.isra.0+0xa7/0x160
[ 21.862107] ? bpf_test_run+0x340/0x340
[ 21.866068] ? bpf_prog_test_run_skb+0x528/0x8c0
[ 21.870807] ? bpf_test_init.isra.0+0xc0/0xc0
[ 21.875281] ? bpf_prog_add+0x53/0xc0
[ 21.879052] ? bpf_test_init.isra.0+0xc0/0xc0
[ 21.883529] ? SyS_bpf+0xa3b/0x3830
[ 21.887146] ? bpf_prog_get+0x20/0x20
[ 21.890929] ? __do_page_fault+0x49f/0xbb0
[ 21.895139] ? lock_downgrade+0x5d0/0x5d0
[ 21.899263] ? __do_page_fault+0x677/0xbb0
[ 21.903470] ? do_syscall_64+0x43/0x520
[ 21.907418] ? bpf_prog_get+0x20/0x20
[ 21.911191] ? do_syscall_64+0x19b/0x520
[ 21.915228] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 21.921010] Kernel Offset: 0xa000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 21.931827] Rebooting in 86400 seconds..