[ 33.617942] audit: type=1800 audit(1580181384.854:33): pid=7137 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 33.646915] audit: type=1800 audit(1580181384.854:34): pid=7137 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 35.046882] random: sshd: uninitialized urandom read (32 bytes read)
[ 35.327050] audit: type=1400 audit(1580181386.564:35): avc: denied { map } for pid=7311 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 35.378327] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.062051] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.247318] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.19' (ECDSA) to the list of known hosts.
[ 41.770692] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 41.890237] audit: type=1400 audit(1580181393.124:36): avc: denied { map } for pid=7323 comm="syz-executor073" path="/root/syz-executor073367687" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 41.917927] audit: type=1400 audit(1580181393.134:37): avc: denied { create } for pid=7323 comm="syz-executor073" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
[ 41.918248] netlink: 20 bytes leftover after parsing attributes in process `syz-executor073'.
[ 41.944578] audit: type=1400 audit(1580181393.134:38): avc: denied { write } for pid=7323 comm="syz-executor073" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
[ 41.977528] ==================================================================
[ 41.985163] BUG: KASAN: global-out-of-bounds in nfnetlink_parse_nat_setup+0x3a2/0x3b0
[ 41.993708] Read of size 8 at addr ffffffff875d0478 by task syz-executor073/7323
[ 42.001363]
[ 42.002974] CPU: 0 PID: 7323 Comm: syz-executor073 Not tainted 4.14.168-syzkaller #0
[ 42.011181] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.020605] Call Trace:
[ 42.023181] dump_stack+0x142/0x197
[ 42.026797] ? nfnetlink_parse_nat_setup+0x3a2/0x3b0
[ 42.032146] print_address_description.cold+0x5/0x1dc
[ 42.037324] ? nfnetlink_parse_nat_setup+0x3a2/0x3b0
[ 42.042417] kasan_report.cold+0xa9/0x2af
[ 42.046552] __asan_report_load8_noabort+0x14/0x20
[ 42.051461] nfnetlink_parse_nat_setup+0x3a2/0x3b0
[ 42.056367] ? nf_nat_alloc_null_binding+0x50/0x50
[ 42.061447] ? rcu_read_lock_sched_held+0x110/0x130
[ 42.066455] ? __lock_is_held+0xb6/0x140
[ 42.070503] ? check_preemption_disabled+0x3c/0x250
[ 42.075499] ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 42.080934] ? nf_nat_alloc_null_binding+0x50/0x50
[ 42.086012] ctnetlink_parse_nat_setup+0x76/0x4a0
[ 42.091041] ctnetlink_create_conntrack+0x468/0x10c0
[ 42.096134] ? queue_work_on+0xfd/0x1d0
[ 42.100217] ? ctnetlink_del_conntrack+0x5e0/0x5e0
[ 42.105150] ? hash_conntrack_raw+0x2c1/0x430
[ 42.109678] ? nf_ct_get_id+0x170/0x170
[ 42.113699] ctnetlink_new_conntrack+0x4af/0xcc0
[ 42.119552] ? ctnetlink_create_conntrack+0x10c0/0x10c0
[ 42.124921] ? ctnetlink_create_conntrack+0x10c0/0x10c0
[ 42.130369] nfnetlink_rcv_msg+0xa08/0xc00
[ 42.134619] netlink_rcv_skb+0x14f/0x3c0
[ 42.138661] ? nfnetlink_bind+0x240/0x240
[ 42.142797] ? netlink_ack+0x9a0/0x9a0
[ 42.146685] ? ns_capable_common+0x12c/0x160
[ 42.151084] ? __netlink_ns_capable+0xe2/0x130
[ 42.155679] nfnetlink_rcv+0x1ab/0x1650
[ 42.160476] ? netlink_deliver_tap+0x93/0x8f0
[ 42.165001] ? find_held_lock+0x35/0x130
[ 42.169047] ? netlink_deliver_tap+0x93/0x8f0
[ 42.173645] ? nfnl_err_del+0x160/0x160
[ 42.177708] ? lock_downgrade+0x740/0x740
[ 42.181854] ? netlink_deliver_tap+0xba/0x8f0
[ 42.186564] netlink_unicast+0x44d/0x650
[ 42.190634] ? netlink_attachskb+0x6a0/0x6a0
[ 42.195027] ? security_netlink_send+0x81/0xb0
[ 42.199595] netlink_sendmsg+0x7c4/0xc60
[ 42.203651] ? netlink_unicast+0x650/0x650
[ 42.207866] ? security_socket_sendmsg+0x89/0xb0
[ 42.212604] ? netlink_unicast+0x650/0x650
[ 42.216816] sock_sendmsg+0xce/0x110
[ 42.220529] ___sys_sendmsg+0x70a/0x840
[ 42.224482] ? lock_downgrade+0x740/0x740
[ 42.228609] ? copy_msghdr_from_user+0x3f0/0x3f0
[ 42.233365] ? do_raw_spin_unlock+0x174/0x260
[ 42.237839] ? _raw_spin_unlock+0x2d/0x50
[ 42.241977] ? do_huge_pmd_anonymous_page+0x2f9/0x1200
[ 42.247244] ? prep_transhuge_page+0xa0/0xa0
[ 42.251647] ? __handle_mm_fault+0x692/0x33d0
[ 42.256130] ? save_trace+0x290/0x290
[ 42.259908] ? copy_page_range+0x1de0/0x1de0
[ 42.264392] ? __do_page_fault+0x4e9/0xb80
[ 42.268603] ? __fget_light+0x172/0x1f0
[ 42.272570] ? __fdget+0x1b/0x20
[ 42.275913] ? sockfd_lookup_light+0xb4/0x160
[ 42.280386] __sys_sendmsg+0xb9/0x140
[ 42.284163] ? SyS_shutdown+0x170/0x170
[ 42.288133] SyS_sendmsg+0x2d/0x50
[ 42.292812] ? __sys_sendmsg+0x140/0x140
[ 42.296967] do_syscall_64+0x1e8/0x640
[ 42.300846] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 42.305776] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.311232] RIP: 0033:0x4401b9
[ 42.314521] RSP: 002b:00007ffdb5982c58 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 42.323385] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401b9
[ 42.331078] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
[ 42.338594] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 42.346181] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40
[ 42.353591] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000
[ 42.360948]
[ 42.362673] The buggy address belongs to the variable:
[ 42.368030] nft_table_policy+0xd8/0xe0
[ 42.372110]
[ 42.374441] Memory state around the buggy address:
[ 42.379718] ffffffff875d0300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 42.387449] ffffffff875d0380: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
[ 42.395991] >ffffffff875d0400: 00 00 00 00 fa fa fa fa 00 02 fa fa fa fa fa fa
[ 42.403449] ^
[ 42.410712] ffffffff875d0480: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
[ 42.418464] ffffffff875d0500: 00 00 00 00 00 00 fa fa fa fa fa fa 00 00 00 00
[ 42.426056] ==================================================================
[ 42.433557] Disabling lock debugging due to kernel taint
[ 42.439974] Kernel panic - not syncing: panic_on_warn set ...
[ 42.439974]
[ 42.447357] CPU: 1 PID: 7323 Comm: syz-executor073 Tainted: G B 4.14.168-syzkaller #0
[ 42.456554] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.466026] Call Trace:
[ 42.468711] dump_stack+0x142/0x197
[ 42.472338] ? nfnetlink_parse_nat_setup+0x3a2/0x3b0
[ 42.477484] panic+0x1f9/0x42d
[ 42.480728] ? add_taint.cold+0x16/0x16
[ 42.484684] ? ___preempt_schedule+0x16/0x18
[ 42.489098] kasan_end_report+0x47/0x4f
[ 42.493058] kasan_report.cold+0x130/0x2af
[ 42.497280] __asan_report_load8_noabort+0x14/0x20
[ 42.502341] nfnetlink_parse_nat_setup+0x3a2/0x3b0
[ 42.507336] ? nf_nat_alloc_null_binding+0x50/0x50
[ 42.512257] ? rcu_read_lock_sched_held+0x110/0x130
[ 42.517257] ? __lock_is_held+0xb6/0x140
[ 42.521544] ? check_preemption_disabled+0x3c/0x250
[ 42.526621] ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 42.532067] ? nf_nat_alloc_null_binding+0x50/0x50
[ 42.537109] ctnetlink_parse_nat_setup+0x76/0x4a0
[ 42.541940] ctnetlink_create_conntrack+0x468/0x10c0
[ 42.547184] ? queue_work_on+0xfd/0x1d0
[ 42.551307] ? ctnetlink_del_conntrack+0x5e0/0x5e0
[ 42.556265] ? hash_conntrack_raw+0x2c1/0x430
[ 42.560751] ? nf_ct_get_id+0x170/0x170
[ 42.564725] ctnetlink_new_conntrack+0x4af/0xcc0
[ 42.573335] ? ctnetlink_create_conntrack+0x10c0/0x10c0
[ 42.578827] ? ctnetlink_create_conntrack+0x10c0/0x10c0
[ 42.584532] nfnetlink_rcv_msg+0xa08/0xc00
[ 42.588782] netlink_rcv_skb+0x14f/0x3c0
[ 42.593009] ? nfnetlink_bind+0x240/0x240
[ 42.597245] ? netlink_ack+0x9a0/0x9a0
[ 42.601232] ? ns_capable_common+0x12c/0x160
[ 42.605737] ? __netlink_ns_capable+0xe2/0x130
[ 42.610364] nfnetlink_rcv+0x1ab/0x1650
[ 42.614450] ? netlink_deliver_tap+0x93/0x8f0
[ 42.619007] ? find_held_lock+0x35/0x130
[ 42.623180] ? netlink_deliver_tap+0x93/0x8f0
[ 42.627665] ? nfnl_err_del+0x160/0x160
[ 42.631650] ? lock_downgrade+0x740/0x740
[ 42.635794] ? netlink_deliver_tap+0xba/0x8f0
[ 42.640388] netlink_unicast+0x44d/0x650
[ 42.644454] ? netlink_attachskb+0x6a0/0x6a0
[ 42.649028] ? security_netlink_send+0x81/0xb0
[ 42.653611] netlink_sendmsg+0x7c4/0xc60
[ 42.657747] ? netlink_unicast+0x650/0x650
[ 42.662039] ? security_socket_sendmsg+0x89/0xb0
[ 42.666787] ? netlink_unicast+0x650/0x650
[ 42.671007] sock_sendmsg+0xce/0x110
[ 42.674720] ___sys_sendmsg+0x70a/0x840
[ 42.678688] ? lock_downgrade+0x740/0x740
[ 42.682838] ? copy_msghdr_from_user+0x3f0/0x3f0
[ 42.687703] ? do_raw_spin_unlock+0x174/0x260
[ 42.692306] ? _raw_spin_unlock+0x2d/0x50
[ 42.696454] ? do_huge_pmd_anonymous_page+0x2f9/0x1200
[ 42.701726] ? prep_transhuge_page+0xa0/0xa0
[ 42.706208] ? __handle_mm_fault+0x692/0x33d0
[ 42.710800] ? save_trace+0x290/0x290
[ 42.714697] ? copy_page_range+0x1de0/0x1de0
[ 42.719087] ? __do_page_fault+0x4e9/0xb80
[ 42.723425] ? __fget_light+0x172/0x1f0
[ 42.727753] ? __fdget+0x1b/0x20
[ 42.731115] ? sockfd_lookup_light+0xb4/0x160
[ 42.735718] __sys_sendmsg+0xb9/0x140
[ 42.739678] ? SyS_shutdown+0x170/0x170
[ 42.743754] SyS_sendmsg+0x2d/0x50
[ 42.747666] ? __sys_sendmsg+0x140/0x140
[ 42.751796] do_syscall_64+0x1e8/0x640
[ 42.755681] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 42.760809] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.766113] RIP: 0033:0x4401b9
[ 42.769304] RSP: 002b:00007ffdb5982c58 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 42.777006] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401b9
[ 42.784718] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
[ 42.791979] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 42.799460] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40
[ 42.807332] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000
[ 42.815982] Kernel Offset: disabled
[ 42.819712] Rebooting in 86400 seconds..