[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 19.989066] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 23.768270] random: sshd: uninitialized urandom read (32 bytes read) [ 24.263274] random: sshd: uninitialized urandom read (32 bytes read) [ 25.010070] random: sshd: uninitialized urandom read (32 bytes read) [ 40.037713] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.35' (ECDSA) to the list of known hosts. [ 45.538968] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 45.653565] ================================================================== [ 45.661024] BUG: KASAN: slab-out-of-bounds in __sctp_v6_cmp_addr+0x4c7/0x530 [ 45.668192] Read of size 8 at addr ffff8801acffc6a0 by task syz-executor477/4496 [ 45.675701] [ 45.677314] CPU: 0 PID: 4496 Comm: syz-executor477 Not tainted 4.17.0-rc2+ #18 [ 45.684652] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 45.693986] Call Trace: [ 45.696563] dump_stack+0x1b9/0x294 [ 45.700173] ? dump_stack_print_info.cold.2+0x52/0x52 [ 45.705345] ? printk+0x9e/0xba [ 45.708606] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 45.713349] ? kasan_check_write+0x14/0x20 [ 45.717569] print_address_description+0x6c/0x20b [ 45.722397] ? __sctp_v6_cmp_addr+0x4c7/0x530 [ 45.726876] kasan_report.cold.7+0x242/0x2fe [ 45.731364] __asan_report_load8_noabort+0x14/0x20 [ 45.736279] __sctp_v6_cmp_addr+0x4c7/0x530 [ 45.740584] sctp_inet6_cmp_addr+0x169/0x1a0 [ 45.744977] sctp_bind_addr_match+0x20b/0x400 [ 45.749454] ? sctp_bind_addrs_to_raw+0x370/0x370 [ 45.754283] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 45.759806] ? sctp_v4_available+0x1b1/0x200 [ 45.764202] ? sctp_inet6_bind_verify+0xb2/0x500 [ 45.768943] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 45.774465] sctp_do_bind+0x1c0/0x5f0 [ 45.778264] sctp_bindx_add+0x90/0x1a0 [ 45.782136] sctp_setsockopt_bindx+0x2ad/0x320 [ 45.786703] sctp_setsockopt+0x12c4/0x7000 [ 45.790932] ? mark_held_locks+0xc9/0x160 [ 45.795071] ? page_add_new_anon_rmap+0x3ff/0x850 [ 45.799901] ? sctp_setsockopt_paddr_thresholds+0x560/0x560 [ 45.805595] ? find_held_lock+0x36/0x1c0 [ 45.809645] ? lock_downgrade+0x8e0/0x8e0 [ 45.813864] ? pudp_huge_clear_flush+0x230/0x230 [ 45.818612] ? kasan_check_read+0x11/0x20 [ 45.822745] ? do_raw_spin_unlock+0x9e/0x2e0 [ 45.827135] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 45.831705] ? kasan_check_write+0x14/0x20 [ 45.835927] ? do_raw_spin_lock+0xc1/0x200 [ 45.840159] ? _raw_spin_unlock+0x22/0x30 [ 45.844292] ? do_huge_pmd_anonymous_page+0x48d/0x1cc0 [ 45.849557] ? __thp_get_unmapped_area+0x180/0x180 [ 45.854475] ? debug_check_no_locks_freed+0x310/0x310 [ 45.859647] ? alloc_file+0x24/0x3e0 [ 45.863343] ? sock_alloc_file+0x1f3/0x4e0 [ 45.867560] ? __sys_socket+0x16f/0x250 [ 45.871522] ? do_syscall_64+0x1b1/0x800 [ 45.875569] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 45.880924] ? debug_mutex_init+0x1c/0x60 [ 45.885055] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 45.890053] ? graph_lock+0x170/0x170 [ 45.894209] ? pud_val+0x80/0xf0 [ 45.897565] ? pmd_val+0xf0/0xf0 [ 45.900923] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 45.906453] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 45.911984] ? __handle_mm_fault+0x93a/0x4310 [ 45.916469] ? vm_insert_mixed_mkwrite+0x40/0x40 [ 45.921207] ? graph_lock+0x170/0x170 [ 45.925006] ? graph_lock+0x170/0x170 [ 45.928791] ? find_held_lock+0x36/0x1c0 [ 45.932936] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 45.938454] ? __fget_light+0x2ef/0x430 [ 45.942412] ? fget_raw+0x20/0x20 [ 45.945859] ? lock_downgrade+0x8e0/0x8e0 [ 45.949989] ? handle_mm_fault+0x8c0/0xc70 [ 45.954214] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 45.959823] ? handle_mm_fault+0x55a/0xc70 [ 45.964065] sock_common_setsockopt+0x9a/0xe0 [ 45.968553] __sys_setsockopt+0x1bd/0x390 [ 45.972683] ? kernel_accept+0x310/0x310 [ 45.976738] ? mm_fault_error+0x380/0x380 [ 45.980906] ? __ia32_sys_fallocate+0xf0/0xf0 [ 45.985406] __x64_sys_setsockopt+0xbe/0x150 [ 45.989803] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 45.994804] do_syscall_64+0x1b1/0x800 [ 45.998675] ? syscall_return_slowpath+0x5c0/0x5c0 [ 46.003588] ? syscall_return_slowpath+0x30f/0x5c0 [ 46.008507] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 46.013865] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 46.018700] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 46.024355] RIP: 0033:0x43fda9 [ 46.027526] RSP: 002b:00007ffd393eebe8 EFLAGS: 00000217 ORIG_RAX: 0000000000000036 [ 46.035217] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fda9 [ 46.042478] RDX: 0000000000000064 RSI: 0000000000000084 RDI: 0000000000000003 [ 46.049742] RBP: 00000000006ca018 R08: 0000000000000020 R09: 00000000004002c8 [ 46.057005] R10: 0000000020d24000 R11: 0000000000000217 R12: 00000000004016d0 [ 46.064262] R13: 0000000000401760 R14: 0000000000000000 R15: 0000000000000000 [ 46.071608] [ 46.073216] Allocated by task 4496: [ 46.076830] save_stack+0x43/0xd0 [ 46.080273] kasan_kmalloc+0xc4/0xe0 [ 46.083968] __kmalloc_node+0x47/0x70 [ 46.087749] kvmalloc_node+0x6b/0x100 [ 46.091535] vmemdup_user+0x2d/0xa0 [ 46.095154] sctp_setsockopt_bindx+0x5d/0x320 [ 46.099629] sctp_setsockopt+0x12c4/0x7000 [ 46.104461] sock_common_setsockopt+0x9a/0xe0 [ 46.108937] __sys_setsockopt+0x1bd/0x390 [ 46.113065] __x64_sys_setsockopt+0xbe/0x150 [ 46.117469] do_syscall_64+0x1b1/0x800 [ 46.121343] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 46.126508] [ 46.128113] Freed by task 2859: [ 46.131391] save_stack+0x43/0xd0 [ 46.134827] __kasan_slab_free+0x11a/0x170 [ 46.139043] kasan_slab_free+0xe/0x10 [ 46.143088] kfree+0xd9/0x260 [ 46.146175] single_release+0x8f/0xb0 [ 46.149966] __fput+0x34d/0x890 [ 46.153659] ____fput+0x15/0x20 [ 46.156929] task_work_run+0x1e4/0x290 [ 46.160807] exit_to_usermode_loop+0x2bd/0x310 [ 46.165372] do_syscall_64+0x6ac/0x800 [ 46.169328] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 46.174492] [ 46.176101] The buggy address belongs to the object at ffff8801acffc680 [ 46.176101] which belongs to the cache kmalloc-32 of size 32 [ 46.188579] The buggy address is located 0 bytes to the right of [ 46.188579] 32-byte region [ffff8801acffc680, ffff8801acffc6a0) [ 46.200704] The buggy address belongs to the page: [ 46.205616] page:ffffea0006b3ff00 count:1 mapcount:0 mapping:ffff8801acffc000 index:0xffff8801acffcfc1 [ 46.215113] flags: 0x2fffc0000000100(slab) [ 46.219336] raw: 02fffc0000000100 ffff8801acffc000 ffff8801acffcfc1 000000010000003c [ 46.227371] raw: ffffea00072c37e0 ffffea0007645ba0 ffff8801da8001c0 0000000000000000 [ 46.235229] page dumped because: kasan: bad access detected [ 46.240917] [ 46.242540] Memory state around the buggy address: [ 46.247453] ffff8801acffc580: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 46.254794] ffff8801acffc600: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 46.262135] >ffff8801acffc680: 00 00 00 00 fc fc fc fc 00 00 04 fc fc fc fc fc [ 46.269471] ^ [ 46.273858] ffff8801acffc700: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 46.281206] ffff8801acffc780: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 46.288544] ================================================================== [ 46.295882] Disabling lock debugging due to kernel taint [ 46.301403] Kernel panic - not syncing: panic_on_warn set ... [ 46.301403] [ 46.308761] CPU: 0 PID: 4496 Comm: syz-executor477 Tainted: G B 4.17.0-rc2+ #18 [ 46.317490] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 46.326832] Call Trace: [ 46.329413] dump_stack+0x1b9/0x294 [ 46.333028] ? dump_stack_print_info.cold.2+0x52/0x52 [ 46.338471] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 46.343206] ? __sctp_v6_cmp_addr+0x450/0x530 [ 46.347703] panic+0x22f/0x4de [ 46.350884] ? add_taint.cold.5+0x16/0x16 [ 46.355028] ? do_raw_spin_unlock+0x9e/0x2e0 [ 46.359440] ? do_raw_spin_unlock+0x9e/0x2e0 [ 46.363840] ? __sctp_v6_cmp_addr+0x4c7/0x530 [ 46.368337] kasan_end_report+0x47/0x4f [ 46.372320] kasan_report.cold.7+0x76/0x2fe [ 46.376628] __asan_report_load8_noabort+0x14/0x20 [ 46.381546] __sctp_v6_cmp_addr+0x4c7/0x530 [ 46.385849] sctp_inet6_cmp_addr+0x169/0x1a0 [ 46.390249] sctp_bind_addr_match+0x20b/0x400 [ 46.394741] ? sctp_bind_addrs_to_raw+0x370/0x370 [ 46.399578] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 46.405099] ? sctp_v4_available+0x1b1/0x200 [ 46.409497] ? sctp_inet6_bind_verify+0xb2/0x500 [ 46.414239] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 46.419762] sctp_do_bind+0x1c0/0x5f0 [ 46.423549] sctp_bindx_add+0x90/0x1a0 [ 46.427429] sctp_setsockopt_bindx+0x2ad/0x320 [ 46.431993] sctp_setsockopt+0x12c4/0x7000 [ 46.436221] ? mark_held_locks+0xc9/0x160 [ 46.440352] ? page_add_new_anon_rmap+0x3ff/0x850 [ 46.445177] ? sctp_setsockopt_paddr_thresholds+0x560/0x560 [ 46.450875] ? find_held_lock+0x36/0x1c0 [ 46.454925] ? lock_downgrade+0x8e0/0x8e0 [ 46.459064] ? pudp_huge_clear_flush+0x230/0x230 [ 46.463812] ? kasan_check_read+0x11/0x20 [ 46.467948] ? do_raw_spin_unlock+0x9e/0x2e0 [ 46.472337] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 46.476901] ? kasan_check_write+0x14/0x20 [ 46.481126] ? do_raw_spin_lock+0xc1/0x200 [ 46.485354] ? _raw_spin_unlock+0x22/0x30 [ 46.489499] ? do_huge_pmd_anonymous_page+0x48d/0x1cc0 [ 46.494771] ? __thp_get_unmapped_area+0x180/0x180 [ 46.499687] ? debug_check_no_locks_freed+0x310/0x310 [ 46.504875] ? alloc_file+0x24/0x3e0 [ 46.508568] ? sock_alloc_file+0x1f3/0x4e0 [ 46.512792] ? __sys_socket+0x16f/0x250 [ 46.516849] ? do_syscall_64+0x1b1/0x800 [ 46.520994] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 46.526369] ? debug_mutex_init+0x1c/0x60 [ 46.530516] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 46.535532] ? graph_lock+0x170/0x170 [ 46.539317] ? pud_val+0x80/0xf0 [ 46.542667] ? pmd_val+0xf0/0xf0 [ 46.546020] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 46.551638] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 46.557248] ? __handle_mm_fault+0x93a/0x4310 [ 46.561931] ? vm_insert_mixed_mkwrite+0x40/0x40 [ 46.566669] ? graph_lock+0x170/0x170 [ 46.570452] ? graph_lock+0x170/0x170 [ 46.574233] ? find_held_lock+0x36/0x1c0 [ 46.578280] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 46.583805] ? __fget_light+0x2ef/0x430 [ 46.587763] ? fget_raw+0x20/0x20 [ 46.591205] ? lock_downgrade+0x8e0/0x8e0 [ 46.595340] ? handle_mm_fault+0x8c0/0xc70 [ 46.599569] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 46.605091] ? handle_mm_fault+0x55a/0xc70 [ 46.609314] sock_common_setsockopt+0x9a/0xe0 [ 46.613792] __sys_setsockopt+0x1bd/0x390 [ 46.617919] ? kernel_accept+0x310/0x310 [ 46.621969] ? mm_fault_error+0x380/0x380 [ 46.626101] ? __ia32_sys_fallocate+0xf0/0xf0 [ 46.630580] __x64_sys_setsockopt+0xbe/0x150 [ 46.635062] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 46.640067] do_syscall_64+0x1b1/0x800 [ 46.643939] ? syscall_return_slowpath+0x5c0/0x5c0 [ 46.648852] ? syscall_return_slowpath+0x30f/0x5c0 [ 46.653776] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 46.659124] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 46.663951] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 46.669123] RIP: 0033:0x43fda9 [ 46.672294] RSP: 002b:00007ffd393eebe8 EFLAGS: 00000217 ORIG_RAX: 0000000000000036 [ 46.679981] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fda9 [ 46.687244] RDX: 0000000000000064 RSI: 0000000000000084 RDI: 0000000000000003 [ 46.694596] RBP: 00000000006ca018 R08: 0000000000000020 R09: 00000000004002c8 [ 46.701850] R10: 0000000020d24000 R11: 0000000000000217 R12: 00000000004016d0 [ 46.709100] R13: 0000000000401760 R14: 0000000000000000 R15: 0000000000000000 [ 46.716873] Dumping ftrace buffer: [ 46.720402] (ftrace buffer empty) [ 46.724093] Kernel Offset: disabled [ 46.727708] Rebooting in 86400 seconds..