[....] Starting enhanced syslogd: rsyslogd[ 14.118595] audit: type=1400 audit(1571008584.837:4): avc: denied { syslog } for pid=1915 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Starting mcstransd: [....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.1.25' (ECDSA) to the list of known hosts. 2019/10/13 23:16:32 parsed 1 programs 2019/10/13 23:16:34 executed programs: 0 2019/10/13 23:16:39 executed programs: 33 2019/10/13 23:16:44 executed programs: 71 2019/10/13 23:16:49 executed programs: 107 syzkaller login: [ 40.900756] ================================================================== [ 40.908531] BUG: KASAN: use-after-free in ip6t_do_table+0x1545/0x1860 [ 40.915388] Read of size 8 at addr ffff8801d63b0000 by task syz-executor.0/2821 [ 40.922982] [ 40.924749] CPU: 0 PID: 2821 Comm: syz-executor.0 Not tainted 4.4.174+ #17 [ 40.931760] 0000000000000000 178da4e7f4666f0f ffff8801d8b57028 ffffffff81aad1a1 [ 40.940500] 0000000000000000 ffffea000758ec00 ffff8801d63b0000 0000000000000008 [ 40.948809] dffffc0000000000 ffff8801d8b57060 ffffffff81490120 0000000000000000 [ 40.956874] Call Trace: [ 40.959464] [] dump_stack+0xc1/0x120 [ 40.965017] [] print_address_description+0x6f/0x21b [ 40.971873] [] kasan_report.cold+0x8c/0x2be [ 40.978193] [] ? ip6t_do_table+0x1545/0x1860 [ 40.984412] [] __asan_report_load8_noabort+0x14/0x20 [ 40.991482] [] ip6t_do_table+0x1545/0x1860 [ 40.997661] [] ? mark_held_locks+0xb1/0x100 [ 41.003886] [] ? nf_conntrack_in+0x13ef/0x1c20 [ 41.010381] [] ? __nf_ct_refresh_acct+0x1d2/0x280 [ 41.016967] [] ? ip6t_alloc_initial_table+0x680/0x680 [ 41.024121] [] ? trace_hardirqs_on+0x10/0x10 [ 41.030456] [] ip6table_mangle_hook+0x2d6/0x710 [ 41.036875] [] nf_iterate+0x186/0x220 [ 41.042357] [] nf_hook_slow+0x1b6/0x340 [ 41.048253] [] ? nf_iterate+0x220/0x220 [ 41.053877] [] ? nf_iterate+0x220/0x220 [ 41.059498] [] ? memset+0x32/0x40 [ 41.064781] [] __ip6_local_out+0x309/0x4b0 [ 41.070986] [] ? ip6_find_1stfragopt+0x260/0x260 [ 41.077389] [] ? icmpv6_send+0x1b0/0x1b0 [ 41.083219] [] ? ip6_output+0x520/0x520 [ 41.089042] [] ? __ip6_append_data.isra.0+0xc73/0x33f0 [ 41.096362] [] ip6_local_out+0x29/0x180 [ 41.102245] [] ip6_send_skb+0xa2/0x340 [ 41.108093] [] ? csum_ipv6_magic+0x2b/0x80 [ 41.114135] [] udp_v6_send_skb+0x438/0xe90 [ 41.120334] [] udp_v6_push_pending_frames+0x245/0x360 [ 41.127313] [] ? udp_v6_send_skb+0xe90/0xe90 [ 41.133800] [] ? mark_held_locks+0xb1/0x100 [ 41.140043] [] ? ip_reply_glue_bits+0xc0/0xc0 [ 41.146614] [] udpv6_sendmsg+0x1a37/0x24f0 [ 41.152512] [] ? ip_reply_glue_bits+0xc0/0xc0 [ 41.158835] [] ? udp_v6_flush_pending_frames+0xe0/0xe0 [ 41.166451] [] ? sock_has_perm+0x2a8/0x400 [ 41.173011] [] ? sock_has_perm+0xa6/0x400 [ 41.179131] [] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0 [ 41.186985] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 41.194116] [] ? check_preemption_disabled+0x3c/0x200 [ 41.201118] [] ? check_preemption_disabled+0x3c/0x200 [ 41.208522] [] ? inet_sendmsg+0x143/0x4d0 [ 41.214673] [] inet_sendmsg+0x202/0x4d0 [ 41.220309] [] ? inet_sendmsg+0x76/0x4d0 [ 41.226152] [] ? inet_recvmsg+0x4d0/0x4d0 [ 41.232305] [] sock_sendmsg+0xbe/0x110 [ 41.238110] [] ___sys_sendmsg+0x369/0x890 [ 41.243913] [] ? copy_msghdr_from_user+0x550/0x550 [ 41.250841] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 41.257614] [] ? check_preemption_disabled+0x3c/0x200 [ 41.264564] [] ? check_preemption_disabled+0x3c/0x200 [ 41.272186] [] ? __fget+0x13b/0x370 [ 41.277623] [] ? __fget+0x162/0x370 [ 41.283205] [] ? __fget+0x47/0x370 [ 41.288527] [] ? __fget_light+0xa3/0x1f0 [ 41.294993] [] ? __fdget+0x1b/0x20 [ 41.300452] [] ? sockfd_lookup_light+0xb4/0x160 [ 41.307143] [] __sys_sendmmsg+0x1d6/0x2e0 [ 41.313205] [] ? SyS_sendmsg+0x50/0x50 [ 41.318740] [] ? __might_fault+0x95/0x1d0 [ 41.324983] [] ? SyS_clock_gettime+0x118/0x1e0 [ 41.331219] [] ? SyS_clock_settime+0x220/0x220 [ 41.337756] [] ? __compat_put_timespec.isra.0+0xce/0x140 [ 41.345285] [] ? compat_SyS_clock_gettime+0x162/0x1f0 [ 41.352836] [] ? compat_SyS_clock_settime+0x1b0/0x1b0 [ 41.360230] [] compat_SyS_sendmmsg+0x32/0x40 [ 41.366632] [] ? compat_SyS_sendmsg+0x40/0x40 [ 41.373262] [] do_fast_syscall_32+0x32d/0xa90 [ 41.379590] [] sysenter_flags_fixed+0xd/0x1a [ 41.385895] [ 41.388574] The buggy address belongs to the page: [ 41.393854] page:ffffea000758ec00 count:0 mapcount:-127 mapping: (null) index:0x0 [ 41.402399] flags: 0x4000000000000000() [ 41.406497] page dumped because: kasan: bad access detected [ 41.412382] [ 41.414005] Memory state around the buggy address: [ 41.419255] ffff8801d63aff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 41.426605] ffff8801d63aff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 41.434254] >ffff8801d63b0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 41.442044] ^ [ 41.445398] ffff8801d63b0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 41.452752] ffff8801d63b0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 41.460103] ================================================================== [ 41.467623] Disabling lock debugging due to kernel taint [ 41.473108] Kernel panic - not syncing: panic_on_warn set ... [ 41.473108] [ 41.480838] CPU: 0 PID: 2821 Comm: syz-executor.0 Tainted: G B 4.4.174+ #17 [ 41.489058] 0000000000000000 178da4e7f4666f0f ffff8801d8b56f68 ffffffff81aad1a1 [ 41.497418] ffff8801d8b57078 ffffffff82c5cf1b ffff8801d63b0000 0000000000000008 [ 41.505746] dffffc0000000000 ffff8801d8b57048 ffffffff813a48c2 0000000041b58ab3 [ 41.513880] Call Trace: [ 41.516637] [] dump_stack+0xc1/0x120 [ 41.522381] [] panic+0x1b9/0x37b [ 41.527407] [] ? add_taint.cold+0x16/0x16 [ 41.533207] [] kasan_end_report+0x47/0x4f [ 41.539140] [] kasan_report.cold+0xa9/0x2be [ 41.545402] [] ? ip6t_do_table+0x1545/0x1860 [ 41.551811] [] __asan_report_load8_noabort+0x14/0x20 [ 41.559800] [] ip6t_do_table+0x1545/0x1860 [ 41.566185] [] ? mark_held_locks+0xb1/0x100 [ 41.572588] [] ? nf_conntrack_in+0x13ef/0x1c20 [ 41.578873] [] ? __nf_ct_refresh_acct+0x1d2/0x280 [ 41.586285] [] ? ip6t_alloc_initial_table+0x680/0x680 [ 41.593275] [] ? trace_hardirqs_on+0x10/0x10 [ 41.599546] [] ip6table_mangle_hook+0x2d6/0x710 [ 41.606102] [] nf_iterate+0x186/0x220 [ 41.611552] [] nf_hook_slow+0x1b6/0x340 [ 41.617362] [] ? nf_iterate+0x220/0x220 [ 41.623114] [] ? nf_iterate+0x220/0x220 [ 41.628988] [] ? memset+0x32/0x40 [ 41.634184] [] __ip6_local_out+0x309/0x4b0 [ 41.640266] [] ? ip6_find_1stfragopt+0x260/0x260 [ 41.646724] [] ? icmpv6_send+0x1b0/0x1b0 [ 41.652483] [] ? ip6_output+0x520/0x520 [ 41.658227] [] ? __ip6_append_data.isra.0+0xc73/0x33f0 [ 41.665729] [] ip6_local_out+0x29/0x180 [ 41.671764] [] ip6_send_skb+0xa2/0x340 [ 41.677842] [] ? csum_ipv6_magic+0x2b/0x80 [ 41.683899] [] udp_v6_send_skb+0x438/0xe90 [ 41.690083] [] udp_v6_push_pending_frames+0x245/0x360 [ 41.697306] [] ? udp_v6_send_skb+0xe90/0xe90 [ 41.703425] [] ? mark_held_locks+0xb1/0x100 [ 41.709481] [] ? ip_reply_glue_bits+0xc0/0xc0 [ 41.715619] [] udpv6_sendmsg+0x1a37/0x24f0 [ 41.721495] [] ? ip_reply_glue_bits+0xc0/0xc0 [ 41.727640] [] ? udp_v6_flush_pending_frames+0xe0/0xe0 [ 41.734763] [] ? sock_has_perm+0x2a8/0x400 [ 41.741563] [] ? sock_has_perm+0xa6/0x400 [ 41.747444] [] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0 [ 41.754995] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 41.761741] [] ? check_preemption_disabled+0x3c/0x200 [ 41.768880] [] ? check_preemption_disabled+0x3c/0x200 [ 41.775714] [] ? inet_sendmsg+0x143/0x4d0 [ 41.782077] [] inet_sendmsg+0x202/0x4d0 [ 41.787783] [] ? inet_sendmsg+0x76/0x4d0 [ 41.793487] [] ? inet_recvmsg+0x4d0/0x4d0 [ 41.799505] [] sock_sendmsg+0xbe/0x110 [ 41.805343] [] ___sys_sendmsg+0x369/0x890 [ 41.811268] [] ? copy_msghdr_from_user+0x550/0x550 [ 41.818498] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 41.827015] [] ? check_preemption_disabled+0x3c/0x200 [ 41.834180] [] ? check_preemption_disabled+0x3c/0x200 [ 41.841195] [] ? __fget+0x13b/0x370 [ 41.846936] [] ? __fget+0x162/0x370 [ 41.852326] [] ? __fget+0x47/0x370 [ 41.857558] [] ? __fget_light+0xa3/0x1f0 [ 41.863579] [] ? __fdget+0x1b/0x20 [ 41.869224] [] ? sockfd_lookup_light+0xb4/0x160 [ 41.876052] [] __sys_sendmmsg+0x1d6/0x2e0 [ 41.882251] [] ? SyS_sendmsg+0x50/0x50 [ 41.887924] [] ? __might_fault+0x95/0x1d0 [ 41.893834] [] ? SyS_clock_gettime+0x118/0x1e0 [ 41.900061] [] ? SyS_clock_settime+0x220/0x220 [ 41.906449] [] ? __compat_put_timespec.isra.0+0xce/0x140 [ 41.914209] [] ? compat_SyS_clock_gettime+0x162/0x1f0 [ 41.921615] [] ? compat_SyS_clock_settime+0x1b0/0x1b0 [ 41.928803] [] compat_SyS_sendmmsg+0x32/0x40 [ 41.935018] [] ? compat_SyS_sendmsg+0x40/0x40 [ 41.941169] [] do_fast_syscall_32+0x32d/0xa90 [ 41.947642] [] sysenter_flags_fixed+0xd/0x1a [ 41.955659] Kernel Offset: disabled [ 41.959299] Rebooting in 86400 seconds..