[....] Starting OpenBSD Secure Shell server: sshd
[ 10.366349] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 22.417420] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.985007] audit: type=1400 audit(1547205936.924:6): avc: denied { map } for pid=1770 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 23.019598] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.498725] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.645125] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.15.195' (ECDSA) to the list of known hosts.
[ 29.193826] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 29.277345] audit: type=1400 audit(1547205943.214:7): avc: denied { map } for pid=1782 comm="syz-executor706" path="/root/syz-executor706036313" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 29.531992] ==================================================================
[ 29.539652] BUG: KASAN: use-after-free in ip_check_defrag+0x4f5/0x523
[ 29.546220] Write of size 4 at addr ffff8881ca46309c by task syz-executor706/1784
[ 29.553816]
[ 29.555430] CPU: 0 PID: 1784 Comm: syz-executor706 Not tainted 4.14.92+ #5
[ 29.562419] Call Trace:
[ 29.564998]  dump_stack+0xb9/0x10e
[ 29.568520]  ? ip_check_defrag+0x4f5/0x523
[ 29.572738]  print_address_description+0x60/0x226
[ 29.577854]  ? ip_check_defrag+0x4f5/0x523
[ 29.582072]  kasan_report.cold+0x88/0x2a5
[ 29.586266]  ? ip_check_defrag+0x4f5/0x523
[ 29.590489]  ? ip_defrag+0x3b50/0x3b50
[ 29.594392]  ? mark_held_locks+0xa6/0xf0
[ 29.598458]  ? check_preemption_disabled+0x35/0x1f0
[ 29.603480]  ? packet_rcv_fanout+0x4d1/0x5e0
[ 29.607865]  ? fanout_demux_rollover+0x4d0/0x4d0
[ 29.612601]  ? dev_queue_xmit_nit+0x21a/0x960
[ 29.617086]  ? dev_hard_start_xmit+0xa3/0x890
[ 29.621576]  ? sch_direct_xmit+0x27a/0x520
[ 29.625850]  ? dev_deactivate_queue.constprop.0+0x150/0x150
[ 29.631546]  ? lock_acquire+0x10f/0x380
[ 29.635500]  ? ip_finish_output2+0x9fe/0x12f0
[ 29.639974]  ? __dev_queue_xmit+0x1565/0x1cd0
[ 29.644458]  ? netdev_pick_tx+0x2e0/0x2e0
[ 29.648588]  ? ip_do_fragment+0x180c/0x1ee0
[ 29.652895]  ? mark_held_locks+0xa6/0xf0
[ 29.656937]  ? ip_finish_output2+0xd92/0x12f0
[ 29.661409]  ? ip_finish_output2+0x9fe/0x12f0
[ 29.665883]  ? ip_copy_addrs+0xd0/0xd0
[ 29.669890]  ? selinux_ip_postroute_compat+0x360/0x360
[ 29.675148]  ? check_preemption_disabled+0x35/0x1f0
[ 29.680310]  ? ip_do_fragment+0x180c/0x1ee0
[ 29.684608]  ? ip_do_fragment+0x180c/0x1ee0
[ 29.688924]  ? ip_copy_addrs+0xd0/0xd0
[ 29.692802]  ? ip_fragment.constprop.0+0x146/0x200
[ 29.697828]  ? ip_finish_output+0x7a7/0xc70
[ 29.702238]  ? ip_mc_output+0x231/0xbe0
[ 29.706305]  ? ip_queue_xmit+0x1a70/0x1a70
[ 29.710521]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 29.716054]  ? ip_fragment.constprop.0+0x200/0x200
[ 29.720967]  ? dst_release+0xc/0x80
[ 29.724617]  ? __ip_make_skb+0xe30/0x1690
[ 29.728774]  ? ip_local_out+0x98/0x170
[ 29.732647]  ? ip_send_skb+0x3a/0xc0
[ 29.736346]  ? ip_push_pending_frames+0x5f/0x80
[ 29.740994]  ? raw_sendmsg+0x19de/0x2270
[ 29.745130]  ? raw_seq_next+0x80/0x80
[ 29.748924]  ? avc_has_perm_noaudit+0x2d0/0x2d0
[ 29.753585]  ? __schedule+0x924/0x1f30
[ 29.757462]  ? trace_hardirqs_on+0x10/0x10
[ 29.761689]  ? sock_has_perm+0x1d3/0x260
[ 29.765739]  ? trace_hardirqs_on+0x10/0x10
[ 29.769959]  ? inet_sendmsg+0x14a/0x510
[ 29.773978]  ? inet_recvmsg+0x540/0x540
[ 29.777940]  ? sock_sendmsg+0xb7/0x100
[ 29.781816]  ? sock_no_sendpage+0x132/0x1a0
[ 29.786115]  ? sock_rfree+0x140/0x140
[ 29.789905]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[ 29.795332]  ? trace_hardirqs_on_caller+0x37b/0x540
[ 29.800330]  ? inet_sendpage+0x1bb/0x5c0
[ 29.804416]  ? inet_getname+0x390/0x390
[ 29.808378]  ? kernel_sendpage+0x84/0xd0
[ 29.812418]  ? sock_sendpage+0x84/0xa0
[ 29.816284]  ? pipe_to_sendpage+0x23d/0x300
[ 29.820684]  ? kernel_sendpage+0xd0/0xd0
[ 29.824726]  ? direct_splice_actor+0x160/0x160
[ 29.829297]  ? __put_page+0x68/0xa0
[ 29.832926]  ? __splice_from_pipe+0x331/0x740
[ 29.837402]  ? direct_splice_actor+0x160/0x160
[ 29.841987]  ? direct_splice_actor+0x160/0x160
[ 29.846605]  ? splice_from_pipe+0xd9/0x140
[ 29.850820]  ? splice_shrink_spd+0xb0/0xb0
[ 29.855139]  ? security_file_permission+0x88/0x1e0
[ 29.860158]  ? splice_from_pipe+0x140/0x140
[ 29.864519]  ? SyS_splice+0xd1c/0x12d0
[ 29.868398]  ? do_futex+0x17f0/0x17f0
[ 29.872176]  ? lock_acquire+0x10f/0x380
[ 29.876126]  ? compat_SyS_vmsplice+0x150/0x150
[ 29.880686]  ? _raw_spin_unlock_irq+0x24/0x50
[ 29.885164]  ? do_syscall_64+0x43/0x4b0
[ 29.889125]  ? compat_SyS_vmsplice+0x150/0x150
[ 29.893689]  ? do_syscall_64+0x19b/0x4b0
[ 29.897732]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 29.903081]
[ 29.904690] Allocated by task 1784:
[ 29.908417]  kasan_kmalloc.part.0+0x4f/0xd0
[ 29.912719]  kmem_cache_alloc+0xd2/0x2d0
[ 29.916757]  skb_clone+0x126/0x310
[ 29.920279]  ip_check_defrag+0x2bc/0x523
[ 29.924319]  packet_rcv_fanout+0x4d1/0x5e0
[ 29.928536]  dev_queue_xmit_nit+0x21a/0x960
[ 29.933560]
[ 29.935183] Freed by task 1784:
[ 29.938454]  kasan_slab_free+0xb0/0x190
[ 29.942402]  kmem_cache_free+0xc4/0x330
[ 29.946387]  kfree_skbmem+0xa0/0x100
[ 29.950081]  kfree_skb+0xcd/0x350
[ 29.953514]  ip_defrag+0x5f4/0x3b50
[ 29.957115]  ip_check_defrag+0x39b/0x523
[ 29.961153]  packet_rcv_fanout+0x4d1/0x5e0
[ 29.965360]  dev_queue_xmit_nit+0x21a/0x960
[ 29.969652]
[ 29.971273] The buggy address belongs to the object at ffff8881ca463000
[ 29.971273]  which belongs to the cache skbuff_head_cache of size 224
[ 29.984429] The buggy address is located 156 bytes inside of
[ 29.984429]  224-byte region [ffff8881ca463000, ffff8881ca4630e0)
[ 29.996412] The buggy address belongs to the page:
[ 30.001325] page:ffffea00072918c0 count:1 mapcount:0 mapping: (null) index:0x0
[ 30.009460] flags: 0x4000000000000100(slab)
[ 30.013797] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[ 30.021659] raw: dead000000000100 dead000000000200 ffff8881d6758200 0000000000000000
[ 30.029523] page dumped because: kasan: bad access detected
[ 30.035318]
[ 30.036922] Memory state around the buggy address:
[ 30.041827]  ffff8881ca462f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.049159]  ffff8881ca463000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.056492] >ffff8881ca463080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 30.063823]                                                     ^
[ 30.067944]  ffff8881ca463100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.075288]  ffff8881ca463180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.082624] ==================================================================
[ 30.089963] Disabling lock debugging due to kernel taint
[ 30.095472] Kernel panic - not syncing: panic_on_warn set ...
[ 30.095472]
[ 30.102919] CPU: 0 PID: 1784 Comm: syz-executor706 Tainted: G B 4.14.92+ #5
[ 30.111121] Call Trace:
[ 30.113742]  dump_stack+0xb9/0x10e
[ 30.117548]  panic+0x1d9/0x3c2
[ 30.120721]  ? add_taint.cold+0x16/0x16
[ 30.124678]  ? retint_kernel+0x2d/0x2d
[ 30.128551]  ? ip_check_defrag+0x4f5/0x523
[ 30.132765]  kasan_end_report+0x43/0x49
[ 30.136718]  kasan_report.cold+0xa4/0x2a5
[ 30.140845]  ? ip_check_defrag+0x4f5/0x523
[ 30.145052]  ? ip_defrag+0x3b50/0x3b50
[ 30.148916]  ? mark_held_locks+0xa6/0xf0
[ 30.152962]  ? check_preemption_disabled+0x35/0x1f0
[ 30.157965]  ? packet_rcv_fanout+0x4d1/0x5e0
[ 30.162364]  ? fanout_demux_rollover+0x4d0/0x4d0
[ 30.167131]  ? dev_queue_xmit_nit+0x21a/0x960
[ 30.171801]  ? dev_hard_start_xmit+0xa3/0x890
[ 30.176286]  ? sch_direct_xmit+0x27a/0x520
[ 30.180497]  ? dev_deactivate_queue.constprop.0+0x150/0x150
[ 30.186189]  ? lock_acquire+0x10f/0x380
[ 30.190145]  ? ip_finish_output2+0x9fe/0x12f0
[ 30.194617]  ? __dev_queue_xmit+0x1565/0x1cd0
[ 30.199094]  ? netdev_pick_tx+0x2e0/0x2e0
[ 30.203235]  ? ip_do_fragment+0x180c/0x1ee0
[ 30.207534]  ? mark_held_locks+0xa6/0xf0
[ 30.211569]  ? ip_finish_output2+0xd92/0x12f0
[ 30.216099]  ? ip_finish_output2+0x9fe/0x12f0
[ 30.220580]  ? ip_copy_addrs+0xd0/0xd0
[ 30.224447]  ? selinux_ip_postroute_compat+0x360/0x360
[ 30.229702]  ? check_preemption_disabled+0x35/0x1f0
[ 30.234695]  ? ip_do_fragment+0x180c/0x1ee0
[ 30.238989]  ? ip_do_fragment+0x180c/0x1ee0
[ 30.243304]  ? ip_copy_addrs+0xd0/0xd0
[ 30.247165]  ? ip_fragment.constprop.0+0x146/0x200
[ 30.252076]  ? ip_finish_output+0x7a7/0xc70
[ 30.256377]  ? ip_mc_output+0x231/0xbe0
[ 30.260349]  ? ip_queue_xmit+0x1a70/0x1a70
[ 30.264570]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 30.270175]  ? ip_fragment.constprop.0+0x200/0x200
[ 30.275100]  ? dst_release+0xc/0x80
[ 30.278708]  ? __ip_make_skb+0xe30/0x1690
[ 30.282831]  ? ip_local_out+0x98/0x170
[ 30.286846]  ? ip_send_skb+0x3a/0xc0
[ 30.290534]  ? ip_push_pending_frames+0x5f/0x80
[ 30.295202]  ? raw_sendmsg+0x19de/0x2270
[ 30.299239]  ? raw_seq_next+0x80/0x80
[ 30.303014]  ? avc_has_perm_noaudit+0x2d0/0x2d0
[ 30.307873]  ? __schedule+0x924/0x1f30
[ 30.311839]  ? trace_hardirqs_on+0x10/0x10
[ 30.316056]  ? sock_has_perm+0x1d3/0x260
[ 30.320102]  ? trace_hardirqs_on+0x10/0x10
[ 30.324323]  ? inet_sendmsg+0x14a/0x510
[ 30.328285]  ? inet_recvmsg+0x540/0x540
[ 30.332235]  ? sock_sendmsg+0xb7/0x100
[ 30.336101]  ? sock_no_sendpage+0x132/0x1a0
[ 30.340394]  ? sock_rfree+0x140/0x140
[ 30.344174]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[ 30.349254]  ? trace_hardirqs_on_caller+0x37b/0x540
[ 30.354253]  ? inet_sendpage+0x1bb/0x5c0
[ 30.358296]  ? inet_getname+0x390/0x390
[ 30.362252]  ? kernel_sendpage+0x84/0xd0
[ 30.366290]  ? sock_sendpage+0x84/0xa0
[ 30.370153]  ? pipe_to_sendpage+0x23d/0x300
[ 30.374451]  ? kernel_sendpage+0xd0/0xd0
[ 30.378492]  ? direct_splice_actor+0x160/0x160
[ 30.383053]  ? __put_page+0x68/0xa0
[ 30.386656]  ? __splice_from_pipe+0x331/0x740
[ 30.391125]  ? direct_splice_actor+0x160/0x160
[ 30.395680]  ? direct_splice_actor+0x160/0x160
[ 30.400388]  ? splice_from_pipe+0xd9/0x140
[ 30.404613]  ? splice_shrink_spd+0xb0/0xb0
[ 30.408833]  ? security_file_permission+0x88/0x1e0
[ 30.413740]  ? splice_from_pipe+0x140/0x140
[ 30.418038]  ? SyS_splice+0xd1c/0x12d0
[ 30.421905]  ? do_futex+0x17f0/0x17f0
[ 30.425678]  ? lock_acquire+0x10f/0x380
[ 30.429630]  ? compat_SyS_vmsplice+0x150/0x150
[ 30.434194]  ? _raw_spin_unlock_irq+0x24/0x50
[ 30.438663]  ? do_syscall_64+0x43/0x4b0
[ 30.442608]  ? compat_SyS_vmsplice+0x150/0x150
[ 30.447173]  ? do_syscall_64+0x19b/0x4b0
[ 30.451897]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 30.457577] Kernel Offset: 0x34000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 30.468474] Rebooting in 86400 seconds..