[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.293807] random: sshd: uninitialized urandom read (32 bytes read)
[   22.587931] audit: type=1400 audit(1538170793.064:6): avc:  denied  { map } for  pid=1766 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   22.631668] random: sshd: uninitialized urandom read (32 bytes read)
[   23.119931] random: sshd: uninitialized urandom read (32 bytes read)
[   68.788418] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.71' (ECDSA) to the list of known hosts.
[   74.347107] random: sshd: uninitialized urandom read (32 bytes read)
[   74.441281] audit: type=1400 audit(1538170844.924:7): avc:  denied  { map } for  pid=1808 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2018/09/28 21:40:45 parsed 1 programs
[   74.976761] audit: type=1400 audit(1538170845.454:8): avc:  denied  { map } for  pid=1808 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=4999 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[   75.730768] random: cc1: uninitialized urandom read (8 bytes read)
2018/09/28 21:40:47 executed programs: 0
[   77.140093] audit: type=1400 audit(1538170847.614:9): avc:  denied  { map } for  pid=1808 comm="syz-execprog" path="/root/syzkaller-shm048756115" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[   79.095204] ip (2693) used greatest stack depth: 23520 bytes left
[   82.169048] audit: type=1400 audit(1538170852.644:10): avc:  denied  { prog_load } for  pid=4025 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[   82.199187] ==================================================================
[   82.199209] BUG: KASAN: slab-out-of-bounds in bpf_skb_change_proto+0xd7d/0x1100
[   82.199215] Read of size 2 at addr ffff8801ca80bc78 by task syz-executor3/4029
[   82.199216] 
[   82.199223] CPU: 1 PID: 4029 Comm: syz-executor3 Not tainted 4.14.72+ #11
[   82.199226] Call Trace:
[   82.199237]  dump_stack+0xb9/0x11b
[   82.199252]  print_address_description+0x60/0x22b
[   82.199275]  kasan_report.cold.6+0x11b/0x2dd
[   82.199282]  ? bpf_skb_change_proto+0xd7d/0x1100
[   82.199293]  bpf_skb_change_proto+0xd7d/0x1100
[   82.199309]  ___bpf_prog_run+0x248e/0x5c70
[   82.199321]  ? __free_insn_slot+0x490/0x490
[   82.199331]  ? bpf_jit_compile+0x30/0x30
[   82.199344]  ? depot_save_stack+0x20a/0x428
[   82.199358]  ? __bpf_prog_run512+0x99/0xe0
[   82.199367]  ? ___bpf_prog_run+0x5c70/0x5c70
[   82.199388]  ? __lock_acquire+0x619/0x4320
[   82.199404]  ? trace_hardirqs_on+0x10/0x10
[   82.199418]  ? trace_hardirqs_on+0x10/0x10
[   82.199430]  ? __lock_acquire+0x619/0x4320
[   82.199452]  ? bpf_test_run+0x57/0x350
[   82.199471]  ? lock_acquire+0x10f/0x380
[   82.199483]  ? check_preemption_disabled+0x34/0x160
[   82.199497]  ? bpf_test_run+0xab/0x350
[   82.199516]  ? bpf_prog_test_run_skb+0x63d/0x8c0
[   82.199529]  ? bpf_test_init.isra.1+0xc0/0xc0
[   82.199540]  ? __fget_light+0x192/0x1f0
[   82.199547]  ? bpf_prog_add+0x42/0xa0
[   82.199553]  ? fput+0xa/0x130
[   82.199563]  ? bpf_test_init.isra.1+0xc0/0xc0
[   82.199572]  ? SyS_bpf+0x79d/0x3640
[   82.199585]  ? bpf_prog_get+0x20/0x20
[   82.199591]  ? _copy_to_user+0x7f/0xc0
[   82.199603]  ? put_timespec64+0xb9/0x110
[   82.199620]  ? do_clock_gettime+0x30/0xb0
[   82.199631]  ? SyS_clock_gettime+0x7b/0xd0
[   82.199639]  ? do_clock_gettime+0xb0/0xb0
[   82.199649]  ? do_syscall_64+0x43/0x4b0
[   82.199661]  ? bpf_prog_get+0x20/0x20
[   82.199666]  ? do_syscall_64+0x19b/0x4b0
[   82.199682]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   82.199702] 
[   82.199705] Allocated by task 4024:
[   82.199713]  kasan_kmalloc.part.1+0x4f/0xd0
[   82.199719]  kmem_cache_alloc+0xe4/0x2b0
[   82.199726]  __alloc_skb+0xd8/0x550
[   82.199731]  netlink_dump+0x21b/0xa60
[   82.199737]  __netlink_dump_start+0x4e4/0x750
[   82.199743]  rtnetlink_rcv_msg+0x6db/0xb30
[   82.199748]  netlink_rcv_skb+0x130/0x390
[   82.199754]  netlink_unicast+0x46d/0x620
[   82.199760]  netlink_sendmsg+0x664/0xbe0
[   82.199767]  sock_sendmsg+0xb5/0x100
[   82.199773]  SyS_sendto+0x211/0x340
[   82.199779]  do_syscall_64+0x19b/0x4b0
[   82.199785]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   82.199787] 
[   82.199790] Freed by task 4024:
[   82.199796]  kasan_slab_free+0xac/0x190
[   82.199802]  kmem_cache_free+0x12d/0x350
[   82.199807]  kfree_skbmem+0x9e/0x100
[   82.199813]  consume_skb+0xc9/0x330
[   82.199820]  skb_free_datagram+0x15/0xd0
[   82.199825]  netlink_recvmsg+0x569/0xd10
[   82.199831]  sock_recvmsg+0xc0/0x100
[   82.199837]  ___sys_recvmsg+0x242/0x510
[   82.199843]  __sys_recvmsg+0xc7/0x170
[   82.199849]  SyS_recvmsg+0x27/0x40
[   82.199854]  do_syscall_64+0x19b/0x4b0
[   82.199860]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   82.199862] 
[   82.199867] The buggy address belongs to the object at ffff8801ca80bb40
[   82.199867]  which belongs to the cache skbuff_head_cache of size 224
[   82.199873] The buggy address is located 88 bytes to the right of
[   82.199873]  224-byte region [ffff8801ca80bb40, ffff8801ca80bc20)
[   82.199875] The buggy address belongs to the page:
[   82.199881] page:ffffea00072a02c0 count:1 mapcount:0 mapping:          (null) index:0x0
[   82.199887] flags: 0x4000000000000100(slab)
[   82.199897] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[   82.199906] raw: ffffea00072e4dc0 0000000500000005 ffff8801dab70200 0000000000000000
[   82.199908] page dumped because: kasan: bad access detected
[   82.199910] 
[   82.199912] Memory state around the buggy address:
[   82.199918]  ffff8801ca80bb00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   82.199923]  ffff8801ca80bb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   82.199928] >ffff8801ca80bc00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   82.199931]                                                                 ^
[   82.199936]  ffff8801ca80bc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   82.199941]  ffff8801ca80bd00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   82.199944] ==================================================================
[   82.199946] Disabling lock debugging due to kernel taint
[   82.199949] Kernel panic - not syncing: panic_on_warn set ...
[   82.199949] 
[   82.199956] CPU: 1 PID: 4029 Comm: syz-executor3 Tainted: G    B           4.14.72+ #11
[   82.199958] Call Trace:
[   82.199966]  dump_stack+0xb9/0x11b
[   82.199975]  panic+0x1bf/0x3a4
[   82.199982]  ? add_taint.cold.4+0x16/0x16
[   82.199997]  kasan_end_report+0x43/0x49
[   82.200012]  kasan_report.cold.6+0x77/0x2dd
[   82.200026]  ? bpf_skb_change_proto+0xd7d/0x1100
[   82.200035]  bpf_skb_change_proto+0xd7d/0x1100
[   82.200045]  ___bpf_prog_run+0x248e/0x5c70
[   82.200052]  ? __free_insn_slot+0x490/0x490
[   82.200059]  ? bpf_jit_compile+0x30/0x30
[   82.200068]  ? depot_save_stack+0x20a/0x428
[   82.200077]  ? __bpf_prog_run512+0x99/0xe0
[   82.200083]  ? ___bpf_prog_run+0x5c70/0x5c70
[   82.200095]  ? __lock_acquire+0x619/0x4320
[   82.200105]  ? trace_hardirqs_on+0x10/0x10
[   82.200114]  ? trace_hardirqs_on+0x10/0x10
[   82.200122]  ? __lock_acquire+0x619/0x4320
[   82.200135]  ? bpf_test_run+0x57/0x350
[   82.200147]  ? lock_acquire+0x10f/0x380
[   82.200155]  ? check_preemption_disabled+0x34/0x160
[   82.200164]  ? bpf_test_run+0xab/0x350
[   82.200176]  ? bpf_prog_test_run_skb+0x63d/0x8c0
[   82.200185]  ? bpf_test_init.isra.1+0xc0/0xc0
[   82.200193]  ? __fget_light+0x192/0x1f0
[   82.200198]  ? bpf_prog_add+0x42/0xa0
[   82.200203]  ? fput+0xa/0x130
[   82.200211]  ? bpf_test_init.isra.1+0xc0/0xc0
[   82.200218]  ? SyS_bpf+0x79d/0x3640
[   82.200228]  ? bpf_prog_get+0x20/0x20
[   82.200233]  ? _copy_to_user+0x7f/0xc0
[   82.200242]  ? put_timespec64+0xb9/0x110
[   82.200251]  ? do_clock_gettime+0x30/0xb0
[   82.200272]  ? SyS_clock_gettime+0x7b/0xd0
[   82.200279]  ? do_clock_gettime+0xb0/0xb0
[   82.200286]  ? do_syscall_64+0x43/0x4b0
[   82.200294]  ? bpf_prog_get+0x20/0x20
[   82.200299]  ? do_syscall_64+0x19b/0x4b0
[   82.200309]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   82.200635] Kernel Offset: 0x13800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   82.807776] Rebooting in 86400 seconds..