[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 22.293807] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.587931] audit: type=1400 audit(1538170793.064:6): avc: denied { map } for pid=1766 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 22.631668] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.119931] random: sshd: uninitialized urandom read (32 bytes read)
[ 68.788418] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.71' (ECDSA) to the list of known hosts.
[ 74.347107] random: sshd: uninitialized urandom read (32 bytes read)
[ 74.441281] audit: type=1400 audit(1538170844.924:7): avc: denied { map } for pid=1808 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2018/09/28 21:40:45 parsed 1 programs
[ 74.976761] audit: type=1400 audit(1538170845.454:8): avc: denied { map } for pid=1808 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=4999 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 75.730768] random: cc1: uninitialized urandom read (8 bytes read)
2018/09/28 21:40:47 executed programs: 0
[ 77.140093] audit: type=1400 audit(1538170847.614:9): avc: denied { map } for pid=1808 comm="syz-execprog" path="/root/syzkaller-shm048756115" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 79.095204] ip (2693) used greatest stack depth: 23520 bytes left
[ 82.169048] audit: type=1400 audit(1538170852.644:10): avc: denied { prog_load } for pid=4025 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 82.199187] ==================================================================
[ 82.199209] BUG: KASAN: slab-out-of-bounds in bpf_skb_change_proto+0xd7d/0x1100
[ 82.199215] Read of size 2 at addr ffff8801ca80bc78 by task syz-executor3/4029
[ 82.199216]
[ 82.199223] CPU: 1 PID: 4029 Comm: syz-executor3 Not tainted 4.14.72+ #11
[ 82.199226] Call Trace:
[ 82.199237] dump_stack+0xb9/0x11b
[ 82.199252] print_address_description+0x60/0x22b
[ 82.199275] kasan_report.cold.6+0x11b/0x2dd
[ 82.199282] ? bpf_skb_change_proto+0xd7d/0x1100
[ 82.199293] bpf_skb_change_proto+0xd7d/0x1100
[ 82.199309] ___bpf_prog_run+0x248e/0x5c70
[ 82.199321] ? __free_insn_slot+0x490/0x490
[ 82.199331] ? bpf_jit_compile+0x30/0x30
[ 82.199344] ? depot_save_stack+0x20a/0x428
[ 82.199358] ? __bpf_prog_run512+0x99/0xe0
[ 82.199367] ? ___bpf_prog_run+0x5c70/0x5c70
[ 82.199388] ? __lock_acquire+0x619/0x4320
[ 82.199404] ? trace_hardirqs_on+0x10/0x10
[ 82.199418] ? trace_hardirqs_on+0x10/0x10
[ 82.199430] ? __lock_acquire+0x619/0x4320
[ 82.199452] ? bpf_test_run+0x57/0x350
[ 82.199471] ? lock_acquire+0x10f/0x380
[ 82.199483] ? check_preemption_disabled+0x34/0x160
[ 82.199497] ? bpf_test_run+0xab/0x350
[ 82.199516] ? bpf_prog_test_run_skb+0x63d/0x8c0
[ 82.199529] ? bpf_test_init.isra.1+0xc0/0xc0
[ 82.199540] ? __fget_light+0x192/0x1f0
[ 82.199547] ? bpf_prog_add+0x42/0xa0
[ 82.199553] ? fput+0xa/0x130
[ 82.199563] ? bpf_test_init.isra.1+0xc0/0xc0
[ 82.199572] ? SyS_bpf+0x79d/0x3640
[ 82.199585] ? bpf_prog_get+0x20/0x20
[ 82.199591] ? _copy_to_user+0x7f/0xc0
[ 82.199603] ? put_timespec64+0xb9/0x110
[ 82.199620] ? do_clock_gettime+0x30/0xb0
[ 82.199631] ? SyS_clock_gettime+0x7b/0xd0
[ 82.199639] ? do_clock_gettime+0xb0/0xb0
[ 82.199649] ? do_syscall_64+0x43/0x4b0
[ 82.199661] ? bpf_prog_get+0x20/0x20
[ 82.199666] ? do_syscall_64+0x19b/0x4b0
[ 82.199682] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 82.199702]
[ 82.199705] Allocated by task 4024:
[ 82.199713] kasan_kmalloc.part.1+0x4f/0xd0
[ 82.199719] kmem_cache_alloc+0xe4/0x2b0
[ 82.199726] __alloc_skb+0xd8/0x550
[ 82.199731] netlink_dump+0x21b/0xa60
[ 82.199737] __netlink_dump_start+0x4e4/0x750
[ 82.199743] rtnetlink_rcv_msg+0x6db/0xb30
[ 82.199748] netlink_rcv_skb+0x130/0x390
[ 82.199754] netlink_unicast+0x46d/0x620
[ 82.199760] netlink_sendmsg+0x664/0xbe0
[ 82.199767] sock_sendmsg+0xb5/0x100
[ 82.199773] SyS_sendto+0x211/0x340
[ 82.199779] do_syscall_64+0x19b/0x4b0
[ 82.199785] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 82.199787]
[ 82.199790] Freed by task 4024:
[ 82.199796] kasan_slab_free+0xac/0x190
[ 82.199802] kmem_cache_free+0x12d/0x350
[ 82.199807] kfree_skbmem+0x9e/0x100
[ 82.199813] consume_skb+0xc9/0x330
[ 82.199820] skb_free_datagram+0x15/0xd0
[ 82.199825] netlink_recvmsg+0x569/0xd10
[ 82.199831] sock_recvmsg+0xc0/0x100
[ 82.199837] ___sys_recvmsg+0x242/0x510
[ 82.199843] __sys_recvmsg+0xc7/0x170
[ 82.199849] SyS_recvmsg+0x27/0x40
[ 82.199854] do_syscall_64+0x19b/0x4b0
[ 82.199860] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 82.199862]
[ 82.199867] The buggy address belongs to the object at ffff8801ca80bb40
[ 82.199867] which belongs to the cache skbuff_head_cache of size 224
[ 82.199873] The buggy address is located 88 bytes to the right of
[ 82.199873] 224-byte region [ffff8801ca80bb40, ffff8801ca80bc20)
[ 82.199875] The buggy address belongs to the page:
[ 82.199881] page:ffffea00072a02c0 count:1 mapcount:0 mapping: (null) index:0x0
[ 82.199887] flags: 0x4000000000000100(slab)
[ 82.199897] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[ 82.199906] raw: ffffea00072e4dc0 0000000500000005 ffff8801dab70200 0000000000000000
[ 82.199908] page dumped because: kasan: bad access detected
[ 82.199910]
[ 82.199912] Memory state around the buggy address:
[ 82.199918] ffff8801ca80bb00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 82.199923] ffff8801ca80bb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 82.199928] >ffff8801ca80bc00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 82.199931] ^
[ 82.199936] ffff8801ca80bc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 82.199941] ffff8801ca80bd00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 82.199944] ==================================================================
[ 82.199946] Disabling lock debugging due to kernel taint
[ 82.199949] Kernel panic - not syncing: panic_on_warn set ...
[ 82.199949]
[ 82.199956] CPU: 1 PID: 4029 Comm: syz-executor3 Tainted: G B 4.14.72+ #11
[ 82.199958] Call Trace:
[ 82.199966] dump_stack+0xb9/0x11b
[ 82.199975] panic+0x1bf/0x3a4
[ 82.199982] ? add_taint.cold.4+0x16/0x16
[ 82.199997] kasan_end_report+0x43/0x49
[ 82.200012] kasan_report.cold.6+0x77/0x2dd
[ 82.200026] ? bpf_skb_change_proto+0xd7d/0x1100
[ 82.200035] bpf_skb_change_proto+0xd7d/0x1100
[ 82.200045] ___bpf_prog_run+0x248e/0x5c70
[ 82.200052] ? __free_insn_slot+0x490/0x490
[ 82.200059] ? bpf_jit_compile+0x30/0x30
[ 82.200068] ? depot_save_stack+0x20a/0x428
[ 82.200077] ? __bpf_prog_run512+0x99/0xe0
[ 82.200083] ? ___bpf_prog_run+0x5c70/0x5c70
[ 82.200095] ? __lock_acquire+0x619/0x4320
[ 82.200105] ? trace_hardirqs_on+0x10/0x10
[ 82.200114] ? trace_hardirqs_on+0x10/0x10
[ 82.200122] ? __lock_acquire+0x619/0x4320
[ 82.200135] ? bpf_test_run+0x57/0x350
[ 82.200147] ? lock_acquire+0x10f/0x380
[ 82.200155] ? check_preemption_disabled+0x34/0x160
[ 82.200164] ? bpf_test_run+0xab/0x350
[ 82.200176] ? bpf_prog_test_run_skb+0x63d/0x8c0
[ 82.200185] ? bpf_test_init.isra.1+0xc0/0xc0
[ 82.200193] ? __fget_light+0x192/0x1f0
[ 82.200198] ? bpf_prog_add+0x42/0xa0
[ 82.200203] ? fput+0xa/0x130
[ 82.200211] ? bpf_test_init.isra.1+0xc0/0xc0
[ 82.200218] ? SyS_bpf+0x79d/0x3640
[ 82.200228] ? bpf_prog_get+0x20/0x20
[ 82.200233] ? _copy_to_user+0x7f/0xc0
[ 82.200242] ? put_timespec64+0xb9/0x110
[ 82.200251] ? do_clock_gettime+0x30/0xb0
[ 82.200272] ? SyS_clock_gettime+0x7b/0xd0
[ 82.200279] ? do_clock_gettime+0xb0/0xb0
[ 82.200286] ? do_syscall_64+0x43/0x4b0
[ 82.200294] ? bpf_prog_get+0x20/0x20
[ 82.200299] ? do_syscall_64+0x19b/0x4b0
[ 82.200309] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 82.200635] Kernel Offset: 0x13800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 82.807776] Rebooting in 86400 seconds..