[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.18' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 40.412113] audit: type=1400 audit(1601205882.263:8): avc: denied { execmem } for pid=6502 comm="syz-executor545" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 40.440981] IPVS: ftp: loaded support on port[0] = 21
[ 40.488232] ntfs: (device loop0): is_boot_sector_ntfs(): Invalid end of sector marker.
[ 40.498680] ==================================================================
[ 40.506699] BUG: KASAN: use-after-free in ntfs_attr_find+0xa42/0xb70
[ 40.513796] Read of size 4 at addr ffff8880a3e9607f by task syz-executor545/6503
[ 40.521947]
[ 40.524014] CPU: 0 PID: 6503 Comm: syz-executor545 Not tainted 4.19.148-syzkaller #0
[ 40.534237] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.550051] Call Trace:
[ 40.553476]  dump_stack+0x22c/0x33e
[ 40.557747]  print_address_description.cold+0x56/0x25c
[ 40.565889]  kasan_report_error.cold+0x66/0xb9
[ 40.571794]  ? ntfs_attr_find+0xa42/0xb70
[ 40.576402]  __asan_report_load_n_noabort+0x8b/0xa0
[ 40.583200]  ? ntfs_attr_find+0xa42/0xb70
[ 40.587401]  ntfs_attr_find+0xa42/0xb70
[ 40.592233]  ntfs_attr_lookup+0x1087/0x2060
[ 40.596792]  ? do_raw_spin_unlock+0x171/0x240
[ 40.601465]  ? cache_alloc_refill+0x351/0x410
[ 40.606401]  ? guard_bio_eod+0x2de/0x690
[ 40.611070]  ? check_preemption_disabled+0x41/0x2b0
[ 40.617300]  ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0
[ 40.623198]  ? kmem_cache_alloc+0x31b/0x4a0
[ 40.627969]  ntfs_read_inode_mount+0x7e4/0x23b0
[ 40.633303]  ntfs_fill_super+0x1761/0x89d2
[ 40.637865]  ? snprintf+0xbb/0xf0
[ 40.642012]  ? vsprintf+0x30/0x30
[ 40.645951]  ? ntfs_remount+0x500/0x500
[ 40.650054]  ? __mutex_add_waiter+0x160/0x160
[ 40.655940]  ? set_blocksize+0x163/0x3f0
[ 40.660603]  mount_bdev+0x2fc/0x3b0
[ 40.664999]  ? ntfs_remount+0x500/0x500
[ 40.670356]  mount_fs+0xa3/0x318
[ 40.673923]  vfs_kern_mount.part.0+0x68/0x470
[ 40.680580]  do_mount+0x51c/0x2f10
[ 40.684556]  ? do_raw_spin_unlock+0x171/0x240
[ 40.689416]  ? check_preemption_disabled+0x41/0x2b0
[ 40.695405]  ? copy_mount_string+0x40/0x40
[ 40.699778]  ? kmem_cache_alloc_trace+0x379/0x4b0
[ 40.704910]  ? copy_mount_options+0x261/0x370
[ 40.710251]  ksys_mount+0xcf/0x130
[ 40.714237]  __x64_sys_mount+0xba/0x150
[ 40.718526]  ? lockdep_hardirqs_on+0x3c1/0x5e0
[ 40.723209]  do_syscall_64+0xf9/0x670
[ 40.727291]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.733188] RIP: 0033:0x44a11a
[ 40.736610] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 1d aa fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 fa a9 fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 40.757281] RSP: 002b:00007ffecff85cc8 EFLAGS: 00000287 ORIG_RAX: 00000000000000a5
[ 40.766544] RAX: ffffffffffffffda RBX: 00007ffecff85d20 RCX: 000000000044a11a
[ 40.775099] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffecff85ce0
[ 40.784746] RBP: 0000000000000004 R08: 00007ffecff85d20 R09: 00007ffecff85d10
[ 40.794364] R10: 0000000000000000 R11: 0000000000000287 R12: 0000000000000003
[ 40.801791] R13: 00007ffecff85ce0 R14: 0000000000000000 R15: 0000000020001fb0
[ 40.810154]
[ 40.811783] Allocated by task 6482:
[ 40.815416]  kmem_cache_alloc+0x126/0x4a0
[ 40.820428]  __alloc_file+0x21/0x330
[ 40.825099]  alloc_empty_file+0x6d/0x170
[ 40.829706]  path_openat+0x12b/0x2e90
[ 40.836464]  do_filp_open+0x18c/0x3f0
[ 40.840447]  do_sys_open+0x3b3/0x520
[ 40.845023]  do_syscall_64+0xf9/0x670
[ 40.849052]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.854981]
[ 40.856936] Freed by task 0:
[ 40.860811]  kmem_cache_free+0x7f/0x2b0
[ 40.865101]  rcu_process_callbacks+0x948/0x1d00
[ 40.870535]  __do_softirq+0x27d/0xad2
[ 40.874815]
[ 40.876756] The buggy address belongs to the object at ffff8880a3e96000
[ 40.876756]  which belongs to the cache filp of size 456
[ 40.889361] The buggy address is located 127 bytes inside of
[ 40.889361]  456-byte region [ffff8880a3e96000, ffff8880a3e961c8)
[ 40.902417] The buggy address belongs to the page:
[ 40.908218] page:ffffea00028fa580 count:1 mapcount:0 mapping:ffff88812c291840 index:0x0
[ 40.918190] flags: 0xfffe0000000100(slab)
[ 40.922663] raw: 00fffe0000000100 ffffea00028df348 ffffea00028c96c8 ffff88812c291840
[ 40.932274] raw: 0000000000000000 ffff8880a3e96000 0000000100000006 0000000000000000
[ 40.940618] page dumped because: kasan: bad access detected
[ 40.946325]
[ 40.947991] Memory state around the buggy address:
[ 40.961286]  ffff8880a3e95f00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 40.970746]  ffff8880a3e95f80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.980216] >ffff8880a3e96000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.987983]                                                                 ^
[ 40.997429]  ffff8880a3e96080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.006560]  ffff8880a3e96100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.014205] ==================================================================
[ 41.022781] Disabling lock debugging due to kernel taint
[ 41.030109] Kernel panic - not syncing: panic_on_warn set ...
[ 41.030109]
[ 41.038537] CPU: 0 PID: 6503 Comm: syz-executor545 Tainted: G B 4.19.148-syzkaller #0
[ 41.049912] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.061530] Call Trace:
[ 41.064378]  dump_stack+0x22c/0x33e
[ 41.068433]  panic+0x2ac/0x565
[ 41.072016]  ? __warn_printk+0xf3/0xf3
[ 41.077468]  ? preempt_schedule_common+0x45/0xc0
[ 41.082593]  ? ___preempt_schedule+0x16/0x18
[ 41.087498]  ? trace_hardirqs_on+0x55/0x210
[ 41.092249]  kasan_end_report+0x43/0x49
[ 41.096491]  kasan_report_error.cold+0x83/0xb9
[ 41.101332]  ? ntfs_attr_find+0xa42/0xb70
[ 41.105893]  __asan_report_load_n_noabort+0x8b/0xa0
[ 41.111881]  ? ntfs_attr_find+0xa42/0xb70
[ 41.117284]  ntfs_attr_find+0xa42/0xb70
[ 41.122133]  ntfs_attr_lookup+0x1087/0x2060
[ 41.127083]  ? do_raw_spin_unlock+0x171/0x240
[ 41.133266]  ? cache_alloc_refill+0x351/0x410
[ 41.138271]  ? guard_bio_eod+0x2de/0x690
[ 41.142672]  ? check_preemption_disabled+0x41/0x2b0
[ 41.148038]  ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0
[ 41.153493]  ? kmem_cache_alloc+0x31b/0x4a0
[ 41.158886]  ntfs_read_inode_mount+0x7e4/0x23b0
[ 41.165069]  ntfs_fill_super+0x1761/0x89d2
[ 41.169849]  ? snprintf+0xbb/0xf0
[ 41.173715]  ? vsprintf+0x30/0x30
[ 41.177520]  ? ntfs_remount+0x500/0x500
[ 41.182008]  ? __mutex_add_waiter+0x160/0x160
[ 41.186993]  ? set_blocksize+0x163/0x3f0
[ 41.191266]  mount_bdev+0x2fc/0x3b0
[ 41.195134]  ? ntfs_remount+0x500/0x500
[ 41.199328]  mount_fs+0xa3/0x318
[ 41.203027]  vfs_kern_mount.part.0+0x68/0x470
[ 41.207968]  do_mount+0x51c/0x2f10
[ 41.211663]  ? do_raw_spin_unlock+0x171/0x240
[ 41.217841]  ? check_preemption_disabled+0x41/0x2b0
[ 41.224710]  ? copy_mount_string+0x40/0x40
[ 41.229459]  ? kmem_cache_alloc_trace+0x379/0x4b0
[ 41.243502]  ? copy_mount_options+0x261/0x370
[ 41.248395]  ksys_mount+0xcf/0x130
[ 41.252402]  __x64_sys_mount+0xba/0x150
[ 41.256745]  ? lockdep_hardirqs_on+0x3c1/0x5e0
[ 41.261758]  do_syscall_64+0xf9/0x670
[ 41.265921]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 41.271504] RIP: 0033:0x44a11a
[ 41.276301] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 1d aa fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 fa a9 fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 41.298933] RSP: 002b:00007ffecff85cc8 EFLAGS: 00000287 ORIG_RAX: 00000000000000a5
[ 41.307079] RAX: ffffffffffffffda RBX: 00007ffecff85d20 RCX: 000000000044a11a
[ 41.316016] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffecff85ce0
[ 41.324556] RBP: 0000000000000004 R08: 00007ffecff85d20 R09: 00007ffecff85d10
[ 41.333953] R10: 0000000000000000 R11: 0000000000000287 R12: 0000000000000003
[ 41.342787] R13: 00007ffecff85ce0 R14: 0000000000000000 R15: 0000000020001fb0
[ 41.351662] Kernel Offset: disabled
[ 41.355457] Rebooting in 86400 seconds..