[ ok ] Starting file context maintaining daemon: restorecond. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 17.002942] random: sshd: uninitialized urandom read (32 bytes read) [ 17.293639] audit: type=1400 audit(1565882834.289:6): avc: denied { map } for pid=1778 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 [ 17.342162] random: sshd: uninitialized urandom read (32 bytes read) [ 17.894834] random: sshd: uninitialized urandom read (32 bytes read) [ 19.674344] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.50' (ECDSA) to the list of known hosts. [ 25.345841] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 25.444374] audit: type=1400 audit(1565882842.439:7): avc: denied { map } for pid=1796 comm="syz-executor124" path="/root/syz-executor124186621" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 25.472051] audit: type=1400 audit(1565882842.449:8): avc: denied { prog_load } for pid=1796 comm="syz-executor124" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1 [ 25.495014] audit: type=1400 audit(1565882842.489:9): avc: denied { prog_run } for pid=1796 comm="syz-executor124" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1 [ 25.495082] ================================================================== [ 25.524818] BUG: KASAN: use-after-free in bpf_skb_change_tail+0xa62/0xb80 [ 25.532222] Read of size 8 at addr ffff8881d9c781d0 by task syz-executor124/1796 [ 25.539827] [ 25.541581] CPU: 0 PID: 1796 Comm: 
syz-executor124 Not tainted 4.14.138+ #32 [ 25.548822] Call Trace: [ 25.551400] dump_stack+0xca/0x134 [ 25.554939] ? bpf_skb_change_tail+0xa62/0xb80 [ 25.559688] ? bpf_skb_change_tail+0xa62/0xb80 [ 25.564452] ? bpf_skb_vlan_pop+0x520/0x520 [ 25.568797] print_address_description+0x60/0x226 [ 25.573655] ? bpf_skb_change_tail+0xa62/0xb80 [ 25.578430] ? bpf_skb_change_tail+0xa62/0xb80 [ 25.583035] ? bpf_skb_vlan_pop+0x520/0x520 [ 25.587341] __kasan_report.cold+0x1a/0x41 [ 25.591560] ? bpf_skb_change_tail+0xa62/0xb80 [ 25.596279] bpf_skb_change_tail+0xa62/0xb80 [ 25.600675] ? deref_stack_reg+0xaa/0xe0 [ 25.604727] ? bpf_skb_vlan_pop+0x520/0x520 [ 25.609123] ___bpf_prog_run+0x2478/0x5510 [ 25.613405] ? lock_downgrade+0x5d0/0x5d0 [ 25.617544] ? lock_acquire+0x12b/0x360 [ 25.621558] ? bpf_jit_compile+0x30/0x30 [ 25.625717] ? __bpf_prog_run512+0x99/0xe0 [ 25.630093] ? ___bpf_prog_run+0x5510/0x5510 [ 25.634496] ? _raw_spin_unlock_irqrestore+0x54/0x70 [ 25.639733] ? trace_hardirqs_on_caller+0x37b/0x540 [ 25.645012] ? __lock_acquire+0x5d7/0x4320 [ 25.649338] ? __lock_acquire+0x5d7/0x4320 [ 25.653772] ? __kasan_kmalloc.part.0+0x8a/0xc0 [ 25.658446] ? trace_hardirqs_on+0x10/0x10 [ 25.662710] ? __lock_acquire+0x5d7/0x4320 [ 25.667047] ? bpf_test_run+0x42/0x340 [ 25.670933] ? lock_acquire+0x12b/0x360 [ 25.675087] ? bpf_test_run+0x13a/0x340 [ 25.679088] ? check_preemption_disabled+0x35/0x1f0 [ 25.684096] ? rcu_dynticks_curr_cpu_in_eqs+0x4c/0xa0 [ 25.689607] ? bpf_test_run+0xa8/0x340 [ 25.693487] ? bpf_prog_test_run_skb+0x638/0x8c0 [ 25.698232] ? bpf_test_init.isra.0+0xc0/0xc0 [ 25.702720] ? bpf_prog_add+0x53/0xc0 [ 25.706523] ? bpf_test_init.isra.0+0xc0/0xc0 [ 25.711005] ? SyS_bpf+0xa3b/0x3830 [ 25.714617] ? bpf_prog_get+0x20/0x20 [ 25.718656] ? __do_page_fault+0x49f/0xbb0 [ 25.723027] ? lock_downgrade+0x5d0/0x5d0 [ 25.727174] ? __do_page_fault+0x677/0xbb0 [ 25.731486] ? do_syscall_64+0x43/0x520 [ 25.735446] ? bpf_prog_get+0x20/0x20 [ 25.739393] ? 
do_syscall_64+0x19b/0x520 [ 25.743442] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 25.748966] [ 25.750576] Allocated by task 1794: [ 25.754188] __kasan_kmalloc.part.0+0x53/0xc0 [ 25.758669] kmem_cache_alloc+0xd2/0x2e0 [ 25.762793] skb_clone+0x124/0x370 [ 25.766323] dev_queue_xmit_nit+0x2f3/0x970 [ 25.770799] dev_hard_start_xmit+0xa3/0x8c0 [ 25.775108] sch_direct_xmit+0x27a/0x520 [ 25.779153] __dev_queue_xmit+0x1594/0x1d00 [ 25.783469] ip_finish_output2+0x9fe/0x12f0 [ 25.787880] ip_finish_output+0x3be/0xc80 [ 25.792143] ip_output+0x1cf/0x520 [ 25.795786] ip_local_out+0x98/0x170 [ 25.799487] ip_queue_xmit+0x7ca/0x1a70 [ 25.803554] __tcp_transmit_skb+0x18bc/0x2e20 [ 25.808067] tcp_write_xmit+0x510/0x4680 [ 25.812116] __tcp_push_pending_frames+0xa0/0x230 [ 25.816944] tcp_push+0x402/0x600 [ 25.820380] tcp_sendmsg_locked+0x2684/0x31e0 [ 25.825021] tcp_sendmsg+0x2b/0x40 [ 25.828652] inet_sendmsg+0x15b/0x520 [ 25.832439] sock_sendmsg+0xb7/0x100 [ 25.836193] sock_write_iter+0x20f/0x360 [ 25.840280] __vfs_write+0x401/0x5a0 [ 25.843984] vfs_write+0x17f/0x4d0 [ 25.847502] SyS_write+0x102/0x250 [ 25.851082] do_syscall_64+0x19b/0x520 [ 25.854959] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 25.860217] 0xffffffffffffffff [ 25.863490] [ 25.865098] Freed by task 1794: [ 25.868364] __kasan_slab_free+0x164/0x210 [ 25.872625] kmem_cache_free+0xcb/0x340 [ 25.876709] kfree_skbmem+0xa0/0x110 [ 25.880517] kfree_skb+0xeb/0x370 [ 25.883955] packet_rcv_spkt+0xd5/0x4d0 [ 25.887914] dev_queue_xmit_nit+0x6e1/0x970 [ 25.892219] dev_hard_start_xmit+0xa3/0x8c0 [ 25.896522] sch_direct_xmit+0x27a/0x520 [ 25.900700] __dev_queue_xmit+0x1594/0x1d00 [ 25.905202] ip_finish_output2+0x9fe/0x12f0 [ 25.909508] ip_finish_output+0x3be/0xc80 [ 25.913637] ip_output+0x1cf/0x520 [ 25.917264] ip_local_out+0x98/0x170 [ 25.920988] ip_queue_xmit+0x7ca/0x1a70 [ 25.925242] __tcp_transmit_skb+0x18bc/0x2e20 [ 25.929731] tcp_write_xmit+0x510/0x4680 [ 25.933780] __tcp_push_pending_frames+0xa0/0x230 [ 25.938633] 
tcp_push+0x402/0x600 [ 25.942073] tcp_sendmsg_locked+0x2684/0x31e0 [ 25.946611] tcp_sendmsg+0x2b/0x40 [ 25.950143] inet_sendmsg+0x15b/0x520 [ 25.953937] sock_sendmsg+0xb7/0x100 [ 25.957759] sock_write_iter+0x20f/0x360 [ 25.961914] __vfs_write+0x401/0x5a0 [ 25.965778] vfs_write+0x17f/0x4d0 [ 25.969299] SyS_write+0x102/0x250 [ 25.972981] do_syscall_64+0x19b/0x520 [ 25.977115] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 25.982347] 0xffffffffffffffff [ 25.985611] [ 25.987272] The buggy address belongs to the object at ffff8881d9c78140 [ 25.987272] which belongs to the cache skbuff_head_cache of size 224 [ 26.000623] The buggy address is located 144 bytes inside of [ 26.000623] 224-byte region [ffff8881d9c78140, ffff8881d9c78220) [ 26.012799] The buggy address belongs to the page: [ 26.017726] page:ffffea0007671e00 count:1 mapcount:0 mapping: (null) index:0x0 [ 26.026185] flags: 0x4000000000000200(slab) [ 26.030572] raw: 4000000000000200 0000000000000000 0000000000000000 00000001800c000c [ 26.038541] raw: dead000000000100 dead000000000200 ffff8881dab70200 0000000000000000 [ 26.046582] page dumped because: kasan: bad access detected [ 26.052708] [ 26.054391] Memory state around the buggy address: [ 26.059303] ffff8881d9c78080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 26.066927] ffff8881d9c78100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 26.074273] >ffff8881d9c78180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.081841] ^ [ 26.087932] ffff8881d9c78200: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc [ 26.095317] ffff8881d9c78280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.102661] ================================================================== [ 26.110052] Disabling lock debugging due to kernel taint [ 26.116304] Kernel panic - not syncing: panic_on_warn set ... 
[ 26.116304] [ 26.123674] CPU: 0 PID: 1796 Comm: syz-executor124 Tainted: G B 4.14.138+ #32 [ 26.132054] Call Trace: [ 26.134731] dump_stack+0xca/0x134 [ 26.138258] panic+0x1ea/0x3d3 [ 26.141493] ? add_taint.cold+0x16/0x16 [ 26.145461] ? bpf_skb_change_tail+0xa62/0xb80 [ 26.150125] ? bpf_skb_vlan_pop+0x520/0x520 [ 26.154434] end_report+0x43/0x49 [ 26.157876] ? bpf_skb_change_tail+0xa62/0xb80 [ 26.162441] __kasan_report.cold+0xd/0x41 [ 26.166579] ? bpf_skb_change_tail+0xa62/0xb80 [ 26.171145] bpf_skb_change_tail+0xa62/0xb80 [ 26.175540] ? deref_stack_reg+0xaa/0xe0 [ 26.179689] ? bpf_skb_vlan_pop+0x520/0x520 [ 26.183997] ___bpf_prog_run+0x2478/0x5510 [ 26.188211] ? lock_downgrade+0x5d0/0x5d0 [ 26.192440] ? lock_acquire+0x12b/0x360 [ 26.196395] ? bpf_jit_compile+0x30/0x30 [ 26.200442] ? __bpf_prog_run512+0x99/0xe0 [ 26.204661] ? ___bpf_prog_run+0x5510/0x5510 [ 26.209056] ? _raw_spin_unlock_irqrestore+0x54/0x70 [ 26.214140] ? trace_hardirqs_on_caller+0x37b/0x540 [ 26.219151] ? __lock_acquire+0x5d7/0x4320 [ 26.223522] ? __lock_acquire+0x5d7/0x4320 [ 26.227746] ? __kasan_kmalloc.part.0+0x8a/0xc0 [ 26.232642] ? trace_hardirqs_on+0x10/0x10 [ 26.236862] ? __lock_acquire+0x5d7/0x4320 [ 26.241145] ? bpf_test_run+0x42/0x340 [ 26.245029] ? lock_acquire+0x12b/0x360 [ 26.248986] ? bpf_test_run+0x13a/0x340 [ 26.252958] ? check_preemption_disabled+0x35/0x1f0 [ 26.258028] ? rcu_dynticks_curr_cpu_in_eqs+0x4c/0xa0 [ 26.263203] ? bpf_test_run+0xa8/0x340 [ 26.267158] ? bpf_prog_test_run_skb+0x638/0x8c0 [ 26.271897] ? bpf_test_init.isra.0+0xc0/0xc0 [ 26.276391] ? bpf_prog_add+0x53/0xc0 [ 26.280176] ? bpf_test_init.isra.0+0xc0/0xc0 [ 26.284651] ? SyS_bpf+0xa3b/0x3830 [ 26.288260] ? bpf_prog_get+0x20/0x20 [ 26.292045] ? __do_page_fault+0x49f/0xbb0 [ 26.296258] ? lock_downgrade+0x5d0/0x5d0 [ 26.300393] ? __do_page_fault+0x677/0xbb0 [ 26.304608] ? do_syscall_64+0x43/0x520 [ 26.308562] ? bpf_prog_get+0x20/0x20 [ 26.312468] ? do_syscall_64+0x19b/0x520 [ 26.316510] ? 
entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 26.322198] Kernel Offset: 0x200000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 26.332927] Rebooting in 86400 seconds..