[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   19.429768] random: sshd: uninitialized urandom read (32 bytes read)
[   19.920607] random: sshd: uninitialized urandom read (32 bytes read)
[   20.169145] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   20.940972] random: sshd: uninitialized urandom read (32 bytes read)
[   21.096679] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.47' (ECDSA) to the list of known hosts.
[   26.490550] random: sshd: uninitialized urandom read (32 bytes read)
2018/05/26 20:14:16 parsed 1 programs
2018/05/26 20:14:16 executed programs: 0
[   27.016232] IPVS: ftp: loaded support on port[0] = 21
[   27.145395] bridge0: port 1(bridge_slave_0) entered blocking state
[   27.151844] bridge0: port 1(bridge_slave_0) entered disabled state
[   27.159250] device bridge_slave_0 entered promiscuous mode
[   27.175380] bridge0: port 2(bridge_slave_1) entered blocking state
[   27.181762] bridge0: port 2(bridge_slave_1) entered disabled state
[   27.188845] device bridge_slave_1 entered promiscuous mode
[   27.204161] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   27.220065] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   27.260773] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   27.278547] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   27.339642] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   27.346860] team0: Port device team_slave_0 added
[   27.361717] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   27.368792] team0: Port device team_slave_1 added
[   27.383611] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   27.400764] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   27.418457] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   27.436526] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   27.550677] bridge0: port 2(bridge_slave_1) entered blocking state
[   27.557130] bridge0: port 2(bridge_slave_1) entered forwarding state
[   27.564266] bridge0: port 1(bridge_slave_0) entered blocking state
[   27.570832] bridge0: port 1(bridge_slave_0) entered forwarding state
[   27.972940] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   27.979060] 8021q: adding VLAN 0 to HW filter on device bond0
[   28.021490] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   28.063557] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   28.071469] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   28.109538] 8021q: adding VLAN 0 to HW filter on device team0
[   28.359024] ==================================================================
[   28.366532] BUG: KASAN: use-after-free in nla_strlcpy+0x13d/0x150
[   28.372765] Read of size 1 at addr ffff8801cb27a51d by task syz-executor0/4763
[   28.380101] 
[   28.381714] CPU: 0 PID: 4763 Comm: syz-executor0 Not tainted 4.17.0-rc6+ #93
[   28.388964] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.398306] Call Trace:
[   28.400885]  dump_stack+0x1b9/0x294
[   28.404496]  ? dump_stack_print_info.cold.2+0x52/0x52
[   28.409674]  ? printk+0x9e/0xba
[   28.412942]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   28.417684]  ? kasan_check_write+0x14/0x20
[   28.421910]  print_address_description+0x6c/0x20b
[   28.426738]  ? nla_strlcpy+0x13d/0x150
[   28.430611]  kasan_report.cold.7+0x242/0x2fe
[   28.435014]  __asan_report_load1_noabort+0x14/0x20
[   28.439933]  nla_strlcpy+0x13d/0x150
[   28.443634]  nfnl_acct_new+0x574/0xc50
[   28.447504]  ? nfnl_acct_overquota+0x380/0x380
[   28.452074]  ? debug_check_no_locks_freed+0x310/0x310
[   28.457247]  ? graph_lock+0x170/0x170
[   28.461042]  ? print_usage_bug+0xc0/0xc0
[   28.465088]  ? get_futex_key+0xf83/0x1e90
[   28.469222]  ? find_held_lock+0x36/0x1c0
[   28.473267]  ? graph_lock+0x170/0x170
[   28.477054]  ? lock_downgrade+0x8e0/0x8e0
[   28.481370]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.486892]  ? __lock_is_held+0xb5/0x140
[   28.490941]  ? nfnl_acct_overquota+0x380/0x380
[   28.495507]  nfnetlink_rcv_msg+0xdb5/0xff0
[   28.499738]  ? __lock_is_held+0xb5/0x140
[   28.503790]  ? __sanitizer_cov_trace_cmp1+0x17/0x20
[   28.508891]  ? nfnetlink_rcv_msg+0x3bc/0xff0
[   28.513307]  ? nfnetlink_bind+0x3a0/0x3a0
[   28.517445]  ? graph_lock+0x170/0x170
[   28.521229]  ? find_held_lock+0x36/0x1c0
[   28.525279]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.530813]  netlink_rcv_skb+0x172/0x440
[   28.534863]  ? nfnetlink_bind+0x3a0/0x3a0
[   28.538994]  ? netlink_ack+0xbc0/0xbc0
[   28.542875]  ? __netlink_ns_capable+0x100/0x130
[   28.547530]  nfnetlink_rcv+0x1fe/0x1ba0
[   28.551500]  ? kasan_check_read+0x11/0x20
[   28.555644]  ? rcu_is_watching+0x85/0x140
[   28.559779]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   28.564960]  ? nfnl_err_reset+0x2d0/0x2d0
[   28.569106]  ? netlink_remove_tap+0x610/0x610
[   28.573610]  ? refcount_add_not_zero+0x320/0x320
[   28.578368]  ? kasan_check_read+0x11/0x20
[   28.582500]  ? rcu_is_watching+0x85/0x140
[   28.586631]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   28.591815]  ? netlink_skb_destructor+0x210/0x210
[   28.596652]  ? kasan_check_write+0x14/0x20
[   28.600893]  netlink_unicast+0x58b/0x740
[   28.604954]  ? netlink_attachskb+0x970/0x970
[   28.609364]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.614897]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   28.619904]  ? security_netlink_send+0x88/0xb0
[   28.624484]  netlink_sendmsg+0x9f0/0xfa0
[   28.628532]  ? netlink_unicast+0x740/0x740
[   28.632750]  ? pud_val+0x80/0xf0
[   28.636101]  ? security_socket_sendmsg+0x94/0xc0
[   28.640864]  ? netlink_unicast+0x740/0x740
[   28.645085]  sock_sendmsg+0xd5/0x120
[   28.648786]  sock_write_iter+0x35a/0x5a0
[   28.652831]  ? sock_sendmsg+0x120/0x120
[   28.656796]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   28.661549]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   28.667073]  ? iov_iter_init+0xc9/0x1f0
[   28.671043]  __vfs_write+0x64d/0x960
[   28.674756]  ? kernel_read+0x120/0x120
[   28.678632]  ? handle_mm_fault+0x8c0/0xc70
[   28.682863]  ? rw_verify_area+0x118/0x360
[   28.686994]  vfs_write+0x1f8/0x560
[   28.690523]  ksys_write+0xf9/0x250
[   28.694046]  ? __ia32_sys_read+0xb0/0xb0
[   28.698613]  ? mm_fault_error+0x380/0x380
[   28.702756]  __ia32_sys_write+0x71/0xb0
[   28.706725]  do_fast_syscall_32+0x345/0xf9b
[   28.711038]  ? do_int80_syscall_32+0x880/0x880
[   28.715606]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   28.720347]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.725870]  ? syscall_return_slowpath+0x30f/0x5c0
[   28.730784]  ? sysret32_from_system_call+0x5/0x46
[   28.735611]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   28.740438]  entry_SYSENTER_compat+0x70/0x7f
[   28.744829] RIP: 0023:0xf7f34cb9
[   28.748175] RSP: 002b:00000000ffe404cc EFLAGS: 00000282 ORIG_RAX: 0000000000000004
[   28.755867] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020390000
[   28.763116] RDX: 000000000000001f RSI: 0000000000000000 RDI: 0000000000000000
[   28.770367] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   28.777617] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[   28.784868] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   28.792124] 
[   28.793732] Allocated by task 3949:
[   28.797346]  save_stack+0x43/0xd0
[   28.800777]  kasan_kmalloc+0xc4/0xe0
[   28.804471]  kasan_slab_alloc+0x12/0x20
[   28.808427]  kmem_cache_alloc+0x12e/0x760
[   28.812559]  anon_vma_fork+0x2c8/0x950
[   28.816428]  copy_process.part.38+0x2eff/0x6e70
[   28.821077]  _do_fork+0x291/0x12a0
[   28.824601]  __x64_sys_clone+0xbf/0x150
[   28.828556]  do_syscall_64+0x1b1/0x800
[   28.832427]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   28.837590] 
[   28.839196] Freed by task 3950:
[   28.842457]  save_stack+0x43/0xd0
[   28.845891]  __kasan_slab_free+0x11a/0x170
[   28.850124]  kasan_slab_free+0xe/0x10
[   28.853904]  kmem_cache_free+0x86/0x2d0
[   28.857860]  unlink_anon_vmas+0x5e8/0xa40
[   28.861988]  free_pgtables+0x271/0x380
[   28.865859]  exit_mmap+0x2c9/0x5a0
[   28.869389]  mmput+0x251/0x610
[   28.872568]  flush_old_exec+0xb94/0x20e0
[   28.876609]  load_elf_binary+0xa33/0x5610
[   28.880734]  search_binary_handler+0x17d/0x570
[   28.885299]  do_execveat_common.isra.34+0x16ce/0x2590
[   28.890471]  __x64_sys_execve+0x8d/0xb0
[   28.894427]  do_syscall_64+0x1b1/0x800
[   28.898300]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   28.903550] 
[   28.905162] The buggy address belongs to the object at ffff8801cb27a4e0
[   28.905162]  which belongs to the cache anon_vma_chain of size 64
[   28.917972] The buggy address is located 61 bytes inside of
[   28.917972]  64-byte region [ffff8801cb27a4e0, ffff8801cb27a520)
[   28.929660] The buggy address belongs to the page:
[   28.934579] page:ffffea00072c9e80 count:1 mapcount:0 mapping:ffff8801cb27a000 index:0x0
[   28.942707] flags: 0x2fffc0000000100(slab)
[   28.946926] raw: 02fffc0000000100 ffff8801cb27a000 0000000000000000 000000010000002a
[   28.954799] raw: ffffea0006fe5b20 ffffea0006f2ce60 ffff8801da94a500 0000000000000000
[   28.962669] page dumped because: kasan: bad access detected
[   28.968355] 
[   28.969959] Memory state around the buggy address:
[   28.974876]  ffff8801cb27a400: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
[   28.982216]  ffff8801cb27a480: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
[   28.989560] >ffff8801cb27a500: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
[   28.996895]                             ^
[   29.001029]  ffff8801cb27a580: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
[   29.008373]  ffff8801cb27a600: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
[   29.015708] ==================================================================
[   29.023044] Disabling lock debugging due to kernel taint
[   29.029609] Kernel panic - not syncing: panic_on_warn set ...
[   29.029609] 
[   29.036992] CPU: 0 PID: 4763 Comm: syz-executor0 Tainted: G    B             4.17.0-rc6+ #93
[   29.045555] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.054888] Call Trace:
[   29.057476]  dump_stack+0x1b9/0x294
[   29.061092]  ? dump_stack_print_info.cold.2+0x52/0x52
[   29.066270]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.071020]  ? nla_strlcpy+0x70/0x150
[   29.074823]  panic+0x22f/0x4de
[   29.077995]  ? add_taint.cold.5+0x16/0x16
[   29.082129]  ? do_raw_spin_unlock+0x9e/0x2e0
[   29.086525]  ? do_raw_spin_unlock+0x9e/0x2e0
[   29.090912]  ? nla_strlcpy+0x13d/0x150
[   29.094779]  kasan_end_report+0x47/0x4f
[   29.098733]  kasan_report.cold.7+0x76/0x2fe
[   29.103043]  __asan_report_load1_noabort+0x14/0x20
[   29.107954]  nla_strlcpy+0x13d/0x150
[   29.111646]  nfnl_acct_new+0x574/0xc50
[   29.115511]  ? nfnl_acct_overquota+0x380/0x380
[   29.120079]  ? debug_check_no_locks_freed+0x310/0x310
[   29.125250]  ? graph_lock+0x170/0x170
[   29.129037]  ? print_usage_bug+0xc0/0xc0
[   29.133077]  ? get_futex_key+0xf83/0x1e90
[   29.137297]  ? find_held_lock+0x36/0x1c0
[   29.141342]  ? graph_lock+0x170/0x170
[   29.145124]  ? lock_downgrade+0x8e0/0x8e0
[   29.149255]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.154866]  ? __lock_is_held+0xb5/0x140
[   29.158918]  ? nfnl_acct_overquota+0x380/0x380
[   29.163478]  nfnetlink_rcv_msg+0xdb5/0xff0
[   29.167691]  ? __lock_is_held+0xb5/0x140
[   29.171743]  ? __sanitizer_cov_trace_cmp1+0x17/0x20
[   29.176738]  ? nfnetlink_rcv_msg+0x3bc/0xff0
[   29.181126]  ? nfnetlink_bind+0x3a0/0x3a0
[   29.185264]  ? graph_lock+0x170/0x170
[   29.189055]  ? find_held_lock+0x36/0x1c0
[   29.193107]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.198632]  netlink_rcv_skb+0x172/0x440
[   29.202685]  ? nfnetlink_bind+0x3a0/0x3a0
[   29.206815]  ? netlink_ack+0xbc0/0xbc0
[   29.210697]  ? __netlink_ns_capable+0x100/0x130
[   29.215349]  nfnetlink_rcv+0x1fe/0x1ba0
[   29.219308]  ? kasan_check_read+0x11/0x20
[   29.223440]  ? rcu_is_watching+0x85/0x140
[   29.227571]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   29.232743]  ? nfnl_err_reset+0x2d0/0x2d0
[   29.236881]  ? netlink_remove_tap+0x610/0x610
[   29.241361]  ? refcount_add_not_zero+0x320/0x320
[   29.246096]  ? kasan_check_read+0x11/0x20
[   29.250224]  ? rcu_is_watching+0x85/0x140
[   29.254354]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   29.259533]  ? netlink_skb_destructor+0x210/0x210
[   29.264367]  ? kasan_check_write+0x14/0x20
[   29.268585]  netlink_unicast+0x58b/0x740
[   29.272632]  ? netlink_attachskb+0x970/0x970
[   29.277035]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.282554]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   29.287552]  ? security_netlink_send+0x88/0xb0
[   29.292115]  netlink_sendmsg+0x9f0/0xfa0
[   29.296163]  ? netlink_unicast+0x740/0x740
[   29.300375]  ? pud_val+0x80/0xf0
[   29.303722]  ? security_socket_sendmsg+0x94/0xc0
[   29.308456]  ? netlink_unicast+0x740/0x740
[   29.312674]  sock_sendmsg+0xd5/0x120
[   29.316374]  sock_write_iter+0x35a/0x5a0
[   29.320418]  ? sock_sendmsg+0x120/0x120
[   29.324371]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   29.329195]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   29.334711]  ? iov_iter_init+0xc9/0x1f0
[   29.338667]  __vfs_write+0x64d/0x960
[   29.342367]  ? kernel_read+0x120/0x120
[   29.346237]  ? handle_mm_fault+0x8c0/0xc70
[   29.350452]  ? rw_verify_area+0x118/0x360
[   29.354578]  vfs_write+0x1f8/0x560
[   29.358096]  ksys_write+0xf9/0x250
[   29.361618]  ? __ia32_sys_read+0xb0/0xb0
[   29.365656]  ? mm_fault_error+0x380/0x380
[   29.369801]  __ia32_sys_write+0x71/0xb0
[   29.373771]  do_fast_syscall_32+0x345/0xf9b
[   29.378072]  ? do_int80_syscall_32+0x880/0x880
[   29.382632]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.387373]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.392905]  ? syscall_return_slowpath+0x30f/0x5c0
[   29.397829]  ? sysret32_from_system_call+0x5/0x46
[   29.402680]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   29.407513]  entry_SYSENTER_compat+0x70/0x7f
[   29.411915] RIP: 0023:0xf7f34cb9
[   29.415261] RSP: 002b:00000000ffe404cc EFLAGS: 00000282 ORIG_RAX: 0000000000000004
[   29.422957] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020390000
[   29.430205] RDX: 000000000000001f RSI: 0000000000000000 RDI: 0000000000000000
[   29.437459] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   29.444706] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[   29.451953] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   29.459699] Dumping ftrace buffer:
[   29.463224]    (ftrace buffer empty)
[   29.466911] Kernel Offset: disabled
[   29.470514] Rebooting in 86400 seconds..