[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 30.121718] random: sshd: uninitialized urandom read (32 bytes read)
[ 30.512652] audit: type=1400 audit(1548128715.467:6): avc: denied { map } for pid=1774 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 30.548453] random: sshd: uninitialized urandom read (32 bytes read)
[ 31.015608] random: sshd: uninitialized urandom read (32 bytes read)
[ 31.164121] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.221' (ECDSA) to the list of known hosts.
[ 36.951602] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.036912] audit: type=1400 audit(1548128721.987:7): avc: denied { map } for pid=1786 comm="syz-executor092" path="/root/syz-executor092137018" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 37.320914] ==================================================================
[ 37.328366] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[ 37.335026] Read of size 8 at addr ffff8881d25813d0 by task syz-executor092/1789
[ 37.342563]
[ 37.344166] CPU: 1 PID: 1789 Comm: syz-executor092 Not tainted 4.14.94+ #12
[ 37.351236] Call Trace:
[ 37.353828]  dump_stack+0xb9/0x10e
[ 37.357344]  ? ip_local_deliver+0x43d/0x450
[ 37.361648]  print_address_description+0x60/0x226
[ 37.366465]  ? ip_local_deliver+0x43d/0x450
[ 37.370760]  kasan_report.cold+0x88/0x2a5
[ 37.374883]  ? ip_local_deliver+0x43d/0x450
[ 37.379177]  ? ip_call_ra_chain+0x540/0x540
[ 37.383500]  ? __lock_acquire+0x56a/0x3fa0
[ 37.387730]  ? ip_rcv+0x99f/0xf7a
[ 37.391177]  ? ip_rcv_finish+0x5c9/0x1490
[ 37.395335]  ? ip_rcv+0x9e2/0xf7a
[ 37.398780]  ? ip_local_deliver+0x450/0x450
[ 37.403093]  ? __lock_acquire+0x56a/0x3fa0
[ 37.407311]  ? check_preemption_disabled+0x35/0x1f0
[ 37.412313]  ? ip_local_deliver+0x450/0x450
[ 37.416724]  ? __netif_receive_skb_core+0x1364/0x2c60
[ 37.421901]  ? trace_hardirqs_on+0x10/0x10
[ 37.426120]  ? flush_backlog+0x580/0x580
[ 37.430297]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 37.435468]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 37.440649]  ? lock_acquire+0x10f/0x380
[ 37.444619]  ? __netif_receive_skb+0x55/0x1f0
[ 37.449099]  ? __netif_receive_skb+0x55/0x1f0
[ 37.453574]  ? netif_receive_skb_internal+0xec/0x5c0
[ 37.458660]  ? dev_cpu_dead+0x810/0x810
[ 37.462632]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 37.468076]  ? rcu_read_lock_sched_held+0x10a/0x130
[ 37.473129]  ? tun_rx_batched.isra.0+0x45d/0x730
[ 37.477871]  ? __skb_get_hash_symmetric+0x255/0x620
[ 37.482861]  ? tun_chr_read_iter+0x1c0/0x1c0
[ 37.487369]  ? tun_get_user+0xc07/0x3790
[ 37.491414]  ? __local_bh_enable_ip+0x65/0xc0
[ 37.495938]  ? tun_get_user+0xd95/0x3790
[ 37.500002]  ? tun_rx_batched.isra.0+0x730/0x730
[ 37.504881]  ? debug_mutex_add_waiter+0x60/0x150
[ 37.509619]  ? __tun_get+0x11c/0x220
[ 37.513312]  ? check_preemption_disabled+0x35/0x1f0
[ 37.518308]  ? tun_chr_write_iter+0xcf/0x180
[ 37.522696]  ? do_iter_readv_writev+0x379/0x580
[ 37.527350]  ? clone_verify_area+0x1e0/0x1e0
[ 37.531737]  ? avc_policy_seqno+0x5/0x10
[ 37.535776]  ? security_file_permission+0x88/0x1e0
[ 37.540793]  ? do_iter_write+0x152/0x550
[ 37.544836]  ? signal_setup_done+0xac/0x270
[ 37.549167]  ? vfs_writev+0x146/0x2d0
[ 37.552981]  ? vfs_iter_write+0xa0/0xa0
[ 37.556942]  ? do_signal+0x488/0x15c0
[ 37.560723]  ? setup_sigcontext+0x810/0x810
[ 37.565021]  ? pgtable_bad+0x110/0x110
[ 37.568903]  ? __bad_area_nosemaphore+0x25f/0x280
[ 37.574385]  ? is_prefetch.isra.0.part.0+0x210/0x330
[ 37.579591]  ? do_writev+0xc9/0x240
[ 37.583229]  ? vfs_writev+0x2d0/0x2d0
[ 37.587052]  ? do_syscall_64+0x43/0x4b0
[ 37.591011]  ? SyS_readv+0x30/0x30
[ 37.594539]  ? do_syscall_64+0x19b/0x4b0
[ 37.598580]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 37.603921]
[ 37.605526] Allocated by task 1789:
[ 37.609170]  kasan_kmalloc.part.0+0x4f/0xd0
[ 37.613593]  kmem_cache_alloc+0xd2/0x2d0
[ 37.617748]  __build_skb+0x2e/0x2d0
[ 37.621355]  build_skb+0x1a/0x1f0
[ 37.624885]  tun_get_user+0x248b/0x3790
[ 37.628883]  tun_chr_write_iter+0xcf/0x180
[ 37.633122]  do_iter_readv_writev+0x379/0x580
[ 37.637689]  do_iter_write+0x152/0x550
[ 37.641667]  vfs_writev+0x146/0x2d0
[ 37.645269]  do_writev+0xc9/0x240
[ 37.648699]  do_syscall_64+0x19b/0x4b0
[ 37.652564]
[ 37.654230] Freed by task 1789:
[ 37.657492]  kasan_slab_free+0xb0/0x190
[ 37.661446]  kmem_cache_free+0xc4/0x330
[ 37.665398]  kfree_skbmem+0xa0/0x100
[ 37.669085]  kfree_skb+0xcd/0x350
[ 37.672519]  ip_defrag+0x5f4/0x3b50
[ 37.676141]  ip_local_deliver+0x165/0x450
[ 37.680263]  ip_rcv_finish+0x5c9/0x1490
[ 37.684218]  ip_rcv+0x9e2/0xf7a
[ 37.687476]  __netif_receive_skb_core+0x1364/0x2c60
[ 37.692486]  __netif_receive_skb+0x55/0x1f0
[ 37.696791]  netif_receive_skb_internal+0xec/0x5c0
[ 37.701700]  tun_rx_batched.isra.0+0x45d/0x730
[ 37.706357]  tun_get_user+0xd95/0x3790
[ 37.710399]  tun_chr_write_iter+0xcf/0x180
[ 37.714716]  do_iter_readv_writev+0x379/0x580
[ 37.719200]  do_iter_write+0x152/0x550
[ 37.723063]  vfs_writev+0x146/0x2d0
[ 37.726663]  do_writev+0xc9/0x240
[ 37.730102]  do_syscall_64+0x19b/0x4b0
[ 37.733958]
[ 37.735555] The buggy address belongs to the object at ffff8881d25813c0
[ 37.735555]  which belongs to the cache skbuff_head_cache of size 224
[ 37.748718] The buggy address is located 16 bytes inside of
[ 37.748718]  224-byte region [ffff8881d25813c0, ffff8881d25814a0)
[ 37.760568] The buggy address belongs to the page:
[ 37.765498] page:ffffea0007496040 count:1 mapcount:0 mapping: (null) index:0x0
[ 37.773795] flags: 0x4000000000000100(slab)
[ 37.778094] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[ 37.785973] raw: 0000000000000000 0000000100000001 ffff8881dab58200 0000000000000000
[ 37.793843] page dumped because: kasan: bad access detected
[ 37.799548]
[ 37.801148] Memory state around the buggy address:
[ 37.806061]  ffff8881d2581280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.813397]  ffff8881d2581300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 37.820983] >ffff8881d2581380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 37.828427]                                                  ^
[ 37.834378]  ffff8881d2581400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.841752]  ffff8881d2581480: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.849090] ==================================================================
[ 37.856458] Disabling lock debugging due to kernel taint
[ 37.861938] Kernel panic - not syncing: panic_on_warn set ...
[ 37.861938]
[ 37.869285] CPU: 1 PID: 1789 Comm: syz-executor092 Tainted: G B 4.14.94+ #12
[ 37.877590] Call Trace:
[ 37.880191]  dump_stack+0xb9/0x10e
[ 37.883717]  panic+0x1d9/0x3c2
[ 37.886890]  ? add_taint.cold+0x16/0x16
[ 37.890837]  ? retint_kernel+0x2d/0x2d
[ 37.894703]  ? ip_local_deliver+0x43d/0x450
[ 37.899113]  kasan_end_report+0x43/0x49
[ 37.903065]  kasan_report.cold+0xa4/0x2a5
[ 37.907209]  ? ip_local_deliver+0x43d/0x450
[ 37.911529]  ? ip_call_ra_chain+0x540/0x540
[ 37.915867]  ? __lock_acquire+0x56a/0x3fa0
[ 37.920083]  ? ip_rcv+0x99f/0xf7a
[ 37.923559]  ? ip_rcv_finish+0x5c9/0x1490
[ 37.927783]  ? ip_rcv+0x9e2/0xf7a
[ 37.931223]  ? ip_local_deliver+0x450/0x450
[ 37.935521]  ? __lock_acquire+0x56a/0x3fa0
[ 37.939739]  ? check_preemption_disabled+0x35/0x1f0
[ 37.944731]  ? ip_local_deliver+0x450/0x450
[ 37.949130]  ? __netif_receive_skb_core+0x1364/0x2c60
[ 37.954299]  ? trace_hardirqs_on+0x10/0x10
[ 37.958510]  ? flush_backlog+0x580/0x580
[ 37.962558]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 37.967768]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 37.972940]  ? lock_acquire+0x10f/0x380
[ 37.976959]  ? __netif_receive_skb+0x55/0x1f0
[ 37.981510]  ? __netif_receive_skb+0x55/0x1f0
[ 37.986077]  ? netif_receive_skb_internal+0xec/0x5c0
[ 37.991164]  ? dev_cpu_dead+0x810/0x810
[ 37.995124]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 38.000549]  ? rcu_read_lock_sched_held+0x10a/0x130
[ 38.005565]  ? tun_rx_batched.isra.0+0x45d/0x730
[ 38.010303]  ? __skb_get_hash_symmetric+0x255/0x620
[ 38.015300]  ? tun_chr_read_iter+0x1c0/0x1c0
[ 38.019697]  ? tun_get_user+0xc07/0x3790
[ 38.023742]  ? __local_bh_enable_ip+0x65/0xc0
[ 38.028278]  ? tun_get_user+0xd95/0x3790
[ 38.032324]  ? tun_rx_batched.isra.0+0x730/0x730
[ 38.037061]  ? debug_mutex_add_waiter+0x60/0x150
[ 38.041799]  ? __tun_get+0x11c/0x220
[ 38.045495]  ? check_preemption_disabled+0x35/0x1f0
[ 38.050506]  ? tun_chr_write_iter+0xcf/0x180
[ 38.054905]  ? do_iter_readv_writev+0x379/0x580
[ 38.059554]  ? clone_verify_area+0x1e0/0x1e0
[ 38.063938]  ? avc_policy_seqno+0x5/0x10
[ 38.068003]  ? security_file_permission+0x88/0x1e0
[ 38.072903]  ? do_iter_write+0x152/0x550
[ 38.076938]  ? signal_setup_done+0xac/0x270
[ 38.081232]  ? vfs_writev+0x146/0x2d0
[ 38.085007]  ? vfs_iter_write+0xa0/0xa0
[ 38.088955]  ? do_signal+0x488/0x15c0
[ 38.092731]  ? setup_sigcontext+0x810/0x810
[ 38.097025]  ? pgtable_bad+0x110/0x110
[ 38.100883]  ? __bad_area_nosemaphore+0x25f/0x280
[ 38.105852]  ? is_prefetch.isra.0.part.0+0x210/0x330
[ 38.110935]  ? do_writev+0xc9/0x240
[ 38.114551]  ? vfs_writev+0x2d0/0x2d0
[ 38.118325]  ? do_syscall_64+0x43/0x4b0
[ 38.122271]  ? SyS_readv+0x30/0x30
[ 38.125791]  ? do_syscall_64+0x19b/0x4b0
[ 38.129830]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 38.135497] Kernel Offset: 0xea00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 38.146301] Rebooting in 86400 seconds..