[ 9.467394] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 14.806841] random: sshd: uninitialized urandom read (32 bytes read)
[ 15.017277] audit: type=1400 audit(1564831962.840:6): avc: denied { map } for pid=1758 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 15.048713] random: sshd: uninitialized urandom read (32 bytes read)
[ 15.536868] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.27' (ECDSA) to the list of known hosts.
[ 21.222638] urandom_read: 1 callbacks suppressed
[ 21.222643] random: sshd: uninitialized urandom read (32 bytes read)
[ 21.319001] audit: type=1400 audit(1564831969.140:7): avc: denied { map } for pid=1776 comm="syz-executor376" path="/root/syz-executor376744530" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 21.350202] audit: type=1400 audit(1564831969.180:8): avc: denied { prog_load } for pid=1776 comm="syz-executor376" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 21.352780] ==================================================================
[ 21.372941] audit: type=1400 audit(1564831969.180:9): avc: denied { prog_run } for pid=1776 comm="syz-executor376" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 21.380095] BUG: KASAN: use-after-free in _copy_to_user+0x9d/0xd0
[ 21.380101] Read of size 924 at addr ffff8881be3ffff3 by task syz-executor376/1776
[ 21.380103]
[ 21.380111] CPU: 1 PID: 1776 Comm: syz-executor376 Not tainted 4.14.135+ #26
[ 21.380114] Call Trace:
[ 21.380126]  dump_stack+0xca/0x134
[ 21.380132]  ? _copy_to_user+0x9d/0xd0
[ 21.380140]  ? _copy_to_user+0x9d/0xd0
[ 21.380148]  print_address_description+0x60/0x226
[ 21.380155]  ? _copy_to_user+0x9d/0xd0
[ 21.380163]  ? _copy_to_user+0x9d/0xd0
[ 21.380170]  __kasan_report.cold+0x1a/0x41
[ 21.380182]  ? _copy_to_user+0x9d/0xd0
[ 21.380193]  ? _copy_to_user+0x9d/0xd0
[ 21.380207]  ? bpf_test_finish.isra.0+0xa7/0x160
[ 21.380215]  ? bpf_test_run+0x340/0x340
[ 21.380236]  ? bpf_prog_test_run_skb+0x528/0x8c0
[ 21.380249]  ? bpf_test_init.isra.0+0xc0/0xc0
[ 21.380260]  ? bpf_prog_add+0x53/0xc0
[ 21.380269]  ? bpf_test_init.isra.0+0xc0/0xc0
[ 21.380280]  ? SyS_bpf+0xa3b/0x3830
[ 21.380295]  ? bpf_prog_get+0x20/0x20
[ 21.498282]  ? __do_page_fault+0x49f/0xbb0
[ 21.502512]  ? lock_downgrade+0x5d0/0x5d0
[ 21.506655]  ? __do_page_fault+0x677/0xbb0
[ 21.510869]  ? do_syscall_64+0x43/0x520
[ 21.514819]  ? bpf_prog_get+0x20/0x20
[ 21.518598]  ? do_syscall_64+0x19b/0x520
[ 21.522642]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 21.527989]
[ 21.529592] The buggy address belongs to the page:
[ 21.534497] page:ffffea0006f8ffc0 count:0 mapcount:0 mapping: (null) index:0x0
[ 21.542699] flags: 0x4000000000000000()
[ 21.546668] raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff
[ 21.554530] raw: ffffea0006f8ffe0 ffffea0006f8ffe0 0000000000000000 0000000000000000
[ 21.562387] page dumped because: kasan: bad access detected
[ 21.568140]
[ 21.569753] Memory state around the buggy address:
[ 21.574727]  ffff8881be3ffe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 21.582072]  ffff8881be3fff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 21.589498] >ffff8881be3fff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 21.596851]                                                              ^
[ 21.603853]  ffff8881be400000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 21.611199]  ffff8881be400080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 21.618545] ==================================================================
[ 21.626001] Disabling lock debugging due to kernel taint
[ 21.631677] Kernel panic - not syncing: panic_on_warn set ...
[ 21.631677]
[ 21.639037] CPU: 1 PID: 1776 Comm: syz-executor376 Tainted: G B 4.14.135+ #26
[ 21.647525] Call Trace:
[ 21.650109]  dump_stack+0xca/0x134
[ 21.653629]  panic+0x1ea/0x3d3
[ 21.656798]  ? add_taint.cold+0x16/0x16
[ 21.660750]  ? _copy_to_user+0x9d/0xd0
[ 21.664614]  ? ___preempt_schedule+0x16/0x18
[ 21.668997]  ? _copy_to_user+0x9d/0xd0
[ 21.672859]  end_report+0x43/0x49
[ 21.676453]  ? _copy_to_user+0x9d/0xd0
[ 21.680343]  __kasan_report.cold+0xd/0x41
[ 21.684473]  ? _copy_to_user+0x9d/0xd0
[ 21.688338]  ? _copy_to_user+0x9d/0xd0
[ 21.692288]  ? bpf_test_finish.isra.0+0xa7/0x160
[ 21.697033]  ? bpf_test_run+0x340/0x340
[ 21.700992]  ? bpf_prog_test_run_skb+0x528/0x8c0
[ 21.705847]  ? bpf_test_init.isra.0+0xc0/0xc0
[ 21.710331]  ? bpf_prog_add+0x53/0xc0
[ 21.714362]  ? bpf_test_init.isra.0+0xc0/0xc0
[ 21.718856]  ? SyS_bpf+0xa3b/0x3830
[ 21.722465]  ? bpf_prog_get+0x20/0x20
[ 21.726254]  ? __do_page_fault+0x49f/0xbb0
[ 21.730483]  ? lock_downgrade+0x5d0/0x5d0
[ 21.739672]  ? __do_page_fault+0x677/0xbb0
[ 21.744188]  ? do_syscall_64+0x43/0x520
[ 21.748151]  ? bpf_prog_get+0x20/0x20
[ 21.751932]  ? do_syscall_64+0x19b/0x520
[ 21.755984]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 21.761826] Kernel Offset: 0x28000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 21.772731] Rebooting in 86400 seconds..