[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   14.924702] random: sshd: uninitialized urandom read (32 bytes read)
[   15.087999] audit: type=1400 audit(1536376830.511:6): avc: denied { map } for pid=1759 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   15.131287] random: sshd: uninitialized urandom read (32 bytes read)
[   15.576042] random: sshd: uninitialized urandom read (32 bytes read)
[   46.108241] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.19' (ECDSA) to the list of known hosts.
[   51.695150] random: sshd: uninitialized urandom read (32 bytes read)
[   51.790938] audit: type=1400 audit(1536376867.221:7): avc: denied { map } for pid=1795 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2018/09/08 03:21:07 parsed 1 programs
[   52.264477] audit: type=1400 audit(1536376867.691:8): avc: denied { map } for pid=1795 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=4999 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[   52.713208] random: cc1: uninitialized urandom read (8 bytes read)
2018/09/08 03:21:09 executed programs: 0
[   53.650091] audit: type=1400 audit(1536376869.071:9): avc: denied { map } for pid=1795 comm="syz-execprog" path="/root/syzkaller-shm331623110" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[   55.795803] ip (2799) used greatest stack depth: 24296 bytes left
[   56.902572] ip (3218) used greatest stack depth: 24232 bytes left
[   62.393381] audit: type=1400 audit(1536376877.821:10): avc: denied { prog_load } for pid=5153 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[   62.443532] ==================================================================
[   62.443556] BUG: KASAN: use-after-free in _copy_to_user+0x9a/0xc0
[   62.443563] Read of size 1368 at addr ffff8801c0bffffc by task syz-executor4/5156
[   62.443565]
[   62.443573] CPU: 0 PID: 5156 Comm: syz-executor4 Not tainted 4.14.68+ #4
[   62.443576] Call Trace:
[   62.443587]  dump_stack+0xb9/0x11b
[   62.443602]  print_address_description+0x60/0x22b
[   62.443614]  kasan_report.cold.6+0x11b/0x2dd
[   62.443621]  ? _copy_to_user+0x9a/0xc0
[   62.443632]  _copy_to_user+0x9a/0xc0
[   62.443645]  bpf_test_finish.isra.0+0xc8/0x190
[   62.443654]  ? bpf_test_run+0x350/0x350
[   62.443665]  ? kvm_clock_read+0x1f/0x30
[   62.443673]  ? ktime_get+0x17f/0x1c0
[   62.443687]  ? bpf_test_run+0x280/0x350
[   62.443708]  bpf_prog_test_run_skb+0x4d0/0x8c0
[   62.443722]  ? bpf_test_init.isra.1+0xc0/0xc0
[   62.443734]  ? __fget_light+0x192/0x1f0
[   62.443742]  ? bpf_prog_add+0x42/0xa0
[   62.443748]  ? fput+0xa/0x130
[   62.443759]  ? bpf_test_init.isra.1+0xc0/0xc0
[   62.443768]  SyS_bpf+0x79d/0x3640
[   62.443784]  ? bpf_prog_get+0x20/0x20
[   62.443797]  ? SyS_futex+0x1b7/0x2b5
[   62.443804]  ? SyS_futex+0x1c0/0x2b5
[   62.443817]  ? do_futex+0x17b0/0x17b0
[   62.443828]  ? up_read+0x17/0x30
[   62.443836]  ? __do_page_fault+0x64c/0xb60
[   62.443849]  ? do_syscall_64+0x43/0x4b0
[   62.443861]  ? bpf_prog_get+0x20/0x20
[   62.443866]  do_syscall_64+0x19b/0x4b0
[   62.443883]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   62.443889] RIP: 0033:0x457099
[   62.443893] RSP: 002b:00007f5351cfec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
[   62.443901] RAX: ffffffffffffffda RBX: 00007f5351cff6d4 RCX: 0000000000457099
[   62.443906] RDX: 0000000000000028 RSI: 0000000020000180 RDI: 000000000000000a
[   62.443911] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[   62.443915] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[   62.443919] R13: 00000000004cb8c0 R14: 00000000004c3289 R15: 0000000000000000
[   62.443941]
[   62.443944] The buggy address belongs to the page:
[   62.443950] page:ffffea000702ffc0 count:0 mapcount:0 mapping:          (null) index:0x0
[   62.443956] flags: 0x4000000000000000()
[   62.443965] raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff
[   62.443973] raw: ffffea000702ffe0 ffffea000702ffe0 0000000000000000 0000000000000000
[   62.443975] page dumped because: kasan: bad access detected
[   62.443977]
[   62.443979] Memory state around the buggy address:
[   62.443985]  ffff8801c0bffe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   62.443990]  ffff8801c0bfff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   62.443995] >ffff8801c0bfff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   62.443998]                                                                 ^
[   62.444003]  ffff8801c0c00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   62.444008]  ffff8801c0c00080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   62.444011] ==================================================================
[   62.444013] Disabling lock debugging due to kernel taint
[   62.444016] Kernel panic - not syncing: panic_on_warn set ...
[   62.444016]
[   62.444024] CPU: 0 PID: 5156 Comm: syz-executor4 Tainted: G B 4.14.68+ #4
[   62.444026] Call Trace:
[   62.444034]  dump_stack+0xb9/0x11b
[   62.444043]  panic+0x1bf/0x3a4
[   62.444050]  ? add_taint.cold.4+0x16/0x16
[   62.444065]  kasan_end_report+0x43/0x49
[   62.444073]  kasan_report.cold.6+0x77/0x2dd
[   62.444078]  ? _copy_to_user+0x9a/0xc0
[   62.444086]  _copy_to_user+0x9a/0xc0
[   62.444095]  bpf_test_finish.isra.0+0xc8/0x190
[   62.444114]  ? bpf_test_run+0x350/0x350
[   62.444123]  ? kvm_clock_read+0x1f/0x30
[   62.444128]  ? ktime_get+0x17f/0x1c0
[   62.444137]  ? bpf_test_run+0x280/0x350
[   62.444150]  bpf_prog_test_run_skb+0x4d0/0x8c0
[   62.444160]  ? bpf_test_init.isra.1+0xc0/0xc0
[   62.444168]  ? __fget_light+0x192/0x1f0
[   62.444174]  ? bpf_prog_add+0x42/0xa0
[   62.444179]  ? fput+0xa/0x130
[   62.444187]  ? bpf_test_init.isra.1+0xc0/0xc0
[   62.444195]  SyS_bpf+0x79d/0x3640
[   62.444205]  ? bpf_prog_get+0x20/0x20
[   62.444213]  ? SyS_futex+0x1b7/0x2b5
[   62.444219]  ? SyS_futex+0x1c0/0x2b5
[   62.444228]  ? do_futex+0x17b0/0x17b0
[   62.444236]  ? up_read+0x17/0x30
[   62.444242]  ? __do_page_fault+0x64c/0xb60
[   62.444250]  ? do_syscall_64+0x43/0x4b0
[   62.444259]  ? bpf_prog_get+0x20/0x20
[   62.444264]  do_syscall_64+0x19b/0x4b0
[   62.444275]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   62.444279] RIP: 0033:0x457099
[   62.444283] RSP: 002b:00007f5351cfec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
[   62.444290] RAX: ffffffffffffffda RBX: 00007f5351cff6d4 RCX: 0000000000457099
[   62.444294] RDX: 0000000000000028 RSI: 0000000020000180 RDI: 000000000000000a
[   62.444297] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[   62.444301] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[   62.444305] R13: 00000000004cb8c0 R14: 00000000004c3289 R15: 0000000000000000
[   62.444595] Dumping ftrace buffer:
[   62.444598]    (ftrace buffer empty)
[   62.444606] Kernel Offset: 0x26000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   62.930818] Rebooting in 86400 seconds..
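What the report above records, read for triage: the faulting task syz-executor4 is inside the bpf(2) syscall (ORIG_RAX 0x141 = 321 = __NR_bpf on x86_64; RDI = 0xa = BPF_PROG_TEST_RUN, RSI = the bpf_attr pointer 0x20000180, RDX = its size 0x28), and bpf_prog_test_run_skb -> bpf_test_finish -> _copy_to_user copies 1368 bytes out to user space starting at ffff8801c0bffffc, 4 bytes below a page boundary. The shadow bytes for that address are 0xff, which generic KASAN uses for a freed page, so the bug class is use-after-free even though the rest of the copy lands in accessible memory (the 0x00 rows). panic_on_warn then turns the report into a panic and the second Call Trace is the panic's own dump of the same stack. The report locates the stale read, not the free: because the address is in a page rather than a slab object, the log carries no allocation or free stack, so the root cause has to come from net/bpf/test_run.c, not from this report alone. The script below is an added example, not code from syzkaller or the kernel tree; it parses exactly those fields from a report, decodes the syscall and the shadow state, and checks whether the access straddles a page boundary. SAMPLE is a constructed excerpt that copies lines of the log above (most `?` frames and register lines omitted).

```python
"""Triage helper for a generic-KASAN report such as the one in the log above.
Added example, not code from syzkaller or the kernel tree; it only parses report
text. SAMPLE is a constructed excerpt copying lines of that log."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NR_BPF_X86_64 = 321  # __NR_bpf on x86_64 (the report's ORIG_RAX is 0x141)
BPF_CMDS = {0: "BPF_MAP_CREATE", 1: "BPF_MAP_LOOKUP_ELEM", 2: "BPF_MAP_UPDATE_ELEM",
            3: "BPF_MAP_DELETE_ELEM", 4: "BPF_MAP_GET_NEXT_KEY", 5: "BPF_PROG_LOAD", 6: "BPF_OBJ_PIN",
            7: "BPF_OBJ_GET", 8: "BPF_PROG_ATTACH", 9: "BPF_PROG_DETACH", 10: "BPF_PROG_TEST_RUN"}
# Generic KASAN shadow encodings (mm/kasan/kasan.h); one shadow byte covers 8 bytes of memory.
SHADOW = {0x00: "accessible", 0xfb: "freed slab object", 0xfc: "slab redzone", 0xff: "freed page"}
TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # printk timestamp prefix

@dataclass
class KasanReport:
    bug: str        # "use-after-free", "slab-out-of-bounds", ...
    where: str      # faulting symbol+offset
    access: str     # "Read" / "Write"
    size: int
    addr: int
    comm: str
    pid: int
    kernel: str
    frames: List[str] = field(default_factory=list)   # reliable frames; '?' entries dropped
    syscall_nr: Optional[int] = None                  # ORIG_RAX of the faulting task
    regs: Dict[str, int] = field(default_factory=dict)
    shadow: Dict[int, List[int]] = field(default_factory=dict)  # row base -> 16 shadow bytes

def parse_kasan_report(text: str) -> KasanReport:
    lines = [TS.sub("", l).strip() for l in text.splitlines()]
    body = "\n".join(lines)
    m = re.search(r"BUG: KASAN: (\S+) in (\S+)", body)
    a = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", body)
    k = re.search(r"CPU: \d+ PID: \d+ Comm: \S+ (?:Not tainted|Tainted:[^\d]*)\s*(\S+)", body)
    if not (m and a and k):
        raise ValueError("not a KASAN report")
    rep = KasanReport(m.group(1), m.group(2), a.group(1), int(a.group(2)),
                      int(a.group(3), 16), a.group(4), int(a.group(5)), k.group(1))
    in_trace = False
    for line in lines:
        if line == "Call Trace:" and not rep.frames:  # first trace only; the panic repeats it
            in_trace = True
            continue
        if in_trace:
            if line.startswith("RIP:") or not line:
                in_trace = False
            elif not line.startswith("? "):          # '?' marks a stale/unreliable frame
                rep.frames.append(line.split("+")[0])
        o = re.search(r"ORIG_RAX: ([0-9a-f]{16})", line)
        if o and rep.syscall_nr is None:
            rep.syscall_nr = int(o.group(1), 16)
        for name, val in re.findall(r"\b(R[A-Z0-9]+): ([0-9a-f]{16})\b", line):
            rep.regs.setdefault(name, int(val, 16))  # keep the first (KASAN) register dump
        s = re.match(r">?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", line)
        if s:
            rep.shadow[int(s.group(1), 16)] = [int(b, 16) for b in s.group(2).split()]
    return rep

def title(rep: KasanReport) -> str:
    """Same shape as a syzkaller bug title: 'KASAN: <bug> <access> in <symbol>'."""
    return f"KASAN: {rep.bug} {rep.access} in {rep.where.split('+')[0]}"

def shadow_state(rep: KasanReport) -> Tuple[int, str]:
    """Shadow byte covering rep.addr, taken from the dumped 'Memory state' rows."""
    row = rep.addr & ~0x7f                       # each dumped row covers 128 bytes
    byte = rep.shadow[row][(rep.addr - row) >> 3]
    return byte, SHADOW.get(byte, "other")

def page_boundary_crossing(rep: KasanReport) -> Optional[Tuple[int, int]]:
    """If the access straddles a 4 KiB page boundary: (boundary, bytes before it)."""
    boundary = (rep.addr | 0xfff) + 1
    return (boundary, boundary - rep.addr) if rep.addr + rep.size > boundary else None

def syscall_summary(rep: KasanReport) -> str:
    """Decode the interrupted syscall from the saved user registers (x86_64: rdi, rsi, rdx)."""
    if rep.syscall_nr != NR_BPF_X86_64:
        return f"syscall {rep.syscall_nr}"
    cmd = BPF_CMDS.get(rep.regs["RDI"], f"cmd {rep.regs['RDI']}")
    return f"bpf({cmd}, attr=0x{rep.regs['RSI']:x}, size=0x{rep.regs['RDX']:x})"

SAMPLE = """\
[   62.443556] BUG: KASAN: use-after-free in _copy_to_user+0x9a/0xc0
[   62.443563] Read of size 1368 at addr ffff8801c0bffffc by task syz-executor4/5156
[   62.443573] CPU: 0 PID: 5156 Comm: syz-executor4 Not tainted 4.14.68+ #4
[   62.443576] Call Trace:
[   62.443587]  dump_stack+0xb9/0x11b
[   62.443621]  ? _copy_to_user+0x9a/0xc0
[   62.443632]  _copy_to_user+0x9a/0xc0
[   62.443645]  bpf_test_finish.isra.0+0xc8/0x190
[   62.443708]  bpf_prog_test_run_skb+0x4d0/0x8c0
[   62.443883]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   62.443889] RIP: 0033:0x457099
[   62.443893] RSP: 002b:00007f5351cfec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
[   62.443906] RDX: 0000000000000028 RSI: 0000000020000180 RDI: 000000000000000a
[   62.443995] >ffff8801c0bfff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   62.444003]  ffff8801c0c00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

if __name__ == "__main__":
    r = parse_kasan_report(SAMPLE)
    print(title(r), "|", syscall_summary(r), "|", shadow_state(r), "|", page_boundary_crossing(r))
```

Run against the full console log instead of SAMPLE the parser behaves the same: it takes the first Call Trace and the first register dump, so the panic's repeat of the stack does not double the frames, and the shadow lookup works off whichever dumped row contains the faulting address. The page-boundary check is what explains the odd-looking report: only the first 4 of the 1368 bytes are in the freed page, which is enough for KASAN to flag the whole copy.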