[ 10.371804] random: sshd: uninitialized urandom read (32 bytes read)
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].
[....] Starting file context maintaining daemon: restorecond [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 29.435009] random: sshd: uninitialized urandom read (32 bytes read)
[ 29.644241] audit: type=1400 audit(1537870350.102:6): avc: denied { map } for pid=1768 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 29.698837] random: sshd: uninitialized urandom read (32 bytes read)
[ 30.175223] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.99' (ECDSA) to the list of known hosts.
[ 35.850774] urandom_read: 1 callbacks suppressed
[ 35.850778] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 35.951322] audit: type=1400 audit(1537870356.412:7): avc: denied { map } for pid=1786 comm="syz-executor167" path="/root/syz-executor167171869" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 35.978160] audit: type=1400 audit(1537870356.412:8): avc: denied { prog_load } for pid=1786 comm="syz-executor167" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 36.001553] ==================================================================
[ 36.001574] BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x9a/0xc0
[ 36.001580] Read of size 710 at addr ffff8801d033fff3 by task syz-executor167/1786
[ 36.001582]
[ 36.001590] CPU: 0 PID: 1786 Comm: syz-executor167 Not tainted 4.14.71+ #8
[ 36.001593] Call Trace:
[ 36.001603]  dump_stack+0xb9/0x11b
[ 36.001617]  print_address_description+0x60/0x22b
[ 36.001629]  kasan_report.cold.6+0x11b/0x2dd
[ 36.001635]  ? _copy_to_user+0x9a/0xc0
[ 36.001645]  _copy_to_user+0x9a/0xc0
[ 36.001658]  bpf_test_finish.isra.0+0xc8/0x190
[ 36.001665]  ? bpf_test_run+0x350/0x350
[ 36.001676]  ? kvm_clock_read+0x1f/0x30
[ 36.001693]  ? ktime_get+0x17f/0x1c0
[ 36.001707]  ? bpf_test_run+0x280/0x350
[ 36.001726]  bpf_prog_test_run_skb+0x4d0/0x8c0
[ 36.001740]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 36.001751]  ? __fget_light+0x163/0x1f0
[ 36.001759]  ? bpf_prog_add+0x42/0xa0
[ 36.001770]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 36.001778]  SyS_bpf+0x79d/0x3640
[ 36.001792]  ? bpf_prog_get+0x20/0x20
[ 36.001806]  ? __do_page_fault+0x485/0xb60
[ 36.001816]  ? lock_downgrade+0x560/0x560
[ 36.001834]  ? up_read+0x17/0x30
[ 36.001841]  ? __do_page_fault+0x64c/0xb60
[ 36.001853]  ? do_syscall_64+0x43/0x4b0
[ 36.001864]  ? bpf_prog_get+0x20/0x20
[ 36.001870]  do_syscall_64+0x19b/0x4b0
[ 36.001886]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 36.001891] RIP: 0033:0x440339
[ 36.001895] RSP: 002b:00007ffdf4655e78 EFLAGS: 00000213 ORIG_RAX: 0000000000000141
[ 36.001903] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440339
[ 36.001907] RDX: 0000000000000028 RSI: 0000000020000180 RDI: 000000000000000a
[ 36.001911] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 36.001915] R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401bc0
[ 36.001920] R13: 0000000000401c50 R14: 0000000000000000 R15: 0000000000000000
[ 36.001940]
[ 36.001943] Allocated by task 223:
[ 36.001951]  kasan_kmalloc.part.1+0x4f/0xd0
[ 36.001957]  __kmalloc+0x153/0x340
[ 36.001963]  alloc_pipe_info+0x15b/0x370
[ 36.001968]  create_pipe_files+0xdc/0x880
[ 36.001973]  __do_pipe_flags+0x32/0x210
[ 36.001978]  SyS_pipe2+0x83/0x160
[ 36.001983]  do_syscall_64+0x19b/0x4b0
[ 36.001989]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 36.001991]
[ 36.001994] Freed by task 223:
[ 36.002000]  kasan_slab_free+0xac/0x190
[ 36.002005]  kfree+0xf5/0x310
[ 36.002010]  free_pipe_info+0x1f5/0x2a0
[ 36.002015]  put_pipe_info+0xb3/0xd0
[ 36.002020]  pipe_release+0x1a6/0x240
[ 36.002026]  __fput+0x25e/0x6f0
[ 36.002032]  task_work_run+0x116/0x190
[ 36.002037]  exit_to_usermode_loop+0x12e/0x150
[ 36.002049]  do_syscall_64+0x35d/0x4b0
[ 36.002055]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 36.002057]
[ 36.002062] The buggy address belongs to the object at ffff8801d033fa80
[ 36.002062]  which belongs to the cache kmalloc-1024 of size 1024
[ 36.002068] The buggy address is located 371 bytes to the right of
[ 36.002068]  1024-byte region [ffff8801d033fa80, ffff8801d033fe80)
[ 36.002070] The buggy address belongs to the page:
[ 36.002076] page:ffffea000740cf00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 36.002086] flags: 0x4000000000008100(slab|head)
[ 36.002095] raw: 4000000000008100 0000000000000000 0000000000000000 00000001800e000e
[ 36.002103] raw: 0000000000000000 0000000100000001 ffff8801da802a00 0000000000000000
[ 36.002106] page dumped because: kasan: bad access detected
[ 36.002108]
[ 36.002110] Memory state around the buggy address:
[ 36.002115]  ffff8801d033fe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.002121]  ffff8801d033ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.002126] >ffff8801d033ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.002129]                                                              ^
[ 36.002134]  ffff8801d0340000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 36.002139]  ffff8801d0340080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 36.002142] ==================================================================
[ 36.002144] Disabling lock debugging due to kernel taint
[ 36.002147] Kernel panic - not syncing: panic_on_warn set ...
[ 36.002147]
[ 36.002154] CPU: 0 PID: 1786 Comm: syz-executor167 Tainted: G    B    4.14.71+ #8
[ 36.002156] Call Trace:
[ 36.002163]  dump_stack+0xb9/0x11b
[ 36.002172]  panic+0x1bf/0x3a4
[ 36.002178]  ? add_taint.cold.4+0x16/0x16
[ 36.002205]  kasan_end_report+0x43/0x49
[ 36.002212]  kasan_report.cold.6+0x77/0x2dd
[ 36.002217]  ? _copy_to_user+0x9a/0xc0
[ 36.002225]  _copy_to_user+0x9a/0xc0
[ 36.002234]  bpf_test_finish.isra.0+0xc8/0x190
[ 36.002241]  ? bpf_test_run+0x350/0x350
[ 36.002248]  ? kvm_clock_read+0x1f/0x30
[ 36.002254]  ? ktime_get+0x17f/0x1c0
[ 36.002263]  ? bpf_test_run+0x280/0x350
[ 36.002275]  bpf_prog_test_run_skb+0x4d0/0x8c0
[ 36.002285]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 36.002293]  ? __fget_light+0x163/0x1f0
[ 36.002299]  ? bpf_prog_add+0x42/0xa0
[ 36.002307]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 36.002314]  SyS_bpf+0x79d/0x3640
[ 36.002324]  ? bpf_prog_get+0x20/0x20
[ 36.002330]  ? __do_page_fault+0x485/0xb60
[ 36.002337]  ? lock_downgrade+0x560/0x560
[ 36.002348]  ? up_read+0x17/0x30
[ 36.002354]  ? __do_page_fault+0x64c/0xb60
[ 36.002362]  ? do_syscall_64+0x43/0x4b0
[ 36.002370]  ? bpf_prog_get+0x20/0x20
[ 36.002375]  do_syscall_64+0x19b/0x4b0
[ 36.002386]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 36.002390] RIP: 0033:0x440339
[ 36.002393] RSP: 002b:00007ffdf4655e78 EFLAGS: 00000213 ORIG_RAX: 0000000000000141
[ 36.002400] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440339
[ 36.002404] RDX: 0000000000000028 RSI: 0000000020000180 RDI: 000000000000000a
[ 36.002407] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 36.002411] R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401bc0
[ 36.002415] R13: 0000000000401c50 R14: 0000000000000000 R15: 0000000000000000
[ 36.009327] Kernel Offset: 0x34a00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 36.579121] Rebooting in 86400 seconds..