[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 35.093093] random: sshd: uninitialized urandom read (32 bytes read)
[ 35.511005] audit: type=1400 audit(1547357284.467:6): avc: denied { map } for pid=1771 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 35.557110] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.031072] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.174591] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.46' (ECDSA) to the list of known hosts.
[ 41.842876] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 41.927018] audit: type=1400 audit(1547357290.877:7): avc: denied { map } for pid=1789 comm="syz-executor880" path="/root/syz-executor880042654" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 42.207747] ==================================================================
[ 42.215300] BUG: KASAN: use-after-free in ip_check_defrag+0x4f5/0x523
[ 42.221860] Write of size 4 at addr ffff8881cb4411dc by task syz-executor880/1791
[ 42.229452]
[ 42.231062] CPU: 1 PID: 1791 Comm: syz-executor880 Not tainted 4.14.92+ #5
[ 42.238047] Call Trace:
[ 42.240714] dump_stack+0xb9/0x10e
[ 42.244244] ? ip_check_defrag+0x4f5/0x523
[ 42.248468] print_address_description+0x60/0x226
[ 42.253305] ? ip_check_defrag+0x4f5/0x523
[ 42.257518] kasan_report.cold+0x88/0x2a5
[ 42.261650] ? ip_check_defrag+0x4f5/0x523
[ 42.265862] ? ip_defrag+0x3b50/0x3b50
[ 42.269747] ? mark_held_locks+0xa6/0xf0
[ 42.273822] ? check_preemption_disabled+0x35/0x1f0
[ 42.278817] ? packet_rcv_fanout+0x4d1/0x5e0
[ 42.283200] ? fanout_demux_rollover+0x4d0/0x4d0
[ 42.287932] ? dev_queue_xmit_nit+0x21a/0x960
[ 42.292414] ? dev_hard_start_xmit+0xa3/0x890
[ 42.296901] ? sch_direct_xmit+0x27a/0x520
[ 42.301129] ? dev_deactivate_queue.constprop.0+0x150/0x150
[ 42.306816] ? lock_acquire+0x10f/0x380
[ 42.310768] ? ip_finish_output2+0x9fe/0x12f0
[ 42.315261] ? __dev_queue_xmit+0x1565/0x1cd0
[ 42.319745] ? ___slab_alloc.constprop.0+0x354/0x470
[ 42.324841] ? __alloc_skb+0x105/0x550
[ 42.328731] ? netdev_pick_tx+0x2e0/0x2e0
[ 42.332868] ? ip_do_fragment+0xa20/0x1ee0
[ 42.337102] ? mark_held_locks+0xa6/0xf0
[ 42.341137] ? ip_finish_output2+0xd92/0x12f0
[ 42.345611] ? ip_finish_output2+0x9fe/0x12f0
[ 42.350087] ? ip_copy_addrs+0xd0/0xd0
[ 42.353957] ? ip_do_fragment+0xa20/0x1ee0
[ 42.358171] ? ip_do_fragment+0xa20/0x1ee0
[ 42.362389] ? ip_copy_addrs+0xd0/0xd0
[ 42.366254] ? ip_fragment.constprop.0+0x146/0x200
[ 42.371159] ? ip_finish_output+0x7a7/0xc70
[ 42.375572] ? ip_mc_output+0x231/0xbe0
[ 42.379546] ? ip_queue_xmit+0x1a70/0x1a70
[ 42.383759] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 42.389188] ? ip_fragment.constprop.0+0x200/0x200
[ 42.394091] ? dst_release+0xc/0x80
[ 42.397699] ? __ip_make_skb+0xe30/0x1690
[ 42.401825] ? ip_local_out+0x98/0x170
[ 42.405689] ? ip_send_skb+0x3a/0xc0
[ 42.409512] ? ip_push_pending_frames+0x5f/0x80
[ 42.414159] ? raw_sendmsg+0x19de/0x2270
[ 42.418203] ? raw_seq_next+0x80/0x80
[ 42.421979] ? avc_has_perm_noaudit+0x2d0/0x2d0
[ 42.426723] ? __schedule+0x924/0x1f30
[ 42.430607] ? trace_hardirqs_on+0x10/0x10
[ 42.434818] ? sock_has_perm+0x1d3/0x260
[ 42.438865] ? trace_hardirqs_on+0x10/0x10
[ 42.443082] ? inet_sendmsg+0x14a/0x510
[ 42.447035] ? inet_recvmsg+0x540/0x540
[ 42.450992] ? sock_sendmsg+0xb7/0x100
[ 42.454857] ? sock_no_sendpage+0x132/0x1a0
[ 42.459154] ? sock_rfree+0x140/0x140
[ 42.462961] ? _raw_spin_unlock_irqrestore+0x54/0x70
[ 42.468052] ? trace_hardirqs_on_caller+0x37b/0x540
[ 42.473045] ? inet_sendpage+0x1bb/0x5c0
[ 42.477085] ? inet_getname+0x390/0x390
[ 42.481039] ? kernel_sendpage+0x84/0xd0
[ 42.485085] ? sock_sendpage+0x84/0xa0
[ 42.488952] ? pipe_to_sendpage+0x23d/0x300
[ 42.493249] ? kernel_sendpage+0xd0/0xd0
[ 42.497287] ? direct_splice_actor+0x160/0x160
[ 42.501847] ? __put_page+0x68/0xa0
[ 42.505450] ? __splice_from_pipe+0x331/0x740
[ 42.509920] ? direct_splice_actor+0x160/0x160
[ 42.514605] ? direct_splice_actor+0x160/0x160
[ 42.519166] ? splice_from_pipe+0xd9/0x140
[ 42.523379] ? splice_shrink_spd+0xb0/0xb0
[ 42.527606] ? security_file_permission+0x88/0x1e0
[ 42.532515] ? splice_from_pipe+0x140/0x140
[ 42.536811] ? SyS_splice+0xd1c/0x12d0
[ 42.540681] ? do_futex+0x17f0/0x17f0
[ 42.544458] ? compat_SyS_vmsplice+0x150/0x150
[ 42.549013] ? do_syscall_64+0x43/0x4b0
[ 42.552959] ? compat_SyS_vmsplice+0x150/0x150
[ 42.557530] ? do_syscall_64+0x19b/0x4b0
[ 42.561568] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.566911]
[ 42.568512] Allocated by task 1791:
[ 42.572112] kasan_kmalloc.part.0+0x4f/0xd0
[ 42.576563] kmem_cache_alloc+0xd2/0x2d0
[ 42.580615] skb_clone+0x126/0x310
[ 42.584127] ip_check_defrag+0x2bc/0x523
[ 42.588156] packet_rcv_fanout+0x4d1/0x5e0
[ 42.592364] dev_queue_xmit_nit+0x21a/0x960
[ 42.596655]
[ 42.598273] Freed by task 1791:
[ 42.601526] kasan_slab_free+0xb0/0x190
[ 42.605472] kmem_cache_free+0xc4/0x330
[ 42.609423] kfree_skbmem+0xa0/0x100
[ 42.613110] kfree_skb+0xcd/0x350
[ 42.616532] ip_defrag+0x5f4/0x3b50
[ 42.620136] ip_check_defrag+0x39b/0x523
[ 42.624174] packet_rcv_fanout+0x4d1/0x5e0
[ 42.628381] dev_queue_xmit_nit+0x21a/0x960
[ 42.632673]
[ 42.634284] The buggy address belongs to the object at ffff8881cb441140
[ 42.634284]  which belongs to the cache skbuff_head_cache of size 224
[ 42.647434] The buggy address is located 156 bytes inside of
[ 42.647434]  224-byte region [ffff8881cb441140, ffff8881cb441220)
[ 42.659279] The buggy address belongs to the page:
[ 42.664180] page:ffffea00072d1040 count:1 mapcount:0 mapping: (null) index:0x0
[ 42.672309] flags: 0x4000000000000100(slab)
[ 42.676620] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[ 42.684488] raw: dead000000000100 dead000000000200 ffff8881d6758200 0000000000000000
[ 42.692367] page dumped because: kasan: bad access detected
[ 42.698047]
[ 42.699645] Memory state around the buggy address:
[ 42.704633] ffff8881cb441080: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 42.712012] ffff8881cb441100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 42.719352] >ffff8881cb441180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.726686] ^
[ 42.732895] ffff8881cb441200: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 42.740239] ffff8881cb441280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 42.747565] ==================================================================
[ 42.754896] Disabling lock debugging due to kernel taint
[ 42.760368] Kernel panic - not syncing: panic_on_warn set ...
[ 42.760368]
[ 42.767721] CPU: 1 PID: 1791 Comm: syz-executor880 Tainted: G B 4.14.92+ #5
[ 42.775920] Call Trace:
[ 42.778479] dump_stack+0xb9/0x10e
[ 42.781995] panic+0x1d9/0x3c2
[ 42.785159] ? add_taint.cold+0x16/0x16
[ 42.789105] ? retint_kernel+0x2d/0x2d
[ 42.792971] ? ip_check_defrag+0x4f5/0x523
[ 42.797185] kasan_end_report+0x43/0x49
[ 42.801135] kasan_report.cold+0xa4/0x2a5
[ 42.805258] ? ip_check_defrag+0x4f5/0x523
[ 42.809461] ? ip_defrag+0x3b50/0x3b50
[ 42.813324] ? mark_held_locks+0xa6/0xf0
[ 42.817360] ? check_preemption_disabled+0x35/0x1f0
[ 42.822383] ? packet_rcv_fanout+0x4d1/0x5e0
[ 42.826797] ? fanout_demux_rollover+0x4d0/0x4d0
[ 42.831527] ? dev_queue_xmit_nit+0x21a/0x960
[ 42.835996] ? dev_hard_start_xmit+0xa3/0x890
[ 42.840466] ? sch_direct_xmit+0x27a/0x520
[ 42.844674] ? dev_deactivate_queue.constprop.0+0x150/0x150
[ 42.850354] ? lock_acquire+0x10f/0x380
[ 42.854299] ? ip_finish_output2+0x9fe/0x12f0
[ 42.858974] ? __dev_queue_xmit+0x1565/0x1cd0
[ 42.863448] ? ___slab_alloc.constprop.0+0x354/0x470
[ 42.868525] ? __alloc_skb+0x105/0x550
[ 42.872385] ? netdev_pick_tx+0x2e0/0x2e0
[ 42.876506] ? ip_do_fragment+0xa20/0x1ee0
[ 42.880715] ? mark_held_locks+0xa6/0xf0
[ 42.884748] ? ip_finish_output2+0xd92/0x12f0
[ 42.889214] ? ip_finish_output2+0x9fe/0x12f0
[ 42.893698] ? ip_copy_addrs+0xd0/0xd0
[ 42.897561] ? ip_do_fragment+0xa20/0x1ee0
[ 42.901768] ? ip_do_fragment+0xa20/0x1ee0
[ 42.905980] ? ip_copy_addrs+0xd0/0xd0
[ 42.909838] ? ip_fragment.constprop.0+0x146/0x200
[ 42.914738] ? ip_finish_output+0x7a7/0xc70
[ 42.919030] ? ip_mc_output+0x231/0xbe0
[ 42.922979] ? ip_queue_xmit+0x1a70/0x1a70
[ 42.927186] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 42.932608] ? ip_fragment.constprop.0+0x200/0x200
[ 42.937510] ? dst_release+0xc/0x80
[ 42.941110] ? __ip_make_skb+0xe30/0x1690
[ 42.945235] ? ip_local_out+0x98/0x170
[ 42.949222] ? ip_send_skb+0x3a/0xc0
[ 42.952913] ? ip_push_pending_frames+0x5f/0x80
[ 42.957568] ? raw_sendmsg+0x19de/0x2270
[ 42.961620] ? raw_seq_next+0x80/0x80
[ 42.965393] ? avc_has_perm_noaudit+0x2d0/0x2d0
[ 42.970041] ? __schedule+0x924/0x1f30
[ 42.973906] ? trace_hardirqs_on+0x10/0x10
[ 42.978112] ? sock_has_perm+0x1d3/0x260
[ 42.982151] ? trace_hardirqs_on+0x10/0x10
[ 42.986368] ? inet_sendmsg+0x14a/0x510
[ 42.990321] ? inet_recvmsg+0x540/0x540
[ 42.994265] ? sock_sendmsg+0xb7/0x100
[ 42.998125] ? sock_no_sendpage+0x132/0x1a0
[ 43.002418] ? sock_rfree+0x140/0x140
[ 43.006196] ? _raw_spin_unlock_irqrestore+0x54/0x70
[ 43.011271] ? trace_hardirqs_on_caller+0x37b/0x540
[ 43.016261] ? inet_sendpage+0x1bb/0x5c0
[ 43.020297] ? inet_getname+0x390/0x390
[ 43.024246] ? kernel_sendpage+0x84/0xd0
[ 43.028279] ? sock_sendpage+0x84/0xa0
[ 43.032140] ? pipe_to_sendpage+0x23d/0x300
[ 43.036431] ? kernel_sendpage+0xd0/0xd0
[ 43.040623] ? direct_splice_actor+0x160/0x160
[ 43.045196] ? __put_page+0x68/0xa0
[ 43.048799] ? __splice_from_pipe+0x331/0x740
[ 43.053286] ? direct_splice_actor+0x160/0x160
[ 43.057840] ? direct_splice_actor+0x160/0x160
[ 43.062402] ? splice_from_pipe+0xd9/0x140
[ 43.066615] ? splice_shrink_spd+0xb0/0xb0
[ 43.070827] ? security_file_permission+0x88/0x1e0
[ 43.075728] ? splice_from_pipe+0x140/0x140
[ 43.080030] ? SyS_splice+0xd1c/0x12d0
[ 43.083915] ? do_futex+0x17f0/0x17f0
[ 43.087691] ? compat_SyS_vmsplice+0x150/0x150
[ 43.092249] ? do_syscall_64+0x43/0x4b0
[ 43.096305] ? compat_SyS_vmsplice+0x150/0x150
[ 43.100865] ? do_syscall_64+0x19b/0x4b0
[ 43.104910] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.110581] Kernel Offset: 0x35400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 43.121478] Rebooting in 86400 seconds..