[....] Starting enhanced syslogd: rsyslogd[ 13.863286] audit: type=1400 audit(1546387455.814:4): avc: denied { syslog } for pid=1919 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.10.31' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 40.474235] ================================================================== [ 40.481628] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x23f5/0x24c0 [ 40.488793] Read of size 4 at addr ffff8801d42a7710 by task syz-executor028/2077 [ 40.496322] [ 40.497934] CPU: 0 PID: 2077 Comm: syz-executor028 Not tainted 4.4.169+ #1 [ 40.504926] 0000000000000000 7836bb36766aabdb ffff8801d42a6ed0 ffffffff81aab9c1 [ 40.512929] 0000000000000000 ffffea000750a9c0 ffff8801d42a7710 0000000000000004 [ 40.520934] 0000000000000003 ffff8801d42a6f08 ffffffff8148fc0d 0000000000000000 [ 40.528934] Call Trace: [ 40.531530] [] dump_stack+0xc1/0x120 [ 40.536880] [] print_address_description+0x6f/0x21b [ 40.543540] [] kasan_report.cold+0x8c/0x2be [ 40.549500] [] ? xfrm_state_find+0x23f5/0x24c0 [ 40.555764] [] __asan_report_load4_noabort+0x14/0x20 [ 40.562491] [] xfrm_state_find+0x23f5/0x24c0 [ 40.568528] [] ? xfrm_unregister_mode+0x1a0/0x1a0 [ 40.575012] [] ? check_usage_backwards+0x118/0x280 [ 40.581567] [] ? check_usage_forwards+0x280/0x280 [ 40.588041] [] ? _raw_spin_unlock_irqrestore+0x45/0x70 [ 40.594952] [] ? depot_save_stack+0x1c3/0x5f0 [ 40.601073] [] xfrm_tmpl_resolve_one+0x1c7/0x790 [ 40.607459] [] ? xfrm_expand_policies.constprop.0+0x240/0x240 [ 40.614970] [] ? __lock_acquire+0x1c95/0x4f50 [ 40.621088] [] ? __lock_acquire+0xa4f/0x4f50 [ 40.627127] [] xfrm_resolve_and_create_bundle+0x210/0x1df0 [ 40.634387] [] ? trace_hardirqs_on+0x10/0x10 [ 40.640434] [] ? trace_hardirqs_on+0x10/0x10 [ 40.646489] [] ? xfrm_tmpl_resolve_one+0x790/0x790 [ 40.653047] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 40.659775] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 40.666512] [] ? __local_bh_enable_ip+0x6a/0xe0 [ 40.672811] [] ? xfrm_sk_policy_lookup+0x231/0x360 [ 40.679364] [] ? xfrm_sk_policy_lookup+0x258/0x360 [ 40.685919] [] ? xfrm_expand_policies.constprop.0+0x188/0x240 [ 40.693435] [] xfrm_lookup+0x203/0xad0 [ 40.698949] [] ? xfrm_sk_policy_lookup+0x360/0x360 [ 40.705508] [] ? rt_set_nexthop.constprop.0+0xcd0/0xcd0 [ 40.712493] [] xfrm_lookup_route+0x38/0x140 [ 40.718441] [] ip_route_output_flow+0x93/0xa0 [ 40.724569] [] udp_sendmsg+0x1537/0x1c60 [ 40.730251] [] ? udp_sendmsg+0x62d/0x1c60 [ 40.736021] [] ? ip_reply_glue_bits+0xc0/0xc0 [ 40.742138] [] ? udp_lib_unhash+0x630/0x630 [ 40.748084] [] ? trace_hardirqs_on+0x10/0x10 [ 40.754113] [] ? mark_held_locks+0xb1/0x100 [ 40.760060] [] ? __local_bh_enable_ip+0x6a/0xe0 [ 40.766353] [] ? mark_held_locks+0xb1/0x100 [ 40.772298] [] udpv6_sendmsg+0x12f2/0x24f0 [ 40.778155] [] ? trace_hardirqs_on+0x10/0x10 [ 40.784199] [] ? __local_bh_enable_ip+0x6a/0xe0 [ 40.790509] [] ? _raw_spin_unlock_bh+0x31/0x40 [ 40.796714] [] ? udp_lib_get_port+0x701/0xdf0 [ 40.802834] [] ? udp_v6_flush_pending_frames+0xe0/0xe0 [ 40.809735] [] ? __local_bh_enable_ip+0x6a/0xe0 [ 40.816042] [] ? trace_hardirqs_on_caller+0x385/0x5a0 [ 40.822857] [] ? release_sock+0x3a8/0x500 [ 40.828633] [] ? trace_hardirqs_on+0xd/0x10 [ 40.834595] [] ? __local_bh_enable_ip+0x6a/0xe0 [ 40.840891] [] ? _raw_spin_unlock_bh+0x31/0x40 [ 40.847101] [] ? release_sock+0x3a8/0x500 [ 40.852884] [] ? udp_v6_get_port+0xae/0xe0 [ 40.858746] [] inet_sendmsg+0x202/0x4d0 [ 40.864352] [] ? inet_sendmsg+0x76/0x4d0 [ 40.870046] [] ? inet_recvmsg+0x4d0/0x4d0 [ 40.875822] [] sock_sendmsg+0xbe/0x110 [ 40.881333] [] ___sys_sendmsg+0x369/0x890 [ 40.887122] [] ? check_preemption_disabled+0x3c/0x200 [ 40.893973] [] ? copy_msghdr_from_user+0x550/0x550 [ 40.900540] [] ? avc_has_perm+0x164/0x3a0 [ 40.906314] [] ? avc_has_perm+0x1d2/0x3a0 [ 40.912088] [] ? avc_has_perm+0xac/0x3a0 [ 40.917780] [] ? trace_hardirqs_on+0x10/0x10 [ 40.923815] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 40.930562] [] ? __fget_light+0xa3/0x1f0 [ 40.936249] [] ? __fdget+0x1b/0x20 [ 40.941416] [] __sys_sendmmsg+0x130/0x2e0 [ 40.947196] [] ? SyS_sendmsg+0x50/0x50 [ 40.952708] [] ? handle_mm_fault+0x98d/0x3140 [ 40.958844] [] ? __fd_install+0x25b/0x640 [ 40.964621] [] ? udpv6_setsockopt+0x56/0x90 [ 40.970569] [] ? sock_common_setsockopt+0x9a/0xe0 [ 40.977050] [] ? SyS_recv+0x40/0x40 [ 40.982309] [] ? retint_user+0x18/0x3c [ 40.987821] [] SyS_sendmmsg+0x35/0x60 [ 40.993246] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 40.999815] [ 41.001417] The buggy address belongs to the page: [ 41.006325] page:ffffea000750a9c0 count:0 mapcount:0 mapping: (null) index:0x0 [ 41.014446] flags: 0x4000000000000000() [ 41.018511] page dumped because: kasan: bad access detected [ 41.024193] [ 41.025794] Memory state around the buggy address: [ 41.030710] ffff8801d42a7600: 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 [ 41.038042] ffff8801d42a7680: f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 00 [ 41.045376] >ffff8801d42a7700: 00 00 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 [ 41.052707] ^ [ 41.056572] ffff8801d42a7780: f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 [ 41.063904] ffff8801d42a7800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 41.071236] ================================================================== [ 41.078569] Disabling lock debugging due to kernel taint [ 41.084043] Kernel panic - not syncing: panic_on_warn set ... [ 41.084043] [ 41.091399] CPU: 0 PID: 2077 Comm: syz-executor028 Tainted: G B 4.4.169+ #1 [ 41.099604] 0000000000000000 7836bb36766aabdb ffff8801d42a6e10 ffffffff81aab9c1 [ 41.107631] ffff8801d42a6f20 ffffffff82c5c83b ffff8801d42a7710 0000000000000004 [ 41.115620] 0000000000000003 ffff8801d42a6ef0 ffffffff813a46d2 0000000041b58ab3 [ 41.123608] Call Trace: [ 41.126173] [] dump_stack+0xc1/0x120 [ 41.131548] [] panic+0x1b9/0x37b [ 41.136550] [] ? add_taint.cold+0x16/0x16 [ 41.142349] [] kasan_end_report+0x47/0x4f [ 41.148128] [] kasan_report.cold+0xa9/0x2be [ 41.154073] [] ? xfrm_state_find+0x23f5/0x24c0 [ 41.160282] [] __asan_report_load4_noabort+0x14/0x20 [ 41.167014] [] xfrm_state_find+0x23f5/0x24c0 [ 41.173048] [] ? xfrm_unregister_mode+0x1a0/0x1a0 [ 41.179518] [] ? check_usage_backwards+0x118/0x280 [ 41.186074] [] ? check_usage_forwards+0x280/0x280 [ 41.192545] [] ? _raw_spin_unlock_irqrestore+0x45/0x70 [ 41.199455] [] ? depot_save_stack+0x1c3/0x5f0 [ 41.205609] [] xfrm_tmpl_resolve_one+0x1c7/0x790 [ 41.211996] [] ? xfrm_expand_policies.constprop.0+0x240/0x240 [ 41.219508] [] ? __lock_acquire+0x1c95/0x4f50 [ 41.225628] [] ? __lock_acquire+0xa4f/0x4f50 [ 41.231660] [] xfrm_resolve_and_create_bundle+0x210/0x1df0 [ 41.238910] [] ? trace_hardirqs_on+0x10/0x10 [ 41.244944] [] ? trace_hardirqs_on+0x10/0x10 [ 41.250994] [] ? xfrm_tmpl_resolve_one+0x790/0x790 [ 41.257570] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 41.264333] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 41.271076] [] ? __local_bh_enable_ip+0x6a/0xe0 [ 41.277388] [] ? xfrm_sk_policy_lookup+0x231/0x360 [ 41.283945] [] ? xfrm_sk_policy_lookup+0x258/0x360 [ 41.290512] [] ? xfrm_expand_policies.constprop.0+0x188/0x240 [ 41.298033] [] xfrm_lookup+0x203/0xad0 [ 41.303565] [] ? xfrm_sk_policy_lookup+0x360/0x360 [ 41.310124] [] ? rt_set_nexthop.constprop.0+0xcd0/0xcd0 [ 41.317115] [] xfrm_lookup_route+0x38/0x140 [ 41.323095] [] ip_route_output_flow+0x93/0xa0 [ 41.329220] [] udp_sendmsg+0x1537/0x1c60 [ 41.334909] [] ? udp_sendmsg+0x62d/0x1c60 [ 41.340697] [] ? ip_reply_glue_bits+0xc0/0xc0 [ 41.346820] [] ? udp_lib_unhash+0x630/0x630 [ 41.352771] [] ? trace_hardirqs_on+0x10/0x10 [ 41.358806] [] ? mark_held_locks+0xb1/0x100 [ 41.364754] [] ? __local_bh_enable_ip+0x6a/0xe0 [ 41.371043] [] ? mark_held_locks+0xb1/0x100 [ 41.376987] [] udpv6_sendmsg+0x12f2/0x24f0 [ 41.382856] [] ? trace_hardirqs_on+0x10/0x10 [ 41.388890] [] ? __local_bh_enable_ip+0x6a/0xe0 [ 41.395182] [] ? _raw_spin_unlock_bh+0x31/0x40 [ 41.401386] [] ? udp_lib_get_port+0x701/0xdf0 [ 41.407504] [] ? udp_v6_flush_pending_frames+0xe0/0xe0 [ 41.414405] [] ? __local_bh_enable_ip+0x6a/0xe0 [ 41.420705] [] ? trace_hardirqs_on_caller+0x385/0x5a0 [ 41.427516] [] ? release_sock+0x3a8/0x500 [ 41.433288] [] ? trace_hardirqs_on+0xd/0x10 [ 41.439233] [] ? __local_bh_enable_ip+0x6a/0xe0 [ 41.445530] [] ? _raw_spin_unlock_bh+0x31/0x40 [ 41.451734] [] ? release_sock+0x3a8/0x500 [ 41.457505] [] ? udp_v6_get_port+0xae/0xe0 [ 41.463378] [] inet_sendmsg+0x202/0x4d0 [ 41.468973] [] ? inet_sendmsg+0x76/0x4d0 [ 41.474656] [] ? inet_recvmsg+0x4d0/0x4d0 [ 41.480445] [] sock_sendmsg+0xbe/0x110 [ 41.485960] [] ___sys_sendmsg+0x369/0x890 [ 41.491737] [] ? check_preemption_disabled+0x3c/0x200 [ 41.498548] [] ? copy_msghdr_from_user+0x550/0x550 [ 41.505110] [] ? avc_has_perm+0x164/0x3a0 [ 41.510878] [] ? avc_has_perm+0x1d2/0x3a0 [ 41.516679] [] ? avc_has_perm+0xac/0x3a0 [ 41.522360] [] ? trace_hardirqs_on+0x10/0x10 [ 41.528393] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 41.535120] [] ? __fget_light+0xa3/0x1f0 [ 41.540804] [] ? __fdget+0x1b/0x20 [ 41.545973] [] __sys_sendmmsg+0x130/0x2e0 [ 41.551771] [] ? SyS_sendmsg+0x50/0x50 [ 41.557299] [] ? handle_mm_fault+0x98d/0x3140 [ 41.563434] [] ? __fd_install+0x25b/0x640 [ 41.569225] [] ? udpv6_setsockopt+0x56/0x90 [ 41.575193] [] ? sock_common_setsockopt+0x9a/0xe0 [ 41.581671] [] ? SyS_recv+0x40/0x40 [ 41.586937] [] ? retint_user+0x18/0x3c [ 41.592465] [] SyS_sendmmsg+0x35/0x60 [ 41.597886] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 41.604784] Kernel Offset: disabled [ 41.608396] Rebooting in 86400 seconds..