[....] Starting OpenBSD Secure Shell server: sshd
[ 9.901357] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login:
[ 18.678689] random: sshd: uninitialized urandom read (32 bytes read)
[ 19.167741] audit: type=1400 audit(1547326779.076:6): avc: denied { map } for pid=1758 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 19.213314] random: sshd: uninitialized urandom read (32 bytes read)
[ 19.665449] random: sshd: uninitialized urandom read (32 bytes read)
[ 21.234586] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.153' (ECDSA) to the list of known hosts.
[ 26.867749] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.957367] audit: type=1400 audit(1547326786.866:7): avc: denied { map } for pid=1776 comm="syz-executor149" path="/root/syz-executor149230062" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 27.241845] ==================================================================
[ 27.249279] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[ 27.255929] Read of size 8 at addr ffff8881ccd84150 by task syz-executor149/1779
[ 27.263436]
[ 27.265058] CPU: 0 PID: 1779 Comm: syz-executor149 Not tainted 4.14.92+ #5
[ 27.272052] Call Trace:
[ 27.274619] dump_stack+0xb9/0x10e
[ 27.278147] ? ip_local_deliver+0x43d/0x450
[ 27.282447] print_address_description+0x60/0x226
[ 27.287273] ? ip_local_deliver+0x43d/0x450
[ 27.291580] kasan_report.cold+0x88/0x2a5
[ 27.295711] ? ip_local_deliver+0x43d/0x450
[ 27.300018] ? ip_call_ra_chain+0x540/0x540
[ 27.304333] ? __lock_acquire+0x56a/0x3fa0
[ 27.308547] ? ip_rcv+0x99f/0xf7a
[ 27.311980] ? ip_rcv_finish+0x5c9/0x1490
[ 27.316111] ? ip_rcv+0x9e2/0xf7a
[ 27.319557] ? ip_local_deliver+0x450/0x450
[ 27.323855] ? __lock_acquire+0x56a/0x3fa0
[ 27.328072] ? check_preemption_disabled+0x35/0x1f0
[ 27.333072] ? ip_local_deliver+0x450/0x450
[ 27.337396] ? __netif_receive_skb_core+0x1364/0x2c60
[ 27.342569] ? trace_hardirqs_on+0x10/0x10
[ 27.346788] ? flush_backlog+0x580/0x580
[ 27.350828] ? netif_receive_skb_internal+0x3aa/0x5c0
[ 27.355997] ? netif_receive_skb_internal+0x3aa/0x5c0
[ 27.361171] ? lock_acquire+0x10f/0x380
[ 27.365127] ? __netif_receive_skb+0x55/0x1f0
[ 27.369599] ? __netif_receive_skb+0x55/0x1f0
[ 27.374072] ? netif_receive_skb_internal+0xec/0x5c0
[ 27.379163] ? dev_cpu_dead+0x810/0x810
[ 27.383130] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 27.388562] ? rcu_read_lock_sched_held+0x10a/0x130
[ 27.393602] ? tun_rx_batched.isra.0+0x45d/0x730
[ 27.398351] ? __skb_get_hash_symmetric+0x255/0x620
[ 27.403346] ? tun_chr_read_iter+0x1c0/0x1c0
[ 27.407747] ? tun_get_user+0xc07/0x3790
[ 27.411837] ? __local_bh_enable_ip+0x65/0xc0
[ 27.416336] ? tun_get_user+0xd95/0x3790
[ 27.420392] ? tun_rx_batched.isra.0+0x730/0x730
[ 27.425132] ? mutex_remove_waiter+0x150/0x440
[ 27.429690] ? mark_held_locks+0xa6/0xf0
[ 27.433750] ? get_page_from_freelist+0x85e/0x1d60
[ 27.438661] ? preempt_count_add+0xb8/0x180
[ 27.442992] ? __tun_get+0x11c/0x220
[ 27.446696] ? check_preemption_disabled+0x35/0x1f0
[ 27.451695] ? tun_chr_write_iter+0xcf/0x180
[ 27.456092] ? do_iter_readv_writev+0x379/0x580
[ 27.460772] ? clone_verify_area+0x1e0/0x1e0
[ 27.465173] ? avc_policy_seqno+0x5/0x10
[ 27.469221] ? security_file_permission+0x88/0x1e0
[ 27.474136] ? do_iter_write+0x152/0x550
[ 27.478176] ? lock_downgrade+0x5d0/0x5d0
[ 27.482309] ? vfs_writev+0x146/0x2d0
[ 27.486094] ? vfs_iter_write+0xa0/0xa0
[ 27.490053] ? __handle_mm_fault+0x6c5/0x2640
[ 27.494563] ? __fsnotify_inode_delete+0x20/0x20
[ 27.499313] ? __do_page_fault+0x48e/0xb80
[ 27.503540] ? lock_downgrade+0x5d0/0x5d0
[ 27.507666] ? check_preemption_disabled+0x35/0x1f0
[ 27.512664] ? do_writev+0xc9/0x240
[ 27.516266] ? vfs_writev+0x2d0/0x2d0
[ 27.520055] ? do_syscall_64+0x43/0x4b0
[ 27.524028] ? SyS_readv+0x30/0x30
[ 27.527546] ? do_syscall_64+0x19b/0x4b0
[ 27.531587] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 27.536939]
[ 27.538543] Allocated by task 1779:
[ 27.542165] kasan_kmalloc.part.0+0x4f/0xd0
[ 27.546465] kmem_cache_alloc+0xd2/0x2d0
[ 27.550506] __build_skb+0x2e/0x2d0
[ 27.554118] build_skb+0x1a/0x1f0
[ 27.557547] tun_get_user+0x248b/0x3790
[ 27.561514] tun_chr_write_iter+0xcf/0x180
[ 27.565731] do_iter_readv_writev+0x379/0x580
[ 27.570203] do_iter_write+0x152/0x550
[ 27.574073] vfs_writev+0x146/0x2d0
[ 27.577698] do_writev+0xc9/0x240
[ 27.581129] do_syscall_64+0x19b/0x4b0
[ 27.584989]
[ 27.586594] Freed by task 1779:
[ 27.589852] kasan_slab_free+0xb0/0x190
[ 27.593801] kmem_cache_free+0xc4/0x330
[ 27.597751] kfree_skbmem+0xa0/0x100
[ 27.601439] kfree_skb+0xcd/0x350
[ 27.604939] ip_defrag+0x5f4/0x3b50
[ 27.608549] ip_local_deliver+0x165/0x450
[ 27.612685] ip_rcv_finish+0x5c9/0x1490
[ 27.616638] ip_rcv+0x9e2/0xf7a
[ 27.619893] __netif_receive_skb_core+0x1364/0x2c60
[ 27.624887] __netif_receive_skb+0x55/0x1f0
[ 27.629185] netif_receive_skb_internal+0xec/0x5c0
[ 27.634106] tun_rx_batched.isra.0+0x45d/0x730
[ 27.638669] tun_get_user+0xd95/0x3790
[ 27.642534] tun_chr_write_iter+0xcf/0x180
[ 27.646744] do_iter_readv_writev+0x379/0x580
[ 27.651215] do_iter_write+0x152/0x550
[ 27.655078] vfs_writev+0x146/0x2d0
[ 27.658707] do_writev+0xc9/0x240
[ 27.662152] do_syscall_64+0x19b/0x4b0
[ 27.666011]
[ 27.667612] The buggy address belongs to the object at ffff8881ccd84140
[ 27.667612] which belongs to the cache skbuff_head_cache of size 224
[ 27.680761] The buggy address is located 16 bytes inside of
[ 27.680761] 224-byte region [ffff8881ccd84140, ffff8881ccd84220)
[ 27.692527] The buggy address belongs to the page:
[ 27.697431] page:ffffea0007336100 count:1 mapcount:0 mapping: (null) index:0xffff8881ccd84dc0
[ 27.706855] flags: 0x4000000000000100(slab)
[ 27.711169] raw: 4000000000000100 0000000000000000 ffff8881ccd84dc0 00000001800c0009
[ 27.719027] raw: ffffea0007338400 0000000500000005 ffff8881dab58200 0000000000000000
[ 27.726884] page dumped because: kasan: bad access detected
[ 27.732570]
[ 27.734173] Memory state around the buggy address:
[ 27.739078] ffff8881ccd84000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.746423] ffff8881ccd84080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 27.753758] >ffff8881ccd84100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 27.761113]                                                  ^
[ 27.767063] ffff8881ccd84180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.774405] ffff8881ccd84200: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.781801] ==================================================================
[ 27.789140] Disabling lock debugging due to kernel taint
[ 27.794615] Kernel panic - not syncing: panic_on_warn set ...
[ 27.794615]
[ 27.801967] CPU: 0 PID: 1779 Comm: syz-executor149 Tainted: G B 4.14.92+ #5
[ 27.810176] Call Trace:
[ 27.812743] dump_stack+0xb9/0x10e
[ 27.816269] panic+0x1d9/0x3c2
[ 27.819436] ? add_taint.cold+0x16/0x16
[ 27.823385] ? retint_kernel+0x2d/0x2d
[ 27.827255] ? ip_local_deliver+0x43d/0x450
[ 27.831554] kasan_end_report+0x43/0x49
[ 27.835503] kasan_report.cold+0xa4/0x2a5
[ 27.839645] ? ip_local_deliver+0x43d/0x450
[ 27.843945] ? ip_call_ra_chain+0x540/0x540
[ 27.848348] ? __lock_acquire+0x56a/0x3fa0
[ 27.852564] ? ip_rcv+0x99f/0xf7a
[ 27.855997] ? ip_rcv_finish+0x5c9/0x1490
[ 27.860148] ? ip_rcv+0x9e2/0xf7a
[ 27.863583] ? ip_local_deliver+0x450/0x450
[ 27.867885] ? __lock_acquire+0x56a/0x3fa0
[ 27.872108] ? check_preemption_disabled+0x35/0x1f0
[ 27.877116] ? ip_local_deliver+0x450/0x450
[ 27.881418] ? __netif_receive_skb_core+0x1364/0x2c60
[ 27.886604] ? trace_hardirqs_on+0x10/0x10
[ 27.890819] ? flush_backlog+0x580/0x580
[ 27.894857] ? netif_receive_skb_internal+0x3aa/0x5c0
[ 27.900028] ? netif_receive_skb_internal+0x3aa/0x5c0
[ 27.905212] ? lock_acquire+0x10f/0x380
[ 27.909182] ? __netif_receive_skb+0x55/0x1f0
[ 27.913651] ? __netif_receive_skb+0x55/0x1f0
[ 27.918121] ? netif_receive_skb_internal+0xec/0x5c0
[ 27.923205] ? dev_cpu_dead+0x810/0x810
[ 27.927209] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 27.932676] ? rcu_read_lock_sched_held+0x10a/0x130
[ 27.937677] ? tun_rx_batched.isra.0+0x45d/0x730
[ 27.942411] ? __skb_get_hash_symmetric+0x255/0x620
[ 27.947402] ? tun_chr_read_iter+0x1c0/0x1c0
[ 27.951801] ? tun_get_user+0xc07/0x3790
[ 27.955837] ? __local_bh_enable_ip+0x65/0xc0
[ 27.960311] ? tun_get_user+0xd95/0x3790
[ 27.964352] ? tun_rx_batched.isra.0+0x730/0x730
[ 27.969095] ? mutex_remove_waiter+0x150/0x440
[ 27.973669] ? mark_held_locks+0xa6/0xf0
[ 27.977739] ? get_page_from_freelist+0x85e/0x1d60
[ 27.982654] ? preempt_count_add+0xb8/0x180
[ 27.986951] ? __tun_get+0x11c/0x220
[ 27.990638] ? check_preemption_disabled+0x35/0x1f0
[ 27.995628] ? tun_chr_write_iter+0xcf/0x180
[ 28.000007] ? do_iter_readv_writev+0x379/0x580
[ 28.004717] ? clone_verify_area+0x1e0/0x1e0
[ 28.009109] ? avc_policy_seqno+0x5/0x10
[ 28.013147] ? security_file_permission+0x88/0x1e0
[ 28.018049] ? do_iter_write+0x152/0x550
[ 28.022092] ? lock_downgrade+0x5d0/0x5d0
[ 28.026213] ? vfs_writev+0x146/0x2d0
[ 28.029990] ? vfs_iter_write+0xa0/0xa0
[ 28.033936] ? __handle_mm_fault+0x6c5/0x2640
[ 28.038457] ? __fsnotify_inode_delete+0x20/0x20
[ 28.043203] ? __do_page_fault+0x48e/0xb80
[ 28.047416] ? lock_downgrade+0x5d0/0x5d0
[ 28.051538] ? check_preemption_disabled+0x35/0x1f0
[ 28.056526] ? do_writev+0xc9/0x240
[ 28.060123] ? vfs_writev+0x2d0/0x2d0
[ 28.063903] ? do_syscall_64+0x43/0x4b0
[ 28.067859] ? SyS_readv+0x30/0x30
[ 28.071390] ? do_syscall_64+0x19b/0x4b0
[ 28.075424] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 28.081061] Kernel Offset: 0x2e600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 28.091964] Rebooting in 86400 seconds..