[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 52.736700] random: sshd: uninitialized urandom read (32 bytes read)
[ 53.312521] audit: type=1400 audit(1540861970.758:6): avc: denied { map } for pid=1783 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 53.352064] random: sshd: uninitialized urandom read (32 bytes read)
[ 53.792488] random: sshd: uninitialized urandom read (32 bytes read)
[ 53.954957] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.52' (ECDSA) to the list of known hosts.
[ 59.540275] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 59.631966] audit: type=1400 audit(1540861977.078:7): avc: denied { map } for pid=1795 comm="syz-executor778" path="/root/syz-executor778957210" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 59.658357] audit: type=1400 audit(1540861977.088:8): avc: denied { prog_load } for pid=1795 comm="syz-executor778" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 59.681292] ==================================================================
[ 59.681312] BUG: KASAN: slab-out-of-bounds in bpf_clone_redirect+0x29a/0x2b0
[ 59.681317] Read of size 8 at addr ffff8801c4cb8250 by task syz-executor778/1795
[ 59.681319]
[ 59.681326] CPU: 0 PID: 1795 Comm: syz-executor778 Not tainted 4.14.78+ #26
[ 59.681329] Call Trace:
[ 59.681338]  dump_stack+0xb9/0x11b
[ 59.681350]  print_address_description+0x60/0x22b
[ 59.681361]  kasan_report.cold.6+0x11b/0x2dd
[ 59.681367]  ? bpf_clone_redirect+0x29a/0x2b0
[ 59.681379]  bpf_clone_redirect+0x29a/0x2b0
[ 59.681394]  ___bpf_prog_run+0x248e/0x5c70
[ 59.681406]  ? __free_insn_slot+0x490/0x490
[ 59.681416]  ? bpf_jit_compile+0x30/0x30
[ 59.681433]  ? depot_save_stack+0x20a/0x428
[ 59.681447]  ? __bpf_prog_run512+0x99/0xe0
[ 59.681481]  ? ___bpf_prog_run+0x5c70/0x5c70
[ 59.681503]  ? __lock_acquire+0x619/0x4320
[ 59.681521]  ? trace_hardirqs_on+0x10/0x10
[ 59.681535]  ? trace_hardirqs_on+0x10/0x10
[ 59.681549]  ? __lock_acquire+0x619/0x4320
[ 59.681565]  ? get_unused_fd_flags+0xc0/0xc0
[ 59.681586]  ? bpf_test_run+0x57/0x350
[ 59.681604]  ? lock_acquire+0x10f/0x380
[ 59.681613]  ? check_preemption_disabled+0x34/0x160
[ 59.681624]  ? bpf_test_run+0xab/0x350
[ 59.681641]  ? bpf_prog_test_run_skb+0x6b0/0x8c0
[ 59.681654]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 59.681664]  ? __fget_light+0x163/0x1f0
[ 59.681670]  ? bpf_prog_add+0x42/0xa0
[ 59.681681]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 59.681690]  ? SyS_bpf+0x79d/0x3640
[ 59.681702]  ? bpf_prog_get+0x20/0x20
[ 59.681711]  ? __do_page_fault+0x485/0xb60
[ 59.681720]  ? lock_downgrade+0x560/0x560
[ 59.681743]  ? up_read+0x17/0x30
[ 59.681751]  ? __do_page_fault+0x64c/0xb60
[ 59.681765]  ? do_syscall_64+0x43/0x4b0
[ 59.681779]  ? bpf_prog_get+0x20/0x20
[ 59.681788]  ? do_syscall_64+0x19b/0x4b0
[ 59.681804]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 59.681827]
[ 59.681833] Allocated by task 1795:
[ 59.681843]  kasan_kmalloc.part.1+0x4f/0xd0
[ 59.681852]  kmem_cache_alloc+0xe4/0x2b0
[ 59.681862]  __alloc_skb+0xd8/0x550
[ 59.681872]  audit_log_start+0x3dd/0x6f0
[ 59.681883]  common_lsm_audit+0xe8/0x1d00
[ 59.681894]  slow_avc_audit+0x14a/0x1d0
[ 59.681903]  avc_has_perm+0x2f2/0x390
[ 59.681911]  selinux_bpf+0xb4/0x100
[ 59.681920]  security_bpf+0x7c/0xb0
[ 59.681929]  SyS_bpf+0x153/0x3640
[ 59.681937]  do_syscall_64+0x19b/0x4b0
[ 59.681946]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 59.681950]
[ 59.681956] Freed by task 0:
[ 59.681961] (stack is not available)
[ 59.681965]
[ 59.681974] The buggy address belongs to the object at ffff8801c4cb8140
[ 59.681974]  which belongs to the cache skbuff_head_cache of size 224
[ 59.681986] The buggy address is located 48 bytes to the right of
[ 59.681986]  224-byte region [ffff8801c4cb8140, ffff8801c4cb8220)
[ 59.681995] The buggy address belongs to the page:
[ 59.682003] page:ffffea0007132e00 count:1 mapcount:0 mapping: (null) index:0x0
[ 59.682010] flags: 0x4000000000000100(slab)
[ 59.682019] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[ 59.682027] raw: dead000000000100 dead000000000200 ffff8801dab70200 0000000000000000
[ 59.682030] page dumped because: kasan: bad access detected
[ 59.682032]
[ 59.682034] Memory state around the buggy address:
[ 59.682039]  ffff8801c4cb8100: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 59.682044]  ffff8801c4cb8180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 59.682049] >ffff8801c4cb8200: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 59.682052]                                                  ^
[ 59.682057]  ffff8801c4cb8280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 59.682062]  ffff8801c4cb8300: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 59.682064] ==================================================================
[ 59.682067] Disabling lock debugging due to kernel taint
[ 59.682070] Kernel panic - not syncing: panic_on_warn set ...
[ 59.682070]
[ 59.682077] CPU: 0 PID: 1795 Comm: syz-executor778 Tainted: G    B    4.14.78+ #26
[ 59.682082] Call Trace:
[ 59.682091]  dump_stack+0xb9/0x11b
[ 59.682101]  panic+0x1bf/0x3a4
[ 59.682110]  ? add_taint.cold.4+0x16/0x16
[ 59.682127]  kasan_end_report+0x43/0x49
[ 59.682137]  kasan_report.cold.6+0x77/0x2dd
[ 59.682153]  ? bpf_clone_redirect+0x29a/0x2b0
[ 59.682163]  bpf_clone_redirect+0x29a/0x2b0
[ 59.682176]  ___bpf_prog_run+0x248e/0x5c70
[ 59.682185]  ? __free_insn_slot+0x490/0x490
[ 59.682198]  ? bpf_jit_compile+0x30/0x30
[ 59.682207]  ? depot_save_stack+0x20a/0x428
[ 59.682217]  ? __bpf_prog_run512+0x99/0xe0
[ 59.682226]  ? ___bpf_prog_run+0x5c70/0x5c70
[ 59.682239]  ? __lock_acquire+0x619/0x4320
[ 59.682252]  ? trace_hardirqs_on+0x10/0x10
[ 59.682265]  ? trace_hardirqs_on+0x10/0x10
[ 59.682273]  ? __lock_acquire+0x619/0x4320
[ 59.682283]  ? get_unused_fd_flags+0xc0/0xc0
[ 59.682296]  ? bpf_test_run+0x57/0x350
[ 59.682309]  ? lock_acquire+0x10f/0x380
[ 59.682319]  ? check_preemption_disabled+0x34/0x160
[ 59.682331]  ? bpf_test_run+0xab/0x350
[ 59.682345]  ? bpf_prog_test_run_skb+0x6b0/0x8c0
[ 59.682355]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 59.682364]  ? __fget_light+0x163/0x1f0
[ 59.682373]  ? bpf_prog_add+0x42/0xa0
[ 59.682382]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 59.682391]  ? SyS_bpf+0x79d/0x3640
[ 59.682404]  ? bpf_prog_get+0x20/0x20
[ 59.682413]  ? __do_page_fault+0x485/0xb60
[ 59.682422]  ? lock_downgrade+0x560/0x560
[ 59.682434]  ? up_read+0x17/0x30
[ 59.682442]  ? __do_page_fault+0x64c/0xb60
[ 59.682451]  ? do_syscall_64+0x43/0x4b0
[ 59.682482]  ? bpf_prog_get+0x20/0x20
[ 59.682491]  ? do_syscall_64+0x19b/0x4b0
[ 59.682505]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 59.682857] Kernel Offset: 0x15600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 60.236055] Rebooting in 86400 seconds..
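A triage helper for the report above, added here as an example (it is not syzkaller or kernel code). It parses the KASAN header, the object description and the shadow-memory dump, then recomputes what the kernel printed instead of taking it on trust: the 8-byte read at ffff8801c4cb8250 lands 272 bytes into a 224-byte skbuff_head_cache object, i.e. 48 bytes past its end, and the shadow byte for that address is 0xfc, the kmalloc redzone marker. REPORT is copied from the log with timestamps stripped; the shadow-byte meanings follow mm/kasan/kasan.h. One caveat the numbers make explicit: the "Allocated by" stack (an audit skb from audit_log_start) describes the object nearest the bad address, which is not necessarily the skb bpf_clone_redirect was handed, so the allocation site does not by itself identify the buggy caller.

```python
"""Parse a KASAN slab-out-of-bounds report and cross-check its arithmetic.

Added example for this page, not syzkaller or kernel code. REPORT below is
copied from the crash log above with the kernel timestamps removed.
"""
import re

# Shadow byte encoding from mm/kasan/kasan.h (one shadow byte per 8-byte granule).
SHADOW_MEANING = {
    0x00: "accessible",
    0xFA: "global redzone",
    0xFB: "kmalloc freed object",
    0xFC: "kmalloc redzone",
    0xFE: "page redzone",
    0xFF: "free page",
}

REPORT = """\
BUG: KASAN: slab-out-of-bounds in bpf_clone_redirect+0x29a/0x2b0
Read of size 8 at addr ffff8801c4cb8250 by task syz-executor778/1795
The buggy address belongs to the object at ffff8801c4cb8140
 which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 48 bytes to the right of
 224-byte region [ffff8801c4cb8140, ffff8801c4cb8220)
Memory state around the buggy address:
 ffff8801c4cb8100: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
 ffff8801c4cb8180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801c4cb8200: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801c4cb8280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801c4cb8300: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
"""

HEADER_RE = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>[\w.]+)\+0x(?P<off>[0-9a-f]+)/")
ACCESS_RE = re.compile(r"(?P<kind>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
OBJECT_RE = re.compile(r"belongs to the object at (?P<base>[0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
CLAIM_RE = re.compile(r"located (?P<n>\d+) bytes (?P<side>to the right of|to the left of|inside of)")
SHADOW_RE = re.compile(r"^[ >](?P<base>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")


def shadow_meaning(byte):
    """Human-readable meaning of one KASAN shadow byte."""
    if byte is None:
        return "not covered by the dump"
    if 1 <= byte <= 7:
        return "first %d bytes of granule accessible" % byte
    return SHADOW_MEANING.get(byte, "unknown 0x%02x" % byte)


def decode_shadow(lines, addr):
    """Return the shadow byte covering `addr`, or None if the dump does not include it."""
    for line in lines:
        m = SHADOW_RE.match(line)
        if m:
            base = int(m["base"], 16)
            if base <= addr < base + 16 * 8:
                return int(m["bytes"].split()[(addr - base) // 8], 16)
    return None


def parse_kasan_report(text):
    """Extract the key fields and recompute the distances the kernel claimed."""
    info = {}
    lines = text.splitlines()
    for line in lines:
        if m := HEADER_RE.search(line):
            info.update(bug=m["bug"], func=m["func"], func_off=int(m["off"], 16))
        elif m := ACCESS_RE.search(line):
            info.update(kind=m["kind"], access_size=int(m["size"]),
                        addr=int(m["addr"], 16), task=m["task"])
        elif m := OBJECT_RE.search(line):
            info["obj_base"] = int(m["base"], 16)
        elif m := CACHE_RE.search(line):
            info.update(cache=m["cache"], obj_size=int(m["size"]))
        elif m := CLAIM_RE.search(line):
            info.update(claimed_distance=int(m["n"]), claimed_side=m["side"])

    addr, obj_end = info["addr"], info["obj_base"] + info["obj_size"]
    # Offset the faulting code effectively used from the object start, and how
    # far beyond the allocation the access lands (positive = past the end).
    info["offset_in_obj"] = addr - info["obj_base"]
    info["past_end"] = addr - obj_end
    # Check the free-text claim ("48 bytes to the right of") against the addresses.
    recomputed = {"to the right of": addr - obj_end,
                  "to the left of": info["obj_base"] - addr,
                  "inside of": addr - info["obj_base"]}[info["claimed_side"]]
    info["claim_consistent"] = recomputed == info["claimed_distance"]
    # Shadow byte at the faulting address; note whether the access straddles two granules.
    info["shadow"] = decode_shadow(lines, addr)
    info["shadow_meaning"] = shadow_meaning(info["shadow"])
    info["access_spans_granule"] = (addr // 8) != ((addr + info["access_size"] - 1) // 8)
    return info


if __name__ == "__main__":
    r = parse_kasan_report(REPORT)
    print("%s: %s of %d bytes in %s, object offset %d, %d bytes past end of %d-byte %s object"
          % (r["bug"], r["kind"], r["access_size"], r["func"], r["offset_in_obj"],
             r["past_end"], r["obj_size"], r["cache"]))
    print("shadow 0x%02x (%s); kernel distance claim consistent: %s"
          % (r["shadow"], r["shadow_meaning"], r["claim_consistent"]))
```

Run on a report whose "located N bytes" claim does not agree with the addresses, `claim_consistent` comes back False, which usually means the report was mangled in transit (wrapped or truncated lines) rather than a kernel bug in print_address_description.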