[ ok ] Starting enhanced syslogd: rsyslogd.
[   10.479563] audit: type=1400 audit(1516823452.754:4): avc:  denied  { syslog } for  pid=3173 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.225' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   18.982396] ==================================================================
[   18.983447] BUG: KASAN: slab-out-of-bounds in string+0x1e8/0x200
[   18.984260] Read of size 1 at addr ffff8801c88cbc10 by task syzkaller219204/3321
[   18.985275] 
[   18.985524] CPU: 1 PID: 3321 Comm: syzkaller219204 Not tainted 4.9.78-ge9dabe6 #19
[   18.986534] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   18.987816]  ffff8801cd59f740 ffffffff81d943a9 ffffea00072232c0 ffff8801c88cbc10
[   18.989029]  0000000000000000 ffff8801c88cbc10 ffff8801cd59f99c ffff8801cd59f778
[   18.990172]  ffffffff8153dc23 ffff8801c88cbc10 0000000000000001 0000000000000000
[   18.991323] Call Trace:
[   18.991679]  [] dump_stack+0xc1/0x128
[   18.992394]  [] print_address_description+0x73/0x280
[   18.993274]  [] kasan_report+0x275/0x360
[   18.994042]  [] ? string+0x1e8/0x200
[   18.994741]  [] __asan_report_load1_noabort+0x14/0x20
[   18.995645]  [] string+0x1e8/0x200
[   18.996359]  [] vsnprintf+0x7ad/0x16d0
[   18.997079]  [] ? pointer+0xa90/0xa90
[   18.997791]  [] ? __mutex_unlock_slowpath+0x25a/0x3d0
[   18.998740]  [] __request_module+0x14f/0x750
[   18.999566]  [] ? __ww_mutex_lock+0x14a0/0x14a0
[   19.000387]  [] ? call_usermodehelper_setup+0x2c0/0x2c0
[   19.001326]  [] ? nft_dynset_init+0xc48/0x1230
[   19.002160]  [] xt_request_find_target+0x8b/0xb0
[   19.006279]  [] translate_table+0x177a/0x1e30
[   19.012308]  [] ? ipt_alloc_initial_table+0x660/0x660
[   19.019029]  [] ? check_stack_object+0x68/0x140
[   19.025263]  [] ? __check_object_size+0x174/0x3a9
[   19.031634]  [] ? 0xffffffff810002b8
[   19.036879]  [] do_ipt_set_ctl+0x2be/0x470
[   19.042645]  [] ? compat_do_ipt_set_ctl+0x150/0x150
[   19.049194]  [] ? mutex_unlock+0x9/0x10
[   19.054700]  [] ? nf_sockopt_find.constprop.0+0x1a7/0x220
[   19.061766]  [] nf_setsockopt+0x67/0xc0
[   19.067270]  [] ip_setsockopt+0xa1/0xb0
[   19.072778]  [] udp_setsockopt+0x45/0x80
[   19.078372]  [] sock_common_setsockopt+0x95/0xd0
[   19.084656]  [] SyS_setsockopt+0x160/0x250
[   19.090421]  [] ? SyS_recv+0x40/0x40
[   19.095667]  [] ? entry_SYSCALL_64_fastpath+0x5/0xe8
[   19.102303]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   19.118849]  [] ? trace_hardirqs_on_thunk+0x1a/0x1c
[   19.125410]  [] entry_SYSCALL_64_fastpath+0x29/0xe8
[   19.131955] 
[   19.133553] Allocated by task 3321:
[   19.137148]  save_stack_trace+0x16/0x20
[   19.141092]  save_stack+0x43/0xd0
[   19.144518]  kasan_kmalloc+0xad/0xe0
[   19.148221]  __kmalloc+0x11d/0x310
[   19.151735]  xt_alloc_table_info+0x71/0x100
[   19.156025]  do_ipt_set_ctl+0x242/0x470
[   19.159966]  nf_setsockopt+0x67/0xc0
[   19.163650]  ip_setsockopt+0xa1/0xb0
[   19.167331]  udp_setsockopt+0x45/0x80
[   19.171116]  sock_common_setsockopt+0x95/0xd0
[   19.175578]  SyS_setsockopt+0x160/0x250
[   19.179518]  entry_SYSCALL_64_fastpath+0x29/0xe8
[   19.184238] 
[   19.185834] Freed by task 1914:
[   19.189081]  save_stack_trace+0x16/0x20
[   19.193022]  save_stack+0x43/0xd0
[   19.196442]  kasan_slab_free+0x72/0xc0
[   19.200297]  kfree+0x103/0x300
[   19.203458]  free_bprm+0x19d/0x200
[   19.206962]  do_execveat_common.isra.37+0x17df/0x1f10
[   19.212119]  SyS_execve+0x42/0x50
[   19.215537]  do_syscall_64+0x197/0x490
[   19.219396]  return_from_SYSCALL_64+0x0/0x7e
[   19.223768] 
[   19.225364] The buggy address belongs to the object at ffff8801c88cbb40
[   19.225364]  which belongs to the cache kmalloc-256 of size 256
[   19.237989] The buggy address is located 208 bytes inside of
[   19.237989]  256-byte region [ffff8801c88cbb40, ffff8801c88cbc40)
[   19.249833] The buggy address belongs to the page:
[   19.254730] page:ffffea00072232c0 count:1 mapcount:0 mapping:          (null) index:0x0
[   19.262951] flags: 0x8000000000000080(slab)
[   19.267236] page dumped because: kasan: bad access detected
[   19.272909] 
[   19.274502] Memory state around the buggy address:
[   19.279399]  ffff8801c88cbb00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   19.286726]  ffff8801c88cbb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   19.294052] >ffff8801c88cbc00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.301376]                          ^
[   19.305231]  ffff8801c88cbc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.312556]  ffff8801c88cbd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.319880] ==================================================================
[   19.327204] Disabling lock debugging due to kernel taint
[   19.332911] Kernel panic - not syncing: panic_on_warn set ...
[   19.332911] 
[   19.340254] CPU: 1 PID: 3321 Comm: syzkaller219204 Tainted: G    B           4.9.78-ge9dabe6 #19
[   19.349147] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   19.358470]  ffff8801cd59f698 ffffffff81d943a9 ffffffff841971bf ffff8801cd59f770
[   19.366436]  0000000000000000 ffff8801c88cbc10 ffff8801cd59f99c ffff8801cd59f760
[   19.374396]  ffffffff8142f451 0000000041b58ab3 ffffffff8418ac30 ffffffff8142f295
[   19.382358] Call Trace:
[   19.384916]  [] dump_stack+0xc1/0x128
[   19.390249]  [] panic+0x1bc/0x3a8
[   19.395234]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   19.403430]  [] ? preempt_schedule+0x25/0x30
[   19.409368]  [] ? ___preempt_schedule+0x16/0x18
[   19.415571]  [] kasan_end_report+0x50/0x50
[   19.421334]  [] kasan_report+0x167/0x360
[   19.426923]  [] ? string+0x1e8/0x200
[   19.432171]  [] __asan_report_load1_noabort+0x14/0x20
[   19.438891]  [] string+0x1e8/0x200
[   19.443962]  [] vsnprintf+0x7ad/0x16d0
[   19.449384]  [] ? pointer+0xa90/0xa90
[   19.454715]  [] ? __mutex_unlock_slowpath+0x25a/0x3d0
[   19.461436]  [] __request_module+0x14f/0x750
[   19.467379]  [] ? __ww_mutex_lock+0x14a0/0x14a0
[   19.473580]  [] ? call_usermodehelper_setup+0x2c0/0x2c0
[   19.480474]  [] ? nft_dynset_init+0xc48/0x1230
[   19.486586]  [] xt_request_find_target+0x8b/0xb0
[   19.492873]  [] translate_table+0x177a/0x1e30
[   19.498900]  [] ? ipt_alloc_initial_table+0x660/0x660
[   19.505626]  [] ? check_stack_object+0x68/0x140
[   19.511824]  [] ? __check_object_size+0x174/0x3a9
[   19.518197]  [] ? 0xffffffff810002b8
[   19.523442]  [] do_ipt_set_ctl+0x2be/0x470
[   19.529206]  [] ? compat_do_ipt_set_ctl+0x150/0x150
[   19.535754]  [] ? mutex_unlock+0x9/0x10
[   19.541259]  [] ? nf_sockopt_find.constprop.0+0x1a7/0x220
[   19.548332]  [] nf_setsockopt+0x67/0xc0
[   19.553840]  [] ip_setsockopt+0xa1/0xb0
[   19.559345]  [] udp_setsockopt+0x45/0x80
[   19.564936]  [] sock_common_setsockopt+0x95/0xd0
[   19.571220]  [] SyS_setsockopt+0x160/0x250
[   19.576984]  [] ? SyS_recv+0x40/0x40
[   19.582228]  [] ? entry_SYSCALL_64_fastpath+0x5/0xe8
[   19.588864]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   19.595669]  [] ? trace_hardirqs_on_thunk+0x1a/0x1c
[   19.602214]  [] entry_SYSCALL_64_fastpath+0x29/0xe8
[   19.609176] Dumping ftrace buffer:
[   19.612683]    (ftrace buffer empty)
[   19.616360] Kernel Offset: disabled
[   19.619959] Rebooting in 86400 seconds..
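Reading the report: the 1-byte read faults at ffff8801c88cbc10, which is 208 bytes into the 256-byte slab object, and the shadow line (`00 00 fc`) shows that the object's accessible bytes end exactly there. The object was allocated by `xt_alloc_table_info()` for the table handed to `setsockopt()` on a UDP socket, and the read happens while `__request_module()` runs `vsnprintf()` to build a module name from a target name found by `xt_request_find_target()`. That is the signature of a `%s` over a fixed-width extension name, copied in from user space, that ends flush with the allocation and carries no NUL terminator. The program below is an added user-space illustration of that bug class and of the check that prevents it; it is not kernel code and is not part of the syzkaller report. The struct layout, the 29-byte name width (chosen to match the kernel's `XT_EXTENSION_MAXNAMELEN`), the 208-byte blob size taken from the report, the `ipt_` prefix and every function name are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Assumed constants for the illustration: 29 mirrors XT_EXTENSION_MAXNAMELEN,
 * 208 is the usable size of the slab object in the report above. */
#define NAME_LEN   29
#define BLOB_SIZE  208

/* Assumed stand-in for a target header as it sits inside a copied-from-user
 * table blob; the real kernel struct differs, only the idea matters here. */
struct entry_target {
    uint16_t target_size;
    char     name[NAME_LEN];     /* fixed width, NUL not guaranteed */
};

/* Constructed sample input: a blob whose last target name runs to the very
 * end of the allocation. With terminated == 0 the 29 name bytes hold no NUL,
 * which is the shape the KASAN report describes. */
char *make_blob(int terminated)
{
    char *blob = calloc(1, BLOB_SIZE);
    if (!blob)
        abort();
    struct entry_target *t =
        (struct entry_target *)(blob + BLOB_SIZE - sizeof(struct entry_target));
    t->target_size = sizeof(*t);
    memset(t->name, 'A', NAME_LEN);
    if (terminated)
        t->name[NAME_LEN - 1] = '\0';
    return blob;
}

struct entry_target *last_target(char *blob)
{
    return (struct entry_target *)(blob + BLOB_SIZE - sizeof(struct entry_target));
}

/* Unsafe pattern, the user-space equivalent of what the trace shows: "%s"
 * walks until it finds a NUL, and with none inside the name it walks off the
 * allocation. Deliberately never called below; it is the bug, not the demo. */
int request_module_unsafe(char *out, size_t outsz, const char *name)
{
    return snprintf(out, outsz, "ipt_%s", name);
}

/* Hardened: refuse a name with no terminator inside its fixed width before it
 * reaches any format or compare routine. memchr never reads past 'max'.
 * Returns 0 on success and -1 (standing in for -EINVAL) on a bad name. */
int check_name(const char *name, size_t max)
{
    return memchr(name, '\0', max) ? 0 : -1;
}

int request_module_checked(char *out, size_t outsz, const char *name)
{
    if (check_name(name, NAME_LEN) != 0)
        return -1;
    /* Second line of defence: bound the copy even though the name is now
     * known to terminate, so a caller that skips check_name() cannot overread. */
    int n = snprintf(out, outsz, "ipt_%.*s", (int)NAME_LEN, name);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Build a blob, run the hardened path on its last target, free the blob and
 * return the verdict so the outcome can be checked without leaking memory. */
int try_blob(int terminated, char *out, size_t outsz)
{
    char *blob = make_blob(terminated);
    int rc = request_module_checked(out, outsz, last_target(blob)->name);
    free(blob);
    return rc;
}

int main(void)
{
    char mod[64];

    printf("unterminated name: rc=%d (rejected before any %%s)\n",
           try_blob(0, mod, sizeof mod));
    if (try_blob(1, mod, sizeof mod) == 0)
        printf("terminated name:   would request module \"%s\"\n", mod);
    return 0;
}
```

In the kernel the place for the equivalent of `check_name()` is wherever a name copied from user space is first consumed, before any `request_module()` or name comparison; the `%.*s` bound alone is not a fix, because other consumers of the same field also assume a terminator.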