[ 34.916184] audit: type=1800 audit(1579650946.817:33): pid=7184 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 34.943810] audit: type=1800 audit(1579650946.817:34): pid=7184 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 38.285539] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.605764] audit: type=1400 audit(1579650950.507:35): avc: denied { map } for pid=7356 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 38.657848] random: sshd: uninitialized urandom read (32 bytes read)
[ 39.372311] random: sshd: uninitialized urandom read (32 bytes read)
[ 39.564058] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.250' (ECDSA) to the list of known hosts.
[ 45.125593] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 45.241476] audit: type=1400 audit(1579650957.147:36): avc: denied { map } for pid=7369 comm="syz-executor521" path="/root/syz-executor521664430" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 45.244623] ==================================================================
[ 45.276473] BUG: KASAN: slab-out-of-bounds in ipt_init_target+0x24e/0x290
[ 45.283435] Read of size 1 at addr ffff88809fb90a1f by task syz-executor521/7369
[ 45.291035]
[ 45.292670] CPU: 1 PID: 7369 Comm: syz-executor521 Not tainted 4.14.166-syzkaller #0
[ 45.300633] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.309988] Call Trace:
[ 45.312772]  dump_stack+0x142/0x197
[ 45.316399]  ? ipt_init_target+0x24e/0x290
[ 45.320624]  print_address_description.cold+0x7c/0x1dc
[ 45.325910]  ? ipt_init_target+0x24e/0x290
[ 45.330140]  kasan_report.cold+0xa9/0x2af
[ 45.334293]  __asan_report_load1_noabort+0x14/0x20
[ 45.339382]  ipt_init_target+0x24e/0x290
[ 45.343521]  ? __lock_is_held+0xb6/0x140
[ 45.347695]  ? tcf_ipt_release+0x130/0x130
[ 45.352461]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 45.358035]  ? rcu_read_lock_sched_held+0x110/0x130
[ 45.363128]  ? memcpy+0x46/0x50
[ 45.366412]  __tcf_ipt_init+0x48c/0xb50
[ 45.370393]  ? ipt_init_target+0x290/0x290
[ 45.374625]  ? lock_downgrade+0x740/0x740
[ 45.378934]  ? rcu_read_lock_sched_held+0x110/0x130
[ 45.384044]  tcf_xt_init+0x4e/0x60
[ 45.387597]  tcf_action_init_1+0x53c/0xaa0
[ 45.391824]  ? tcf_action_dump_old+0x80/0x80
[ 45.396740]  ? lock_downgrade+0x740/0x740
[ 45.400979]  ? nla_parse+0x186/0x240
[ 45.404894]  tcf_action_init+0x2ab/0x480
[ 45.408955]  ? tcf_action_init_1+0xaa0/0xaa0
[ 45.413364]  ? memset+0x32/0x40
[ 45.416652]  ? nla_parse+0x186/0x240
[ 45.420379]  tc_ctl_action+0x30a/0x548
[ 45.424440]  ? tca_action_gd+0x840/0x840
[ 45.428524]  ? tca_action_gd+0x840/0x840
[ 45.432597]  rtnetlink_rcv_msg+0x3da/0xb70
[ 45.436872]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 45.441452]  ? netlink_deliver_tap+0x93/0x8f0
[ 45.445948]  netlink_rcv_skb+0x14f/0x3c0
[ 45.449997]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 45.454583]  ? lock_downgrade+0x740/0x740
[ 45.458732]  ? netlink_ack+0x9a0/0x9a0
[ 45.462706]  ? netlink_deliver_tap+0xba/0x8f0
[ 45.467206]  rtnetlink_rcv+0x1d/0x30
[ 45.470916]  netlink_unicast+0x44d/0x650
[ 45.475200]  ? netlink_attachskb+0x6a0/0x6a0
[ 45.480049]  ? security_netlink_send+0x81/0xb0
[ 45.484755]  netlink_sendmsg+0x7c4/0xc60
[ 45.489412]  ? netlink_unicast+0x650/0x650
[ 45.493652]  ? security_socket_sendmsg+0x89/0xb0
[ 45.498405]  ? netlink_unicast+0x650/0x650
[ 45.502639]  sock_sendmsg+0xce/0x110
[ 45.506346]  ___sys_sendmsg+0x70a/0x840
[ 45.510311]  ? lock_downgrade+0x740/0x740
[ 45.514445]  ? copy_msghdr_from_user+0x3f0/0x3f0
[ 45.519213]  ? do_raw_spin_unlock+0x174/0x260
[ 45.523776]  ? _raw_spin_unlock+0x2d/0x50
[ 45.528145]  ? do_huge_pmd_anonymous_page+0x2f9/0x1200
[ 45.533598]  ? thp_get_unmapped_area+0x1c0/0x1c0
[ 45.538352]  ? __handle_mm_fault+0x692/0x33d0
[ 45.542849]  ? save_trace+0x290/0x290
[ 45.546653]  ? copy_page_range+0x1de0/0x1de0
[ 45.551052]  ? __do_page_fault+0x4e9/0xb80
[ 45.555368]  ? __fget_light+0x172/0x1f0
[ 45.559336]  ? __fdget+0x1b/0x20
[ 45.562690]  ? sockfd_lookup_light+0xb4/0x160
[ 45.567296]  __sys_sendmsg+0xb9/0x140
[ 45.571307]  ? SyS_shutdown+0x170/0x170
[ 45.575386]  SyS_sendmsg+0x2d/0x50
[ 45.578910]  ? __sys_sendmsg+0x140/0x140
[ 45.583084]  do_syscall_64+0x1e8/0x640
[ 45.587173]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 45.592010]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.597191] RIP: 0033:0x440579
[ 45.600379] RSP: 002b:00007ffdc216e4b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 45.608080] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440579
[ 45.616700] RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000003
[ 45.624058] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 45.631893] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000401e00
[ 45.639256] R13: 0000000000401e90 R14: 0000000000000000 R15: 0000000000000000
[ 45.646850]
[ 45.648473] Allocated by task 7369:
[ 45.652100]  save_stack_trace+0x16/0x20
[ 45.656232]  save_stack+0x45/0xd0
[ 45.659874]  kasan_kmalloc+0xce/0xf0
[ 45.663701]  __kmalloc_track_caller+0x159/0x790
[ 45.668364]  kmemdup+0x27/0x60
[ 45.671600]  __tcf_ipt_init+0x463/0xb50
[ 45.675858]  tcf_xt_init+0x4e/0x60
[ 45.679395]  tcf_action_init_1+0x53c/0xaa0
[ 45.683628]  tcf_action_init+0x2ab/0x480
[ 45.688424]  tc_ctl_action+0x30a/0x548
[ 45.692317]  rtnetlink_rcv_msg+0x3da/0xb70
[ 45.696551]  netlink_rcv_skb+0x14f/0x3c0
[ 45.700601]  rtnetlink_rcv+0x1d/0x30
[ 45.704304]  netlink_unicast+0x44d/0x650
[ 45.708592]  netlink_sendmsg+0x7c4/0xc60
[ 45.712845]  sock_sendmsg+0xce/0x110
[ 45.716548]  ___sys_sendmsg+0x70a/0x840
[ 45.720526]  __sys_sendmsg+0xb9/0x140
[ 45.724406]  SyS_sendmsg+0x2d/0x50
[ 45.727945]  do_syscall_64+0x1e8/0x640
[ 45.731976]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.737458]
[ 45.739102] Freed by task 5391:
[ 45.742493]  save_stack_trace+0x16/0x20
[ 45.747041]  save_stack+0x45/0xd0
[ 45.750534]  kasan_slab_free+0x75/0xc0
[ 45.754525]  kfree+0xcc/0x270
[ 45.757639]  kvfree+0x4d/0x60
[ 45.760732]  setxattr+0x1f8/0x350
[ 45.764279]  path_setxattr+0x11f/0x140
[ 45.768251]  SyS_lsetxattr+0x38/0x50
[ 45.772030]  do_syscall_64+0x1e8/0x640
[ 45.776034]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.781211]
[ 45.783268] The buggy address belongs to the object at ffff88809fb90a00
[ 45.783268]  which belongs to the cache kmalloc-32 of size 32
[ 45.796053] The buggy address is located 31 bytes inside of
[ 45.796053]  32-byte region [ffff88809fb90a00, ffff88809fb90a20)
[ 45.807983] The buggy address belongs to the page:
[ 45.812916] page:ffffea00027ee400 count:1 mapcount:0 mapping:ffff88809fb90000 index:0xffff88809fb90fc1
[ 45.822364] flags: 0xfffe0000000100(slab)
[ 45.826593] raw: 00fffe0000000100 ffff88809fb90000 ffff88809fb90fc1 000000010000003f
[ 45.834538] raw: ffffea00027d0f20 ffffea00029549e0 ffff8880aa8001c0 0000000000000000
[ 45.843993] page dumped because: kasan: bad access detected
[ 45.849710]
[ 45.851423] Memory state around the buggy address:
[ 45.856346]  ffff88809fb90900: 00 04 fc fc fc fc fc fc 00 04 fc fc fc fc fc fc
[ 45.863727]  ffff88809fb90980: fb fb fb fb fc fc fc fc 00 00 01 fc fc fc fc fc
[ 45.871084] >ffff88809fb90a00: 04 fc fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
[ 45.878761]                             ^
[ 45.882994]  ffff88809fb90a80: 00 00 00 fc fc fc fc fc 00 07 fc fc fc fc fc fc
[ 45.890360]  ffff88809fb90b00: 00 fc fc fc fc fc fc fc 00 01 fc fc fc fc fc fc
[ 45.897765] ==================================================================
[ 45.905142] Disabling lock debugging due to kernel taint
[ 45.911344] Kernel panic - not syncing: panic_on_warn set ...
[ 45.911344]
[ 45.919065] CPU: 1 PID: 7369 Comm: syz-executor521 Tainted: G B 4.14.166-syzkaller #0
[ 45.928601] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.938009] Call Trace:
[ 45.940740]  dump_stack+0x142/0x197
[ 45.944572]  ? ipt_init_target+0x24e/0x290
[ 45.948811]  panic+0x1f9/0x42d
[ 45.952176]  ? add_taint.cold+0x16/0x16
[ 45.956137]  ? ___preempt_schedule+0x16/0x18
[ 45.960551]  kasan_end_report+0x47/0x4f
[ 45.964509]  kasan_report.cold+0x130/0x2af
[ 45.968763]  __asan_report_load1_noabort+0x14/0x20
[ 45.973690]  ipt_init_target+0x24e/0x290
[ 45.977733]  ? __lock_is_held+0xb6/0x140
[ 45.981787]  ? tcf_ipt_release+0x130/0x130
[ 45.986019]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 45.991572]  ? rcu_read_lock_sched_held+0x110/0x130
[ 45.996571]  ? memcpy+0x46/0x50
[ 45.999844]  __tcf_ipt_init+0x48c/0xb50
[ 46.003967]  ? ipt_init_target+0x290/0x290
[ 46.008198]  ? lock_downgrade+0x740/0x740
[ 46.012631]  ? rcu_read_lock_sched_held+0x110/0x130
[ 46.018074]  tcf_xt_init+0x4e/0x60
[ 46.021610]  tcf_action_init_1+0x53c/0xaa0
[ 46.025839]  ? tcf_action_dump_old+0x80/0x80
[ 46.030276]  ? lock_downgrade+0x740/0x740
[ 46.034431]  ? nla_parse+0x186/0x240
[ 46.038129]  tcf_action_init+0x2ab/0x480
[ 46.043486]  ? tcf_action_init_1+0xaa0/0xaa0
[ 46.047882]  ? memset+0x32/0x40
[ 46.051435]  ? nla_parse+0x186/0x240
[ 46.055240]  tc_ctl_action+0x30a/0x548
[ 46.059214]  ? tca_action_gd+0x840/0x840
[ 46.063473]  ? tca_action_gd+0x840/0x840
[ 46.067546]  rtnetlink_rcv_msg+0x3da/0xb70
[ 46.073031]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 46.077623]  ? netlink_deliver_tap+0x93/0x8f0
[ 46.082111]  netlink_rcv_skb+0x14f/0x3c0
[ 46.086313]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 46.090891]  ? lock_downgrade+0x740/0x740
[ 46.095125]  ? netlink_ack+0x9a0/0x9a0
[ 46.099083]  ? netlink_deliver_tap+0xba/0x8f0
[ 46.103659]  rtnetlink_rcv+0x1d/0x30
[ 46.107372]  netlink_unicast+0x44d/0x650
[ 46.111418]  ? netlink_attachskb+0x6a0/0x6a0
[ 46.115947]  ? security_netlink_send+0x81/0xb0
[ 46.120745]  netlink_sendmsg+0x7c4/0xc60
[ 46.124986]  ? netlink_unicast+0x650/0x650
[ 46.129315]  ? security_socket_sendmsg+0x89/0xb0
[ 46.134065]  ? netlink_unicast+0x650/0x650
[ 46.138297]  sock_sendmsg+0xce/0x110
[ 46.142027]  ___sys_sendmsg+0x70a/0x840
[ 46.146007]  ? lock_downgrade+0x740/0x740
[ 46.150243]  ? copy_msghdr_from_user+0x3f0/0x3f0
[ 46.154992]  ? do_raw_spin_unlock+0x174/0x260
[ 46.159571]  ? _raw_spin_unlock+0x2d/0x50
[ 46.163704]  ? do_huge_pmd_anonymous_page+0x2f9/0x1200
[ 46.168983]  ? thp_get_unmapped_area+0x1c0/0x1c0
[ 46.173910]  ? __handle_mm_fault+0x692/0x33d0
[ 46.178401]  ? save_trace+0x290/0x290
[ 46.182572]  ? copy_page_range+0x1de0/0x1de0
[ 46.186999]  ? __do_page_fault+0x4e9/0xb80
[ 46.191241]  ? __fget_light+0x172/0x1f0
[ 46.195200]  ? __fdget+0x1b/0x20
[ 46.198651]  ? sockfd_lookup_light+0xb4/0x160
[ 46.203134]  __sys_sendmsg+0xb9/0x140
[ 46.206916]  ? SyS_shutdown+0x170/0x170
[ 46.211033]  SyS_sendmsg+0x2d/0x50
[ 46.214569]  ? __sys_sendmsg+0x140/0x140
[ 46.218623]  do_syscall_64+0x1e8/0x640
[ 46.222495]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 46.227348]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 46.232528] RIP: 0033:0x440579
[ 46.235757] RSP: 002b:00007ffdc216e4b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 46.243551] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440579
[ 46.250811] RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000003
[ 46.258175] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 46.265526] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000401e00
[ 46.272967] R13: 0000000000401e90 R14: 0000000000000000 R15: 0000000000000000
[ 46.281980] Kernel Offset: disabled
[ 46.285759] Rebooting in 86400 seconds..
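The report above says more than its headline. The faulting address minus the object address gives the 31-byte offset the kernel printed, and the "Memory state" rows say how big the object really was: KASAN's generic mode keeps one shadow byte per 8-byte granule, 00 meaning all 8 bytes are accessible, 01-07 meaning only the first N bytes are, fc meaning slab redzone and fb meaning a freed slab object (values from mm/kasan/kasan.h). The marked row starts with 04 fc fc fc, so kasan_kmalloc() unpoisoned only 4 bytes of the 32-byte kmalloc-32 slot: the kmemdup() in __tcf_ipt_init() was asked for 4 bytes, and the 1-byte read at offset 31 in ipt_init_target() lands 27 bytes past the end of the copied data, in the redzone. The "Freed by task 5391" stack (kvfree from setxattr) is the previous occupant of the same slot, which KASAN prints for every slab report; it does not make this a use-after-free. The script below, added here as an editorial example and not part of the syzkaller log, parses the report's own lines (embedded as a constructed sample) and carries out that triage; the field names it returns are its own.

```python
"""Triage a KASAN slab-out-of-bounds report: recover the access offset,
decode the shadow map, and work out how large the object really was."""
import re

# Constructed sample: the lines of the report above that the triage needs.
REPORT = """\
[ 45.276473] BUG: KASAN: slab-out-of-bounds in ipt_init_target+0x24e/0x290
[ 45.283435] Read of size 1 at addr ffff88809fb90a1f by task syz-executor521/7369
[ 45.783268] The buggy address belongs to the object at ffff88809fb90a00
[ 45.783268]  which belongs to the cache kmalloc-32 of size 32
[ 45.796053] The buggy address is located 31 bytes inside of
[ 45.796053]  32-byte region [ffff88809fb90a00, ffff88809fb90a20)
[ 45.851423] Memory state around the buggy address:
[ 45.856346]  ffff88809fb90900: 00 04 fc fc fc fc fc fc 00 04 fc fc fc fc fc fc
[ 45.863727]  ffff88809fb90980: fb fb fb fb fc fc fc fc 00 00 01 fc fc fc fc fc
[ 45.871084] >ffff88809fb90a00: 04 fc fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
[ 45.882994]  ffff88809fb90a80: 00 00 00 fc fc fc fc fc 00 07 fc fc fc fc fc fc
"""

GRANULE = 8               # bytes of memory covered by one shadow byte (generic KASAN)
ROW_BYTES = 16 * GRANULE  # one "Memory state" row shows 16 shadow bytes = 128 bytes

# Poison values from mm/kasan/kasan.h (4.x generic KASAN).
POISON = {
    0xfa: "global redzone", 0xfb: "freed slab object", 0xfc: "slab redzone",
    0xfe: "page redzone", 0xff: "free page",
    0xf1: "stack left redzone", 0xf2: "stack mid redzone",
    0xf3: "stack right redzone", 0xf4: "stack partial redzone",
    0xf8: "use-after-scope",
}

def describe_shadow(b):
    """Human-readable meaning of one shadow byte."""
    if b == 0:
        return "accessible"
    if 1 <= b < GRANULE:
        return "partially accessible (%d of %d bytes)" % (b, GRANULE)
    return POISON.get(b, "unknown 0x%02x" % b)

def parse_report(text):
    """Pull the fields the triage needs out of a KASAN slab report."""
    r = {}
    m = re.search(r"BUG: KASAN: (\S+) in (\w+)\+0x", text)
    r["bug"], r["function"] = m.group(1), m.group(2)
    m = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", text)
    r["access"], r["size"], r["addr"] = m.group(1), int(m.group(2)), int(m.group(3), 16)
    r["task"], r["pid"] = m.group(4), int(m.group(5))
    r["object"] = int(re.search(r"belongs to the object at ([0-9a-f]+)", text).group(1), 16)
    m = re.search(r"cache (\S+) of size (\d+)", text)
    r["cache"], r["cache_size"] = m.group(1), int(m.group(2))
    m = re.search(r"located (\d+) bytes inside of", text)
    if m is None:
        raise ValueError("only 'located N bytes inside of' reports are handled")
    r["reported_offset"] = int(m.group(1))
    # Shadow rows: a 16-digit row address (optionally marked '>') and 16 hex pairs.
    r["shadow"] = {}
    for m in re.finditer(r">?([0-9a-f]{16}): ((?:[0-9a-f]{2} ){15}[0-9a-f]{2})\s*$", text, re.M):
        r["shadow"][int(m.group(1), 16)] = [int(x, 16) for x in m.group(2).split()]
    return r

def shadow_at(shadow, addr):
    """Shadow byte covering addr, or None if that row was not printed."""
    row = shadow.get(addr & ~(ROW_BYTES - 1))
    if row is None:
        return None
    return row[(addr & (ROW_BYTES - 1)) // GRANULE]

def valid_bytes(shadow, start, size):
    """Bytes unpoisoned at the front of a slab object. kasan_kmalloc() marks
    the requested length accessible and the rest of the slot as redzone, so
    this recovers the size that was actually passed to kmalloc/kmemdup."""
    n = 0
    for off in range(0, size, GRANULE):
        b = shadow_at(shadow, start + off)
        if b == 0:
            n += GRANULE
        elif b is not None and 1 <= b < GRANULE:
            n += b
            break
        else:
            break
    return n

def triage(text):
    r = parse_report(text)
    r["offset"] = r["addr"] - r["object"]
    # Cross-check the kernel's own arithmetic before trusting the rest.
    if r["offset"] != r["reported_offset"] or not 0 <= r["offset"] < r["cache_size"]:
        raise ValueError("report is internally inconsistent")
    b = shadow_at(r["shadow"], r["addr"])
    r["shadow_byte"], r["shadow_meaning"] = b, describe_shadow(b)
    r["valid_bytes"] = valid_bytes(r["shadow"], r["object"], r["cache_size"])
    # Distance from the end of the live data to the first byte accessed.
    r["past_end"] = r["offset"] - r["valid_bytes"]
    return r

if __name__ == "__main__":
    t = triage(REPORT)
    print("%s: %s of %d byte(s) in %s(), offset %d into a %s slot" % (
        t["bug"], t["access"], t["size"], t["function"], t["offset"], t["cache"]))
    print("allocation was %d byte(s); access is %d byte(s) past its end; shadow 0x%02x (%s)" % (
        t["valid_bytes"], t["past_end"], t["shadow_byte"], t["shadow_meaning"]))
```

Run against the sample it reports a 4-byte allocation and a read 27 bytes past it. That is the detail worth carrying into the bug write-up: the length handed to kmemdup() came from the netlink message and was far smaller than the header ipt_init_target() goes on to read, so any fix has to validate that length before the copy rather than after.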