[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.114' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 32.215109] audit: type=1400 audit(1601466984.098:8): avc: denied { execmem } for pid=6336 comm="syz-executor339" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 32.220357] ntfs: (device loop0): is_boot_sector_ntfs(): Invalid end of sector marker.
[ 32.243910] ==================================================================
[ 32.251287] BUG: KASAN: slab-out-of-bounds in ntfs_attr_find+0x8df/0xa10
[ 32.259769] Read of size 4 at addr ffff888097414353 by task syz-executor339/6336
[ 32.267290]
[ 32.268923] CPU: 0 PID: 6336 Comm: syz-executor339 Not tainted 4.14.198-syzkaller #0
[ 32.276791] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.286120] Call Trace:
[ 32.288687] dump_stack+0x1b2/0x283
[ 32.292294] print_address_description.cold+0x54/0x1d3
[ 32.297561] kasan_report_error.cold+0x8a/0x194
[ 32.302208] ? ntfs_attr_find+0x8df/0xa10
[ 32.306331] __asan_report_load_n_noabort+0x6b/0x80
[ 32.311625] ? ntfs_attr_find+0x8df/0xa10
[ 32.315744] ntfs_attr_find+0x8df/0xa10
[ 32.319691] ntfs_attr_lookup+0xeca/0x1f30
[ 32.323900] ? do_raw_spin_unlock+0x164/0x220
[ 32.328377] ? _raw_spin_unlock+0x29/0x40
[ 32.332518] ? cache_alloc_refill+0x2fa/0x350
[ 32.337004] ? check_preemption_disabled+0x35/0x240
[ 32.342622] ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0
[ 32.347888] ? kmem_cache_alloc+0x2f8/0x3c0
[ 32.352184] ntfs_read_inode_mount+0x6b4/0x1fb0
[ 32.356851] ntfs_fill_super+0x9a6/0x7170
[ 32.360982] ? vsnprintf+0x260/0x1340
[ 32.364780] ? pointer+0x9e0/0x9e0
[ 32.368330] ? lock_downgrade+0x740/0x740
[ 32.372474] ? ntfs_big_inode_init_once+0x20/0x20
[ 32.377291] ? snprintf+0xa5/0xd0
[ 32.380726] ? vsprintf+0x30/0x30
[ 32.384199] ? ns_test_super+0x50/0x50
[ 32.388078] ? set_blocksize+0x125/0x380
[ 32.392113] mount_bdev+0x2b3/0x360
[ 32.395732] ? ntfs_big_inode_init_once+0x20/0x20
[ 32.400549] mount_fs+0x92/0x2a0
[ 32.403922] vfs_kern_mount.part.0+0x5b/0x470
[ 32.408412] do_mount+0xe53/0x2a00
[ 32.411935] ? retint_kernel+0x2d/0x2d
[ 32.415817] ? copy_mount_string+0x40/0x40
[ 32.420116] ? memset+0x20/0x40
[ 32.423389] ? copy_mount_options+0x1fa/0x2f0
[ 32.427873] ? copy_mnt_ns+0xa30/0xa30
[ 32.431733] SyS_mount+0xa8/0x120
[ 32.435172] ? copy_mnt_ns+0xa30/0xa30
[ 32.439034] do_syscall_64+0x1d5/0x640
[ 32.442915] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 32.448080] RIP: 0033:0x44733a
[ 32.451279] RSP: 002b:00007ffee3619878 EFLAGS: 00000287 ORIG_RAX: 00000000000000a5
[ 32.459057] RAX: ffffffffffffffda RBX: 00007ffee36198d0 RCX: 000000000044733a
[ 32.466302] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffee3619890
[ 32.473545] RBP: 00007ffee3619890 R08: 00007ffee36198d0 R09: 0000000000000000
[ 32.480809] R10: 0000000000000000 R11: 0000000000000287 R12: 0000000000000002
[ 32.488067] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 32.495331]
[ 32.496933] Allocated by task 6060:
[ 32.500540] kasan_kmalloc+0xeb/0x160
[ 32.504320] kmem_cache_alloc+0x124/0x3c0
[ 32.508455] getname_flags+0xc8/0x550
[ 32.512230] user_path_at_empty+0x2a/0x50
[ 32.516350] vfs_statx+0xd1/0x180
[ 32.519788] SyS_newfstatat+0x8b/0xf0
[ 32.523566] do_syscall_64+0x1d5/0x640
[ 32.527488] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 32.532647]
[ 32.534265] Freed by task 6060:
[ 32.537547] kasan_slab_free+0xc3/0x1a0
[ 32.541516] kmem_cache_free+0x7c/0x2b0
[ 32.545476] putname+0xcd/0x110
[ 32.548740] filename_lookup+0x37b/0x510
[ 32.552798] vfs_statx+0xd1/0x180
[ 32.556224] SyS_newfstatat+0x8b/0xf0
[ 32.559998] do_syscall_64+0x1d5/0x640
[ 32.563862] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 32.569034]
[ 32.570641] The buggy address belongs to the object at ffff888097414ac0
[ 32.570641] which belongs to the cache names_cache of size 4096
[ 32.583370] The buggy address is located 1901 bytes to the left of
[ 32.583370] 4096-byte region [ffff888097414ac0, ffff888097415ac0)
[ 32.595842] The buggy address belongs to the page:
[ 32.600749] page:ffffea00025d0500 count:1 mapcount:0 mapping:ffff888097414ac0 index:0x0 compound_mapcount: 0
[ 32.610705] flags: 0xfffe0000008100(slab|head)
[ 32.615261] raw: 00fffe0000008100 ffff888097414ac0 0000000000000000 0000000100000001
[ 32.627122] raw: ffffea00025d04a0 ffffea00025d05a0 ffff8880aa58ccc0 0000000000000000
[ 32.634979] page dumped because: kasan: bad access detected
[ 32.640661]
[ 32.642274] Memory state around the buggy address:
[ 32.647174] ffff888097414200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.654505] ffff888097414280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.661836] >ffff888097414300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.669179] ^
[ 32.675138] ffff888097414380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.682470] ffff888097414400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.689801] ==================================================================
[ 32.697156] Disabling lock debugging due to kernel taint
[ 32.704253] Kernel panic - not syncing: panic_on_warn set ...
[ 32.704253]
[ 32.711631] CPU: 0 PID: 6336 Comm: syz-executor339 Tainted: G B 4.14.198-syzkaller #0
[ 32.720724] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.730155] Call Trace:
[ 32.732737] dump_stack+0x1b2/0x283
[ 32.736356] panic+0x1f9/0x42d
[ 32.739521] ? add_taint.cold+0x16/0x16
[ 32.743473] ? ___preempt_schedule+0x16/0x18
[ 32.747859] kasan_end_report+0x43/0x49
[ 32.751806] kasan_report_error.cold+0xa7/0x194
[ 32.756465] ? ntfs_attr_find+0x8df/0xa10
[ 32.760586] __asan_report_load_n_noabort+0x6b/0x80
[ 32.765574] ? ntfs_attr_find+0x8df/0xa10
[ 32.769709] ntfs_attr_find+0x8df/0xa10
[ 32.773658] ntfs_attr_lookup+0xeca/0x1f30
[ 32.777868] ? do_raw_spin_unlock+0x164/0x220
[ 32.782342] ? _raw_spin_unlock+0x29/0x40
[ 32.786464] ? cache_alloc_refill+0x2fa/0x350
[ 32.790954] ? check_preemption_disabled+0x35/0x240
[ 32.795965] ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0
[ 32.801216] ? kmem_cache_alloc+0x2f8/0x3c0
[ 32.805512] ntfs_read_inode_mount+0x6b4/0x1fb0
[ 32.810153] ntfs_fill_super+0x9a6/0x7170
[ 32.814291] ? vsnprintf+0x260/0x1340
[ 32.818077] ? pointer+0x9e0/0x9e0
[ 32.821632] ? lock_downgrade+0x740/0x740
[ 32.825753] ? ntfs_big_inode_init_once+0x20/0x20
[ 32.830587] ? snprintf+0xa5/0xd0
[ 32.834019] ? vsprintf+0x30/0x30
[ 32.837445] ? ns_test_super+0x50/0x50
[ 32.841328] ? set_blocksize+0x125/0x380
[ 32.845401] mount_bdev+0x2b3/0x360
[ 32.849013] ? ntfs_big_inode_init_once+0x20/0x20
[ 32.853829] mount_fs+0x92/0x2a0
[ 32.857185] vfs_kern_mount.part.0+0x5b/0x470
[ 32.861669] do_mount+0xe53/0x2a00
[ 32.865182] ? retint_kernel+0x2d/0x2d
[ 32.869041] ? copy_mount_string+0x40/0x40
[ 32.873263] ? memset+0x20/0x40
[ 32.876529] ? copy_mount_options+0x1fa/0x2f0
[ 32.880998] ? copy_mnt_ns+0xa30/0xa30
[ 32.884872] SyS_mount+0xa8/0x120
[ 32.888295] ? copy_mnt_ns+0xa30/0xa30
[ 32.892179] do_syscall_64+0x1d5/0x640
[ 32.896059] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 32.901222] RIP: 0033:0x44733a
[ 32.904386] RSP: 002b:00007ffee3619878 EFLAGS: 00000287 ORIG_RAX: 00000000000000a5
[ 32.912066] RAX: ffffffffffffffda RBX: 00007ffee36198d0 RCX: 000000000044733a
[ 32.919321] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffee3619890
[ 32.926580] RBP: 00007ffee3619890 R08: 00007ffee36198d0 R09: 0000000000000000
[ 32.933831] R10: 0000000000000000 R11: 0000000000000287 R12: 0000000000000002
[ 32.941077] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 32.949575] Kernel Offset: disabled
[ 32.953189] Rebooting in 86400 seconds..
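Triage helper, added here as an example; it is not part of the syzkaller log above and not kernel or syzkaller code. It parses the report lines quoted in SAMPLE_REPORT (copied from the log) and recovers the three things worth checking before filing or deduplicating a KASAN report of this kind: that the kernel's "1901 bytes to the left of" matches the raw addresses (0xffff888097414ac0 - 0xffff888097414353 = 0x76d = 1901, the same arithmetic describe_object_addr() in mm/kasan/report.c uses), that the slab object KASAN names belongs to a different task (pid 6060, a pathname buffer from stat(2)) than the task doing the mount(2) (pid 6336), so the allocation and free stacks say nothing about the NTFS parsing path, and which shadow byte actually covers the faulting address. The shadow value table is the generic-mode encoding from mm/kasan/kasan.h; the parser's regexes and field names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Lines copied from the syzkaller console log above (only those the parser reads).
SAMPLE_REPORT = """\
[ 32.251287] BUG: KASAN: slab-out-of-bounds in ntfs_attr_find+0x8df/0xa10
[ 32.259769] Read of size 4 at addr ffff888097414353 by task syz-executor339/6336
[ 32.496933] Allocated by task 6060:
[ 32.570641] which belongs to the cache names_cache of size 4096
[ 32.583370] The buggy address is located 1901 bytes to the left of
[ 32.583370] 4096-byte region [ffff888097414ac0, ffff888097415ac0)
[ 32.661836] >ffff888097414300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

# Generic-mode KASAN shadow values (mm/kasan/kasan.h) that matter for slab reports.
SHADOW_MEANING = {"00": "addressable", "fb": "freed slab object",
                  "fc": "slab object redzone", "fa": "global variable redzone"}

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG = re.compile(r"BUG: KASAN: (?P<type>[\w-]+) in (?P<func>[\w.]+)")
ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr "
                    r"(?P<addr>[0-9a-f]+) by task \S+/(?P<pid>\d+)")
ALLOC = re.compile(r"Allocated by task (?P<pid>\d+)")
CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size \d+")
LOCATED = re.compile(r"is located (?P<off>\d+) bytes (?P<side>to the left|to the right|inside) of")
REGION = re.compile(r"\d+-byte region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
SHADOW = re.compile(r"^>(?P<base>[0-9a-f]+): (?P<bytes>(?:[0-9a-f]{2}\s*)+)$")


@dataclass
class KasanReport:
    bug_type: str = ""
    function: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    pid: int = 0
    alloc_pid: Optional[int] = None
    cache: str = ""
    obj_start: Optional[int] = None
    obj_end: Optional[int] = None
    reported_offset: Optional[int] = None
    reported_side: str = ""
    shadow_base: Optional[int] = None
    shadow_bytes: List[str] = field(default_factory=list)

    def computed_relation(self) -> Optional[tuple]:
        """(offset, side) recomputed from the raw addresses, mirroring describe_object_addr()."""
        if self.obj_start is None or self.obj_end is None:
            return None
        if self.addr < self.obj_start:
            return self.obj_start - self.addr, "left"
        if self.addr >= self.obj_end:
            return self.addr - self.obj_end, "right"
        return self.addr - self.obj_start, "inside"

    def offset_consistent(self) -> bool:
        """True when the printed 'N bytes to the left of' agrees with the addresses."""
        return self.computed_relation() == (self.reported_offset, self.reported_side)

    def shadow_byte(self) -> Optional[str]:
        """Shadow byte covering addr, from the '>' row: generic KASAN maps 8 bytes of
        memory to one shadow byte, so the '^' column (lost in extraction) is not needed."""
        if self.shadow_base is None:
            return None
        idx = (self.addr - self.shadow_base) // 8
        return self.shadow_bytes[idx] if 0 <= idx < len(self.shadow_bytes) else None


def parse_kasan_report(text: str) -> KasanReport:
    """One pass over the log; the first BUG:/access lines win, so the panic's repeat is ignored."""
    r = KasanReport()
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if not r.bug_type and (m := BUG.search(line)):
            r.bug_type, r.function = m["type"], m["func"]
        elif not r.access and (m := ACCESS.search(line)):
            r.access, r.size = m["rw"], int(m["size"])
            r.addr, r.pid = int(m["addr"], 16), int(m["pid"])
        elif m := ALLOC.search(line):
            r.alloc_pid = int(m["pid"])
        elif m := CACHE.search(line):
            r.cache = m["cache"]
        elif m := LOCATED.search(line):
            r.reported_offset, r.reported_side = int(m["off"]), m["side"].split()[-1]
        elif m := REGION.search(line):
            r.obj_start, r.obj_end = int(m["start"], 16), int(m["end"], 16)
        elif m := SHADOW.match(line):
            r.shadow_base, r.shadow_bytes = int(m["base"], 16), m["bytes"].split()
    return r


if __name__ == "__main__":
    rep = parse_kasan_report(SAMPLE_REPORT)
    print(f"KASAN: {rep.bug_type} {rep.access} in {rep.function}; object {rep.cache} "
          f"[{rep.obj_start:#x}, {rep.obj_end:#x}) allocated by pid {rep.alloc_pid}")
    print("printed offset matches addresses:", rep.offset_consistent())
    print("shadow byte:", rep.shadow_byte(), "=", SHADOW_MEANING.get(rep.shadow_byte() or "", "unknown"))
```

Feeding it the whole console log works the same way: the guards on the BUG and access lines keep the first report and skip the trace the panic path prints again after "Kernel panic - not syncing". For this report the shadow byte at ffff888097414353 is fc, a slab redzone, and the nearest object is another task's 4096-byte names_cache buffer; the frames that matter are ntfs_attr_find, ntfs_attr_lookup, ntfs_read_inode_mount and ntfs_fill_super, reached from mount(2) on loop0, after is_boot_sector_ntfs() had only warned about the end-of-sector marker and let the mount continue.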