[....] Starting enhanced syslogd: rsyslogd
[   17.157805] audit: type=1400 audit(1521536182.950:5): avc:  denied  { syslog } for  pid=4084 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.437968] audit: type=1400 audit(1521536185.230:6): avc:  denied  { map } for  pid=4221 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.55' (ECDSA) to the list of known hosts.
executing program
[   25.790612] audit: type=1400 audit(1521536191.583:7): avc:  denied  { map } for  pid=4235 comm="syzkaller068427" path="/root/syzkaller068427141" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   25.795445] ==================================================================
[   25.823914] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x1634/0x3270
[   25.830468] Read of size 8160 at addr ffff8801b0ce25c0 by task syzkaller068427/4235
[   25.838230] 
[   25.839835] CPU: 0 PID: 4235 Comm: syzkaller068427 Not tainted 4.16.0-rc6+ #360
[   25.847251] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.856577] Call Trace:
[   25.859141]  dump_stack+0x194/0x24d
[   25.862755]  ? arch_local_irq_restore+0x53/0x53
[   25.867404]  ? show_regs_print_info+0x18/0x18
[   25.871870]  ? __lock_is_held+0xb6/0x140
[   25.875908]  ? pfkey_add+0x1634/0x3270
[   25.879772]  print_address_description+0x73/0x250
[   25.884585]  ? pfkey_add+0x1634/0x3270
[   25.888444]  kasan_report+0x23c/0x360
[   25.892223]  check_memory_region+0x137/0x190
[   25.896605]  memcpy+0x23/0x50
[   25.899683]  pfkey_add+0x1634/0x3270
[   25.903377]  ? set_ipsecrequest+0x310/0x310
[   25.907673]  ? lock_release+0xa40/0xa40
[   25.911620]  ? set_ipsecrequest+0x310/0x310
[   25.915914]  pfkey_process+0x67e/0x740
[   25.919781]  ? pfkey_send_new_mapping+0x11b0/0x11b0
[   25.924771]  ? kasan_check_write+0x14/0x20
[   25.928999]  ? dup_iter+0x212/0x260
[   25.932616]  pfkey_sendmsg+0x4dc/0xa00
[   25.936481]  ? pfkey_spdget+0xb00/0xb00
[   25.940432]  ? selinux_socket_sendmsg+0x36/0x40
[   25.945077]  ? security_socket_sendmsg+0x89/0xb0
[   25.949810]  ? pfkey_spdget+0xb00/0xb00
[   25.953762]  sock_sendmsg+0xca/0x110
[   25.957451]  ___sys_sendmsg+0x767/0x8b0
[   25.961397]  ? SyS_membarrier+0x700/0x700
[   25.965521]  ? copy_msghdr_from_user+0x590/0x590
[   25.970259]  ? __pmd_alloc+0x4e0/0x4e0
[   25.974123]  ? trace_hardirqs_off+0x10/0x10
[   25.978417]  ? find_held_lock+0x35/0x1d0
[   25.982453]  ? __fget_light+0x2b2/0x3c0
[   25.986400]  ? fget_raw+0x20/0x20
[   25.989830]  ? find_held_lock+0x35/0x1d0
[   25.993871]  ? __do_page_fault+0x5f7/0xc90
[   25.998081]  ? lock_downgrade+0x980/0x980
[   26.002209]  __sys_sendmsg+0xe5/0x210
[   26.005982]  ? __sys_sendmsg+0xe5/0x210
[   26.009930]  ? SyS_shutdown+0x290/0x290
[   26.013884]  ? __do_page_fault+0x3d6/0xc90
[   26.018102]  ? move_addr_to_kernel+0x60/0x60
[   26.022488]  SyS_sendmsg+0x2d/0x50
[   26.026000]  ? __sys_sendmsg+0x210/0x210
[   26.030038]  do_syscall_64+0x281/0x940
[   26.033897]  ? __do_page_fault+0xc90/0xc90
[   26.038105]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   26.042837]  ? syscall_return_slowpath+0x550/0x550
[   26.047739]  ? syscall_return_slowpath+0x2ac/0x550
[   26.052643]  ? prepare_exit_to_usermode+0x350/0x350
[   26.057634]  ? retint_user+0x18/0x18
[   26.061325]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   26.066144]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   26.071306] RIP: 0033:0x43fd19
[   26.074467] RSP: 002b:00007ffd8421d608 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
[   26.082147] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd19
[   26.089388] RDX: 0000000000000000 RSI: 0000000020b6dfc8 RDI: 0000000000000003
[   26.096631] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   26.103872] R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401640
[   26.111114] R13: 00000000004016d0 R14: 0000000000000000 R15: 0000000000000000
[   26.118372] 
[   26.119972] Allocated by task 4235:
[   26.123573]  save_stack+0x43/0xd0
[   26.126999]  kasan_kmalloc+0xad/0xe0
[   26.130685]  __kmalloc_node_track_caller+0x47/0x70
[   26.135588]  __kmalloc_reserve.isra.39+0x41/0xd0
[   26.140317]  __alloc_skb+0x13b/0x780
[   26.144005]  pfkey_sendmsg+0x20f/0xa00
[   26.147870]  sock_sendmsg+0xca/0x110
[   26.151558]  ___sys_sendmsg+0x767/0x8b0
[   26.155502]  __sys_sendmsg+0xe5/0x210
[   26.159291]  SyS_sendmsg+0x2d/0x50
[   26.162825]  do_syscall_64+0x281/0x940
[   26.166698]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   26.171860] 
[   26.173460] Freed by task 0:
[   26.176449] (stack is not available)
[   26.180134] 
[   26.181735] The buggy address belongs to the object at ffff8801b0ce2580
[   26.181735]  which belongs to the cache kmalloc-512 of size 512
[   26.194370] The buggy address is located 64 bytes inside of
[   26.194370]  512-byte region [ffff8801b0ce2580, ffff8801b0ce2780)
[   26.206131] The buggy address belongs to the page:
[   26.211044] page:ffffea0006c33880 count:1 mapcount:0 mapping:ffff8801b0ce2080 index:0x0
[   26.219163] flags: 0x2fffc0000000100(slab)
[   26.223384] raw: 02fffc0000000100 ffff8801b0ce2080 0000000000000000 0000000100000006
[   26.231238] raw: ffffea0006b848e0 ffff8801dac01748 ffff8801dac00940 0000000000000000
[   26.239089] page dumped because: kasan: bad access detected
[   26.244770] 
[   26.246370] Memory state around the buggy address:
[   26.251272]  ffff8801b0ce2680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   26.258604]  ffff8801b0ce2700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   26.265935] >ffff8801b0ce2780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.273264]                    ^
[   26.276602]  ffff8801b0ce2800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.283935]  ffff8801b0ce2880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.291260] ==================================================================
[   26.298589] Disabling lock debugging due to kernel taint
[   26.304325] Kernel panic - not syncing: panic_on_warn set ...
[   26.304325] 
[   26.311677] CPU: 0 PID: 4235 Comm: syzkaller068427 Tainted: G    B            4.16.0-rc6+ #360
[   26.320398] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.329727] Call Trace:
[   26.332303]  dump_stack+0x194/0x24d
[   26.335903]  ? arch_local_irq_restore+0x53/0x53
[   26.340546]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   26.345275]  ? vsnprintf+0x1ed/0x1900
[   26.349054]  ? pfkey_add+0x1540/0x3270
[   26.352922]  panic+0x1e4/0x41c
[   26.356086]  ? refcount_error_report+0x214/0x214
[   26.360814]  ? add_taint+0x1c/0x50
[   26.364326]  ? add_taint+0x1c/0x50
[   26.367839]  ? pfkey_add+0x1634/0x3270
[   26.371701]  kasan_end_report+0x50/0x50
[   26.375646]  kasan_report+0x149/0x360
[   26.379429]  check_memory_region+0x137/0x190
[   26.383817]  memcpy+0x23/0x50
[   26.386897]  pfkey_add+0x1634/0x3270
[   26.390588]  ? set_ipsecrequest+0x310/0x310
[   26.394887]  ? lock_release+0xa40/0xa40
[   26.398836]  ? set_ipsecrequest+0x310/0x310
[   26.403128]  pfkey_process+0x67e/0x740
[   26.406990]  ? pfkey_send_new_mapping+0x11b0/0x11b0
[   26.411977]  ? kasan_check_write+0x14/0x20
[   26.416192]  ? dup_iter+0x212/0x260
[   26.419794]  pfkey_sendmsg+0x4dc/0xa00
[   26.423664]  ? pfkey_spdget+0xb00/0xb00
[   26.427612]  ? selinux_socket_sendmsg+0x36/0x40
[   26.432267]  ? security_socket_sendmsg+0x89/0xb0
[   26.436994]  ? pfkey_spdget+0xb00/0xb00
[   26.440948]  sock_sendmsg+0xca/0x110
[   26.444633]  ___sys_sendmsg+0x767/0x8b0
[   26.448579]  ? SyS_membarrier+0x700/0x700
[   26.452713]  ? copy_msghdr_from_user+0x590/0x590
[   26.457444]  ? __pmd_alloc+0x4e0/0x4e0
[   26.461305]  ? trace_hardirqs_off+0x10/0x10
[   26.465598]  ? find_held_lock+0x35/0x1d0
[   26.469632]  ? __fget_light+0x2b2/0x3c0
[   26.473576]  ? fget_raw+0x20/0x20
[   26.477021]  ? find_held_lock+0x35/0x1d0
[   26.481066]  ? __do_page_fault+0x5f7/0xc90
[   26.485273]  ? lock_downgrade+0x980/0x980
[   26.489396]  __sys_sendmsg+0xe5/0x210
[   26.493166]  ? __sys_sendmsg+0xe5/0x210
[   26.497112]  ? SyS_shutdown+0x290/0x290
[   26.501062]  ? __do_page_fault+0x3d6/0xc90
[   26.505272]  ? move_addr_to_kernel+0x60/0x60
[   26.509653]  SyS_sendmsg+0x2d/0x50
[   26.513167]  ? __sys_sendmsg+0x210/0x210
[   26.517201]  do_syscall_64+0x281/0x940
[   26.521059]  ? __do_page_fault+0xc90/0xc90
[   26.525267]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   26.529996]  ? syscall_return_slowpath+0x550/0x550
[   26.535320]  ? syscall_return_slowpath+0x2ac/0x550
[   26.540221]  ? prepare_exit_to_usermode+0x350/0x350
[   26.545211]  ? retint_user+0x18/0x18
[   26.548914]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   26.553750]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   26.558912] RIP: 0033:0x43fd19
[   26.562073] RSP: 002b:00007ffd8421d608 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
[   26.569756] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd19
[   26.576998] RDX: 0000000000000000 RSI: 0000000020b6dfc8 RDI: 0000000000000003
[   26.584251] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   26.591493] R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401640
[   26.598732] R13: 00000000004016d0 R14: 0000000000000000 R15: 0000000000000000
[   26.606460] Dumping ftrace buffer:
[   26.609969]    (ftrace buffer empty)
[   26.613650] Kernel Offset: disabled
[   26.617249] Rebooting in 86400 seconds..
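As an added triage aid (this script is not part of the syzkaller output above and is not kernel or syzkaller code), the following parses the key lines of this KASAN report and relates the access to the slab object: the memcpy in pfkey_add read 8160 bytes starting 64 bytes into a 512-byte kmalloc-512 object, so 448 bytes were in bounds and the remaining 7712 bytes ran past its end, with the first flagged byte at ffff8801b0ce2780, which is the line marked '>' in the memory-state dump. The "Allocated by task" stack shows the object is the skb data allocated in pfkey_sendmsg for the message being processed, i.e. the message the fuzzer sent. The embedded excerpt is copied from the log on this page; the list of allocator frame prefixes used to locate the allocation site is a heuristic of this example.

```python
import re

# Constructed excerpt: the lines of the KASAN report on this page that the
# triage code needs, copied from the log (not produced by running anything here).
KASAN_REPORT = """\
[   25.823914] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x1634/0x3270
[   25.830468] Read of size 8160 at addr ffff8801b0ce25c0 by task syzkaller068427/4235
[   26.119972] Allocated by task 4235:
[   26.140317]  __alloc_skb+0x13b/0x780
[   26.144005]  pfkey_sendmsg+0x20f/0xa00
[   26.181735] The buggy address belongs to the object at ffff8801b0ce2580
[   26.181735]  which belongs to the cache kmalloc-512 of size 512
[   26.194370] The buggy address is located 64 bytes inside of
[   26.194370]  512-byte region [ffff8801b0ce2580, ffff8801b0ce2780)
"""

_BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+)")
_ACCESS_RE = re.compile(
    r"(?P<access>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
    r" by task (?P<task>\S+)")
_CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<osize>\d+)")
_REGION_RE = re.compile(r"region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
# A stack frame line: "[ts]  symbol+0xoff/0xsize"
_FRAME_RE = re.compile(r"\]\s+(\S+\+0x[0-9a-f]+/0x[0-9a-f]+)\s*$")
# Heuristic (an assumption of this example): frames that belong to the
# allocator itself rather than to the subsystem that asked for the memory.
_ALLOCATOR_PREFIXES = ("save_stack", "kasan_", "__kmalloc", "kmalloc", "__alloc_skb")


def parse_kasan_report(text):
    """Pull the fields needed for triage out of a KASAN slab report."""
    fields = {}
    for regex in (_BUG_RE, _ACCESS_RE, _CACHE_RE, _REGION_RE):
        m = regex.search(text)
        if m is None:
            raise ValueError("missing KASAN field: %s" % regex.pattern)
        fields.update(m.groupdict())
    return {
        "kind": fields["kind"],
        "func": fields["func"],
        "access": fields["access"],
        "size": int(fields["size"]),
        "addr": int(fields["addr"], 16),
        "task": fields["task"],
        "cache": fields["cache"],
        "obj_start": int(fields["start"], 16),
        "obj_end": int(fields["end"], 16),  # exclusive end of the object
    }


def analyze_access(rep):
    """Relate the access to the object: bytes in bounds, bytes past the end."""
    offset = rep["addr"] - rep["obj_start"]
    room = rep["obj_end"] - rep["addr"]  # bytes left in the object from addr
    in_bounds = max(0, min(rep["size"], room))
    overrun = rep["size"] - in_bounds
    return {
        "offset_in_object": offset,
        "object_size": rep["obj_end"] - rep["obj_start"],
        "bytes_in_bounds": in_bounds,
        "bytes_past_end": overrun,
        # First byte KASAN flags; it is the '>' line of the memory-state dump.
        "first_bad_addr": rep["addr"] + in_bounds if overrun else None,
    }


def allocation_site(text):
    """First non-allocator frame of the 'Allocated by task' stack, or None."""
    in_alloc = False
    for line in text.splitlines():
        if "Allocated by task" in line:
            in_alloc = True
            continue
        if not in_alloc:
            continue
        m = _FRAME_RE.search(line)
        if m is None:
            break  # end of the allocation stack
        frame = m.group(1)
        if not frame.startswith(_ALLOCATOR_PREFIXES):
            return frame
    return None


def triage_line(text):
    """One-line summary of the report, suitable for a bug tracker title."""
    rep = parse_kasan_report(text)
    an = analyze_access(rep)
    return ("%s: %s of %d bytes in %s, %d bytes in bounds, %d past end of "
            "%d-byte %s object allocated at %s, first bad byte %#x" % (
                rep["kind"], rep["access"], rep["size"], rep["func"],
                an["bytes_in_bounds"], an["bytes_past_end"], an["object_size"],
                rep["cache"], allocation_site(text), an["first_bad_addr"]))


if __name__ == "__main__":
    print(triage_line(KASAN_REPORT))
```

Because the report gives the access size, the start address and the object bounds, the overrun can be computed exactly without symbols or a vmlinux; the '>' line in the memory-state dump is the cross-check, since KASAN marks the first poisoned shadow byte it hit (fc is the slab redzone), and that line should sit at the computed first bad address.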