[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   23.133125] random: sshd: uninitialized urandom read (32 bytes read)
[   23.787972] random: sshd: uninitialized urandom read (32 bytes read)
[   24.070309] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.596107] random: sshd: uninitialized urandom read (32 bytes read)
[  395.971167] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.47' (ECDSA) to the list of known hosts.
[  402.034157] random: sshd: uninitialized urandom read (32 bytes read)
2018/08/19 01:09:49 parsed 1 programs
[  403.633205] random: cc1: uninitialized urandom read (8 bytes read)
2018/08/19 01:09:52 executed programs: 0
[  405.051905] IPVS: ftp: loaded support on port[0] = 21
[  405.272208] bridge0: port 1(bridge_slave_0) entered blocking state
[  405.278894] bridge0: port 1(bridge_slave_0) entered disabled state
[  405.286830] device bridge_slave_0 entered promiscuous mode
[  405.304891] bridge0: port 2(bridge_slave_1) entered blocking state
[  405.311754] bridge0: port 2(bridge_slave_1) entered disabled state
[  405.319027] device bridge_slave_1 entered promiscuous mode
[  405.336010] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[  405.352947] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[  405.398654] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  405.419033] bond0: Enslaving bond_slave_1 as an active interface with an up link
[  405.490785] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[  405.499423] team0: Port device team_slave_0 added
[  405.515111] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[  405.523512] team0: Port device team_slave_1 added
[  405.540289] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  405.556912] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  405.576974] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[  405.594576] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[  405.731522] bridge0: port 2(bridge_slave_1) entered blocking state
[  405.738180] bridge0: port 2(bridge_slave_1) entered forwarding state
[  405.745491] bridge0: port 1(bridge_slave_0) entered blocking state
[  405.752073] bridge0: port 1(bridge_slave_0) entered forwarding state
[  406.240777] 8021q: adding VLAN 0 to HW filter on device bond0
[  406.289890] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[  406.338323] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[  406.344812] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[  406.353271] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  406.395949] 8021q: adding VLAN 0 to HW filter on device team0
2018/08/19 01:09:57 executed programs: 185
[  410.556582] ==================================================================
[  410.564329] BUG: KASAN: use-after-free in tipc_group_fill_sock_diag+0x7b9/0x84b
[  410.571833] Read of size 4 at addr ffff8801b584175c by task syz-executor0/5561
[  410.579274]
[  410.580928] CPU: 1 PID: 5561 Comm: syz-executor0 Not tainted 4.18.0+ #99
[  410.587784] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  410.597163] Call Trace:
[  410.599778]  dump_stack+0x1c9/0x2b4
[  410.603494]  ? dump_stack_print_info.cold.2+0x52/0x52
[  410.608706]  ? printk+0xa7/0xcf
[  410.612010]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[  410.616855]  ? tipc_group_fill_sock_diag+0x7b9/0x84b
[  410.622121]  print_address_description+0x6c/0x20b
[  410.627051]  ? tipc_group_fill_sock_diag+0x7b9/0x84b
[  410.632217]  kasan_report.cold.7+0x242/0x30d
[  410.636948]  __asan_report_load4_noabort+0x14/0x20
[  410.642103]  tipc_group_fill_sock_diag+0x7b9/0x84b
[  410.647125]  ? tipc_group_member_evt+0xe30/0xe30
[  410.651945]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  410.657035]  ? skb_put+0x17b/0x1e0
[  410.660639]  ? memset+0x31/0x40
[  410.663960]  ? memcpy+0x45/0x50
[  410.667513]  ? __nla_put+0x37/0x40
[  410.671110]  ? nla_put+0x11a/0x150
[  410.674730]  tipc_sk_fill_sock_diag+0x9f8/0xdb0
[  410.679455]  ? tipc_diag_dump+0x30/0x30
[  410.683567]  ? tipc_getname+0x7f0/0x7f0
[  410.687580]  ? save_stack+0xa9/0xd0
[  410.691299]  ? graph_lock+0x170/0x170
[  410.695124]  ? graph_lock+0x170/0x170
[  410.698938]  ? __netlink_dump_start+0x4f1/0x6f0
[  410.703620]  ? sock_diag_rcv_msg+0x31d/0x410
[  410.708041]  ? netlink_rcv_skb+0x172/0x440
[  410.712290]  ? sock_diag_rcv+0x2a/0x40
[  410.716190]  ? netlink_unicast+0x5a0/0x760
[  410.720437]  ? netlink_sendmsg+0xa18/0xfc0
[  410.724685]  ? sock_sendmsg+0xd5/0x120
[  410.728584]  ? ___sys_sendmsg+0x7fd/0x930
[  410.732746]  ? __ia32_compat_sys_sendmsg+0x7a/0xb0
[  410.737693]  ? do_fast_syscall_32+0x34d/0xfb2
[  410.742207]  ? entry_SYSENTER_compat+0x70/0x7f
[  410.746878]  ? print_usage_bug+0xc0/0xc0
[  410.751211]  ? find_held_lock+0x36/0x1c0
[  410.755402]  ? lock_acquire+0x1e4/0x540
[  410.759541]  ? tipc_nl_sk_walk+0x60a/0xd30
[  410.763789]  ? lock_downgrade+0x8f0/0x8f0
[  410.767958]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  410.772991]  ? skb_put+0x17b/0x1e0
[  410.776556]  ? __nlmsg_put+0x14c/0x1b0
[  410.780463]  __tipc_add_sock_diag+0x22f/0x360
[  410.785034]  tipc_nl_sk_walk+0x68d/0xd30
[  410.789121]  ? tipc_sock_diag_handler_dump+0x340/0x340
[  410.794417]  ? __tipc_nl_add_sk+0x400/0x400
[  410.798752]  ? skb_scrub_packet+0x490/0x490
[  410.803097]  ? kasan_check_write+0x14/0x20
[  410.807378]  ? lock_downgrade+0x8f0/0x8f0
[  410.811546]  tipc_diag_dump+0x24/0x30
[  410.815382]  netlink_dump+0x519/0xd50
[  410.819216]  ? netlink_broadcast+0x50/0x50
[  410.823492]  __netlink_dump_start+0x4f1/0x6f0
[  410.828071]  ? kasan_check_read+0x11/0x20
[  410.832252]  tipc_sock_diag_handler_dump+0x234/0x340
[  410.837507]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[  410.842335]  ? tipc_unregister_sysctl+0x20/0x20
[  410.847411]  ? netlink_deliver_tap+0x356/0xfb0
[  410.852173]  sock_diag_rcv_msg+0x31d/0x410
[  410.856935]  netlink_rcv_skb+0x172/0x440
[  410.861260]  ? sock_diag_bind+0x80/0x80
[  410.865429]  ? netlink_ack+0xbe0/0xbe0
[  410.869496]  ? rcu_cleanup_dead_rnp+0x200/0x200
[  410.874287]  sock_diag_rcv+0x2a/0x40
[  410.878493]  netlink_unicast+0x5a0/0x760
[  410.882781]  ? netlink_attachskb+0x9a0/0x9a0
[  410.887436]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  410.893259]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  410.898667]  netlink_sendmsg+0xa18/0xfc0
[  410.902920]  ? move_addr_to_kernel.part.18+0xc6/0x100
[  410.908258]  ? netlink_unicast+0x760/0x760
[  410.912516]  ? compat_mc_getsockopt+0xb20/0xb20
[  410.917209]  ? security_socket_sendmsg+0x94/0xc0
[  410.921989]  ? netlink_unicast+0x760/0x760
[  410.926243]  sock_sendmsg+0xd5/0x120
[  410.929975]  ___sys_sendmsg+0x7fd/0x930
[  410.933971]  ? copy_msghdr_from_user+0x580/0x580
[  410.938744]  ? kasan_check_read+0x11/0x20
[  410.942914]  ? __fget_light+0x2f7/0x440
[  410.946906]  ? fget_raw+0x20/0x20
[  410.950401]  ? __release_sock+0x3a0/0x3a0
[  410.954574]  ? tipc_nametbl_build_group+0x279/0x360
[  410.959710]  ? tipc_setsockopt+0x726/0xd70
[  410.963973]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  410.969538]  ? sockfd_lookup_light+0xc5/0x160
[  410.974060]  __sys_sendmsg+0x11d/0x290
[  410.977973]  ? __ia32_sys_shutdown+0x80/0x80
[  410.982518]  ? __ia32_compat_sys_futex+0x3e6/0x5f0
[  410.987569]  ? syscall_slow_exit_work+0x500/0x500
[  410.992448]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[  410.997242]  do_fast_syscall_32+0x34d/0xfb2
[  411.001597]  ? do_int80_syscall_32+0x890/0x890
[  411.006207]  ? _raw_spin_unlock_irq+0x27/0x70
[  411.010869]  ? finish_task_switch+0x1d3/0x870
[  411.015426]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  411.021077]  ? syscall_return_slowpath+0x31d/0x5e0
[  411.026036]  ? __switch_to_asm+0x34/0x70
[  411.030132]  ? sysret32_from_system_call+0x5/0x46
[  411.035016]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  411.039894]  entry_SYSENTER_compat+0x70/0x7f
[  411.044329] RIP: 0023:0xf7f21ca9
[  411.047741] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[  411.066732] RSP: 002b:00000000f7f1d0cc EFLAGS: 00000296 ORIG_RAX: 0000000000000172
[  411.074470] RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000020000040
[  411.081828] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[  411.089126] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[  411.096418] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  411.103713] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  411.111101]
[  411.112746] Allocated by task 5561:
[  411.116413]  save_stack+0x43/0xd0
[  411.119880]  kasan_kmalloc+0xc4/0xe0
[  411.123613]  kmem_cache_alloc_trace+0x152/0x780
[  411.128378]  tipc_group_create+0x155/0xa70
[  411.132635]  tipc_setsockopt+0x2d1/0xd70
[  411.136714]  __compat_sys_setsockopt+0x329/0x860
[  411.141578]  __ia32_compat_sys_setsockopt+0xbd/0x150
[  411.146767]  do_fast_syscall_32+0x34d/0xfb2
[  411.151173]  entry_SYSENTER_compat+0x70/0x7f
[  411.155589]
[  411.157224] Freed by task 5560:
[  411.160519]  save_stack+0x43/0xd0
[  411.163988]  __kasan_slab_free+0x11a/0x170
[  411.168247]  kasan_slab_free+0xe/0x10
[  411.172064]  kfree+0xd9/0x260
[  411.175185]  tipc_group_delete+0x2e5/0x3f0
[  411.179663]  tipc_sk_leave+0x113/0x220
[  411.183567]  tipc_release+0x14e/0x12b0
[  411.187468]  __sock_release+0xd7/0x250
[  411.191391]  sock_close+0x19/0x20
[  411.194861]  __fput+0x39b/0x860
[  411.198155]  ____fput+0x15/0x20
[  411.201458]  task_work_run+0x1e8/0x2a0
[  411.205388]  exit_to_usermode_loop+0x318/0x380
[  411.209998]  do_fast_syscall_32+0xcd5/0xfb2
[  411.214432]  entry_SYSENTER_compat+0x70/0x7f
[  411.218850]
[  411.220668] The buggy address belongs to the object at ffff8801b5841700
[  411.220668]  which belongs to the cache kmalloc-192 of size 192
[  411.233375] The buggy address is located 92 bytes inside of
[  411.233375]  192-byte region [ffff8801b5841700, ffff8801b58417c0)
[  411.245313] The buggy address belongs to the page:
[  411.250285] page:ffffea0006d61040 count:1 mapcount:0 mapping:ffff8801dac00040 index:0x0
[  411.258455] flags: 0x2fffc0000000100(slab)
[  411.262707] raw: 02fffc0000000100 ffffea00073ea208 ffffea0007605c48 ffff8801dac00040
[  411.270602] raw: 0000000000000000 ffff8801b5841000 0000000100000010 0000000000000000
[  411.278639] page dumped because: kasan: bad access detected
[  411.284384]
[  411.286087] Memory state around the buggy address:
[  411.291040]  ffff8801b5841600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  411.298426]  ffff8801b5841680: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  411.305834] >ffff8801b5841700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  411.313212]                                                     ^
[  411.319477]  ffff8801b5841780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  411.326912]  ffff8801b5841800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  411.334286] ==================================================================
[  411.341660] Disabling lock debugging due to kernel taint
[  411.347276] Kernel panic - not syncing: panic_on_warn set ...
[  411.347276]
[  411.354797] CPU: 1 PID: 5561 Comm: syz-executor0 Tainted: G    B             4.18.0+ #99
[  411.363125] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  411.372581] Call Trace:
[  411.375189]  dump_stack+0x1c9/0x2b4
[  411.378830]  ? dump_stack_print_info.cold.2+0x52/0x52
[  411.384038]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  411.388816]  panic+0x238/0x4e7
[  411.392026]  ? add_taint.cold.5+0x16/0x16
[  411.396203]  ? do_raw_spin_unlock+0xa7/0x2f0
[  411.400635]  ? tipc_group_fill_sock_diag+0x7b9/0x84b
[  411.405765]  kasan_end_report+0x47/0x4f
[  411.409762]  kasan_report.cold.7+0x76/0x30d
[  411.414318]  __asan_report_load4_noabort+0x14/0x20
[  411.419412]  tipc_group_fill_sock_diag+0x7b9/0x84b
[  411.424393]  ? tipc_group_member_evt+0xe30/0xe30
[  411.429184]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  411.434222]  ? skb_put+0x17b/0x1e0
[  411.437780]  ? memset+0x31/0x40
[  411.441073]  ? memcpy+0x45/0x50
[  411.444391]  ? __nla_put+0x37/0x40
[  411.447948]  ? nla_put+0x11a/0x150
[  411.451508]  tipc_sk_fill_sock_diag+0x9f8/0xdb0
[  411.456196]  ? tipc_diag_dump+0x30/0x30
[  411.460188]  ? tipc_getname+0x7f0/0x7f0
[  411.464176]  ? save_stack+0xa9/0xd0
[  411.467818]  ? graph_lock+0x170/0x170
[  411.471633]  ? graph_lock+0x170/0x170
[  411.475451]  ? __netlink_dump_start+0x4f1/0x6f0
[  411.480680]  ? sock_diag_rcv_msg+0x31d/0x410
[  411.485192]  ? netlink_rcv_skb+0x172/0x440
[  411.489597]  ? sock_diag_rcv+0x2a/0x40
[  411.493519]  ? netlink_unicast+0x5a0/0x760
[  411.497771]  ? netlink_sendmsg+0xa18/0xfc0
[  411.502017]  ? sock_sendmsg+0xd5/0x120
[  411.505990]  ? ___sys_sendmsg+0x7fd/0x930
[  411.510212]  ? __ia32_compat_sys_sendmsg+0x7a/0xb0
[  411.515157]  ? do_fast_syscall_32+0x34d/0xfb2
[  411.519666]  ? entry_SYSENTER_compat+0x70/0x7f
[  411.524262]  ? print_usage_bug+0xc0/0xc0
[  411.528365]  ? find_held_lock+0x36/0x1c0
[  411.532531]  ? lock_acquire+0x1e4/0x540
[  411.536600]  ? tipc_nl_sk_walk+0x60a/0xd30
[  411.540846]  ? lock_downgrade+0x8f0/0x8f0
[  411.545009]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  411.550185]  ? skb_put+0x17b/0x1e0
[  411.553848]  ? __nlmsg_put+0x14c/0x1b0
[  411.557766]  __tipc_add_sock_diag+0x22f/0x360
[  411.562277]  tipc_nl_sk_walk+0x68d/0xd30
[  411.566383]  ? tipc_sock_diag_handler_dump+0x340/0x340
[  411.571813]  ? __tipc_nl_add_sk+0x400/0x400
[  411.576300]  ? skb_scrub_packet+0x490/0x490
[  411.580643]  ? kasan_check_write+0x14/0x20
[  411.584898]  ? lock_downgrade+0x8f0/0x8f0
[  411.589072]  tipc_diag_dump+0x24/0x30
[  411.593003]  netlink_dump+0x519/0xd50
[  411.596821]  ? netlink_broadcast+0x50/0x50
[  411.601166]  __netlink_dump_start+0x4f1/0x6f0
[  411.605671]  ? kasan_check_read+0x11/0x20
[  411.609834]  tipc_sock_diag_handler_dump+0x234/0x340
[  411.614958]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[  411.619727]  ? tipc_unregister_sysctl+0x20/0x20
[  411.624615]  ? netlink_deliver_tap+0x356/0xfb0
[  411.629224]  sock_diag_rcv_msg+0x31d/0x410
[  411.633559]  netlink_rcv_skb+0x172/0x440
[  411.637640]  ? sock_diag_bind+0x80/0x80
[  411.641694]  ? netlink_ack+0xbe0/0xbe0
[  411.645595]  ? rcu_cleanup_dead_rnp+0x200/0x200
[  411.650288]  sock_diag_rcv+0x2a/0x40
[  411.654087]  netlink_unicast+0x5a0/0x760
[  411.658171]  ? netlink_attachskb+0x9a0/0x9a0
[  411.662683]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  411.668244]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  411.673281]  netlink_sendmsg+0xa18/0xfc0
[  411.677384]  ? move_addr_to_kernel.part.18+0xc6/0x100
[  411.682599]  ? netlink_unicast+0x760/0x760
[  411.686853]  ? compat_mc_getsockopt+0xb20/0xb20
[  411.691537]  ? security_socket_sendmsg+0x94/0xc0
[  411.696307]  ? netlink_unicast+0x760/0x760
[  411.700562]  sock_sendmsg+0xd5/0x120
[  411.704289]  ___sys_sendmsg+0x7fd/0x930
[  411.708280]  ? copy_msghdr_from_user+0x580/0x580
[  411.713048]  ? kasan_check_read+0x11/0x20
[  411.717215]  ? __fget_light+0x2f7/0x440
[  411.721204]  ? fget_raw+0x20/0x20
[  411.724737]  ? __release_sock+0x3a0/0x3a0
[  411.728928]  ? tipc_nametbl_build_group+0x279/0x360
[  411.734026]  ? tipc_setsockopt+0x726/0xd70
[  411.738305]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  411.743864]  ? sockfd_lookup_light+0xc5/0x160
[  411.748668]  __sys_sendmsg+0x11d/0x290
[  411.752635]  ? __ia32_sys_shutdown+0x80/0x80
[  411.757065]  ? __ia32_compat_sys_futex+0x3e6/0x5f0
[  411.762022]  ? syscall_slow_exit_work+0x500/0x500
[  411.766889]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[  411.771730]  do_fast_syscall_32+0x34d/0xfb2
[  411.776138]  ? do_int80_syscall_32+0x890/0x890
[  411.780735]  ? _raw_spin_unlock_irq+0x27/0x70
[  411.785302]  ? finish_task_switch+0x1d3/0x870
[  411.789816]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  411.795396]  ? syscall_return_slowpath+0x31d/0x5e0
[  411.800374]  ? __switch_to_asm+0x34/0x70
[  411.804457]  ? sysret32_from_system_call+0x5/0x46
[  411.809319]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  411.814203]  entry_SYSENTER_compat+0x70/0x7f
[  411.818625] RIP: 0023:0xf7f21ca9
[  411.822008] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[  411.841240] RSP: 002b:00000000f7f1d0cc EFLAGS: 00000296 ORIG_RAX: 0000000000000172
[  411.848971] RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000020000040
[  411.856433] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[  411.863784] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[  411.871069] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  411.878377] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  411.886109] Dumping ftrace buffer:
[  411.889674]    (ftrace buffer empty)
[  411.893397] Kernel Offset: disabled
[  411.897242] Rebooting in 86400 seconds..
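Triage script for the report above, added here as an example; it is not part of the syzkaller output or of the kernel. It strips the printk timestamps, parses the access line, the three stacks (skipping the "? " frames, which are stale stack slots rather than real callers), the cache and region lines and the shadow dump, then recomputes what the report states: the access at ffff8801b584175c lands 0x5c = 92 bytes into the 192-byte kmalloc-192 object starting at ffff8801b5841700, the covering shadow byte is 0xfb (freed slab object), and the object was allocated by task 5561 in tipc_group_create but freed by task 5560 in tipc_group_delete on socket release, while 5561 was still reading it from the sock_diag dump. The SAMPLE string is an excerpt of the report with most "? " frames and the register and page dumps dropped; the shadow-byte table is the v4.18 encoding from mm/kasan/kasan.h.

```python
"""Triage a KASAN slab report: recover the access, the object it hit, the alloc/free
stacks and the shadow byte, then cross-check what the report states.  Added example."""
import re
from types import SimpleNamespace

SHADOW_SCALE, BYTES_PER_ROW = 8, 16  # one shadow byte covers 8 bytes; a dump row shows 16
# Shadow encodings from mm/kasan/kasan.h (v4.18); 0x01..0x07 mean partially addressable.
SHADOW_MEANING = {0x00: "addressable", 0xfa: "global redzone", 0xfb: "freed slab object",
                  0xfc: "slab redzone", 0xfe: "page redzone", 0xff: "free page"}
# Frames that are KASAN/allocator plumbing rather than the subsystem at fault.
_NOISE = ("dump_stack", "print_address_description", "kasan_", "__kasan_", "__asan_",
          "save_stack", "kmem_cache_alloc", "kmalloc", "__kmalloc", "kfree")
_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # printk timestamp prefix
_ROW = re.compile(r"^[ >]?([0-9a-f]{16}): ((?:[0-9a-f]{2}\s?){16})$")
_FRAME = re.compile(r"^(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")


def parse_kasan(text):
    """Parse one KASAN report (printk timestamps optional) into a namespace."""
    r = SimpleNamespace(kind="", func="", access="", size=0, addr=0, pid=0, alloc_pid=-1,
                        free_pid=-1, cache="", region=(0, 0), stated_offset=-1, stacks={}, shadow={})
    section = None
    for raw in text.splitlines():
        line = _TS.sub("", raw).rstrip()
        s = line.strip()
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)\+0x", s):
            r.kind, r.func = m[1], m[2]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)", s):
            r.access, r.size, r.addr, r.pid = m[1], int(m[2]), int(m[3], 16), int(m[4])
        elif s == "Call Trace:":
            section, r.stacks["access"] = "access", []
        elif m := re.match(r"Allocated by task (\d+):", s):
            section, r.stacks["alloc"], r.alloc_pid = "alloc", [], int(m[1])
        elif m := re.match(r"Freed by task (\d+):", s):
            section, r.stacks["free"], r.free_pid = "free", [], int(m[1])
        elif m := re.match(r"which belongs to the cache (\S+) of size", s):
            r.cache = m[1]
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", s):
            r.stated_offset = int(m[1])  # out-of-bounds reports say "to the right/left of" instead
        elif m := re.match(r"\d+-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", s):
            r.region = (int(m[1], 16), int(m[2], 16))
        elif m := _ROW.match(line):
            r.shadow[int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif section and (m := _FRAME.match(s)):
            if not m[1]:  # "? " frames are stale stack slots, not real callers
                r.stacks[section].append(m[2])
        elif section and not s:  # an empty printk line ends a stack section
            section = None
    return r


def first_real_frame(frames):
    """Innermost frame that is not KASAN/allocator plumbing."""
    return next((f for f in frames if not f.startswith(_NOISE)), None)


def triage(r):
    """Cross-check the report against itself and name the culprit frame of each stack."""
    off = r.addr - r.region[0]
    row = r.addr & ~(SHADOW_SCALE * BYTES_PER_ROW - 1)  # 128-byte dump row holding addr
    shadow = r.shadow.get(row, [None] * BYTES_PER_ROW)[(r.addr - row) // SHADOW_SCALE]
    partial = shadow is not None and 0 < shadow < SHADOW_SCALE
    return {
        "kind": r.kind, "cache": r.cache,
        "offset_in_object": off,
        "offset_matches_report": off == r.stated_offset,
        "access_within_object": 0 <= off and off + r.size <= r.region[1] - r.region[0],
        "shadow_byte": shadow,
        "shadow_meaning": "partially addressable" if partial else SHADOW_MEANING.get(shadow, "unknown"),
        "freed_by_other_task": r.alloc_pid != r.free_pid,  # object outlived its owner: look for a race
        "culprits": {sec: first_real_frame(fr) for sec, fr in r.stacks.items()},
    }


SAMPLE = """\
[  410.564329] BUG: KASAN: use-after-free in tipc_group_fill_sock_diag+0x7b9/0x84b
[  410.571833] Read of size 4 at addr ffff8801b584175c by task syz-executor0/5561
[  410.597163] Call Trace:
[  410.599778]  dump_stack+0x1c9/0x2b4
[  410.616855]  ? tipc_group_fill_sock_diag+0x7b9/0x84b
[  410.632217]  kasan_report.cold.7+0x242/0x30d
[  410.642103]  tipc_group_fill_sock_diag+0x7b9/0x84b
[  410.674730]  tipc_sk_fill_sock_diag+0x9f8/0xdb0
[  411.111101]
[  411.112746] Allocated by task 5561:
[  411.123613]  kmem_cache_alloc_trace+0x152/0x780
[  411.128378]  tipc_group_create+0x155/0xa70
[  411.155589]
[  411.157224] Freed by task 5560:
[  411.172064]  kfree+0xd9/0x260
[  411.175185]  tipc_group_delete+0x2e5/0x3f0
[  411.183567]  tipc_release+0x14e/0x12b0
[  411.218850]
[  411.220668]  which belongs to the cache kmalloc-192 of size 192
[  411.233375] The buggy address is located 92 bytes inside of
[  411.233375]  192-byte region [ffff8801b5841700, ffff8801b58417c0)
[  411.298426]  ffff8801b5841680: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  411.305834] >ffff8801b5841700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

if __name__ == "__main__":
    print(triage(parse_kasan(SAMPLE)))
```

The three "culprits" are what a fix has to reconcile: the reader (tipc_group_fill_sock_diag, reached from the netlink sock_diag walk), the allocator (tipc_group_create, via setsockopt) and the freer (tipc_group_delete, via tipc_release on a different task). "freed_by_other_task" being true is the signal that the group's lifetime is not tied to the socket the diag walk holds, so the next step is to read how the walk pins the socket and whether that pin also covers the group.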