[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.229214] random: sshd: uninitialized urandom read (32 bytes read)
[   24.521184] audit: type=1400 audit(1547927429.320:6): avc: denied { map } for pid=1750 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   24.561369] random: sshd: uninitialized urandom read (32 bytes read)
[   24.975301] random: sshd: uninitialized urandom read (32 bytes read)
[   55.379011] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.55' (ECDSA) to the list of known hosts.
[   61.420235] random: sshd: uninitialized urandom read (32 bytes read)
[   61.505268] audit: type=1400 audit(1547927466.300:7): avc: denied { map } for pid=1786 comm="syz-executor711" path="/root/syz-executor711329748" dev="sda1" ino=16461 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[   61.781232] ==================================================================
[   61.788728] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[   61.795381] Read of size 8 at addr ffff8881d3c1c290 by task syz-executor711/1789
[   61.802895]
[   61.804508] CPU: 1 PID: 1789 Comm: syz-executor711 Not tainted 4.14.94+ #12
[   61.811598] Call Trace:
[   61.814173]  dump_stack+0xb9/0x10e
[   61.817693]  ? ip_local_deliver+0x43d/0x450
[   61.821993]  print_address_description+0x60/0x226
[   61.826926]  ? ip_local_deliver+0x43d/0x450
[   61.831239]  kasan_report.cold+0x88/0x2a5
[   61.835380]  ? ip_local_deliver+0x43d/0x450
[   61.839680]  ? ip_call_ra_chain+0x540/0x540
[   61.843984]  ? __lock_acquire+0x56a/0x3fa0
[   61.848205]  ? deref_stack_reg+0xaa/0xe0
[   61.852253]  ? ip_rcv+0x99f/0xf7a
[   61.855691]  ? ip_rcv_finish+0x5c9/0x1490
[   61.859822]  ? ip_rcv+0x9e2/0xf7a
[   61.863254]  ? ip_local_deliver+0x450/0x450
[   61.867557]  ? __lock_acquire+0x56a/0x3fa0
[   61.871786]  ? check_preemption_disabled+0x35/0x1f0
[   61.876778]  ? ip_local_deliver+0x450/0x450
[   61.881144]  ? __netif_receive_skb_core+0x1364/0x2c60
[   61.886324]  ? trace_hardirqs_on+0x10/0x10
[   61.890544]  ? flush_backlog+0x580/0x580
[   61.894593]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   61.899762]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   61.904931]  ? lock_acquire+0x10f/0x380
[   61.908896]  ? __netif_receive_skb+0x55/0x1f0
[   61.913372]  ? __netif_receive_skb+0x55/0x1f0
[   61.917849]  ? netif_receive_skb_internal+0xec/0x5c0
[   61.922932]  ? dev_cpu_dead+0x810/0x810
[   61.926998]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   61.932434]  ? rcu_read_lock_sched_held+0x10a/0x130
[   61.937442]  ? tun_rx_batched.isra.0+0x45d/0x730
[   61.942183]  ? __skb_get_hash_symmetric+0x255/0x620
[   61.947175]  ? tun_chr_read_iter+0x1c0/0x1c0
[   61.951575]  ? tun_get_user+0xc07/0x3790
[   61.955673]  ? __local_bh_enable_ip+0x65/0xc0
[   61.960169]  ? tun_get_user+0xd95/0x3790
[   61.964222]  ? tun_rx_batched.isra.0+0x730/0x730
[   61.968967]  ? debug_mutex_add_waiter+0x60/0x150
[   61.973708]  ? mark_held_locks+0xa6/0xf0
[   61.977754]  ? get_page_from_freelist+0x85e/0x1d60
[   61.982662]  ? preempt_count_add+0xb8/0x180
[   61.986966]  ? __tun_get+0x11c/0x220
[   61.990728]  ? check_preemption_disabled+0x35/0x1f0
[   61.995752]  ? tun_chr_write_iter+0xcf/0x180
[   62.000225]  ? do_iter_readv_writev+0x379/0x580
[   62.004898]  ? clone_verify_area+0x1e0/0x1e0
[   62.009382]  ? avc_policy_seqno+0x5/0x10
[   62.013426]  ? security_file_permission+0x88/0x1e0
[   62.018346]  ? do_iter_write+0x152/0x550
[   62.022394]  ? lock_downgrade+0x5d0/0x5d0
[   62.026524]  ? vfs_writev+0x146/0x2d0
[   62.030307]  ? vfs_iter_write+0xa0/0xa0
[   62.034260]  ? __handle_mm_fault+0x6c5/0x2640
[   62.038738]  ? __fsnotify_inode_delete+0x20/0x20
[   62.043477]  ? __do_page_fault+0x48e/0xb80
[   62.047698]  ? lock_downgrade+0x5d0/0x5d0
[   62.051827]  ? check_preemption_disabled+0x35/0x1f0
[   62.056823]  ? do_writev+0xc9/0x240
[   62.060427]  ? vfs_writev+0x2d0/0x2d0
[   62.064213]  ? do_syscall_64+0x43/0x4b0
[   62.068165]  ? SyS_readv+0x30/0x30
[   62.071810]  ? do_syscall_64+0x19b/0x4b0
[   62.075868]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   62.081222]
[   62.082827] Allocated by task 1789:
[   62.086431]  kasan_kmalloc.part.0+0x4f/0xd0
[   62.090729]  kmem_cache_alloc+0xd2/0x2d0
[   62.094766]  __build_skb+0x2e/0x2d0
[   62.098378]  build_skb+0x1a/0x1f0
[   62.101864]  tun_get_user+0x248b/0x3790
[   62.105831]  tun_chr_write_iter+0xcf/0x180
[   62.110048]  do_iter_readv_writev+0x379/0x580
[   62.114527]  do_iter_write+0x152/0x550
[   62.118502]  vfs_writev+0x146/0x2d0
[   62.122109]  do_writev+0xc9/0x240
[   62.125540]  do_syscall_64+0x19b/0x4b0
[   62.129408]
[   62.131015] Freed by task 1789:
[   62.134270]  kasan_slab_free+0xb0/0x190
[   62.138220]  kmem_cache_free+0xc4/0x330
[   62.142173]  kfree_skbmem+0xa0/0x100
[   62.145867]  kfree_skb+0xcd/0x350
[   62.149300]  ip_defrag+0x5f4/0x3b50
[   62.152906]  ip_local_deliver+0x165/0x450
[   62.157037]  ip_rcv_finish+0x5c9/0x1490
[   62.160997]  ip_rcv+0x9e2/0xf7a
[   62.164252]  __netif_receive_skb_core+0x1364/0x2c60
[   62.169244]  __netif_receive_skb+0x55/0x1f0
[   62.173550]  netif_receive_skb_internal+0xec/0x5c0
[   62.178457]  tun_rx_batched.isra.0+0x45d/0x730
[   62.183014]  tun_get_user+0xd95/0x3790
[   62.186980]  tun_chr_write_iter+0xcf/0x180
[   62.191205]  do_iter_readv_writev+0x379/0x580
[   62.195681]  do_iter_write+0x152/0x550
[   62.199552]  vfs_writev+0x146/0x2d0
[   62.203160]  do_writev+0xc9/0x240
[   62.206590]  do_syscall_64+0x19b/0x4b0
[   62.210452]
[   62.212059] The buggy address belongs to the object at ffff8881d3c1c280
[   62.212059]  which belongs to the cache skbuff_head_cache of size 224
[   62.225218] The buggy address is located 16 bytes inside of
[   62.225218]  224-byte region [ffff8881d3c1c280, ffff8881d3c1c360)
[   62.236983] The buggy address belongs to the page:
[   62.241890] page:ffffea00074f0700 count:1 mapcount:0 mapping: (null) index:0x0
[   62.250009] flags: 0x4000000000000100(slab)
[   62.254319] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[   62.262181] raw: dead000000000100 dead000000000200 ffff8881dab58200 0000000000000000
[   62.270038] page dumped because: kasan: bad access detected
[   62.275724]
[   62.277328] Memory state around the buggy address:
[   62.282231]  ffff8881d3c1c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.289571]  ffff8881d3c1c200: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   62.296913] >ffff8881d3c1c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.304256]                          ^
[   62.308126]  ffff8881d3c1c300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   62.315575]  ffff8881d3c1c380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   62.322914] ==================================================================
[   62.330376] Disabling lock debugging due to kernel taint
[   62.335825] Kernel panic - not syncing: panic_on_warn set ...
[   62.335825]
[   62.343165] CPU: 1 PID: 1789 Comm: syz-executor711 Tainted: G B 4.14.94+ #12
[   62.351462] Call Trace:
[   62.354346]  dump_stack+0xb9/0x10e
[   62.358011]  panic+0x1d9/0x3c2
[   62.361356]  ? add_taint.cold+0x16/0x16
[   62.365466]  ? retint_kernel+0x2d/0x2d
[   62.369459]  ? ip_local_deliver+0x43d/0x450
[   62.373811]  kasan_end_report+0x43/0x49
[   62.377912]  kasan_report.cold+0xa4/0x2a5
[   62.382051]  ? ip_local_deliver+0x43d/0x450
[   62.386607]  ? ip_call_ra_chain+0x540/0x540
[   62.390906]  ? __lock_acquire+0x56a/0x3fa0
[   62.395118]  ? deref_stack_reg+0xaa/0xe0
[   62.399176]  ? ip_rcv+0x99f/0xf7a
[   62.402615]  ? ip_rcv_finish+0x5c9/0x1490
[   62.406740]  ? ip_rcv+0x9e2/0xf7a
[   62.410169]  ? ip_local_deliver+0x450/0x450
[   62.414466]  ? __lock_acquire+0x56a/0x3fa0
[   62.418732]  ? check_preemption_disabled+0x35/0x1f0
[   62.423732]  ? ip_local_deliver+0x450/0x450
[   62.428032]  ? __netif_receive_skb_core+0x1364/0x2c60
[   62.433198]  ? trace_hardirqs_on+0x10/0x10
[   62.437418]  ? flush_backlog+0x580/0x580
[   62.441461]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   62.446636]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   62.451803]  ? lock_acquire+0x10f/0x380
[   62.455751]  ? __netif_receive_skb+0x55/0x1f0
[   62.460334]  ? __netif_receive_skb+0x55/0x1f0
[   62.464803]  ? netif_receive_skb_internal+0xec/0x5c0
[   62.469880]  ? dev_cpu_dead+0x810/0x810
[   62.473831]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   62.479258]  ? rcu_read_lock_sched_held+0x10a/0x130
[   62.484249]  ? tun_rx_batched.isra.0+0x45d/0x730
[   62.488978]  ? __skb_get_hash_symmetric+0x255/0x620
[   62.493977]  ? tun_chr_read_iter+0x1c0/0x1c0
[   62.498368]  ? tun_get_user+0xc07/0x3790
[   62.502409]  ? __local_bh_enable_ip+0x65/0xc0
[   62.506882]  ? tun_get_user+0xd95/0x3790
[   62.510919]  ? tun_rx_batched.isra.0+0x730/0x730
[   62.515656]  ? debug_mutex_add_waiter+0x60/0x150
[   62.520392]  ? mark_held_locks+0xa6/0xf0
[   62.524428]  ? get_page_from_freelist+0x85e/0x1d60
[   62.529335]  ? preempt_count_add+0xb8/0x180
[   62.533634]  ? __tun_get+0x11c/0x220
[   62.537464]  ? check_preemption_disabled+0x35/0x1f0
[   62.542469]  ? tun_chr_write_iter+0xcf/0x180
[   62.546941]  ? do_iter_readv_writev+0x379/0x580
[   62.551598]  ? clone_verify_area+0x1e0/0x1e0
[   62.555990]  ? avc_policy_seqno+0x5/0x10
[   62.560034]  ? security_file_permission+0x88/0x1e0
[   62.564946]  ? do_iter_write+0x152/0x550
[   62.568983]  ? lock_downgrade+0x5d0/0x5d0
[   62.573107]  ? vfs_writev+0x146/0x2d0
[   62.576889]  ? vfs_iter_write+0xa0/0xa0
[   62.580846]  ? __handle_mm_fault+0x6c5/0x2640
[   62.585323]  ? __fsnotify_inode_delete+0x20/0x20
[   62.590061]  ? __do_page_fault+0x48e/0xb80
[   62.594272]  ? lock_downgrade+0x5d0/0x5d0
[   62.598492]  ? check_preemption_disabled+0x35/0x1f0
[   62.603494]  ? do_writev+0xc9/0x240
[   62.607110]  ? vfs_writev+0x2d0/0x2d0
[   62.610897]  ? do_syscall_64+0x43/0x4b0
[   62.614848]  ? SyS_readv+0x30/0x30
[   62.618361]  ? do_syscall_64+0x19b/0x4b0
[   62.622401]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   62.628189] Kernel Offset: 0x37600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   62.639086] Rebooting in 86400 seconds..
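The report above carries everything a triager needs, but spread over a long console log: the BUG line names the reading function (ip_local_deliver), the "Freed by" stack shows the skb being released by kfree_skb underneath ip_defrag, the object lines give a 224-byte skbuff_head_cache slot at ffff8881d3c1c280, and the shadow dump shows the byte covering the faulting address as fb. The Python script below is an added example, not part of the syzkaller log or of the kernel: it parses exactly those parts of a KASAN report and derives the offset, the object state and the real allocating and freeing call sites instead of copying the text's own summary. The sample input is a reconstructed excerpt of the report above (constructed for the example); the shadow byte meanings are those of the 4.14-era generic KASAN (mm/kasan/kasan.h), and the allocator-prefix list used to skip plumbing frames is a heuristic of this example.

```python
import re
from types import SimpleNamespace

# Constructed sample input: an excerpt of the KASAN report above (Call Trace
# omitted; only the parts this parser consumes are reproduced).
SAMPLE_REPORT = """\
[   61.788728] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[   61.795381] Read of size 8 at addr ffff8881d3c1c290 by task syz-executor711/1789
[   62.082827] Allocated by task 1789:
[   62.086431]  kasan_kmalloc.part.0+0x4f/0xd0
[   62.090729]  kmem_cache_alloc+0xd2/0x2d0
[   62.094766]  __build_skb+0x2e/0x2d0
[   62.098378]  build_skb+0x1a/0x1f0
[   62.129408]
[   62.131015] Freed by task 1789:
[   62.134270]  kasan_slab_free+0xb0/0x190
[   62.138220]  kmem_cache_free+0xc4/0x330
[   62.142173]  kfree_skbmem+0xa0/0x100
[   62.145867]  kfree_skb+0xcd/0x350
[   62.149300]  ip_defrag+0x5f4/0x3b50
[   62.152906]  ip_local_deliver+0x165/0x450
[   62.212059] The buggy address belongs to the object at ffff8881d3c1c280
[   62.212059]  which belongs to the cache skbuff_head_cache of size 224
[   62.277328] Memory state around the buggy address:
[   62.289571]  ffff8881d3c1c200: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   62.296913] >ffff8881d3c1c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.304256]                          ^
[   62.308126]  ffff8881d3c1c300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
"""

SHADOW_GRANULE = 8  # one KASAN shadow byte describes 8 bytes of memory
# Shadow values of the 4.14-era generic KASAN (mm/kasan/kasan.h).
SHADOW_MEANING = {0x00: "addressable", 0xfb: "freed slab object", 0xfc: "slab redzone",
                  0xfa: "global redzone", 0xfe: "page redzone", 0xff: "freed page"}
# Heuristic of this example: frames with these prefixes are allocator/KASAN
# plumbing, so the first other frame is the kernel code that (de)allocated.
PLUMBING = ("kasan_", "kmem_cache_", "kfree", "kmalloc", "__kmalloc", "slab_")

TS = r"^\[\s*[\d.]+\]\s*"  # kernel log timestamp prefix
BUG_RE = re.compile(TS + r"BUG: KASAN: (?P<kind>\S+) in (?P<func>[^+\s]+)")
ACCESS_RE = re.compile(TS + r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)")
STACK_RE = re.compile(TS + r"(?P<what>Allocated|Freed) by task \d+:")
FRAME_RE = re.compile(TS + r"(?P<func>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")
OBJ_RE = re.compile(TS + r"The buggy address belongs to the object at (?P<obj>[0-9a-f]+)")
CACHE_RE = re.compile(TS + r"which belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
SHADOW_RE = re.compile(TS + r">?(?P<base>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2}\s?)+)$")

def parse_kasan(text):
    """Extract the triage-relevant fields from a KASAN report."""
    r = SimpleNamespace(kind="", func="", rw="", size=0, addr=0, task="", pid=0,
                        obj=0, cache="", obj_size=0, alloc_stack=[], free_stack=[],
                        shadow={})  # shadow: memory address -> shadow byte value
    stack = None  # the Allocated/Freed stack currently being collected
    for line in text.splitlines():
        if (m := BUG_RE.match(line)):
            r.kind, r.func = m["kind"], m["func"]
        elif (m := ACCESS_RE.match(line)):
            r.rw, r.size, r.addr = m["rw"], int(m["size"]), int(m["addr"], 16)
            r.task, r.pid = m["task"], int(m["pid"])
        elif (m := STACK_RE.match(line)):
            stack = r.alloc_stack if m["what"] == "Allocated" else r.free_stack
        elif stack is not None and (m := FRAME_RE.match(line)):
            stack.append(m["func"])
        else:
            stack = None  # any other line ends the current stack
            if (m := OBJ_RE.match(line)):
                r.obj = int(m["obj"], 16)
            elif (m := CACHE_RE.match(line)):
                r.cache, r.obj_size = m["cache"], int(m["size"])
            elif (m := SHADOW_RE.match(line)):
                for i, b in enumerate(m["bytes"].split()):
                    r.shadow[int(m["base"], 16) + i * SHADOW_GRANULE] = int(b, 16)
    return r

def shadow_at(r, addr):
    """Shadow byte covering addr, or None if the dump does not include it."""
    return r.shadow.get(addr - addr % SHADOW_GRANULE)

def call_site(stack):
    """First frame that is not allocator/KASAN plumbing (heuristic, see PLUMBING)."""
    return next((f for f in stack if not f.startswith(PLUMBING)), None)

def triage(r):
    """Cross-check the report: offset, object state and the real (de)allocating code."""
    off = r.addr - r.obj
    sb = shadow_at(r, r.addr)
    return {
        "bug": "%s in %s" % (r.kind, r.func),
        "offset_in_object": off,
        "inside_object": 0 <= off < r.obj_size,
        "object_state": SHADOW_MEANING.get(sb, "unknown") if sb is not None else "not in dump",
        "allocated_by": call_site(r.alloc_stack),
        "freed_by": call_site(r.free_stack),
    }

if __name__ == "__main__":
    for k, v in triage(parse_kasan(SAMPLE_REPORT)).items():
        print("%-17s %s" % (k, v))
```

Fed the full console log instead of the excerpt, the parser behaves the same: the boot noise and the `?` frames of the main Call Trace match none of the patterns, and only the "Allocated by"/"Freed by" stacks are collected. The shadow lookup is the check worth keeping even when the BUG line already says use-after-free: fb at the faulting address confirms the object was released rather than the access being a redzone overflow (fc), and comparing the shadow at the end of the 224-byte region against the object size catches reports where the cache size and the dump disagree.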