[....] Starting enhanced syslogd: rsyslogd
[ 10.510725] audit: type=1400 audit(1514959800.122:4): avc: denied { syslog } for pid=3173 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ].
[....] Starting mcstransd:
[....] Starting periodic command scheduler: cron
[ ok ].
[....] Starting file context maintaining daemon: restorecond
[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.9' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 32.451722] ==================================================================
[ 32.452925] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x2702/0x3470
[ 32.453810] Read of size 2048 at addr ffff8801c9eac018 by task syzkaller347804/3338
[ 32.454853]
[ 32.455087] CPU: 0 PID: 3338 Comm: syzkaller347804 Not tainted 4.9.74-g9e5dd8e #12
[ 32.456112] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.457332]  ffff8801c81a7718 ffffffff81d91d19 ffffea000727ab00 ffff8801c9eac018
[ 32.458462]  0000000000000000 ffff8801c9eac200 ffff8801c81a7958 ffff8801c81a7750
[ 32.459611]  ffffffff8153b503 ffff8801c9eac018 0000000000000800 0000000000000000
[ 32.460743] Call Trace:
[ 32.461101]  [] dump_stack+0xc1/0x128
[ 32.461817]  [] print_address_description+0x73/0x280
[ 32.462715]  [] kasan_report+0x275/0x360
[ 32.463458]  [] ? pfkey_add+0x2702/0x3470
[ 32.464215]  [] check_memory_region+0x137/0x190
[ 32.465036]  [] memcpy+0x23/0x50
[ 32.465759]  [] pfkey_add+0x2702/0x3470
[ 32.466489]  [] ? pfkey_delete+0x360/0x360
[ 32.467252]  [] ? pfkey_seq_stop+0x80/0x80
[ 32.468032]  [] ? __skb_clone+0x24a/0x7d0
[ 32.468851]  [] ? pfkey_delete+0x360/0x360
[ 32.469626]  [] pfkey_process+0x61e/0x730
[ 32.470397]  [] ? pfkey_send_new_mapping+0x11b0/0x11b0
[ 32.471297]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 32.474445]  [] pfkey_sendmsg+0x3a9/0x760
[ 32.480123]  [] ? pfkey_spdget+0x820/0x820
[ 32.485901]  [] sock_sendmsg+0xca/0x110
[ 32.491403]  [] ___sys_sendmsg+0x6d1/0x7e0
[ 32.497169]  [] ? copy_msghdr_from_user+0x550/0x550
[ 32.503722]  [] ? __lru_cache_add+0x187/0x250
[ 32.509760]  [] ? do_huge_pmd_anonymous_page+0xb05/0x10d0
[ 32.516829]  [] ? _raw_spin_unlock+0x2c/0x50
[ 32.522768]  [] ? do_huge_pmd_anonymous_page+0x2d4/0x10d0
[ 32.529846]  [] ? handle_mm_fault+0x6ee/0x2530
[ 32.535960]  [] ? __fget_light+0x158/0x1e0
[ 32.541726]  [] ? __fdget+0x18/0x20
[ 32.546885]  [] ? sockfd_lookup_light+0x118/0x160
[ 32.553258]  [] __sys_sendmsg+0xd6/0x190
[ 32.558846]  [] ? SyS_shutdown+0x1b0/0x1b0
[ 32.564613]  [] ? __do_page_fault+0x5ec/0xd40
[ 32.570639]  [] compat_SyS_sendmsg+0x2a/0x40
[ 32.576581]  [] ? compat_SyS_getsockopt+0x2a0/0x2a0
[ 32.583127]  [] do_fast_syscall_32+0x2f7/0x890
[ 32.589239]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 32.595875]  [] entry_SYSENTER_compat+0x51/0x60
[ 32.602086]
[ 32.603684] Allocated by task 3338:
[ 32.607284]  save_stack_trace+0x16/0x20
[ 32.611224]  save_stack+0x43/0xd0
[ 32.614646]  kasan_kmalloc+0xad/0xe0
[ 32.618329]  kasan_slab_alloc+0x12/0x20
[ 32.622270]  __kmalloc_track_caller+0xda/0x2b0
[ 32.626832]  __kmalloc_reserve.isra.37+0x33/0xc0
[ 32.631554]  __alloc_skb+0x119/0x600
[ 32.635236]  pfkey_sendmsg+0x135/0x760
[ 32.639088]  sock_sendmsg+0xca/0x110
[ 32.642768]  ___sys_sendmsg+0x6d1/0x7e0
[ 32.646709]  __sys_sendmsg+0xd6/0x190
[ 32.650476]  compat_SyS_sendmsg+0x2a/0x40
[ 32.654591]  do_fast_syscall_32+0x2f7/0x890
[ 32.658877]  entry_SYSENTER_compat+0x51/0x60
[ 32.663250]
[ 32.664846] Freed by task 1795:
[ 32.668094]  save_stack_trace+0x16/0x20
[ 32.672036]  save_stack+0x43/0xd0
[ 32.675456]  kasan_slab_free+0x72/0xc0
[ 32.679323]  kfree+0x103/0x300
[ 32.682481]  skb_free_head+0x74/0xb0
[ 32.686165]  skb_release_data+0x315/0x3f0
[ 32.690290]  skb_release_all+0x4a/0x60
[ 32.694144]  __kfree_skb+0x15/0x20
[ 32.697652]  kfree_skb+0xcc/0x330
[ 32.701070]  netlink_unicast+0x653/0x750
[ 32.705106]  netlink_sendmsg+0x8e8/0xc50
[ 32.709135]  sock_sendmsg+0xca/0x110
[ 32.712814]  ___sys_sendmsg+0x6d1/0x7e0
[ 32.716755]  __sys_sendmsg+0xd6/0x190
[ 32.720521]  SyS_sendmsg+0x2d/0x50
[ 32.724030]  entry_SYSCALL_64_fastpath+0x23/0xc6
[ 32.728750]
[ 32.730345] The buggy address belongs to the object at ffff8801c9eac000
[ 32.730345]  which belongs to the cache kmalloc-512 of size 512
[ 32.742966] The buggy address is located 24 bytes inside of
[ 32.742966]  512-byte region [ffff8801c9eac000, ffff8801c9eac200)
[ 32.754717] The buggy address belongs to the page:
[ 32.759615] page:ffffea000727ab00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 32.769776] flags: 0x8000000000004080(slab|head)
[ 32.774496] page dumped because: kasan: bad access detected
[ 32.780172]
[ 32.781763] Memory state around the buggy address:
[ 32.786660]  ffff8801c9eac100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 32.793987]  ffff8801c9eac180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 32.801312] >ffff8801c9eac200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.808652]                    ^
[ 32.811984]  ffff8801c9eac280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.819311]  ffff8801c9eac300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.826638] ==================================================================
[ 32.833976] Disabling lock debugging due to kernel taint
[ 32.839734] Kernel panic - not syncing: panic_on_warn set ...
[ 32.839734]
[ 32.847089] CPU: 0 PID: 3338 Comm: syzkaller347804 Tainted: G    B   4.9.74-g9e5dd8e #12
[ 32.855981] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.865306]  ffff8801c81a7670 ffffffff81d91d19 ffffffff8419562f ffff8801c81a7748
[ 32.873280]  0000000000000000 ffff8801c9eac200 ffff8801c81a7958 ffff8801c81a7738
[ 32.881235]  ffffffff8142d161 0000000041b58ab3 ffffffff84189070 ffffffff8142cfa5
[ 32.889186] Call Trace:
[ 32.891744]  [] dump_stack+0xc1/0x128
[ 32.897082]  [] panic+0x1bc/0x3a8
[ 32.902068]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 32.910275]  [] ? preempt_schedule+0x25/0x30
[ 32.916217]  [] ? ___preempt_schedule+0x16/0x18
[ 32.922420]  [] kasan_end_report+0x50/0x50
[ 32.928194]  [] kasan_report+0x167/0x360
[ 32.933798]  [] ? pfkey_add+0x2702/0x3470
[ 32.939477]  [] check_memory_region+0x137/0x190
[ 32.945690]  [] memcpy+0x23/0x50
[ 32.950590]  [] pfkey_add+0x2702/0x3470
[ 32.956093]  [] ? pfkey_delete+0x360/0x360
[ 32.961869]  [] ? pfkey_seq_stop+0x80/0x80
[ 32.967639]  [] ? __skb_clone+0x24a/0x7d0
[ 32.973321]  [] ? pfkey_delete+0x360/0x360
[ 32.979084]  [] pfkey_process+0x61e/0x730
[ 32.984764]  [] ? pfkey_send_new_mapping+0x11b0/0x11b0
[ 32.991574]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 32.998382]  [] pfkey_sendmsg+0x3a9/0x760
[ 33.004072]  [] ? pfkey_spdget+0x820/0x820
[ 33.009841]  [] sock_sendmsg+0xca/0x110
[ 33.015355]  [] ___sys_sendmsg+0x6d1/0x7e0
[ 33.021123]  [] ? copy_msghdr_from_user+0x550/0x550
[ 33.027683]  [] ? __lru_cache_add+0x187/0x250
[ 33.033710]  [] ? do_huge_pmd_anonymous_page+0xb05/0x10d0
[ 33.040778]  [] ? _raw_spin_unlock+0x2c/0x50
[ 33.046731]  [] ? do_huge_pmd_anonymous_page+0x2d4/0x10d0
[ 33.053812]  [] ? handle_mm_fault+0x6ee/0x2530
[ 33.059924]  [] ? __fget_light+0x158/0x1e0
[ 33.065689]  [] ? __fdget+0x18/0x20
[ 33.070848]  [] ? sockfd_lookup_light+0x118/0x160
[ 33.077221]  [] __sys_sendmsg+0xd6/0x190
[ 33.082821]  [] ? SyS_shutdown+0x1b0/0x1b0
[ 33.088588]  [] ? __do_page_fault+0x5ec/0xd40
[ 33.094621]  [] compat_SyS_sendmsg+0x2a/0x40
[ 33.100571]  [] ? compat_SyS_getsockopt+0x2a0/0x2a0
[ 33.107118]  [] do_fast_syscall_32+0x2f7/0x890
[ 33.113233]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 33.119881]  [] entry_SYSENTER_compat+0x51/0x60
[ 33.126469] Dumping ftrace buffer:
[ 33.129987]    (ftrace buffer empty)
[ 33.133665] Kernel Offset: disabled
[ 33.137261] Rebooting in 86400 seconds..