[....] Starting enhanced syslogd: rsyslogd
[ 14.185365] audit: type=1400 audit(1516825687.161:5): avc: denied { syslog } for pid=3524 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ].
[....] Starting periodic command scheduler: cron [ ok ].
Starting mcstransd:
[....] Starting file context maintaining daemon: restorecond [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 18.679257] audit: type=1400 audit(1516825691.654:6): avc: denied { map } for pid=3664 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.220' (ECDSA) to the list of known hosts.
executing program
[ 24.990496] audit: type=1400 audit(1516825697.966:7): avc: denied { map } for pid=3679 comm="syzkaller842686" path="/root/syzkaller842686504" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 24.992751] ==================================================================
[ 24.992769] BUG: KASAN: slab-out-of-bounds in string+0x1e8/0x200
[ 24.992773] Read of size 1 at addr ffff8801d902a850 by task syzkaller842686/3679
[ 24.992775]
[ 24.992781] CPU: 1 PID: 3679 Comm: syzkaller842686 Not tainted 4.15.0-rc9+ #278
[ 24.992783] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.992785] Call Trace:
[ 24.992796]  dump_stack+0x194/0x257
[ 24.992806]  ? arch_local_irq_restore+0x53/0x53
[ 24.992816]  ? show_regs_print_info+0x18/0x18
[ 24.992826]  ? string+0x1e8/0x200
[ 24.992837]  print_address_description+0x73/0x250
[ 24.992842]  ? string+0x1e8/0x200
[ 24.992848]  kasan_report+0x25b/0x340
[ 24.992857]  __asan_report_load1_noabort+0x14/0x20
[ 24.992862]  string+0x1e8/0x200
[ 24.992874]  vsnprintf+0x863/0x1900
[ 24.992886]  ? pointer+0x9e0/0x9e0
[ 24.992906]  __request_module+0x1bf/0xc20
[ 24.992912]  ? lock_downgrade+0x980/0x980
[ 24.992920]  ? free_modprobe_argv+0xa0/0xa0
[ 24.992925]  ? lock_downgrade+0x980/0x980
[ 24.992933]  ? rcu_read_lock_sched_held+0x108/0x120
[ 24.992940]  ? pcpu_alloc+0x146/0x10e0
[ 24.992956]  ? __mutex_unlock_slowpath+0xe9/0xac0
[ 24.992960]  ? pcpu_free_area+0xa00/0xa00
[ 24.992967]  ? wait_for_completion+0x770/0x770
[ 24.992978]  ? __kernel_text_address+0xd/0x40
[ 24.992983]  ? wait_for_completion+0x770/0x770
[ 24.992990]  ? trace_hardirqs_off+0xd/0x10
[ 24.993005]  ? depot_save_stack+0x3b5/0x490
[ 24.993016]  ? kvfree+0x36/0x60
[ 24.993029]  ? xt_find_target+0x17b/0x1e0
[ 24.993047]  xt_request_find_target+0x8b/0xb0
[ 24.993057]  find_check_entry.isra.8+0x612/0xcb0
[ 24.993070]  ? rcu_read_lock_sched_held+0x108/0x120
[ 24.993076]  ? ipt_do_table+0x1330/0x1330
[ 24.993085]  ? mark_held_locks+0xaf/0x100
[ 24.993091]  ? kfree+0xf0/0x260
[ 24.993095]  ? kvfree+0x36/0x60
[ 24.993101]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 24.993107]  ? trace_hardirqs_on+0xd/0x10
[ 24.993118]  translate_table+0xed1/0x1610
[ 24.993141]  ? alloc_counters.isra.11+0x7d0/0x7d0
[ 24.993150]  ? kasan_check_write+0x14/0x20
[ 24.993158]  ? _copy_from_user+0x99/0x110
[ 24.993166]  do_ipt_set_ctl+0x370/0x5f0
[ 24.993175]  ? translate_compat_table+0x1b90/0x1b90
[ 24.993191]  ? mutex_unlock+0xd/0x10
[ 24.993199]  ? nf_sockopt_find.constprop.0+0x1a7/0x220
[ 24.993207]  nf_setsockopt+0x67/0xc0
[ 24.993218]  ip_setsockopt+0xa1/0xb0
[ 24.993230]  udp_setsockopt+0x45/0x80
[ 24.993242]  sock_common_setsockopt+0x95/0xd0
[ 24.993251]  SyS_setsockopt+0x189/0x360
[ 24.993260]  ? SyS_recv+0x40/0x40
[ 24.993266]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[ 24.993273]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 24.993281]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 24.993292]  entry_SYSCALL_64_fastpath+0x29/0xa0
[ 24.993297] RIP: 0033:0x43ffc9
[ 24.993299] RSP: 002b:00007ffd06a09588 EFLAGS: 00000203 ORIG_RAX: 0000000000000036
[ 24.993304] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffc9
[ 24.993307] RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003
[ 24.993309] RBP: 00000000006ca018 R08: 00000000000000f0 R09: 0000000000000000
[ 24.993312] R10: 0000000020f20000 R11: 0000000000000203 R12: 00000000004018f0
[ 24.993314] R13: 0000000000401980 R14: 0000000000000000 R15: 0000000000000000
[ 24.993331]
[ 24.993334] Allocated by task 3679:
[ 24.993338]  save_stack+0x43/0xd0
[ 24.993341]  kasan_kmalloc+0xad/0xe0
[ 24.993344]  __kmalloc_node+0x47/0x70
[ 24.993348]  kvmalloc_node+0x99/0xd0
[ 24.993351]  xt_alloc_table_info+0x64/0xe0
[ 24.993355]  do_ipt_set_ctl+0x29b/0x5f0
[ 24.993358]  nf_setsockopt+0x67/0xc0
[ 24.993361]  ip_setsockopt+0xa1/0xb0
[ 24.993365]  udp_setsockopt+0x45/0x80
[ 24.993368]  sock_common_setsockopt+0x95/0xd0
[ 24.993371]  SyS_setsockopt+0x189/0x360
[ 24.993375]  entry_SYSCALL_64_fastpath+0x29/0xa0
[ 24.993376]
[ 24.993377] Freed by task 2031:
[ 24.993381]  save_stack+0x43/0xd0
[ 24.993385]  kasan_slab_free+0x71/0xc0
[ 24.993388]  kfree+0xd6/0x260
[ 24.993395]  single_release+0x80/0xb0
[ 24.993402]  __fput+0x327/0x7e0
[ 24.993405]  ____fput+0x15/0x20
[ 24.993409]  task_work_run+0x199/0x270
[ 24.993412]  exit_to_usermode_loop+0x296/0x310
[ 24.993416]  syscall_return_slowpath+0x490/0x550
[ 24.993419]  entry_SYSCALL_64_fastpath+0x9e/0xa0
[ 24.993420]
[ 24.993424] The buggy address belongs to the object at ffff8801d902a780
[ 24.993424]  which belongs to the cache kmalloc-256 of size 256
[ 24.993427] The buggy address is located 208 bytes inside of
[ 24.993427]  256-byte region [ffff8801d902a780, ffff8801d902a880)
[ 24.993428] The buggy address belongs to the page:
[ 24.993437] page:ffffea0007640a80 count:1 mapcount:0 mapping:ffff8801d902a000 index:0x0
[ 24.993442] flags: 0x2fffc0000000100(slab)
[ 24.993448] raw: 02fffc0000000100 ffff8801d902a000 0000000000000000 000000010000000c
[ 24.993453] raw: ffffea0007652420 ffffea0007640be0 ffff8801dac007c0 0000000000000000
[ 24.993455] page dumped because: kasan: bad access detected
[ 24.993457]
[ 24.993458] Memory state around the buggy address:
[ 24.993462]  ffff8801d902a700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 24.993465]  ffff8801d902a780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 24.993469] >ffff8801d902a800: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[ 24.993470]                                                  ^
[ 24.993473]  ffff8801d902a880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 24.993476]  ffff8801d902a900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.993478] ==================================================================
[ 24.993479] Disabling lock debugging due to kernel taint
[ 24.993496] Kernel panic - not syncing: panic_on_warn set ...
[ 24.993496]
[ 24.993500] CPU: 1 PID: 3679 Comm: syzkaller842686 Tainted: G    B            4.15.0-rc9+ #278
[ 24.993502] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.993503] Call Trace:
[ 24.993509]  dump_stack+0x194/0x257
[ 24.993514]  ? arch_local_irq_restore+0x53/0x53
[ 24.993519]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 24.993524]  ? vsnprintf+0x1ed/0x1900
[ 24.993529]  ? string+0x120/0x200
[ 24.993535]  panic+0x1e4/0x41c
[ 24.993539]  ? refcount_error_report+0x214/0x214
[ 24.993545]  ? add_taint+0x1c/0x50
[ 24.993549]  ? add_taint+0x1c/0x50
[ 24.993554]  ? string+0x1e8/0x200
[ 24.993559]  kasan_end_report+0x50/0x50
[ 24.993563]  kasan_report+0x144/0x340
[ 24.993569]  __asan_report_load1_noabort+0x14/0x20
[ 24.993573]  string+0x1e8/0x200
[ 24.993580]  vsnprintf+0x863/0x1900
[ 24.993588]  ? pointer+0x9e0/0x9e0
[ 24.993598]  __request_module+0x1bf/0xc20
[ 24.993602]  ? lock_downgrade+0x980/0x980
[ 24.993608]  ? free_modprobe_argv+0xa0/0xa0
[ 24.993612]  ? lock_downgrade+0x980/0x980
[ 24.993616]  ? rcu_read_lock_sched_held+0x108/0x120
[ 24.993620]  ? pcpu_alloc+0x146/0x10e0
[ 24.993629]  ? __mutex_unlock_slowpath+0xe9/0xac0
[ 24.993633]  ? pcpu_free_area+0xa00/0xa00
[ 24.993639]  ? wait_for_completion+0x770/0x770
[ 24.993645]  ? __kernel_text_address+0xd/0x40
[ 24.993649]  ? wait_for_completion+0x770/0x770
[ 24.993654]  ? trace_hardirqs_off+0xd/0x10
[ 24.993660]  ? depot_save_stack+0x3b5/0x490
[ 24.993666]  ? kvfree+0x36/0x60
[ 24.993673]  ? xt_find_target+0x17b/0x1e0
[ 24.993684]  xt_request_find_target+0x8b/0xb0
[ 24.993690]  find_check_entry.isra.8+0x612/0xcb0
[ 24.993698]  ? rcu_read_lock_sched_held+0x108/0x120
[ 24.993703]  ? ipt_do_table+0x1330/0x1330
[ 24.993709]  ? mark_held_locks+0xaf/0x100
[ 24.993713]  ? kfree+0xf0/0x260
[ 24.993716]  ? kvfree+0x36/0x60
[ 24.993721]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 24.993725]  ? trace_hardirqs_on+0xd/0x10
[ 24.993733]  translate_table+0xed1/0x1610
[ 24.993746]  ? alloc_counters.isra.11+0x7d0/0x7d0
[ 24.993752]  ? kasan_check_write+0x14/0x20
[ 24.993756]  ? _copy_from_user+0x99/0x110
[ 24.993761]  do_ipt_set_ctl+0x370/0x5f0
[ 24.993768]  ? translate_compat_table+0x1b90/0x1b90
[ 24.993777]  ? mutex_unlock+0xd/0x10
[ 24.993781]  ? nf_sockopt_find.constprop.0+0x1a7/0x220
[ 24.993787]  nf_setsockopt+0x67/0xc0
[ 24.993793]  ip_setsockopt+0xa1/0xb0
[ 24.993799]  udp_setsockopt+0x45/0x80
[ 24.993805]  sock_common_setsockopt+0x95/0xd0
[ 24.993811]  SyS_setsockopt+0x189/0x360
[ 24.993816]  ? SyS_recv+0x40/0x40
[ 24.993821]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[ 24.993826]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 24.993831]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 24.993838]  entry_SYSCALL_64_fastpath+0x29/0xa0
[ 24.993841] RIP: 0033:0x43ffc9
[ 24.993843] RSP: 002b:00007ffd06a09588 EFLAGS: 00000203 ORIG_RAX: 0000000000000036
[ 24.993847] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffc9
[ 24.993849] RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003
[ 24.993851] RBP: 00000000006ca018 R08: 00000000000000f0 R09: 0000000000000000
[ 24.993853] R10: 0000000020f20000 R11: 0000000000000203 R12: 00000000004018f0
[ 24.993855] R13: 0000000000401980 R14: 0000000000000000 R15: 0000000000000000
[ 25.016838] Dumping ftrace buffer:
[ 25.016843]    (ftrace buffer empty)
[ 25.016847] Kernel Offset: disabled
[ 25.881866] Rebooting in 86400 seconds..