[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].
[ 19.184306] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 23.221408] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.569903] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.311339] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.470410] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.39' (ECDSA) to the list of known hosts.
[ 29.995363] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 30.083734] ==================================================================
[ 30.091197] BUG: KASAN: use-after-free in nla_strlcpy+0x13d/0x150
[ 30.097415] Read of size 1 at addr ffff8801adad6c9d by task syz-executor150/4520
[ 30.104926]
[ 30.106539] CPU: 0 PID: 4520 Comm: syz-executor150 Not tainted 4.17.0-rc7+ #73
[ 30.113904] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.123276] Call Trace:
[ 30.125865]  dump_stack+0x1b9/0x294
[ 30.129480]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 30.134684]  ? printk+0x9e/0xba
[ 30.137948]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 30.142697]  ? kasan_check_write+0x14/0x20
[ 30.146940]  print_address_description+0x6c/0x20b
[ 30.151780]  ? nla_strlcpy+0x13d/0x150
[ 30.155649]  kasan_report.cold.7+0x242/0x2fe
[ 30.160042]  __asan_report_load1_noabort+0x14/0x20
[ 30.164960]  nla_strlcpy+0x13d/0x150
[ 30.168675]  nfnl_acct_new+0x574/0xc50
[ 30.172557]  ? nfnl_acct_overquota+0x380/0x380
[ 30.177124]  ? debug_check_no_locks_freed+0x310/0x310
[ 30.182298]  ? graph_lock+0x170/0x170
[ 30.186094]  ? print_usage_bug+0xc0/0xc0
[ 30.190158]  ? find_held_lock+0x36/0x1c0
[ 30.194214]  ? graph_lock+0x170/0x170
[ 30.198004]  ? lock_downgrade+0x8e0/0x8e0
[ 30.202134]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.207655]  ? __lock_is_held+0xb5/0x140
[ 30.211702]  ? nfnl_acct_overquota+0x380/0x380
[ 30.216267]  nfnetlink_rcv_msg+0xdb5/0xff0
[ 30.220491]  ? __sanitizer_cov_trace_cmp1+0x17/0x20
[ 30.225487]  ? nfnetlink_rcv_msg+0x3bc/0xff0
[ 30.229884]  ? nfnetlink_bind+0x3a0/0x3a0
[ 30.234013]  ? graph_lock+0x170/0x170
[ 30.237793]  ? find_held_lock+0x36/0x1c0
[ 30.241853]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.247374]  netlink_rcv_skb+0x172/0x440
[ 30.251415]  ? nfnetlink_bind+0x3a0/0x3a0
[ 30.255543]  ? netlink_ack+0xbc0/0xbc0
[ 30.259421]  ? __netlink_ns_capable+0x100/0x130
[ 30.264081]  nfnetlink_rcv+0x1fe/0x1ba0
[ 30.268041]  ? kasan_check_read+0x11/0x20
[ 30.272168]  ? rcu_is_watching+0x85/0x140
[ 30.276296]  ? rcu_bh_force_quiescent_state+0x20/0x20
[ 30.281472]  ? nfnl_err_reset+0x2d0/0x2d0
[ 30.285606]  ? netlink_remove_tap+0x610/0x610
[ 30.290089]  ? refcount_add_not_zero+0x320/0x320
[ 30.294838]  ? kasan_check_read+0x11/0x20
[ 30.298975]  ? rcu_is_watching+0x85/0x140
[ 30.303127]  ? rcu_bh_force_quiescent_state+0x20/0x20
[ 30.308313]  ? netlink_skb_destructor+0x210/0x210
[ 30.313143]  ? kasan_check_write+0x14/0x20
[ 30.317361]  netlink_unicast+0x58b/0x740
[ 30.321416]  ? netlink_attachskb+0x970/0x970
[ 30.325807]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.331339]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 30.336344]  ? security_netlink_send+0x88/0xb0
[ 30.340909]  netlink_sendmsg+0x9f0/0xfa0
[ 30.344958]  ? netlink_unicast+0x740/0x740
[ 30.349178]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.354700]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.360228]  ? security_socket_sendmsg+0x94/0xc0
[ 30.365154]  ? netlink_unicast+0x740/0x740
[ 30.369382]  sock_sendmsg+0xd5/0x120
[ 30.373097]  sock_write_iter+0x35a/0x5a0
[ 30.377141]  ? sock_sendmsg+0x120/0x120
[ 30.381119]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 30.386660]  ? iov_iter_init+0xc9/0x1f0
[ 30.390634]  __vfs_write+0x64d/0x960
[ 30.394334]  ? kernel_read+0x120/0x120
[ 30.398208]  ? lock_downgrade+0x8e0/0x8e0
[ 30.402347]  ? handle_mm_fault+0x8c0/0xc70
[ 30.406577]  ? handle_mm_fault+0x55a/0xc70
[ 30.410802]  ? rw_verify_area+0x118/0x360
[ 30.414944]  vfs_write+0x1f8/0x560
[ 30.418468]  ksys_write+0xf9/0x250
[ 30.421990]  ? __ia32_sys_read+0xb0/0xb0
[ 30.426036]  ? __ia32_sys_fallocate+0xf0/0xf0
[ 30.430518]  __x64_sys_write+0x73/0xb0
[ 30.434401]  do_syscall_64+0x1b1/0x800
[ 30.438274]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 30.443221]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.448932]  ? retint_user+0x18/0x18
[ 30.452649]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.457493]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 30.462786] RIP: 0033:0x43fcd9
[ 30.465979] RSP: 002b:00007fff7fa48948 EFLAGS: 00000213 ORIG_RAX: 0000000000000001
[ 30.473694] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fcd9
[ 30.480967] RDX: 000000000000007b RSI: 0000000020000080 RDI: 0000000000000003
[ 30.488230] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 30.495491] R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401600
[ 30.502770] R13: 0000000000401690 R14: 0000000000000000 R15: 0000000000000000
[ 30.510049]
[ 30.511675] Allocated by task 2848:
[ 30.515315]  save_stack+0x43/0xd0
[ 30.518780]  kasan_kmalloc+0xc4/0xe0
[ 30.522483]  kasan_slab_alloc+0x12/0x20
[ 30.526446]  kmem_cache_alloc+0x12e/0x760
[ 30.530585]  getname_flags+0xd0/0x5a0
[ 30.534381]  getname+0x19/0x20
[ 30.537565]  do_sys_open+0x39a/0x740
[ 30.541273]  __x64_sys_open+0x7e/0xc0
[ 30.545061]  do_syscall_64+0x1b1/0x800
[ 30.548940]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 30.554115]
[ 30.555731] Freed by task 2848:
[ 30.558998]  save_stack+0x43/0xd0
[ 30.562442]  __kasan_slab_free+0x11a/0x170
[ 30.566681]  kasan_slab_free+0xe/0x10
[ 30.570491]  kmem_cache_free+0x86/0x2d0
[ 30.574455]  putname+0xf2/0x130
[ 30.577742]  do_sys_open+0x554/0x740
[ 30.581443]  __x64_sys_open+0x7e/0xc0
[ 30.585232]  do_syscall_64+0x1b1/0x800
[ 30.589116]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 30.594296]
[ 30.595910] The buggy address belongs to the object at ffff8801adad6c80
[ 30.595910]  which belongs to the cache names_cache of size 4096
[ 30.608824] The buggy address is located 29 bytes inside of
[ 30.608824]  4096-byte region [ffff8801adad6c80, ffff8801adad7c80)
[ 30.620713] The buggy address belongs to the page:
[ 30.625641] page:ffffea0006b6b580 count:1 mapcount:0 mapping:ffff8801adad6c80 index:0x0 compound_mapcount: 0
[ 30.635599] flags: 0x2fffc0000008100(slab|head)
[ 30.640256] raw: 02fffc0000008100 ffff8801adad6c80 0000000000000000 0000000100000001
[ 30.648125] raw: ffffea0006b545a0 ffffea0006b53d20 ffff8801da988dc0 0000000000000000
[ 30.655990] page dumped because: kasan: bad access detected
[ 30.661686]
[ 30.663293] Memory state around the buggy address:
[ 30.668213]  ffff8801adad6b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.675581]  ffff8801adad6c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.682933] >ffff8801adad6c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.690295]                             ^
[ 30.694437]  ffff8801adad6d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.701787]  ffff8801adad6d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.709121] ==================================================================
[ 30.716457] Disabling lock debugging due to kernel taint
[ 30.721999] Kernel panic - not syncing: panic_on_warn set ...
[ 30.721999]
[ 30.729363] CPU: 0 PID: 4520 Comm: syz-executor150 Tainted: G B 4.17.0-rc7+ #73
[ 30.738100] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.747450] Call Trace:
[ 30.750032]  dump_stack+0x1b9/0x294
[ 30.753640]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 30.758827]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 30.763582]  ? nla_strlcpy+0x110/0x150
[ 30.767469]  panic+0x22f/0x4de
[ 30.770663]  ? add_taint.cold.5+0x16/0x16
[ 30.774809]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 30.779226]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 30.783635]  ? nla_strlcpy+0x13d/0x150
[ 30.787524]  kasan_end_report+0x47/0x4f
[ 30.791491]  kasan_report.cold.7+0x76/0x2fe
[ 30.795815]  __asan_report_load1_noabort+0x14/0x20
[ 30.800743]  nla_strlcpy+0x13d/0x150
[ 30.804453]  nfnl_acct_new+0x574/0xc50
[ 30.808337]  ? nfnl_acct_overquota+0x380/0x380
[ 30.812915]  ? debug_check_no_locks_freed+0x310/0x310
[ 30.818110]  ? graph_lock+0x170/0x170
[ 30.821912]  ? print_usage_bug+0xc0/0xc0
[ 30.825969]  ? find_held_lock+0x36/0x1c0
[ 30.830024]  ? graph_lock+0x170/0x170
[ 30.833822]  ? lock_downgrade+0x8e0/0x8e0
[ 30.837998]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.843530]  ? __lock_is_held+0xb5/0x140
[ 30.847588]  ? nfnl_acct_overquota+0x380/0x380
[ 30.852165]  nfnetlink_rcv_msg+0xdb5/0xff0
[ 30.856412]  ? __sanitizer_cov_trace_cmp1+0x17/0x20
[ 30.861421]  ? nfnetlink_rcv_msg+0x3bc/0xff0
[ 30.865828]  ? nfnetlink_bind+0x3a0/0x3a0
[ 30.869976]  ? graph_lock+0x170/0x170
[ 30.873769]  ? find_held_lock+0x36/0x1c0
[ 30.877830]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.883371]  netlink_rcv_skb+0x172/0x440
[ 30.887605]  ? nfnetlink_bind+0x3a0/0x3a0
[ 30.891752]  ? netlink_ack+0xbc0/0xbc0
[ 30.895623]  ? __netlink_ns_capable+0x100/0x130
[ 30.900281]  nfnetlink_rcv+0x1fe/0x1ba0
[ 30.904240]  ? kasan_check_read+0x11/0x20
[ 30.908373]  ? rcu_is_watching+0x85/0x140
[ 30.912619]  ? rcu_bh_force_quiescent_state+0x20/0x20
[ 30.917801]  ? nfnl_err_reset+0x2d0/0x2d0
[ 30.921943]  ? netlink_remove_tap+0x610/0x610
[ 30.926420]  ? refcount_add_not_zero+0x320/0x320
[ 30.931157]  ? kasan_check_read+0x11/0x20
[ 30.935288]  ? rcu_is_watching+0x85/0x140
[ 30.939417]  ? rcu_bh_force_quiescent_state+0x20/0x20
[ 30.944588]  ? netlink_skb_destructor+0x210/0x210
[ 30.949419]  ? kasan_check_write+0x14/0x20
[ 30.953636]  netlink_unicast+0x58b/0x740
[ 30.958371]  ? netlink_attachskb+0x970/0x970
[ 30.962793]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.968408]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 30.973408]  ? security_netlink_send+0x88/0xb0
[ 30.977992]  netlink_sendmsg+0x9f0/0xfa0
[ 30.982035]  ? netlink_unicast+0x740/0x740
[ 30.986257]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.992047]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.997564]  ? security_socket_sendmsg+0x94/0xc0
[ 31.002646]  ? netlink_unicast+0x740/0x740
[ 31.006871]  sock_sendmsg+0xd5/0x120
[ 31.010565]  sock_write_iter+0x35a/0x5a0
[ 31.014868]  ? sock_sendmsg+0x120/0x120
[ 31.018823]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 31.024353]  ? iov_iter_init+0xc9/0x1f0
[ 31.028326]  __vfs_write+0x64d/0x960
[ 31.032029]  ? kernel_read+0x120/0x120
[ 31.035986]  ? lock_downgrade+0x8e0/0x8e0
[ 31.040114]  ? handle_mm_fault+0x8c0/0xc70
[ 31.044512]  ? handle_mm_fault+0x55a/0xc70
[ 31.048762]  ? rw_verify_area+0x118/0x360
[ 31.052888]  vfs_write+0x1f8/0x560
[ 31.056583]  ksys_write+0xf9/0x250
[ 31.060116]  ? __ia32_sys_read+0xb0/0xb0
[ 31.064159]  ? __ia32_sys_fallocate+0xf0/0xf0
[ 31.068634]  __x64_sys_write+0x73/0xb0
[ 31.072688]  do_syscall_64+0x1b1/0x800
[ 31.076556]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 31.081473]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.086988]  ? retint_user+0x18/0x18
[ 31.090684]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 31.095508]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.100678] RIP: 0033:0x43fcd9
[ 31.103846] RSP: 002b:00007fff7fa48948 EFLAGS: 00000213 ORIG_RAX: 0000000000000001
[ 31.111618] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fcd9
[ 31.118968] RDX: 000000000000007b RSI: 0000000020000080 RDI: 0000000000000003
[ 31.126215] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 31.133486] R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401600
[ 31.140733] R13: 0000000000401690 R14: 0000000000000000 R15: 0000000000000000
[ 31.148527] Dumping ftrace buffer:
[ 31.152081]    (ftrace buffer empty)
[ 31.156128] Kernel Offset: disabled
[ 31.159736] Rebooting in 86400 seconds..