[....] Starting OpenBSD Secure Shell server: sshd
[    8.959778] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   28.696149] random: sshd: uninitialized urandom read (32 bytes read)
[   29.208924] audit: type=1400 audit(1547754779.161:6): avc: denied { map } for pid=1757 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   29.275754] random: sshd: uninitialized urandom read (32 bytes read)
[   29.726425] random: sshd: uninitialized urandom read (32 bytes read)
[   29.870098] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.40' (ECDSA) to the list of known hosts.
[   35.373765] random: sshd: uninitialized urandom read (32 bytes read)
[   35.455465] audit: type=1400 audit(1547754785.411:7): avc: denied { map } for pid=1769 comm="syz-executor101" path="/root/syz-executor101123913" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[   35.701056] ==================================================================
[   35.708604] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[   35.715259] Read of size 8 at addr ffff8881d1bad150 by task syz-executor101/1772
[   35.722769] 
[   35.724525] CPU: 1 PID: 1772 Comm: syz-executor101 Not tainted 4.14.94+ #10
[   35.731622] Call Trace:
[   35.734252]  dump_stack+0xb9/0x10e
[   35.738675]  ? ip_local_deliver+0x43d/0x450
[   35.745671]  print_address_description+0x60/0x226
[   35.750503]  ? ip_local_deliver+0x43d/0x450
[   35.754805]  kasan_report.cold+0x88/0x2a5
[   35.758936]  ? ip_local_deliver+0x43d/0x450
[   35.763316]  ? ip_call_ra_chain+0x540/0x540
[   35.767635]  ? __lock_acquire+0x56a/0x3fa0
[   35.771852]  ? ip_rcv+0x99f/0xf7a
[   35.775291]  ? ip_rcv_finish+0x5c9/0x1490
[   35.779425]  ? ip_rcv+0x9e2/0xf7a
[   35.782869]  ? ip_local_deliver+0x450/0x450
[   35.787169]  ? __lock_acquire+0x56a/0x3fa0
[   35.791392]  ? check_preemption_disabled+0x35/0x1f0
[   35.796398]  ? ip_local_deliver+0x450/0x450
[   35.800699]  ? __netif_receive_skb_core+0x1364/0x2c60
[   35.805876]  ? trace_hardirqs_on+0x10/0x10
[   35.810094]  ? flush_backlog+0x580/0x580
[   35.814133]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   35.819300]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   35.824468]  ? lock_acquire+0x10f/0x380
[   35.828439]  ? __netif_receive_skb+0x55/0x1f0
[   35.832916]  ? __netif_receive_skb+0x55/0x1f0
[   35.837387]  ? netif_receive_skb_internal+0xec/0x5c0
[   35.842467]  ? dev_cpu_dead+0x810/0x810
[   35.846423]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   35.851850]  ? rcu_read_lock_sched_held+0x10a/0x130
[   35.856844]  ? tun_rx_batched.isra.0+0x45d/0x730
[   35.861575]  ? __skb_get_hash_symmetric+0x255/0x620
[   35.866570]  ? tun_chr_read_iter+0x1c0/0x1c0
[   35.870958]  ? tun_get_user+0xc07/0x3790
[   35.875004]  ? __local_bh_enable_ip+0x65/0xc0
[   35.879481]  ? tun_get_user+0xd95/0x3790
[   35.883527]  ? tun_rx_batched.isra.0+0x730/0x730
[   35.888263]  ? debug_mutex_add_waiter+0x60/0x150
[   35.893097]  ? mark_held_locks+0xa6/0xf0
[   35.897142]  ? get_page_from_freelist+0x85e/0x1d60
[   35.902205]  ? preempt_count_add+0xb8/0x180
[   35.906510]  ? __tun_get+0x11c/0x220
[   35.910206]  ? check_preemption_disabled+0x35/0x1f0
[   35.916433]  ? tun_chr_write_iter+0xcf/0x180
[   35.920826]  ? do_iter_readv_writev+0x379/0x580
[   35.925473]  ? clone_verify_area+0x1e0/0x1e0
[   35.930081]  ? avc_policy_seqno+0x5/0x10
[   35.934134]  ? security_file_permission+0x88/0x1e0
[   35.939049]  ? do_iter_write+0x152/0x550
[   35.943154]  ? lock_downgrade+0x5d0/0x5d0
[   35.947304]  ? vfs_writev+0x146/0x2d0
[   35.951083]  ? vfs_iter_write+0xa0/0xa0
[   35.955036]  ? __handle_mm_fault+0x6c5/0x2640
[   35.959673]  ? __fsnotify_inode_delete+0x20/0x20
[   35.964439]  ? __do_page_fault+0x48e/0xb80
[   35.968676]  ? lock_downgrade+0x5d0/0x5d0
[   35.973022]  ? check_preemption_disabled+0x35/0x1f0
[   35.978043]  ? do_writev+0xc9/0x240
[   35.981649]  ? vfs_writev+0x2d0/0x2d0
[   35.985432]  ? do_syscall_64+0x43/0x4b0
[   35.989391]  ? SyS_readv+0x30/0x30
[   35.992912]  ? do_syscall_64+0x19b/0x4b0
[   35.997131]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   36.002490] 
[   36.004106] Allocated by task 1772:
[   36.007717]  kasan_kmalloc.part.0+0x4f/0xd0
[   36.012017]  kmem_cache_alloc+0xd2/0x2d0
[   36.016061]  __build_skb+0x2e/0x2d0
[   36.019665]  build_skb+0x1a/0x1f0
[   36.023108]  tun_get_user+0x248b/0x3790
[   36.027111]  tun_chr_write_iter+0xcf/0x180
[   36.031327]  do_iter_readv_writev+0x379/0x580
[   36.035798]  do_iter_write+0x152/0x550
[   36.039663]  vfs_writev+0x146/0x2d0
[   36.043272]  do_writev+0xc9/0x240
[   36.046703]  do_syscall_64+0x19b/0x4b0
[   36.050573] 
[   36.052183] Freed by task 1772:
[   36.055522]  kasan_slab_free+0xb0/0x190
[   36.059485]  kmem_cache_free+0xc4/0x330
[   36.063441]  kfree_skbmem+0xa0/0x100
[   36.067132]  kfree_skb+0xcd/0x350
[   36.070568]  ip_defrag+0x5f4/0x3b50
[   36.074273]  ip_local_deliver+0x165/0x450
[   36.078402]  ip_rcv_finish+0x5c9/0x1490
[   36.082413]  ip_rcv+0x9e2/0xf7a
[   36.085680]  __netif_receive_skb_core+0x1364/0x2c60
[   36.090679]  __netif_receive_skb+0x55/0x1f0
[   36.094988]  netif_receive_skb_internal+0xec/0x5c0
[   36.099900]  tun_rx_batched.isra.0+0x45d/0x730
[   36.104466]  tun_get_user+0xd95/0x3790
[   36.108484]  tun_chr_write_iter+0xcf/0x180
[   36.112807]  do_iter_readv_writev+0x379/0x580
[   36.117333]  do_iter_write+0x152/0x550
[   36.121253]  vfs_writev+0x146/0x2d0
[   36.125011]  do_writev+0xc9/0x240
[   36.128445]  do_syscall_64+0x19b/0x4b0
[   36.132310] 
[   36.134010] The buggy address belongs to the object at ffff8881d1bad140
[   36.134010]  which belongs to the cache skbuff_head_cache of size 224
[   36.147179] The buggy address is located 16 bytes inside of
[   36.147179]  224-byte region [ffff8881d1bad140, ffff8881d1bad220)
[   36.158943] The buggy address belongs to the page:
[   36.164010] page:ffffea000746eb40 count:1 mapcount:0 mapping: (null) index:0x0
[   36.172231] flags: 0x4000000000000100(slab)
[   36.176546] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[   36.184482] raw: dead000000000100 dead000000000200 ffff8881dab58200 0000000000000000
[   36.192353] page dumped because: kasan: bad access detected
[   36.198283] 
[   36.199959] Memory state around the buggy address:
[   36.205025]  ffff8881d1bad000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.212381]  ffff8881d1bad080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   36.219719] >ffff8881d1bad100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   36.227146]                                                  ^
[   36.233104]  ffff8881d1bad180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.240451]  ffff8881d1bad200: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   36.247797] ==================================================================
[   36.255157] Disabling lock debugging due to kernel taint
[   36.260636] Kernel panic - not syncing: panic_on_warn set ...
[   36.260636] 
[   36.267988] CPU: 1 PID: 1772 Comm: syz-executor101 Tainted: G B 4.14.94+ #10
[   36.276274] Call Trace:
[   36.278848]  dump_stack+0xb9/0x10e
[   36.282368]  panic+0x1d9/0x3c2
[   36.285546]  ? add_taint.cold+0x16/0x16
[   36.289495]  ? retint_kernel+0x2d/0x2d
[   36.293372]  ? ip_local_deliver+0x43d/0x450
[   36.297685]  kasan_end_report+0x43/0x49
[   36.301660]  kasan_report.cold+0xa4/0x2a5
[   36.305787]  ? ip_local_deliver+0x43d/0x450
[   36.310098]  ? ip_call_ra_chain+0x540/0x540
[   36.314456]  ? __lock_acquire+0x56a/0x3fa0
[   36.318679]  ? ip_rcv+0x99f/0xf7a
[   36.322107]  ? ip_rcv_finish+0x5c9/0x1490
[   36.326241]  ? ip_rcv+0x9e2/0xf7a
[   36.329725]  ? ip_local_deliver+0x450/0x450
[   36.334035]  ? __lock_acquire+0x56a/0x3fa0
[   36.338256]  ? check_preemption_disabled+0x35/0x1f0
[   36.343255]  ? ip_local_deliver+0x450/0x450
[   36.347559]  ? __netif_receive_skb_core+0x1364/0x2c60
[   36.352729]  ? trace_hardirqs_on+0x10/0x10
[   36.357096]  ? flush_backlog+0x580/0x580
[   36.361143]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   36.366318]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   36.371488]  ? lock_acquire+0x10f/0x380
[   36.375440]  ? __netif_receive_skb+0x55/0x1f0
[   36.379995]  ? __netif_receive_skb+0x55/0x1f0
[   36.384485]  ? netif_receive_skb_internal+0xec/0x5c0
[   36.389568]  ? dev_cpu_dead+0x810/0x810
[   36.393524]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   36.399010]  ? rcu_read_lock_sched_held+0x10a/0x130
[   36.404152]  ? tun_rx_batched.isra.0+0x45d/0x730
[   36.408894]  ? __skb_get_hash_symmetric+0x255/0x620
[   36.413891]  ? tun_chr_read_iter+0x1c0/0x1c0
[   36.418283]  ? tun_get_user+0xc07/0x3790
[   36.422401]  ? __local_bh_enable_ip+0x65/0xc0
[   36.426887]  ? tun_get_user+0xd95/0x3790
[   36.430931]  ? tun_rx_batched.isra.0+0x730/0x730
[   36.435671]  ? debug_mutex_add_waiter+0x60/0x150
[   36.440548]  ? mark_held_locks+0xa6/0xf0
[   36.444592]  ? get_page_from_freelist+0x85e/0x1d60
[   36.449618]  ? preempt_count_add+0xb8/0x180
[   36.453934]  ? __tun_get+0x11c/0x220
[   36.457642]  ? check_preemption_disabled+0x35/0x1f0
[   36.462642]  ? tun_chr_write_iter+0xcf/0x180
[   36.467029]  ? do_iter_readv_writev+0x379/0x580
[   36.471677]  ? clone_verify_area+0x1e0/0x1e0
[   36.476128]  ? avc_policy_seqno+0x5/0x10
[   36.480182]  ? security_file_permission+0x88/0x1e0
[   36.485100]  ? do_iter_write+0x152/0x550
[   36.489143]  ? lock_downgrade+0x5d0/0x5d0
[   36.493272]  ? vfs_writev+0x146/0x2d0
[   36.497055]  ? vfs_iter_write+0xa0/0xa0
[   36.501127]  ? __handle_mm_fault+0x6c5/0x2640
[   36.505663]  ? __fsnotify_inode_delete+0x20/0x20
[   36.510478]  ? __do_page_fault+0x48e/0xb80
[   36.514701]  ? lock_downgrade+0x5d0/0x5d0
[   36.519019]  ? check_preemption_disabled+0x35/0x1f0
[   36.524026]  ? do_writev+0xc9/0x240
[   36.527633]  ? vfs_writev+0x2d0/0x2d0
[   36.531411]  ? do_syscall_64+0x43/0x4b0
[   36.535362]  ? SyS_readv+0x30/0x30
[   36.538887]  ? do_syscall_64+0x19b/0x4b0
[   36.542945]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   36.548697] Kernel Offset: 0x13600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   36.559651] Rebooting in 86400 seconds..