[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 22.341316] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 25.854888] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.112255] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.609068] random: sshd: uninitialized urandom read (32 bytes read)
[ 816.246649] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.61' (ECDSA) to the list of known hosts.
[ 821.872818] random: sshd: uninitialized urandom read (32 bytes read)
2018/08/19 05:50:00 parsed 1 programs
[ 822.893415] random: cc1: uninitialized urandom read (8 bytes read)
2018/08/19 05:50:01 executed programs: 0
[ 823.704432] IPVS: ftp: loaded support on port[0] = 21
[ 823.806934] ip (4476) used greatest stack depth: 16648 bytes left
[ 823.933652] bridge0: port 1(bridge_slave_0) entered blocking state
[ 823.940123] bridge0: port 1(bridge_slave_0) entered disabled state
[ 823.947908] device bridge_slave_0 entered promiscuous mode
[ 823.966314] bridge0: port 2(bridge_slave_1) entered blocking state
[ 823.972714] bridge0: port 2(bridge_slave_1) entered disabled state
[ 823.980122] device bridge_slave_1 entered promiscuous mode
[ 823.997083] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 824.014923] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 824.067563] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 824.086945] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 824.159403] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 824.167121] team0: Port device team_slave_0 added
[ 824.184951] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 824.192142] team0: Port device team_slave_1 added
[ 824.208253] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 824.225287] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 824.242575] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 824.257721] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 824.388183] bridge0: port 2(bridge_slave_1) entered blocking state
[ 824.394635] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 824.401600] bridge0: port 1(bridge_slave_0) entered blocking state
[ 824.407967] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 824.879626] 8021q: adding VLAN 0 to HW filter on device bond0
[ 824.925795] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 824.975075] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 824.981219] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 824.989139] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 825.030531] 8021q: adding VLAN 0 to HW filter on device team0
[ 825.619945] ==================================================================
[ 825.627486] BUG: KASAN: use-after-free in tipc_group_fill_sock_diag+0x739/0x84b
[ 825.635358] Read of size 2 at addr ffff8801ce8eb172 by task syz-executor0/4790
[ 825.642720]
[ 825.644392] CPU: 0 PID: 4790 Comm: syz-executor0 Not tainted 4.18.0+ #189
[ 825.651315] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 825.660660] Call Trace:
[ 825.663261]  dump_stack+0x1c9/0x2b4
[ 825.666893]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 825.672081]  ? printk+0xa7/0xcf
[ 825.675360]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 825.680139]  ? tipc_group_fill_sock_diag+0x739/0x84b
[ 825.685247]  print_address_description+0x6c/0x20b
[ 825.690090]  ? tipc_group_fill_sock_diag+0x739/0x84b
[ 825.695530]  kasan_report.cold.7+0x242/0x2fe
[ 825.699929]  __asan_report_load2_noabort+0x14/0x20
[ 825.704850]  tipc_group_fill_sock_diag+0x739/0x84b
[ 825.709785]  ? tipc_group_member_evt+0xe30/0xe30
[ 825.714549]  ? skb_put+0x17b/0x1e0
[ 825.718722]  ? memset+0x31/0x40
[ 825.721987]  ? memcpy+0x45/0x50
[ 825.725257]  ? __nla_put+0x37/0x40
[ 825.728781]  ? nla_put+0x11a/0x150
[ 825.732308]  tipc_sk_fill_sock_diag+0x9f8/0xdb0
[ 825.736959]  ? tipc_diag_dump+0x30/0x30
[ 825.740933]  ? tipc_getname+0x7f0/0x7f0
[ 825.744915]  ? save_stack+0xa9/0xd0
[ 825.748560]  ? save_stack+0x43/0xd0
[ 825.752199]  ? kasan_kmalloc+0xc4/0xe0
[ 825.756087]  ? __kmalloc_node_track_caller+0x47/0x70
[ 825.761201]  ? graph_lock+0x170/0x170
[ 825.765003]  ? __netlink_dump_start+0x4f1/0x6f0
[ 825.769673]  ? sock_diag_rcv_msg+0x31d/0x410
[ 825.774084]  ? netlink_rcv_skb+0x172/0x440
[ 825.778316]  ? sock_diag_rcv+0x2a/0x40
[ 825.782198]  ? netlink_unicast+0x5a0/0x760
[ 825.786432]  ? netlink_sendmsg+0xa18/0xfc0
[ 825.790669]  ? sock_sendmsg+0xd5/0x120
[ 825.794554]  ? ___sys_sendmsg+0x7fd/0x930
[ 825.798705]  ? __x64_sys_sendmsg+0x78/0xb0
[ 825.802941]  ? do_syscall_64+0x1b9/0x820
[ 825.807004]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 825.812376]  ? lock_acquire+0x1e4/0x540
[ 825.816409]  ? tipc_nl_sk_walk+0x60a/0xd30
[ 825.820648]  ? tipc_nl_sk_walk+0x311/0xd30
[ 825.824889]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 825.829907]  ? skb_put+0x17b/0x1e0
[ 825.833454]  ? __nlmsg_put+0x14c/0x1b0
[ 825.837353]  __tipc_add_sock_diag+0x22f/0x360
[ 825.841863]  tipc_nl_sk_walk+0x68d/0xd30
[ 825.845935]  ? tipc_sock_diag_handler_dump+0x340/0x340
[ 825.851216]  ? __tipc_nl_add_sk+0x400/0x400
[ 825.855542]  ? skb_scrub_packet+0x490/0x490
[ 825.859873]  ? kasan_check_write+0x14/0x20
[ 825.864110]  ? __mutex_unlock_slowpath+0x197/0x8c0
[ 825.869067]  ? lock_downgrade+0x8f0/0x8f0
[ 825.873220]  tipc_diag_dump+0x24/0x30
[ 825.877024]  netlink_dump+0x519/0xd50
[ 825.880829]  ? netlink_broadcast+0x50/0x50
[ 825.885071]  __netlink_dump_start+0x4f1/0x6f0
[ 825.889570]  ? kasan_check_read+0x11/0x20
[ 825.893723]  tipc_sock_diag_handler_dump+0x234/0x340
[ 825.899058]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[ 825.903710]  ? tipc_unregister_sysctl+0x20/0x20
[ 825.908362]  ? netlink_deliver_tap+0x356/0xfb0
[ 825.912936]  sock_diag_rcv_msg+0x31d/0x410
[ 825.917153]  netlink_rcv_skb+0x172/0x440
[ 825.921198]  ? sock_diag_bind+0x80/0x80
[ 825.925152]  ? netlink_ack+0xbe0/0xbe0
[ 825.929019]  ? rcu_cleanup_dead_rnp+0x200/0x200
[ 825.933676]  sock_diag_rcv+0x2a/0x40
[ 825.937388]  netlink_unicast+0x5a0/0x760
[ 825.941432]  ? netlink_attachskb+0x9a0/0x9a0
[ 825.945823]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 825.951342]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 825.956342]  netlink_sendmsg+0xa18/0xfc0
[ 825.960394]  ? netlink_unicast+0x760/0x760
[ 825.964629]  ? move_addr_to_kernel.part.18+0x100/0x100
[ 825.969917]  ? security_socket_sendmsg+0x94/0xc0
[ 825.974671]  ? netlink_unicast+0x760/0x760
[ 825.978913]  sock_sendmsg+0xd5/0x120
[ 825.982632]  ___sys_sendmsg+0x7fd/0x930
[ 825.986612]  ? copy_msghdr_from_user+0x580/0x580
[ 825.991371]  ? kasan_check_read+0x11/0x20
[ 825.995533]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 825.999947]  ? __fget_light+0x2f7/0x440
[ 826.003920]  ? __local_bh_enable_ip+0x161/0x230
[ 826.008591]  ? fget_raw+0x20/0x20
[ 826.012053]  ? __release_sock+0x3a0/0x3a0
[ 826.016235]  ? tipc_nametbl_build_group+0x279/0x360
[ 826.021270]  ? tipc_setsockopt+0x726/0xd70
[ 826.025519]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 826.031098]  ? sockfd_lookup_light+0xc5/0x160
[ 826.035605]  __sys_sendmsg+0x11d/0x290
[ 826.039592]  ? __ia32_sys_shutdown+0x80/0x80
[ 826.044001]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 826.049544]  ? fput+0x130/0x1a0
[ 826.052827]  ? __x64_sys_futex+0x47f/0x6a0
[ 826.057078]  ? syscall_slow_exit_work+0x500/0x500
[ 826.061929]  __x64_sys_sendmsg+0x78/0xb0
[ 826.065996]  do_syscall_64+0x1b9/0x820
[ 826.069887]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 826.074825]  ? syscall_return_slowpath+0x31d/0x5e0
[ 826.079764]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 826.085135]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 826.089982]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 826.095173] RIP: 0033:0x457089
[ 826.098375] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 826.117292] RSP: 002b:00007fb6e3a9dc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 826.125019] RAX: ffffffffffffffda RBX: 00007fb6e3a9e6d4 RCX: 0000000000457089
[ 826.132294] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000006
[ 826.139573] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[ 826.146853] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 826.154129] R13: 00000000004d4088 R14: 00000000004c8ab0 R15: 0000000000000000
[ 826.161419]
[ 826.163050] Allocated by task 4790:
[ 826.166684]  save_stack+0x43/0xd0
[ 826.170134]  kasan_kmalloc+0xc4/0xe0
[ 826.173855]  kmem_cache_alloc_trace+0x152/0x780
[ 826.178533]  tipc_group_create+0x155/0xa70
[ 826.182772]  tipc_setsockopt+0x2d1/0xd70
[ 826.186837]  __sys_setsockopt+0x1c5/0x3b0
[ 826.190987]  __x64_sys_setsockopt+0xbe/0x150
[ 826.195402]  do_syscall_64+0x1b9/0x820
[ 826.199291]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 826.204471]
[ 826.206099] Freed by task 4789:
[ 826.209391]  save_stack+0x43/0xd0
[ 826.212848]  __kasan_slab_free+0x11a/0x170
[ 826.217078]  kasan_slab_free+0xe/0x10
[ 826.220897]  kfree+0xd9/0x260
[ 826.224003]  tipc_group_delete+0x2e5/0x3f0
[ 826.228238]  tipc_sk_leave+0x113/0x220
[ 826.232123]  tipc_release+0x14e/0x12b0
[ 826.236011]  __sock_release+0xd7/0x250
[ 826.239899]  sock_close+0x19/0x20
[ 826.243448]  __fput+0x39b/0x860
[ 826.246734]  ____fput+0x15/0x20
[ 826.250020]  task_work_run+0x1e8/0x2a0
[ 826.253933]  exit_to_usermode_loop+0x318/0x380
[ 826.258519]  do_syscall_64+0x6be/0x820
[ 826.262415]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 826.267594]
[ 826.269220] The buggy address belongs to the object at ffff8801ce8eb100
[ 826.269220]  which belongs to the cache kmalloc-192 of size 192
[ 826.281882] The buggy address is located 114 bytes inside of
[ 826.281882]  192-byte region [ffff8801ce8eb100, ffff8801ce8eb1c0)
[ 826.293753] The buggy address belongs to the page:
[ 826.298690] page:ffffea00073a3ac0 count:1 mapcount:0 mapping:ffff8801dac00040 index:0xffff8801ce8ebe00
[ 826.308137] flags: 0x2fffc0000000100(slab)
[ 826.312374] raw: 02fffc0000000100 ffffea00073a9388 ffff8801dac01138 ffff8801dac00040
[ 826.320267] raw: ffff8801ce8ebe00 ffff8801ce8eb000 0000000100000009 0000000000000000
[ 826.328140] page dumped because: kasan: bad access detected
[ 826.333840]
[ 826.335460] Memory state around the buggy address:
[ 826.340411]  ffff8801ce8eb000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 826.347768]  ffff8801ce8eb080: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 826.355126] >ffff8801ce8eb100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 826.362476]                                                              ^
[ 826.369491]  ffff8801ce8eb180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 826.376867]  ffff8801ce8eb200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 826.384229] ==================================================================
[ 826.391593] Disabling lock debugging due to kernel taint
[ 826.397113] Kernel panic - not syncing: panic_on_warn set ...
[ 826.397113]
[ 826.404490] CPU: 0 PID: 4790 Comm: syz-executor0 Tainted: G B 4.18.0+ #189
[ 826.412794] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 826.422136] Call Trace:
[ 826.424729]  dump_stack+0x1c9/0x2b4
[ 826.428358]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 826.433555]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 826.438313]  panic+0x238/0x4e7
[ 826.441508]  ? add_taint.cold.5+0x16/0x16
[ 826.445658]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 826.450076]  ? tipc_group_fill_sock_diag+0x739/0x84b
[ 826.455178]  kasan_end_report+0x47/0x4f
[ 826.459155]  kasan_report.cold.7+0x76/0x2fe
[ 826.463477]  __asan_report_load2_noabort+0x14/0x20
[ 826.468413]  tipc_group_fill_sock_diag+0x739/0x84b
[ 826.473339]  ? tipc_group_member_evt+0xe30/0xe30
[ 826.478092]  ? skb_put+0x17b/0x1e0
[ 826.481629]  ? memset+0x31/0x40
[ 826.484904]  ? memcpy+0x45/0x50
[ 826.488184]  ? __nla_put+0x37/0x40
[ 826.491725]  ? nla_put+0x11a/0x150
[ 826.495266]  tipc_sk_fill_sock_diag+0x9f8/0xdb0
[ 826.499942]  ? tipc_diag_dump+0x30/0x30
[ 826.503919]  ? tipc_getname+0x7f0/0x7f0
[ 826.507895]  ? save_stack+0xa9/0xd0
[ 826.511527]  ? save_stack+0x43/0xd0
[ 826.515148]  ? kasan_kmalloc+0xc4/0xe0
[ 826.519034]  ? __kmalloc_node_track_caller+0x47/0x70
[ 826.524135]  ? graph_lock+0x170/0x170
[ 826.527933]  ? __netlink_dump_start+0x4f1/0x6f0
[ 826.532607]  ? sock_diag_rcv_msg+0x31d/0x410
[ 826.537012]  ? netlink_rcv_skb+0x172/0x440
[ 826.541241]  ? sock_diag_rcv+0x2a/0x40
[ 826.545122]  ? netlink_unicast+0x5a0/0x760
[ 826.549356]  ? netlink_sendmsg+0xa18/0xfc0
[ 826.553596]  ? sock_sendmsg+0xd5/0x120
[ 826.557479]  ? ___sys_sendmsg+0x7fd/0x930
[ 826.561629]  ? __x64_sys_sendmsg+0x78/0xb0
[ 826.565863]  ? do_syscall_64+0x1b9/0x820
[ 826.569922]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 826.575393]  ? lock_acquire+0x1e4/0x540
[ 826.579370]  ? tipc_nl_sk_walk+0x60a/0xd30
[ 826.583612]  ? tipc_nl_sk_walk+0x311/0xd30
[ 826.587855]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 826.592871]  ? skb_put+0x17b/0x1e0
[ 826.596419]  ? __nlmsg_put+0x14c/0x1b0
[ 826.600305]  __tipc_add_sock_diag+0x22f/0x360
[ 826.604801]  tipc_nl_sk_walk+0x68d/0xd30
[ 826.608864]  ? tipc_sock_diag_handler_dump+0x340/0x340
[ 826.614150]  ? __tipc_nl_add_sk+0x400/0x400
[ 826.618477]  ? skb_scrub_packet+0x490/0x490
[ 826.622801]  ? kasan_check_write+0x14/0x20
[ 826.627033]  ? __mutex_unlock_slowpath+0x197/0x8c0
[ 826.631962]  ? lock_downgrade+0x8f0/0x8f0
[ 826.636108]  tipc_diag_dump+0x24/0x30
[ 826.639906]  netlink_dump+0x519/0xd50
[ 826.643705]  ? netlink_broadcast+0x50/0x50
[ 826.647940]  __netlink_dump_start+0x4f1/0x6f0
[ 826.652456]  ? kasan_check_read+0x11/0x20
[ 826.656611]  tipc_sock_diag_handler_dump+0x234/0x340
[ 826.661710]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[ 826.666386]  ? tipc_unregister_sysctl+0x20/0x20
[ 826.671057]  ? netlink_deliver_tap+0x356/0xfb0
[ 826.675645]  sock_diag_rcv_msg+0x31d/0x410
[ 826.679884]  netlink_rcv_skb+0x172/0x440
[ 826.683944]  ? sock_diag_bind+0x80/0x80
[ 826.687915]  ? netlink_ack+0xbe0/0xbe0
[ 826.691799]  ? rcu_cleanup_dead_rnp+0x200/0x200
[ 826.696471]  sock_diag_rcv+0x2a/0x40
[ 826.700182]  netlink_unicast+0x5a0/0x760
[ 826.704243]  ? netlink_attachskb+0x9a0/0x9a0
[ 826.708653]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 826.714199]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 826.719218]  netlink_sendmsg+0xa18/0xfc0
[ 826.723278]  ? netlink_unicast+0x760/0x760
[ 826.727510]  ? move_addr_to_kernel.part.18+0x100/0x100
[ 826.732790]  ? security_socket_sendmsg+0x94/0xc0
[ 826.737542]  ? netlink_unicast+0x760/0x760
[ 826.741772]  sock_sendmsg+0xd5/0x120
[ 826.745485]  ___sys_sendmsg+0x7fd/0x930
[ 826.749459]  ? copy_msghdr_from_user+0x580/0x580
[ 826.754216]  ? kasan_check_read+0x11/0x20
[ 826.758362]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 826.762782]  ? __fget_light+0x2f7/0x440
[ 826.766755]  ? __local_bh_enable_ip+0x161/0x230
[ 826.771420]  ? fget_raw+0x20/0x20
[ 826.774873]  ? __release_sock+0x3a0/0x3a0
[ 826.779020]  ? tipc_nametbl_build_group+0x279/0x360
[ 826.784038]  ? tipc_setsockopt+0x726/0xd70
[ 826.788278]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 826.793817]  ? sockfd_lookup_light+0xc5/0x160
[ 826.798306]  __sys_sendmsg+0x11d/0x290
[ 826.802200]  ? __ia32_sys_shutdown+0x80/0x80
[ 826.806609]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 826.812147]  ? fput+0x130/0x1a0
[ 826.815432]  ? __x64_sys_futex+0x47f/0x6a0
[ 826.819680]  ? syscall_slow_exit_work+0x500/0x500
[ 826.824523]  __x64_sys_sendmsg+0x78/0xb0
[ 826.828587]  do_syscall_64+0x1b9/0x820
[ 826.832476]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 826.837420]  ? syscall_return_slowpath+0x31d/0x5e0
[ 826.842374]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 826.847750]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 826.852596]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 826.857783] RIP: 0033:0x457089
[ 826.860976] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 826.879872] RSP: 002b:00007fb6e3a9dc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 826.887578] RAX: ffffffffffffffda RBX: 00007fb6e3a9e6d4 RCX: 0000000000457089
[ 826.894840] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000006
[ 826.902102] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[ 826.909366] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 826.916641] R13: 00000000004d4088 R14: 00000000004c8ab0 R15: 0000000000000000
[ 826.924499] Dumping ftrace buffer:
[ 826.928037]    (ftrace buffer empty)
[ 826.931726] Kernel Offset: disabled
[ 826.935336] Rebooting in 86400 seconds..