[....] Starting OpenBSD Secure Shell server: sshd
[ 11.910443] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login:
[ 24.436906] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.756633] audit: type=1400 audit(1565387994.264:6): avc: denied { map } for pid=1764 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 24.803437] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.316732] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.475450] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.53' (ECDSA) to the list of known hosts.
[ 30.933143] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 31.041273] audit: type=1400 audit(1565388000.554:7): avc: denied { map } for pid=1776 comm="syz-executor919" path="/root/syz-executor919441422" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 31.068406] audit: type=1400 audit(1565388000.554:8): avc: denied { prog_load } for pid=1776 comm="syz-executor919" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 31.091479] ==================================================================
[ 31.092317] audit: type=1400 audit(1565388000.604:9): avc: denied { prog_run } for pid=1776 comm="syz-executor919" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 31.099085] BUG: KASAN: slab-out-of-bounds in bpf_skb_change_proto+0xcc2/0x1080
[ 31.129121] Read of size 2 at addr ffff8881d7236638 by task syz-executor919/1776
[ 31.136694]
[ 31.138312] CPU: 0 PID: 1776 Comm: syz-executor919 Not tainted 4.14.138+ #30
[ 31.145478] Call Trace:
[ 31.148057] dump_stack+0xca/0x134
[ 31.151726] ? bpf_skb_change_proto+0xcc2/0x1080
[ 31.156620] ? bpf_skb_change_proto+0xcc2/0x1080
[ 31.161574] print_address_description+0x60/0x226
[ 31.166949] ? bpf_skb_change_proto+0xcc2/0x1080
[ 31.171974] ? bpf_skb_change_proto+0xcc2/0x1080
[ 31.176867] __kasan_report.cold+0x1a/0x41
[ 31.181154] ? bpf_skb_change_proto+0xcc2/0x1080
[ 31.186399] bpf_skb_change_proto+0xcc2/0x1080
[ 31.191207] ? bpf_skb_generic_pop+0x3e0/0x3e0
[ 31.195819] ___bpf_prog_run+0x2478/0x5510
[ 31.200334] ? lock_downgrade+0x5d0/0x5d0
[ 31.204470] ? lock_acquire+0x12b/0x360
[ 31.208554] ? bpf_jit_compile+0x30/0x30
[ 31.212793] ? __bpf_prog_run512+0x99/0xe0
[ 31.217309] ? ___bpf_prog_run+0x5510/0x5510
[ 31.221721] ? _raw_spin_unlock_irqrestore+0x54/0x70
[ 31.226840] ? trace_hardirqs_on_caller+0x37b/0x540
[ 31.232348] ? __lock_acquire+0x5d7/0x4320
[ 31.236610] ? __lock_acquire+0x5d7/0x4320
[ 31.242060] ? __kasan_kmalloc.part.0+0x8a/0xc0
[ 31.249179] ? trace_hardirqs_on+0x10/0x10
[ 31.253615] ? __lock_acquire+0x5d7/0x4320
[ 31.257963] ? bpf_test_run+0x42/0x340
[ 31.262049] ? lock_acquire+0x12b/0x360
[ 31.266100] ? bpf_test_run+0x13a/0x340
[ 31.270432] ? check_preemption_disabled+0x35/0x1f0
[ 31.275455] ? rcu_dynticks_curr_cpu_in_eqs+0x4c/0xa0
[ 31.281650] ? bpf_test_run+0xa8/0x340
[ 31.285719] ? bpf_prog_test_run_skb+0x45c/0x8c0
[ 31.290465] ? bpf_test_init.isra.0+0xc0/0xc0
[ 31.295346] ? bpf_prog_add+0x53/0xc0
[ 31.299282] ? bpf_test_init.isra.0+0xc0/0xc0
[ 31.303782] ? SyS_bpf+0xa3b/0x3830
[ 31.307917] ? bpf_prog_get+0x20/0x20
[ 31.311726] ? __do_page_fault+0x49f/0xbb0
[ 31.316038] ? lock_downgrade+0x5d0/0x5d0
[ 31.320355] ? __do_page_fault+0x677/0xbb0
[ 31.324716] ? do_syscall_64+0x43/0x520
[ 31.328770] ? bpf_prog_get+0x20/0x20
[ 31.332617] ? do_syscall_64+0x19b/0x520
[ 31.336819] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 31.342313]
[ 31.343929] Allocated by task 1774:
[ 31.348031] __kasan_kmalloc.part.0+0x53/0xc0
[ 31.352586] kmem_cache_alloc+0xd2/0x2e0
[ 31.356770] skb_clone+0x124/0x370
[ 31.360294] dev_queue_xmit_nit+0x2f3/0x970
[ 31.365041] dev_hard_start_xmit+0xa3/0x8c0
[ 31.369448] sch_direct_xmit+0x27a/0x520
[ 31.373616] __dev_queue_xmit+0x1594/0x1d00
[ 31.378019] ip_finish_output2+0x9fe/0x12f0
[ 31.382536] ip_finish_output+0x3be/0xc80
[ 31.386670] ip_output+0x1cf/0x520
[ 31.390307] ip_local_out+0x98/0x170
[ 31.394592] ip_queue_xmit+0x7ca/0x1a70
[ 31.398575] __tcp_transmit_skb+0x18bc/0x2e20
[ 31.403247] tcp_write_xmit+0x510/0x4680
[ 31.407301] __tcp_push_pending_frames+0xa0/0x230
[ 31.412575] tcp_push+0x402/0x600
[ 31.416112] tcp_sendmsg_locked+0x2684/0x31e0
[ 31.420693] tcp_sendmsg+0x2b/0x40
[ 31.424233] inet_sendmsg+0x15b/0x520
[ 31.428373] sock_sendmsg+0xb7/0x100
[ 31.432366] sock_write_iter+0x20f/0x360
[ 31.436619] __vfs_write+0x401/0x5a0
[ 31.440434] vfs_write+0x17f/0x4d0
[ 31.444202] SyS_write+0x102/0x250
[ 31.448001] do_syscall_64+0x19b/0x520
[ 31.451970] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 31.457422] 0xffffffffffffffff
[ 31.460680]
[ 31.462296] Freed by task 1774:
[ 31.466273] __kasan_slab_free+0x164/0x210
[ 31.470674] kmem_cache_free+0xcb/0x340
[ 31.474743] kfree_skbmem+0xa0/0x110
[ 31.478699] kfree_skb+0xeb/0x370
[ 31.482586] packet_rcv_spkt+0xd5/0x4d0
[ 31.486573] dev_queue_xmit_nit+0x6e1/0x970
[ 31.491003] dev_hard_start_xmit+0xa3/0x8c0
[ 31.495312] sch_direct_xmit+0x27a/0x520
[ 31.499570] __dev_queue_xmit+0x1594/0x1d00
[ 31.504054] ip_finish_output2+0x9fe/0x12f0
[ 31.508368] ip_finish_output+0x3be/0xc80
[ 31.512595] ip_output+0x1cf/0x520
[ 31.516237] ip_local_out+0x98/0x170
[ 31.520202] ip_queue_xmit+0x7ca/0x1a70
[ 31.524243] __tcp_transmit_skb+0x18bc/0x2e20
[ 31.529079] tcp_write_xmit+0x510/0x4680
[ 31.533119] __tcp_push_pending_frames+0xa0/0x230
[ 31.538030] tcp_push+0x402/0x600
[ 31.541800] tcp_sendmsg_locked+0x2684/0x31e0
[ 31.546290] tcp_sendmsg+0x2b/0x40
[ 31.549806] inet_sendmsg+0x15b/0x520
[ 31.553688] sock_sendmsg+0xb7/0x100
[ 31.557442] sock_write_iter+0x20f/0x360
[ 31.561491] __vfs_write+0x401/0x5a0
[ 31.565185] vfs_write+0x17f/0x4d0
[ 31.568901] SyS_write+0x102/0x250
[ 31.572556] do_syscall_64+0x19b/0x520
[ 31.576522] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 31.581690] 0xffffffffffffffff
[ 31.585073]
[ 31.586868] The buggy address belongs to the object at ffff8881d7236500
[ 31.586868]  which belongs to the cache skbuff_head_cache of size 224
[ 31.600210] The buggy address is located 88 bytes to the right of
[ 31.600210]  224-byte region [ffff8881d7236500, ffff8881d72365e0)
[ 31.612801] The buggy address belongs to the page:
[ 31.617874] page:ffffea00075c8d80 count:1 mapcount:0 mapping: (null) index:0x0
[ 31.626173] flags: 0x4000000000000200(slab)
[ 31.631262] raw: 4000000000000200 0000000000000000 0000000000000000 00000001800c000c
[ 31.639462] raw: dead000000000100 dead000000000200 ffff8881dab70200 0000000000000000
[ 31.647517] page dumped because: kasan: bad access detected
[ 31.653524]
[ 31.655132] Memory state around the buggy address:
[ 31.660240]  ffff8881d7236500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.670401]  ffff8881d7236580: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 31.677844] >ffff8881d7236600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 31.685372]                                         ^
[ 31.690648]  ffff8881d7236680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.697990]  ffff8881d7236700: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.705437] ==================================================================
[ 31.712908] Disabling lock debugging due to kernel taint
[ 31.719022] Kernel panic - not syncing: panic_on_warn set ...
[ 31.719022]
[ 31.727468] CPU: 0 PID: 1776 Comm: syz-executor919 Tainted: G B 4.14.138+ #30
[ 31.737927] Call Trace:
[ 31.740929] dump_stack+0xca/0x134
[ 31.744570] panic+0x1ea/0x3d3
[ 31.747837] ? add_taint.cold+0x16/0x16
[ 31.752426] ? retint_kernel+0x2d/0x2d
[ 31.756550] ? bpf_skb_change_proto+0xcc2/0x1080
[ 31.762968] end_report+0x43/0x49
[ 31.766415] ? bpf_skb_change_proto+0xcc2/0x1080
[ 31.771671] __kasan_report.cold+0xd/0x41
[ 31.777557] ? bpf_skb_change_proto+0xcc2/0x1080
[ 31.782303] bpf_skb_change_proto+0xcc2/0x1080
[ 31.788056] ? bpf_skb_generic_pop+0x3e0/0x3e0
[ 31.792717] ___bpf_prog_run+0x2478/0x5510
[ 31.797731] ? lock_downgrade+0x5d0/0x5d0
[ 31.801966] ? lock_acquire+0x12b/0x360
[ 31.806105] ? bpf_jit_compile+0x30/0x30
[ 31.810377] ? __bpf_prog_run512+0x99/0xe0
[ 31.814865] ? ___bpf_prog_run+0x5510/0x5510
[ 31.819363] ? _raw_spin_unlock_irqrestore+0x54/0x70
[ 31.824987] ? trace_hardirqs_on_caller+0x37b/0x540
[ 31.830729] ? __lock_acquire+0x5d7/0x4320
[ 31.835148] ? __lock_acquire+0x5d7/0x4320
[ 31.839454] ? __kasan_kmalloc.part.0+0x8a/0xc0
[ 31.844176] ? trace_hardirqs_on+0x10/0x10
[ 31.848401] ? __lock_acquire+0x5d7/0x4320
[ 31.852641] ? bpf_test_run+0x42/0x340
[ 31.856876] ? lock_acquire+0x12b/0x360
[ 31.861195] ? bpf_test_run+0x13a/0x340
[ 31.865436] ? check_preemption_disabled+0x35/0x1f0
[ 31.870538] ? rcu_dynticks_curr_cpu_in_eqs+0x4c/0xa0
[ 31.876056] ? bpf_test_run+0xa8/0x340
[ 31.880136] ? bpf_prog_test_run_skb+0x45c/0x8c0
[ 31.885572] ? bpf_test_init.isra.0+0xc0/0xc0
[ 31.890276] ? bpf_prog_add+0x53/0xc0
[ 31.894734] ? bpf_test_init.isra.0+0xc0/0xc0
[ 31.899405] ? SyS_bpf+0xa3b/0x3830
[ 31.903087] ? bpf_prog_get+0x20/0x20
[ 31.906924] ? __do_page_fault+0x49f/0xbb0
[ 31.911149] ? lock_downgrade+0x5d0/0x5d0
[ 31.915359] ? __do_page_fault+0x677/0xbb0
[ 31.919752] ? do_syscall_64+0x43/0x520
[ 31.924015] ? bpf_prog_get+0x20/0x20
[ 31.928061] ? do_syscall_64+0x19b/0x520
[ 31.932112] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 31.938120] Kernel Offset: 0x7a00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 31.949083] Rebooting in 86400 seconds..