[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.43' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 35.821083] audit: type=1400 audit(1600863089.241:8): avc: denied { execmem } for pid=6376 comm="syz-executor065" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 35.843287] IPVS: ftp: loaded support on port[0] = 21
[ 35.879225] ntfs: (device loop0): is_boot_sector_ntfs(): Invalid end of sector marker.
[ 35.887866] ==================================================================
[ 35.895246] BUG: KASAN: slab-out-of-bounds in ntfs_attr_find+0x8df/0xa10
[ 35.902084] Read of size 4 at addr ffff8880971a2480 by task syz-executor065/6377
[ 35.909621]
[ 35.911237] CPU: 0 PID: 6377 Comm: syz-executor065 Not tainted 4.14.198-syzkaller #0
[ 35.919560] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.929097] Call Trace:
[ 35.931685]  dump_stack+0x1b2/0x283
[ 35.935315]  print_address_description.cold+0x54/0x1d3
[ 35.940585]  kasan_report_error.cold+0x8a/0x194
[ 35.945240]  ? ntfs_attr_find+0x8df/0xa10
[ 35.949378]  __asan_report_load_n_noabort+0x6b/0x80
[ 35.954420]  ? ntfs_attr_find+0x8df/0xa10
[ 35.959528]  ntfs_attr_find+0x8df/0xa10
[ 35.963784]  ntfs_attr_lookup+0xeca/0x1f30
[ 35.968638]  ? do_raw_spin_unlock+0x164/0x220
[ 35.973398]  ? _raw_spin_unlock+0x29/0x40
[ 35.977800]  ? cache_alloc_refill+0x2fa/0x350
[ 35.982474]  ? check_preemption_disabled+0x35/0x240
[ 35.987511]  ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0
[ 35.992782]  ? kmem_cache_alloc+0x2f8/0x3c0
[ 35.997187]  ntfs_read_inode_mount+0x6b4/0x1fb0
[ 36.001853]  ntfs_fill_super+0x9a6/0x7170
[ 36.005994]  ? vsnprintf+0x260/0x1340
[ 36.009773]  ? pointer+0x9e0/0x9e0
[ 36.013309]  ? lock_downgrade+0x740/0x740
[ 36.017456]  ? ntfs_big_inode_init_once+0x20/0x20
[ 36.022564]  ? snprintf+0xa5/0xd0
[ 36.026356]  ? vsprintf+0x30/0x30
[ 36.030324]  ? ns_test_super+0x50/0x50
[ 36.034255]  ? set_blocksize+0x125/0x380
[ 36.038328]  mount_bdev+0x2b3/0x360
[ 36.041966]  ? ntfs_big_inode_init_once+0x20/0x20
[ 36.047300]  mount_fs+0x92/0x2a0
[ 36.050881]  vfs_kern_mount.part.0+0x5b/0x470
[ 36.056287]  do_mount+0xe53/0x2a00
[ 36.059908]  ? retint_kernel+0x2d/0x2d
[ 36.063785]  ? copy_mount_string+0x40/0x40
[ 36.068007]  ? memset+0x20/0x40
[ 36.071284]  ? copy_mount_options+0x1fa/0x2f0
[ 36.075889]  ? copy_mnt_ns+0xa30/0xa30
[ 36.079776]  SyS_mount+0xa8/0x120
[ 36.083379]  ? copy_mnt_ns+0xa30/0xa30
[ 36.087275]  do_syscall_64+0x1d5/0x640
[ 36.091399]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 36.096731] RIP: 0033:0x447cda
[ 36.101367] RSP: 002b:00007fff14bcd6b8 EFLAGS: 00000287 ORIG_RAX: 00000000000000a5
[ 36.109507] RAX: ffffffffffffffda RBX: 00007fff14bcd710 RCX: 0000000000447cda
[ 36.116770] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fff14bcd6d0
[ 36.124125] RBP: 0000000000000004 R08: 00007fff14bcd710 R09: 00007fff14bcd700
[ 36.131526] R10: 0000000000000000 R11: 0000000000000287 R12: 0000000000000003
[ 36.138798] R13: 00007fff14bcd6d0 R14: 0000000000000000 R15: 0000000020000780
[ 36.146064]
[ 36.147737] Allocated by task 6370:
[ 36.151377]  kasan_kmalloc+0xeb/0x160
[ 36.155290]  kmem_cache_alloc+0x124/0x3c0
[ 36.159434]  getname_flags+0xc8/0x550
[ 36.163226]  do_sys_open+0x1ce/0x410
[ 36.166936]  do_syscall_64+0x1d5/0x640
[ 36.170810]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 36.175973]
[ 36.177580] Freed by task 6370:
[ 36.180840]  kasan_slab_free+0xc3/0x1a0
[ 36.184814]  kmem_cache_free+0x7c/0x2b0
[ 36.188866]  putname+0xcd/0x110
[ 36.192136]  do_sys_open+0x203/0x410
[ 36.195828]  do_syscall_64+0x1d5/0x640
[ 36.199689]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 36.204849]
[ 36.206450] The buggy address belongs to the object at ffff8880971a2cc0
[ 36.206450]  which belongs to the cache names_cache of size 4096
[ 36.219188] The buggy address is located 2112 bytes to the left of
[ 36.219188]  4096-byte region [ffff8880971a2cc0, ffff8880971a3cc0)
[ 36.231658] The buggy address belongs to the page:
[ 36.236577] page:ffffea00025c6880 count:1 mapcount:0 mapping:ffff8880971a2cc0 index:0x0 compound_mapcount: 0
[ 36.246535] flags: 0xfffe0000008100(slab|head)
[ 36.251190] raw: 00fffe0000008100 ffff8880971a2cc0 0000000000000000 0000000100000001
[ 36.259328] raw: ffffea00025c3320 ffffea00025c2120 ffff8880aa58ccc0 0000000000000000
[ 36.269064] page dumped because: kasan: bad access detected
[ 36.274799]
[ 36.276587] Memory state around the buggy address:
[ 36.281495]  ffff8880971a2380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.288940]  ffff8880971a2400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.296281] >ffff8880971a2480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.303616]                    ^
[ 36.307057]  ffff8880971a2500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.314405]  ffff8880971a2580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.321745] ==================================================================
[ 36.329079] Disabling lock debugging due to kernel taint
[ 36.335927] Kernel panic - not syncing: panic_on_warn set ...
[ 36.335927]
[ 36.343302] CPU: 0 PID: 6377 Comm: syz-executor065 Tainted: G B 4.14.198-syzkaller #0
[ 36.352396] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.361744] Call Trace:
[ 36.364336]  dump_stack+0x1b2/0x283
[ 36.368028]  panic+0x1f9/0x42d
[ 36.371231]  ? add_taint.cold+0x16/0x16
[ 36.375200]  ? ___preempt_schedule+0x16/0x18
[ 36.379918]  kasan_end_report+0x43/0x49
[ 36.383885]  kasan_report_error.cold+0xa7/0x194
[ 36.388944]  ? ntfs_attr_find+0x8df/0xa10
[ 36.393551]  __asan_report_load_n_noabort+0x6b/0x80
[ 36.398565]  ? ntfs_attr_find+0x8df/0xa10
[ 36.403510]  ntfs_attr_find+0x8df/0xa10
[ 36.407482]  ntfs_attr_lookup+0xeca/0x1f30
[ 36.411701]  ? do_raw_spin_unlock+0x164/0x220
[ 36.416279]  ? _raw_spin_unlock+0x29/0x40
[ 36.420411]  ? cache_alloc_refill+0x2fa/0x350
[ 36.424982]  ? check_preemption_disabled+0x35/0x240
[ 36.430177]  ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0
[ 36.435465]  ? kmem_cache_alloc+0x2f8/0x3c0
[ 36.439867]  ntfs_read_inode_mount+0x6b4/0x1fb0
[ 36.444535]  ntfs_fill_super+0x9a6/0x7170
[ 36.448678]  ? vsnprintf+0x260/0x1340
[ 36.452639]  ? pointer+0x9e0/0x9e0
[ 36.456171]  ? lock_downgrade+0x740/0x740
[ 36.460299]  ? ntfs_big_inode_init_once+0x20/0x20
[ 36.465309]  ? snprintf+0xa5/0xd0
[ 36.468768]  ? vsprintf+0x30/0x30
[ 36.472205]  ? ns_test_super+0x50/0x50
[ 36.476092]  ? set_blocksize+0x125/0x380
[ 36.480152]  mount_bdev+0x2b3/0x360
[ 36.483924]  ? ntfs_big_inode_init_once+0x20/0x20
[ 36.489540]  mount_fs+0x92/0x2a0
[ 36.494174]  vfs_kern_mount.part.0+0x5b/0x470
[ 36.498697]  do_mount+0xe53/0x2a00
[ 36.502232]  ? retint_kernel+0x2d/0x2d
[ 36.506115]  ? copy_mount_string+0x40/0x40
[ 36.510331]  ? memset+0x20/0x40
[ 36.513593]  ? copy_mount_options+0x1fa/0x2f0
[ 36.518094]  ? copy_mnt_ns+0xa30/0xa30
[ 36.521963]  SyS_mount+0xa8/0x120
[ 36.525396]  ? copy_mnt_ns+0xa30/0xa30
[ 36.529788]  do_syscall_64+0x1d5/0x640
[ 36.533669]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 36.539341] RIP: 0033:0x447cda
[ 36.542521] RSP: 002b:00007fff14bcd6b8 EFLAGS: 00000287 ORIG_RAX: 00000000000000a5
[ 36.550214] RAX: ffffffffffffffda RBX: 00007fff14bcd710 RCX: 0000000000447cda
[ 36.557499] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fff14bcd6d0
[ 36.564763] RBP: 0000000000000004 R08: 00007fff14bcd710 R09: 00007fff14bcd700
[ 36.572046] R10: 0000000000000000 R11: 0000000000000287 R12: 0000000000000003
[ 36.579311] R13: 00007fff14bcd6d0 R14: 0000000000000000 R15: 0000000020000780
[ 36.588146] Kernel Offset: disabled
[ 36.591898] Rebooting in 86400 seconds..