[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 26.269172] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.524706] audit: type=1400 audit(1538537147.899:6): avc: denied { map } for pid=1776 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 26.569098] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.001820] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.117' (ECDSA) to the list of known hosts.
[ 32.674560] urandom_read: 1 callbacks suppressed
[ 32.674564] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 32.770908] audit: type=1400 audit(1538537154.149:7): avc: denied { map } for pid=1794 comm="syz-executor525" path="/root/syz-executor525565252" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 32.799163] audit: type=1400 audit(1538537154.169:8): avc: denied { prog_load } for pid=1794 comm="syz-executor525" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 32.823110] audit: type=1400 audit(1538537154.199:9): avc: denied { prog_run } for pid=1794 comm="syz-executor525" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 32.823179] ==================================================================
[ 32.823201] BUG: KASAN: slab-out-of-bounds in bpf_skb_vlan_push+0x45e/0x540
[ 32.823207] Read of size 4 at addr ffff8801d0ef0c48 by task syz-executor525/1794
[ 32.823209]
[ 32.823217] CPU: 1 PID: 1794 Comm: syz-executor525 Not tainted 4.14.73+ #14
[ 32.823219] Call Trace:
[ 32.823230]  dump_stack+0xb9/0x11b
[ 32.823256]  print_address_description+0x60/0x22b
[ 32.823268]  kasan_report.cold.6+0x11b/0x2dd
[ 32.823275]  ? bpf_skb_vlan_push+0x45e/0x540
[ 32.823286]  bpf_skb_vlan_push+0x45e/0x540
[ 32.823300]  ___bpf_prog_run+0x248e/0x5c70
[ 32.823312]  ? __free_insn_slot+0x490/0x490
[ 32.823322]  ? bpf_jit_compile+0x30/0x30
[ 32.823334]  ? depot_save_stack+0x20a/0x428
[ 32.823347]  ? __bpf_prog_run512+0x99/0xe0
[ 32.823355]  ? ___bpf_prog_run+0x5c70/0x5c70
[ 32.823374]  ? __lock_acquire+0x619/0x4320
[ 32.823390]  ? trace_hardirqs_on+0x10/0x10
[ 32.823404]  ? trace_hardirqs_on+0x10/0x10
[ 32.823415]  ? __lock_acquire+0x619/0x4320
[ 32.823427]  ? get_unused_fd_flags+0xc0/0xc0
[ 32.823442]  ? bpf_test_run+0x57/0x350
[ 32.823460]  ? lock_acquire+0x10f/0x380
[ 32.823471]  ? check_preemption_disabled+0x34/0x160
[ 32.823485]  ? bpf_test_run+0xab/0x350
[ 32.823504]  ? bpf_prog_test_run_skb+0x63d/0x8c0
[ 32.823517]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 32.823527]  ? __fget_light+0x163/0x1f0
[ 32.823533]  ? bpf_prog_add+0x42/0xa0
[ 32.823544]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 32.823553]  ? SyS_bpf+0x79d/0x3640
[ 32.823575]  ? bpf_prog_get+0x20/0x20
[ 32.823584]  ? __do_page_fault+0x485/0xb60
[ 32.823592]  ? lock_downgrade+0x560/0x560
[ 32.823610]  ? up_read+0x17/0x30
[ 32.823617]  ? __do_page_fault+0x64c/0xb60
[ 32.823629]  ? do_syscall_64+0x43/0x4b0
[ 32.823641]  ? bpf_prog_get+0x20/0x20
[ 32.823646]  ? do_syscall_64+0x19b/0x4b0
[ 32.823661]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 32.823681]
[ 32.823685] Allocated by task 230:
[ 32.823692]  kasan_kmalloc.part.1+0x4f/0xd0
[ 32.823698]  kmem_cache_alloc+0xe4/0x2b0
[ 32.823705]  __alloc_skb+0xd8/0x550
[ 32.823711]  alloc_skb_with_frags+0xab/0x500
[ 32.823717]  sock_alloc_send_pskb+0x55e/0x6e0
[ 32.823724]  unix_dgram_sendmsg+0x37b/0xf50
[ 32.823730]  sock_sendmsg+0xb5/0x100
[ 32.823736]  SyS_sendto+0x211/0x340
[ 32.823741]  do_syscall_64+0x19b/0x4b0
[ 32.823747]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 32.823749]
[ 32.823752] Freed by task 191:
[ 32.823759]  kasan_slab_free+0xac/0x190
[ 32.823764]  kmem_cache_free+0x12d/0x350
[ 32.823770]  kfree_skbmem+0x9e/0x100
[ 32.823776]  consume_skb+0xc9/0x330
[ 32.823782]  skb_free_datagram+0x15/0xd0
[ 32.823787]  unix_dgram_recvmsg+0x762/0xd20
[ 32.823793]  sock_recvmsg+0xc0/0x100
[ 32.823799]  SyS_recvfrom+0x1d2/0x310
[ 32.823804]  do_syscall_64+0x19b/0x4b0
[ 32.823810]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 32.823812]
[ 32.823817] The buggy address belongs to the object at ffff8801d0ef0b40
[ 32.823817]  which belongs to the cache skbuff_head_cache of size 224
[ 32.823823] The buggy address is located 40 bytes to the right of
[ 32.823823]  224-byte region [ffff8801d0ef0b40, ffff8801d0ef0c20)
[ 32.823825] The buggy address belongs to the page:
[ 32.823832] page:ffffea000743bc00 count:1 mapcount:0 mapping: (null) index:0x0
[ 32.823839] flags: 0x4000000000000100(slab)
[ 32.823848] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[ 32.823856] raw: 0000000000000000 0000000100000001 ffff8801dab70200 0000000000000000
[ 32.823859] page dumped because: kasan: bad access detected
[ 32.823860]
[ 32.823862] Memory state around the buggy address:
[ 32.823868]  ffff8801d0ef0b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 32.823873]  ffff8801d0ef0b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.823878] >ffff8801d0ef0c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.823881]                                               ^
[ 32.823886]  ffff8801d0ef0c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.823891]  ffff8801d0ef0d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 32.823894] ==================================================================
[ 32.823896] Disabling lock debugging due to kernel taint
[ 32.823900] Kernel panic - not syncing: panic_on_warn set ...
[ 32.823900]
[ 32.823906] CPU: 1 PID: 1794 Comm: syz-executor525 Tainted: G B 4.14.73+ #14
[ 32.823908] Call Trace:
[ 32.823916]  dump_stack+0xb9/0x11b
[ 32.823924]  panic+0x1bf/0x3a4
[ 32.823932]  ? add_taint.cold.4+0x16/0x16
[ 32.823946]  kasan_end_report+0x43/0x49
[ 32.823953]  kasan_report.cold.6+0x77/0x2dd
[ 32.823959]  ? bpf_skb_vlan_push+0x45e/0x540
[ 32.823968]  bpf_skb_vlan_push+0x45e/0x540
[ 32.823977]  ___bpf_prog_run+0x248e/0x5c70
[ 32.823985]  ? __free_insn_slot+0x490/0x490
[ 32.823992]  ? bpf_jit_compile+0x30/0x30
[ 32.824001]  ? depot_save_stack+0x20a/0x428
[ 32.824010]  ? __bpf_prog_run512+0x99/0xe0
[ 32.824017]  ? ___bpf_prog_run+0x5c70/0x5c70
[ 32.824028]  ? __lock_acquire+0x619/0x4320
[ 32.824038]  ? trace_hardirqs_on+0x10/0x10
[ 32.824047]  ? trace_hardirqs_on+0x10/0x10
[ 32.824055]  ? __lock_acquire+0x619/0x4320
[ 32.824064]  ? get_unused_fd_flags+0xc0/0xc0
[ 32.824074]  ? bpf_test_run+0x57/0x350
[ 32.824085]  ? lock_acquire+0x10f/0x380
[ 32.824093]  ? check_preemption_disabled+0x34/0x160
[ 32.824103]  ? bpf_test_run+0xab/0x350
[ 32.824115]  ? bpf_prog_test_run_skb+0x63d/0x8c0
[ 32.824124]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 32.824131]  ? __fget_light+0x163/0x1f0
[ 32.824137]  ? bpf_prog_add+0x42/0xa0
[ 32.824145]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 32.824152]  ? SyS_bpf+0x79d/0x3640
[ 32.824162]  ? bpf_prog_get+0x20/0x20
[ 32.824168]  ? __do_page_fault+0x485/0xb60
[ 32.824175]  ? lock_downgrade+0x560/0x560
[ 32.824185]  ? up_read+0x17/0x30
[ 32.824191]  ? __do_page_fault+0x64c/0xb60
[ 32.824199]  ? do_syscall_64+0x43/0x4b0
[ 32.824207]  ? bpf_prog_get+0x20/0x20
[ 32.824212]  ? do_syscall_64+0x19b/0x4b0
[ 32.824222]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 32.845873] Kernel Offset: 0xd600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 33.429307] Rebooting in 86400 seconds..