[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Getty on tty6.
[ OK ] Started Getty on tty5.
[ OK ] Started Getty on tty4.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.15.204' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 33.146586] audit: type=1400 audit(1598758376.158:8): avc: denied { execmem } for pid=6352 comm="syz-executor110" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 33.222233] ==================================================================
[ 33.222256] BUG: KASAN: global-out-of-bounds in vga16fb_imageblit+0x1be2/0x2140
[ 33.222260] Read of size 2 at addr ffffffff86e8da1e by task syz-executor110/6352
[ 33.222262]
[ 33.222268] CPU: 0 PID: 6352 Comm: syz-executor110 Not tainted 4.14.195-syzkaller #0
[ 33.222270] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.222273] Call Trace:
[ 33.222280] dump_stack+0x1b2/0x283
[ 33.222290] print_address_description.cold+0x5/0x1d3
[ 33.222296] kasan_report_error.cold+0x8a/0x194
[ 33.222300] ? vga16fb_imageblit+0x1be2/0x2140
[ 33.222304] __asan_report_load2_noabort+0x68/0x70
[ 33.222309] ? vga16fb_imageblit+0x1be2/0x2140
[ 33.222313] vga16fb_imageblit+0x1be2/0x2140
[ 33.222321] ? fb_pad_unaligned_buffer+0x2f/0x2e0
[ 33.222327] soft_cursor+0x50a/0xa50
[ 33.222336] ? trace_hardirqs_on_caller+0x3a8/0x580
[ 33.222341] bit_cursor+0x1056/0x1620
[ 33.222348] ? bit_update_start+0x1f0/0x1f0
[ 33.222357] ? do_update_region+0x41d/0x5b0
[ 33.222361] ? fb_get_color_depth+0x100/0x200
[ 33.222366] ? get_color+0x1be/0x3a0
[ 33.222371] fbcon_cursor+0x4b1/0x6a0
[ 33.222375] ? bit_update_start+0x1f0/0x1f0
[ 33.222378] ? add_softcursor+0x14/0x2d0
[ 33.222384] set_cursor+0x189/0x1e0
[ 33.222389] redraw_screen+0x57b/0x790
[ 33.222411] ? con_shutdown+0x90/0x90
[ 33.222416] ? fbcon_set_palette+0x466/0x580
[ 33.222421] fbcon_modechanged+0x68a/0x980
[ 33.222428] fbcon_event_notify+0x107/0x1760
[ 33.222436] notifier_call_chain+0x108/0x1a0
[ 33.222443] blocking_notifier_call_chain+0x79/0x90
[ 33.222448] fb_set_var+0xac5/0xc90
[ 33.222459] ? fb_set_suspend+0x110/0x110
[ 33.222464] ? __lock_acquire+0x5fc/0x3f20
[ 33.222471] ? lock_acquire+0x170/0x3f0
[ 33.222475] ? do_fb_ioctl+0x2f1/0xa70
[ 33.222485] ? _raw_spin_unlock_irq+0x24/0x80
[ 33.222495] ? do_fb_ioctl+0x2e7/0xa70
[ 33.222502] do_fb_ioctl+0x36d/0xa70
[ 33.222507] ? register_framebuffer+0x8e0/0x8e0
[ 33.222514] ? avc_has_extended_perms+0x6e4/0xbf0
[ 33.222521] ? avc_ss_reset+0x100/0x100
[ 33.222525] ? kasan_slab_free+0x12d/0x1a0
[ 33.222529] ? kasan_slab_free+0xc3/0x1a0
[ 33.222533] ? kmem_cache_free+0x7c/0x2b0
[ 33.222538] ? putname+0xcd/0x110
[ 33.222541] ? do_sys_open+0x203/0x410
[ 33.222547] ? do_syscall_64+0x1d5/0x640
[ 33.222552] ? entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 33.222556] ? path_lookupat+0x780/0x780
[ 33.222564] ? debug_check_no_obj_freed+0x2c0/0x674
[ 33.222577] fb_ioctl+0xdd/0x130
[ 33.222581] ? do_fb_ioctl+0xa70/0xa70
[ 33.222586] do_vfs_ioctl+0x75a/0xff0
[ 33.222591] ? selinux_inode_setxattr+0x730/0x730
[ 33.222596] ? ioctl_preallocate+0x1a0/0x1a0
[ 33.222600] ? kmem_cache_free+0x23a/0x2b0
[ 33.222604] ? putname+0xcd/0x110
[ 33.222608] ? do_sys_open+0x208/0x410
[ 33.222615] ? security_file_ioctl+0x83/0xb0
[ 33.222620] SyS_ioctl+0x7f/0xb0
[ 33.222624] ? do_vfs_ioctl+0xff0/0xff0
[ 33.222629] do_syscall_64+0x1d5/0x640
[ 33.222636] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 33.222640] RIP: 0033:0x4403d9
[ 33.222643] RSP: 002b:00007fff23f24848 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 33.222648] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403d9
[ 33.222651] RDX: 00000000200000c0 RSI: 0000000000004601 RDI: 0000000000000003
[ 33.222653] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 33.222655] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401be0
[ 33.222658] R13: 0000000000401c70 R14: 0000000000000000 R15: 0000000000000000
[ 33.222664]
[ 33.222666] The buggy address belongs to the variable:
[ 33.222670] transl_h+0x3e/0x40
[ 33.222671]
[ 33.222673] Memory state around the buggy address:
[ 33.222677] ffffffff86e8d900: 02 fa fa fa fa fa fa fa 00 00 00 00 00 fa fa fa
[ 33.222680] ffffffff86e8d980: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00
[ 33.222683] >ffffffff86e8da00: fa fa fa fa 00 00 00 00 fa fa fa fa 00 01 fa fa
[ 33.222685] ^
[ 33.222688] ffffffff86e8da80: fa fa fa fa 00 00 00 04 fa fa fa fa 00 00 04 fa
[ 33.222691] ffffffff86e8db00: fa fa fa fa 00 00 00 00 00 00 02 fa fa fa fa fa
[ 33.222693] ==================================================================
[ 33.222694] Disabling lock debugging due to kernel taint
[ 33.222697] Kernel panic - not syncing: panic_on_warn set ...
[ 33.222697]
[ 33.222701] CPU: 0 PID: 6352 Comm: syz-executor110 Tainted: G B 4.14.195-syzkaller #0
[ 33.222703] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.222704] Call Trace:
[ 33.222708] dump_stack+0x1b2/0x283
[ 33.222713] panic+0x1f9/0x42d
[ 33.222717] ? add_taint.cold+0x16/0x16
[ 33.222721] ? lock_downgrade+0x740/0x740
[ 33.222727] kasan_end_report+0x43/0x49
[ 33.222731] kasan_report_error.cold+0xa7/0x194
[ 33.222735] ? vga16fb_imageblit+0x1be2/0x2140
[ 33.222738] __asan_report_load2_noabort+0x68/0x70
[ 33.222742] ? vga16fb_imageblit+0x1be2/0x2140
[ 33.222746] vga16fb_imageblit+0x1be2/0x2140
[ 33.222751] ? fb_pad_unaligned_buffer+0x2f/0x2e0
[ 33.222755] soft_cursor+0x50a/0xa50
[ 33.222761] ? trace_hardirqs_on_caller+0x3a8/0x580
[ 33.222765] bit_cursor+0x1056/0x1620
[ 33.222774] ? bit_update_start+0x1f0/0x1f0
[ 33.222779] ? do_update_region+0x41d/0x5b0
[ 33.222783] ? fb_get_color_depth+0x100/0x200
[ 33.222787] ? get_color+0x1be/0x3a0
[ 33.222791] fbcon_cursor+0x4b1/0x6a0
[ 33.222794] ? bit_update_start+0x1f0/0x1f0
[ 33.222797] ? add_softcursor+0x14/0x2d0
[ 33.222802] set_cursor+0x189/0x1e0
[ 33.222805] redraw_screen+0x57b/0x790
[ 33.222810] ? con_shutdown+0x90/0x90
[ 33.222814] ? fbcon_set_palette+0x466/0x580
[ 33.222818] fbcon_modechanged+0x68a/0x980
[ 33.222823] fbcon_event_notify+0x107/0x1760
[ 33.222828] notifier_call_chain+0x108/0x1a0
[ 33.222833] blocking_notifier_call_chain+0x79/0x90
[ 33.222837] fb_set_var+0xac5/0xc90
[ 33.222841] ? fb_set_suspend+0x110/0x110
[ 33.222845] ? __lock_acquire+0x5fc/0x3f20
[ 33.222850] ? lock_acquire+0x170/0x3f0
[ 33.222854] ? do_fb_ioctl+0x2f1/0xa70
[ 33.222860] ? _raw_spin_unlock_irq+0x24/0x80
[ 33.222867] ? do_fb_ioctl+0x2e7/0xa70
[ 33.222872] do_fb_ioctl+0x36d/0xa70
[ 33.222876] ? register_framebuffer+0x8e0/0x8e0
[ 33.222881] ? avc_has_extended_perms+0x6e4/0xbf0
[ 33.222885] ? avc_ss_reset+0x100/0x100
[ 33.222889] ? kasan_slab_free+0x12d/0x1a0
[ 33.222893] ? kasan_slab_free+0xc3/0x1a0
[ 33.222896] ? kmem_cache_free+0x7c/0x2b0
[ 33.222899] ? putname+0xcd/0x110
[ 33.222901] ? do_sys_open+0x203/0x410
[ 33.222905] ? do_syscall_64+0x1d5/0x640
[ 33.222909] ? entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 33.222913] ? path_lookupat+0x780/0x780
[ 33.222917] ? debug_check_no_obj_freed+0x2c0/0x674
[ 33.222926] fb_ioctl+0xdd/0x130
[ 33.222930] ? do_fb_ioctl+0xa70/0xa70
[ 33.222933] do_vfs_ioctl+0x75a/0xff0
[ 33.222937] ? selinux_inode_setxattr+0x730/0x730
[ 33.222941] ? ioctl_preallocate+0x1a0/0x1a0
[ 33.222945] ? kmem_cache_free+0x23a/0x2b0
[ 33.222948] ? putname+0xcd/0x110
[ 33.222952] ? do_sys_open+0x208/0x410
[ 33.222956] ? security_file_ioctl+0x83/0xb0
[ 33.222961] SyS_ioctl+0x7f/0xb0
[ 33.222964] ? do_vfs_ioctl+0xff0/0xff0
[ 33.222968] do_syscall_64+0x1d5/0x640
[ 33.222974] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 33.222976] RIP: 0033:0x4403d9
[ 33.222978] RSP: 002b:00007fff23f24848 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 33.222982] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403d9
[ 33.222984] RDX: 00000000200000c0 RSI: 0000000000004601 RDI: 0000000000000003
[ 33.222986] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 33.222988] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401be0
[ 33.222990] R13: 0000000000401c70 R14: 0000000000000000 R15: 0000000000000000
[ 33.224148] Kernel Offset: disabled
[ 33.970211] Rebooting in 86400 seconds..