[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 44.475163] random: sshd: uninitialized urandom read (32 bytes read)
[ 44.697481] audit: type=1400 audit(1541342424.073:6): avc: denied { map } for pid=1782 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 44.741667] random: sshd: uninitialized urandom read (32 bytes read)
[ 45.176635] random: sshd: uninitialized urandom read (32 bytes read)
[ 62.380902] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.99' (ECDSA) to the list of known hosts.
[ 67.874108] random: sshd: uninitialized urandom read (32 bytes read)
[ 67.970289] audit: type=1400 audit(1541342447.353:7): avc: denied { map } for pid=1806 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2018/11/04 14:40:47 parsed 1 programs
[ 68.518012] audit: type=1400 audit(1541342447.893:8): avc: denied { map } for pid=1806 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=4999 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 68.983105] random: cc1: uninitialized urandom read (8 bytes read)
2018/11/04 14:40:49 executed programs: 0
[ 70.303841] audit: type=1400 audit(1541342449.683:9): avc: denied { map } for pid=1806 comm="syz-execprog" path="/root/syzkaller-shm863587585" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 75.438045] audit: type=1400 audit(1541342454.813:10): avc: denied { prog_load } for pid=4087 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
2018/11/04 14:40:54 executed programs: 6
[ 75.488597] audit: type=1400 audit(1541342454.863:12): avc: denied { prog_run } for pid=4094 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 75.536933] ==================================================================
[ 75.536955] BUG: KASAN: slab-out-of-bounds in bpf_skb_vlan_push+0x45e/0x540
[ 75.536962] Read of size 4 at addr ffff8801c9e9a608 by task syz-executor3/4118
[ 75.536964]
[ 75.536972] CPU: 1 PID: 4118 Comm: syz-executor3 Not tainted 4.14.78+ #27
[ 75.536975] Call Trace:
[ 75.536985]  dump_stack+0xb9/0x11b
[ 75.536999]  print_address_description+0x60/0x22b
[ 75.537011]  kasan_report.cold.6+0x11b/0x2dd
[ 75.537018]  ? bpf_skb_vlan_push+0x45e/0x540
[ 75.537030]  bpf_skb_vlan_push+0x45e/0x540
[ 75.537044]  ___bpf_prog_run+0x248e/0x5c70
[ 75.537056]  ? __free_insn_slot+0x490/0x490
[ 75.537066]  ? bpf_jit_compile+0x30/0x30
[ 75.537080]  ? depot_save_stack+0x20a/0x428
[ 75.537094]  ? __bpf_prog_run512+0x99/0xe0
[ 75.537102]  ? ___bpf_prog_run+0x5c70/0x5c70
[ 75.537123]  ? __lock_acquire+0x619/0x4320
[ 75.537140]  ? trace_hardirqs_on+0x10/0x10
[ 75.537164]  ? trace_hardirqs_on+0x10/0x10
[ 75.537176]  ? __lock_acquire+0x619/0x4320
[ 75.537199]  ? bpf_test_run+0x57/0x350
[ 75.537217]  ? lock_acquire+0x10f/0x380
[ 75.537229]  ? check_preemption_disabled+0x34/0x160
[ 75.537243]  ? bpf_test_run+0xab/0x350
[ 75.537264]  ? bpf_prog_test_run_skb+0x63d/0x8c0
[ 75.537278]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 75.537290]  ? __fget_light+0x192/0x1f0
[ 75.537296]  ? bpf_prog_add+0x42/0xa0
[ 75.537303]  ? fput+0xa/0x130
[ 75.537313]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 75.537337]  ? SyS_bpf+0x79d/0x3640
[ 75.537404]  ? bpf_prog_get+0x20/0x20
[ 75.537423]  ? _copy_to_user+0x7f/0xc0
[ 75.537448]  ? put_timespec64+0xb9/0x110
[ 75.537465]  ? do_clock_gettime+0x30/0xb0
[ 75.537476]  ? SyS_clock_gettime+0x7b/0xd0
[ 75.537484]  ? do_clock_gettime+0xb0/0xb0
[ 75.537495]  ? do_syscall_64+0x43/0x4b0
[ 75.537506]  ? bpf_prog_get+0x20/0x20
[ 75.537512]  ? do_syscall_64+0x19b/0x4b0
[ 75.537528]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 75.537548]
[ 75.537552] Allocated by task 2357:
[ 75.537560]  kasan_kmalloc.part.1+0x4f/0xd0
[ 75.537566]  kmem_cache_alloc+0xe4/0x2b0
[ 75.537572]  __alloc_skb+0xd8/0x550
[ 75.537591]  netlink_dump+0x19d/0xa60
[ 75.537597]  __netlink_dump_start+0x4e4/0x750
[ 75.537603]  rtnetlink_rcv_msg+0x6db/0xb30
[ 75.537609]  netlink_rcv_skb+0x130/0x390
[ 75.537626]  netlink_unicast+0x46d/0x620
[ 75.537632]  netlink_sendmsg+0x664/0xbe0
[ 75.537639]  sock_sendmsg+0xb5/0x100
[ 75.537646]  SyS_sendto+0x211/0x340
[ 75.537650]  do_syscall_64+0x19b/0x4b0
[ 75.537656]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 75.537658]
[ 75.537661] Freed by task 2357:
[ 75.537668]  kasan_slab_free+0xac/0x190
[ 75.537674]  kmem_cache_free+0x12d/0x350
[ 75.537680]  kfree_skbmem+0x9e/0x100
[ 75.537686]  consume_skb+0xc9/0x330
[ 75.537692]  skb_free_datagram+0x15/0xd0
[ 75.537698]  netlink_recvmsg+0x569/0xd10
[ 75.537704]  sock_recvmsg+0xc0/0x100
[ 75.537710]  ___sys_recvmsg+0x242/0x510
[ 75.537716]  __sys_recvmsg+0xc7/0x170
[ 75.537722]  SyS_recvmsg+0x27/0x40
[ 75.537727]  do_syscall_64+0x19b/0x4b0
[ 75.537733]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 75.537735]
[ 75.537741] The buggy address belongs to the object at ffff8801c9e9a500
[ 75.537741]  which belongs to the cache skbuff_head_cache of size 224
[ 75.537747] The buggy address is located 40 bytes to the right of
[ 75.537747]  224-byte region [ffff8801c9e9a500, ffff8801c9e9a5e0)
[ 75.537749] The buggy address belongs to the page:
[ 75.537755] page:ffffea000727a680 count:1 mapcount:0 mapping: (null) index:0x0
[ 75.537762] flags: 0x4000000000000100(slab)
[ 75.537771] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[ 75.537779] raw: ffffea0007308d80 0000000600000006 ffff8801dab70200 0000000000000000
[ 75.537782] page dumped because: kasan: bad access detected
[ 75.537784]
[ 75.537786] Memory state around the buggy address:
[ 75.537792]  ffff8801c9e9a500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.537797]  ffff8801c9e9a580: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 75.537802] >ffff8801c9e9a600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 75.537805]                                            ^
[ 75.537810]  ffff8801c9e9a680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.537816]  ffff8801c9e9a700: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 75.537818] ==================================================================
[ 75.537820] Disabling lock debugging due to kernel taint
[ 75.537824] Kernel panic - not syncing: panic_on_warn set ...
[ 75.537824]
[ 75.537831] CPU: 1 PID: 4118 Comm: syz-executor3 Tainted: G B 4.14.78+ #27
[ 75.537833] Call Trace:
[ 75.537841]  dump_stack+0xb9/0x11b
[ 75.537849]  panic+0x1bf/0x3a4
[ 75.537856]  ? add_taint.cold.4+0x16/0x16
[ 75.537871]  kasan_end_report+0x43/0x49
[ 75.537878]  kasan_report.cold.6+0x77/0x2dd
[ 75.537885]  ? bpf_skb_vlan_push+0x45e/0x540
[ 75.537894]  bpf_skb_vlan_push+0x45e/0x540
[ 75.537903]  ___bpf_prog_run+0x248e/0x5c70
[ 75.537911]  ? __free_insn_slot+0x490/0x490
[ 75.537919]  ? bpf_jit_compile+0x30/0x30
[ 75.537928]  ? depot_save_stack+0x20a/0x428
[ 75.537937]  ? __bpf_prog_run512+0x99/0xe0
[ 75.537944]  ? ___bpf_prog_run+0x5c70/0x5c70
[ 75.537955]  ? __lock_acquire+0x619/0x4320
[ 75.537965]  ? trace_hardirqs_on+0x10/0x10
[ 75.537975]  ? trace_hardirqs_on+0x10/0x10
[ 75.537983]  ? __lock_acquire+0x619/0x4320
[ 75.537997]  ? bpf_test_run+0x57/0x350
[ 75.538007]  ? lock_acquire+0x10f/0x380
[ 75.538016]  ? check_preemption_disabled+0x34/0x160
[ 75.538026]  ? bpf_test_run+0xab/0x350
[ 75.538038]  ? bpf_prog_test_run_skb+0x63d/0x8c0
[ 75.538048]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 75.538056]  ? __fget_light+0x192/0x1f0
[ 75.538062]  ? bpf_prog_add+0x42/0xa0
[ 75.538080]  ? fput+0xa/0x130
[ 75.538088]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 75.538095]  ? SyS_bpf+0x79d/0x3640
[ 75.538104]  ? bpf_prog_get+0x20/0x20
[ 75.538110]  ? _copy_to_user+0x7f/0xc0
[ 75.538117]  ? put_timespec64+0xb9/0x110
[ 75.538128]  ? do_clock_gettime+0x30/0xb0
[ 75.538158]  ? SyS_clock_gettime+0x7b/0xd0
[ 75.538166]  ? do_clock_gettime+0xb0/0xb0
[ 75.538173]  ? do_syscall_64+0x43/0x4b0
[ 75.538181]  ? bpf_prog_get+0x20/0x20
[ 75.538187]  ? do_syscall_64+0x19b/0x4b0
[ 75.538197]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 75.538504] Kernel Offset: 0x23a00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 76.140588] Rebooting in 86400 seconds..