[ ok ] Starting enhanced syslogd: rsyslogd.
[ 13.801386] audit: type=1400 audit(1518169831.293:4): avc: denied { syslog } for pid=3638 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.196' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 26.375787] ==================================================================
[ 26.383173] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0x103/0x120
[ 26.390243] Read of size 8 at addr ffff8801c3bcc140 by task syzkaller678010/3794
[ 26.397745]
[ 26.399353] CPU: 1 PID: 3794 Comm: syzkaller678010 Not tainted 4.9.80-g20c8a00 #30
[ 26.407037] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.416363] ffff8801d7cf7ab0 ffffffff81d94b69 ffffea00070ef300 ffff8801c3bcc140
[ 26.424333] 0000000000000000 ffff8801c3bcc140 ffff8801b511c438 ffff8801d7cf7ae8
[ 26.432310] ffffffff8153e093 ffff8801c3bcc140 0000000000000008 0000000000000000
[ 26.440284] Call Trace:
[ 26.442841] [] dump_stack+0xc1/0x128
[ 26.448184] [] print_address_description+0x73/0x280
[ 26.454817] [] kasan_report+0x275/0x360
[ 26.460411] [] ? sg_remove_request+0x103/0x120
[ 26.466620] [] __asan_report_load8_noabort+0x14/0x20
[ 26.473353] [] sg_remove_request+0x103/0x120
[ 26.479384] [] sg_finish_rem_req+0x295/0x340
[ 26.485409] [] sg_read+0xa16/0x1440
[ 26.490667] [] ? sg_proc_seq_show_debug+0xd90/0xd90
[ 26.497306] [] ? fasync_insert_entry+0x147/0x2e0
[ 26.503677] [] ? sg_proc_seq_show_debug+0xd90/0xd90
[ 26.510310] [] __vfs_read+0x103/0x670
[ 26.515731] [] ? default_llseek+0x290/0x290
[ 26.521674] [] ? fsnotify+0x86/0xf30
[ 26.527010] [] ? fsnotify+0xf30/0xf30
[ 26.532438] [] ? avc_policy_seqno+0x9/0x20
[ 26.538301] [] ? selinux_file_permission+0x82/0x460
[ 26.544942] [] ? security_file_permission+0x89/0x1e0
[ 26.551666] [] ? rw_verify_area+0xe5/0x2b0
[ 26.557523] [] vfs_read+0x11e/0x380
[ 26.562778] [] SyS_read+0xd9/0x1b0
[ 26.567942] [] ? vfs_copy_file_range+0x740/0x740
[ 26.574322] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 26.581133] [] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 26.587687] [] entry_SYSCALL_64_fastpath+0x29/0xe8
[ 26.594241]
[ 26.595839] Allocated by task 0:
[ 26.599170] (stack is not available)
[ 26.602848]
[ 26.604450] Freed by task 0:
[ 26.607441] (stack is not available)
[ 26.611125]
[ 26.612726] The buggy address belongs to the object at ffff8801c3bcc100
[ 26.612726]  which belongs to the cache fasync_cache of size 96
[ 26.625354] The buggy address is located 64 bytes inside of
[ 26.625354]  96-byte region [ffff8801c3bcc100, ffff8801c3bcc160)
[ 26.637023] The buggy address belongs to the page:
[ 26.641928] page:ffffea00070ef300 count:1 mapcount:0 mapping: (null) index:0x0
[ 26.650158] flags: 0x8000000000000080(slab)
[ 26.654448] page dumped because: kasan: bad access detected
[ 26.660124]
[ 26.661721] Memory state around the buggy address:
[ 26.666617] ffff8801c3bcc000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 26.673945] ffff8801c3bcc080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.681273] >ffff8801c3bcc100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.688597]                                            ^
[ 26.694019] ffff8801c3bcc180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.701350] ffff8801c3bcc200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.708682] ==================================================================
[ 26.716014] Disabling lock debugging due to kernel taint
[ 26.721528] Kernel panic - not syncing: panic_on_warn set ...
[ 26.721528]
[ 26.728877] CPU: 1 PID: 3794 Comm: syzkaller678010 Tainted: G B 4.9.80-g20c8a00 #30
[ 26.737769] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.747100] ffff8801d7cf7a08 ffffffff81d94b69 ffffffff841970af ffff8801d7cf7ae0
[ 26.755071] 0000000000000000 ffff8801c3bcc140 ffff8801b511c438 ffff8801d7cf7ad0
[ 26.763033] ffffffff8142f541 0000000041b58ab3 ffffffff8418ab20 ffffffff8142f385
[ 26.770995] Call Trace:
[ 26.773554] [] dump_stack+0xc1/0x128
[ 26.778892] [] panic+0x1bc/0x3a8
[ 26.783886] [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 26.792091] [] ? preempt_schedule+0x25/0x30
[ 26.798030] [] ? ___preempt_schedule+0x16/0x18
[ 26.804228] [] kasan_end_report+0x50/0x50
[ 26.809997] [] kasan_report+0x167/0x360
[ 26.815594] [] ? sg_remove_request+0x103/0x120
[ 26.821805] [] __asan_report_load8_noabort+0x14/0x20
[ 26.828536] [] sg_remove_request+0x103/0x120
[ 26.834581] [] sg_finish_rem_req+0x295/0x340
[ 26.840620] [] sg_read+0xa16/0x1440
[ 26.845867] [] ? sg_proc_seq_show_debug+0xd90/0xd90
[ 26.852501] [] ? fasync_insert_entry+0x147/0x2e0
[ 26.858872] [] ? sg_proc_seq_show_debug+0xd90/0xd90
[ 26.866093] [] __vfs_read+0x103/0x670
[ 26.871513] [] ? default_llseek+0x290/0x290
[ 26.877451] [] ? fsnotify+0x86/0xf30
[ 26.882782] [] ? fsnotify+0xf30/0xf30
[ 26.888201] [] ? avc_policy_seqno+0x9/0x20
[ 26.894052] [] ? selinux_file_permission+0x82/0x460
[ 26.900687] [] ? security_file_permission+0x89/0x1e0
[ 26.907404] [] ? rw_verify_area+0xe5/0x2b0
[ 26.913253] [] vfs_read+0x11e/0x380
[ 26.918511] [] SyS_read+0xd9/0x1b0
[ 26.923679] [] ? vfs_copy_file_range+0x740/0x740
[ 26.930061] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 26.936872] [] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 26.943426] [] entry_SYSCALL_64_fastpath+0x29/0xe8
[ 26.950437] Dumping ftrace buffer:
[ 26.953951]    (ftrace buffer empty)
[ 26.957631] Kernel Offset: disabled
[ 26.961230] Rebooting in 86400 seconds..