[ ok ] Starting enhanced syslogd: rsyslogd.
[   13.446398] audit: type=1400 audit(1513168925.808:5): avc: denied { syslog } for pid=3001 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   18.603611] audit: type=1400 audit(1513168930.965:6): avc: denied { map } for pid=3142 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added 'ci-upstream-kasan-gce-386-3,10.128.15.230' (ECDSA) to the list of known hosts.
executing program
[   25.210670] audit: type=1400 audit(1513168937.572:7): avc: denied { map } for pid=3156 comm="syzkaller814298" path="/root/syzkaller814298950" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   25.217509] ==================================================================
[   25.217531] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x1634/0x3270
[   25.217539] Read of size 8192 at addr ffff8801c585d2d8 by task syzkaller814298/3156
[   25.217544] 
[   25.217554] CPU: 1 PID: 3156 Comm: syzkaller814298 Not tainted 4.15.0-rc3+ #129
[   25.217560] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.217564] Call Trace:
[   25.217576]  dump_stack+0x194/0x257
[   25.217591]  ? arch_local_irq_restore+0x53/0x53
[   25.217603]  ? show_regs_print_info+0x18/0x18
[   25.217612]  ? __lock_is_held+0xbc/0x140
[   25.217629]  ? pfkey_add+0x1634/0x3270
[   25.217642]  print_address_description+0x73/0x250
[   25.217652]  ? pfkey_add+0x1634/0x3270
[   25.217663]  kasan_report+0x25b/0x340
[   25.217679]  check_memory_region+0x137/0x190
[   25.217690]  memcpy+0x23/0x50
[   25.217702]  pfkey_add+0x1634/0x3270
[   25.217729]  ? set_ipsecrequest+0x310/0x310
[   25.217743]  ? lock_release+0xda0/0xda0
[   25.217754]  ? set_ipsecrequest+0x310/0x310
[   25.217767]  pfkey_process+0x60b/0x720
[   25.217786]  ? pfkey_send_new_mapping+0x11b0/0x11b0
[   25.217794]  ? kasan_check_write+0x14/0x20
[   25.217853]  pfkey_sendmsg+0x4d6/0x9f0
[   25.217869]  ? pfkey_spdget+0xb00/0xb00
[   25.217886]  ? selinux_socket_sendmsg+0x36/0x40
[   25.217897]  ? security_socket_sendmsg+0x89/0xb0
[   25.217907]  ? pfkey_spdget+0xb00/0xb00
[   25.217923]  sock_sendmsg+0xca/0x110
[   25.217937]  ___sys_sendmsg+0x75b/0x8a0
[   25.217955]  ? copy_msghdr_from_user+0x590/0x590
[   25.217972]  ? check_noncircular+0x20/0x20
[   25.217991]  ? __pmd_alloc+0x4e0/0x4e0
[   25.218005]  ? find_held_lock+0x39/0x1d0
[   25.218018]  ? __fget_light+0x29d/0x390
[   25.218031]  ? fget_raw+0x20/0x20
[   25.218051]  ? find_held_lock+0x39/0x1d0
[   25.218085]  ? __fdget+0x18/0x20
[   25.218102]  __sys_sendmsg+0xe5/0x210
[   25.218111]  ? __sys_sendmsg+0xe5/0x210
[   25.218124]  ? SyS_shutdown+0x290/0x290
[   25.218132]  ? handle_mm_fault+0x410/0x8d0
[   25.218143]  ? __do_page_fault+0x32d/0xc90
[   25.218154]  ? __handle_mm_fault+0x3e20/0x3e20
[   25.218162]  ? vmacache_find+0x5f/0x280
[   25.218210]  compat_SyS_sendmsg+0x2a/0x40
[   25.218221]  ? compat_SyS_getsockopt+0x420/0x420
[   25.218231]  do_fast_syscall_32+0x3ee/0xf9d
[   25.218252]  ? do_int80_syscall_32+0x9d0/0x9d0
[   25.218262]  ? kasan_check_read+0x11/0x20
[   25.218275]  ? syscall_return_slowpath+0x550/0x550
[   25.218288]  ? SyS_rt_sigaction+0x94/0x1b0
[   25.218302]  ? lockdep_sys_exit+0x47/0xf0
[   25.218312]  ? retint_user+0x18/0x18
[   25.218330]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   25.218350]  entry_SYSENTER_compat+0x51/0x60
[   25.218358] RIP: 0023:0xf7f96c79
[   25.218364] RSP: 002b:00000000ffb5c01c EFLAGS: 00000203 ORIG_RAX: 0000000000000172
[   25.218376] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000205f5000
[   25.218382] RDX: 0000000000000000 RSI: 0000000000000167 RDI: 000000000000000f
[   25.218387] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
[   25.218393] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   25.218399] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   25.218430] 
[   25.218435] Allocated by task 3156:
[   25.218444]  save_stack+0x43/0xd0
[   25.218451]  kasan_kmalloc+0xad/0xe0
[   25.218460]  __kmalloc_node_track_caller+0x47/0x70
[   25.218468]  __kmalloc_reserve.isra.41+0x41/0xd0
[   25.218475]  __alloc_skb+0x13b/0x780
[   25.218482]  pfkey_sendmsg+0x20f/0x9f0
[   25.218490]  sock_sendmsg+0xca/0x110
[   25.218497]  ___sys_sendmsg+0x75b/0x8a0
[   25.218505]  __sys_sendmsg+0xe5/0x210
[   25.218513]  compat_SyS_sendmsg+0x2a/0x40
[   25.218520]  do_fast_syscall_32+0x3ee/0xf9d
[   25.218528]  entry_SYSENTER_compat+0x51/0x60
[   25.218532] 
[   25.218537] Freed by task 1647:
[   25.218544]  save_stack+0x43/0xd0
[   25.218551]  kasan_slab_free+0x71/0xc0
[   25.218559]  kfree+0xca/0x250
[   25.218567]  kernfs_fop_release+0x13f/0x180
[   25.218575]  __fput+0x333/0x7f0
[   25.218582]  ____fput+0x15/0x20
[   25.218590]  task_work_run+0x199/0x270
[   25.218597]  exit_to_usermode_loop+0x296/0x310
[   25.218605]  syscall_return_slowpath+0x490/0x550
[   25.218613]  entry_SYSCALL_64_fastpath+0x94/0x96
[   25.218616] 
[   25.218623] The buggy address belongs to the object at ffff8801c585d2c0
[   25.218623]  which belongs to the cache kmalloc-512 of size 512
[   25.218630] The buggy address is located 24 bytes inside of
[   25.218630]  512-byte region [ffff8801c585d2c0, ffff8801c585d4c0)
[   25.218634] The buggy address belongs to the page:
[   25.218642] page:00000000a83766cd count:1 mapcount:0 mapping:000000007f1ae482 index:0x0
[   25.218653] flags: 0x2fffc0000000100(slab)
[   25.218664] raw: 02fffc0000000100 ffff8801c585d040 0000000000000000 0000000100000006
[   25.218673] raw: ffffea000715dee0 ffffea0007154260 ffff8801db000940 0000000000000000
[   25.218678] page dumped because: kasan: bad access detected
[   25.218682] 
[   25.218687] Memory state around the buggy address:
[   25.218694]  ffff8801c585d380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   25.218701]  ffff8801c585d400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   25.218708] >ffff8801c585d480: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   25.218713]                                            ^
[   25.218720]  ffff8801c585d500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   25.218727]  ffff8801c585d580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.218731] ==================================================================
[   25.218734] Disabling lock debugging due to kernel taint
[   25.218755] Kernel panic - not syncing: panic_on_warn set ...
[   25.218755] 
[   25.218761] CPU: 1 PID: 3156 Comm: syzkaller814298 Tainted: G    B            4.15.0-rc3+ #129
[   25.218764] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.218766] Call Trace:
[   25.218772]  dump_stack+0x194/0x257
[   25.218780]  ? arch_local_irq_restore+0x53/0x53
[   25.218787]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   25.218794]  ? vsnprintf+0x1ed/0x1900
[   25.218801]  ? pfkey_add+0x15b0/0x3270
[   25.218808]  panic+0x1e4/0x41c
[   25.218814]  ? refcount_error_report+0x214/0x214
[   25.218844]  ? add_taint+0x1c/0x50
[   25.218851]  ? add_taint+0x1c/0x50
[   25.218858]  ? pfkey_add+0x1634/0x3270
[   25.218864]  kasan_end_report+0x50/0x50
[   25.218870]  kasan_report+0x144/0x340
[   25.218879]  check_memory_region+0x137/0x190
[   25.218885]  memcpy+0x23/0x50
[   25.218893]  pfkey_add+0x1634/0x3270
[   25.218906]  ? set_ipsecrequest+0x310/0x310
[   25.218914]  ? lock_release+0xda0/0xda0
[   25.218921]  ? set_ipsecrequest+0x310/0x310
[   25.218929]  pfkey_process+0x60b/0x720
[   25.218940]  ? pfkey_send_new_mapping+0x11b0/0x11b0
[   25.218944]  ? kasan_check_write+0x14/0x20
[   25.218972]  pfkey_sendmsg+0x4d6/0x9f0
[   25.218981]  ? pfkey_spdget+0xb00/0xb00
[   25.218989]  ? selinux_socket_sendmsg+0x36/0x40
[   25.218996]  ? security_socket_sendmsg+0x89/0xb0
[   25.219005]  ? pfkey_spdget+0xb00/0xb00
[   25.219012]  sock_sendmsg+0xca/0x110
[   25.219021]  ___sys_sendmsg+0x75b/0x8a0
[   25.219032]  ? copy_msghdr_from_user+0x590/0x590
[   25.219041]  ? check_noncircular+0x20/0x20
[   25.219051]  ? __pmd_alloc+0x4e0/0x4e0
[   25.219058]  ? find_held_lock+0x39/0x1d0
[   25.219064]  ? __fget_light+0x29d/0x390
[   25.219072]  ? fget_raw+0x20/0x20
[   25.219083]  ? find_held_lock+0x39/0x1d0
[   25.219100]  ? __fdget+0x18/0x20
[   25.219110]  __sys_sendmsg+0xe5/0x210
[   25.219117]  ? __sys_sendmsg+0xe5/0x210
[   25.219125]  ? SyS_shutdown+0x290/0x290
[   25.219129]  ? handle_mm_fault+0x410/0x8d0
[   25.219136]  ? __do_page_fault+0x32d/0xc90
[   25.219142]  ? __handle_mm_fault+0x3e20/0x3e20
[   25.219148]  ? vmacache_find+0x5f/0x280
[   25.219172]  compat_SyS_sendmsg+0x2a/0x40
[   25.219178]  ? compat_SyS_getsockopt+0x420/0x420
[   25.219184]  do_fast_syscall_32+0x3ee/0xf9d
[   25.219196]  ? do_int80_syscall_32+0x9d0/0x9d0
[   25.219202]  ? kasan_check_read+0x11/0x20
[   25.219210]  ? syscall_return_slowpath+0x550/0x550
[   25.219218]  ? SyS_rt_sigaction+0x94/0x1b0
[   25.219226]  ? lockdep_sys_exit+0x47/0xf0
[   25.219232]  ? retint_user+0x18/0x18
[   25.219242]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   25.219254]  entry_SYSENTER_compat+0x51/0x60
[   25.219257] RIP: 0023:0xf7f96c79
[   25.219261] RSP: 002b:00000000ffb5c01c EFLAGS: 00000203 ORIG_RAX: 0000000000000172
[   25.219267] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000205f5000
[   25.219270] RDX: 0000000000000000 RSI: 0000000000000167 RDI: 000000000000000f
[   25.219273] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
[   25.219276] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   25.219279] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   25.237850] Dumping ftrace buffer:
[   25.237854]    (ftrace buffer empty)
[   25.237857] Kernel Offset: disabled
[   26.066765] Rebooting in 86400 seconds..