[....] Starting OpenBSD Secure Shell server: sshd [ ok ].
[....] Starting file context maintaining daemon: restorecond [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   30.195977] random: sshd: uninitialized urandom read (32 bytes read)
[   30.734145] audit: type=1400 audit(1547061044.692:6): avc: denied { map } for pid=1759 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   30.766876] random: sshd: uninitialized urandom read (32 bytes read)
[   31.188068] random: sshd: uninitialized urandom read (32 bytes read)
[   31.328465] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.48' (ECDSA) to the list of known hosts.
[   36.953495] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   37.034221] audit: type=1400 audit(1547061050.992:7): avc: denied { map } for pid=1771 comm="syz-executor180" path="/root/syz-executor180789414" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   37.284686] ==================================================================
[   37.292143] BUG: KASAN: use-after-free in ip_check_defrag+0x4f5/0x523
[   37.298699] Write of size 4 at addr ffff8881cfafd31c by task syz-executor180/1773
[   37.306292] 
[   37.307908] CPU: 0 PID: 1773 Comm: syz-executor180 Not tainted 4.14.92+ #4
[   37.314896] Call Trace:
[   37.317473]  dump_stack+0xb9/0x10e
[   37.320993]  ? ip_check_defrag+0x4f5/0x523
[   37.325210]  print_address_description+0x60/0x226
[   37.330036]  ? ip_check_defrag+0x4f5/0x523
[   37.334252]  kasan_report.cold+0x88/0x2a5
[   37.338381]  ? ip_check_defrag+0x4f5/0x523
[   37.342594]  ? ip_defrag+0x3b50/0x3b50
[   37.346460]  ? mark_held_locks+0xa6/0xf0
[   37.350503]  ? check_preemption_disabled+0x35/0x1f0
[   37.355499]  ? packet_rcv_fanout+0x4d1/0x5e0
[   37.359885]  ? fanout_demux_rollover+0x4d0/0x4d0
[   37.364619]  ? dev_queue_xmit_nit+0x21a/0x960
[   37.369095]  ? dev_hard_start_xmit+0xa3/0x890
[   37.373571]  ? sch_direct_xmit+0x27a/0x520
[   37.377784]  ? dev_deactivate_queue.constprop.0+0x150/0x150
[   37.383469]  ? lock_acquire+0x10f/0x380
[   37.387418]  ? ip_finish_output2+0x9fe/0x12f0
[   37.391892]  ? __dev_queue_xmit+0x1565/0x1cd0
[   37.396377]  ? netdev_pick_tx+0x2e0/0x2e0
[   37.400508]  ? ip_do_fragment+0xa20/0x1ee0
[   37.404722]  ? mark_held_locks+0xa6/0xf0
[   37.408804]  ? ip_finish_output2+0xd92/0x12f0
[   37.413292]  ? ip_finish_output2+0x9fe/0x12f0
[   37.417782]  ? ip_copy_addrs+0xd0/0xd0
[   37.421654]  ? ip_do_fragment+0xa20/0x1ee0
[   37.425875]  ? ip_do_fragment+0xa20/0x1ee0
[   37.430093]  ? ip_copy_addrs+0xd0/0xd0
[   37.434056]  ? ip_fragment.constprop.0+0x146/0x200
[   37.438967]  ? ip_finish_output+0x7a7/0xc70
[   37.443313]  ? ip_mc_output+0x231/0xbe0
[   37.447275]  ? ip_queue_xmit+0x1a70/0x1a70
[   37.451484]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   37.456915]  ? ip_fragment.constprop.0+0x200/0x200
[   37.461820]  ? dst_release+0xc/0x80
[   37.465428]  ? __ip_make_skb+0xe30/0x1690
[   37.469556]  ? ip_local_out+0x98/0x170
[   37.473467]  ? ip_send_skb+0x3a/0xc0
[   37.477170]  ? ip_push_pending_frames+0x5f/0x80
[   37.481821]  ? raw_sendmsg+0x19de/0x2270
[   37.485875]  ? raw_seq_next+0x80/0x80
[   37.489656]  ? avc_has_perm_noaudit+0x2d0/0x2d0
[   37.494306]  ? __schedule+0x924/0x1f30
[   37.498171]  ? trace_hardirqs_on+0x10/0x10
[   37.502435]  ? sock_has_perm+0x1d3/0x260
[   37.506497]  ? trace_hardirqs_on+0x10/0x10
[   37.510716]  ? inet_sendmsg+0x14a/0x510
[   37.514667]  ? inet_recvmsg+0x540/0x540
[   37.518619]  ? sock_sendmsg+0xb7/0x100
[   37.522485]  ? sock_no_sendpage+0x132/0x1a0
[   37.526789]  ? sock_rfree+0x140/0x140
[   37.530571]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[   37.535654]  ? trace_hardirqs_on_caller+0x37b/0x540
[   37.540649]  ? inet_sendpage+0x1bb/0x5c0
[   37.544685]  ? inet_getname+0x390/0x390
[   37.548634]  ? kernel_sendpage+0x84/0xd0
[   37.552670]  ? sock_sendpage+0x84/0xa0
[   37.556536]  ? pipe_to_sendpage+0x23d/0x300
[   37.560837]  ? kernel_sendpage+0xd0/0xd0
[   37.564873]  ? direct_splice_actor+0x160/0x160
[   37.569435]  ? __put_page+0x68/0xa0
[   37.573098]  ? __splice_from_pipe+0x331/0x740
[   37.577578]  ? direct_splice_actor+0x160/0x160
[   37.582139]  ? direct_splice_actor+0x160/0x160
[   37.586699]  ? splice_from_pipe+0xd9/0x140
[   37.590957]  ? splice_shrink_spd+0xb0/0xb0
[   37.595185]  ? security_file_permission+0x88/0x1e0
[   37.600092]  ? splice_from_pipe+0x140/0x140
[   37.604398]  ? SyS_splice+0xd1c/0x12d0
[   37.608280]  ? do_futex+0x17f0/0x17f0
[   37.612059]  ? lock_acquire+0x10f/0x380
[   37.616011]  ? compat_SyS_vmsplice+0x150/0x150
[   37.620569]  ? _raw_spin_unlock_irq+0x24/0x50
[   37.625041]  ? do_syscall_64+0x43/0x4b0
[   37.628990]  ? compat_SyS_vmsplice+0x150/0x150
[   37.633553]  ? do_syscall_64+0x19b/0x4b0
[   37.637600]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   37.642952] 
[   37.644555] Allocated by task 1773:
[   37.648161]  kasan_kmalloc.part.0+0x4f/0xd0
[   37.652466]  kmem_cache_alloc+0xd2/0x2d0
[   37.656508]  skb_clone+0x126/0x310
[   37.660100]  ip_check_defrag+0x2bc/0x523
[   37.664160]  packet_rcv_fanout+0x4d1/0x5e0
[   37.668371]  dev_queue_xmit_nit+0x21a/0x960
[   37.672668] 
[   37.674276] Freed by task 1773:
[   37.677531]  kasan_slab_free+0xb0/0x190
[   37.681479]  kmem_cache_free+0xc4/0x330
[   37.685437]  kfree_skbmem+0xa0/0x100
[   37.689259]  kfree_skb+0xcd/0x350
[   37.692689]  ip_defrag+0x5f4/0x3b50
[   37.696293]  ip_check_defrag+0x39b/0x523
[   37.700331]  packet_rcv_fanout+0x4d1/0x5e0
[   37.704549]  dev_queue_xmit_nit+0x21a/0x960
[   37.708840] 
[   37.710447] The buggy address belongs to the object at ffff8881cfafd280
[   37.710447]  which belongs to the cache skbuff_head_cache of size 224
[   37.723596] The buggy address is located 156 bytes inside of
[   37.723596]  224-byte region [ffff8881cfafd280, ffff8881cfafd360)
[   37.735447] The buggy address belongs to the page:
[   37.740357] page:ffffea00073ebf40 count:1 mapcount:0 mapping:          (null) index:0x0
[   37.748476] flags: 0x4000000000000100(slab)
[   37.752772] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[   37.760628] raw: dead000000000100 dead000000000200 ffff8881dab58200 0000000000000000
[   37.768487] page dumped because: kasan: bad access detected
[   37.774171] 
[   37.775862] Memory state around the buggy address:
[   37.780775]  ffff8881cfafd200: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   37.788109]  ffff8881cfafd280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.795450] >ffff8881cfafd300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   37.802939]                             ^
[   37.807113]  ffff8881cfafd380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   37.814451]  ffff8881cfafd400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   37.821831] ==================================================================
[   37.829173] Disabling lock debugging due to kernel taint
[   37.834766] Kernel panic - not syncing: panic_on_warn set ...
[   37.834766] 
[   37.842115] CPU: 0 PID: 1773 Comm: syz-executor180 Tainted: G    B     4.14.92+ #4
[   37.850315] Call Trace:
[   37.852883]  dump_stack+0xb9/0x10e
[   37.856413]  panic+0x1d9/0x3c2
[   37.859581]  ? add_taint.cold+0x16/0x16
[   37.863530]  ? retint_kernel+0x2d/0x2d
[   37.867397]  ? ip_check_defrag+0x4f5/0x523
[   37.871606]  kasan_end_report+0x43/0x49
[   37.875555]  kasan_report.cold+0xa4/0x2a5
[   37.879679]  ? ip_check_defrag+0x4f5/0x523
[   37.883895]  ? ip_defrag+0x3b50/0x3b50
[   37.887766]  ? mark_held_locks+0xa6/0xf0
[   37.891817]  ? check_preemption_disabled+0x35/0x1f0
[   37.896825]  ? packet_rcv_fanout+0x4d1/0x5e0
[   37.901299]  ? fanout_demux_rollover+0x4d0/0x4d0
[   37.906037]  ? dev_queue_xmit_nit+0x21a/0x960
[   37.910514]  ? dev_hard_start_xmit+0xa3/0x890
[   37.914987]  ? sch_direct_xmit+0x27a/0x520
[   37.919206]  ? dev_deactivate_queue.constprop.0+0x150/0x150
[   37.924896]  ? lock_acquire+0x10f/0x380
[   37.928845]  ? ip_finish_output2+0x9fe/0x12f0
[   37.933393]  ? __dev_queue_xmit+0x1565/0x1cd0
[   37.937937]  ? netdev_pick_tx+0x2e0/0x2e0
[   37.942070]  ? ip_do_fragment+0xa20/0x1ee0
[   37.946281]  ? mark_held_locks+0xa6/0xf0
[   37.950315]  ? ip_finish_output2+0xd92/0x12f0
[   37.954794]  ? ip_finish_output2+0x9fe/0x12f0
[   37.959274]  ? ip_copy_addrs+0xd0/0xd0
[   37.963140]  ? ip_do_fragment+0xa20/0x1ee0
[   37.967347]  ? ip_do_fragment+0xa20/0x1ee0
[   37.971557]  ? ip_copy_addrs+0xd0/0xd0
[   37.975423]  ? ip_fragment.constprop.0+0x146/0x200
[   37.980326]  ? ip_finish_output+0x7a7/0xc70
[   37.984624]  ? ip_mc_output+0x231/0xbe0
[   37.988578]  ? ip_queue_xmit+0x1a70/0x1a70
[   37.992790]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   37.998217]  ? ip_fragment.constprop.0+0x200/0x200
[   38.003119]  ? dst_release+0xc/0x80
[   38.006721]  ? __ip_make_skb+0xe30/0x1690
[   38.010978]  ? ip_local_out+0x98/0x170
[   38.014849]  ? ip_send_skb+0x3a/0xc0
[   38.018535]  ? ip_push_pending_frames+0x5f/0x80
[   38.023181]  ? raw_sendmsg+0x19de/0x2270
[   38.027219]  ? raw_seq_next+0x80/0x80
[   38.031007]  ? avc_has_perm_noaudit+0x2d0/0x2d0
[   38.035658]  ? __schedule+0x924/0x1f30
[   38.039518]  ? trace_hardirqs_on+0x10/0x10
[   38.043726]  ? sock_has_perm+0x1d3/0x260
[   38.047762]  ? trace_hardirqs_on+0x10/0x10
[   38.051975]  ? inet_sendmsg+0x14a/0x510
[   38.055925]  ? inet_recvmsg+0x540/0x540
[   38.059890]  ? sock_sendmsg+0xb7/0x100
[   38.063751]  ? sock_no_sendpage+0x132/0x1a0
[   38.068055]  ? sock_rfree+0x140/0x140
[   38.071841]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[   38.076920]  ? trace_hardirqs_on_caller+0x37b/0x540
[   38.081909]  ? inet_sendpage+0x1bb/0x5c0
[   38.085944]  ? inet_getname+0x390/0x390
[   38.089900]  ? kernel_sendpage+0x84/0xd0
[   38.093985]  ? sock_sendpage+0x84/0xa0
[   38.097855]  ? pipe_to_sendpage+0x23d/0x300
[   38.102149]  ? kernel_sendpage+0xd0/0xd0
[   38.106184]  ? direct_splice_actor+0x160/0x160
[   38.110742]  ? __put_page+0x68/0xa0
[   38.114343]  ? __splice_from_pipe+0x331/0x740
[   38.118818]  ? direct_splice_actor+0x160/0x160
[   38.123377]  ? direct_splice_actor+0x160/0x160
[   38.128082]  ? splice_from_pipe+0xd9/0x140
[   38.132331]  ? splice_shrink_spd+0xb0/0xb0
[   38.136546]  ? security_file_permission+0x88/0x1e0
[   38.141449]  ? splice_from_pipe+0x140/0x140
[   38.145788]  ? SyS_splice+0xd1c/0x12d0
[   38.149673]  ? do_futex+0x17f0/0x17f0
[   38.153447]  ? lock_acquire+0x10f/0x380
[   38.157394]  ? compat_SyS_vmsplice+0x150/0x150
[   38.161951]  ? _raw_spin_unlock_irq+0x24/0x50
[   38.166420]  ? do_syscall_64+0x43/0x4b0
[   38.170366]  ? compat_SyS_vmsplice+0x150/0x150
[   38.174931]  ? do_syscall_64+0x19b/0x4b0
[   38.178973]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   38.184829] Kernel Offset: 0x2f800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   38.195725] Rebooting in 86400 seconds..