[   10.494429] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   27.296277] random: sshd: uninitialized urandom read (32 bytes read)
[   27.604826] audit: type=1400 audit(1548831829.535:6): avc:  denied  { map } for  pid=1777 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   27.647320] random: sshd: uninitialized urandom read (32 bytes read)
[   28.151572] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.146' (ECDSA) to the list of known hosts.
[   33.771241] urandom_read: 1 callbacks suppressed
[   33.771245] random: sshd: uninitialized urandom read (32 bytes read)
[   33.865757] audit: type=1400 audit(1548831835.795:7): avc:  denied  { map } for  pid=1794 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/01/30 07:03:56 parsed 1 programs
[   34.598303] audit: type=1400 audit(1548831836.525:8): avc:  denied  { map } for  pid=1794 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=5005 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[   35.351349] random: cc1: uninitialized urandom read (8 bytes read)
2019/01/30 07:03:58 executed programs: 0
[   36.817563] audit: type=1400 audit(1548831838.745:9): avc:  denied  { map } for  pid=1794 comm="syz-execprog" path="/root/syzkaller-shm080401051" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[   38.698591] audit: type=1400 audit(1548831840.625:10): avc:  denied  { prog_load } for  pid=1958 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[   38.721141] audit: type=1400 audit(1548831840.625:11): avc:  denied  { create } for  pid=1958 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[   38.745435] audit: type=1400 audit(1548831840.625:12): avc:  denied  { write } for  pid=1958 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[   38.769235] audit: type=1400 audit(1548831840.635:13): avc:  denied  { read } for  pid=1958 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[   39.549900] ==================================================================
[   39.557428] BUG: KASAN: use-after-free in ip_check_defrag+0x4f5/0x523
[   39.563998] Write of size 4 at addr ffff8881d226f09c by task syz-executor0/1964
[   39.571421] 
[   39.573034] CPU: 0 PID: 1964 Comm: syz-executor0 Not tainted 4.14.96+ #20
[   39.579937] Call Trace:
[   39.582511]  dump_stack+0xb9/0x10e
[   39.586034]  ? ip_check_defrag+0x4f5/0x523
[   39.590259]  print_address_description+0x60/0x226
[   39.595092]  ? ip_check_defrag+0x4f5/0x523
[   39.599305]  kasan_report.cold+0x88/0x2a5
[   39.603435]  ? ip_check_defrag+0x4f5/0x523
[   39.607646]  ? ip_defrag+0x3b50/0x3b50
[   39.611510]  ? mark_held_locks+0xa6/0xf0
[   39.615616]  ? check_preemption_disabled+0x35/0x1f0
[   39.620622]  ? packet_rcv_fanout+0x4d1/0x5e0
[   39.625007]  ? fanout_demux_rollover+0x4d0/0x4d0
[   39.629749]  ? dev_queue_xmit_nit+0x6d0/0x960
[   39.634228]  ? __packet_pick_tx_queue+0x70/0x70
[   39.638877]  ? dev_hard_start_xmit+0xa3/0x890
[   39.643348]  ? validate_xmit_skb_list+0xd2/0x110
[   39.648083]  ? sch_direct_xmit+0x27a/0x520
[   39.652302]  ? dev_deactivate_queue.constprop.0+0x150/0x150
[   39.658235]  ? lock_acquire+0x10f/0x380
[   39.662193]  ? ip_finish_output2+0x9fe/0x12f0
[   39.666679]  ? __dev_queue_xmit+0x1565/0x1cd0
[   39.671597]  ? netdev_pick_tx+0x2e0/0x2e0
[   39.675728]  ? ip_do_fragment+0x180c/0x1ee0
[   39.680040]  ? mark_held_locks+0xa6/0xf0
[   39.684091]  ? ip_finish_output2+0xd92/0x12f0
[   39.688562]  ? ip_finish_output2+0x9fe/0x12f0
[   39.693040]  ? ip_copy_addrs+0xd0/0xd0
[   39.696905]  ? selinux_ip_postroute_compat+0x360/0x360
[   39.702159]  ? check_preemption_disabled+0x35/0x1f0
[   39.707153]  ? ip_do_fragment+0x180c/0x1ee0
[   39.711524]  ? ip_do_fragment+0x180c/0x1ee0
[   39.715837]  ? ip_copy_addrs+0xd0/0xd0
[   39.719709]  ? ip_fragment.constprop.0+0x146/0x200
[   39.724623]  ? ip_finish_output+0x7a7/0xc70
[   39.728926]  ? ip_mc_output+0x231/0xbe0
[   39.732940]  ? ip_queue_xmit+0x1a70/0x1a70
[   39.737309]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   39.742743]  ? ip_fragment.constprop.0+0x200/0x200
[   39.747664]  ? dst_release+0xc/0x80
[   39.751278]  ? __ip_make_skb+0xe30/0x1690
[   39.755406]  ? ip_local_out+0x98/0x170
[   39.759736]  ? ip_send_skb+0x3a/0xc0
[   39.763432]  ? ip_push_pending_frames+0x5f/0x80
[   39.768078]  ? raw_sendmsg+0x19de/0x2270
[   39.772120]  ? raw_seq_next+0x80/0x80
[   39.775901]  ? avc_has_perm_noaudit+0x2d0/0x2d0
[   39.780725]  ? lock_downgrade+0x5d0/0x5d0
[   39.784853]  ? lock_acquire+0x10f/0x380
[   39.788810]  ? finish_task_switch+0x1b7/0x620
[   39.793286]  ? _raw_spin_unlock_irq+0x24/0x50
[   39.797767]  ? sock_has_perm+0x1d3/0x260
[   39.801818]  ? __schedule+0x924/0x1f30
[   39.805693]  ? __lock_acquire+0x56a/0x3fa0
[   39.809918]  ? inet_sendmsg+0x14a/0x510
[   39.814001]  ? inet_recvmsg+0x540/0x540
[   39.817960]  ? sock_sendmsg+0xb7/0x100
[   39.821823]  ? sock_no_sendpage+0x132/0x1a0
[   39.826126]  ? sock_rfree+0x140/0x140
[   39.830009]  ? futex_wait+0x406/0x570
[   39.833808]  ? inet_sendpage+0x1bb/0x5c0
[   39.838029]  ? inet_getname+0x390/0x390
[   39.841980]  ? kernel_sendpage+0x84/0xd0
[   39.846022]  ? sock_sendpage+0x84/0xa0
[   39.849899]  ? pipe_to_sendpage+0x23d/0x300
[   39.854198]  ? kernel_sendpage+0xd0/0xd0
[   39.858236]  ? direct_splice_actor+0x160/0x160
[   39.862796]  ? splice_from_pipe_next.part.0+0x1e4/0x290
[   39.868140]  ? __splice_from_pipe+0x331/0x740
[   39.872625]  ? direct_splice_actor+0x160/0x160
[   39.877189]  ? direct_splice_actor+0x160/0x160
[   39.881758]  ? splice_from_pipe+0xd9/0x140
[   39.885975]  ? splice_shrink_spd+0xb0/0xb0
[   39.890194]  ? security_file_permission+0x88/0x1e0
[   39.895104]  ? splice_from_pipe+0x140/0x140
[   39.899402]  ? SyS_splice+0xd1c/0x12d0
[   39.903274]  ? compat_SyS_vmsplice+0x150/0x150
[   39.907834]  ? do_clock_gettime+0xd0/0xd0
[   39.911959]  ? do_syscall_64+0x43/0x4b0
[   39.915907]  ? compat_SyS_vmsplice+0x150/0x150
[   39.920469]  ? do_syscall_64+0x19b/0x4b0
[   39.924512]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   39.929879] 
[   39.931488] Allocated by task 1964:
[   39.935103]  kasan_kmalloc.part.0+0x4f/0xd0
[   39.939406]  kmem_cache_alloc+0xd2/0x2d0
[   39.943449]  skb_clone+0x126/0x310
[   39.946967]  dev_queue_xmit_nit+0x2f3/0x960
[   39.951264]  dev_hard_start_xmit+0xa3/0x890
[   39.955560]  sch_direct_xmit+0x27a/0x520
[   39.959595] 
[   39.961300] Freed by task 1964:
[   39.964570]  kasan_slab_free+0xb0/0x190
[   39.968520]  kmem_cache_free+0xc4/0x330
[   39.972476]  kfree_skbmem+0xa0/0x100
[   39.976376]  kfree_skb+0xcd/0x350
[   39.979863]  ip_defrag+0x5f4/0x3b50
[   39.983482]  ip_check_defrag+0x39b/0x523
[   39.987520]  packet_rcv_fanout+0x4d1/0x5e0
[   39.991737]  dev_queue_xmit_nit+0x6d0/0x960
[   39.996042] 
[   39.997649] The buggy address belongs to the object at ffff8881d226f000
[   39.997649]  which belongs to the cache skbuff_head_cache of size 224
[   40.011358] The buggy address is located 156 bytes inside of
[   40.011358]  224-byte region [ffff8881d226f000, ffff8881d226f0e0)
[   40.023209] The buggy address belongs to the page:
[   40.028121] page:ffffea0007489bc0 count:1 mapcount:0 mapping:          (null) index:0x0
[   40.036290] flags: 0x4000000000000100(slab)
[   40.040598] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[   40.048707] raw: dead000000000100 dead000000000200 ffff8881dab58200 0000000000000000
[   40.056568] page dumped because: kasan: bad access detected
[   40.062255] 
[   40.063982] Memory state around the buggy address:
[   40.068889]  ffff8881d226ef80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   40.076238]  ffff8881d226f000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.083584] >ffff8881d226f080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   40.090925]                             ^
[   40.095056]  ffff8881d226f100: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   40.102399]  ffff8881d226f180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   40.109742] ==================================================================
[   40.117077] Disabling lock debugging due to kernel taint
[   40.122566] Kernel panic - not syncing: panic_on_warn set ...
[   40.122566] 
[   40.129923] CPU: 0 PID: 1964 Comm: syz-executor0 Tainted: G    B            4.14.96+ #20
[   40.138096] Call Trace:
[   40.140679]  dump_stack+0xb9/0x10e
[   40.144199]  panic+0x1d9/0x3c2
[   40.147369]  ? add_taint.cold+0x16/0x16
[   40.151322]  ? retint_kernel+0x2d/0x2d
[   40.155188]  ? ip_check_defrag+0x4f5/0x523
[   40.159413]  kasan_end_report+0x43/0x49
[   40.163491]  kasan_report.cold+0xa4/0x2a5
[   40.167618]  ? ip_check_defrag+0x4f5/0x523
[   40.171827]  ? ip_defrag+0x3b50/0x3b50
[   40.175690]  ? mark_held_locks+0xa6/0xf0
[   40.179739]  ? check_preemption_disabled+0x35/0x1f0
[   40.184740]  ? packet_rcv_fanout+0x4d1/0x5e0
[   40.189166]  ? fanout_demux_rollover+0x4d0/0x4d0
[   40.193905]  ? dev_queue_xmit_nit+0x6d0/0x960
[   40.198376]  ? __packet_pick_tx_queue+0x70/0x70
[   40.203021]  ? dev_hard_start_xmit+0xa3/0x890
[   40.207591]  ? validate_xmit_skb_list+0xd2/0x110
[   40.212326]  ? sch_direct_xmit+0x27a/0x520
[   40.216542]  ? dev_deactivate_queue.constprop.0+0x150/0x150
[   40.222253]  ? lock_acquire+0x10f/0x380
[   40.226217]  ? ip_finish_output2+0x9fe/0x12f0
[   40.230691]  ? __dev_queue_xmit+0x1565/0x1cd0
[   40.235166]  ? netdev_pick_tx+0x2e0/0x2e0
[   40.239293]  ? ip_do_fragment+0x180c/0x1ee0
[   40.243593]  ? mark_held_locks+0xa6/0xf0
[   40.247631]  ? ip_finish_output2+0xd92/0x12f0
[   40.252105]  ? ip_finish_output2+0x9fe/0x12f0
[   40.256578]  ? ip_copy_addrs+0xd0/0xd0
[   40.260444]  ? selinux_ip_postroute_compat+0x360/0x360
[   40.265767]  ? check_preemption_disabled+0x35/0x1f0
[   40.270776]  ? ip_do_fragment+0x180c/0x1ee0
[   40.275094]  ? ip_do_fragment+0x180c/0x1ee0
[   40.279399]  ? ip_copy_addrs+0xd0/0xd0
[   40.283262]  ? ip_fragment.constprop.0+0x146/0x200
[   40.288172]  ? ip_finish_output+0x7a7/0xc70
[   40.292469]  ? ip_mc_output+0x231/0xbe0
[   40.296418]  ? ip_queue_xmit+0x1a70/0x1a70
[   40.300637]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   40.306081]  ? ip_fragment.constprop.0+0x200/0x200
[   40.310998]  ? dst_release+0xc/0x80
[   40.314604]  ? __ip_make_skb+0xe30/0x1690
[   40.318734]  ? ip_local_out+0x98/0x170
[   40.322614]  ? ip_send_skb+0x3a/0xc0
[   40.326304]  ? ip_push_pending_frames+0x5f/0x80
[   40.330949]  ? raw_sendmsg+0x19de/0x2270
[   40.335011]  ? raw_seq_next+0x80/0x80
[   40.338791]  ? avc_has_perm_noaudit+0x2d0/0x2d0
[   40.343446]  ? lock_downgrade+0x5d0/0x5d0
[   40.347570]  ? lock_acquire+0x10f/0x380
[   40.351521]  ? finish_task_switch+0x1b7/0x620
[   40.355993]  ? _raw_spin_unlock_irq+0x24/0x50
[   40.360469]  ? sock_has_perm+0x1d3/0x260
[   40.364506]  ? __schedule+0x924/0x1f30
[   40.368368]  ? __lock_acquire+0x56a/0x3fa0
[   40.372583]  ? inet_sendmsg+0x14a/0x510
[   40.376529]  ? inet_recvmsg+0x540/0x540
[   40.380476]  ? sock_sendmsg+0xb7/0x100
[   40.384338]  ? sock_no_sendpage+0x132/0x1a0
[   40.388633]  ? sock_rfree+0x140/0x140
[   40.392407]  ? futex_wait+0x406/0x570
[   40.396187]  ? inet_sendpage+0x1bb/0x5c0
[   40.400222]  ? inet_getname+0x390/0x390
[   40.404228]  ? kernel_sendpage+0x84/0xd0
[   40.408272]  ? sock_sendpage+0x84/0xa0
[   40.412141]  ? pipe_to_sendpage+0x23d/0x300
[   40.416490]  ? kernel_sendpage+0xd0/0xd0
[   40.420535]  ? direct_splice_actor+0x160/0x160
[   40.425095]  ? splice_from_pipe_next.part.0+0x1e4/0x290
[   40.430462]  ? __splice_from_pipe+0x331/0x740
[   40.434948]  ? direct_splice_actor+0x160/0x160
[   40.439511]  ? direct_splice_actor+0x160/0x160
[   40.444081]  ? splice_from_pipe+0xd9/0x140
[   40.448292]  ? splice_shrink_spd+0xb0/0xb0
[   40.452505]  ? security_file_permission+0x88/0x1e0
[   40.457419]  ? splice_from_pipe+0x140/0x140
[   40.461732]  ? SyS_splice+0xd1c/0x12d0
[   40.465603]  ? compat_SyS_vmsplice+0x150/0x150
[   40.470167]  ? do_clock_gettime+0xd0/0xd0
[   40.474294]  ? do_syscall_64+0x43/0x4b0
[   40.478246]  ? compat_SyS_vmsplice+0x150/0x150
[   40.482805]  ? do_syscall_64+0x19b/0x4b0
[   40.486852]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   40.492595] Kernel Offset: 0x22400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   40.503644] Rebooting in 86400 seconds..