[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 26.856611] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.094114] audit: type=1400 audit(1548131682.039:6): avc: denied { map } for pid=1765 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 27.142923] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.603499] random: sshd: uninitialized urandom read (32 bytes read)
[ 43.342771] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.73' (ECDSA) to the list of known hosts.
[ 48.867695] random: sshd: uninitialized urandom read (32 bytes read)
[ 48.960269] audit: type=1400 audit(1548131703.909:7): avc: denied { map } for pid=1789 comm="syz-executor143" path="/root/syz-executor143456699" dev="sda1" ino=16461 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 49.261337] ==================================================================
[ 49.268806] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[ 49.275468] Read of size 8 at addr ffff8881c5d6c8d0 by task syz-executor143/1792
[ 49.282985]
[ 49.284606] CPU: 1 PID: 1792 Comm: syz-executor143 Not tainted 4.14.94+ #12
[ 49.291683] Call Trace:
[ 49.294263]  dump_stack+0xb9/0x10e
[ 49.297790]  ? ip_local_deliver+0x43d/0x450
[ 49.302088]  print_address_description+0x60/0x226
[ 49.306925]  ? ip_local_deliver+0x43d/0x450
[ 49.311225]  kasan_report.cold+0x88/0x2a5
[ 49.315352]  ? ip_local_deliver+0x43d/0x450
[ 49.319652]  ? ip_call_ra_chain+0x540/0x540
[ 49.323970]  ? __lock_acquire+0x56a/0x3fa0
[ 49.328200]  ? ip_rcv+0x99f/0xf7a
[ 49.331634]  ? ip_rcv_finish+0x5c9/0x1490
[ 49.335776]  ? ip_rcv+0x9e2/0xf7a
[ 49.339219]  ? ip_local_deliver+0x450/0x450
[ 49.343520]  ? __lock_acquire+0x56a/0x3fa0
[ 49.347736]  ? check_preemption_disabled+0x35/0x1f0
[ 49.352753]  ? ip_local_deliver+0x450/0x450
[ 49.357060]  ? __netif_receive_skb_core+0x1364/0x2c60
[ 49.362243]  ? trace_hardirqs_on+0x10/0x10
[ 49.366550]  ? flush_backlog+0x580/0x580
[ 49.370610]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 49.375838]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 49.381017]  ? lock_acquire+0x10f/0x380
[ 49.384976]  ? __netif_receive_skb+0x55/0x1f0
[ 49.389451]  ? __netif_receive_skb+0x55/0x1f0
[ 49.393928]  ? netif_receive_skb_internal+0xec/0x5c0
[ 49.399009]  ? dev_cpu_dead+0x810/0x810
[ 49.402964]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 49.408395]  ? rcu_read_lock_sched_held+0x10a/0x130
[ 49.413397]  ? tun_rx_batched.isra.0+0x45d/0x730
[ 49.418141]  ? __skb_get_hash_symmetric+0x255/0x620
[ 49.423145]  ? tun_chr_read_iter+0x1c0/0x1c0
[ 49.427540]  ? tun_get_user+0xc07/0x3790
[ 49.431582]  ? __local_bh_enable_ip+0x65/0xc0
[ 49.436072]  ? tun_get_user+0xd95/0x3790
[ 49.440127]  ? tun_rx_batched.isra.0+0x730/0x730
[ 49.444865]  ? debug_mutex_add_waiter+0x60/0x150
[ 49.449608]  ? mark_held_locks+0xa6/0xf0
[ 49.453652]  ? get_page_from_freelist+0x85e/0x1d60
[ 49.458563]  ? preempt_count_add+0xb8/0x180
[ 49.462880]  ? __tun_get+0x11c/0x220
[ 49.466584]  ? check_preemption_disabled+0x35/0x1f0
[ 49.471607]  ? tun_chr_write_iter+0xcf/0x180
[ 49.475998]  ? do_iter_readv_writev+0x379/0x580
[ 49.480651]  ? clone_verify_area+0x1e0/0x1e0
[ 49.485040]  ? avc_policy_seqno+0x5/0x10
[ 49.489088]  ? security_file_permission+0x88/0x1e0
[ 49.494017]  ? do_iter_write+0x152/0x550
[ 49.498066]  ? lock_downgrade+0x5d0/0x5d0
[ 49.502196]  ? vfs_writev+0x146/0x2d0
[ 49.505981]  ? vfs_iter_write+0xa0/0xa0
[ 49.509936]  ? __handle_mm_fault+0x6c5/0x2640
[ 49.514414]  ? __fsnotify_inode_delete+0x20/0x20
[ 49.519157]  ? __do_page_fault+0x48e/0xb80
[ 49.523369]  ? lock_downgrade+0x5d0/0x5d0
[ 49.527495]  ? check_preemption_disabled+0x35/0x1f0
[ 49.532492]  ? do_writev+0xc9/0x240
[ 49.536101]  ? vfs_writev+0x2d0/0x2d0
[ 49.539890]  ? do_syscall_64+0x43/0x4b0
[ 49.543841]  ? SyS_readv+0x30/0x30
[ 49.547359]  ? do_syscall_64+0x19b/0x4b0
[ 49.551405]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 49.556749]
[ 49.558354] Allocated by task 1792:
[ 49.561961]  kasan_kmalloc.part.0+0x4f/0xd0
[ 49.566261]  kmem_cache_alloc+0xd2/0x2d0
[ 49.570301]  __build_skb+0x2e/0x2d0
[ 49.573904]  build_skb+0x1a/0x1f0
[ 49.577337]  tun_get_user+0x248b/0x3790
[ 49.581286]  tun_chr_write_iter+0xcf/0x180
[ 49.585619]  do_iter_readv_writev+0x379/0x580
[ 49.590097]  do_iter_write+0x152/0x550
[ 49.593962]  vfs_writev+0x146/0x2d0
[ 49.597564]  do_writev+0xc9/0x240
[ 49.600999]  do_syscall_64+0x19b/0x4b0
[ 49.604864]
[ 49.606468] Freed by task 1792:
[ 49.609734]  kasan_slab_free+0xb0/0x190
[ 49.613684]  kmem_cache_free+0xc4/0x330
[ 49.617644]  kfree_skbmem+0xa0/0x100
[ 49.621334]  kfree_skb+0xcd/0x350
[ 49.624762]  ip_defrag+0x5f4/0x3b50
[ 49.628364]  ip_local_deliver+0x165/0x450
[ 49.632488]  ip_rcv_finish+0x5c9/0x1490
[ 49.636439]  ip_rcv+0x9e2/0xf7a
[ 49.639697]  __netif_receive_skb_core+0x1364/0x2c60
[ 49.644693]  __netif_receive_skb+0x55/0x1f0
[ 49.648995]  netif_receive_skb_internal+0xec/0x5c0
[ 49.653904]  tun_rx_batched.isra.0+0x45d/0x730
[ 49.658475]  tun_get_user+0xd95/0x3790
[ 49.662341]  tun_chr_write_iter+0xcf/0x180
[ 49.666552]  do_iter_readv_writev+0x379/0x580
[ 49.671021]  do_iter_write+0x152/0x550
[ 49.674883]  vfs_writev+0x146/0x2d0
[ 49.678483]  do_writev+0xc9/0x240
[ 49.681914]  do_syscall_64+0x19b/0x4b0
[ 49.685776]
[ 49.687387] The buggy address belongs to the object at ffff8881c5d6c8c0
[ 49.687387]  which belongs to the cache skbuff_head_cache of size 224
[ 49.700543] The buggy address is located 16 bytes inside of
[ 49.700543]  224-byte region [ffff8881c5d6c8c0, ffff8881c5d6c9a0)
[ 49.712408] The buggy address belongs to the page:
[ 49.717322] page:ffffea0007175b00 count:1 mapcount:0 mapping:          (null) index:0x0
[ 49.725446] flags: 0x4000000000000100(slab)
[ 49.729747] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[ 49.737615] raw: dead000000000100 dead000000000200 ffff8881dab58200 0000000000000000
[ 49.745549] page dumped because: kasan: bad access detected
[ 49.751243]
[ 49.752861] Memory state around the buggy address:
[ 49.757767]  ffff8881c5d6c780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.765104]  ffff8881c5d6c800: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 49.772443] >ffff8881c5d6c880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 49.779778]                                                  ^
[ 49.785726]  ffff8881c5d6c900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.793062]  ffff8881c5d6c980: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 49.800399] ==================================================================
[ 49.807735] Disabling lock debugging due to kernel taint
[ 49.813184] Kernel panic - not syncing: panic_on_warn set ...
[ 49.813184]
[ 49.820531] CPU: 1 PID: 1792 Comm: syz-executor143 Tainted: G    B     4.14.94+ #12
[ 49.828818] Call Trace:
[ 49.831391]  dump_stack+0xb9/0x10e
[ 49.834908]  panic+0x1d9/0x3c2
[ 49.838079]  ? add_taint.cold+0x16/0x16
[ 49.842033]  ? retint_kernel+0x2d/0x2d
[ 49.845901]  ? ip_local_deliver+0x43d/0x450
[ 49.850301]  kasan_end_report+0x43/0x49
[ 49.854256]  kasan_report.cold+0xa4/0x2a5
[ 49.858392]  ? ip_local_deliver+0x43d/0x450
[ 49.862699]  ? ip_call_ra_chain+0x540/0x540
[ 49.867094]  ? __lock_acquire+0x56a/0x3fa0
[ 49.871323]  ? ip_rcv+0x99f/0xf7a
[ 49.874760]  ? ip_rcv_finish+0x5c9/0x1490
[ 49.878897]  ? ip_rcv+0x9e2/0xf7a
[ 49.882334]  ? ip_local_deliver+0x450/0x450
[ 49.886665]  ? __lock_acquire+0x56a/0x3fa0
[ 49.886679]  ? check_preemption_disabled+0x35/0x1f0
[ 49.895942]  ? ip_local_deliver+0x450/0x450
[ 49.900260]  ? __netif_receive_skb_core+0x1364/0x2c60
[ 49.905440]  ? trace_hardirqs_on+0x10/0x10
[ 49.909661]  ? flush_backlog+0x580/0x580
[ 49.913700]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 49.918869]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 49.924047]  ? lock_acquire+0x10f/0x380
[ 49.928045]  ? __netif_receive_skb+0x55/0x1f0
[ 49.928051]  ? __netif_receive_skb+0x55/0x1f0
[ 49.928061]  ? netif_receive_skb_internal+0xec/0x5c0
[ 49.942120]  ? dev_cpu_dead+0x810/0x810
[ 49.946108]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 49.946120]  ? rcu_read_lock_sched_held+0x10a/0x130
[ 49.956581]  ? tun_rx_batched.isra.0+0x45d/0x730
[ 49.961349]  ? __skb_get_hash_symmetric+0x255/0x620
[ 49.966370]  ? tun_chr_read_iter+0x1c0/0x1c0
[ 49.970774]  ? tun_get_user+0xc07/0x3790
[ 49.974815]  ? __local_bh_enable_ip+0x65/0xc0
[ 49.979289]  ? tun_get_user+0xd95/0x3790
[ 49.983333]  ? tun_rx_batched.isra.0+0x730/0x730
[ 49.988067]  ? debug_mutex_add_waiter+0x60/0x150
[ 49.992804]  ? mark_held_locks+0xa6/0xf0
[ 49.996849]  ? get_page_from_freelist+0x85e/0x1d60
[ 50.001769]  ? preempt_count_add+0xb8/0x180
[ 50.006070]  ? __tun_get+0x11c/0x220
[ 50.009765]  ? check_preemption_disabled+0x35/0x1f0
[ 50.014764]  ? tun_chr_write_iter+0xcf/0x180
[ 50.019151]  ? do_iter_readv_writev+0x379/0x580
[ 50.023851]  ? clone_verify_area+0x1e0/0x1e0
[ 50.028244]  ? avc_policy_seqno+0x5/0x10
[ 50.032288]  ? security_file_permission+0x88/0x1e0
[ 50.037197]  ? do_iter_write+0x152/0x550
[ 50.041240]  ? lock_downgrade+0x5d0/0x5d0
[ 50.045365]  ? vfs_writev+0x146/0x2d0
[ 50.049151]  ? vfs_iter_write+0xa0/0xa0
[ 50.053110]  ? __handle_mm_fault+0x6c5/0x2640
[ 50.057587]  ? __fsnotify_inode_delete+0x20/0x20
[ 50.062349]  ? __do_page_fault+0x48e/0xb80
[ 50.066577]  ? lock_downgrade+0x5d0/0x5d0
[ 50.070722]  ? check_preemption_disabled+0x35/0x1f0
[ 50.075718]  ? do_writev+0xc9/0x240
[ 50.079323]  ? vfs_writev+0x2d0/0x2d0
[ 50.083106]  ? do_syscall_64+0x43/0x4b0
[ 50.087057]  ? SyS_readv+0x30/0x30
[ 50.090575]  ? do_syscall_64+0x19b/0x4b0
[ 50.094630]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 50.100322] Kernel Offset: 0x4600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 50.111147] Rebooting in 86400 seconds..