[....] Starting enhanced syslogd: rsyslogd
[   11.467183] audit: type=1400 audit(1513087121.318:4): avc:  denied  { syslog } for  pid=3164 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-android-49-kasan-gce-4,10.128.15.216' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   34.900377] ==================================================================
[   34.901516] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x153e/0x3470 at addr ffff8801ca664518
[   34.902672] Read of size 8192 by task syzkaller921419/3331
[   34.903419] CPU: 0 PID: 3331 Comm: syzkaller921419 Not tainted 4.9.68-gfb66dc2 #107
[   34.904440] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.905678]  ffff8801c9baf748 ffffffff81d90889 ffff8801da001280 ffff8801ca664500
[   34.906845]  ffff8801ca664700 ffffed00394cc8e0 ffff8801ca664518 ffff8801c9baf770
[   34.908008]  ffffffff8153a44c ffffed00394cc8e0 ffff8801da001280 0000000000000000
[   34.909187] Call Trace:
[   34.909547]  [] dump_stack+0xc1/0x128
[   34.910260]  [] kasan_object_err+0x1c/0x70
[   34.911040]  [] kasan_report.part.1+0x21c/0x500
[   34.911861]  [] ? __kmalloc+0x19d/0x310
[   34.912591]  [] ? pfkey_add+0x153e/0x3470
[   34.913347]  [] ? rcu_read_lock_sched_held+0x103/0x120
[   34.914244]  [] kasan_report+0x21/0x30
[   34.914980]  [] check_memory_region+0x137/0x190
[   34.915797]  [] memcpy+0x23/0x50
[   34.916449]  [] pfkey_add+0x153e/0x3470
[   34.917181]  [] ? pfkey_delete+0x360/0x360
[   34.917964]  [] ? pfkey_seq_stop+0x80/0x80
[   34.918754]  [] ? __skb_clone+0x24a/0x7d0
[   34.919526]  [] ? pfkey_delete+0x360/0x360
[   34.920326]  [] pfkey_process+0x61e/0x730
[   34.925044]  [] ? pfkey_send_new_mapping+0x11b0/0x11b0
[   34.931859]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   34.938672]  [] pfkey_sendmsg+0x3a9/0x760
[   34.944352]  [] ? pfkey_spdget+0x820/0x820
[   34.950119]  [] sock_sendmsg+0xca/0x110
[   34.955627]  [] ___sys_sendmsg+0x6d1/0x7e0
[   34.961394]  [] ? copy_msghdr_from_user+0x550/0x550
[   34.967940]  [] ? __lru_cache_add+0x187/0x250
[   34.973966]  [] ? lru_cache_add+0xd9/0x1e0
[   34.979734]  [] ? handle_mm_fault+0xb12/0x2530
[   34.985846]  [] ? _raw_spin_unlock+0x2c/0x50
[   34.991786]  [] ? handle_mm_fault+0x6ee/0x2530
[   34.998767]  [] ? __lock_is_held+0xa1/0xf0
[   35.004533]  [] ? __pmd_alloc+0x410/0x410
[   35.010212]  [] ? __fget_light+0x158/0x1e0
[   35.015977]  [] ? __fdget+0x18/0x20
[   35.021147]  [] __sys_sendmsg+0xd6/0x190
[   35.026791]  [] ? SyS_shutdown+0x1b0/0x1b0
[   35.032833]  [] ? __do_page_fault+0x5ec/0xd40
[   35.038862]  [] ? __do_page_fault+0x3bd/0xd40
[   35.044894]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   35.051699]  [] SyS_sendmsg+0x2d/0x50
[   35.057036]  [] entry_SYSCALL_64_fastpath+0x23/0xc6
[   35.063587] Object at ffff8801ca664500, in cache kmalloc-512 size: 512
[   35.070217] Allocated:
[   35.072680] PID = 3331
[   35.075155]  save_stack_trace+0x16/0x20
[   35.079096]  save_stack+0x43/0xd0
[   35.082514]  kasan_kmalloc+0xad/0xe0
[   35.086193]  kasan_slab_alloc+0x12/0x20
[   35.090132]  __kmalloc_track_caller+0xda/0x2b0
[   35.094684]  __kmalloc_reserve.isra.37+0x33/0xc0
[   35.099404]  __alloc_skb+0x119/0x600
[   35.103094]  pfkey_sendmsg+0x135/0x760
[   35.106953]  sock_sendmsg+0xca/0x110
[   35.110636]  ___sys_sendmsg+0x6d1/0x7e0
[   35.114578]  __sys_sendmsg+0xd6/0x190
[   35.118344]  SyS_sendmsg+0x2d/0x50
[   35.121854]  entry_SYSCALL_64_fastpath+0x23/0xc6
[   35.126572] Freed:
[   35.128687] PID = 0
[   35.130892] (stack is not available)
[   35.134922] Memory state around the buggy address:
[   35.141742]  ffff8801ca664600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   35.149066]  ffff8801ca664680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   35.156391] >ffff8801ca664700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.163716]                    ^
[   35.167048]  ffff8801ca664780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.174373]  ffff8801ca664800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.181696] ==================================================================
[   35.189106] Disabling lock debugging due to kernel taint
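Added triage example, not part of the syzkaller report above and not syzkaller's own tooling: a small Python parser for this 4.9-era KASAN report format that pulls out the bug type, the faulting function, the access direction and size, the slab object's base and size, and the first frame of the call trace and of the "Allocated:" stack that is not sanitizer or allocator bookkeeping. From those it computes the offset of the access into the object and how many bytes the access runs past the object's end, which is the first thing to check when a large memcpy is reported against a small kmalloc object. The sample input is a subset of the report lines above; the function, class and field names, and the NOISE prefix list, are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: a subset of the lines from the KASAN report above (4.9-era format).
SAMPLE_REPORT = """\
[   34.901516] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x153e/0x3470 at addr ffff8801ca664518
[   34.902672] Read of size 8192 by task syzkaller921419/3331
[   34.909187] Call Trace:
[   34.909547]  [] dump_stack+0xc1/0x128
[   34.910260]  [] kasan_object_err+0x1c/0x70
[   34.911040]  [] kasan_report.part.1+0x21c/0x500
[   34.912591]  [] ? pfkey_add+0x153e/0x3470
[   34.914244]  [] kasan_report+0x21/0x30
[   34.914980]  [] check_memory_region+0x137/0x190
[   34.915797]  [] memcpy+0x23/0x50
[   34.916449]  [] pfkey_add+0x153e/0x3470
[   34.917181]  [] ? pfkey_delete+0x360/0x360
[   34.920326]  [] pfkey_process+0x61e/0x730
[   34.938672]  [] pfkey_sendmsg+0x3a9/0x760
[   35.063587] Object at ffff8801ca664500, in cache kmalloc-512 size: 512
[   35.070217] Allocated:
[   35.072680] PID = 3331
[   35.075155]  save_stack_trace+0x16/0x20
[   35.079096]  save_stack+0x43/0xd0
[   35.082514]  kasan_kmalloc+0xad/0xe0
[   35.086193]  kasan_slab_alloc+0x12/0x20
[   35.090132]  __kmalloc_track_caller+0xda/0x2b0
[   35.094684]  __kmalloc_reserve.isra.37+0x33/0xc0
[   35.099404]  __alloc_skb+0x119/0x600
[   35.103094]  pfkey_sendmsg+0x135/0x760
[   35.126572] Freed:
[   35.128687] PID = 0
[   35.130892] (stack is not available)
[   35.134922] Memory state around the buggy address:
"""

TS = r"^\[\s*\d+\.\d+\]\s*"  # printk timestamp prefix
BUG_RE = re.compile(TS + r"BUG: KASAN: (?P<kind>\S+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+ at addr (?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(TS + r"(?P<dir>Read|Write) of size (?P<size>\d+) by task (?P<task>\S+)/(?P<pid>\d+)")
OBJECT_RE = re.compile(TS + r"Object at (?P<base>[0-9a-f]+), in cache (?P<cache>\S+) size: (?P<size>\d+)")
# A stack frame; the empty "[]" is where syzkaller stripped the address, "? " marks an unreliable slot.
FRAME_RE = re.compile(TS + r"(?:\[\]\s*)?(?P<q>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Symbol prefixes that are sanitizer, stack-saving or allocator plumbing rather than the caller we care about.
NOISE = ("dump_stack", "kasan_", "check_memory_region", "save_stack", "__kmalloc", "kmalloc", "memcpy", "__alloc_skb")


@dataclass
class KasanTriage:
    kind: str
    func: str
    addr: int
    direction: str
    size: int
    task: str
    pid: int
    obj_base: int
    obj_size: int
    cache: str
    culprit: Optional[str]     # first non-noise frame of the call trace
    alloc_site: Optional[str]  # first non-noise frame of the "Allocated:" stack
    freed: bool                # True only if a free stack with frames was recorded

    @property
    def offset(self) -> int:
        return self.addr - self.obj_base

    @property
    def overrun(self) -> int:
        """Bytes by which the access extends past the end of the slab object (0 if it stays inside)."""
        return max(0, self.offset + self.size - self.obj_size)


def _first_interesting(frames: List[str]) -> Optional[str]:
    return next((f for f in frames if not f.startswith(NOISE)), None)


def parse_kasan_report(text: str) -> KasanTriage:
    bug = access = obj = None
    trace: List[str] = []
    alloc: List[str] = []
    free: List[str] = []
    section: Optional[List[str]] = None
    for line in text.splitlines():
        if bug is None and (m := BUG_RE.match(line)):
            bug = m
            continue
        if access is None and (m := ACCESS_RE.match(line)):
            access = m
            continue
        if obj is None and (m := OBJECT_RE.match(line)):
            obj = m
            section = None
            continue
        body = re.sub(TS, "", line)
        if body.startswith("Call Trace:"):
            section = trace
        elif body.startswith("Allocated:"):
            section = alloc
        elif body.startswith("Freed:"):
            section = free
        elif body.startswith("Memory state"):
            section = None
        elif section is not None and (m := FRAME_RE.match(line)) and not m.group("q"):
            section.append(m.group("sym"))  # keep reliable frames only
    if not (bug and access and obj):
        raise ValueError("not a KASAN report: BUG, access or Object line missing")
    return KasanTriage(
        kind=bug["kind"], func=bug["func"], addr=int(bug["addr"], 16),
        direction=access["dir"], size=int(access["size"]), task=access["task"], pid=int(access["pid"]),
        obj_base=int(obj["base"], 16), obj_size=int(obj["size"]), cache=obj["cache"],
        culprit=_first_interesting(trace), alloc_site=_first_interesting(alloc), freed=bool(free),
    )


def summarize(t: KasanTriage) -> str:
    return (f"{t.kind}: {t.direction.lower()} of {t.size} bytes at offset {t.offset} into a "
            f"{t.obj_size}-byte {t.cache} object ({t.overrun} bytes past its end) in {t.culprit}; "
            f"object allocated by {t.alloc_site}, {'already freed' if t.freed else 'not freed'}")


if __name__ == "__main__":
    print(summarize(parse_kasan_report(SAMPLE_REPORT)))
```

On the report above this yields an offset of 0x18 into a 512-byte kmalloc-512 object with a read that runs 7704 bytes past its end, the culprit frame pfkey_add, the allocation site pfkey_sendmsg (the skb data buffer from __alloc_skb), and no free stack, i.e. a live-object overread rather than a use-after-free. The "? " frames are dropped because they are stale stack slots the unwinder could not confirm, and the NOISE list is deliberately conservative: when adapting it to another report, check that the first surviving frame is really the kernel caller and not another allocator wrapper.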