[....] Starting OpenBSD Secure Shell server: sshd
[   11.303925] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.403678] random: sshd: uninitialized urandom read (32 bytes read)
[   22.906730] audit: type=1400 audit(1542601410.364:6): avc: denied { map } for pid=1774 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   22.938124] random: sshd: uninitialized urandom read (32 bytes read)
[   23.366847] random: sshd: uninitialized urandom read (32 bytes read)
[   23.518126] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.86' (ECDSA) to the list of known hosts.
[   29.034309] random: sshd: uninitialized urandom read (32 bytes read)
[   29.120602] audit: type=1400 audit(1542601416.584:7): avc: denied { map } for pid=1786 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2018/11/19 04:23:37 parsed 1 programs
[   29.645682] audit: type=1400 audit(1542601417.104:8): avc: denied { map } for pid=1786 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=4999 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[   30.246033] random: cc1: uninitialized urandom read (8 bytes read)
2018/11/19 04:23:38 executed programs: 0
[   31.158598] audit: type=1400 audit(1542601418.614:9): avc: denied { map } for pid=1786 comm="syz-execprog" path="/root/syzkaller-shm812481192" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[   36.723443] audit: type=1400 audit(1542601424.184:10): avc: denied { prog_load } for pid=4156 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[   36.749539] ==================================================================
[   36.749558] BUG: KASAN: slab-out-of-bounds in bpf_skb_change_tail+0xa2c/0xb90
[   36.749564] Read of size 8 at addr ffff8801c7c57e10 by task syz-executor2/4162
[   36.749565]
[   36.749572] CPU: 0 PID: 4162 Comm: syz-executor2 Not tainted 4.14.81+ #6
[   36.749575] Call Trace:
[   36.749585]  dump_stack+0xb9/0x11b
[   36.749597]  print_address_description+0x60/0x22b
[   36.749607]  kasan_report.cold.6+0x11b/0x2dd
[   36.749614]  ? bpf_skb_change_tail+0xa2c/0xb90
[   36.749624]  bpf_skb_change_tail+0xa2c/0xb90
[   36.749640]  ___bpf_prog_run+0x248e/0x5c70
[   36.749651]  ? __free_insn_slot+0x490/0x490
[   36.749659]  ? bpf_jit_compile+0x30/0x30
[   36.749672]  ? depot_save_stack+0x20a/0x428
[   36.749683]  ? __bpf_prog_run512+0x99/0xe0
[   36.749690]  ? ___bpf_prog_run+0x5c70/0x5c70
[   36.749708]  ? __lock_acquire+0x619/0x4320
[   36.749722]  ? trace_hardirqs_on+0x10/0x10
[   36.749734]  ? trace_hardirqs_on+0x10/0x10
[   36.749744]  ? __lock_acquire+0x619/0x4320
[   36.749764]  ? bpf_test_run+0x57/0x350
[   36.749780]  ? lock_acquire+0x10f/0x380
[   36.749791]  ? check_preemption_disabled+0x34/0x1e0
[   36.749802]  ? bpf_test_run+0xab/0x350
[   36.749820]  ? bpf_prog_test_run_skb+0x63d/0x8c0
[   36.749832]  ? bpf_test_init.isra.1+0xc0/0xc0
[   36.749842]  ? __fget_light+0x192/0x1f0
[   36.749848]  ? bpf_prog_add+0x42/0xa0
[   36.749854]  ? fput+0xa/0x130
[   36.749863]  ? bpf_test_init.isra.1+0xc0/0xc0
[   36.749871]  ? SyS_bpf+0x79d/0x3700
[   36.749884]  ? bpf_prog_get+0x20/0x20
[   36.749889]  ? _copy_to_user+0x7f/0xc0
[   36.749900]  ? put_timespec64+0xb9/0x110
[   36.749914]  ? do_clock_gettime+0x30/0xb0
[   36.749924]  ? SyS_clock_gettime+0x7b/0xd0
[   36.749931]  ? do_clock_gettime+0xb0/0xb0
[   36.749940]  ? do_syscall_64+0x43/0x4b0
[   36.749950]  ? bpf_prog_get+0x20/0x20
[   36.749955]  ? do_syscall_64+0x19b/0x4b0
[   36.749970]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   36.749987]
[   36.749991] Allocated by task 350:
[   36.749997]  kasan_kmalloc.part.1+0x4f/0xd0
[   36.750007]  kmem_cache_alloc+0xe4/0x2b0
[   36.750013]  getname_flags+0xc4/0x540
[   36.750018]  do_unlinkat+0xc9/0x650
[   36.750022]  do_syscall_64+0x19b/0x4b0
[   36.750028]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   36.750030]
[   36.750032] Freed by task 350:
[   36.750038]  kasan_slab_free+0xac/0x190
[   36.750042]  kmem_cache_free+0x12d/0x350
[   36.750047]  putname+0xcf/0x100
[   36.750052]  do_unlinkat+0x16c/0x650
[   36.750057]  do_syscall_64+0x19b/0x4b0
[   36.750062]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   36.750064]
[   36.750068] The buggy address belongs to the object at ffff8801c7c56600
[   36.750068]  which belongs to the cache names_cache of size 4096
[   36.750074] The buggy address is located 2064 bytes to the right of
[   36.750074]  4096-byte region [ffff8801c7c56600, ffff8801c7c57600)
[   36.750076] The buggy address belongs to the page:
[   36.750081] page:ffffea00071f1400 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[   36.750090] flags: 0x4000000000008100(slab|head)
[   36.750099] raw: 4000000000008100 0000000000000000 0000000000000000 0000000100070007
[   36.750107] raw: dead000000000100 dead000000000200 ffff8801da97e000 0000000000000000
[   36.750110] page dumped because: kasan: bad access detected
[   36.750111]
[   36.750113] Memory state around the buggy address:
[   36.750118]  ffff8801c7c57d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   36.750123]  ffff8801c7c57d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   36.750128] >ffff8801c7c57e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   36.750130]                       ^
[   36.750135]  ffff8801c7c57e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   36.750150]  ffff8801c7c57f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   36.750153] ==================================================================
[   36.750155] Disabling lock debugging due to kernel taint
[   36.750295] Kernel panic - not syncing: panic_on_warn set ...
[   36.750295]
[   36.750301] CPU: 0 PID: 4162 Comm: syz-executor2 Tainted: G    B            4.14.81+ #6
[   36.750303] Call Trace:
[   36.750310]  dump_stack+0xb9/0x11b
[   36.750318]  panic+0x1bf/0x3a4
[   36.750324]  ? add_taint.cold.4+0x16/0x16
[   36.750338]  kasan_end_report+0x43/0x49
[   36.750344]  kasan_report.cold.6+0x77/0x2dd
[   36.750350]  ? bpf_skb_change_tail+0xa2c/0xb90
[   36.750358]  bpf_skb_change_tail+0xa2c/0xb90
[   36.750368]  ___bpf_prog_run+0x248e/0x5c70
[   36.750375]  ? __free_insn_slot+0x490/0x490
[   36.750381]  ? bpf_jit_compile+0x30/0x30
[   36.750389]  ? depot_save_stack+0x20a/0x428
[   36.750397]  ? __bpf_prog_run512+0x99/0xe0
[   36.750403]  ? ___bpf_prog_run+0x5c70/0x5c70
[   36.750421]  ? __lock_acquire+0x619/0x4320
[   36.750431]  ? trace_hardirqs_on+0x10/0x10
[   36.750439]  ? trace_hardirqs_on+0x10/0x10
[   36.750446]  ? __lock_acquire+0x619/0x4320
[   36.750457]  ? bpf_test_run+0x57/0x350
[   36.750467]  ? lock_acquire+0x10f/0x380
[   36.750474]  ? check_preemption_disabled+0x34/0x1e0
[   36.750482]  ? bpf_test_run+0xab/0x350
[   36.750493]  ? bpf_prog_test_run_skb+0x63d/0x8c0
[   36.750501]  ? bpf_test_init.isra.1+0xc0/0xc0
[   36.750508]  ? __fget_light+0x192/0x1f0
[   36.750513]  ? bpf_prog_add+0x42/0xa0
[   36.750517]  ? fput+0xa/0x130
[   36.750531]  ? bpf_test_init.isra.1+0xc0/0xc0
[   36.750537]  ? SyS_bpf+0x79d/0x3700
[   36.750546]  ? bpf_prog_get+0x20/0x20
[   36.750551]  ? _copy_to_user+0x7f/0xc0
[   36.750558]  ? put_timespec64+0xb9/0x110
[   36.750567]  ? do_clock_gettime+0x30/0xb0
[   36.750574]  ? SyS_clock_gettime+0x7b/0xd0
[   36.750580]  ? do_clock_gettime+0xb0/0xb0
[   36.750586]  ? do_syscall_64+0x43/0x4b0
[   36.750593]  ? bpf_prog_get+0x20/0x20
[   36.750598]  ? do_syscall_64+0x19b/0x4b0
[   36.750607]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   36.750952] Kernel Offset: 0x27200000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   37.304241] Rebooting in 86400 seconds..
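The report above ends at the reboot line. The following triage helper is an added example, not part of the syzbot report, of syzkaller or of the kernel: it parses the KASAN header, the slab-object description and the shadow-memory dump from a constructed excerpt of this report, re-derives where the faulting address sits relative to the named object, and looks up the shadow byte KASAN consulted. The point it makes about this report is that the "Allocated by"/"Freed by" stacks describe a names_cache object the access never touched: the address is 2064 bytes past that object's end and the shadow byte there is 0xfc (slab redzone), so the allocation stacks are not the cause and the bug has to be located in bpf_skb_change_tail's own pointer arithmetic. Poison values follow mm/kasan/kasan.h of v4.14; the sample text is constructed from the report with printk timestamps removed.

```python
"""Parse a KASAN slab-out-of-bounds report and cross-check its object/shadow claims."""
import re

# Constructed excerpt of the report on this page (printk timestamps removed).
SAMPLE_REPORT = """\
BUG: KASAN: slab-out-of-bounds in bpf_skb_change_tail+0xa2c/0xb90
Read of size 8 at addr ffff8801c7c57e10 by task syz-executor2/4162
CPU: 0 PID: 4162 Comm: syz-executor2 Not tainted 4.14.81+ #6
The buggy address belongs to the object at ffff8801c7c56600
 which belongs to the cache names_cache of size 4096
The buggy address is located 2064 bytes to the right of
 4096-byte region [ffff8801c7c56600, ffff8801c7c57600)
Memory state around the buggy address:
 ffff8801c7c57d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8801c7c57e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                      ^
 ffff8801c7c57e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

SHADOW_SCALE = 8          # one shadow byte describes an 8-byte granule
SHADOW_ROW_BYTES = 16 * SHADOW_SCALE  # each dumped row covers 128 bytes

# Poison values from mm/kasan/kasan.h (v4.14). 0x00 means fully accessible,
# 0x01..0x07 means only the first N bytes of the granule are accessible.
SHADOW_MEANING = {
    0xFF: "free page", 0xFE: "page redzone (kmalloc_large)",
    0xFC: "slab redzone (KASAN_KMALLOC_REDZONE)",
    0xFB: "freed slab object (KASAN_KMALLOC_FREE)",
    0xFA: "global variable redzone",
    0xF1: "stack left redzone", 0xF2: "stack mid redzone",
    0xF3: "stack right redzone", 0xF4: "stack partial redzone",
    0xF8: "use-after-scope",
}

HEADER_RE = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>\S+)")
ACCESS_RE = re.compile(r"(?P<kind>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                       r" by task (?P<task>\S+)/(?P<pid>\d+)")
OBJECT_RE = re.compile(r"belongs to the object at (?P<addr>[0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
CLAIM_RE = re.compile(r"located (?P<n>\d+) bytes (?P<side>to the right of|to the left of|inside of)")
REGION_RE = re.compile(r"(?P<size>\d+)-byte region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
SHADOW_ROW_RE = re.compile(r"^>?\s*(?P<addr>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})\s*$")


def shadow_byte_meaning(value):
    if value == 0:
        return "accessible"
    if 1 <= value <= 7:
        return "partially accessible (%d of 8 bytes)" % value
    return SHADOW_MEANING.get(value, "unknown poison 0x%02x" % value)


def parse_kasan_report(text):
    """Extract header, access, object and shadow rows into a dict."""
    r = {"shadow": {}}
    for line in text.splitlines():
        if (m := HEADER_RE.search(line)):
            r["bug"], r["func"] = m["bug"], m["func"]
        elif (m := ACCESS_RE.search(line)):
            r.update(kind=m["kind"], size=int(m["size"]), addr=int(m["addr"], 16),
                     task=m["task"], pid=int(m["pid"]))
        elif (m := OBJECT_RE.search(line)):
            r["object"] = int(m["addr"], 16)
        elif (m := CACHE_RE.search(line)):
            r["cache"], r["cache_size"] = m["cache"], int(m["size"])
        elif (m := CLAIM_RE.search(line)):
            r["claim_bytes"], r["claim_side"] = int(m["n"]), m["side"]
        elif (m := REGION_RE.search(line)):
            r["region_start"], r["region_end"] = int(m["start"], 16), int(m["end"], 16)
        elif (m := SHADOW_ROW_RE.match(line)):
            r["shadow"][int(m["addr"], 16)] = [int(b, 16) for b in m["bytes"].split()]
    return r


def locate_access(r):
    """Re-derive the access position relative to the slab object and the shadow byte hit."""
    addr, start, end = r["addr"], r["region_start"], r["region_end"]
    if addr < start:
        side, dist = "to the left of", start - addr
    elif addr >= end:
        side, dist = "to the right of", addr - end
    else:
        side, dist = "inside of", addr - start
    row = addr & ~(SHADOW_ROW_BYTES - 1)          # dumped row containing addr
    granule = (addr - row) // SHADOW_SCALE         # index of the shadow byte within the row
    value = r["shadow"][row][granule] if row in r["shadow"] else None
    return {
        "side": side, "distance": dist,
        "claim_matches": (side, dist) == (r["claim_side"], r["claim_bytes"]),
        "shadow_value": value,
        "shadow_meaning": shadow_byte_meaning(value) if value is not None else "row not in dump",
        # an 8-byte read at an 8-aligned address touches exactly one granule
        "granules_touched": (addr % SHADOW_SCALE + r["size"] + SHADOW_SCALE - 1) // SHADOW_SCALE,
    }


if __name__ == "__main__":
    rep = parse_kasan_report(SAMPLE_REPORT)
    loc = locate_access(rep)
    print("%s in %s: %s of %d bytes at %#x by %s/%d" % (
        rep["bug"], rep["func"], rep["kind"], rep["size"], rep["addr"], rep["task"], rep["pid"]))
    print("named object: %s (%d bytes) at %#x" % (rep["cache"], rep["cache_size"], rep["object"]))
    print("access is %d bytes %s that object; report claim consistent: %s" % (
        loc["distance"], loc["side"], loc["claim_matches"]))
    print("shadow byte: 0x%02x = %s" % (loc["shadow_value"], loc["shadow_meaning"]))
```

Run it as-is and it confirms the numbers in the report: 0xffff8801c7c57e10 minus the region end 0xffff8801c7c57600 is 0x810 = 2064, and the second granule of the `>` row is 0xfc. When the shadow byte is 0xfb instead, the same helper tells you the access hit freed memory and the "Freed by" stack is the one to read.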