[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 33.592867] random: sshd: uninitialized urandom read (32 bytes read)
[ 34.061524] audit: type=1400 audit(1569085627.269:6): avc: denied { map } for pid=1778 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 34.099121] random: sshd: uninitialized urandom read (32 bytes read)
[ 34.615077] random: sshd: uninitialized urandom read (32 bytes read)
[ 34.777573] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.27' (ECDSA) to the list of known hosts.
[ 40.296815] random: sshd: uninitialized urandom read (32 bytes read)
[ 40.407674] audit: type=1400 audit(1569085633.609:7): avc: denied { map } for pid=1790 comm="syz-executor788" path="/root/syz-executor788222504" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
[ 41.201378] ==================================================================
[ 41.209055] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x19d/0x1f0
[ 41.215796] Read of size 2 at addr ffff8881d7271430 by task syz-executor788/1791
[ 41.223395]
[ 41.225008] CPU: 0 PID: 1791 Comm: syz-executor788 Not tainted 4.14.145+ #0
[ 41.232144] Call Trace:
[ 41.234733]  dump_stack+0xca/0x134
[ 41.238254]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 41.242844]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 41.247243]  print_address_description+0x60/0x226
[ 41.252086]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 41.256482]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 41.260875]  __kasan_report.cold+0x1a/0x41
[ 41.265153]  ? kvm_guest_cpu_init+0x220/0x220
[ 41.269644]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 41.274045]  tcp_init_tso_segs+0x19d/0x1f0
[ 41.278263]  ? tcp_tso_segs+0x7b/0x1c0
[ 41.282131]  tcp_write_xmit+0x15a/0x4730
[ 41.286180]  ? memset+0x20/0x40
[ 41.289446]  __tcp_push_pending_frames+0xa0/0x230
[ 41.294282]  tcp_send_fin+0x154/0xbc0
[ 41.298091]  tcp_close+0xc62/0xf40
[ 41.301619]  inet_release+0xe9/0x1c0
[ 41.305320]  __sock_release+0xd2/0x2c0
[ 41.309186]  ? __sock_release+0x2c0/0x2c0
[ 41.313318]  sock_close+0x15/0x20
[ 41.316756]  __fput+0x25e/0x710
[ 41.320024]  task_work_run+0x125/0x1a0
[ 41.323899]  do_exit+0x9cb/0x2a20
[ 41.327344]  ? mm_update_next_owner+0x610/0x610
[ 41.332012]  do_group_exit+0x100/0x2e0
[ 41.335878]  SyS_exit_group+0x19/0x20
[ 41.339826]  ? do_group_exit+0x2e0/0x2e0
[ 41.343876]  do_syscall_64+0x19b/0x520
[ 41.347747]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 41.352928] RIP: 0033:0x440608
[ 41.356194] RSP: 002b:00007ffd59483058 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 41.363977] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000440608
[ 41.371228] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 41.378498] RBP: 00000000004c6950 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 41.385758] R10: 1000000020000000 R11: 0000000000000246 R12: 0000000000000001
[ 41.393010] R13: 00000000006d95e0 R14: 0000000000000000 R15: 0000000000000000
[ 41.400284]
[ 41.401916] Allocated by task 1791:
[ 41.405544]  __kasan_kmalloc.part.0+0x53/0xc0
[ 41.410022]  kmem_cache_alloc+0xee/0x360
[ 41.414070]  __alloc_skb+0xea/0x5c0
[ 41.417677]  sk_stream_alloc_skb+0xf4/0x8a0
[ 41.423203]  tcp_sendmsg_locked+0xf11/0x2f50
[ 41.427600]  tcp_sendmsg+0x2b/0x40
[ 41.431141]  inet_sendmsg+0x15b/0x520
[ 41.434919]  sock_sendmsg+0xb7/0x100
[ 41.438620]  SyS_sendto+0x1de/0x2f0
[ 41.442232]  do_syscall_64+0x19b/0x520
[ 41.446112]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 41.451291]  0xffffffffffffffff
[ 41.454544]
[ 41.456148] Freed by task 1791:
[ 41.459408]  __kasan_slab_free+0x164/0x210
[ 41.463622]  kmem_cache_free+0xd7/0x3b0
[ 41.467580]  kfree_skbmem+0x84/0x110
[ 41.471272]  tcp_remove_empty_skb+0x264/0x320
[ 41.475743]  tcp_sendmsg_locked+0x1c09/0x2f50
[ 41.480216]  tcp_sendmsg+0x2b/0x40
[ 41.483746]  inet_sendmsg+0x15b/0x520
[ 41.488049]  sock_sendmsg+0xb7/0x100
[ 41.492982]  SyS_sendto+0x1de/0x2f0
[ 41.496690]  do_syscall_64+0x19b/0x520
[ 41.501008]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 41.506176]  0xffffffffffffffff
[ 41.509431]
[ 41.511570] The buggy address belongs to the object at ffff8881d7271400
[ 41.511570]  which belongs to the cache skbuff_fclone_cache of size 456
[ 41.525161] The buggy address is located 48 bytes inside of
[ 41.525161]  456-byte region [ffff8881d7271400, ffff8881d72715c8)
[ 41.537027] The buggy address belongs to the page:
[ 41.541945] page:ffffea00075c9c00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[ 41.551897] flags: 0x4000000000010200(slab|head)
[ 41.556676] raw: 4000000000010200 0000000000000000 0000000000000000 00000001800c000c
[ 41.564535] raw: dead000000000100 dead000000000200 ffff8881dab70400 0000000000000000
[ 41.572407] page dumped because: kasan: bad access detected
[ 41.578091]
[ 41.579695] Memory state around the buggy address:
[ 41.584617]  ffff8881d7271300: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 41.592126]  ffff8881d7271380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.599488] >ffff8881d7271400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.606860]                                      ^
[ 41.612002]  ffff8881d7271480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.619349]  ffff8881d7271500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.627066] ==================================================================
[ 41.634413] Disabling lock debugging due to kernel taint
[ 41.640173] Kernel panic - not syncing: panic_on_warn set ...
[ 41.640173]
[ 41.647536] CPU: 0 PID: 1791 Comm: syz-executor788 Tainted: G    B   4.14.145+ #0
[ 41.655841] Call Trace:
[ 41.658427]  dump_stack+0xca/0x134
[ 41.661967]  panic+0x1ea/0x3d3
[ 41.665140]  ? add_taint.cold+0x16/0x16
[ 41.669094]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 41.673619]  ? ___preempt_schedule+0x16/0x18
[ 41.678018]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 41.682419]  end_report+0x43/0x49
[ 41.685848]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 41.690232]  __kasan_report.cold+0xd/0x41
[ 41.694414]  ? kvm_guest_cpu_init+0x220/0x220
[ 41.698886]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 41.703286]  tcp_init_tso_segs+0x19d/0x1f0
[ 41.708044]  ? tcp_tso_segs+0x7b/0x1c0
[ 41.711920]  tcp_write_xmit+0x15a/0x4730
[ 41.715963]  ? memset+0x20/0x40
[ 41.719355]  __tcp_push_pending_frames+0xa0/0x230
[ 41.724187]  tcp_send_fin+0x154/0xbc0
[ 41.728063]  tcp_close+0xc62/0xf40
[ 41.731612]  inet_release+0xe9/0x1c0
[ 41.735523]  __sock_release+0xd2/0x2c0
[ 41.739391]  ? __sock_release+0x2c0/0x2c0
[ 41.743613]  sock_close+0x15/0x20
[ 41.747072]  __fput+0x25e/0x710
[ 41.750646]  task_work_run+0x125/0x1a0
[ 41.754532]  do_exit+0x9cb/0x2a20
[ 41.757975]  ? mm_update_next_owner+0x610/0x610
[ 41.762636]  do_group_exit+0x100/0x2e0
[ 41.766524]  SyS_exit_group+0x19/0x20
[ 41.770307]  ? do_group_exit+0x2e0/0x2e0
[ 41.774455]  do_syscall_64+0x19b/0x520
[ 41.778334]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 41.783504] RIP: 0033:0x440608
[ 41.786679] RSP: 002b:00007ffd59483058 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 41.795056] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000440608
[ 41.802322] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 41.809579] RBP: 00000000004c6950 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 41.816826] R10: 1000000020000000 R11: 0000000000000246 R12: 0000000000000001
[ 41.824073] R13: 00000000006d95e0 R14: 0000000000000000 R15: 0000000000000000
[ 41.832035] Kernel Offset: 0x1c400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 41.842950] Rebooting in 86400 seconds..
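What a triager needs out of the report above is the allocation site, the free site and the use site, each tied to the system call that reached it, plus a check that the printed access address, object base, object size and offset agree with one another. The Python below is an added example, not part of the syzkaller console output and not syzkaller's own reporting code; it parses an abridged excerpt of the report (lines copied from the log above) and derives those facts. The list of "plumbing" frames to skip and the syscall-handler prefixes (SyS_, sys_, __x64_sys_ and so on) are this example's own assumptions, tuned to the 4.14 trace format seen here.

```python
"""Triage helper for a KASAN report pulled out of syzkaller console output."""
import re
from dataclasses import dataclass, field

# Abridged lines copied from the console log above (not constructed data).
CONSOLE_LOG = """\
[ 41.209055] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x19d/0x1f0
[ 41.215796] Read of size 2 at addr ffff8881d7271430 by task syz-executor788/1791
[ 41.232144] Call Trace:
[ 41.234733]  dump_stack+0xca/0x134
[ 41.238254]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 41.260875]  __kasan_report.cold+0x1a/0x41
[ 41.274045]  tcp_init_tso_segs+0x19d/0x1f0
[ 41.282131]  tcp_write_xmit+0x15a/0x4730
[ 41.294282]  tcp_send_fin+0x154/0xbc0
[ 41.298091]  tcp_close+0xc62/0xf40
[ 41.335878]  SyS_exit_group+0x19/0x20
[ 41.352928] RIP: 0033:0x440608
[ 41.401916] Allocated by task 1791:
[ 41.410022]  kmem_cache_alloc+0xee/0x360
[ 41.414070]  __alloc_skb+0xea/0x5c0
[ 41.423203]  tcp_sendmsg_locked+0xf11/0x2f50
[ 41.438620]  SyS_sendto+0x1de/0x2f0
[ 41.454544]
[ 41.456148] Freed by task 1791:
[ 41.463622]  kmem_cache_free+0xd7/0x3b0
[ 41.467580]  kfree_skbmem+0x84/0x110
[ 41.471272]  tcp_remove_empty_skb+0x264/0x320
[ 41.492982]  SyS_sendto+0x1de/0x2f0
[ 41.509431]
[ 41.511570] The buggy address belongs to the object at ffff8881d7271400
[ 41.511570]  which belongs to the cache skbuff_fclone_cache of size 456
[ 41.525161] The buggy address is located 48 bytes inside of
[ 41.525161]  456-byte region [ffff8881d7271400, ffff8881d72715c8)
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\s?")                 # dmesg timestamp
FRAME = re.compile(r"^\s*(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
BUG = re.compile(r"BUG: KASAN: ([\w-]+) in ([\w.]+)\+0x")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
OBJECT = re.compile(r"belongs to the object at ([0-9a-f]+)")
CACHE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
OFFSET = re.compile(r"located (\d+) bytes inside of")
# Assumed syscall-handler prefixes (4.14 uses SyS_; newer kernels __x64_sys_).
SYSCALL = re.compile(r"^(?:SyS_|sys_|__x64_sys_|__se_sys_|__do_sys_)(\w+)")
# Assumed: reporting/allocator plumbing that is never the bug itself.
PLUMBING = ("dump_stack", "print_address_description", "__kasan_", "kasan_",
            "end_report", "kmem_cache_alloc", "kmem_cache_free", "__kmalloc")


@dataclass
class KasanReport:
    bug_type: str = ""
    culprit: str = ""                # function named on the BUG: line
    access: str = ""                 # Read or Write
    size: int = 0
    addr: int = 0
    comm: str = ""
    pid: int = 0
    call_trace: list = field(default_factory=list)   # '? foo' frames dropped
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)
    object_base: int = 0
    cache: str = ""
    object_size: int = 0
    reported_offset: int = -1

    def title(self):
        """syzkaller-style one-line title, e.g. 'KASAN: use-after-free Read in f'."""
        return f"KASAN: {self.bug_type} {self.access} in {self.culprit}"

    def offset_in_object(self):
        return self.addr - self.object_base

    def consistent(self):
        """Do the printed address, object base, size and offset agree?"""
        off = self.offset_in_object()
        return off == self.reported_offset and 0 <= off < self.object_size


def parse_kasan_report(text):
    rep, section = KasanReport(), None      # section: the stack being filled
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        if m := BUG.search(line):
            rep.bug_type, rep.culprit = m.group(1), m.group(2)
        elif m := ACCESS.search(line):
            rep.access, rep.size = m.group(1), int(m.group(2))
            rep.addr, rep.comm, rep.pid = int(m.group(3), 16), m.group(4), int(m.group(5))
        elif line.startswith("Call Trace:"):
            section = rep.call_trace
        elif line.startswith("Allocated by task"):
            section = rep.alloc_stack
        elif line.startswith("Freed by task"):
            section = rep.free_stack
        elif (m := FRAME.match(line)) and section is not None:
            if m.group(1) is None:          # '? foo' is a stale slot, not a caller
                section.append(m.group(2))
        else:
            section = None                  # any other line ends the stack
            if m := OBJECT.search(line):
                rep.object_base = int(m.group(1), 16)
            elif m := CACHE.search(line):
                rep.cache, rep.object_size = m.group(1), int(m.group(2))
            elif m := OFFSET.search(line):
                rep.reported_offset = int(m.group(1))
    return rep


def first_real_frame(stack):
    """Top-most frame that is not KASAN/slab plumbing."""
    return next((f for f in stack if not f.startswith(PLUMBING)), None)


def entry_syscall(stack):
    """Name of the system call whose handler appears in the stack, if any."""
    for func in stack:
        m = SYSCALL.match(func)
        if m:
            return m.group(1)
    return None


def triage(rep):
    """Alloc, free and use sites, each paired with the syscall that reached them."""
    return {
        "title": rep.title(),
        "alloc": (first_real_frame(rep.alloc_stack), entry_syscall(rep.alloc_stack)),
        "free": (first_real_frame(rep.free_stack), entry_syscall(rep.free_stack)),
        "use": (first_real_frame(rep.call_trace), entry_syscall(rep.call_trace)),
        "object": (rep.cache, rep.object_size, rep.offset_in_object()),
        "consistent": rep.consistent(),
    }
```

Run on this report, triage() says the skb was allocated in __alloc_skb and freed in kfree_skbmem, both under sendto(2) inside the same tcp_sendmsg_locked call (the free comes from tcp_remove_empty_skb), and then read two bytes at offset 48 of the 456-byte skbuff_fclone_cache object in tcp_init_tso_segs under exit_group(2), when tcp_close sent the FIN. The freed skb was therefore still reached from the socket's send path after sendmsg returned, which is what makes this a real use-after-free rather than a stale pointer in a stack slot; consistent() confirms that the address, object base and offset the report prints agree with each other.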