[....] Starting enhanced syslogd: rsyslogd
[   15.295489] audit: type=1400 audit(1521536147.871:4): avc: denied { syslog } for pid=3646 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.13' (ECDSA) to the list of known hosts.
2018/03/20 08:55:59 parsed 1 programs
2018/03/20 08:55:59 executed programs: 0

syzkaller login: [   27.022978] IPVS: Creating netns size=2536 id=1
[   27.043526] ==================================================================
[   27.050911] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x153e/0x3470
[   27.057458] Read of size 8160 at addr ffff8801c33691c0 by task syz-executor0/3815
[   27.065042]
[   27.066643] CPU: 1 PID: 3815 Comm: syz-executor0 Not tainted 4.9.88-g71df7bb #8
[   27.074054] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.083383]  ffff8801d790f718 ffffffff81d95f19 ffffea00070cda00 ffff8801c33691c0
[   27.091363]  0000000000000000 ffff8801c3369380 ffff8801d790f958 ffff8801d790f750
[   27.099342]  ffffffff8153e793 ffff8801c33691c0 0000000000001fe0 0000000000000000
[   27.107393] Call Trace:
[   27.109953]  [] dump_stack+0xc1/0x128
[   27.115290]  [] print_address_description+0x73/0x280
[   27.121926]  [] kasan_report+0x255/0x380
[   27.127518]  [] ? pfkey_add+0x153e/0x3470
[   27.133199]  [] check_memory_region+0x137/0x190
[   27.139406]  [] memcpy+0x23/0x50
[   27.144311]  [] pfkey_add+0x153e/0x3470
[   27.149825]  [] ? pfkey_delete+0x360/0x360
[   27.155591]  [] ? pfkey_seq_stop+0x80/0x80
[   27.161359]  [] ? __skb_clone+0x24a/0x7d0
[   27.167039]  [] ? pfkey_delete+0x360/0x360
[   27.172805]  [] pfkey_process+0x68b/0x750
[   27.178484]  [] ? pfkey_send_new_mapping+0x11b0/0x11b0
[   27.185296]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   27.192213]  [] pfkey_sendmsg+0x3a9/0x760
[   27.197895]  [] ? pfkey_spdget+0x820/0x820
[   27.203661]  [] sock_sendmsg+0xca/0x110
[   27.209169]  [] ___sys_sendmsg+0x6d1/0x7e0
[   27.214935]  [] ? copy_msghdr_from_user+0x570/0x570
[   27.221484]  [] ? do_futex+0x3f8/0x15c0
[   27.226995]  [] ? __lru_cache_add+0x187/0x250
[   27.233035]  [] ? do_huge_pmd_anonymous_page+0xb05/0x10d0
[   27.240106]  [] ? exit_robust_list+0x230/0x230
[   27.246221]  [] ? do_huge_pmd_anonymous_page+0x2d4/0x10d0
[   27.253295]  [] ? __fget_light+0x169/0x1f0
[   27.259069]  [] ? __fdget+0x18/0x20
[   27.264232]  [] ? sockfd_lookup_light+0x118/0x160
[   27.270607]  [] __sys_sendmsg+0xd6/0x190
[   27.276199]  [] ? SyS_shutdown+0x1b0/0x1b0
[   27.281967]  [] ? compat_SyS_futex+0x1f9/0x2a0
[   27.288084]  [] compat_SyS_sendmsg+0x2a/0x40
[   27.294025]  [] ? compat_SyS_getsockopt+0x2a0/0x2a0
[   27.300578]  [] do_fast_syscall_32+0x2f5/0x870
[   27.306692]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   27.313328]  [] entry_SYSENTER_compat+0x90/0xa2
[   27.319524]
[   27.321123] Allocated by task 3815:
[   27.324719]  save_stack_trace+0x16/0x20
[   27.328673]  save_stack+0x43/0xd0
[   27.332096]  kasan_kmalloc+0xad/0xe0
[   27.335784]  kasan_slab_alloc+0x12/0x20
[   27.339725]  __kmalloc_track_caller+0xda/0x2b0
[   27.344277]  __kmalloc_reserve.isra.37+0x33/0xc0
[   27.349010]  __alloc_skb+0x119/0x600
[   27.352694]  pfkey_sendmsg+0x135/0x760
[   27.356550]  sock_sendmsg+0xca/0x110
[   27.360233]  ___sys_sendmsg+0x6d1/0x7e0
[   27.364177]  __sys_sendmsg+0xd6/0x190
[   27.368296]  compat_SyS_sendmsg+0x2a/0x40
[   27.372502]  do_fast_syscall_32+0x2f5/0x870
[   27.376795]  entry_SYSENTER_compat+0x90/0xa2
[   27.381176]
[   27.382773] Freed by task 2202:
[   27.386026]  save_stack_trace+0x16/0x20
[   27.389970]  save_stack+0x43/0xd0
[   27.393396]  kasan_slab_free+0x72/0xc0
[   27.397251]  kfree+0x103/0x300
[   27.400413]  load_elf_binary+0x1cf1/0x4690
[   27.404618]  search_binary_handler+0x142/0x6b0
[   27.409178]  do_execveat_common.isra.37+0x1594/0x1f10
[   27.414336]  SyS_execve+0x42/0x50
[   27.417935]  do_syscall_64+0x1a4/0x490
[   27.421796]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   27.426869]
[   27.428466] The buggy address belongs to the object at ffff8801c3369180
[   27.428466]  which belongs to the cache kmalloc-512 of size 512
[   27.441089] The buggy address is located 64 bytes inside of
[   27.441089]  512-byte region [ffff8801c3369180, ffff8801c3369380)
[   27.452847] The buggy address belongs to the page:
[   27.457750] page:ffffea00070cda00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[   27.467910] flags: 0x8000000000004080(slab|head)
[   27.472643] page dumped because: kasan: bad access detected
[   27.478318]
[   27.479915] Memory state around the buggy address:
[   27.484815]  ffff8801c3369280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   27.492143]  ffff8801c3369300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   27.499478] >ffff8801c3369380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.506813]                    ^
[   27.510152]  ffff8801c3369400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   27.517485]  ffff8801c3369480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   27.524816] ==================================================================
[   27.532155] Disabling lock debugging due to kernel taint
[   27.537757] Kernel panic - not syncing: panic_on_warn set ...
[   27.537757]
[   27.545106] CPU: 1 PID: 3815 Comm: syz-executor0 Tainted: G B 4.9.88-g71df7bb #8
[   27.553738] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.563061]  ffff8801d790f670 ffffffff81d95f19 ffffffff841981e7 ffff8801d790f748
[   27.571056]  0000000000000000 ffff8801c3369380 ffff8801d790f958 ffff8801d790f738
[   27.579038]  ffffffff8142fa71 0000000041b58ab3 ffffffff8418bc48 ffffffff8142f8b5
[   27.587012] Call Trace:
[   27.589569]  [] dump_stack+0xc1/0x128
[   27.594907]  [] panic+0x1bc/0x3a8
[   27.599891]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   27.608092]  [] ? preempt_schedule+0x25/0x30
[   27.614038]  [] ? ___preempt_schedule+0x16/0x18
[   27.620238]  [] kasan_end_report+0x50/0x50
[   27.626005]  [] kasan_report+0x16b/0x380
[   27.631604]  [] ? pfkey_add+0x153e/0x3470
[   27.637289]  [] check_memory_region+0x137/0x190
[   27.643488]  [] memcpy+0x23/0x50
[   27.648383]  [] pfkey_add+0x153e/0x3470
[   27.653894]  [] ? pfkey_delete+0x360/0x360
[   27.659675]  [] ? pfkey_seq_stop+0x80/0x80
[   27.665450]  [] ? __skb_clone+0x24a/0x7d0
[   27.671217]  [] ? pfkey_delete+0x360/0x360
[   27.676983]  [] pfkey_process+0x68b/0x750
[   27.682665]  [] ? pfkey_send_new_mapping+0x11b0/0x11b0
[   27.689474]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   27.696387]  [] pfkey_sendmsg+0x3a9/0x760
[   27.702069]  [] ? pfkey_spdget+0x820/0x820
[   27.707835]  [] sock_sendmsg+0xca/0x110
[   27.713337]  [] ___sys_sendmsg+0x6d1/0x7e0
[   27.719115]  [] ? copy_msghdr_from_user+0x570/0x570
[   27.725665]  [] ? do_futex+0x3f8/0x15c0
[   27.731170]  [] ? __lru_cache_add+0x187/0x250
[   27.737197]  [] ? do_huge_pmd_anonymous_page+0xb05/0x10d0
[   27.744277]  [] ? exit_robust_list+0x230/0x230
[   27.750390]  [] ? do_huge_pmd_anonymous_page+0x2d4/0x10d0
[   27.757459]  [] ? __fget_light+0x169/0x1f0
[   27.763225]  [] ? __fdget+0x18/0x20
[   27.768382]  [] ? sockfd_lookup_light+0x118/0x160
[   27.774760]  [] __sys_sendmsg+0xd6/0x190
[   27.780355]  [] ? SyS_shutdown+0x1b0/0x1b0
[   27.786125]  [] ? compat_SyS_futex+0x1f9/0x2a0
[   27.792239]  [] compat_SyS_sendmsg+0x2a/0x40
[   27.798179]  [] ? compat_SyS_getsockopt+0x2a0/0x2a0
[   27.804736]  [] do_fast_syscall_32+0x2f5/0x870
[   27.810848]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   27.817483]  [] entry_SYSENTER_compat+0x90/0xa2
[   27.824168] Dumping ftrace buffer:
[   27.827769]    (ftrace buffer empty)
[   27.831452] Kernel Offset: disabled
[   27.835048] Rebooting in 86400 seconds..
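Added triage aid, not part of this syzkaller log and not kernel code: a small Python parser that pulls the fields a triager reads first out of a KASAN report (bug class, faulting function, access size and offset, object cache and geometry, the call/allocation/free stacks, the first poisoned shadow byte) and cross-checks the numbers the report states in more than one place. The SAMPLE input is constructed from the report above with most frames trimmed; the shadow-byte names and the regular expressions assume the 4.9-era KASAN report wording, and newer kernels phrase some of these lines differently.

```python
"""Triage helper: parse a KASAN report into structured fields and cross-check them.
Added example for this page; it is not part of the syzkaller log above or of the kernel.
SAMPLE is constructed from the report's own lines (most frames trimmed); the regexes
follow the 4.9-era KASAN report wording."""
import re

SAMPLE = """\
[   27.050911] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x153e/0x3470
[   27.057458] Read of size 8160 at addr ffff8801c33691c0 by task syz-executor0/3815
[   27.107393] Call Trace:
[   27.127518]  [] ? pfkey_add+0x153e/0x3470
[   27.139406]  [] memcpy+0x23/0x50
[   27.144311]  [] pfkey_add+0x153e/0x3470
[   27.319524]
[   27.321123] Allocated by task 3815:
[   27.344277]  __kmalloc_reserve.isra.37+0x33/0xc0
[   27.349010]  __alloc_skb+0x119/0x600
[   27.352694]  pfkey_sendmsg+0x135/0x760
[   27.381176]
[   27.382773] Freed by task 2202:
[   27.397251]  kfree+0x103/0x300
[   27.400413]  load_elf_binary+0x1cf1/0x4690
[   27.426869]
[   27.428466]  which belongs to the cache kmalloc-512 of size 512
[   27.441089] The buggy address is located 64 bytes inside of
[   27.441089]  512-byte region [ffff8801c3369180, ffff8801c3369380)
[   27.499478] >ffff8801c3369380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

SHADOW = {0x00: "addressable", 0xfb: "freed slab object", 0xfc: "slab redzone", 0xff: "free page"}
_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
_BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+0x")
_ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
_CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<objsize>\d+)")
_OFFSET = re.compile(r"located (?P<off>\d+) bytes (?P<where>inside of|to the right of|to the left of)")
_REGION = re.compile(r"region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
_SHADOW = re.compile(r"^>(?P<addr>[0-9a-f]+): (?P<bytes>(?:[0-9a-f]{2} ?)+)$")
_FRAME = re.compile(r"^(?:\[[^\]]*\]\s*)?(?P<q>\? )?(?P<sym>[\w.]+)\+0x")
_INTERNAL = ("save_stack", "kasan_", "__kmalloc", "kmem_cache", "kfree", "kmalloc")  # bookkeeping frames

def _frames(lines, start):
    """Symbols of one stack section (ends at a blank line); '? ' entries are unverified stack slots and are skipped."""
    out = []
    for line in lines[start:]:
        if not line.strip():
            break
        m = _FRAME.match(line.strip())
        if m and not m.group("q"):
            out.append(m.group("sym"))
    return out

def parse_kasan(text):
    """Bug class, faulting function, access, object geometry, stacks and first poisoned shadow byte."""
    lines = [_TS.sub("", ln) for ln in text.splitlines()]
    r = {}
    for i, line in enumerate(lines):
        s = line.strip()
        if m := _BUG.search(s):
            r["kind"], r["func"] = m.group("kind"), m.group("func")
        elif m := _ACCESS.search(s):
            r["op"], r["size"] = m.group("op"), int(m.group("size"))
            r["addr"], r["task"] = int(m.group("addr"), 16), m.group("task")
        elif m := _CACHE.search(s):
            r["cache"], r["objsize"] = m.group("cache"), int(m.group("objsize"))
        elif m := _OFFSET.search(s):
            r["offset"], r["where"] = int(m.group("off")), m.group("where")
        elif m := _REGION.search(s):
            r["start"], r["end"] = int(m.group("start"), 16), int(m.group("end"), 16)
        elif s == "Call Trace:":
            r["trace"] = _frames(lines, i + 1)
        elif s.startswith("Allocated by task"):
            r["alloc"] = _frames(lines, i + 1)
        elif s.startswith("Freed by task"):
            r["free"] = _frames(lines, i + 1)
        elif m := _SHADOW.match(s):
            # The '>' row holds the first bad byte; one shadow byte covers 8 bytes of memory.
            row = int(m.group("addr"), 16)
            vals = [int(b, 16) for b in m.group("bytes").split()]
            if (bad := next((k for k, v in enumerate(vals) if v), None)) is not None:
                r["first_poison"] = row + 8 * bad
                r["poison"] = SHADOW.get(vals[bad], "other poison")
    return r

def first_real_frame(frames):
    """First frame that is not allocator/KASAN bookkeeping: the real alloc or free site."""
    return next((f for f in frames if not f.startswith(_INTERNAL)), None)

def overrun(r):
    """Bytes of the access that lie past the object's end (the whole access if already outside)."""
    return r["size"] if r["where"] != "inside of" else max(0, r["offset"] + r["size"] - r["objsize"])

def consistency_checks(r):
    """Cross-check facts the report states twice; a failure means a truncated or edited log."""
    return {
        "addr_matches_offset": r["addr"] - r["start"] == r["offset"],
        "region_matches_cache": r["end"] - r["start"] == r["objsize"],
        "poison_starts_at_object_end": r["first_poison"] == r["end"],
        "faulting_func_in_trace": r["func"] in r["trace"],
    }
```

Run over the report above, this gives a Read of 8160 bytes starting 64 bytes into a 512-byte kmalloc-512 object, that is 7712 bytes past the object's end, with the slab redzone (fc) beginning exactly at the end of the 512-byte region; the object is the skb data buffer allocated through __alloc_skb from pfkey_sendmsg, and the oversized memcpy runs inside pfkey_add. Two caveats when reading reports of this kind: the "Freed by task 2202" stack (load_elf_binary) describes the slot's previous occupant, not the live object pfkey_add is reading, because an out-of-bounds report shows the last free recorded for that slab slot; and the "?" frames in the call trace are unverified stack slots, which is why the parser drops them rather than using them to reconstruct the call path.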