[ ok ] Starting enhanced syslogd: rsyslogd.
[   12.055524] audit: type=1400 audit(1514540489.603:5): avc: denied { syslog } for pid=2991 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
Starting mcstransd: 
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: 
[   18.708765] audit: type=1400 audit(1514540496.256:6): avc: denied { map } for pid=3131 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.12' (ECDSA) to the list of known hosts.
executing program
[   40.436901] audit: type=1400 audit(1514540517.984:7): avc: denied { map } for pid=3148 comm="syzkaller274632" path="/root/syzkaller274632759" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   40.441427] ==================================================================
[   40.441445] BUG: KASAN: slab-out-of-bounds in cap_convert_nscap+0x501/0x610
[   40.441449] Read of size 4 at addr ffff8801cb5b85c0 by task syzkaller274632/3148
[   40.441450] 
[   40.441456] CPU: 1 PID: 3148 Comm: syzkaller274632 Not tainted 4.15.0-rc5+ #240
[   40.441459] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   40.441461] Call Trace:
[   40.441469]  dump_stack+0x194/0x257
[   40.441477]  ? arch_local_irq_restore+0x53/0x53
[   40.441485]  ? show_regs_print_info+0x18/0x18
[   40.441494]  ? lock_release+0xa40/0xa40
[   40.441499]  ? cap_convert_nscap+0x501/0x610
[   40.441507]  print_address_description+0x73/0x250
[   40.441512]  ? cap_convert_nscap+0x501/0x610
[   40.441518]  kasan_report+0x25b/0x340
[   40.441527]  __asan_report_load4_noabort+0x14/0x20
[   40.441533]  cap_convert_nscap+0x501/0x610
[   40.441539]  ? kasan_check_write+0x14/0x20
[   40.441550]  setxattr+0x365/0x400
[   40.441553]  ? setxattr+0x365/0x400
[   40.441561]  ? vfs_setxattr+0xe0/0xe0
[   40.441567]  ? lock_acquire+0x1d5/0x580
[   40.441570]  ? lock_acquire+0x1d5/0x580
[   40.441575]  ? mnt_want_write_file_path+0x68/0x110
[   40.441588]  ? __lock_is_held+0xb6/0x140
[   40.441605]  ? rcu_read_lock_sched_held+0x108/0x120
[   40.441610]  ? rcu_sync_lockdep_assert+0x6d/0xb0
[   40.441614]  ? mnt_clone_write+0xc9/0x110
[   40.441620]  ? __mnt_want_write_file+0x7c/0xb0
[   40.441630]  SyS_fsetxattr+0x130/0x190
[   40.441641]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   40.441646] RIP: 0033:0x43fcb9
[   40.441648] RSP: 002b:00007ffceb9ed048 EFLAGS: 00000203 ORIG_RAX: 00000000000000be
[   40.441653] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fcb9
[   40.441655] RDX: 00000000209b8000 RSI: 0000000020d4bfe8 RDI: 0000000000000003
[   40.441658] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[   40.441660] R10: 0000000000000001 R11: 0000000000000203 R12: 0000000000401620
[   40.441663] R13: 00000000004016b0 R14: 0000000000000000 R15: 0000000000000000
[   40.441679] 
[   40.441681] Allocated by task 3148:
[   40.441685]  save_stack+0x43/0xd0
[   40.441689]  kasan_kmalloc+0xad/0xe0
[   40.441693]  __kmalloc_node+0x47/0x70
[   40.441697]  kvmalloc_node+0x99/0xd0
[   40.441700]  setxattr+0x152/0x400
[   40.441703]  SyS_fsetxattr+0x130/0x190
[   40.441707]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   40.441708] 
[   40.441710] Freed by task 1646:
[   40.441713]  save_stack+0x43/0xd0
[   40.441716]  kasan_slab_free+0x71/0xc0
[   40.441719]  kfree+0xd6/0x260
[   40.441724]  sel_write_context+0x1bd/0x340
[   40.441727]  selinux_transaction_write+0xd1/0x130
[   40.441731]  __vfs_write+0xef/0x970
[   40.441733]  vfs_write+0x189/0x510
[   40.441736]  SyS_write+0xef/0x220
[   40.441740]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   40.441741] 
[   40.441744] The buggy address belongs to the object at ffff8801cb5b85c0
[   40.441744]  which belongs to the cache kmalloc-32 of size 32
[   40.441747] The buggy address is located 0 bytes inside of
[   40.441747]  32-byte region [ffff8801cb5b85c0, ffff8801cb5b85e0)
[   40.441749] The buggy address belongs to the page:
[   40.441753] page:00000000ed0eaf71 count:1 mapcount:0 mapping:000000001f984ceb index:0xffff8801cb5b8fc1
[   40.441757] flags: 0x2fffc0000000100(slab)
[   40.441764] raw: 02fffc0000000100 ffff8801cb5b8000 ffff8801cb5b8fc1 000000010000003f
[   40.441768] raw: ffffea00072468e0 ffffea0007246e20 ffff8801db0001c0 0000000000000000
[   40.441770] page dumped because: kasan: bad access detected
[   40.441772] 
[   40.441773] Memory state around the buggy address:
[   40.441777]  ffff8801cb5b8480: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc
[   40.441780]  ffff8801cb5b8500: 00 00 01 fc fc fc fc fc fb fb fb fb fc fc fc fc
[   40.441783] >ffff8801cb5b8580: fb fb fb fb fc fc fc fc 01 fc fc fc fc fc fc fc
[   40.441784]                                            ^
[   40.441787]  ffff8801cb5b8600: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   40.441790]  ffff8801cb5b8680: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   40.441792] ==================================================================
[   40.441793] Disabling lock debugging due to kernel taint
[   40.441796] Kernel panic - not syncing: panic_on_warn set ...
[   40.441796] 
[   40.441800] CPU: 1 PID: 3148 Comm: syzkaller274632 Tainted: G    B    4.15.0-rc5+ #240
[   40.441802] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   40.441803] Call Trace:
[   40.441807]  dump_stack+0x194/0x257
[   40.441812]  ? arch_local_irq_restore+0x53/0x53
[   40.441815]  ? kasan_end_report+0x32/0x50
[   40.441820]  ? lock_downgrade+0x980/0x980
[   40.441825]  ? vsnprintf+0x1ed/0x1900
[   40.441830]  ? cap_convert_nscap+0x410/0x610
[   40.441835]  panic+0x1e4/0x41c
[   40.441839]  ? refcount_error_report+0x214/0x214
[   40.441845]  ? add_taint+0x40/0x50
[   40.441849]  ? add_taint+0x1c/0x50
[   40.441855]  ? cap_convert_nscap+0x501/0x610
[   40.441859]  kasan_end_report+0x50/0x50
[   40.441862]  kasan_report+0x144/0x340
[   40.441869]  __asan_report_load4_noabort+0x14/0x20
[   40.441873]  cap_convert_nscap+0x501/0x610
[   40.441877]  ? kasan_check_write+0x14/0x20
[   40.441883]  setxattr+0x365/0x400
[   40.441886]  ? setxattr+0x365/0x400
[   40.441892]  ? vfs_setxattr+0xe0/0xe0
[   40.441896]  ? lock_acquire+0x1d5/0x580
[   40.441899]  ? lock_acquire+0x1d5/0x580
[   40.441903]  ? mnt_want_write_file_path+0x68/0x110
[   40.441911]  ? __lock_is_held+0xb6/0x140
[   40.441921]  ? rcu_read_lock_sched_held+0x108/0x120
[   40.441925]  ? rcu_sync_lockdep_assert+0x6d/0xb0
[   40.441928]  ? mnt_clone_write+0xc9/0x110
[   40.441933]  ? __mnt_want_write_file+0x7c/0xb0
[   40.441939]  SyS_fsetxattr+0x130/0x190
[   40.441945]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   40.441948] RIP: 0033:0x43fcb9
[   40.441950] RSP: 002b:00007ffceb9ed048 EFLAGS: 00000203 ORIG_RAX: 00000000000000be
[   40.441954] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fcb9
[   40.441956] RDX: 00000000209b8000 RSI: 0000000020d4bfe8 RDI: 0000000000000003
[   40.441958] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[   40.441960] R10: 0000000000000001 R11: 0000000000000203 R12: 0000000000401620
[   40.441962] R13: 00000000004016b0 R14: 0000000000000000 R15: 0000000000000000
[   40.462783] Dumping ftrace buffer:
[   40.462787]    (ftrace buffer empty)
[   40.462789] Kernel Offset: disabled
[   41.057625] Rebooting in 86400 seconds..