[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   18.303838] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.710695] random: sshd: uninitialized urandom read (32 bytes read)
[   23.085127] random: sshd: uninitialized urandom read (32 bytes read)
[   23.832530] random: sshd: uninitialized urandom read (32 bytes read)
[   27.577562] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.4' (ECDSA) to the list of known hosts.
[   32.971517] random: sshd: uninitialized urandom read (32 bytes read)
2018/05/21 18:34:34 parsed 1 programs
2018/05/21 18:34:34 executed programs: 0
[   33.504329] IPVS: ftp: loaded support on port[0] = 21
[   33.628933] bridge0: port 1(bridge_slave_0) entered blocking state
[   33.635401] bridge0: port 1(bridge_slave_0) entered disabled state
[   33.642752] device bridge_slave_0 entered promiscuous mode
[   33.658913] bridge0: port 2(bridge_slave_1) entered blocking state
[   33.665288] bridge0: port 2(bridge_slave_1) entered disabled state
[   33.672469] device bridge_slave_1 entered promiscuous mode
[   33.688583] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   33.705077] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   33.745270] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   33.763345] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   33.824564] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   33.831796] team0: Port device team_slave_0 added
[   33.847215] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   33.854509] team0: Port device team_slave_1 added
[   33.869386] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   33.886986] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   33.903532] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   33.923108] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   34.038240] bridge0: port 2(bridge_slave_1) entered blocking state
[   34.044688] bridge0: port 2(bridge_slave_1) entered forwarding state
[   34.051692] bridge0: port 1(bridge_slave_0) entered blocking state
[   34.058087] bridge0: port 1(bridge_slave_0) entered forwarding state
[   34.470257] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   34.476364] 8021q: adding VLAN 0 to HW filter on device bond0
[   34.518290] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   34.561687] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   34.570937] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   34.607858] 8021q: adding VLAN 0 to HW filter on device team0
[   34.847832] ==================================================================
[   34.855329] BUG: KASAN: use-after-free in nla_strlcpy+0x13d/0x150
[   34.861565] Read of size 1 at addr ffff8801d42af51d by task syz-executor0/4704
[   34.868906] 
[   34.870520] CPU: 0 PID: 4704 Comm: syz-executor0 Not tainted 4.17.0-rc6+ #87
[   34.877686] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.887032] Call Trace:
[   34.889615]  dump_stack+0x1b9/0x294
[   34.893315]  ? dump_stack_print_info.cold.2+0x52/0x52
[   34.898488]  ? printk+0x9e/0xba
[   34.901749]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   34.906496]  ? kasan_check_write+0x14/0x20
[   34.910721]  print_address_description+0x6c/0x20b
[   34.915546]  ? nla_strlcpy+0x13d/0x150
[   34.919414]  kasan_report.cold.7+0x242/0x2fe
[   34.923821]  __asan_report_load1_noabort+0x14/0x20
[   34.928743]  nla_strlcpy+0x13d/0x150
[   34.932440]  nfnl_acct_new+0x574/0xc50
[   34.936308]  ? nfnl_acct_overquota+0x380/0x380
[   34.940874]  ? debug_check_no_locks_freed+0x310/0x310
[   34.946046]  ? graph_lock+0x170/0x170
[   34.949835]  ? print_usage_bug+0xc0/0xc0
[   34.953891]  ? get_futex_key+0xf83/0x1e90
[   34.958031]  ? find_held_lock+0x36/0x1c0
[   34.962077]  ? graph_lock+0x170/0x170
[   34.965870]  ? lock_downgrade+0x8e0/0x8e0
[   34.970005]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.975533]  ? __lock_is_held+0xb5/0x140
[   34.979600]  ? nfnl_acct_overquota+0x380/0x380
[   34.984164]  nfnetlink_rcv_msg+0xdb5/0xff0
[   34.988382]  ? __lock_is_held+0xb5/0x140
[   34.992437]  ? __sanitizer_cov_trace_cmp1+0x17/0x20
[   34.997457]  ? nfnetlink_rcv_msg+0x3bc/0xff0
[   35.001870]  ? nfnetlink_bind+0x3a0/0x3a0
[   35.006006]  ? graph_lock+0x170/0x170
[   35.009795]  ? find_held_lock+0x36/0x1c0
[   35.013844]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   35.019375]  netlink_rcv_skb+0x172/0x440
[   35.024428]  ? nfnetlink_bind+0x3a0/0x3a0
[   35.028569]  ? netlink_ack+0xbc0/0xbc0
[   35.032445]  ? __netlink_ns_capable+0x100/0x130
[   35.037109]  nfnetlink_rcv+0x1fe/0x1ba0
[   35.041092]  ? kasan_check_read+0x11/0x20
[   35.045229]  ? rcu_is_watching+0x85/0x140
[   35.049361]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   35.054547]  ? nfnl_err_reset+0x2d0/0x2d0
[   35.058695]  ? netlink_remove_tap+0x610/0x610
[   35.063181]  ? refcount_add_not_zero+0x320/0x320
[   35.067920]  ? kasan_check_read+0x11/0x20
[   35.072054]  ? rcu_is_watching+0x85/0x140
[   35.076182]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   35.081354]  ? netlink_skb_destructor+0x210/0x210
[   35.086179]  ? kasan_check_write+0x14/0x20
[   35.090395]  netlink_unicast+0x58b/0x740
[   35.094440]  ? netlink_attachskb+0x970/0x970
[   35.098839]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   35.104361]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   35.109359]  ? security_netlink_send+0x88/0xb0
[   35.113931]  netlink_sendmsg+0x9f0/0xfa0
[   35.117985]  ? netlink_unicast+0x740/0x740
[   35.122206]  ? pud_val+0x80/0xf0
[   35.125563]  ? security_socket_sendmsg+0x94/0xc0
[   35.130308]  ? netlink_unicast+0x740/0x740
[   35.134535]  sock_sendmsg+0xd5/0x120
[   35.138232]  sock_write_iter+0x35a/0x5a0
[   35.142362]  ? sock_sendmsg+0x120/0x120
[   35.146317]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   35.151063]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   35.156585]  ? iov_iter_init+0xc9/0x1f0
[   35.160547]  __vfs_write+0x64d/0x960
[   35.164258]  ? kernel_read+0x120/0x120
[   35.168133]  ? handle_mm_fault+0x8c0/0xc70
[   35.172351]  ? rw_verify_area+0x118/0x360
[   35.176515]  vfs_write+0x1f8/0x560
[   35.180042]  ksys_write+0xf9/0x250
[   35.183574]  ? __ia32_sys_read+0xb0/0xb0
[   35.187629]  ? mm_fault_error+0x380/0x380
[   35.191779]  __ia32_sys_write+0x71/0xb0
[   35.195743]  do_fast_syscall_32+0x345/0xf9b
[   35.200059]  ? do_int80_syscall_32+0x880/0x880
[   35.204624]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   35.209365]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   35.214886]  ? syscall_return_slowpath+0x30f/0x5c0
[   35.219798]  ? sysret32_from_system_call+0x5/0x46
[   35.224621]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   35.229455]  entry_SYSENTER_compat+0x70/0x7f
[   35.233847] RIP: 0023:0xf7f0dcb9
[   35.237189] RSP: 002b:00000000ff957cfc EFLAGS: 00000286 ORIG_RAX: 0000000000000004
[   35.244876] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000040
[   35.252122] RDX: 000000000000001f RSI: 0000000000000000 RDI: 0000000000000000
[   35.259370] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   35.266619] R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
[   35.273884] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   35.281138] 
[   35.282746] Allocated by task 3109:
[   35.286357]  save_stack+0x43/0xd0
[   35.289797]  kasan_kmalloc+0xc4/0xe0
[   35.293491]  kasan_slab_alloc+0x12/0x20
[   35.297445]  kmem_cache_alloc+0x12e/0x760
[   35.301577]  copy_process.part.38+0x2d37/0x6e90
[   35.306226]  _do_fork+0x291/0x12a0
[   35.309744]  __x64_sys_clone+0xbf/0x150
[   35.313703]  do_syscall_64+0x1b1/0x800
[   35.317577]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.322742] 
[   35.324353] Freed by task 3110:
[   35.327639]  save_stack+0x43/0xd0
[   35.331080]  __kasan_slab_free+0x11a/0x170
[   35.335300]  kasan_slab_free+0xe/0x10
[   35.339082]  kmem_cache_free+0x86/0x2d0
[   35.343042]  remove_vma+0x164/0x1b0
[   35.346647]  exit_mmap+0x35d/0x5a0
[   35.350164]  mmput+0x251/0x610
[   35.353341]  flush_old_exec+0xb94/0x20e0
[   35.357388]  load_elf_binary+0xa33/0x5610
[   35.361513]  search_binary_handler+0x17d/0x570
[   35.366073]  do_execveat_common.isra.34+0x16ce/0x2590
[   35.371241]  __x64_sys_execve+0x8d/0xb0
[   35.375196]  do_syscall_64+0x1b1/0x800
[   35.379065]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.384238] 
[   35.385850] The buggy address belongs to the object at ffff8801d42af460
[   35.385850]  which belongs to the cache vm_area_struct of size 200
[   35.398757] The buggy address is located 189 bytes inside of
[   35.398757]  200-byte region [ffff8801d42af460, ffff8801d42af528)
[   35.410616] The buggy address belongs to the page:
[   35.415527] page:ffffea000750abc0 count:1 mapcount:0 mapping:ffff8801d42af040 index:0x0
[   35.423655] flags: 0x2fffc0000000100(slab)
[   35.427874] raw: 02fffc0000000100 ffff8801d42af040 0000000000000000 000000010000000f
[   35.435741] raw: ffffea0006cc6820 ffffea0006ca5e60 ffff8801da97a840 0000000000000000
[   35.443599] page dumped because: kasan: bad access detected
[   35.449285] 
[   35.450888] Memory state around the buggy address:
[   35.455797]  ffff8801d42af400: fb fb fb fb fc fc fc fc fc fc fc fc fb fb fb fb
[   35.463149]  ffff8801d42af480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.470493] >ffff8801d42af500: fb fb fb fb fb fc fc fc fc fc fc fc fc fb fb fb
[   35.477844]                             ^
[   35.481975]  ffff8801d42af580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.489318]  ffff8801d42af600: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fb fb
[   35.496664] ==================================================================
[   35.504006] Disabling lock debugging due to kernel taint
[   35.509847] Kernel panic - not syncing: panic_on_warn set ...
[   35.509847] 
[   35.517226] CPU: 0 PID: 4704 Comm: syz-executor0 Tainted: G    B             4.17.0-rc6+ #87
[   35.525794] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.535154] Call Trace:
[   35.537739]  dump_stack+0x1b9/0x294
[   35.541350]  ? dump_stack_print_info.cold.2+0x52/0x52
[   35.546523]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   35.551263]  ? nla_strlcpy+0x110/0x150
[   35.555155]  panic+0x22f/0x4de
[   35.558325]  ? add_taint.cold.5+0x16/0x16
[   35.562457]  ? do_raw_spin_unlock+0x9e/0x2e0
[   35.566869]  ? do_raw_spin_unlock+0x9e/0x2e0
[   35.571259]  ? nla_strlcpy+0x13d/0x150
[   35.575134]  kasan_end_report+0x47/0x4f
[   35.579096]  kasan_report.cold.7+0x76/0x2fe
[   35.583406]  __asan_report_load1_noabort+0x14/0x20
[   35.588318]  nla_strlcpy+0x13d/0x150
[   35.592023]  nfnl_acct_new+0x574/0xc50
[   35.595902]  ? nfnl_acct_overquota+0x380/0x380
[   35.600486]  ? debug_check_no_locks_freed+0x310/0x310
[   35.605674]  ? graph_lock+0x170/0x170
[   35.609462]  ? print_usage_bug+0xc0/0xc0
[   35.613504]  ? get_futex_key+0xf83/0x1e90
[   35.617630]  ? find_held_lock+0x36/0x1c0
[   35.621684]  ? graph_lock+0x170/0x170
[   35.625465]  ? lock_downgrade+0x8e0/0x8e0
[   35.629597]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   35.635114]  ? __lock_is_held+0xb5/0x140
[   35.639166]  ? nfnl_acct_overquota+0x380/0x380
[   35.643735]  nfnetlink_rcv_msg+0xdb5/0xff0
[   35.647957]  ? __lock_is_held+0xb5/0x140
[   35.652003]  ? __sanitizer_cov_trace_cmp1+0x17/0x20
[   35.657008]  ? nfnetlink_rcv_msg+0x3bc/0xff0
[   35.661404]  ? nfnetlink_bind+0x3a0/0x3a0
[   35.665531]  ? graph_lock+0x170/0x170
[   35.669310]  ? find_held_lock+0x36/0x1c0
[   35.673350]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   35.678869]  netlink_rcv_skb+0x172/0x440
[   35.682920]  ? nfnetlink_bind+0x3a0/0x3a0
[   35.687062]  ? netlink_ack+0xbc0/0xbc0
[   35.690929]  ? __netlink_ns_capable+0x100/0x130
[   35.695576]  nfnetlink_rcv+0x1fe/0x1ba0
[   35.699533]  ? kasan_check_read+0x11/0x20
[   35.703675]  ? rcu_is_watching+0x85/0x140
[   35.707809]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   35.712981]  ? nfnl_err_reset+0x2d0/0x2d0
[   35.717109]  ? netlink_remove_tap+0x610/0x610
[   35.721584]  ? refcount_add_not_zero+0x320/0x320
[   35.726317]  ? kasan_check_read+0x11/0x20
[   35.730442]  ? rcu_is_watching+0x85/0x140
[   35.734570]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   35.739740]  ? netlink_skb_destructor+0x210/0x210
[   35.744574]  ? kasan_check_write+0x14/0x20
[   35.748790]  netlink_unicast+0x58b/0x740
[   35.752830]  ? netlink_attachskb+0x970/0x970
[   35.757216]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   35.762733]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   35.767736]  ? security_netlink_send+0x88/0xb0
[   35.772301]  netlink_sendmsg+0x9f0/0xfa0
[   35.776345]  ? netlink_unicast+0x740/0x740
[   35.780561]  ? pud_val+0x80/0xf0
[   35.783905]  ? security_socket_sendmsg+0x94/0xc0
[   35.788637]  ? netlink_unicast+0x740/0x740
[   35.792852]  sock_sendmsg+0xd5/0x120
[   35.796573]  sock_write_iter+0x35a/0x5a0
[   35.800623]  ? sock_sendmsg+0x120/0x120
[   35.804576]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   35.809314]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   35.814830]  ? iov_iter_init+0xc9/0x1f0
[   35.818786]  __vfs_write+0x64d/0x960
[   35.822487]  ? kernel_read+0x120/0x120
[   35.826356]  ? handle_mm_fault+0x8c0/0xc70
[   35.830571]  ? rw_verify_area+0x118/0x360
[   35.834697]  vfs_write+0x1f8/0x560
[   35.838217]  ksys_write+0xf9/0x250
[   35.841748]  ? __ia32_sys_read+0xb0/0xb0
[   35.845798]  ? mm_fault_error+0x380/0x380
[   35.849924]  __ia32_sys_write+0x71/0xb0
[   35.853877]  do_fast_syscall_32+0x345/0xf9b
[   35.858177]  ? do_int80_syscall_32+0x880/0x880
[   35.862739]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   35.867477]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   35.872999]  ? syscall_return_slowpath+0x30f/0x5c0
[   35.877913]  ? sysret32_from_system_call+0x5/0x46
[   35.882734]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   35.887563]  entry_SYSENTER_compat+0x70/0x7f
[   35.891949] RIP: 0023:0xf7f0dcb9
[   35.895291] RSP: 002b:00000000ff957cfc EFLAGS: 00000286 ORIG_RAX: 0000000000000004
[   35.902975] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000040
[   35.910221] RDX: 000000000000001f RSI: 0000000000000000 RDI: 0000000000000000
[   35.917469] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   35.924715] R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
[   35.931967] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   35.939834] Dumping ftrace buffer:
[   35.943361]    (ftrace buffer empty)
[   35.947052] Kernel Offset: disabled
[   35.950656] Rebooting in 86400 seconds..