[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 33.720389] random: sshd: uninitialized urandom read (32 bytes read)
[ 33.966240] kauditd_printk_skb: 10 callbacks suppressed
[ 33.966248] audit: type=1400 audit(1567015451.499:35): avc: denied { map } for pid=6875 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 34.021539] random: sshd: uninitialized urandom read (32 bytes read)
[ 34.534289] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.64' (ECDSA) to the list of known hosts.
[ 40.180378] urandom_read: 1 callbacks suppressed
[ 40.180382] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 40.300685] audit: type=1400 audit(1567015457.839:36): avc: denied { map } for pid=6888 comm="syz-executor117" path="/root/syz-executor117959427" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 40.328629] ==================================================================
[ 40.336284] BUG: KASAN: slab-out-of-bounds in bpf_clone_redirect+0x2de/0x2f0
[ 40.343619] Read of size 8 at addr ffff888080d5cbd0 by task syz-executor117/6888
[ 40.351134]
[ 40.352754] CPU: 0 PID: 6888 Comm: syz-executor117 Not tainted 4.14.140 #36
[ 40.359834] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.369181] Call Trace:
[ 40.371765]  dump_stack+0x138/0x197
[ 40.375379]  ? bpf_clone_redirect+0x2de/0x2f0
[ 40.379872]  print_address_description.cold+0x7c/0x1dc
[ 40.385192]  ? bpf_clone_redirect+0x2de/0x2f0
[ 40.389679]  kasan_report.cold+0xa9/0x2af
[ 40.393817]  __asan_report_load8_noabort+0x14/0x20
[ 40.398737]  bpf_clone_redirect+0x2de/0x2f0
[ 40.403563]  ? bpf_prog_test_run_skb+0x157/0x9a0
[ 40.408309]  ? SyS_bpf+0x6ad/0x2da8
[ 40.413173]  bpf_prog_fbe9546a32ffc29e+0xd31/0x1000
[ 40.418683]  ? trace_hardirqs_on+0x10/0x10
[ 40.423104]  ? trace_hardirqs_on+0x10/0x10
[ 40.427939]  ? bpf_test_run+0x44/0x330
[ 40.432002]  ? find_held_lock+0x35/0x130
[ 40.436538]  ? bpf_test_run+0x44/0x330
[ 40.440440]  ? lock_acquire+0x16f/0x430
[ 40.444858]  ? check_preemption_disabled+0x3c/0x250
[ 40.450092]  ? bpf_test_run+0xa8/0x330
[ 40.454219]  ? bpf_prog_test_run_skb+0x6c2/0x9a0
[ 40.459260]  ? bpf_test_init.isra.0+0xe0/0xe0
[ 40.463761]  ? __bpf_prog_get+0x153/0x1a0
[ 40.468179]  ? SyS_bpf+0x6ad/0x2da8
[ 40.471942]  ? __do_page_fault+0x4e9/0xb80
[ 40.476319]  ? bpf_test_init.isra.0+0xe0/0xe0
[ 40.480983]  ? bpf_prog_get+0x20/0x20
[ 40.484917]  ? lock_downgrade+0x6e0/0x6e0
[ 40.489253]  ? up_read+0x1a/0x40
[ 40.492619]  ? __do_page_fault+0x358/0xb80
[ 40.496847]  ? bpf_prog_get+0x20/0x20
[ 40.500751]  ? do_syscall_64+0x1e8/0x640
[ 40.504841]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 40.510114]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 40.515506]
[ 40.517124] Allocated by task 0:
[ 40.520471] (stack is not available)
[ 40.524175]
[ 40.525788] Freed by task 0:
[ 40.528961] (stack is not available)
[ 40.532660]
[ 40.534277] The buggy address belongs to the object at ffff888080d5cb40
[ 40.534277]  which belongs to the cache skbuff_head_cache of size 232
[ 40.549026] The buggy address is located 144 bytes inside of
[ 40.549026]  232-byte region [ffff888080d5cb40, ffff888080d5cc28)
[ 40.561242] The buggy address belongs to the page:
[ 40.566161] page:ffffea0002035700 count:1 mapcount:0 mapping:ffff888080d5c000 index:0x0
[ 40.574293] flags: 0x1fffc0000000100(slab)
[ 40.578776] raw: 01fffc0000000100 ffff888080d5c000 0000000000000000 000000010000000c
[ 40.586877] raw: ffffea00022d1120 ffff8880a9e63648 ffff88821b75f240 0000000000000000
[ 40.594941] page dumped because: kasan: bad access detected
[ 40.600646]
[ 40.602445] Memory state around the buggy address:
[ 40.607518]  ffff888080d5ca80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.615009]  ffff888080d5cb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.622360] >ffff888080d5cb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.629706]                                                  ^
[ 40.635984]  ffff888080d5cc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.643911]  ffff888080d5cc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.651591] ==================================================================
[ 40.659194] Disabling lock debugging due to kernel taint
[ 40.664942] Kernel panic - not syncing: panic_on_warn set ...
[ 40.664942]
[ 40.672314] CPU: 0 PID: 6888 Comm: syz-executor117 Tainted: G    B   4.14.140 #36
[ 40.681138] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.690780] Call Trace:
[ 40.693477]  dump_stack+0x138/0x197
[ 40.697216]  ? bpf_clone_redirect+0x2de/0x2f0
[ 40.701935]  panic+0x1f2/0x426
[ 40.705653]  ? add_taint.cold+0x16/0x16
[ 40.709790]  kasan_end_report+0x47/0x4f
[ 40.713756]  kasan_report.cold+0x130/0x2af
[ 40.718136]  __asan_report_load8_noabort+0x14/0x20
[ 40.723214]  bpf_clone_redirect+0x2de/0x2f0
[ 40.727833]  ? bpf_prog_test_run_skb+0x157/0x9a0
[ 40.733101]  ? SyS_bpf+0x6ad/0x2da8
[ 40.736720]  bpf_prog_fbe9546a32ffc29e+0xd31/0x1000
[ 40.742117]  ? trace_hardirqs_on+0x10/0x10
[ 40.746355]  ? trace_hardirqs_on+0x10/0x10
[ 40.750582]  ? bpf_test_run+0x44/0x330
[ 40.754463]  ? find_held_lock+0x35/0x130
[ 40.758564]  ? bpf_test_run+0x44/0x330
[ 40.762473]  ? lock_acquire+0x16f/0x430
[ 40.766895]  ? check_preemption_disabled+0x3c/0x250
[ 40.771998]  ? bpf_test_run+0xa8/0x330
[ 40.775885]  ? bpf_prog_test_run_skb+0x6c2/0x9a0
[ 40.780630]  ? bpf_test_init.isra.0+0xe0/0xe0
[ 40.785122]  ? __bpf_prog_get+0x153/0x1a0
[ 40.789261]  ? SyS_bpf+0x6ad/0x2da8
[ 40.792877]  ? __do_page_fault+0x4e9/0xb80
[ 40.797284]  ? bpf_test_init.isra.0+0xe0/0xe0
[ 40.801777]  ? bpf_prog_get+0x20/0x20
[ 40.805611]  ? lock_downgrade+0x6e0/0x6e0
[ 40.809966]  ? up_read+0x1a/0x40
[ 40.813322]  ? __do_page_fault+0x358/0xb80
[ 40.817545]  ? bpf_prog_get+0x20/0x20
[ 40.821335]  ? do_syscall_64+0x1e8/0x640
[ 40.825578]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 40.830609]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 40.837784] Kernel Offset: disabled
[ 40.842024] Rebooting in 86400 seconds..