Warning: Permanently added '10.128.0.169' (ECDSA) to the list of known hosts.
[ 38.643781] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 38.760593] audit: type=1400 audit(1575334489.173:36): avc: denied { map } for pid=6993 comm="syz-executor391" path="/root/syz-executor391329638" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 38.799716] ==================================================================
[ 38.799756] BUG: KASAN: slab-out-of-bounds in fbcon_get_font+0x288/0x550
[ 38.799763] Read of size 16 at addr ffff8880a50c1290 by task syz-executor391/6993
[ 38.799765]
[ 38.799775] CPU: 1 PID: 6993 Comm: syz-executor391 Not tainted 4.14.157-syzkaller #0
[ 38.799780] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.799783] Call Trace:
[ 38.799797] dump_stack+0x142/0x197
[ 38.799807] ? chv_dpio_cmn_power_well_disable+0x80/0x220
[ 38.799816] ? fbcon_get_font+0x288/0x550
[ 38.799827] print_address_description.cold+0x7c/0x1dc
[ 38.799835] ? fbcon_get_font+0x288/0x550
[ 38.799842] kasan_report.cold+0xa9/0x2af
[ 38.799853] check_memory_region+0x123/0x190
[ 38.799861] memcpy+0x24/0x50
[ 38.799870] fbcon_get_font+0x288/0x550
[ 38.799881] ? display_to_var+0x7e0/0x7e0
[ 38.799892] con_font_op+0x1d5/0x1060
[ 38.799902] ? con_write+0xc0/0xc0
[ 38.799915] ? kasan_check_write+0x14/0x20
[ 38.799925] ? _copy_from_user+0x99/0x110
[ 38.799936] vt_ioctl+0x179f/0x2170
[ 38.799943] ? avc_has_extended_perms+0x8ec/0xe40
[ 38.799952] ? complete_change_console+0x360/0x360
[ 38.799960] ? avc_ss_reset+0x110/0x110
[ 38.799966] ? kasan_slab_free+0x75/0xc0
[ 38.799977] ? SyS_open+0x2d/0x40
[ 38.799987] ? do_syscall_64+0x1e8/0x640
[ 38.799997] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 38.800014] ? debug_check_no_obj_freed+0x2aa/0x7b7
[ 38.800021] ? tty_jobctrl_ioctl+0x44/0xc10
[ 38.800028] ? complete_change_console+0x360/0x360
[ 38.800038] tty_ioctl+0x841/0x1320
[ 38.800047] ? tty_vhangup+0x30/0x30
[ 38.800064] ? __might_sleep+0x93/0xb0
[ 38.800078] ? tty_vhangup+0x30/0x30
[ 38.800087] do_vfs_ioctl+0x7ae/0x1060
[ 38.800096] ? selinux_file_mprotect+0x5d0/0x5d0
[ 38.800104] ? ioctl_preallocate+0x1c0/0x1c0
[ 38.800110] ? putname+0xe0/0x120
[ 38.800119] ? do_sys_open+0x221/0x430
[ 38.800132] ? security_file_ioctl+0x7d/0xb0
[ 38.800138] ? security_file_ioctl+0x89/0xb0
[ 38.800148] SyS_ioctl+0x8f/0xc0
[ 38.800156] ? do_vfs_ioctl+0x1060/0x1060
[ 38.800164] do_syscall_64+0x1e8/0x640
[ 38.800172] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 38.800184] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 38.800190] RIP: 0033:0x4444d9
[ 38.800195] RSP: 002b:00007ffee4b581b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 38.800203] RAX: ffffffffffffffda RBX: 00007ffee4b581c0 RCX: 00000000004444d9
[ 38.800208] RDX: 0000000020000440 RSI: 0000000000004b72 RDI: 0000000000000005
[ 38.800212] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000400da0
[ 38.800217] R10: 00007ffee4b57d00 R11: 0000000000000246 R12: 00000000004021e0
[ 38.800221] R13: 0000000000402270 R14: 0000000000000000 R15: 0000000000000000
[ 38.800234]
[ 38.800238] Allocated by task 6993:
[ 38.800248] save_stack_trace+0x16/0x20
[ 38.800254] save_stack+0x45/0xd0
[ 38.800260] kasan_kmalloc+0xce/0xf0
[ 38.800266] __kmalloc+0x15d/0x7a0
[ 38.800272] fbcon_set_font+0x2f8/0x7b0
[ 38.800278] con_font_op+0xc0f/0x1060
[ 38.800285] vt_ioctl+0xb80/0x2170
[ 38.800291] tty_ioctl+0x841/0x1320
[ 38.800297] do_vfs_ioctl+0x7ae/0x1060
[ 38.800302] SyS_ioctl+0x8f/0xc0
[ 38.800307] do_syscall_64+0x1e8/0x640
[ 38.800314] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 38.800316]
[ 38.800319] Freed by task 0:
[ 38.800321] (stack is not available)
[ 38.800323]
[ 38.800328] The buggy address belongs to the object at ffff8880a50c0880
[ 38.800328] which belongs to the cache kmalloc-4096 of size 4096
[ 38.800334] The buggy address is located 2576 bytes inside of
[ 38.800334] 4096-byte region [ffff8880a50c0880, ffff8880a50c1880)
[ 38.800337] The buggy address belongs to the page:
[ 38.800342] page:ffffea0002943000 count:1 mapcount:0 mapping:ffff8880a50c0880 index:0x0 compound_mapcount: 0
[ 38.800352] flags: 0xfffe0000008100(slab|head)
[ 38.800361] raw: 00fffe0000008100 ffff8880a50c0880 0000000000000000 0000000100000001
[ 38.800365] raw: ffffea0001eccda0 ffffea000247b6a0 ffff8880aa800dc0 0000000000000000
[ 38.800367] page dumped because: kasan: bad access detected
[ 38.800369]
[ 38.800370] Memory state around the buggy address:
[ 38.800374] ffff8880a50c1180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 38.800377] ffff8880a50c1200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 38.800380] >ffff8880a50c1280: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 38.800382] ^
[ 38.800385] ffff8880a50c1300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 38.800388] ffff8880a50c1380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 38.800390] ==================================================================
[ 38.800392] Disabling lock debugging due to kernel taint
[ 38.800424] Kernel panic - not syncing: panic_on_warn set ...
[ 38.800424]
[ 38.800431] CPU: 1 PID: 6993 Comm: syz-executor391 Tainted: G B 4.14.157-syzkaller #0
[ 38.800434] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.800436] Call Trace:
[ 38.800446] dump_stack+0x142/0x197
[ 38.800454] ? fbcon_get_font+0x288/0x550
[ 38.800461] panic+0x1f9/0x42d
[ 38.800466] ? add_taint.cold+0x16/0x16
[ 38.800474] kasan_end_report+0x47/0x4f
[ 38.800478] kasan_report.cold+0x130/0x2af
[ 38.800483] check_memory_region+0x123/0x190
[ 38.800486] memcpy+0x24/0x50
[ 38.800490] fbcon_get_font+0x288/0x550
[ 38.800495] ? display_to_var+0x7e0/0x7e0
[ 38.800498] con_font_op+0x1d5/0x1060
[ 38.800503] ? con_write+0xc0/0xc0
[ 38.800508] ? kasan_check_write+0x14/0x20
[ 38.800514] ? _copy_from_user+0x99/0x110
[ 38.800519] vt_ioctl+0x179f/0x2170
[ 38.800523] ? avc_has_extended_perms+0x8ec/0xe40
[ 38.800528] ? complete_change_console+0x360/0x360
[ 38.800531] ? avc_ss_reset+0x110/0x110
[ 38.800535] ? kasan_slab_free+0x75/0xc0
[ 38.800539] ? SyS_open+0x2d/0x40
[ 38.800543] ? do_syscall_64+0x1e8/0x640
[ 38.800547] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 38.800552] ? debug_check_no_obj_freed+0x2aa/0x7b7
[ 38.800556] ? tty_jobctrl_ioctl+0x44/0xc10
[ 38.800560] ? complete_change_console+0x360/0x360
[ 38.800565] tty_ioctl+0x841/0x1320
[ 38.800569] ? tty_vhangup+0x30/0x30
[ 38.800576] ? __might_sleep+0x93/0xb0
[ 38.800581] ? tty_vhangup+0x30/0x30
[ 38.800585] do_vfs_ioctl+0x7ae/0x1060
[ 38.800591] ? selinux_file_mprotect+0x5d0/0x5d0
[ 38.800595] ? ioctl_preallocate+0x1c0/0x1c0
[ 38.800598] ? putname+0xe0/0x120
[ 38.800603] ? do_sys_open+0x221/0x430
[ 38.800608] ? security_file_ioctl+0x7d/0xb0
[ 38.800611] ? security_file_ioctl+0x89/0xb0
[ 38.800616] SyS_ioctl+0x8f/0xc0
[ 38.800619] ? do_vfs_ioctl+0x1060/0x1060
[ 38.800624] do_syscall_64+0x1e8/0x640
[ 38.800627] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 38.800632] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 38.800635] RIP: 0033:0x4444d9
[ 38.800637] RSP: 002b:00007ffee4b581b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 38.800642] RAX: ffffffffffffffda RBX: 00007ffee4b581c0 RCX: 00000000004444d9
[ 38.800644] RDX: 0000000020000440 RSI: 0000000000004b72 RDI: 0000000000000005
[ 38.800647] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000400da0
[ 38.800649] R10: 00007ffee4b57d00 R11: 0000000000000246 R12: 00000000004021e0
[ 38.800651] R13: 0000000000402270 R14: 0000000000000000 R15: 0000000000000000
[ 38.801987] Kernel Offset: disabled
[ 39.498015] Rebooting in 86400 seconds..