[   11.451657] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   13.221503] random: sshd: uninitialized urandom read (32 bytes read)
[   13.371796] audit: type=1400 audit(1567424344.704:6): avc:  denied  { map } for  pid=1757 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   13.415832] random: sshd: uninitialized urandom read (32 bytes read)
[   13.953509] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.137' (ECDSA) to the list of known hosts.
[   19.532550] urandom_read: 1 callbacks suppressed
[   19.532555] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   19.633454] audit: type=1400 audit(1567424350.964:7): avc:  denied  { map } for  pid=1769 comm="syz-executor612" path="/root/syz-executor612500582" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   19.661569] audit: type=1400 audit(1567424350.964:8): avc:  denied  { prog_load } for  pid=1769 comm="syz-executor612" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[   19.684656] audit: type=1400 audit(1567424351.014:9): avc:  denied  { prog_run } for  pid=1769 comm="syz-executor612" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[   19.684738] ==================================================================
[   19.714739] BUG: KASAN: slab-out-of-bounds in bpf_skb_change_proto+0xcc2/0x1080
[   19.722527] Read of size 2 at addr ffff8881d0836eb8 by task syz-executor612/1769
[   19.730193] 
[   19.731833] CPU: 1 PID: 1769 Comm: syz-executor612 Not tainted 4.14.141+ #40
[   19.739000] Call Trace:
[   19.741582]  dump_stack+0xca/0x134
[   19.745109]  ? bpf_skb_change_proto+0xcc2/0x1080
[   19.749956]  ? bpf_skb_change_proto+0xcc2/0x1080
[   19.754958]  print_address_description+0x60/0x226
[   19.759794]  ? bpf_skb_change_proto+0xcc2/0x1080
[   19.764543]  ? bpf_skb_change_proto+0xcc2/0x1080
[   19.769284]  __kasan_report.cold+0x1a/0x41
[   19.773567]  ? bpf_skb_change_proto+0xcc2/0x1080
[   19.778312]  bpf_skb_change_proto+0xcc2/0x1080
[   19.782887]  ? bpf_skb_generic_pop+0x3e0/0x3e0
[   19.787458]  ___bpf_prog_run+0x2478/0x5510
[   19.791691]  ? lock_downgrade+0x5d0/0x5d0
[   19.795950]  ? lock_acquire+0x12b/0x360
[   19.799917]  ? bpf_jit_compile+0x30/0x30
[   19.804046]  ? __bpf_prog_run512+0x99/0xe0
[   19.808356]  ? ___bpf_prog_run+0x5510/0x5510
[   19.812888]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[   19.817980]  ? trace_hardirqs_on_caller+0x37b/0x540
[   19.823045]  ? __lock_acquire+0x5d7/0x4320
[   19.827448]  ? __lock_acquire+0x5d7/0x4320
[   19.831705]  ? __kasan_kmalloc.part.0+0x8a/0xc0
[   19.836372]  ? trace_hardirqs_on+0x10/0x10
[   19.840596]  ? __lock_acquire+0x5d7/0x4320
[   19.844823]  ? bpf_test_run+0x42/0x340
[   19.848729]  ? lock_acquire+0x12b/0x360
[   19.852861]  ? bpf_test_run+0x13a/0x340
[   19.856977]  ? check_preemption_disabled+0x35/0x1f0
[   19.862313]  ? rcu_dynticks_curr_cpu_in_eqs+0x4c/0xa0
[   19.867725]  ? bpf_test_run+0xa8/0x340
[   19.872408]  ? bpf_prog_test_run_skb+0x45c/0x8c0
[   19.877366]  ? bpf_test_init.isra.0+0xc0/0xc0
[   19.882200]  ? bpf_prog_add+0x53/0xc0
[   19.886332]  ? bpf_test_init.isra.0+0xc0/0xc0
[   19.890975]  ? SyS_bpf+0xa3b/0x3830
[   19.894715]  ? bpf_prog_get+0x20/0x20
[   19.899024]  ? __do_page_fault+0x49f/0xbb0
[   19.903717]  ? lock_downgrade+0x5d0/0x5d0
[   19.907895]  ? __do_page_fault+0x677/0xbb0
[   19.912300]  ? do_syscall_64+0x43/0x520
[   19.916263]  ? bpf_prog_get+0x20/0x20
[   19.920066]  ? do_syscall_64+0x19b/0x520
[   19.924230]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   19.929913] 
[   19.931613] Allocated by task 269:
[   19.935188]  __kasan_kmalloc.part.0+0x53/0xc0
[   19.939670]  kmem_cache_alloc+0xee/0x360
[   19.943847]  prepare_creds+0x25/0x370
[   19.947835]  selinux_setprocattr+0x2a3/0x870
[   19.952735]  security_setprocattr+0x7a/0xb0
[   19.957118]  proc_pid_attr_write+0x1cb/0x290
[   19.961637]  __vfs_write+0xf9/0x5a0
[   19.965505]  vfs_write+0x17f/0x4d0
[   19.969183]  SyS_write+0x102/0x250
[   19.972816]  do_syscall_64+0x19b/0x520
[   19.976964]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   19.982351]  0xffffffffffffffff
[   19.985638] 
[   19.987344] Freed by task 347:
[   19.990653]  __kasan_slab_free+0x164/0x210
[   19.994876]  kmem_cache_free+0xd7/0x3b0
[   19.998838]  rcu_process_callbacks+0x59f/0xf60
[   20.003407]  __do_softirq+0x234/0x9ec
[   20.007454] 
[   20.009116] The buggy address belongs to the object at ffff8881d0836e00
[   20.009116]  which belongs to the cache cred_jar of size 168
[   20.021505] The buggy address is located 16 bytes to the right of
[   20.021505]  168-byte region [ffff8881d0836e00, ffff8881d0836ea8)
[   20.034426] The buggy address belongs to the page:
[   20.039359] page:ffffea0007420d80 count:1 mapcount:0 mapping:          (null) index:0x0
[   20.047814] flags: 0x4000000000000200(slab)
[   20.052365] raw: 4000000000000200 0000000000000000 0000000000000000 0000000100100010
[   20.060434] raw: dead000000000100 dead000000000200 ffff8881da823c00 0000000000000000
[   20.068313] page dumped because: kasan: bad access detected
[   20.074151] 
[   20.075766] Memory state around the buggy address:
[   20.081159]  ffff8881d0836d80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[   20.088683]  ffff8881d0836e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.096856] >ffff8881d0836e80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[   20.104813]                                         ^
[   20.110392]  ffff8881d0836f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.118061]  ffff8881d0836f80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[   20.125935] ==================================================================
[   20.133804] Disabling lock debugging due to kernel taint
[   20.139565] Kernel panic - not syncing: panic_on_warn set ...
[   20.139565] 
[   20.146954] CPU: 1 PID: 1769 Comm: syz-executor612 Tainted: G    B     4.14.141+ #40
[   20.155673] Call Trace:
[   20.158362]  dump_stack+0xca/0x134
[   20.162261]  panic+0x1ea/0x3d3
[   20.166094]  ? add_taint.cold+0x16/0x16
[   20.170321]  ? retint_kernel+0x2d/0x2d
[   20.174404]  ? bpf_skb_change_proto+0xcc2/0x1080
[   20.179372]  end_report+0x43/0x49
[   20.182821]  ? bpf_skb_change_proto+0xcc2/0x1080
[   20.187703]  __kasan_report.cold+0xd/0x41
[   20.191856]  ? bpf_skb_change_proto+0xcc2/0x1080
[   20.197728]  bpf_skb_change_proto+0xcc2/0x1080
[   20.202399]  ? bpf_skb_generic_pop+0x3e0/0x3e0
[   20.207093]  ___bpf_prog_run+0x2478/0x5510
[   20.211466]  ? lock_downgrade+0x5d0/0x5d0
[   20.215734]  ? lock_acquire+0x12b/0x360
[   20.219719]  ? bpf_jit_compile+0x30/0x30
[   20.223948]  ? __bpf_prog_run512+0x99/0xe0
[   20.228257]  ? ___bpf_prog_run+0x5510/0x5510
[   20.232742]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[   20.238284]  ? trace_hardirqs_on_caller+0x37b/0x540
[   20.243391]  ? __lock_acquire+0x5d7/0x4320
[   20.247755]  ? __lock_acquire+0x5d7/0x4320
[   20.252164]  ? __kasan_kmalloc.part.0+0x8a/0xc0
[   20.257272]  ? trace_hardirqs_on+0x10/0x10
[   20.261625]  ? __lock_acquire+0x5d7/0x4320
[   20.266011]  ? bpf_test_run+0x42/0x340
[   20.269907]  ? lock_acquire+0x12b/0x360
[   20.273956]  ? bpf_test_run+0x13a/0x340
[   20.278267]  ? check_preemption_disabled+0x35/0x1f0
[   20.283528]  ? rcu_dynticks_curr_cpu_in_eqs+0x4c/0xa0
[   20.288814]  ? bpf_test_run+0xa8/0x340
[   20.292703]  ? bpf_prog_test_run_skb+0x45c/0x8c0
[   20.297602]  ? bpf_test_init.isra.0+0xc0/0xc0
[   20.302108]  ? bpf_prog_add+0x53/0xc0
[   20.306817]  ? bpf_test_init.isra.0+0xc0/0xc0
[   20.311548]  ? SyS_bpf+0xa3b/0x3830
[   20.315177]  ? bpf_prog_get+0x20/0x20
[   20.318964]  ? __do_page_fault+0x49f/0xbb0
[   20.324447]  ? lock_downgrade+0x5d0/0x5d0
[   20.329111]  ? __do_page_fault+0x677/0xbb0
[   20.333495]  ? do_syscall_64+0x43/0x520
[   20.337575]  ? bpf_prog_get+0x20/0x20
[   20.341495]  ? do_syscall_64+0x19b/0x520
[   20.345644]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   20.351799] Kernel Offset: 0xe200000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   20.363336] Rebooting in 86400 seconds..
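Added triage helper (not part of the syzkaller console log above, nor of syzkaller or kernel tooling): it parses the KASAN report's header, slab-object and "Memory state" sections and recomputes from the raw addresses what the kernel asserted in prose, namely that the 2-byte read at ffff8881d0836eb8 lands 16 bytes past the end of a 168-byte cred_jar object and inside slab redzone (shadow 0xfc), and that the neighbouring cred object is already freed (shadow 0xfb, matching the "Freed by task 347" RCU callback). The REPORT string is a constructed excerpt copied from the log; the shadow values 0xfb/0xfc are the KASAN_KMALLOC_FREE/KASAN_KMALLOC_REDZONE constants from mm/kasan, and the 8-byte shadow granule is the generic KASAN mapping.

```python
"""Cross-check a Linux KASAN slab report against its own raw numbers.

Added example for the syzkaller report on this page; not the page's or the
kernel's code. Assumes only the report layout shown above.
"""
import re

SHADOW_GRANULE = 8            # one KASAN shadow byte describes 8 bytes of memory
KASAN_KMALLOC_FREE = 0xfb     # shadow value of a freed slab object (mm/kasan)
KASAN_KMALLOC_REDZONE = 0xfc  # shadow value of slab redzone / padding (mm/kasan)

# Constructed input: report lines copied from the console log, timestamps kept.
REPORT = """\
[   19.714739] BUG: KASAN: slab-out-of-bounds in bpf_skb_change_proto+0xcc2/0x1080
[   19.722527] Read of size 2 at addr ffff8881d0836eb8 by task syz-executor612/1769
[   20.009116] The buggy address belongs to the object at ffff8881d0836e00
[   20.009116]  which belongs to the cache cred_jar of size 168
[   20.021505] The buggy address is located 16 bytes to the right of
[   20.021505]  168-byte region [ffff8881d0836e00, ffff8881d0836ea8)
[   20.075766] Memory state around the buggy address:
[   20.081159]  ffff8881d0836d80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[   20.088683]  ffff8881d0836e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.096856] >ffff8881d0836e80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[   20.104813]                                         ^
[   20.110392]  ffff8881d0836f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

_TS = re.compile(r"^[ \t]*\[\s*\d+\.\d+\]", re.M)                # printk timestamp
_ROW = re.compile(r"^\s*(>?)\s*([0-9a-f]{16}):\s+((?:[0-9a-f]{2}\s*){16})$")


def parse_report(text):
    """Extract access, victim object and shadow rows; ints for all numbers."""
    lines = [ln.rstrip() for ln in _TS.sub("", text).splitlines()]
    body = "\n".join(lines)

    def grab(pattern, *casts):
        m = re.search(pattern, body)
        if not m:
            raise ValueError("report lacks: " + pattern)
        return tuple(c(g) for c, g in zip(casts, m.groups()))

    hexint = lambda s: int(s, 16)
    kind, frame = grab(r"BUG: KASAN: (\S+) in (\S+)", str, str)
    access, size, addr, task = grab(
        r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)",
        str, int, hexint, str)
    obj, cache, obj_size = grab(
        r"object at ([0-9a-f]+)\s+which belongs to the cache (\S+) of size (\d+)",
        hexint, str, int)
    offset, side = grab(r"located (\d+) bytes to the (left|right|inside)", int, str)
    start, end = grab(r"region \[([0-9a-f]+), ([0-9a-f]+)\)", hexint, hexint)

    shadow = {}                       # memory address (granule base) -> shadow byte
    for ln in lines:
        m = _ROW.match(ln)
        if m:
            row = int(m.group(2), 16)
            for i, b in enumerate(m.group(3).split()):
                shadow[row + i * SHADOW_GRANULE] = int(b, 16)

    return {"kind": kind, "frame": frame, "access": access, "size": size,
            "addr": addr, "task": task, "obj": obj, "cache": cache,
            "obj_size": obj_size, "offset": offset, "side": side,
            "region": (start, end), "shadow": shadow}


def recompute_offset(rep):
    """Re-derive the 'N bytes to the left/right/inside' distance from addresses."""
    start, end = rep["region"]
    if rep["side"] == "right":
        return rep["addr"] - end
    if rep["side"] == "left":
        return start - rep["addr"]
    return rep["addr"] - start        # "inside of": offset from object start


def shadow_at(rep, addr):
    """Shadow byte covering addr, or None if the printed rows do not cover it."""
    return rep["shadow"].get(addr & ~(SHADOW_GRANULE - 1))


def object_is_freed(rep):
    """True when every shadow granule of the victim object is KASAN_KMALLOC_FREE."""
    start, end = rep["region"]
    return all(rep["shadow"].get(g) == KASAN_KMALLOC_FREE
               for g in range(start, end, SHADOW_GRANULE))


def triage(text):
    """Parse, cross-check the kernel's claims, and summarise in one dict."""
    rep = parse_report(text)
    start, end = rep["region"]
    sh = shadow_at(rep, rep["addr"])
    return {"kind": rep["kind"], "frame": rep["frame"], "cache": rep["cache"],
            "access": "%s of %d bytes" % (rep["access"], rep["size"]),
            "region_size_ok": end - start == rep["obj_size"],
            "offset_claim_ok": recompute_offset(rep) == rep["offset"],
            "shadow": sh, "in_redzone": sh == KASAN_KMALLOC_REDZONE,
            "neighbour_freed": object_is_freed(rep)}


if __name__ == "__main__":
    summary = triage(REPORT)
    summary["shadow"] = hex(summary["shadow"])
    for key, val in summary.items():
        print("%-16s %s" % (key, val))
```

For this report all four checks come back true: the region is exactly 168 bytes, ffff8881d0836ea8 + 16 is the faulting address, its shadow byte is 0xfc, and every granule of the cred object is 0xfb. That combination (a 2-byte read into slab redzone next to an unrelated, already-freed cred, reached from bpf_prog_test_run_skb through the interpreter) says the pointer bpf_skb_change_proto dereferenced does not point into the test skb's data buffer at all, which is the first thing to establish before looking at the 4.14.141 source at that offset.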