Warning: Permanently added '10.128.10.30' (ECDSA) to the list of known hosts.
[ 59.397765] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 59.508240] audit: type=1400 audit(1575831198.005:36): avc: denied { map } for pid=6970 comm="syz-executor545" path="/root/syz-executor545112809" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 59.578820] ==================================================================
[ 59.578847] BUG: KASAN: slab-out-of-bounds in fbcon_get_font+0x288/0x550
[ 59.578853] Read of size 2 at addr ffff8880a0d73b10 by task syz-executor545/6970
[ 59.578856]
[ 59.578873] CPU: 1 PID: 6970 Comm: syz-executor545 Not tainted 4.14.158-syzkaller #0
[ 59.578877] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.578881] Call Trace:
[ 59.578891]  dump_stack+0x142/0x197
[ 59.578899]  ? fbcon_get_font+0x288/0x550
[ 59.578909]  print_address_description.cold+0x7c/0x1dc
[ 59.578917]  ? fbcon_get_font+0x288/0x550
[ 59.578923]  kasan_report.cold+0xa9/0x2af
[ 59.578933]  check_memory_region+0x123/0x190
[ 59.578941]  memcpy+0x24/0x50
[ 59.578948]  fbcon_get_font+0x288/0x550
[ 59.578958]  ? display_to_var+0x7e0/0x7e0
[ 59.578965]  con_font_op+0x1d5/0x1060
[ 59.578976]  ? con_write+0xc0/0xc0
[ 59.578990]  ? kasan_check_write+0x14/0x20
[ 59.578999]  ? _copy_from_user+0x99/0x110
[ 59.579008]  vt_ioctl+0x1b72/0x2170
[ 59.579016]  ? avc_has_extended_perms+0x8ec/0xe40
[ 59.579025]  ? complete_change_console+0x360/0x360
[ 59.579032]  ? avc_ss_reset+0x110/0x110
[ 59.579038]  ? kasan_slab_free+0x75/0xc0
[ 59.579049]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 59.579059]  ? debug_check_no_obj_freed+0x2aa/0x7b7
[ 59.579066]  ? tty_jobctrl_ioctl+0x44/0xc10
[ 59.579073]  ? complete_change_console+0x360/0x360
[ 59.579084]  tty_ioctl+0x841/0x1320
[ 59.579092]  ? tty_vhangup+0x30/0x30
[ 59.579109]  ? __might_sleep+0x93/0xb0
[ 59.579121]  ? tty_vhangup+0x30/0x30
[ 59.579132]  do_vfs_ioctl+0x7ae/0x1060
[ 59.579140]  ? selinux_file_mprotect+0x5d0/0x5d0
[ 59.579148]  ? ioctl_preallocate+0x1c0/0x1c0
[ 59.579155]  ? putname+0xe0/0x120
[ 59.579165]  ? do_sys_open+0x221/0x430
[ 59.579176]  ? security_file_ioctl+0x7d/0xb0
[ 59.579182]  ? security_file_ioctl+0x89/0xb0
[ 59.579192]  SyS_ioctl+0x8f/0xc0
[ 59.579199]  ? do_vfs_ioctl+0x1060/0x1060
[ 59.579209]  do_syscall_64+0x1e8/0x640
[ 59.579216]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 59.579227]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 59.579234] RIP: 0033:0x440299
[ 59.579239] RSP: 002b:00007ffe03fdcee8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 59.579247] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440299
[ 59.579252] RDX: 0000000020000040 RSI: 0000000000004b6b RDI: 0000000000000005
[ 59.579256] RBP: 00000000006ca018 R08: 000000000000000d R09: 00000000004002c8
[ 59.579260] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b80
[ 59.579264] R13: 0000000000401c10 R14: 0000000000000000 R15: 0000000000000000
[ 59.579277]
[ 59.579280] Allocated by task 6970:
[ 59.579289]  save_stack_trace+0x16/0x20
[ 59.579294]  save_stack+0x45/0xd0
[ 59.579300]  kasan_kmalloc+0xce/0xf0
[ 59.579305]  __kmalloc+0x15d/0x7a0
[ 59.579311]  fbcon_set_font+0x2f8/0x7b0
[ 59.579316]  con_font_op+0xc0f/0x1060
[ 59.579321]  vt_ioctl+0xb80/0x2170
[ 59.579326]  tty_ioctl+0x841/0x1320
[ 59.579333]  do_vfs_ioctl+0x7ae/0x1060
[ 59.579339]  SyS_ioctl+0x8f/0xc0
[ 59.579345]  do_syscall_64+0x1e8/0x640
[ 59.579352]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 59.579354]
[ 59.579358] Freed by task 3652:
[ 59.579363]  save_stack_trace+0x16/0x20
[ 59.579368]  save_stack+0x45/0xd0
[ 59.579373]  kasan_slab_free+0x75/0xc0
[ 59.579378]  kfree+0xcc/0x270
[ 59.579385]  kernfs_fop_release+0x112/0x180
[ 59.579391]  __fput+0x275/0x7a0
[ 59.579396]  ____fput+0x16/0x20
[ 59.579402]  task_work_run+0x114/0x190
[ 59.579408]  exit_to_usermode_loop+0x1da/0x220
[ 59.579413]  do_syscall_64+0x4bc/0x640
[ 59.579420]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 59.579422]
[ 59.579427] The buggy address belongs to the object at ffff8880a0d73a00
[ 59.579427]  which belongs to the cache kmalloc-512 of size 512
[ 59.579433] The buggy address is located 272 bytes inside of
[ 59.579433]  512-byte region [ffff8880a0d73a00, ffff8880a0d73c00)
[ 59.579435] The buggy address belongs to the page:
[ 59.579441] page:ffffea0002835cc0 count:1 mapcount:0 mapping:ffff8880a0d73000 index:0x0
[ 59.579448] flags: 0xfffe0000000100(slab)
[ 59.579457] raw: 00fffe0000000100 ffff8880a0d73000 0000000000000000 0000000100000006
[ 59.579465] raw: ffffea0002839be0 ffffea000282cea0 ffff8880aa800940 0000000000000000
[ 59.579468] page dumped because: kasan: bad access detected
[ 59.579470]
[ 59.579472] Memory state around the buggy address:
[ 59.579478]  ffff8880a0d73a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 59.579483]  ffff8880a0d73a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 59.579488] >ffff8880a0d73b00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 59.579492]                          ^
[ 59.579497]  ffff8880a0d73b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 59.579503]  ffff8880a0d73c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 59.579506] ==================================================================
[ 59.579508] Disabling lock debugging due to kernel taint
[ 59.579512] Kernel panic - not syncing: panic_on_warn set ...
[ 59.579512]
[ 59.579518] CPU: 1 PID: 6970 Comm: syz-executor545 Tainted: G B 4.14.158-syzkaller #0
[ 59.579521] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.579523] Call Trace:
[ 59.579528]  dump_stack+0x142/0x197
[ 59.579535]  ? fbcon_get_font+0x288/0x550
[ 59.579541]  panic+0x1f9/0x42d
[ 59.579546]  ? add_taint.cold+0x16/0x16
[ 59.579554]  ? lock_downgrade+0x740/0x740
[ 59.579563]  kasan_end_report+0x47/0x4f
[ 59.579569]  kasan_report.cold+0x130/0x2af
[ 59.579577]  check_memory_region+0x123/0x190
[ 59.579582]  memcpy+0x24/0x50
[ 59.579588]  fbcon_get_font+0x288/0x550
[ 59.579595]  ? display_to_var+0x7e0/0x7e0
[ 59.579599]  con_font_op+0x1d5/0x1060
[ 59.579605]  ? con_write+0xc0/0xc0
[ 59.579614]  ? kasan_check_write+0x14/0x20
[ 59.579619]  ? _copy_from_user+0x99/0x110
[ 59.579625]  vt_ioctl+0x1b72/0x2170
[ 59.579629]  ? avc_has_extended_perms+0x8ec/0xe40
[ 59.579636]  ? complete_change_console+0x360/0x360
[ 59.579642]  ? avc_ss_reset+0x110/0x110
[ 59.579647]  ? kasan_slab_free+0x75/0xc0
[ 59.579655]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 59.579662]  ? debug_check_no_obj_freed+0x2aa/0x7b7
[ 59.579667]  ? tty_jobctrl_ioctl+0x44/0xc10
[ 59.579672]  ? complete_change_console+0x360/0x360
[ 59.579678]  tty_ioctl+0x841/0x1320
[ 59.579685]  ? tty_vhangup+0x30/0x30
[ 59.579694]  ? __might_sleep+0x93/0xb0
[ 59.579702]  ? tty_vhangup+0x30/0x30
[ 59.579707]  do_vfs_ioctl+0x7ae/0x1060
[ 59.579715]  ? selinux_file_mprotect+0x5d0/0x5d0
[ 59.579722]  ? ioctl_preallocate+0x1c0/0x1c0
[ 59.579727]  ? putname+0xe0/0x120
[ 59.579734]  ? do_sys_open+0x221/0x430
[ 59.579741]  ? security_file_ioctl+0x7d/0xb0
[ 59.579746]  ? security_file_ioctl+0x89/0xb0
[ 59.579752]  SyS_ioctl+0x8f/0xc0
[ 59.579758]  ? do_vfs_ioctl+0x1060/0x1060
[ 59.579764]  do_syscall_64+0x1e8/0x640
[ 59.579769]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 59.579777]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 59.579781] RIP: 0033:0x440299
[ 59.579784] RSP: 002b:00007ffe03fdcee8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 59.579791] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440299
[ 59.579795] RDX: 0000000020000040 RSI: 0000000000004b6b RDI: 0000000000000005
[ 59.579798] RBP: 00000000006ca018 R08: 000000000000000d R09: 00000000004002c8
[ 59.579802] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b80
[ 59.579806] R13: 0000000000401c10 R14: 0000000000000000 R15: 0000000000000000
[ 59.581146] Kernel Offset: disabled
[ 60.295940] Rebooting in 86400 seconds..