[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 25.301857] random: sshd: uninitialized urandom read (32 bytes read) [ 25.435748] audit: type=1400 audit(1568069900.611:6): avc: denied { map } for pid=1767 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 [ 25.479906] random: sshd: uninitialized urandom read (32 bytes read) [ 25.991260] random: sshd: uninitialized urandom read (32 bytes read) [ 37.651772] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.27' (ECDSA) to the list of known hosts. [ 43.218926] random: sshd: uninitialized urandom read (32 bytes read) [ 43.311949] audit: type=1400 audit(1568069918.491:7): avc: denied { map } for pid=1791 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 2019/09/09 22:58:38 parsed 1 programs [ 43.382493] audit: type=1400 audit(1568069918.561:8): avc: denied { map } for pid=1791 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=5044 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1 [ 44.047290] random: cc1: uninitialized urandom read (8 bytes read) 2019/09/09 22:58:40 executed programs: 0 [ 45.448017] audit: type=1400 audit(1568069920.621:9): avc: denied { map } for pid=1791 comm="syz-execprog" path="/root/syzkaller-shm742636334" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1 2019/09/09 22:58:45 executed programs: 92 2019/09/09 22:58:50 executed programs: 442 2019/09/09 22:58:55 executed programs: 804 [ 63.120927] ================================================================== [ 63.128325] BUG: KASAN: stack-out-of-bounds in unwind_next_frame+0x169f/0x1810 [ 63.135695] Read of size 8 at addr ffff8881cac67860 by task syz-executor.0/5612 [ 63.143139] [ 63.144751] CPU: 0 PID: 5612 Comm: syz-executor.0 Not tainted 4.14.142+ #0 [ 63.151846] Call Trace: [ 63.154425] dump_stack+0xca/0x134 [ 63.157949] ? unwind_next_frame+0x169f/0x1810 [ 63.162512] ? unwind_next_frame+0x169f/0x1810 [ 63.167098] print_address_description+0x60/0x226 [ 63.171941] ? unwind_next_frame+0x169f/0x1810 [ 63.176514] ? unwind_next_frame+0x169f/0x1810 [ 63.181119] __kasan_report.cold+0x1a/0x41 [ 63.185429] ? unwind_next_frame+0x169f/0x1810 [ 63.190025] unwind_next_frame+0x169f/0x1810 [ 63.194512] ? retint_kernel+0x2d/0x2d [ 63.198402] ? perf_callchain_user+0x4a7/0xf80 [ 63.202981] ? deref_stack_reg+0xe0/0xe0 [ 63.207043] ? perf_callchain_user+0x2d1/0xf80 [ 63.211623] ? retint_kernel+0x2d/0x2d [ 63.215511] perf_callchain_kernel+0x3a0/0x540 [ 63.220090] ? perf_callchain_kernel+0x540/0x540 [ 63.224910] ? arch_perf_update_userpage+0x330/0x330 [ 63.230003] ? perf_callchain+0x147/0x190 [ 63.234143] ? futex_wait_setup+0x132/0x330 [ 63.238549] get_perf_callchain+0x2f5/0x770 [ 63.242867] ? put_callchain_buffers+0x60/0x60 [ 63.247722] ? perf_event_alloc.part.0+0x1971/0x1ff0 [ 63.252835] ? perf_callchain+0x150/0x190 [ 63.256976] perf_callchain+0x147/0x190 [ 63.260938] perf_prepare_sample+0x6a8/0x1360 [ 63.265431] ? perf_output_sample+0x1700/0x1700 [ 63.270097] ? perf_prepare_sample+0x1360/0x1360 [ 63.274870] ? perf_swevent_put_recursion_context+0x1a/0xa0 [ 63.280573] perf_event_output_forward+0xdc/0x220 [ 63.285404] ? perf_prepare_sample+0x1360/0x1360 [ 63.290175] ? __perf_event_overflow+0x1cc/0x340 [ 63.295045] ? check_preemption_disabled+0x35/0x1f0 [ 63.300053] __perf_event_overflow+0x12d/0x340 [ 63.304643] perf_swevent_overflow+0x7a/0xf0 [ 63.309052] perf_swevent_event+0x112/0x270 [ 63.313364] perf_tp_event+0x633/0x7f0 [ 63.317234] ? perf_swevent_put_recursion_context+0xa0/0xa0 [ 63.322941] ? trace_hardirqs_on+0x10/0x10 [ 63.327174] ? __lock_acquire+0x5d7/0x4320 [ 63.331413] ? perf_trace_run_bpf_submit+0x113/0x170 [ 63.336498] ? check_preemption_disabled+0x35/0x1f0 [ 63.341583] perf_trace_run_bpf_submit+0x113/0x170 [ 63.346495] perf_trace_lock_acquire+0x341/0x4e0 [ 63.351234] ? HARDIRQ_verbose+0x10/0x10 [ 63.355282] ? retint_kernel+0x2d/0x2d [ 63.359150] ? get_futex_key+0x4c1/0xf90 [ 63.363192] lock_acquire+0x279/0x360 [ 63.366998] ? futex_wait_setup+0x132/0x330 [ 63.371315] _raw_spin_lock+0x2a/0x40 [ 63.375127] ? futex_wait_setup+0x132/0x330 [ 63.379499] futex_wait_setup+0x132/0x330 [ 63.383663] ? get_futex_key+0xf90/0xf90 [ 63.391022] futex_wait+0x1ad/0x570 [ 63.394634] ? futex_wait_setup+0x330/0x330 [ 63.398937] ? wake_up_q+0xea/0x150 [ 63.402545] ? drop_futex_key_refs.isra.0+0x17/0xb0 [ 63.407556] ? futex_wake+0x15b/0x440 [ 63.411376] do_futex+0x13f/0x1980 [ 63.414915] ? trace_hardirqs_on+0x10/0x10 [ 63.419135] ? perf_trace_lock_acquire+0x341/0x4e0 [ 63.424050] ? exit_robust_list+0x240/0x240 [ 63.428365] ? HARDIRQ_verbose+0x10/0x10 [ 63.432425] ? __might_fault+0x104/0x1b0 [ 63.436499] ? lock_downgrade+0x5d0/0x5d0 [ 63.440805] ? lock_acquire+0x12b/0x360 [ 63.444763] ? __might_fault+0xd4/0x1b0 [ 63.448807] ? __might_fault+0x177/0x1b0 [ 63.452936] ? _copy_to_user+0x82/0xd0 [ 63.456806] SyS_futex+0x1c5/0x2c3 [ 63.460620] ? do_futex+0x1980/0x1980 [ 63.464422] ? SyS_clock_gettime+0x7d/0xe0 [ 63.468638] ? do_clock_gettime+0xd0/0xd0 [ 63.472887] ? do_syscall_64+0x43/0x520 [ 63.476858] ? do_futex+0x1980/0x1980 [ 63.480664] do_syscall_64+0x19b/0x520 [ 63.484551] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 63.489723] RIP: 0033:0x4598e9 [ 63.492892] RSP: 002b:00007fad9ba09cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 63.500579] RAX: ffffffffffffffda RBX: 000000000075bf28 RCX: 00000000004598e9 [ 63.507836] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000075bf28 [ 63.515087] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 [ 63.522368] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000075bf2c [ 63.529646] R13: 00007ffde6882d1f R14: 00007fad9ba0a9c0 R15: 000000000075bf2c [ 63.536920] [ 63.538534] The buggy address belongs to the page: [ 63.543455] page:ffffea00072b19c0 count:0 mapcount:0 mapping: (null) index:0x0 [ 63.551595] flags: 0x4000000000000000() [ 63.555559] raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff [ 63.563435] raw: 0000000000000000 ffffea00072b19e0 0000000000000000 0000000000000000 [ 63.571297] page dumped because: kasan: bad access detected [ 63.576998] [ 63.578603] Memory state around the buggy address: [ 63.583509] ffff8881cac67700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 63.590847] ffff8881cac67780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 63.598183] >ffff8881cac67800: 00 00 00 f1 f1 f1 f1 f1 f1 04 f2 00 f3 f3 f3 00 [ 63.605518] ^ [ 63.611999] ffff8881cac67880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 63.619338] ffff8881cac67900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 63.626688] ================================================================== [ 63.634037] Disabling lock debugging due to kernel taint [ 63.639466] Kernel panic - not syncing: panic_on_warn set ... [ 63.639466] [ 63.646827] CPU: 0 PID: 5612 Comm: syz-executor.0 Tainted: G B 4.14.142+ #0 [ 63.655216] Call Trace: [ 63.657800] dump_stack+0xca/0x134 [ 63.661327] panic+0x1ea/0x3d3 [ 63.664506] ? add_taint.cold+0x16/0x16 [ 63.668472] ? lock_downgrade+0x5d0/0x5d0 [ 63.672608] ? unwind_next_frame+0x169f/0x1810 [ 63.677173] end_report+0x43/0x49 [ 63.680611] ? unwind_next_frame+0x169f/0x1810 [ 63.685176] __kasan_report.cold+0xd/0x41 [ 63.689460] ? unwind_next_frame+0x169f/0x1810 [ 63.694202] unwind_next_frame+0x169f/0x1810 [ 63.698620] ? retint_kernel+0x2d/0x2d [ 63.702510] ? perf_callchain_user+0x4a7/0xf80 [ 63.707089] ? deref_stack_reg+0xe0/0xe0 [ 63.711145] ? perf_callchain_user+0x2d1/0xf80 [ 63.715730] ? retint_kernel+0x2d/0x2d [ 63.719793] perf_callchain_kernel+0x3a0/0x540 [ 63.724534] ? perf_callchain_kernel+0x540/0x540 [ 63.729334] ? arch_perf_update_userpage+0x330/0x330 [ 63.734546] ? perf_callchain+0x147/0x190 [ 63.738739] ? futex_wait_setup+0x132/0x330 [ 63.743087] get_perf_callchain+0x2f5/0x770 [ 63.747421] ? put_callchain_buffers+0x60/0x60 [ 63.754129] ? perf_event_alloc.part.0+0x1971/0x1ff0 [ 63.759464] ? perf_callchain+0x150/0x190 [ 63.763833] perf_callchain+0x147/0x190 [ 63.767994] perf_prepare_sample+0x6a8/0x1360 [ 63.772497] ? perf_output_sample+0x1700/0x1700 [ 63.778078] ? perf_prepare_sample+0x1360/0x1360 [ 63.783282] ? perf_swevent_put_recursion_context+0x1a/0xa0 [ 63.789396] perf_event_output_forward+0xdc/0x220 [ 63.794893] ? perf_prepare_sample+0x1360/0x1360 [ 63.799795] ? __perf_event_overflow+0x1cc/0x340 [ 63.804555] ? check_preemption_disabled+0x35/0x1f0 [ 63.809703] __perf_event_overflow+0x12d/0x340 [ 63.814390] perf_swevent_overflow+0x7a/0xf0 [ 63.818821] perf_swevent_event+0x112/0x270 [ 63.826708] perf_tp_event+0x633/0x7f0 [ 63.830617] ? perf_swevent_put_recursion_context+0xa0/0xa0 [ 63.836359] ? trace_hardirqs_on+0x10/0x10 [ 63.840602] ? __lock_acquire+0x5d7/0x4320 [ 63.845053] ? perf_trace_run_bpf_submit+0x113/0x170 [ 63.850158] ? check_preemption_disabled+0x35/0x1f0 [ 63.855176] perf_trace_run_bpf_submit+0x113/0x170 [ 63.860236] perf_trace_lock_acquire+0x341/0x4e0 [ 63.865098] ? HARDIRQ_verbose+0x10/0x10 [ 63.869173] ? retint_kernel+0x2d/0x2d [ 63.873361] ? get_futex_key+0x4c1/0xf90 [ 63.877430] lock_acquire+0x279/0x360 [ 63.881225] ? futex_wait_setup+0x132/0x330 [ 63.885548] _raw_spin_lock+0x2a/0x40 [ 63.889550] ? futex_wait_setup+0x132/0x330 [ 63.894265] futex_wait_setup+0x132/0x330 [ 63.898439] ? get_futex_key+0xf90/0xf90 [ 63.902757] futex_wait+0x1ad/0x570 [ 63.907009] ? futex_wait_setup+0x330/0x330 [ 63.911484] ? wake_up_q+0xea/0x150 [ 63.915122] ? drop_futex_key_refs.isra.0+0x17/0xb0 [ 63.920306] ? futex_wake+0x15b/0x440 [ 63.924108] do_futex+0x13f/0x1980 [ 63.927826] ? trace_hardirqs_on+0x10/0x10 [ 63.932050] ? perf_trace_lock_acquire+0x341/0x4e0 [ 63.936972] ? exit_robust_list+0x240/0x240 [ 63.941272] ? HARDIRQ_verbose+0x10/0x10 [ 63.945326] ? __might_fault+0x104/0x1b0 [ 63.949633] ? lock_downgrade+0x5d0/0x5d0 [ 63.953786] ? lock_acquire+0x12b/0x360 [ 63.957742] ? __might_fault+0xd4/0x1b0 [ 63.961840] ? __might_fault+0x177/0x1b0 [ 63.965907] ? _copy_to_user+0x82/0xd0 [ 63.969775] SyS_futex+0x1c5/0x2c3 [ 63.973308] ? do_futex+0x1980/0x1980 [ 63.977088] ? SyS_clock_gettime+0x7d/0xe0 [ 63.981323] ? do_clock_gettime+0xd0/0xd0 [ 63.985453] ? do_syscall_64+0x43/0x520 [ 63.989420] ? do_futex+0x1980/0x1980 [ 63.993202] do_syscall_64+0x19b/0x520 [ 63.997073] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 64.002252] RIP: 0033:0x4598e9 [ 64.005435] RSP: 002b:00007fad9ba09cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 64.013132] RAX: ffffffffffffffda RBX: 000000000075bf28 RCX: 00000000004598e9 [ 64.020399] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000075bf28 [ 64.027672] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 [ 64.034932] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000075bf2c [ 64.042185] R13: 00007ffde6882d1f R14: 00007fad9ba0a9c0 R15: 000000000075bf2c [ 64.050140] Kernel Offset: 0x9c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 64.061499] Rebooting in 86400 seconds..