[    9.689094] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   15.409478] random: sshd: uninitialized urandom read (32 bytes read)
[   15.533099] audit: type=1400 audit(1567956414.183:6): avc:  denied  { map } for  pid=1744 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   15.568100] random: sshd: uninitialized urandom read (32 bytes read)
[   16.030814] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.192' (ECDSA) to the list of known hosts.
[   21.660351] urandom_read: 1 callbacks suppressed
[   21.660354] random: sshd: uninitialized urandom read (32 bytes read)
[   21.747707] audit: type=1400 audit(1567956420.393:7): avc:  denied  { map } for  pid=1762 comm="syz-executor451" path="/root/syz-executor451891443" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
executing program
executing program
executing program
executing program
[   23.820235] ==================================================================
[   23.827689] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x4e0/0x560
[   23.834673] Read of size 8 at addr ffff8881d0aa4378 by task kworker/0:1/22
[   23.841650]
[   23.843250] CPU: 0 PID: 22 Comm: kworker/0:1 Not tainted 4.14.142+ #0
[   23.849799] Workqueue: events xfrm_state_gc_task
[   23.854524] Call Trace:
[   23.857084]  dump_stack+0xca/0x134
[   23.860595]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[   23.865236]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[   23.869879]  print_address_description+0x60/0x226
[   23.874691]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[   23.879329]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[   23.883965]  __kasan_report.cold+0x1a/0x41
[   23.888200]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[   23.892837]  xfrm6_tunnel_destroy+0x4e0/0x560
[   23.897303]  ? kfree+0x1ca/0x3a0
[   23.900640]  xfrm_state_gc_task+0x3d6/0x550
[   23.904933]  ? xfrm_state_unregister_afinfo+0x190/0x190
[   23.910265]  ? lock_acquire+0x12b/0x360
[   23.914214]  process_one_work+0x7f1/0x1580
[   23.918425]  ? pwq_dec_nr_in_flight+0x2c0/0x2c0
[   23.923070]  worker_thread+0xdd/0xdf0
[   23.926874]  ? process_one_work+0x1580/0x1580
[   23.931343]  kthread+0x31f/0x430
[   23.934678]  ? kthread_create_on_node+0xf0/0xf0
[   23.939316]  ret_from_fork+0x3a/0x50
[   23.943006]
[   23.944618] Allocated by task 1769:
[   23.948215]  __kasan_kmalloc.part.0+0x53/0xc0
[   23.952682]  ops_init+0xee/0x3f0
[   23.956019]  setup_net+0x259/0x550
[   23.959525]  copy_net_ns+0x195/0x480
[   23.963207]  create_new_namespaces+0x373/0x760
[   23.967761]  unshare_nsproxy_namespaces+0xa5/0x1e0
[   23.972659]  SyS_unshare+0x34e/0x6c0
[   23.976352]  do_syscall_64+0x19b/0x520
[   23.980225]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   23.985403]  0xffffffffffffffff
[   23.988649]
[   23.990255] Freed by task 369:
[   23.993448]  __kasan_slab_free+0x164/0x210
[   23.997649]  kfree+0x108/0x3a0
[   24.000809]  ops_free_list.part.0+0x1f9/0x330
[   24.005273]  cleanup_net+0x466/0x870
[   24.008967]  process_one_work+0x7f1/0x1580
[   24.013175]  worker_thread+0xdd/0xdf0
[   24.016942]  kthread+0x31f/0x430
[   24.020274]  ret_from_fork+0x3a/0x50
[   24.023954]  0xffffffffffffffff
[   24.027198]
[   24.028793] The buggy address belongs to the object at ffff8881d0aa4200
[   24.028793]  which belongs to the cache kmalloc-8192 of size 8192
[   24.041588] The buggy address is located 376 bytes inside of
[   24.041588]  8192-byte region [ffff8881d0aa4200, ffff8881d0aa6200)
[   24.053515] The buggy address belongs to the page:
[   24.058413] page:ffffea000742a800 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   24.068346] flags: 0x4000000000010200(slab|head)
[   24.073070] raw: 4000000000010200 0000000000000000 0000000000000000 0000000100030003
[   24.080919] raw: dead000000000100 dead000000000200 ffff8881da802400 0000000000000000
[   24.088765] page dumped because: kasan: bad access detected
[   24.094490]
[   24.096089] Memory state around the buggy address:
[   24.100987]  ffff8881d0aa4200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.108317]  ffff8881d0aa4280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.115643] >ffff8881d0aa4300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.122976]                                                                 ^
[   24.130218]  ffff8881d0aa4380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.137565]  ffff8881d0aa4400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.144893] ==================================================================
[   24.152223] Disabling lock debugging due to kernel taint
[   24.157705] Kernel panic - not syncing: panic_on_warn set ...
[   24.157705]
[   24.165053] CPU: 0 PID: 22 Comm: kworker/0:1 Tainted: G    B     4.14.142+ #0
[   24.172821] Workqueue: events xfrm_state_gc_task
[   24.177545] Call Trace:
[   24.180101]  dump_stack+0xca/0x134
[   24.183622]  panic+0x1ea/0x3d3
[   24.186780]  ? add_taint.cold+0x16/0x16
[   24.190726]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[   24.195376]  end_report+0x43/0x49
[   24.198797]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[   24.203433]  __kasan_report.cold+0xd/0x41
[   24.207548]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[   24.212215]  xfrm6_tunnel_destroy+0x4e0/0x560
[   24.216678]  ? kfree+0x1ca/0x3a0
[   24.220019]  xfrm_state_gc_task+0x3d6/0x550
[   24.224315]  ? xfrm_state_unregister_afinfo+0x190/0x190
[   24.229647]  ? lock_acquire+0x12b/0x360
[   24.233590]  process_one_work+0x7f1/0x1580
[   24.237795]  ? pwq_dec_nr_in_flight+0x2c0/0x2c0
[   24.242441]  worker_thread+0xdd/0xdf0
[   24.246229]  ? process_one_work+0x1580/0x1580
[   24.250706]  kthread+0x31f/0x430
[   24.254060]  ? kthread_create_on_node+0xf0/0xf0
[   24.258709]  ret_from_fork+0x3a/0x50
[   24.262996] Kernel Offset: 0x35000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   24.273897] Rebooting in 86400 seconds..