[ ok ] Starting enhanced syslogd: rsyslogd.
[ 16.531321] audit: type=1400 audit(1520536263.780:4): avc: denied { syslog } for pid=3651 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.40' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 26.145867] ==================================================================
[ 26.153244] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x2702/0x3470
[ 26.159790] Read of size 4096 at addr ffff8801c31c8040 by task syzkaller943373/3800
[ 26.167547]
[ 26.169154] CPU: 1 PID: 3800 Comm: syzkaller943373 Not tainted 4.9.86-g00db063 #52
[ 26.176826] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.186151] ffff8801d8f97728 ffffffff81d956f9 ffffea00070c7200 ffff8801c31c8040
[ 26.194116] 0000000000000000 ffff8801c31c8200 ffff8801d8f97968 ffff8801d8f97760
[ 26.202079] ffffffff8153e083 ffff8801c31c8040 0000000000001000 0000000000000000
[ 26.210036] Call Trace:
[ 26.212593] [] dump_stack+0xc1/0x128
[ 26.217934] [] print_address_description+0x73/0x280
[ 26.224570] [] kasan_report+0x275/0x360
[ 26.230166] [] ? pfkey_add+0x2702/0x3470
[ 26.235849] [] check_memory_region+0x137/0x190
[ 26.242047] [] memcpy+0x23/0x50
[ 26.246947] [] pfkey_add+0x2702/0x3470
[ 26.252450] [] ? pfkey_delete+0x360/0x360
[ 26.258218] [] ? pfkey_seq_stop+0x80/0x80
[ 26.263982] [] ? __skb_clone+0x24a/0x7d0
[ 26.269660] [] ? pfkey_delete+0x360/0x360
[ 26.275422] [] pfkey_process+0x68b/0x750
[ 26.281098] [] ? pfkey_send_new_mapping+0x11b0/0x11b0
[ 26.287907] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 26.294715] [] pfkey_sendmsg+0x3a9/0x760
[ 26.300393] [] ? pfkey_spdget+0x820/0x820
[ 26.306158] [] sock_sendmsg+0xca/0x110
[ 26.311661] [] ___sys_sendmsg+0x6d1/0x7e0
[ 26.317425] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 26.324230] [] ? copy_msghdr_from_user+0x570/0x570
[ 26.330779] [] ? __lru_cache_add+0x187/0x250
[ 26.336807] [] ? do_huge_pmd_anonymous_page+0xb05/0x10d0
[ 26.343875] [] ? _raw_spin_unlock+0x2c/0x50
[ 26.349815] [] ? do_huge_pmd_anonymous_page+0x2d4/0x10d0
[ 26.356880] [] ? handle_mm_fault+0x4c1/0x2470
[ 26.362993] [] ? __fget_light+0x169/0x1f0
[ 26.368756] [] ? __fdget+0x18/0x20
[ 26.373912] [] ? sockfd_lookup_light+0x118/0x160
[ 26.380283] [] __sys_sendmsg+0xd6/0x190
[ 26.385871] [] ? SyS_shutdown+0x1b0/0x1b0
[ 26.391637] [] ? __do_page_fault+0x5ec/0xd40
[ 26.397662] [] SyS_sendmsg+0x2d/0x50
[ 26.402990] [] ? __sys_sendmsg+0x190/0x190
[ 26.408840] [] do_syscall_64+0x1a4/0x490
[ 26.414516] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 26.421405]
[ 26.423000] Allocated by task 3800:
[ 26.426596]  save_stack_trace+0x16/0x20
[ 26.430539]  save_stack+0x43/0xd0
[ 26.433958]  kasan_kmalloc+0xad/0xe0
[ 26.437636]  kasan_slab_alloc+0x12/0x20
[ 26.441575]  __kmalloc_track_caller+0xda/0x2b0
[ 26.446123]  __kmalloc_reserve.isra.37+0x33/0xc0
[ 26.450846]  __alloc_skb+0x119/0x600
[ 26.454528]  pfkey_sendmsg+0x135/0x760
[ 26.458382]  sock_sendmsg+0xca/0x110
[ 26.462064]  ___sys_sendmsg+0x6d1/0x7e0
[ 26.466006]  __sys_sendmsg+0xd6/0x190
[ 26.469773]  SyS_sendmsg+0x2d/0x50
[ 26.473282]  do_syscall_64+0x1a4/0x490
[ 26.477140]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 26.482205]
[ 26.483803] Freed by task 2190:
[ 26.487049]  save_stack_trace+0x16/0x20
[ 26.490991]  save_stack+0x43/0xd0
[ 26.494416]  kasan_slab_free+0x72/0xc0
[ 26.498278]  kfree+0x103/0x300
[ 26.501442]  kernfs_fop_release+0xff/0x140
[ 26.505644]  __fput+0x28c/0x6e0
[ 26.508889]  ____fput+0x15/0x20
[ 26.512136]  task_work_run+0x115/0x190
[ 26.515991]  exit_to_usermode_loop+0xfc/0x120
[ 26.520451]  do_syscall_64+0x36f/0x490
[ 26.524740]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 26.529805]
[ 26.531401] The buggy address belongs to the object at ffff8801c31c8000
[ 26.531401]  which belongs to the cache kmalloc-512 of size 512
[ 26.544023] The buggy address is located 64 bytes inside of
[ 26.544023]  512-byte region [ffff8801c31c8000, ffff8801c31c8200)
[ 26.555775] The buggy address belongs to the page:
[ 26.560670] page:ffffea00070c7200 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 26.570843] flags: 0x8000000000004080(slab|head)
[ 26.575563] page dumped because: kasan: bad access detected
[ 26.581236]
[ 26.582829] Memory state around the buggy address:
[ 26.587728]  ffff8801c31c8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 26.595054]  ffff8801c31c8180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 26.602380] >ffff8801c31c8200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.609717]                    ^
[ 26.613057]  ffff8801c31c8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.620386]  ffff8801c31c8300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.627709] ==================================================================
[ 26.635032] Disabling lock debugging due to kernel taint
[ 26.640543] Kernel panic - not syncing: panic_on_warn set ...
[ 26.640543]
[ 26.647888] CPU: 1 PID: 3800 Comm: syzkaller943373 Tainted: G B 4.9.86-g00db063 #52
[ 26.656775] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.666101] ffff8801d8f97680 ffffffff81d956f9 ffffffff84197a0f ffff8801d8f97758
[ 26.674071] 0000000000000000 ffff8801c31c8200 ffff8801d8f97968 ffff8801d8f97748
[ 26.682035] ffffffff8142f531 0000000041b58ab3 ffffffff8418b470 ffffffff8142f375
[ 26.689999] Call Trace:
[ 26.692556] [] dump_stack+0xc1/0x128
[ 26.697888] [] panic+0x1bc/0x3a8
[ 26.702875] [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 26.711072] [] ? preempt_schedule+0x25/0x30
[ 26.717012] [] ? ___preempt_schedule+0x16/0x18
[ 26.723213] [] kasan_end_report+0x50/0x50
[ 26.728978] [] kasan_report+0x167/0x360
[ 26.734567] [] ? pfkey_add+0x2702/0x3470
[ 26.740246] [] check_memory_region+0x137/0x190
[ 26.746443] [] memcpy+0x23/0x50
[ 26.751339] [] pfkey_add+0x2702/0x3470
[ 26.756843] [] ? pfkey_delete+0x360/0x360
[ 26.762606] [] ? pfkey_seq_stop+0x80/0x80
[ 26.768370] [] ? __skb_clone+0x24a/0x7d0
[ 26.774047] [] ? pfkey_delete+0x360/0x360
[ 26.779821] [] pfkey_process+0x68b/0x750
[ 26.785508] [] ? pfkey_send_new_mapping+0x11b0/0x11b0
[ 26.792318] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 26.799126] [] pfkey_sendmsg+0x3a9/0x760
[ 26.804806] [] ? pfkey_spdget+0x820/0x820
[ 26.810573] [] sock_sendmsg+0xca/0x110
[ 26.816084] [] ___sys_sendmsg+0x6d1/0x7e0
[ 26.821857] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 26.828665] [] ? copy_msghdr_from_user+0x570/0x570
[ 26.835215] [] ? __lru_cache_add+0x187/0x250
[ 26.841244] [] ? do_huge_pmd_anonymous_page+0xb05/0x10d0
[ 26.848310] [] ? _raw_spin_unlock+0x2c/0x50
[ 26.854247] [] ? do_huge_pmd_anonymous_page+0x2d4/0x10d0
[ 26.861311] [] ? handle_mm_fault+0x4c1/0x2470
[ 26.867421] [] ? __fget_light+0x169/0x1f0
[ 26.873187] [] ? __fdget+0x18/0x20
[ 26.878345] [] ? sockfd_lookup_light+0x118/0x160
[ 26.884718] [] __sys_sendmsg+0xd6/0x190
[ 26.890308] [] ? SyS_shutdown+0x1b0/0x1b0
[ 26.896072] [] ? __do_page_fault+0x5ec/0xd40
[ 26.902097] [] SyS_sendmsg+0x2d/0x50
[ 26.907428] [] ? __sys_sendmsg+0x190/0x190
[ 26.913278] [] do_syscall_64+0x1a4/0x490
[ 26.918957] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 26.926255] Dumping ftrace buffer:
[ 26.929767]    (ftrace buffer empty)
[ 26.933446] Kernel Offset: disabled
[ 26.937039] Rebooting in 86400 seconds..