[    9.472589] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[   30.124907] random: sshd: uninitialized urandom read (32 bytes read)
[   30.447837] audit: type=1400 audit(1548822401.457:6): avc:  denied  { map } for  pid=1759 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   30.493059] random: sshd: uninitialized urandom read (32 bytes read)
[   30.929914] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.129' (ECDSA) to the list of known hosts.
[   36.576432] urandom_read: 1 callbacks suppressed
[   36.576435] random: sshd: uninitialized urandom read (32 bytes read)
[   36.663900] audit: type=1400 audit(1548822407.677:7): avc:  denied  { map } for  pid=1771 comm="syz-executor974" path="/root/syz-executor974920419" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[   36.950573] ==================================================================
[   36.957981] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[   36.964712] Read of size 8 at addr ffff8881d62a8dd0 by task syz-executor974/1774
[   36.972216]
[   36.973823] CPU: 1 PID: 1774 Comm: syz-executor974 Not tainted 4.14.96+ #20
[   36.980888] Call Trace:
[   36.983450]  dump_stack+0xb9/0x10e
[   36.986967]  ? ip_local_deliver+0x43d/0x450
[   36.991262]  print_address_description+0x60/0x226
[   36.996076]  ? ip_local_deliver+0x43d/0x450
[   37.000367]  kasan_report.cold+0x88/0x2a5
[   37.004501]  ? ip_local_deliver+0x43d/0x450
[   37.008804]  ? ip_call_ra_chain+0x540/0x540
[   37.013111]  ? __lock_acquire+0x56a/0x3fa0
[   37.017326]  ? deref_stack_reg+0xaa/0xe0
[   37.021376]  ? ip_rcv+0x99f/0xf7a
[   37.024806]  ? ip_rcv_finish+0x5c9/0x1490
[   37.029224]  ? ip_rcv+0x9e2/0xf7a
[   37.032659]  ? ip_local_deliver+0x450/0x450
[   37.036953]  ? __lock_acquire+0x56a/0x3fa0
[   37.041168]  ? check_preemption_disabled+0x35/0x1f0
[   37.046168]  ? ip_local_deliver+0x450/0x450
[   37.050474]  ? __netif_receive_skb_core+0x1364/0x2c60
[   37.055640]  ? trace_hardirqs_on+0x10/0x10
[   37.059856]  ? flush_backlog+0x580/0x580
[   37.063931]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   37.069098]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   37.074264]  ? lock_acquire+0x10f/0x380
[   37.078526]  ? __netif_receive_skb+0x55/0x1f0
[   37.082995]  ? __netif_receive_skb+0x55/0x1f0
[   37.087468]  ? netif_receive_skb_internal+0xec/0x5c0
[   37.092549]  ? dev_cpu_dead+0x810/0x810
[   37.096500]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   37.101923]  ? rcu_read_lock_sched_held+0x10a/0x130
[   37.106918]  ? tun_rx_batched.isra.0+0x45d/0x730
[   37.111648]  ? __skb_get_hash_symmetric+0x255/0x620
[   37.116644]  ? tun_chr_read_iter+0x1c0/0x1c0
[   37.121030]  ? tun_get_user+0xc07/0x3790
[   37.125065]  ? __local_bh_enable_ip+0x65/0xc0
[   37.129539]  ? tun_get_user+0xd95/0x3790
[   37.133580]  ? tun_rx_batched.isra.0+0x730/0x730
[   37.138321]  ? debug_mutex_wake_waiter+0x1d0/0x370
[   37.143235]  ? __tun_get+0x11c/0x220
[   37.146928]  ? check_preemption_disabled+0x35/0x1f0
[   37.151936]  ? tun_chr_write_iter+0xcf/0x180
[   37.156323]  ? do_iter_readv_writev+0x379/0x580
[   37.160973]  ? clone_verify_area+0x1e0/0x1e0
[   37.165362]  ? avc_policy_seqno+0x5/0x10
[   37.169401]  ? security_file_permission+0x88/0x1e0
[   37.174308]  ? do_iter_write+0x152/0x550
[   37.178348]  ? signal_setup_done+0xac/0x270
[   37.182653]  ? vfs_writev+0x146/0x2d0
[   37.186430]  ? vfs_iter_write+0xa0/0xa0
[   37.190386]  ? do_signal+0x488/0x15c0
[   37.194174]  ? setup_sigcontext+0x810/0x810
[   37.198477]  ? pgtable_bad+0x110/0x110
[   37.202359]  ? __bad_area_nosemaphore+0x25f/0x280
[   37.207182]  ? is_prefetch.isra.0.part.0+0x210/0x330
[   37.212266]  ? do_writev+0xc9/0x240
[   37.216052]  ? vfs_writev+0x2d0/0x2d0
[   37.219852]  ? do_syscall_64+0x43/0x4b0
[   37.223805]  ? SyS_readv+0x30/0x30
[   37.227319]  ? do_syscall_64+0x19b/0x4b0
[   37.231372]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   37.236722]
[   37.238324] Allocated by task 1774:
[   37.241926]  kasan_kmalloc.part.0+0x4f/0xd0
[   37.246224]  kmem_cache_alloc+0xd2/0x2d0
[   37.250261]  __build_skb+0x2e/0x2d0
[   37.253861]  build_skb+0x1a/0x1f0
[   37.257291]  tun_get_user+0x248b/0x3790
[   37.261242]  tun_chr_write_iter+0xcf/0x180
[   37.265449]  do_iter_readv_writev+0x379/0x580
[   37.269914]  do_iter_write+0x152/0x550
[   37.273962]  vfs_writev+0x146/0x2d0
[   37.277654]  do_writev+0xc9/0x240
[   37.281081]  do_syscall_64+0x19b/0x4b0
[   37.284937]
[   37.286546] Freed by task 1774:
[   37.289806]  kasan_slab_free+0xb0/0x190
[   37.293758]  kmem_cache_free+0xc4/0x330
[   37.297708]  kfree_skbmem+0xa0/0x100
[   37.301396]  kfree_skb+0xcd/0x350
[   37.304825]  ip_defrag+0x5f4/0x3b50
[   37.308426]  ip_local_deliver+0x165/0x450
[   37.312550]  ip_rcv_finish+0x5c9/0x1490
[   37.316508]  ip_rcv+0x9e2/0xf7a
[   37.319777]  __netif_receive_skb_core+0x1364/0x2c60
[   37.324769]  __netif_receive_skb+0x55/0x1f0
[   37.329065]  netif_receive_skb_internal+0xec/0x5c0
[   37.333989]  tun_rx_batched.isra.0+0x45d/0x730
[   37.338547]  tun_get_user+0xd95/0x3790
[   37.342422]  tun_chr_write_iter+0xcf/0x180
[   37.346635]  do_iter_readv_writev+0x379/0x580
[   37.351110]  do_iter_write+0x152/0x550
[   37.354970]  vfs_writev+0x146/0x2d0
[   37.358575]  do_writev+0xc9/0x240
[   37.362007]  do_syscall_64+0x19b/0x4b0
[   37.365863]
[   37.367467] The buggy address belongs to the object at ffff8881d62a8dc0
[   37.367467]  which belongs to the cache skbuff_head_cache of size 224
[   37.380620] The buggy address is located 16 bytes inside of
[   37.380620]  224-byte region [ffff8881d62a8dc0, ffff8881d62a8ea0)
[   37.392500] The buggy address belongs to the page:
[   37.397410] page:ffffea000758aa00 count:1 mapcount:0 mapping:          (null) index:0x0
[   37.405529] flags: 0x4000000000000100(slab)
[   37.409829] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[   37.417771] raw: dead000000000100 dead000000000200 ffff8881dab58200 0000000000000000
[   37.425628] page dumped because: kasan: bad access detected
[   37.431312]
[   37.432913] Memory state around the buggy address:
[   37.437815]  ffff8881d62a8c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.445153]  ffff8881d62a8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   37.452486] >ffff8881d62a8d80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   37.459819]                                                  ^
[   37.465762]  ffff8881d62a8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.473099]  ffff8881d62a8e80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   37.480434] ==================================================================
[   37.487765] Disabling lock debugging due to kernel taint
[   37.493207] Kernel panic - not syncing: panic_on_warn set ...
[   37.493207]
[   37.500541] CPU: 1 PID: 1774 Comm: syz-executor974 Tainted: G    B     4.14.96+ #20
[   37.508833] Call Trace:
[   37.511396]  dump_stack+0xb9/0x10e
[   37.514910]  panic+0x1d9/0x3c2
[   37.518073]  ? add_taint.cold+0x16/0x16
[   37.522018]  ? retint_kernel+0x2d/0x2d
[   37.525882]  ? ip_local_deliver+0x43d/0x450
[   37.530231]  kasan_end_report+0x43/0x49
[   37.534187]  kasan_report.cold+0xa4/0x2a5
[   37.538313]  ? ip_local_deliver+0x43d/0x450
[   37.542607]  ? ip_call_ra_chain+0x540/0x540
[   37.546903]  ? __lock_acquire+0x56a/0x3fa0
[   37.551115]  ? deref_stack_reg+0xaa/0xe0
[   37.555152]  ? ip_rcv+0x99f/0xf7a
[   37.558579]  ? ip_rcv_finish+0x5c9/0x1490
[   37.562703]  ? ip_rcv+0x9e2/0xf7a
[   37.566303]  ? ip_local_deliver+0x450/0x450
[   37.570630]  ? __lock_acquire+0x56a/0x3fa0
[   37.574851]  ? check_preemption_disabled+0x35/0x1f0
[   37.579859]  ? ip_local_deliver+0x450/0x450
[   37.584156]  ? __netif_receive_skb_core+0x1364/0x2c60
[   37.589317]  ? trace_hardirqs_on+0x10/0x10
[   37.593535]  ? flush_backlog+0x580/0x580
[   37.597713]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   37.602885]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   37.608049]  ? lock_acquire+0x10f/0x380
[   37.611998]  ? __netif_receive_skb+0x55/0x1f0
[   37.616463]  ? __netif_receive_skb+0x55/0x1f0
[   37.620933]  ? netif_receive_skb_internal+0xec/0x5c0
[   37.626007]  ? dev_cpu_dead+0x810/0x810
[   37.629954]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   37.635382]  ? rcu_read_lock_sched_held+0x10a/0x130
[   37.640423]  ? tun_rx_batched.isra.0+0x45d/0x730
[   37.645158]  ? __skb_get_hash_symmetric+0x255/0x620
[   37.650158]  ? tun_chr_read_iter+0x1c0/0x1c0
[   37.654554]  ? tun_get_user+0xc07/0x3790
[   37.658598]  ? __local_bh_enable_ip+0x65/0xc0
[   37.663066]  ? tun_get_user+0xd95/0x3790
[   37.667100]  ? tun_rx_batched.isra.0+0x730/0x730
[   37.671851]  ? debug_mutex_wake_waiter+0x1d0/0x370
[   37.676755]  ? __tun_get+0x11c/0x220
[   37.680439]  ? check_preemption_disabled+0x35/0x1f0
[   37.685431]  ? tun_chr_write_iter+0xcf/0x180
[   37.689820]  ? do_iter_readv_writev+0x379/0x580
[   37.694580]  ? clone_verify_area+0x1e0/0x1e0
[   37.698964]  ? avc_policy_seqno+0x5/0x10
[   37.702999]  ? security_file_permission+0x88/0x1e0
[   37.707906]  ? do_iter_write+0x152/0x550
[   37.711941]  ? signal_setup_done+0xac/0x270
[   37.716236]  ? vfs_writev+0x146/0x2d0
[   37.720010]  ? vfs_iter_write+0xa0/0xa0
[   37.723964]  ? do_signal+0x488/0x15c0
[   37.727745]  ? setup_sigcontext+0x810/0x810
[   37.732044]  ? pgtable_bad+0x110/0x110
[   37.735904]  ? __bad_area_nosemaphore+0x25f/0x280
[   37.740719]  ? is_prefetch.isra.0.part.0+0x210/0x330
[   37.745796]  ? do_writev+0xc9/0x240
[   37.749396]  ? vfs_writev+0x2d0/0x2d0
[   37.753167]  ? do_syscall_64+0x43/0x4b0
[   37.757111]  ? SyS_readv+0x30/0x30
[   37.760627]  ? do_syscall_64+0x19b/0x4b0
[   37.764663]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   37.770451] Kernel Offset: 0x33c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   37.781342] Rebooting in 86400 seconds..
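The report above has the usual KASAN shape: a BUG line naming the bug class and faulting function, the access (read of 8 bytes), the crash stack, the allocation and free stacks of the object, and the slab cache plus offset of the access inside it. The script below is an added example, not part of the syzkaller report or of the kernel tree: it parses those fields out of a KASAN report so a triager can see at a glance that this is a read 16 bytes into a freed skbuff_head_cache object, allocated in tun_get_user and freed in ip_defrag. The embedded SAMPLE_REPORT is the report above, trimmed to a few frames per stack; the PLUMBING prefix list used to skip allocator and instrumentation frames is a heuristic of this example, not anything KASAN itself defines.

```python
"""KASAN report triage helper.  Added example, not part of the syzkaller
report or the kernel tree: it pulls the triage-relevant fields out of a
report like the one above (dmesg timestamp prefixes are tolerated)."""
import re
from dataclasses import dataclass, field

# Constructed input: the report above, trimmed to a few frames per stack.
SAMPLE_REPORT = """\
[   36.957981] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[   36.964712] Read of size 8 at addr ffff8881d62a8dd0 by task syz-executor974/1774
[   36.980888] Call Trace:
[   36.983450]  dump_stack+0xb9/0x10e
[   36.986967]  ? ip_local_deliver+0x43d/0x450
[   37.000367]  kasan_report.cold+0x88/0x2a5
[   37.236722]
[   37.238324] Allocated by task 1774:
[   37.241926]  kasan_kmalloc.part.0+0x4f/0xd0
[   37.250261]  __build_skb+0x2e/0x2d0
[   37.257291]  tun_get_user+0x248b/0x3790
[   37.284937]
[   37.286546] Freed by task 1774:
[   37.289806]  kasan_slab_free+0xb0/0x190
[   37.301396]  kfree_skb+0xcd/0x350
[   37.304825]  ip_defrag+0x5f4/0x3b50
[   37.367467] The buggy address belongs to the object at ffff8881d62a8dc0
[   37.367467]  which belongs to the cache skbuff_head_cache of size 224
[   37.380620] The buggy address is located 16 bytes inside of
[   37.380620]  224-byte region [ffff8881d62a8dc0, ffff8881d62a8ea0)
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_RE = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)")
OBJ_RE = re.compile(r"belongs to the object at (?P<obj>[0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET_RE = re.compile(r"located (?P<off>\d+) bytes inside of")
SECTION_RE = re.compile(r"^(Call Trace|Allocated by task|Freed by task)")
# '?' frames in x86 dumps are stale stack slots, not a real call chain.
FRAME_RE = re.compile(r"^(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SECTIONS = {"Call Trace": "crash_stack", "Allocated by task": "alloc_stack",
            "Freed by task": "free_stack"}
# Heuristic (this example's, not KASAN's): allocator/instrumentation frames
# that say nothing about which subsystem owned the object.
PLUMBING = ("kasan_", "kmem_cache_", "__kmalloc", "kmalloc", "kfree",
            "__build_skb", "build_skb")

@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    obj_addr: int = 0
    cache: str = ""
    cache_size: int = 0
    offset: int = 0
    crash_stack: list = field(default_factory=list)
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)

def parse_kasan(text):
    """Parse one KASAN report into a KasanReport; unreliable frames are dropped."""
    r, stack = KasanReport(), None
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            stack = getattr(r, SECTIONS[m[1]])   # frames below go to this list
        elif m := BUG_RE.search(line):
            r.kind, r.func = m["kind"], m["func"]
        elif m := ACCESS_RE.search(line):
            r.access, r.size, r.addr = m["rw"], int(m["size"]), int(m["addr"], 16)
        elif m := OBJ_RE.search(line):
            r.obj_addr = int(m["obj"], 16)
        elif m := CACHE_RE.search(line):
            r.cache, r.cache_size = m["cache"], int(m["size"])
        elif m := OFFSET_RE.search(line):
            r.offset = int(m["off"])
        elif (m := FRAME_RE.match(line)) and stack is not None and not m["unreliable"]:
            stack.append(m["sym"])
    return r

def owner_frame(stack):
    """First frame that is not allocator/KASAN plumbing (a heuristic)."""
    return next((s for s in stack if not s.startswith(PLUMBING)), stack[0] if stack else "")

def offset_consistent(r):
    """Cross-check: fault address minus object base must equal the reported offset."""
    return r.addr - r.obj_addr == r.offset

def summary(r):
    return (f"{r.kind}: {r.access} of {r.size} bytes in {r.func}, {r.offset} bytes into "
            f"a {r.cache_size}-byte {r.cache} object (allocated in "
            f"{owner_frame(r.alloc_stack)}, freed in {owner_frame(r.free_stack)})")
```

`summary(parse_kasan(open("crash.log").read()))` on a full console capture gives the one-line description a bug tracker title needs; `offset_consistent` catches reports where the address and object lines were interleaved with other output. The offset is the next thing to resolve by hand: 16 bytes into a skbuff_head_cache object is a field of struct sk_buff, and `pahole -C sk_buff vmlinux` on the exact build (here 4.14.96+) shows which one, which is what connects the read in ip_local_deliver to the kfree_skb in ip_defrag on the free stack.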