[....] Starting periodic command scheduler: cron [ ok ]. [....] Starting OpenBSD Secure Shell server: sshd[ 18.787375] random: sshd: uninitialized urandom read (32 bytes read) [ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 20.295807] random: sshd: uninitialized urandom read (32 bytes read) [ 20.496214] random: sshd: uninitialized urandom read (32 bytes read) [ 21.227872] random: sshd: uninitialized urandom read (32 bytes read) [ 33.859794] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.56' (ECDSA) to the list of known hosts. [ 39.276075] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 39.364870] ================================================================== [ 39.372344] BUG: KASAN: slab-out-of-bounds in nla_strlcpy+0x13d/0x150 [ 39.378915] Read of size 1 at addr ffff8801afe89fdd by task syz-executor250/4489 [ 39.386432] [ 39.388054] CPU: 1 PID: 4489 Comm: syz-executor250 Not tainted 4.17.0-rc6+ #68 [ 39.395393] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 39.404737] Call Trace: [ 39.407317] dump_stack+0x1b9/0x294 [ 39.410929] ? dump_stack_print_info.cold.2+0x52/0x52 [ 39.416100] ? printk+0x9e/0xba [ 39.419365] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 39.424109] ? kasan_check_write+0x14/0x20 [ 39.428326] print_address_description+0x6c/0x20b [ 39.433151] ? nla_strlcpy+0x13d/0x150 [ 39.437019] kasan_report.cold.7+0x242/0x2fe [ 39.441408] __asan_report_load1_noabort+0x14/0x20 [ 39.446317] nla_strlcpy+0x13d/0x150 [ 39.450013] nfnl_acct_new+0x574/0xc50 [ 39.453881] ? nfnl_acct_overquota+0x380/0x380 [ 39.458445] ? debug_check_no_locks_freed+0x310/0x310 [ 39.463628] ? graph_lock+0x170/0x170 [ 39.467415] ? print_usage_bug+0xc0/0xc0 [ 39.471462] ? find_held_lock+0x36/0x1c0 [ 39.475506] ? graph_lock+0x170/0x170 [ 39.479288] ? lock_downgrade+0x8e0/0x8e0 [ 39.483428] ? 
__sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 39.488947] ? __lock_is_held+0xb5/0x140 [ 39.493009] ? nfnl_acct_overquota+0x380/0x380 [ 39.497592] nfnetlink_rcv_msg+0xdb5/0xff0 [ 39.501815] ? __sanitizer_cov_trace_cmp1+0x17/0x20 [ 39.506809] ? nfnetlink_rcv_msg+0x3bc/0xff0 [ 39.511207] ? nfnetlink_bind+0x3a0/0x3a0 [ 39.515337] ? graph_lock+0x170/0x170 [ 39.519122] ? find_held_lock+0x36/0x1c0 [ 39.523167] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 39.528689] netlink_rcv_skb+0x172/0x440 [ 39.532731] ? nfnetlink_bind+0x3a0/0x3a0 [ 39.536911] ? netlink_ack+0xbc0/0xbc0 [ 39.540781] ? __netlink_ns_capable+0x100/0x130 [ 39.545432] nfnetlink_rcv+0x1fe/0x1ba0 [ 39.549389] ? kasan_check_read+0x11/0x20 [ 39.553521] ? rcu_is_watching+0x85/0x140 [ 39.557652] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 39.562826] ? nfnl_err_reset+0x2d0/0x2d0 [ 39.566960] ? netlink_remove_tap+0x610/0x610 [ 39.571453] ? refcount_add_not_zero+0x320/0x320 [ 39.576187] ? kasan_check_read+0x11/0x20 [ 39.580317] ? rcu_is_watching+0x85/0x140 [ 39.584457] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 39.589642] ? netlink_skb_destructor+0x210/0x210 [ 39.594473] ? kasan_check_write+0x14/0x20 [ 39.598713] netlink_unicast+0x58b/0x740 [ 39.602757] ? netlink_attachskb+0x970/0x970 [ 39.607149] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 39.612672] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 39.617675] ? security_netlink_send+0x88/0xb0 [ 39.622244] netlink_sendmsg+0x9f0/0xfa0 [ 39.626288] ? netlink_unicast+0x740/0x740 [ 39.630506] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 39.636026] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 39.641553] ? security_socket_sendmsg+0x94/0xc0 [ 39.646291] ? netlink_unicast+0x740/0x740 [ 39.650512] sock_sendmsg+0xd5/0x120 [ 39.654211] sock_write_iter+0x35a/0x5a0 [ 39.658254] ? sock_sendmsg+0x120/0x120 [ 39.662214] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 39.667732] ? iov_iter_init+0xc9/0x1f0 [ 39.671690] __vfs_write+0x64d/0x960 [ 39.675385] ? 
kernel_read+0x120/0x120 [ 39.679255] ? lock_downgrade+0x8e0/0x8e0 [ 39.683396] ? handle_mm_fault+0x8c0/0xc70 [ 39.687613] ? handle_mm_fault+0x55a/0xc70 [ 39.691833] ? rw_verify_area+0x118/0x360 [ 39.695960] vfs_write+0x1f8/0x560 [ 39.699484] ksys_write+0xf9/0x250 [ 39.703007] ? __ia32_sys_read+0xb0/0xb0 [ 39.707048] ? __ia32_sys_fallocate+0xf0/0xf0 [ 39.711535] __x64_sys_write+0x73/0xb0 [ 39.715415] do_syscall_64+0x1b1/0x800 [ 39.719286] ? syscall_return_slowpath+0x5c0/0x5c0 [ 39.724200] ? syscall_return_slowpath+0x30f/0x5c0 [ 39.729120] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 39.734652] ? retint_user+0x18/0x18 [ 39.738380] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 39.743205] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 39.748375] RIP: 0033:0x43fcf9 [ 39.751543] RSP: 002b:00007ffef1562368 EFLAGS: 00000213 ORIG_RAX: 0000000000000001 [ 39.759233] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fcf9 [ 39.766494] RDX: 000000000000001f RSI: 0000000020390000 RDI: 0000000000000003 [ 39.773753] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 39.781019] R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401620 [ 39.788274] R13: 00000000004016b0 R14: 0000000000000000 R15: 0000000000000000 [ 39.795536] [ 39.797144] Allocated by task 4489: [ 39.800756] save_stack+0x43/0xd0 [ 39.804206] kasan_kmalloc+0xc4/0xe0 [ 39.807900] __kmalloc+0x14e/0x760 [ 39.811441] load_elf_phdrs+0x17a/0x250 [ 39.815398] load_elf_binary+0x9bd/0x5610 [ 39.819526] search_binary_handler+0x17d/0x570 [ 39.824096] do_execveat_common.isra.34+0x16ce/0x2590 [ 39.829267] __x64_sys_execve+0x8d/0xb0 [ 39.833227] do_syscall_64+0x1b1/0x800 [ 39.837100] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 39.842263] [ 39.843867] Freed by task 4489: [ 39.847137] save_stack+0x43/0xd0 [ 39.850578] __kasan_slab_free+0x11a/0x170 [ 39.854792] kasan_slab_free+0xe/0x10 [ 39.858574] kfree+0xd9/0x260 [ 39.861659] load_elf_binary+0x255d/0x5610 [ 39.865874] search_binary_handler+0x17d/0x570 [ 
39.870433] do_execveat_common.isra.34+0x16ce/0x2590 [ 39.875599] __x64_sys_execve+0x8d/0xb0 [ 39.879552] do_syscall_64+0x1b1/0x800 [ 39.883421] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 39.888584] [ 39.890202] The buggy address belongs to the object at ffff8801afe89cc0 [ 39.890202] which belongs to the cache kmalloc-512 of size 512 [ 39.902840] The buggy address is located 285 bytes to the right of [ 39.902840] 512-byte region [ffff8801afe89cc0, ffff8801afe89ec0) [ 39.915301] The buggy address belongs to the page: [ 39.920218] page:ffffea0006bfa240 count:1 mapcount:0 mapping:ffff8801afe89040 index:0x0 [ 39.928343] flags: 0x2fffc0000000100(slab) [ 39.932559] raw: 02fffc0000000100 ffff8801afe89040 0000000000000000 0000000100000006 [ 39.940421] raw: ffffea0006c52660 ffff8801da801748 ffff8801da800940 0000000000000000 [ 39.948284] page dumped because: kasan: bad access detected [ 39.953969] [ 39.955574] Memory state around the buggy address: [ 39.960481] ffff8801afe89e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 39.967827] ffff8801afe89f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 39.975176] >ffff8801afe89f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 39.982511] ^ [ 39.988719] ffff8801afe8a000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 39.996056] ffff8801afe8a080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 40.003390] ================================================================== [ 40.010721] Disabling lock debugging due to kernel taint [ 40.016242] Kernel panic - not syncing: panic_on_warn set ... [ 40.016242] [ 40.023596] CPU: 1 PID: 4489 Comm: syz-executor250 Tainted: G B 4.17.0-rc6+ #68 [ 40.032337] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 40.041667] Call Trace: [ 40.044239] dump_stack+0x1b9/0x294 [ 40.047848] ? dump_stack_print_info.cold.2+0x52/0x52 [ 40.053017] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 40.057752] ? 
nla_strlcpy+0x70/0x150 [ 40.061530] panic+0x22f/0x4de [ 40.064702] ? add_taint.cold.5+0x16/0x16 [ 40.068829] ? do_raw_spin_unlock+0x9e/0x2e0 [ 40.073214] ? do_raw_spin_unlock+0x9e/0x2e0 [ 40.077602] ? nla_strlcpy+0x13d/0x150 [ 40.081474] kasan_end_report+0x47/0x4f [ 40.085426] kasan_report.cold.7+0x76/0x2fe [ 40.089727] __asan_report_load1_noabort+0x14/0x20 [ 40.094633] nla_strlcpy+0x13d/0x150 [ 40.098328] nfnl_acct_new+0x574/0xc50 [ 40.102196] ? nfnl_acct_overquota+0x380/0x380 [ 40.106755] ? debug_check_no_locks_freed+0x310/0x310 [ 40.111943] ? graph_lock+0x170/0x170 [ 40.115722] ? print_usage_bug+0xc0/0xc0 [ 40.119762] ? find_held_lock+0x36/0x1c0 [ 40.123802] ? graph_lock+0x170/0x170 [ 40.127594] ? lock_downgrade+0x8e0/0x8e0 [ 40.131725] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 40.137252] ? __lock_is_held+0xb5/0x140 [ 40.141311] ? nfnl_acct_overquota+0x380/0x380 [ 40.151616] nfnetlink_rcv_msg+0xdb5/0xff0 [ 40.155841] ? __sanitizer_cov_trace_cmp1+0x17/0x20 [ 40.160845] ? nfnetlink_rcv_msg+0x3bc/0xff0 [ 40.165242] ? nfnetlink_bind+0x3a0/0x3a0 [ 40.169380] ? graph_lock+0x170/0x170 [ 40.173172] ? find_held_lock+0x36/0x1c0 [ 40.177215] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 40.182746] netlink_rcv_skb+0x172/0x440 [ 40.186788] ? nfnetlink_bind+0x3a0/0x3a0 [ 40.190929] ? netlink_ack+0xbc0/0xbc0 [ 40.194795] ? __netlink_ns_capable+0x100/0x130 [ 40.199440] nfnetlink_rcv+0x1fe/0x1ba0 [ 40.203394] ? kasan_check_read+0x11/0x20 [ 40.207519] ? rcu_is_watching+0x85/0x140 [ 40.211645] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 40.216841] ? nfnl_err_reset+0x2d0/0x2d0 [ 40.220975] ? netlink_remove_tap+0x610/0x610 [ 40.225453] ? refcount_add_not_zero+0x320/0x320 [ 40.230191] ? kasan_check_read+0x11/0x20 [ 40.234319] ? rcu_is_watching+0x85/0x140 [ 40.238445] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 40.243621] ? netlink_skb_destructor+0x210/0x210 [ 40.248442] ? kasan_check_write+0x14/0x20 [ 40.252655] netlink_unicast+0x58b/0x740 [ 40.256697] ? 
netlink_attachskb+0x970/0x970 [ 40.261083] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 40.266597] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 40.271594] ? security_netlink_send+0x88/0xb0 [ 40.276153] netlink_sendmsg+0x9f0/0xfa0 [ 40.280193] ? netlink_unicast+0x740/0x740 [ 40.284408] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 40.289935] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 40.295459] ? security_socket_sendmsg+0x94/0xc0 [ 40.300196] ? netlink_unicast+0x740/0x740 [ 40.304430] sock_sendmsg+0xd5/0x120 [ 40.308124] sock_write_iter+0x35a/0x5a0 [ 40.312163] ? sock_sendmsg+0x120/0x120 [ 40.316117] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 40.321632] ? iov_iter_init+0xc9/0x1f0 [ 40.325584] __vfs_write+0x64d/0x960 [ 40.329275] ? kernel_read+0x120/0x120 [ 40.333154] ? lock_downgrade+0x8e0/0x8e0 [ 40.337283] ? handle_mm_fault+0x8c0/0xc70 [ 40.341499] ? handle_mm_fault+0x55a/0xc70 [ 40.345715] ? rw_verify_area+0x118/0x360 [ 40.349841] vfs_write+0x1f8/0x560 [ 40.353368] ksys_write+0xf9/0x250 [ 40.356885] ? __ia32_sys_read+0xb0/0xb0 [ 40.360924] ? __ia32_sys_fallocate+0xf0/0xf0 [ 40.365400] __x64_sys_write+0x73/0xb0 [ 40.369276] do_syscall_64+0x1b1/0x800 [ 40.373152] ? syscall_return_slowpath+0x5c0/0x5c0 [ 40.378060] ? syscall_return_slowpath+0x30f/0x5c0 [ 40.382980] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 40.388496] ? retint_user+0x18/0x18 [ 40.392189] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 40.397035] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 40.402204] RIP: 0033:0x43fcf9 [ 40.405384] RSP: 002b:00007ffef1562368 EFLAGS: 00000213 ORIG_RAX: 0000000000000001 [ 40.413095] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fcf9 [ 40.420365] RDX: 000000000000001f RSI: 0000000020390000 RDI: 0000000000000003 [ 40.427634] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 40.434905] R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401620 [ 40.442171] R13: 00000000004016b0 R14: 0000000000000000 R15: 0000000000000000 [ 40.449986] Dumping ftrace buffer: [ 40.453509] (ftrace buffer empty) [ 40.457197] Kernel Offset: disabled [ 40.460812] Rebooting in 86400 seconds..