[ ok ] Starting enhanced syslogd: rsyslogd.
[ 15.535698] audit: type=1400 audit(1519584354.323:4): avc: denied { syslog } for pid=3652 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.229' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 27.257608] ==================================================================
[ 27.264988] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x2702/0x3470
[ 27.271536] Read of size 4096 at addr ffff8801c3db8a40 by task syzkaller715050/3808
[ 27.279295]
[ 27.280897] CPU: 1 PID: 3808 Comm: syzkaller715050 Not tainted 4.9.83-ga92bb8d #51
[ 27.288602] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.297933] ffff8801d7fa7718 ffffffff81d95149 ffffea00070f6e00 ffff8801c3db8a40
[ 27.305899] 0000000000000000 ffff8801c3db8c00 ffff8801d7fa7958 ffff8801d7fa7750
[ 27.313867] ffffffff8153e213 ffff8801c3db8a40 0000000000001000 0000000000000000
[ 27.321826] Call Trace:
[ 27.324386] [] dump_stack+0xc1/0x128
[ 27.329718] [] print_address_description+0x73/0x280
[ 27.336350] [] kasan_report+0x275/0x360
[ 27.341949] [] ? pfkey_add+0x2702/0x3470
[ 27.347630] [] check_memory_region+0x137/0x190
[ 27.353831] [] memcpy+0x23/0x50
[ 27.358726] [] pfkey_add+0x2702/0x3470
[ 27.364230] [] ? pfkey_delete+0x360/0x360
[ 27.369998] [] ? pfkey_seq_stop+0x80/0x80
[ 27.375767] [] ? __skb_clone+0x24a/0x7d0
[ 27.381446] [] ? pfkey_delete+0x360/0x360
[ 27.387215] [] pfkey_process+0x68b/0x750
[ 27.392894] [] ? pfkey_send_new_mapping+0x11b0/0x11b0
[ 27.399704] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 27.406511] [] pfkey_sendmsg+0x3a9/0x760
[ 27.412188] [] ? pfkey_spdget+0x820/0x820
[ 27.417952] [] sock_sendmsg+0xca/0x110
[ 27.423458] [] ___sys_sendmsg+0x6d1/0x7e0
[ 27.429222] [] ? copy_msghdr_from_user+0x570/0x570
[ 27.435770] [] ? __lru_cache_add+0x187/0x250
[ 27.441799] [] ? do_huge_pmd_anonymous_page+0xb05/0x10d0
[ 27.448865] [] ? _raw_spin_unlock+0x2c/0x50
[ 27.454803] [] ? do_huge_pmd_anonymous_page+0x2d4/0x10d0
[ 27.461873] [] ? __fget_light+0x169/0x1f0
[ 27.467643] [] ? __fdget+0x18/0x20
[ 27.472805] [] ? sockfd_lookup_light+0x118/0x160
[ 27.479176] [] __sys_sendmsg+0xd6/0x190
[ 27.484772] [] ? SyS_shutdown+0x1b0/0x1b0
[ 27.490539] [] ? __do_page_fault+0x5ec/0xd40
[ 27.496568] [] compat_SyS_sendmsg+0x2a/0x40
[ 27.502509] [] ? compat_SyS_getsockopt+0x2a0/0x2a0
[ 27.509054] [] do_fast_syscall_32+0x2f5/0x870
[ 27.515168] [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 27.521802] [] entry_SYSENTER_compat+0x90/0xa2
[ 27.527997]
[ 27.529595] Allocated by task 3808:
[ 27.533191]  save_stack_trace+0x16/0x20
[ 27.537133]  save_stack+0x43/0xd0
[ 27.540553]  kasan_kmalloc+0xad/0xe0
[ 27.544231]  kasan_slab_alloc+0x12/0x20
[ 27.548173]  __kmalloc_track_caller+0xda/0x2b0
[ 27.552723]  __kmalloc_reserve.isra.37+0x33/0xc0
[ 27.557447]  __alloc_skb+0x119/0x600
[ 27.561127]  pfkey_sendmsg+0x135/0x760
[ 27.564983]  sock_sendmsg+0xca/0x110
[ 27.568660]  ___sys_sendmsg+0x6d1/0x7e0
[ 27.572601]  __sys_sendmsg+0xd6/0x190
[ 27.576368]  compat_SyS_sendmsg+0x2a/0x40
[ 27.580483]  do_fast_syscall_32+0x2f5/0x870
[ 27.584768]  entry_SYSENTER_compat+0x90/0xa2
[ 27.589139]
[ 27.590739] Freed by task 2176:
[ 27.593986]  save_stack_trace+0x16/0x20
[ 27.597926]  save_stack+0x43/0xd0
[ 27.601344]  kasan_slab_free+0x72/0xc0
[ 27.605197]  kfree+0x103/0x300
[ 27.608362]  kernfs_fop_release+0xff/0x140
[ 27.612564]  __fput+0x28c/0x6e0
[ 27.615820]  ____fput+0x15/0x20
[ 27.619067]  task_work_run+0x115/0x190
[ 27.622922]  exit_to_usermode_loop+0xfc/0x120
[ 27.627382]  do_syscall_64+0x36f/0x490
[ 27.631237]  entry_SYSCALL_64_after_swapgs+0x47/0xc5
[ 27.636306]
[ 27.637901] The buggy address belongs to the object at ffff8801c3db8a00
[ 27.637901]  which belongs to the cache kmalloc-512 of size 512
[ 27.650523] The buggy address is located 64 bytes inside of
[ 27.650523]  512-byte region [ffff8801c3db8a00, ffff8801c3db8c00)
[ 27.662278] The buggy address belongs to the page:
[ 27.667174] page:ffffea00070f6e00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 27.677339] flags: 0x8000000000004080(slab|head)
[ 27.682062] page dumped because: kasan: bad access detected
[ 27.687737]
[ 27.689334] Memory state around the buggy address:
[ 27.694236]  ffff8801c3db8b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 27.701564]  ffff8801c3db8b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 27.708900] >ffff8801c3db8c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.716229]                    ^
[ 27.719563]  ffff8801c3db8c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.726889]  ffff8801c3db8d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.734212] ==================================================================
[ 27.741536] Disabling lock debugging due to kernel taint
[ 27.747051] Kernel panic - not syncing: panic_on_warn set ...
[ 27.747051]
[ 27.754389] CPU: 1 PID: 3808 Comm: syzkaller715050 Tainted: G    B   4.9.83-ga92bb8d #51
[ 27.763280] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.772610] ffff8801d7fa7670 ffffffff81d95149 ffffffff8419777f ffff8801d7fa7748
[ 27.780580] 0000000000000000 ffff8801c3db8c00 ffff8801d7fa7958 ffff8801d7fa7738
[ 27.788553] ffffffff8142f6c1 0000000041b58ab3 ffffffff8418b1f0 ffffffff8142f505
[ 27.796515] Call Trace:
[ 27.799083] [] dump_stack+0xc1/0x128
[ 27.804415] [] panic+0x1bc/0x3a8
[ 27.809404] [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 27.817618] [] ? preempt_schedule+0x25/0x30
[ 27.823560] [] ? ___preempt_schedule+0x16/0x18
[ 27.829759] [] kasan_end_report+0x50/0x50
[ 27.835523] [] kasan_report+0x167/0x360
[ 27.841116] [] ? pfkey_add+0x2702/0x3470
[ 27.846883] [] check_memory_region+0x137/0x190
[ 27.853082] [] memcpy+0x23/0x50
[ 27.857980] [] pfkey_add+0x2702/0x3470
[ 27.863488] [] ? pfkey_delete+0x360/0x360
[ 27.869255] [] ? pfkey_seq_stop+0x80/0x80
[ 27.875024] [] ? __skb_clone+0x24a/0x7d0
[ 27.880704] [] ? pfkey_delete+0x360/0x360
[ 27.886471] [] pfkey_process+0x68b/0x750
[ 27.892157] [] ? pfkey_send_new_mapping+0x11b0/0x11b0
[ 27.898974] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 27.905782] [] pfkey_sendmsg+0x3a9/0x760
[ 27.911459] [] ? pfkey_spdget+0x820/0x820
[ 27.917227] [] sock_sendmsg+0xca/0x110
[ 27.922734] [] ___sys_sendmsg+0x6d1/0x7e0
[ 27.928500] [] ? copy_msghdr_from_user+0x570/0x570
[ 27.935051] [] ? __lru_cache_add+0x187/0x250
[ 27.941087] [] ? do_huge_pmd_anonymous_page+0xb05/0x10d0
[ 27.948158] [] ? _raw_spin_unlock+0x2c/0x50
[ 27.954099] [] ? do_huge_pmd_anonymous_page+0x2d4/0x10d0
[ 27.961167] [] ? __fget_light+0x169/0x1f0
[ 27.966931] [] ? __fdget+0x18/0x20
[ 27.972089] [] ? sockfd_lookup_light+0x118/0x160
[ 27.978459] [] __sys_sendmsg+0xd6/0x190
[ 27.984048] [] ? SyS_shutdown+0x1b0/0x1b0
[ 27.989817] [] ? __do_page_fault+0x5ec/0xd40
[ 27.995849] [] compat_SyS_sendmsg+0x2a/0x40
[ 28.001791] [] ? compat_SyS_getsockopt+0x2a0/0x2a0
[ 28.008340] [] do_fast_syscall_32+0x2f5/0x870
[ 28.014454] [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 28.021088] [] entry_SYSENTER_compat+0x90/0xa2
[ 28.027641] Dumping ftrace buffer:
[ 28.031149]    (ftrace buffer empty)
[ 28.034836] Kernel Offset: disabled
[ 28.038430] Rebooting in 86400 seconds..