[ ok ] Starting enhanced syslogd: rsyslogd.
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   71.561152][   T23] kauditd_printk_skb: 9 callbacks suppressed
[   71.561167][   T23] audit: type=1400 audit(1575441230.564:41): avc:  denied  { map } for  pid=9688 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.131' (ECDSA) to the list of known hosts.
executing program
[   78.092028][   T23] audit: type=1400 audit(1575441237.094:42): avc:  denied  { map } for  pid=9700 comm="syz-executor318" path="/root/syz-executor318858695" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   78.119579][ T9700] ==================================================================
[   78.119631][ T9700] BUG: KASAN: slab-out-of-bounds in vcs_scr_readw+0xc2/0xd0
[   78.119643][ T9700] Read of size 2 at addr ffff8880a87f92c0 by task syz-executor318/9700
[   78.119647][ T9700]
[   78.119660][ T9700] CPU: 0 PID: 9700 Comm: syz-executor318 Not tainted 5.4.0-syzkaller #0
[   78.119667][ T9700] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   78.119671][ T9700] Call Trace:
[   78.119687][ T9700]  dump_stack+0x197/0x210
[   78.119698][ T9700]  ? vcs_scr_readw+0xc2/0xd0
[   78.119715][ T9700]  print_address_description.constprop.0.cold+0xd4/0x30b
[   78.119724][ T9700]  ? vcs_scr_readw+0xc2/0xd0
[   78.119734][ T9700]  ? vcs_scr_readw+0xc2/0xd0
[   78.119747][ T9700]  __kasan_report.cold+0x1b/0x41
[   78.119761][ T9700]  ? vcs_write+0x440/0xcf0
[   78.119770][ T9700]  ? vcs_scr_readw+0xc2/0xd0
[   78.119783][ T9700]  kasan_report+0x12/0x20
[   78.119795][ T9700]  __asan_report_load2_noabort+0x14/0x20
[   78.119806][ T9700]  vcs_scr_readw+0xc2/0xd0
[   78.119819][ T9700]  vcs_write+0x646/0xcf0
[   78.119832][ T9700]  ? ___might_sleep+0x163/0x2c0
[   78.119855][ T9700]  ? vcs_size+0x250/0x250
[   78.119869][ T9700]  ? selinux_file_permission+0x9b/0x580
[   78.119887][ T9700]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   78.119901][ T9700]  ? security_file_permission+0x8f/0x380
[   78.119910][ T9700]  ? trace_hardirqs_on+0x67/0x240
[   78.119921][ T9700]  __vfs_write+0x8a/0x110
[   78.119927][ T9700]  ? vcs_size+0x250/0x250
[   78.119936][ T9700]  vfs_write+0x268/0x5d0
[   78.119946][ T9700]  ksys_write+0x14f/0x290
[   78.119955][ T9700]  ? __ia32_sys_read+0xb0/0xb0
[   78.119966][ T9700]  ? do_syscall_64+0x26/0x790
[   78.119976][ T9700]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   78.119984][ T9700]  ? do_syscall_64+0x26/0x790
[   78.119994][ T9700]  __x64_sys_write+0x73/0xb0
[   78.120003][ T9700]  do_syscall_64+0xfa/0x790
[   78.120013][ T9700]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   78.120020][ T9700] RIP: 0033:0x443e49
[   78.120030][ T9700] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   78.120034][ T9700] RSP: 002b:00007fffb2c50aa8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   78.120042][ T9700] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000443e49
[   78.120047][ T9700] RDX: 0000000000001010 RSI: 0000000020006480 RDI: 0000000000000003
[   78.120052][ T9700] RBP: 00000000006cf018 R08: 0000000000000000 R09: 00000000004002e0
[   78.120056][ T9700] R10: 000000000000000f R11: 0000000000000246 R12: 0000000000401b50
[   78.120061][ T9700] R13: 0000000000401be0 R14: 0000000000000000 R15: 0000000000000000
[   78.120071][ T9700]
[   78.120076][ T9700] Allocated by task 9678:
[   78.120083][ T9700]  save_stack+0x23/0x90
[   78.120090][ T9700]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   78.120095][ T9700]  kasan_kmalloc+0x9/0x10
[   78.120104][ T9700]  __kmalloc+0x163/0x770
[   78.120110][ T9700]  vc_allocate+0x3fc/0x760
[   78.120116][ T9700]  con_install+0x52/0x410
[   78.120123][ T9700]  tty_init_dev+0xf7/0x460
[   78.120129][ T9700]  tty_open+0x4a5/0xbb0
[   78.120137][ T9700]  chrdev_open+0x245/0x6b0
[   78.120145][ T9700]  do_dentry_open+0x4e6/0x1380
[   78.120150][ T9700]  vfs_open+0xa0/0xd0
[   78.120159][ T9700]  path_openat+0x10e4/0x4710
[   78.120166][ T9700]  do_filp_open+0x1a1/0x280
[   78.120171][ T9700]  do_sys_open+0x3fe/0x5d0
[   78.120177][ T9700]  __x64_sys_open+0x7e/0xc0
[   78.120184][ T9700]  do_syscall_64+0xfa/0x790
[   78.120192][ T9700]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   78.120194][ T9700]
[   78.120197][ T9700] Freed by task 9401:
[   78.120204][ T9700]  save_stack+0x23/0x90
[   78.120210][ T9700]  __kasan_slab_free+0x102/0x150
[   78.120216][ T9700]  kasan_slab_free+0xe/0x10
[   78.120223][ T9700]  kfree+0x10a/0x2c0
[   78.120231][ T9700]  tomoyo_init_log+0x15b5/0x2070
[   78.120239][ T9700]  tomoyo_supervisor+0x33f/0xef0
[   78.120246][ T9700]  tomoyo_env_perm+0x18e/0x210
[   78.120254][ T9700]  tomoyo_find_next_domain+0x1354/0x1f6c
[   78.120262][ T9700]  tomoyo_bprm_check_security+0x124/0x1a0
[   78.120269][ T9700]  security_bprm_check+0x63/0xb0
[   78.120276][ T9700]  search_binary_handler+0x71/0x570
[   78.120282][ T9700]  __do_execve_file.isra.0+0x1329/0x22b0
[   78.120289][ T9700]  __x64_sys_execve+0x8f/0xc0
[   78.120296][ T9700]  do_syscall_64+0xfa/0x790
[   78.120304][ T9700]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   78.120306][ T9700]
[   78.120311][ T9700] The buggy address belongs to the object at ffff8880a87f8000
[   78.120311][ T9700]  which belongs to the cache kmalloc-8k of size 8192
[   78.120318][ T9700] The buggy address is located 4800 bytes inside of
[   78.120318][ T9700]  8192-byte region [ffff8880a87f8000, ffff8880a87fa000)
[   78.120321][ T9700] The buggy address belongs to the page:
[   78.120330][ T9700] page:ffffea0002a1fe00 refcount:1 mapcount:0 mapping:ffff8880aa4021c0 index:0x0 compound_mapcount: 0
[   78.120341][ T9700] raw: 00fffe0000010200 ffffea0002502a08 ffffea00024f5608 ffff8880aa4021c0
[   78.120350][ T9700] raw: 0000000000000000 ffff8880a87f8000 0000000100000001 0000000000000000
[   78.120354][ T9700] page dumped because: kasan: bad access detected
[   78.120356][ T9700]
[   78.120358][ T9700] Memory state around the buggy address:
[   78.120364][ T9700]  ffff8880a87f9180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   78.120370][ T9700]  ffff8880a87f9200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   78.120376][ T9700] >ffff8880a87f9280: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   78.120379][ T9700]                                            ^
[   78.120385][ T9700]  ffff8880a87f9300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   78.120390][ T9700]  ffff8880a87f9380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   78.120393][ T9700] ==================================================================
[   78.120397][ T9700] Disabling lock debugging due to kernel taint
[   78.120401][ T9700] Kernel panic - not syncing: panic_on_warn set ...
[   78.120409][ T9700] CPU: 0 PID: 9700 Comm: syz-executor318 Tainted: G    B             5.4.0-syzkaller #0
[   78.120413][ T9700] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   78.120415][ T9700] Call Trace:
[   78.120423][ T9700]  dump_stack+0x197/0x210
[   78.120431][ T9700]  panic+0x2e3/0x75c
[   78.120438][ T9700]  ? add_taint.cold+0x16/0x16
[   78.120448][ T9700]  ? trace_hardirqs_on+0x67/0x240
[   78.120455][ T9700]  ? trace_hardirqs_on+0x5e/0x240
[   78.120468][ T9700]  ? vcs_scr_readw+0xc2/0xd0
[   78.120474][ T9700]  end_report+0x47/0x4f
[   78.120480][ T9700]  ? vcs_scr_readw+0xc2/0xd0
[   78.120487][ T9700]  __kasan_report.cold+0xe/0x41
[   78.120494][ T9700]  ? vcs_write+0x440/0xcf0
[   78.120500][ T9700]  ? vcs_scr_readw+0xc2/0xd0
[   78.120507][ T9700]  kasan_report+0x12/0x20
[   78.120514][ T9700]  __asan_report_load2_noabort+0x14/0x20
[   78.120520][ T9700]  vcs_scr_readw+0xc2/0xd0
[   78.120527][ T9700]  vcs_write+0x646/0xcf0
[   78.120533][ T9700]  ? ___might_sleep+0x163/0x2c0
[   78.120543][ T9700]  ? vcs_size+0x250/0x250
[   78.120549][ T9700]  ? selinux_file_permission+0x9b/0x580
[   78.120558][ T9700]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   78.120565][ T9700]  ? security_file_permission+0x8f/0x380
[   78.120572][ T9700]  ? trace_hardirqs_on+0x67/0x240
[   78.120579][ T9700]  __vfs_write+0x8a/0x110
[   78.120585][ T9700]  ? vcs_size+0x250/0x250
[   78.120592][ T9700]  vfs_write+0x268/0x5d0
[   78.120600][ T9700]  ksys_write+0x14f/0x290
[   78.120607][ T9700]  ? __ia32_sys_read+0xb0/0xb0
[   78.120615][ T9700]  ? do_syscall_64+0x26/0x790
[   78.120623][ T9700]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   78.120630][ T9700]  ? do_syscall_64+0x26/0x790
[   78.120638][ T9700]  __x64_sys_write+0x73/0xb0
[   78.120646][ T9700]  do_syscall_64+0xfa/0x790
[   78.120654][ T9700]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   78.120659][ T9700] RIP: 0033:0x443e49
[   78.120666][ T9700] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   78.120669][ T9700] RSP: 002b:00007fffb2c50aa8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   78.120676][ T9700] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000443e49
[   78.120680][ T9700] RDX: 0000000000001010 RSI: 0000000020006480 RDI: 0000000000000003
[   78.120684][ T9700] RBP: 00000000006cf018 R08: 0000000000000000 R09: 00000000004002e0
[   78.120688][ T9700] R10: 000000000000000f R11: 0000000000000246 R12: 0000000000401b50
[   78.120692][ T9700] R13: 0000000000401be0 R14: 0000000000000000 R15: 0000000000000000
[   78.122111][ T9700] Kernel Offset: disabled
[   78.942319][ T9700] Rebooting in 86400 seconds..