[....] Starting enhanced syslogd: rsyslogd
[   12.453051] audit: type=1400 audit(1512830379.704:5): avc: denied { syslog } for pid=2995 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.252825] audit: type=1400 audit(1512830389.504:6): avc: denied { map } for pid=3137 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added 'ci-upstream-net-kasan-gce-6,10.128.0.47' (ECDSA) to the list of known hosts.
executing program
[   28.524073] audit: type=1400 audit(1512830395.775:7): avc: denied { map } for pid=3151 comm="syzkaller731875" path="/root/syzkaller731875863" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   28.528751] ==================================================================
[   28.528766] BUG: KASAN: use-after-free in aead_recvmsg+0x1758/0x1bc0
[   28.528771] Read of size 4 at addr ffff8801c535b31c by task syzkaller731875/3151
[   28.528774]
[   28.528780] CPU: 1 PID: 3151 Comm: syzkaller731875 Not tainted 4.15.0-rc2+ #147
[   28.528784] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.528787] Call Trace:
[   28.528795]  dump_stack+0x194/0x257
[   28.528804]  ? arch_local_irq_restore+0x53/0x53
[   28.528812]  ? show_regs_print_info+0x65/0x65
[   28.528822]  ? af_alg_make_sg+0x510/0x510
[   28.528828]  ? aead_recvmsg+0x1758/0x1bc0
[   28.528838]  print_address_description+0x73/0x250
[   28.528845]  ? aead_recvmsg+0x1758/0x1bc0
[   28.528852]  kasan_report+0x25b/0x340
[   28.528863]  __asan_report_load4_noabort+0x14/0x20
[   28.528868]  aead_recvmsg+0x1758/0x1bc0
[   28.528893]  ? aead_release+0x50/0x50
[   28.528904]  ? selinux_socket_recvmsg+0x36/0x40
[   28.528911]  ? security_socket_recvmsg+0x91/0xc0
[   28.528920]  ? aead_release+0x50/0x50
[   28.528928]  sock_recvmsg+0xc9/0x110
[   28.528934]  ? __sock_recv_wifi_status+0x210/0x210
[   28.528943]  ___sys_recvmsg+0x29b/0x630
[   28.528958]  ? ___sys_sendmsg+0x8a0/0x8a0
[   28.528984]  ? __handle_mm_fault+0x3e20/0x3e20
[   28.528990]  ? vmacache_find+0x5f/0x280
[   28.529008]  ? up_read+0x1a/0x40
[   28.529016]  ? __do_page_fault+0x3d6/0xc90
[   28.529022]  ? task_work_run+0x1f4/0x270
[   28.529041]  ? __fdget+0x18/0x20
[   28.529056]  __sys_recvmsg+0xe2/0x210
[   28.529061]  ? __sys_recvmsg+0xe2/0x210
[   28.529069]  ? SyS_sendmmsg+0x60/0x60
[   28.529077]  ? __do_page_fault+0xc90/0xc90
[   28.529103]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   28.529115]  SyS_recvmsg+0x2d/0x50
[   28.529125]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   28.529130] RIP: 0033:0x440009
[   28.529134] RSP: 002b:00007ffdafbd3c58 EFLAGS: 00000286 ORIG_RAX: 000000000000002f
[   28.529141] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440009
[   28.529145] RDX: 0000000000002021 RSI: 0000000020b2dfc8 RDI: 0000000000000004
[   28.529149] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[   28.529152] R10: 0000000000000000 R11: 0000000000000286 R12: 0000000000401970
[   28.529156] R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
[   28.529179]
[   28.529182] Allocated by task 3151:
[   28.529188]  save_stack+0x43/0xd0
[   28.529192]  kasan_kmalloc+0xad/0xe0
[   28.529199]  __kmalloc+0x162/0x760
[   28.529205]  crypto_create_tfm+0x82/0x2e0
[   28.529210]  crypto_alloc_tfm+0x10e/0x2f0
[   28.529216]  crypto_alloc_skcipher+0x2c/0x40
[   28.529223]  crypto_get_default_null_skcipher+0x5f/0x80
[   28.529227]  aead_bind+0x89/0x140
[   28.529231]  alg_bind+0x1ab/0x440
[   28.529236]  SYSC_bind+0x1b4/0x3f0
[   28.529241]  SyS_bind+0x24/0x30
[   28.529245]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   28.529248]
[   28.529251] Freed by task 3151:
[   28.529255]  save_stack+0x43/0xd0
[   28.529259]  kasan_slab_free+0x71/0xc0
[   28.529264]  kfree+0xca/0x250
[   28.529269]  kzfree+0x28/0x30
[   28.529274]  crypto_destroy_tfm+0x140/0x2e0
[   28.529279]  crypto_put_default_null_skcipher+0x35/0x60
[   28.529284]  aead_sock_destruct+0x13c/0x220
[   28.529289]  __sk_destruct+0xfd/0x910
[   28.529294]  sk_destruct+0x47/0x80
[   28.529298]  __sk_free+0x57/0x230
[   28.529302]  sk_free+0x2a/0x40
[   28.529306]  af_alg_release+0x5d/0x70
[   28.529311]  sock_release+0x8d/0x1e0
[   28.529315]  sock_close+0x16/0x20
[   28.529321]  __fput+0x333/0x7f0
[   28.529325]  ____fput+0x15/0x20
[   28.529330]  task_work_run+0x199/0x270
[   28.529336]  exit_to_usermode_loop+0x296/0x310
[   28.529341]  syscall_return_slowpath+0x490/0x550
[   28.529346]  entry_SYSCALL_64_fastpath+0x94/0x96
[   28.529348]
[   28.529352] The buggy address belongs to the object at ffff8801c535b300
[   28.529352]  which belongs to the cache kmalloc-128 of size 128
[   28.529357] The buggy address is located 28 bytes inside of
[   28.529357]  128-byte region [ffff8801c535b300, ffff8801c535b380)
[   28.529360] The buggy address belongs to the page:
[   28.529365] page:00000000f9c0935e count:1 mapcount:0 mapping:000000007ed35bfb index:0x0
[   28.529373] flags: 0x2fffc0000000100(slab)
[   28.529383] raw: 02fffc0000000100 ffff8801c535b000 0000000000000000 0000000100000015
[   28.529389] raw: ffffea0007122620 ffffea00071108a0 ffff8801db000640 0000000000000000
[   28.529392] page dumped because: kasan: bad access detected
[   28.529395]
[   28.529397] Memory state around the buggy address:
[   28.529402]  ffff8801c535b200: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   28.529406]  ffff8801c535b280: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   28.529410] >ffff8801c535b300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.529413]                             ^
[   28.529417]  ffff8801c535b380: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   28.529422]  ffff8801c535b400: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   28.529424] ==================================================================
[   28.529426] Disabling lock debugging due to kernel taint
[   28.529439] Kernel panic - not syncing: panic_on_warn set ...
[   28.529439]
[   28.529443] CPU: 1 PID: 3151 Comm: syzkaller731875 Tainted: G    B            4.15.0-rc2+ #147
[   28.529445] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.529446] Call Trace:
[   28.529450]  dump_stack+0x194/0x257
[   28.529455]  ? arch_local_irq_restore+0x53/0x53
[   28.529460]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   28.529465]  ? vsnprintf+0x1ed/0x1900
[   28.529470]  ? aead_recvmsg+0x1700/0x1bc0
[   28.529475]  panic+0x1e4/0x41c
[   28.529478]  ? refcount_error_report+0x214/0x214
[   28.529484]  ? add_taint+0x1c/0x50
[   28.529488]  ? add_taint+0x1c/0x50
[   28.529493]  ? aead_recvmsg+0x1758/0x1bc0
[   28.529497]  kasan_end_report+0x50/0x50
[   28.529501]  kasan_report+0x144/0x340
[   28.529507]  __asan_report_load4_noabort+0x14/0x20
[   28.529511]  aead_recvmsg+0x1758/0x1bc0
[   28.529523]  ? aead_release+0x50/0x50
[   28.529529]  ? selinux_socket_recvmsg+0x36/0x40
[   28.529533]  ? security_socket_recvmsg+0x91/0xc0
[   28.529538]  ? aead_release+0x50/0x50
[   28.529542]  sock_recvmsg+0xc9/0x110
[   28.529546]  ? __sock_recv_wifi_status+0x210/0x210
[   28.529551]  ___sys_recvmsg+0x29b/0x630
[   28.529560]  ? ___sys_sendmsg+0x8a0/0x8a0
[   28.529573]  ? __handle_mm_fault+0x3e20/0x3e20
[   28.529577]  ? vmacache_find+0x5f/0x280
[   28.529587]  ? up_read+0x1a/0x40
[   28.529592]  ? __do_page_fault+0x3d6/0xc90
[   28.529595]  ? task_work_run+0x1f4/0x270
[   28.529603]  ? __fdget+0x18/0x20
[   28.529609]  __sys_recvmsg+0xe2/0x210
[   28.529613]  ? __sys_recvmsg+0xe2/0x210
[   28.529618]  ? SyS_sendmmsg+0x60/0x60
[   28.529623]  ? __do_page_fault+0xc90/0xc90
[   28.529636]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   28.529643]  SyS_recvmsg+0x2d/0x50
[   28.529647]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   28.529650] RIP: 0033:0x440009
[   28.529652] RSP: 002b:00007ffdafbd3c58 EFLAGS: 00000286 ORIG_RAX: 000000000000002f
[   28.529656] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440009
[   28.529658] RDX: 0000000000002021 RSI: 0000000020b2dfc8 RDI: 0000000000000004
[   28.529660] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[   28.529662] R10: 0000000000000000 R11: 0000000000000286 R12: 0000000000401970
[   28.529664] R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
[   28.550276] Dumping ftrace buffer:
[   28.550280]    (ftrace buffer empty)
[   28.550282] Kernel Offset: disabled
[   29.253500] Rebooting in 86400 seconds..
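The report above carries everything needed for a first triage pass in a fixed layout: the BUG header names the bug class and the faulting function, the access line gives size and address, the "Allocated by"/"Freed by" stacks show who owned the object and who released it, the object lines give the cache and the offset, and the shadow dump says what KASAN believed about each 8-byte granule. The following is an added example, not syzkaller or kernel code, that parses that layout into a summary and cross-checks the header against the shadow byte covering the faulting address. SAMPLE_REPORT is a trimmed copy of the report above (some frames omitted); the shadow byte meanings are the KASAN_KMALLOC_FREE (0xfb) and KASAN_KMALLOC_REDZONE (0xfc) poison values from mm/kasan/kasan.h of that kernel generation, and INFRA_PREFIXES is a heuristic list of allocator/KASAN frames to skip when naming the owning code.

```python
"""Structured triage of a KASAN slab use-after-free report.

Added example, not syzkaller or kernel code. SAMPLE_REPORT is a trimmed
copy of the report above; shadow byte values follow the KASAN_KMALLOC_*
poison constants in the kernel's mm/kasan/kasan.h.
"""
import re
from itertools import takewhile

KASAN_SHADOW_SCALE = 8  # one shadow byte describes 8 bytes of memory
SHADOW_MEANING = {      # poison values KASAN keeps for slab memory
    0x00: "accessible",
    0xfb: "freed (KASAN_KMALLOC_FREE)",
    0xfc: "slab redzone (KASAN_KMALLOC_REDZONE)",
}
# Allocator/KASAN plumbing frames, skipped when naming the object's owner (heuristic).
INFRA_PREFIXES = ("save_stack", "kasan_", "__kmalloc", "kmalloc", "kfree", "kzfree")

SAMPLE_REPORT = """\
[   28.528766] BUG: KASAN: use-after-free in aead_recvmsg+0x1758/0x1bc0
[   28.528771] Read of size 4 at addr ffff8801c535b31c by task syzkaller731875/3151
[   28.528774]
[   28.529182] Allocated by task 3151:
[   28.529188]  save_stack+0x43/0xd0
[   28.529192]  kasan_kmalloc+0xad/0xe0
[   28.529199]  __kmalloc+0x162/0x760
[   28.529205]  crypto_create_tfm+0x82/0x2e0
[   28.529223]  crypto_get_default_null_skcipher+0x5f/0x80
[   28.529227]  aead_bind+0x89/0x140
[   28.529241]  SyS_bind+0x24/0x30
[   28.529248]
[   28.529251] Freed by task 3151:
[   28.529255]  save_stack+0x43/0xd0
[   28.529259]  kasan_slab_free+0x71/0xc0
[   28.529264]  kfree+0xca/0x250
[   28.529269]  kzfree+0x28/0x30
[   28.529274]  crypto_destroy_tfm+0x140/0x2e0
[   28.529279]  crypto_put_default_null_skcipher+0x35/0x60
[   28.529284]  aead_sock_destruct+0x13c/0x220
[   28.529306]  af_alg_release+0x5d/0x70
[   28.529315]  sock_close+0x16/0x20
[   28.529348]
[   28.529352] The buggy address belongs to the object at ffff8801c535b300
[   28.529352]  which belongs to the cache kmalloc-128 of size 128
[   28.529397] Memory state around the buggy address:
[   28.529406]  ffff8801c535b280: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   28.529410] >ffff8801c535b300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.529413]                             ^
[   28.529417]  ffff8801c535b380: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
"""

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # printk timestamp prefix

def _frames(lines, start):
    """Frames after a 'by task N:' header, up to the blank separator line."""
    return [l.strip() for l in takewhile(str.strip, lines[start + 1:])]

def parse_kasan_report(text):
    """Pull bug kind, faulting access, owning object, both stacks and shadow rows."""
    lines = [_TS.sub("", l) for l in text.splitlines()]
    info = {"alloc_stack": [], "free_stack": [], "shadow": {}}
    for i, raw in enumerate(lines):
        s = raw.strip()
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", s):
            info["bug"], info["func"] = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", s):
            info["access"], info["size"] = m.group(1).lower(), int(m.group(2))
            info["addr"], info["task"] = int(m.group(3), 16), m.group(4)
        elif m := re.match(r"Allocated by task (\d+):", s):
            info["alloc_pid"], info["alloc_stack"] = int(m.group(1)), _frames(lines, i)
        elif m := re.match(r"Freed by task (\d+):", s):
            info["free_pid"], info["free_stack"] = int(m.group(1)), _frames(lines, i)
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", s):
            info["object"] = int(m.group(1), 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", s):
            info["cache"], info["object_size"] = m.group(1), int(m.group(2))
        elif m := re.match(r">?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)$", s):
            info["shadow"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return info

def shadow_at(info, addr):
    """Poison byte covering addr, taken from the dumped shadow rows (None if not dumped)."""
    for base, row in info["shadow"].items():
        if base <= addr < base + len(row) * KASAN_SHADOW_SCALE:
            return row[(addr - base) // KASAN_SHADOW_SCALE]
    return None

def owner_frame(stack):
    """First frame past the allocator/KASAN plumbing, symbol name only."""
    for frame in stack:
        if not frame.startswith(INFRA_PREFIXES):
            return frame.split("+", 1)[0]
    return None

def summarize(info):
    """Triage summary; 'consistent' checks the header against the shadow dump."""
    poison = shadow_at(info, info["addr"])
    return {
        "bug": info["bug"],
        "where": info["func"].split("+", 1)[0],
        "cache": info["cache"],
        "offset": info["addr"] - info["object"],
        "poison": SHADOW_MEANING.get(poison, "unknown"),
        "allocated_via": owner_frame(info["alloc_stack"]),
        "freed_via": owner_frame(info["free_stack"]),
        "consistent": info["bug"] == "use-after-free" and poison == 0xfb,
    }
```

Run on the report above, summarize() reports a 4-byte read by aead_recvmsg at offset 28 into a kmalloc-128 object whose granule is poisoned 0xfb (freed), with the allocation coming through crypto_create_tfm under crypto_get_default_null_skcipher in aead_bind and the free through crypto_destroy_tfm under crypto_put_default_null_skcipher in aead_sock_destruct during socket close; that is exactly the bind / close / recvmsg sequence the two stacks record. The consistency flag is worth keeping: a "use-after-free" header whose shadow byte is a redzone or accessible value usually means the dump was truncated or mangled in transit, as the escape-sequence debris in this console log shows can happen.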