[ ok ] Starting enhanced syslogd: rsyslogd.
[ 12.018415] audit: type=1400 audit(1512783902.441:5): avc: denied { syslog } for pid=2991 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 27.562732] audit: type=1400 audit(1512783917.985:6): avc: denied { map } for pid=3137 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added 'ci-upstream-mmots-kasan-gce-2,10.128.0.62' (ECDSA) to the list of known hosts.
executing program
[ 33.622932] audit: type=1400 audit(1512783924.045:7): avc: denied { map } for pid=3151 comm="syzkaller934629" path="/root/syzkaller934629588" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 33.657742] ==================================================================
[ 33.665148] BUG: KASAN: slab-out-of-bounds in sha3_update+0xdf/0x2e0
[ 33.671610] Write of size 192 at addr ffff8801c5bb78fc by task syzkaller934629/3151
[ 33.679372]
[ 33.681272] CPU: 1 PID: 3151 Comm: syzkaller934629 Not tainted 4.15.0-rc2-mm1+ #39
[ 33.688950] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.698274] Call Trace:
[ 33.700851] dump_stack+0x194/0x257
[ 33.704458] ? arch_local_irq_restore+0x53/0x53
[ 33.709107] ? show_regs_print_info+0x18/0x18
[ 33.713576] ? entry_SYSCALL_64_fastpath+0x1f/0x96
[ 33.718484] ? sha3_update+0xdf/0x2e0
[ 33.722260] print_address_description+0x73/0x250
[ 33.727075] ? sha3_update+0xdf/0x2e0
[ 33.730846] kasan_report+0x25b/0x340
[ 33.734622] check_memory_region+0x137/0x190
[ 33.739004] memcpy+0x37/0x50
[ 33.742085] sha3_update+0xdf/0x2e0
[ 33.745704] crypto_shash_update+0xcb/0x220
[ 33.750004] hmac_update+0x7e/0xa0
[ 33.753519] crypto_shash_update+0xcb/0x220
[ 33.757824] __keyctl_dh_compute+0x16d8/0x1a00
[ 33.762394] ? dh_data_from_key+0x340/0x340
[ 33.766698] ? find_held_lock+0x39/0x1d0
[ 33.770747] ? __might_fault+0xe0/0x1d0
[ 33.774702] ? lock_release+0xda0/0xda0
[ 33.778647] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 33.784523] ? kasan_check_write+0x14/0x20
[ 33.788729] ? _copy_from_user+0x99/0x110
[ 33.792850] keyctl_dh_compute+0xac/0xf3
[ 33.796884] ? __keyctl_dh_compute+0x1a00/0x1a00
[ 33.801620] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 33.806612] SyS_keyctl+0x72/0x2c0
[ 33.810130] entry_SYSCALL_64_fastpath+0x1f/0x96
[ 33.814856] RIP: 0033:0x43fe89
[ 33.818018] RSP: 002b:00007ffdc7af3ec8 EFLAGS: 00000203 ORIG_RAX: 00000000000000fa
[ 33.825702] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fe89
[ 33.832944] RDX: 00000000205cd000 RSI: 00000000204c8ff4 RDI: 0000000000000017
[ 33.840185] RBP: 00000000006ca018 R08: 0000000020550000 R09: 0000000000000000
[ 33.847426] R10: 0000000000000030 R11: 0000000000000203 R12: 00000000004017f0
[ 33.854671] R13: 0000000000401880 R14: 0000000000000000 R15: 0000000000000000
[ 33.861934]
[ 33.863536] Allocated by task 3151:
[ 33.867140] save_stack+0x43/0xd0
[ 33.870566] kasan_kmalloc+0xad/0xe0
[ 33.874253] __kmalloc+0x162/0x760
[ 33.877769] __keyctl_dh_compute+0x2a1/0x1a00
[ 33.882234] keyctl_dh_compute+0xac/0xf3
[ 33.886266] SyS_keyctl+0x72/0x2c0
[ 33.889777] entry_SYSCALL_64_fastpath+0x1f/0x96
[ 33.894498]
[ 33.896095] Freed by task 1672:
[ 33.899343] save_stack+0x43/0xd0
[ 33.902767] kasan_slab_free+0x71/0xc0
[ 33.906622] kfree+0xca/0x250
[ 33.909702] skb_free_head+0x74/0xb0
[ 33.913383] skb_release_data+0x58c/0x790
[ 33.917500] skb_release_all+0x4a/0x60
[ 33.921355] consume_skb+0x153/0x490
[ 33.925036] skb_free_datagram+0x1a/0xe0
[ 33.929071] netlink_recvmsg+0x5c6/0x1300
[ 33.933186] sock_recvmsg+0xc9/0x110
[ 33.936868] ___sys_recvmsg+0x29b/0x630
[ 33.940811] __sys_recvmsg+0xe2/0x210
[ 33.944582] SyS_recvmsg+0x2d/0x50
[ 33.948092] entry_SYSCALL_64_fastpath+0x1f/0x96
[ 33.952820]
[ 33.954418] The buggy address belongs to the object at ffff8801c5bb7800
[ 33.954418] which belongs to the cache kmalloc-512 of size 512
[ 33.967045] The buggy address is located 252 bytes inside of
[ 33.967045] 512-byte region [ffff8801c5bb7800, ffff8801c5bb7a00)
[ 33.978889] The buggy address belongs to the page:
[ 33.983791] page:00000000799d9b1c count:1 mapcount:0 mapping:0000000037a449e4 index:0x0
[ 33.991908] flags: 0x2fffc0000000100(slab)
[ 33.996114] raw: 02fffc0000000100 ffff8801c5bb7080 0000000000000000 0000000100000006
[ 34.003968] raw: ffffea00071577a0 ffffea000716ee60 ffff8801dac00940 0000000000000000
[ 34.011818] page dumped because: kasan: bad access detected
[ 34.017495]
[ 34.019092] Memory state around the buggy address:
[ 34.023991] ffff8801c5bb7880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 34.031319] ffff8801c5bb7900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 34.038647] >ffff8801c5bb7980: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.045985] ^
[ 34.049580] ffff8801c5bb7a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.056908] ffff8801c5bb7a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.064235] ==================================================================
[ 34.071563] Disabling lock debugging due to kernel taint
[ 34.077064] Kernel panic - not syncing: panic_on_warn set ...
[ 34.077064]
[ 34.084398] CPU: 1 PID: 3151 Comm: syzkaller934629 Tainted: G B 4.15.0-rc2-mm1+ #39
[ 34.093372] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.102695] Call Trace:
[ 34.105253] dump_stack+0x194/0x257
[ 34.108858] ? arch_local_irq_restore+0x53/0x53
[ 34.113497] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 34.118219] ? vsnprintf+0x1ed/0x1900
[ 34.121991] ? sha3_update+0x40/0x2e0
[ 34.125758] panic+0x1e4/0x41c
[ 34.128918] ? refcount_error_report+0x214/0x214
[ 34.133648] ? add_taint+0x1c/0x50
[ 34.137156] ? add_taint+0x1c/0x50
[ 34.140665] ? sha3_update+0xdf/0x2e0
[ 34.144433] kasan_end_report+0x50/0x50
[ 34.148371] kasan_report+0x144/0x340
[ 34.152138] check_memory_region+0x137/0x190
[ 34.156509] memcpy+0x37/0x50
[ 34.159583] sha3_update+0xdf/0x2e0
[ 34.163194] crypto_shash_update+0xcb/0x220
[ 34.167487] hmac_update+0x7e/0xa0
[ 34.171007] crypto_shash_update+0xcb/0x220
[ 34.175300] __keyctl_dh_compute+0x16d8/0x1a00
[ 34.179857] ? dh_data_from_key+0x340/0x340
[ 34.184148] ? find_held_lock+0x39/0x1d0
[ 34.188182] ? __might_fault+0xe0/0x1d0
[ 34.192123] ? lock_release+0xda0/0xda0
[ 34.196063] ? trace_event_raw_event_sched_switch+0x800/0x800
[ 34.201922] ? kasan_check_write+0x14/0x20
[ 34.206121] ? _copy_from_user+0x99/0x110
[ 34.210235] keyctl_dh_compute+0xac/0xf3
[ 34.214261] ? __keyctl_dh_compute+0x1a00/0x1a00
[ 34.218987] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 34.223970] SyS_keyctl+0x72/0x2c0
[ 34.227480] entry_SYSCALL_64_fastpath+0x1f/0x96
[ 34.232200] RIP: 0033:0x43fe89
[ 34.235356] RSP: 002b:00007ffdc7af3ec8 EFLAGS: 00000203 ORIG_RAX: 00000000000000fa
[ 34.243029] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fe89
[ 34.250264] RDX: 00000000205cd000 RSI: 00000000204c8ff4 RDI: 0000000000000017
[ 34.257499] RBP: 00000000006ca018 R08: 0000000020550000 R09: 0000000000000000
[ 34.264735] R10: 0000000000000030 R11: 0000000000000203 R12: 00000000004017f0
[ 34.271970] R13: 0000000000401880 R14: 0000000000000000 R15: 0000000000000000
[ 34.279248] Dumping ftrace buffer:
[ 34.282754] (ftrace buffer empty)
[ 34.286429] Kernel Offset: disabled
[ 34.290023] Rebooting in 86400 seconds..