[ ok ] Starting enhanced syslogd: rsyslogd.
[   12.768515] audit: type=1400 audit(1515303090.358:4): avc:  denied  { syslog } for  pid=3180 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.245' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   30.960589] ==================================================================
[   30.967970] BUG: KASAN: slab-out-of-bounds in xfrm_hash_rebuild+0xa08/0xad0
[   30.975033] Read of size 2 at addr ffff8801c8c4c0cc by task kworker/0:1/25
[   30.982005]
[   30.983599] CPU: 0 PID: 25 Comm: kworker/0:1 Not tainted 4.9.75-g5f5e5d4 #7
[   30.990663] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.999984] Workqueue: events xfrm_hash_rebuild
[   31.004727]  ffff8801d9977b10 ffffffff81d93049 ffffea0007231200 ffff8801c8c4c0cc
[   31.012670]  0000000000000000 ffff8801c8c4c0cc 0000000000000002 ffff8801d9977b48
[   31.020614]  ffffffff8153ca53 ffff8801c8c4c0cc 0000000000000002 0000000000000000
[   31.028556] Call Trace:
[   31.031108]  [] dump_stack+0xc1/0x128
[   31.036439]  [] print_address_description+0x73/0x280
[   31.043074]  [] kasan_report+0x275/0x360
[   31.048671]  [] ? xfrm_hash_rebuild+0xa08/0xad0
[   31.054866]  [] __asan_report_load2_noabort+0x14/0x20
[   31.061581]  [] xfrm_hash_rebuild+0xa08/0xad0
[   31.067604]  [] ? process_one_work+0x7e0/0x1610
[   31.073799]  [] process_one_work+0x7e0/0x1610
[   31.079819]  [] ? process_one_work+0x72c/0x1610
[   31.086024]  [] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[   31.092480]  [] worker_thread+0xe0/0x10d0
[   31.098155]  [] ? __schedule+0x683/0x1ba0
[   31.103827]  [] kthread+0x26d/0x300
[   31.108980]  [] ? process_one_work+0x1610/0x1610
[   31.115260]  [] ? kthread_park+0xa0/0xa0
[   31.120846]  [] ? kthread_park+0xa0/0xa0
[   31.126433]  [] ? kthread_park+0xa0/0xa0
[   31.132018]  [] ret_from_fork+0x46/0x60
[   31.137518]
[   31.139112] Allocated by task 3338:
[   31.142702]  save_stack_trace+0x16/0x20
[   31.146638]  save_stack+0x43/0xd0
[   31.150053]  kasan_kmalloc+0xad/0xe0
[   31.153729]  __kmalloc+0x11d/0x310
[   31.157232]  sk_prot_alloc+0x101/0x2a0
[   31.161081]  sk_alloc+0x3a/0x3a0
[   31.164411]  pfkey_create+0x1da/0x8d0
[   31.168189]  __sock_create+0x3ab/0x640
[   31.172042]  SyS_socket+0xf0/0x1b0
[   31.175546]  entry_SYSCALL_64_fastpath+0x23/0xe2
[   31.180264]
[   31.181870] Freed by task 0:
[   31.184848] (stack is not available)
[   31.188522]
[   31.190114] The buggy address belongs to the object at ffff8801c8c4bb80
[   31.190114]  which belongs to the cache kmalloc-2048 of size 2048
[   31.202905] The buggy address is located 1356 bytes inside of
[   31.202905]  2048-byte region [ffff8801c8c4bb80, ffff8801c8c4c380)
[   31.214912] The buggy address belongs to the page:
[   31.219806] page:ffffea0007231200 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   31.229953] flags: 0x8000000000004080(slab|head)
[   31.234667] page dumped because: kasan: bad access detected
[   31.240339]
[   31.241930] Memory state around the buggy address:
[   31.246832]  ffff8801c8c4bf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   31.254170]  ffff8801c8c4c000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   31.261505] >ffff8801c8c4c080: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.268828]                                               ^
[   31.274501]  ffff8801c8c4c100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.281822]  ffff8801c8c4c180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.289145] ==================================================================
[   31.296464] Disabling lock debugging due to kernel taint
[   31.301917] Kernel panic - not syncing: panic_on_warn set ...
[   31.301917]
[   31.309248] CPU: 0 PID: 25 Comm: kworker/0:1 Tainted: G    B   4.9.75-g5f5e5d4 #7
[   31.317525] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.326851] Workqueue: events xfrm_hash_rebuild
[   31.331594]  ffff8801d9977a68 ffffffff81d93049 ffffffff84195be7 ffff8801d9977b40
[   31.339552]  0000000000000000 ffff8801c8c4c0cc 0000000000000002 ffff8801d9977b30
[   31.347492]  ffffffff8142e281 0000000041b58ab3 ffffffff84189648 ffffffff8142e0c5
[   31.355430] Call Trace:
[   31.357981]  [] dump_stack+0xc1/0x128
[   31.363308]  [] panic+0x1bc/0x3a8
[   31.368288]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   31.376485]  [] kasan_end_report+0x50/0x50
[   31.382245]  [] kasan_report+0x167/0x360
[   31.387832]  [] ? xfrm_hash_rebuild+0xa08/0xad0
[   31.394026]  [] __asan_report_load2_noabort+0x14/0x20
[   31.400741]  [] xfrm_hash_rebuild+0xa08/0xad0
[   31.406764]  [] ? process_one_work+0x7e0/0x1610
[   31.412958]  [] process_one_work+0x7e0/0x1610
[   31.418978]  [] ? process_one_work+0x72c/0x1610
[   31.425172]  [] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[   31.431629]  [] worker_thread+0xe0/0x10d0
[   31.437304]  [] ? __schedule+0x683/0x1ba0
[   31.442985]  [] kthread+0x26d/0x300
[   31.448156]  [] ? process_one_work+0x1610/0x1610
[   31.454439]  [] ? kthread_park+0xa0/0xa0
[   31.460025]  [] ? kthread_park+0xa0/0xa0
[   31.465611]  [] ? kthread_park+0xa0/0xa0
[   31.471199]  [] ret_from_fork+0x46/0x60
[   31.476738] Dumping ftrace buffer:
[   31.480327]    (ftrace buffer empty)
[   31.484000] Kernel Offset: disabled
[   31.487592] Rebooting in 86400 seconds..
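Added example, not part of the syzkaller report above: a small Python triage script that parses the report's header, slab-object description and shadow-memory rows (embedded below as a constructed excerpt of the lines it needs) and recovers what the shadow bytes encode. The point it makes: "located 1356 bytes inside of 2048-byte region" describes the kmalloc-2048 slab slot, while the run of 0xfc (KASAN_KMALLOC_REDZONE) shadow bytes beginning at ffff8801c8c4c098 marks where the real allocation ends, at 1304 bytes. The 2-byte read in xfrm_hash_rebuild therefore lands 52 bytes past the end of the socket object that pfkey_create allocated. Function and constant names are the example's own; the poison values are those defined in mm/kasan/kasan.h in the 4.9 tree.

```python
"""Triage a 4.9-style KASAN slab-out-of-bounds report from its text."""
import re

# Constructed excerpt of the report above, limited to the lines this parser
# reads and embedded so the example runs offline.
REPORT = """\
BUG: KASAN: slab-out-of-bounds in xfrm_hash_rebuild+0xa08/0xad0
Read of size 2 at addr ffff8801c8c4c0cc by task kworker/0:1/25
The buggy address belongs to the object at ffff8801c8c4bb80
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1356 bytes inside of
 2048-byte region [ffff8801c8c4bb80, ffff8801c8c4c380)
Memory state around the buggy address:
 ffff8801c8c4bf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801c8c4c000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801c8c4c080: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
                                              ^
 ffff8801c8c4c100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

SHADOW_SCALE = 8  # one shadow byte describes 8 bytes of kernel memory

# Poison values from mm/kasan/kasan.h (4.9). 0x00 means the whole 8-byte
# granule is accessible; 0x01..0x07 means only the first N bytes are.
POISON = {
    0xff: "KASAN_FREE_PAGE",
    0xfe: "KASAN_PAGE_REDZONE",
    0xfc: "KASAN_KMALLOC_REDZONE",  # tail of a slab slot beyond the kmalloc size
    0xfb: "KASAN_KMALLOC_FREE",     # object was freed: a use-after-free, not an overrun
    0xfa: "KASAN_GLOBAL_REDZONE",
    0xf1: "KASAN_STACK_LEFT",
    0xf2: "KASAN_STACK_MID",
    0xf3: "KASAN_STACK_RIGHT",
    0xf4: "KASAN_STACK_PARTIAL",
    0xf8: "KASAN_USE_AFTER_SCOPE",
}


def parse_header(report):
    """Bug class, faulting function, access kind/size/address and task."""
    bug = re.search(r"BUG: KASAN: (\S+) in (\S+)", report)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", report)
    if not (bug and acc):
        raise ValueError("not a KASAN report")
    return {"bug": bug.group(1), "func": bug.group(2), "access": acc.group(1),
            "size": int(acc.group(2)), "addr": int(acc.group(3), 16), "task": acc.group(4)}


def parse_object(report):
    """Slab object base and the cache it came from."""
    m = re.search(r"belongs to the object at ([0-9a-f]+)\s+which belongs to the cache (\S+) of size (\d+)", report)
    if not m:
        raise ValueError("no slab object description")
    return {"base": int(m.group(1), 16), "cache": m.group(2), "object_size": int(m.group(3))}


def parse_shadow(report):
    """Map every 8-byte granule in the 'Memory state' dump to its shadow byte."""
    shadow = {}
    for line in report.splitlines():
        m = re.match(r">?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", line.rstrip())
        if not m:
            continue  # header, caret line, anything that is not a shadow row
        row = int(m.group(1), 16)  # row address is a memory address, 128 bytes per row
        for i, byte in enumerate(m.group(2).split()):
            shadow[row + i * SHADOW_SCALE] = int(byte, 16)
    return shadow


def granule(addr):
    return addr & ~(SHADOW_SCALE - 1)


def allocation_end(shadow, base):
    """First byte past the kmalloc'd size of the object at `base`.

    kasan_kmalloc() poisons [base + size, base + object_size) with
    KASAN_KMALLOC_REDZONE, so the first non-zero shadow byte at or after
    `base` is the end of the real allocation. Assumption (not stated in the
    report): granules below the dumped window are accessible, which holds
    because that redzone is contiguous at the tail of the slot.
    """
    for g in sorted(g for g in shadow if g >= base):
        v = shadow[g]
        if v == 0:
            continue
        return g + v if 1 <= v < SHADOW_SCALE else g  # partial granule vs. fully poisoned
    raise ValueError("redzone boundary not inside the dumped window")


def describe_shadow(v):
    if v == 0:
        return "accessible"
    if v < SHADOW_SCALE:
        return f"partial: first {v} bytes accessible"
    return POISON.get(v, f"unknown 0x{v:02x}")


def triage(report):
    hdr, obj, shadow = parse_header(report), parse_object(report), parse_shadow(report)
    end = allocation_end(shadow, obj["base"])
    return {**hdr, "cache": obj["cache"],
            "offset_in_object": hdr["addr"] - obj["base"],   # what the report prints
            "kmalloc_size": end - obj["base"],               # what the shadow reveals
            "bytes_past_allocation": hdr["addr"] - end,
            "shadow": describe_shadow(shadow[granule(hdr["addr"])])}


if __name__ == "__main__":
    for key, val in triage(REPORT).items():
        print(f"{key:22} {val:#x}" if key == "addr" else f"{key:22} {val}")
```

Run as a script it prints the summary; `triage()` accepts any report in this 4.9-era layout. Two checks worth taking from it: the shadow byte under the faulting address is 0xfc, not 0xfb, so despite the "Freed by task 0: (stack is not available)" block the object had not been freed and this is a bounds overrun rather than a use-after-free; and the dump only covers 512 bytes around the faulting address, so `allocation_end()` raises instead of guessing when the redzone boundary falls outside that window.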