[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   33.625049] random: sshd: uninitialized urandom read (32 bytes read)
[   33.905510] kauditd_printk_skb: 9 callbacks suppressed
[   33.905518] audit: type=1400 audit(1575380929.587:35): avc: denied { map } for pid=6906 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   33.997638] random: sshd: uninitialized urandom read (32 bytes read)
[   34.525678] random: sshd: uninitialized urandom read (32 bytes read)
[   34.705046] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.48' (ECDSA) to the list of known hosts.
[   40.264308] random: sshd: uninitialized urandom read (32 bytes read)
[   40.380248] audit: type=1400 audit(1575380936.057:36): avc: denied { map } for pid=6919 comm="syz-executor428" path="/root/syz-executor428217023" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   40.630935] IPVS: ftp: loaded support on port[0] = 21
[   41.424605] audit: type=1400 audit(1575380937.107:37): avc: denied { create } for pid=6920 comm="syz-executor428" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[   41.449504] audit: type=1400 audit(1575380937.107:38): avc: denied { write } for pid=6920 comm="syz-executor428" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
executing program
[   41.473786] audit: type=1400 audit(1575380937.107:39): avc: denied { read } for pid=6920 comm="syz-executor428" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[   41.680325] ==================================================================
[   41.680346] BUG: KASAN: slab-out-of-bounds in soft_cursor+0x43d/0xa50
[   41.680351] Read of size 9 at addr ffff888099af0bf0 by task kworker/1:2/2568
[   41.680352]
[   41.680359] CPU: 1 PID: 2568 Comm: kworker/1:2 Not tainted 4.14.157-syzkaller #0
[   41.680362] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   41.680369] Workqueue: events_power_efficient fb_flashcursor
[   41.680373] Call Trace:
[   41.680383]  dump_stack+0x142/0x197
[   41.680389]  ? soft_cursor+0x43d/0xa50
[   41.680396]  print_address_description.cold+0x7c/0x1dc
[   41.680401]  ? soft_cursor+0x43d/0xa50
[   41.680405]  kasan_report.cold+0xa9/0x2af
[   41.680411]  check_memory_region+0x123/0x190
[   41.680416]  memcpy+0x24/0x50
[   41.680421]  soft_cursor+0x43d/0xa50
[   41.680425]  ? kfree+0x183/0x270
[   41.680433]  bit_cursor+0x11be/0x1830
[   41.680441]  ? bit_clear+0x4a0/0x4a0
[   41.680464]  ? fb_get_color_depth+0x5f/0x70
[   41.680469]  ? get_color+0x1bf/0x3b0
[   41.680473]  ? bit_clear+0x4a0/0x4a0
[   41.680479]  fb_flashcursor+0x36d/0x410
[   41.680486]  process_one_work+0x863/0x1600
[   41.680494]  ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   41.680502]  worker_thread+0x5d9/0x1050
[   41.680514]  kthread+0x319/0x430
[   41.680518]  ? process_one_work+0x1600/0x1600
[   41.680522]  ? kthread_create_on_node+0xd0/0xd0
[   41.680528]  ret_from_fork+0x24/0x30
[   41.680536]
[   41.680539] Allocated by task 6922:
[   41.680544]  save_stack_trace+0x16/0x20
[   41.680548]  save_stack+0x45/0xd0
[   41.680551]  kasan_kmalloc+0xce/0xf0
[   41.680554]  __kmalloc+0x15d/0x7a0
[   41.680558]  fbcon_set_font+0x2f8/0x7b0
[   41.680564]  con_font_op+0xc0f/0x1060
[   41.680568]  vt_ioctl+0xb80/0x2170
[   41.680574]  tty_ioctl+0x841/0x1320
[   41.680579]  do_vfs_ioctl+0x7ae/0x1060
[   41.680583]  SyS_ioctl+0x8f/0xc0
[   41.680589]  do_syscall_64+0x1e8/0x640
[   41.680593]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   41.680595]
[   41.680597] Freed by task 3606:
[   41.680600]  save_stack_trace+0x16/0x20
[   41.680603]  save_stack+0x45/0xd0
[   41.680607]  kasan_slab_free+0x75/0xc0
[   41.680610]  kfree+0xcc/0x270
[   41.680615]  kernfs_fop_release+0x112/0x180
[   41.680619]  __fput+0x275/0x7a0
[   41.680622]  ____fput+0x16/0x20
[   41.680625]  task_work_run+0x114/0x190
[   41.680630]  exit_to_usermode_loop+0x1da/0x220
[   41.680633]  do_syscall_64+0x4bc/0x640
[   41.680637]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   41.680639]
[   41.680642] The buggy address belongs to the object at ffff888099af0ac0
[   41.680642]  which belongs to the cache kmalloc-512 of size 512
[   41.680646] The buggy address is located 304 bytes inside of
[   41.680646]  512-byte region [ffff888099af0ac0, ffff888099af0cc0)
[   41.680647] The buggy address belongs to the page:
[   41.680651] page:ffffea000266bc00 count:1 mapcount:0 mapping:ffff888099af00c0 index:0x0
[   41.680657] flags: 0xfffe0000000100(slab)
[   41.680663] raw: 00fffe0000000100 ffff888099af00c0 0000000000000000 0000000100000006
[   41.680668] raw: ffffea0002a63be0 ffffea0002644aa0 ffff8880aa800940 0000000000000000
[   41.680670] page dumped because: kasan: bad access detected
[   41.680671]
[   41.680673] Memory state around the buggy address:
[   41.680676]  ffff888099af0a80: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   41.680679]  ffff888099af0b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   41.680682] >ffff888099af0b80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[   41.680684]                                                              ^
[   41.680687]  ffff888099af0c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   41.680690]  ffff888099af0c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   41.680692] ==================================================================
[   41.680694] Disabling lock debugging due to kernel taint
[   41.680697] Kernel panic - not syncing: panic_on_warn set ...
[   41.680697]
[   41.680701] CPU: 1 PID: 2568 Comm: kworker/1:2 Tainted: G    B   4.14.157-syzkaller #0
[   41.680703] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   41.680706] Workqueue: events_power_efficient fb_flashcursor
[   41.680709] Call Trace:
[   41.680713]  dump_stack+0x142/0x197
[   41.680718]  ? soft_cursor+0x43d/0xa50
[   41.680721]  panic+0x1f9/0x42d
[   41.680725]  ? add_taint.cold+0x16/0x16
[   41.680731]  ? lock_downgrade+0x740/0x740
[   41.680737]  kasan_end_report+0x47/0x4f
[   41.680740]  kasan_report.cold+0x130/0x2af
[   41.680745]  check_memory_region+0x123/0x190
[   41.680748]  memcpy+0x24/0x50
[   41.680752]  soft_cursor+0x43d/0xa50
[   41.680756]  ? kfree+0x183/0x270
[   41.680761]  bit_cursor+0x11be/0x1830
[   41.680767]  ? bit_clear+0x4a0/0x4a0
[   41.680772]  ? fb_get_color_depth+0x5f/0x70
[   41.680776]  ? get_color+0x1bf/0x3b0
[   41.680779]  ? bit_clear+0x4a0/0x4a0
[   41.680783]  fb_flashcursor+0x36d/0x410
[   41.680788]  process_one_work+0x863/0x1600
[   41.680793]  ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   41.680799]  worker_thread+0x5d9/0x1050
[   41.680805]  kthread+0x319/0x430
[   41.680809]  ? process_one_work+0x1600/0x1600
[   41.680812]  ? kthread_create_on_node+0xd0/0xd0
[   41.680816]  ret_from_fork+0x24/0x30
[   41.682127] Kernel Offset: disabled
[   42.174232] Rebooting in 86400 seconds..
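The line "304 bytes inside of 512-byte region" only locates the address within the kmalloc-512 slot; the real size of the font buffer that fbcon_set_font allocated, and how far past it the memcpy in soft_cursor reached, is only visible in the shadow-memory dump. The parser below is an added example (not part of the syzkaller log, syzbot, or the kernel) that reads exactly that: it takes the report lines above as its embedded input (copied from this log, trimmed to the lines it needs), decodes the shadow bytes with generic KASAN's encoding (00 = all 8 bytes of a granule accessible, 01..07 = only the first N bytes, and the poison values named in mm/kasan/kasan.h, e.g. fc = kmalloc redzone, fb = freed object), and reports the true end of the allocation and the size of the overrun. The helper names and the POISON table are this example's own.

```python
"""Measure a KASAN slab-out-of-bounds overrun from the shadow dump, not from the
'N bytes inside of M-byte region' line (which describes the slab slot).

Example input: the soft_cursor report from the console log on this page,
trimmed to the lines the parser needs."""
import re

REPORT = """\
BUG: KASAN: slab-out-of-bounds in soft_cursor+0x43d/0xa50
Read of size 9 at addr ffff888099af0bf0 by task kworker/1:2/2568
The buggy address belongs to the object at ffff888099af0ac0
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 304 bytes inside of
 512-byte region [ffff888099af0ac0, ffff888099af0cc0)
Memory state around the buggy address:
 ffff888099af0a80: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
 ffff888099af0b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888099af0b80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
                                                             ^
 ffff888099af0c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888099af0c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

GRANULE = 8  # one shadow byte describes 8 bytes of kernel memory

# Poison values of generic KASAN (mm/kasan/kasan.h); table is this example's own.
POISON = {
    0xfa: "free page", 0xfb: "freed slab object", 0xfc: "kmalloc redzone",
    0xfe: "global redzone", 0xf1: "stack left redzone", 0xf2: "stack mid redzone",
    0xf3: "stack right redzone", 0xf4: "stack partial redzone", 0xf8: "use after scope",
}


def parse_report(text):
    """Pull the access and the object geometry the report states explicitly."""
    hdr = re.search(r"BUG: KASAN: (\S+) in (\S+)", text)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", text)
    obj = re.search(r"object at ([0-9a-f]+)", text)
    cache = re.search(r"cache (\S+) of size (\d+)", text)
    return {
        "kind": hdr.group(1), "func": hdr.group(2),
        "access": acc.group(1).lower(), "size": int(acc.group(2)),
        "addr": int(acc.group(3), 16), "object": int(obj.group(1), 16),
        "cache": cache.group(1), "slab_size": int(cache.group(2)),
    }


def parse_shadow(text):
    """Return {granule_start_address: shadow_byte} for every row of the dump."""
    shadow = {}
    row = re.compile(r"^[> ]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", re.M)
    for m in row.finditer(text):
        base = int(m.group(1), 16)
        for i, byte in enumerate(m.group(2).split()):
            shadow[base + i * GRANULE] = int(byte, 16)
    return shadow


def accessible_end(shadow, obj):
    """Walk granules from the object start; return the first byte that is not
    accessible, i.e. the real end of the allocation (not of the slab slot)."""
    addr = obj
    while addr in shadow:
        s = shadow[addr]
        if s == 0:                      # whole granule usable
            addr += GRANULE
        elif 1 <= s < GRANULE:          # only the first s bytes usable
            return addr + s
        else:                           # poison: redzone / freed / ...
            return addr
    return addr


def analyse(text):
    r = parse_report(text)
    shadow = parse_shadow(text)
    end = accessible_end(shadow, r["object"])
    r["alloc_size"] = end - r["object"]
    r["overrun_start"] = r["addr"] - end          # where the access begins, past the end
    r["bytes_out_of_bounds"] = max(0, r["addr"] + r["size"] - max(r["addr"], end))
    r["poison"] = POISON.get(shadow.get(r["addr"] & ~(GRANULE - 1)), "accessible")
    return r


if __name__ == "__main__":
    r = analyse(REPORT)
    print(f"{r['kind']} in {r['func']}: {r['access']} of {r['size']} bytes at {r['addr']:#x}")
    print(f"object {r['object']:#x} in {r['cache']} (slot {r['slab_size']} B), "
          f"usable allocation {r['alloc_size']} B")
    print(f"access begins {r['overrun_start']} B past the allocation ({r['poison']}); "
          f"{r['bytes_out_of_bounds']} of {r['size']} bytes are out of bounds")
```

For this report the walk stops at ffff888099af0bd0, so the font buffer holds 272 usable bytes, and the 9-byte read in soft_cursor starts 32 bytes beyond it, entirely inside the kmalloc redzone: a genuine overrun of the object, not an access near the end of a 512-byte slot. Note also that the "Freed by task 3606" stack (kernfs_fop_release) is the last free recorded for that slab slot, i.e. its previous occupant; the shadow bytes are fc, not fb, so the object itself is live and the allocation stack (fbcon_set_font via the vt ioctl path) is the one that matters for triage.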