[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 34.258089] random: sshd: uninitialized urandom read (32 bytes read)
[ 34.632522] kauditd_printk_skb: 9 callbacks suppressed
[ 34.632530] audit: type=1400 audit(1569001536.384:35): avc: denied { map } for pid=6887 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 34.686904] random: sshd: uninitialized urandom read (32 bytes read)
[ 35.206511] random: sshd: uninitialized urandom read (32 bytes read)
[ 35.386538] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.49' (ECDSA) to the list of known hosts.
[ 40.903275] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 41.019610] audit: type=1400 audit(1569001542.764:36): avc: denied { map } for pid=6900 comm="syz-executor573" path="/root/syz-executor573485886" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 41.048238] ==================================================================
[ 41.055830] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x1ae/0x200
[ 41.062777] Read of size 2 at addr ffff88809f99d2f0 by task syz-executor573/6900
[ 41.070283]
[ 41.071931] CPU: 1 PID: 6900 Comm: syz-executor573 Not tainted 4.14.145 #0
[ 41.078917] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.088255] Call Trace:
[ 41.090841]  dump_stack+0x138/0x197
[ 41.094551]  ? tcp_init_tso_segs+0x1ae/0x200
[ 41.098949]  print_address_description.cold+0x7c/0x1dc
[ 41.104209]  ? tcp_init_tso_segs+0x1ae/0x200
[ 41.108597]  kasan_report.cold+0xa9/0x2af
[ 41.112760]  __asan_report_load2_noabort+0x14/0x20
[ 41.117671]  tcp_init_tso_segs+0x1ae/0x200
[ 41.121889]  ? tcp_tso_segs+0x7d/0x1c0
[ 41.125755]  tcp_write_xmit+0x15e/0x4960
[ 41.129790]  ? tcp_v6_md5_lookup+0x23/0x30
[ 41.134003]  ? tcp_established_options+0x2c5/0x420
[ 41.138910]  ? tcp_current_mss+0x1dc/0x2f0
[ 41.143135]  ? __alloc_skb+0x3ee/0x500
[ 41.147018]  __tcp_push_pending_frames+0xa6/0x260
[ 41.151841]  tcp_send_fin+0x17e/0xc40
[ 41.155622]  tcp_close+0xcc8/0xfb0
[ 41.159140]  ? lock_acquire+0x16f/0x430
[ 41.163092]  ? ip_mc_drop_socket+0x1d6/0x230
[ 41.167478]  inet_release+0xec/0x1c0
[ 41.171173]  inet6_release+0x53/0x80
[ 41.174863]  __sock_release+0xce/0x2b0
[ 41.178728]  ? __sock_release+0x2b0/0x2b0
[ 41.182852]  sock_close+0x1b/0x30
[ 41.186285]  __fput+0x275/0x7a0
[ 41.189543]  ____fput+0x16/0x20
[ 41.192817]  task_work_run+0x114/0x190
[ 41.196683]  do_exit+0x7df/0x2c10
[ 41.200126]  ? mm_update_next_owner+0x5d0/0x5d0
[ 41.204771]  ? fd_install+0x4d/0x60
[ 41.208375]  ? sock_map_fd+0x56/0x80
[ 41.212070]  ? SyS_socket+0x103/0x170
[ 41.215851]  do_group_exit+0x111/0x330
[ 41.219717]  SyS_exit_group+0x1d/0x20
[ 41.223498]  ? do_group_exit+0x330/0x330
[ 41.227536]  do_syscall_64+0x1e8/0x640
[ 41.231401]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 41.236226]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 41.241570] RIP: 0033:0x43ee88
[ 41.244737] RSP: 002b:00007ffc016a0828 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 41.252423] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ee88
[ 41.259682] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 41.271986] RBP: 00000000004be688 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 41.279236] R10: 0000000020000004 R11: 0000000000000246 R12: 0000000000000001
[ 41.286483] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 41.293748]
[ 41.295452] Allocated by task 6900:
[ 41.299061]  save_stack_trace+0x16/0x20
[ 41.303015]  save_stack+0x45/0xd0
[ 41.306462]  kasan_kmalloc+0xce/0xf0
[ 41.310150]  kasan_slab_alloc+0xf/0x20
[ 41.314099]  kmem_cache_alloc_node+0x144/0x780
[ 41.318655]  __alloc_skb+0x9c/0x500
[ 41.322258]  sk_stream_alloc_skb+0xb3/0x780
[ 41.326557]  tcp_sendmsg_locked+0xf61/0x3200
[ 41.330940]  tcp_sendmsg+0x30/0x50
[ 41.334458]  inet_sendmsg+0x122/0x500
[ 41.338234]  sock_sendmsg+0xce/0x110
[ 41.341921]  SYSC_sendto+0x206/0x310
[ 41.345612]  SyS_sendto+0x40/0x50
[ 41.349042]  do_syscall_64+0x1e8/0x640
[ 41.352906]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 41.358081]
[ 41.359685] Freed by task 6900:
[ 41.362940]  save_stack_trace+0x16/0x20
[ 41.366891]  save_stack+0x45/0xd0
[ 41.370338]  kasan_slab_free+0x75/0xc0
[ 41.374200]  kmem_cache_free+0x83/0x2b0
[ 41.378149]  kfree_skbmem+0x8d/0x120
[ 41.381851]  __kfree_skb+0x1e/0x30
[ 41.385373]  tcp_remove_empty_skb.part.0+0x231/0x2e0
[ 41.390452]  tcp_sendmsg_locked+0x1ced/0x3200
[ 41.394922]  tcp_sendmsg+0x30/0x50
[ 41.398452]  inet_sendmsg+0x122/0x500
[ 41.402234]  sock_sendmsg+0xce/0x110
[ 41.405924]  SYSC_sendto+0x206/0x310
[ 41.409613]  SyS_sendto+0x40/0x50
[ 41.413052]  do_syscall_64+0x1e8/0x640
[ 41.416916]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 41.422078]
[ 41.423683] The buggy address belongs to the object at ffff88809f99d2c0
[ 41.423683]  which belongs to the cache skbuff_fclone_cache of size 472
[ 41.437010] The buggy address is located 48 bytes inside of
[ 41.437010]  472-byte region [ffff88809f99d2c0, ffff88809f99d498)
[ 41.448790] The buggy address belongs to the page:
[ 41.453695] page:ffffea00027e6740 count:1 mapcount:0 mapping:ffff88809f99d040 index:0x0
[ 41.461816] flags: 0x1fffc0000000100(slab)
[ 41.466028] raw: 01fffc0000000100 ffff88809f99d040 0000000000000000 0000000100000006
[ 41.473885] raw: ffffea00029b8120 ffff8880a9e1bd48 ffff8880a9e19a80 0000000000000000
[ 41.481741] page dumped because: kasan: bad access detected
[ 41.487432]
[ 41.489048] Memory state around the buggy address:
[ 41.493953]  ffff88809f99d180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 41.501289]  ffff88809f99d200: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.508635] >ffff88809f99d280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 41.515984]                                                              ^
[ 41.522975]  ffff88809f99d300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.530324]  ffff88809f99d380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.537660] ==================================================================
[ 41.544992] Disabling lock debugging due to kernel taint
[ 41.550865] Kernel panic - not syncing: panic_on_warn set ...
[ 41.550865]
[ 41.558235] CPU: 1 PID: 6900 Comm: syz-executor573 Tainted: G B 4.14.145 #0
[ 41.566453] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.575795] Call Trace:
[ 41.578367]  dump_stack+0x138/0x197
[ 41.582794]  ? tcp_init_tso_segs+0x1ae/0x200
[ 41.587193]  panic+0x1f2/0x426
[ 41.590360]  ? add_taint.cold+0x16/0x16
[ 41.594312]  ? ___preempt_schedule+0x16/0x18
[ 41.598695]  kasan_end_report+0x47/0x4f
[ 41.602645]  kasan_report.cold+0x130/0x2af
[ 41.606861]  __asan_report_load2_noabort+0x14/0x20
[ 41.611763]  tcp_init_tso_segs+0x1ae/0x200
[ 41.615973]  ? tcp_tso_segs+0x7d/0x1c0
[ 41.619833]  tcp_write_xmit+0x15e/0x4960
[ 41.623871]  ? tcp_v6_md5_lookup+0x23/0x30
[ 41.628082]  ? tcp_established_options+0x2c5/0x420
[ 41.632987]  ? tcp_current_mss+0x1dc/0x2f0
[ 41.637201]  ? __alloc_skb+0x3ee/0x500
[ 41.641065]  __tcp_push_pending_frames+0xa6/0x260
[ 41.645878]  tcp_send_fin+0x17e/0xc40
[ 41.649653]  tcp_close+0xcc8/0xfb0
[ 41.653168]  ? lock_acquire+0x16f/0x430
[ 41.657117]  ? ip_mc_drop_socket+0x1d6/0x230
[ 41.661516]  inet_release+0xec/0x1c0
[ 41.665205]  inet6_release+0x53/0x80
[ 41.668910]  __sock_release+0xce/0x2b0
[ 41.672773]  ? __sock_release+0x2b0/0x2b0
[ 41.676893]  sock_close+0x1b/0x30
[ 41.680321]  __fput+0x275/0x7a0
[ 41.683590]  ____fput+0x16/0x20
[ 41.686846]  task_work_run+0x114/0x190
[ 41.690710]  do_exit+0x7df/0x2c10
[ 41.694492]  ? mm_update_next_owner+0x5d0/0x5d0
[ 41.699148]  ? fd_install+0x4d/0x60
[ 41.702751]  ? sock_map_fd+0x56/0x80
[ 41.706439]  ? SyS_socket+0x103/0x170
[ 41.710220]  do_group_exit+0x111/0x330
[ 41.714083]  SyS_exit_group+0x1d/0x20
[ 41.717858]  ? do_group_exit+0x330/0x330
[ 41.721909]  do_syscall_64+0x1e8/0x640
[ 41.725771]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 41.730606]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 41.735768] RIP: 0033:0x43ee88
[ 41.738957] RSP: 002b:00007ffc016a0828 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 41.746640] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ee88
[ 41.753887] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 41.761131] RBP: 00000000004be688 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 41.768462] R10: 0000000020000004 R11: 0000000000000246 R12: 0000000000000001
[ 41.775709] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 41.784248] Kernel Offset: disabled
[ 41.787883] Rebooting in 86400 seconds..