[ ok ] Starting file context maintaining daemon: restorecond.
[....] Starting OpenBSD Secure Shell server: sshd
[ 14.342388] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 28.301468] random: sshd: uninitialized urandom read (32 bytes read, 40 bits of entropy available)
[ 28.624861] random: sshd: uninitialized urandom read (32 bytes read, 40 bits of entropy available)
[ 29.159753] random: sshd: uninitialized urandom read (32 bytes read, 100 bits of entropy available)
[ 29.300847] random: sshd: uninitialized urandom read (32 bytes read, 104 bits of entropy available)
Warning: Permanently added 'ci-android-44-kasan-gce-2,10.128.0.61' (ECDSA) to the list of known hosts.
[ 34.670580] random: sshd: uninitialized urandom read (32 bytes read, 110 bits of entropy available)
executing program
[ 34.763188] ==================================================================
[ 34.770548] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x2596/0x3260 at addr ffff8801d35378b0
[ 34.779875] Read of size 4 by task syzkaller727451/3320
[ 34.785201] page:ffffea00074d4dc0 count:0 mapcount:0 mapping: (null) index:0x0
[ 34.793301] flags: 0x8000000000000000()
[ 34.797348] page dumped because: kasan: bad access detected
[ 34.803028] CPU: 0 PID: 3320 Comm: syzkaller727451 Not tainted 4.4.104-ged884eb #2
[ 34.810697] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.820014]  0000000000000000 6712db20d9b49ae2 ffff8801d3536ef0 ffffffff81cc9b0f
[ 34.827947]  ffffed003a6a6f16 ffffed003a6a6f16 ffff8801d3536f78 ffffffff814db3d5
[ 34.835893]  0000000000000000 fffffbff00000000 ffffffff83281756 0000000000000296
[ 34.843835] Call Trace:
[ 34.846388]  [] dump_stack+0x8e/0xcf
[ 34.851628]  [] kasan_report.part.2+0x445/0x530
[ 34.857822]  [] ? xfrm_state_find+0x2596/0x3260
[ 34.864013]  [] ? get_parent_ip+0xd/0x50
[ 34.869598]  [] __asan_report_load4_noabort+0x29/0x30
[ 34.876309]  [] xfrm_state_find+0x2596/0x3260
[ 34.882327]  [] ? xfrm_unregister_mode+0x1d0/0x1d0
[ 34.888780]  [] ? __module_text_address+0x13/0x140
[ 34.895240]  [] ? noop_count+0x40/0x40
[ 34.900650]  [] ? check_usage_backwards+0x171/0x300
[ 34.907187]  [] ? check_usage_forwards+0x310/0x310
[ 34.913639]  [] xfrm_tmpl_resolve+0x263/0xa70
[ 34.919669]  [] ? __xfrm_decode_session+0xc0/0xc0
[ 34.926035]  [] ? __module_text_address+0x13/0x140
[ 34.932485]  [] ? check_usage_forwards+0x310/0x310
[ 34.938938]  [] ? __lock_acquire+0x1cff/0x4b50
[ 34.945045]  [] ? __lock_acquire+0xb5f/0x4b50
[ 34.951065]  [] xfrm_resolve_and_create_bundle+0xbd/0x1c10
[ 34.958214]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 34.965188]  [] ? xfrm_tmpl_resolve+0xa70/0xa70
[ 34.971388]  [] ? __local_bh_enable_ip+0x6a/0xd0
[ 34.977669]  [] ? xfrm_sk_policy_lookup+0x1a6/0x2a0
[ 34.984216]  [] ? xfrm_sk_policy_lookup+0x1c3/0x2a0
[ 34.990755]  [] ? xfrm_sk_policy_lookup+0x3c/0x2a0
[ 34.997211]  [] xfrm_lookup+0x80e/0xbc0
[ 35.002712]  [] ? rt_add_uncached_list+0x85/0xb0
[ 35.008991]  [] ? xfrm_bundle_lookup+0x1190/0x1190
[ 35.015444]  [] ? __ip_route_output_key_hash+0x748/0x2320
[ 35.022503]  [] ? __ip_route_output_key_hash+0x15b/0x2320
[ 35.029563]  [] ? __module_text_address+0x13/0x140
[ 35.036017]  [] xfrm_lookup_route+0x1c/0x160
[ 35.041948]  [] ip_route_output_flow+0x69/0x90
[ 35.048922]  [] udp_sendmsg+0xf18/0x1ce0
[ 35.054507]  [] ? udp_sendmsg+0x960/0x1ce0
[ 35.060275]  [] ? ip_reply_glue_bits+0x90/0x90
[ 35.066380]  [] ? udp_seq_next+0x60/0x60
[ 35.071965]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 35.078939]  [] ? mark_held_locks+0xaf/0x100
[ 35.084873]  [] ? __local_bh_enable_ip+0x6a/0xd0
[ 35.091154]  [] udpv6_sendmsg+0x51a/0x2360
[ 35.096914]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 35.103718]  [] ? udp_lib_get_port+0x5e3/0xf10
[ 35.109824]  [] ? trace_hardirqs_on+0xd/0x10
[ 35.115758]  [] ? udp6_lib_lookup+0x20/0x20
[ 35.121606]  [] ? __local_bh_enable_ip+0x6a/0xd0
[ 35.127885]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 35.134687]  [] ? release_sock+0x373/0x500
[ 35.140443]  [] ? trace_hardirqs_on+0xd/0x10
[ 35.146374]  [] ? __local_bh_enable_ip+0x6a/0xd0
[ 35.152743]  [] ? _raw_spin_unlock_bh+0x30/0x40
[ 35.158938]  [] ? release_sock+0x373/0x500
[ 35.164699]  [] inet_sendmsg+0x26c/0x430
[ 35.170285]  [] ? inet_sendmsg+0x6e/0x430
[ 35.175960]  [] ? security_socket_sendmsg+0x6a/0xa0
[ 35.182510]  [] ? inet_recvmsg+0x490/0x490
[ 35.188271]  [] sock_sendmsg+0xb5/0xf0
[ 35.193685]  [] SYSC_sendto+0x267/0x300
[ 35.199186]  [] ? SYSC_connect+0x2e0/0x2e0
[ 35.204948]  [] ? handle_mm_fault+0x24ed/0x39b0
[ 35.211144]  [] ? selinux_netlbl_sock_rcv_skb+0x370/0x370
[ 35.218211]  [] ? retint_user+0x18/0x20
[ 35.223711]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 35.230514]  [] ? trace_hardirqs_on_thunk+0x17/0x19
[ 35.237055]  [] SyS_sendto+0x9/0x10
[ 35.242208]  [] entry_SYSCALL_64_fastpath+0x16/0x76
[ 35.248749] Memory state around the buggy address:
[ 35.253643]  ffff8801d3537780: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
[ 35.260965]  ffff8801d3537800: f2 f2 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00
[ 35.268285] >ffff8801d3537880: 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 00
[ 35.275605]                                      ^
[ 35.280495]  ffff8801d3537900: 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00 00 00
[ 35.287818]  ffff8801d3537980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 35.295139] ==================================================================
[ 35.302460] Disabling lock debugging due to kernel taint
[ 35.307913] ==================================================================
[ 35.315242] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0xa2f/0x3260 at addr ffff8801d35378b0
[ 35.324473] Read of size 4 by task syzkaller727451/3320
[ 35.329799] page:ffffea00074d4dc0 count:0 mapcount:0 mapping: (null) index:0x0
[ 35.337900] flags: 0x8000000000000000()
[ 35.341946] page dumped because: kasan: bad access detected
[ 35.348201] CPU: 0 PID: 3320 Comm: syzkaller727451 Tainted: G B 4.4.104-ged884eb #2
[ 35.357085] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.366403]  0000000000000000 6712db20d9b49ae2 ffff8801d3536ef0 ffffffff81cc9b0f
[ 35.374348]  ffffed003a6a6f16 ffffed003a6a6f16 ffff8801d3536f78 ffffffff814db3d5
[ 35.382294]  0000000000000010 fffffbff00000000 ffffffff8327fbef 0000000000000296
[ 35.390248] Call Trace:
[ 35.392800]  [] dump_stack+0x8e/0xcf
[ 35.398038]  [] kasan_report.part.2+0x445/0x530
[ 35.404234]  [] ? xfrm_state_find+0xa2f/0x3260
[ 35.410350]  [] __asan_report_load4_noabort+0x29/0x30
[ 35.417064]  [] xfrm_state_find+0xa2f/0x3260
[ 35.422996]  [] ? xfrm_unregister_mode+0x1d0/0x1d0
[ 35.429454]  [] ? __module_text_address+0x13/0x140
[ 35.435907]  [] ? noop_count+0x40/0x40
[ 35.441318]  [] ? check_usage_backwards+0x171/0x300
[ 35.447856]  [] ? check_usage_forwards+0x310/0x310
[ 35.454310]  [] xfrm_tmpl_resolve+0x263/0xa70
[ 35.460329]  [] ? __xfrm_decode_session+0xc0/0xc0
[ 35.466696]  [] ? __module_text_address+0x13/0x140
[ 35.473149]  [] ? check_usage_forwards+0x310/0x310
[ 35.479605]  [] ? __lock_acquire+0x1cff/0x4b50
[ 35.485712]  [] ? __lock_acquire+0xb5f/0x4b50
[ 35.491733]  [] xfrm_resolve_and_create_bundle+0xbd/0x1c10
[ 35.498893]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 35.505869]  [] ? xfrm_tmpl_resolve+0xa70/0xa70
[ 35.512063]  [] ? __local_bh_enable_ip+0x6a/0xd0
[ 35.518343]  [] ? xfrm_sk_policy_lookup+0x1a6/0x2a0
[ 35.524886]  [] ? xfrm_sk_policy_lookup+0x1c3/0x2a0
[ 35.531426]  [] ? xfrm_sk_policy_lookup+0x3c/0x2a0
[ 35.537880]  [] xfrm_lookup+0x80e/0xbc0
[ 35.543379]  [] ? rt_add_uncached_list+0x85/0xb0
[ 35.549657]  [] ? xfrm_bundle_lookup+0x1190/0x1190
[ 35.556113]  [] ? __ip_route_output_key_hash+0x748/0x2320
[ 35.563175]  [] ? __ip_route_output_key_hash+0x15b/0x2320
[ 35.570237]  [] ? __module_text_address+0x13/0x140
[ 35.576692]  [] xfrm_lookup_route+0x1c/0x160
[ 35.582624]  [] ip_route_output_flow+0x69/0x90
[ 35.588735]  [] udp_sendmsg+0xf18/0x1ce0
[ 35.594319]  [] ? udp_sendmsg+0x960/0x1ce0
[ 35.600086]  [] ? ip_reply_glue_bits+0x90/0x90
[ 35.606193]  [] ? udp_seq_next+0x60/0x60
[ 35.611781]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 35.618755]  [] ? mark_held_locks+0xaf/0x100
[ 35.624689]  [] ? __local_bh_enable_ip+0x6a/0xd0
[ 35.630971]  [] udpv6_sendmsg+0x51a/0x2360
[ 35.636733]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 35.643534]  [] ? udp_lib_get_port+0x5e3/0xf10
[ 35.649641]  [] ? trace_hardirqs_on+0xd/0x10
[ 35.655574]  [] ? udp6_lib_lookup+0x20/0x20
[ 35.661430]  [] ? __local_bh_enable_ip+0x6a/0xd0
[ 35.667712]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 35.674519]  [] ? release_sock+0x373/0x500
[ 35.680280]  [] ? trace_hardirqs_on+0xd/0x10
[ 35.686214]  [] ? __local_bh_enable_ip+0x6a/0xd0
[ 35.692494]  [] ? _raw_spin_unlock_bh+0x30/0x40
[ 35.698689]  [] ? release_sock+0x373/0x500
[ 35.704449]  [] inet_sendmsg+0x26c/0x430
[ 35.710035]  [] ? inet_sendmsg+0x6e/0x430
[ 35.715710]  [] ? security_socket_sendmsg+0x6a/0xa0
[ 35.722252]  [] ? inet_recvmsg+0x490/0x490
[ 35.728013]  [] sock_sendmsg+0xb5/0xf0
[ 35.733424]  [] SYSC_sendto+0x267/0x300
[ 35.738923]  [] ? SYSC_connect+0x2e0/0x2e0
[ 35.744684]  [] ? handle_mm_fault+0x24ed/0x39b0
[ 35.750880]  [] ? selinux_netlbl_sock_rcv_skb+0x370/0x370
[ 35.757944]  [] ? retint_user+0x18/0x20
[ 35.763440]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 35.770239]  [] ? trace_hardirqs_on_thunk+0x17/0x19
[ 35.776782]  [] SyS_sendto+0x9/0x10
[ 35.781936]  [] entry_SYSCALL_64_fastpath+0x16/0x76
[ 35.788478] Memory state around the buggy address:
[ 35.793370]  ffff8801d3537780: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
[ 35.800694]  ffff8801d3537800: f2 f2 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00
[ 35.808016] >ffff8801d3537880: 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 00
[ 35.815336]