[....] Starting enhanced syslogd: rsyslogd
[   15.224510] audit: type=1400 audit(1521536120.449:4): avc:  denied  { syslog } for  pid=3645 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ].
Starting mcstransd:
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting file context maintaining daemon: restorecond [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.8' (ECDSA) to the list of known hosts.
executing program

syzkaller login: [   26.743886] ==================================================================
[   26.751269] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x153e/0x3470
[   26.757815] Read of size 8160 at addr ffff8801c6804cc0 by task syzkaller533698/3800
[   26.765570] 
[   26.767170] CPU: 0 PID: 3800 Comm: syzkaller533698 Not tainted 4.9.88-g71df7bb #60
[   26.774841] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.784166]  ffff8801c6bdf728 ffffffff81d95f19 ffffea00071a0100 ffff8801c6804cc0
[   26.792126]  0000000000000000 ffff8801c6804e80 ffff8801c6bdf968 ffff8801c6bdf760
[   26.800082]  ffffffff8153e793 ffff8801c6804cc0 0000000000001fe0 0000000000000000
[   26.808042] Call Trace:
[   26.810597]  [] dump_stack+0xc1/0x128
[   26.815934]  [] print_address_description+0x73/0x280
[   26.822575]  [] kasan_report+0x255/0x380
[   26.828166]  [] ? pfkey_add+0x153e/0x3470
[   26.833844]  [] check_memory_region+0x137/0x190
[   26.840044]  [] memcpy+0x23/0x50
[   26.844942]  [] pfkey_add+0x153e/0x3470
[   26.850453]  [] ? pfkey_delete+0x360/0x360
[   26.856216]  [] ? pfkey_seq_stop+0x80/0x80
[   26.861989]  [] ? __skb_clone+0x24a/0x7d0
[   26.867668]  [] ? pfkey_delete+0x360/0x360
[   26.873433]  [] pfkey_process+0x68b/0x750
[   26.879126]  [] ? pfkey_send_new_mapping+0x11b0/0x11b0
[   26.885939]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   26.892745]  [] pfkey_sendmsg+0x3a9/0x760
[   26.898423]  [] ? pfkey_spdget+0x820/0x820
[   26.904186]  [] sock_sendmsg+0xca/0x110
[   26.909689]  [] ___sys_sendmsg+0x6d1/0x7e0
[   26.915453]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   26.922256]  [] ? copy_msghdr_from_user+0x570/0x570
[   26.928802]  [] ? __lru_cache_add+0x187/0x250
[   26.934830]  [] ? do_huge_pmd_anonymous_page+0xb05/0x10d0
[   26.941896]  [] ? _raw_spin_unlock+0x2c/0x50
[   26.947834]  [] ? do_huge_pmd_anonymous_page+0x2d4/0x10d0
[   26.954900]  [] ? handle_mm_fault+0x4ad/0x2460
[   26.961017]  [] ? __fget_light+0x169/0x1f0
[   26.966779]  [] ? __fdget+0x18/0x20
[   26.971938]  [] ? sockfd_lookup_light+0x118/0x160
[   26.978311]  [] __sys_sendmsg+0xd6/0x190
[   26.983901]  [] ? SyS_shutdown+0x1b0/0x1b0
[   26.989670]  [] ? __do_page_fault+0x5ec/0xd40
[   26.995694]  [] SyS_sendmsg+0x2d/0x50
[   27.001024]  [] ? __sys_sendmsg+0x190/0x190
[   27.006875]  [] do_syscall_64+0x1a4/0x490
[   27.012554]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   27.019443] 
[   27.021038] Allocated by task 3800:
[   27.024634]  save_stack_trace+0x16/0x20
[   27.028576]  save_stack+0x43/0xd0
[   27.031998]  kasan_kmalloc+0xad/0xe0
[   27.035677]  kasan_slab_alloc+0x12/0x20
[   27.039620]  __kmalloc_track_caller+0xda/0x2b0
[   27.044170]  __kmalloc_reserve.isra.37+0x33/0xc0
[   27.048895]  __alloc_skb+0x119/0x600
[   27.052577]  pfkey_sendmsg+0x135/0x760
[   27.056428]  sock_sendmsg+0xca/0x110
[   27.060107]  ___sys_sendmsg+0x6d1/0x7e0
[   27.064048]  __sys_sendmsg+0xd6/0x190
[   27.067813]  SyS_sendmsg+0x2d/0x50
[   27.071319]  do_syscall_64+0x1a4/0x490
[   27.075175]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   27.080240] 
[   27.081835] Freed by task 2014:
[   27.085085]  save_stack_trace+0x16/0x20
[   27.089027]  save_stack+0x43/0xd0
[   27.092445]  kasan_slab_free+0x72/0xc0
[   27.096299]  kfree+0x103/0x300
[   27.099458]  skb_free_head+0x74/0xb0
[   27.103137]  skb_release_data+0x315/0x3f0
[   27.107250]  skb_release_all+0x4a/0x60
[   27.111102]  consume_skb+0xc6/0x340
[   27.114695]  skb_free_datagram+0x1a/0xe0
[   27.118984]  unix_dgram_recvmsg+0x983/0xf90
[   27.123273]  sock_recvmsg+0xc9/0x110
[   27.126959]  SYSC_recvfrom+0x1fc/0x330
[   27.130814]  SyS_recvfrom+0x40/0x50
[   27.134408]  do_syscall_64+0x1a4/0x490
[   27.138262]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   27.143329] 
[   27.144923] The buggy address belongs to the object at ffff8801c6804c80
[   27.144923]  which belongs to the cache kmalloc-512 of size 512
[   27.157552] The buggy address is located 64 bytes inside of
[   27.157552]  512-byte region [ffff8801c6804c80, ffff8801c6804e80)
[   27.169312] The buggy address belongs to the page:
[   27.174213] page:ffffea00071a0100 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   27.184373] flags: 0x8000000000004080(slab|head)
[   27.189095] page dumped because: kasan: bad access detected
[   27.194768] 
[   27.196360] Memory state around the buggy address:
[   27.201258]  ffff8801c6804d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   27.208585]  ffff8801c6804e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   27.215911] >ffff8801c6804e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.223233]                    ^
[   27.226564]  ffff8801c6804f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.233889]  ffff8801c6804f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.241217] ==================================================================
[   27.248540] Disabling lock debugging due to kernel taint
[   27.254402] Kernel panic - not syncing: panic_on_warn set ...
[   27.254402] 
[   27.261760] CPU: 0 PID: 3800 Comm: syzkaller533698 Tainted: G    B           4.9.88-g71df7bb #60
[   27.270658] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.279981]  ffff8801c6bdf680 ffffffff81d95f19 ffffffff841981e7 ffff8801c6bdf758
[   27.287948]  0000000000000000 ffff8801c6804e80 ffff8801c6bdf968 ffff8801c6bdf748
[   27.295908]  ffffffff8142fa71 0000000041b58ab3 ffffffff8418bc48 ffffffff8142f8b5
[   27.303872] Call Trace:
[   27.306430]  [] dump_stack+0xc1/0x128
[   27.311763]  [] panic+0x1bc/0x3a8
[   27.316746]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   27.324943]  [] ? preempt_schedule+0x25/0x30
[   27.330887]  [] ? ___preempt_schedule+0x16/0x18
[   27.337088]  [] kasan_end_report+0x50/0x50
[   27.342862]  [] kasan_report+0x16b/0x380
[   27.348451]  [] ? pfkey_add+0x153e/0x3470
[   27.354130]  [] check_memory_region+0x137/0x190
[   27.360329]  [] memcpy+0x23/0x50
[   27.365223]  [] pfkey_add+0x153e/0x3470
[   27.370725]  [] ? pfkey_delete+0x360/0x360
[   27.376488]  [] ? pfkey_seq_stop+0x80/0x80
[   27.382252]  [] ? __skb_clone+0x24a/0x7d0
[   27.387932]  [] ? pfkey_delete+0x360/0x360
[   27.393698]  [] pfkey_process+0x68b/0x750
[   27.399377]  [] ? pfkey_send_new_mapping+0x11b0/0x11b0
[   27.406190]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   27.412996]  [] pfkey_sendmsg+0x3a9/0x760
[   27.418676]  [] ? pfkey_spdget+0x820/0x820
[   27.424437]  [] sock_sendmsg+0xca/0x110
[   27.429938]  [] ___sys_sendmsg+0x6d1/0x7e0
[   27.435704]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   27.442519]  [] ? copy_msghdr_from_user+0x570/0x570
[   27.449064]  [] ? __lru_cache_add+0x187/0x250
[   27.455089]  [] ? do_huge_pmd_anonymous_page+0xb05/0x10d0
[   27.462157]  [] ? _raw_spin_unlock+0x2c/0x50
[   27.468096]  [] ? do_huge_pmd_anonymous_page+0x2d4/0x10d0
[   27.475163]  [] ? handle_mm_fault+0x4ad/0x2460
[   27.481274]  [] ? __fget_light+0x169/0x1f0
[   27.487038]  [] ? __fdget+0x18/0x20
[   27.492194]  [] ? sockfd_lookup_light+0x118/0x160
[   27.498566]  [] __sys_sendmsg+0xd6/0x190
[   27.504157]  [] ? SyS_shutdown+0x1b0/0x1b0
[   27.509923]  [] ? __do_page_fault+0x5ec/0xd40
[   27.515952]  [] SyS_sendmsg+0x2d/0x50
[   27.521282]  [] ? __sys_sendmsg+0x190/0x190
[   27.527131]  [] do_syscall_64+0x1a4/0x490
[   27.532807]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   27.540151] Dumping ftrace buffer:
[   27.543657]    (ftrace buffer empty)
[   27.547337] Kernel Offset: disabled
[   27.550933] Rebooting in 86400 seconds..
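Added triage example (not part of the syzkaller console log above, and not syzkaller or kernel code): a small Python script that pulls the access and object geometry out of the KASAN header and shadow dump and cross-checks them. The report lines embedded in it are copied from the log above with timestamps and traces dropped. The access size 8160 is 0x1fe0, the same value that appears as the third word of the last raw-stack row before "Call Trace:". The script assumes the standard x86_64 KASAN shadow encodings (00 addressable, 01-07 partially addressable, fa freed page, fb freed kmalloc object, fc kmalloc redzone) and that the row KASAN marks with ">" is the one holding the first poisoned byte; both are how KASAN prints its reports, not something stated on this page. Two caveats for anyone reading the log: this is a slab-out-of-bounds on a live object, so the "Freed by task 2014" trace (unix_dgram_recvmsg) describes a previous occupant of the slot and is not the bug's free path; and nothing here identifies the root cause inside pfkey_add, the script only quantifies the overrun.

```python
import re

# Constructed input: the geometry-bearing lines of the KASAN report in the
# console log above (kernel timestamps and stack traces dropped). The first
# column of each shadow row matters: '>' marks the row with the first bad byte.
KASAN_REPORT = """\
BUG: KASAN: slab-out-of-bounds in pfkey_add+0x153e/0x3470
Read of size 8160 at addr ffff8801c6804cc0 by task syzkaller533698/3800
The buggy address belongs to the object at ffff8801c6804c80
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 64 bytes inside of
 512-byte region [ffff8801c6804c80, ffff8801c6804e80)
Memory state around the buggy address:
 ffff8801c6804d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801c6804e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801c6804e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801c6804f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801c6804f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

GRANULE = 8  # one KASAN shadow byte describes 8 bytes of kernel memory

def classify_shadow(b):
    """Decode a shadow byte (assumed x86_64 KASAN encodings, mm/kasan/kasan.h)."""
    if b == 0x00:
        return "addressable"
    if 1 <= b <= 7:
        return "partially addressable (first %d bytes)" % b
    return {0xfa: "freed page",
            0xfb: "freed kmalloc object",
            0xfc: "kmalloc redzone"}.get(b, "other poison 0x%02x" % b)

BUG_RE    = re.compile(r"BUG: KASAN: (\S+) in (\S+)")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)")
REGION_RE = re.compile(r"(\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)")
CACHE_RE  = re.compile(r"cache (\S+) of size (\d+)")
SHADOW_RE = re.compile(r"^([ >])([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)$")

def parse_report(text):
    """Pull access, object and shadow-row data out of a KASAN report."""
    r = {"shadow": []}
    for line in text.splitlines():
        if m := BUG_RE.search(line):
            r["kind"], r["func"] = m.group(1), m.group(2)
        elif m := ACCESS_RE.search(line):
            r["access"], r["size"] = m.group(1).lower(), int(m.group(2))
            r["addr"] = int(m.group(3), 16)
        elif m := REGION_RE.search(line):
            r["obj_size"] = int(m.group(1))
            r["obj_start"], r["obj_end"] = int(m.group(2), 16), int(m.group(3), 16)
        elif m := CACHE_RE.search(line):
            r["cache"] = m.group(1)
        elif m := SHADOW_RE.match(line):
            vals = [int(v, 16) for v in m.group(3).split()]
            r["shadow"].append((int(m.group(2), 16), vals, m.group(1) == ">"))
    return r

def analyze(r):
    """Compute how far the access ran and check it against the shadow dump."""
    a = {"offset_in_object": r["addr"] - r["obj_start"]}
    in_bounds = max(0, min(r["size"], r["obj_end"] - r["addr"]))
    a["bytes_in_bounds"] = in_bounds
    a["bytes_past_end"] = r["size"] - in_bounds
    a["access_end"] = r["addr"] + r["size"]
    # First poisoned byte, taken from the row KASAN flagged with '>'.
    a["first_bad_addr"] = None
    for base, vals, marked in r["shadow"]:
        if not marked:
            continue
        for i, v in enumerate(vals):
            if v != 0:
                a["first_bad_addr"] = base + i * GRANULE + (v if v <= 7 else 0)
                break
    a["first_bad_is_object_end"] = a["first_bad_addr"] == r["obj_end"]
    # What each shadow row at or past the object end holds (redzone, freed object, ...).
    a["after_object"] = [(base, classify_shadow(vals[0]))
                         for base, vals, _ in r["shadow"] if base >= r["obj_end"]]
    return a

def triage(text=KASAN_REPORT):
    """Short summary of the overrun, suitable for a bug-tracker comment."""
    r = parse_report(text)
    a = analyze(r)
    out = ["%s in %s: %s of %d (0x%x) bytes at 0x%x" % (
               r["kind"], r["func"], r["access"], r["size"], r["size"], r["addr"]),
           "object: %s, %d bytes at [0x%x, 0x%x)" % (
               r["cache"], r["obj_size"], r["obj_start"], r["obj_end"]),
           "access starts %d bytes into the object: %d bytes in bounds, "
           "%d bytes past the end (access ends at 0x%x)" % (
               a["offset_in_object"], a["bytes_in_bounds"],
               a["bytes_past_end"], a["access_end"]),
           "first poisoned byte 0x%x %s the object end" % (
               a["first_bad_addr"], "is" if a["first_bad_is_object_end"] else "is NOT")]
    out += ["  0x%x: %s" % row for row in a["after_object"]]
    return "\n".join(out)

if __name__ == "__main__":
    print(triage())
```

For this log the script reports a 64-byte offset into a 512-byte kmalloc-512 object, 448 bytes in bounds and 7712 bytes past the end, with the first poisoned byte at the object end followed by 128 bytes of kmalloc redzone and then freed objects. To use it on another KASAN report, paste that report's header and shadow rows in place of KASAN_REPORT; the regular expressions match the 4.9-era report layout shown here.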