[ ok ] Starting periodic command scheduler: cron.
[   38.922040] audit: type=1800 audit(1576231520.533:32): pid=7476 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
Starting mcstransd: 
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   39.710749] audit: type=1800 audit(1576231521.323:33): pid=7476 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.11' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [   62.507633] kauditd_printk_skb: 2 callbacks suppressed
[   62.507647] audit: type=1400 audit(1576231544.123:36): avc: denied { map } for pid=7665 comm="syz-executor271" path="/root/syz-executor271345408" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   62.731134] ==================================================================
[   62.731169] BUG: KASAN: slab-out-of-bounds in fbcon_get_font+0x2b2/0x5e0
[   62.731181] Read of size 5 at addr ffff888096616a4c by task syz-executor271/7703
[   62.731185] 
[   62.731200] CPU: 0 PID: 7703 Comm: syz-executor271 Not tainted 4.19.89-syzkaller #0
[   62.731208] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   62.731212] Call Trace:
[   62.731229]  dump_stack+0x197/0x210
[   62.731246]  ? fbcon_get_font+0x2b2/0x5e0
[   62.731263]  print_address_description.cold+0x7c/0x20d
[   62.731278]  ? fbcon_get_font+0x2b2/0x5e0
[   62.731292]  kasan_report.cold+0x8c/0x2ba
[   62.731311]  check_memory_region+0x123/0x190
[   62.731326]  memcpy+0x24/0x50
[   62.731340]  fbcon_get_font+0x2b2/0x5e0
[   62.731356]  ? display_to_var+0x7e0/0x7e0
[   62.731371]  con_font_op+0x20b/0x1250
[   62.731387]  ? release_pages+0x62a/0x1990
[   62.731401]  ? con_write+0xd0/0xd0
[   62.731418]  ? selinux_capable+0x36/0x40
[   62.731433]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   62.731446]  ? security_capable+0x92/0xc0
[   62.731462]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   62.731476]  ? ns_capable_common+0x141/0x170
[   62.731494]  vt_ioctl+0xd2e/0x2530
[   62.731510]  ? complete_change_console+0x3a0/0x3a0
[   62.731524]  ? avc_has_extended_perms+0xa78/0x10f0
[   62.731542]  ? lock_downgrade+0x880/0x880
[   62.731561]  ? __sanitizer_cov_trace_switch+0x49/0x80
[   62.731578]  ? tty_jobctrl_ioctl+0x50/0xcd0
[   62.731590]  ? complete_change_console+0x3a0/0x3a0
[   62.731612]  tty_ioctl+0x7f3/0x1510
[   62.731625]  ? tty_vhangup+0x30/0x30
[   62.731637]  ? mark_held_locks+0x100/0x100
[   62.731661]  ? __fget+0x340/0x540
[   62.731683]  ? __might_sleep+0x95/0x190
[   62.731695]  ? tty_vhangup+0x30/0x30
[   62.731709]  do_vfs_ioctl+0xd5f/0x1380
[   62.731721]  ? selinux_file_ioctl+0x46f/0x5e0
[   62.731732]  ? selinux_file_ioctl+0x125/0x5e0
[   62.731746]  ? ioctl_preallocate+0x210/0x210
[   62.731757]  ? selinux_file_mprotect+0x620/0x620
[   62.731777]  ? iterate_fd+0x360/0x360
[   62.731791]  ? up_read+0x1a/0x110
[   62.731803]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   62.731819]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   62.731831]  ? security_file_ioctl+0x8d/0xc0
[   62.731847]  ksys_ioctl+0xab/0xd0
[   62.731864]  __x64_sys_ioctl+0x73/0xb0
[   62.731881]  do_syscall_64+0xfd/0x620
[   62.731900]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   62.731911] RIP: 0033:0x447249
[   62.731923] Code: e8 dc e6 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 06 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   62.731931] RSP: 002b:00007f520575dce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   62.731943] RAX: ffffffffffffffda RBX: 00000000006dcc48 RCX: 0000000000447249
[   62.731951] RDX: 0000000020000140 RSI: 0000000000004b60 RDI: 0000000000000003
[   62.731958] RBP: 00000000006dcc40 R08: 0000000000000000 R09: 0000000000000000
[   62.731964] R10: 000000000000000e R11: 0000000000000246 R12: 00000000006dcc4c
[   62.731973] R13: 00007fff1bb7e39f R14: 00007f520575e9c0 R15: 20c49ba5e353f7cf
[   62.731992] 
[   62.731999] Allocated by task 7698:
[   62.732011]  save_stack+0x45/0xd0
[   62.732021]  kasan_kmalloc+0xce/0xf0
[   62.732030]  __kmalloc+0x15d/0x750
[   62.732041]  fbcon_set_font+0x32d/0x860
[   62.732052]  con_font_op+0xe18/0x1250
[   62.732063]  vt_ioctl+0xd2e/0x2530
[   62.732072]  tty_ioctl+0x7f3/0x1510
[   62.732083]  do_vfs_ioctl+0xd5f/0x1380
[   62.732093]  ksys_ioctl+0xab/0xd0
[   62.732103]  __x64_sys_ioctl+0x73/0xb0
[   62.732117]  do_syscall_64+0xfd/0x620
[   62.732129]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   62.732132] 
[   62.732138] Freed by task 0:
[   62.732141] (stack is not available)
[   62.732144] 
[   62.732154] The buggy address belongs to the object at ffff888096616640
[   62.732154]  which belongs to the cache kmalloc-2048 of size 2048
[   62.732166] The buggy address is located 1036 bytes inside of
[   62.732166]  2048-byte region [ffff888096616640, ffff888096616e40)
[   62.732170] The buggy address belongs to the page:
[   62.732181] page:ffffea0002598580 count:1 mapcount:0 mapping:ffff88812c31cc40 index:0x0 compound_mapcount: 0
[   62.732194] flags: 0xfffe0000008100(slab|head)
[   62.732211] raw: 00fffe0000008100 ffffea000215f688 ffffea00025aa188 ffff88812c31cc40
[   62.732226] raw: 0000000000000000 ffff888096616640 0000000100000003 0000000000000000
[   62.732232] page dumped because: kasan: bad access detected
[   62.732235] 
[   62.732239] Memory state around the buggy address:
[   62.732250]  ffff888096616900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   62.732260]  ffff888096616980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   62.732270] >ffff888096616a00: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[   62.732274]                                               ^
[   62.732283]  ffff888096616a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   62.732293]  ffff888096616b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   62.732297] ==================================================================
[   62.732301] Disabling lock debugging due to kernel taint
[   62.738564] Kernel panic - not syncing: panic_on_warn set ...
[   62.738564] 
[   62.738576] CPU: 0 PID: 7703 Comm: syz-executor271 Tainted: G    B 4.19.89-syzkaller #0
[   62.738580] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   62.738583] Call Trace:
[   62.738596]  dump_stack+0x197/0x210
[   62.738649]  ? fbcon_get_font+0x2b2/0x5e0
[   62.738656]  panic+0x26a/0x50e
[   62.738663]  ? __warn_printk+0xf3/0xf3
[   62.738670]  ? fbcon_get_font+0x2b2/0x5e0
[   62.738679]  ? preempt_schedule+0x4b/0x60
[   62.738688]  ? ___preempt_schedule+0x16/0x18
[   62.738697]  ? trace_hardirqs_on+0x5e/0x220
[   62.738705]  ? fbcon_get_font+0x2b2/0x5e0
[   62.738713]  kasan_end_report+0x47/0x4f
[   62.738721]  kasan_report.cold+0xa9/0x2ba
[   62.738729]  check_memory_region+0x123/0x190
[   62.738737]  memcpy+0x24/0x50
[   62.738744]  fbcon_get_font+0x2b2/0x5e0
[   62.738751]  ? display_to_var+0x7e0/0x7e0
[   62.738760]  con_font_op+0x20b/0x1250
[   62.738768]  ? release_pages+0x62a/0x1990
[   62.738776]  ? con_write+0xd0/0xd0
[   62.738788]  ? selinux_capable+0x36/0x40
[   62.738800]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   62.738811]  ? security_capable+0x92/0xc0
[   62.738820]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   62.738828]  ? ns_capable_common+0x141/0x170
[   62.738838]  vt_ioctl+0xd2e/0x2530
[   62.738846]  ? complete_change_console+0x3a0/0x3a0
[   62.738854]  ? avc_has_extended_perms+0xa78/0x10f0
[   62.738864]  ? lock_downgrade+0x880/0x880
[   62.738873]  ? __sanitizer_cov_trace_switch+0x49/0x80
[   62.738882]  ? tty_jobctrl_ioctl+0x50/0xcd0
[   62.738889]  ? complete_change_console+0x3a0/0x3a0
[   62.738896]  tty_ioctl+0x7f3/0x1510
[   62.738903]  ? tty_vhangup+0x30/0x30
[   62.738910]  ? mark_held_locks+0x100/0x100
[   62.738921]  ? __fget+0x340/0x540
[   62.738932]  ? __might_sleep+0x95/0x190
[   62.738938]  ? tty_vhangup+0x30/0x30
[   62.738946]  do_vfs_ioctl+0xd5f/0x1380
[   62.738954]  ? selinux_file_ioctl+0x46f/0x5e0
[   62.738961]  ? selinux_file_ioctl+0x125/0x5e0
[   62.738968]  ? ioctl_preallocate+0x210/0x210
[   62.738975]  ? selinux_file_mprotect+0x620/0x620
[   62.738984]  ? iterate_fd+0x360/0x360
[   62.738991]  ? up_read+0x1a/0x110
[   62.738998]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   62.739007]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   62.739013]  ? security_file_ioctl+0x8d/0xc0
[   62.739021]  ksys_ioctl+0xab/0xd0
[   62.739029]  __x64_sys_ioctl+0x73/0xb0
[   62.739037]  do_syscall_64+0xfd/0x620
[   62.739047]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   62.739053] RIP: 0033:0x447249
[   62.739060] Code: e8 dc e6 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 06 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   62.739065] RSP: 002b:00007f520575dce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   62.739072] RAX: ffffffffffffffda RBX: 00000000006dcc48 RCX: 0000000000447249
[   62.739076] RDX: 0000000020000140 RSI: 0000000000004b60 RDI: 0000000000000003
[   62.739080] RBP: 00000000006dcc40 R08: 0000000000000000 R09: 0000000000000000
[   62.739084] R10: 000000000000000e R11: 0000000000000246 R12: 00000000006dcc4c
[   62.739089] R13: 00007fff1bb7e39f R14: 00007f520575e9c0 R15: 20c49ba5e353f7cf
[   62.740424] Kernel Offset: disabled
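The log above is a syzkaller-produced KASAN report for 4.19.89-syzkaller: the memcpy called from fbcon_get_font+0x2b2 reads 5 bytes at a time from a font buffer that fbcon_set_font allocated out of kmalloc-2048, and the shadow rows show where that buffer really ends. The triage helper below is an added example for reading such a report; it is not part of the log, of syzkaller or of the kernel. It strips the dmesg timestamps, extracts the bug class, faulting frame, access, allocation site and object geometry, decodes the shadow encoding (00: all 8 bytes of the granule accessible, 01..07: that many leading bytes accessible, anything else: poisoned) to recover the end of the allocation, and names the vt ioctl from the saved user registers (ORIG_RAX 0x10 is ioctl on x86_64, RSI is the request argument, and the request values are those in include/uapi/linux/kd.h). The embedded REPORT is an excerpt of the log above.

```python
"""Triage helper for a KASAN slab-out-of-bounds report (added example)."""
import re

GRANULE = 8  # bytes of kernel memory covered by one KASAN shadow byte
NR_IOCTL_X86_64 = 16  # ORIG_RAX holds the syscall number; 16 is ioctl on x86_64
# Request values from include/uapi/linux/kd.h: the font ioctls vt_ioctl() hands to con_font_op()
KD_FONT_IOCTLS = {0x4B60: "GIO_FONT", 0x4B61: "PIO_FONT", 0x4B6B: "GIO_FONTX",
                  0x4B6C: "PIO_FONTX", 0x4B6D: "PIO_FONTRESET", 0x4B72: "KDFONTOP"}
# allocator and KASAN frames to skip when looking for the real allocation site
ALLOC_NOISE = ("save_stack", "kasan_", "__kmalloc", "kmalloc", "kmem_cache_alloc")

# Excerpt of the report above; timestamps kept so the stripping is exercised.
REPORT = """\
[   62.731169] BUG: KASAN: slab-out-of-bounds in fbcon_get_font+0x2b2/0x5e0
[   62.731181] Read of size 5 at addr ffff888096616a4c by task syz-executor271/7703
[   62.731931] RSP: 002b:00007f520575dce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   62.731951] RDX: 0000000020000140 RSI: 0000000000004b60 RDI: 0000000000000003
[   62.731992]
[   62.731999] Allocated by task 7698:
[   62.732011]  save_stack+0x45/0xd0
[   62.732021]  kasan_kmalloc+0xce/0xf0
[   62.732030]  __kmalloc+0x15d/0x750
[   62.732041]  fbcon_set_font+0x32d/0x860
[   62.732052]  con_font_op+0xe18/0x1250
[   62.732063]  vt_ioctl+0xd2e/0x2530
[   62.732132]
[   62.732154] The buggy address belongs to the object at ffff888096616640
[   62.732154]  which belongs to the cache kmalloc-2048 of size 2048
[   62.732239] Memory state around the buggy address:
[   62.732260]  ffff888096616980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   62.732270] >ffff888096616a00: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[   62.732283]  ffff888096616a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""


def strip_timestamps(text):
    """Drop the dmesg '[  seconds.micros] ' prefix from every line."""
    return re.sub(r"^\[\s*\d+\.\d+\][ \t]?", "", text, flags=re.M)


def frames_after(header, lines):
    """Frame names listed under a stack header, up to the next blank line."""
    frames, seen = [], False
    for line in lines:
        if not seen:
            seen = line.startswith(header)
        elif not line.strip():
            break
        else:
            frames.append(line.strip().lstrip("? ").split("+")[0])
    return frames


def parse_shadow(text):
    """Map each 8-byte granule address to its shadow byte from the memory-state rows."""
    shadow = {}
    row = re.compile(r"^[ \t]*>?[ \t]*([0-9a-f]{16}):((?:[ \t]+[0-9a-f]{2}){16})[ \t]*$", re.M)
    for base, vals in row.findall(text):
        for i, v in enumerate(vals.split()):
            shadow[int(base, 16) + i * GRANULE] = int(v, 16)
    return shadow


def redzone_start(shadow, addr):
    """Address of the first poisoned byte at or after addr, or None if the rows run out."""
    g = addr & ~(GRANULE - 1)
    while g in shadow:
        v = shadow[g]
        if v == 0:            # whole granule accessible, keep walking
            g += GRANULE
        elif v < GRANULE:     # only the first v bytes are accessible
            return g + v
        else:                 # redzone / freed / other poison
            return g
    return None


def triage(report):
    """Pull the facts a triager needs out of one KASAN report."""
    text = strip_timestamps(report)
    r = {}
    m = re.search(r"BUG: KASAN: (\S+) in (\w+)\+0x[0-9a-f]+/0x[0-9a-f]+", text)
    r["bug"], r["func"] = m.group(1), m.group(2)
    m = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", text)
    r["access"], r["size"], r["addr"] = m.group(1), int(m.group(2)), int(m.group(3), 16)
    r["task"], r["pid"] = m.group(4), int(m.group(5))
    m = re.search(r"object at ([0-9a-f]+)\s+which belongs to the cache (\S+) of size (\d+)", text)
    r["obj"], r["cache"], r["cache_size"] = int(m.group(1), 16), m.group(2), int(m.group(3))
    r["offset"] = r["addr"] - r["obj"]
    alloc = frames_after("Allocated by task", text.splitlines())
    r["alloc_site"] = next((f for f in alloc if not f.startswith(ALLOC_NOISE)), None)
    end = redzone_start(parse_shadow(text), r["addr"])
    r["alloc_size"] = end - r["obj"] if end else None             # bytes actually usable
    r["overflow"] = r["addr"] + r["size"] - end if end else None  # bytes read past them
    nr, rsi = re.search(r"ORIG_RAX: ([0-9a-f]+)", text), re.search(r"RSI: ([0-9a-f]+)", text)
    r["ioctl"] = None
    if nr and rsi and int(nr.group(1), 16) == NR_IOCTL_X86_64:
        cmd = int(rsi.group(1), 16)
        r["ioctl"] = KD_FONT_IOCTLS.get(cmd, hex(cmd))
    return r


if __name__ == "__main__":
    for key, val in triage(REPORT).items():
        print(f"{key:11} {hex(val) if key in ('addr', 'obj') else val}")
```

On this report the helper reports the allocation ending 1040 bytes into the object (ffff888096616a50), the 5-byte read at offset 1036 overrunning it by one byte, fbcon_set_font as the allocating frame, and ioctl(GIO_FONT) as the crashing syscall. Two points for triage follow from the numbers rather than from any source reading: the overrun stays inside the 2048-byte slot [ffff888096616640, ffff888096616e40), so what GIO_FONT returns to user space here is slack of this slot and not a neighbouring object; and the log shows that the getter copies more than the setter allocated but not why, so the root cause has to come from the driver source, not from this dump.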