[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   40.243026] audit: type=1800 audit(1575353204.902:33): pid=7480 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   44.698822] kauditd_printk_skb: 1 callbacks suppressed
[   44.698835] audit: type=1400 audit(1575353209.352:35): avc:  denied  { map } for  pid=7658 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.217' (ECDSA) to the list of known hosts.
executing program
[   51.483917] audit: type=1400 audit(1575353216.142:36): avc:  denied  { map } for  pid=7670 comm="syz-executor473" path="/root/syz-executor473333360" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   51.510969] ==================================================================
[   51.510997] BUG: KASAN: slab-out-of-bounds in vcs_scr_readw+0xc2/0xd0
[   51.511004] Read of size 2 at addr ffff888095f0a500 by task syz-executor473/7670
[   51.511006]
[   51.511016] CPU: 0 PID: 7670 Comm: syz-executor473 Not tainted 4.19.87-syzkaller #0
[   51.511021] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   51.511024] Call Trace:
[   51.511035]  dump_stack+0x197/0x210
[   51.511044]  ? vcs_scr_readw+0xc2/0xd0
[   51.511056]  print_address_description.cold+0x7c/0x20d
[   51.511064]  ? vcs_scr_readw+0xc2/0xd0
[   51.511072]  kasan_report.cold+0x8c/0x2ba
[   51.511083]  __asan_report_load2_noabort+0x14/0x20
[   51.511089]  vcs_scr_readw+0xc2/0xd0
[   51.511098]  vcs_write+0x646/0xcf0
[   51.511105]  ? save_stack+0xa9/0xd0
[   51.511113]  ? __kasan_slab_free+0x102/0x150
[   51.511125]  ? vcs_size+0x240/0x240
[   51.511135]  ? find_held_lock+0x35/0x130
[   51.511150]  __vfs_write+0x114/0x810
[   51.511157]  ? vcs_size+0x240/0x240
[   51.511165]  ? kernel_read+0x120/0x120
[   51.511175]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   51.511184]  ? __inode_security_revalidate+0xda/0x120
[   51.511194]  ? avc_policy_seqno+0xd/0x70
[   51.511200]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   51.511208]  ? selinux_file_permission+0x92/0x550
[   51.511218]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   51.511225]  ? security_file_permission+0x89/0x230
[   51.511234]  ? rw_verify_area+0x118/0x360
[   51.511250]  vfs_write+0x20c/0x560
[   51.511261]  ksys_write+0x14f/0x2d0
[   51.511270]  ? __ia32_sys_read+0xb0/0xb0
[   51.511281]  ? do_syscall_64+0x26/0x620
[   51.511289]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   51.511297]  ? do_syscall_64+0x26/0x620
[   51.511307]  __x64_sys_write+0x73/0xb0
[   51.511316]  do_syscall_64+0xfd/0x620
[   51.511325]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   51.511332] RIP: 0033:0x443e49
[   51.511340] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   51.511344] RSP: 002b:00007ffe7e575428 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   51.511352] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000443e49
[   51.511357] RDX: 0000000000001010 RSI: 0000000020006480 RDI: 0000000000000003
[   51.511362] RBP: 00000000006cf018 R08: 0000f8ff00000000 R09: 00000000004002e0
[   51.511366] R10: 000000000000ffff R11: 0000000000000246 R12: 0000000000401b50
[   51.511371] R13: 0000000000401be0 R14: 0000000000000000 R15: 0000000000000000
[   51.511382]
[   51.511386] Allocated by task 7645:
[   51.511394]  save_stack+0x45/0xd0
[   51.511400]  kasan_kmalloc+0xce/0xf0
[   51.511406]  __kmalloc+0x15d/0x750
[   51.511412]  vc_allocate+0x3f5/0x760
[   51.511418]  con_install+0x52/0x410
[   51.511424]  tty_init_dev+0xf7/0x460
[   51.511429]  tty_open+0x4bf/0xb70
[   51.511436]  chrdev_open+0x245/0x6b0
[   51.511442]  do_dentry_open+0x4c3/0x1210
[   51.511447]  vfs_open+0xa0/0xd0
[   51.511455]  path_openat+0x10d7/0x45e0
[   51.511461]  do_filp_open+0x1a1/0x280
[   51.511466]  do_sys_open+0x3fe/0x550
[   51.511472]  __x64_sys_open+0x7e/0xc0
[   51.511479]  do_syscall_64+0xfd/0x620
[   51.511486]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   51.511488]
[   51.511491] Freed by task 0:
[   51.511493] (stack is not available)
[   51.511495]
[   51.511500] The buggy address belongs to the object at ffff888095f09240
[   51.511500]  which belongs to the cache kmalloc-8192 of size 8192
[   51.511507] The buggy address is located 4800 bytes inside of
[   51.511507]  8192-byte region [ffff888095f09240, ffff888095f0b240)
[   51.511510] The buggy address belongs to the page:
[   51.511518] page:ffffea000257c200 count:1 mapcount:0 mapping:ffff88812c315080 index:0x0 compound_mapcount: 0
[   51.511526] flags: 0xfffe0000008100(slab|head)
[   51.511537] raw: 00fffe0000008100 ffffea0002488a08 ffffea0002518508 ffff88812c315080
[   51.511545] raw: 0000000000000000 ffff888095f09240 0000000100000001 0000000000000000
[   51.511548] page dumped because: kasan: bad access detected
[   51.511551]
[   51.511553] Memory state around the buggy address:
[   51.511559]  ffff888095f0a400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   51.511565]  ffff888095f0a480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   51.511571] >ffff888095f0a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   51.511573]                    ^
[   51.511579]  ffff888095f0a580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   51.511584]  ffff888095f0a600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   51.511588] ==================================================================
[   51.511590] Disabling lock debugging due to kernel taint
[   51.511594] Kernel panic - not syncing: panic_on_warn set ...
[   51.511594]
[   51.511602] CPU: 0 PID: 7670 Comm: syz-executor473 Tainted: G    B             4.19.87-syzkaller #0
[   51.511606] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   51.511608] Call Trace:
[   51.511615]  dump_stack+0x197/0x210
[   51.511622]  ? vcs_scr_readw+0xc2/0xd0
[   51.511629]  panic+0x26a/0x50e
[   51.511635]  ? __warn_printk+0xf3/0xf3
[   51.511644]  ? lock_downgrade+0x880/0x880
[   51.511653]  ? trace_hardirqs_on+0x67/0x220
[   51.511659]  ? trace_hardirqs_on+0x5e/0x220
[   51.511666]  ? vcs_scr_readw+0xc2/0xd0
[   51.511674]  kasan_end_report+0x47/0x4f
[   51.511681]  kasan_report.cold+0xa9/0x2ba
[   51.511690]  __asan_report_load2_noabort+0x14/0x20
[   51.511696]  vcs_scr_readw+0xc2/0xd0
[   51.511702]  vcs_write+0x646/0xcf0
[   51.511708]  ? save_stack+0xa9/0xd0
[   51.511716]  ? __kasan_slab_free+0x102/0x150
[   51.511725]  ? vcs_size+0x240/0x240
[   51.511732]  ? find_held_lock+0x35/0x130
[   51.511741]  __vfs_write+0x114/0x810
[   51.511747]  ? vcs_size+0x240/0x240
[   51.511754]  ? kernel_read+0x120/0x120
[   51.511761]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   51.511768]  ? __inode_security_revalidate+0xda/0x120
[   51.511776]  ? avc_policy_seqno+0xd/0x70
[   51.511782]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   51.511789]  ? selinux_file_permission+0x92/0x550
[   51.511797]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   51.511803]  ? security_file_permission+0x89/0x230
[   51.511811]  ? rw_verify_area+0x118/0x360
[   51.511818]  vfs_write+0x20c/0x560
[   51.511826]  ksys_write+0x14f/0x2d0
[   51.511834]  ? __ia32_sys_read+0xb0/0xb0
[   51.511842]  ? do_syscall_64+0x26/0x620
[   51.511848]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   51.511855]  ? do_syscall_64+0x26/0x620
[   51.511863]  __x64_sys_write+0x73/0xb0
[   51.511871]  do_syscall_64+0xfd/0x620
[   51.511879]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   51.511883] RIP: 0033:0x443e49
[   51.511890] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   51.511893] RSP: 002b:00007ffe7e575428 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   51.511900] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000443e49
[   51.511904] RDX: 0000000000001010 RSI: 0000000020006480 RDI: 0000000000000003
[   51.511908] RBP: 00000000006cf018 R08: 0000f8ff00000000 R09: 00000000004002e0
[   51.511912] R10: 000000000000ffff R11: 0000000000000246 R12: 0000000000401b50
[   51.511916] R13: 0000000000401be0 R14: 0000000000000000 R15: 0000000000000000
[   51.513468] Kernel Offset: disabled
[   52.213393] Rebooting in 86400 seconds..