Starting mcstransd: [ 10.183667] random: sshd: uninitialized urandom read (32 bytes read) [....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 45.376088] random: sshd: uninitialized urandom read (32 bytes read) [ 45.417847] random: crng init done Warning: Permanently added '10.128.10.12' (ECDSA) to the list of known hosts. 2019/06/15 13:52:08 parsed 1 programs 2019/06/15 13:52:10 executed programs: 0 [ 54.822723] audit: type=1400 audit(1560606730.576:5): avc: denied { sys_admin } for pid=2079 comm="syz-executor.0" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 54.860691] audit: type=1400 audit(1560606730.616:6): avc: denied { net_admin } for pid=2080 comm="syz-executor.0" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 55.034916] audit: type=1400 audit(1560606730.796:7): avc: denied { sys_chroot } for pid=2080 comm="syz-executor.0" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 55.099588] audit: type=1400 audit(1560606730.856:8): avc: denied { associate } for pid=2080 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1 [ 55.157311] audit: type=1400 audit(1560606730.916:9): avc: denied { dac_override } for pid=2104 comm="syz-executor.0" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 56.677254] ================================================================== [ 56.685113] BUG: KASAN: use-after-free in pneigh_get_next.isra.4+0x273/0x2b0 [ 56.692673] Read of size 8 at addr ffff8801ce9ae360 by task syz-executor.0/2170 [ 56.700104] [ 56.701831] CPU: 0 PID: 2170 Comm: syz-executor.0 Not tainted 4.9.141+ #1 [ 56.709483] ffff8801c9c3f250 ffffffff81b42e79 ffffea00073a6b80 ffff8801ce9ae360 [ 56.717807] 0000000000000000 ffff8801ce9ae360 ffff8801ce9ae360 ffff8801c9c3f288 [ 56.726171] ffffffff815009b8 ffff8801ce9ae360 0000000000000008 0000000000000000 [ 56.734711] Call Trace: [ 56.737619] [] dump_stack+0xc1/0x128 [ 56.742972] [] print_address_description+0x6c/0x234 [ 56.750136] [] kasan_report.cold.6+0x242/0x2fe [ 56.756825] [] ? pneigh_get_next.isra.4+0x273/0x2b0 [ 56.763795] [] __asan_report_load8_noabort+0x14/0x20 [ 56.770649] [] pneigh_get_next.isra.4+0x273/0x2b0 [ 56.777152] [] ? mark_held_locks+0xc7/0x130 [ 56.783422] [] neigh_seq_next+0xb1/0x1e0 [ 56.789735] [] seq_read+0xa0b/0x12d0 [ 56.795479] [] ? seq_lseek+0x3c0/0x3c0 [ 56.801098] [] ? __fsnotify_inode_delete+0x30/0x30 [ 56.807869] [] proc_reg_read+0xfd/0x180 [ 56.813704] [] ? seq_lseek+0x3c0/0x3c0 [ 56.819237] [] do_loop_readv_writev.part.1+0xd5/0x280 [ 56.826612] [] do_readv_writev+0x56e/0x7b0 [ 56.832775] [] ? vfs_write+0x520/0x520 [ 56.838322] [] ? kasan_unpoison_shadow+0x35/0x50 [ 56.844844] [] ? push_pipe+0x3e2/0x770 [ 56.850374] [] ? iov_iter_get_pages_alloc+0x2be/0xee0 [ 56.857692] [] vfs_readv+0x84/0xc0 [ 56.863090] [] default_file_splice_read+0x451/0x7f0 [ 56.872050] [] ? debug_check_no_obj_freed+0x2ce/0x890 [ 56.879148] [] ? do_splice_direct+0x270/0x270 [ 56.885417] [] ? free_hot_cold_page+0x5b3/0x9d0 [ 56.892056] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 56.899915] [] ? trace_hardirqs_on+0xd/0x10 [ 56.906158] [] ? security_file_permission+0x8f/0x1e0 [ 56.913405] [] ? default_file_splice_write+0x68/0x80 [ 56.922362] [] ? do_splice_direct+0x270/0x270 [ 56.928754] [] do_splice_to+0x10c/0x170 [ 56.935640] [] splice_direct_to_actor+0x23f/0x7e0 [ 56.942737] [] ? pipe_to_sendpage+0x330/0x330 [ 56.948880] [] ? do_splice_to+0x170/0x170 [ 56.955360] [] ? security_file_permission+0x8f/0x1e0 [ 56.963491] [] ? rw_verify_area+0xe5/0x2a0 [ 56.970079] [] do_splice_direct+0x1a3/0x270 [ 56.976884] [] ? splice_direct_to_actor+0x7e0/0x7e0 [ 56.983817] [] ? rcu_sync_lockdep_assert+0x73/0xb0 [ 56.990489] [] ? __sb_start_write+0x161/0x300 [ 56.998675] [] do_sendfile+0x4f0/0xc30 [ 57.005124] [] ? do_compat_pwritev64+0x180/0x180 [ 57.013386] [] ? __might_fault+0x114/0x1d0 [ 57.019908] [] SyS_sendfile64+0x144/0x160 [ 57.026540] [] ? SyS_sendfile+0x160/0x160 [ 57.032965] [] ? do_syscall_64+0x48/0x550 [ 57.039513] [] ? SyS_sendfile+0x160/0x160 [ 57.053446] [] do_syscall_64+0x19f/0x550 [ 57.062703] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 57.071547] [ 57.074388] Allocated by task 2171: [ 57.083680] save_stack_trace+0x16/0x20 [ 57.088418] kasan_kmalloc.part.1+0x62/0xf0 [ 57.095259] kasan_kmalloc+0xaf/0xc0 [ 57.099299] __kmalloc+0x12f/0x310 [ 57.103387] pneigh_lookup+0x17d/0x3f0 [ 57.107258] arp_req_set+0x443/0x570 [ 57.112117] arp_ioctl+0x32a/0x670 [ 57.118019] inet_ioctl+0x90/0x1d0 [ 57.122472] sock_do_ioctl+0x6a/0xb0 [ 57.126302] sock_ioctl+0x32d/0x3c0 [ 57.133123] do_vfs_ioctl+0x1ac/0x11a0 [ 57.137728] SyS_ioctl+0x8f/0xc0 [ 57.141193] do_syscall_64+0x19f/0x550 [ 57.145868] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 57.152245] [ 57.153987] Freed by task 2168: [ 57.157254] save_stack_trace+0x16/0x20 [ 57.162211] kasan_slab_free+0xac/0x190 [ 57.167122] kfree+0xfb/0x310 [ 57.172713] neigh_ifdown+0x1da/0x2a0 [ 57.176920] arp_ifdown+0x1c/0x20 [ 57.184555] inetdev_event+0x6f2/0x10b0 [ 57.189661] notifier_call_chain+0xb4/0x1d0 [ 57.194099] raw_notifier_call_chain+0x2d/0x40 [ 57.206478] call_netdevice_notifiers_info+0x55/0x70 [ 57.218479] rollback_registered_many+0x6e5/0xb50 [ 57.224228] rollback_registered+0xee/0x1b0 [ 57.230867] unregister_netdevice_queue+0x1aa/0x230 [ 57.239992] __tun_detach+0x821/0xa00 [ 57.244431] tun_chr_close+0x44/0x60 [ 57.248656] __fput+0x263/0x700 [ 57.256450] ____fput+0x15/0x20 [ 57.261062] task_work_run+0x10c/0x180 [ 57.265351] exit_to_usermode_loop+0x129/0x150 [ 57.271114] do_syscall_64+0x3e2/0x550 [ 57.275562] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 57.281020] [ 57.282849] The buggy address belongs to the object at ffff8801ce9ae360 [ 57.282849] which belongs to the cache kmalloc-64 of size 64 [ 57.296296] The buggy address is located 0 bytes inside of [ 57.296296] 64-byte region [ffff8801ce9ae360, ffff8801ce9ae3a0) [ 57.313710] The buggy address belongs to the page: [ 57.320398] page:ffffea00073a6b80 count:1 mapcount:0 mapping: (null) index:0x0 [ 57.329187] flags: 0x4000000000000080(slab) [ 57.333899] page dumped because: kasan: bad access detected [ 57.339774] [ 57.341617] Memory state around the buggy address: [ 57.346799] ffff8801ce9ae200: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb [ 57.355275] ffff8801ce9ae280: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc [ 57.363635] >ffff8801ce9ae300: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb [ 57.373863] ^ [ 57.380351] ffff8801ce9ae380: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc [ 57.388486] ffff8801ce9ae400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 57.396969] ================================================================== [ 57.405671] Disabling lock debugging due to kernel taint [ 57.411595] Kernel panic - not syncing: panic_on_warn set ... [ 57.411595] [ 57.419073] CPU: 0 PID: 2170 Comm: syz-executor.0 Tainted: G B 4.9.141+ #1 [ 57.427312] ffff8801c9c3f1b0 ffffffff81b42e79 ffffffff82e37630 00000000ffffffff [ 57.435455] 0000000000000000 0000000000000000 ffff8801ce9ae360 ffff8801c9c3f270 [ 57.444171] ffffffff813f7125 0000000041b58ab3 ffffffff82e2b62b ffffffff813f6f66 [ 57.453850] Call Trace: [ 57.457529] [] dump_stack+0xc1/0x128 [ 57.464074] [] panic+0x1bf/0x39f [ 57.469085] [] ? add_taint.cold.5+0x16/0x16 [ 57.476405] [] kasan_end_report+0x47/0x4f [ 57.483448] [] kasan_report.cold.6+0x76/0x2fe [ 57.490101] [] ? pneigh_get_next.isra.4+0x273/0x2b0 [ 57.497821] [] __asan_report_load8_noabort+0x14/0x20 [ 57.505412] [] pneigh_get_next.isra.4+0x273/0x2b0 [ 57.512255] [] ? mark_held_locks+0xc7/0x130 [ 57.519089] [] neigh_seq_next+0xb1/0x1e0 [ 57.525328] [] seq_read+0xa0b/0x12d0 [ 57.532134] [] ? seq_lseek+0x3c0/0x3c0 [ 57.538264] [] ? __fsnotify_inode_delete+0x30/0x30 [ 57.544948] [] proc_reg_read+0xfd/0x180 [ 57.551119] [] ? seq_lseek+0x3c0/0x3c0 [ 57.557570] [] do_loop_readv_writev.part.1+0xd5/0x280 [ 57.565153] [] do_readv_writev+0x56e/0x7b0 [ 57.571141] [] ? vfs_write+0x520/0x520 [ 57.576753] [] ? kasan_unpoison_shadow+0x35/0x50 [ 57.583623] [] ? push_pipe+0x3e2/0x770 [ 57.590345] [] ? iov_iter_get_pages_alloc+0x2be/0xee0 [ 57.597958] [] vfs_readv+0x84/0xc0 [ 57.603294] [] default_file_splice_read+0x451/0x7f0 [ 57.610234] [] ? debug_check_no_obj_freed+0x2ce/0x890 [ 57.617544] [] ? do_splice_direct+0x270/0x270 [ 57.623890] [] ? free_hot_cold_page+0x5b3/0x9d0 [ 57.630827] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 57.638039] [] ? trace_hardirqs_on+0xd/0x10 [ 57.644607] [] ? security_file_permission+0x8f/0x1e0 [ 57.651767] [] ? default_file_splice_write+0x68/0x80 [ 57.660924] [] ? do_splice_direct+0x270/0x270 [ 57.668030] [] do_splice_to+0x10c/0x170 [ 57.673828] [] splice_direct_to_actor+0x23f/0x7e0 [ 57.682182] [] ? pipe_to_sendpage+0x330/0x330 [ 57.688315] [] ? do_splice_to+0x170/0x170 [ 57.694635] [] ? security_file_permission+0x8f/0x1e0 [ 57.701503] [] ? rw_verify_area+0xe5/0x2a0 [ 57.708224] [] do_splice_direct+0x1a3/0x270 [ 57.714374] [] ? splice_direct_to_actor+0x7e0/0x7e0 [ 57.722550] [] ? rcu_sync_lockdep_assert+0x73/0xb0 [ 57.729871] [] ? __sb_start_write+0x161/0x300 [ 57.736539] [] do_sendfile+0x4f0/0xc30 [ 57.742324] [] ? do_compat_pwritev64+0x180/0x180 [ 57.748962] [] ? __might_fault+0x114/0x1d0 [ 57.755180] [] SyS_sendfile64+0x144/0x160 [ 57.761573] [] ? SyS_sendfile+0x160/0x160 [ 57.767569] [] ? do_syscall_64+0x48/0x550 [ 57.773533] [] ? SyS_sendfile+0x160/0x160 [ 57.779614] [] do_syscall_64+0x19f/0x550 [ 57.785451] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 57.793352] Kernel Offset: disabled [ 57.797490] Rebooting in 86400 seconds..