Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.
[ 38.409664] audit: type=1800 audit(1575320794.051:33): pid=7443 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 38.432137] audit: type=1800 audit(1575320794.051:34): pid=7443 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 41.418859] audit: type=1400 audit(1575320797.061:35): avc: denied { map } for pid=7621 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.241' (ECDSA) to the list of known hosts.
executing program
[ 61.435567] audit: type=1400 audit(1575320817.081:36): avc: denied { map } for pid=7633 comm="syz-executor404" path="/root/syz-executor404204206" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 61.482505] ==================================================================
[ 61.482539] BUG: KASAN: slab-out-of-bounds in fbcon_get_font+0x2b2/0x5e0
[ 61.482550] Read of size 16 at addr ffff88808ad25710 by task syz-executor404/7633
[ 61.482553]
[ 61.482569] CPU: 0 PID: 7633 Comm: syz-executor404 Not tainted 4.19.87-syzkaller #0
[ 61.482576] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.482581] Call Trace:
[ 61.482598]  dump_stack+0x197/0x210
[ 61.482613]  ? fbcon_get_font+0x2b2/0x5e0
[ 61.482630]  print_address_description.cold+0x7c/0x20d
[ 61.482642]  ? fbcon_get_font+0x2b2/0x5e0
[ 61.482655]  kasan_report.cold+0x8c/0x2ba
[ 61.482671]  check_memory_region+0x123/0x190
[ 61.482685]  memcpy+0x24/0x50
[ 61.482698]  fbcon_get_font+0x2b2/0x5e0
[ 61.482713]  ? display_to_var+0x7e0/0x7e0
[ 61.482724]  con_font_op+0x20b/0x1250
[ 61.482738]  ? con_write+0xd0/0xd0
[ 61.482760]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 61.482774]  ? _copy_from_user+0xdd/0x150
[ 61.482791]  vt_ioctl+0x1784/0x2530
[ 61.482806]  ? complete_change_console+0x3a0/0x3a0
[ 61.482822]  ? avc_has_extended_perms+0xa78/0x10f0
[ 61.482843]  ? save_stack+0xa9/0xd0
[ 61.482853]  ? __sanitizer_cov_trace_switch+0x49/0x80
[ 61.482870]  ? tty_jobctrl_ioctl+0x50/0xcd0
[ 61.482880]  ? complete_change_console+0x3a0/0x3a0
[ 61.482896]  tty_ioctl+0x7f3/0x1510
[ 61.482912]  ? tty_vhangup+0x30/0x30
[ 61.482926]  ? find_held_lock+0x35/0x130
[ 61.482941]  ? debug_check_no_obj_freed+0x200/0x464
[ 61.482969]  ? __might_sleep+0x95/0x190
[ 61.482982]  ? trace_hardirqs_off+0x62/0x220
[ 61.482996]  ? tty_vhangup+0x30/0x30
[ 61.483011]  do_vfs_ioctl+0xd5f/0x1380
[ 61.483024]  ? selinux_file_ioctl+0x46f/0x5e0
[ 61.483036]  ? selinux_file_ioctl+0x125/0x5e0
[ 61.483051]  ? ioctl_preallocate+0x210/0x210
[ 61.483063]  ? selinux_file_mprotect+0x620/0x620
[ 61.483075]  ? putname+0xef/0x130
[ 61.483088]  ? kmem_cache_free+0x222/0x260
[ 61.483103]  ? putname+0xf4/0x130
[ 61.483117]  ? do_sys_open+0x31d/0x550
[ 61.483135]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 61.483147]  ? security_file_ioctl+0x8d/0xc0
[ 61.483164]  ksys_ioctl+0xab/0xd0
[ 61.483181]  __x64_sys_ioctl+0x73/0xb0
[ 61.483208]  do_syscall_64+0xfd/0x620
[ 61.483227]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 61.483238] RIP: 0033:0x4444d9
[ 61.483250] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 61.483257] RSP: 002b:00007fff165a01a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 61.483269] RAX: ffffffffffffffda RBX: 00007fff165a01b0 RCX: 00000000004444d9
[ 61.483277] RDX: 0000000020000440 RSI: 0000000000004b72 RDI: 0000000000000005
[ 61.483284] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000400da0
[ 61.483292] R10: 00007fff1659fcf0 R11: 0000000000000246 R12: 00000000004021e0
[ 61.483299] R13: 0000000000402270 R14: 0000000000000000 R15: 0000000000000000
[ 61.483316]
[ 61.483323] Allocated by task 7633:
[ 61.483336]  save_stack+0x45/0xd0
[ 61.483347]  kasan_kmalloc+0xce/0xf0
[ 61.483357]  __kmalloc+0x15d/0x750
[ 61.483368]  fbcon_set_font+0x32d/0x860
[ 61.483378]  con_font_op+0xe18/0x1250
[ 61.483388]  vt_ioctl+0xd2e/0x2530
[ 61.483399]  tty_ioctl+0x7f3/0x1510
[ 61.483410]  do_vfs_ioctl+0xd5f/0x1380
[ 61.483420]  ksys_ioctl+0xab/0xd0
[ 61.483431]  __x64_sys_ioctl+0x73/0xb0
[ 61.483443]  do_syscall_64+0xfd/0x620
[ 61.483453]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 61.483456]
[ 61.483461] Freed by task 0:
[ 61.483465] (stack is not available)
[ 61.483468]
[ 61.483477] The buggy address belongs to the object at ffff88808ad24d00
[ 61.483477]  which belongs to the cache kmalloc-4096 of size 4096
[ 61.483488] The buggy address is located 2576 bytes inside of
[ 61.483488]  4096-byte region [ffff88808ad24d00, ffff88808ad25d00)
[ 61.483493] The buggy address belongs to the page:
[ 61.483503] page:ffffea00022b4900 count:1 mapcount:0 mapping:ffff88812c31cdc0 index:0x0 compound_mapcount: 0
[ 61.483514] flags: 0xfffe0000008100(slab|head)
[ 61.483532] raw: 00fffe0000008100 ffffea000231a988 ffff88812c314a48 ffff88812c31cdc0
[ 61.483546] raw: 0000000000000000 ffff88808ad24d00 0000000100000001 0000000000000000
[ 61.483552] page dumped because: kasan: bad access detected
[ 61.483555]
[ 61.483558] Memory state around the buggy address:
[ 61.483568]  ffff88808ad25600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 61.483578]  ffff88808ad25680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 61.483587] >ffff88808ad25700: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.483592]                          ^
[ 61.483602]  ffff88808ad25780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.483611]  ffff88808ad25800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.483616] ==================================================================
[ 61.483620] Disabling lock debugging due to kernel taint
[ 61.483626] Kernel panic - not syncing: panic_on_warn set ...
[ 61.483626]
[ 61.483638] CPU: 0 PID: 7633 Comm: syz-executor404 Tainted: G B 4.19.87-syzkaller #0
[ 61.483644] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.483648] Call Trace:
[ 61.483661]  dump_stack+0x197/0x210
[ 61.483673]  ? fbcon_get_font+0x2b2/0x5e0
[ 61.483683]  panic+0x26a/0x50e
[ 61.483694]  ? __warn_printk+0xf3/0xf3
[ 61.483709]  ? lock_downgrade+0x880/0x880
[ 61.483723]  ? trace_hardirqs_on+0x67/0x220
[ 61.483734]  ? trace_hardirqs_on+0x5e/0x220
[ 61.483747]  ? fbcon_get_font+0x2b2/0x5e0
[ 61.483759]  kasan_end_report+0x47/0x4f
[ 61.483771]  kasan_report.cold+0xa9/0x2ba
[ 61.483786]  check_memory_region+0x123/0x190
[ 61.483797]  memcpy+0x24/0x50
[ 61.483809]  fbcon_get_font+0x2b2/0x5e0
[ 61.483822]  ? display_to_var+0x7e0/0x7e0
[ 61.483832]  con_font_op+0x20b/0x1250
[ 61.483845]  ? con_write+0xd0/0xd0
[ 61.483862]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 61.483877]  ? _copy_from_user+0xdd/0x150
[ 61.483889]  vt_ioctl+0x1784/0x2530
[ 61.483903]  ? complete_change_console+0x3a0/0x3a0
[ 61.483917]  ? avc_has_extended_perms+0xa78/0x10f0
[ 61.483932]  ? save_stack+0xa9/0xd0
[ 61.483944]  ? __sanitizer_cov_trace_switch+0x49/0x80
[ 61.483957]  ? tty_jobctrl_ioctl+0x50/0xcd0
[ 61.483968]  ? complete_change_console+0x3a0/0x3a0
[ 61.483981]  tty_ioctl+0x7f3/0x1510
[ 61.483995]  ? tty_vhangup+0x30/0x30
[ 61.484007]  ? find_held_lock+0x35/0x130
[ 61.484020]  ? debug_check_no_obj_freed+0x200/0x464
[ 61.484040]  ? __might_sleep+0x95/0x190
[ 61.484052]  ? trace_hardirqs_off+0x62/0x220
[ 61.484064]  ? tty_vhangup+0x30/0x30
[ 61.484077]  do_vfs_ioctl+0xd5f/0x1380
[ 61.484090]  ? selinux_file_ioctl+0x46f/0x5e0
[ 61.484102]  ? selinux_file_ioctl+0x125/0x5e0
[ 61.484114]  ? ioctl_preallocate+0x210/0x210
[ 61.484126]  ? selinux_file_mprotect+0x620/0x620
[ 61.484139]  ? putname+0xef/0x130
[ 61.484151]  ? kmem_cache_free+0x222/0x260
[ 61.484165]  ? putname+0xf4/0x130
[ 61.484177]  ? do_sys_open+0x31d/0x550
[ 61.484192]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 61.484212]  ? security_file_ioctl+0x8d/0xc0
[ 61.484223]  ksys_ioctl+0xab/0xd0
[ 61.484236]  __x64_sys_ioctl+0x73/0xb0
[ 61.484249]  do_syscall_64+0xfd/0x620
[ 61.484262]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 61.484270] RIP: 0033:0x4444d9
[ 61.484280] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 61.484286] RSP: 002b:00007fff165a01a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 61.484297] RAX: ffffffffffffffda RBX: 00007fff165a01b0 RCX: 00000000004444d9
[ 61.484304] RDX: 0000000020000440 RSI: 0000000000004b72 RDI: 0000000000000005
[ 61.484311] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000400da0
[ 61.484318] R10: 00007fff1659fcf0 R11: 0000000000000246 R12: 00000000004021e0
[ 61.484325] R13: 0000000000402270 R14: 0000000000000000 R15: 0000000000000000
[ 61.485680] Kernel Offset: disabled
[ 62.251512] Rebooting in 86400 seconds..