[ ok ] Starting enhanced syslogd: rsyslogd.
[ 13.434588] audit: type=1400 audit(1513323558.998:5): avc: denied { syslog } for pid=2993 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 19.288601] audit: type=1400 audit(1513323564.852:6): avc: denied { map } for pid=3134 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added 'ci-upstream-kasan-gce-386-0,10.128.0.45' (ECDSA) to the list of known hosts.
executing program
[ 25.602424] audit: type=1400 audit(1513323571.166:7): avc: denied { map } for pid=3148 comm="syzkaller437144" path="/root/syzkaller437144148" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 25.607704] ==================================================================
[ 25.607722] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x1634/0x3270
[ 25.607730] Read of size 8192 at addr ffff8801cdaa5798 by task syzkaller437144/3148
[ 25.607734]
[ 25.607743] CPU: 1 PID: 3148 Comm: syzkaller437144 Not tainted 4.15.0-rc3+ #131
[ 25.607748] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.607753] Call Trace:
[ 25.607764]  dump_stack+0x194/0x257
[ 25.607779]  ? arch_local_irq_restore+0x53/0x53
[ 25.607790]  ? show_regs_print_info+0x18/0x18
[ 25.607798]  ? __lock_is_held+0xbc/0x140
[ 25.607815]  ? pfkey_add+0x1634/0x3270
[ 25.607829]  print_address_description+0x73/0x250
[ 25.607838]  ? pfkey_add+0x1634/0x3270
[ 25.607849]  kasan_report+0x25b/0x340
[ 25.607865]  check_memory_region+0x137/0x190
[ 25.607876]  memcpy+0x23/0x50
[ 25.607888]  pfkey_add+0x1634/0x3270
[ 25.607915]  ? set_ipsecrequest+0x310/0x310
[ 25.607929]  ? lock_release+0xda0/0xda0
[ 25.607939]  ? set_ipsecrequest+0x310/0x310
[ 25.607953]  pfkey_process+0x60b/0x720
[ 25.607972]  ? pfkey_send_new_mapping+0x11b0/0x11b0
[ 25.607979]  ? kasan_check_write+0x14/0x20
[ 25.608042]  pfkey_sendmsg+0x4d6/0x9f0
[ 25.608058]  ? pfkey_spdget+0xb00/0xb00
[ 25.608075]  ? selinux_socket_sendmsg+0x36/0x40
[ 25.608086]  ? security_socket_sendmsg+0x89/0xb0
[ 25.608095]  ? pfkey_spdget+0xb00/0xb00
[ 25.608111]  sock_sendmsg+0xca/0x110
[ 25.608126]  ___sys_sendmsg+0x75b/0x8a0
[ 25.608144]  ? copy_msghdr_from_user+0x590/0x590
[ 25.608161]  ? check_noncircular+0x20/0x20
[ 25.608180]  ? __pmd_alloc+0x4e0/0x4e0
[ 25.608191]  ? find_held_lock+0x39/0x1d0
[ 25.608203]  ? __fget_light+0x29d/0x390
[ 25.608216]  ? fget_raw+0x20/0x20
[ 25.608236]  ? find_held_lock+0x39/0x1d0
[ 25.608269]  ? __fdget+0x18/0x20
[ 25.608286]  __sys_sendmsg+0xe5/0x210
[ 25.608295]  ? __sys_sendmsg+0xe5/0x210
[ 25.608309]  ? SyS_shutdown+0x290/0x290
[ 25.608316]  ? handle_mm_fault+0x410/0x8d0
[ 25.608327]  ? __do_page_fault+0x32d/0xc90
[ 25.608338]  ? __handle_mm_fault+0x3e20/0x3e20
[ 25.608347]  ? vmacache_find+0x5f/0x280
[ 25.608395]  compat_SyS_sendmsg+0x2a/0x40
[ 25.608405]  ? compat_SyS_getsockopt+0x420/0x420
[ 25.608416]  do_fast_syscall_32+0x3ee/0xf9d
[ 25.608437]  ? do_int80_syscall_32+0x9d0/0x9d0
[ 25.608447]  ? kasan_check_read+0x11/0x20
[ 25.608460]  ? syscall_return_slowpath+0x550/0x550
[ 25.608472]  ? SyS_rt_sigaction+0x94/0x1b0
[ 25.608487]  ? lockdep_sys_exit+0x47/0xf0
[ 25.608496]  ? retint_user+0x18/0x18
[ 25.608514]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 25.608535]  entry_SYSENTER_compat+0x51/0x60
[ 25.608543] RIP: 0023:0xf7f6cc79
[ 25.608549] RSP: 002b:00000000ffeeac4c EFLAGS: 00000203 ORIG_RAX: 0000000000000172
[ 25.608560] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000205f5000
[ 25.608566] RDX: 0000000000000000 RSI: 0000000000000167 RDI: 000000000000000f
[ 25.608572] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
[ 25.608578] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 25.608583] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 25.608614]
[ 25.608620] Allocated by task 3148:
[ 25.608627]  save_stack+0x43/0xd0
[ 25.608634]  kasan_kmalloc+0xad/0xe0
[ 25.608643]  __kmalloc_node_track_caller+0x47/0x70
[ 25.608651]  __kmalloc_reserve.isra.41+0x41/0xd0
[ 25.608658]  __alloc_skb+0x13b/0x780
[ 25.608665]  pfkey_sendmsg+0x20f/0x9f0
[ 25.608673]  sock_sendmsg+0xca/0x110
[ 25.608680]  ___sys_sendmsg+0x75b/0x8a0
[ 25.608688]  __sys_sendmsg+0xe5/0x210
[ 25.608695]  compat_SyS_sendmsg+0x2a/0x40
[ 25.608702]  do_fast_syscall_32+0x3ee/0xf9d
[ 25.608710]  entry_SYSENTER_compat+0x51/0x60
[ 25.608714]
[ 25.608718] Freed by task 1603:
[ 25.608725]  save_stack+0x43/0xd0
[ 25.608732]  kasan_slab_free+0x71/0xc0
[ 25.608739]  kfree+0xca/0x250
[ 25.608747]  skb_free_head+0x74/0xb0
[ 25.608755]  skb_release_data+0x58c/0x790
[ 25.608762]  skb_release_all+0x4a/0x60
[ 25.608770]  consume_skb+0x153/0x490
[ 25.608777]  skb_free_datagram+0x1a/0xe0
[ 25.608785]  netlink_recvmsg+0x5c6/0x1300
[ 25.608793]  sock_recvmsg+0xc9/0x110
[ 25.608800]  ___sys_recvmsg+0x29b/0x630
[ 25.608808]  __sys_recvmsg+0xe2/0x210
[ 25.608815]  SyS_recvmsg+0x2d/0x50
[ 25.608823]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 25.608826]
[ 25.608833] The buggy address belongs to the object at ffff8801cdaa5780
[ 25.608833]  which belongs to the cache kmalloc-512 of size 512
[ 25.608841] The buggy address is located 24 bytes inside of
[ 25.608841]  512-byte region [ffff8801cdaa5780, ffff8801cdaa5980)
[ 25.608845] The buggy address belongs to the page:
[ 25.608853] page:00000000a689d2c9 count:1 mapcount:0 mapping:00000000b70716d5 index:0x0
[ 25.608863] flags: 0x2fffc0000000100(slab)
[ 25.608874] raw: 02fffc0000000100 ffff8801cdaa5000 0000000000000000 0000000100000006
[ 25.608884] raw: ffffea000736a8a0 ffffea000736aa60 ffff8801db000940 0000000000000000
[ 25.608889] page dumped because: kasan: bad access detected
[ 25.608893]
[ 25.608897] Memory state around the buggy address:
[ 25.608905]  ffff8801cdaa5880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 25.608912]  ffff8801cdaa5900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 25.608919] >ffff8801cdaa5980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.608923]                    ^
[ 25.608930]  ffff8801cdaa5a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.608937]  ffff8801cdaa5a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.608941] ==================================================================
[ 25.608945] Disabling lock debugging due to kernel taint
[ 25.608964] Kernel panic - not syncing: panic_on_warn set ...
[ 25.608964]
[ 25.608970] CPU: 1 PID: 3148 Comm: syzkaller437144 Tainted: G B 4.15.0-rc3+ #131
[ 25.608973] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.608975] Call Trace:
[ 25.608981]  dump_stack+0x194/0x257
[ 25.608988]  ? arch_local_irq_restore+0x53/0x53
[ 25.608996]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 25.609009]  ? vsnprintf+0x1ed/0x1900
[ 25.609015]  ? pfkey_add+0x15b0/0x3270
[ 25.609023]  panic+0x1e4/0x41c
[ 25.609029]  ? refcount_error_report+0x214/0x214
[ 25.609038]  ? add_taint+0x1c/0x50
[ 25.609045]  ? add_taint+0x1c/0x50
[ 25.609052]  ? pfkey_add+0x1634/0x3270
[ 25.609058]  kasan_end_report+0x50/0x50
[ 25.609064]  kasan_report+0x144/0x340
[ 25.609074]  check_memory_region+0x137/0x190
[ 25.609080]  memcpy+0x23/0x50
[ 25.609087]  pfkey_add+0x1634/0x3270
[ 25.609101]  ? set_ipsecrequest+0x310/0x310
[ 25.609109]  ? lock_release+0xda0/0xda0
[ 25.609116]  ? set_ipsecrequest+0x310/0x310
[ 25.609124]  pfkey_process+0x60b/0x720
[ 25.609135]  ? pfkey_send_new_mapping+0x11b0/0x11b0
[ 25.609139]  ? kasan_check_write+0x14/0x20
[ 25.609167]  pfkey_sendmsg+0x4d6/0x9f0
[ 25.609176]  ? pfkey_spdget+0xb00/0xb00
[ 25.609185]  ? selinux_socket_sendmsg+0x36/0x40
[ 25.609192]  ? security_socket_sendmsg+0x89/0xb0
[ 25.609198]  ? pfkey_spdget+0xb00/0xb00
[ 25.609206]  sock_sendmsg+0xca/0x110
[ 25.609214]  ___sys_sendmsg+0x75b/0x8a0
[ 25.609225]  ? copy_msghdr_from_user+0x590/0x590
[ 25.609234]  ? check_noncircular+0x20/0x20
[ 25.609244]  ? __pmd_alloc+0x4e0/0x4e0
[ 25.609251]  ? find_held_lock+0x39/0x1d0
[ 25.609258]  ? __fget_light+0x29d/0x390
[ 25.609265]  ? fget_raw+0x20/0x20
[ 25.609276]  ? find_held_lock+0x39/0x1d0
[ 25.609294]  ? __fdget+0x18/0x20
[ 25.609304]  __sys_sendmsg+0xe5/0x210
[ 25.609310]  ? __sys_sendmsg+0xe5/0x210
[ 25.609318]  ? SyS_shutdown+0x290/0x290
[ 25.609323]  ? handle_mm_fault+0x410/0x8d0
[ 25.609329]  ? __do_page_fault+0x32d/0xc90
[ 25.609336]  ? __handle_mm_fault+0x3e20/0x3e20
[ 25.609341]  ? vmacache_find+0x5f/0x280
[ 25.609364]  compat_SyS_sendmsg+0x2a/0x40
[ 25.609371]  ? compat_SyS_getsockopt+0x420/0x420
[ 25.609377]  do_fast_syscall_32+0x3ee/0xf9d
[ 25.609389]  ? do_int80_syscall_32+0x9d0/0x9d0
[ 25.609395]  ? kasan_check_read+0x11/0x20
[ 25.609403]  ? syscall_return_slowpath+0x550/0x550
[ 25.609410]  ? SyS_rt_sigaction+0x94/0x1b0
[ 25.609418]  ? lockdep_sys_exit+0x47/0xf0
[ 25.609424]  ? retint_user+0x18/0x18
[ 25.609434]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 25.609446]  entry_SYSENTER_compat+0x51/0x60
[ 25.609450] RIP: 0023:0xf7f6cc79
[ 25.609452] RSP: 002b:00000000ffeeac4c EFLAGS: 00000203 ORIG_RAX: 0000000000000172
[ 25.609458] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000205f5000
[ 25.609462] RDX: 0000000000000000 RSI: 0000000000000167 RDI: 000000000000000f
[ 25.609465] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
[ 25.609468] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 25.609471] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 25.628688] Dumping ftrace buffer:
[ 25.628691]    (ftrace buffer empty)
[ 25.628694] Kernel Offset: disabled
[ 26.466345] Rebooting in 86400 seconds..