[....] Starting OpenBSD Secure Shell server: sshd[ 8.953159] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 27.289601] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.504654] audit: type=1400 audit(1548027287.289:6): avc: denied { map } for pid=1753 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 27.536847] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.950728] random: sshd: uninitialized urandom read (32 bytes read)
[ 39.577667] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.135' (ECDSA) to the list of known hosts.
[ 45.197741] random: sshd: uninitialized urandom read (32 bytes read)
[ 45.283068] audit: type=1400 audit(1548027305.069:7): avc: denied { map } for pid=1777 comm="syz-executor938" path="/root/syz-executor938364613" dev="sda1" ino=16461 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 45.530598] ==================================================================
[ 45.538012] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[ 45.544649] Read of size 8 at addr ffff8881dabc6b50 by task syz-executor938/1780
[ 45.552151]
[ 45.553878] CPU: 0 PID: 1780 Comm: syz-executor938 Not tainted 4.14.94+ #12
[ 45.561136] Call Trace:
[ 45.563700]  dump_stack+0xb9/0x10e
[ 45.567211]  ? ip_local_deliver+0x43d/0x450
[ 45.571503]  print_address_description+0x60/0x226
[ 45.576313]  ? ip_local_deliver+0x43d/0x450
[ 45.580609]  kasan_report.cold+0x88/0x2a5
[ 45.584861]  ? ip_local_deliver+0x43d/0x450
[ 45.589167]  ? ip_call_ra_chain+0x540/0x540
[ 45.593467]  ? __lock_acquire+0x56a/0x3fa0
[ 45.597674]  ? deref_stack_reg+0xaa/0xe0
[ 45.601707]  ? ip_rcv+0x99f/0xf7a
[ 45.605139]  ? ip_rcv_finish+0x5c9/0x1490
[ 45.609266]  ? ip_rcv+0x9e2/0xf7a
[ 45.612745]  ? ip_local_deliver+0x450/0x450
[ 45.617045]  ? __lock_acquire+0x56a/0x3fa0
[ 45.621260]  ? check_preemption_disabled+0x35/0x1f0
[ 45.626250]  ? ip_local_deliver+0x450/0x450
[ 45.630550]  ? __netif_receive_skb_core+0x1364/0x2c60
[ 45.635913]  ? trace_hardirqs_on+0x10/0x10
[ 45.640127]  ? flush_backlog+0x580/0x580
[ 45.644171]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 45.649334]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 45.654668]  ? lock_acquire+0x10f/0x380
[ 45.658619]  ? __netif_receive_skb+0x55/0x1f0
[ 45.663097]  ? __netif_receive_skb+0x55/0x1f0
[ 45.667567]  ? netif_receive_skb_internal+0xec/0x5c0
[ 45.672648]  ? dev_cpu_dead+0x810/0x810
[ 45.676602]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 45.682026]  ? rcu_read_lock_sched_held+0x10a/0x130
[ 45.687018]  ? tun_rx_batched.isra.0+0x45d/0x730
[ 45.691748]  ? __skb_get_hash_symmetric+0x255/0x620
[ 45.696736]  ? tun_chr_read_iter+0x1c0/0x1c0
[ 45.701120]  ? tun_get_user+0xc07/0x3790
[ 45.705151]  ? __local_bh_enable_ip+0x65/0xc0
[ 45.709825]  ? tun_get_user+0xd95/0x3790
[ 45.713865]  ? tun_rx_batched.isra.0+0x730/0x730
[ 45.718601]  ? debug_mutex_add_waiter+0x60/0x150
[ 45.723327]  ? mark_held_locks+0xa6/0xf0
[ 45.727360]  ? get_page_from_freelist+0x85e/0x1d60
[ 45.732262]  ? preempt_count_add+0xb8/0x180
[ 45.736803]  ? __tun_get+0x11c/0x220
[ 45.740678]  ? check_preemption_disabled+0x35/0x1f0
[ 45.745671]  ? tun_chr_write_iter+0xcf/0x180
[ 45.750056]  ? do_iter_readv_writev+0x379/0x580
[ 45.754697]  ? clone_verify_area+0x1e0/0x1e0
[ 45.759076]  ? avc_policy_seqno+0x5/0x10
[ 45.763112]  ? security_file_permission+0x88/0x1e0
[ 45.768016]  ? do_iter_write+0x152/0x550
[ 45.772070]  ? lock_downgrade+0x5d0/0x5d0
[ 45.776194]  ? vfs_writev+0x146/0x2d0
[ 45.779967]  ? vfs_iter_write+0xa0/0xa0
[ 45.783916]  ? __handle_mm_fault+0x6c5/0x2640
[ 45.788393]  ? __fsnotify_inode_delete+0x20/0x20
[ 45.793270]  ? __do_page_fault+0x48e/0xb80
[ 45.797479]  ? lock_downgrade+0x5d0/0x5d0
[ 45.801599]  ? check_preemption_disabled+0x35/0x1f0
[ 45.806796]  ? do_writev+0xc9/0x240
[ 45.810395]  ? vfs_writev+0x2d0/0x2d0
[ 45.814177]  ? do_syscall_64+0x43/0x4b0
[ 45.818134]  ? SyS_readv+0x30/0x30
[ 45.821645]  ? do_syscall_64+0x19b/0x4b0
[ 45.825681]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.831131]
[ 45.832732] Allocated by task 1780:
[ 45.836458]  kasan_kmalloc.part.0+0x4f/0xd0
[ 45.840960]  kmem_cache_alloc+0xd2/0x2d0
[ 45.845123]  __build_skb+0x2e/0x2d0
[ 45.848743]  build_skb+0x1a/0x1f0
[ 45.852175]  tun_get_user+0x248b/0x3790
[ 45.856120]  tun_chr_write_iter+0xcf/0x180
[ 45.860324]  do_iter_readv_writev+0x379/0x580
[ 45.864788]  do_iter_write+0x152/0x550
[ 45.868645]  vfs_writev+0x146/0x2d0
[ 45.872361]  do_writev+0xc9/0x240
[ 45.875788]  do_syscall_64+0x19b/0x4b0
[ 45.879850]
[ 45.881470] Freed by task 1780:
[ 45.884722]  kasan_slab_free+0xb0/0x190
[ 45.888795]  kmem_cache_free+0xc4/0x330
[ 45.892745]  kfree_skbmem+0xa0/0x100
[ 45.896426]  kfree_skb+0xcd/0x350
[ 45.899852]  ip_defrag+0x5f4/0x3b50
[ 45.903455]  ip_local_deliver+0x165/0x450
[ 45.907571]  ip_rcv_finish+0x5c9/0x1490
[ 45.911520]  ip_rcv+0x9e2/0xf7a
[ 45.914774]  __netif_receive_skb_core+0x1364/0x2c60
[ 45.919760]  __netif_receive_skb+0x55/0x1f0
[ 45.924381]  netif_receive_skb_internal+0xec/0x5c0
[ 45.929287]  tun_rx_batched.isra.0+0x45d/0x730
[ 45.933840]  tun_get_user+0xd95/0x3790
[ 45.937701]  tun_chr_write_iter+0xcf/0x180
[ 45.941907]  do_iter_readv_writev+0x379/0x580
[ 45.946373]  do_iter_write+0x152/0x550
[ 45.950233]  vfs_writev+0x146/0x2d0
[ 45.953840]  do_writev+0xc9/0x240
[ 45.957313]  do_syscall_64+0x19b/0x4b0
[ 45.961293]
[ 45.962920] The buggy address belongs to the object at ffff8881dabc6b40
[ 45.962920]  which belongs to the cache skbuff_head_cache of size 224
[ 45.976269] The buggy address is located 16 bytes inside of
[ 45.976269]  224-byte region [ffff8881dabc6b40, ffff8881dabc6c20)
[ 45.988034] The buggy address belongs to the page:
[ 45.993057] page:ffffea00076af180 count:1 mapcount:0 mapping: (null) index:0x0
[ 46.001177] flags: 0x4000000000000100(slab)
[ 46.005714] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[ 46.013636] raw: dead000000000100 dead000000000200 ffff8881dab58200 0000000000000000
[ 46.021490] page dumped because: kasan: bad access detected
[ 46.027168]
[ 46.028779] Memory state around the buggy address:
[ 46.033686]  ffff8881dabc6a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.041064]  ffff8881dabc6a80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 46.048407] >ffff8881dabc6b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 46.055734]                                   ^
[ 46.061801]  ffff8881dabc6b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.069131]  ffff8881dabc6c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 46.076544] ==================================================================
[ 46.083890] Disabling lock debugging due to kernel taint
[ 46.089366] Kernel panic - not syncing: panic_on_warn set ...
[ 46.089366]
[ 46.096709] CPU: 0 PID: 1780 Comm: syz-executor938 Tainted: G B 4.14.94+ #12
[ 46.104996] Call Trace:
[ 46.107563]  dump_stack+0xb9/0x10e
[ 46.111077]  panic+0x1d9/0x3c2
[ 46.114247]  ? add_taint.cold+0x16/0x16
[ 46.118192]  ? retint_kernel+0x2d/0x2d
[ 46.122054]  ? ip_local_deliver+0x43d/0x450
[ 46.126346]  kasan_end_report+0x43/0x49
[ 46.130425]  kasan_report.cold+0xa4/0x2a5
[ 46.134648]  ? ip_local_deliver+0x43d/0x450
[ 46.139077]  ? ip_call_ra_chain+0x540/0x540
[ 46.143376]  ? __lock_acquire+0x56a/0x3fa0
[ 46.147593]  ? deref_stack_reg+0xaa/0xe0
[ 46.151628]  ? ip_rcv+0x99f/0xf7a
[ 46.155202]  ? ip_rcv_finish+0x5c9/0x1490
[ 46.159327]  ? ip_rcv+0x9e2/0xf7a
[ 46.162752]  ? ip_local_deliver+0x450/0x450
[ 46.167047]  ? __lock_acquire+0x56a/0x3fa0
[ 46.171372]  ? check_preemption_disabled+0x35/0x1f0
[ 46.176363]  ? ip_local_deliver+0x450/0x450
[ 46.180668]  ? __netif_receive_skb_core+0x1364/0x2c60
[ 46.185969]  ? trace_hardirqs_on+0x10/0x10
[ 46.190247]  ? flush_backlog+0x580/0x580
[ 46.194286]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 46.199517]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 46.204867]  ? lock_acquire+0x10f/0x380
[ 46.208824]  ? __netif_receive_skb+0x55/0x1f0
[ 46.213301]  ? __netif_receive_skb+0x55/0x1f0
[ 46.217768]  ? netif_receive_skb_internal+0xec/0x5c0
[ 46.222850]  ? dev_cpu_dead+0x810/0x810
[ 46.226921]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 46.232359]  ? rcu_read_lock_sched_held+0x10a/0x130
[ 46.237356]  ? tun_rx_batched.isra.0+0x45d/0x730
[ 46.242085]  ? __skb_get_hash_symmetric+0x255/0x620
[ 46.247074]  ? tun_chr_read_iter+0x1c0/0x1c0
[ 46.251462]  ? tun_get_user+0xc07/0x3790
[ 46.255650]  ? __local_bh_enable_ip+0x65/0xc0
[ 46.260126]  ? tun_get_user+0xd95/0x3790
[ 46.264282]  ? tun_rx_batched.isra.0+0x730/0x730
[ 46.269013]  ? debug_mutex_add_waiter+0x60/0x150
[ 46.273869]  ? mark_held_locks+0xa6/0xf0
[ 46.277904]  ? get_page_from_freelist+0x85e/0x1d60
[ 46.282932]  ? preempt_count_add+0xb8/0x180
[ 46.287230]  ? __tun_get+0x11c/0x220
[ 46.292699]  ? check_preemption_disabled+0x35/0x1f0
[ 46.297691]  ? tun_chr_write_iter+0xcf/0x180
[ 46.302083]  ? do_iter_readv_writev+0x379/0x580
[ 46.306726]  ? clone_verify_area+0x1e0/0x1e0
[ 46.311109]  ? avc_policy_seqno+0x5/0x10
[ 46.315209]  ? security_file_permission+0x88/0x1e0
[ 46.320120]  ? do_iter_write+0x152/0x550
[ 46.324154]  ? lock_downgrade+0x5d0/0x5d0
[ 46.328274]  ? vfs_writev+0x146/0x2d0
[ 46.332048]  ? vfs_iter_write+0xa0/0xa0
[ 46.335998]  ? __handle_mm_fault+0x6c5/0x2640
[ 46.340490]  ? __fsnotify_inode_delete+0x20/0x20
[ 46.345220]  ? __do_page_fault+0x48e/0xb80
[ 46.349439]  ? lock_downgrade+0x5d0/0x5d0
[ 46.353565]  ? check_preemption_disabled+0x35/0x1f0
[ 46.358562]  ? do_writev+0xc9/0x240
[ 46.362169]  ? vfs_writev+0x2d0/0x2d0
[ 46.365948]  ? do_syscall_64+0x43/0x4b0
[ 46.369899]  ? SyS_readv+0x30/0x30
[ 46.373513]  ? do_syscall_64+0x19b/0x4b0
[ 46.377561]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 46.383304] Kernel Offset: 0x39600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 46.394214] Rebooting in 86400 seconds..