[....] Starting OpenBSD Secure Shell server: sshd[ 9.445743] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 47.959621] random: sshd: uninitialized urandom read (32 bytes read)
[ 48.344310] audit: type=1400 audit(1548826973.339:6): avc: denied { map } for pid=1774 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 48.387770] random: sshd: uninitialized urandom read (32 bytes read)
[ 48.860399] random: sshd: uninitialized urandom read (32 bytes read)
[ 48.994938] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.187' (ECDSA) to the list of known hosts.
[ 54.514690] random: sshd: uninitialized urandom read (32 bytes read)
[ 54.594721] audit: type=1400 audit(1548826979.589:7): avc: denied { map } for pid=1792 comm="syz-executor412" path="/root/syz-executor412398424" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 54.882001] ==================================================================
[ 54.889439] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[ 54.896092] Read of size 8 at addr ffff8881d2b7c010 by task syz-executor412/1795
[ 54.903607]
[ 54.905216] CPU: 1 PID: 1795 Comm: syz-executor412 Not tainted 4.14.96+ #20
[ 54.912285] Call Trace:
[ 54.914860]  dump_stack+0xb9/0x10e
[ 54.918395]  ? ip_local_deliver+0x43d/0x450
[ 54.922706]  print_address_description+0x60/0x226
[ 54.927541]  ? ip_local_deliver+0x43d/0x450
[ 54.931837]  kasan_report.cold+0x88/0x2a5
[ 54.935966]  ? ip_local_deliver+0x43d/0x450
[ 54.940258]  ? ip_call_ra_chain+0x540/0x540
[ 54.944553]  ? __lock_acquire+0x56a/0x3fa0
[ 54.948764]  ? deref_stack_reg+0xaa/0xe0
[ 54.952980]  ? ip_rcv+0x99f/0xf7a
[ 54.956413]  ? ip_rcv_finish+0x5c9/0x1490
[ 54.960539]  ? ip_rcv+0x9e2/0xf7a
[ 54.963968]  ? ip_local_deliver+0x450/0x450
[ 54.968318]  ? __lock_acquire+0x56a/0x3fa0
[ 54.972546]  ? check_preemption_disabled+0x35/0x1f0
[ 54.977702]  ? ip_local_deliver+0x450/0x450
[ 54.982011]  ? __netif_receive_skb_core+0x1364/0x2c60
[ 54.987316]  ? trace_hardirqs_on+0x10/0x10
[ 54.991528]  ? flush_backlog+0x580/0x580
[ 54.995564]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 55.000726]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 55.005894]  ? lock_acquire+0x10f/0x380
[ 55.010117]  ? __netif_receive_skb+0x55/0x1f0
[ 55.014585]  ? __netif_receive_skb+0x55/0x1f0
[ 55.019057]  ? netif_receive_skb_internal+0xec/0x5c0
[ 55.024283]  ? dev_cpu_dead+0x810/0x810
[ 55.028247]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 55.033671]  ? rcu_read_lock_sched_held+0x10a/0x130
[ 55.038676]  ? tun_rx_batched.isra.0+0x45d/0x730
[ 55.043424]  ? __skb_get_hash_symmetric+0x255/0x620
[ 55.048424]  ? __slab_alloc.isra.0.constprop.0+0x76/0x90
[ 55.053851]  ? tun_chr_read_iter+0x1c0/0x1c0
[ 55.058326]  ? tun_get_user+0xc07/0x3790
[ 55.062363]  ? __local_bh_enable_ip+0x65/0xc0
[ 55.066844]  ? tun_get_user+0xd95/0x3790
[ 55.070893]  ? tun_rx_batched.isra.0+0x730/0x730
[ 55.075652]  ? debug_mutex_wake_waiter+0x1d0/0x370
[ 55.080563]  ? __tun_get+0x11c/0x220
[ 55.084256]  ? check_preemption_disabled+0x35/0x1f0
[ 55.089251]  ? tun_chr_write_iter+0xcf/0x180
[ 55.093633]  ? do_iter_readv_writev+0x379/0x580
[ 55.098273]  ? clone_verify_area+0x1e0/0x1e0
[ 55.102806]  ? avc_policy_seqno+0x5/0x10
[ 55.106846]  ? security_file_permission+0x88/0x1e0
[ 55.111761]  ? do_iter_write+0x152/0x550
[ 55.115810]  ? signal_setup_done+0xac/0x270
[ 55.120115]  ? vfs_writev+0x146/0x2d0
[ 55.123898]  ? vfs_iter_write+0xa0/0xa0
[ 55.127856]  ? do_signal+0x488/0x15c0
[ 55.131659]  ? setup_sigcontext+0x810/0x810
[ 55.135974]  ? pgtable_bad+0x110/0x110
[ 55.139851]  ? __bad_area_nosemaphore+0x25f/0x280
[ 55.144683]  ? is_prefetch.isra.0.part.0+0x210/0x330
[ 55.149767]  ? do_writev+0xc9/0x240
[ 55.153372]  ? vfs_writev+0x2d0/0x2d0
[ 55.157154]  ? do_syscall_64+0x43/0x4b0
[ 55.161158]  ? SyS_readv+0x30/0x30
[ 55.164684]  ? do_syscall_64+0x19b/0x4b0
[ 55.168724]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 55.174069]
[ 55.175682] Allocated by task 1795:
[ 55.179288]  kasan_kmalloc.part.0+0x4f/0xd0
[ 55.183588]  kmem_cache_alloc+0xd2/0x2d0
[ 55.187646]  __build_skb+0x2e/0x2d0
[ 55.191251]  build_skb+0x1a/0x1f0
[ 55.194679]  tun_get_user+0x248b/0x3790
[ 55.198804]  tun_chr_write_iter+0xcf/0x180
[ 55.203015]  do_iter_readv_writev+0x379/0x580
[ 55.207490]  do_iter_write+0x152/0x550
[ 55.211352]  vfs_writev+0x146/0x2d0
[ 55.215057]  do_writev+0xc9/0x240
[ 55.218489]  do_syscall_64+0x19b/0x4b0
[ 55.222349]
[ 55.224087] Freed by task 1795:
[ 55.227616]  kasan_slab_free+0xb0/0x190
[ 55.231621]  kmem_cache_free+0xc4/0x330
[ 55.235576]  kfree_skbmem+0xa0/0x100
[ 55.239271]  kfree_skb+0xcd/0x350
[ 55.242704]  ip_defrag+0x5f4/0x3b50
[ 55.246320]  ip_local_deliver+0x165/0x450
[ 55.250494]  ip_rcv_finish+0x5c9/0x1490
[ 55.254453]  ip_rcv+0x9e2/0xf7a
[ 55.257709]  __netif_receive_skb_core+0x1364/0x2c60
[ 55.262701]  __netif_receive_skb+0x55/0x1f0
[ 55.267174]  netif_receive_skb_internal+0xec/0x5c0
[ 55.272092]  tun_rx_batched.isra.0+0x45d/0x730
[ 55.276654]  tun_get_user+0xd95/0x3790
[ 55.280513]  tun_chr_write_iter+0xcf/0x180
[ 55.284726]  do_iter_readv_writev+0x379/0x580
[ 55.289196]  do_iter_write+0x152/0x550
[ 55.293077]  vfs_writev+0x146/0x2d0
[ 55.296683]  do_writev+0xc9/0x240
[ 55.300198]  do_syscall_64+0x19b/0x4b0
[ 55.304066]
[ 55.305669] The buggy address belongs to the object at ffff8881d2b7c000
[ 55.305669]  which belongs to the cache skbuff_head_cache of size 224
[ 55.318833] The buggy address is located 16 bytes inside of
[ 55.318833]  224-byte region [ffff8881d2b7c000, ffff8881d2b7c0e0)
[ 55.330773] The buggy address belongs to the page:
[ 55.335682] page:ffffea00074adf00 count:1 mapcount:0 mapping: (null) index:0x0
[ 55.343798] flags: 0x4000000000000100(slab)
[ 55.348096] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[ 55.355955] raw: dead000000000100 dead000000000200 ffff8881d6758200 0000000000000000
[ 55.363809] page dumped because: kasan: bad access detected
[ 55.369490]
[ 55.371094] Memory state around the buggy address:
[ 55.376041]  ffff8881d2b7bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 55.383386]  ffff8881d2b7bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 55.390727] >ffff8881d2b7c000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.398060]                    ^
[ 55.401939]  ffff8881d2b7c080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 55.409289]  ffff8881d2b7c100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 55.416621] ==================================================================
[ 55.423952] Disabling lock debugging due to kernel taint
[ 55.429402] Kernel panic - not syncing: panic_on_warn set ...
[ 55.429402]
[ 55.436746] CPU: 1 PID: 1795 Comm: syz-executor412 Tainted: G B 4.14.96+ #20
[ 55.445034] Call Trace:
[ 55.447608]  dump_stack+0xb9/0x10e
[ 55.451130]  panic+0x1d9/0x3c2
[ 55.454346]  ? add_taint.cold+0x16/0x16
[ 55.458303]  ? retint_kernel+0x2d/0x2d
[ 55.462175]  ? ip_local_deliver+0x43d/0x450
[ 55.466472]  kasan_end_report+0x43/0x49
[ 55.470425]  kasan_report.cold+0xa4/0x2a5
[ 55.474562]  ? ip_local_deliver+0x43d/0x450
[ 55.478864]  ? ip_call_ra_chain+0x540/0x540
[ 55.483170]  ? __lock_acquire+0x56a/0x3fa0
[ 55.487385]  ? deref_stack_reg+0xaa/0xe0
[ 55.491579]  ? ip_rcv+0x99f/0xf7a
[ 55.495012]  ? ip_rcv_finish+0x5c9/0x1490
[ 55.499367]  ? ip_rcv+0x9e2/0xf7a
[ 55.502805]  ? ip_local_deliver+0x450/0x450
[ 55.507106]  ? __lock_acquire+0x56a/0x3fa0
[ 55.511324]  ? check_preemption_disabled+0x35/0x1f0
[ 55.516319]  ? ip_local_deliver+0x450/0x450
[ 55.520625]  ? __netif_receive_skb_core+0x1364/0x2c60
[ 55.525796]  ? trace_hardirqs_on+0x10/0x10
[ 55.530026]  ? flush_backlog+0x580/0x580
[ 55.534081]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 55.539257]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 55.544429]  ? lock_acquire+0x10f/0x380
[ 55.548388]  ? __netif_receive_skb+0x55/0x1f0
[ 55.552873]  ? __netif_receive_skb+0x55/0x1f0
[ 55.557423]  ? netif_receive_skb_internal+0xec/0x5c0
[ 55.562520]  ? dev_cpu_dead+0x810/0x810
[ 55.566485]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 55.571924]  ? rcu_read_lock_sched_held+0x10a/0x130
[ 55.576932]  ? tun_rx_batched.isra.0+0x45d/0x730
[ 55.581683]  ? __skb_get_hash_symmetric+0x255/0x620
[ 55.586691]  ? __slab_alloc.isra.0.constprop.0+0x76/0x90
[ 55.592135]  ? tun_chr_read_iter+0x1c0/0x1c0
[ 55.596539]  ? tun_get_user+0xc07/0x3790
[ 55.600600]  ? __local_bh_enable_ip+0x65/0xc0
[ 55.605082]  ? tun_get_user+0xd95/0x3790
[ 55.609139]  ? tun_rx_batched.isra.0+0x730/0x730
[ 55.613880]  ? debug_mutex_wake_waiter+0x1d0/0x370
[ 55.618800]  ? __tun_get+0x11c/0x220
[ 55.622524]  ? check_preemption_disabled+0x35/0x1f0
[ 55.627532]  ? tun_chr_write_iter+0xcf/0x180
[ 55.631930]  ? do_iter_readv_writev+0x379/0x580
[ 55.636587]  ? clone_verify_area+0x1e0/0x1e0
[ 55.640982]  ? avc_policy_seqno+0x5/0x10
[ 55.645033]  ? security_file_permission+0x88/0x1e0
[ 55.649954]  ? do_iter_write+0x152/0x550
[ 55.654000]  ? signal_setup_done+0xac/0x270
[ 55.658306]  ? vfs_writev+0x146/0x2d0
[ 55.662091]  ? vfs_iter_write+0xa0/0xa0
[ 55.666055]  ? do_signal+0x488/0x15c0
[ 55.669846]  ? setup_sigcontext+0x810/0x810
[ 55.674159]  ? pgtable_bad+0x110/0x110
[ 55.678030]  ? __bad_area_nosemaphore+0x25f/0x280
[ 55.682860]  ? is_prefetch.isra.0.part.0+0x210/0x330
[ 55.687953]  ? do_writev+0xc9/0x240
[ 55.691565]  ? vfs_writev+0x2d0/0x2d0
[ 55.695353]  ? do_syscall_64+0x43/0x4b0
[ 55.699420]  ? SyS_readv+0x30/0x30
[ 55.703055]  ? do_syscall_64+0x19b/0x4b0
[ 55.707117]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 55.712879] Kernel Offset: 0x29a00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 55.723787] Rebooting in 86400 seconds..