[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
       Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.17' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 31.519220] audit: type=1400 audit(1602499870.509:8): avc: denied { execmem } for pid=6380 comm="syz-executor189" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 31.524411] ntfs: (device loop0): is_boot_sector_ntfs(): Invalid end of sector marker.
[ 31.549360] ==================================================================
[ 31.556744] BUG: KASAN: slab-out-of-bounds in ntfs_attr_find+0x8df/0xa10
[ 31.563572] Read of size 4 at addr ffff8880973ae913 by task syz-executor189/6380
[ 31.571089]
[ 31.572706] CPU: 0 PID: 6380 Comm: syz-executor189 Not tainted 4.14.198-syzkaller #0
[ 31.580557] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.589981] Call Trace:
[ 31.592549]  dump_stack+0x1b2/0x283
[ 31.596162]  print_address_description.cold+0x54/0x1d3
[ 31.601423]  kasan_report_error.cold+0x8a/0x194
[ 31.606065]  ? ntfs_attr_find+0x8df/0xa10
[ 31.610188]  __asan_report_load_n_noabort+0x6b/0x80
[ 31.615177]  ? ntfs_attr_find+0x8df/0xa10
[ 31.619299]  ntfs_attr_find+0x8df/0xa10
[ 31.623266]  ntfs_attr_lookup+0xeca/0x1f30
[ 31.627486]  ? do_raw_spin_unlock+0x164/0x220
[ 31.631955]  ? _raw_spin_unlock+0x29/0x40
[ 31.636074]  ? cache_alloc_refill+0x2fa/0x350
[ 31.640544]  ? check_preemption_disabled+0x35/0x240
[ 31.645532]  ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0
[ 31.650853]  ? kmem_cache_alloc+0x2f8/0x3c0
[ 31.655160]  ntfs_read_inode_mount+0x6b4/0x1fb0
[ 31.659906]  ntfs_fill_super+0x9a6/0x7170
[ 31.664046]  ? vsnprintf+0x260/0x1340
[ 31.667819]  ? pointer+0x9e0/0x9e0
[ 31.671337]  ? lock_downgrade+0x740/0x740
[ 31.675455]  ? ntfs_big_inode_init_once+0x20/0x20
[ 31.680280]  ? snprintf+0xa5/0xd0
[ 31.683704]  ? vsprintf+0x30/0x30
[ 31.687128]  ? ns_test_super+0x50/0x50
[ 31.690989]  ? set_blocksize+0x125/0x380
[ 31.695020]  mount_bdev+0x2b3/0x360
[ 31.698616]  ? ntfs_big_inode_init_once+0x20/0x20
[ 31.703429]  mount_fs+0x92/0x2a0
[ 31.706765]  vfs_kern_mount.part.0+0x5b/0x470
[ 31.711231]  do_mount+0xe53/0x2a00
[ 31.714742]  ? copy_mount_string+0x40/0x40
[ 31.718948]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 31.723933]  ? copy_mnt_ns+0xa30/0xa30
[ 31.727792]  ? copy_mount_options+0x1fa/0x2f0
[ 31.732271]  ? copy_mnt_ns+0xa30/0xa30
[ 31.736126]  SyS_mount+0xa8/0x120
[ 31.739548]  ? copy_mnt_ns+0xa30/0xa30
[ 31.743418]  do_syscall_64+0x1d5/0x640
[ 31.747293]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 31.752455] RIP: 0033:0x446e1a
[ 31.755615] RSP: 002b:00007fff587ebf58 EFLAGS: 00000287 ORIG_RAX: 00000000000000a5
[ 31.763291] RAX: ffffffffffffffda RBX: 00007fff587ebfb0 RCX: 0000000000446e1a
[ 31.770534] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fff587ebf70
[ 31.777775] RBP: 00007fff587ebf70 R08: 00007fff587ebfb0 R09: 00007fff00000015
[ 31.785017] R10: 0000000000000000 R11: 0000000000000287 R12: 0000000000000002
[ 31.792257] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 31.799502]
[ 31.801101] Allocated by task 6382:
[ 31.804702]  kasan_kmalloc+0xeb/0x160
[ 31.808480]  kmem_cache_alloc+0x124/0x3c0
[ 31.812606]  getname_flags+0xc8/0x550
[ 31.816377]  user_path_at_empty+0x2a/0x50
[ 31.820496]  vfs_statx+0xd1/0x180
[ 31.823921]  SyS_newlstat+0x83/0xe0
[ 31.827519]  do_syscall_64+0x1d5/0x640
[ 31.831376]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 31.836535]
[ 31.838143] Freed by task 6382:
[ 31.841394]  kasan_slab_free+0xc3/0x1a0
[ 31.845339]  kmem_cache_free+0x7c/0x2b0
[ 31.849288]  putname+0xcd/0x110
[ 31.852626]  filename_lookup+0x37b/0x510
[ 31.856656]  vfs_statx+0xd1/0x180
[ 31.860080]  SyS_newlstat+0x83/0xe0
[ 31.863687]  do_syscall_64+0x1d5/0x640
[ 31.867544]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 31.872700]
[ 31.874300] The buggy address belongs to the object at ffff8880973aed40
[ 31.874300]  which belongs to the cache names_cache of size 4096
[ 31.887011] The buggy address is located 1069 bytes to the left of
[ 31.887011]  4096-byte region [ffff8880973aed40, ffff8880973afd40)
[ 31.899461] The buggy address belongs to the page:
[ 31.904362] page:ffffea00025ceb80 count:1 mapcount:0 mapping:ffff8880973aed40 index:0x0 compound_mapcount: 0
[ 31.914390] flags: 0xfffe0000008100(slab|head)
[ 31.918946] raw: 00fffe0000008100 ffff8880973aed40 0000000000000000 0000000100000001
[ 31.926801] raw: ffffea00025dd020 ffffea00025e94a0 ffff8880aa58ccc0 0000000000000000
[ 31.934661] page dumped because: kasan: bad access detected
[ 31.940341]
[ 31.941948] Memory state around the buggy address:
[ 31.946856]  ffff8880973ae800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.954188]  ffff8880973ae880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.961518] >ffff8880973ae900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.968844]                          ^
[ 31.972711]  ffff8880973ae980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.980666]  ffff8880973aea00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.988144] ==================================================================
[ 31.995475] Disabling lock debugging due to kernel taint
[ 32.001504] Kernel panic - not syncing: panic_on_warn set ...
[ 32.001504]
[ 32.008950] CPU: 0 PID: 6380 Comm: syz-executor189 Tainted: G    B   4.14.198-syzkaller #0
[ 32.018033] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.027370] Call Trace:
[ 32.029937]  dump_stack+0x1b2/0x283
[ 32.033536]  panic+0x1f9/0x42d
[ 32.036700]  ? add_taint.cold+0x16/0x16
[ 32.040697]  ? ___preempt_schedule+0x16/0x18
[ 32.045093]  kasan_end_report+0x43/0x49
[ 32.049050]  kasan_report_error.cold+0xa7/0x194
[ 32.053693]  ? ntfs_attr_find+0x8df/0xa10
[ 32.057822]  __asan_report_load_n_noabort+0x6b/0x80
[ 32.062832]  ? ntfs_attr_find+0x8df/0xa10
[ 32.066949]  ntfs_attr_find+0x8df/0xa10
[ 32.070909]  ntfs_attr_lookup+0xeca/0x1f30
[ 32.075131]  ? do_raw_spin_unlock+0x164/0x220
[ 32.079606]  ? _raw_spin_unlock+0x29/0x40
[ 32.083747]  ? cache_alloc_refill+0x2fa/0x350
[ 32.088217]  ? check_preemption_disabled+0x35/0x240
[ 32.093208]  ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0
[ 32.098455]  ? kmem_cache_alloc+0x2f8/0x3c0
[ 32.102750]  ntfs_read_inode_mount+0x6b4/0x1fb0
[ 32.107410]  ntfs_fill_super+0x9a6/0x7170
[ 32.111536]  ? vsnprintf+0x260/0x1340
[ 32.115307]  ? pointer+0x9e0/0x9e0
[ 32.118821]  ? lock_downgrade+0x740/0x740
[ 32.122942]  ? ntfs_big_inode_init_once+0x20/0x20
[ 32.127757]  ? snprintf+0xa5/0xd0
[ 32.131192]  ? vsprintf+0x30/0x30
[ 32.134619]  ? ns_test_super+0x50/0x50
[ 32.138476]  ? set_blocksize+0x125/0x380
[ 32.143056]  mount_bdev+0x2b3/0x360
[ 32.146667]  ? ntfs_big_inode_init_once+0x20/0x20
[ 32.151489]  mount_fs+0x92/0x2a0
[ 32.154834]  vfs_kern_mount.part.0+0x5b/0x470
[ 32.159303]  do_mount+0xe53/0x2a00
[ 32.162826]  ? copy_mount_string+0x40/0x40
[ 32.167034]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 32.172023]  ? copy_mnt_ns+0xa30/0xa30
[ 32.176128]  ? copy_mount_options+0x1fa/0x2f0
[ 32.180596]  ? copy_mnt_ns+0xa30/0xa30
[ 32.184454]  SyS_mount+0xa8/0x120
[ 32.187882]  ? copy_mnt_ns+0xa30/0xa30
[ 32.191761]  do_syscall_64+0x1d5/0x640
[ 32.195624]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 32.200802] RIP: 0033:0x446e1a
[ 32.203972] RSP: 002b:00007fff587ebf58 EFLAGS: 00000287 ORIG_RAX: 00000000000000a5
[ 32.211649] RAX: ffffffffffffffda RBX: 00007fff587ebfb0 RCX: 0000000000446e1a
[ 32.218976] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fff587ebf70
[ 32.226219] RBP: 00007fff587ebf70 R08: 00007fff587ebfb0 R09: 00007fff00000015
[ 32.233462] R10: 0000000000000000 R11: 0000000000000287 R12: 0000000000000002
[ 32.240704] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 32.249167] Kernel Offset: disabled
[ 32.252777] Rebooting in 86400 seconds..