[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.45' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 55.087721] ==================================================================
[ 55.095191] BUG: KASAN: slab-out-of-bounds in hfs_asc2mac+0x68f/0x710
[ 55.101767] Write of size 1 at addr ffff8880aae4a84e by task syz-executor345/8134
[ 55.109374]
[ 55.111002] CPU: 0 PID: 8134 Comm: syz-executor345 Not tainted 4.19.211-syzkaller #0
[ 55.118867] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 55.128195] Call Trace:
[ 55.130764]  dump_stack+0x1fc/0x2ef
[ 55.134377]  print_address_description.cold+0x54/0x219
[ 55.139636]  kasan_report_error.cold+0x8a/0x1b9
[ 55.144288]  ? hfs_asc2mac+0x68f/0x710
[ 55.148154]  __asan_report_store1_noabort+0x88/0x90
[ 55.153148]  ? hfs_asc2mac+0x68f/0x710
[ 55.157014]  hfs_asc2mac+0x68f/0x710
[ 55.160711]  ? hfs_mac2asc+0x530/0x530
[ 55.164576]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 55.169572]  ? __kmalloc+0x38e/0x3c0
[ 55.173262]  ? hfs_find_init+0x91/0x230
[ 55.177225]  hfs_cat_build_key+0xbe/0x1a0
[ 55.181355]  hfs_lookup+0x1c2/0x300
[ 55.184960]  ? hfs_rename+0x200/0x200
[ 55.188744]  ? __d_lookup_rcu+0x6b0/0x6b0
[ 55.192867]  ? __d_lookup+0x411/0x710
[ 55.196647]  ? mark_held_locks+0xa6/0xf0
[ 55.200684]  ? d_lookup+0x1aa/0x250
[ 55.204289]  ? d_lookup+0x18e/0x250
[ 55.207894]  ? hfs_rename+0x200/0x200
[ 55.211671]  lookup_open+0x698/0x1a20
[ 55.215452]  ? vfs_mkdir+0x7a0/0x7a0
[ 55.219146]  ? lookup_fast+0x4e9/0x1080
[ 55.223099]  ? path_openat+0x17ec/0x2df0
[ 55.227140]  path_openat+0x1804/0x2df0
[ 55.231009]  ? path_lookupat+0x8d0/0x8d0
[ 55.235048]  ? mark_held_locks+0xf0/0xf0
[ 55.239088]  ? __lock_acquire+0x6de/0x3ff0
[ 55.243304]  do_filp_open+0x18c/0x3f0
[ 55.247082]  ? may_open_dev+0xf0/0xf0
[ 55.250861]  ? lock_downgrade+0x720/0x720
[ 55.254985]  ? lock_acquire+0x170/0x3c0
[ 55.258936]  ? __alloc_fd+0x34/0x570
[ 55.262627]  ? do_raw_spin_unlock+0x171/0x230
[ 55.267103]  ? _raw_spin_unlock+0x29/0x40
[ 55.271227]  ? __alloc_fd+0x28d/0x570
[ 55.275010]  do_sys_open+0x3b3/0x520
[ 55.278701]  ? filp_open+0x70/0x70
[ 55.282223]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 55.287564]  ? trace_hardirqs_off_caller+0x6e/0x210
[ 55.292564]  ? do_syscall_64+0x21/0x620
[ 55.296518]  do_syscall_64+0xf9/0x620
[ 55.300299]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 55.305469] RIP: 0033:0x7f8e92fbf849
[ 55.309159] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 55.328035] RSP: 002b:00007ffd03bcbff8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 55.335730] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f8e92fbf849
[ 55.342984] RDX: 0000000000000100 RSI: 0000000000002000 RDI: 0000000020000800
[ 55.350239] RBP: 00007f8e92f7f0e0 R08: 0000000000000245 R09: 0000000000000000
[ 55.357486] R10: 00007ffd03bcbec0 R11: 0000000000000246 R12: 00007f8e92f7f170
[ 55.364735] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 55.371992]
[ 55.373601] Allocated by task 8134:
[ 55.377208]  __kmalloc+0x15a/0x3c0
[ 55.380725]  hfs_find_init+0x91/0x230
[ 55.384503]  hfs_lookup+0xfe/0x300
[ 55.388019]  lookup_open+0x698/0x1a20
[ 55.391797]  path_openat+0x1804/0x2df0
[ 55.395662]  do_filp_open+0x18c/0x3f0
[ 55.399440]  do_sys_open+0x3b3/0x520
[ 55.403132]  do_syscall_64+0xf9/0x620
[ 55.406915]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 55.412076]
[ 55.413680] Freed by task 6314:
[ 55.416941]  kfree+0xcc/0x210
[ 55.420025]  apparmor_file_free_security+0x9a/0xd0
[ 55.424934]  security_file_free+0x3e/0x70
[ 55.429058]  __fput+0x42a/0x890
[ 55.432315]  task_work_run+0x148/0x1c0
[ 55.436179]  exit_to_usermode_loop+0x251/0x2a0
[ 55.440736]  do_syscall_64+0x538/0x620
[ 55.444601]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 55.449760]
[ 55.451366] The buggy address belongs to the object at ffff8880aae4a800
[ 55.451366]  which belongs to the cache kmalloc-96 of size 96
[ 55.463912] The buggy address is located 78 bytes inside of
[ 55.463912]  96-byte region [ffff8880aae4a800, ffff8880aae4a860)
[ 55.475588] The buggy address belongs to the page:
[ 55.480494] page:ffffea0002ab9280 count:1 mapcount:0 mapping:ffff88813bff04c0 index:0x0
[ 55.488610] flags: 0xfff00000000100(slab)
[ 55.492735] raw: 00fff00000000100 ffffea0002aa4308 ffffea0002aaed88 ffff88813bff04c0
[ 55.500595] raw: 0000000000000000 ffff8880aae4a000 0000000100000020 0000000000000000
[ 55.508448] page dumped because: kasan: bad access detected
[ 55.514130]
[ 55.515731] Memory state around the buggy address:
[ 55.520634]  ffff8880aae4a700: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 55.527968]  ffff8880aae4a780: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 55.535301] >ffff8880aae4a800: 00 00 00 00 00 00 00 00 00 06 fc fc fc fc fc fc
[ 55.542633]                                               ^
[ 55.548321]  ffff8880aae4a880: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 55.555654]  ffff8880aae4a900: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 55.562987] ==================================================================
[ 55.570326] Disabling lock debugging due to kernel taint
[ 55.576640] Kernel panic - not syncing: panic_on_warn set ...
[ 55.576640]
[ 55.584016] CPU: 1 PID: 8134 Comm: syz-executor345 Tainted: G B 4.19.211-syzkaller #0
[ 55.593278] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 55.602620] Call Trace:
[ 55.605201]  dump_stack+0x1fc/0x2ef
[ 55.608829]  panic+0x26a/0x50e
[ 55.612021]  ? __warn_printk+0xf3/0xf3
[ 55.615906]  ? preempt_schedule_common+0x45/0xc0
[ 55.620657]  ? ___preempt_schedule+0x16/0x18
[ 55.625046]  ? trace_hardirqs_on+0x55/0x210
[ 55.629346]  kasan_end_report+0x43/0x49
[ 55.633306]  kasan_report_error.cold+0xa7/0x1b9
[ 55.637952]  ? hfs_asc2mac+0x68f/0x710
[ 55.641816]  __asan_report_store1_noabort+0x88/0x90
[ 55.646806]  ? hfs_asc2mac+0x68f/0x710
[ 55.650666]  hfs_asc2mac+0x68f/0x710
[ 55.654362]  ? hfs_mac2asc+0x530/0x530
[ 55.658227]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 55.663219]  ? __kmalloc+0x38e/0x3c0
[ 55.666908]  ? hfs_find_init+0x91/0x230
[ 55.670858]  hfs_cat_build_key+0xbe/0x1a0
[ 55.674981]  hfs_lookup+0x1c2/0x300
[ 55.678584]  ? hfs_rename+0x200/0x200
[ 55.682363]  ? __d_lookup_rcu+0x6b0/0x6b0
[ 55.686486]  ? __d_lookup+0x411/0x710
[ 55.690265]  ? mark_held_locks+0xa6/0xf0
[ 55.694301]  ? d_lookup+0x1aa/0x250
[ 55.697993]  ? d_lookup+0x18e/0x250
[ 55.701596]  ? hfs_rename+0x200/0x200
[ 55.705375]  lookup_open+0x698/0x1a20
[ 55.709161]  ? vfs_mkdir+0x7a0/0x7a0
[ 55.712854]  ? lookup_fast+0x4e9/0x1080
[ 55.716804]  ? path_openat+0x17ec/0x2df0
[ 55.720843]  path_openat+0x1804/0x2df0
[ 55.724710]  ? path_lookupat+0x8d0/0x8d0
[ 55.728768]  ? mark_held_locks+0xf0/0xf0
[ 55.732808]  ? __lock_acquire+0x6de/0x3ff0
[ 55.737018]  do_filp_open+0x18c/0x3f0
[ 55.740792]  ? may_open_dev+0xf0/0xf0
[ 55.744570]  ? lock_downgrade+0x720/0x720
[ 55.748695]  ? lock_acquire+0x170/0x3c0
[ 55.752646]  ? __alloc_fd+0x34/0x570
[ 55.756337]  ? do_raw_spin_unlock+0x171/0x230
[ 55.760811]  ? _raw_spin_unlock+0x29/0x40
[ 55.764934]  ? __alloc_fd+0x28d/0x570
[ 55.768711]  do_sys_open+0x3b3/0x520
[ 55.772402]  ? filp_open+0x70/0x70
[ 55.775921]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 55.781277]  ? trace_hardirqs_off_caller+0x6e/0x210
[ 55.786272]  ? do_syscall_64+0x21/0x620
[ 55.790222]  do_syscall_64+0xf9/0x620
[ 55.794006]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 55.799173] RIP: 0033:0x7f8e92fbf849
[ 55.802863] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 55.821737] RSP: 002b:00007ffd03bcbff8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 55.829422] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f8e92fbf849
[ 55.836670] RDX: 0000000000000100 RSI: 0000000000002000 RDI: 0000000020000800
[ 55.843913] RBP: 00007f8e92f7f0e0 R08: 0000000000000245 R09: 0000000000000000
[ 55.851155] R10: 00007ffd03bcbec0 R11: 0000000000000246 R12: 00007f8e92f7f170
[ 55.858399] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 55.865819] Kernel Offset: disabled
[ 55.869426] Rebooting in 86400 seconds..