[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 12.592555] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 14.585723] random: sshd: uninitialized urandom read (32 bytes read)
[ 14.831301] random: sshd: uninitialized urandom read (32 bytes read)
[ 15.306493] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.12' (ECDSA) to the list of known hosts.
[ 21.035419] urandom_read: 1 callbacks suppressed
[ 21.035423] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 21.150568] ==================================================================
[ 21.157989] BUG: KASAN: use-after-free in _copy_to_user+0x9a/0xc0
[ 21.164222] Read of size 1033 at addr ffff8801cbbffffc by task syz-executor113/1961
[ 21.172003]
[ 21.173610] CPU: 0 PID: 1961 Comm: syz-executor113 Not tainted 4.14.67+ #1
[ 21.180602] Call Trace:
[ 21.183180]  dump_stack+0xb9/0x11b
[ 21.186700]  print_address_description+0x60/0x22b
[ 21.191786]  kasan_report.cold.6+0x11b/0x2dd
[ 21.196172]  ? _copy_to_user+0x9a/0xc0
[ 21.200044]  _copy_to_user+0x9a/0xc0
[ 21.203749]  bpf_test_finish.isra.0+0xc8/0x190
[ 21.208305]  ? bpf_test_run+0x350/0x350
[ 21.212257]  ? kvm_clock_read+0x1f/0x30
[ 21.216210]  ? ktime_get+0x17f/0x1c0
[ 21.219901]  ? bpf_test_run+0x280/0x350
[ 21.223860]  bpf_prog_test_run_skb+0x4d0/0x8c0
[ 21.228428]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 21.232903]  ? __fget_light+0x163/0x1f0
[ 21.236851]  ? bpf_prog_add+0x42/0xa0
[ 21.240637]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 21.245108]  SyS_bpf+0x79d/0x3640
[ 21.248557]  ? bpf_prog_get+0x20/0x20
[ 21.252334]  ? __do_page_fault+0x485/0xb60
[ 21.256546]  ? lock_downgrade+0x560/0x560
[ 21.260676]  ? up_read+0x17/0x30
[ 21.264036]  ? __do_page_fault+0x64c/0xb60
[ 21.268247]  ? do_syscall_64+0x43/0x4b0
[ 21.272198]  ? bpf_prog_get+0x20/0x20
[ 21.275974]  do_syscall_64+0x19b/0x4b0
[ 21.279854]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 21.285023] RIP: 0033:0x440259
[ 21.288191] RSP: 002b:00007ffe76de4bf8 EFLAGS: 00000213 ORIG_RAX: 0000000000000141
[ 21.295874] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440259
[ 21.303123] RDX: 0000000000000028 RSI: 0000000020000300 RDI: 000000000000000a
[ 21.310377] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 21.317630] R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401ae0
[ 21.324877] R13: 0000000000401b70 R14: 0000000000000000 R15: 0000000000000000
[ 21.332134]
[ 21.333739] The buggy address belongs to the page:
[ 21.338666] page:ffffea00072effc0 count:0 mapcount:0 mapping:          (null) index:0x1
[ 21.346803] flags: 0x4000000000000000()
[ 21.350758] raw: 4000000000000000 0000000000000000 0000000000000001 00000000ffffffff
[ 21.358612] raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000
[ 21.366479] page dumped because: kasan: bad access detected
[ 21.372180]
[ 21.373799] Memory state around the buggy address:
[ 21.378704]  ffff8801cbbffe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 21.386043]  ffff8801cbbfff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 21.393385] >ffff8801cbbfff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 21.400720]                                                                ^
[ 21.407964]  ffff8801cbc00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 21.415300]  ffff8801cbc00080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 21.422632] ==================================================================
[ 21.429982] Disabling lock debugging due to kernel taint
[ 21.435957] Kernel panic - not syncing: panic_on_warn set ...
[ 21.435957]
[ 21.443323] CPU: 0 PID: 1961 Comm: syz-executor113 Tainted: G B 4.14.67+ #1
[ 21.451541] Call Trace:
[ 21.454106]  dump_stack+0xb9/0x11b
[ 21.457629]  panic+0x1bf/0x3a4
[ 21.460799]  ? add_taint.cold.4+0x16/0x16
[ 21.464922]  ? ___preempt_schedule+0x16/0x18
[ 21.469309]  kasan_end_report+0x43/0x49
[ 21.473266]  kasan_report.cold.6+0x77/0x2dd
[ 21.477582]  ? _copy_to_user+0x9a/0xc0
[ 21.481462]  _copy_to_user+0x9a/0xc0
[ 21.485170]  bpf_test_finish.isra.0+0xc8/0x190
[ 21.489731]  ? bpf_test_run+0x350/0x350
[ 21.493687]  ? kvm_clock_read+0x1f/0x30
[ 21.497643]  ? ktime_get+0x17f/0x1c0
[ 21.501334]  ? bpf_test_run+0x280/0x350
[ 21.505416]  bpf_prog_test_run_skb+0x4d0/0x8c0
[ 21.510060]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 21.514541]  ? __fget_light+0x163/0x1f0
[ 21.518488]  ? bpf_prog_add+0x42/0xa0
[ 21.522263]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 21.526737]  SyS_bpf+0x79d/0x3640
[ 21.530173]  ? bpf_prog_get+0x20/0x20
[ 21.533949]  ? __do_page_fault+0x485/0xb60
[ 21.538158]  ? lock_downgrade+0x560/0x560
[ 21.542281]  ? up_read+0x17/0x30
[ 21.545626]  ? __do_page_fault+0x64c/0xb60
[ 21.549848]  ? do_syscall_64+0x43/0x4b0
[ 21.553805]  ? bpf_prog_get+0x20/0x20
[ 21.557585]  do_syscall_64+0x19b/0x4b0
[ 21.561453]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 21.566622] RIP: 0033:0x440259
[ 21.569798] RSP: 002b:00007ffe76de4bf8 EFLAGS: 00000213 ORIG_RAX: 0000000000000141
[ 21.577482] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440259
[ 21.584833] RDX: 0000000000000028 RSI: 0000000020000300 RDI: 000000000000000a
[ 21.592083] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 21.599397] R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401ae0
[ 21.606645] R13: 0000000000401b70 R14: 0000000000000000 R15: 0000000000000000
[ 21.614165] Dumping ftrace buffer:
[ 21.617679]    (ftrace buffer empty)
[ 21.621408] Kernel Offset: 0x27200000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 21.632310] Rebooting in 86400 seconds..
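Triage notes and a helper script, added here as an example; the script is not syzkaller's or the kernel's code. What the report above says on its face: a 1033-byte read by _copy_to_user, reached from bpf_test_finish inside bpf_prog_test_run_skb under SyS_bpf, starts at ffff8801cbbffffc, four bytes before the page boundary at ffff8801cbc00000. The shadow bytes for that page are ff, which in this kernel's KASAN encoding (mm/kasan/kasan.h, KASAN_FREE_PAGE) marks a page returned to the page allocator, and the struct page dump agrees: count:0 with the dead000000000100/dead000000000200 list-poison values. The next page is shadowed 00 (accessible), so only the first four bytes of the copy hit freed memory; KASAN reports at the first bad byte, which is why the caret sits on the last shadow byte of the row. The user-space register dump ties it to the syscall: ORIG_RAX 0x141 is __NR_bpf on x86_64, RDI 0xa is BPF_PROG_TEST_RUN in enum bpf_cmd, and RDX 0x28 is the attr size passed. The script below pulls exactly those facts out of the report: the bug line, the access, the first reliable frame that is not KASAN or copy machinery, the shadow byte at the faulting address, how much of the access falls in the faulting page, and the syscall decode. The regexes, the MACHINERY prefix list, and the function names are mine; the constant tables are the kernel's values as stated above. It does not try to explain why the skb's data page was already free, which the report alone does not show.

```python
"""Triage a KASAN report of the kind shown above (added example, not kernel or
syzkaller code).  Shadow values follow mm/kasan/kasan.h of the 4.14 era, the
syscall number the x86_64 syscall table, the command names enum bpf_cmd."""
import re

# Constructed sample: a subset of the report on this page, lines kept verbatim.
SAMPLE_REPORT = """\
[ 21.157989] BUG: KASAN: use-after-free in _copy_to_user+0x9a/0xc0
[ 21.164222] Read of size 1033 at addr ffff8801cbbffffc by task syz-executor113/1961
[ 21.180602] Call Trace:
[ 21.183180]  dump_stack+0xb9/0x11b
[ 21.186700]  print_address_description+0x60/0x22b
[ 21.191786]  kasan_report.cold.6+0x11b/0x2dd
[ 21.196172]  ? _copy_to_user+0x9a/0xc0
[ 21.200044]  _copy_to_user+0x9a/0xc0
[ 21.203749]  bpf_test_finish.isra.0+0xc8/0x190
[ 21.223860]  bpf_prog_test_run_skb+0x4d0/0x8c0
[ 21.245108]  SyS_bpf+0x79d/0x3640
[ 21.285023] RIP: 0033:0x440259
[ 21.288191] RSP: 002b:00007ffe76de4bf8 EFLAGS: 00000213 ORIG_RAX: 0000000000000141
[ 21.303123] RDX: 0000000000000028 RSI: 0000000020000300 RDI: 000000000000000a
[ 21.393385] >ffff8801cbbfff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 21.407964]  ffff8801cbc00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

TS = r"^\[\s*\d+\.\d+\]\s?"                     # printk timestamp prefix
BUG_RE = re.compile(TS + r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>\S+)")
ACCESS_RE = re.compile(TS + r"(?P<kind>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)")
FRAME_RE = re.compile(TS + r"\s*(?P<unreliable>\? )?"
                      r"(?P<frame>[\w.]+\+0x[0-9a-f]+/0x[0-9a-f]+)$")
REG_RE = re.compile(r"\b(?P<name>[A-Z0-9_]+): (?P<val>[0-9a-f]{16})\b")
SHADOW_RE = re.compile(TS + r"[ >](?P<base>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")

# Frames that belong to the reporting/instrumentation machinery, not to the bug.
MACHINERY = ("dump_stack", "print_address_description", "kasan_", "__asan_",
             "check_memory_region", "_copy_to_user", "_copy_from_user",
             "memcpy", "memset", "memmove")
SHADOW_NAMES = {0x00: "accessible", 0xff: "freed page (KASAN_FREE_PAGE)",
                0xfe: "kmalloc_large redzone", 0xfc: "slab object redzone",
                0xfb: "freed slab object (KASAN_KMALLOC_FREE)", 0xfa: "global redzone",
                0xf1: "stack left redzone", 0xf2: "stack mid redzone",
                0xf3: "stack right redzone", 0xf8: "use-after-scope"}
BPF_CMDS = ["BPF_MAP_CREATE", "BPF_MAP_LOOKUP_ELEM", "BPF_MAP_UPDATE_ELEM",
            "BPF_MAP_DELETE_ELEM", "BPF_MAP_GET_NEXT_KEY", "BPF_PROG_LOAD", "BPF_OBJ_PIN",
            "BPF_OBJ_GET", "BPF_PROG_ATTACH", "BPF_PROG_DETACH", "BPF_PROG_TEST_RUN"]

def shadow_class(b):
    """One shadow byte covers 8 bytes; 1..7 means only that many are accessible."""
    if 1 <= b <= 7:
        return f"partially accessible ({b} of 8 bytes)"
    return SHADOW_NAMES.get(b, f"unknown shadow value 0x{b:02x}")

def split_access(addr, size, page_size=4096):
    """Bytes of [addr, addr+size) inside addr's own page vs. in the pages after it."""
    in_first = min(size, page_size - addr % page_size)
    return in_first, size - in_first

def decode_syscall(regs):
    """(syscall, bpf command, attr size) from the user-space register dump (x86_64)."""
    name = "bpf" if regs.get("ORIG_RAX") == 321 else "unknown"   # __NR_bpf == 321
    if name != "bpf":
        return name, None, None
    cmd = regs.get("RDI", -1)
    return name, BPF_CMDS[cmd] if 0 <= cmd < len(BPF_CMDS) else f"cmd {cmd}", regs.get("RDX")

def parse_kasan_report(text):
    """Pull out the fields a triager needs; 'frames' keeps only reliable entries."""
    r = {"frames": [], "regs": {}, "shadow": {}}
    in_trace = False
    for line in text.splitlines():
        if m := BUG_RE.match(line):
            r.update(bug=m["bug"], func=m["func"].split("+")[0])
        elif m := ACCESS_RE.match(line):
            r.update(kind=m["kind"], size=int(m["size"]), addr=int(m["addr"], 16),
                     task=m["task"], pid=int(m["pid"]))
        elif line.endswith("Call Trace:"):
            in_trace = True
        elif in_trace and (m := FRAME_RE.match(line)):
            if not m["unreliable"]:              # "? sym" entries are stale stack slots
                r["frames"].append(m["frame"])
        elif m := SHADOW_RE.match(line):
            r["shadow"][int(m["base"], 16)] = [int(b, 16) for b in m["bytes"].split()]
        else:                                    # first non-frame line ends the trace
            in_trace = False
            for m in REG_RE.finditer(line):
                r["regs"][m["name"]] = int(m["val"], 16)
    culprit = next((f for f in r["frames"] if not f.startswith(MACHINERY)), None)
    r["culprit"] = culprit.split("+")[0].split(".")[0] if culprit else None
    if "addr" in r:                              # each shadow row covers 16 * 8 bytes
        for base, row in r["shadow"].items():
            if base <= r["addr"] < base + 8 * len(row):
                r["shadow_byte"] = row[(r["addr"] - base) // 8]
        r["shadow_class"] = shadow_class(r.get("shadow_byte", -1))
        r["split"] = split_access(r["addr"], r["size"])
    return r

if __name__ == "__main__":
    rep = parse_kasan_report(SAMPLE_REPORT)
    print(rep["bug"], rep["kind"], rep["size"], "bytes in", rep["culprit"], "via", rep["func"],
          "|", rep["shadow_class"], "| own page/beyond:", rep["split"],
          "|", decode_syscall(rep["regs"]))
```

Feed a whole console log on stdin or paste it in place of SAMPLE_REPORT; the parser keys on the "BUG: KASAN:" line, the first "Call Trace:" after it and the "Memory state" rows, so the boot noise and the second (panic) backtrace do not disturb it. The "own page/beyond" split is the number worth watching when deduplicating syzkaller reports: a read that starts inside a freed page and runs into the next one is a different bug from one confined to a freed slab object, even when both report the same faulting function.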