[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 25.975753] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.275930] audit: type=1400 audit(1548133510.215:6): avc: denied { map } for pid=1753 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 26.338541] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.785920] random: sshd: uninitialized urandom read (32 bytes read)
[ 41.656489] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.49' (ECDSA) to the list of known hosts.
[ 47.296346] random: sshd: uninitialized urandom read (32 bytes read)
[ 47.386878] audit: type=1400 audit(1548133531.325:7): avc: denied { map } for pid=1777 comm="syz-executor634" path="/root/syz-executor634121244" dev="sda1" ino=16461 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 47.671055] ==================================================================
[ 47.678495] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[ 47.685147] Read of size 8 at addr ffff8881cb60cdd0 by task syz-executor634/1780
[ 47.692667]
[ 47.694276] CPU: 1 PID: 1780 Comm: syz-executor634 Not tainted 4.14.94+ #12
[ 47.701361] Call Trace:
[ 47.703928]  dump_stack+0xb9/0x10e
[ 47.707534]  ? ip_local_deliver+0x43d/0x450
[ 47.711843]  print_address_description+0x60/0x226
[ 47.716663]  ? ip_local_deliver+0x43d/0x450
[ 47.720963]  kasan_report.cold+0x88/0x2a5
[ 47.725089]  ? ip_local_deliver+0x43d/0x450
[ 47.729385]  ? ip_call_ra_chain+0x540/0x540
[ 47.733684]  ? __lock_acquire+0x56a/0x3fa0
[ 47.737899]  ? ip_rcv+0x99f/0xf7a
[ 47.741356]  ? ip_rcv_finish+0x5c9/0x1490
[ 47.745525]  ? ip_rcv+0x9e2/0xf7a
[ 47.748967]  ? ip_local_deliver+0x450/0x450
[ 47.753274]  ? __lock_acquire+0x56a/0x3fa0
[ 47.757506]  ? check_preemption_disabled+0x35/0x1f0
[ 47.762514]  ? ip_local_deliver+0x450/0x450
[ 47.766816]  ? __netif_receive_skb_core+0x1364/0x2c60
[ 47.771984]  ? trace_hardirqs_on+0x10/0x10
[ 47.776208]  ? flush_backlog+0x580/0x580
[ 47.780250]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 47.785419]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 47.790587]  ? lock_acquire+0x10f/0x380
[ 47.794541]  ? __netif_receive_skb+0x55/0x1f0
[ 47.799020]  ? __netif_receive_skb+0x55/0x1f0
[ 47.803492]  ? netif_receive_skb_internal+0xec/0x5c0
[ 47.808585]  ? dev_cpu_dead+0x810/0x810
[ 47.812539]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 47.817964]  ? rcu_read_lock_sched_held+0x10a/0x130
[ 47.822978]  ? tun_rx_batched.isra.0+0x45d/0x730
[ 47.827716]  ? __skb_get_hash_symmetric+0x255/0x620
[ 47.832782]  ? tun_chr_read_iter+0x1c0/0x1c0
[ 47.837196]  ? tun_get_user+0xc07/0x3790
[ 47.841243]  ? __local_bh_enable_ip+0x65/0xc0
[ 47.845716]  ? tun_get_user+0xd95/0x3790
[ 47.849804]  ? tun_rx_batched.isra.0+0x730/0x730
[ 47.854583]  ? debug_mutex_add_waiter+0x60/0x150
[ 47.859326]  ? mark_held_locks+0xa6/0xf0
[ 47.863369]  ? get_page_from_freelist+0x85e/0x1d60
[ 47.868275]  ? preempt_count_add+0xb8/0x180
[ 47.872576]  ? __tun_get+0x11c/0x220
[ 47.876285]  ? check_preemption_disabled+0x35/0x1f0
[ 47.881292]  ? tun_chr_write_iter+0xcf/0x180
[ 47.885698]  ? do_iter_readv_writev+0x379/0x580
[ 47.890365]  ? clone_verify_area+0x1e0/0x1e0
[ 47.894764]  ? avc_policy_seqno+0x5/0x10
[ 47.898806]  ? security_file_permission+0x88/0x1e0
[ 47.903729]  ? do_iter_write+0x152/0x550
[ 47.907780]  ? lock_downgrade+0x5d0/0x5d0
[ 47.911907]  ? vfs_writev+0x146/0x2d0
[ 47.915689]  ? vfs_iter_write+0xa0/0xa0
[ 47.919642]  ? __handle_mm_fault+0x6c5/0x2640
[ 47.924122]  ? __fsnotify_inode_delete+0x20/0x20
[ 47.928864]  ? __do_page_fault+0x48e/0xb80
[ 47.933096]  ? lock_downgrade+0x5d0/0x5d0
[ 47.937227]  ? check_preemption_disabled+0x35/0x1f0
[ 47.942242]  ? do_writev+0xc9/0x240
[ 47.945921]  ? vfs_writev+0x2d0/0x2d0
[ 47.949711]  ? do_syscall_64+0x43/0x4b0
[ 47.953750]  ? SyS_readv+0x30/0x30
[ 47.957357]  ? do_syscall_64+0x19b/0x4b0
[ 47.961410]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 47.966758]
[ 47.968363] Allocated by task 1780:
[ 47.971969]  kasan_kmalloc.part.0+0x4f/0xd0
[ 47.976272]  kmem_cache_alloc+0xd2/0x2d0
[ 47.980307]  __build_skb+0x2e/0x2d0
[ 47.983913]  build_skb+0x1a/0x1f0
[ 47.987397]  tun_get_user+0x248b/0x3790
[ 47.991345]  tun_chr_write_iter+0xcf/0x180
[ 47.995579]  do_iter_readv_writev+0x379/0x580
[ 48.000054]  do_iter_write+0x152/0x550
[ 48.003918]  vfs_writev+0x146/0x2d0
[ 48.007526]  do_writev+0xc9/0x240
[ 48.010953]  do_syscall_64+0x19b/0x4b0
[ 48.014815]
[ 48.016422] Freed by task 1780:
[ 48.019675]  kasan_slab_free+0xb0/0x190
[ 48.023624]  kmem_cache_free+0xc4/0x330
[ 48.027577]  kfree_skbmem+0xa0/0x100
[ 48.031264]  kfree_skb+0xcd/0x350
[ 48.034695]  ip_defrag+0x5f4/0x3b50
[ 48.038297]  ip_local_deliver+0x165/0x450
[ 48.042417]  ip_rcv_finish+0x5c9/0x1490
[ 48.046370]  ip_rcv+0x9e2/0xf7a
[ 48.049633]  __netif_receive_skb_core+0x1364/0x2c60
[ 48.054643]  __netif_receive_skb+0x55/0x1f0
[ 48.058941]  netif_receive_skb_internal+0xec/0x5c0
[ 48.063846]  tun_rx_batched.isra.0+0x45d/0x730
[ 48.068408]  tun_get_user+0xd95/0x3790
[ 48.072301]  tun_chr_write_iter+0xcf/0x180
[ 48.076532]  do_iter_readv_writev+0x379/0x580
[ 48.081004]  do_iter_write+0x152/0x550
[ 48.084870]  vfs_writev+0x146/0x2d0
[ 48.088471]  do_writev+0xc9/0x240
[ 48.091897]  do_syscall_64+0x19b/0x4b0
[ 48.095756]
[ 48.097362] The buggy address belongs to the object at ffff8881cb60cdc0
[ 48.097362]  which belongs to the cache skbuff_head_cache of size 224
[ 48.110518] The buggy address is located 16 bytes inside of
[ 48.110518]  224-byte region [ffff8881cb60cdc0, ffff8881cb60cea0)
[ 48.122337] The buggy address belongs to the page:
[ 48.127252] page:ffffea00072d8300 count:1 mapcount:0 mapping:          (null) index:0x0
[ 48.135380] flags: 0x4000000000000100(slab)
[ 48.139679] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[ 48.147538] raw: dead000000000100 dead000000000200 ffff8881dab58200 0000000000000000
[ 48.155391] page dumped because: kasan: bad access detected
[ 48.161109]
[ 48.162727] Memory state around the buggy address:
[ 48.167630]  ffff8881cb60cc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.174980]  ffff8881cb60cd00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 48.182313] >ffff8881cb60cd80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 48.189646]                                                     ^
[ 48.195603]  ffff8881cb60ce00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.202950]  ffff8881cb60ce80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 48.210281] ==================================================================
[ 48.217611] Disabling lock debugging due to kernel taint
[ 48.223052] Kernel panic - not syncing: panic_on_warn set ...
[ 48.223052]
[ 48.230400] CPU: 1 PID: 1780 Comm: syz-executor634 Tainted: G B 4.14.94+ #12
[ 48.238694] Call Trace:
[ 48.241256]  dump_stack+0xb9/0x10e
[ 48.244796]  panic+0x1d9/0x3c2
[ 48.247964]  ? add_taint.cold+0x16/0x16
[ 48.251911]  ? retint_kernel+0x2d/0x2d
[ 48.255792]  ? ip_local_deliver+0x43d/0x450
[ 48.260086]  kasan_end_report+0x43/0x49
[ 48.264038]  kasan_report.cold+0xa4/0x2a5
[ 48.268163]  ? ip_local_deliver+0x43d/0x450
[ 48.272478]  ? ip_call_ra_chain+0x540/0x540
[ 48.276776]  ? __lock_acquire+0x56a/0x3fa0
[ 48.280991]  ? ip_rcv+0x99f/0xf7a
[ 48.284422]  ? ip_rcv_finish+0x5c9/0x1490
[ 48.288546]  ? ip_rcv+0x9e2/0xf7a
[ 48.291977]  ? ip_local_deliver+0x450/0x450
[ 48.296272]  ? __lock_acquire+0x56a/0x3fa0
[ 48.300489]  ? check_preemption_disabled+0x35/0x1f0
[ 48.305484]  ? ip_local_deliver+0x450/0x450
[ 48.309792]  ? __netif_receive_skb_core+0x1364/0x2c60
[ 48.314955]  ? trace_hardirqs_on+0x10/0x10
[ 48.319177]  ? flush_backlog+0x580/0x580
[ 48.323213]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 48.328381]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 48.333550]  ? lock_acquire+0x10f/0x380
[ 48.337499]  ? __netif_receive_skb+0x55/0x1f0
[ 48.341970]  ? __netif_receive_skb+0x55/0x1f0
[ 48.346439]  ? netif_receive_skb_internal+0xec/0x5c0
[ 48.351516]  ? dev_cpu_dead+0x810/0x810
[ 48.355466]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 48.360899]  ? rcu_read_lock_sched_held+0x10a/0x130
[ 48.365900]  ? tun_rx_batched.isra.0+0x45d/0x730
[ 48.370629]  ? __skb_get_hash_symmetric+0x255/0x620
[ 48.375618]  ? tun_chr_read_iter+0x1c0/0x1c0
[ 48.380001]  ? tun_get_user+0xc07/0x3790
[ 48.384084]  ? __local_bh_enable_ip+0x65/0xc0
[ 48.388575]  ? tun_get_user+0xd95/0x3790
[ 48.392617]  ? tun_rx_batched.isra.0+0x730/0x730
[ 48.397347]  ? debug_mutex_add_waiter+0x60/0x150
[ 48.402079]  ? mark_held_locks+0xa6/0xf0
[ 48.406119]  ? get_page_from_freelist+0x85e/0x1d60
[ 48.411027]  ? preempt_count_add+0xb8/0x180
[ 48.415351]  ? __tun_get+0x11c/0x220
[ 48.419068]  ? check_preemption_disabled+0x35/0x1f0
[ 48.424071]  ? tun_chr_write_iter+0xcf/0x180
[ 48.428508]  ? do_iter_readv_writev+0x379/0x580
[ 48.433165]  ? clone_verify_area+0x1e0/0x1e0
[ 48.437549]  ? avc_policy_seqno+0x5/0x10
[ 48.441594]  ? security_file_permission+0x88/0x1e0
[ 48.446506]  ? do_iter_write+0x152/0x550
[ 48.450550]  ? lock_downgrade+0x5d0/0x5d0
[ 48.454674]  ? vfs_writev+0x146/0x2d0
[ 48.458456]  ? vfs_iter_write+0xa0/0xa0
[ 48.462407]  ? __handle_mm_fault+0x6c5/0x2640
[ 48.466883]  ? __fsnotify_inode_delete+0x20/0x20
[ 48.471619]  ? __do_page_fault+0x48e/0xb80
[ 48.475832]  ? lock_downgrade+0x5d0/0x5d0
[ 48.479960]  ? check_preemption_disabled+0x35/0x1f0
[ 48.484952]  ? do_writev+0xc9/0x240
[ 48.488557]  ? vfs_writev+0x2d0/0x2d0
[ 48.492333]  ? do_syscall_64+0x43/0x4b0
[ 48.496277]  ? SyS_readv+0x30/0x30
[ 48.499791]  ? do_syscall_64+0x19b/0x4b0
[ 48.503958]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 48.509613] Kernel Offset: 0x11800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 48.520521] Rebooting in 86400 seconds..
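A triage helper for the report above, added here as an example; it is not part of the syzkaller log or of the kernel tree. It parses the KASAN block into its pieces (bug class, faulting site, access, the three stacks, slab object geometry), recovers which functions really owned the allocation (tun_get_user via build_skb) and the free (ip_defrag via kfree_skb) by skipping the allocator and skb bookkeeping frames, and cross-checks the stated 16-byte offset against the access address and object start. The regexes, the helper-prefix list and the trimmed excerpt used as input are the example's own assumptions; the excerpt lines themselves are copied from the report.

```python
import re

# Trimmed excerpt of the KASAN report from the console log above, used as the
# example's input. Constructed test data: most '?' frames of the long call
# trace were dropped; the remaining lines are copied from the report as-is.
REPORT = """\
[ 47.678495] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[ 47.685147] Read of size 8 at addr ffff8881cb60cdd0 by task syz-executor634/1780
[ 47.692667]
[ 47.701361] Call Trace:
[ 47.703928]  dump_stack+0xb9/0x10e
[ 47.707534]  ? ip_local_deliver+0x43d/0x450
[ 47.711843]  print_address_description+0x60/0x226
[ 47.720963]  kasan_report.cold+0x88/0x2a5
[ 47.961410]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 47.966758]
[ 47.968363] Allocated by task 1780:
[ 47.971969]  kasan_kmalloc.part.0+0x4f/0xd0
[ 47.976272]  kmem_cache_alloc+0xd2/0x2d0
[ 47.980307]  __build_skb+0x2e/0x2d0
[ 47.983913]  build_skb+0x1a/0x1f0
[ 47.987397]  tun_get_user+0x248b/0x3790
[ 47.991345]  tun_chr_write_iter+0xcf/0x180
[ 48.014815]
[ 48.016422] Freed by task 1780:
[ 48.019675]  kasan_slab_free+0xb0/0x190
[ 48.023624]  kmem_cache_free+0xc4/0x330
[ 48.027577]  kfree_skbmem+0xa0/0x100
[ 48.031264]  kfree_skb+0xcd/0x350
[ 48.034695]  ip_defrag+0x5f4/0x3b50
[ 48.038297]  ip_local_deliver+0x165/0x450
[ 48.042417]  ip_rcv_finish+0x5c9/0x1490
[ 48.068408]  tun_get_user+0xd95/0x3790
[ 48.095756]
[ 48.097362] The buggy address belongs to the object at ffff8881cb60cdc0
[ 48.097362]  which belongs to the cache skbuff_head_cache of size 224
[ 48.110518] The buggy address is located 16 bytes inside of
[ 48.110518]  224-byte region [ffff8881cb60cdc0, ffff8881cb60cea0)
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")   # dmesg timestamp prefix
FRAME = re.compile(r"^\s*(?P<q>\?\s+)?(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")
SECTIONS = {"Call Trace:": "call_trace", "Allocated by task": "allocated_by", "Freed by task": "freed_by"}
FIELDS = [  # one-line facts; the group names become keys of the parsed dict
    re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<site>\S+)"),
    re.compile(r"(?P<kind>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)"),
    re.compile(r"belongs to the object at (?P<obj>[0-9a-f]+)"),
    re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<osize>\d+)"),
    re.compile(r"located (?P<off>\d+) bytes inside of"),
]
HEX_FIELDS = ("addr", "obj")

def parse_kasan_report(text):
    """Parse one KASAN report into a dict: bug class, faulting site, the access,
    the three stacks as (symbol, reliable) pairs, and the slab object geometry."""
    rep = {"call_trace": [], "allocated_by": [], "freed_by": []}
    section = None
    for raw in text.splitlines():
        line = TS.sub("", raw).rstrip()
        if not line.strip():
            section = None          # a blank line ends a stack section
            continue
        head = next((h for h in SECTIONS if line.startswith(h)), None)
        if head:
            section = SECTIONS[head]
            continue
        m = FRAME.match(line)
        if m and section:
            # frames printed with a leading '?' are unreliable (stale stack slots)
            rep[section].append((m.group("sym"), m.group("q") is None))
            continue
        for pat in FIELDS:
            m = pat.search(line)
            if m:
                for k, v in m.groupdict().items():
                    rep[k] = int(v, 16) if k in HEX_FIELDS else (int(v) if v.isdigit() else v)
    return rep

# Allocator and skb bookkeeping frames that sit above the real owner of an
# allocation or a free in the "Allocated by" / "Freed by" stacks (assumed list).
HELPER_PREFIXES = ("kasan_", "kmem_cache_", "kmalloc", "__kmalloc", "kfree", "build_skb", "__build_skb")

def owner(frames):
    """First frame that is not an allocator/skb helper: who really took or released the object."""
    return next((sym for sym, _ in frames if not sym.startswith(HELPER_PREFIXES)), None)

def offset_consistent(rep):
    """Cross-check: access address minus object start must equal the offset the report states."""
    return rep["addr"] - rep["obj"] == rep["off"]

def summarize(rep):
    return "%s in %s: %s of %d bytes at +%d into a %d-byte %s object, allocated in %s, freed in %s" % (
        rep["bug"], rep["site"], rep["kind"], rep["size"], rep["off"], rep["osize"],
        rep["cache"], owner(rep["allocated_by"]), owner(rep["freed_by"]))

if __name__ == "__main__":
    r = parse_kasan_report(REPORT)
    print(summarize(r))
    print("offset consistent:", offset_consistent(r))
```

The owner() step is what turns the two stacks into the one-line story a bug report needs: the skb was built in tun_get_user (a write to a tun fd) and released by kfree_skb inside ip_defrag, after which ip_local_deliver still touched it. The offset check is cheap insurance against a mangled paste, since the three numbers are printed independently by KASAN.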