[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 28.247076] random: sshd: uninitialized urandom read (32 bytes read)
[ 28.736671] audit: type=1400 audit(1548959340.605:6): avc: denied { map } for pid=1771 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 28.777501] random: sshd: uninitialized urandom read (32 bytes read)
[ 29.269099] random: sshd: uninitialized urandom read (32 bytes read)
[ 29.790610] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.187' (ECDSA) to the list of known hosts.
[ 35.290400] random: sshd: uninitialized urandom read (32 bytes read)
[ 35.377021] audit: type=1400 audit(1548959347.245:7): avc: denied { map } for pid=1789 comm="syz-executor397" path="/root/syz-executor397221435" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 35.632638] ==================================================================
[ 35.640093] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[ 35.646765] Read of size 8 at addr ffff8881d1d02010 by task syz-executor397/1792
[ 35.654313]
[ 35.655926] CPU: 1 PID: 1792 Comm: syz-executor397 Not tainted 4.14.96+ #20
[ 35.663003] Call Trace:
[ 35.665589]  dump_stack+0xb9/0x10e
[ 35.669114]  ? ip_local_deliver+0x43d/0x450
[ 35.673436]  print_address_description+0x60/0x226
[ 35.678268]  ? ip_local_deliver+0x43d/0x450
[ 35.682568]  kasan_report.cold+0x88/0x2a5
[ 35.686696]  ? ip_local_deliver+0x43d/0x450
[ 35.691106]  ? ip_call_ra_chain+0x540/0x540
[ 35.695412]  ? __lock_acquire+0x56a/0x3fa0
[ 35.699628]  ? ip_rcv+0x99f/0xf7a
[ 35.703068]  ? ip_rcv_finish+0x5c9/0x1490
[ 35.707208]  ? ip_rcv+0x9e2/0xf7a
[ 35.710642]  ? ip_local_deliver+0x450/0x450
[ 35.714944]  ? __lock_acquire+0x56a/0x3fa0
[ 35.719159]  ? check_preemption_disabled+0x35/0x1f0
[ 35.724155]  ? ip_local_deliver+0x450/0x450
[ 35.728457]  ? __netif_receive_skb_core+0x1364/0x2c60
[ 35.733629]  ? trace_hardirqs_on+0x10/0x10
[ 35.737845]  ? flush_backlog+0x580/0x580
[ 35.741890]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 35.747066]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 35.752242]  ? lock_acquire+0x10f/0x380
[ 35.756199]  ? __netif_receive_skb+0x55/0x1f0
[ 35.760670]  ? __netif_receive_skb+0x55/0x1f0
[ 35.765149]  ? netif_receive_skb_internal+0xec/0x5c0
[ 35.770241]  ? dev_cpu_dead+0x810/0x810
[ 35.774199]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 35.779634]  ? rcu_read_lock_sched_held+0x10a/0x130
[ 35.784628]  ? tun_rx_batched.isra.0+0x45d/0x730
[ 35.789363]  ? __skb_get_hash_symmetric+0x255/0x620
[ 35.794363]  ? __slab_alloc.isra.0.constprop.0+0x76/0x90
[ 35.799790]  ? tun_chr_read_iter+0x1c0/0x1c0
[ 35.804263]  ? tun_get_user+0xc07/0x3790
[ 35.808311]  ? __local_bh_enable_ip+0x65/0xc0
[ 35.812849]  ? tun_get_user+0xd95/0x3790
[ 35.816954]  ? tun_rx_batched.isra.0+0x730/0x730
[ 35.821725]  ? debug_mutex_wake_waiter+0x1d0/0x370
[ 35.826635]  ? mark_held_locks+0xa6/0xf0
[ 35.830675]  ? get_page_from_freelist+0x85e/0x1d60
[ 35.835588]  ? preempt_count_add+0xb8/0x180
[ 35.839891]  ? __tun_get+0x11c/0x220
[ 35.843586]  ? check_preemption_disabled+0x35/0x1f0
[ 35.848583]  ? tun_chr_write_iter+0xcf/0x180
[ 35.852968]  ? do_iter_readv_writev+0x379/0x580
[ 35.857614]  ? clone_verify_area+0x1e0/0x1e0
[ 35.862004]  ? avc_policy_seqno+0x5/0x10
[ 35.866054]  ? security_file_permission+0x88/0x1e0
[ 35.870977]  ? do_iter_write+0x152/0x550
[ 35.875031]  ? lock_downgrade+0x5d0/0x5d0
[ 35.879168]  ? vfs_writev+0x146/0x2d0
[ 35.882948]  ? vfs_iter_write+0xa0/0xa0
[ 35.886903]  ? __handle_mm_fault+0x6c5/0x2640
[ 35.891381]  ? __fsnotify_inode_delete+0x20/0x20
[ 35.896122]  ? __do_page_fault+0x48e/0xb80
[ 35.900342]  ? lock_downgrade+0x5d0/0x5d0
[ 35.904466]  ? check_preemption_disabled+0x35/0x1f0
[ 35.909478]  ? do_writev+0xc9/0x240
[ 35.913107]  ? vfs_writev+0x2d0/0x2d0
[ 35.916892]  ? do_syscall_64+0x43/0x4b0
[ 35.920843]  ? SyS_readv+0x30/0x30
[ 35.924441]  ? do_syscall_64+0x19b/0x4b0
[ 35.928491]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 35.933847]
[ 35.935454] Allocated by task 1792:
[ 35.939081]  kasan_kmalloc.part.0+0x4f/0xd0
[ 35.943382]  kmem_cache_alloc+0xd2/0x2d0
[ 35.947422]  __build_skb+0x2e/0x2d0
[ 35.951145]  build_skb+0x1a/0x1f0
[ 35.954596]  tun_get_user+0x248b/0x3790
[ 35.958549]  tun_chr_write_iter+0xcf/0x180
[ 35.962778]  do_iter_readv_writev+0x379/0x580
[ 35.967262]  do_iter_write+0x152/0x550
[ 35.971126]  vfs_writev+0x146/0x2d0
[ 35.974729]  do_writev+0xc9/0x240
[ 35.978163]  do_syscall_64+0x19b/0x4b0
[ 35.982025]
[ 35.983640] Freed by task 1792:
[ 35.986899]  kasan_slab_free+0xb0/0x190
[ 35.990849]  kmem_cache_free+0xc4/0x330
[ 35.994819]  kfree_skbmem+0xa0/0x100
[ 35.998508]  kfree_skb+0xcd/0x350
[ 36.001939]  ip_defrag+0x5f4/0x3b50
[ 36.005545]  ip_local_deliver+0x165/0x450
[ 36.009668]  ip_rcv_finish+0x5c9/0x1490
[ 36.013621]  ip_rcv+0x9e2/0xf7a
[ 36.016881]  __netif_receive_skb_core+0x1364/0x2c60
[ 36.021880]  __netif_receive_skb+0x55/0x1f0
[ 36.026236]  netif_receive_skb_internal+0xec/0x5c0
[ 36.031180]  tun_rx_batched.isra.0+0x45d/0x730
[ 36.035740]  tun_get_user+0xd95/0x3790
[ 36.039604]  tun_chr_write_iter+0xcf/0x180
[ 36.043814]  do_iter_readv_writev+0x379/0x580
[ 36.048292]  do_iter_write+0x152/0x550
[ 36.052167]  vfs_writev+0x146/0x2d0
[ 36.055768]  do_writev+0xc9/0x240
[ 36.059200]  do_syscall_64+0x19b/0x4b0
[ 36.063068]
[ 36.064673] The buggy address belongs to the object at ffff8881d1d02000
[ 36.064673]  which belongs to the cache skbuff_head_cache of size 224
[ 36.077835] The buggy address is located 16 bytes inside of
[ 36.077835]  224-byte region [ffff8881d1d02000, ffff8881d1d020e0)
[ 36.089593] The buggy address belongs to the page:
[ 36.094508] page:ffffea0007474080 count:1 mapcount:0 mapping: (null) index:0x0
[ 36.102785] flags: 0x4000000000000100(slab)
[ 36.107084] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[ 36.114944] raw: dead000000000100 dead000000000200 ffff8881dab58200 0000000000000000
[ 36.122798] page dumped because: kasan: bad access detected
[ 36.128479]
[ 36.130089] Memory state around the buggy address:
[ 36.135007]  ffff8881d1d01f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.142340]  ffff8881d1d01f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.149672] >ffff8881d1d02000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.157002]                    ^
[ 36.160863]  ffff8881d1d02080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 36.168212]  ffff8881d1d02100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.175546] ==================================================================
[ 36.182909] Disabling lock debugging due to kernel taint
[ 36.188355] Kernel panic - not syncing: panic_on_warn set ...
[ 36.188355]
[ 36.195698] CPU: 1 PID: 1792 Comm: syz-executor397 Tainted: G B 4.14.96+ #20
[ 36.203984] Call Trace:
[ 36.206554]  dump_stack+0xb9/0x10e
[ 36.210083]  panic+0x1d9/0x3c2
[ 36.213258]  ? add_taint.cold+0x16/0x16
[ 36.217207]  ? retint_kernel+0x2d/0x2d
[ 36.221076]  ? ip_local_deliver+0x43d/0x450
[ 36.225373]  kasan_end_report+0x43/0x49
[ 36.229320]  kasan_report.cold+0xa4/0x2a5
[ 36.233442]  ? ip_local_deliver+0x43d/0x450
[ 36.237740]  ? ip_call_ra_chain+0x540/0x540
[ 36.242037]  ? __lock_acquire+0x56a/0x3fa0
[ 36.246253]  ? ip_rcv+0x99f/0xf7a
[ 36.249696]  ? ip_rcv_finish+0x5c9/0x1490
[ 36.253819]  ? ip_rcv+0x9e2/0xf7a
[ 36.257246]  ? ip_local_deliver+0x450/0x450
[ 36.261542]  ? __lock_acquire+0x56a/0x3fa0
[ 36.265754]  ? check_preemption_disabled+0x35/0x1f0
[ 36.270747]  ? ip_local_deliver+0x450/0x450
[ 36.275043]  ? __netif_receive_skb_core+0x1364/0x2c60
[ 36.280228]  ? trace_hardirqs_on+0x10/0x10
[ 36.284436]  ? flush_backlog+0x580/0x580
[ 36.288472]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 36.293655]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 36.298822]  ? lock_acquire+0x10f/0x380
[ 36.302778]  ? __netif_receive_skb+0x55/0x1f0
[ 36.307271]  ? __netif_receive_skb+0x55/0x1f0
[ 36.311757]  ? netif_receive_skb_internal+0xec/0x5c0
[ 36.316836]  ? dev_cpu_dead+0x810/0x810
[ 36.320795]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 36.326358]  ? rcu_read_lock_sched_held+0x10a/0x130
[ 36.331357]  ? tun_rx_batched.isra.0+0x45d/0x730
[ 36.336093]  ? __skb_get_hash_symmetric+0x255/0x620
[ 36.341088]  ? __slab_alloc.isra.0.constprop.0+0x76/0x90
[ 36.346512]  ? tun_chr_read_iter+0x1c0/0x1c0
[ 36.350895]  ? tun_get_user+0xc07/0x3790
[ 36.354931]  ? __local_bh_enable_ip+0x65/0xc0
[ 36.359406]  ? tun_get_user+0xd95/0x3790
[ 36.363453]  ? tun_rx_batched.isra.0+0x730/0x730
[ 36.368188]  ? debug_mutex_wake_waiter+0x1d0/0x370
[ 36.373092]  ? mark_held_locks+0xa6/0xf0
[ 36.377134]  ? get_page_from_freelist+0x85e/0x1d60
[ 36.382053]  ? preempt_count_add+0xb8/0x180
[ 36.386360]  ? __tun_get+0x11c/0x220
[ 36.390069]  ? check_preemption_disabled+0x35/0x1f0
[ 36.395131]  ? tun_chr_write_iter+0xcf/0x180
[ 36.399586]  ? do_iter_readv_writev+0x379/0x580
[ 36.404241]  ? clone_verify_area+0x1e0/0x1e0
[ 36.408642]  ? avc_policy_seqno+0x5/0x10
[ 36.412684]  ? security_file_permission+0x88/0x1e0
[ 36.417603]  ? do_iter_write+0x152/0x550
[ 36.421642]  ? lock_downgrade+0x5d0/0x5d0
[ 36.425767]  ? vfs_writev+0x146/0x2d0
[ 36.429542]  ? vfs_iter_write+0xa0/0xa0
[ 36.433493]  ? __handle_mm_fault+0x6c5/0x2640
[ 36.437969]  ? __fsnotify_inode_delete+0x20/0x20
[ 36.442703]  ? __do_page_fault+0x48e/0xb80
[ 36.446931]  ? lock_downgrade+0x5d0/0x5d0
[ 36.451061]  ? check_preemption_disabled+0x35/0x1f0
[ 36.456059]  ? do_writev+0xc9/0x240
[ 36.459679]  ? vfs_writev+0x2d0/0x2d0
[ 36.463471]  ? do_syscall_64+0x43/0x4b0
[ 36.467419]  ? SyS_readv+0x30/0x30
[ 36.471029]  ? do_syscall_64+0x19b/0x4b0
[ 36.475076]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 36.480781] Kernel Offset: 0x2b800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 36.491679] Rebooting in 86400 seconds..