[   32.219510] audit: type=1800 audit(1578064566.899:33): pid=6888 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[   32.247187] audit: type=1800 audit(1578064566.909:34): pid=6888 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   37.593635] random: sshd: uninitialized urandom read (32 bytes read)
[   37.824017] audit: type=1400 audit(1578064572.509:35): avc:  denied  { map } for  pid=7062 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   37.862466] random: sshd: uninitialized urandom read (32 bytes read)
[   38.470739] random: sshd: uninitialized urandom read (32 bytes read)
[   38.653000] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.193' (ECDSA) to the list of known hosts.
[   44.233978] random: sshd: uninitialized urandom read (32 bytes read)
[   44.420699] audit: type=1400 audit(1578064579.109:36): avc:  denied  { map } for  pid=7074 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/01/03 15:16:19 parsed 1 programs
[   45.230188] random: cc1: uninitialized urandom read (8 bytes read)
[   46.299194] audit: type=1400 audit(1578064580.979:37): avc:  denied  { map } for  pid=7074 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=15736 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2020/01/03 15:16:21 executed programs: 0
[   46.340534] audit: type=1400 audit(1578064581.019:38): avc:  denied  { map } for  pid=7074 comm="syz-execprog" path="/root/syzkaller-shm698973603" dev="sda1" ino=16490 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[   46.620858] IPVS: ftp: loaded support on port[0] = 21
[   47.506358] chnl_net:caif_netlink_parms(): no params data found
[   47.539508] bridge0: port 1(bridge_slave_0) entered blocking state
[   47.546328] bridge0: port 1(bridge_slave_0) entered disabled state
[   47.553637] device bridge_slave_0 entered promiscuous mode
[   47.560804] bridge0: port 2(bridge_slave_1) entered blocking state
[   47.567180] bridge0: port 2(bridge_slave_1) entered disabled state
[   47.574150] device bridge_slave_1 entered promiscuous mode
[   47.589186] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   47.598422] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   47.614623] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   47.622000] team0: Port device team_slave_0 added
[   47.627460] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   47.634669] team0: Port device team_slave_1 added
[   47.640168] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   47.647555] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   47.702111] device hsr_slave_0 entered promiscuous mode
[   47.770270] device hsr_slave_1 entered promiscuous mode
[   47.840967] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[   47.847990] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[   47.865530] bridge0: port 2(bridge_slave_1) entered blocking state
[   47.871945] bridge0: port 2(bridge_slave_1) entered forwarding state
[   47.878674] bridge0: port 1(bridge_slave_0) entered blocking state
[   47.885050] bridge0: port 1(bridge_slave_0) entered forwarding state
[   47.913666] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   47.919749] 8021q: adding VLAN 0 to HW filter on device bond0
[   47.928442] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   47.937120] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   47.955379] bridge0: port 1(bridge_slave_0) entered disabled state
[   47.962374] bridge0: port 2(bridge_slave_1) entered disabled state
[   47.972017] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   47.978100] 8021q: adding VLAN 0 to HW filter on device team0
[   47.986677] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   47.994258] bridge0: port 1(bridge_slave_0) entered blocking state
[   48.000645] bridge0: port 1(bridge_slave_0) entered forwarding state
[   48.009348] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   48.017049] bridge0: port 2(bridge_slave_1) entered blocking state
[   48.023436] bridge0: port 2(bridge_slave_1) entered forwarding state
[   48.040769] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   48.048327] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   48.055875] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   48.063981] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   48.072035] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   48.081812] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[   48.087799] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[   48.099365] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[   48.107016] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[   48.113808] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[   48.124285] 8021q: adding VLAN 0 to HW filter on device batadv0
[   48.500528] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   49.290339] ==================================================================
[   49.290363] BUG: KASAN: slab-out-of-bounds in fbcon_get_font+0x288/0x550
[   49.290367] Read of size 16 at addr ffff888096872f10 by task syz-executor.0/7123
[   49.290368] 
[   49.290374] CPU: 0 PID: 7123 Comm: syz-executor.0 Not tainted 4.14.161-syzkaller #0
[   49.290377] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   49.290379] Call Trace:
[   49.290387]  dump_stack+0x142/0x197
[   49.290392]  ? fbcon_get_font+0x288/0x550
[   49.290400]  print_address_description.cold+0x7c/0x1dc
[   49.290405]  ? fbcon_get_font+0x288/0x550
[   49.290409]  kasan_report.cold+0xa9/0x2af
[   49.290415]  check_memory_region+0x123/0x190
[   49.290420]  memcpy+0x24/0x50
[   49.290425]  fbcon_get_font+0x288/0x550
[   49.290430]  ? display_to_var+0x7e0/0x7e0
[   49.290435]  con_font_op+0x1d5/0x1060
[   49.290441]  ? con_write+0xc0/0xc0
[   49.290449]  ? kasan_check_write+0x14/0x20
[   49.290455]  ? _copy_from_user+0x99/0x110
[   49.290462]  vt_ioctl+0x179f/0x2170
[   49.290467]  ? avc_has_extended_perms+0x8ec/0xe40
[   49.290471]  ? futex_wake+0x134/0x430
[   49.290476]  ? complete_change_console+0x360/0x360
[   49.290481]  ? avc_ss_reset+0x110/0x110
[   49.290490]  ? tty_jobctrl_ioctl+0x44/0xc10
[   49.290494]  ? complete_change_console+0x360/0x360
[   49.290500]  tty_ioctl+0x841/0x1320
[   49.290505]  ? tty_vhangup+0x30/0x30
[   49.290511]  ? __might_fault+0x110/0x1d0
[   49.290519]  ? __might_sleep+0x93/0xb0
[   49.290525]  ? __fget+0x210/0x370
[   49.290532]  ? tty_vhangup+0x30/0x30
[   49.290538]  do_vfs_ioctl+0x7ae/0x1060
[   49.290543]  ? selinux_file_mprotect+0x5d0/0x5d0
[   49.290548]  ? lock_downgrade+0x740/0x740
[   49.290554]  ? ioctl_preallocate+0x1c0/0x1c0
[   49.290559]  ? __fget+0x237/0x370
[   49.290568]  ? security_file_ioctl+0x7d/0xb0
[   49.290572]  ? security_file_ioctl+0x89/0xb0
[   49.290578]  SyS_ioctl+0x8f/0xc0
[   49.290582]  ? do_vfs_ioctl+0x1060/0x1060
[   49.290589]  do_syscall_64+0x1e8/0x640
[   49.290593]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   49.290601]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   49.290605] RIP: 0033:0x45a9e9
[   49.290608] RSP: 002b:00007f7eb548ec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   49.290614] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a9e9
[   49.290616] RDX: 0000000020000440 RSI: 0000000000004b72 RDI: 0000000000000004
[   49.290619] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[   49.290621] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f7eb548f6d4
[   49.290624] R13: 00000000004c3bb5 R14: 00000000004d94d8 R15: 00000000ffffffff
[   49.290632] 
[   49.290634] Allocated by task 7122:
[   49.290640]  save_stack_trace+0x16/0x20
[   49.290643]  save_stack+0x45/0xd0
[   49.290647]  kasan_kmalloc+0xce/0xf0
[   49.290650]  __kmalloc+0x15d/0x7a0
[   49.290654]  fbcon_set_font+0x2f8/0x7b0
[   49.290657]  con_font_op+0xc0f/0x1060
[   49.290660]  vt_ioctl+0xb80/0x2170
[   49.290664]  tty_ioctl+0x841/0x1320
[   49.290667]  do_vfs_ioctl+0x7ae/0x1060
[   49.290671]  SyS_ioctl+0x8f/0xc0
[   49.290674]  do_syscall_64+0x1e8/0x640
[   49.290678]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   49.290680] 
[   49.290682] Freed by task 5553:
[   49.290685]  save_stack_trace+0x16/0x20
[   49.290688]  save_stack+0x45/0xd0
[   49.290692]  kasan_slab_free+0x75/0xc0
[   49.290695]  kfree+0xcc/0x270
[   49.290699]  kvfree+0x4d/0x60
[   49.290703]  seq_release+0x54/0x80
[   49.290708]  kernfs_fop_release+0xe0/0x180
[   49.290712]  __fput+0x275/0x7a0
[   49.290715]  ____fput+0x16/0x20
[   49.290719]  task_work_run+0x114/0x190
[   49.290723]  exit_to_usermode_loop+0x1da/0x220
[   49.290727]  do_syscall_64+0x4bc/0x640
[   49.290731]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   49.290732] 
[   49.290735] The buggy address belongs to the object at ffff888096872200
[   49.290735]  which belongs to the cache kmalloc-4096 of size 4096
[   49.290739] The buggy address is located 3344 bytes inside of
[   49.290739]  4096-byte region [ffff888096872200, ffff888096873200)
[   49.290741] The buggy address belongs to the page:
[   49.290745] page:ffffea00025a1c80 count:1 mapcount:0 mapping:ffff888096872200 index:0x0 compound_mapcount: 0
[   49.290752] flags: 0xfffe0000008100(slab|head)
[   49.290758] raw: 00fffe0000008100 ffff888096872200 0000000000000000 0000000100000001
[   49.290763] raw: ffffea00025cb6a0 ffffea00026186a0 ffff8880aa800dc0 0000000000000000
[   49.290765] page dumped because: kasan: bad access detected
[   49.290766] 
[   49.290768] Memory state around the buggy address:
[   49.290771]  ffff888096872e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   49.290775]  ffff888096872e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   49.290778] >ffff888096872f00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   49.290780]                          ^
[   49.290783]  ffff888096872f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   49.290786]  ffff888096873000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   49.290788] ==================================================================
[   49.290789] Disabling lock debugging due to kernel taint
[   49.290792] Kernel panic - not syncing: panic_on_warn set ...
[   49.290792] 
[   49.290796] CPU: 0 PID: 7123 Comm: syz-executor.0 Tainted: G    B   4.14.161-syzkaller #0
[   49.290798] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   49.290799] Call Trace:
[   49.290803]  dump_stack+0x142/0x197
[   49.290808]  ? fbcon_get_font+0x288/0x550
[   49.290812]  panic+0x1f9/0x42d
[   49.290816]  ? add_taint.cold+0x16/0x16
[   49.290820]  ? lock_downgrade+0x740/0x740
[   49.290826]  kasan_end_report+0x47/0x4f
[   49.290830]  kasan_report.cold+0x130/0x2af
[   49.290834]  check_memory_region+0x123/0x190
[   49.290838]  memcpy+0x24/0x50
[   49.290842]  fbcon_get_font+0x288/0x550
[   49.290846]  ? display_to_var+0x7e0/0x7e0
[   49.290849]  con_font_op+0x1d5/0x1060
[   49.290854]  ? con_write+0xc0/0xc0
[   49.290859]  ? kasan_check_write+0x14/0x20
[   49.290863]  ? _copy_from_user+0x99/0x110
[   49.290867]  vt_ioctl+0x179f/0x2170
[   49.290870]  ? avc_has_extended_perms+0x8ec/0xe40
[   49.290873]  ? futex_wake+0x134/0x430
[   49.290877]  ? complete_change_console+0x360/0x360
[   49.290881]  ? avc_ss_reset+0x110/0x110
[   49.290886]  ? tty_jobctrl_ioctl+0x44/0xc10
[   49.290890]  ? complete_change_console+0x360/0x360
[   49.290894]  tty_ioctl+0x841/0x1320
[   49.290898]  ? tty_vhangup+0x30/0x30
[   49.290902]  ? __might_fault+0x110/0x1d0
[   49.290914]  ? __might_sleep+0x93/0xb0
[   49.290918]  ? __fget+0x210/0x370
[   49.290923]  ? tty_vhangup+0x30/0x30
[   49.290927]  do_vfs_ioctl+0x7ae/0x1060
[   49.290931]  ? selinux_file_mprotect+0x5d0/0x5d0
[   49.290935]  ? lock_downgrade+0x740/0x740
[   49.290939]  ? ioctl_preallocate+0x1c0/0x1c0
[   49.290944]  ? __fget+0x237/0x370
[   49.290949]  ? security_file_ioctl+0x7d/0xb0
[   49.290952]  ? security_file_ioctl+0x89/0xb0
[   49.290957]  SyS_ioctl+0x8f/0xc0
[   49.290961]  ? do_vfs_ioctl+0x1060/0x1060
[   49.290965]  do_syscall_64+0x1e8/0x640
[   49.290969]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   49.290974]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   49.290977] RIP: 0033:0x45a9e9
[   49.290979] RSP: 002b:00007f7eb548ec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   49.290983] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a9e9
[   49.290985] RDX: 0000000020000440 RSI: 0000000000004b72 RDI: 0000000000000004
[   49.290988] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[   49.290990] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f7eb548f6d4
[   49.290992] R13: 00000000004c3bb5 R14: 00000000004d94d8 R15: 00000000ffffffff
[   49.292315] Kernel Offset: disabled
[   50.015102] Rebooting in 86400 seconds..