[....] Starting OpenBSD Secure Shell server: sshd[   20.683104] random: sshd: uninitialized urandom read (32 bytes read)
[ ok .
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [   25.562885] random: sshd: uninitialized urandom read (32 bytes read)
[   25.783893] sshd (4496) used greatest stack depth: 16712 bytes left
[   25.804550] random: sshd: uninitialized urandom read (32 bytes read)
[   26.550317] random: sshd: uninitialized urandom read (32 bytes read)
[   26.709706] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.32' (ECDSA) to the list of known hosts.
[   32.216339] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   32.308334] ==================================================================
[   32.315812] BUG: KASAN: use-after-free in nla_strlcpy+0x13d/0x150
[   32.322048] Read of size 1 at addr ffff8801a910fb5d by task syz-executor170/4513
[   32.329562]
[   32.331178] CPU: 1 PID: 4513 Comm: syz-executor170 Not tainted 4.17.0-rc6+ #68
[   32.338524] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.347895] Call Trace:
[   32.350479]  dump_stack+0x1b9/0x294
[   32.354126]  ? dump_stack_print_info.cold.2+0x52/0x52
[   32.359314]  ? printk+0x9e/0xba
[   32.362596]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   32.367349]  ? kasan_check_write+0x14/0x20
[   32.371589]  print_address_description+0x6c/0x20b
[   32.376433]  ? nla_strlcpy+0x13d/0x150
[   32.380311]  kasan_report.cold.7+0x242/0x2fe
[   32.384721]  __asan_report_load1_noabort+0x14/0x20
[   32.389644]  nla_strlcpy+0x13d/0x150
[   32.393429]  nfnl_acct_new+0x574/0xc50
[   32.397300]  ? nfnl_acct_overquota+0x380/0x380
[   32.401876]  ? debug_check_no_locks_freed+0x310/0x310
[   32.407070]  ? graph_lock+0x170/0x170
[   32.410878]  ? print_usage_bug+0xc0/0xc0
[   32.414929]  ? find_held_lock+0x36/0x1c0
[   32.419064]  ? graph_lock+0x170/0x170
[   32.422859]  ? lock_downgrade+0x8e0/0x8e0
[   32.426994]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.432523]  ? __lock_is_held+0xb5/0x140
[   32.436591]  ? nfnl_acct_overquota+0x380/0x380
[   32.441175]  nfnetlink_rcv_msg+0xdb5/0xff0
[   32.445420]  ? __sanitizer_cov_trace_cmp1+0x17/0x20
[   32.450436]  ? nfnetlink_rcv_msg+0x3bc/0xff0
[   32.454848]  ? nfnetlink_bind+0x3a0/0x3a0
[   32.458991]  ? graph_lock+0x170/0x170
[   32.462801]  ? find_held_lock+0x36/0x1c0
[   32.466859]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.472393]  netlink_rcv_skb+0x172/0x440
[   32.476452]  ? nfnetlink_bind+0x3a0/0x3a0
[   32.480591]  ? netlink_ack+0xbc0/0xbc0
[   32.484473]  ? __netlink_ns_capable+0x100/0x130
[   32.489143]  nfnetlink_rcv+0x1fe/0x1ba0
[   32.493113]  ? kasan_check_read+0x11/0x20
[   32.497253]  ? rcu_is_watching+0x85/0x140
[   32.501422]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   32.506629]  ? nfnl_err_reset+0x2d0/0x2d0
[   32.510790]  ? netlink_remove_tap+0x610/0x610
[   32.515307]  ? refcount_add_not_zero+0x320/0x320
[   32.520059]  ? kasan_check_read+0x11/0x20
[   32.524209]  ? rcu_is_watching+0x85/0x140
[   32.528351]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   32.533533]  ? netlink_skb_destructor+0x210/0x210
[   32.538384]  ? kasan_check_write+0x14/0x20
[   32.542671]  netlink_unicast+0x58b/0x740
[   32.546723]  ? netlink_attachskb+0x970/0x970
[   32.551114]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.556821]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   32.561828]  ? security_netlink_send+0x88/0xb0
[   32.566404]  netlink_sendmsg+0x9f0/0xfa0
[   32.570457]  ? netlink_unicast+0x740/0x740
[   32.574692]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.580236]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.585774]  ? security_socket_sendmsg+0x94/0xc0
[   32.590612]  ? netlink_unicast+0x740/0x740
[   32.594831]  sock_sendmsg+0xd5/0x120
[   32.598533]  sock_write_iter+0x35a/0x5a0
[   32.602580]  ? sock_sendmsg+0x120/0x120
[   32.606541]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   32.612069]  ? iov_iter_init+0xc9/0x1f0
[   32.616042]  __vfs_write+0x64d/0x960
[   32.619849]  ? kernel_read+0x120/0x120
[   32.623727]  ? lock_downgrade+0x8e0/0x8e0
[   32.628039]  ? handle_mm_fault+0x8c0/0xc70
[   32.632263]  ? handle_mm_fault+0x55a/0xc70
[   32.636486]  ? rw_verify_area+0x118/0x360
[   32.640615]  vfs_write+0x1f8/0x560
[   32.644138]  ksys_write+0xf9/0x250
[   32.647665]  ? __ia32_sys_read+0xb0/0xb0
[   32.651815]  __x64_sys_write+0x73/0xb0
[   32.655882]  do_syscall_64+0x1b1/0x800
[   32.659777]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   32.664606]  ? syscall_return_slowpath+0x5c0/0x5c0
[   32.669519]  ? syscall_return_slowpath+0x30f/0x5c0
[   32.674441]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.679978]  ? retint_user+0x18/0x18
[   32.683681]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   32.688518]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.693689] RIP: 0033:0x4400e9
[   32.696855] RSP: 002b:00007fff17c18608 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   32.704547] RAX: ffffffffffffffda RBX: 00007fff17c18630 RCX: 00000000004400e9
[   32.711799] RDX: 000000000000001f RSI: 0000000020390000 RDI: 0000000000000003
[   32.719059] RBP: 0000000000000000 R08: 00007fff17c18680 R09: 00007fff17c18680
[   32.726327] R10: 00007fff17c18680 R11: 0000000000000246 R12: 0000000000401a10
[   32.733579] R13: 0000000000401aa0 R14: 0000000000000000 R15: 0000000000000000
[   32.740854]
[   32.742465] Allocated by task 4513:
[   32.746079]  save_stack+0x43/0xd0
[   32.749519]  kasan_kmalloc+0xc4/0xe0
[   32.753226]  __kmalloc+0x14e/0x760
[   32.756749]  load_elf_phdrs+0x17a/0x250
[   32.760720]  load_elf_binary+0x32b/0x5610
[   32.764859]  search_binary_handler+0x17d/0x570
[   32.769431]  do_execveat_common.isra.34+0x16ce/0x2590
[   32.774921]  __x64_sys_execve+0x8d/0xb0
[   32.778899]  do_syscall_64+0x1b1/0x800
[   32.782794]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.788069]
[   32.789693] Freed by task 4513:
[   32.793056]  save_stack+0x43/0xd0
[   32.796500]  __kasan_slab_free+0x11a/0x170
[   32.800736]  kasan_slab_free+0xe/0x10
[   32.804526]  kfree+0xd9/0x260
[   32.807618]  load_elf_binary+0x2569/0x5610
[   32.811840]  search_binary_handler+0x17d/0x570
[   32.816416]  do_execveat_common.isra.34+0x16ce/0x2590
[   32.821597]  __x64_sys_execve+0x8d/0xb0
[   32.825563]  do_syscall_64+0x1b1/0x800
[   32.829445]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.834617]
[   32.836232] The buggy address belongs to the object at ffff8801a910fac0
[   32.836232]  which belongs to the cache kmalloc-512 of size 512
[   32.848975] The buggy address is located 157 bytes inside of
[   32.848975]  512-byte region [ffff8801a910fac0, ffff8801a910fcc0)
[   32.860865] The buggy address belongs to the page:
[   32.865801] page:ffffea0006a443c0 count:1 mapcount:0 mapping:ffff8801a910f0c0 index:0x0
[   32.873942] flags: 0x2fffc0000000100(slab)
[   32.878177] raw: 02fffc0000000100 ffff8801a910f0c0 0000000000000000 0000000100000006
[   32.886180] raw: ffffea0006b48e60 ffff8801da801748 ffff8801da800940 0000000000000000
[   32.894076] page dumped because: kasan: bad access detected
[   32.899776]
[   32.901391] Memory state around the buggy address:
[   32.906318]  ffff8801a910fa00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   32.913748]  ffff8801a910fa80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   32.921096] >ffff8801a910fb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.928442]                                                     ^
[   32.934669]  ffff8801a910fb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.942114]  ffff8801a910fc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.949465] ==================================================================
[   32.956835] Disabling lock debugging due to kernel taint
[   32.962553] Kernel panic - not syncing: panic_on_warn set ...
[   32.962553]
[   32.969932] CPU: 1 PID: 4513 Comm: syz-executor170 Tainted: G    B             4.17.0-rc6+ #68
[   32.978681] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.988027] Call Trace:
[   32.990612]  dump_stack+0x1b9/0x294
[   32.994243]  ? dump_stack_print_info.cold.2+0x52/0x52
[   32.999429]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   33.004217]  ? nla_strlcpy+0x70/0x150
[   33.008212]  panic+0x22f/0x4de
[   33.011406]  ? add_taint.cold.5+0x16/0x16
[   33.015554]  ? do_raw_spin_unlock+0x9e/0x2e0
[   33.019943]  ? do_raw_spin_unlock+0x9e/0x2e0
[   33.024333]  ? nla_strlcpy+0x13d/0x150
[   33.028202]  kasan_end_report+0x47/0x4f
[   33.032155]  kasan_report.cold.7+0x76/0x2fe
[   33.036466]  __asan_report_load1_noabort+0x14/0x20
[   33.041377]  nla_strlcpy+0x13d/0x150
[   33.045074]  nfnl_acct_new+0x574/0xc50
[   33.048947]  ? nfnl_acct_overquota+0x380/0x380
[   33.053512]  ? debug_check_no_locks_freed+0x310/0x310
[   33.058687]  ? graph_lock+0x170/0x170
[   33.062491]  ? print_usage_bug+0xc0/0xc0
[   33.066591]  ? find_held_lock+0x36/0x1c0
[   33.070656]  ? graph_lock+0x170/0x170
[   33.074447]  ? lock_downgrade+0x8e0/0x8e0
[   33.078580]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.084099]  ? __lock_is_held+0xb5/0x140
[   33.088143]  ? nfnl_acct_overquota+0x380/0x380
[   33.092708]  nfnetlink_rcv_msg+0xdb5/0xff0
[   33.096933]  ? __sanitizer_cov_trace_cmp1+0x17/0x20
[   33.101942]  ? nfnetlink_rcv_msg+0x3bc/0xff0
[   33.106345]  ? nfnetlink_bind+0x3a0/0x3a0
[   33.110485]  ? graph_lock+0x170/0x170
[   33.114275]  ? find_held_lock+0x36/0x1c0
[   33.118332]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.123868]  netlink_rcv_skb+0x172/0x440
[   33.127913]  ? nfnetlink_bind+0x3a0/0x3a0
[   33.132055]  ? netlink_ack+0xbc0/0xbc0
[   33.135935]  ? __netlink_ns_capable+0x100/0x130
[   33.140596]  nfnetlink_rcv+0x1fe/0x1ba0
[   33.144570]  ? kasan_check_read+0x11/0x20
[   33.148720]  ? rcu_is_watching+0x85/0x140
[   33.152848]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   33.158290]  ? nfnl_err_reset+0x2d0/0x2d0
[   33.162426]  ? netlink_remove_tap+0x610/0x610
[   33.166905]  ? refcount_add_not_zero+0x320/0x320
[   33.171645]  ? kasan_check_read+0x11/0x20
[   33.175787]  ? rcu_is_watching+0x85/0x140
[   33.179933]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   33.185115]  ? netlink_skb_destructor+0x210/0x210
[   33.189950]  ? kasan_check_write+0x14/0x20
[   33.194172]  netlink_unicast+0x58b/0x740
[   33.198216]  ? netlink_attachskb+0x970/0x970
[   33.202606]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.208215]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   33.213220]  ? security_netlink_send+0x88/0xb0
[   33.217786]  netlink_sendmsg+0x9f0/0xfa0
[   33.221830]  ? netlink_unicast+0x740/0x740
[   33.226045]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.231561]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.237099]  ? security_socket_sendmsg+0x94/0xc0
[   33.241849]  ? netlink_unicast+0x740/0x740
[   33.246090]  sock_sendmsg+0xd5/0x120
[   33.249787]  sock_write_iter+0x35a/0x5a0
[   33.253831]  ? sock_sendmsg+0x120/0x120
[   33.258238]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   33.263806]  ? iov_iter_init+0xc9/0x1f0
[   33.267781]  __vfs_write+0x64d/0x960
[   33.271482]  ? kernel_read+0x120/0x120
[   33.275353]  ? lock_downgrade+0x8e0/0x8e0
[   33.279499]  ? handle_mm_fault+0x8c0/0xc70
[   33.283717]  ? handle_mm_fault+0x55a/0xc70
[   33.287930]  ? rw_verify_area+0x118/0x360
[   33.292056]  vfs_write+0x1f8/0x560
[   33.295579]  ksys_write+0xf9/0x250
[   33.299105]  ? __ia32_sys_read+0xb0/0xb0
[   33.303159]  __x64_sys_write+0x73/0xb0
[   33.307034]  do_syscall_64+0x1b1/0x800
[   33.310905]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   33.315732]  ? syscall_return_slowpath+0x5c0/0x5c0
[   33.320647]  ? syscall_return_slowpath+0x30f/0x5c0
[   33.325566]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.331086]  ? retint_user+0x18/0x18
[   33.334797]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   33.339618]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.344792] RIP: 0033:0x4400e9
[   33.347973] RSP: 002b:00007fff17c18608 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   33.355679] RAX: ffffffffffffffda RBX: 00007fff17c18630 RCX: 00000000004400e9
[   33.362952] RDX: 000000000000001f RSI: 0000000020390000 RDI: 0000000000000003
[   33.370243] RBP: 0000000000000000 R08: 00007fff17c18680 R09: 00007fff17c18680
[   33.377525] R10: 00007fff17c18680 R11: 0000000000000246 R12: 0000000000401a10
[   33.384886] R13: 0000000000401aa0 R14: 0000000000000000 R15: 0000000000000000
[   33.392695] Dumping ftrace buffer:
[   33.396235]    (ftrace buffer empty)
[   33.399946] Kernel Offset: disabled
[   33.403654] Rebooting in 86400 seconds..