[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   32.522068] random: sshd: uninitialized urandom read (32 bytes read)
[   32.815812] audit: type=1400 audit(1539419103.212:6): avc:  denied  { map } for  pid=1770 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   32.847156] random: sshd: uninitialized urandom read (32 bytes read)
[   33.297385] random: sshd: uninitialized urandom read (32 bytes read)
[   49.077077] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.119' (ECDSA) to the list of known hosts.
[   54.696423] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   54.789536] audit: type=1400 audit(1539419125.182:7): avc:  denied  { map } for  pid=1794 comm="syz-executor610" path="/root/syz-executor610130765" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   54.815873] audit: type=1400 audit(1539419125.192:8): avc:  denied  { prog_load } for  pid=1794 comm="syz-executor610" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[   54.838869] ==================================================================
[   54.838890] BUG: KASAN: use-after-free in bpf_clone_redirect+0x29a/0x2b0
[   54.838895] Read of size 8 at addr ffff8801d13da310 by task syz-executor610/1794
[   54.838897] 
[   54.838904] CPU: 0 PID: 1794 Comm: syz-executor610 Not tainted 4.14.75+ #18
[   54.838907] Call Trace:
[   54.838917]  dump_stack+0xb9/0x11b
[   54.838930]  print_address_description+0x60/0x22b
[   54.838939]  kasan_report.cold.6+0x11b/0x2dd
[   54.838944]  ? bpf_clone_redirect+0x29a/0x2b0
[   54.838952]  bpf_clone_redirect+0x29a/0x2b0
[   54.838962]  ___bpf_prog_run+0x248e/0x5c70
[   54.838971]  ? __free_insn_slot+0x490/0x490
[   54.838979]  ? bpf_jit_compile+0x30/0x30
[   54.838990]  ? depot_save_stack+0x20a/0x428
[   54.839000]  ? __bpf_prog_run512+0x99/0xe0
[   54.839006]  ? ___bpf_prog_run+0x5c70/0x5c70
[   54.839023]  ? __lock_acquire+0x619/0x4320
[   54.839036]  ? trace_hardirqs_on+0x10/0x10
[   54.839047]  ? trace_hardirqs_on+0x10/0x10
[   54.839057]  ? __lock_acquire+0x619/0x4320
[   54.839069]  ? get_unused_fd_flags+0xc0/0xc0
[   54.839084]  ? bpf_test_run+0x57/0x350
[   54.839098]  ? lock_acquire+0x10f/0x380
[   54.839109]  ? check_preemption_disabled+0x34/0x160
[   54.839122]  ? bpf_test_run+0xab/0x350
[   54.839138]  ? bpf_prog_test_run_skb+0x6b0/0x8c0
[   54.839148]  ? bpf_test_init.isra.1+0xc0/0xc0
[   54.839158]  ? __fget_light+0x163/0x1f0
[   54.839163]  ? bpf_prog_add+0x42/0xa0
[   54.839173]  ? bpf_test_init.isra.1+0xc0/0xc0
[   54.839182]  ? SyS_bpf+0x79d/0x3640
[   54.839195]  ? bpf_prog_get+0x20/0x20
[   54.839202]  ? __do_page_fault+0x485/0xb60
[   54.839209]  ? lock_downgrade+0x560/0x560
[   54.839223]  ? up_read+0x17/0x30
[   54.839228]  ? __do_page_fault+0x64c/0xb60
[   54.839239]  ? do_syscall_64+0x43/0x4b0
[   54.839248]  ? bpf_prog_get+0x20/0x20
[   54.839252]  ? do_syscall_64+0x19b/0x4b0
[   54.839264]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   54.839280] 
[   54.839283] Allocated by task 227:
[   54.839290]  kasan_kmalloc.part.1+0x4f/0xd0
[   54.839295]  kmem_cache_alloc+0xe4/0x2b0
[   54.839301]  __alloc_skb+0xd8/0x550
[   54.839306]  alloc_skb_with_frags+0xab/0x500
[   54.839311]  sock_alloc_send_pskb+0x55e/0x6e0
[   54.839317]  unix_dgram_sendmsg+0x37b/0xf50
[   54.839322]  sock_sendmsg+0xb5/0x100
[   54.839328]  SyS_sendto+0x211/0x340
[   54.839332]  do_syscall_64+0x19b/0x4b0
[   54.839337]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   54.839339] 
[   54.839341] Freed by task 191:
[   54.839346]  kasan_slab_free+0xac/0x190
[   54.839351]  kmem_cache_free+0x12d/0x350
[   54.839356]  kfree_skbmem+0x9e/0x100
[   54.839360]  consume_skb+0xc9/0x330
[   54.839366]  skb_free_datagram+0x15/0xd0
[   54.839370]  unix_dgram_recvmsg+0x762/0xd20
[   54.839375]  sock_recvmsg+0xc0/0x100
[   54.839380]  SyS_recvfrom+0x1d2/0x310
[   54.839384]  do_syscall_64+0x19b/0x4b0
[   54.839388]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   54.839389] 
[   54.839393] The buggy address belongs to the object at ffff8801d13da280
[   54.839393]  which belongs to the cache skbuff_head_cache of size 224
[   54.839400] The buggy address is located 144 bytes inside of
[   54.839400]  224-byte region [ffff8801d13da280, ffff8801d13da360)
[   54.839402] The buggy address belongs to the page:
[   54.839407] page:ffffea000744f680 count:1 mapcount:0 mapping:          (null) index:0x0
[   54.839413] flags: 0x4000000000000100(slab)
[   54.839421] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[   54.839428] raw: ffffea00074f4f80 0000000800000008 ffff8801dab70200 0000000000000000
[   54.839431] page dumped because: kasan: bad access detected
[   54.839432] 
[   54.839434] Memory state around the buggy address:
[   54.839438]  ffff8801d13da200: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   54.839443]  ffff8801d13da280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   54.839447] >ffff8801d13da300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   54.839449]                          ^
[   54.839454]  ffff8801d13da380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   54.839458]  ffff8801d13da400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   54.839460] ==================================================================
[   54.839462] Disabling lock debugging due to kernel taint
[   54.839465] Kernel panic - not syncing: panic_on_warn set ...
[   54.839465] 
[   54.839471] CPU: 0 PID: 1794 Comm: syz-executor610 Tainted: G    B           4.14.75+ #18
[   54.839472] Call Trace:
[   54.839488]  dump_stack+0xb9/0x11b
[   54.839495]  panic+0x1bf/0x3a4
[   54.839501]  ? add_taint.cold.4+0x16/0x16
[   54.839520]  kasan_end_report+0x43/0x49
[   54.839526]  kasan_report.cold.6+0x77/0x2dd
[   54.839532]  ? bpf_clone_redirect+0x29a/0x2b0
[   54.839539]  bpf_clone_redirect+0x29a/0x2b0
[   54.839547]  ___bpf_prog_run+0x248e/0x5c70
[   54.839554]  ? __free_insn_slot+0x490/0x490
[   54.839560]  ? bpf_jit_compile+0x30/0x30
[   54.839567]  ? depot_save_stack+0x20a/0x428
[   54.839575]  ? __bpf_prog_run512+0x99/0xe0
[   54.839581]  ? ___bpf_prog_run+0x5c70/0x5c70
[   54.839591]  ? __lock_acquire+0x619/0x4320
[   54.839599]  ? trace_hardirqs_on+0x10/0x10
[   54.839607]  ? trace_hardirqs_on+0x10/0x10
[   54.839614]  ? __lock_acquire+0x619/0x4320
[   54.839621]  ? get_unused_fd_flags+0xc0/0xc0
[   54.839640]  ? bpf_test_run+0x57/0x350
[   54.839649]  ? lock_acquire+0x10f/0x380
[   54.839656]  ? check_preemption_disabled+0x34/0x160
[   54.839664]  ? bpf_test_run+0xab/0x350
[   54.839674]  ? bpf_prog_test_run_skb+0x6b0/0x8c0
[   54.839682]  ? bpf_test_init.isra.1+0xc0/0xc0
[   54.839688]  ? __fget_light+0x163/0x1f0
[   54.839694]  ? bpf_prog_add+0x42/0xa0
[   54.839700]  ? bpf_test_init.isra.1+0xc0/0xc0
[   54.839706]  ? SyS_bpf+0x79d/0x3640
[   54.839715]  ? bpf_prog_get+0x20/0x20
[   54.839720]  ? __do_page_fault+0x485/0xb60
[   54.839725]  ? lock_downgrade+0x560/0x560
[   54.839734]  ? up_read+0x17/0x30
[   54.839739]  ? __do_page_fault+0x64c/0xb60
[   54.839746]  ? do_syscall_64+0x43/0x4b0
[   54.839753]  ? bpf_prog_get+0x20/0x20
[   54.839757]  ? do_syscall_64+0x19b/0x4b0
[   54.839765]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   54.847147] Kernel Offset: 0x36600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   55.419771] Rebooting in 86400 seconds..