[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   32.522068] random: sshd: uninitialized urandom read (32 bytes read)
[   32.815812] audit: type=1400 audit(1539419103.212:6): avc: denied { map } for pid=1770 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   32.847156] random: sshd: uninitialized urandom read (32 bytes read)
[   33.297385] random: sshd: uninitialized urandom read (32 bytes read)
[   49.077077] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.119' (ECDSA) to the list of known hosts.
[   54.696423] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   54.789536] audit: type=1400 audit(1539419125.182:7): avc: denied { map } for pid=1794 comm="syz-executor610" path="/root/syz-executor610130765" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   54.815873] audit: type=1400 audit(1539419125.192:8): avc: denied { prog_load } for pid=1794 comm="syz-executor610" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[   54.838869] ==================================================================
[   54.838890] BUG: KASAN: use-after-free in bpf_clone_redirect+0x29a/0x2b0
[   54.838895] Read of size 8 at addr ffff8801d13da310 by task syz-executor610/1794
[   54.838897] 
[   54.838904] CPU: 0 PID: 1794 Comm: syz-executor610 Not tainted 4.14.75+ #18
[   54.838907] Call Trace:
[   54.838917]  dump_stack+0xb9/0x11b
[   54.838930]  print_address_description+0x60/0x22b
[   54.838939]  kasan_report.cold.6+0x11b/0x2dd
[   54.838944]  ? bpf_clone_redirect+0x29a/0x2b0
[   54.838952]  bpf_clone_redirect+0x29a/0x2b0
[   54.838962]  ___bpf_prog_run+0x248e/0x5c70
[   54.838971]  ? __free_insn_slot+0x490/0x490
[   54.838979]  ? bpf_jit_compile+0x30/0x30
[   54.838990]  ? depot_save_stack+0x20a/0x428
[   54.839000]  ? __bpf_prog_run512+0x99/0xe0
[   54.839006]  ? ___bpf_prog_run+0x5c70/0x5c70
[   54.839023]  ? __lock_acquire+0x619/0x4320
[   54.839036]  ? trace_hardirqs_on+0x10/0x10
[   54.839047]  ? trace_hardirqs_on+0x10/0x10
[   54.839057]  ? __lock_acquire+0x619/0x4320
[   54.839069]  ? get_unused_fd_flags+0xc0/0xc0
[   54.839084]  ? bpf_test_run+0x57/0x350
[   54.839098]  ? lock_acquire+0x10f/0x380
[   54.839109]  ? check_preemption_disabled+0x34/0x160
[   54.839122]  ? bpf_test_run+0xab/0x350
[   54.839138]  ? bpf_prog_test_run_skb+0x6b0/0x8c0
[   54.839148]  ? bpf_test_init.isra.1+0xc0/0xc0
[   54.839158]  ? __fget_light+0x163/0x1f0
[   54.839163]  ? bpf_prog_add+0x42/0xa0
[   54.839173]  ? bpf_test_init.isra.1+0xc0/0xc0
[   54.839182]  ? SyS_bpf+0x79d/0x3640
[   54.839195]  ? bpf_prog_get+0x20/0x20
[   54.839202]  ? __do_page_fault+0x485/0xb60
[   54.839209]  ? lock_downgrade+0x560/0x560
[   54.839223]  ? up_read+0x17/0x30
[   54.839228]  ? __do_page_fault+0x64c/0xb60
[   54.839239]  ? do_syscall_64+0x43/0x4b0
[   54.839248]  ? bpf_prog_get+0x20/0x20
[   54.839252]  ? do_syscall_64+0x19b/0x4b0
[   54.839264]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   54.839280] 
[   54.839283] Allocated by task 227:
[   54.839290]  kasan_kmalloc.part.1+0x4f/0xd0
[   54.839295]  kmem_cache_alloc+0xe4/0x2b0
[   54.839301]  __alloc_skb+0xd8/0x550
[   54.839306]  alloc_skb_with_frags+0xab/0x500
[   54.839311]  sock_alloc_send_pskb+0x55e/0x6e0
[   54.839317]  unix_dgram_sendmsg+0x37b/0xf50
[   54.839322]  sock_sendmsg+0xb5/0x100
[   54.839328]  SyS_sendto+0x211/0x340
[   54.839332]  do_syscall_64+0x19b/0x4b0
[   54.839337]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   54.839339] 
[   54.839341] Freed by task 191:
[   54.839346]  kasan_slab_free+0xac/0x190
[   54.839351]  kmem_cache_free+0x12d/0x350
[   54.839356]  kfree_skbmem+0x9e/0x100
[   54.839360]  consume_skb+0xc9/0x330
[   54.839366]  skb_free_datagram+0x15/0xd0
[   54.839370]  unix_dgram_recvmsg+0x762/0xd20
[   54.839375]  sock_recvmsg+0xc0/0x100
[   54.839380]  SyS_recvfrom+0x1d2/0x310
[   54.839384]  do_syscall_64+0x19b/0x4b0
[   54.839388]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   54.839389] 
[   54.839393] The buggy address belongs to the object at ffff8801d13da280
[   54.839393]  which belongs to the cache skbuff_head_cache of size 224
[   54.839400] The buggy address is located 144 bytes inside of
[   54.839400]  224-byte region [ffff8801d13da280, ffff8801d13da360)
[   54.839402] The buggy address belongs to the page:
[   54.839407] page:ffffea000744f680 count:1 mapcount:0 mapping: (null) index:0x0
[   54.839413] flags: 0x4000000000000100(slab)
[   54.839421] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[   54.839428] raw: ffffea00074f4f80 0000000800000008 ffff8801dab70200 0000000000000000
[   54.839431] page dumped because: kasan: bad access detected
[   54.839432] 
[   54.839434] Memory state around the buggy address:
[   54.839438]  ffff8801d13da200: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   54.839443]  ffff8801d13da280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   54.839447] >ffff8801d13da300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   54.839449]                          ^
[   54.839454]  ffff8801d13da380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   54.839458]  ffff8801d13da400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   54.839460] ==================================================================
[   54.839462] Disabling lock debugging due to kernel taint
[   54.839465] Kernel panic - not syncing: panic_on_warn set ...
[   54.839465] 
[   54.839471] CPU: 0 PID: 1794 Comm: syz-executor610 Tainted: G    B            4.14.75+ #18
[   54.839472] Call Trace:
[   54.839488]  dump_stack+0xb9/0x11b
[   54.839495]  panic+0x1bf/0x3a4
[   54.839501]  ? add_taint.cold.4+0x16/0x16
[   54.839520]  kasan_end_report+0x43/0x49
[   54.839526]  kasan_report.cold.6+0x77/0x2dd
[   54.839532]  ? bpf_clone_redirect+0x29a/0x2b0
[   54.839539]  bpf_clone_redirect+0x29a/0x2b0
[   54.839547]  ___bpf_prog_run+0x248e/0x5c70
[   54.839554]  ? __free_insn_slot+0x490/0x490
[   54.839560]  ? bpf_jit_compile+0x30/0x30
[   54.839567]  ? depot_save_stack+0x20a/0x428
[   54.839575]  ? __bpf_prog_run512+0x99/0xe0
[   54.839581]  ? ___bpf_prog_run+0x5c70/0x5c70
[   54.839591]  ? __lock_acquire+0x619/0x4320
[   54.839599]  ? trace_hardirqs_on+0x10/0x10
[   54.839607]  ? trace_hardirqs_on+0x10/0x10
[   54.839614]  ? __lock_acquire+0x619/0x4320
[   54.839621]  ? get_unused_fd_flags+0xc0/0xc0
[   54.839640]  ? bpf_test_run+0x57/0x350
[   54.839649]  ? lock_acquire+0x10f/0x380
[   54.839656]  ? check_preemption_disabled+0x34/0x160
[   54.839664]  ? bpf_test_run+0xab/0x350
[   54.839674]  ? bpf_prog_test_run_skb+0x6b0/0x8c0
[   54.839682]  ? bpf_test_init.isra.1+0xc0/0xc0
[   54.839688]  ? __fget_light+0x163/0x1f0
[   54.839694]  ? bpf_prog_add+0x42/0xa0
[   54.839700]  ? bpf_test_init.isra.1+0xc0/0xc0
[   54.839706]  ? SyS_bpf+0x79d/0x3640
[   54.839715]  ? bpf_prog_get+0x20/0x20
[   54.839720]  ? __do_page_fault+0x485/0xb60
[   54.839725]  ? lock_downgrade+0x560/0x560
[   54.839734]  ? up_read+0x17/0x30
[   54.839739]  ? __do_page_fault+0x64c/0xb60
[   54.839746]  ? do_syscall_64+0x43/0x4b0
[   54.839753]  ? bpf_prog_get+0x20/0x20
[   54.839757]  ? do_syscall_64+0x19b/0x4b0
[   54.839765]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   54.847147] Kernel Offset: 0x36600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   55.419771] Rebooting in 86400 seconds..
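The report above, parsed into fields and cross-checked before it is trusted, as an added example; this is not code from syzkaller or from the kernel. It assumes the 4.14-era KASAN report layout seen above (one shadow byte per 8 bytes of memory, 16 shadow bytes per printed row, 0xfb marking a freed slab object), and SAMPLE is an abbreviated excerpt of the report above with its printk timestamps kept, constructed for the run.

```python
"""Parse a KASAN report out of a serial-console log and cross-check it.  Added
example, not syzkaller or kernel code; SAMPLE is an abbreviated excerpt of the report above."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # printk timestamp prefix
_HDR = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>\S+)")
_ACC = re.compile(r"of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task")
_OBJ = re.compile(r"belongs to the object at (?P<start>[0-9a-f]+)")
_CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
_OFF = re.compile(r"located (?P<off>\d+) bytes (?:inside|to the (?:right|left)) of")
_SHADOW = re.compile(r"^>?(?P<row>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2}\s?)+)$")
_STACK = re.compile(r"^(Call Trace|Allocated by task \d+|Freed by task \d+):$")

@dataclass
class KasanReport:
    bug: str                  # e.g. "use-after-free"
    func: str                 # e.g. "bpf_clone_redirect+0x29a/0x2b0"
    size: int = 0             # access width in bytes
    addr: int = 0             # faulting address
    cache: str = ""
    object_start: int = 0
    object_size: int = 0
    reported_offset: Optional[int] = None
    stacks: Dict[str, List[str]] = field(default_factory=dict)  # "Call Trace"/"Allocated"/"Freed"
    shadow: Dict[int, List[int]] = field(default_factory=dict)  # row base -> 16 shadow bytes

def parse_kasan(log: str) -> Optional[KasanReport]:
    """Return the first KASAN report in the log, or None if there is none."""
    rep, current = None, None  # current: the stack whose frames are being collected
    for raw in log.splitlines():
        s = _TS.sub("", raw).strip()
        if rep is None:
            if m := _HDR.search(s):
                rep = KasanReport(m["bug"], m["func"])
            continue
        if s.startswith("====="):  # the closing rule ends the report
            break
        if m := _STACK.match(s):
            current = rep.stacks.setdefault(m[1].split(" by ")[0], [])
        elif current is not None and s:  # a frame line; "? " frames are kept
            current.append(s)
        elif current is not None:  # a blank line closes the stack
            current = None
        elif m := _ACC.search(s):
            rep.size, rep.addr = int(m["size"]), int(m["addr"], 16)
        elif m := _OBJ.search(s):
            rep.object_start = int(m["start"], 16)
        elif m := _CACHE.search(s):
            rep.cache, rep.object_size = m["cache"], int(m["size"])
        elif m := _OFF.search(s):
            rep.reported_offset = int(m["off"])
        elif m := _SHADOW.match(s):
            rep.shadow[int(m["row"], 16)] = [int(b, 16) for b in m["bytes"].split()]
    return rep

def syscall_of(frames: List[str]) -> Optional[str]:  # syscall entry frame of a stack, if any
    for f in frames:
        name = f.lstrip("? ").split("+", 1)[0]  # unreliable "? " frames are consulted too
        if name.startswith(("SyS_", "sys_", "__x64_sys_", "__se_sys_")):
            return name
    return None

def shadow_byte(rep: KasanReport, addr: int) -> Optional[int]:
    row = rep.shadow.get(addr & ~0x7f)  # a printed row is 16 shadow bytes, 8 bytes each
    return row[(addr & 0x7f) // 8] if row else None

def check_report(rep: KasanReport) -> List[str]:  # empty list: the report is self-consistent
    off, problems = rep.addr - rep.object_start, []
    if rep.reported_offset is not None and off != rep.reported_offset:
        problems.append(f"offset mismatch: computed {off}, reported {rep.reported_offset}")
    if not 0 <= off < rep.object_size:
        problems.append("fault is outside the object: out-of-bounds, not a use-after-free")
    if rep.bug == "use-after-free" and shadow_byte(rep, rep.addr) != 0xfb:  # KASAN_KMALLOC_FREE
        problems.append("shadow byte at the fault is not 0xfb, so the object was not freed")
    return problems

SAMPLE = """\
[   54.838869] ==================================================================
[   54.838890] BUG: KASAN: use-after-free in bpf_clone_redirect+0x29a/0x2b0
[   54.838895] Read of size 8 at addr ffff8801d13da310 by task syz-executor610/1794
[   54.838907] Call Trace:
[   54.838952]  bpf_clone_redirect+0x29a/0x2b0
[   54.839182]  ? SyS_bpf+0x79d/0x3640
[   54.839280]
[   54.839283] Allocated by task 227:
[   54.839317]  unix_dgram_sendmsg+0x37b/0xf50
[   54.839328]  SyS_sendto+0x211/0x340
[   54.839339]
[   54.839341] Freed by task 191:
[   54.839370]  unix_dgram_recvmsg+0x762/0xd20
[   54.839380]  SyS_recvfrom+0x1d2/0x310
[   54.839389]
[   54.839393] The buggy address belongs to the object at ffff8801d13da280
[   54.839393]  which belongs to the cache skbuff_head_cache of size 224
[   54.839400] The buggy address is located 144 bytes inside of
[   54.839447] >ffff8801d13da300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   54.839460] ==================================================================
"""
```

check_report() returns an empty list for the report above: the computed offset (0xffff8801d13da310 minus 0xffff8801d13da280 is 144) matches the reported one, the 8-byte read lies inside the 224-byte skbuff_head_cache object, and the shadow byte under the fault is 0xfb. syscall_of() on the three stacks gives SyS_sendto, SyS_recvfrom and SyS_bpf, which is the one-line triage summary: an skb allocated by a unix datagram send, freed by the matching receive, and read again by bpf_clone_redirect under a bpf() syscall (the full trace above shows bpf_prog_test_run_skb on that path).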