[   33.358826] audit: type=1800 audit(1577901194.567:33): pid=6938 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[   33.385374] audit: type=1800 audit(1577901194.567:34): pid=6938 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   37.310682] random: sshd: uninitialized urandom read (32 bytes read)
[   37.611459] audit: type=1400 audit(1577901198.827:35): avc:  denied  { map } for  pid=7113 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   37.668863] random: sshd: uninitialized urandom read (32 bytes read)
[   38.244918] random: sshd: uninitialized urandom read (32 bytes read)
[   38.425826] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.95' (ECDSA) to the list of known hosts.
[   44.077268] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
[   44.191047] audit: type=1400 audit(1577901205.407:36): avc:  denied  { map } for  pid=7125 comm="syz-executor036" path="/root/syz-executor036273740" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   44.225236] ==================================================================
[   44.225264] BUG: KASAN: global-out-of-bounds in fbcon_get_font+0x288/0x550
[   44.225271] Read of size 32 at addr ffffffff87064ca0 by task syz-executor036/7127
[   44.225273] 
[   44.225282] CPU: 1 PID: 7127 Comm: syz-executor036 Not tainted 4.14.161-syzkaller #0
[   44.225287] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   44.225289] Call Trace:
[   44.225299]  dump_stack+0x142/0x197
[   44.225305]  ? fbcon_get_font+0x288/0x550
[   44.225312]  print_address_description.cold+0x5/0x1dc
[   44.225317]  ? fbcon_get_font+0x288/0x550
[   44.225321]  kasan_report.cold+0xa9/0x2af
[   44.225328]  check_memory_region+0x123/0x190
[   44.225332]  memcpy+0x24/0x50
[   44.225337]  fbcon_get_font+0x288/0x550
[   44.225343]  ? display_to_var+0x7e0/0x7e0
[   44.225348]  con_font_op+0x1d5/0x1060
[   44.225353]  ? avc_has_extended_perms+0x7b7/0xe40
[   44.225359]  ? con_write+0xc0/0xc0
[   44.225365]  ? security_capable+0x8e/0xc0
[   44.225373]  ? ns_capable_common+0x12c/0x160
[   44.225379]  vt_ioctl+0xb80/0x2170
[   44.225383]  ? avc_has_extended_perms+0x8ec/0xe40
[   44.225389]  ? complete_change_console+0x360/0x360
[   44.225394]  ? avc_ss_reset+0x110/0x110
[   44.225397]  ? kasan_slab_free+0x75/0xc0
[   44.225403]  ? SyS_open+0x2d/0x40
[   44.225409]  ? do_syscall_64+0x1e8/0x640
[   44.225414]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   44.225421]  ? debug_check_no_obj_freed+0x2aa/0x7b7
[   44.225426]  ? tty_jobctrl_ioctl+0x44/0xc10
[   44.225431]  ? complete_change_console+0x360/0x360
[   44.225437]  tty_ioctl+0x841/0x1320
[   44.225442]  ? tty_vhangup+0x30/0x30
[   44.225452]  ? __might_sleep+0x93/0xb0
[   44.225459]  ? tty_vhangup+0x30/0x30
[   44.225466]  do_vfs_ioctl+0x7ae/0x1060
[   44.225472]  ? selinux_file_mprotect+0x5d0/0x5d0
[   44.225478]  ? ioctl_preallocate+0x1c0/0x1c0
[   44.225482]  ? putname+0xe0/0x120
[   44.225487]  ? do_sys_open+0x221/0x430
[   44.225501]  ? security_file_ioctl+0x7d/0xb0
[   44.225505]  ? security_file_ioctl+0x89/0xb0
[   44.225511]  SyS_ioctl+0x8f/0xc0
[   44.225516]  ? do_vfs_ioctl+0x1060/0x1060
[   44.225521]  do_syscall_64+0x1e8/0x640
[   44.225525]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   44.225532]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   44.225536] RIP: 0033:0x4412d9
[   44.225539] RSP: 002b:00007ffc5eb95078 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   44.225545] RAX: ffffffffffffffda RBX: 00000000004a2487 RCX: 00000000004412d9
[   44.225548] RDX: 0000000020000200 RSI: 0000000000004b60 RDI: 0000000000000004
[   44.225551] RBP: 000000000000aca1 R08: 000000000000000d R09: 00000000004002c8
[   44.225553] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402100
[   44.225556] R13: 0000000000402190 R14: 0000000000000000 R15: 0000000000000000
[   44.225563] 
[   44.225566] The buggy address belongs to the variable:
[   44.225571]  fontdata_8x16+0x1000/0x1120
[   44.225572] 
[   44.225574] Memory state around the buggy address:
[   44.225578]  ffffffff87064b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   44.225581]  ffffffff87064c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   44.225584] >ffffffff87064c80: 00 00 00 00 fa fa fa fa 06 fa fa fa fa fa fa fa
[   44.225586]                                ^
[   44.225590]  ffffffff87064d00: 05 fa fa fa fa fa fa fa 06 fa fa fa fa fa fa fa
[   44.225593]  ffffffff87064d80: 00 00 03 fa fa fa fa fa 00 00 00 00 00 00 00 00
[   44.225595] ==================================================================
[   44.225597] Disabling lock debugging due to kernel taint
[   44.225599] Kernel panic - not syncing: panic_on_warn set ...
[   44.225599] 
[   44.225603] CPU: 1 PID: 7127 Comm: syz-executor036 Tainted: G    B           4.14.161-syzkaller #0
[   44.225606] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   44.225607] Call Trace:
[   44.225611]  dump_stack+0x142/0x197
[   44.225615]  ? fbcon_get_font+0x288/0x550
[   44.225620]  panic+0x1f9/0x42d
[   44.225623]  ? add_taint.cold+0x16/0x16
[   44.225629]  ? lock_downgrade+0x740/0x740
[   44.225635]  kasan_end_report+0x47/0x4f
[   44.225638]  kasan_report.cold+0x130/0x2af
[   44.225643]  check_memory_region+0x123/0x190
[   44.225647]  memcpy+0x24/0x50
[   44.225651]  fbcon_get_font+0x288/0x550
[   44.225655]  ? display_to_var+0x7e0/0x7e0
[   44.225658]  con_font_op+0x1d5/0x1060
[   44.225662]  ? avc_has_extended_perms+0x7b7/0xe40
[   44.225666]  ? con_write+0xc0/0xc0
[   44.225670]  ? security_capable+0x8e/0xc0
[   44.225674]  ? ns_capable_common+0x12c/0x160
[   44.225678]  vt_ioctl+0xb80/0x2170
[   44.225681]  ? avc_has_extended_perms+0x8ec/0xe40
[   44.225686]  ? complete_change_console+0x360/0x360
[   44.225689]  ? avc_ss_reset+0x110/0x110
[   44.225693]  ? kasan_slab_free+0x75/0xc0
[   44.225697]  ? SyS_open+0x2d/0x40
[   44.225700]  ? do_syscall_64+0x1e8/0x640
[   44.225704]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   44.225708]  ? debug_check_no_obj_freed+0x2aa/0x7b7
[   44.225712]  ? tty_jobctrl_ioctl+0x44/0xc10
[   44.225715]  ? complete_change_console+0x360/0x360
[   44.225719]  tty_ioctl+0x841/0x1320
[   44.225723]  ? tty_vhangup+0x30/0x30
[   44.225729]  ? __might_sleep+0x93/0xb0
[   44.225735]  ? tty_vhangup+0x30/0x30
[   44.225739]  do_vfs_ioctl+0x7ae/0x1060
[   44.225743]  ? selinux_file_mprotect+0x5d0/0x5d0
[   44.225747]  ? ioctl_preallocate+0x1c0/0x1c0
[   44.225751]  ? putname+0xe0/0x120
[   44.225755]  ? do_sys_open+0x221/0x430
[   44.225760]  ? security_file_ioctl+0x7d/0xb0
[   44.225763]  ? security_file_ioctl+0x89/0xb0
[   44.225768]  SyS_ioctl+0x8f/0xc0
[   44.225772]  ? do_vfs_ioctl+0x1060/0x1060
[   44.225776]  do_syscall_64+0x1e8/0x640
[   44.225779]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   44.225785]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   44.225787] RIP: 0033:0x4412d9
[   44.225789] RSP: 002b:00007ffc5eb95078 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   44.225793] RAX: ffffffffffffffda RBX: 00000000004a2487 RCX: 00000000004412d9
[   44.225796] RDX: 0000000020000200 RSI: 0000000000004b60 RDI: 0000000000000004
[   44.225798] RBP: 000000000000aca1 R08: 000000000000000d R09: 00000000004002c8
[   44.225800] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402100
[   44.225802] R13: 0000000000402190 R14: 0000000000000000 R15: 0000000000000000
[   44.227064] Kernel Offset: disabled
[   44.815223] Rebooting in 86400 seconds..
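Reading the report by hand: the register dump shows the faulting syscall is ioctl (ORIG_RAX 0x10 is __NR_ioctl on x86-64) with request 0x4b60, which is GIO_FONT in linux/kd.h, on fd 4; that is the vt_ioctl -> con_font_op -> fbcon_get_font path in the trace, and the 32-byte memcpy read lands at fontdata_8x16+0x1000, i.e. exactly at the end of a 256-glyph, 16-bytes-per-glyph font table. The script below is an added example, not part of the syzkaller log: it parses the report lines above (embedded in REPORT so it runs offline) and decodes the "Memory state" shadow bytes using KASAN's encoding (one shadow byte per 8-byte granule; 00 = fully addressable, 01..07 = only the first N bytes addressable, fa = global redzone and the other poison values from mm/kasan/kasan.h) to confirm where the object ends and how many of the accessed bytes are out of bounds. The function names parse_report, classify and analyze are this example's own.

```python
"""Decode the KASAN shadow dump of a global-out-of-bounds report.

Added example; not part of the syzkaller report. The REPORT text below is
copied from the console log so the script runs offline.
"""
import re
from collections import Counter

GRANULE = 8                      # bytes of memory per shadow byte on x86-64
POISON = {                       # selected poison values from mm/kasan/kasan.h
    0xF1: "stack left redzone",
    0xF2: "stack mid redzone",
    0xF3: "stack right redzone",
    0xF4: "stack partial redzone",
    0xF8: "use-after-scope",
    0xFA: "global redzone",
    0xFB: "freed kmalloc object",
    0xFC: "kmalloc redzone",
    0xFE: "page redzone",
    0xFF: "freed page",
}

REPORT = """\
[   44.225264] BUG: KASAN: global-out-of-bounds in fbcon_get_font+0x288/0x550
[   44.225271] Read of size 32 at addr ffffffff87064ca0 by task syz-executor036/7127
[   44.225566] The buggy address belongs to the variable:
[   44.225571]  fontdata_8x16+0x1000/0x1120
[   44.225574] Memory state around the buggy address:
[   44.225578]  ffffffff87064b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   44.225581]  ffffffff87064c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   44.225584] >ffffffff87064c80: 00 00 00 00 fa fa fa fa 06 fa fa fa fa fa fa fa
[   44.225586]                                ^
[   44.225590]  ffffffff87064d00: 05 fa fa fa fa fa fa fa 06 fa fa fa fa fa fa fa
[   44.225593]  ffffffff87064d80: 00 00 03 fa fa fa fa fa 00 00 00 00 00 00 00 00
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")                       # dmesg timestamp
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)")
VAR_RE = re.compile(r"\s*([^\s+]+)\+0x([0-9a-f]+)/0x([0-9a-f]+)")  # %pS: sym+off/size
SHADOW_RE = re.compile(r">?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})")


def parse_report(text):
    """Return (kind, size, addr, (symbol, offset, size), {granule_addr: shadow_byte})."""
    lines = [TS_RE.sub("", line) for line in text.splitlines()]
    m = ACCESS_RE.search(text)
    kind, size, addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
    var = None
    for i, line in enumerate(lines):
        if "belongs to the variable" in line:       # the symbol is on the next line
            vm = VAR_RE.match(lines[i + 1])
            var = (vm.group(1), int(vm.group(2), 16), int(vm.group(3), 16))
    shadow = {}
    for line in lines:                               # each row covers 16 granules = 128 bytes
        sm = SHADOW_RE.search(line)
        if sm:
            base = int(sm.group(1), 16)
            for k, byte in enumerate(sm.group(2).split()):
                shadow[base + k * GRANULE] = int(byte, 16)
    return kind, size, addr, var, shadow


def classify(shadow, addr):
    """Describe one byte of memory according to the shadow byte of its granule."""
    g = addr & ~(GRANULE - 1)
    s = shadow.get(g)
    if s is None:
        return "outside dump"
    if s == 0:
        return "addressable"
    if s < GRANULE:                                  # only the first s bytes are valid
        return "addressable" if addr - g < s else "partial-granule redzone"
    return POISON.get(s, "poison 0x%02x" % s)


def analyze(text):
    """Locate the accessed range relative to the object KASAN attributed it to."""
    kind, size, addr, (sym, off, ksize), shadow = parse_report(text)
    var_start = addr - off
    states = Counter(classify(shadow, a) for a in range(addr, addr + size))
    # The object ends at the first non-addressable byte at or after its start that
    # the dump covers; the size printed by %pS comes from kallsyms and may include padding.
    object_end = next((a for g in sorted(shadow) for a in range(g, g + GRANULE)
                       if a >= var_start and classify(shadow, a) != "addressable"), None)
    return {
        "kind": kind, "size": size, "addr": addr,
        "variable": sym, "var_start": var_start, "kallsyms_size": ksize,
        "object_end": object_end,
        "shadow_size": None if object_end is None else object_end - var_start,
        "bytes_past_end": None if object_end is None else addr - object_end,
        "states": dict(states), "shadow": shadow,
    }


if __name__ == "__main__":
    r = analyze(REPORT)
    print("%s of %d bytes at %#x: %s" % (r["kind"], r["size"], r["addr"], r["states"]))
    print("%s starts at %#x; addressable data ends at %#x (%#x bytes, kallsyms size %#x)"
          % (r["variable"], r["var_start"], r["object_end"], r["shadow_size"], r["kallsyms_size"]))
    print("access begins %d bytes past the end of the object" % r["bytes_past_end"])
```

For this report the decoder shows all 32 read bytes sitting in the global redzone and the addressable part of fontdata_8x16 ending at exactly +0x1000, so the copy starts at the first byte past the font data rather than overrunning from inside it. The same parser applies unchanged to other 4.x/5.x KASAN reports that print a "Memory state" block, which is a quicker triage step than counting shadow columns by eye.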