[ ok ] Starting enhanced syslogd: rsyslogd.
[   10.309375] audit: type=1400 audit(1514956566.943:4): avc: denied { syslog } for pid=3174 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.245' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   34.275901] ==================================================================
[   34.277045] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x153e/0x3470
[   34.277957] Read of size 8192 at addr ffff8801c80e0018 by task syzkaller427270/3346
[   34.278986]
[   34.279218] CPU: 0 PID: 3346 Comm: syzkaller427270 Not tainted 4.9.74-g9e5dd8e #12
[   34.280253] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.281471]  ffff8801c822f718 ffffffff81d91d19 ffffea0007203800 ffff8801c80e0018
[   34.282614]  0000000000000000 ffff8801c80e0200 ffff8801c822f958 ffff8801c822f750
[   34.283756]  ffffffff8153b503 ffff8801c80e0018 0000000000002000 0000000000000000
[   34.284886] Call Trace:
[   34.285244]  [] dump_stack+0xc1/0x128
[   34.285956]  [] print_address_description+0x73/0x280
[   34.286843]  [] kasan_report+0x275/0x360
[   34.287583]  [] ? pfkey_add+0x153e/0x3470
[   34.288340]  [] check_memory_region+0x137/0x190
[   34.289162]  [] memcpy+0x23/0x50
[   34.289858]  [] pfkey_add+0x153e/0x3470
[   34.290606]  [] ? pfkey_delete+0x360/0x360
[   34.291368]  [] ? pfkey_seq_stop+0x80/0x80
[   34.292152]  [] ? __skb_clone+0x24a/0x7d0
[   34.292904]  [] ? pfkey_delete+0x360/0x360
[   34.293668]  [] pfkey_process+0x61e/0x730
[   34.294419]  [] ? pfkey_send_new_mapping+0x11b0/0x11b0
[   34.295318]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   34.297464]  [] pfkey_sendmsg+0x3a9/0x760
[   34.303144]  [] ? pfkey_spdget+0x820/0x820
[   34.308907]  [] sock_sendmsg+0xca/0x110
[   34.314409]  [] ___sys_sendmsg+0x6d1/0x7e0
[   34.320174]  [] ? copy_msghdr_from_user+0x550/0x550
[   34.326721]  [] ? __lock_is_held+0xa1/0xf0
[   34.332487]  [] ? __lru_cache_add+0x187/0x250
[   34.338515]  [] ? lru_cache_add+0xd9/0x1e0
[   34.344280]  [] ? handle_mm_fault+0xb12/0x2530
[   34.350399]  [] ? _raw_spin_unlock+0x2c/0x50
[   34.356344]  [] ? handle_mm_fault+0x6ee/0x2530
[   34.362459]  [] ? __fget_light+0x158/0x1e0
[   34.368220]  [] ? __fdget+0x18/0x20
[   34.373376]  [] ? sockfd_lookup_light+0x118/0x160
[   34.379744]  [] __sys_sendmsg+0xd6/0x190
[   34.385353]  [] ? SyS_shutdown+0x1b0/0x1b0
[   34.391128]  [] ? __do_page_fault+0x5ec/0xd40
[   34.397176]  [] compat_SyS_sendmsg+0x2a/0x40
[   34.403122]  [] ? compat_SyS_getsockopt+0x2a0/0x2a0
[   34.409671]  [] do_fast_syscall_32+0x2f7/0x890
[   34.415782]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.422425]  [] entry_SYSENTER_compat+0x51/0x60
[   34.428620]
[   34.430215] Allocated by task 3346:
[   34.433808]  save_stack_trace+0x16/0x20
[   34.437752]  save_stack+0x43/0xd0
[   34.441173]  kasan_kmalloc+0xad/0xe0
[   34.444860]  kasan_slab_alloc+0x12/0x20
[   34.448807]  __kmalloc_track_caller+0xda/0x2b0
[   34.453357]  __kmalloc_reserve.isra.37+0x33/0xc0
[   34.458076]  __alloc_skb+0x119/0x600
[   34.461753]  pfkey_sendmsg+0x135/0x760
[   34.465604]  sock_sendmsg+0xca/0x110
[   34.469279]  ___sys_sendmsg+0x6d1/0x7e0
[   34.473217]  __sys_sendmsg+0xd6/0x190
[   34.476984]  compat_SyS_sendmsg+0x2a/0x40
[   34.481096]  do_fast_syscall_32+0x2f7/0x890
[   34.485382]  entry_SYSENTER_compat+0x51/0x60
[   34.489763]
[   34.491365] Freed by task 1914:
[   34.494612]  save_stack_trace+0x16/0x20
[   34.498548]  save_stack+0x43/0xd0
[   34.501963]  kasan_slab_free+0x72/0xc0
[   34.505811]  kfree+0x103/0x300
[   34.508966]  load_elf_binary+0x1cfd/0x4690
[   34.513163]  search_binary_handler+0x142/0x6b0
[   34.517709]  do_execveat_common.isra.37+0x1594/0x1f10
[   34.522860]  SyS_execve+0x42/0x50
[   34.526276]  do_syscall_64+0x197/0x490
[   34.530126]  return_from_SYSCALL_64+0x0/0x7a
[   34.534493]
[   34.536086] The buggy address belongs to the object at ffff8801c80e0000
[   34.536086]  which belongs to the cache kmalloc-512 of size 512
[   34.548704] The buggy address is located 24 bytes inside of
[   34.548704]  512-byte region [ffff8801c80e0000, ffff8801c80e0200)
[   34.560451] The buggy address belongs to the page:
[   34.565348] page:ffffea0007203800 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   34.575498] flags: 0x8000000000004080(slab|head)
[   34.580213] page dumped because: kasan: bad access detected
[   34.585884]
[   34.587491] Memory state around the buggy address:
[   34.592386]  ffff8801c80e0100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   34.599709]  ffff8801c80e0180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   34.607030] >ffff8801c80e0200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.614351]                    ^
[   34.617679]  ffff8801c80e0280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.625000]  ffff8801c80e0300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.632322] ==================================================================
[   34.639644] Disabling lock debugging due to kernel taint
[   34.645309] Kernel panic - not syncing: panic_on_warn set ...
[   34.645309]
[   34.652643] CPU: 0 PID: 3346 Comm: syzkaller427270 Tainted: G    B   4.9.74-g9e5dd8e #12
[   34.661526] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.670845]  ffff8801c822f670 ffffffff81d91d19 ffffffff8419562f ffff8801c822f748
[   34.678789]  0000000000000000 ffff8801c80e0200 ffff8801c822f958 ffff8801c822f738
[   34.686740]  ffffffff8142d161 0000000041b58ab3 ffffffff84189070 ffffffff8142cfa5
[   34.694680] Call Trace:
[   34.697233]  [] dump_stack+0xc1/0x128
[   34.702563]  [] panic+0x1bc/0x3a8
[   34.707546]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   34.715745]  [] ? preempt_schedule+0x25/0x30
[   34.721679]  [] ? ___preempt_schedule+0x16/0x18
[   34.727877]  [] kasan_end_report+0x50/0x50
[   34.733638]  [] kasan_report+0x167/0x360
[   34.739225]  [] ? pfkey_add+0x153e/0x3470
[   34.744900]  [] check_memory_region+0x137/0x190
[   34.751095]  [] memcpy+0x23/0x50
[   34.755986]  [] pfkey_add+0x153e/0x3470
[   34.761486]  [] ? pfkey_delete+0x360/0x360
[   34.767244]  [] ? pfkey_seq_stop+0x80/0x80
[   34.773005]  [] ? __skb_clone+0x24a/0x7d0
[   34.778677]  [] ? pfkey_delete+0x360/0x360
[   34.784437]  [] pfkey_process+0x61e/0x730
[   34.790110]  [] ? pfkey_send_new_mapping+0x11b0/0x11b0
[   34.796927]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   34.803731]  [] pfkey_sendmsg+0x3a9/0x760
[   34.809405]  [] ? pfkey_spdget+0x820/0x820
[   34.815171]  [] sock_sendmsg+0xca/0x110
[   34.820676]  [] ___sys_sendmsg+0x6d1/0x7e0
[   34.826439]  [] ? copy_msghdr_from_user+0x550/0x550
[   34.832982]  [] ? __lock_is_held+0xa1/0xf0
[   34.838744]  [] ? __lru_cache_add+0x187/0x250
[   34.844766]  [] ? lru_cache_add+0xd9/0x1e0
[   34.850528]  [] ? handle_mm_fault+0xb12/0x2530
[   34.856657]  [] ? _raw_spin_unlock+0x2c/0x50
[   34.862596]  [] ? handle_mm_fault+0x6ee/0x2530
[   34.868705]  [] ? __fget_light+0x158/0x1e0
[   34.874463]  [] ? __fdget+0x18/0x20
[   34.879617]  [] ? sockfd_lookup_light+0x118/0x160
[   34.885985]  [] __sys_sendmsg+0xd6/0x190
[   34.891575]  [] ? SyS_shutdown+0x1b0/0x1b0
[   34.897336]  [] ? __do_page_fault+0x5ec/0xd40
[   34.903361]  [] compat_SyS_sendmsg+0x2a/0x40
[   34.909300]  [] ? compat_SyS_getsockopt+0x2a0/0x2a0
[   34.915854]  [] do_fast_syscall_32+0x2f7/0x890
[   34.921963]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.928593]  [] entry_SYSENTER_compat+0x51/0x60
[   34.935174] Dumping ftrace buffer:
[   34.938691]    (ftrace buffer empty)
[   34.942365] Kernel Offset: disabled
[   34.945958] Rebooting in 86400 seconds..
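Added here as a worked example, not part of the syzkaller report above and not kernel code: a small Python triage script that parses a KASAN report of this layout and pulls out what a responder needs first. SAMPLE_REPORT is a constructed excerpt of the report above (the page's own lines, timestamps kept); the frame-noise prefix lists are my own heuristic, and the regular expressions follow the 4.9-era wording shown on this page, which newer kernels phrase slightly differently. Run over this report it yields: a read of 8192 bytes starting 24 bytes into a 512-byte kmalloc-512 object, so 7704 bytes past its end; the faulting code is pfkey_add; the overread buffer was allocated in pfkey_sendmsg via __alloc_skb, i.e. it is the sk_buff holding the message the caller sent; and the trace bottoms out in a compat syscall entry, so the trigger is reachable from userspace.

```python
# Added example (not part of the report above, not kernel code): turn a KASAN
# report into a triage summary. SAMPLE_REPORT is a constructed excerpt of this
# page's report; the regexes follow its 4.9-era line layout.
import re
from dataclasses import dataclass, field

SAMPLE_REPORT = """\
[   34.277045] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x153e/0x3470
[   34.277957] Read of size 8192 at addr ffff8801c80e0018 by task syzkaller427270/3346
[   34.284886] Call Trace:
[   34.287583]  [] ? pfkey_add+0x153e/0x3470
[   34.289858]  [] memcpy+0x23/0x50
[   34.290606]  [] pfkey_add+0x153e/0x3470
[   34.297464]  [] pfkey_sendmsg+0x3a9/0x760
[   34.422425]  [] entry_SYSENTER_compat+0x51/0x60
[   34.428620]
[   34.430215] Allocated by task 3346:
[   34.458076]  __alloc_skb+0x119/0x600
[   34.461753]  pfkey_sendmsg+0x135/0x760
[   34.489763]
[   34.491365] Freed by task 1914:
[   34.505811]  kfree+0x103/0x300
[   34.508966]  load_elf_binary+0x1cfd/0x4690
[   34.534493]
[   34.536086] The buggy address belongs to the object at ffff8801c80e0000
[   34.536086]  which belongs to the cache kmalloc-512 of size 512
[   34.548704] The buggy address is located 24 bytes inside of
"""

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]")
# "[<addr>] ? func+0x1/0x2"; group 1 is set on unreliable ("?") frames
FRAME = re.compile(r"(?:\[[^\]]*\]\s*)?(\?\s*)?(\S+\+0x[0-9a-f]+/0x[0-9a-f]+)")

@dataclass
class KasanReport:
    bug_type: str = ""
    func: str = ""       # function KASAN attributes the access to
    access: str = ""     # "Read" or "Write"
    size: int = 0
    addr: int = 0
    obj_start: int = 0
    obj_size: int = 0
    offset: int = 0      # of addr inside the object
    call_trace: list = field(default_factory=list)
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)

    @property
    def overrun(self) -> int:  # bytes by which the access runs past the object
        return self.offset + self.size - self.obj_size

def parse_kasan_report(text: str) -> KasanReport:
    r, section = KasanReport(), None
    stacks = {"trace": r.call_trace, "alloc": r.alloc_stack, "free": r.free_stack}
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw).strip()
        if not line:                      # a blank line ends a stack section
            section = None
        elif m := re.match(r"BUG: KASAN: (\S+) in (\S+)\+0x", line):
            r.bug_type, r.func = m[1], m[2]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task", line):
            r.access, r.size, r.addr = m[1], int(m[2]), int(m[3], 16)
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r.obj_start = int(m[1], 16)
        elif m := re.match(r"which belongs to the cache \S+ of size (\d+)", line):
            r.obj_size = int(m[1])
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            r.offset = int(m[1])
        elif line == "Call Trace:":
            section = "trace"
        elif m := re.match(r"(Allocated|Freed) by task \d+:", line):
            section = "alloc" if m[1] == "Allocated" else "free"
        elif section and (m := FRAME.match(line)) and not m[1]:
            stacks[section].append(m[2])
    return r

# Frames belonging to KASAN/allocator plumbing rather than the code under test.
ACCESS_NOISE = ("dump_stack", "print_address", "kasan_", "check_memory_region", "memcpy", "memmove", "memset")
ALLOC_NOISE = ("save_stack", "kasan_", "__kmalloc", "kmalloc", "kmem_cache", "__alloc_skb", "kfree")
SYSCALL_ENTRY = ("entry_SYSCALL", "entry_SYSENTER", "do_syscall", "do_fast_syscall")

def first_caller(stack, noise):  # first frame below the instrumentation
    for frame in stack:
        name = frame.split("+", 1)[0]
        if not name.startswith(noise):
            return name
    return None

def triage(r: KasanReport) -> dict:
    return {
        "bug": f"{r.bug_type} {r.access.lower()} of {r.size} bytes in {r.func}",
        "access_range": (r.addr, r.addr + r.size),
        "overrun_bytes": r.overrun,
        "fault_site": first_caller(r.call_trace, ACCESS_NOISE),
        "alloc_site": first_caller(r.alloc_stack, ALLOC_NOISE),
        "prev_free_site": first_caller(r.free_stack, ALLOC_NOISE),
        "reached_from_syscall": any(f.startswith(SYSCALL_ENTRY) for f in r.call_trace),
    }
```

Feed the whole console log to triage(parse_kasan_report(text)); the "?" frames are dropped because the unwinder marks them as guesses. Note that the "Freed by task 1914" stack is the slot's previous occupant (an execve in another task), which KASAN prints for every slab report; it does not make this a use-after-free. The useful signals are the alloc site and the overrun: the source of the memcpy is the message buffer pfkey_sendmsg allocated for the sender, and the copy length exceeds that buffer by 7704 bytes, so the length is not bounded by the message size.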