[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[   22.743050] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].
[   23.440819] random: sshd: uninitialized urandom read (32 bytes read)
[   23.687695] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.305717] random: sshd: uninitialized urandom read (32 bytes read)
[  112.485946] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.8' (ECDSA) to the list of known hosts.
[  118.189683] random: sshd: uninitialized urandom read (32 bytes read)
2018/08/19 06:02:30 parsed 1 programs
[  119.620343] random: cc1: uninitialized urandom read (8 bytes read)
2018/08/19 06:02:33 executed programs: 0
[  121.288347] IPVS: ftp: loaded support on port[0] = 21
[  121.499910] bridge0: port 1(bridge_slave_0) entered blocking state
[  121.506643] bridge0: port 1(bridge_slave_0) entered disabled state
[  121.514245] device bridge_slave_0 entered promiscuous mode
[  121.530693] bridge0: port 2(bridge_slave_1) entered blocking state
[  121.537048] bridge0: port 2(bridge_slave_1) entered disabled state
[  121.544332] device bridge_slave_1 entered promiscuous mode
[  121.559916] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[  121.576660] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[  121.620052] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  121.639786] bond0: Enslaving bond_slave_1 as an active interface with an up link
[  121.704075] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[  121.711342] team0: Port device team_slave_0 added
[  121.727366] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[  121.735261] team0: Port device team_slave_1 added
[  121.750753] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  121.767393] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  121.781806] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[  121.798828] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[  121.921925] bridge0: port 2(bridge_slave_1) entered blocking state
[  121.928361] bridge0: port 2(bridge_slave_1) entered forwarding state
[  121.935297] bridge0: port 1(bridge_slave_0) entered blocking state
[  121.941774] bridge0: port 1(bridge_slave_0) entered forwarding state
[  122.374683] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[  122.380973] 8021q: adding VLAN 0 to HW filter on device bond0
[  122.425491] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[  122.469018] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[  122.477136] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[  122.483317] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[  122.491222] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  122.529146] 8021q: adding VLAN 0 to HW filter on device team0
[  123.355611] ==================================================================
[  123.363172] BUG: KASAN: use-after-free in tipc_group_fill_sock_diag+0x7b9/0x84b
[  123.371386] Read of size 4 at addr ffff8801cf395e5c by task syz-executor0/4880
[  123.378742]
[  123.381891] CPU: 1 PID: 4880 Comm: syz-executor0 Not tainted 4.18.0+ #196
[  123.388823] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  123.398785] Call Trace:
[  123.402010]  dump_stack+0x1c9/0x2b4
[  123.405645]  ? dump_stack_print_info.cold.2+0x52/0x52
[  123.410841]  ? printk+0xa7/0xcf
[  123.414128]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[  123.418900]  ? tipc_group_fill_sock_diag+0x7b9/0x84b
[  123.424527]  print_address_description+0x6c/0x20b
[  123.429466]  ? tipc_group_fill_sock_diag+0x7b9/0x84b
[  123.438740]  kasan_report.cold.7+0x242/0x30d
[  123.448764]  __asan_report_load4_noabort+0x14/0x20
[  123.453709]  tipc_group_fill_sock_diag+0x7b9/0x84b
[  123.458650]  ? tipc_group_member_evt+0xe30/0xe30
[  123.463416]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  123.468447]  ? skb_put+0x17b/0x1e0
[  123.471989]  ? memset+0x31/0x40
[  123.475287]  ? memcpy+0x45/0x50
[  123.478577]  ? __nla_put+0x37/0x40
[  123.482126]  ? nla_put+0x11a/0x150
[  123.485684]  tipc_sk_fill_sock_diag+0x9f8/0xdb0
[  123.490382]  ? tipc_diag_dump+0x30/0x30
[  123.494363]  ? tipc_getname+0x7f0/0x7f0
[  123.498343]  ? save_stack+0xa9/0xd0
[  123.502435]  ? graph_lock+0x170/0x170
[  123.506271]  ? graph_lock+0x170/0x170
[  123.510094]  ? __netlink_dump_start+0x4f1/0x6f0
[  123.514766]  ? sock_diag_rcv_msg+0x31d/0x410
[  123.519173]  ? netlink_rcv_skb+0x172/0x440
[  123.523422]  ? sock_diag_rcv+0x2a/0x40
[  123.527324]  ? netlink_unicast+0x5a0/0x760
[  123.531557]  ? netlink_sendmsg+0xa18/0xfc0
[  123.535797]  ? sock_sendmsg+0xd5/0x120
[  123.539683]  ? ___sys_sendmsg+0x7fd/0x930
[  123.543839]  ? __x64_sys_sendmsg+0x78/0xb0
[  123.548080]  ? do_syscall_64+0x1b9/0x820
[  123.552144]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  123.557517]  ? print_usage_bug+0xc0/0xc0
[  123.561586]  ? find_held_lock+0x36/0x1c0
[  123.565655]  ? lock_acquire+0x1e4/0x540
[  123.569633]  ? tipc_nl_sk_walk+0x60a/0xd30
[  123.574377]  ? lock_downgrade+0x8f0/0x8f0
[  123.578537]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  123.583568]  ? skb_put+0x17b/0x1e0
[  123.587117]  ? __nlmsg_put+0x14c/0x1b0
[  123.591011]  __tipc_add_sock_diag+0x22f/0x360
[  123.595524]  tipc_nl_sk_walk+0x68d/0xd30
[  123.599598]  ? tipc_sock_diag_handler_dump+0x340/0x340
[  123.611958]  ? __tipc_nl_add_sk+0x400/0x400
[  123.617475]  ? skb_scrub_packet+0x490/0x490
[  123.621816]  ? kasan_check_write+0x14/0x20
[  123.626069]  ? lock_downgrade+0x8f0/0x8f0
[  123.630233]  tipc_diag_dump+0x24/0x30
[  123.634047]  netlink_dump+0x519/0xd50
[  123.637858]  ? netlink_broadcast+0x50/0x50
[  123.642116]  __netlink_dump_start+0x4f1/0x6f0
[  123.646629]  ? kasan_check_read+0x11/0x20
[  123.650821]  tipc_sock_diag_handler_dump+0x234/0x340
[  123.655952]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[  123.660641]  ? tipc_unregister_sysctl+0x20/0x20
[  123.665336]  ? netlink_deliver_tap+0x356/0xfb0
[  123.669940]  sock_diag_rcv_msg+0x31d/0x410
[  123.674194]  netlink_rcv_skb+0x172/0x440
[  123.678749]  ? sock_diag_bind+0x80/0x80
[  123.682726]  ? netlink_ack+0xbe0/0xbe0
[  123.686615]  ? rcu_cleanup_dead_rnp+0x200/0x200
[  123.691297]  sock_diag_rcv+0x2a/0x40
[  123.695011]  netlink_unicast+0x5a0/0x760
[  123.699082]  ? netlink_attachskb+0x9a0/0x9a0
[  123.703496]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  123.709035]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  123.714058]  netlink_sendmsg+0xa18/0xfc0
[  123.718130]  ? netlink_unicast+0x760/0x760
[  123.722384]  ? move_addr_to_kernel.part.18+0x100/0x100
[  123.727665]  ? security_socket_sendmsg+0x94/0xc0
[  123.732432]  ? netlink_unicast+0x760/0x760
[  123.736689]  sock_sendmsg+0xd5/0x120
[  123.740407]  ___sys_sendmsg+0x7fd/0x930
[  123.744392]  ? copy_msghdr_from_user+0x580/0x580
[  123.749156]  ? kasan_check_read+0x11/0x20
[  123.753310]  ? do_raw_spin_unlock+0xa7/0x2f0
[  123.757729]  ? __fget_light+0x2f7/0x440
[  123.761708]  ? __local_bh_enable_ip+0x161/0x230
[  123.776245]  ? fget_raw+0x20/0x20
[  123.779721]  ? __release_sock+0x3a0/0x3a0
[  123.783873]  ? tipc_nametbl_build_group+0x279/0x360
[  123.788901]  ? tipc_setsockopt+0x726/0xd70
[  123.793162]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  123.798711]  ? sockfd_lookup_light+0xc5/0x160
[  123.803214]  __sys_sendmsg+0x11d/0x290
[  123.807111]  ? __ia32_sys_shutdown+0x80/0x80
[  123.811524]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[  123.817064]  ? fput+0x130/0x1a0
[  123.820349]  ? __x64_sys_futex+0x47f/0x6a0
[  123.824604]  __x64_sys_sendmsg+0x78/0xb0
[  123.828684]  do_syscall_64+0x1b9/0x820
[  123.832582]  ? syscall_return_slowpath+0x5e0/0x5e0
[  123.837519]  ? syscall_return_slowpath+0x31d/0x5e0
[  123.842454]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[  123.847822]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  123.853163]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  123.858353] RIP: 0033:0x457089
[  123.861554] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  123.880461] RSP: 002b:00007f38a9b99c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[  123.888170] RAX: ffffffffffffffda RBX: 00007f38a9b9a6d4 RCX: 0000000000457089
[  123.895448] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000006
[  123.902713] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[  123.909983] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[  123.917934] R13: 00000000004d4088 R14: 00000000004c8ab0 R15: 0000000000000000
[  123.934252]
[  123.935888] Allocated by task 4880:
[  123.939546]  save_stack+0x43/0xd0
[  123.943009]  kasan_kmalloc+0xc4/0xe0
[  123.946725]  kmem_cache_alloc_trace+0x152/0x780
[  123.951392]  tipc_group_create+0x155/0xa70
[  123.956077]  tipc_setsockopt+0x2d1/0xd70
[  123.960146]  __sys_setsockopt+0x1c5/0x3b0
[  123.964299]  __x64_sys_setsockopt+0xbe/0x150
[  123.968713]  do_syscall_64+0x1b9/0x820
[  123.972600]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  123.977779]
[  123.979404] Freed by task 4879:
[  123.982689]  save_stack+0x43/0xd0
[  123.986140]  __kasan_slab_free+0x11a/0x170
[  123.990373]  kasan_slab_free+0xe/0x10
[  123.994168]  kfree+0xd9/0x260
[  123.997283]  tipc_group_delete+0x2e5/0x3f0
[  124.001520]  tipc_sk_leave+0x113/0x220
[  124.005403]  tipc_release+0x14e/0x12b0
[  124.009297]  __sock_release+0xd7/0x250
[  124.013179]  sock_close+0x19/0x20
[  124.016650]  __fput+0x39b/0x860
[  124.019952]  ____fput+0x15/0x20
[  124.023233]  task_work_run+0x1e8/0x2a0
[  124.027122]  exit_to_usermode_loop+0x318/0x380
[  124.031720]  do_syscall_64+0x6be/0x820
[  124.035610]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  124.040814]
[  124.042438] The buggy address belongs to the object at ffff8801cf395e00
[  124.042438]  which belongs to the cache kmalloc-192 of size 192
[  124.055557] The buggy address is located 92 bytes inside of
[  124.055557]  192-byte region [ffff8801cf395e00, ffff8801cf395ec0)
[  124.067341] The buggy address belongs to the page:
[  124.072267] page:ffffea00073ce540 count:1 mapcount:0 mapping:ffff8801dac00040 index:0x0
[  124.080432] flags: 0x2fffc0000000100(slab)
[  124.084668] raw: 02fffc0000000100 ffffea00073b4bc8 ffffea00073b5ac8 ffff8801dac00040
[  124.103161] raw: 0000000000000000 ffff8801cf395000 0000000100000010 0000000000000000
[  124.111546] page dumped because: kasan: bad access detected
[  124.117248]
[  124.118878] Memory state around the buggy address:
[  124.123811]  ffff8801cf395d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  124.131356]  ffff8801cf395d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  124.138719] >ffff8801cf395e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  124.146069]                                                     ^
[  124.152295]  ffff8801cf395e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  124.159652]  ffff8801cf395f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  124.167022] ==================================================================
[  124.174375] Disabling lock debugging due to kernel taint
[  124.179870] Kernel panic - not syncing: panic_on_warn set ...
[  124.179870]
[  124.187240] CPU: 1 PID: 4880 Comm: syz-executor0 Tainted: G B 4.18.0+ #196
[  124.196021] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  124.205362] Call Trace:
[  124.207951]  dump_stack+0x1c9/0x2b4
[  124.211574]  ? dump_stack_print_info.cold.2+0x52/0x52
[  124.216764]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  124.221518]  panic+0x238/0x4e7
[  124.224707]  ? add_taint.cold.5+0x16/0x16
[  124.228860]  ? do_raw_spin_unlock+0xa7/0x2f0
[  124.233270]  ? tipc_group_fill_sock_diag+0x7b9/0x84b
[  124.238874]  kasan_end_report+0x47/0x4f
[  124.242847]  kasan_report.cold.7+0x76/0x30d
[  124.247180]  __asan_report_load4_noabort+0x14/0x20
[  124.260920]  tipc_group_fill_sock_diag+0x7b9/0x84b
[  124.265862]  ? tipc_group_member_evt+0xe30/0xe30
[  124.270633]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  124.275660]  ? skb_put+0x17b/0x1e0
[  124.279200]  ? memset+0x31/0x40
[  124.282477]  ? memcpy+0x45/0x50
[  124.286229]  ? __nla_put+0x37/0x40
[  124.289779]  ? nla_put+0x11a/0x150
[  124.293323]  tipc_sk_fill_sock_diag+0x9f8/0xdb0
[  124.298018]  ? tipc_diag_dump+0x30/0x30
[  124.302013]  ? tipc_getname+0x7f0/0x7f0
[  124.305998]  ? save_stack+0xa9/0xd0
[  124.309624]  ? graph_lock+0x170/0x170
[  124.313457]  ? graph_lock+0x170/0x170
[  124.317259]  ? __netlink_dump_start+0x4f1/0x6f0
[  124.321950]  ? sock_diag_rcv_msg+0x31d/0x410
[  124.326876]  ? netlink_rcv_skb+0x172/0x440
[  124.331111]  ? sock_diag_rcv+0x2a/0x40
[  124.335006]  ? netlink_unicast+0x5a0/0x760
[  124.339496]  ? netlink_sendmsg+0xa18/0xfc0
[  124.343726]  ? sock_sendmsg+0xd5/0x120
[  124.347606]  ? ___sys_sendmsg+0x7fd/0x930
[  124.351747]  ? __x64_sys_sendmsg+0x78/0xb0
[  124.355978]  ? do_syscall_64+0x1b9/0x820
[  124.360039]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  124.367062]  ? print_usage_bug+0xc0/0xc0
[  124.371124]  ? find_held_lock+0x36/0x1c0
[  124.375188]  ? lock_acquire+0x1e4/0x540
[  124.379160]  ? tipc_nl_sk_walk+0x60a/0xd30
[  124.384514]  ? lock_downgrade+0x8f0/0x8f0
[  124.388665]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  124.393698]  ? skb_put+0x17b/0x1e0
[  124.397232]  ? __nlmsg_put+0x14c/0x1b0
[  124.401129]  __tipc_add_sock_diag+0x22f/0x360
[  124.405621]  tipc_nl_sk_walk+0x68d/0xd30
[  124.409689]  ? tipc_sock_diag_handler_dump+0x340/0x340
[  124.414978]  ? __tipc_nl_add_sk+0x400/0x400
[  124.419299]  ? skb_scrub_packet+0x490/0x490
[  124.430954]  ? kasan_check_write+0x14/0x20
[  124.437564]  ? lock_downgrade+0x8f0/0x8f0
[  124.441725]  tipc_diag_dump+0x24/0x30
[  124.445525]  netlink_dump+0x519/0xd50
[  124.449325]  ? netlink_broadcast+0x50/0x50
[  124.453556]  __netlink_dump_start+0x4f1/0x6f0
[  124.458050]  ? kasan_check_read+0x11/0x20
[  124.462203]  tipc_sock_diag_handler_dump+0x234/0x340
[  124.467302]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[  124.471969]  ? tipc_unregister_sysctl+0x20/0x20
[  124.477089]  ? netlink_deliver_tap+0x356/0xfb0
[  124.481681]  sock_diag_rcv_msg+0x31d/0x410
[  124.485931]  netlink_rcv_skb+0x172/0x440
[  124.489993]  ? sock_diag_bind+0x80/0x80
[  124.494474]  ? netlink_ack+0xbe0/0xbe0
[  124.498381]  ? rcu_cleanup_dead_rnp+0x200/0x200
[  124.503054]  sock_diag_rcv+0x2a/0x40
[  124.506766]  netlink_unicast+0x5a0/0x760
[  124.510827]  ? netlink_attachskb+0x9a0/0x9a0
[  124.515252]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  124.520787]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  124.525842]  netlink_sendmsg+0xa18/0xfc0
[  124.529905]  ? netlink_unicast+0x760/0x760
[  124.534145]  ? move_addr_to_kernel.part.18+0x100/0x100
[  124.539419]  ? security_socket_sendmsg+0x94/0xc0
[  124.544184]  ? netlink_unicast+0x760/0x760
[  124.548413]  sock_sendmsg+0xd5/0x120
[  124.552126]  ___sys_sendmsg+0x7fd/0x930
[  124.556099]  ? copy_msghdr_from_user+0x580/0x580
[  124.560851]  ? kasan_check_read+0x11/0x20
[  124.564999]  ? do_raw_spin_unlock+0xa7/0x2f0
[  124.569407]  ? __fget_light+0x2f7/0x440
[  124.573377]  ? __local_bh_enable_ip+0x161/0x230
[  124.578065]  ? fget_raw+0x20/0x20
[  124.581526]  ? __release_sock+0x3a0/0x3a0
[  124.585697]  ? tipc_nametbl_build_group+0x279/0x360
[  124.590729]  ? tipc_setsockopt+0x726/0xd70
[  124.594983]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  124.605729]  ? sockfd_lookup_light+0xc5/0x160
[  124.615004]  __sys_sendmsg+0x11d/0x290
[  124.618942]  ? __ia32_sys_shutdown+0x80/0x80
[  124.623827]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[  124.629365]  ? fput+0x130/0x1a0
[  124.632655]  ? __x64_sys_futex+0x47f/0x6a0
[  124.636928]  __x64_sys_sendmsg+0x78/0xb0
[  124.641002]  do_syscall_64+0x1b9/0x820
[  124.644890]  ? syscall_return_slowpath+0x5e0/0x5e0
[  124.649827]  ? syscall_return_slowpath+0x31d/0x5e0
[  124.654761]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[  124.660146]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  124.664990]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  124.670173] RIP: 0033:0x457089
[  124.673406] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  124.692315] RSP: 002b:00007f38a9b99c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[  124.700021] RAX: ffffffffffffffda RBX: 00007f38a9b9a6d4 RCX: 0000000000457089
[  124.707283] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000006
[  124.714546] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[  124.721811] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[  124.729576] R13: 00000000004d4088 R14: 00000000004c8ab0 R15: 0000000000000000
[  124.737168] Dumping ftrace buffer:
[  124.740705]    (ftrace buffer empty)
[  124.744395] Kernel Offset: disabled
[  124.747999] Rebooting in 86400 seconds..