[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 23.085683] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.620488] audit: type=1400 audit(1548536262.548:6): avc: denied { map } for pid=1762 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 23.654848] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.076199] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.217314] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.141' (ECDSA) to the list of known hosts.
[ 29.868269] random: sshd: uninitialized urandom read (32 bytes read)
[ 29.954516] audit: type=1400 audit(1548536268.878:7): avc: denied { map } for pid=1774 comm="syz-executor121" path="/root/syz-executor121080369" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 30.230843] ==================================================================
[ 30.238409] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[ 30.245159] Read of size 8 at addr ffff8881d6ce78d0 by task syz-executor121/1777
[ 30.252677]
[ 30.254288] CPU: 0 PID: 1777 Comm: syz-executor121 Not tainted 4.14.96+ #19
[ 30.261363] Call Trace:
[ 30.263932]  dump_stack+0xb9/0x10e
[ 30.267452]  ? ip_local_deliver+0x43d/0x450
[ 30.271751]  print_address_description+0x60/0x226
[ 30.276571]  ? ip_local_deliver+0x43d/0x450
[ 30.281004]  kasan_report.cold+0x88/0x2a5
[ 30.285135]  ? ip_local_deliver+0x43d/0x450
[ 30.289432]  ? ip_call_ra_chain+0x540/0x540
[ 30.293824]  ? __lock_acquire+0x56a/0x3fa0
[ 30.298048]  ? ip_rcv+0x99f/0xf7a
[ 30.301488]  ? ip_rcv_finish+0x5c9/0x1490
[ 30.305717]  ? ip_rcv+0x9e2/0xf7a
[ 30.309388]  ? ip_local_deliver+0x450/0x450
[ 30.313689]  ? __lock_acquire+0x56a/0x3fa0
[ 30.317904]  ? check_preemption_disabled+0x35/0x1f0
[ 30.322896]  ? ip_local_deliver+0x450/0x450
[ 30.327208]  ? __netif_receive_skb_core+0x1364/0x2c60
[ 30.332389]  ? trace_hardirqs_on+0x10/0x10
[ 30.336617]  ? flush_backlog+0x580/0x580
[ 30.340665]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 30.345835]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 30.351004]  ? lock_acquire+0x10f/0x380
[ 30.354956]  ? __netif_receive_skb+0x55/0x1f0
[ 30.359423]  ? __netif_receive_skb+0x55/0x1f0
[ 30.363896]  ? netif_receive_skb_internal+0xec/0x5c0
[ 30.368976]  ? dev_cpu_dead+0x810/0x810
[ 30.372928]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 30.378353]  ? rcu_read_lock_sched_held+0x10a/0x130
[ 30.383346]  ? tun_rx_batched.isra.0+0x45d/0x730
[ 30.388429]  ? __skb_get_hash_symmetric+0x255/0x620
[ 30.393422]  ? tun_chr_read_iter+0x1c0/0x1c0
[ 30.397809]  ? tun_get_user+0xc07/0x3790
[ 30.401847]  ? __local_bh_enable_ip+0x65/0xc0
[ 30.406318]  ? tun_get_user+0xd95/0x3790
[ 30.410361]  ? tun_rx_batched.isra.0+0x730/0x730
[ 30.415094]  ? debug_mutex_add_waiter+0x60/0x150
[ 30.419822]  ? mark_held_locks+0xa6/0xf0
[ 30.423859]  ? get_page_from_freelist+0x85e/0x1d60
[ 30.428764]  ? preempt_count_add+0xb8/0x180
[ 30.433067]  ? __tun_get+0x11c/0x220
[ 30.436759]  ? check_preemption_disabled+0x35/0x1f0
[ 30.441755]  ? tun_chr_write_iter+0xcf/0x180
[ 30.446143]  ? do_iter_readv_writev+0x379/0x580
[ 30.450788]  ? clone_verify_area+0x1e0/0x1e0
[ 30.455237]  ? avc_policy_seqno+0x5/0x10
[ 30.459302]  ? security_file_permission+0x88/0x1e0
[ 30.464229]  ? do_iter_write+0x152/0x550
[ 30.468279]  ? lock_downgrade+0x5d0/0x5d0
[ 30.472411]  ? vfs_writev+0x146/0x2d0
[ 30.476192]  ? vfs_iter_write+0xa0/0xa0
[ 30.480144]  ? __handle_mm_fault+0x6c5/0x2640
[ 30.484623]  ? __fsnotify_inode_delete+0x20/0x20
[ 30.489363]  ? __do_page_fault+0x48e/0xb80
[ 30.493582]  ? lock_downgrade+0x5d0/0x5d0
[ 30.497709]  ? check_preemption_disabled+0x35/0x1f0
[ 30.502705]  ? do_writev+0xc9/0x240
[ 30.506307]  ? vfs_writev+0x2d0/0x2d0
[ 30.510087]  ? do_syscall_64+0x43/0x4b0
[ 30.514036]  ? SyS_readv+0x30/0x30
[ 30.517552]  ? do_syscall_64+0x19b/0x4b0
[ 30.521599]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 30.526966]
[ 30.528580] Allocated by task 1777:
[ 30.532200]  kasan_kmalloc.part.0+0x4f/0xd0
[ 30.536494]  kmem_cache_alloc+0xd2/0x2d0
[ 30.540529]  __build_skb+0x2e/0x2d0
[ 30.544131]  build_skb+0x1a/0x1f0
[ 30.547569]  tun_get_user+0x248b/0x3790
[ 30.551515]  tun_chr_write_iter+0xcf/0x180
[ 30.555745]  do_iter_readv_writev+0x379/0x580
[ 30.560216]  do_iter_write+0x152/0x550
[ 30.564079]  vfs_writev+0x146/0x2d0
[ 30.567679]  do_writev+0xc9/0x240
[ 30.571109]  do_syscall_64+0x19b/0x4b0
[ 30.574967]
[ 30.576582] Freed by task 1777:
[ 30.579840]  kasan_slab_free+0xb0/0x190
[ 30.583788]  kmem_cache_free+0xc4/0x330
[ 30.587738]  kfree_skbmem+0xa0/0x100
[ 30.591424]  kfree_skb+0xcd/0x350
[ 30.594852]  ip_defrag+0x5f4/0x3b50
[ 30.598452]  ip_local_deliver+0x165/0x450
[ 30.602577]  ip_rcv_finish+0x5c9/0x1490
[ 30.606527]  ip_rcv+0x9e2/0xf7a
[ 30.609784]  __netif_receive_skb_core+0x1364/0x2c60
[ 30.614912]  __netif_receive_skb+0x55/0x1f0
[ 30.619212]  netif_receive_skb_internal+0xec/0x5c0
[ 30.624199]  tun_rx_batched.isra.0+0x45d/0x730
[ 30.628775]  tun_get_user+0xd95/0x3790
[ 30.632664]  tun_chr_write_iter+0xcf/0x180
[ 30.636981]  do_iter_readv_writev+0x379/0x580
[ 30.641455]  do_iter_write+0x152/0x550
[ 30.645329]  vfs_writev+0x146/0x2d0
[ 30.648929]  do_writev+0xc9/0x240
[ 30.652360]  do_syscall_64+0x19b/0x4b0
[ 30.656219]
[ 30.657836] The buggy address belongs to the object at ffff8881d6ce78c0
[ 30.657836]  which belongs to the cache skbuff_head_cache of size 224
[ 30.671036] The buggy address is located 16 bytes inside of
[ 30.671036]  224-byte region [ffff8881d6ce78c0, ffff8881d6ce79a0)
[ 30.682825] The buggy address belongs to the page:
[ 30.687843] page:ffffea00075b39c0 count:1 mapcount:0 mapping:          (null) index:0x0
[ 30.696083] flags: 0x4000000000000100(slab)
[ 30.700408] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[ 30.708274] raw: dead000000000100 dead000000000200 ffff8881dab58200 0000000000000000
[ 30.716129] page dumped because: kasan: bad access detected
[ 30.721824]
[ 30.723436] Memory state around the buggy address:
[ 30.728353]  ffff8881d6ce7780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.735741]  ffff8881d6ce7800: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 30.743094] >ffff8881d6ce7880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 30.750431]                                                  ^
[ 30.756527]  ffff8881d6ce7900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.763884]  ffff8881d6ce7980: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.771225] ==================================================================
[ 30.778566] Disabling lock debugging due to kernel taint
[ 30.784249] Kernel panic - not syncing: panic_on_warn set ...
[ 30.784249]
[ 30.791608] CPU: 0 PID: 1777 Comm: syz-executor121 Tainted: G    B     4.14.96+ #19
[ 30.799897] Call Trace:
[ 30.802471]  dump_stack+0xb9/0x10e
[ 30.805989]  panic+0x1d9/0x3c2
[ 30.809160]  ? add_taint.cold+0x16/0x16
[ 30.813108]  ? retint_kernel+0x2d/0x2d
[ 30.816976]  ? ip_local_deliver+0x43d/0x450
[ 30.821270]  kasan_end_report+0x43/0x49
[ 30.825215]  kasan_report.cold+0xa4/0x2a5
[ 30.829339]  ? ip_local_deliver+0x43d/0x450
[ 30.833634]  ? ip_call_ra_chain+0x540/0x540
[ 30.837929]  ? __lock_acquire+0x56a/0x3fa0
[ 30.842142]  ? ip_rcv+0x99f/0xf7a
[ 30.845575]  ? ip_rcv_finish+0x5c9/0x1490
[ 30.849698]  ? ip_rcv+0x9e2/0xf7a
[ 30.853125]  ? ip_local_deliver+0x450/0x450
[ 30.857417]  ? __lock_acquire+0x56a/0x3fa0
[ 30.861627]  ? check_preemption_disabled+0x35/0x1f0
[ 30.866627]  ? ip_local_deliver+0x450/0x450
[ 30.870928]  ? __netif_receive_skb_core+0x1364/0x2c60
[ 30.876099]  ? trace_hardirqs_on+0x10/0x10
[ 30.880391]  ? flush_backlog+0x580/0x580
[ 30.884450]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 30.889698]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 30.894879]  ? lock_acquire+0x10f/0x380
[ 30.898845]  ? __netif_receive_skb+0x55/0x1f0
[ 30.903321]  ? __netif_receive_skb+0x55/0x1f0
[ 30.907798]  ? netif_receive_skb_internal+0xec/0x5c0
[ 30.912883]  ? dev_cpu_dead+0x810/0x810
[ 30.916838]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 30.922268]  ? rcu_read_lock_sched_held+0x10a/0x130
[ 30.927266]  ? tun_rx_batched.isra.0+0x45d/0x730
[ 30.931999]  ? __skb_get_hash_symmetric+0x255/0x620
[ 30.937084]  ? tun_chr_read_iter+0x1c0/0x1c0
[ 30.941606]  ? tun_get_user+0xc07/0x3790
[ 30.945650]  ? __local_bh_enable_ip+0x65/0xc0
[ 30.950126]  ? tun_get_user+0xd95/0x3790
[ 30.954171]  ? tun_rx_batched.isra.0+0x730/0x730
[ 30.958910]  ? debug_mutex_add_waiter+0x60/0x150
[ 30.963643]  ? mark_held_locks+0xa6/0xf0
[ 30.967681]  ? get_page_from_freelist+0x85e/0x1d60
[ 30.972587]  ? preempt_count_add+0xb8/0x180
[ 30.976890]  ? __tun_get+0x11c/0x220
[ 30.980582]  ? check_preemption_disabled+0x35/0x1f0
[ 30.985575]  ? tun_chr_write_iter+0xcf/0x180
[ 30.989959]  ? do_iter_readv_writev+0x379/0x580
[ 30.994604]  ? clone_verify_area+0x1e0/0x1e0
[ 30.998986]  ? avc_policy_seqno+0x5/0x10
[ 31.003025]  ? security_file_permission+0x88/0x1e0
[ 31.007943]  ? do_iter_write+0x152/0x550
[ 31.011995]  ? lock_downgrade+0x5d0/0x5d0
[ 31.016138]  ? vfs_writev+0x146/0x2d0
[ 31.019928]  ? vfs_iter_write+0xa0/0xa0
[ 31.023908]  ? __handle_mm_fault+0x6c5/0x2640
[ 31.028402]  ? __fsnotify_inode_delete+0x20/0x20
[ 31.033382]  ? __do_page_fault+0x48e/0xb80
[ 31.037609]  ? lock_downgrade+0x5d0/0x5d0
[ 31.041744]  ? check_preemption_disabled+0x35/0x1f0
[ 31.046748]  ? do_writev+0xc9/0x240
[ 31.050358]  ? vfs_writev+0x2d0/0x2d0
[ 31.054148]  ? do_syscall_64+0x43/0x4b0
[ 31.058116]  ? SyS_readv+0x30/0x30
[ 31.061641]  ? do_syscall_64+0x19b/0x4b0
[ 31.065689]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 31.071437] Kernel Offset: 0x1a800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 31.082349] Rebooting in 86400 seconds..