[  OK  ] Started Getty on tty3.
[  OK  ] Reached target Login Prompts.
[  OK  ] Started OpenBSD Secure Shell server.
[  OK  ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.67' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   29.380896] ==================================================================
[   29.388488] BUG: KASAN: slab-out-of-bounds in squashfs_get_id+0x181/0x1a0
[   29.395411] Read of size 8 at addr ffff8880a5069d18 by task syz-executor423/7995
[   29.402922] 
[   29.404563] CPU: 1 PID: 7995 Comm: syz-executor423 Not tainted 4.14.213-syzkaller #0
[   29.412417] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.421746] Call Trace:
[   29.424311]  dump_stack+0x1b2/0x283
[   29.427917]  print_address_description.cold+0x54/0x1d3
[   29.433168]  kasan_report_error.cold+0x8a/0x194
[   29.437821]  ? squashfs_get_id+0x181/0x1a0
[   29.442070]  __asan_report_load8_noabort+0x68/0x70
[   29.446989]  ? squashfs_get_id+0x181/0x1a0
[   29.451236]  squashfs_get_id+0x181/0x1a0
[   29.455271]  ? squashfs_read_fragment_index_table+0xc0/0xc0
[   29.461000]  ? squashfs_read_metadata+0x2ba/0x430
[   29.465854]  squashfs_read_inode+0x1b6/0x19e0
[   29.470362]  ? squashfs_read_id_index_table+0xe0/0xe0
[   29.475540]  ? new_inode+0xc7/0xf0
[   29.479158]  ? lock_acquire+0x170/0x3f0
[   29.483119]  ? do_raw_spin_unlock+0x164/0x220
[   29.487593]  squashfs_fill_super+0x1501/0x1aa0
[   29.492169]  mount_bdev+0x2b3/0x360
[   29.495770]  ? squashfs_alloc_inode+0x40/0x40
[   29.500250]  mount_fs+0x92/0x2a0
[   29.503594]  vfs_kern_mount.part.0+0x5b/0x470
[   29.508068]  do_mount+0xe53/0x2a00
[   29.511586]  ? retint_kernel+0x2d/0x2d
[   29.515450]  ? copy_mount_string+0x40/0x40
[   29.519662]  ? memset+0x20/0x40
[   29.522918]  ? copy_mount_options+0x1fa/0x2f0
[   29.527387]  ? copy_mnt_ns+0xa30/0xa30
[   29.531247]  SyS_mount+0xa8/0x120
[   29.534673]  ? copy_mnt_ns+0xa30/0xa30
[   29.538537]  do_syscall_64+0x1d5/0x640
[   29.542404]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   29.547566] RIP: 0033:0x446d2a
[   29.550730] RSP: 002b:00007ffeced0c068 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[   29.558412] RAX: ffffffffffffffda RBX: 00007ffeced0c0c0 RCX: 0000000000446d2a
[   29.565656] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffeced0c080
[   29.572901] RBP: 00007ffeced0c080 R08: 00007ffeced0c0c0 R09: 00007ffe00000015
[   29.580147] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001
[   29.587391] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[   29.594641] 
[   29.596243] Allocated by task 7995:
[   29.599848]  kasan_kmalloc+0xeb/0x160
[   29.603650]  __kmalloc+0x15a/0x400
[   29.607164]  squashfs_read_table+0x37/0x18d
[   29.611459]  squashfs_read_id_index_table+0x97/0xe0
[   29.616449]  squashfs_fill_super+0xc2c/0x1aa0
[   29.620936]  mount_bdev+0x2b3/0x360
[   29.624536]  mount_fs+0x92/0x2a0
[   29.627878]  vfs_kern_mount.part.0+0x5b/0x470
[   29.632345]  do_mount+0xe53/0x2a00
[   29.635857]  SyS_mount+0xa8/0x120
[   29.639286]  do_syscall_64+0x1d5/0x640
[   29.643162]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   29.648324] 
[   29.649926] Freed by task 6246:
[   29.653181]  kasan_slab_free+0xc3/0x1a0
[   29.657129]  kfree+0xc9/0x250
[   29.660211]  aa_free_task_context+0xda/0x130
[   29.664592]  apparmor_cred_free+0x34/0x70
[   29.668715]  security_cred_free+0x71/0xb0
[   29.672835]  put_cred_rcu+0xe3/0x300
[   29.676520]  __put_cred+0x1a1/0x210
[   29.680122]  SyS_faccessat+0x52a/0x680
[   29.683982]  do_syscall_64+0x1d5/0x640
[   29.687844]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   29.693005] 
[   29.694607] The buggy address belongs to the object at ffff8880a5069d00
[   29.694607]  which belongs to the cache kmalloc-32 of size 32
[   29.707062] The buggy address is located 24 bytes inside of
[   29.707062]  32-byte region [ffff8880a5069d00, ffff8880a5069d20)
[   29.718746] The buggy address belongs to the page:
[   29.723648] page:ffffea0002941a40 count:1 mapcount:0 mapping:ffff8880a5069000 index:0xffff8880a5069fc1
[   29.733067] flags: 0xfff00000000100(slab)
[   29.737197] raw: 00fff00000000100 ffff8880a5069000 ffff8880a5069fc1 0000000100000014
[   29.745053] raw: ffffea00029343e0 ffffea0002941460 ffff88813fe801c0 0000000000000000
[   29.752907] page dumped because: kasan: bad access detected
[   29.758588] 
[   29.760189] Memory state around the buggy address:
[   29.765104]  ffff8880a5069c00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   29.772446]  ffff8880a5069c80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   29.779778] >ffff8880a5069d00: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[   29.787109]                             ^
[   29.791231]  ffff8880a5069d80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   29.798579]  ffff8880a5069e00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   29.805912] ==================================================================
[   29.813254] Disabling lock debugging due to kernel taint
[   29.821154] Kernel panic - not syncing: panic_on_warn set ...
[   29.821154] 
[   29.828546] CPU: 0 PID: 7995 Comm: syz-executor423 Tainted: G    B   4.14.213-syzkaller #0
[   29.837632] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.846984] Call Trace:
[   29.849552]  dump_stack+0x1b2/0x283
[   29.853173]  panic+0x1f9/0x42d
[   29.856352]  ? add_taint.cold+0x16/0x16
[   29.860304]  ? ___preempt_schedule+0x16/0x18
[   29.864729]  kasan_end_report+0x43/0x49
[   29.868681]  kasan_report_error.cold+0xa7/0x194
[   29.873323]  ? squashfs_get_id+0x181/0x1a0
[   29.877536]  __asan_report_load8_noabort+0x68/0x70
[   29.882483]  ? squashfs_get_id+0x181/0x1a0
[   29.886733]  squashfs_get_id+0x181/0x1a0
[   29.890768]  ? squashfs_read_fragment_index_table+0xc0/0xc0
[   29.896650]  ? squashfs_read_metadata+0x2ba/0x430
[   29.901465]  squashfs_read_inode+0x1b6/0x19e0
[   29.905943]  ? squashfs_read_id_index_table+0xe0/0xe0
[   29.911109]  ? new_inode+0xc7/0xf0
[   29.914737]  ? lock_acquire+0x170/0x3f0
[   29.918702]  ? do_raw_spin_unlock+0x164/0x220
[   29.923226]  squashfs_fill_super+0x1501/0x1aa0
[   29.927786]  mount_bdev+0x2b3/0x360
[   29.931424]  ? squashfs_alloc_inode+0x40/0x40
[   29.935950]  mount_fs+0x92/0x2a0
[   29.939290]  vfs_kern_mount.part.0+0x5b/0x470
[   29.944754]  do_mount+0xe53/0x2a00
[   29.948271]  ? retint_kernel+0x2d/0x2d
[   29.952130]  ? copy_mount_string+0x40/0x40
[   29.956337]  ? memset+0x20/0x40
[   29.959642]  ? copy_mount_options+0x1fa/0x2f0
[   29.964154]  ? copy_mnt_ns+0xa30/0xa30
[   29.968023]  SyS_mount+0xa8/0x120
[   29.971447]  ? copy_mnt_ns+0xa30/0xa30
[   29.975308]  do_syscall_64+0x1d5/0x640
[   29.979180]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   29.984344] RIP: 0033:0x446d2a
[   29.987532] RSP: 002b:00007ffeced0c068 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[   29.995213] RAX: ffffffffffffffda RBX: 00007ffeced0c0c0 RCX: 0000000000446d2a
[   30.002472] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffeced0c080
[   30.009719] RBP: 00007ffeced0c080 R08: 00007ffeced0c0c0 R09: 00007ffe00000015
[   30.016965] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001
[   30.024206] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[   30.032113] Kernel Offset: disabled
[   30.035722] Rebooting in 86400 seconds..