[....] Starting OpenBSD Secure Shell server: sshd
[    9.828178] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: 
[   31.250117] random: sshd: uninitialized urandom read (32 bytes read)
[   31.417285] audit: type=1400 audit(1548729381.363:6): avc: denied { map } for pid=1764 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   31.450886] random: sshd: uninitialized urandom read (32 bytes read)
[   31.905894] random: sshd: uninitialized urandom read (32 bytes read)
[   45.685957] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.20' (ECDSA) to the list of known hosts.
[   51.349235] random: sshd: uninitialized urandom read (32 bytes read)
[   51.435493] audit: type=1400 audit(1548729401.383:7): avc: denied { map } for pid=1788 comm="syz-executor952" path="/root/syz-executor952459515" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[   51.702228] ==================================================================
[   51.709671] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[   51.716317] Read of size 8 at addr ffff8881d059fdd0 by task syz-executor952/1791
[   51.723828] 
[   51.725442] CPU: 1 PID: 1791 Comm: syz-executor952 Not tainted 4.14.96+ #20
[   51.732515] Call Trace:
[   51.735168]  dump_stack+0xb9/0x10e
[   51.738714]  ? ip_local_deliver+0x43d/0x450
[   51.743042]  print_address_description+0x60/0x226
[   51.747863]  ? ip_local_deliver+0x43d/0x450
[   51.752159]  kasan_report.cold+0x88/0x2a5
[   51.756481]  ? ip_local_deliver+0x43d/0x450
[   51.760787]  ? ip_call_ra_chain+0x540/0x540
[   51.765106]  ? __lock_acquire+0x56a/0x3fa0
[   51.769323]  ? ip_rcv+0x99f/0xf7a
[   51.772802]  ? ip_rcv_finish+0x5c9/0x1490
[   51.777269]  ? ip_rcv+0x9e2/0xf7a
[   51.780710]  ? ip_local_deliver+0x450/0x450
[   51.785011]  ? __lock_acquire+0x56a/0x3fa0
[   51.789231]  ? check_preemption_disabled+0x35/0x1f0
[   51.794226]  ? ip_local_deliver+0x450/0x450
[   51.798531]  ? __netif_receive_skb_core+0x1364/0x2c60
[   51.803697]  ? trace_hardirqs_on+0x10/0x10
[   51.807913]  ? flush_backlog+0x580/0x580
[   51.811954]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   51.817183]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   51.822371]  ? lock_acquire+0x10f/0x380
[   51.826336]  ? __netif_receive_skb+0x55/0x1f0
[   51.830815]  ? __netif_receive_skb+0x55/0x1f0
[   51.835423]  ? netif_receive_skb_internal+0xec/0x5c0
[   51.840572]  ? dev_cpu_dead+0x810/0x810
[   51.844590]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   51.850036]  ? rcu_read_lock_sched_held+0x10a/0x130
[   51.855043]  ? tun_rx_batched.isra.0+0x45d/0x730
[   51.859866]  ? __skb_get_hash_symmetric+0x255/0x620
[   51.864861]  ? __slab_alloc.isra.0.constprop.0+0x76/0x90
[   51.870290]  ? tun_chr_read_iter+0x1c0/0x1c0
[   51.874679]  ? tun_get_user+0xc07/0x3790
[   51.878717]  ? __local_bh_enable_ip+0x65/0xc0
[   51.883196]  ? tun_get_user+0xd95/0x3790
[   51.887258]  ? tun_rx_batched.isra.0+0x730/0x730
[   51.891999]  ? debug_mutex_wake_waiter+0x1d0/0x370
[   51.896911]  ? mark_held_locks+0xa6/0xf0
[   51.900957]  ? get_page_from_freelist+0x85e/0x1d60
[   51.905868]  ? preempt_count_add+0xb8/0x180
[   51.910275]  ? __tun_get+0x11c/0x220
[   51.913982]  ? check_preemption_disabled+0x35/0x1f0
[   51.919039]  ? tun_chr_write_iter+0xcf/0x180
[   51.923434]  ? do_iter_readv_writev+0x379/0x580
[   51.928089]  ? clone_verify_area+0x1e0/0x1e0
[   51.932476]  ? avc_policy_seqno+0x5/0x10
[   51.936517]  ? security_file_permission+0x88/0x1e0
[   51.941427]  ? do_iter_write+0x152/0x550
[   51.945465]  ? lock_downgrade+0x5d0/0x5d0
[   51.949594]  ? vfs_writev+0x146/0x2d0
[   51.953650]  ? vfs_iter_write+0xa0/0xa0
[   51.957611]  ? __handle_mm_fault+0x6c5/0x2640
[   51.962097]  ? __fsnotify_inode_delete+0x20/0x20
[   51.966851]  ? __do_page_fault+0x48e/0xb80
[   51.971071]  ? lock_downgrade+0x5d0/0x5d0
[   51.975195]  ? check_preemption_disabled+0x35/0x1f0
[   51.980194]  ? do_writev+0xc9/0x240
[   51.983798]  ? vfs_writev+0x2d0/0x2d0
[   51.987590]  ? do_syscall_64+0x43/0x4b0
[   51.991545]  ? SyS_readv+0x30/0x30
[   51.995063]  ? do_syscall_64+0x19b/0x4b0
[   51.999113]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   52.004464] 
[   52.006070] Allocated by task 1791:
[   52.009678]  kasan_kmalloc.part.0+0x4f/0xd0
[   52.013977]  kmem_cache_alloc+0xd2/0x2d0
[   52.018026]  __build_skb+0x2e/0x2d0
[   52.021630]  build_skb+0x1a/0x1f0
[   52.025174]  tun_get_user+0x248b/0x3790
[   52.029215]  tun_chr_write_iter+0xcf/0x180
[   52.033429]  do_iter_readv_writev+0x379/0x580
[   52.037911]  do_iter_write+0x152/0x550
[   52.041782]  vfs_writev+0x146/0x2d0
[   52.045398]  do_writev+0xc9/0x240
[   52.048830]  do_syscall_64+0x19b/0x4b0
[   52.052690] 
[   52.054296] Freed by task 1791:
[   52.057566]  kasan_slab_free+0xb0/0x190
[   52.061561]  kmem_cache_free+0xc4/0x330
[   52.065528]  kfree_skbmem+0xa0/0x100
[   52.069225]  kfree_skb+0xcd/0x350
[   52.072656]  ip_defrag+0x5f4/0x3b50
[   52.076259]  ip_local_deliver+0x165/0x450
[   52.080380]  ip_rcv_finish+0x5c9/0x1490
[   52.084329]  ip_rcv+0x9e2/0xf7a
[   52.087589]  __netif_receive_skb_core+0x1364/0x2c60
[   52.092582]  __netif_receive_skb+0x55/0x1f0
[   52.096882]  netif_receive_skb_internal+0xec/0x5c0
[   52.101794]  tun_rx_batched.isra.0+0x45d/0x730
[   52.106367]  tun_get_user+0xd95/0x3790
[   52.110248]  tun_chr_write_iter+0xcf/0x180
[   52.114468]  do_iter_readv_writev+0x379/0x580
[   52.118939]  do_iter_write+0x152/0x550
[   52.122801]  vfs_writev+0x146/0x2d0
[   52.126403]  do_writev+0xc9/0x240
[   52.129834]  do_syscall_64+0x19b/0x4b0
[   52.133696] 
[   52.135301] The buggy address belongs to the object at ffff8881d059fdc0
[   52.135301]  which belongs to the cache skbuff_head_cache of size 224
[   52.148458] The buggy address is located 16 bytes inside of
[   52.148458]  224-byte region [ffff8881d059fdc0, ffff8881d059fea0)
[   52.160236] The buggy address belongs to the page:
[   52.165155] page:ffffea00074167c0 count:1 mapcount:0 mapping: (null) index:0x0
[   52.173293] flags: 0x4000000000000100(slab)
[   52.177597] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[   52.185463] raw: 0000000000000000 0000000100000001 ffff8881dab58200 0000000000000000
[   52.193324] page dumped because: kasan: bad access detected
[   52.199014] 
[   52.200617] Memory state around the buggy address:
[   52.205524]  ffff8881d059fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   52.212861]  ffff8881d059fd00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   52.220418] >ffff8881d059fd80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   52.227754]                                                  ^
[   52.233707]  ffff8881d059fe00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   52.241046]  ffff8881d059fe80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   52.248510] ==================================================================
[   52.255853] Disabling lock debugging due to kernel taint
[   52.261321] Kernel panic - not syncing: panic_on_warn set ...
[   52.261321] 
[   52.268669] CPU: 1 PID: 1791 Comm: syz-executor952 Tainted: G B 4.14.96+ #20
[   52.276956] Call Trace:
[   52.279578]  dump_stack+0xb9/0x10e
[   52.283106]  panic+0x1d9/0x3c2
[   52.286284]  ? add_taint.cold+0x16/0x16
[   52.290238]  ? retint_kernel+0x2d/0x2d
[   52.294115]  ? ip_local_deliver+0x43d/0x450
[   52.298427]  kasan_end_report+0x43/0x49
[   52.302490]  kasan_report.cold+0xa4/0x2a5
[   52.306618]  ? ip_local_deliver+0x43d/0x450
[   52.310919]  ? ip_call_ra_chain+0x540/0x540
[   52.315221]  ? __lock_acquire+0x56a/0x3fa0
[   52.319447]  ? ip_rcv+0x99f/0xf7a
[   52.322879]  ? ip_rcv_finish+0x5c9/0x1490
[   52.327007]  ? ip_rcv+0x9e2/0xf7a
[   52.330445]  ? ip_local_deliver+0x450/0x450
[   52.334747]  ? __lock_acquire+0x56a/0x3fa0
[   52.338970]  ? check_preemption_disabled+0x35/0x1f0
[   52.344114]  ? ip_local_deliver+0x450/0x450
[   52.348432]  ? __netif_receive_skb_core+0x1364/0x2c60
[   52.353608]  ? trace_hardirqs_on+0x10/0x10
[   52.357820]  ? flush_backlog+0x580/0x580
[   52.361858]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   52.367037]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   52.372206]  ? lock_acquire+0x10f/0x380
[   52.376157]  ? __netif_receive_skb+0x55/0x1f0
[   52.380627]  ? __netif_receive_skb+0x55/0x1f0
[   52.385110]  ? netif_receive_skb_internal+0xec/0x5c0
[   52.390190]  ? dev_cpu_dead+0x810/0x810
[   52.394143]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   52.399572]  ? rcu_read_lock_sched_held+0x10a/0x130
[   52.404571]  ? tun_rx_batched.isra.0+0x45d/0x730
[   52.409307]  ? __skb_get_hash_symmetric+0x255/0x620
[   52.414304]  ? __slab_alloc.isra.0.constprop.0+0x76/0x90
[   52.419734]  ? tun_chr_read_iter+0x1c0/0x1c0
[   52.424122]  ? tun_get_user+0xc07/0x3790
[   52.428163]  ? __local_bh_enable_ip+0x65/0xc0
[   52.432635]  ? tun_get_user+0xd95/0x3790
[   52.436677]  ? tun_rx_batched.isra.0+0x730/0x730
[   52.441411]  ? debug_mutex_wake_waiter+0x1d0/0x370
[   52.446314]  ? mark_held_locks+0xa6/0xf0
[   52.450359]  ? get_page_from_freelist+0x85e/0x1d60
[   52.455282]  ? preempt_count_add+0xb8/0x180
[   52.459599]  ? __tun_get+0x11c/0x220
[   52.463298]  ? check_preemption_disabled+0x35/0x1f0
[   52.468295]  ? tun_chr_write_iter+0xcf/0x180
[   52.472686]  ? do_iter_readv_writev+0x379/0x580
[   52.477335]  ? clone_verify_area+0x1e0/0x1e0
[   52.481719]  ? avc_policy_seqno+0x5/0x10
[   52.485757]  ? security_file_permission+0x88/0x1e0
[   52.490713]  ? do_iter_write+0x152/0x550
[   52.494757]  ? lock_downgrade+0x5d0/0x5d0
[   52.498883]  ? vfs_writev+0x146/0x2d0
[   52.502657]  ? vfs_iter_write+0xa0/0xa0
[   52.506762]  ? __handle_mm_fault+0x6c5/0x2640
[   52.511238]  ? __fsnotify_inode_delete+0x20/0x20
[   52.515979]  ? __do_page_fault+0x48e/0xb80
[   52.520192]  ? lock_downgrade+0x5d0/0x5d0
[   52.524328]  ? check_preemption_disabled+0x35/0x1f0
[   52.529328]  ? do_writev+0xc9/0x240
[   52.532933]  ? vfs_writev+0x2d0/0x2d0
[   52.536708]  ? do_syscall_64+0x43/0x4b0
[   52.540656]  ? SyS_readv+0x30/0x30
[   52.544172]  ? do_syscall_64+0x19b/0x4b0
[   52.548211]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   52.554079] Kernel Offset: 0x17800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   52.564988] Rebooting in 86400 seconds..
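What the report records, read off its three stacks: the sk_buff head (a 224-byte skbuff_head_cache object) was allocated by tun_get_user through build_skb, freed by kfree_skb inside ip_defrag, which ip_local_deliver had called at +0x165, and then read again (8 bytes at offset 16 into the freed object) by ip_local_deliver at +0x43d. All three happen in task 1791 inside one writev() on the tun device, so the free and the stale read are on the same synchronous receive path. Offset 16 is where skb->dev sits in the 4.14 layout of struct sk_buff, after the next and prev pointers; that is an inference from the struct layout, not something the report states. The shadow byte under the caret, fb, is KASAN's marker for freed slab memory, and the fc bytes before the object are the slab redzone. Which of ip_defrag's return paths hands a freed skb back to its caller is not visible here; that needs the 4.14.96 source. Frames printed with "?" are stale return addresses found on the stack, not a verified call chain, which is why the faulting function is taken from the BUG line rather than from the trace.

The script below is an added example, not part of the log and not syzkaller's own report parser. It extracts exactly those fields from raw console text so that a batch of such logs can be triaged mechanically. SAMPLE is a constructed excerpt of the report above with the stacks shortened, and the SKIP list used to find the frame that "owns" an allocation or a free is a heuristic of this example.

```python
"""KASAN report triage for a syzkaller console log.  Added example, not part of
the original log and not syzkaller's own parser: it extracts bug class, faulting
frame, access size/address, alloc/free stacks, slab cache, offset inside the
object and the KASAN shadow byte, and names the frames that own alloc and free."""
import re
from collections import namedtuple

SHADOW_SCALE = 8  # one KASAN shadow byte describes 8 bytes of memory
SHADOW_MEANING = {0x00: "accessible", 0xfa: "global redzone", 0xfb: "freed (kmalloc)",
                  0xfc: "kmalloc redzone", 0xfe: "page redzone", 0xff: "free page"}
# Heuristic of this example: allocator/KASAN internals and sk_buff wrappers are
# plumbing; the first frame past them "owns" the allocation or the free.
SKIP = ("kasan_", "kmem_cache_", "kmalloc", "__kmalloc", "kfree", "slab_",
        "build_skb", "__build_skb", "alloc_skb", "__alloc_skb")
TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # printk timestamp prefix
FRAME = re.compile(r"^(\?\s+)?([\w.]+)\+0x([0-9a-f]+)/0x[0-9a-f]+$")
Frame = namedtuple("Frame", "sym off uncertain")  # uncertain: printed with "?"

def parse_kasan_report(text):
    """Parse the first KASAN report found in console text into a dict."""
    rep = {"crash": [], "alloc": [], "free": [], "shadow": {}}
    section = None
    for raw in text.splitlines():
        s = TS.sub("", raw).strip()
        if s and set(s) == {"="}:  # "=====" delimiter; stop after the first report
            if "bug" in rep:
                break
            continue
        if m := re.match(r"BUG: KASAN: ([\w-]+) in ([\w.]+)\+0x", s):
            rep["bug"], rep["func"] = m[1], m[2]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) ", s):
            rep["access"], rep["size"], rep["addr"] = m[1], int(m[2]), int(m[3], 16)
        elif s == "Call Trace:":
            section = rep["crash"]
        elif s.startswith("Allocated by task"):
            section = rep["alloc"]
        elif s.startswith("Freed by task"):
            section = rep["free"]
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", s):
            rep["obj_addr"], section = int(m[1], 16), None
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", s):
            rep["cache"], rep["cache_size"] = m[1], int(m[2])
        elif m := re.match(r">?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", s):
            rep["shadow"][int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif section is not None:
            if m := FRAME.match(s):
                section.append(Frame(m[2], int(m[3], 16), bool(m[1])))
            elif not s:
                section = None  # a blank line closes a stack
    return rep

def shadow_at(rep, addr):
    """KASAN shadow byte covering addr, taken from the 'Memory state' rows."""
    for base, row in rep["shadow"].items():
        if base <= addr < base + len(row) * SHADOW_SCALE:
            return row[(addr - base) // SHADOW_SCALE]
    return None

def owner(stack):
    """First certain frame that is not allocator/KASAN/skb plumbing."""
    return next((f.sym for f in stack
                 if not f.uncertain and not f.sym.startswith(SKIP)), None)

def summarize(rep):
    """One-line triage summary in the shape a bug title takes."""
    sb = shadow_at(rep, rep["addr"])
    return (f"KASAN {rep['bug']}: {rep['access'].lower()} of {rep['size']} bytes in "
            f"{rep['func']}, {rep['addr'] - rep['obj_addr']} bytes into a "
            f"{rep['cache_size']}-byte {rep['cache']} object allocated by "
            f"{owner(rep['alloc'])}, freed by {owner(rep['free'])} "
            f"(shadow 0x{sb:02x} = {SHADOW_MEANING.get(sb, 'unknown')})")

# Constructed sample: an excerpt of the report above, stacks shortened.
SAMPLE = """\
[   51.702228] ==================================================================
[   51.709671] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[   51.716317] Read of size 8 at addr ffff8881d059fdd0 by task syz-executor952/1791
[   51.732515] Call Trace:
[   51.735168]  dump_stack+0xb9/0x10e
[   51.738714]  ? ip_local_deliver+0x43d/0x450
[   52.004464]
[   52.006070] Allocated by task 1791:
[   52.009678]  kasan_kmalloc.part.0+0x4f/0xd0
[   52.013977]  kmem_cache_alloc+0xd2/0x2d0
[   52.021630]  build_skb+0x1a/0x1f0
[   52.025174]  tun_get_user+0x248b/0x3790
[   52.052690]
[   52.054296] Freed by task 1791:
[   52.057566]  kasan_slab_free+0xb0/0x190
[   52.069225]  kfree_skb+0xcd/0x350
[   52.072656]  ip_defrag+0x5f4/0x3b50
[   52.076259]  ip_local_deliver+0x165/0x450
[   52.133696]
[   52.135301] The buggy address belongs to the object at ffff8881d059fdc0
[   52.135301]  which belongs to the cache skbuff_head_cache of size 224
[   52.220418] >ffff8881d059fd80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   52.248510] ==================================================================
"""

if __name__ == "__main__":
    print(summarize(parse_kasan_report(SAMPLE)))
```

Run on the sample it prints a single bug-title style line naming ip_local_deliver as the faulting function, tun_get_user as the allocator, ip_defrag as the freer, the 16-byte offset into the 224-byte skbuff_head_cache object and the fb shadow byte. Feeding it the full log instead of SAMPLE gives the same answer, because parsing stops at the closing delimiter and the panic trace that follows is never read.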