[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 23.506702] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.926161] audit: type=1400 audit(1547358123.863:6): avc: denied { map } for pid=1768 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 23.967257] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.419700] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.575357] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.15.204' (ECDSA) to the list of known hosts.
[ 30.098816] random: sshd: uninitialized urandom read (32 bytes read)
[ 30.194584] audit: type=1400 audit(1547358130.133:7): avc: denied { map } for pid=1786 comm="syz-executor611" path="/root/syz-executor611010699" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 30.451835] ==================================================================
[ 30.459488] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[ 30.466174] Read of size 8 at addr ffff8881d0121010 by task syz-executor611/1789
[ 30.473685]
[ 30.475404] CPU: 1 PID: 1789 Comm: syz-executor611 Not tainted 4.14.92+ #5
[ 30.482423] Call Trace:
[ 30.485064]  dump_stack+0xb9/0x10e
[ 30.488583]  ? ip_local_deliver+0x43d/0x450
[ 30.492886]  print_address_description+0x60/0x226
[ 30.497711]  ? ip_local_deliver+0x43d/0x450
[ 30.502013]  kasan_report.cold+0x88/0x2a5
[ 30.506142]  ? ip_local_deliver+0x43d/0x450
[ 30.510485]  ? ip_call_ra_chain+0x540/0x540
[ 30.514798]  ? __lock_acquire+0x56a/0x3fa0
[ 30.519026]  ? deref_stack_reg+0xaa/0xe0
[ 30.523066]  ? ip_rcv+0x99f/0xf7a
[ 30.526621]  ? ip_rcv_finish+0x5c9/0x1490
[ 30.530761]  ? ip_rcv+0x9e2/0xf7a
[ 30.534196]  ? ip_local_deliver+0x450/0x450
[ 30.538514]  ? __lock_acquire+0x56a/0x3fa0
[ 30.542739]  ? check_preemption_disabled+0x35/0x1f0
[ 30.547732]  ? ip_local_deliver+0x450/0x450
[ 30.552027]  ? __netif_receive_skb_core+0x1364/0x2c60
[ 30.557191]  ? trace_hardirqs_on+0x10/0x10
[ 30.561470]  ? flush_backlog+0x580/0x580
[ 30.565528]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 30.570710]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 30.575872]  ? lock_acquire+0x10f/0x380
[ 30.579822]  ? __netif_receive_skb+0x55/0x1f0
[ 30.584292]  ? __netif_receive_skb+0x55/0x1f0
[ 30.588762]  ? netif_receive_skb_internal+0xec/0x5c0
[ 30.593841]  ? dev_cpu_dead+0x810/0x810
[ 30.597871]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 30.603306]  ? rcu_read_lock_sched_held+0x10a/0x130
[ 30.608305]  ? tun_rx_batched.isra.0+0x45d/0x730
[ 30.613053]  ? __skb_get_hash_symmetric+0x255/0x620
[ 30.618042]  ? tun_chr_read_iter+0x1c0/0x1c0
[ 30.622430]  ? tun_get_user+0xc07/0x3790
[ 30.626465]  ? __local_bh_enable_ip+0x65/0xc0
[ 30.630937]  ? tun_get_user+0xd95/0x3790
[ 30.634980]  ? tun_rx_batched.isra.0+0x730/0x730
[ 30.639711]  ? mutex_remove_waiter+0x150/0x440
[ 30.644276]  ? mark_held_locks+0xa6/0xf0
[ 30.648320]  ? get_page_from_freelist+0x85e/0x1d60
[ 30.653242]  ? preempt_count_add+0xb8/0x180
[ 30.657550]  ? __tun_get+0x11c/0x220
[ 30.661245]  ? check_preemption_disabled+0x35/0x1f0
[ 30.666240]  ? tun_chr_write_iter+0xcf/0x180
[ 30.670644]  ? do_iter_readv_writev+0x379/0x580
[ 30.675419]  ? clone_verify_area+0x1e0/0x1e0
[ 30.679806]  ? avc_policy_seqno+0x5/0x10
[ 30.683843]  ? security_file_permission+0x88/0x1e0
[ 30.688762]  ? do_iter_write+0x152/0x550
[ 30.692795]  ? lock_downgrade+0x5d0/0x5d0
[ 30.696934]  ? vfs_writev+0x146/0x2d0
[ 30.700716]  ? vfs_iter_write+0xa0/0xa0
[ 30.704662]  ? __handle_mm_fault+0x6c5/0x2640
[ 30.709151]  ? __fsnotify_inode_delete+0x20/0x20
[ 30.713925]  ? __do_page_fault+0x48e/0xb80
[ 30.718159]  ? lock_downgrade+0x5d0/0x5d0
[ 30.722324]  ? check_preemption_disabled+0x35/0x1f0
[ 30.727326]  ? do_writev+0xc9/0x240
[ 30.730930]  ? vfs_writev+0x2d0/0x2d0
[ 30.734711]  ? do_syscall_64+0x43/0x4b0
[ 30.738659]  ? SyS_readv+0x30/0x30
[ 30.742171]  ? do_syscall_64+0x19b/0x4b0
[ 30.746225]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 30.751583]
[ 30.753182] Allocated by task 1789:
[ 30.756791]  kasan_kmalloc.part.0+0x4f/0xd0
[ 30.761089]  kmem_cache_alloc+0xd2/0x2d0
[ 30.765123]  __build_skb+0x2e/0x2d0
[ 30.768720]  build_skb+0x1a/0x1f0
[ 30.772144]  tun_get_user+0x248b/0x3790
[ 30.776087]  tun_chr_write_iter+0xcf/0x180
[ 30.780316]  do_iter_readv_writev+0x379/0x580
[ 30.784781]  do_iter_write+0x152/0x550
[ 30.788637]  vfs_writev+0x146/0x2d0
[ 30.792231]  do_writev+0xc9/0x240
[ 30.795656]  do_syscall_64+0x19b/0x4b0
[ 30.799529]
[ 30.801128] Freed by task 1789:
[ 30.804377]  kasan_slab_free+0xb0/0x190
[ 30.808328]  kmem_cache_free+0xc4/0x330
[ 30.812278]  kfree_skbmem+0xa0/0x100
[ 30.815963]  kfree_skb+0xcd/0x350
[ 30.819391]  ip_defrag+0x5f4/0x3b50
[ 30.822989]  ip_local_deliver+0x165/0x450
[ 30.827128]  ip_rcv_finish+0x5c9/0x1490
[ 30.831076]  ip_rcv+0x9e2/0xf7a
[ 30.834328]  __netif_receive_skb_core+0x1364/0x2c60
[ 30.839323]  __netif_receive_skb+0x55/0x1f0
[ 30.843616]  netif_receive_skb_internal+0xec/0x5c0
[ 30.848523]  tun_rx_batched.isra.0+0x45d/0x730
[ 30.853111]  tun_get_user+0xd95/0x3790
[ 30.856972]  tun_chr_write_iter+0xcf/0x180
[ 30.861180]  do_iter_readv_writev+0x379/0x580
[ 30.865651]  do_iter_write+0x152/0x550
[ 30.869513]  vfs_writev+0x146/0x2d0
[ 30.873110]  do_writev+0xc9/0x240
[ 30.876535]  do_syscall_64+0x19b/0x4b0
[ 30.880392]
[ 30.881995] The buggy address belongs to the object at ffff8881d0121000
[ 30.881995]  which belongs to the cache skbuff_head_cache of size 224
[ 30.895183] The buggy address is located 16 bytes inside of
[ 30.895183]  224-byte region [ffff8881d0121000, ffff8881d01210e0)
[ 30.906946] The buggy address belongs to the page:
[ 30.911847] page:ffffea0007404840 count:1 mapcount:0 mapping: (null) index:0xffff8881d0121dc0
[ 30.921291] flags: 0x4000000000000100(slab)
[ 30.925589] raw: 4000000000000100 0000000000000000 ffff8881d0121dc0 00000001800c0009
[ 30.933459] raw: ffffea000745f600 0000000300000003 ffff8881dab58200 0000000000000000
[ 30.941316] page dumped because: kasan: bad access detected
[ 30.947107]
[ 30.948715] Memory state around the buggy address:
[ 30.953614]  ffff8881d0120f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.960978]  ffff8881d0120f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.968328] >ffff8881d0121000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.975658]                          ^
[ 30.979513]  ffff8881d0121080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 30.986842]  ffff8881d0121100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 30.994168] ==================================================================
[ 31.001494] Disabling lock debugging due to kernel taint
[ 31.006952] Kernel panic - not syncing: panic_on_warn set ...
[ 31.006952]
[ 31.014293] CPU: 1 PID: 1789 Comm: syz-executor611 Tainted: G B 4.14.92+ #5
[ 31.022489] Call Trace:
[ 31.025153]  dump_stack+0xb9/0x10e
[ 31.028673]  panic+0x1d9/0x3c2
[ 31.031841]  ? add_taint.cold+0x16/0x16
[ 31.035785]  ? retint_kernel+0x2d/0x2d
[ 31.039661]  ? ip_local_deliver+0x43d/0x450
[ 31.043972]  kasan_end_report+0x43/0x49
[ 31.047915]  kasan_report.cold+0xa4/0x2a5
[ 31.052049]  ? ip_local_deliver+0x43d/0x450
[ 31.056474]  ? ip_call_ra_chain+0x540/0x540
[ 31.060777]  ? __lock_acquire+0x56a/0x3fa0
[ 31.064993]  ? deref_stack_reg+0xaa/0xe0
[ 31.069029]  ? ip_rcv+0x99f/0xf7a
[ 31.072456]  ? ip_rcv_finish+0x5c9/0x1490
[ 31.076581]  ? ip_rcv+0x9e2/0xf7a
[ 31.080005]  ? ip_local_deliver+0x450/0x450
[ 31.084296]  ? __lock_acquire+0x56a/0x3fa0
[ 31.088611]  ? check_preemption_disabled+0x35/0x1f0
[ 31.093606]  ? ip_local_deliver+0x450/0x450
[ 31.097901]  ? __netif_receive_skb_core+0x1364/0x2c60
[ 31.103062]  ? trace_hardirqs_on+0x10/0x10
[ 31.107279]  ? flush_backlog+0x580/0x580
[ 31.111322]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 31.116502]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 31.121665]  ? lock_acquire+0x10f/0x380
[ 31.125685]  ? __netif_receive_skb+0x55/0x1f0
[ 31.130160]  ? __netif_receive_skb+0x55/0x1f0
[ 31.134628]  ? netif_receive_skb_internal+0xec/0x5c0
[ 31.139720]  ? dev_cpu_dead+0x810/0x810
[ 31.143671]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 31.149095]  ? rcu_read_lock_sched_held+0x10a/0x130
[ 31.154086]  ? tun_rx_batched.isra.0+0x45d/0x730
[ 31.158814]  ? __skb_get_hash_symmetric+0x255/0x620
[ 31.163804]  ? tun_chr_read_iter+0x1c0/0x1c0
[ 31.168184]  ? tun_get_user+0xc07/0x3790
[ 31.172218]  ? __local_bh_enable_ip+0x65/0xc0
[ 31.176688]  ? tun_get_user+0xd95/0x3790
[ 31.180722]  ? tun_rx_batched.isra.0+0x730/0x730
[ 31.185452]  ? mutex_remove_waiter+0x150/0x440
[ 31.190008]  ? mark_held_locks+0xa6/0xf0
[ 31.194041]  ? get_page_from_freelist+0x85e/0x1d60
[ 31.198944]  ? preempt_count_add+0xb8/0x180
[ 31.203239]  ? __tun_get+0x11c/0x220
[ 31.206934]  ? check_preemption_disabled+0x35/0x1f0
[ 31.211930]  ? tun_chr_write_iter+0xcf/0x180
[ 31.216327]  ? do_iter_readv_writev+0x379/0x580
[ 31.220968]  ? clone_verify_area+0x1e0/0x1e0
[ 31.225351]  ? avc_policy_seqno+0x5/0x10
[ 31.229397]  ? security_file_permission+0x88/0x1e0
[ 31.234299]  ? do_iter_write+0x152/0x550
[ 31.238334]  ? lock_downgrade+0x5d0/0x5d0
[ 31.242454]  ? vfs_writev+0x146/0x2d0
[ 31.246225]  ? vfs_iter_write+0xa0/0xa0
[ 31.250171]  ? __handle_mm_fault+0x6c5/0x2640
[ 31.254658]  ? __fsnotify_inode_delete+0x20/0x20
[ 31.259388]  ? __do_page_fault+0x48e/0xb80
[ 31.263596]  ? lock_downgrade+0x5d0/0x5d0
[ 31.267718]  ? check_preemption_disabled+0x35/0x1f0
[ 31.272708]  ? do_writev+0xc9/0x240
[ 31.276340]  ? vfs_writev+0x2d0/0x2d0
[ 31.280114]  ? do_syscall_64+0x43/0x4b0
[ 31.284067]  ? SyS_readv+0x30/0x30
[ 31.287583]  ? do_syscall_64+0x19b/0x4b0
[ 31.291634]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 31.297316] Kernel Offset: 0x2da00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 31.308212] Rebooting in 86400 seconds..