[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[   22.812368] random: sshd: uninitialized urandom read (32 bytes read)
[   23.052738] audit: type=1400 audit(1547928452.928:6): avc: denied { map } for pid=1767 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   23.088012] random: sshd: uninitialized urandom read (32 bytes read)
[   23.552483] random: sshd: uninitialized urandom read (32 bytes read)
[   26.206569] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.97' (ECDSA) to the list of known hosts.
[   31.876298] random: sshd: uninitialized urandom read (32 bytes read)
[   31.967436] audit: type=1400 audit(1547928461.838:7): avc: denied { map } for pid=1785 comm="syz-executor900" path="/root/syz-executor900305561" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[   32.262873] ==================================================================
[   32.270475] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[   32.277156] Read of size 8 at addr ffff8881d3799650 by task syz-executor900/1788
[   32.284669] 
[   32.286278] CPU: 1 PID: 1788 Comm: syz-executor900 Not tainted 4.14.94+ #12
[   32.293355] Call Trace:
[   32.295928]  dump_stack+0xb9/0x10e
[   32.299458]  ? ip_local_deliver+0x43d/0x450
[   32.303807]  print_address_description+0x60/0x226
[   32.308655]  ? ip_local_deliver+0x43d/0x450
[   32.312997]  kasan_report.cold+0x88/0x2a5
[   32.317128]  ? ip_local_deliver+0x43d/0x450
[   32.321440]  ? ip_call_ra_chain+0x540/0x540
[   32.325737]  ? __lock_acquire+0x56a/0x3fa0
[   32.329960]  ? deref_stack_reg+0xaa/0xe0
[   32.334017]  ? ip_rcv+0x99f/0xf7a
[   32.337451]  ? ip_rcv_finish+0x5c9/0x1490
[   32.341592]  ? ip_rcv+0x9e2/0xf7a
[   32.345036]  ? ip_local_deliver+0x450/0x450
[   32.349459]  ? __lock_acquire+0x56a/0x3fa0
[   32.353677]  ? check_preemption_disabled+0x35/0x1f0
[   32.358679]  ? ip_local_deliver+0x450/0x450
[   32.362997]  ? __netif_receive_skb_core+0x1364/0x2c60
[   32.368166]  ? trace_hardirqs_on+0x10/0x10
[   32.372382]  ? flush_backlog+0x580/0x580
[   32.376426]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   32.381595]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   32.386768]  ? lock_acquire+0x10f/0x380
[   32.390728]  ? __netif_receive_skb+0x55/0x1f0
[   32.395208]  ? __netif_receive_skb+0x55/0x1f0
[   32.399686]  ? netif_receive_skb_internal+0xec/0x5c0
[   32.404771]  ? dev_cpu_dead+0x810/0x810
[   32.408728]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   32.414157]  ? rcu_read_lock_sched_held+0x10a/0x130
[   32.419154]  ? tun_rx_batched.isra.0+0x45d/0x730
[   32.423919]  ? __skb_get_hash_symmetric+0x255/0x620
[   32.428937]  ? tun_chr_read_iter+0x1c0/0x1c0
[   32.433379]  ? tun_get_user+0xc07/0x3790
[   32.437433]  ? __local_bh_enable_ip+0x65/0xc0
[   32.441906]  ? tun_get_user+0xd95/0x3790
[   32.445988]  ? tun_rx_batched.isra.0+0x730/0x730
[   32.451007]  ? debug_mutex_add_waiter+0x60/0x150
[   32.455741]  ? mark_held_locks+0xa6/0xf0
[   32.459920]  ? get_page_from_freelist+0x85e/0x1d60
[   32.464957]  ? preempt_count_add+0xb8/0x180
[   32.469376]  ? __tun_get+0x11c/0x220
[   32.473085]  ? check_preemption_disabled+0x35/0x1f0
[   32.478082]  ? tun_chr_write_iter+0xcf/0x180
[   32.482466]  ? do_iter_readv_writev+0x379/0x580
[   32.487228]  ? clone_verify_area+0x1e0/0x1e0
[   32.491615]  ? avc_policy_seqno+0x5/0x10
[   32.495684]  ? security_file_permission+0x88/0x1e0
[   32.500608]  ? do_iter_write+0x152/0x550
[   32.504653]  ? lock_downgrade+0x5d0/0x5d0
[   32.508800]  ? vfs_writev+0x146/0x2d0
[   32.512582]  ? vfs_iter_write+0xa0/0xa0
[   32.516542]  ? __handle_mm_fault+0x6c5/0x2640
[   32.521030]  ? __fsnotify_inode_delete+0x20/0x20
[   32.525886]  ? __do_page_fault+0x48e/0xb80
[   32.530109]  ? lock_downgrade+0x5d0/0x5d0
[   32.534244]  ? check_preemption_disabled+0x35/0x1f0
[   32.539240]  ? do_writev+0xc9/0x240
[   32.542844]  ? vfs_writev+0x2d0/0x2d0
[   32.546634]  ? do_syscall_64+0x43/0x4b0
[   32.550707]  ? SyS_readv+0x30/0x30
[   32.554228]  ? do_syscall_64+0x19b/0x4b0
[   32.558272]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   32.563620] 
[   32.565225] Allocated by task 1788:
[   32.568831]  kasan_kmalloc.part.0+0x4f/0xd0
[   32.573132]  kmem_cache_alloc+0xd2/0x2d0
[   32.577169]  __build_skb+0x2e/0x2d0
[   32.580774]  build_skb+0x1a/0x1f0
[   32.584207]  tun_get_user+0x248b/0x3790
[   32.588176]  tun_chr_write_iter+0xcf/0x180
[   32.592389]  do_iter_readv_writev+0x379/0x580
[   32.596859]  do_iter_write+0x152/0x550
[   32.600721]  vfs_writev+0x146/0x2d0
[   32.604322]  do_writev+0xc9/0x240
[   32.607749]  do_syscall_64+0x19b/0x4b0
[   32.611610] 
[   32.613216] Freed by task 1788:
[   32.616508]  kasan_slab_free+0xb0/0x190
[   32.620480]  kmem_cache_free+0xc4/0x330
[   32.624434]  kfree_skbmem+0xa0/0x100
[   32.628192]  kfree_skb+0xcd/0x350
[   32.631639]  ip_defrag+0x5f4/0x3b50
[   32.635261]  ip_local_deliver+0x165/0x450
[   32.639387]  ip_rcv_finish+0x5c9/0x1490
[   32.643370]  ip_rcv+0x9e2/0xf7a
[   32.646713]  __netif_receive_skb_core+0x1364/0x2c60
[   32.651711]  __netif_receive_skb+0x55/0x1f0
[   32.656133]  netif_receive_skb_internal+0xec/0x5c0
[   32.661058]  tun_rx_batched.isra.0+0x45d/0x730
[   32.665650]  tun_get_user+0xd95/0x3790
[   32.669528]  tun_chr_write_iter+0xcf/0x180
[   32.673737]  do_iter_readv_writev+0x379/0x580
[   32.678207]  do_iter_write+0x152/0x550
[   32.682084]  vfs_writev+0x146/0x2d0
[   32.685800]  do_writev+0xc9/0x240
[   32.689344]  do_syscall_64+0x19b/0x4b0
[   32.693206] 
[   32.694808] The buggy address belongs to the object at ffff8881d3799640
[   32.694808]  which belongs to the cache skbuff_head_cache of size 224
[   32.707991] The buggy address is located 16 bytes inside of
[   32.707991]  224-byte region [ffff8881d3799640, ffff8881d3799720)
[   32.719756] The buggy address belongs to the page:
[   32.724665] page:ffffea00074de640 count:1 mapcount:0 mapping: (null) index:0x0
[   32.732896] flags: 0x4000000000000100(slab)
[   32.737195] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[   32.745050] raw: dead000000000100 dead000000000200 ffff8881dab58800 0000000000000000
[   32.752904] page dumped because: kasan: bad access detected
[   32.758586] 
[   32.760190] Memory state around the buggy address:
[   32.765102]  ffff8881d3799500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.772453]  ffff8881d3799580: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   32.779852] >ffff8881d3799600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   32.787197]                                                  ^
[   32.793156]  ffff8881d3799680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.800677]  ffff8881d3799700: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   32.808027] ==================================================================
[   32.815366] Disabling lock debugging due to kernel taint
[   32.820830] Kernel panic - not syncing: panic_on_warn set ...
[   32.820830] 
[   32.828199] CPU: 1 PID: 1788 Comm: syz-executor900 Tainted: G B 4.14.94+ #12
[   32.836594] Call Trace:
[   32.839164]  dump_stack+0xb9/0x10e
[   32.842683]  panic+0x1d9/0x3c2
[   32.845854]  ? add_taint.cold+0x16/0x16
[   32.849805]  ? retint_kernel+0x2d/0x2d
[   32.853675]  ? ip_local_deliver+0x43d/0x450
[   32.857970]  kasan_end_report+0x43/0x49
[   32.862015]  kasan_report.cold+0xa4/0x2a5
[   32.866142]  ? ip_local_deliver+0x43d/0x450
[   32.870449]  ? ip_call_ra_chain+0x540/0x540
[   32.874772]  ? __lock_acquire+0x56a/0x3fa0
[   32.879008]  ? deref_stack_reg+0xaa/0xe0
[   32.883118]  ? ip_rcv+0x99f/0xf7a
[   32.886700]  ? ip_rcv_finish+0x5c9/0x1490
[   32.890828]  ? ip_rcv+0x9e2/0xf7a
[   32.894260]  ? ip_local_deliver+0x450/0x450
[   32.898559]  ? __lock_acquire+0x56a/0x3fa0
[   32.902773]  ? check_preemption_disabled+0x35/0x1f0
[   32.907781]  ? ip_local_deliver+0x450/0x450
[   32.912078]  ? __netif_receive_skb_core+0x1364/0x2c60
[   32.917249]  ? trace_hardirqs_on+0x10/0x10
[   32.921464]  ? flush_backlog+0x580/0x580
[   32.925521]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   32.930687]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   32.936013]  ? lock_acquire+0x10f/0x380
[   32.940000]  ? __netif_receive_skb+0x55/0x1f0
[   32.944493]  ? __netif_receive_skb+0x55/0x1f0
[   32.948986]  ? netif_receive_skb_internal+0xec/0x5c0
[   32.954090]  ? dev_cpu_dead+0x810/0x810
[   32.958047]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   32.963473]  ? rcu_read_lock_sched_held+0x10a/0x130
[   32.968469]  ? tun_rx_batched.isra.0+0x45d/0x730
[   32.973202]  ? __skb_get_hash_symmetric+0x255/0x620
[   32.978193]  ? tun_chr_read_iter+0x1c0/0x1c0
[   32.982578]  ? tun_get_user+0xc07/0x3790
[   32.986614]  ? __local_bh_enable_ip+0x65/0xc0
[   32.991090]  ? tun_get_user+0xd95/0x3790
[   32.995129]  ? tun_rx_batched.isra.0+0x730/0x730
[   33.000022]  ? debug_mutex_add_waiter+0x60/0x150
[   33.004771]  ? mark_held_locks+0xa6/0xf0
[   33.008809]  ? get_page_from_freelist+0x85e/0x1d60
[   33.013717]  ? preempt_count_add+0xb8/0x180
[   33.018037]  ? __tun_get+0x11c/0x220
[   33.021729]  ? check_preemption_disabled+0x35/0x1f0
[   33.026738]  ? tun_chr_write_iter+0xcf/0x180
[   33.031123]  ? do_iter_readv_writev+0x379/0x580
[   33.035770]  ? clone_verify_area+0x1e0/0x1e0
[   33.040168]  ? avc_policy_seqno+0x5/0x10
[   33.044207]  ? security_file_permission+0x88/0x1e0
[   33.049326]  ? do_iter_write+0x152/0x550
[   33.053368]  ? lock_downgrade+0x5d0/0x5d0
[   33.057494]  ? vfs_writev+0x146/0x2d0
[   33.061300]  ? vfs_iter_write+0xa0/0xa0
[   33.065269]  ? __handle_mm_fault+0x6c5/0x2640
[   33.069753]  ? __fsnotify_inode_delete+0x20/0x20
[   33.074486]  ? __do_page_fault+0x48e/0xb80
[   33.078703]  ? lock_downgrade+0x5d0/0x5d0
[   33.082829]  ? check_preemption_disabled+0x35/0x1f0
[   33.087820]  ? do_writev+0xc9/0x240
[   33.091427]  ? vfs_writev+0x2d0/0x2d0
[   33.095218]  ? do_syscall_64+0x43/0x4b0
[   33.099167]  ? SyS_readv+0x30/0x30
[   33.102688]  ? do_syscall_64+0x19b/0x4b0
[   33.106835]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   33.112500] Kernel Offset: 0x34400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   33.123398] Rebooting in 86400 seconds..