[....] Starting OpenBSD Secure Shell server: sshd
[   10.444262] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ]

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   34.284022] random: sshd: uninitialized urandom read (32 bytes read)
[   34.864320] audit: type=1400 audit(1547755915.816:6): avc: denied { map } for pid=1770 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   34.901171] random: sshd: uninitialized urandom read (32 bytes read)
[   35.358159] random: sshd: uninitialized urandom read (32 bytes read)
[   52.871907] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.96' (ECDSA) to the list of known hosts.
[   58.710638] random: sshd: uninitialized urandom read (32 bytes read)
[   58.797067] audit: type=1400 audit(1547755939.746:7): avc: denied { map } for pid=1794 comm="syz-executor149" path="/root/syz-executor149900258" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[   59.061690] ==================================================================
[   59.069213] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[   59.075860] Read of size 8 at addr ffff8881d22fe8d0 by task syz-executor149/1797
[   59.083369] 
[   59.084979] CPU: 1 PID: 1797 Comm: syz-executor149 Not tainted 4.14.94+ #10
[   59.092054] Call Trace:
[   59.094625]  dump_stack+0xb9/0x10e
[   59.098145]  ? ip_local_deliver+0x43d/0x450
[   59.102462]  print_address_description+0x60/0x226
[   59.107291]  ? ip_local_deliver+0x43d/0x450
[   59.111588]  kasan_report.cold+0x88/0x2a5
[   59.115737]  ? ip_local_deliver+0x43d/0x450
[   59.120046]  ? ip_call_ra_chain+0x540/0x540
[   59.124370]  ? __lock_acquire+0x56a/0x3fa0
[   59.128584]  ? deref_stack_reg+0xaa/0xe0
[   59.132624]  ? ip_rcv+0x99f/0xf7a
[   59.136055]  ? ip_rcv_finish+0x5c9/0x1490
[   59.140188]  ? ip_rcv+0x9e2/0xf7a
[   59.143623]  ? ip_local_deliver+0x450/0x450
[   59.147922]  ? __lock_acquire+0x56a/0x3fa0
[   59.152142]  ? check_preemption_disabled+0x35/0x1f0
[   59.157140]  ? ip_local_deliver+0x450/0x450
[   59.161464]  ? __netif_receive_skb_core+0x1364/0x2c60
[   59.166643]  ? trace_hardirqs_on+0x10/0x10
[   59.170863]  ? flush_backlog+0x580/0x580
[   59.174911]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   59.180087]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   59.185271]  ? lock_acquire+0x10f/0x380
[   59.189229]  ? __netif_receive_skb+0x55/0x1f0
[   59.193701]  ? __netif_receive_skb+0x55/0x1f0
[   59.198175]  ? netif_receive_skb_internal+0xec/0x5c0
[   59.203264]  ? dev_cpu_dead+0x810/0x810
[   59.207233]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   59.212661]  ? rcu_read_lock_sched_held+0x10a/0x130
[   59.217658]  ? tun_rx_batched.isra.0+0x45d/0x730
[   59.222396]  ? __skb_get_hash_symmetric+0x255/0x620
[   59.227395]  ? tun_chr_read_iter+0x1c0/0x1c0
[   59.231788]  ? tun_get_user+0xc07/0x3790
[   59.235905]  ? __local_bh_enable_ip+0x65/0xc0
[   59.240388]  ? tun_get_user+0xd95/0x3790
[   59.244436]  ? tun_rx_batched.isra.0+0x730/0x730
[   59.249181]  ? debug_mutex_add_waiter+0x60/0x150
[   59.253915]  ? mark_held_locks+0xa6/0xf0
[   59.258021]  ? get_page_from_freelist+0x85e/0x1d60
[   59.262938]  ? preempt_count_add+0xb8/0x180
[   59.267244]  ? __tun_get+0x11c/0x220
[   59.270950]  ? check_preemption_disabled+0x35/0x1f0
[   59.275947]  ? tun_chr_write_iter+0xcf/0x180
[   59.280336]  ? do_iter_readv_writev+0x379/0x580
[   59.284987]  ? clone_verify_area+0x1e0/0x1e0
[   59.289372]  ? avc_policy_seqno+0x5/0x10
[   59.293415]  ? security_file_permission+0x88/0x1e0
[   59.298326]  ? do_iter_write+0x152/0x550
[   59.302368]  ? lock_downgrade+0x5d0/0x5d0
[   59.306498]  ? vfs_writev+0x146/0x2d0
[   59.310276]  ? vfs_iter_write+0xa0/0xa0
[   59.314226]  ? __handle_mm_fault+0x6c5/0x2640
[   59.318706]  ? __fsnotify_inode_delete+0x20/0x20
[   59.323456]  ? __do_page_fault+0x48e/0xb80
[   59.327672]  ? lock_downgrade+0x5d0/0x5d0
[   59.331797]  ? check_preemption_disabled+0x35/0x1f0
[   59.336798]  ? do_writev+0xc9/0x240
[   59.340411]  ? vfs_writev+0x2d0/0x2d0
[   59.344292]  ? do_syscall_64+0x43/0x4b0
[   59.348263]  ? SyS_readv+0x30/0x30
[   59.351783]  ? do_syscall_64+0x19b/0x4b0
[   59.355836]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   59.361181] 
[   59.362792] Allocated by task 1797:
[   59.366403]  kasan_kmalloc.part.0+0x4f/0xd0
[   59.370711]  kmem_cache_alloc+0xd2/0x2d0
[   59.374758]  __build_skb+0x2e/0x2d0
[   59.378358]  build_skb+0x1a/0x1f0
[   59.381800]  tun_get_user+0x248b/0x3790
[   59.385992]  tun_chr_write_iter+0xcf/0x180
[   59.390332]  do_iter_readv_writev+0x379/0x580
[   59.395589]  do_iter_write+0x152/0x550
[   59.399457]  vfs_writev+0x146/0x2d0
[   59.403057]  do_writev+0xc9/0x240
[   59.406493]  do_syscall_64+0x19b/0x4b0
[   59.410354] 
[   59.411961] Freed by task 1797:
[   59.415236]  kasan_slab_free+0xb0/0x190
[   59.419198]  kmem_cache_free+0xc4/0x330
[   59.423156]  kfree_skbmem+0xa0/0x100
[   59.426846]  kfree_skb+0xcd/0x350
[   59.430276]  ip_defrag+0x5f4/0x3b50
[   59.433879]  ip_local_deliver+0x165/0x450
[   59.438003]  ip_rcv_finish+0x5c9/0x1490
[   59.441953]  ip_rcv+0x9e2/0xf7a
[   59.445212]  __netif_receive_skb_core+0x1364/0x2c60
[   59.450212]  __netif_receive_skb+0x55/0x1f0
[   59.454532]  netif_receive_skb_internal+0xec/0x5c0
[   59.459453]  tun_rx_batched.isra.0+0x45d/0x730
[   59.464016]  tun_get_user+0xd95/0x3790
[   59.467883]  tun_chr_write_iter+0xcf/0x180
[   59.472146]  do_iter_readv_writev+0x379/0x580
[   59.476627]  do_iter_write+0x152/0x550
[   59.480490]  vfs_writev+0x146/0x2d0
[   59.484093]  do_writev+0xc9/0x240
[   59.487524]  do_syscall_64+0x19b/0x4b0
[   59.491489] 
[   59.493095] The buggy address belongs to the object at ffff8881d22fe8c0
[   59.493095]  which belongs to the cache skbuff_head_cache of size 224
[   59.506249] The buggy address is located 16 bytes inside of
[   59.506249]  224-byte region [ffff8881d22fe8c0, ffff8881d22fe9a0)
[   59.518013] The buggy address belongs to the page:
[   59.523000] page:ffffea000748bf80 count:1 mapcount:0 mapping: (null) index:0x0
[   59.531130] flags: 0x4000000000000100(slab)
[   59.535441] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[   59.543400] raw: dead000000000100 dead000000000200 ffff8881dab58200 0000000000000000
[   59.551262] page dumped because: kasan: bad access detected
[   59.556955] 
[   59.558561] Memory state around the buggy address:
[   59.563481]  ffff8881d22fe780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   59.570876]  ffff8881d22fe800: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   59.578223] >ffff8881d22fe880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   59.585558]                                                 ^
[   59.591509]  ffff8881d22fe900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   59.598848]  ffff8881d22fe980: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   59.606179] ==================================================================
[   59.613576] Disabling lock debugging due to kernel taint
[   59.619080] Kernel panic - not syncing: panic_on_warn set ...
[   59.619080] 
[   59.626455] CPU: 1 PID: 1797 Comm: syz-executor149 Tainted: G    B            4.14.94+ #10
[   59.634747] Call Trace:
[   59.637316]  dump_stack+0xb9/0x10e
[   59.640961]  panic+0x1d9/0x3c2
[   59.644197]  ? add_taint.cold+0x16/0x16
[   59.648153]  ? retint_kernel+0x2d/0x2d
[   59.652022]  ? ip_local_deliver+0x43d/0x450
[   59.656322]  kasan_end_report+0x43/0x49
[   59.660272]  kasan_report.cold+0xa4/0x2a5
[   59.664397]  ? ip_local_deliver+0x43d/0x450
[   59.668693]  ? ip_call_ra_chain+0x540/0x540
[   59.673054]  ? __lock_acquire+0x56a/0x3fa0
[   59.677271]  ? deref_stack_reg+0xaa/0xe0
[   59.681315]  ? ip_rcv+0x99f/0xf7a
[   59.684766]  ? ip_rcv_finish+0x5c9/0x1490
[   59.688898]  ? ip_rcv+0x9e2/0xf7a
[   59.692330]  ? ip_local_deliver+0x450/0x450
[   59.696627]  ? __lock_acquire+0x56a/0x3fa0
[   59.700842]  ? check_preemption_disabled+0x35/0x1f0
[   59.705835]  ? ip_local_deliver+0x450/0x450
[   59.710145]  ? __netif_receive_skb_core+0x1364/0x2c60
[   59.715312]  ? trace_hardirqs_on+0x10/0x10
[   59.719525]  ? flush_backlog+0x580/0x580
[   59.723562]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   59.728734]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   59.733905]  ? lock_acquire+0x10f/0x380
[   59.737858]  ? __netif_receive_skb+0x55/0x1f0
[   59.742335]  ? __netif_receive_skb+0x55/0x1f0
[   59.746808]  ? netif_receive_skb_internal+0xec/0x5c0
[   59.751889]  ? dev_cpu_dead+0x810/0x810
[   59.755844]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   59.761270]  ? rcu_read_lock_sched_held+0x10a/0x130
[   59.766285]  ? tun_rx_batched.isra.0+0x45d/0x730
[   59.771018]  ? __skb_get_hash_symmetric+0x255/0x620
[   59.776009]  ? tun_chr_read_iter+0x1c0/0x1c0
[   59.780399]  ? tun_get_user+0xc07/0x3790
[   59.784476]  ? __local_bh_enable_ip+0x65/0xc0
[   59.788959]  ? tun_get_user+0xd95/0x3790
[   59.792999]  ? tun_rx_batched.isra.0+0x730/0x730
[   59.797733]  ? debug_mutex_add_waiter+0x60/0x150
[   59.802474]  ? mark_held_locks+0xa6/0xf0
[   59.806511]  ? get_page_from_freelist+0x85e/0x1d60
[   59.811418]  ? preempt_count_add+0xb8/0x180
[   59.815719]  ? __tun_get+0x11c/0x220
[   59.819411]  ? check_preemption_disabled+0x35/0x1f0
[   59.824407]  ? tun_chr_write_iter+0xcf/0x180
[   59.828796]  ? do_iter_readv_writev+0x379/0x580
[   59.833439]  ? clone_verify_area+0x1e0/0x1e0
[   59.837833]  ? avc_policy_seqno+0x5/0x10
[   59.841875]  ? security_file_permission+0x88/0x1e0
[   59.846813]  ? do_iter_write+0x152/0x550
[   59.850865]  ? lock_downgrade+0x5d0/0x5d0
[   59.854992]  ? vfs_writev+0x146/0x2d0
[   59.858777]  ? vfs_iter_write+0xa0/0xa0
[   59.862840]  ? __handle_mm_fault+0x6c5/0x2640
[   59.867323]  ? __fsnotify_inode_delete+0x20/0x20
[   59.872058]  ? __do_page_fault+0x48e/0xb80
[   59.876271]  ? lock_downgrade+0x5d0/0x5d0
[   59.880394]  ? check_preemption_disabled+0x35/0x1f0
[   59.885388]  ? do_writev+0xc9/0x240
[   59.889195]  ? vfs_writev+0x2d0/0x2d0
[   59.892977]  ? do_syscall_64+0x43/0x4b0
[   59.896932]  ? SyS_readv+0x30/0x30
[   59.900465]  ? do_syscall_64+0x19b/0x4b0
[   59.904505]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   59.910236] Kernel Offset: 0x14000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   59.921136] Rebooting in 86400 seconds..
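The report above, reduced to the handful of facts a triager actually needs from it. This is an added example, not part of the original console log and not syzkaller or syzbot code: it parses the text between the two "=====" delimiters, recovers the bug type, the faulting function, the access, the slab object and the alloc/free stacks, re-derives the "located N bytes inside" offset from the printed addresses instead of trusting it, and names the first non-allocator frame of each stack. SAMPLE_REPORT is a constructed, trimmed copy of the lines on this page, and the PLUMBING prefix list used to skip sanitizer and allocator frames is a heuristic chosen for this example.

```python
"""Triage helper for a KASAN slab report such as the one in the log above.

Added example, not part of the original crash log and not syzkaller/syzbot tooling.
It parses the first '=====' delimited block, recovers bug type, faulting function,
access, slab object and the alloc/free stacks, re-derives the "located N bytes
inside" offset from the addresses, and names the first non-allocator frame of each stack.
"""
import re
from typing import Any, Dict, List, Optional

# Constructed sample: a trimmed copy of the report on this page (the main call trace,
# mostly "?" unwinder guesses, is left out because nothing here needs it).
SAMPLE_REPORT = """\
[   59.061690] ==================================================================
[   59.069213] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[   59.075860] Read of size 8 at addr ffff8881d22fe8d0 by task syz-executor149/1797
[   59.362792] Allocated by task 1797:
[   59.366403]  kasan_kmalloc.part.0+0x4f/0xd0
[   59.370711]  kmem_cache_alloc+0xd2/0x2d0
[   59.378358]  build_skb+0x1a/0x1f0
[   59.381800]  tun_get_user+0x248b/0x3790
[   59.410354] 
[   59.411961] Freed by task 1797:
[   59.415236]  kasan_slab_free+0xb0/0x190
[   59.419198]  kmem_cache_free+0xc4/0x330
[   59.423156]  kfree_skbmem+0xa0/0x100
[   59.426846]  kfree_skb+0xcd/0x350
[   59.430276]  ip_defrag+0x5f4/0x3b50
[   59.433879]  ip_local_deliver+0x165/0x450
[   59.493095] The buggy address belongs to the object at ffff8881d22fe8c0
[   59.493095]  which belongs to the cache skbuff_head_cache of size 224
[   59.506249] The buggy address is located 16 bytes inside of
[   59.506249]  224-byte region [ffff8881d22fe8c0, ffff8881d22fe9a0)
[   59.606179] ==================================================================
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\] ?")  # printk timestamp prefix
HEADER_RES = (
    re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x"),
    re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)"),
    re.compile(r"belongs to the object at (?P<obj>[0-9a-f]+)"),
    re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<objsize>\d+)"),
    re.compile(r"located (?P<located>\d+) bytes (inside|to the left|to the right) of"),
)
SECTION_RE = re.compile(r"^(?P<what>Allocated|Freed) by task (?P<spid>\d+):$")
FRAME_RE = re.compile(r"^\s+(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
# Sanitizer/allocator frames skipped when naming the "real" alloc and free sites (heuristic).
PLUMBING = ("kasan_", "kmem_cache_", "kfree", "kmalloc", "__kmalloc", "build_skb", "__build_skb")

def parse_kasan(text: str) -> Dict[str, Any]:
    """Header fields plus the 'Allocated' and 'Freed' stacks (symbol names only)."""
    rep: Dict[str, Any] = {"stacks": {}, "stack_pids": {}}
    section, inside = None, False
    for raw in text.splitlines():
        line = TS_RE.sub("", raw.rstrip())           # drop the printk timestamp
        if line.startswith("===="):                  # delimiters: first opens, second closes
            if inside:
                break
            inside = True
        elif inside:
            for rx in HEADER_RES:
                if (m := rx.search(line)):
                    rep.update(m.groupdict())
            if (m := SECTION_RE.match(line)):
                section = m.group("what")
                rep["stacks"][section], rep["stack_pids"][section] = [], int(m.group("spid"))
            elif section and (m := FRAME_RE.match(line)):
                rep["stacks"][section].append(m.group("sym"))
            else:
                section = None                       # blank line or prose ends the stack
    for key in ("kind", "op", "addr", "obj", "objsize"):
        if key not in rep:
            raise ValueError(f"not a KASAN slab report: missing {key}")
    rep["addr"], rep["obj"] = int(rep["addr"], 16), int(rep["obj"], 16)
    for key in ("size", "pid", "objsize", "located"):
        rep[key] = int(rep[key]) if key in rep else None
    return rep

def first_non_plumbing(frames: List[str]) -> Optional[str]:
    """First frame that is not sanitizer/allocator plumbing (prefix heuristic)."""
    return next((s for s in frames if not s.startswith(PLUMBING)), None)

def triage(text: str) -> Dict[str, Any]:
    rep = parse_kasan(text)
    off = rep["addr"] - rep["obj"]
    freed = rep["stacks"].get("Freed", [])
    return {
        "bug": f"{rep['kind']} {rep['op'].lower()} of {rep['size']} bytes in {rep['func']}",
        "cache": rep["cache"],
        "object_size": rep["objsize"],
        "offset_in_object": off,
        "offset_matches_report": rep["located"] == off,   # KASAN's own claim, re-derived
        "alloc_site": first_non_plumbing(rep["stacks"].get("Allocated", [])),
        "free_site": first_non_plumbing(freed),
        # alloc, free and use all by one task: a sequential lifetime bug, not a race
        "same_task": rep["stack_pids"].get("Allocated") == rep["stack_pids"].get("Freed") == rep["pid"],
        # the faulting function is on the free stack: a callee freed the object and
        # the caller kept using it after that call returned
        "freed_in_callee_of_faulting_func": rep["func"] in freed,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

On the report above this yields: an 8-byte read 16 bytes into a 224-byte skbuff_head_cache object, allocated in tun_get_user (an skb built from a write to a TUN device), freed in ip_defrag reached through ip_local_deliver+0x165, and read again at ip_local_deliver+0x43d by the same task 1797. In other words the skb was consumed by the fragment-reassembly call and the caller touched it after that call returned; the "fb" shadow bytes around the address are KASAN's freed-slab marker and the "fc" bytes are slab redzone, which agrees with that reading. Which sk_buff field sits at offset 16 in this particular build should be confirmed against the matching vmlinux (for example with `pahole -C sk_buff vmlinux`) rather than assumed.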