[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 17.085248] random: sshd: uninitialized urandom read (32 bytes read)
[ 17.320462] audit: type=1400 audit(1536336645.820:6): avc: denied { map } for pid=1755 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 17.358888] random: sshd: uninitialized urandom read (32 bytes read)
[ 17.844282] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.317551] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.13' (ECDSA) to the list of known hosts.
[ 42.013805] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 42.101470] audit: type=1400 audit(1536336670.610:7): avc: denied { map } for pid=1785 comm="syz-executor720" path="/root/syz-executor720430220" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 42.127833] audit: type=1400 audit(1536336670.610:8): avc: denied { prog_load } for pid=1785 comm="syz-executor720" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 42.151141] audit: type=1400 audit(1536336670.660:9): avc: denied { prog_run } for pid=1785 comm="syz-executor720" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 42.151176] ==================================================================
[ 42.151191] BUG: KASAN: slab-out-of-bounds in skb_ensure_writable+0x290/0x2e0
[ 42.151195] Read of size 4 at addr ffff8801d016dc38 by task syz-executor720/1785
[ 42.151196]
[ 42.151201] CPU: 0 PID: 1785 Comm: syz-executor720 Not tainted 4.14.68+ #4
[ 42.151202] Call Trace:
[ 42.151209]  dump_stack+0xb9/0x11b
[ 42.151219]  print_address_description+0x60/0x22b
[ 42.151225]  kasan_report.cold.6+0x11b/0x2dd
[ 42.151229]  ? skb_ensure_writable+0x290/0x2e0
[ 42.151236]  skb_ensure_writable+0x290/0x2e0
[ 42.151243]  bpf_l4_csum_replace+0x61/0x300
[ 42.151251]  ___bpf_prog_run+0x248e/0x5c70
[ 42.151258]  ? __free_insn_slot+0x490/0x490
[ 42.151264]  ? bpf_jit_compile+0x30/0x30
[ 42.151272]  ? depot_save_stack+0x20a/0x428
[ 42.151279]  ? __bpf_prog_run512+0x99/0xe0
[ 42.151291]  ? ___bpf_prog_run+0x5c70/0x5c70
[ 42.151303]  ? __lock_acquire+0x619/0x4320
[ 42.151312]  ? trace_hardirqs_on+0x10/0x10
[ 42.151319]  ? trace_hardirqs_on+0x10/0x10
[ 42.151325]  ? __lock_acquire+0x619/0x4320
[ 42.151334]  ? get_unused_fd_flags+0xc0/0xc0
[ 42.151343]  ? bpf_test_run+0x57/0x350
[ 42.151352]  ? lock_acquire+0x10f/0x380
[ 42.151359]  ? check_preemption_disabled+0x34/0x160
[ 42.151367]  ? bpf_test_run+0xab/0x350
[ 42.151377]  ? bpf_prog_test_run_skb+0x6b0/0x8c0
[ 42.151384]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 42.151390]  ? __fget_light+0x163/0x1f0
[ 42.151393]  ? bpf_prog_add+0x42/0xa0
[ 42.151399]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 42.151404]  ? SyS_bpf+0x79d/0x3640
[ 42.151412]  ? bpf_prog_get+0x20/0x20
[ 42.151417]  ? __do_page_fault+0x485/0xb60
[ 42.151422]  ? lock_downgrade+0x560/0x560
[ 42.151431]  ? up_read+0x17/0x30
[ 42.151435]  ? __do_page_fault+0x64c/0xb60
[ 42.151443]  ? do_syscall_64+0x43/0x4b0
[ 42.151449]  ? bpf_prog_get+0x20/0x20
[ 42.151452]  ? do_syscall_64+0x19b/0x4b0
[ 42.151461]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.151471]
[ 42.151473] Allocated by task 191:
[ 42.151478]  kasan_kmalloc.part.1+0x4f/0xd0
[ 42.151481]  kmem_cache_alloc+0xe4/0x2b0
[ 42.151485]  __alloc_skb+0xd8/0x550
[ 42.151488]  netlink_sendmsg+0x94b/0xbe0
[ 42.151492]  sock_sendmsg+0xb5/0x100
[ 42.151495]  ___sys_sendmsg+0x741/0x890
[ 42.151499]  __sys_sendmsg+0xca/0x170
[ 42.151502]  SyS_sendmsg+0x27/0x40
[ 42.151505]  do_syscall_64+0x19b/0x4b0
[ 42.151508]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.151509]
[ 42.151511] Freed by task 258:
[ 42.151514]  kasan_slab_free+0xac/0x190
[ 42.151517]  kmem_cache_free+0x12d/0x350
[ 42.151521]  kfree_skbmem+0x9e/0x100
[ 42.151524]  consume_skb+0xc9/0x330
[ 42.151527]  skb_free_datagram+0x15/0xd0
[ 42.151531]  netlink_recvmsg+0x569/0xd10
[ 42.151534]  sock_recvmsg+0xc0/0x100
[ 42.151537]  ___sys_recvmsg+0x242/0x510
[ 42.151541]  __sys_recvmsg+0xc7/0x170
[ 42.151544]  SyS_recvmsg+0x27/0x40
[ 42.151547]  do_syscall_64+0x19b/0x4b0
[ 42.151550]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.151551]
[ 42.151554] The buggy address belongs to the object at ffff8801d016db40
[ 42.151554]  which belongs to the cache skbuff_head_cache of size 224
[ 42.151558] The buggy address is located 24 bytes to the right of
[ 42.151558]  224-byte region [ffff8801d016db40, ffff8801d016dc20)
[ 42.151559] The buggy address belongs to the page:
[ 42.151563] page:ffffea0007405b40 count:1 mapcount:0 mapping: (null) index:0x0
[ 42.151567] flags: 0x4000000000000100(slab)
[ 42.151573] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[ 42.151577] raw: ffffea0007400140 0000000700000007 ffff8801dab70200 0000000000000000
[ 42.151579] page dumped because: kasan: bad access detected
[ 42.151580]
[ 42.151581] Memory state around the buggy address:
[ 42.151584]  ffff8801d016db00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 42.151587]  ffff8801d016db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.151590] >ffff8801d016dc00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 42.151591]                                         ^
[ 42.151594]  ffff8801d016dc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.151597]  ffff8801d016dd00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 42.151598] ==================================================================
[ 42.151599] Disabling lock debugging due to kernel taint
[ 42.151601] Kernel panic - not syncing: panic_on_warn set ...
[ 42.151601]
[ 42.151605] CPU: 0 PID: 1785 Comm: syz-executor720 Tainted: G B 4.14.68+ #4
[ 42.151606] Call Trace:
[ 42.151610]  dump_stack+0xb9/0x11b
[ 42.151616]  panic+0x1bf/0x3a4
[ 42.151619]  ? add_taint.cold.4+0x16/0x16
[ 42.151627]  kasan_end_report+0x43/0x49
[ 42.151631]  kasan_report.cold.6+0x77/0x2dd
[ 42.151635]  ? skb_ensure_writable+0x290/0x2e0
[ 42.151639]  skb_ensure_writable+0x290/0x2e0
[ 42.151644]  bpf_l4_csum_replace+0x61/0x300
[ 42.151649]  ___bpf_prog_run+0x248e/0x5c70
[ 42.151654]  ? __free_insn_slot+0x490/0x490
[ 42.151658]  ? bpf_jit_compile+0x30/0x30
[ 42.151662]  ? depot_save_stack+0x20a/0x428
[ 42.151667]  ? __bpf_prog_run512+0x99/0xe0
[ 42.151671]  ? ___bpf_prog_run+0x5c70/0x5c70
[ 42.151677]  ? __lock_acquire+0x619/0x4320
[ 42.151683]  ? trace_hardirqs_on+0x10/0x10
[ 42.151688]  ? trace_hardirqs_on+0x10/0x10
[ 42.151692]  ? __lock_acquire+0x619/0x4320
[ 42.151697]  ? get_unused_fd_flags+0xc0/0xc0
[ 42.151702]  ? bpf_test_run+0x57/0x350
[ 42.151708]  ? lock_acquire+0x10f/0x380
[ 42.151712]  ? check_preemption_disabled+0x34/0x160
[ 42.151717]  ? bpf_test_run+0xab/0x350
[ 42.151724]  ? bpf_prog_test_run_skb+0x6b0/0x8c0
[ 42.151729]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 42.151733]  ? __fget_light+0x163/0x1f0
[ 42.151736]  ? bpf_prog_add+0x42/0xa0
[ 42.151741]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 42.151745]  ? SyS_bpf+0x79d/0x3640
[ 42.151750]  ? bpf_prog_get+0x20/0x20
[ 42.151753]  ? __do_page_fault+0x485/0xb60
[ 42.151757]  ? lock_downgrade+0x560/0x560
[ 42.151763]  ? up_read+0x17/0x30
[ 42.151766]  ? __do_page_fault+0x64c/0xb60
[ 42.151770]  ? do_syscall_64+0x43/0x4b0
[ 42.151775]  ? bpf_prog_get+0x20/0x20
[ 42.151778]  ? do_syscall_64+0x19b/0x4b0
[ 42.151784]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.173827] Dumping ftrace buffer:
[ 42.173829]    (ftrace buffer empty)
[ 42.173834] Kernel Offset: 0x1b600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 42.775399] Rebooting in 86400 seconds..
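The KASAN block in the log above is what a triager reads first. As an added example (not code from syzkaller, the kernel, or this crash report), the following Python parses that report and derives the facts that decide how the bug gets classified: the object KASAN attributes the access to, how far past it the read lands (24 bytes to the right of a 224-byte skbuff_head_cache object), and what the shadow byte at the faulting address says that memory currently is (0xfc, a kmalloc redzone, beside an object already freed). The poison-value table follows mm/kasan/kasan.h for 4.14-era kernels; REPORT is an excerpt of the page's own lines with some frames omitted, and the function and field names are this example's own.

```python
# KASAN report triage helper. Added example for this page, not syzkaller's or the
# kernel's code: it parses the report above and derives which object the access is
# relative to, how far outside it, and what the shadow byte says that memory is.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
# Poison values from mm/kasan/kasan.h (4.14-era); 0x00..0x07 = N bytes addressable.
SHADOW_POISON = {0xFF: "free page", 0xFE: "page redzone", 0xFC: "kmalloc redzone",
                 0xFB: "kmalloc freed object", 0xFA: "global redzone", 0xF8: "use-after-scope",
                 0xF1: "stack left", 0xF2: "stack mid", 0xF3: "stack right", 0xF4: "stack partial"}
_TS = re.compile(r"^\s*\[\s*\d+\.\d+\]\s?")   # "[ 42.151191] " dmesg prefix
_BUG = re.compile(r"BUG: KASAN: (\S+) in ")
_ACC = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task")
_FRAME = re.compile(r"^\s*(\?\s+)?([A-Za-z_][\w.]*\+0x[0-9a-f]+/0x[0-9a-f]+)\s*$")
_OBJ = re.compile(r"belongs to the object at ([0-9a-f]+)")
_CACHE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
_SHADOW = re.compile(r"^\s*>?\s*([0-9a-f]{16}):((?:\s[0-9a-f]{2}){16})\s*$")

@dataclass
class KasanReport:
    bug_type: str
    access: str = ""
    size: int = 0
    addr: int = 0
    frames: List[Tuple[str, bool]] = field(default_factory=list)  # (symbol, reliable)
    cache: str = ""
    obj_start: int = 0
    obj_size: int = 0
    shadow: Dict[int, List[int]] = field(default_factory=dict)    # row base -> 16 bytes

def parse_kasan(log: str) -> KasanReport:
    rep, in_trace = None, False
    for raw in log.splitlines():
        line = _TS.sub("", raw)
        if rep is None:
            if m := _BUG.search(line):
                rep = KasanReport(m.group(1))
            continue
        if line.startswith("=" * 20):
            break                                  # end of report; the panic trace is not parsed
        if in_trace:
            if m := _FRAME.match(line):            # "? sym" is a stale stack slot, not a real caller
                rep.frames.append((m.group(2), m.group(1) is None))
                continue
            in_trace = False                       # first non-frame line ends the trace
        if line.strip() == "Call Trace:" and not rep.frames:
            in_trace = True                        # faulting task's trace only, not alloc/free stacks
        elif m := _ACC.search(line):
            rep.access, rep.size, rep.addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
        elif m := _OBJ.search(line):
            rep.obj_start = int(m.group(1), 16)
        elif m := _CACHE.search(line):
            rep.cache, rep.obj_size = m.group(1), int(m.group(2))
        elif m := _SHADOW.match(line):
            rep.shadow[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    if rep is None:
        raise ValueError("no KASAN report in log")
    return rep

def offset_from_object(rep: KasanReport) -> Tuple[int, str]:
    # Distance of the faulting address from the object KASAN attributed it to.
    end = rep.obj_start + rep.obj_size
    if rep.addr >= end:
        return rep.addr - end, "right"
    return (rep.obj_start - rep.addr, "left") if rep.addr < rep.obj_start else (rep.addr - rep.obj_start, "inside")

def shadow_at(rep: KasanReport, addr: int) -> Tuple[int, str]:
    # One dumped row is 16 shadow bytes, each covering an 8-byte granule (128 bytes).
    b = rep.shadow[addr & ~0x7F][(addr & 0x7F) >> 3]
    if b <= 7:
        return b, "addressable" if b == 0 else f"first {b} bytes addressable"
    return b, SHADOW_POISON.get(b, "unknown poison")

def summarize(rep: KasanReport) -> str:
    # One-line key of the kind a crash-dedup queue groups on: reliable frames only.
    path = [s.split("+")[0] for s, ok in rep.frames
            if ok and not s.startswith(("dump_stack", "print_address", "kasan_"))]
    sysc = next((s.split("+")[0] for s, _ in rep.frames if s.startswith(("SyS_", "__x64_sys_"))), None)
    off, side = offset_from_object(rep)
    sb, meaning = shadow_at(rep, rep.addr)
    return (f"{rep.bug_type} {rep.access}({rep.size}) in {' <- '.join(path[:3])}; "
            f"{rep.cache} obj {rep.obj_size}B, {off} bytes {side} of it; "
            f"shadow 0x{sb:02x} ({meaning}); syscall hint {sysc}")

# Excerpt of the report above (the page's own lines, with some frames omitted).
REPORT = """\
[ 42.151176] ==================================================================
[ 42.151191] BUG: KASAN: slab-out-of-bounds in skb_ensure_writable+0x290/0x2e0
[ 42.151195] Read of size 4 at addr ffff8801d016dc38 by task syz-executor720/1785
[ 42.151202] Call Trace:
[ 42.151225]  kasan_report.cold.6+0x11b/0x2dd
[ 42.151229]  ? skb_ensure_writable+0x290/0x2e0
[ 42.151236]  skb_ensure_writable+0x290/0x2e0
[ 42.151243]  bpf_l4_csum_replace+0x61/0x300
[ 42.151251]  ___bpf_prog_run+0x248e/0x5c70
[ 42.151404]  ? SyS_bpf+0x79d/0x3640
[ 42.151554] The buggy address belongs to the object at ffff8801d016db40
[ 42.151554]  which belongs to the cache skbuff_head_cache of size 224
[ 42.151584]  ffff8801d016db00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 42.151590] >ffff8801d016dc00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 42.151598] ==================================================================
"""
```

Calling `summarize(parse_kasan(REPORT))` yields the grouping key `slab-out-of-bounds Read(4) in skb_ensure_writable <- bpf_l4_csum_replace <- ___bpf_prog_run; skbuff_head_cache obj 224B, 24 bytes right of it; shadow 0xfc (kmalloc redzone); syscall hint SyS_bpf`. Two caveats the parser makes explicit: frames marked `?` are leftovers in stack slots, so only unmarked frames go into the key and the syscall name is reported as a hint; and KASAN names the nearest slab object, which here is an sk_buff allocated by netlink_sendmsg and already freed by netlink_recvmsg (its shadow is 0xfb), so the report alone does not identify the skb that bpf_l4_csum_replace was actually handed.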