[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 25.481102] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.777170] audit: type=1400 audit(1563542355.545:6): avc: denied { map } for pid=1765 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 25.866640] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.403164] random: sshd: uninitialized urandom read (32 bytes read)
[ 28.009972] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.192' (ECDSA) to the list of known hosts.
[ 33.598633] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 33.691383] audit: type=1400 audit(1563542363.465:7): avc: denied { map } for pid=1783 comm="syz-executor004" path="/root/syz-executor004711463" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 33.717728] audit: type=1400 audit(1563542363.465:8): avc: denied { prog_load } for pid=1783 comm="syz-executor004" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 33.741153] ==================================================================
[ 33.741807] audit: type=1400 audit(1563542363.515:9): avc: denied { prog_run } for pid=1783 comm="syz-executor004" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 33.748729] BUG: KASAN: use-after-free in bpf_clone_redirect+0x2a7/0x2b0
[ 33.778211] Read of size 8 at addr ffff8881d6ceb1d0 by task syz-executor004/1783
[ 33.785780]
[ 33.787396] CPU: 0 PID: 1783 Comm: syz-executor004 Not tainted 4.14.133+ #17
[ 33.794569] Call Trace:
[ 33.797148]  dump_stack+0xca/0x134
[ 33.800718]  ? bpf_clone_redirect+0x2a7/0x2b0
[ 33.805204]  ? bpf_clone_redirect+0x2a7/0x2b0
[ 33.809676]  ? __bpf_redirect+0xa30/0xa30
[ 33.813808]  print_address_description+0x60/0x226
[ 33.818660]  ? bpf_clone_redirect+0x2a7/0x2b0
[ 33.823141]  ? bpf_clone_redirect+0x2a7/0x2b0
[ 33.827620]  ? __bpf_redirect+0xa30/0xa30
[ 33.831752]  __kasan_report.cold+0x1a/0x41
[ 33.835979]  ? bpf_clone_redirect+0x2a7/0x2b0
[ 33.840462]  ? bpf_clone_redirect+0x2a7/0x2b0
[ 33.844948]  ? __bpf_redirect+0xa30/0xa30
[ 33.849086]  ? ___bpf_prog_run+0x2478/0x5510
[ 33.853608]  ? deref_stack_reg+0xaa/0xe0
[ 33.857764]  ? do_syscall_64+0x19a/0x520
[ 33.861934]  ? bpf_jit_compile+0x30/0x30
[ 33.865987]  ? __bpf_prog_run512+0x99/0xe0
[ 33.870209]  ? ___bpf_prog_run+0x5510/0x5510
[ 33.874611]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[ 33.879695]  ? trace_hardirqs_on_caller+0x37b/0x540
[ 33.884690]  ? __lock_acquire+0x5dc/0x42e0
[ 33.889109]  ? __lock_acquire+0x5dc/0x42e0
[ 33.893340]  ? __kasan_kmalloc.part.0+0x8a/0xc0
[ 33.898014]  ? trace_hardirqs_on+0x10/0x10
[ 33.902267]  ? __lock_acquire+0x5dc/0x42e0
[ 33.906494]  ? bpf_test_run+0x42/0x340
[ 33.910365]  ? lock_acquire+0x12b/0x360
[ 33.914315]  ? bpf_test_run+0x13a/0x340
[ 33.918358]  ? check_preemption_disabled+0x35/0x1f0
[ 33.923369]  ? rcu_dynticks_curr_cpu_in_eqs+0x4c/0xa0
[ 33.928542]  ? bpf_test_run+0xa8/0x340
[ 33.933113]  ? bpf_prog_test_run_skb+0x638/0x8c0
[ 33.937851]  ? bpf_test_init.isra.0+0xc0/0xc0
[ 33.942330]  ? bpf_prog_add+0x53/0xc0
[ 33.946110]  ? bpf_test_init.isra.0+0xc0/0xc0
[ 33.950632]  ? SyS_bpf+0xa3b/0x3830
[ 33.954252]  ? bpf_prog_get+0x20/0x20
[ 33.958040]  ? __do_page_fault+0x49f/0xbb0
[ 33.962265]  ? lock_downgrade+0x5d0/0x5d0
[ 33.966482]  ? __do_page_fault+0x677/0xbb0
[ 33.970798]  ? do_syscall_64+0x43/0x520
[ 33.974787]  ? bpf_prog_get+0x20/0x20
[ 33.978619]  ? do_syscall_64+0x19b/0x520
[ 33.982719]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 33.988076]
[ 33.989753] Allocated by task 1781:
[ 33.993379]  __kasan_kmalloc.part.0+0x53/0xc0
[ 33.998054]  kmem_cache_alloc+0xd2/0x2e0
[ 34.002100]  skb_clone+0x124/0x370
[ 34.005624]  dev_queue_xmit_nit+0x2f3/0x970
[ 34.009932]  dev_hard_start_xmit+0xa3/0x8c0
[ 34.014241]  sch_direct_xmit+0x27a/0x520
[ 34.018632]  0xffffffffffffffff
[ 34.021928]
[ 34.023708] Freed by task 1781:
[ 34.027045]  __kasan_slab_free+0x164/0x210
[ 34.031279]  kmem_cache_free+0xcb/0x340
[ 34.035251]  kfree_skbmem+0xa0/0x110
[ 34.038945]  kfree_skb+0xeb/0x370
[ 34.042385]  packet_rcv_spkt+0xd5/0x4d0
[ 34.046410]  dev_queue_xmit_nit+0x6e1/0x970
[ 34.050783]  0xffffffffffffffff
[ 34.054081]
[ 34.055700] The buggy address belongs to the object at ffff8881d6ceb140
[ 34.055700]  which belongs to the cache skbuff_head_cache of size 224
[ 34.068998] The buggy address is located 144 bytes inside of
[ 34.068998]  224-byte region [ffff8881d6ceb140, ffff8881d6ceb220)
[ 34.080915] The buggy address belongs to the page:
[ 34.085846] page:ffffea00075b3ac0 count:1 mapcount:0 mapping: (null) index:0x0
[ 34.094107] flags: 0x4000000000000200(slab)
[ 34.098583] raw: 4000000000000200 0000000000000000 0000000000000000 00000001800c000c
[ 34.106460] raw: dead000000000100 dead000000000200 ffff8881dab58200 0000000000000000
[ 34.114326] page dumped because: kasan: bad access detected
[ 34.120132]
[ 34.121739] Memory state around the buggy address:
[ 34.126792]  ffff8881d6ceb080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 34.134152]  ffff8881d6ceb100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 34.141498] >ffff8881d6ceb180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.148847]                                                  ^
[ 34.154805]  ffff8881d6ceb200: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.162177]  ffff8881d6ceb280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.169597] ==================================================================
[ 34.177189] Disabling lock debugging due to kernel taint
[ 34.182806] Kernel panic - not syncing: panic_on_warn set ...
[ 34.182806]
[ 34.190179] CPU: 0 PID: 1783 Comm: syz-executor004 Tainted: G B 4.14.133+ #17
[ 34.198618] Call Trace:
[ 34.201202]  dump_stack+0xca/0x134
[ 34.204784]  panic+0x1ea/0x3d3
[ 34.207986]  ? add_taint.cold+0x16/0x16
[ 34.211953]  ? retint_kernel+0x2d/0x2d
[ 34.215834]  ? bpf_clone_redirect+0x2a7/0x2b0
[ 34.220370]  ? __bpf_redirect+0xa30/0xa30
[ 34.224508]  end_report+0x43/0x49
[ 34.227965]  ? bpf_clone_redirect+0x2a7/0x2b0
[ 34.232459]  __kasan_report.cold+0xd/0x41
[ 34.236635]  ? bpf_clone_redirect+0x2a7/0x2b0
[ 34.241250]  ? bpf_clone_redirect+0x2a7/0x2b0
[ 34.245766]  ? __bpf_redirect+0xa30/0xa30
[ 34.249896]  ? ___bpf_prog_run+0x2478/0x5510
[ 34.254346]  ? deref_stack_reg+0xaa/0xe0
[ 34.258392]  ? do_syscall_64+0x19a/0x520
[ 34.262426]  ? bpf_jit_compile+0x30/0x30
[ 34.266538]  ? __bpf_prog_run512+0x99/0xe0
[ 34.270756]  ? ___bpf_prog_run+0x5510/0x5510
[ 34.275149]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[ 34.280236]  ? trace_hardirqs_on_caller+0x37b/0x540
[ 34.285234]  ? __lock_acquire+0x5dc/0x42e0
[ 34.289464]  ? __lock_acquire+0x5dc/0x42e0
[ 34.293686]  ? __kasan_kmalloc.part.0+0x8a/0xc0
[ 34.298391]  ? trace_hardirqs_on+0x10/0x10
[ 34.302611]  ? __lock_acquire+0x5dc/0x42e0
[ 34.306824]  ? bpf_test_run+0x42/0x340
[ 34.310685]  ? lock_acquire+0x12b/0x360
[ 34.314631]  ? bpf_test_run+0x13a/0x340
[ 34.318578]  ? check_preemption_disabled+0x35/0x1f0
[ 34.323575]  ? rcu_dynticks_curr_cpu_in_eqs+0x4c/0xa0
[ 34.328903]  ? bpf_test_run+0xa8/0x340
[ 34.332781]  ? bpf_prog_test_run_skb+0x638/0x8c0
[ 34.337526]  ? bpf_test_init.isra.0+0xc0/0xc0
[ 34.342000]  ? bpf_prog_add+0x53/0xc0
[ 34.345787]  ? bpf_test_init.isra.0+0xc0/0xc0
[ 34.350264]  ? SyS_bpf+0xa3b/0x3830
[ 34.353931]  ? bpf_prog_get+0x20/0x20
[ 34.357728]  ? __do_page_fault+0x49f/0xbb0
[ 34.361973]  ? lock_downgrade+0x5d0/0x5d0
[ 34.366120]  ? __do_page_fault+0x677/0xbb0
[ 34.370333]  ? do_syscall_64+0x43/0x520
[ 34.374295]  ? bpf_prog_get+0x20/0x20
[ 34.378094]  ? do_syscall_64+0x19b/0x520
[ 34.382135]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 34.387789] Kernel Offset: 0x2b000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 34.398791] Rebooting in 86400 seconds..