[ ok ] Starting enhanced syslogd: rsyslogd.
[ 11.877882] audit: type=1400 audit(1513249518.163:4): avc: denied { syslog } for pid=3164 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-android-49-kasan-gce-3,10.128.0.18' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 19.589681] ==================================================================
[ 19.597063] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x153e/0x3470 at addr ffff8801ccc2db98
[ 19.605776] Read of size 8192 by task syzkaller936692/3313
[ 19.611363] CPU: 1 PID: 3313 Comm: syzkaller936692 Not tainted 4.9.69-g3f1d77c #108
[ 19.619117] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 19.628436]  ffff8801ccf17748 ffffffff81d90a29 ffff8801da001280 ffff8801ccc2db80
[ 19.636387]  ffff8801ccc2dd80 ffffed0039985bb0 ffff8801ccc2db98 ffff8801ccf17770
[ 19.644341]  ffffffff8153a45c ffffed0039985bb0 ffff8801da001280 0000000000000000
[ 19.652296] Call Trace:
[ 19.654849]  [] dump_stack+0xc1/0x128
[ 19.660182]  [] kasan_object_err+0x1c/0x70
[ 19.665944]  [] kasan_report.part.1+0x21c/0x500
[ 19.672138]  [] ? __kmalloc+0x19d/0x310
[ 19.677643]  [] ? pfkey_add+0x153e/0x3470
[ 19.683319]  [] ? rcu_read_lock_sched_held+0x103/0x120
[ 19.690125]  [] kasan_report+0x21/0x30
[ 19.695545]  [] check_memory_region+0x137/0x190
[ 19.701739]  [] memcpy+0x23/0x50
[ 19.706640]  [] pfkey_add+0x153e/0x3470
[ 19.712141]  [] ? pfkey_delete+0x360/0x360
[ 19.717909]  [] ? pfkey_seq_stop+0x80/0x80
[ 19.723670]  [] ? __skb_clone+0x24a/0x7d0
[ 19.729349]  [] ? pfkey_delete+0x360/0x360
[ 19.735110]  [] pfkey_process+0x61e/0x730
[ 19.740783]  [] ? pfkey_send_new_mapping+0x11b0/0x11b0
[ 19.747587]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 19.754391]  [] pfkey_sendmsg+0x3a9/0x760
[ 19.760065]  [] ? pfkey_spdget+0x820/0x820
[ 19.765828]  [] sock_sendmsg+0xca/0x110
[ 19.771330]  [] ___sys_sendmsg+0x6d1/0x7e0
[ 19.777093]  [] ? copy_msghdr_from_user+0x550/0x550
[ 19.783636]  [] ? __lru_cache_add+0x187/0x250
[ 19.789657]  [] ? do_huge_pmd_anonymous_page+0xb05/0x10d0
[ 19.796721]  [] ? _raw_spin_unlock+0x2c/0x50
[ 19.802655]  [] ? do_huge_pmd_anonymous_page+0x2d4/0x10d0
[ 19.809726]  [] ? handle_mm_fault+0x6ee/0x2530
[ 19.815835]  [] ? __lock_is_held+0xa1/0xf0
[ 19.821594]  [] ? __pmd_alloc+0x410/0x410
[ 19.827276]  [] ? __fget_light+0x158/0x1e0
[ 19.833035]  [] ? __fdget+0x18/0x20
[ 19.838189]  [] __sys_sendmsg+0xd6/0x190
[ 19.843776]  [] ? SyS_shutdown+0x1b0/0x1b0
[ 19.849539]  [] ? __do_page_fault+0x5ec/0xd40
[ 19.855561]  [] ? __do_page_fault+0x3bd/0xd40
[ 19.861582]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 19.868386]  [] SyS_sendmsg+0x2d/0x50
[ 19.873717]  [] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 19.880261] Object at ffff8801ccc2db80, in cache kmalloc-512 size: 512
[ 19.886887] Allocated:
[ 19.889346] PID = 3313
[ 19.891810]  save_stack_trace+0x16/0x20
[ 19.895748]  save_stack+0x43/0xd0
[ 19.899164]  kasan_kmalloc+0xad/0xe0
[ 19.902839]  kasan_slab_alloc+0x12/0x20
[ 19.906777]  __kmalloc_track_caller+0xda/0x2b0
[ 19.911322]  __kmalloc_reserve.isra.37+0x33/0xc0
[ 19.916045]  __alloc_skb+0x119/0x600
[ 19.919722]  pfkey_sendmsg+0x135/0x760
[ 19.923570]  sock_sendmsg+0xca/0x110
[ 19.927265]  ___sys_sendmsg+0x6d1/0x7e0
[ 19.931203]  __sys_sendmsg+0xd6/0x190
[ 19.934979]  SyS_sendmsg+0x2d/0x50
[ 19.938483]  entry_SYSCALL_64_fastpath+0x23/0xc6
[ 19.943199] Freed:
[ 19.945311] PID = 0
[ 19.947508] (stack is not available)
[ 19.951180] Memory state around the buggy address:
[ 19.956078]  ffff8801ccc2dc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 19.963405]  ffff8801ccc2dd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 19.970728] >ffff8801ccc2dd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.978050]                    ^
[ 19.981380]  ffff8801ccc2de00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.988702]  ffff8801ccc2de80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.996021] ==================================================================
[ 20.003342] Disabling lock debugging due to kernel taint