[ ok ] Starting periodic command scheduler: cron.
[ 12.456067] random: crng init done
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.63' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 37.363918] ==================================================================
[ 37.371488] BUG: KASAN: stack-out-of-bounds in memcmp+0x126/0x160
[ 37.377697] Read of size 1 at addr ffff8801b618fab0 by task syz-executor644/2290
[ 37.385204]
[ 37.388030] CPU: 0 PID: 2290 Comm: syz-executor644 Not tainted 4.9.125+ #37
[ 37.395206] ffff8801b618f388 ffffffff81af0ae9 ffffea0006d863c0 ffff8801b618fab0
[ 37.403308] 0000000000000000 ffff8801b618fab0 ffff8801b618fa98 ffff8801b618f3c0
[ 37.411301] ffffffff814e0e1d ffff8801b618fab0 0000000000000001 0000000000000000
[ 37.419381] Call Trace:
[ 37.421966] [] dump_stack+0xc1/0x128
[ 37.427315] [] print_address_description+0x6c/0x234
[ 37.433957] [] kasan_report.cold.6+0x242/0x2fe
[ 37.440253] [] ? memcmp+0x126/0x160
[ 37.445513] [] __asan_report_load1_noabort+0x14/0x20
[ 37.452241] [] memcmp+0x126/0x160
[ 37.457318] [] xfrm_selector_match+0x6a0/0xe40
[ 37.463721] [] xfrm_sk_policy_lookup+0x143/0x3c0
[ 37.470101] [] ? xfrm_selector_match+0xe40/0xe40
[ 37.476613] [] xfrm_lookup+0x1bd/0xb70
[ 37.482870] [] ? xfrm_sk_policy_lookup+0x3c0/0x3c0
[ 37.489538] [] ? ip6_dst_lookup_tail+0x499/0x1620
[ 37.496288] [] ? ip6_dst_lookup_tail+0x534/0x1620
[ 37.502759] [] ? ip6_copy_metadata+0x810/0x810
[ 37.508970] [] ? trace_hardirqs_on+0x10/0x10
[ 37.515094] [] xfrm_lookup_route+0x39/0x140
[ 37.521214] [] ip6_dst_lookup_flow+0x17b/0x210
[ 37.527422] [] ? ip6_dst_lookup+0x60/0x60
[ 37.533198] [] ? selinux_sk_getsecid+0x7a/0xd0
[ 37.539510] [] rawv6_sendmsg+0x9b5/0x2810
[ 37.545286] [] ? rawv6_sendmsg+0x58b/0x2810
[ 37.551238] [] ? xfrm_sk_policy_lookup+0x242/0x3c0
[ 37.557794] [] ? compat_rawv6_setsockopt+0x100/0x100
[ 37.564636] [] ? check_preemption_disabled+0x3b/0x170
[ 37.571458] [] ? avc_has_perm+0x15a/0x3a0
[ 37.577240] [] ? avc_has_perm_noaudit+0x2f0/0x2f0
[ 37.583716] [] ? trace_hardirqs_on+0x10/0x10
[ 37.589755] [] ? sock_has_perm+0x1c1/0x3e0
[ 37.595614] [] ? sock_has_perm+0x293/0x3e0
[ 37.601473] [] ? sock_has_perm+0x9f/0x3e0
[ 37.607297] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 37.614030] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 37.620759] [] ? inet_sendmsg+0x143/0x4d0
[ 37.626673] [] inet_sendmsg+0x203/0x4d0
[ 37.632318] [] ? inet_sendmsg+0x73/0x4d0
[ 37.638009] [] ? inet_recvmsg+0x4c0/0x4c0
[ 37.643782] [] sock_sendmsg+0xbb/0x110
[ 37.649293] [] sock_write_iter+0x223/0x3b0
[ 37.655155] [] ? sock_sendmsg+0x110/0x110
[ 37.660932] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 37.667667] [] ? iov_iter_init+0xaf/0x1d0
[ 37.673454] [] __vfs_write+0x3d7/0x580
[ 37.678973] [] ? __vfs_read+0x560/0x560
[ 37.684582] [] ? selinux_file_permission+0x82/0x470
[ 37.691225] [] ? rw_verify_area+0xe5/0x2a0
[ 37.697583] [] vfs_write+0x187/0x520
[ 37.702931] [] SyS_write+0xd9/0x1c0
[ 37.708187] [] ? SyS_read+0x1c0/0x1c0
[ 37.713618] [] ? do_syscall_64+0x48/0x480
[ 37.719392] [] ? SyS_read+0x1c0/0x1c0
[ 37.724822] [] do_syscall_64+0x19f/0x480
[ 37.730563] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 37.737468]
[ 37.739166] The buggy address belongs to the page:
[ 37.744072] page:ffffea0006d863c0 count:0 mapcount:0 mapping: (null) index:0x0
[ 37.752312] flags: 0x4000000000000000()
[ 37.756341] page dumped because: kasan: bad access detected
[ 37.762126]
[ 37.763732] Memory state around the buggy address:
[ 37.768638] ffff8801b618f980: 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00 f2 f2
[ 37.776002] ffff8801b618fa00: f2 f2 f2 f2 00 00 f2 f2 f2 f2 f2 f2 00 00 00 00
[ 37.783443] >ffff8801b618fa80: 00 00 00 00 00 00 f2 f2 00 00 00 00 00 00 00 00
[ 37.790777]                                      ^
[ 37.795679] ffff8801b618fb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 37.803010] ffff8801b618fb80: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00
[ 37.810347] ==================================================================
[ 37.817683] Disabling lock debugging due to kernel taint
[ 37.823401] Kernel panic - not syncing: panic_on_warn set ...
[ 37.823401]
[ 37.830750] CPU: 0 PID: 2290 Comm: syz-executor644 Tainted: G B 4.9.125+ #37
[ 37.839038] ffff8801b618f2e8 ffffffff81af0ae9 ffffffff82c34720 00000000ffffffff
[ 37.847178] 0000000000000000 0000000000000000 ffff8801b618fa98 ffff8801b618f3a8
[ 37.855166] ffffffff813df095 0000000041b58ab3 ffffffff82c28773 ffffffff813deed6
[ 37.863151] Call Trace:
[ 37.865726] [] dump_stack+0xc1/0x128
[ 37.871078] [] panic+0x1bf/0x39f
[ 37.876071] [] ? add_taint.cold.6+0x16/0x16
[ 37.882020] [] ? ___preempt_schedule+0x16/0x18
[ 37.888238] [] kasan_end_report+0x47/0x4f
[ 37.894011] [] kasan_report.cold.6+0x76/0x2fe
[ 37.900130] [] ? memcmp+0x126/0x160
[ 37.905380] [] __asan_report_load1_noabort+0x14/0x20
[ 37.912107] [] memcmp+0x126/0x160
[ 37.917194] [] xfrm_selector_match+0x6a0/0xe40
[ 37.923502] [] xfrm_sk_policy_lookup+0x143/0x3c0
[ 37.929925] [] ? xfrm_selector_match+0xe40/0xe40
[ 37.936309] [] xfrm_lookup+0x1bd/0xb70
[ 37.941824] [] ? xfrm_sk_policy_lookup+0x3c0/0x3c0
[ 37.948387] [] ? ip6_dst_lookup_tail+0x499/0x1620
[ 37.954851] [] ? ip6_dst_lookup_tail+0x534/0x1620
[ 37.961319] [] ? ip6_copy_metadata+0x810/0x810
[ 37.967534] [] ? trace_hardirqs_on+0x10/0x10
[ 37.973570] [] xfrm_lookup_route+0x39/0x140
[ 37.979567] [] ip6_dst_lookup_flow+0x17b/0x210
[ 37.985783] [] ? ip6_dst_lookup+0x60/0x60
[ 37.991561] [] ? selinux_sk_getsecid+0x7a/0xd0
[ 37.997772] [] rawv6_sendmsg+0x9b5/0x2810
[ 38.003551] [] ? rawv6_sendmsg+0x58b/0x2810
[ 38.009499] [] ? xfrm_sk_policy_lookup+0x242/0x3c0
[ 38.016100] [] ? compat_rawv6_setsockopt+0x100/0x100
[ 38.022841] [] ? check_preemption_disabled+0x3b/0x170
[ 38.029723] [] ? avc_has_perm+0x15a/0x3a0
[ 38.035501] [] ? avc_has_perm_noaudit+0x2f0/0x2f0
[ 38.041967] [] ? trace_hardirqs_on+0x10/0x10
[ 38.048001] [] ? sock_has_perm+0x1c1/0x3e0
[ 38.053857] [] ? sock_has_perm+0x293/0x3e0
[ 38.059738] [] ? sock_has_perm+0x9f/0x3e0
[ 38.065520] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 38.072354] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 38.079094] [] ? inet_sendmsg+0x143/0x4d0
[ 38.084872] [] inet_sendmsg+0x203/0x4d0
[ 38.090477] [] ? inet_sendmsg+0x73/0x4d0
[ 38.096173] [] ? inet_recvmsg+0x4c0/0x4c0
[ 38.101992] [] sock_sendmsg+0xbb/0x110
[ 38.107555] [] sock_write_iter+0x223/0x3b0
[ 38.113422] [] ? sock_sendmsg+0x110/0x110
[ 38.119200] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 38.125931] [] ? iov_iter_init+0xaf/0x1d0
[ 38.131708] [] __vfs_write+0x3d7/0x580
[ 38.137232] [] ? __vfs_read+0x560/0x560
[ 38.142843] [] ? selinux_file_permission+0x82/0x470
[ 38.149485] [] ? rw_verify_area+0xe5/0x2a0
[ 38.155343] [] vfs_write+0x187/0x520
[ 38.160688] [] SyS_write+0xd9/0x1c0
[ 38.165939] [] ? SyS_read+0x1c0/0x1c0
[ 38.171369] [] ? do_syscall_64+0x48/0x480
[ 38.177147] [] ? SyS_read+0x1c0/0x1c0
[ 38.182576] [] do_syscall_64+0x19f/0x480
[ 38.188267] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 38.195475] Dumping ftrace buffer:
[ 38.198995] (ftrace buffer empty)
[ 38.202682] Kernel Offset: disabled
[ 38.206287] Rebooting in 86400 seconds..