[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 13.404051] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].
[ 14.296672] random: sshd: uninitialized urandom read (32 bytes read)
[ 14.523380] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 15.005839] random: sshd: uninitialized urandom read (32 bytes read)
[ 15.157183] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.62' (ECDSA) to the list of known hosts.
[ 20.639311] random: sshd: uninitialized urandom read (32 bytes read)
2018/09/01 07:44:08 parsed 1 programs
[ 21.715019] random: cc1: uninitialized urandom read (8 bytes read)
2018/09/01 07:44:09 executed programs: 0
2018/09/01 07:44:17 executed programs: 8
[ 30.977642] ==================================================================
[ 30.985090] BUG: KASAN: use-after-free in _copy_to_user+0x9a/0xc0
[ 30.991311] Read of size 1241 at addr ffff8801be7ffffc by task syz-executor3/5090
[ 30.998922] 
[ 31.000546] CPU: 0 PID: 5090 Comm: syz-executor3 Not tainted 4.14.67+ #1
[ 31.007416] Call Trace:
[ 31.010001]  dump_stack+0xb9/0x11b
[ 31.013543]  print_address_description+0x60/0x22b
[ 31.018391]  kasan_report.cold.6+0x11b/0x2dd
[ 31.022799]  ? _copy_to_user+0x9a/0xc0
[ 31.026696]  _copy_to_user+0x9a/0xc0
[ 31.030415]  bpf_test_finish.isra.0+0xc8/0x190
[ 31.034998]  ? bpf_test_run+0x350/0x350
[ 31.038976]  ? kvm_clock_read+0x1f/0x30
[ 31.042947]  ? ktime_get+0x17f/0x1c0
[ 31.046663]  ? bpf_test_run+0x280/0x350
[ 31.050646]  bpf_prog_test_run_skb+0x4d0/0x8c0
[ 31.055235]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 31.059730]  ? __fget_light+0x192/0x1f0
[ 31.063699]  ? bpf_prog_add+0x42/0xa0
[ 31.067493]  ? fput+0xa/0x130
[ 31.070606]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 31.075098]  SyS_bpf+0x79d/0x3640
[ 31.078553]  ? bpf_prog_get+0x20/0x20
[ 31.082354]  ? SyS_futex+0x1b7/0x2b5
[ 31.086066]  ? SyS_futex+0x1c0/0x2b5
[ 31.089779]  ? do_futex+0x17b0/0x17b0
[ 31.093578]  ? up_read+0x17/0x30
[ 31.096941]  ? __do_page_fault+0x64c/0xb60
[ 31.101212]  ? do_syscall_64+0x43/0x4b0
[ 31.105187]  ? bpf_prog_get+0x20/0x20
[ 31.108986]  do_syscall_64+0x19b/0x4b0
[ 31.112898]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 31.118081] RIP: 0033:0x457099
[ 31.121272] RSP: 002b:00007f6b024fac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
[ 31.128977] RAX: ffffffffffffffda RBX: 00007f6b024fb6d4 RCX: 0000000000457099
[ 31.136244] RDX: 0000000000000028 RSI: 00000000200002c0 RDI: 000000000000000a
[ 31.143510] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[ 31.150772] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 31.158067] R13: 00000000004cb680 R14: 00000000004c3071 R15: 0000000000000000
[ 31.165347] 
[ 31.166970] The buggy address belongs to the page:
[ 31.171893] page:ffffea0006f9ffc0 count:0 mapcount:0 mapping:          (null) index:0x1
[ 31.180030] flags: 0x4000000000000000()
[ 31.183998] raw: 4000000000000000 0000000000000000 0000000000000001 00000000ffffffff
[ 31.191891] raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000
[ 31.199765] page dumped because: kasan: bad access detected
[ 31.205487] 
[ 31.207116] Memory state around the buggy address:
[ 31.212037]  ffff8801be7ffe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 31.219403]  ffff8801be7fff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 31.226754] >ffff8801be7fff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 31.234103]                                                                 ^
[ 31.241378]  ffff8801be800000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 31.248729]  ffff8801be800080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 31.256079] ==================================================================
[ 31.263428] Disabling lock debugging due to kernel taint
[ 31.270530] Kernel panic - not syncing: panic_on_warn set ...
[ 31.270530] 
[ 31.277915] CPU: 0 PID: 5090 Comm: syz-executor3 Tainted: G    B    4.14.67+ #1
[ 31.285969] Call Trace:
[ 31.288567]  dump_stack+0xb9/0x11b
[ 31.292119]  panic+0x1bf/0x3a4
[ 31.295315]  ? add_taint.cold.4+0x16/0x16
[ 31.299455]  ? ___preempt_schedule+0x16/0x18
[ 31.303875]  kasan_end_report+0x43/0x49
[ 31.307862]  kasan_report.cold.6+0x77/0x2dd
[ 31.312197]  ? _copy_to_user+0x9a/0xc0
[ 31.316081]  _copy_to_user+0x9a/0xc0
[ 31.319795]  bpf_test_finish.isra.0+0xc8/0x190
[ 31.324882]  ? bpf_test_run+0x350/0x350
[ 31.328869]  ? kvm_clock_read+0x1f/0x30
[ 31.332873]  ? ktime_get+0x17f/0x1c0
[ 31.336590]  ? bpf_test_run+0x280/0x350
[ 31.340566]  bpf_prog_test_run_skb+0x4d0/0x8c0
[ 31.345156]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 31.349662]  ? __fget_light+0x192/0x1f0
[ 31.353627]  ? bpf_prog_add+0x42/0xa0
[ 31.357436]  ? fput+0xa/0x130
[ 31.360536]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 31.365026]  SyS_bpf+0x79d/0x3640
[ 31.368478]  ? bpf_prog_get+0x20/0x20
[ 31.372284]  ? SyS_futex+0x1b7/0x2b5
[ 31.375992]  ? SyS_futex+0x1c0/0x2b5
[ 31.379704]  ? do_futex+0x17b0/0x17b0
[ 31.383503]  ? up_read+0x17/0x30
[ 31.386898]  ? __do_page_fault+0x64c/0xb60
[ 31.391131]  ? do_syscall_64+0x43/0x4b0
[ 31.395105]  ? bpf_prog_get+0x20/0x20
[ 31.398900]  do_syscall_64+0x19b/0x4b0
[ 31.402796]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 31.407973] RIP: 0033:0x457099
[ 31.411145] RSP: 002b:00007f6b024fac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
[ 31.418841] RAX: ffffffffffffffda RBX: 00007f6b024fb6d4 RCX: 0000000000457099
[ 31.426100] RDX: 0000000000000028 RSI: 00000000200002c0 RDI: 000000000000000a
[ 31.433354] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[ 31.440605] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 31.447863] R13: 00000000004cb680 R14: 00000000004c3071 R15: 0000000000000000
[ 31.455438] Dumping ftrace buffer:
[ 31.458961]    (ftrace buffer empty)
[ 31.462655] Kernel Offset: 0x27c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 31.473545] Rebooting in 86400 seconds..