[....] Starting enhanced syslogd: rsyslogd
[   12.677233] audit: type=1400 audit(1515827784.521:4): avc: denied { syslog } for pid=3185 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.235' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   26.123002] ==================================================================
[   26.130401] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0x103/0x120
[   26.137506] Read of size 8 at addr ffff8801cad4e140 by task syzkaller804689/3341
[   26.145010]
[   26.146613] CPU: 0 PID: 3341 Comm: syzkaller804689 Not tainted 4.9.76-g8e170a5 #21
[   26.154288] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.163613]  ffff8801c82af940 ffffffff81d93149 ffffea00072b5380 ffff8801cad4e140
[   26.171601]  0000000000000000 ffff8801cad4e140 ffff8801cc760238 ffff8801c82af978
[   26.179575]  ffffffff8153cb43 ffff8801cad4e140 0000000000000008 0000000000000000
[   26.187540] Call Trace:
[   26.190097]  [] dump_stack+0xc1/0x128
[   26.195432]  [] print_address_description+0x73/0x280
[   26.202079]  [] kasan_report+0x275/0x360
[   26.207679]  [] ? sg_remove_request+0x103/0x120
[   26.213895]  [] __asan_report_load8_noabort+0x14/0x20
[   26.220622]  [] sg_remove_request+0x103/0x120
[   26.226651]  [] sg_finish_rem_req+0x295/0x340
[   26.232677]  [] sg_read+0xa1c/0x1440
[   26.237922]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   26.244556]  [] ? fsnotify+0xf30/0xf30
[   26.249978]  [] ? avc_policy_seqno+0x9/0x20
[   26.255842]  [] do_loop_readv_writev.part.17+0x141/0x1e0
[   26.262823]  [] ? security_file_permission+0x89/0x1e0
[   26.269561]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   26.276197]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   26.282841]  [] compat_do_readv_writev+0x522/0x760
[   26.289310]  [] ? do_pwritev+0x1a0/0x1a0
[   26.294906]  [] ? _raw_spin_unlock+0x2c/0x50
[   26.300855]  [] ? handle_mm_fault+0x6ee/0x2530
[   26.306969]  [] ? __pmd_alloc+0x410/0x410
[   26.312658]  [] compat_readv+0xe3/0x150
[   26.318163]  [] do_compat_readv+0xf4/0x1d0
[   26.323931]  [] ? compat_readv+0x150/0x150
[   26.329699]  [] compat_SyS_readv+0x26/0x30
[   26.335489]  [] ? SyS_pwritev2+0x80/0x80
[   26.341090]  [] do_fast_syscall_32+0x2f7/0x890
[   26.347212]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   26.353849]  [] entry_SYSENTER_compat+0x74/0x83
[   26.360046]
[   26.361643] Allocated by task 0:
[   26.364975]  (stack is not available)
[   26.368652]
[   26.370249] Freed by task 0:
[   26.373234]  (stack is not available)
[   26.376911]
[   26.378509] The buggy address belongs to the object at ffff8801cad4e100
[   26.378509]  which belongs to the cache fasync_cache of size 96
[   26.391134] The buggy address is located 64 bytes inside of
[   26.391134]  96-byte region [ffff8801cad4e100, ffff8801cad4e160)
[   26.402809] The buggy address belongs to the page:
[   26.407706] page:ffffea00072b5380 count:1 mapcount:0 mapping: (null) index:0x0
[   26.415939] flags: 0x8000000000000080(slab)
[   26.420319] page dumped because: kasan: bad access detected
[   26.425997]
[   26.427595] Memory state around the buggy address:
[   26.432498]  ffff8801cad4e000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   26.439831]  ffff8801cad4e080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.447253] >ffff8801cad4e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.454579]                                            ^
[   26.460006]  ffff8801cad4e180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.467340]  ffff8801cad4e200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.474668] ==================================================================
[   26.481994] Disabling lock debugging due to kernel taint
[   26.487696] Kernel panic - not syncing: panic_on_warn set ...
[   26.487696]
[   26.495051] CPU: 0 PID: 3341 Comm: syzkaller804689 Tainted: G B 4.9.76-g8e170a5 #21
[   26.503946] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.513273]  ffff8801c82af898 ffffffff81d93149 ffffffff84195c17 ffff8801c82af970
[   26.521237]  0000000000000000 ffff8801cad4e140 ffff8801cc760238 ffff8801c82af960
[   26.529204]  ffffffff8142e371 0000000041b58ab3 ffffffff84189678 ffffffff8142e1b5
[   26.537169] Call Trace:
[   26.539728]  [] dump_stack+0xc1/0x128
[   26.545062]  [] panic+0x1bc/0x3a8
[   26.550048]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   26.558248]  [] ? preempt_schedule+0x25/0x30
[   26.564193]  [] ? ___preempt_schedule+0x16/0x18
[   26.570395]  [] kasan_end_report+0x50/0x50
[   26.576159]  [] kasan_report+0x167/0x360
[   26.581761]  [] ? sg_remove_request+0x103/0x120
[   26.587961]  [] __asan_report_load8_noabort+0x14/0x20
[   26.595162]  [] sg_remove_request+0x103/0x120
[   26.601194]  [] sg_finish_rem_req+0x295/0x340
[   26.607229]  [] sg_read+0xa1c/0x1440
[   26.612479]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   26.619120]  [] ? fsnotify+0xf30/0xf30
[   26.624538]  [] ? avc_policy_seqno+0x9/0x20
[   26.630393]  [] do_loop_readv_writev.part.17+0x141/0x1e0
[   26.637382]  [] ? security_file_permission+0x89/0x1e0
[   26.644104]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   26.650739]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   26.657375]  [] compat_do_readv_writev+0x522/0x760
[   26.663843]  [] ? do_pwritev+0x1a0/0x1a0
[   26.669444]  [] ? _raw_spin_unlock+0x2c/0x50
[   26.675385]  [] ? handle_mm_fault+0x6ee/0x2530
[   26.681499]  [] ? __pmd_alloc+0x410/0x410
[   26.687191]  [] compat_readv+0xe3/0x150
[   26.692700]  [] do_compat_readv+0xf4/0x1d0
[   26.698472]  [] ? compat_readv+0x150/0x150
[   26.704246]  [] compat_SyS_readv+0x26/0x30
[   26.710019]  [] ? SyS_pwritev2+0x80/0x80
[   26.715616]  [] do_fast_syscall_32+0x2f7/0x890
[   26.721733]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   26.728371]  [] entry_SYSENTER_compat+0x74/0x83
[   26.734613] Dumping ftrace buffer:
[   26.738131]    (ftrace buffer empty)
[   26.741818] Kernel Offset: disabled
[   26.745413] Rebooting in 86400 seconds..
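The report above records a KASAN slab-out-of-bounds read of size 8 in sg_remove_request, reached from the sg driver's read path through the 32-bit compat readv entry point, at an address 64 bytes into a 96-byte fasync_cache object, with no allocation or free stack available and panic_on_warn turning the report into a reboot. When a fuzzer produces many such reports, the first job is to pull those fields out mechanically so crashes can be bucketed and deduplicated. The parser below is an added example and not part of this log or of syzkaller; the embedded KASAN_REPORT is an abridged copy of the first trace above (most "?" frames dropped), and the REPORT_NOISE prefix list is an assumption about which frames belong to KASAN's reporting machinery rather than to the faulting code.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Abridged copy of the report above: timestamps kept, most "?" frames dropped.
KASAN_REPORT = """\
[   26.130401] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0x103/0x120
[   26.137506] Read of size 8 at addr ffff8801cad4e140 by task syzkaller804689/3341
[   26.187540] Call Trace:
[   26.190097]  [] dump_stack+0xc1/0x128
[   26.202079]  [] kasan_report+0x275/0x360
[   26.207679]  [] ? sg_remove_request+0x103/0x120
[   26.213895]  [] __asan_report_load8_noabort+0x14/0x20
[   26.220622]  [] sg_remove_request+0x103/0x120
[   26.226651]  [] sg_finish_rem_req+0x295/0x340
[   26.232677]  [] sg_read+0xa1c/0x1440
[   26.237922]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   26.255842]  [] do_loop_readv_writev.part.17+0x141/0x1e0
[   26.282841]  [] compat_do_readv_writev+0x522/0x760
[   26.329699]  [] compat_SyS_readv+0x26/0x30
[   26.341090]  [] do_fast_syscall_32+0x2f7/0x890
[   26.353849]  [] entry_SYSENTER_compat+0x74/0x83
[   26.378509] The buggy address belongs to the object at ffff8801cad4e100
[   26.378509]  which belongs to the cache fasync_cache of size 96
[   26.474668] ==================================================================
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # printk timestamp prefix
HEADER_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) "
                       r"by task (?P<task>\S+)/(?P<pid>\d+)")
# Accepts "[<ffffffff81d93149>] sym+0x1/0x2" as well as the address-stripped "[] sym+0x1/0x2".
FRAME_RE = re.compile(r"\[(?:<[0-9a-f]+>)?\]\s+(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x(?P<off>[0-9a-f]+)/0x[0-9a-f]+")
OBJECT_RE = re.compile(r"belongs to the object at (?P<obj>[0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")

# Assumption: frames with these prefixes are KASAN's reporting path, not the faulting code.
REPORT_NOISE = ("dump_stack", "print_address_description", "kasan_", "__asan_", "check_memory_region")


@dataclass
class Frame:
    sym: str
    off: int
    reliable: bool  # False for "?" frames: stale stack slots, not confirmed callers


@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    op: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    pid: int = 0
    frames: List[Frame] = field(default_factory=list)
    obj: Optional[int] = None
    cache: str = ""
    cache_size: int = 0

    def reliable_chain(self) -> List[str]:
        """Confirmed callers from the faulting function out to the syscall entry."""
        return [f.sym for f in self.frames if f.reliable and not f.sym.startswith(REPORT_NOISE)]

    def offset_in_object(self) -> Optional[int]:
        return None if self.obj is None else self.addr - self.obj

    def bucket(self) -> str:
        """Stable key for grouping repeated crashes: bug kind, faulting function, access."""
        chain = self.reliable_chain()
        return f"{self.kind}:{chain[0] if chain else None}:{self.op.lower()}{self.size}"


def parse_kasan_report(text: str) -> KasanReport:
    rep = KasanReport()
    in_trace = False
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if line.startswith("=====") and rep.kind:
            break  # closing separator; the panic dump after it repeats the same trace
        if line == "Call Trace:":
            in_trace = True
            continue
        if in_trace:
            m = FRAME_RE.search(line)
            if m:
                rep.frames.append(Frame(m["sym"], int(m["off"], 16), m["unreliable"] is None))
                continue
            in_trace = False  # first non-frame line ends the trace; still parse it below
        if m := HEADER_RE.search(line):
            rep.kind, rep.func = m["kind"], m["func"]
        elif m := ACCESS_RE.search(line):
            rep.op, rep.size = m["op"], int(m["size"])
            rep.addr, rep.task, rep.pid = int(m["addr"], 16), m["task"], int(m["pid"])
        elif m := OBJECT_RE.search(line):
            rep.obj = int(m["obj"], 16)
        elif m := CACHE_RE.search(line):
            rep.cache, rep.cache_size = m["cache"], int(m["size"])
    return rep
```

Two caveats that this log itself makes visible: the "Allocated by"/"Freed by" stacks are "(stack is not available)", so the object's history cannot be used to tell a stale pointer from an overrun and the parser deliberately does not guess at it; and the frame addresses have been stripped to "[]" in this copy, which is why FRAME_RE accepts both the bare and the "[<addr>]" form. The "?" frames are kept but flagged unreliable so that bucketing keys only on confirmed callers.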