[ ok ] Starting enhanced syslogd: rsyslogd.
[ 13.587760] audit: type=1400 audit(1516828008.061:4): avc: denied { syslog } for pid=3175 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.2' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[ 31.920829] ==================================================================
[ 31.928240] BUG: KASAN: slab-out-of-bounds in string+0x1e8/0x200
[ 31.934355] Read of size 1 at addr ffff8801c8ea9350 by task syzkaller453322/3332
[ 31.941856]
[ 31.943455] CPU: 1 PID: 3332 Comm: syzkaller453322 Not tainted 4.9.78-ge9dabe6 #19
[ 31.951129] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.960456]  ffff8801c16f7740 ffffffff81d943a9 ffffea000723aa40 ffff8801c8ea9350
[ 31.968445]  0000000000000000 ffff8801c8ea9350 ffff8801c16f799c ffff8801c16f7778
[ 31.976439]  ffffffff8153dc23 ffff8801c8ea9350 0000000000000001 0000000000000000
[ 31.984435] Call Trace:
[ 31.986997]  [] dump_stack+0xc1/0x128
[ 31.992430]  [] print_address_description+0x73/0x280
[ 31.999076]  [] kasan_report+0x275/0x360
[ 32.004692]  [] ? string+0x1e8/0x200
[ 32.009964]  [] __asan_report_load1_noabort+0x14/0x20
[ 32.016711]  [] string+0x1e8/0x200
[ 32.021812]  [] vsnprintf+0x7ad/0x16d0
[ 32.027253]  [] ? pointer+0xa90/0xa90
[ 32.032606]  [] ? __mutex_unlock_slowpath+0x25a/0x3d0
[ 32.039348]  [] __request_module+0x14f/0x750
[ 32.045304]  [] ? __ww_mutex_lock+0x14a0/0x14a0
[ 32.051522]  [] ? call_usermodehelper_setup+0x2c0/0x2c0
[ 32.058434]  [] ? nft_payload_set_init+0x298/0x4b0
[ 32.064913]  [] xt_request_find_target+0x8b/0xb0
[ 32.071217]  [] translate_table+0x177a/0x1e30
[ 32.077259]  [] ? ipt_alloc_initial_table+0x660/0x660
[ 32.084006]  [] ? check_stack_object+0x68/0x140
[ 32.090231]  [] ? __check_object_size+0x174/0x3a9
[ 32.096617]  [] ? 0xffffffff810002b8
[ 32.101893]  [] do_ipt_set_ctl+0x2be/0x470
[ 32.107688]  [] ? compat_do_ipt_set_ctl+0x150/0x150
[ 32.114259]  [] ? mutex_unlock+0x9/0x10
[ 32.119788]  [] ? nf_sockopt_find.constprop.0+0x1a7/0x220
[ 32.126880]  [] nf_setsockopt+0x67/0xc0
[ 32.132404]  [] ip_setsockopt+0xa1/0xb0
[ 32.137933]  [] udp_setsockopt+0x45/0x80
[ 32.143547]  [] sock_common_setsockopt+0x95/0xd0
[ 32.149853]  [] SyS_setsockopt+0x160/0x250
[ 32.155647]  [] ? SyS_recv+0x40/0x40
[ 32.160921]  [] ? entry_SYSCALL_64_fastpath+0x5/0xe8
[ 32.167597]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 32.174421]  [] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 32.180992]  [] entry_SYSCALL_64_fastpath+0x29/0xe8
[ 32.187556]
[ 32.189164] Allocated by task 3332:
[ 32.192775]  save_stack_trace+0x16/0x20
[ 32.196744]  save_stack+0x43/0xd0
[ 32.200184]  kasan_kmalloc+0xad/0xe0
[ 32.203877]  __kmalloc+0x11d/0x310
[ 32.207395]  xt_alloc_table_info+0x71/0x100
[ 32.211702]  do_ipt_set_ctl+0x242/0x470
[ 32.215676]  nf_setsockopt+0x67/0xc0
[ 32.219374]  ip_setsockopt+0xa1/0xb0
[ 32.223082]  udp_setsockopt+0x45/0x80
[ 32.226874]  sock_common_setsockopt+0x95/0xd0
[ 32.231353]  SyS_setsockopt+0x160/0x250
[ 32.235308]  entry_SYSCALL_64_fastpath+0x29/0xe8
[ 32.240037]
[ 32.241670] Freed by task 1915:
[ 32.244935]  save_stack_trace+0x16/0x20
[ 32.248897]  save_stack+0x43/0xd0
[ 32.252335]  kasan_slab_free+0x72/0xc0
[ 32.256227]  kfree+0x103/0x300
[ 32.259400]  free_bprm+0x19d/0x200
[ 32.262935]  do_execveat_common.isra.37+0x17df/0x1f10
[ 32.268105]  SyS_execve+0x42/0x50
[ 32.271557]  do_syscall_64+0x197/0x490
[ 32.275437]  return_from_SYSCALL_64+0x0/0x7e
[ 32.279826]
[ 32.281437] The buggy address belongs to the object at ffff8801c8ea9280
[ 32.281437]  which belongs to the cache kmalloc-256 of size 256
[ 32.294075] The buggy address is located 208 bytes inside of
[ 32.294075]  256-byte region [ffff8801c8ea9280, ffff8801c8ea9380)
[ 32.305930] The buggy address belongs to the page:
[ 32.310850] page:ffffea000723aa40 count:1 mapcount:0 mapping: (null) index:0x0
[ 32.319113] flags: 0x8000000000000080(slab)
[ 32.323410] page dumped because: kasan: bad access detected
[ 32.329111]
[ 32.330720] Memory state around the buggy address:
[ 32.335635]  ffff8801c8ea9200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 32.342981]  ffff8801c8ea9280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 32.350340] >ffff8801c8ea9300: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[ 32.357683]                                                  ^
[ 32.363643]  ffff8801c8ea9380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 32.370992]  ffff8801c8ea9400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.378346] ==================================================================
[ 32.385688] Disabling lock debugging due to kernel taint
[ 32.391549] Kernel panic - not syncing: panic_on_warn set ...
[ 32.391549]
[ 32.398915] CPU: 1 PID: 3332 Comm: syzkaller453322 Tainted: G    B   4.9.78-ge9dabe6 #19
[ 32.407828] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.417171]  ffff8801c16f7698 ffffffff81d943a9 ffffffff841971bf ffff8801c16f7770
[ 32.425179]  0000000000000000 ffff8801c8ea9350 ffff8801c16f799c ffff8801c16f7760
[ 32.433170]  ffffffff8142f451 0000000041b58ab3 ffffffff8418ac30 ffffffff8142f295
[ 32.441172] Call Trace:
[ 32.443748]  [] dump_stack+0xc1/0x128
[ 32.449101]  [] panic+0x1bc/0x3a8
[ 32.454105]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 32.462319]  [] ? preempt_schedule+0x25/0x30
[ 32.468276]  [] ? ___preempt_schedule+0x16/0x18
[ 32.474495]  [] kasan_end_report+0x50/0x50
[ 32.480279]  [] kasan_report+0x167/0x360
[ 32.485894]  [] ? string+0x1e8/0x200
[ 32.491162]  [] __asan_report_load1_noabort+0x14/0x20
[ 32.497904]  [] string+0x1e8/0x200
[ 32.503002]  [] vsnprintf+0x7ad/0x16d0
[ 32.508439]  [] ? pointer+0xa90/0xa90
[ 32.513800]  [] ? __mutex_unlock_slowpath+0x25a/0x3d0
[ 32.520554]  [] __request_module+0x14f/0x750
[ 32.526510]  [] ? __ww_mutex_lock+0x14a0/0x14a0
[ 32.532735]  [] ? call_usermodehelper_setup+0x2c0/0x2c0
[ 32.539660]  [] ? nft_payload_set_init+0x298/0x4b0
[ 32.546141]  [] xt_request_find_target+0x8b/0xb0
[ 32.552449]  [] translate_table+0x177a/0x1e30
[ 32.558496]  [] ? ipt_alloc_initial_table+0x660/0x660
[ 32.565261]  [] ? check_stack_object+0x68/0x140
[ 32.571481]  [] ? __check_object_size+0x174/0x3a9
[ 32.577863]  [] ? 0xffffffff810002b8
[ 32.583114]  [] do_ipt_set_ctl+0x2be/0x470
[ 32.588882]  [] ? compat_do_ipt_set_ctl+0x150/0x150
[ 32.595433]  [] ? mutex_unlock+0x9/0x10
[ 32.600945]  [] ? nf_sockopt_find.constprop.0+0x1a7/0x220
[ 32.608015]  [] nf_setsockopt+0x67/0xc0
[ 32.613539]  [] ip_setsockopt+0xa1/0xb0
[ 32.619095]  [] udp_setsockopt+0x45/0x80
[ 32.624690]  [] sock_common_setsockopt+0x95/0xd0
[ 32.630981]  [] SyS_setsockopt+0x160/0x250
[ 32.636749]  [] ? SyS_recv+0x40/0x40
[ 32.641997]  [] ? entry_SYSCALL_64_fastpath+0x5/0xe8
[ 32.648653]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 32.655466]  [] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 32.662020]  [] entry_SYSCALL_64_fastpath+0x29/0xe8
[ 32.669001] Dumping ftrace buffer:
[ 32.672516]    (ftrace buffer empty)
[ 32.676204] Kernel Offset: disabled
[ 32.679814] Rebooting in 86400 seconds..