[ 9.510783] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 27.747108] random: sshd: uninitialized urandom read (32 bytes read)
[ 28.005003] audit: type=1400 audit(1547345433.945:6): avc: denied { map } for pid=1769 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 28.044701] random: sshd: uninitialized urandom read (32 bytes read)
[ 28.536536] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.76' (ECDSA) to the list of known hosts.
[ 34.366470] urandom_read: 1 callbacks suppressed
[ 34.366474] random: sshd: uninitialized urandom read (32 bytes read)
[ 34.458171] audit: type=1400 audit(1547345440.395:7): avc: denied { map } for pid=1787 comm="syz-executor453" path="/root/syz-executor453145738" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 34.781527] ==================================================================
[ 34.789068] BUG: KASAN: use-after-free in ip_check_defrag+0x4f5/0x523
[ 34.795624] Write of size 4 at addr ffff8881d326695c by task syz-executor453/1790
[ 34.803279]
[ 34.804897] CPU: 1 PID: 1790 Comm: syz-executor453 Not tainted 4.14.92+ #5
[ 34.811887] Call Trace:
[ 34.814459]  dump_stack+0xb9/0x10e
[ 34.817982]  ? ip_check_defrag+0x4f5/0x523
[ 34.822195]  print_address_description+0x60/0x226
[ 34.827015]  ? ip_check_defrag+0x4f5/0x523
[ 34.831233]  kasan_report.cold+0x88/0x2a5
[ 34.835372]  ? ip_check_defrag+0x4f5/0x523
[ 34.839592]  ? ip_defrag+0x3b50/0x3b50
[ 34.843463]  ? __lock_acquire+0x56a/0x3fa0
[ 34.847686]  ? packet_rcv_fanout+0x4d1/0x5e0
[ 34.852195]  ? __netif_receive_skb_core+0xa21/0x2c60
[ 34.857277]  ? trace_hardirqs_on+0x10/0x10
[ 34.861497]  ? flush_backlog+0x580/0x580
[ 34.865560]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 34.870734]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 34.875906]  ? lock_acquire+0x10f/0x380
[ 34.879861]  ? __netif_receive_skb+0x55/0x1f0
[ 34.884332]  ? __netif_receive_skb+0x55/0x1f0
[ 34.888807]  ? netif_receive_skb_internal+0xec/0x5c0
[ 34.893891]  ? dev_cpu_dead+0x810/0x810
[ 34.897855]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 34.903296]  ? rcu_read_lock_sched_held+0x10a/0x130
[ 34.908293]  ? tun_rx_batched.isra.0+0x45d/0x730
[ 34.913087]  ? __skb_get_hash_symmetric+0x255/0x620
[ 34.918097]  ? tun_chr_read_iter+0x1c0/0x1c0
[ 34.922490]  ? tun_get_user+0xc07/0x3790
[ 34.926538]  ? __local_bh_enable_ip+0x65/0xc0
[ 34.931037]  ? tun_get_user+0xd95/0x3790
[ 34.935091]  ? tun_rx_batched.isra.0+0x730/0x730
[ 34.939838]  ? mutex_remove_waiter+0x150/0x440
[ 34.944398]  ? mark_held_locks+0xa6/0xf0
[ 34.948452]  ? get_page_from_freelist+0x85e/0x1d60
[ 34.953369]  ? preempt_count_add+0xb8/0x180
[ 34.957674]  ? __tun_get+0x11c/0x220
[ 34.961373]  ? check_preemption_disabled+0x35/0x1f0
[ 34.966387]  ? tun_chr_write_iter+0xcf/0x180
[ 34.970785]  ? do_iter_readv_writev+0x379/0x580
[ 34.975555]  ? clone_verify_area+0x1e0/0x1e0
[ 34.979944]  ? avc_policy_seqno+0x5/0x10
[ 34.983994]  ? security_file_permission+0x88/0x1e0
[ 34.988933]  ? do_iter_write+0x152/0x550
[ 34.992978]  ? lock_downgrade+0x5d0/0x5d0
[ 34.997111]  ? vfs_writev+0x146/0x2d0
[ 35.000892]  ? vfs_iter_write+0xa0/0xa0
[ 35.004847]  ? __handle_mm_fault+0x6c5/0x2640
[ 35.009337]  ? __do_page_fault+0x48e/0xb80
[ 35.013562]  ? lock_downgrade+0x5d0/0x5d0
[ 35.017689]  ? check_preemption_disabled+0x35/0x1f0
[ 35.022692]  ? do_writev+0xc9/0x240
[ 35.026297]  ? vfs_writev+0x2d0/0x2d0
[ 35.030091]  ? do_syscall_64+0x43/0x4b0
[ 35.034072]  ? SyS_readv+0x30/0x30
[ 35.037590]  ? do_syscall_64+0x19b/0x4b0
[ 35.041637]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 35.046982]
[ 35.048590] Allocated by task 1790:
[ 35.052197]  kasan_kmalloc.part.0+0x4f/0xd0
[ 35.056498]  kmem_cache_alloc+0xd2/0x2d0
[ 35.060539]  skb_clone+0x126/0x310
[ 35.064057]  ip_check_defrag+0x2bc/0x523
[ 35.068095]  packet_rcv_fanout+0x4d1/0x5e0
[ 35.072312]  __netif_receive_skb_core+0xa21/0x2c60
[ 35.077250]  __netif_receive_skb+0x55/0x1f0
[ 35.081555]  netif_receive_skb_internal+0xec/0x5c0
[ 35.086467]  tun_rx_batched.isra.0+0x45d/0x730
[ 35.091026]  tun_get_user+0xd95/0x3790
[ 35.094900]  tun_chr_write_iter+0xcf/0x180
[ 35.099109]  do_iter_readv_writev+0x379/0x580
[ 35.103578]  do_iter_write+0x152/0x550
[ 35.107441]  vfs_writev+0x146/0x2d0
[ 35.111064]  do_writev+0xc9/0x240
[ 35.114496]  do_syscall_64+0x19b/0x4b0
[ 35.118357]
[ 35.119963] Freed by task 1790:
[ 35.123220]  kasan_slab_free+0xb0/0x190
[ 35.127174]  kmem_cache_free+0xc4/0x330
[ 35.131127]  kfree_skbmem+0xa0/0x100
[ 35.134817]  kfree_skb+0xcd/0x350
[ 35.138255]  ip_defrag+0x5f4/0x3b50
[ 35.141863]  ip_check_defrag+0x39b/0x523
[ 35.145914]  packet_rcv_fanout+0x4d1/0x5e0
[ 35.150136]  __netif_receive_skb_core+0xa21/0x2c60
[ 35.155055]  __netif_receive_skb+0x55/0x1f0
[ 35.159359]  netif_receive_skb_internal+0xec/0x5c0
[ 35.164269]  tun_rx_batched.isra.0+0x45d/0x730
[ 35.168827]  tun_get_user+0xd95/0x3790
[ 35.172695]  tun_chr_write_iter+0xcf/0x180
[ 35.176981]  do_iter_readv_writev+0x379/0x580
[ 35.181459]  do_iter_write+0x152/0x550
[ 35.185321]  vfs_writev+0x146/0x2d0
[ 35.188922]  do_writev+0xc9/0x240
[ 35.192350]  do_syscall_64+0x19b/0x4b0
[ 35.196208]
[ 35.197814] The buggy address belongs to the object at ffff8881d32668c0
[ 35.197814]  which belongs to the cache skbuff_head_cache of size 224
[ 35.210966] The buggy address is located 156 bytes inside of
[ 35.210966]  224-byte region [ffff8881d32668c0, ffff8881d32669a0)
[ 35.222814] The buggy address belongs to the page:
[ 35.227720] page:ffffea00074c9980 count:1 mapcount:0 mapping: (null) index:0x0
[ 35.235841] flags: 0x4000000000000100(slab)
[ 35.240141] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[ 35.248003] raw: ffffea000743e280 0000000400000004 ffff8881dab58200 0000000000000000
[ 35.255858] page dumped because: kasan: bad access detected
[ 35.261541]
[ 35.263145] Memory state around the buggy address:
[ 35.268062]  ffff8881d3266800: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 35.275397]  ffff8881d3266880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 35.282731] >ffff8881d3266900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.290077]                                                     ^
[ 35.296301]  ffff8881d3266980: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.303639]  ffff8881d3266a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 35.310974] ==================================================================
[ 35.318314] Disabling lock debugging due to kernel taint
[ 35.323777] Kernel panic - not syncing: panic_on_warn set ...
[ 35.323777]
[ 35.331134] CPU: 1 PID: 1790 Comm: syz-executor453 Tainted: G B 4.14.92+ #5
[ 35.339337] Call Trace:
[ 35.341907]  dump_stack+0xb9/0x10e
[ 35.345425]  panic+0x1d9/0x3c2
[ 35.348597]  ? add_taint.cold+0x16/0x16
[ 35.352548]  ? retint_kernel+0x2d/0x2d
[ 35.356414]  ? ip_check_defrag+0x4f5/0x523
[ 35.360624]  kasan_end_report+0x43/0x49
[ 35.364574]  kasan_report.cold+0xa4/0x2a5
[ 35.368698]  ? ip_check_defrag+0x4f5/0x523
[ 35.372910]  ? ip_defrag+0x3b50/0x3b50
[ 35.376784]  ? __lock_acquire+0x56a/0x3fa0
[ 35.380996]  ? packet_rcv_fanout+0x4d1/0x5e0
[ 35.385382]  ? __netif_receive_skb_core+0xa21/0x2c60
[ 35.390462]  ? trace_hardirqs_on+0x10/0x10
[ 35.394680]  ? flush_backlog+0x580/0x580
[ 35.398890]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 35.404060]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 35.409230]  ? lock_acquire+0x10f/0x380
[ 35.413195]  ? __netif_receive_skb+0x55/0x1f0
[ 35.417698]  ? __netif_receive_skb+0x55/0x1f0
[ 35.422174]  ? netif_receive_skb_internal+0xec/0x5c0
[ 35.427253]  ? dev_cpu_dead+0x810/0x810
[ 35.431208]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 35.436634]  ? rcu_read_lock_sched_held+0x10a/0x130
[ 35.441709]  ? tun_rx_batched.isra.0+0x45d/0x730
[ 35.446448]  ? __skb_get_hash_symmetric+0x255/0x620
[ 35.451448]  ? tun_chr_read_iter+0x1c0/0x1c0
[ 35.455851]  ? tun_get_user+0xc07/0x3790
[ 35.459901]  ? __local_bh_enable_ip+0x65/0xc0
[ 35.464376]  ? tun_get_user+0xd95/0x3790
[ 35.468416]  ? tun_rx_batched.isra.0+0x730/0x730
[ 35.473153]  ? mutex_remove_waiter+0x150/0x440
[ 35.477713]  ? mark_held_locks+0xa6/0xf0
[ 35.481753]  ? get_page_from_freelist+0x85e/0x1d60
[ 35.486660]  ? preempt_count_add+0xb8/0x180
[ 35.490964]  ? __tun_get+0x11c/0x220
[ 35.494657]  ? check_preemption_disabled+0x35/0x1f0
[ 35.499782]  ? tun_chr_write_iter+0xcf/0x180
[ 35.504166]  ? do_iter_readv_writev+0x379/0x580
[ 35.508808]  ? clone_verify_area+0x1e0/0x1e0
[ 35.513191]  ? avc_policy_seqno+0x5/0x10
[ 35.517227]  ? security_file_permission+0x88/0x1e0
[ 35.522133]  ? do_iter_write+0x152/0x550
[ 35.526168]  ? lock_downgrade+0x5d0/0x5d0
[ 35.530291]  ? vfs_writev+0x146/0x2d0
[ 35.534068]  ? vfs_iter_write+0xa0/0xa0
[ 35.538024]  ? __handle_mm_fault+0x6c5/0x2640
[ 35.542520]  ? __do_page_fault+0x48e/0xb80
[ 35.546836]  ? lock_downgrade+0x5d0/0x5d0
[ 35.550971]  ? check_preemption_disabled+0x35/0x1f0
[ 35.555967]  ? do_writev+0xc9/0x240
[ 35.559570]  ? vfs_writev+0x2d0/0x2d0
[ 35.563350]  ? do_syscall_64+0x43/0x4b0
[ 35.567300]  ? SyS_readv+0x30/0x30
[ 35.570953]  ? do_syscall_64+0x19b/0x4b0
[ 35.574998]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 35.580662] Kernel Offset: 0x27400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 35.591568] Rebooting in 86400 seconds..