[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 27.691649] random: sshd: uninitialized urandom read (32 bytes read)
[ 28.111663] audit: type=1400 audit(1544659775.502:6): avc: denied { map } for pid=1766 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 28.148515] random: sshd: uninitialized urandom read (32 bytes read)
[ 28.652707] random: sshd: uninitialized urandom read (32 bytes read)
[ 32.181274] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.14' (ECDSA) to the list of known hosts.
[ 37.717161] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.826060] audit: type=1400 audit(1544659785.212:7): avc: denied { map } for pid=1784 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2018/12/13 00:09:45 parsed 1 programs
[ 38.479786] audit: type=1400 audit(1544659785.862:8): avc: denied { map } for pid=1784 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=4999 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 39.052260] random: cc1: uninitialized urandom read (8 bytes read)
2018/12/13 00:09:48 executed programs: 0
[ 40.604301] audit: type=1400 audit(1544659787.992:9): avc: denied { map } for pid=1784 comm="syz-execprog" path="/root/syzkaller-shm497037123" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
2018/12/13 00:09:54 executed programs: 6
[ 46.792013] audit: type=1400 audit(1544659794.182:10): avc: denied { associate } for pid=4223 comm="syz-executor3" name="file0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
2018/12/13 00:09:59 executed programs: 258
[ 52.194998] ==================================================================
[ 52.202460] BUG: KASAN: use-after-free in link_path_walk+0xd2c/0xf90
[ 52.208955] Read of size 1 at addr ffff8881c8ef446a by task syz-executor0/5614
[ 52.216312]
[ 52.217938] CPU: 1 PID: 5614 Comm: syz-executor0 Not tainted 4.14.87+ #22
[ 52.224858] Call Trace:
[ 52.227466]  dump_stack+0xb9/0x11b
[ 52.231020]  print_address_description+0x60/0x22b
[ 52.235861]  kasan_report.cold.6+0x11b/0x2dd
[ 52.240252]  ? link_path_walk+0xd2c/0xf90
[ 52.244388]  link_path_walk+0xd2c/0xf90
[ 52.248349]  ? walk_component+0xc10/0xc10
[ 52.252479]  ? security_inode_follow_link+0xd2/0x110
[ 52.257568]  ? trailing_symlink+0x24d/0x770
[ 52.261876]  path_lookupat.isra.11+0x1f0/0x890
[ 52.266441]  ? path_parentat.isra.10+0x140/0x140
[ 52.271178]  ? do_syscall_64+0x19b/0x4b0
[ 52.275219]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 52.280570]  ? __is_insn_slot_addr+0x139/0x1f0
[ 52.285139]  ? kernel_text_address+0x10b/0x120
[ 52.289705]  ? __kernel_text_address+0x9/0x30
[ 52.294182]  ? unwind_get_return_address+0x51/0x90
[ 52.299112]  ? __save_stack_trace+0x8d/0xf0
[ 52.303421]  filename_lookup.part.19+0x177/0x370
[ 52.308168]  ? filename_parentat.isra.17.part.18+0x3d0/0x3d0
[ 52.313963]  ? check_stack_object+0x80/0xa0
[ 52.318276]  ? strncpy_from_user+0x1e3/0x2b0
[ 52.322670]  ? getname_flags+0x222/0x540
[ 52.326713]  user_path_at_empty+0x4b/0x80
[ 52.330844]  do_mount+0x12c/0x26e0
[ 52.334368]  ? __might_fault+0x104/0x1b0
[ 52.338410]  ? lock_downgrade+0x560/0x560
[ 52.342542]  ? copy_mount_string+0x40/0x40
[ 52.346771]  ? __might_fault+0x177/0x1b0
[ 52.350818]  ? _copy_from_user+0x94/0x100
[ 52.354962]  ? memdup_user+0x5a/0x90
[ 52.358659]  ? copy_mount_options+0x1ec/0x2c0
[ 52.363140]  SyS_mount+0xe5/0x100
[ 52.366597]  ? copy_mnt_ns+0x950/0x950
[ 52.370468]  do_syscall_64+0x19b/0x4b0
[ 52.374344]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 52.379520] RIP: 0033:0x457679
[ 52.382693] RSP: 002b:00007f53c1024c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 52.390386] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000457679
[ 52.397636] RDX: 0000000020000040 RSI: 0000000020000000 RDI: 0000000000000000
[ 52.404887] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
[ 52.412139] R10: 0000000000200000 R11: 0000000000000246 R12: 00007f53c10256d4
[ 52.419391] R13: 00000000004c2e25 R14: 00000000004d5200 R15: 00000000ffffffff
[ 52.426653]
[ 52.428262] Allocated by task 5620:
[ 52.431875]  kasan_kmalloc.part.1+0x4f/0xd0
[ 52.436179]  __kmalloc_track_caller+0x104/0x300
[ 52.440847]  kstrdup+0x35/0x70
[ 52.444019]  bpf_symlink+0x21/0x120
[ 52.447622]  vfs_symlink2+0x321/0x550
[ 52.451412]  SyS_symlinkat+0x110/0x1e0
[ 52.455279]  do_syscall_64+0x19b/0x4b0
[ 52.459144]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 52.464307]
[ 52.465913] Freed by task 5624:
[ 52.469178]  kasan_slab_free+0xac/0x190
[ 52.473142]  kfree+0xf5/0x310
[ 52.476269]  bpf_evict_inode+0x102/0x130
[ 52.480362]  evict+0x2cb/0x5f0
[ 52.483539]  iput+0x373/0x8e0
[ 52.486622]  do_unlinkat+0x4bf/0x650
[ 52.490312]  do_syscall_64+0x19b/0x4b0
[ 52.494195]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 52.499359]
[ 52.500965] The buggy address belongs to the object at ffff8881c8ef4468
[ 52.500965]  which belongs to the cache kmalloc-8 of size 8
[ 52.513254] The buggy address is located 2 bytes inside of
[ 52.513254]  8-byte region [ffff8881c8ef4468, ffff8881c8ef4470)
[ 52.524765] The buggy address belongs to the page:
[ 52.529680] page:ffffea000723bd00 count:1 mapcount:0 mapping: (null) index:0x0
[ 52.537808] flags: 0x4000000000000100(slab)
[ 52.542109] raw: 4000000000000100 0000000000000000 0000000000000000 0000000100aa00aa
[ 52.549989] raw: 0000000000000000 0000000100000001 ffff8881da803c00 0000000000000000
[ 52.557871] page dumped because: kasan: bad access detected
[ 52.563609]
[ 52.565212] Memory state around the buggy address:
[ 52.570122]  ffff8881c8ef4300: fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb
[ 52.577461]  ffff8881c8ef4380: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc
[ 52.584803] >ffff8881c8ef4400: fc fb fc fc fb fc fc fb fc fc 00 fc fc fb fc fc
[ 52.592142]                                                  ^
[ 52.598877]  ffff8881c8ef4480: fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb
[ 52.606230]  ffff8881c8ef4500: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc
[ 52.613570] ==================================================================
[ 52.620905] Disabling lock debugging due to kernel taint
[ 52.626764] Kernel panic - not syncing: panic_on_warn set ...
[ 52.626764]
[ 52.634146] CPU: 1 PID: 5614 Comm: syz-executor0 Tainted: G B 4.14.87+ #22
[ 52.642290] Call Trace:
[ 52.644863]  dump_stack+0xb9/0x11b
[ 52.648388]  panic+0x1bf/0x3a4
[ 52.651564]  ? add_taint.cold.4+0x16/0x16
[ 52.655694]  ? ___preempt_schedule+0x16/0x18
[ 52.660096]  kasan_end_report+0x43/0x49
[ 52.664098]  kasan_report.cold.6+0x77/0x2dd
[ 52.668399]  ? link_path_walk+0xd2c/0xf90
[ 52.672532]  link_path_walk+0xd2c/0xf90
[ 52.676489]  ? walk_component+0xc10/0xc10
[ 52.680625]  ? security_inode_follow_link+0xd2/0x110
[ 52.685711]  ? trailing_symlink+0x24d/0x770
[ 52.690019]  path_lookupat.isra.11+0x1f0/0x890
[ 52.694597]  ? path_parentat.isra.10+0x140/0x140
[ 52.699333]  ? do_syscall_64+0x19b/0x4b0
[ 52.703406]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 52.708753]  ? __is_insn_slot_addr+0x139/0x1f0
[ 52.713315]  ? kernel_text_address+0x10b/0x120
[ 52.717875]  ? __kernel_text_address+0x9/0x30
[ 52.722348]  ? unwind_get_return_address+0x51/0x90
[ 52.727257]  ? __save_stack_trace+0x8d/0xf0
[ 52.731565]  filename_lookup.part.19+0x177/0x370
[ 52.736330]  ? filename_parentat.isra.17.part.18+0x3d0/0x3d0
[ 52.742107]  ? check_stack_object+0x80/0xa0
[ 52.746414]  ? strncpy_from_user+0x1e3/0x2b0
[ 52.750799]  ? getname_flags+0x222/0x540
[ 52.754835]  user_path_at_empty+0x4b/0x80
[ 52.758962]  do_mount+0x12c/0x26e0
[ 52.762482]  ? __might_fault+0x104/0x1b0
[ 52.766525]  ? lock_downgrade+0x560/0x560
[ 52.770653]  ? copy_mount_string+0x40/0x40
[ 52.774869]  ? __might_fault+0x177/0x1b0
[ 52.778916]  ? _copy_from_user+0x94/0x100
[ 52.783058]  ? memdup_user+0x5a/0x90
[ 52.786755]  ? copy_mount_options+0x1ec/0x2c0
[ 52.791416]  SyS_mount+0xe5/0x100
[ 52.794848]  ? copy_mnt_ns+0x950/0x950
[ 52.798717]  do_syscall_64+0x19b/0x4b0
[ 52.802593]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 52.807762] RIP: 0033:0x457679
[ 52.810929] RSP: 002b:00007f53c1024c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 52.818613] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000457679
[ 52.825868] RDX: 0000000020000040 RSI: 0000000020000000 RDI: 0000000000000000
[ 52.833131] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
[ 52.840390] R10: 0000000000200000 R11: 0000000000000246 R12: 00007f53c10256d4
[ 52.847649] R13: 00000000004c2e25 R14: 00000000004d5200 R15: 00000000ffffffff
[ 52.855239] Kernel Offset: 0xb800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 52.866076] Rebooting in 86400 seconds..