INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-mmots-kasan-gce-9,10.128.0.14' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 55.704591] ==================================================================
[ 55.705653] BUG: KASAN: slab-out-of-bounds in asn1_ber_decoder+0x1436/0x1c20
[ 55.706599] Read of size 1 at addr ffff8801d20cf302 by task syzkaller682464/2998
[ 55.707587]
[ 55.707819] CPU: 0 PID: 2998 Comm: syzkaller682464 Not tainted 4.14.0-rc5-mm1+ #20
[ 55.708827] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.710099] Call Trace:
[ 55.710459]  dump_stack+0x194/0x257
[ 55.710951]  ? arch_local_irq_restore+0x53/0x53
[ 55.711576]  ? show_regs_print_info+0x65/0x65
[ 55.712182]  ? asn1_ber_decoder+0x1436/0x1c20
[ 55.712785]  print_address_description+0x73/0x250
[ 55.713429]  ? asn1_ber_decoder+0x1436/0x1c20
[ 55.714030]  kasan_report+0x25b/0x340
[ 55.714559]  __asan_report_load1_noabort+0x14/0x20
[ 55.715217]  asn1_ber_decoder+0x1436/0x1c20
[ 55.715827]  ? x509_cert_parse+0x176/0x680
[ 55.716407]  ? x509_key_preparse+0x60/0x8b0
[ 55.716987]  ? entry_SYSCALL_64_fastpath+0x1e/0xbe
[ 55.717656]  ? depot_save_stack+0x490/0x490
[ 55.718238]  ? __lock_is_held+0xb6/0x140
[ 55.718798]  ? __lock_is_held+0xb6/0x140
[ 55.719384]  ? ecc_point_mult.isra.2+0x2882/0x28e0
[ 55.720041]  ? rcu_read_lock_sched_held+0x108/0x120
[ 55.720718]  ? kmem_cache_alloc_trace+0x456/0x750
[ 55.721375]  x509_cert_parse+0x1dd/0x680
[ 55.721919]  ? down_read+0x96/0x150
[ 55.722405]  ? asymmetric_key_preparse+0x50/0x110
[ 55.723111]  x509_key_preparse+0x64/0x8b0
[ 55.723673]  asymmetric_key_preparse+0xa8/0x110
[ 55.724308]  ? memset+0x31/0x40
[ 55.725523]  ? asymmetric_key_generate_id+0xc0/0xc0
[ 55.730509]  key_create_or_update+0x4c6/0xe20
[ 55.734977]  ? key_type_lookup+0xd0/0xd0
[ 55.739006]  ? join_session_keyring+0x300/0x300
[ 55.743649]  ? trace_event_raw_event_sched_switch+0x8a0/0x8a0
[ 55.749503]  ? __check_object_size+0x25d/0x4f0
[ 55.754076]  ? kasan_check_write+0x14/0x20
[ 55.758285]  SyS_add_key+0x18a/0x340
[ 55.761967]  ? key_get_type_from_user.constprop.10+0xd0/0xd0
[ 55.767729]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 55.772722]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 55.777443] RIP: 0033:0x43fd89
[ 55.780601] RSP: 002b:00007fffa4c8bf38 EFLAGS: 00000286 ORIG_RAX: 00000000000000f8
[ 55.788279] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd89
[ 55.795524] RDX: 00000000201d9000 RSI: 00000000205ceffb RDI: 0000000020825ff5
[ 55.802766] RBP: 0000000000000082 R08: ffffffffffffffff R09: 0000000000000000
[ 55.810001] R10: 0000000000000002 R11: 0000000000000286 R12: 00000000004016f0
[ 55.817235] R13: 0000000000401780 R14: 0000000000000000 R15: 0000000000000000
[ 55.824490]
[ 55.826087] Allocated by task 2998:
[ 55.829680]  save_stack+0x43/0xd0
[ 55.833098]  kasan_kmalloc+0xad/0xe0
[ 55.836788]  __kmalloc_node+0x47/0x70
[ 55.840555]  kvmalloc_node+0x99/0xd0
[ 55.844249]  SyS_add_key+0x279/0x340
[ 55.847930]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 55.852647]
[ 55.854249] Freed by task 1532:
[ 55.857493]  save_stack+0x43/0xd0
[ 55.860910]  kasan_slab_free+0x71/0xc0
[ 55.864762]  kfree+0xca/0x250
[ 55.867832]  load_elf_binary+0x2035/0x4d80
[ 55.872033]  search_binary_handler+0x142/0x6b0
[ 55.876583]  do_execveat_common.isra.31+0x1703/0x21c0
[ 55.881736]  SyS_execve+0x39/0x50
[ 55.885158]  do_syscall_64+0x26c/0x8d0
[ 55.889010]  return_from_SYSCALL_64+0x0/0x7a
[ 55.893386]
[ 55.894981] The buggy address belongs to the object at ffff8801d20cf300
[ 55.894981]  which belongs to the cache kmalloc-32 of size 32
[ 55.907427] The buggy address is located 2 bytes inside of
[ 55.907427]  32-byte region [ffff8801d20cf300, ffff8801d20cf320)
[ 55.919003] The buggy address belongs to the page:
[ 55.923897] page:ffffea00074833c0 count:1 mapcount:0 mapping:ffff8801d20cf000 index:0xffff8801d20cffc1
[ 55.933306] flags: 0x200000000000100(slab)
[ 55.937514] raw: 0200000000000100 ffff8801d20cf000 ffff8801d20cffc1 000000010000003f
[ 55.945360] raw: ffffea000749f960 ffffea0007473260 ffff8801dac001c0 0000000000000000
[ 55.953211] page dumped because: kasan: bad access detected
[ 55.958885]
[ 55.960485] Memory state around the buggy address:
[ 55.965378]  ffff8801d20cf200: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 55.972705]  ffff8801d20cf280: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 55.980027] >ffff8801d20cf300: 02 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 55.987353]                    ^
[ 55.990688]  ffff8801d20cf380: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 55.998013]  ffff8801d20cf400: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 56.005336] ==================================================================
[ 56.012658] Disabling lock debugging due to kernel taint
[ 56.018143] Kernel panic - not syncing: panic_on_warn set ...
[ 56.018143]
[ 56.025477] CPU: 0 PID: 2998 Comm: syzkaller682464 Tainted: G B 4.14.0-rc5-mm1+ #20
[ 56.034450] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 56.043769] Call Trace:
[ 56.046328]  dump_stack+0x194/0x257
[ 56.049923]  ? arch_local_irq_restore+0x53/0x53
[ 56.054559]  ? kasan_end_report+0x32/0x50
[ 56.058674]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 56.063405]  ? vsnprintf+0x1ed/0x1900
[ 56.067177]  ? asn1_ber_decoder+0x13e0/0x1c20
[ 56.071640]  panic+0x1e4/0x41c
[ 56.074797]  ? refcount_error_report+0x214/0x214
[ 56.079518]  ? add_taint+0x1c/0x50
[ 56.083025]  ? add_taint+0x1c/0x50
[ 56.086532]  ? asn1_ber_decoder+0x1436/0x1c20
[ 56.090989]  kasan_end_report+0x50/0x50
[ 56.094927]  kasan_report+0x144/0x340
[ 56.098693]  __asan_report_load1_noabort+0x14/0x20
[ 56.103585]  asn1_ber_decoder+0x1436/0x1c20
[ 56.107871]  ? x509_cert_parse+0x176/0x680
[ 56.112070]  ? x509_key_preparse+0x60/0x8b0
[ 56.116531]  ? entry_SYSCALL_64_fastpath+0x1e/0xbe
[ 56.121430]  ? depot_save_stack+0x490/0x490
[ 56.125718]  ? __lock_is_held+0xb6/0x140
[ 56.129749]  ? __lock_is_held+0xb6/0x140
[ 56.133780]  ? ecc_point_mult.isra.2+0x2882/0x28e0
[ 56.138674]  ? rcu_read_lock_sched_held+0x108/0x120
[ 56.143653]  ? kmem_cache_alloc_trace+0x456/0x750
[ 56.148465]  x509_cert_parse+0x1dd/0x680
[ 56.152490]  ? down_read+0x96/0x150
[ 56.156104]  ? asymmetric_key_preparse+0x50/0x110
[ 56.160914]  x509_key_preparse+0x64/0x8b0
[ 56.165028]  asymmetric_key_preparse+0xa8/0x110
[ 56.169662]  ? memset+0x31/0x40
[ 56.172906]  ? asymmetric_key_generate_id+0xc0/0xc0
[ 56.177895]  key_create_or_update+0x4c6/0xe20
[ 56.182358]  ? key_type_lookup+0xd0/0xd0
[ 56.186382]  ? join_session_keyring+0x300/0x300
[ 56.191016]  ? trace_event_raw_event_sched_switch+0x8a0/0x8a0
[ 56.196874]  ? __check_object_size+0x25d/0x4f0
[ 56.201428]  ? kasan_check_write+0x14/0x20
[ 56.205627]  SyS_add_key+0x18a/0x340
[ 56.209307]  ? key_get_type_from_user.constprop.10+0xd0/0xd0
[ 56.215069]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 56.220057]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 56.224777] RIP: 0033:0x43fd89
[ 56.227933] RSP: 002b:00007fffa4c8bf38 EFLAGS: 00000286 ORIG_RAX: 00000000000000f8
[ 56.235612] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd89
[ 56.242850] RDX: 00000000201d9000 RSI: 00000000205ceffb RDI: 0000000020825ff5
[ 56.250086] RBP: 0000000000000082 R08: ffffffffffffffff R09: 0000000000000000
[ 56.257319] R10: 0000000000000002 R11: 0000000000000286 R12: 00000000004016f0
[ 56.264553] R13: 0000000000401780 R14: 0000000000000000 R15: 0000000000000000
[ 56.271837] Dumping ftrace buffer:
[ 56.275342]    (ftrace buffer empty)
[ 56.279021] Kernel Offset: disabled
[ 56.282615] Rebooting in 86400 seconds..