[....] Starting enhanced syslogd: rsyslogd
[ 13.036544] audit: type=1400 audit(1516824085.470:5): avc: denied { syslog } for pid=3509 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 18.973752] audit: type=1400 audit(1516824091.407:6): avc: denied { map } for pid=3649 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.220' (ECDSA) to the list of known hosts.
executing program
[ 31.319801] audit: type=1400 audit(1516824103.753:7): avc: denied { map } for pid=3665 comm="syzkaller784216" path="/root/syzkaller784216155" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 31.321707] ==================================================================
[ 31.321721] BUG: KASAN: slab-out-of-bounds in string+0x1e8/0x200
[ 31.321725] Read of size 1 at addr ffff8801d97a2ed0 by task syzkaller784216/3665
[ 31.321726]
[ 31.321731] CPU: 0 PID: 3665 Comm: syzkaller784216 Not tainted 4.15.0-rc9+ #278
[ 31.321734] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.321736] Call Trace:
[ 31.321745]  dump_stack+0x194/0x257
[ 31.321754]  ? arch_local_irq_restore+0x53/0x53
[ 31.321762]  ? show_regs_print_info+0x18/0x18
[ 31.321773]  ? string+0x1e8/0x200
[ 31.321781]  print_address_description+0x73/0x250
[ 31.321786]  ? string+0x1e8/0x200
[ 31.321792]  kasan_report+0x25b/0x340
[ 31.321801]  __asan_report_load1_noabort+0x14/0x20
[ 31.321806]  string+0x1e8/0x200
[ 31.321818]  vsnprintf+0x863/0x1900
[ 31.321830]  ? pointer+0x9e0/0x9e0
[ 31.321848]  __request_module+0x1bf/0xc20
[ 31.321853]  ? lock_downgrade+0x980/0x980
[ 31.321861]  ? free_modprobe_argv+0xa0/0xa0
[ 31.321866]  ? lock_downgrade+0x980/0x980
[ 31.321873]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.321880]  ? pcpu_alloc+0x146/0x10e0
[ 31.321894]  ? __mutex_unlock_slowpath+0xe9/0xac0
[ 31.321899]  ? pcpu_free_area+0xa00/0xa00
[ 31.321906]  ? wait_for_completion+0x770/0x770
[ 31.321916]  ? __kernel_text_address+0xd/0x40
[ 31.321921]  ? wait_for_completion+0x770/0x770
[ 31.321929]  ? trace_hardirqs_off+0xd/0x10
[ 31.321938]  ? depot_save_stack+0x3b5/0x490
[ 31.321947]  ? kvfree+0x36/0x60
[ 31.321960]  ? xt_find_target+0x17b/0x1e0
[ 31.321977]  xt_request_find_target+0x8b/0xb0
[ 31.321986]  find_check_entry.isra.8+0x612/0xcb0
[ 31.321999]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.322011]  ? ipt_do_table+0x1330/0x1330
[ 31.322020]  ? mark_held_locks+0xaf/0x100
[ 31.322026]  ? kfree+0xf0/0x260
[ 31.322030]  ? kvfree+0x36/0x60
[ 31.322036]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 31.322041]  ? trace_hardirqs_on+0xd/0x10
[ 31.322053]  translate_table+0xed1/0x1610
[ 31.322075]  ? alloc_counters.isra.11+0x7d0/0x7d0
[ 31.322084]  ? kasan_check_write+0x14/0x20
[ 31.322090]  ? _copy_from_user+0x99/0x110
[ 31.322098]  do_ipt_set_ctl+0x370/0x5f0
[ 31.322107]  ? translate_compat_table+0x1b90/0x1b90
[ 31.322128]  ? mutex_unlock+0xd/0x10
[ 31.322135]  ? nf_sockopt_find.constprop.0+0x1a7/0x220
[ 31.322143]  nf_setsockopt+0x67/0xc0
[ 31.322153]  ip_setsockopt+0xa1/0xb0
[ 31.322164]  udp_setsockopt+0x45/0x80
[ 31.322175]  sock_common_setsockopt+0x95/0xd0
[ 31.322184]  SyS_setsockopt+0x189/0x360
[ 31.322193]  ? SyS_recv+0x40/0x40
[ 31.322199]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[ 31.322206]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 31.322215]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 31.322226]  entry_SYSCALL_64_fastpath+0x29/0xa0
[ 31.322230] RIP: 0033:0x43ffc9
[ 31.322232] RSP: 002b:00007ffd8daf2498 EFLAGS: 00000203 ORIG_RAX: 0000000000000036
[ 31.322237] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffc9
[ 31.322240] RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003
[ 31.322243] RBP: 00000000006ca018 R08: 00000000000000f0 R09: 0000000000000000
[ 31.322245] R10: 0000000020f20000 R11: 0000000000000203 R12: 00000000004018f0
[ 31.322248] R13: 0000000000401980 R14: 0000000000000000 R15: 0000000000000000
[ 31.322265]
[ 31.322267] Allocated by task 3665:
[ 31.322271]  save_stack+0x43/0xd0
[ 31.322274]  kasan_kmalloc+0xad/0xe0
[ 31.322277]  __kmalloc_node+0x47/0x70
[ 31.322281]  kvmalloc_node+0x99/0xd0
[ 31.322284]  xt_alloc_table_info+0x64/0xe0
[ 31.322287]  do_ipt_set_ctl+0x29b/0x5f0
[ 31.322291]  nf_setsockopt+0x67/0xc0
[ 31.322294]  ip_setsockopt+0xa1/0xb0
[ 31.322297]  udp_setsockopt+0x45/0x80
[ 31.322301]  sock_common_setsockopt+0x95/0xd0
[ 31.322304]  SyS_setsockopt+0x189/0x360
[ 31.322307]  entry_SYSCALL_64_fastpath+0x29/0xa0
[ 31.322308]
[ 31.322310] Freed by task 2028:
[ 31.322314]  save_stack+0x43/0xd0
[ 31.322318]  kasan_slab_free+0x71/0xc0
[ 31.322320]  kfree+0xd6/0x260
[ 31.322326]  single_release+0x80/0xb0
[ 31.322332]  __fput+0x327/0x7e0
[ 31.322335]  ____fput+0x15/0x20
[ 31.322339]  task_work_run+0x199/0x270
[ 31.322342]  exit_to_usermode_loop+0x296/0x310
[ 31.322346]  syscall_return_slowpath+0x490/0x550
[ 31.322349]  entry_SYSCALL_64_fastpath+0x9e/0xa0
[ 31.322350]
[ 31.322353] The buggy address belongs to the object at ffff8801d97a2e00
[ 31.322353]  which belongs to the cache kmalloc-256 of size 256
[ 31.322357] The buggy address is located 208 bytes inside of
[ 31.322357]  256-byte region [ffff8801d97a2e00, ffff8801d97a2f00)
[ 31.322358] The buggy address belongs to the page:
[ 31.322362] page:ffffea000765e880 count:1 mapcount:0 mapping:ffff8801d97a2040 index:0x0
[ 31.322366] flags: 0x2fffc0000000100(slab)
[ 31.322372] raw: 02fffc0000000100 ffff8801d97a2040 0000000000000000 000000010000000c
[ 31.322376] raw: ffffea000765e660 ffffea0007646120 ffff8801dac007c0 0000000000000000
[ 31.322378] page dumped because: kasan: bad access detected
[ 31.322379]
[ 31.322381] Memory state around the buggy address:
[ 31.322385]  ffff8801d97a2d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 31.322388]  ffff8801d97a2e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 31.322391] >ffff8801d97a2e80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[ 31.322393]                                                  ^
[ 31.322396]  ffff8801d97a2f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.322399]  ffff8801d97a2f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.322400] ==================================================================
[ 31.322402] Disabling lock debugging due to kernel taint
[ 31.322427] Kernel panic - not syncing: panic_on_warn set ...
[ 31.322427]
[ 31.322432] CPU: 0 PID: 3665 Comm: syzkaller784216 Tainted: G B 4.15.0-rc9+ #278
[ 31.322434] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.322435] Call Trace:
[ 31.322439]  dump_stack+0x194/0x257
[ 31.322445]  ? arch_local_irq_restore+0x53/0x53
[ 31.322450]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 31.322455]  ? vsnprintf+0x1ed/0x1900
[ 31.322459]  ? string+0x120/0x200
[ 31.322465]  panic+0x1e4/0x41c
[ 31.322469]  ? refcount_error_report+0x214/0x214
[ 31.322474]  ? add_taint+0x1c/0x50
[ 31.322479]  ? add_taint+0x1c/0x50
[ 31.322484]  ? string+0x1e8/0x200
[ 31.322488]  kasan_end_report+0x50/0x50
[ 31.322492]  kasan_report+0x144/0x340
[ 31.322498]  __asan_report_load1_noabort+0x14/0x20
[ 31.322502]  string+0x1e8/0x200
[ 31.322510]  vsnprintf+0x863/0x1900
[ 31.322517]  ? pointer+0x9e0/0x9e0
[ 31.322527]  __request_module+0x1bf/0xc20
[ 31.322531]  ? lock_downgrade+0x980/0x980
[ 31.322537]  ? free_modprobe_argv+0xa0/0xa0
[ 31.322541]  ? lock_downgrade+0x980/0x980
[ 31.322545]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.322549]  ? pcpu_alloc+0x146/0x10e0
[ 31.322558]  ? __mutex_unlock_slowpath+0xe9/0xac0
[ 31.322562]  ? pcpu_free_area+0xa00/0xa00
[ 31.322567]  ? wait_for_completion+0x770/0x770
[ 31.322573]  ? __kernel_text_address+0xd/0x40
[ 31.322577]  ? wait_for_completion+0x770/0x770
[ 31.322582]  ? trace_hardirqs_off+0xd/0x10
[ 31.322588]  ? depot_save_stack+0x3b5/0x490
[ 31.322594]  ? kvfree+0x36/0x60
[ 31.322601]  ? xt_find_target+0x17b/0x1e0
[ 31.322612]  xt_request_find_target+0x8b/0xb0
[ 31.322617]  find_check_entry.isra.8+0x612/0xcb0
[ 31.322625]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.322630]  ? ipt_do_table+0x1330/0x1330
[ 31.322636]  ? mark_held_locks+0xaf/0x100
[ 31.322640]  ? kfree+0xf0/0x260
[ 31.322644]  ? kvfree+0x36/0x60
[ 31.322648]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 31.322653]  ? trace_hardirqs_on+0xd/0x10
[ 31.322660]  translate_table+0xed1/0x1610
[ 31.322673]  ? alloc_counters.isra.11+0x7d0/0x7d0
[ 31.322679]  ? kasan_check_write+0x14/0x20
[ 31.322683]  ? _copy_from_user+0x99/0x110
[ 31.322689]  do_ipt_set_ctl+0x370/0x5f0
[ 31.322695]  ? translate_compat_table+0x1b90/0x1b90
[ 31.322705]  ? mutex_unlock+0xd/0x10
[ 31.322709]  ? nf_sockopt_find.constprop.0+0x1a7/0x220
[ 31.322715]  nf_setsockopt+0x67/0xc0
[ 31.322721]  ip_setsockopt+0xa1/0xb0
[ 31.322727]  udp_setsockopt+0x45/0x80
[ 31.322733]  sock_common_setsockopt+0x95/0xd0
[ 31.322738]  SyS_setsockopt+0x189/0x360
[ 31.322744]  ? SyS_recv+0x40/0x40
[ 31.322748]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[ 31.322754]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 31.322758]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 31.322765]  entry_SYSCALL_64_fastpath+0x29/0xa0
[ 31.322768] RIP: 0033:0x43ffc9
[ 31.322770] RSP: 002b:00007ffd8daf2498 EFLAGS: 00000203 ORIG_RAX: 0000000000000036
[ 31.322774] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffc9
[ 31.322776] RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003
[ 31.322778] RBP: 00000000006ca018 R08: 00000000000000f0 R09: 0000000000000000
[ 31.322780] R10: 0000000020f20000 R11: 0000000000000203 R12: 00000000004018f0
[ 31.322782] R13: 0000000000401980 R14: 0000000000000000 R15: 0000000000000000
[ 31.346034] Dumping ftrace buffer:
[ 31.346037]    (ftrace buffer empty)
[ 31.346039] Kernel Offset: disabled
[ 32.204481] Rebooting in 86400 seconds..