[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 14.344777][ T1666] random: sshd: uninitialized urandom read (32 bytes read)
[ 14.562858][ C1] random: crng init done

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.167' (ECDSA) to the list of known hosts.
executing program

syzkaller login:
[ 22.658544][ T12] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 22.898079][ T12] usb 1-1: Using ep0 maxpacket: 8
[ 23.018134][ T12] usb 1-1: config 0 has an invalid interface number: 69 but max is 0
[ 23.026359][ T12] usb 1-1: config 0 has no interface number 0
[ 23.032477][ T12] usb 1-1: config 0 interface 69 altsetting 0 endpoint 0xC has invalid maxpacket 2045, setting to 1024
[ 23.043523][ T12] usb 1-1: config 0 interface 69 altsetting 0 bulk endpoint 0xC has invalid maxpacket 1024
[ 23.053517][ T12] usb 1-1: config 0 interface 69 altsetting 0 bulk endpoint 0x8A has invalid maxpacket 762
[ 23.063512][ T12] usb 1-1: New USB device found, idVendor=05a3, idProduct=8388, bcdDevice=ca.a8
[ 23.072537][ T12] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 23.081686][ T12] usb 1-1: config 0 descriptor??
[ 23.138925][ T12] usb 1-1: Direct firmware load for libertas/usb8388_olpc.bin failed with error -2
[ 23.148492][ T12] usb 1-1: Direct firmware load for libertas/usb8388_v9.bin failed with error -2
[ 23.157686][ T12] usb 1-1: Direct firmware load for libertas/usb8388_v5.bin failed with error -2
[ 23.167165][ T12] usb 1-1: Direct firmware load for libertas/usb8388.bin failed with error -2
[ 23.176245][ T12] usb 1-1: Direct firmware load for usb8388.bin failed with error -2
[ 23.184666][ T12] ==================================================================
[ 23.192769][ T12] BUG: KASAN: global-out-of-bounds in load_next_firmware_from_table+0x267/0x2d0
[ 23.201762][ T12] Read of size 8 at addr ffffffff8608e138 by task kworker/0:1/12
[ 23.209442][ T12]
[ 23.211848][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.3.0-rc5+ #27
[ 23.219278][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 23.229325][ T12] Workqueue: events request_firmware_work_func
[ 23.235594][ T12] Call Trace:
[ 23.238865][ T12] dump_stack+0xca/0x13e
[ 23.243154][ T12] ? load_next_firmware_from_table+0x267/0x2d0
[ 23.249297][ T12] ? load_next_firmware_from_table+0x267/0x2d0
[ 23.255435][ T12] print_address_description+0x6a/0x32c
[ 23.260949][ T12] ? load_next_firmware_from_table+0x267/0x2d0
[ 23.267076][ T12] ? load_next_firmware_from_table+0x267/0x2d0
[ 23.273200][ T12] __kasan_report.cold+0x1a/0x33
[ 23.278123][ T12] ? load_next_firmware_from_table+0x267/0x2d0
[ 23.284248][ T12] kasan_report+0xe/0x12
[ 23.288521][ T12] load_next_firmware_from_table+0x267/0x2d0
[ 23.294491][ T12] ? main_firmware_cb+0x100/0x100
[ 23.299491][ T12] helper_firmware_cb+0xdc/0x100
[ 23.304404][ T12] request_firmware_work_func+0x126/0x242
[ 23.310093][ T12] ? request_firmware_into_buf+0x90/0x90
[ 23.315701][ T12] process_one_work+0x92b/0x1530
[ 23.320615][ T12] ? pwq_dec_nr_in_flight+0x310/0x310
[ 23.325960][ T12] ? do_raw_spin_lock+0x11a/0x280
[ 23.331004][ T12] worker_thread+0x96/0xe20
[ 23.335484][ T12] ? process_one_work+0x1530/0x1530
[ 23.340668][ T12] kthread+0x318/0x420
[ 23.344722][ T12] ? kthread_create_on_node+0xf0/0xf0
[ 23.350083][ T12] ret_from_fork+0x24/0x30
[ 23.354464][ T12]
[ 23.356760][ T12] The buggy address belongs to the variable:
[ 23.362715][ T12] fw_table+0x98/0x5c0
[ 23.366749][ T12]
[ 23.369048][ T12] Memory state around the buggy address:
[ 23.374650][ T12] ffffffff8608e000: fa fa fa fa 00 04 fa fa fa fa fa fa 00 00 05 fa
[ 23.384414][ T12] ffffffff8608e080: fa fa fa fa 00 00 00 00