[  OK  ] Started Getty on tty2.
[  OK  ] Reached target Login Prompts.
[  OK  ] Started OpenBSD Secure Shell server.
[  OK  ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.
[  OK  ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.242' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   26.641473] ==================================================================
[   26.648900] BUG: KASAN: slab-out-of-bounds in tipc_nametbl_lookup_dst_nodes+0x44c/0x4c0
[   26.657018] Read of size 4 at addr ffff8880a4ebacd0 by task syz-executor219/7985
[   26.664523]
[   26.666131] CPU: 0 PID: 7985 Comm: syz-executor219 Not tainted 4.14.300-syzkaller #0
[   26.673991] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   26.683667] Call Trace:
[   26.686234]  dump_stack+0x1b2/0x281
[   26.689840]  print_address_description.cold+0x54/0x1d3
[   26.695112]  kasan_report_error.cold+0x8a/0x191
[   26.699884]  ? tipc_nametbl_lookup_dst_nodes+0x44c/0x4c0
[   26.705437]  __asan_report_load4_noabort+0x68/0x70
[   26.710350]  ? tipc_in_scope+0x10/0x60
[   26.714222]  ? tipc_nametbl_lookup_dst_nodes+0x44c/0x4c0
[   26.719647]  tipc_nametbl_lookup_dst_nodes+0x44c/0x4c0
[   26.724904]  tipc_sendmcast+0x51a/0xac0
[   26.728856]  ? check_usage_forwards+0x2d0/0x2d0
[   26.733505]  ? tipc_shutdown+0x2f0/0x2f0
[   26.737546]  ? __save_stack_trace+0x63/0x160
[   26.741972]  ? deref_stack_reg+0x124/0x1a0
[   26.746185]  ? __read_once_size_nocheck.constprop.0+0x10/0x10
[   26.752045]  ? unwind_next_frame+0x404/0x17d0
[   26.756516]  ? do_syscall_64+0x1d5/0x640
[   26.760552]  ? deref_stack_reg+0x1a0/0x1a0
[   26.764763]  __tipc_sendmsg+0xbab/0xf90
[   26.768712]  ? check_usage_forwards+0x2d0/0x2d0
[   26.773357]  ? tipc_sendmcast+0xac0/0xac0
[   26.777491]  ? entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[   26.782832]  ? save_trace+0xd6/0x290
[   26.786609]  ? mark_lock+0x64e/0x1050
[   26.790384]  ? check_usage_forwards+0x2d0/0x2d0
[   26.795044]  ? mark_held_locks+0xa6/0xf0
[   26.799091]  ? __local_bh_enable_ip+0xc1/0x170
[   26.803667]  tipc_sendmsg+0x4c/0x70
[   26.807272]  ? __tipc_sendmsg+0xf90/0xf90
[   26.811393]  sock_sendmsg+0xb5/0x100
[   26.815093]  ___sys_sendmsg+0x6c8/0x800
[   26.819050]  ? copy_msghdr_from_user+0x3b0/0x3b0
[   26.823794]  ? lock_downgrade+0x740/0x740
[   26.827918]  ? trace_hardirqs_on+0x10/0x10
[   26.832127]  ? __fd_install+0x1ec/0x5c0
[   26.836087]  ? lock_acquire+0x170/0x3f0
[   26.840037]  ? __fd_install+0x227/0x5c0
[   26.843984]  ? __fdget+0x167/0x1f0
[   26.847498]  ? sockfd_lookup_light+0xb2/0x160
[   26.851970]  __sys_sendmsg+0xa3/0x120
[   26.855745]  ? SyS_shutdown+0x160/0x160
[   26.859717]  ? SyS_read+0x210/0x210
[   26.863320]  ? __do_page_fault+0x159/0xad0
[   26.867535]  SyS_sendmsg+0x27/0x40
[   26.871135]  ? __sys_sendmsg+0x120/0x120
[   26.875172]  do_syscall_64+0x1d5/0x640
[   26.879035]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[   26.884200]
[   26.885802] Allocated by task 1:
[   26.889145]  kasan_kmalloc+0xeb/0x160
[   26.892920]  __kmalloc+0x15a/0x400
[   26.896443]  tipc_nameseq_create+0x53/0x290
[   26.900741]  tipc_nametbl_insert_publ+0xb37/0x14e0
[   26.905643]  tipc_nametbl_publish+0x211/0x3f0
[   26.910110]  tipc_bind+0x2c4/0x600
[   26.913624]  tipc_server_start+0x31f/0x880
[   26.917834]  tipc_topsrv_init_net+0x53b/0x730
[   26.922301]  ops_init+0xaa/0x3e0
[   26.925659]  register_pernet_operations+0x32f/0x750
[   26.930658]  register_pernet_device+0x28/0x70
[   26.935141]  tipc_init+0x7d/0x137
[   26.938574]  do_one_initcall+0x88/0x210
[   26.942527]  kernel_init_freeable+0x565/0x626
[   26.946997]  kernel_init+0xd/0x167
[   26.950514]  ret_from_fork+0x24/0x30
[   26.954196]
[   26.955798] Freed by task 0:
[   26.958789] (stack is not available)
[   26.962476]
[   26.964081] The buggy address belongs to the object at ffff8880a4ebacc0
[   26.964081]  which belongs to the cache kmalloc-32 of size 32
[   26.976558] The buggy address is located 16 bytes inside of
[   26.976558]  32-byte region [ffff8880a4ebacc0, ffff8880a4ebace0)
[   26.988317] The buggy address belongs to the page:
[   26.993222] page:ffffea000293ae80 count:1 mapcount:0 mapping:ffff8880a4eba000 index:0xffff8880a4ebafc1
[   27.002640] flags: 0xfff00000000100(slab)
[   27.006762] raw: 00fff00000000100 ffff8880a4eba000 ffff8880a4ebafc1 0000000100000029
[   27.014619] raw: ffffea0002919aa0 ffffea0002931ba0 ffff88813fe741c0 0000000000000000
[   27.022470] page dumped because: kasan: bad access detected
[   27.028149]
[   27.029749] Memory state around the buggy address:
[   27.034650]  ffff8880a4ebab80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   27.042070]  ffff8880a4ebac00: fb fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc
[   27.049416] >ffff8880a4ebac80: 04 fc fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
[   27.056757]                                                   ^
[   27.062701]  ffff8880a4ebad00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   27.070044]  ffff8880a4ebad80: 00 00 00 fc fc fc fc fc 00 00 fc fc fc fc fc fc
[   27.077374] ==================================================================
[   27.084704] Disabling lock debugging due to kernel taint
[   27.090188] Kernel panic - not syncing: panic_on_warn set ...
[   27.090188]
[   27.097538] CPU: 0 PID: 7985 Comm: syz-executor219 Tainted: G    B             4.14.300-syzkaller #0
[   27.106621] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   27.115961] Call Trace:
[   27.118536]  dump_stack+0x1b2/0x281
[   27.122148]  panic+0x1f9/0x42d
[   27.125313]  ? add_taint.cold+0x16/0x16
[   27.129262]  kasan_end_report+0x43/0x49
[   27.133208]  kasan_report_error.cold+0xa7/0x191
[   27.137850]  ? tipc_nametbl_lookup_dst_nodes+0x44c/0x4c0
[   27.143286]  __asan_report_load4_noabort+0x68/0x70
[   27.148187]  ? tipc_in_scope+0x10/0x60
[   27.152045]  ? tipc_nametbl_lookup_dst_nodes+0x44c/0x4c0
[   27.157467]  tipc_nametbl_lookup_dst_nodes+0x44c/0x4c0
[   27.162718]  tipc_sendmcast+0x51a/0xac0
[   27.166665]  ? check_usage_forwards+0x2d0/0x2d0
[   27.171310]  ? tipc_shutdown+0x2f0/0x2f0
[   27.175348]  ? __save_stack_trace+0x63/0x160
[   27.179747]  ? deref_stack_reg+0x124/0x1a0
[   27.183955]  ? __read_once_size_nocheck.constprop.0+0x10/0x10
[   27.189813]  ? unwind_next_frame+0x404/0x17d0
[   27.194282]  ? do_syscall_64+0x1d5/0x640
[   27.198318]  ? deref_stack_reg+0x1a0/0x1a0
[   27.202544]  __tipc_sendmsg+0xbab/0xf90
[   27.206493]  ? check_usage_forwards+0x2d0/0x2d0
[   27.211134]  ? tipc_sendmcast+0xac0/0xac0
[   27.215256]  ? entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[   27.220592]  ? save_trace+0xd6/0x290
[   27.224279]  ? mark_lock+0x64e/0x1050
[   27.228106]  ? check_usage_forwards+0x2d0/0x2d0
[   27.232764]  ? mark_held_locks+0xa6/0xf0
[   27.236825]  ? __local_bh_enable_ip+0xc1/0x170
[   27.241382]  tipc_sendmsg+0x4c/0x70
[   27.244999]  ? __tipc_sendmsg+0xf90/0xf90
[   27.249136]  sock_sendmsg+0xb5/0x100
[   27.252829]  ___sys_sendmsg+0x6c8/0x800
[   27.256780]  ? copy_msghdr_from_user+0x3b0/0x3b0
[   27.261513]  ? lock_downgrade+0x740/0x740
[   27.265635]  ? trace_hardirqs_on+0x10/0x10
[   27.269844]  ? __fd_install+0x1ec/0x5c0
[   27.273791]  ? lock_acquire+0x170/0x3f0
[   27.277739]  ? __fd_install+0x227/0x5c0
[   27.281685]  ? __fdget+0x167/0x1f0
[   27.285200]  ? sockfd_lookup_light+0xb2/0x160
[   27.289671]  __sys_sendmsg+0xa3/0x120
[   27.293472]  ? SyS_shutdown+0x160/0x160
[   27.297425]  ? SyS_read+0x210/0x210
[   27.301027]  ? __do_page_fault+0x159/0xad0
[   27.305241]  SyS_sendmsg+0x27/0x40
[   27.308753]  ? __sys_sendmsg+0x120/0x120
[   27.312787]  do_syscall_64+0x1d5/0x640
[   27.316649]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[   27.321977] Kernel Offset: disabled
[   27.325583] Rebooting in 86400 seconds..
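The "Memory state around the buggy address" block is the part of this report that says what the 4-byte read actually hit, but it has to be decoded by hand: every shadow byte covers 8 bytes of kernel memory, 00 means all 8 are addressable, 01..07 means only the first N are, and values such as fc (kmalloc redzone) or fb (freed kmalloc object) are poison. The Python below is an added example for this page, not code from syzkaller or the kernel. It parses the report lines above (copied verbatim, console timestamps included) using the shadow encoding from mm/kasan/kasan.h in 4.14 and works out how much of the 32-byte kmalloc-32 object was really allocated and by how many bytes the read at ffff8880a4ebacd0 overshoots it. The regular expressions, the poison-name table and the function names are my own.

```python
import re

# Shadow-byte encoding used by KASAN in the 4.14 kernel that produced this
# report (mm/kasan/kasan.h): 0x00 = all 8 bytes of the granule addressable,
# 0x01..0x07 = only the first N bytes addressable, anything else is poison.
SHADOW_SCALE = 8
POISON = {
    0xff: "free page",
    0xfe: "page redzone",
    0xfc: "kmalloc redzone",
    0xfb: "freed kmalloc object",
    0xfa: "global redzone",
    0xf1: "stack left redzone",
    0xf2: "stack mid redzone",
    0xf3: "stack right redzone",
    0xf4: "stack partial redzone",
    0xf8: "use-after-scope",
}

TIMESTAMP_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]{16})")
OBJECT_RE = re.compile(r"object at ([0-9a-f]{16})")
REGION_RE = re.compile(r"(\d+)-byte region \[([0-9a-f]{16}), ([0-9a-f]{16})\)")
ROW_RE = re.compile(r"([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})")

# Copied from the KASAN report above; only the lines the decoder needs.
REPORT = """\
[   26.657018] Read of size 4 at addr ffff8880a4ebacd0 by task syz-executor219/7985
[   26.964081] The buggy address belongs to the object at ffff8880a4ebacc0
[   26.964081]  which belongs to the cache kmalloc-32 of size 32
[   26.976558] The buggy address is located 16 bytes inside of
[   26.976558]  32-byte region [ffff8880a4ebacc0, ffff8880a4ebace0)
[   27.029749] Memory state around the buggy address:
[   27.034650]  ffff8880a4ebab80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   27.042070]  ffff8880a4ebac00: fb fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc
[   27.049416] >ffff8880a4ebac80: 04 fc fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
[   27.056757]                                                   ^
[   27.062701]  ffff8880a4ebad00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   27.070044]  ffff8880a4ebad80: 00 00 00 fc fc fc fc fc 00 00 fc fc fc fc fc fc
"""


def parse_report(text):
    """Pull the access, the slab object and the shadow rows out of a KASAN report."""
    info = {"shadow": {}}
    for raw in text.splitlines():
        line = TIMESTAMP_RE.sub("", raw).rstrip()
        m = ACCESS_RE.search(line)
        if m:
            info["op"], info["size"] = m.group(1), int(m.group(2))
            info["addr"] = int(m.group(3), 16)
        m = OBJECT_RE.search(line)
        if m:
            info["object"] = int(m.group(1), 16)
        m = REGION_RE.search(line)
        if m:
            info["object_size"] = int(m.group(1))
        m = ROW_RE.search(line)
        if m:
            row = int(m.group(1), 16)
            info["shadow"][row] = [int(b, 16) for b in m.group(2).split()]
    for key in ("op", "size", "addr", "object", "object_size"):
        if key not in info:
            raise ValueError("report is missing the %s line" % key)
    return info


def shadow_value(shadow_rows, addr):
    """Shadow byte covering addr, or None if it lies outside the dumped rows."""
    granule = addr & ~(SHADOW_SCALE - 1)
    for row, values in shadow_rows.items():
        if row <= granule < row + SHADOW_SCALE * len(values):
            return values[(granule - row) // SHADOW_SCALE]
    return None


def describe(value):
    if value is None:
        return "not in dumped rows"
    if value == 0:
        return "addressable"
    if value < SHADOW_SCALE:
        return "partially addressable (%d bytes)" % value
    return POISON.get(value, "unknown poison 0x%02x" % value)


def addressable_bytes(shadow_rows, start, limit):
    """Walk granules from start until the first poison byte; never exceed limit."""
    count, addr = 0, start
    while count < limit:
        v = shadow_value(shadow_rows, addr)
        if v is None or v >= SHADOW_SCALE:
            break
        if v == 0:
            count += SHADOW_SCALE
            addr += SHADOW_SCALE
        else:
            count += v          # a partial granule ends the allocation
            break
    return min(count, limit)


def analyse(text):
    info = parse_report(text)
    shadow = info["shadow"]
    addr, size = info["addr"], info["size"]
    usable = addressable_bytes(shadow, info["object"], info["object_size"])
    return {
        "access": "%s of %d bytes at 0x%x" % (info["op"], size, addr),
        "offset_in_object": addr - info["object"],
        "slab_object_size": info["object_size"],
        "addressable_in_object": usable,
        "shadow_at_access": describe(shadow_value(shadow, addr)),
        "bytes_past_allocation": max(0, addr + size - (info["object"] + usable)),
    }


if __name__ == "__main__":
    for k, v in analyse(REPORT).items():
        print("%-24s %s" % (k, v))
```

Run stand-alone, it reports that only 16 of the slab object's 32 bytes are addressable (shadow 00 00 followed by fc), that the read at offset 16 lands on a kmalloc redzone byte, and that all 4 bytes of the read lie past the allocation. The same decoding also explains the 04 at the start of the marked row: a neighbouring object whose last granule has only 4 live bytes. Addresses outside the dumped rows return None rather than a guess, which matters when triaging reports where the access sits at the edge of the dump.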