[ ok ] Starting enhanced syslogd: rsyslogd.
[ 12.084258] audit: type=1400 audit(1520717812.825:4): avc: denied { syslog } for pid=3499 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.29' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 38.530460] ==================================================================
[ 38.537854] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x153e/0x3470
[ 38.544404] Read of size 2368 at addr ffff8801c9592040 by task syzkaller890091/3665
[ 38.552163]
[ 38.553767] CPU: 1 PID: 3665 Comm: syzkaller890091 Not tainted 4.9.86-g00db063 #52
[ 38.561438] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.570762]  ffff8801cf12f728 ffffffff81d956f9 ffffea0007256480 ffff8801c9592040
[ 38.578730]  0000000000000000 ffff8801c9592200 ffff8801cf12f968 ffff8801cf12f760
[ 38.586693]  ffffffff8153e083 ffff8801c9592040 0000000000000940 0000000000000000
[ 38.594660] Call Trace:
[ 38.597218]  [] dump_stack+0xc1/0x128
[ 38.602551]  [] print_address_description+0x73/0x280
[ 38.609186]  [] kasan_report+0x275/0x360
[ 38.614778]  [] ? pfkey_add+0x153e/0x3470
[ 38.620458]  [] check_memory_region+0x137/0x190
[ 38.626660]  [] memcpy+0x23/0x50
[ 38.631559]  [] pfkey_add+0x153e/0x3470
[ 38.637063]  [] ? pfkey_delete+0x360/0x360
[ 38.642829]  [] ? pfkey_seq_stop+0x80/0x80
[ 38.648596]  [] ? __skb_clone+0x24a/0x7d0
[ 38.654274]  [] ? pfkey_delete+0x360/0x360
[ 38.660036]  [] pfkey_process+0x68b/0x750
[ 38.665716]  [] ? pfkey_send_new_mapping+0x11b0/0x11b0
[ 38.672524]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 38.679330]  [] pfkey_sendmsg+0x3a9/0x760
[ 38.685010]  [] ? pfkey_spdget+0x820/0x820
[ 38.690776]  [] sock_sendmsg+0xca/0x110
[ 38.696280]  [] ___sys_sendmsg+0x6d1/0x7e0
[ 38.702044]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 38.708849]  [] ? copy_msghdr_from_user+0x570/0x570
[ 38.715398]  [] ? __lru_cache_add+0x187/0x250
[ 38.721425]  [] ? do_huge_pmd_anonymous_page+0xb05/0x10d0
[ 38.728494]  [] ? _raw_spin_unlock+0x2c/0x50
[ 38.734433]  [] ? do_huge_pmd_anonymous_page+0x2d4/0x10d0
[ 38.741502]  [] ? handle_mm_fault+0x4c1/0x2470
[ 38.747616]  [] ? __fget_light+0x169/0x1f0
[ 38.753383]  [] ? __fdget+0x18/0x20
[ 38.758541]  [] ? sockfd_lookup_light+0x118/0x160
[ 38.764911]  [] __sys_sendmsg+0xd6/0x190
[ 38.770506]  [] ? SyS_shutdown+0x1b0/0x1b0
[ 38.776276]  [] ? __do_page_fault+0x5ec/0xd40
[ 38.782303]  [] SyS_sendmsg+0x2d/0x50
[ 38.787640]  [] ? __sys_sendmsg+0x190/0x190
[ 38.793503]  [] do_syscall_64+0x1a4/0x490
[ 38.799194]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 38.806101]
[ 38.807698] Allocated by task 3665:
[ 38.811295]  save_stack_trace+0x16/0x20
[ 38.815238]  save_stack+0x43/0xd0
[ 38.818670]  kasan_kmalloc+0xad/0xe0
[ 38.822350]  kasan_slab_alloc+0x12/0x20
[ 38.826292]  __kmalloc_track_caller+0xda/0x2b0
[ 38.830847]  __kmalloc_reserve.isra.37+0x33/0xc0
[ 38.835571]  __alloc_skb+0x119/0x600
[ 38.839256]  pfkey_sendmsg+0x135/0x760
[ 38.843112]  sock_sendmsg+0xca/0x110
[ 38.846794]  ___sys_sendmsg+0x6d1/0x7e0
[ 38.850735]  __sys_sendmsg+0xd6/0x190
[ 38.854503]  SyS_sendmsg+0x2d/0x50
[ 38.858013]  do_syscall_64+0x1a4/0x490
[ 38.861869]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 38.866940]
[ 38.868547] Freed by task 2045:
[ 38.871797]  save_stack_trace+0x16/0x20
[ 38.875748]  save_stack+0x43/0xd0
[ 38.879172]  kasan_slab_free+0x72/0xc0
[ 38.883025]  kfree+0x103/0x300
[ 38.886186]  kernfs_fop_release+0xff/0x140
[ 38.890389]  __fput+0x28c/0x6e0
[ 38.893637]  ____fput+0x15/0x20
[ 38.896889]  task_work_run+0x115/0x190
[ 38.900743]  exit_to_usermode_loop+0xfc/0x120
[ 38.905205]  do_syscall_64+0x36f/0x490
[ 38.909059]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 38.914580]
[ 38.916179] The buggy address belongs to the object at ffff8801c9592000
[ 38.916179]  which belongs to the cache kmalloc-512 of size 512
[ 38.928802] The buggy address is located 64 bytes inside of
[ 38.928802]  512-byte region [ffff8801c9592000, ffff8801c9592200)
[ 38.940556] The buggy address belongs to the page:
[ 38.945455] page:ffffea0007256480 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 38.955630] flags: 0x8000000000004080(slab|head)
[ 38.960351] page dumped because: kasan: bad access detected
[ 38.966025]
[ 38.967620] Memory state around the buggy address:
[ 38.972516]  ffff8801c9592100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 38.979843]  ffff8801c9592180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 38.987168] >ffff8801c9592200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 38.994490]                    ^
[ 38.997824]  ffff8801c9592280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.005161]  ffff8801c9592300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.012485] ==================================================================
[ 39.019809] Disabling lock debugging due to kernel taint
[ 39.025607] Kernel panic - not syncing: panic_on_warn set ...
[ 39.025607]
[ 39.032949] CPU: 1 PID: 3665 Comm: syzkaller890091 Tainted: G    B   4.9.86-g00db063 #52
[ 39.041841] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.051176]  ffff8801cf12f680 ffffffff81d956f9 ffffffff84197a0f ffff8801cf12f758
[ 39.059143]  0000000000000000 ffff8801c9592200 ffff8801cf12f968 ffff8801cf12f748
[ 39.067117]  ffffffff8142f531 0000000041b58ab3 ffffffff8418b470 ffffffff8142f375
[ 39.075076] Call Trace:
[ 39.077636]  [] dump_stack+0xc1/0x128
[ 39.082968]  [] panic+0x1bc/0x3a8
[ 39.087954]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 39.096152]  [] ? preempt_schedule+0x25/0x30
[ 39.102091]  [] ? ___preempt_schedule+0x16/0x18
[ 39.108291]  [] kasan_end_report+0x50/0x50
[ 39.114057]  [] kasan_report+0x167/0x360
[ 39.119648]  [] ? pfkey_add+0x153e/0x3470
[ 39.125327]  [] check_memory_region+0x137/0x190
[ 39.131536]  [] memcpy+0x23/0x50
[ 39.136443]  [] pfkey_add+0x153e/0x3470
[ 39.141953]  [] ? pfkey_delete+0x360/0x360
[ 39.147721]  [] ? pfkey_seq_stop+0x80/0x80
[ 39.153492]  [] ? __skb_clone+0x24a/0x7d0
[ 39.159173]  [] ? pfkey_delete+0x360/0x360
[ 39.164940]  [] pfkey_process+0x68b/0x750
[ 39.170631]  [] ? pfkey_send_new_mapping+0x11b0/0x11b0
[ 39.177440]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 39.184249]  [] pfkey_sendmsg+0x3a9/0x760
[ 39.189925]  [] ? pfkey_spdget+0x820/0x820
[ 39.195694]  [] sock_sendmsg+0xca/0x110
[ 39.201198]  [] ___sys_sendmsg+0x6d1/0x7e0
[ 39.206962]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 39.213768]  [] ? copy_msghdr_from_user+0x570/0x570
[ 39.220318]  [] ? __lru_cache_add+0x187/0x250
[ 39.226344]  [] ? do_huge_pmd_anonymous_page+0xb05/0x10d0
[ 39.233411]  [] ? _raw_spin_unlock+0x2c/0x50
[ 39.239351]  [] ? do_huge_pmd_anonymous_page+0x2d4/0x10d0
[ 39.246416]  [] ? handle_mm_fault+0x4c1/0x2470
[ 39.252527]  [] ? __fget_light+0x169/0x1f0
[ 39.258289]  [] ? __fdget+0x18/0x20
[ 39.263446]  [] ? sockfd_lookup_light+0x118/0x160
[ 39.269820]  [] __sys_sendmsg+0xd6/0x190
[ 39.275418]  [] ? SyS_shutdown+0x1b0/0x1b0
[ 39.281184]  [] ? __do_page_fault+0x5ec/0xd40
[ 39.287207]  [] SyS_sendmsg+0x2d/0x50
[ 39.292535]  [] ? __sys_sendmsg+0x190/0x190
[ 39.298386]  [] do_syscall_64+0x1a4/0x490
[ 39.304065]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 39.311001] Dumping ftrace buffer:
[ 39.314507]    (ftrace buffer empty)
[ 39.318188] Kernel Offset: disabled
[ 39.321785] Rebooting in 86400 seconds..