[....] Starting OpenBSD Secure Shell server: sshd[   11.332183] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].
Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.863345] random: sshd: uninitialized urandom read (32 bytes read)
[   23.192871] audit: type=1400 audit(1538619187.576:6): avc: denied { map } for pid=1766 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   23.235723] random: sshd: uninitialized urandom read (32 bytes read)
[   23.752317] random: sshd: uninitialized urandom read (32 bytes read)
[   23.907868] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.4' (ECDSA) to the list of known hosts.
[   29.560513] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   29.653268] audit: type=1400 audit(1538619194.036:7): avc: denied { map } for pid=1778 comm="syz-executor911" path="/root/syz-executor911025427" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   29.680334] audit: type=1400 audit(1538619194.036:8): avc: denied { prog_load } for pid=1778 comm="syz-executor911" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[   29.703228] ==================================================================
[   29.703250] BUG: KASAN: use-after-free in bpf_clone_redirect+0x29a/0x2b0
[   29.703255] Read of size 8 at addr ffff8801d0e2f950 by task syz-executor911/1778
[   29.703257]
[   29.703265] CPU: 0 PID: 1778 Comm: syz-executor911 Not tainted 4.14.73+ #15
[   29.703268] Call Trace:
[   29.703278]  dump_stack+0xb9/0x11b
[   29.703292]  print_address_description+0x60/0x22b
[   29.703303]  kasan_report.cold.6+0x11b/0x2dd
[   29.703309]  ? bpf_clone_redirect+0x29a/0x2b0
[   29.703319]  bpf_clone_redirect+0x29a/0x2b0
[   29.703334]  ___bpf_prog_run+0x248e/0x5c70
[   29.703345]  ? __free_insn_slot+0x490/0x490
[   29.703355]  ? bpf_jit_compile+0x30/0x30
[   29.703368]  ? depot_save_stack+0x20a/0x428
[   29.703381]  ? __bpf_prog_run512+0x99/0xe0
[   29.703389]  ? ___bpf_prog_run+0x5c70/0x5c70
[   29.703408]  ? __lock_acquire+0x619/0x4320
[   29.703424]  ? trace_hardirqs_on+0x10/0x10
[   29.703459]  ? trace_hardirqs_on+0x10/0x10
[   29.703471]  ? __lock_acquire+0x619/0x4320
[   29.703484]  ? get_unused_fd_flags+0xc0/0xc0
[   29.703500]  ? bpf_test_run+0x57/0x350
[   29.703518]  ? lock_acquire+0x10f/0x380
[   29.703529]  ? check_preemption_disabled+0x34/0x160
[   29.703543]  ? bpf_test_run+0xab/0x350
[   29.703562]  ? bpf_prog_test_run_skb+0x6b0/0x8c0
[   29.703575]  ? bpf_test_init.isra.1+0xc0/0xc0
[   29.703585]  ? __fget_light+0x163/0x1f0
[   29.703592]  ? bpf_prog_add+0x42/0xa0
[   29.703603]  ? bpf_test_init.isra.1+0xc0/0xc0
[   29.703612]  ? SyS_bpf+0x79d/0x3640
[   29.703626]  ? bpf_prog_get+0x20/0x20
[   29.703634]  ? __do_page_fault+0x485/0xb60
[   29.703643]  ? lock_downgrade+0x560/0x560
[   29.703661]  ? up_read+0x17/0x30
[   29.703668]  ? __do_page_fault+0x64c/0xb60
[   29.703680]  ? do_syscall_64+0x43/0x4b0
[   29.703691]  ? bpf_prog_get+0x20/0x20
[   29.703697]  ? do_syscall_64+0x19b/0x4b0
[   29.703713]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   29.703732]
[   29.703735] Allocated by task 0:
[   29.703743]  kasan_kmalloc.part.1+0x4f/0xd0
[   29.703749]  kmem_cache_alloc+0xe4/0x2b0
[   29.703757]  skb_clone+0x120/0x300
[   29.703764]  dev_queue_xmit_nit+0x2f8/0x960
[   29.703769]  dev_hard_start_xmit+0xa2/0x890
[   29.703776]  sch_direct_xmit+0x280/0x520
[   29.703781]  __dev_queue_xmit+0x16fd/0x1f40
[   29.703788]  ip_finish_output2+0xc56/0x1190
[   29.703794]  ip_finish_output+0x3a5/0xc40
[   29.703800]  ip_output+0x1c9/0x520
[   29.703806]  ip_local_out+0x94/0x170
[   29.703812]  tcp_v4_send_synack+0x1ec/0x310
[   29.703819]  tcp_conn_request+0x17d8/0x2140
[   29.703826]  tcp_v4_conn_request+0xa1/0x200
[   29.703832]  tcp_rcv_state_process+0x8f4/0x47d8
[   29.703838]  tcp_v4_do_rcv+0x2e8/0x6f0
[   29.703843]  tcp_v4_rcv+0x2c09/0x3240
[   29.703849]  ip_local_deliver_finish+0x3f1/0xaa0
[   29.703855]  ip_local_deliver+0x374/0x450
[   29.703861]  ip_rcv_finish+0x5cc/0x1490
[   29.703867]  ip_rcv+0xa19/0x1028
[   29.703874]  __netif_receive_skb_core+0x149d/0x2d10
[   29.703880]  __netif_receive_skb+0x58/0x1f0
[   29.703886]  netif_receive_skb_internal+0xfc/0x5e0
[   29.703892]  napi_gro_receive+0x20e/0x410
[   29.703899]  receive_buf+0xa55/0x42c0
[   29.703905]  virtnet_poll+0x2af/0x910
[   29.703910]  net_rx_action+0x371/0xce0
[   29.703917]  __do_softirq+0x215/0x997
[   29.703919]
[   29.703922] Freed by task 0:
[   29.703928]  kasan_slab_free+0xac/0x190
[   29.703934]  kmem_cache_free+0x12d/0x350
[   29.703939]  kfree_skbmem+0x9e/0x100
[   29.703945]  kfree_skb+0xd0/0x340
[   29.703952]  packet_rcv_spkt+0xd5/0x4b0
[   29.703958]  dev_queue_xmit_nit+0x6e6/0x960
[   29.703963]  dev_hard_start_xmit+0xa2/0x890
[   29.703969]  sch_direct_xmit+0x280/0x520
[   29.703974]  __dev_queue_xmit+0x16fd/0x1f40
[   29.703981]  ip_finish_output2+0xc56/0x1190
[   29.703987]  ip_finish_output+0x3a5/0xc40
[   29.703993]  ip_output+0x1c9/0x520
[   29.703999]  ip_local_out+0x94/0x170
[   29.704004]  tcp_v4_send_synack+0x1ec/0x310
[   29.704010]  tcp_conn_request+0x17d8/0x2140
[   29.704017]  tcp_v4_conn_request+0xa1/0x200
[   29.704023]  tcp_rcv_state_process+0x8f4/0x47d8
[   29.704029]  tcp_v4_do_rcv+0x2e8/0x6f0
[   29.704035]  tcp_v4_rcv+0x2c09/0x3240
[   29.704041]  ip_local_deliver_finish+0x3f1/0xaa0
[   29.704047]  ip_local_deliver+0x374/0x450
[   29.704052]  ip_rcv_finish+0x5cc/0x1490
[   29.704058]  ip_rcv+0xa19/0x1028
[   29.704064]  __netif_receive_skb_core+0x149d/0x2d10
[   29.704071]  __netif_receive_skb+0x58/0x1f0
[   29.704076]  netif_receive_skb_internal+0xfc/0x5e0
[   29.704082]  napi_gro_receive+0x20e/0x410
[   29.704088]  receive_buf+0xa55/0x42c0
[   29.704094]  virtnet_poll+0x2af/0x910
[   29.704099]  net_rx_action+0x371/0xce0
[   29.704105]  __do_softirq+0x215/0x997
[   29.704107]
[   29.704112] The buggy address belongs to the object at ffff8801d0e2f8c0
[   29.704112]  which belongs to the cache skbuff_head_cache of size 224
[   29.704118] The buggy address is located 144 bytes inside of
[   29.704118]  224-byte region [ffff8801d0e2f8c0, ffff8801d0e2f9a0)
[   29.704121] The buggy address belongs to the page:
[   29.704127] page:ffffea0007438bc0 count:1 mapcount:0 mapping:          (null) index:0x0
[   29.704134] flags: 0x4000000000000100(slab)
[   29.704143] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[   29.704151] raw: 0000000000000000 0000000100000001 ffff8801dab70200 0000000000000000
[   29.704154] page dumped because: kasan: bad access detected
[   29.704155]
[   29.704157] Memory state around the buggy address:
[   29.704163]  ffff8801d0e2f800: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   29.704168]  ffff8801d0e2f880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   29.704173] >ffff8801d0e2f900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.704176]                                                  ^
[   29.704181]  ffff8801d0e2f980: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   29.704187]  ffff8801d0e2fa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.704189] ==================================================================
[   29.704191] Disabling lock debugging due to kernel taint
[   29.704195] Kernel panic - not syncing: panic_on_warn set ...
[   29.704195]
[   29.704207] CPU: 0 PID: 1778 Comm: syz-executor911 Tainted: G    B            4.14.73+ #15
[   29.704209] Call Trace:
[   29.704217]  dump_stack+0xb9/0x11b
[   29.704225]  panic+0x1bf/0x3a4
[   29.704232]  ? add_taint.cold.4+0x16/0x16
[   29.704246]  kasan_end_report+0x43/0x49
[   29.704253]  kasan_report.cold.6+0x77/0x2dd
[   29.704260]  ? bpf_clone_redirect+0x29a/0x2b0
[   29.704269]  bpf_clone_redirect+0x29a/0x2b0
[   29.704278]  ___bpf_prog_run+0x248e/0x5c70
[   29.704286]  ? __free_insn_slot+0x490/0x490
[   29.704293]  ? bpf_jit_compile+0x30/0x30
[   29.704302]  ? depot_save_stack+0x20a/0x428
[   29.704311]  ? __bpf_prog_run512+0x99/0xe0
[   29.704318]  ? ___bpf_prog_run+0x5c70/0x5c70
[   29.704329]  ? __lock_acquire+0x619/0x4320
[   29.704340]  ? trace_hardirqs_on+0x10/0x10
[   29.704349]  ? trace_hardirqs_on+0x10/0x10
[   29.704357]  ? __lock_acquire+0x619/0x4320
[   29.704366]  ? get_unused_fd_flags+0xc0/0xc0
[   29.704376]  ? bpf_test_run+0x57/0x350
[   29.704387]  ? lock_acquire+0x10f/0x380
[   29.704395]  ? check_preemption_disabled+0x34/0x160
[   29.704404]  ? bpf_test_run+0xab/0x350
[   29.704417]  ? bpf_prog_test_run_skb+0x6b0/0x8c0
[   29.704426]  ? bpf_test_init.isra.1+0xc0/0xc0
[   29.704451]  ? __fget_light+0x163/0x1f0
[   29.704457]  ? bpf_prog_add+0x42/0xa0
[   29.704466]  ? bpf_test_init.isra.1+0xc0/0xc0
[   29.704473]  ? SyS_bpf+0x79d/0x3640
[   29.704482]  ? bpf_prog_get+0x20/0x20
[   29.704488]  ? __do_page_fault+0x485/0xb60
[   29.704495]  ? lock_downgrade+0x560/0x560
[   29.704506]  ? up_read+0x17/0x30
[   29.704512]  ? __do_page_fault+0x64c/0xb60
[   29.704520]  ? do_syscall_64+0x43/0x4b0
[   29.704528]  ? bpf_prog_get+0x20/0x20
[   29.704533]  ? do_syscall_64+0x19b/0x4b0
[   29.704543]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   29.710999] Kernel Offset: 0x1e200000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   30.450571] Rebooting in 86400 seconds..