[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   19.519853] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   20.757698] random: sshd: uninitialized urandom read (32 bytes read)
[   21.158418] random: sshd: uninitialized urandom read (32 bytes read)
[   21.889891] sshd (4508) used greatest stack depth: 16712 bytes left
[   21.906256] random: sshd: uninitialized urandom read (32 bytes read)
[   28.081864] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.24' (ECDSA) to the list of known hosts.
[   33.541092] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   33.626483] ==================================================================
[   33.633908] BUG: KASAN: slab-out-of-bounds in nla_strlcpy+0x13d/0x150
[   33.640474] Read of size 1 at addr ffff8801ae467fdd by task syz-executor126/4523
[   33.647978] 
[   33.649585] CPU: 1 PID: 4523 Comm: syz-executor126 Not tainted 4.17.0-rc6+ #62
[   33.656918] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.666246] Call Trace:
[   33.668812]  dump_stack+0x1b9/0x294
[   33.672418]  ? dump_stack_print_info.cold.2+0x52/0x52
[   33.677586]  ? printk+0x9e/0xba
[   33.680843]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   33.685576]  ? kasan_check_write+0x14/0x20
[   33.689797]  print_address_description+0x6c/0x20b
[   33.694617]  ? nla_strlcpy+0x13d/0x150
[   33.698485]  kasan_report.cold.7+0x242/0x2fe
[   33.702874]  __asan_report_load1_noabort+0x14/0x20
[   33.707780]  nla_strlcpy+0x13d/0x150
[   33.711472]  nfnl_acct_new+0x574/0xc50
[   33.715342]  ? nfnl_acct_overquota+0x380/0x380
[   33.719907]  ? debug_check_no_locks_freed+0x310/0x310
[   33.725075]  ? graph_lock+0x170/0x170
[   33.728864]  ? print_usage_bug+0xc0/0xc0
[   33.732907]  ? find_held_lock+0x36/0x1c0
[   33.736957]  ? graph_lock+0x170/0x170
[   33.740737]  ? lock_downgrade+0x8e0/0x8e0
[   33.744868]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.750388]  ? __lock_is_held+0xb5/0x140
[   33.754429]  ? nfnl_acct_overquota+0x380/0x380
[   33.758988]  nfnetlink_rcv_msg+0xdb5/0xff0
[   33.763219]  ? __sanitizer_cov_trace_cmp1+0x17/0x20
[   33.768211]  ? nfnetlink_rcv_msg+0x3bc/0xff0
[   33.772604]  ? nfnetlink_bind+0x3a0/0x3a0
[   33.776730]  ? graph_lock+0x170/0x170
[   33.780504]  ? find_held_lock+0x36/0x1c0
[   33.784543]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.790063]  netlink_rcv_skb+0x172/0x440
[   33.794100]  ? nfnetlink_bind+0x3a0/0x3a0
[   33.798225]  ? netlink_ack+0xbc0/0xbc0
[   33.802093]  ? __netlink_ns_capable+0x100/0x130
[   33.806741]  nfnetlink_rcv+0x1fe/0x1ba0
[   33.810692]  ? kasan_check_read+0x11/0x20
[   33.814819]  ? rcu_is_watching+0x85/0x140
[   33.818946]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   33.824118]  ? nfnl_err_reset+0x2d0/0x2d0
[   33.828245]  ? netlink_remove_tap+0x610/0x610
[   33.832722]  ? refcount_add_not_zero+0x320/0x320
[   33.837460]  ? kasan_check_read+0x11/0x20
[   33.841590]  ? rcu_is_watching+0x85/0x140
[   33.845718]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   33.850890]  ? netlink_skb_destructor+0x210/0x210
[   33.855713]  ? kasan_check_write+0x14/0x20
[   33.859928]  netlink_unicast+0x58b/0x740
[   33.863969]  ? netlink_attachskb+0x970/0x970
[   33.868361]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.873878]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   33.878873]  ? security_netlink_send+0x88/0xb0
[   33.883432]  netlink_sendmsg+0x9f0/0xfa0
[   33.887475]  ? netlink_unicast+0x740/0x740
[   33.891685]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.897199]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.902712]  ? security_socket_sendmsg+0x94/0xc0
[   33.907446]  ? netlink_unicast+0x740/0x740
[   33.911663]  sock_sendmsg+0xd5/0x120
[   33.915358]  sock_write_iter+0x35a/0x5a0
[   33.919398]  ? sock_sendmsg+0x120/0x120
[   33.923358]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   33.928877]  ? iov_iter_init+0xc9/0x1f0
[   33.932833]  __vfs_write+0x64d/0x960
[   33.936525]  ? kernel_read+0x120/0x120
[   33.940396]  ? lock_downgrade+0x8e0/0x8e0
[   33.944523]  ? handle_mm_fault+0x8c0/0xc70
[   33.948739]  ? handle_mm_fault+0x55a/0xc70
[   33.952956]  ? rw_verify_area+0x118/0x360
[   33.957083]  vfs_write+0x1f8/0x560
[   33.960602]  ksys_write+0xf9/0x250
[   33.964120]  ? __ia32_sys_read+0xb0/0xb0
[   33.968159]  ? __ia32_sys_fallocate+0xf0/0xf0
[   33.972642]  __x64_sys_write+0x73/0xb0
[   33.976514]  do_syscall_64+0x1b1/0x800
[   33.980380]  ? syscall_return_slowpath+0x5c0/0x5c0
[   33.985286]  ? syscall_return_slowpath+0x30f/0x5c0
[   33.990211]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.995725]  ? retint_user+0x18/0x18
[   33.999769]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.004593]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.009757] RIP: 0033:0x43fcf9
[   34.012923] RSP: 002b:00007ffdafd3b8f8 EFLAGS: 00000213 ORIG_RAX: 0000000000000001
[   34.020607] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fcf9
[   34.027851] RDX: 000000000000001f RSI: 0000000020000040 RDI: 0000000000000003
[   34.035098] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   34.042344] R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401620
[   34.049598] R13: 00000000004016b0 R14: 0000000000000000 R15: 0000000000000000
[   34.056849] 
[   34.058452] Allocated by task 4523:
[   34.062056]  save_stack+0x43/0xd0
[   34.065486]  kasan_kmalloc+0xc4/0xe0
[   34.069175]  __kmalloc+0x14e/0x760
[   34.072692]  load_elf_phdrs+0x17a/0x250
[   34.076643]  load_elf_binary+0x9bd/0x5610
[   34.080769]  search_binary_handler+0x17d/0x570
[   34.085330]  do_execveat_common.isra.34+0x16ce/0x2590
[   34.090501]  __x64_sys_execve+0x8d/0xb0
[   34.094452]  do_syscall_64+0x1b1/0x800
[   34.098319]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.103484] 
[   34.105089] Freed by task 4523:
[   34.108345]  save_stack+0x43/0xd0
[   34.111773]  __kasan_slab_free+0x11a/0x170
[   34.115986]  kasan_slab_free+0xe/0x10
[   34.119762]  kfree+0xd9/0x260
[   34.122845]  load_elf_binary+0x255d/0x5610
[   34.127059]  search_binary_handler+0x17d/0x570
[   34.131616]  do_execveat_common.isra.34+0x16ce/0x2590
[   34.136779]  __x64_sys_execve+0x8d/0xb0
[   34.140731]  do_syscall_64+0x1b1/0x800
[   34.144594]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.149753] 
[   34.151358] The buggy address belongs to the object at ffff8801ae467cc0
[   34.151358]  which belongs to the cache kmalloc-512 of size 512
[   34.164000] The buggy address is located 285 bytes to the right of
[   34.164000]  512-byte region [ffff8801ae467cc0, ffff8801ae467ec0)
[   34.176370] The buggy address belongs to the page:
[   34.181276] page:ffffea0006b919c0 count:1 mapcount:0 mapping:ffff8801ae467040 index:0x0
[   34.189395] flags: 0x2fffc0000000100(slab)
[   34.193611] raw: 02fffc0000000100 ffff8801ae467040 0000000000000000 0000000100000006
[   34.201470] raw: ffffea0006b11ae0 ffff8801da801748 ffff8801da800940 0000000000000000
[   34.209321] page dumped because: kasan: bad access detected
[   34.215005] 
[   34.216609] Memory state around the buggy address:
[   34.221514]  ffff8801ae467e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   34.228851]  ffff8801ae467f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.236184] >ffff8801ae467f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.243522]                                                     ^
[   34.249727]  ffff8801ae468000: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   34.257064]  ffff8801ae468080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   34.264395] ==================================================================
[   34.271811] Disabling lock debugging due to kernel taint
[   34.277316] Kernel panic - not syncing: panic_on_warn set ...
[   34.277316] 
[   34.284671] CPU: 1 PID: 4523 Comm: syz-executor126 Tainted: G    B             4.17.0-rc6+ #62
[   34.293392] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.302719] Call Trace:
[   34.305288]  dump_stack+0x1b9/0x294
[   34.308903]  ? dump_stack_print_info.cold.2+0x52/0x52
[   34.314068]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   34.318803]  ? nla_strlcpy+0x110/0x150
[   34.322668]  panic+0x22f/0x4de
[   34.325836]  ? add_taint.cold.5+0x16/0x16
[   34.329963]  ? do_raw_spin_unlock+0x9e/0x2e0
[   34.334349]  ? do_raw_spin_unlock+0x9e/0x2e0
[   34.338739]  ? nla_strlcpy+0x13d/0x150
[   34.342603]  kasan_end_report+0x47/0x4f
[   34.346554]  kasan_report.cold.7+0x76/0x2fe
[   34.350851]  __asan_report_load1_noabort+0x14/0x20
[   34.355755]  nla_strlcpy+0x13d/0x150
[   34.359446]  nfnl_acct_new+0x574/0xc50
[   34.363310]  ? nfnl_acct_overquota+0x380/0x380
[   34.367871]  ? debug_check_no_locks_freed+0x310/0x310
[   34.373037]  ? graph_lock+0x170/0x170
[   34.376814]  ? print_usage_bug+0xc0/0xc0
[   34.380848]  ? find_held_lock+0x36/0x1c0
[   34.384884]  ? graph_lock+0x170/0x170
[   34.388660]  ? lock_downgrade+0x8e0/0x8e0
[   34.392783]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.398294]  ? __lock_is_held+0xb5/0x140
[   34.402335]  ? nfnl_acct_overquota+0x380/0x380
[   34.406891]  nfnetlink_rcv_msg+0xdb5/0xff0
[   34.411105]  ? __sanitizer_cov_trace_cmp1+0x17/0x20
[   34.416094]  ? nfnetlink_rcv_msg+0x3bc/0xff0
[   34.420477]  ? nfnetlink_bind+0x3a0/0x3a0
[   34.424598]  ? graph_lock+0x170/0x170
[   34.428461]  ? find_held_lock+0x36/0x1c0
[   34.432501]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.438019]  netlink_rcv_skb+0x172/0x440
[   34.442065]  ? nfnetlink_bind+0x3a0/0x3a0
[   34.446190]  ? netlink_ack+0xbc0/0xbc0
[   34.450062]  ? __netlink_ns_capable+0x100/0x130
[   34.454711]  nfnetlink_rcv+0x1fe/0x1ba0
[   34.458667]  ? kasan_check_read+0x11/0x20
[   34.462800]  ? rcu_is_watching+0x85/0x140
[   34.466925]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   34.472094]  ? nfnl_err_reset+0x2d0/0x2d0
[   34.476219]  ? netlink_remove_tap+0x610/0x610
[   34.480692]  ? refcount_add_not_zero+0x320/0x320
[   34.485426]  ? kasan_check_read+0x11/0x20
[   34.489549]  ? rcu_is_watching+0x85/0x140
[   34.493672]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   34.498845]  ? netlink_skb_destructor+0x210/0x210
[   34.503663]  ? kasan_check_write+0x14/0x20
[   34.507880]  netlink_unicast+0x58b/0x740
[   34.511921]  ? netlink_attachskb+0x970/0x970
[   34.516308]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.521818]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   34.526811]  ? security_netlink_send+0x88/0xb0
[   34.531374]  netlink_sendmsg+0x9f0/0xfa0
[   34.535412]  ? netlink_unicast+0x740/0x740
[   34.539619]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.545132]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.550643]  ? security_socket_sendmsg+0x94/0xc0
[   34.555372]  ? netlink_unicast+0x740/0x740
[   34.559582]  sock_sendmsg+0xd5/0x120
[   34.563269]  sock_write_iter+0x35a/0x5a0
[   34.567310]  ? sock_sendmsg+0x120/0x120
[   34.571261]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   34.576772]  ? iov_iter_init+0xc9/0x1f0
[   34.580719]  __vfs_write+0x64d/0x960
[   34.584410]  ? kernel_read+0x120/0x120
[   34.588273]  ? lock_downgrade+0x8e0/0x8e0
[   34.592397]  ? handle_mm_fault+0x8c0/0xc70
[   34.596607]  ? handle_mm_fault+0x55a/0xc70
[   34.600818]  ? rw_verify_area+0x118/0x360
[   34.604941]  vfs_write+0x1f8/0x560
[   34.608458]  ksys_write+0xf9/0x250
[   34.611974]  ? __ia32_sys_read+0xb0/0xb0
[   34.616010]  ? __ia32_sys_fallocate+0xf0/0xf0
[   34.620484]  __x64_sys_write+0x73/0xb0
[   34.624349]  do_syscall_64+0x1b1/0x800
[   34.628214]  ? syscall_return_slowpath+0x5c0/0x5c0
[   34.633120]  ? syscall_return_slowpath+0x30f/0x5c0
[   34.638033]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.643546]  ? retint_user+0x18/0x18
[   34.647236]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.652055]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.657217] RIP: 0033:0x43fcf9
[   34.660382] RSP: 002b:00007ffdafd3b8f8 EFLAGS: 00000213 ORIG_RAX: 0000000000000001
[   34.668066] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fcf9
[   34.675310] RDX: 000000000000001f RSI: 0000000020000040 RDI: 0000000000000003
[   34.682554] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   34.689798] R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401620
[   34.697042] R13: 00000000004016b0 R14: 0000000000000000 R15: 0000000000000000
[   34.704691] Dumping ftrace buffer:
[   34.708205]    (ftrace buffer empty)
[   34.711888] Kernel Offset: disabled
[   34.715491] Rebooting in 86400 seconds..
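Reading the report above: KASAN caught a one-byte out-of-bounds read inside nla_strlcpy, called from nfnl_acct_new (the NEW handler of the nfnetlink accounting subsystem), on a message that entered the kernel through write(2) on a netlink socket (ORIG_RAX 1 is write, RDI 3 is the fd, RDX 0x1f is a 31-byte buffer; RAX holds -ENOSYS at syscall entry, not a return value). The faulting address is 285 bytes past the end of a 512-byte kmalloc-512 object, and the "Allocated by"/"Freed by" stacks (load_elf_phdrs during an earlier execve, already freed) describe that nearest slab object, which is unrelated execve data, not the buffer nla_strlcpy was reading from; they place the address, they do not explain the bug. panic_on_warn then turned the report into a panic and a reboot. The script below is an added example, not syzbot, syzkaller or kernel code, that automates that reading for reports of this shape: it parses the header, stacks and register dump, drops "?" and instrumentation frames, names the entry syscall from a partial x86-64 table, and recomputes the "N bytes to the right of" offset from the raw addresses so a mangled or hand-edited report is caught. The embedded sample is a constructed excerpt of the log above; the NOISE prefix list and the syscall table are choices made for this example, not kernel definitions.

```python
"""Triage helper for KASAN slab reports shaped like the one above (added
example, not syzkaller or kernel code): extracts the fault, the nearest slab
object, the non-instrumentation frames and the entry syscall, and re-derives
the "N bytes to the right of" line from the raw addresses as a cross-check."""
import re

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # printk timestamp prefix
HEADER = re.compile(r"BUG: KASAN: (\S+) in (\S+)\+0x([0-9a-f]+)/0x[0-9a-f]+")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
REGION = re.compile(r"(\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)")
CLAIM = re.compile(r"is located (\d+) bytes (to the left of|to the right of|inside of)")
FRAME = re.compile(r"^\s*(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
REG = re.compile(r"([A-Z0-9_]+): (?:[0-9a-f]{4}:)?(?:0x)?([0-9a-f]+)")
REG_LINES = ("RIP:", "RSP:", "RAX:", "RDX:", "RBP:", "R10:", "R13:")
# Sanitizer, allocator and report-printer frames are never the interesting one (example's own list).
NOISE = ("dump_stack", "print_address_description", "kasan_", "__kasan_",
         "__asan_", "save_stack", "__kmalloc", "kmalloc", "kfree", "kmem_cache_")
# Partial x86-64 syscall table, enough to name ORIG_RAX in reports like this one.
SYSCALLS_X86_64 = {0: "read", 1: "write", 41: "socket", 44: "sendto", 46: "sendmsg", 59: "execve"}

# Constructed sample: an excerpt of the report above with most frames trimmed.
SAMPLE_REPORT = """\
[   33.633908] BUG: KASAN: slab-out-of-bounds in nla_strlcpy+0x13d/0x150
[   33.640474] Read of size 1 at addr ffff8801ae467fdd by task syz-executor126/4523
[   33.666246] Call Trace:
[   33.668812]  dump_stack+0x1b9/0x294
[   33.702874]  __asan_report_load1_noabort+0x14/0x20
[   33.707780]  nla_strlcpy+0x13d/0x150
[   33.711472]  nfnl_acct_new+0x574/0xc50
[   33.715342]  ? nfnl_acct_overquota+0x380/0x380
[   33.758988]  nfnetlink_rcv_msg+0xdb5/0xff0
[   33.790063]  netlink_rcv_skb+0x172/0x440
[   34.004593]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.009757] RIP: 0033:0x43fcf9
[   34.012923] RSP: 002b:00007ffdafd3b8f8 EFLAGS: 00000213 ORIG_RAX: 0000000000000001
[   34.020607] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fcf9
[   34.027851] RDX: 000000000000001f RSI: 0000000020000040 RDI: 0000000000000003
[   34.058452] Allocated by task 4523:
[   34.062056]  save_stack+0x43/0xd0
[   34.069175]  __kmalloc+0x14e/0x760
[   34.072692]  load_elf_phdrs+0x17a/0x250
[   34.105089] Freed by task 4523:
[   34.108345]  save_stack+0x43/0xd0
[   34.119762]  kfree+0xd9/0x260
[   34.122845]  load_elf_binary+0x255d/0x5610
[   34.164000] The buggy address is located 285 bytes to the right of
[   34.164000]  512-byte region [ffff8801ae467cc0, ffff8801ae467ec0)
"""


def decode_syscall_entry(regs):
    """x86-64 entry: number in ORIG_RAX, args in RDI RSI RDX R10 R08 R09; RAX is -ENOSYS."""
    if "ORIG_RAX" not in regs:
        return None
    nr = regs["ORIG_RAX"]
    return {"nr": nr, "name": SYSCALLS_X86_64.get(nr, "nr%d" % nr),
            "args": [regs.get(k) for k in ("RDI", "RSI", "RDX", "R10", "R08", "R09")]}


def parse_kasan_report(text):
    r = {"frames": [], "allocated_by": [], "freed_by": [], "regs": {}}
    section = None
    for raw in text.splitlines():
        line = TS.sub("", raw)
        if m := HEADER.search(line):
            r["bug"], r["site"], r["site_offset"] = m[1], m[2], int(m[3], 16)
        elif m := ACCESS.search(line):
            r["access"], r["addr"] = (m[1], int(m[2])), int(m[3], 16)
            r["task"] = (m[4], int(m[5]))
        elif m := REGION.search(line):
            r["region"] = (int(m[2], 16), int(m[3], 16))
        elif m := CLAIM.search(line):
            r["reported_relation"] = (m[2], int(m[1]))
        elif line.startswith("Call Trace:"):
            section = "frames"
        elif line.startswith("Allocated by task"):
            section = "allocated_by"
        elif line.startswith("Freed by task"):
            section = "freed_by"
        elif m := FRAME.match(line):
            if section and not m[1]:  # "? sym" frames are stale stack slots, not callers
                r[section].append(m[2])
        else:
            section = None  # any other line ends a stack dump
            if line.startswith(REG_LINES):
                r["regs"].update((k, int(v, 16)) for k, v in REG.findall(line))
    if "addr" in r and "region" in r:  # redo KASAN's nearest-object arithmetic
        (start, end), addr = r["region"], r["addr"]
        if addr < start:
            r["computed_relation"] = ("to the left of", start - addr)
        elif addr >= end:
            r["computed_relation"] = ("to the right of", addr - end)
        else:
            r["computed_relation"] = ("inside of", addr - start)
        r["relation_matches_report"] = r["computed_relation"] == r.get("reported_relation")
    r["interesting"] = [f for f in r["frames"] if not f.startswith(NOISE)]
    r["alloc_site"] = next((f for f in r["allocated_by"] if not f.startswith(NOISE)), None)
    r["free_site"] = next((f for f in r["freed_by"] if not f.startswith(NOISE)), None)
    r["syscall"] = decode_syscall_entry(r["regs"])
    return r
```

Run it on a full console log with parse_kasan_report(open(path).read()); on the sample the first three interesting frames come back as nla_strlcpy, nfnl_acct_new, nfnetlink_rcv_msg, the entry syscall as write(3, 0x20000040, 31), and the recomputed offset agrees with the report's 285 bytes. Registers the excerpt omits (R10, R8, R9) decode to None rather than a guessed value, and the "? sym" frames are dropped on purpose: they are leftover values the unwinder found on the stack, not confirmed callers.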