[....] Starting OpenBSD Secure Shell server: sshd[ 10.380259] random: sshd: uninitialized urandom read (32 bytes read)
[ ok .
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 20.435985] random: sshd: uninitialized urandom read (32 bytes read)
[ 20.889965] audit: type=1400 audit(1548037880.867:6): avc: denied { map } for pid=1757 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 20.919228] random: sshd: uninitialized urandom read (32 bytes read)
[ 21.396191] random: sshd: uninitialized urandom read (32 bytes read)
[ 21.541250] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.33' (ECDSA) to the list of known hosts.
[ 27.054580] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.136415] audit: type=1400 audit(1548037887.117:7): avc: denied { map } for pid=1769 comm="syz-executor626" path="/root/syz-executor626811272" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 27.420649] ==================================================================
[ 27.428274] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[ 27.435075] Read of size 8 at addr ffff8881d7387790 by task syz-executor626/1772
[ 27.442575]
[ 27.444295] CPU: 0 PID: 1772 Comm: syz-executor626 Not tainted 4.14.94+ #12
[ 27.451368] Call Trace:
[ 27.453932] dump_stack+0xb9/0x10e
[ 27.457443] ? ip_local_deliver+0x43d/0x450
[ 27.461754] print_address_description+0x60/0x226
[ 27.466590] ? ip_local_deliver+0x43d/0x450
[ 27.470885] kasan_report.cold+0x88/0x2a5
[ 27.475008] ? ip_local_deliver+0x43d/0x450
[ 27.479429] ? ip_call_ra_chain+0x540/0x540
[ 27.483735] ? __lock_acquire+0x56a/0x3fa0
[ 27.487944] ? ip_options_compile+0x65b/0x1360
[ 27.492536] ? ip_rcv+0x99f/0xf7a
[ 27.496071] ? ip_rcv_finish+0x5c9/0x1490
[ 27.500203] ? ip_rcv+0x9e2/0xf7a
[ 27.503631] ? ip_local_deliver+0x450/0x450
[ 27.507924] ? __lock_acquire+0x56a/0x3fa0
[ 27.512266] ? check_preemption_disabled+0x35/0x1f0
[ 27.517258] ? ip_local_deliver+0x450/0x450
[ 27.521554] ? __netif_receive_skb_core+0x1364/0x2c60
[ 27.526732] ? trace_hardirqs_on+0x10/0x10
[ 27.531107] ? flush_backlog+0x580/0x580
[ 27.535146] ? netif_receive_skb_internal+0x3aa/0x5c0
[ 27.540473] ? netif_receive_skb_internal+0x3aa/0x5c0
[ 27.545635] ? lock_acquire+0x10f/0x380
[ 27.549580] ? __netif_receive_skb+0x55/0x1f0
[ 27.554225] ? __netif_receive_skb+0x55/0x1f0
[ 27.558700] ? netif_receive_skb_internal+0xec/0x5c0
[ 27.563784] ? dev_cpu_dead+0x810/0x810
[ 27.567819] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 27.573719] ? rcu_read_lock_sched_held+0x10a/0x130
[ 27.579003] ? tun_rx_batched.isra.0+0x45d/0x730
[ 27.583779] ? __skb_get_hash_symmetric+0x255/0x620
[ 27.588898] ? tun_chr_read_iter+0x1c0/0x1c0
[ 27.593641] ? tun_get_user+0xc07/0x3790
[ 27.597888] ? __local_bh_enable_ip+0x65/0xc0
[ 27.602504] ? tun_get_user+0xd95/0x3790
[ 27.606547] ? tun_rx_batched.isra.0+0x730/0x730
[ 27.611294] ? debug_mutex_add_waiter+0x60/0x150
[ 27.616056] ? mark_held_locks+0xa6/0xf0
[ 27.620284] ? get_page_from_freelist+0x85e/0x1d60
[ 27.625312] ? preempt_count_add+0xb8/0x180
[ 27.629734] ? __tun_get+0x11c/0x220
[ 27.633533] ? check_preemption_disabled+0x35/0x1f0
[ 27.638538] ? tun_chr_write_iter+0xcf/0x180
[ 27.642922] ? do_iter_readv_writev+0x379/0x580
[ 27.647850] ? clone_verify_area+0x1e0/0x1e0
[ 27.652380] ? avc_policy_seqno+0x5/0x10
[ 27.656422] ? security_file_permission+0x88/0x1e0
[ 27.661449] ? do_iter_write+0x152/0x550
[ 27.665837] ? lock_downgrade+0x5d0/0x5d0
[ 27.670052] ? vfs_writev+0x146/0x2d0
[ 27.673909] ? vfs_iter_write+0xa0/0xa0
[ 27.677975] ? __handle_mm_fault+0x6c5/0x2640
[ 27.682456] ? __fsnotify_inode_delete+0x20/0x20
[ 27.687192] ? __do_page_fault+0x48e/0xb80
[ 27.691607] ? lock_downgrade+0x5d0/0x5d0
[ 27.695923] ? check_preemption_disabled+0x35/0x1f0
[ 27.701164] ? do_writev+0xc9/0x240
[ 27.704840] ? vfs_writev+0x2d0/0x2d0
[ 27.708621] ? do_syscall_64+0x43/0x4b0
[ 27.712769] ? SyS_readv+0x30/0x30
[ 27.716582] ? do_syscall_64+0x19b/0x4b0
[ 27.720674] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 27.726186]
[ 27.727793] Allocated by task 1772:
[ 27.731412] kasan_kmalloc.part.0+0x4f/0xd0
[ 27.735783] kmem_cache_alloc+0xd2/0x2d0
[ 27.739830] __build_skb+0x2e/0x2d0
[ 27.743447] build_skb+0x1a/0x1f0
[ 27.746933] tun_get_user+0x248b/0x3790
[ 27.750885] tun_chr_write_iter+0xcf/0x180
[ 27.755194] do_iter_readv_writev+0x379/0x580
[ 27.759684] do_iter_write+0x152/0x550
[ 27.763685] vfs_writev+0x146/0x2d0
[ 27.767293] do_writev+0xc9/0x240
[ 27.770779] do_syscall_64+0x19b/0x4b0
[ 27.774645]
[ 27.776245] Freed by task 1772:
[ 27.779622] kasan_slab_free+0xb0/0x190
[ 27.783579] kmem_cache_free+0xc4/0x330
[ 27.787617] kfree_skbmem+0xa0/0x100
[ 27.791309] kfree_skb+0xcd/0x350
[ 27.794952] ip_defrag+0x5f4/0x3b50
[ 27.798787] ip_local_deliver+0x165/0x450
[ 27.802908] ip_rcv_finish+0x5c9/0x1490
[ 27.806866] ip_rcv+0x9e2/0xf7a
[ 27.810124] __netif_receive_skb_core+0x1364/0x2c60
[ 27.815122] __netif_receive_skb+0x55/0x1f0
[ 27.819644] netif_receive_skb_internal+0xec/0x5c0
[ 27.824654] tun_rx_batched.isra.0+0x45d/0x730
[ 27.829416] tun_get_user+0xd95/0x3790
[ 27.833397] tun_chr_write_iter+0xcf/0x180
[ 27.837746] do_iter_readv_writev+0x379/0x580
[ 27.842322] do_iter_write+0x152/0x550
[ 27.846328] vfs_writev+0x146/0x2d0
[ 27.850061] do_writev+0xc9/0x240
[ 27.853595] do_syscall_64+0x19b/0x4b0
[ 27.857581]
[ 27.859187] The buggy address belongs to the object at ffff8881d7387780
[ 27.859187] which belongs to the cache skbuff_head_cache of size 224
[ 27.872346] The buggy address is located 16 bytes inside of
[ 27.872346] 224-byte region [ffff8881d7387780, ffff8881d7387860)
[ 27.884708] The buggy address belongs to the page:
[ 27.889621] page:ffffea00075ce1c0 count:1 mapcount:0 mapping: (null) index:0x0
[ 27.897736] flags: 0x4000000000000100(slab)
[ 27.902392] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[ 27.910627] raw: dead000000000100 dead000000000200 ffff8881dab58200 0000000000000000
[ 27.918600] page dumped because: kasan: bad access detected
[ 27.924549]
[ 27.926160] Memory state around the buggy address:
[ 27.931080] ffff8881d7387680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.938453] ffff8881d7387700: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.945889] >ffff8881d7387780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.953325] ^
[ 27.957277] ffff8881d7387800: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 27.964682] ffff8881d7387880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.972245] ==================================================================
[ 27.979789] Disabling lock debugging due to kernel taint
[ 27.985259] Kernel panic - not syncing: panic_on_warn set ...
[ 27.985259]
[ 27.992799] CPU: 0 PID: 1772 Comm: syz-executor626 Tainted: G B 4.14.94+ #12
[ 28.001307] Call Trace:
[ 28.003995] dump_stack+0xb9/0x10e
[ 28.007513] panic+0x1d9/0x3c2
[ 28.010771] ? add_taint.cold+0x16/0x16
[ 28.014818] ? retint_kernel+0x2d/0x2d
[ 28.018816] ? ip_local_deliver+0x43d/0x450
[ 28.023112] kasan_end_report+0x43/0x49
[ 28.027063] kasan_report.cold+0xa4/0x2a5
[ 28.031336] ? ip_local_deliver+0x43d/0x450
[ 28.035746] ? ip_call_ra_chain+0x540/0x540
[ 28.040059] ? __lock_acquire+0x56a/0x3fa0
[ 28.044299] ? ip_options_compile+0x65b/0x1360
[ 28.049291] ? ip_rcv+0x99f/0xf7a
[ 28.052833] ? ip_rcv_finish+0x5c9/0x1490
[ 28.057300] ? ip_rcv+0x9e2/0xf7a
[ 28.061283] ? ip_local_deliver+0x450/0x450
[ 28.065795] ? __lock_acquire+0x56a/0x3fa0
[ 28.070154] ? check_preemption_disabled+0x35/0x1f0
[ 28.075421] ? ip_local_deliver+0x450/0x450
[ 28.080064] ? __netif_receive_skb_core+0x1364/0x2c60
[ 28.085349] ? trace_hardirqs_on+0x10/0x10
[ 28.089797] ? flush_backlog+0x580/0x580
[ 28.093983] ? netif_receive_skb_internal+0x3aa/0x5c0
[ 28.099280] ? netif_receive_skb_internal+0x3aa/0x5c0
[ 28.104640] ? lock_acquire+0x10f/0x380
[ 28.108724] ? __netif_receive_skb+0x55/0x1f0
[ 28.113210] ? __netif_receive_skb+0x55/0x1f0
[ 28.117683] ? netif_receive_skb_internal+0xec/0x5c0
[ 28.122921] ? dev_cpu_dead+0x810/0x810
[ 28.126942] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 28.132390] ? rcu_read_lock_sched_held+0x10a/0x130
[ 28.137500] ? tun_rx_batched.isra.0+0x45d/0x730
[ 28.142232] ? __skb_get_hash_symmetric+0x255/0x620
[ 28.147366] ? tun_chr_read_iter+0x1c0/0x1c0
[ 28.151752] ? tun_get_user+0xc07/0x3790
[ 28.155808] ? __local_bh_enable_ip+0x65/0xc0
[ 28.160558] ? tun_get_user+0xd95/0x3790
[ 28.164660] ? tun_rx_batched.isra.0+0x730/0x730
[ 28.169393] ? debug_mutex_add_waiter+0x60/0x150
[ 28.174333] ? mark_held_locks+0xa6/0xf0
[ 28.178383] ? get_page_from_freelist+0x85e/0x1d60
[ 28.183333] ? preempt_count_add+0xb8/0x180
[ 28.187649] ? __tun_get+0x11c/0x220
[ 28.191347] ? check_preemption_disabled+0x35/0x1f0
[ 28.196342] ? tun_chr_write_iter+0xcf/0x180
[ 28.200741] ? do_iter_readv_writev+0x379/0x580
[ 28.205385] ? clone_verify_area+0x1e0/0x1e0
[ 28.209874] ? avc_policy_seqno+0x5/0x10
[ 28.214121] ? security_file_permission+0x88/0x1e0
[ 28.219054] ? do_iter_write+0x152/0x550
[ 28.223104] ? lock_downgrade+0x5d0/0x5d0
[ 28.227463] ? vfs_writev+0x146/0x2d0
[ 28.231320] ? vfs_iter_write+0xa0/0xa0
[ 28.235575] ? __handle_mm_fault+0x6c5/0x2640
[ 28.240156] ? __fsnotify_inode_delete+0x20/0x20
[ 28.245066] ? __do_page_fault+0x48e/0xb80
[ 28.249454] ? lock_downgrade+0x5d0/0x5d0
[ 28.253819] ? check_preemption_disabled+0x35/0x1f0
[ 28.258961] ? do_writev+0xc9/0x240
[ 28.262580] ? vfs_writev+0x2d0/0x2d0
[ 28.266532] ? do_syscall_64+0x43/0x4b0
[ 28.270484] ? SyS_readv+0x30/0x30
[ 28.273996] ? do_syscall_64+0x19b/0x4b0
[ 28.278251] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 28.284029] Kernel Offset: 0x2e400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 28.294931] Rebooting in 86400 seconds..