5l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 16.044917] random: sshd: uninitialized urandom read (32 bytes read) [ 16.327323] audit: type=1400 audit(1574189051.501:6): avc: denied { map } for pid=1760 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 [ 16.365636] random: sshd: uninitialized urandom read (32 bytes read) [ 16.857254] random: sshd: uninitialized urandom read (32 bytes read) [ 44.586421] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.154' (ECDSA) to the list of known hosts. [ 50.116675] random: sshd: uninitialized urandom read (32 bytes read) 2019/11/19 18:44:45 parsed 1 programs [ 50.234949] audit: type=1400 audit(1574189085.411:7): avc: denied { map } for pid=1790 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 50.911744] random: cc1: uninitialized urandom read (8 bytes read) 2019/11/19 18:44:47 executed programs: 0 [ 51.963334] audit: type=1400 audit(1574189087.141:8): avc: denied { map } for pid=1790 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=5044 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1 [ 52.004306] audit: type=1400 audit(1574189087.141:9): avc: denied { map } for pid=1790 comm="syz-execprog" path="/root/syzkaller-shm682814937" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1 [ 52.548152] audit: type=1400 audit(1574189087.721:10): avc: denied { create } for pid=1818 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 [ 52.572516] audit: type=1400 audit(1574189087.721:11): avc: denied { write } for pid=1818 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 [ 52.597817] audit: type=1400 audit(1574189087.751:12): avc: denied { read } for pid=1818 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 2019/11/19 18:44:52 executed programs: 15 [ 58.611900] ================================================================== [ 58.619327] BUG: KASAN: stack-out-of-bounds in unwind_next_frame+0x169f/0x1810 [ 58.626755] Read of size 8 at addr ffff8881c91b7860 by task syz-executor.2/3594 [ 58.634181] [ 58.635791] CPU: 0 PID: 3594 Comm: syz-executor.2 Not tainted 4.14.154+ #0 [ 58.643491] Call Trace: [ 58.646077] dump_stack+0xe5/0x154 [ 58.649595] ? unwind_next_frame+0x169f/0x1810 [ 58.654166] ? unwind_next_frame+0x169f/0x1810 [ 58.658732] print_address_description+0x60/0x226 [ 58.663559] ? unwind_next_frame+0x169f/0x1810 [ 58.668118] ? unwind_next_frame+0x169f/0x1810 [ 58.672688] __kasan_report.cold+0x1a/0x41 [ 58.676905] ? unwind_next_frame+0x169f/0x1810 [ 58.681468] unwind_next_frame+0x169f/0x1810 [ 58.685859] ? retint_kernel+0x2d/0x2d [ 58.689725] ? perf_callchain_user+0x4a7/0xf80 [ 58.694288] ? deref_stack_reg+0xe0/0xe0 [ 58.698330] ? perf_callchain_user+0x2d1/0xf80 [ 58.702903] ? retint_kernel+0x2d/0x2d [ 58.706776] perf_callchain_kernel+0x3a0/0x540 [ 58.711339] ? perf_callchain_kernel+0x540/0x540 [ 58.716085] ? arch_perf_update_userpage+0x330/0x330 [ 58.721167] ? perf_callchain+0x147/0x190 [ 58.725833] ? futex_wait_setup+0x132/0x330 [ 58.730181] get_perf_callchain+0x2f5/0x770 [ 58.734485] ? put_callchain_buffers+0x60/0x60 [ 58.739045] ? startup_64+0x1/0x30 [ 58.742583] ? __task_pid_nr_ns+0x1ea/0x450 [ 58.746884] perf_callchain+0x147/0x190 [ 58.750841] perf_prepare_sample+0x6a8/0x1360 [ 58.755318] ? perf_output_sample+0x1700/0x1700 [ 58.760061] ? perf_prepare_sample+0x1360/0x1360 [ 58.764798] ? perf_swevent_put_recursion_context+0x1a/0xa0 [ 58.770489] perf_event_output_forward+0xdc/0x220 [ 58.775398] ? perf_prepare_sample+0x1360/0x1360 [ 58.780272] ? __perf_event_overflow+0x1cc/0x340 [ 58.785189] ? check_preemption_disabled+0x35/0x1f0 [ 58.790197] __perf_event_overflow+0x12d/0x340 [ 58.794781] perf_swevent_overflow+0x7a/0xf0 [ 58.799276] perf_swevent_event+0x112/0x270 [ 58.803587] perf_tp_event+0x633/0x7f0 [ 58.807628] ? perf_swevent_put_recursion_context+0xa0/0xa0 [ 58.813319] ? perf_trace_run_bpf_submit+0x113/0x170 [ 58.818424] ? trace_hardirqs_on+0x10/0x10 [ 58.822641] ? __lock_acquire+0x5d7/0x4320 [ 58.826873] ? perf_trace_run_bpf_submit+0x113/0x170 [ 58.832136] ? check_preemption_disabled+0x35/0x1f0 [ 58.837149] perf_trace_run_bpf_submit+0x113/0x170 [ 58.842061] perf_trace_lock_acquire+0x341/0x4e0 [ 58.846798] ? HARDIRQ_verbose+0x10/0x10 [ 58.850951] ? retint_kernel+0x2d/0x2d [ 58.854820] ? get_futex_key+0x4c1/0xf90 [ 58.858860] lock_acquire+0x279/0x360 [ 58.862641] ? futex_wait_setup+0x132/0x330 [ 58.866942] _raw_spin_lock+0x2a/0x40 [ 58.870720] ? futex_wait_setup+0x132/0x330 [ 58.875155] futex_wait_setup+0x132/0x330 [ 58.879987] ? futex_wake+0x440/0x440 [ 58.883769] futex_wait+0x1ad/0x570 [ 58.887374] ? futex_wait_setup+0x330/0x330 [ 58.891770] ? wake_up_q+0xea/0x150 [ 58.895389] ? drop_futex_key_refs.isra.0+0x17/0xb0 [ 58.900411] ? futex_wake+0x15b/0x440 [ 58.904197] do_futex+0x13f/0x1980 [ 58.907724] ? trace_hardirqs_on+0x10/0x10 [ 58.911969] ? perf_trace_lock_acquire+0x341/0x4e0 [ 58.916884] ? exit_robust_list+0x240/0x240 [ 58.921184] ? HARDIRQ_verbose+0x10/0x10 [ 58.925227] ? __might_fault+0x104/0x1b0 [ 58.929321] ? lock_downgrade+0x630/0x630 [ 58.933486] ? lock_acquire+0x12b/0x360 [ 58.937546] ? __might_fault+0xd4/0x1b0 [ 58.941500] ? __might_fault+0x177/0x1b0 [ 58.945552] ? _copy_to_user+0x82/0xd0 [ 58.949424] SyS_futex+0x1c5/0x2c3 [ 58.952946] ? do_futex+0x1980/0x1980 [ 58.956755] ? SyS_clock_gettime+0x7d/0xe0 [ 58.960998] ? do_clock_gettime+0xd0/0xd0 [ 58.965146] ? do_syscall_64+0x43/0x520 [ 58.969101] ? do_futex+0x1980/0x1980 [ 58.972972] do_syscall_64+0x19b/0x520 [ 58.976932] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 58.982201] RIP: 0033:0x45a639 [ 58.985468] RSP: 002b:00007f9c19f34cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 58.993359] RAX: ffffffffffffffda RBX: 000000000075bf28 RCX: 000000000045a639 [ 59.000702] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000075bf28 [ 59.008146] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 [ 59.015413] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000075bf2c [ 59.022836] R13: 00007ffd4ffbc0ff R14: 00007f9c19f359c0 R15: 000000000075bf2c [ 59.030181] [ 59.031788] The buggy address belongs to the page: [ 59.036699] page:ffffea0007246dc0 count:0 mapcount:0 mapping: (null) index:0x0 [ 59.044922] flags: 0x4000000000000000() [ 59.048885] raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff [ 59.056860] raw: 0000000000000000 ffffea0007246de0 0000000000000000 0000000000000000 [ 59.064893] page dumped because: kasan: bad access detected [ 59.070682] [ 59.072289] Memory state around the buggy address: [ 59.077198] ffff8881c91b7700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 59.084538] ffff8881c91b7780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 59.091877] >ffff8881c91b7800: 00 00 00 f1 f1 f1 f1 f1 f1 04 f2 00 f3 f3 f3 00 [ 59.099387] ^ [ 59.105859] ffff8881c91b7880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 59.113197] ffff8881c91b7900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 59.120642] ================================================================== [ 59.128131] Disabling lock debugging due to kernel taint [ 59.133597] Kernel panic - not syncing: panic_on_warn set ... [ 59.133597] [ 59.140952] CPU: 0 PID: 3594 Comm: syz-executor.2 Tainted: G B 4.14.154+ #0 [ 59.149162] Call Trace: [ 59.151740] dump_stack+0xe5/0x154 [ 59.155272] panic+0x1f1/0x3da [ 59.158446] ? add_taint.cold+0x16/0x16 [ 59.162406] ? lock_downgrade+0x630/0x630 [ 59.166535] ? unwind_next_frame+0x169f/0x1810 [ 59.171203] end_report+0x43/0x49 [ 59.174722] ? unwind_next_frame+0x169f/0x1810 [ 59.179382] __kasan_report.cold+0xd/0x41 [ 59.183608] ? unwind_next_frame+0x169f/0x1810 [ 59.188278] unwind_next_frame+0x169f/0x1810 [ 59.193004] ? retint_kernel+0x2d/0x2d [ 59.196930] ? perf_callchain_user+0x4a7/0xf80 [ 59.201503] ? deref_stack_reg+0xe0/0xe0 [ 59.205916] ? perf_callchain_user+0x2d1/0xf80 [ 59.210481] ? retint_kernel+0x2d/0x2d [ 59.214356] perf_callchain_kernel+0x3a0/0x540 [ 59.219007] ? perf_callchain_kernel+0x540/0x540 [ 59.223743] ? arch_perf_update_userpage+0x330/0x330 [ 59.228843] ? perf_callchain+0x147/0x190 [ 59.233064] ? futex_wait_setup+0x132/0x330 [ 59.237370] get_perf_callchain+0x2f5/0x770 [ 59.241683] ? put_callchain_buffers+0x60/0x60 [ 59.246246] ? startup_64+0x1/0x30 [ 59.249765] ? __task_pid_nr_ns+0x1ea/0x450 [ 59.254094] perf_callchain+0x147/0x190 [ 59.258139] perf_prepare_sample+0x6a8/0x1360 [ 59.262617] ? perf_output_sample+0x1700/0x1700 [ 59.267264] ? perf_prepare_sample+0x1360/0x1360 [ 59.272017] ? perf_swevent_put_recursion_context+0x1a/0xa0 [ 59.277806] perf_event_output_forward+0xdc/0x220 [ 59.282774] ? perf_prepare_sample+0x1360/0x1360 [ 59.287517] ? __perf_event_overflow+0x1cc/0x340 [ 59.292260] ? check_preemption_disabled+0x35/0x1f0 [ 59.297416] __perf_event_overflow+0x12d/0x340 [ 59.302091] perf_swevent_overflow+0x7a/0xf0 [ 59.306516] perf_swevent_event+0x112/0x270 [ 59.310825] perf_tp_event+0x633/0x7f0 [ 59.314712] ? perf_swevent_put_recursion_context+0xa0/0xa0 [ 59.320585] ? perf_trace_run_bpf_submit+0x113/0x170 [ 59.325773] ? trace_hardirqs_on+0x10/0x10 [ 59.330004] ? __lock_acquire+0x5d7/0x4320 [ 59.334227] ? perf_trace_run_bpf_submit+0x113/0x170 [ 59.339520] ? check_preemption_disabled+0x35/0x1f0 [ 59.344517] perf_trace_run_bpf_submit+0x113/0x170 [ 59.349441] perf_trace_lock_acquire+0x341/0x4e0 [ 59.354178] ? HARDIRQ_verbose+0x10/0x10 [ 59.358227] ? retint_kernel+0x2d/0x2d [ 59.362098] ? get_futex_key+0x4c1/0xf90 [ 59.366146] lock_acquire+0x279/0x360 [ 59.370125] ? futex_wait_setup+0x132/0x330 [ 59.374617] _raw_spin_lock+0x2a/0x40 [ 59.378434] ? futex_wait_setup+0x132/0x330 [ 59.382930] futex_wait_setup+0x132/0x330 [ 59.387060] ? futex_wake+0x440/0x440 [ 59.390852] futex_wait+0x1ad/0x570 [ 59.395503] ? futex_wait_setup+0x330/0x330 [ 59.399804] ? wake_up_q+0xea/0x150 [ 59.403412] ? drop_futex_key_refs.isra.0+0x17/0xb0 [ 59.408422] ? futex_wake+0x15b/0x440 [ 59.412235] do_futex+0x13f/0x1980 [ 59.415754] ? trace_hardirqs_on+0x10/0x10 [ 59.419982] ? perf_trace_lock_acquire+0x341/0x4e0 [ 59.424981] ? exit_robust_list+0x240/0x240 [ 59.429301] ? HARDIRQ_verbose+0x10/0x10 [ 59.433373] ? __might_fault+0x104/0x1b0 [ 59.437503] ? lock_downgrade+0x630/0x630 [ 59.441641] ? lock_acquire+0x12b/0x360 [ 59.445604] ? __might_fault+0xd4/0x1b0 [ 59.449647] ? __might_fault+0x177/0x1b0 [ 59.453775] ? _copy_to_user+0x82/0xd0 [ 59.458164] SyS_futex+0x1c5/0x2c3 [ 59.461694] ? do_futex+0x1980/0x1980 [ 59.465475] ? SyS_clock_gettime+0x7d/0xe0 [ 59.472575] ? do_clock_gettime+0xd0/0xd0 [ 59.476790] ? do_syscall_64+0x43/0x520 [ 59.480745] ? do_futex+0x1980/0x1980 [ 59.484524] do_syscall_64+0x19b/0x520 [ 59.488395] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 59.493582] RIP: 0033:0x45a639 [ 59.496852] RSP: 002b:00007f9c19f34cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 59.504818] RAX: ffffffffffffffda RBX: 000000000075bf28 RCX: 000000000045a639 [ 59.512120] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000075bf28 [ 59.521138] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 [ 59.528487] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000075bf2c [ 59.535775] R13: 00007ffd4ffbc0ff R14: 00007f9c19f359c0 R15: 000000000075bf2c [ 59.544680] Kernel Offset: 0x37000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 59.555961] Rebooting in 86400 seconds..