[....] Starting OpenBSD Secure Shell server: sshd
[ 15.395812] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ]

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 20.661009] random: sshd: uninitialized urandom read (32 bytes read)
[ 20.977698] audit: type=1400 audit(1536313289.946:6): avc: denied { map } for pid=1991 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 21.021729] random: sshd: uninitialized urandom read (32 bytes read)
[ 21.520865] random: sshd: uninitialized urandom read (32 bytes read)
[ 21.677082] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.22' (ECDSA) to the list of known hosts.
[ 27.307448] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 27.401057] audit: type=1400 audit(1536313296.376:7): avc: denied { map } for pid=2009 comm="syz-executor122" path="/root/syz-executor122792749" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 27.429689] audit: type=1400 audit(1536313296.406:8): avc: denied { prog_load } for pid=2009 comm="syz-executor122" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 27.453741] audit: type=1400 audit(1536313296.426:9): avc: denied { prog_run } for pid=2009 comm="syz-executor122" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 27.453790] ==================================================================
[ 27.453815] BUG: KASAN: slab-out-of-bounds in skb_ensure_writable+0x290/0x2e0
[ 27.453821] Read of size 4 at addr ffff8801b83185f8 by task syz-executor122/2009
[ 27.453823]
[ 27.453830] CPU: 0 PID: 2009 Comm: syz-executor122 Not tainted 4.14.68+ #4
[ 27.453834] Call Trace:
[ 27.453845]  dump_stack+0xb9/0x11b
[ 27.453860]  print_address_description+0x60/0x22b
[ 27.453872]  kasan_report.cold.6+0x11b/0x2dd
[ 27.453879]  ? skb_ensure_writable+0x290/0x2e0
[ 27.453890]  skb_ensure_writable+0x290/0x2e0
[ 27.453903]  bpf_l4_csum_replace+0x61/0x300
[ 27.453918]  ___bpf_prog_run+0x248e/0x5c70
[ 27.453930]  ? __free_insn_slot+0x490/0x490
[ 27.453940]  ? bpf_jit_compile+0x30/0x30
[ 27.453954]  ? depot_save_stack+0x20a/0x428
[ 27.453967]  ? __bpf_prog_run512+0x99/0xe0
[ 27.453975]  ? ___bpf_prog_run+0x5c70/0x5c70
[ 27.453996]  ? __lock_acquire+0x619/0x4320
[ 27.454012]  ? trace_hardirqs_on+0x10/0x10
[ 27.454026]  ? trace_hardirqs_on+0x10/0x10
[ 27.454037]  ? __lock_acquire+0x619/0x4320
[ 27.454050]  ? get_unused_fd_flags+0xc0/0xc0
[ 27.454066]  ? bpf_test_run+0x57/0x350
[ 27.454084]  ? lock_acquire+0x10f/0x380
[ 27.454096]  ? check_preemption_disabled+0x34/0x160
[ 27.454110]  ? bpf_test_run+0xab/0x350
[ 27.454129]  ? bpf_prog_test_run_skb+0x6b0/0x8c0
[ 27.454143]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 27.454152]  ? __fget_light+0x163/0x1f0
[ 27.454159]  ? bpf_prog_add+0x42/0xa0
[ 27.454170]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 27.454191]  ? SyS_bpf+0x79d/0x3640
[ 27.454205]  ? bpf_prog_get+0x20/0x20
[ 27.454213]  ? __do_page_fault+0x485/0xb60
[ 27.454222]  ? lock_downgrade+0x560/0x560
[ 27.454239]  ? up_read+0x17/0x30
[ 27.454246]  ? __do_page_fault+0x64c/0xb60
[ 27.454258]  ? do_syscall_64+0x43/0x4b0
[ 27.454269]  ? bpf_prog_get+0x20/0x20
[ 27.454275]  ? do_syscall_64+0x19b/0x4b0
[ 27.454290]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 27.454309]
[ 27.454313] Allocated by task 2009:
[ 27.454320]  kasan_kmalloc.part.1+0x4f/0xd0
[ 27.454339]  kmem_cache_alloc+0xe4/0x2b0
[ 27.454344]  __alloc_skb+0xd8/0x550
[ 27.454352]  audit_log_start+0x3dd/0x6f0
[ 27.454360]  common_lsm_audit+0xe8/0x1d00
[ 27.454380]  slow_avc_audit+0x14a/0x1d0
[ 27.454386]  avc_has_perm+0x2f2/0x390
[ 27.454392]  selinux_bpf+0xb4/0x100
[ 27.454398]  security_bpf+0x7c/0xb0
[ 27.454403]  SyS_bpf+0x153/0x3640
[ 27.454420]  do_syscall_64+0x19b/0x4b0
[ 27.454426]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 27.454428]
[ 27.454431] Freed by task 32:
[ 27.454437]  kasan_slab_free+0xac/0x190
[ 27.454454]  kmem_cache_free+0x12d/0x350
[ 27.454460]  kfree_skbmem+0x9e/0x100
[ 27.454465]  kfree_skb+0xd0/0x340
[ 27.454471]  kauditd_hold_skb+0x115/0x140
[ 27.454477]  kauditd_send_queue+0xf9/0x140
[ 27.454483]  kauditd_thread+0x4c7/0x660
[ 27.454489]  kthread+0x348/0x420
[ 27.454494]  ret_from_fork+0x3a/0x50
[ 27.454496]
[ 27.454501] The buggy address belongs to the object at ffff8801b8318500
[ 27.454501]  which belongs to the cache skbuff_head_cache of size 224
[ 27.454506] The buggy address is located 24 bytes to the right of
[ 27.454506]  224-byte region [ffff8801b8318500, ffff8801b83185e0)
[ 27.454509] The buggy address belongs to the page:
[ 27.454514] page:ffffea0006e0c600 count:1 mapcount:0 mapping: (null) index:0x0
[ 27.454521] flags: 0x4000000000000100(slab)
[ 27.454531] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[ 27.454538] raw: dead000000000100 dead000000000200 ffff8801da312200 0000000000000000
[ 27.454541] page dumped because: kasan: bad access detected
[ 27.454543]
[ 27.454545] Memory state around the buggy address:
[ 27.454550]  ffff8801b8318480: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.454555]  ffff8801b8318500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.454560] >ffff8801b8318580: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 27.454563]                                                                 ^
[ 27.454590]  ffff8801b8318600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 27.454595]  ffff8801b8318680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 27.454597] ==================================================================
[ 27.454599] Disabling lock debugging due to kernel taint
[ 27.454603] Kernel panic - not syncing: panic_on_warn set ...
[ 27.454603]
[ 27.454610] CPU: 0 PID: 2009 Comm: syz-executor122 Tainted: G B 4.14.68+ #4
[ 27.454612] Call Trace:
[ 27.454619]  dump_stack+0xb9/0x11b
[ 27.454628]  panic+0x1bf/0x3a4
[ 27.454635]  ? add_taint.cold.4+0x16/0x16
[ 27.454650]  kasan_end_report+0x43/0x49
[ 27.454657]  kasan_report.cold.6+0x77/0x2dd
[ 27.454663]  ? skb_ensure_writable+0x290/0x2e0
[ 27.454672]  skb_ensure_writable+0x290/0x2e0
[ 27.454681]  bpf_l4_csum_replace+0x61/0x300
[ 27.454690]  ___bpf_prog_run+0x248e/0x5c70
[ 27.454698]  ? __free_insn_slot+0x490/0x490
[ 27.454705]  ? bpf_jit_compile+0x30/0x30
[ 27.454714]  ? depot_save_stack+0x20a/0x428
[ 27.454723]  ? __bpf_prog_run512+0x99/0xe0
[ 27.454730]  ? ___bpf_prog_run+0x5c70/0x5c70
[ 27.454741]  ? __lock_acquire+0x619/0x4320
[ 27.454751]  ? trace_hardirqs_on+0x10/0x10
[ 27.454760]  ? trace_hardirqs_on+0x10/0x10
[ 27.454769]  ? __lock_acquire+0x619/0x4320
[ 27.454778]  ? get_unused_fd_flags+0xc0/0xc0
[ 27.454787]  ? bpf_test_run+0x57/0x350
[ 27.454798]  ? lock_acquire+0x10f/0x380
[ 27.454806]  ? check_preemption_disabled+0x34/0x160
[ 27.454816]  ? bpf_test_run+0xab/0x350
[ 27.454828]  ? bpf_prog_test_run_skb+0x6b0/0x8c0
[ 27.454837]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 27.454844]  ? __fget_light+0x163/0x1f0
[ 27.454850]  ? bpf_prog_add+0x42/0xa0
[ 27.454858]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 27.454865]  ? SyS_bpf+0x79d/0x3640
[ 27.454875]  ? bpf_prog_get+0x20/0x20
[ 27.454880]  ? __do_page_fault+0x485/0xb60
[ 27.454887]  ? lock_downgrade+0x560/0x560
[ 27.454898]  ? up_read+0x17/0x30
[ 27.454904]  ? __do_page_fault+0x64c/0xb60
[ 27.454912]  ? do_syscall_64+0x43/0x4b0
[ 27.454920]  ? bpf_prog_get+0x20/0x20
[ 27.454925]  ? do_syscall_64+0x19b/0x4b0
[ 27.454934]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 27.476375] Dumping ftrace buffer:
[ 27.476380]    (ftrace buffer empty)
[ 27.476385] Kernel Offset: 0x37a00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 28.076210] Rebooting in 86400 seconds..