[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 19.843357] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 23.795661] random: sshd: uninitialized urandom read (32 bytes read) [ 24.125525] random: sshd: uninitialized urandom read (32 bytes read) [ 24.908960] random: sshd: uninitialized urandom read (32 bytes read) [ 27.346474] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.62' (ECDSA) to the list of known hosts. [ 32.762564] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 32.861825] ================================================================== [ 32.869312] BUG: KASAN: slab-out-of-bounds in nla_strlcpy+0x13d/0x150 [ 32.875878] Read of size 1 at addr ffff8801d958af9d by task syz-executor329/4535 [ 32.883389] [ 32.885003] CPU: 1 PID: 4535 Comm: syz-executor329 Not tainted 4.17.0-rc6+ #68 [ 32.892349] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.901686] Call Trace: [ 32.904262] dump_stack+0x1b9/0x294 [ 32.907876] ? dump_stack_print_info.cold.2+0x52/0x52 [ 32.913050] ? printk+0x9e/0xba [ 32.916314] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 32.921056] ? kasan_check_write+0x14/0x20 [ 32.925275] print_address_description+0x6c/0x20b [ 32.930103] ? nla_strlcpy+0x13d/0x150 [ 32.933972] kasan_report.cold.7+0x242/0x2fe [ 32.938369] __asan_report_load1_noabort+0x14/0x20 [ 32.943281] nla_strlcpy+0x13d/0x150 [ 32.946981] nfnl_acct_new+0x574/0xc50 [ 32.950855] ? nfnl_acct_overquota+0x380/0x380 [ 32.955423] ? debug_check_no_locks_freed+0x310/0x310 [ 32.960594] ? graph_lock+0x170/0x170 [ 32.964383] ? print_usage_bug+0xc0/0xc0 [ 32.968427] ? find_held_lock+0x36/0x1c0 [ 32.972473] ? graph_lock+0x170/0x170 [ 32.976260] ? lock_downgrade+0x8e0/0x8e0 [ 32.980395] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.985916] ? __lock_is_held+0xb5/0x140 [ 32.989963] ? nfnl_acct_overquota+0x380/0x380 [ 32.994528] nfnetlink_rcv_msg+0xdb5/0xff0 [ 32.998754] ? __sanitizer_cov_trace_cmp1+0x17/0x20 [ 33.003753] ? nfnetlink_rcv_msg+0x3bc/0xff0 [ 33.008150] ? nfnetlink_bind+0x3a0/0x3a0 [ 33.012282] ? graph_lock+0x170/0x170 [ 33.016075] ? find_held_lock+0x36/0x1c0 [ 33.020122] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.025648] netlink_rcv_skb+0x172/0x440 [ 33.029692] ? nfnetlink_bind+0x3a0/0x3a0 [ 33.033822] ? netlink_ack+0xbc0/0xbc0 [ 33.037695] ? __netlink_ns_capable+0x100/0x130 [ 33.042350] nfnetlink_rcv+0x1fe/0x1ba0 [ 33.046310] ? kasan_check_read+0x11/0x20 [ 33.050442] ? rcu_is_watching+0x85/0x140 [ 33.054572] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 33.059752] ? nfnl_err_reset+0x2d0/0x2d0 [ 33.063896] ? netlink_remove_tap+0x610/0x610 [ 33.068379] ? refcount_add_not_zero+0x320/0x320 [ 33.073120] ? kasan_check_read+0x11/0x20 [ 33.077251] ? rcu_is_watching+0x85/0x140 [ 33.081381] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 33.086552] ? netlink_skb_destructor+0x210/0x210 [ 33.091375] ? kasan_check_write+0x14/0x20 [ 33.095598] netlink_unicast+0x58b/0x740 [ 33.099659] ? netlink_attachskb+0x970/0x970 [ 33.104053] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.109582] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 33.114584] ? security_netlink_send+0x88/0xb0 [ 33.119153] netlink_sendmsg+0x9f0/0xfa0 [ 33.123207] ? netlink_unicast+0x740/0x740 [ 33.127429] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.132952] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.138473] ? security_socket_sendmsg+0x94/0xc0 [ 33.143209] ? netlink_unicast+0x740/0x740 [ 33.147428] sock_sendmsg+0xd5/0x120 [ 33.151124] sock_write_iter+0x35a/0x5a0 [ 33.155168] ? sock_sendmsg+0x120/0x120 [ 33.159130] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 33.164652] ? iov_iter_init+0xc9/0x1f0 [ 33.168615] __vfs_write+0x64d/0x960 [ 33.172314] ? kernel_read+0x120/0x120 [ 33.176185] ? lock_downgrade+0x8e0/0x8e0 [ 33.180314] ? handle_mm_fault+0x8c0/0xc70 [ 33.184535] ? handle_mm_fault+0x55a/0xc70 [ 33.188756] ? rw_verify_area+0x118/0x360 [ 33.192887] vfs_write+0x1f8/0x560 [ 33.196413] ksys_write+0xf9/0x250 [ 33.199938] ? __ia32_sys_read+0xb0/0xb0 [ 33.203982] ? __ia32_sys_fallocate+0xf0/0xf0 [ 33.208462] __x64_sys_write+0x73/0xb0 [ 33.212331] do_syscall_64+0x1b1/0x800 [ 33.216200] ? syscall_return_slowpath+0x5c0/0x5c0 [ 33.221114] ? syscall_return_slowpath+0x30f/0x5c0 [ 33.226040] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.231567] ? retint_user+0x18/0x18 [ 33.235279] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 33.240108] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 33.245279] RIP: 0033:0x43fcf9 [ 33.248448] RSP: 002b:00007ffc9ed66dd8 EFLAGS: 00000213 ORIG_RAX: 0000000000000001 [ 33.256140] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fcf9 [ 33.263395] RDX: 000000000000001f RSI: 0000000020390000 RDI: 0000000000000003 [ 33.270645] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 33.277900] R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401620 [ 33.285156] R13: 00000000004016b0 R14: 0000000000000000 R15: 0000000000000000 [ 33.292412] [ 33.294028] Allocated by task 4535: [ 33.297649] save_stack+0x43/0xd0 [ 33.301083] kasan_kmalloc+0xc4/0xe0 [ 33.304779] __kmalloc+0x14e/0x760 [ 33.308300] load_elf_phdrs+0x17a/0x250 [ 33.312258] load_elf_binary+0x9bd/0x5610 [ 33.316389] search_binary_handler+0x17d/0x570 [ 33.320951] do_execveat_common.isra.34+0x16ce/0x2590 [ 33.326119] __x64_sys_execve+0x8d/0xb0 [ 33.330077] do_syscall_64+0x1b1/0x800 [ 33.333945] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 33.339116] [ 33.340731] Freed by task 4535: [ 33.343993] save_stack+0x43/0xd0 [ 33.347430] __kasan_slab_free+0x11a/0x170 [ 33.351643] kasan_slab_free+0xe/0x10 [ 33.355424] kfree+0xd9/0x260 [ 33.358511] load_elf_binary+0x255d/0x5610 [ 33.362724] search_binary_handler+0x17d/0x570 [ 33.367382] do_execveat_common.isra.34+0x16ce/0x2590 [ 33.372556] __x64_sys_execve+0x8d/0xb0 [ 33.376519] do_syscall_64+0x1b1/0x800 [ 33.380389] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 33.385559] [ 33.387170] The buggy address belongs to the object at ffff8801d958ac80 [ 33.387170] which belongs to the cache kmalloc-512 of size 512 [ 33.399808] The buggy address is located 285 bytes to the right of [ 33.399808] 512-byte region [ffff8801d958ac80, ffff8801d958ae80) [ 33.412182] The buggy address belongs to the page: [ 33.417094] page:ffffea0007656280 count:1 mapcount:0 mapping:ffff8801d958a000 index:0x0 [ 33.425222] flags: 0x2fffc0000000100(slab) [ 33.429441] raw: 02fffc0000000100 ffff8801d958a000 0000000000000000 0000000100000006 [ 33.437307] raw: ffffea0006b48b60 ffff8801da801748 ffff8801da800940 0000000000000000 [ 33.445164] page dumped because: kasan: bad access detected [ 33.450850] [ 33.452454] Memory state around the buggy address: [ 33.457361] ffff8801d958ae80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 33.464703] ffff8801d958af00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 33.472047] >ffff8801d958af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 33.479385] ^ [ 33.483514] ffff8801d958b000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 33.490854] ffff8801d958b080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 33.498192] ================================================================== [ 33.505536] Disabling lock debugging due to kernel taint [ 33.511083] Kernel panic - not syncing: panic_on_warn set ... [ 33.511083] [ 33.518457] CPU: 1 PID: 4535 Comm: syz-executor329 Tainted: G B 4.17.0-rc6+ #68 [ 33.527196] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 33.536529] Call Trace: [ 33.539104] dump_stack+0x1b9/0x294 [ 33.542717] ? dump_stack_print_info.cold.2+0x52/0x52 [ 33.547890] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 33.552624] ? nla_strlcpy+0x70/0x150 [ 33.556404] panic+0x22f/0x4de [ 33.559578] ? add_taint.cold.5+0x16/0x16 [ 33.563709] ? do_raw_spin_unlock+0x9e/0x2e0 [ 33.568095] ? do_raw_spin_unlock+0x9e/0x2e0 [ 33.572481] ? nla_strlcpy+0x13d/0x150 [ 33.576348] kasan_end_report+0x47/0x4f [ 33.580305] kasan_report.cold.7+0x76/0x2fe [ 33.584611] __asan_report_load1_noabort+0x14/0x20 [ 33.589518] nla_strlcpy+0x13d/0x150 [ 33.593215] nfnl_acct_new+0x574/0xc50 [ 33.597091] ? nfnl_acct_overquota+0x380/0x380 [ 33.601651] ? debug_check_no_locks_freed+0x310/0x310 [ 33.606820] ? graph_lock+0x170/0x170 [ 33.610600] ? print_usage_bug+0xc0/0xc0 [ 33.614639] ? find_held_lock+0x36/0x1c0 [ 33.618676] ? graph_lock+0x170/0x170 [ 33.622459] ? lock_downgrade+0x8e0/0x8e0 [ 33.626587] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.632104] ? __lock_is_held+0xb5/0x140 [ 33.636147] ? nfnl_acct_overquota+0x380/0x380 [ 33.640709] nfnetlink_rcv_msg+0xdb5/0xff0 [ 33.644931] ? __sanitizer_cov_trace_cmp1+0x17/0x20 [ 33.649931] ? nfnetlink_rcv_msg+0x3bc/0xff0 [ 33.654324] ? nfnetlink_bind+0x3a0/0x3a0 [ 33.658453] ? graph_lock+0x170/0x170 [ 33.662232] ? find_held_lock+0x36/0x1c0 [ 33.666276] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.671808] netlink_rcv_skb+0x172/0x440 [ 33.675850] ? nfnetlink_bind+0x3a0/0x3a0 [ 33.679982] ? netlink_ack+0xbc0/0xbc0 [ 33.683852] ? __netlink_ns_capable+0x100/0x130 [ 33.688515] nfnetlink_rcv+0x1fe/0x1ba0 [ 33.692483] ? kasan_check_read+0x11/0x20 [ 33.696612] ? rcu_is_watching+0x85/0x140 [ 33.700740] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 33.705913] ? nfnl_err_reset+0x2d0/0x2d0 [ 33.710046] ? netlink_remove_tap+0x610/0x610 [ 33.714526] ? refcount_add_not_zero+0x320/0x320 [ 33.719271] ? kasan_check_read+0x11/0x20 [ 33.723402] ? rcu_is_watching+0x85/0x140 [ 33.727532] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 33.732716] ? netlink_skb_destructor+0x210/0x210 [ 33.737543] ? kasan_check_write+0x14/0x20 [ 33.741760] netlink_unicast+0x58b/0x740 [ 33.745804] ? netlink_attachskb+0x970/0x970 [ 33.750199] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.755718] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 33.760717] ? security_netlink_send+0x88/0xb0 [ 33.765285] netlink_sendmsg+0x9f0/0xfa0 [ 33.769329] ? netlink_unicast+0x740/0x740 [ 33.773546] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.779068] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.784600] ? security_socket_sendmsg+0x94/0xc0 [ 33.789342] ? netlink_unicast+0x740/0x740 [ 33.793560] sock_sendmsg+0xd5/0x120 [ 33.797259] sock_write_iter+0x35a/0x5a0 [ 33.801301] ? sock_sendmsg+0x120/0x120 [ 33.805259] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 33.810776] ? iov_iter_init+0xc9/0x1f0 [ 33.814740] __vfs_write+0x64d/0x960 [ 33.818437] ? kernel_read+0x120/0x120 [ 33.822306] ? lock_downgrade+0x8e0/0x8e0 [ 33.826434] ? handle_mm_fault+0x8c0/0xc70 [ 33.830649] ? handle_mm_fault+0x55a/0xc70 [ 33.834865] ? rw_verify_area+0x118/0x360 [ 33.839003] vfs_write+0x1f8/0x560 [ 33.842538] ksys_write+0xf9/0x250 [ 33.846061] ? __ia32_sys_read+0xb0/0xb0 [ 33.850103] ? __ia32_sys_fallocate+0xf0/0xf0 [ 33.854587] __x64_sys_write+0x73/0xb0 [ 33.858462] do_syscall_64+0x1b1/0x800 [ 33.862346] ? syscall_return_slowpath+0x5c0/0x5c0 [ 33.867264] ? syscall_return_slowpath+0x30f/0x5c0 [ 33.872178] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.877696] ? retint_user+0x18/0x18 [ 33.881390] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 33.886215] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 33.891387] RIP: 0033:0x43fcf9 [ 33.894557] RSP: 002b:00007ffc9ed66dd8 EFLAGS: 00000213 ORIG_RAX: 0000000000000001 [ 33.902247] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fcf9 [ 33.909499] RDX: 000000000000001f RSI: 0000000020390000 RDI: 0000000000000003 [ 33.916760] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 33.924018] R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401620 [ 33.931276] R13: 00000000004016b0 R14: 0000000000000000 R15: 0000000000000000 [ 33.939025] Dumping ftrace buffer: [ 33.942553] (ftrace buffer empty) [ 33.946241] Kernel Offset: disabled [ 33.949846] Rebooting in 86400 seconds..