[....] Starting OpenBSD Secure Shell server: sshd
[   19.052566] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[   20.920323] random: sshd: uninitialized urandom read (32 bytes read)
[   21.147611] sshd (4448) used greatest stack depth: 16424 bytes left
[   21.164679] random: sshd: uninitialized urandom read (32 bytes read)
[   21.887427] random: sshd: uninitialized urandom read (32 bytes read)
[   22.042574] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.54' (ECDSA) to the list of known hosts.
[   27.504781] random: sshd: uninitialized urandom read (32 bytes read)
2018/04/29 11:32:53 parsed 1 programs
2018/04/29 11:32:53 executed programs: 0
[   27.965424] IPVS: ftp: loaded support on port[0] = 21
[   28.163073] bridge0: port 1(bridge_slave_0) entered blocking state
[   28.169564] bridge0: port 1(bridge_slave_0) entered disabled state
[   28.177089] device bridge_slave_0 entered promiscuous mode
[   28.193598] bridge0: port 2(bridge_slave_1) entered blocking state
[   28.199988] bridge0: port 2(bridge_slave_1) entered disabled state
[   28.207202] device bridge_slave_1 entered promiscuous mode
[   28.222686] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   28.238726] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   28.281169] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   28.299374] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   28.362712] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   28.369982] team0: Port device team_slave_0 added
[   28.386847] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   28.393979] team0: Port device team_slave_1 added
[   28.409009] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   28.426690] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   28.443643] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   28.461273] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   28.580137] bridge0: port 2(bridge_slave_1) entered blocking state
[   28.586593] bridge0: port 2(bridge_slave_1) entered forwarding state
[   28.593595] bridge0: port 1(bridge_slave_0) entered blocking state
[   28.599950] bridge0: port 1(bridge_slave_0) entered forwarding state
[   29.008207] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   29.014337] 8021q: adding VLAN 0 to HW filter on device bond0
[   29.056865] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   29.102283] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   29.110411] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   29.148200] 8021q: adding VLAN 0 to HW filter on device team0
[   29.418508] ==================================================================
[   29.426061] BUG: KASAN: slab-out-of-bounds in __sctp_v6_cmp_addr+0x4c7/0x530
[   29.433243] Read of size 8 at addr ffff8801d8cf05d0 by task syz-executor0/4729
[   29.440583]
[   29.442204] CPU: 1 PID: 4729 Comm: syz-executor0 Not tainted 4.17.0-rc2+ #48
[   29.449371] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.458705] Call Trace:
[   29.461284]  dump_stack+0x1b9/0x294
[   29.464909]  ? dump_stack_print_info.cold.2+0x52/0x52
[   29.470116]  ? printk+0x9e/0xba
[   29.473396]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   29.478138]  ? kasan_check_write+0x14/0x20
[   29.482408]  print_address_description+0x6c/0x20b
[   29.487242]  ? __sctp_v6_cmp_addr+0x4c7/0x530
[   29.491721]  kasan_report.cold.7+0x242/0x2fe
[   29.496117]  __asan_report_load8_noabort+0x14/0x20
[   29.501037]  __sctp_v6_cmp_addr+0x4c7/0x530
[   29.505344]  sctp_inet6_cmp_addr+0x169/0x1a0
[   29.509744]  sctp_bind_addr_conflict+0x28c/0x470
[   29.514491]  ? sctp_bind_addr_match+0x400/0x400
[   29.519150]  ? kasan_check_write+0x14/0x20
[   29.523373]  ? do_raw_spin_lock+0xc1/0x200
[   29.527604]  sctp_get_port_local+0x9fc/0x1540
[   29.532099]  ? print_shortest_lock_dependencies.cold.55+0xa9/0x22a
[   29.538404]  ? sctp_set_owner_w+0x530/0x530
[   29.542710]  ? kasan_check_read+0x11/0x20
[   29.546844]  ? rcu_is_watching+0x85/0x140
[   29.550975]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   29.556154]  ? sctp_bind_addr_match+0x2c6/0x400
[   29.560822]  ? sctp_bind_addrs_to_raw+0x370/0x370
[   29.565663]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   29.571187]  ? sctp_v4_available+0x1b1/0x200
[   29.575585]  ? sctp_inet6_bind_verify+0xb2/0x500
[   29.580327]  sctp_do_bind+0x21c/0x5f0
[   29.584116]  sctp_bindx_add+0x90/0x1a0
[   29.587994]  sctp_setsockopt_bindx+0x2ad/0x320
[   29.592570]  sctp_setsockopt+0x12c4/0x7000
[   29.596805]  ? get_futex_value_locked+0xcb/0xf0
[   29.601465]  ? sctp_setsockopt_paddr_thresholds+0x560/0x560
[   29.607166]  ? print_usage_bug+0xc0/0xc0
[   29.611244]  ? futex_wake+0x750/0x750
[   29.615052]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   29.621028]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   29.626564]  ? drop_futex_key_refs.isra.13+0x6d/0xe0
[   29.631651]  ? futex_wait+0x5c1/0x9f0
[   29.635439]  ? __lock_acquire+0x7f5/0x5140
[   29.639658]  ? futex_wait_setup+0x400/0x400
[   29.643968]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   29.649154]  ? debug_check_no_locks_freed+0x310/0x310
[   29.654352]  ? get_futex_key+0x1e90/0x1e90
[   29.658591]  ? alloc_file+0x24/0x3e0
[   29.662300]  ? sock_alloc_file+0x1f3/0x4e0
[   29.666533]  ? __sys_socket+0x16f/0x250
[   29.670492]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   29.675668]  ? do_futex+0x249/0x27d0
[   29.679376]  ? lock_downgrade+0x8e0/0x8e0
[   29.683513]  ? graph_lock+0x170/0x170
[   29.687308]  ? debug_mutex_init+0x1c/0x60
[   29.691452]  ? exit_robust_list+0x290/0x290
[   29.695758]  ? graph_lock+0x170/0x170
[   29.699542]  ? lockdep_init_map+0x9/0x10
[   29.703586]  ? find_held_lock+0x36/0x1c0
[   29.707638]  ? lock_downgrade+0x8e0/0x8e0
[   29.711774]  ? kasan_check_read+0x11/0x20
[   29.715912]  ? rcu_is_watching+0x85/0x140
[   29.720053]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   29.725234]  ? __fget+0x40c/0x650
[   29.728676]  ? expand_files.part.8+0x9a0/0x9a0
[   29.733242]  ? get_unused_fd_flags+0x190/0x190
[   29.737812]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.743350]  ? alloc_file+0x44/0x3e0
[   29.747057]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   29.752584]  ? sock_alloc_file+0x2a4/0x4e0
[   29.756808]  compat_sock_common_setsockopt+0x10c/0x150
[   29.762071]  ? sock_common_setsockopt+0xe0/0xe0
[   29.766724]  __compat_sys_setsockopt+0x1ab/0x7c0
[   29.771466]  ? __compat_sys_getsockopt+0x7f0/0x7f0
[   29.776384]  ? __x32_compat_sys_get_robust_list+0x430/0x430
[   29.782088]  ? move_addr_to_kernel+0x70/0x70
[   29.786486]  ? mm_fault_error+0x380/0x380
[   29.790632]  __ia32_compat_sys_setsockopt+0xbd/0x150
[   29.795733]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   29.800743]  do_fast_syscall_32+0x345/0xf9b
[   29.805057]  ? do_int80_syscall_32+0x880/0x880
[   29.809626]  ? _raw_spin_unlock_irq+0x27/0x70
[   29.814106]  ? finish_task_switch+0x1ca/0x810
[   29.818588]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.824110]  ? syscall_return_slowpath+0x30f/0x5c0
[   29.829035]  ? sysret32_from_system_call+0x5/0x46
[   29.833878]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   29.838708]  entry_SYSENTER_compat+0x70/0x7f
[   29.843101] RIP: 0023:0xf7f7dcb9
[   29.846463] RSP: 002b:00000000f7f790ac EFLAGS: 00000282 ORIG_RAX: 000000000000016e
[   29.854161] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000000084
[   29.861415] RDX: 0000000000000064 RSI: 00000000205ba000 RDI: 0000000000000010
[   29.868673] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   29.875935] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   29.883202] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   29.890485]
[   29.892108] Allocated by task 4729:
[   29.895727]  save_stack+0x43/0xd0
[   29.899159]  kasan_kmalloc+0xc4/0xe0
[   29.902865]  __kmalloc_node+0x47/0x70
[   29.906652]  kvmalloc_node+0x6b/0x100
[   29.910433]  vmemdup_user+0x2d/0xa0
[   29.914053]  sctp_setsockopt_bindx+0x5d/0x320
[   29.918531]  sctp_setsockopt+0x12c4/0x7000
[   29.922755]  compat_sock_common_setsockopt+0x10c/0x150
[   29.928022]  __compat_sys_setsockopt+0x1ab/0x7c0
[   29.932795]  __ia32_compat_sys_setsockopt+0xbd/0x150
[   29.937895]  do_fast_syscall_32+0x345/0xf9b
[   29.942215]  entry_SYSENTER_compat+0x70/0x7f
[   29.946604]
[   29.948222] Freed by task 2806:
[   29.951510]  save_stack+0x43/0xd0
[   29.954950]  __kasan_slab_free+0x11a/0x170
[   29.959168]  kasan_slab_free+0xe/0x10
[   29.962950]  kfree+0xd9/0x260
[   29.966051]  single_release+0x8f/0xb0
[   29.969837]  __fput+0x34d/0x890
[   29.973094]  ____fput+0x15/0x20
[   29.976369]  task_work_run+0x1e4/0x290
[   29.980262]  exit_to_usermode_loop+0x2bd/0x310
[   29.984834]  do_syscall_64+0x6ac/0x800
[   29.988705]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   29.993869]
[   29.995484] The buggy address belongs to the object at ffff8801d8cf05c0
[   29.995484]  which belongs to the cache kmalloc-32 of size 32
[   30.007950] The buggy address is located 16 bytes inside of
[   30.007950]  32-byte region [ffff8801d8cf05c0, ffff8801d8cf05e0)
[   30.019628] The buggy address belongs to the page:
[   30.024540] page:ffffea0007633c00 count:1 mapcount:0 mapping:ffff8801d8cf0000 index:0xffff8801d8cf0fc1
[   30.033968] flags: 0x2fffc0000000100(slab)
[   30.038189] raw: 02fffc0000000100 ffff8801d8cf0000 ffff8801d8cf0fc1 000000010000001d
[   30.046082] raw: ffffea0007630160 ffffea00076377e0 ffff8801da8001c0 0000000000000000
[   30.053947] page dumped because: kasan: bad access detected
[   30.059641]
[   30.061251] Memory state around the buggy address:
[   30.066161]  ffff8801d8cf0480: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   30.073510]  ffff8801d8cf0500: fb fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc
[   30.080852] >ffff8801d8cf0580: fb fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc
[   30.088188]                                                  ^
[   30.094156]  ffff8801d8cf0600: fb fb fb fb fc fc fc fc 00 00 04 fc fc fc fc fc
[   30.101495]  ffff8801d8cf0680: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   30.108835] ==================================================================
[   30.116178] Disabling lock debugging due to kernel taint
[   30.121652] Kernel panic - not syncing: panic_on_warn set ...
[   30.121652]
[   30.129029] CPU: 1 PID: 4729 Comm: syz-executor0 Tainted: G    B 4.17.0-rc2+ #48
[   30.137599] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.146950] Call Trace:
[   30.149524]  dump_stack+0x1b9/0x294
[   30.153135]  ? dump_stack_print_info.cold.2+0x52/0x52
[   30.158310]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.163047]  ? __sctp_v6_cmp_addr+0x3f0/0x530
[   30.167525]  panic+0x22f/0x4de
[   30.170700]  ? add_taint.cold.5+0x16/0x16
[   30.174840]  ? do_raw_spin_unlock+0x9e/0x2e0
[   30.179228]  ? do_raw_spin_unlock+0x9e/0x2e0
[   30.183619]  ? __sctp_v6_cmp_addr+0x4c7/0x530
[   30.188105]  kasan_end_report+0x47/0x4f
[   30.192066]  kasan_report.cold.7+0x76/0x2fe
[   30.196385]  __asan_report_load8_noabort+0x14/0x20
[   30.201299]  __sctp_v6_cmp_addr+0x4c7/0x530
[   30.205609]  sctp_inet6_cmp_addr+0x169/0x1a0
[   30.210001]  sctp_bind_addr_conflict+0x28c/0x470
[   30.214744]  ? sctp_bind_addr_match+0x400/0x400
[   30.219395]  ? kasan_check_write+0x14/0x20
[   30.223609]  ? do_raw_spin_lock+0xc1/0x200
[   30.227826]  sctp_get_port_local+0x9fc/0x1540
[   30.232301]  ? print_shortest_lock_dependencies.cold.55+0xa9/0x22a
[   30.238613]  ? sctp_set_owner_w+0x530/0x530
[   30.242944]  ? kasan_check_read+0x11/0x20
[   30.247090]  ? rcu_is_watching+0x85/0x140
[   30.251221]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   30.256397]  ? sctp_bind_addr_match+0x2c6/0x400
[   30.261049]  ? sctp_bind_addrs_to_raw+0x370/0x370
[   30.265874]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   30.271403]  ? sctp_v4_available+0x1b1/0x200
[   30.275801]  ? sctp_inet6_bind_verify+0xb2/0x500
[   30.280537]  sctp_do_bind+0x21c/0x5f0
[   30.284316]  sctp_bindx_add+0x90/0x1a0
[   30.288183]  sctp_setsockopt_bindx+0x2ad/0x320
[   30.292748]  sctp_setsockopt+0x12c4/0x7000
[   30.296962]  ? get_futex_value_locked+0xcb/0xf0
[   30.301610]  ? sctp_setsockopt_paddr_thresholds+0x560/0x560
[   30.307302]  ? print_usage_bug+0xc0/0xc0
[   30.311350]  ? futex_wake+0x750/0x750
[   30.315132]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   30.320312]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   30.325829]  ? drop_futex_key_refs.isra.13+0x6d/0xe0
[   30.330911]  ? futex_wait+0x5c1/0x9f0
[   30.334691]  ? __lock_acquire+0x7f5/0x5140
[   30.338909]  ? futex_wait_setup+0x400/0x400
[   30.343215]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   30.348390]  ? debug_check_no_locks_freed+0x310/0x310
[   30.353569]  ? get_futex_key+0x1e90/0x1e90
[   30.357791]  ? alloc_file+0x24/0x3e0
[   30.361488]  ? sock_alloc_file+0x1f3/0x4e0
[   30.365712]  ? __sys_socket+0x16f/0x250
[   30.369671]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   30.374845]  ? do_futex+0x249/0x27d0
[   30.378543]  ? lock_downgrade+0x8e0/0x8e0
[   30.382669]  ? graph_lock+0x170/0x170
[   30.386462]  ? debug_mutex_init+0x1c/0x60
[   30.390595]  ? exit_robust_list+0x290/0x290
[   30.394905]  ? graph_lock+0x170/0x170
[   30.398685]  ? lockdep_init_map+0x9/0x10
[   30.402728]  ? find_held_lock+0x36/0x1c0
[   30.406769]  ? lock_downgrade+0x8e0/0x8e0
[   30.410899]  ? kasan_check_read+0x11/0x20
[   30.415033]  ? rcu_is_watching+0x85/0x140
[   30.419161]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   30.424330]  ? __fget+0x40c/0x650
[   30.427762]  ? expand_files.part.8+0x9a0/0x9a0
[   30.432324]  ? get_unused_fd_flags+0x190/0x190
[   30.436889]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.442407]  ? alloc_file+0x44/0x3e0
[   30.446100]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   30.451617]  ? sock_alloc_file+0x2a4/0x4e0
[   30.455833]  compat_sock_common_setsockopt+0x10c/0x150
[   30.461089]  ? sock_common_setsockopt+0xe0/0xe0
[   30.465738]  __compat_sys_setsockopt+0x1ab/0x7c0
[   30.470473]  ? __compat_sys_getsockopt+0x7f0/0x7f0
[   30.475384]  ? __x32_compat_sys_get_robust_list+0x430/0x430
[   30.481080]  ? move_addr_to_kernel+0x70/0x70
[   30.485469]  ? mm_fault_error+0x380/0x380
[   30.489595]  __ia32_compat_sys_setsockopt+0xbd/0x150
[   30.494680]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   30.499678]  do_fast_syscall_32+0x345/0xf9b
[   30.503981]  ? do_int80_syscall_32+0x880/0x880
[   30.508544]  ? _raw_spin_unlock_irq+0x27/0x70
[   30.513026]  ? finish_task_switch+0x1ca/0x810
[   30.517503]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.523029]  ? syscall_return_slowpath+0x30f/0x5c0
[   30.527940]  ? sysret32_from_system_call+0x5/0x46
[   30.532763]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.537591]  entry_SYSENTER_compat+0x70/0x7f
[   30.541976] RIP: 0023:0xf7f7dcb9
[   30.545317] RSP: 002b:00000000f7f790ac EFLAGS: 00000282 ORIG_RAX: 000000000000016e
[   30.553005] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000000084
[   30.560261] RDX: 0000000000000064 RSI: 00000000205ba000 RDI: 0000000000000010
[   30.567510] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   30.574757] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   30.582010] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   30.589736] Dumping ftrace buffer:
[   30.593262]    (ftrace buffer empty)
[   30.596961] Kernel Offset: disabled
[   30.600564] Rebooting in 86400 seconds..