[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   39.870603] random: sshd: uninitialized urandom read (32 bytes read)
[   40.371603] audit: type=1400 audit(1547831510.305:6): avc: denied { map } for pid=1772 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   40.405339] random: sshd: uninitialized urandom read (32 bytes read)
[   40.855009] random: sshd: uninitialized urandom read (32 bytes read)
[   41.021941] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.128' (ECDSA) to the list of known hosts.
[   46.646089] random: sshd: uninitialized urandom read (32 bytes read)
[   46.737722] audit: type=1400 audit(1547831516.665:7): avc: denied { map } for pid=1790 comm="syz-executor517" path="/root/syz-executor517480709" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[   47.022063] ==================================================================
[   47.029592] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[   47.036235] Read of size 8 at addr ffff8881d39cdc90 by task syz-executor517/1793
[   47.043745] 
[   47.045362] CPU: 0 PID: 1793 Comm: syz-executor517 Not tainted 4.14.94+ #10
[   47.052500] Call Trace:
[   47.055078]  dump_stack+0xb9/0x10e
[   47.058610]  ? ip_local_deliver+0x43d/0x450
[   47.062908]  print_address_description+0x60/0x226
[   47.067727]  ? ip_local_deliver+0x43d/0x450
[   47.072024]  kasan_report.cold+0x88/0x2a5
[   47.076158]  ? ip_local_deliver+0x43d/0x450
[   47.080462]  ? ip_call_ra_chain+0x540/0x540
[   47.084761]  ? __lock_acquire+0x56a/0x3fa0
[   47.089085]  ? deref_stack_reg+0xaa/0xe0
[   47.093128]  ? ip_rcv+0x99f/0xf7a
[   47.096562]  ? ip_rcv_finish+0x5c9/0x1490
[   47.100697]  ? ip_rcv+0x9e2/0xf7a
[   47.104131]  ? ip_local_deliver+0x450/0x450
[   47.108432]  ? __lock_acquire+0x56a/0x3fa0
[   47.112647]  ? check_preemption_disabled+0x35/0x1f0
[   47.117691]  ? ip_local_deliver+0x450/0x450
[   47.121997]  ? __netif_receive_skb_core+0x1364/0x2c60
[   47.127169]  ? trace_hardirqs_on+0x10/0x10
[   47.131455]  ? flush_backlog+0x580/0x580
[   47.135502]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   47.140670]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   47.145875]  ? lock_acquire+0x10f/0x380
[   47.149832]  ? __netif_receive_skb+0x55/0x1f0
[   47.154319]  ? __netif_receive_skb+0x55/0x1f0
[   47.158790]  ? netif_receive_skb_internal+0xec/0x5c0
[   47.163869]  ? dev_cpu_dead+0x810/0x810
[   47.167831]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   47.173270]  ? rcu_read_lock_sched_held+0x10a/0x130
[   47.178272]  ? tun_rx_batched.isra.0+0x45d/0x730
[   47.183004]  ? __skb_get_hash_symmetric+0x255/0x620
[   47.188001]  ? tun_chr_read_iter+0x1c0/0x1c0
[   47.192391]  ? tun_get_user+0xc07/0x3790
[   47.196435]  ? __local_bh_enable_ip+0x65/0xc0
[   47.200911]  ? tun_get_user+0xd95/0x3790
[   47.204964]  ? tun_rx_batched.isra.0+0x730/0x730
[   47.209712]  ? debug_mutex_add_waiter+0x60/0x150
[   47.214495]  ? mark_held_locks+0xa6/0xf0
[   47.218544]  ? get_page_from_freelist+0x85e/0x1d60
[   47.223454]  ? preempt_count_add+0xb8/0x180
[   47.227757]  ? __tun_get+0x11c/0x220
[   47.231454]  ? check_preemption_disabled+0x35/0x1f0
[   47.236450]  ? tun_chr_write_iter+0xcf/0x180
[   47.240834]  ? do_iter_readv_writev+0x379/0x580
[   47.245586]  ? clone_verify_area+0x1e0/0x1e0
[   47.249975]  ? avc_policy_seqno+0x5/0x10
[   47.254014]  ? security_file_permission+0x88/0x1e0
[   47.258925]  ? do_iter_write+0x152/0x550
[   47.262964]  ? lock_downgrade+0x5d0/0x5d0
[   47.267092]  ? vfs_writev+0x146/0x2d0
[   47.270870]  ? vfs_iter_write+0xa0/0xa0
[   47.274824]  ? __handle_mm_fault+0x6c5/0x2640
[   47.279300]  ? __fsnotify_inode_delete+0x20/0x20
[   47.284047]  ? __do_page_fault+0x48e/0xb80
[   47.288292]  ? lock_downgrade+0x5d0/0x5d0
[   47.292433]  ? check_preemption_disabled+0x35/0x1f0
[   47.297432]  ? do_writev+0xc9/0x240
[   47.301033]  ? vfs_writev+0x2d0/0x2d0
[   47.304811]  ? do_syscall_64+0x43/0x4b0
[   47.308766]  ? SyS_readv+0x30/0x30
[   47.312283]  ? do_syscall_64+0x19b/0x4b0
[   47.316323]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   47.321666] 
[   47.323273] Allocated by task 1793:
[   47.326879]  kasan_kmalloc.part.0+0x4f/0xd0
[   47.331175]  kmem_cache_alloc+0xd2/0x2d0
[   47.335221]  __build_skb+0x2e/0x2d0
[   47.338825]  build_skb+0x1a/0x1f0
[   47.342255]  tun_get_user+0x248b/0x3790
[   47.346203]  tun_chr_write_iter+0xcf/0x180
[   47.350482]  do_iter_readv_writev+0x379/0x580
[   47.354965]  do_iter_write+0x152/0x550
[   47.358827]  vfs_writev+0x146/0x2d0
[   47.362431]  do_writev+0xc9/0x240
[   47.365861]  do_syscall_64+0x19b/0x4b0
[   47.369723] 
[   47.371329] Freed by task 1793:
[   47.374586]  kasan_slab_free+0xb0/0x190
[   47.378533]  kmem_cache_free+0xc4/0x330
[   47.382484]  kfree_skbmem+0xa0/0x100
[   47.386172]  kfree_skb+0xcd/0x350
[   47.389598]  ip_defrag+0x5f4/0x3b50
[   47.393198]  ip_local_deliver+0x165/0x450
[   47.397317]  ip_rcv_finish+0x5c9/0x1490
[   47.401276]  ip_rcv+0x9e2/0xf7a
[   47.404542]  __netif_receive_skb_core+0x1364/0x2c60
[   47.409531]  __netif_receive_skb+0x55/0x1f0
[   47.413838]  netif_receive_skb_internal+0xec/0x5c0
[   47.418804]  tun_rx_batched.isra.0+0x45d/0x730
[   47.423417]  tun_get_user+0xd95/0x3790
[   47.427290]  tun_chr_write_iter+0xcf/0x180
[   47.431508]  do_iter_readv_writev+0x379/0x580
[   47.435982]  do_iter_write+0x152/0x550
[   47.439847]  vfs_writev+0x146/0x2d0
[   47.443447]  do_writev+0xc9/0x240
[   47.446881]  do_syscall_64+0x19b/0x4b0
[   47.450762] 
[   47.452367] The buggy address belongs to the object at ffff8881d39cdc80
[   47.452367]  which belongs to the cache skbuff_head_cache of size 224
[   47.465522] The buggy address is located 16 bytes inside of
[   47.465522]  224-byte region [ffff8881d39cdc80, ffff8881d39cdd60)
[   47.477282] The buggy address belongs to the page:
[   47.482185] page:ffffea00074e7340 count:1 mapcount:0 mapping:          (null) index:0x0
[   47.490301] flags: 0x4000000000000100(slab)
[   47.494599] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[   47.502462] raw: dead000000000100 dead000000000200 ffff8881dab58200 0000000000000000
[   47.510317] page dumped because: kasan: bad access detected
[   47.515997] 
[   47.517598] Memory state around the buggy address:
[   47.522501]  ffff8881d39cdb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.529834]  ffff8881d39cdc00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   47.537183] >ffff8881d39cdc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.544588]                          ^
[   47.548461]  ffff8881d39cdd00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   47.555793]  ffff8881d39cdd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   47.563454] ==================================================================
[   47.570788] Disabling lock debugging due to kernel taint
[   47.576347] Kernel panic - not syncing: panic_on_warn set ...
[   47.576347] 
[   47.583699] CPU: 0 PID: 1793 Comm: syz-executor517 Tainted: G    B    4.14.94+ #10
[   47.592086] Call Trace:
[   47.594719]  dump_stack+0xb9/0x10e
[   47.598246]  panic+0x1d9/0x3c2
[   47.601420]  ? add_taint.cold+0x16/0x16
[   47.605376]  ? retint_kernel+0x2d/0x2d
[   47.609242]  ? ip_local_deliver+0x43d/0x450
[   47.613535]  kasan_end_report+0x43/0x49
[   47.617492]  kasan_report.cold+0xa4/0x2a5
[   47.621617]  ? ip_local_deliver+0x43d/0x450
[   47.625910]  ? ip_call_ra_chain+0x540/0x540
[   47.630205]  ? __lock_acquire+0x56a/0x3fa0
[   47.634416]  ? deref_stack_reg+0xaa/0xe0
[   47.638450]  ? ip_rcv+0x99f/0xf7a
[   47.641881]  ? ip_rcv_finish+0x5c9/0x1490
[   47.646009]  ? ip_rcv+0x9e2/0xf7a
[   47.649439]  ? ip_local_deliver+0x450/0x450
[   47.653734]  ? __lock_acquire+0x56a/0x3fa0
[   47.657944]  ? check_preemption_disabled+0x35/0x1f0
[   47.662933]  ? ip_local_deliver+0x450/0x450
[   47.667234]  ? __netif_receive_skb_core+0x1364/0x2c60
[   47.672400]  ? trace_hardirqs_on+0x10/0x10
[   47.676613]  ? flush_backlog+0x580/0x580
[   47.680649]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   47.685812]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   47.691086]  ? lock_acquire+0x10f/0x380
[   47.695039]  ? __netif_receive_skb+0x55/0x1f0
[   47.699509]  ? __netif_receive_skb+0x55/0x1f0
[   47.703978]  ? netif_receive_skb_internal+0xec/0x5c0
[   47.709054]  ? dev_cpu_dead+0x810/0x810
[   47.713003]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   47.718428]  ? rcu_read_lock_sched_held+0x10a/0x130
[   47.723426]  ? tun_rx_batched.isra.0+0x45d/0x730
[   47.728158]  ? __skb_get_hash_symmetric+0x255/0x620
[   47.733148]  ? tun_chr_read_iter+0x1c0/0x1c0
[   47.737533]  ? tun_get_user+0xc07/0x3790
[   47.741571]  ? __local_bh_enable_ip+0x65/0xc0
[   47.746160]  ? tun_get_user+0xd95/0x3790
[   47.750232]  ? tun_rx_batched.isra.0+0x730/0x730
[   47.754964]  ? debug_mutex_add_waiter+0x60/0x150
[   47.759691]  ? mark_held_locks+0xa6/0xf0
[   47.763731]  ? get_page_from_freelist+0x85e/0x1d60
[   47.768644]  ? preempt_count_add+0xb8/0x180
[   47.772946]  ? __tun_get+0x11c/0x220
[   47.776647]  ? check_preemption_disabled+0x35/0x1f0
[   47.781644]  ? tun_chr_write_iter+0xcf/0x180
[   47.786029]  ? do_iter_readv_writev+0x379/0x580
[   47.790796]  ? clone_verify_area+0x1e0/0x1e0
[   47.795195]  ? avc_policy_seqno+0x5/0x10
[   47.799235]  ? security_file_permission+0x88/0x1e0
[   47.804140]  ? do_iter_write+0x152/0x550
[   47.808175]  ? lock_downgrade+0x5d0/0x5d0
[   47.812303]  ? vfs_writev+0x146/0x2d0
[   47.816079]  ? vfs_iter_write+0xa0/0xa0
[   47.820031]  ? __handle_mm_fault+0x6c5/0x2640
[   47.824502]  ? __fsnotify_inode_delete+0x20/0x20
[   47.829238]  ? __do_page_fault+0x48e/0xb80
[   47.833452]  ? lock_downgrade+0x5d0/0x5d0
[   47.837575]  ? check_preemption_disabled+0x35/0x1f0
[   47.842567]  ? do_writev+0xc9/0x240
[   47.846167]  ? vfs_writev+0x2d0/0x2d0
[   47.849958]  ? do_syscall_64+0x43/0x4b0
[   47.853924]  ? SyS_readv+0x30/0x30
[   47.857449]  ? do_syscall_64+0x19b/0x4b0
[   47.861489]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   47.867191] Kernel Offset: 0x4200000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   47.878004] Rebooting in 86400 seconds..
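What a triager pulls out of a report like the one above is a handful of fields: the bug class and faulting function from the BUG line, the access direction and size, the first non-instrumentation frame of the "Allocated by" and "Freed by" stacks (here __build_skb and ip_defrag), the slab cache and the offset of the access inside the freed object, and the KASAN shadow byte under the caret (fb, i.e. KASAN_KMALLOC_FREE). The following Python parser is an added example, not part of this log or of syzkaller; it runs over an excerpt of the report above (the long "?" stacks are cut down to a few frames to keep the sample short). The shadow-byte table is taken from the 4.14 mm/kasan/kasan.h poison values; the NOISE prefix list used to skip allocator and instrumentation frames is this example's own heuristic, and the title format merely mirrors the shape of a syzkaller bug title.

```python
"""Triage a Linux KASAN report: bug class, faulting access, alloc/free culprits,
object offset and the poison value under the access address."""
import re
from dataclasses import dataclass, field

# Excerpt of the KASAN report on this page, call-trace stacks abbreviated.
REPORT = """\
[   47.029592] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[   47.036235] Read of size 8 at addr ffff8881d39cdc90 by task syz-executor517/1793
[   47.043745] 
[   47.045362] CPU: 0 PID: 1793 Comm: syz-executor517 Not tainted 4.14.94+ #10
[   47.052500] Call Trace:
[   47.055078]  dump_stack+0xb9/0x10e
[   47.058610]  ? ip_local_deliver+0x43d/0x450
[   47.062908]  print_address_description+0x60/0x226
[   47.072024]  kasan_report.cold+0x88/0x2a5
[   47.316323]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   47.321666] 
[   47.323273] Allocated by task 1793:
[   47.326879]  kasan_kmalloc.part.0+0x4f/0xd0
[   47.331175]  kmem_cache_alloc+0xd2/0x2d0
[   47.335221]  __build_skb+0x2e/0x2d0
[   47.338825]  build_skb+0x1a/0x1f0
[   47.342255]  tun_get_user+0x248b/0x3790
[   47.369723] 
[   47.371329] Freed by task 1793:
[   47.374586]  kasan_slab_free+0xb0/0x190
[   47.378533]  kmem_cache_free+0xc4/0x330
[   47.382484]  kfree_skbmem+0xa0/0x100
[   47.386172]  kfree_skb+0xcd/0x350
[   47.389598]  ip_defrag+0x5f4/0x3b50
[   47.393198]  ip_local_deliver+0x165/0x450
[   47.450762] 
[   47.452367] The buggy address belongs to the object at ffff8881d39cdc80
[   47.452367]  which belongs to the cache skbuff_head_cache of size 224
[   47.465522] The buggy address is located 16 bytes inside of
[   47.465522]  224-byte region [ffff8881d39cdc80, ffff8881d39cdd60)
[   47.537183] >ffff8881d39cdc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\] ?")
HEAD_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
ACCESS_RE = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) "
                       r"by task (?P<task>\S+)/(?P<pid>\d+)")
FRAME_RE = re.compile(r"^\s*(?:\? )?(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
OBJ_RE = re.compile(r"belongs to the object at (?P<base>[0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
SHADOW_RE = re.compile(r"^>(?P<addr>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")

# Poison values from 4.14 mm/kasan/kasan.h; one shadow byte covers 8 bytes of memory.
SHADOW_MEANING = {
    0x00: "addressable",
    0xFA: "global redzone (KASAN_GLOBAL_REDZONE)",
    0xFB: "freed slab object (KASAN_KMALLOC_FREE)",
    0xFC: "kmalloc redzone (KASAN_KMALLOC_REDZONE)",
    0xFE: "page redzone (KASAN_PAGE_REDZONE)",
    0xFF: "freed page (KASAN_FREE_PAGE)",
}
# Heuristic (this example's own): frames to skip when naming the "culprit" of a stack.
NOISE = ("kasan_", "kmem_cache_", "kmalloc", "__kmalloc", "kfree",
         "dump_stack", "print_address_description")


@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    rw: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    pid: int = 0
    stacks: dict = field(default_factory=dict)  # "access" / "alloc" / "free" -> [funcs]
    obj_base: int = 0
    cache: str = ""
    obj_size: int = 0
    shadow: int = -1  # poison byte under the access address, -1 if not found

    @property
    def offset(self) -> int:
        return self.addr - self.obj_base

    @property
    def title(self) -> str:
        return f"KASAN: {self.kind} {self.rw} in {self.func}"

    def culprit(self, which: str):
        """First frame of a stack that is not allocator/instrumentation plumbing."""
        return next((f for f in self.stacks.get(which, []) if not f.startswith(NOISE)), None)


def parse_kasan(text: str) -> KasanReport:
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = TS_RE.sub("", raw)          # drop the "[   47.xxxxxx] " prefix
        if (m := HEAD_RE.search(line)):
            r.kind, r.func = m["kind"], m["func"]
        elif (m := ACCESS_RE.search(line)):
            r.rw, r.size, r.addr = m["rw"], int(m["size"]), int(m["addr"], 16)
            r.task, r.pid = m["task"], int(m["pid"])
        elif line.startswith("Call Trace:"):
            section, r.stacks["access"] = "access", []
        elif line.startswith("Allocated by task"):
            section, r.stacks["alloc"] = "alloc", []
        elif line.startswith("Freed by task"):
            section, r.stacks["free"] = "free", []
        elif not line.strip():
            section = None                 # a blank line terminates a stack
        elif section and (m := FRAME_RE.match(line)):
            r.stacks[section].append(m["func"])
        elif (m := OBJ_RE.search(line)):
            r.obj_base = int(m["base"], 16)
        elif (m := CACHE_RE.search(line)):
            r.cache, r.obj_size = m["cache"], int(m["size"])
        elif (m := SHADOW_RE.match(line)):
            shadow = [int(b, 16) for b in m["bytes"].split()]
            idx = (r.addr - int(m["addr"], 16)) // 8
            if 0 <= idx < len(shadow):
                r.shadow = shadow[idx]
    return r


def describe(r: KasanReport) -> str:
    return "\n".join([
        r.title,
        f"{r.rw} of {r.size} bytes by {r.task}/{r.pid}",
        f"object: {r.cache} ({r.obj_size} bytes), access at offset {r.offset}",
        f"allocated in {r.culprit('alloc')}, freed in {r.culprit('free')}",
        f"shadow byte 0x{r.shadow:02x}: {SHADOW_MEANING.get(r.shadow, 'unknown')}",
    ])


if __name__ == "__main__":
    print(describe(parse_kasan(REPORT)))
```

Run against the excerpt, the summary names ip_local_deliver as the faulting function, __build_skb/ip_defrag as the allocation and free sites, offset 16 inside a 224-byte skbuff_head_cache object, and shadow byte 0xfb, which is exactly what the "Memory state" block says without the decoding.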