[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 20.515054] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 24.535236] random: sshd: uninitialized urandom read (32 bytes read) [ 24.882199] random: sshd: uninitialized urandom read (32 bytes read) [ 25.654195] random: sshd: uninitialized urandom read (32 bytes read) [ 31.774746] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.45' (ECDSA) to the list of known hosts. [ 37.198932] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 37.305587] ================================================================== [ 37.313162] BUG: KASAN: slab-out-of-bounds in __sctp_v6_cmp_addr+0x4c7/0x530 [ 37.320372] Read of size 8 at addr ffff8801b4bb98e0 by task syz-executor112/4517 [ 37.327919] [ 37.329574] CPU: 1 PID: 4517 Comm: syz-executor112 Not tainted 4.17.0-rc2+ #19 [ 37.336950] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 37.346312] Call Trace: [ 37.348919] dump_stack+0x1b9/0x294 [ 37.352590] ? dump_stack_print_info.cold.2+0x52/0x52 [ 37.357801] ? printk+0x9e/0xba [ 37.361098] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 37.365877] ? kasan_check_write+0x14/0x20 [ 37.370134] print_address_description+0x6c/0x20b [ 37.375002] ? __sctp_v6_cmp_addr+0x4c7/0x530 [ 37.379525] kasan_report.cold.7+0x242/0x2fe [ 37.383950] __asan_report_load8_noabort+0x14/0x20 [ 37.388916] __sctp_v6_cmp_addr+0x4c7/0x530 [ 37.393263] sctp_inet6_cmp_addr+0x169/0x1a0 [ 37.397692] sctp_bind_addr_match+0x20b/0x400 [ 37.402210] ? sctp_bind_addrs_to_raw+0x370/0x370 [ 37.407068] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 37.412621] ? sctp_v4_available+0x1b1/0x200 [ 37.417058] ? sctp_inet6_bind_verify+0xb2/0x500 [ 37.421834] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 37.427392] sctp_do_bind+0x1c0/0x5f0 [ 37.431217] sctp_bindx_add+0x90/0x1a0 [ 37.435130] sctp_setsockopt_bindx+0x2ad/0x320 [ 37.439745] sctp_setsockopt+0x12c4/0x7000 [ 37.443992] ? mark_held_locks+0xc9/0x160 [ 37.448141] ? page_add_new_anon_rmap+0x3ff/0x850 [ 37.452998] ? sctp_setsockopt_paddr_thresholds+0x560/0x560 [ 37.458733] ? find_held_lock+0x36/0x1c0 [ 37.462829] ? lock_downgrade+0x8e0/0x8e0 [ 37.466989] ? pudp_huge_clear_flush+0x230/0x230 [ 37.474494] ? kasan_check_read+0x11/0x20 [ 37.478668] ? do_raw_spin_unlock+0x9e/0x2e0 [ 37.483106] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 37.487711] ? kasan_check_write+0x14/0x20 [ 37.491972] ? do_raw_spin_lock+0xc1/0x200 [ 37.496249] ? _raw_spin_unlock+0x22/0x30 [ 37.500438] ? do_huge_pmd_anonymous_page+0x48d/0x1cc0 [ 37.505749] ? __thp_get_unmapped_area+0x180/0x180 [ 37.510711] ? debug_check_no_locks_freed+0x310/0x310 [ 37.515935] ? alloc_file+0x24/0x3e0 [ 37.519676] ? sock_alloc_file+0x1f3/0x4e0 [ 37.523919] ? __sys_socket+0x16f/0x250 [ 37.527915] ? do_syscall_64+0x1b1/0x800 [ 37.531988] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 37.537363] ? debug_mutex_init+0x1c/0x60 [ 37.541510] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 37.546525] ? graph_lock+0x170/0x170 [ 37.550314] ? pud_val+0x80/0xf0 [ 37.553666] ? pmd_val+0xf0/0xf0 [ 37.557040] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 37.562602] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 37.568144] ? __handle_mm_fault+0x93a/0x4310 [ 37.572647] ? vm_insert_mixed_mkwrite+0x40/0x40 [ 37.577399] ? graph_lock+0x170/0x170 [ 37.581200] ? graph_lock+0x170/0x170 [ 37.584998] ? find_held_lock+0x36/0x1c0 [ 37.589065] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 37.594604] ? __fget_light+0x2ef/0x430 [ 37.598579] ? fget_raw+0x20/0x20 [ 37.602037] ? lock_downgrade+0x8e0/0x8e0 [ 37.606185] ? handle_mm_fault+0x8c0/0xc70 [ 37.610423] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 37.615967] ? handle_mm_fault+0x55a/0xc70 [ 37.620205] sock_common_setsockopt+0x9a/0xe0 [ 37.624700] __sys_setsockopt+0x1bd/0x390 [ 37.628856] ? kernel_accept+0x310/0x310 [ 37.632927] ? mm_fault_error+0x380/0x380 [ 37.637077] ? __ia32_sys_fallocate+0xf0/0xf0 [ 37.641587] __x64_sys_setsockopt+0xbe/0x150 [ 37.646002] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 37.651020] do_syscall_64+0x1b1/0x800 [ 37.654911] ? syscall_return_slowpath+0x5c0/0x5c0 [ 37.659851] ? syscall_return_slowpath+0x30f/0x5c0 [ 37.664802] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 37.670171] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 37.675017] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 37.680202] RIP: 0033:0x43fda9 [ 37.683382] RSP: 002b:00007fff11cbd088 EFLAGS: 00000217 ORIG_RAX: 0000000000000036 [ 37.691088] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fda9 [ 37.698357] RDX: 0000000000000064 RSI: 0000000000000084 RDI: 0000000000000003 [ 37.705633] RBP: 00000000006ca018 R08: 0000000000000020 R09: 00000000004002c8 [ 37.712907] R10: 0000000020d24000 R11: 0000000000000217 R12: 00000000004016d0 [ 37.720177] R13: 0000000000401760 R14: 0000000000000000 R15: 0000000000000000 [ 37.727457] [ 37.729089] Allocated by task 4517: [ 37.732727] save_stack+0x43/0xd0 [ 37.736180] kasan_kmalloc+0xc4/0xe0 [ 37.739896] __kmalloc_node+0x47/0x70 [ 37.743700] kvmalloc_node+0x6b/0x100 [ 37.747504] vmemdup_user+0x2d/0xa0 [ 37.751131] sctp_setsockopt_bindx+0x5d/0x320 [ 37.755620] sctp_setsockopt+0x12c4/0x7000 [ 37.759848] sock_common_setsockopt+0x9a/0xe0 [ 37.764343] __sys_setsockopt+0x1bd/0x390 [ 37.768498] __x64_sys_setsockopt+0xbe/0x150 [ 37.772915] do_syscall_64+0x1b1/0x800 [ 37.776801] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 37.781975] [ 37.783591] Freed by task 2811: [ 37.786871] save_stack+0x43/0xd0 [ 37.790319] __kasan_slab_free+0x11a/0x170 [ 37.794559] kasan_slab_free+0xe/0x10 [ 37.798360] kfree+0xd9/0x260 [ 37.801473] single_release+0x8f/0xb0 [ 37.805269] __fput+0x34d/0x890 [ 37.808555] ____fput+0x15/0x20 [ 37.811843] task_work_run+0x1e4/0x290 [ 37.815726] exit_to_usermode_loop+0x2bd/0x310 [ 37.820305] do_syscall_64+0x6ac/0x800 [ 37.824190] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 37.829365] [ 37.830984] The buggy address belongs to the object at ffff8801b4bb98c0 [ 37.830984] which belongs to the cache kmalloc-32 of size 32 [ 37.843480] The buggy address is located 0 bytes to the right of [ 37.843480] 32-byte region [ffff8801b4bb98c0, ffff8801b4bb98e0) [ 37.855626] The buggy address belongs to the page: [ 37.860566] page:ffffea0006d2ee40 count:1 mapcount:0 mapping:ffff8801b4bb9000 index:0xffff8801b4bb9fc1 [ 37.870013] flags: 0x2fffc0000000100(slab) [ 37.874251] raw: 02fffc0000000100 ffff8801b4bb9000 ffff8801b4bb9fc1 000000010000003a [ 37.882133] raw: ffffea00075c26e0 ffffea000766f460 ffff8801da8001c0 0000000000000000 [ 37.890004] page dumped because: kasan: bad access detected [ 37.895707] [ 37.897319] Memory state around the buggy address: [ 37.902247] ffff8801b4bb9780: fb fb fb fb fc fc fc fc 00 fc fc fc fc fc fc fc [ 37.909619] ffff8801b4bb9800: 00 03 fc fc fc fc fc fc fb fb fb fb fc fc fc fc [ 37.916983] >ffff8801b4bb9880: fb fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc [ 37.924343] ^ [ 37.930835] ffff8801b4bb9900: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 37.938199] ffff8801b4bb9980: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 37.945560] ================================================================== [ 37.952920] Disabling lock debugging due to kernel taint [ 37.958465] Kernel panic - not syncing: panic_on_warn set ... [ 37.958465] [ 37.965837] CPU: 1 PID: 4517 Comm: syz-executor112 Tainted: G B 4.17.0-rc2+ #19 [ 37.974591] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 37.983947] Call Trace: [ 37.986553] dump_stack+0x1b9/0x294 [ 37.990189] ? dump_stack_print_info.cold.2+0x52/0x52 [ 37.995381] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 38.000142] ? __sctp_v6_cmp_addr+0x3f0/0x530 [ 38.004637] panic+0x22f/0x4de [ 38.007826] ? add_taint.cold.5+0x16/0x16 [ 38.011978] ? do_raw_spin_unlock+0x9e/0x2e0 [ 38.016401] ? do_raw_spin_unlock+0x9e/0x2e0 [ 38.020822] ? __sctp_v6_cmp_addr+0x4c7/0x530 [ 38.025315] kasan_end_report+0x47/0x4f [ 38.029286] kasan_report.cold.7+0x76/0x2fe [ 38.033620] __asan_report_load8_noabort+0x14/0x20 [ 38.038556] __sctp_v6_cmp_addr+0x4c7/0x530 [ 38.042873] sctp_inet6_cmp_addr+0x169/0x1a0 [ 38.047279] sctp_bind_addr_match+0x20b/0x400 [ 38.051773] ? sctp_bind_addrs_to_raw+0x370/0x370 [ 38.056624] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 38.062165] ? sctp_v4_available+0x1b1/0x200 [ 38.066578] ? sctp_inet6_bind_verify+0xb2/0x500 [ 38.071333] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 38.076872] sctp_do_bind+0x1c0/0x5f0 [ 38.080665] sctp_bindx_add+0x90/0x1a0 [ 38.084545] sctp_setsockopt_bindx+0x2ad/0x320 [ 38.089121] sctp_setsockopt+0x12c4/0x7000 [ 38.093349] ? mark_held_locks+0xc9/0x160 [ 38.097503] ? page_add_new_anon_rmap+0x3ff/0x850 [ 38.102348] ? sctp_setsockopt_paddr_thresholds+0x560/0x560 [ 38.108060] ? find_held_lock+0x36/0x1c0 [ 38.112123] ? lock_downgrade+0x8e0/0x8e0 [ 38.116262] ? pudp_huge_clear_flush+0x230/0x230 [ 38.121013] ? kasan_check_read+0x11/0x20 [ 38.125162] ? do_raw_spin_unlock+0x9e/0x2e0 [ 38.129575] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 38.134161] ? kasan_check_write+0x14/0x20 [ 38.138398] ? do_raw_spin_lock+0xc1/0x200 [ 38.142641] ? _raw_spin_unlock+0x22/0x30 [ 38.146787] ? do_huge_pmd_anonymous_page+0x48d/0x1cc0 [ 38.152061] ? __thp_get_unmapped_area+0x180/0x180 [ 38.156988] ? debug_check_no_locks_freed+0x310/0x310 [ 38.162175] ? alloc_file+0x24/0x3e0 [ 38.165884] ? sock_alloc_file+0x1f3/0x4e0 [ 38.170111] ? __sys_socket+0x16f/0x250 [ 38.174084] ? do_syscall_64+0x1b1/0x800 [ 38.178140] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 38.183508] ? debug_mutex_init+0x1c/0x60 [ 38.187657] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 38.192756] ? graph_lock+0x170/0x170 [ 38.196553] ? pud_val+0x80/0xf0 [ 38.199914] ? pmd_val+0xf0/0xf0 [ 38.203276] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 38.208810] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 38.214346] ? __handle_mm_fault+0x93a/0x4310 [ 38.218850] ? vm_insert_mixed_mkwrite+0x40/0x40 [ 38.223599] ? graph_lock+0x170/0x170 [ 38.227397] ? graph_lock+0x170/0x170 [ 38.231191] ? find_held_lock+0x36/0x1c0 [ 38.235250] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 38.240790] ? __fget_light+0x2ef/0x430 [ 38.244764] ? fget_raw+0x20/0x20 [ 38.248210] ? lock_downgrade+0x8e0/0x8e0 [ 38.252378] ? handle_mm_fault+0x8c0/0xc70 [ 38.256613] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 38.262144] ? handle_mm_fault+0x55a/0xc70 [ 38.266367] sock_common_setsockopt+0x9a/0xe0 [ 38.270861] __sys_setsockopt+0x1bd/0x390 [ 38.274999] ? kernel_accept+0x310/0x310 [ 38.279058] ? mm_fault_error+0x380/0x380 [ 38.283198] ? __ia32_sys_fallocate+0xf0/0xf0 [ 38.287687] __x64_sys_setsockopt+0xbe/0x150 [ 38.292086] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 38.297097] do_syscall_64+0x1b1/0x800 [ 38.300979] ? syscall_return_slowpath+0x5c0/0x5c0 [ 38.305905] ? syscall_return_slowpath+0x30f/0x5c0 [ 38.310837] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 38.316196] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 38.321047] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 38.326228] RIP: 0033:0x43fda9 [ 38.329413] RSP: 002b:00007fff11cbd088 EFLAGS: 00000217 ORIG_RAX: 0000000000000036 [ 38.337121] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fda9 [ 38.344389] RDX: 0000000000000064 RSI: 0000000000000084 RDI: 0000000000000003 [ 38.351667] RBP: 00000000006ca018 R08: 0000000000000020 R09: 00000000004002c8 [ 38.358940] R10: 0000000020d24000 R11: 0000000000000217 R12: 00000000004016d0 [ 38.366206] R13: 0000000000401760 R14: 0000000000000000 R15: 0000000000000000 [ 38.374087] Dumping ftrace buffer: [ 38.377620] (ftrace buffer empty) [ 38.381323] Kernel Offset: disabled [ 38.384949] Rebooting in 86400 seconds..