[ ok ] Starting enhanced syslogd: rsyslogd.
[   11.074273] audit: type=1400 audit(1516522439.126:4): avc: denied { syslog } for pid=3174 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.240' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   25.708174] ==================================================================
[   25.709235] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0x103/0x120
[   25.710170] Read of size 8 at addr ffff8801cc88f140 by task syzkaller280539/3330
[   25.711156] 
[   25.711395] CPU: 0 PID: 3330 Comm: syzkaller280539 Not tainted 4.9.77-ge12a9c4 #18
[   25.712407] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.713632]  ffff8801c8a87ab0 ffffffff81d941c9 ffffea00073223c0 ffff8801cc88f140
[   25.714796]  0000000000000000 ffff8801cc88f140 ffff8801cd5fc438 ffff8801c8a87ae8
[   25.715967]  ffffffff8153db93 ffff8801cc88f140 0000000000000008 0000000000000000
[   25.717123] Call Trace:
[   25.717486]  [] dump_stack+0xc1/0x128
[   25.718213]  [] print_address_description+0x73/0x280
[   25.719109]  [] kasan_report+0x275/0x360
[   25.719886]  [] ? sg_remove_request+0x103/0x120
[   25.720748]  [] __asan_report_load8_noabort+0x14/0x20
[   25.721655]  [] sg_remove_request+0x103/0x120
[   25.722493]  [] sg_finish_rem_req+0x295/0x340
[   25.723296]  [] sg_read+0xa1c/0x1440
[   25.724025]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   25.724903]  [] ? fasync_insert_entry+0x147/0x2e0
[   25.725749]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   25.726628]  [] __vfs_read+0x103/0x670
[   25.727374]  [] ? default_llseek+0x290/0x290
[   25.728165]  [] ? fsnotify+0x86/0xf30
[   25.732921]  [] ? fsnotify+0xf30/0xf30
[   25.738345]  [] ? avc_policy_seqno+0x9/0x20
[   25.744201]  [] ? selinux_file_permission+0x82/0x460
[   25.750837]  [] ? security_file_permission+0x89/0x1e0
[   25.757564]  [] ? rw_verify_area+0xe5/0x2b0
[   25.763419]  [] vfs_read+0x11e/0x380
[   25.768665]  [] SyS_read+0xd9/0x1b0
[   25.773825]  [] ? vfs_copy_file_range+0x740/0x740
[   25.780201]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   25.787011]  [] ? trace_hardirqs_on_thunk+0x1a/0x1c
[   25.793572]  [] entry_SYSCALL_64_fastpath+0x29/0xe8
[   25.800122] 
[   25.801721] Allocated by task 0:
[   25.805051]  (stack is not available)
[   25.808729] 
[   25.810324] Freed by task 0:
[   25.813309]  (stack is not available)
[   25.816987] 
[   25.818584] The buggy address belongs to the object at ffff8801cc88f100
[   25.818584]  which belongs to the cache fasync_cache of size 96
[   25.831223] The buggy address is located 64 bytes inside of
[   25.831223]  96-byte region [ffff8801cc88f100, ffff8801cc88f160)
[   25.842894] The buggy address belongs to the page:
[   25.847795] page:ffffea00073223c0 count:1 mapcount:0 mapping:          (null) index:0x0
[   25.856017] flags: 0x8000000000000080(slab)
[   25.860305] page dumped because: kasan: bad access detected
[   25.865995] 
[   25.867594] Memory state around the buggy address:
[   25.872497]  ffff8801cc88f000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   25.879827]  ffff8801cc88f080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.887153] >ffff8801cc88f100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.894673]                                            ^
[   25.900107]  ffff8801cc88f180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.907437]  ffff8801cc88f200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.914764] ==================================================================
[   25.922092] Disabling lock debugging due to kernel taint
[   25.927705] Kernel panic - not syncing: panic_on_warn set ...
[   25.927705] 
[   25.935047] CPU: 0 PID: 3330 Comm: syzkaller280539 Tainted: G    B           4.9.77-ge12a9c4 #18
[   25.943939] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.953265]  ffff8801c8a87a08 ffffffff81d941c9 ffffffff841970ff ffff8801c8a87ae0
[   25.961238]  0000000000000000 ffff8801cc88f140 ffff8801cd5fc438 ffff8801c8a87ad0
[   25.969215]  ffffffff8142f3c1 0000000041b58ab3 ffffffff8418ab70 ffffffff8142f205
[   25.977186] Call Trace:
[   25.979749]  [] dump_stack+0xc1/0x128
[   25.985086]  [] panic+0x1bc/0x3a8
[   25.990080]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   25.998280]  [] ? preempt_schedule+0x25/0x30
[   26.004220]  [] ? ___preempt_schedule+0x16/0x18
[   26.010424]  [] kasan_end_report+0x50/0x50
[   26.016203]  [] kasan_report+0x167/0x360
[   26.021801]  [] ? sg_remove_request+0x103/0x120
[   26.028004]  [] __asan_report_load8_noabort+0x14/0x20
[   26.034726]  [] sg_remove_request+0x103/0x120
[   26.040760]  [] sg_finish_rem_req+0x295/0x340
[   26.046789]  [] sg_read+0xa1c/0x1440
[   26.052037]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   26.058740]  [] ? fasync_insert_entry+0x147/0x2e0
[   26.065123]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   26.071772]  [] __vfs_read+0x103/0x670
[   26.077192]  [] ? default_llseek+0x290/0x290
[   26.083135]  [] ? fsnotify+0x86/0xf30
[   26.088476]  [] ? fsnotify+0xf30/0xf30
[   26.093901]  [] ? avc_policy_seqno+0x9/0x20
[   26.099768]  [] ? selinux_file_permission+0x82/0x460
[   26.106404]  [] ? security_file_permission+0x89/0x1e0
[   26.113128]  [] ? rw_verify_area+0xe5/0x2b0
[   26.118981]  [] vfs_read+0x11e/0x380
[   26.124229]  [] SyS_read+0xd9/0x1b0
[   26.129392]  [] ? vfs_copy_file_range+0x740/0x740
[   26.135792]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   26.142613]  [] ? trace_hardirqs_on_thunk+0x1a/0x1c
[   26.149164]  [] entry_SYSCALL_64_fastpath+0x29/0xe8
[   26.156112] Dumping ftrace buffer:
[   26.160102]    (ftrace buffer empty)
[   26.163786] Kernel Offset: disabled
[   26.167386] Rebooting in 86400 seconds..
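Triage of a KASAN report like this one usually comes down to four questions: which frame is the real culprit (not the sanitizer's own reporting frames), which syscall reaches it, whether the "N bytes inside of" arithmetic agrees with the addresses printed, and what the shadow bytes say about the object that was touched. The Python below is an added example, not part of the original console log or of syzkaller's own report parser; it extracts those fields and cross-checks them. The embedded sample is constructed from the report lines above, with the "[ ]" frames left exactly as this page shows them (the kernel prints the return address inside the brackets; the regex accepts both forms). The shadow legend values are the ones in the kernel's mm/kasan/kasan.h; the 8-byte granule size is KASAN's shadow scale on x86-64.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the substantive lines of the report above, printk timestamps included.
REPORT = """\
[   25.709235] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0x103/0x120
[   25.710170] Read of size 8 at addr ffff8801cc88f140 by task syzkaller280539/3330
[   25.719109]  [] kasan_report+0x275/0x360
[   25.719886]  [] ? sg_remove_request+0x103/0x120
[   25.720748]  [] __asan_report_load8_noabort+0x14/0x20
[   25.721655]  [] sg_remove_request+0x103/0x120
[   25.722493]  [] sg_finish_rem_req+0x295/0x340
[   25.723296]  [] sg_read+0xa1c/0x1440
[   25.768665]  [] SyS_read+0xd9/0x1b0
[   25.801721] Allocated by task 0:
[   25.805051]  (stack is not available)
[   25.818584] The buggy address belongs to the object at ffff8801cc88f100
[   25.818584]  which belongs to the cache fasync_cache of size 96
[   25.831223] The buggy address is located 64 bytes inside of
[   25.831223]  96-byte region [ffff8801cc88f100, ffff8801cc88f160)
[   25.872497]  ffff8801cc88f000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   25.887153] >ffff8801cc88f100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

# Shadow-byte legend (mm/kasan/kasan.h). One shadow byte covers an 8-byte granule;
# values 01..07 mean only that many leading bytes of the granule are addressable.
SHADOW_LEGEND = {0x00: "addressable", 0xfa: "global redzone", 0xfb: "freed (kmalloc)",
                 0xfc: "kmalloc redzone", 0xfe: "page redzone", 0xff: "free page"}
# Frames that belong to the sanitizer's reporting path rather than to the bug.
REPORTING = ("kasan_", "__asan_", "dump_stack", "print_address_description", "check_memory_region")

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
_FRAME = re.compile(r"^\s*\[(?:<[0-9a-f]+>)?\]\s+(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
_SHADOW = re.compile(r"^\s*>?([0-9a-f]{16}):((?:\s[0-9a-f]{2}){16})\s*$")

@dataclass
class KasanReport:
    bug: str = ""                  # bug class, e.g. slab-out-of-bounds
    func: str = ""                 # function named on the BUG: line
    access: str = ""               # Read or Write
    size: int = 0
    addr: int = 0
    task: str = ""                 # comm/pid of the faulting task
    cache: str = ""
    obj_start: int = 0
    obj_size: int = 0
    claimed_offset: int = -1       # "located N bytes inside of"
    alloc_stack: bool = False      # did KASAN record an allocation stack?
    frames: list = field(default_factory=list)   # faulting task's trace, '?' frames dropped
    shadow: dict = field(default_factory=dict)   # granule address -> shadow byte

def parse_kasan(text: str) -> KasanReport:
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = _TS.sub("", raw).rstrip()
        if m := re.match(r"BUG: KASAN: (\S+) in ([\w.]+)\+0x", line):
            r.bug, r.func = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            r.access, r.size, r.addr, r.task = m.group(1), int(m.group(2)), int(m.group(3), 16), m.group(4)
        elif line.startswith(("Allocated by task", "Freed by task")):
            section = line.split()[0]                 # "Allocated" or "Freed"
            r.alloc_stack = r.alloc_stack or section == "Allocated"
        elif "stack is not available" in line and section == "Allocated":
            r.alloc_stack = False
        elif m := re.search(r"belongs to the object at ([0-9a-f]+)", line):
            r.obj_start = int(m.group(1), 16)
        elif m := re.search(r"belongs to the cache (\S+) of size (\d+)", line):
            r.cache, r.obj_size = m.group(1), int(m.group(2))
        elif m := re.search(r"is located (\d+) bytes inside of", line):
            r.claimed_offset = int(m.group(1))
        elif (m := _FRAME.match(line)) and section is None and not m.group(1):
            r.frames.append(m.group(2))               # only the faulting task's own trace
        elif m := _SHADOW.match(line):
            base = int(m.group(1), 16)
            for i, b in enumerate(m.group(2).split()):
                r.shadow[base + 8 * i] = int(b, 16)   # each shadow byte covers 8 bytes
    return r

def triage(r: KasanReport) -> dict:
    culprit = next(f for f in r.frames if not f.startswith(REPORTING))
    syscall = next((f[len("SyS_"):] for f in r.frames if f.startswith("SyS_")), None)
    region = {r.shadow.get(a) for a in range(r.obj_start, r.obj_start + r.obj_size, 8)}
    return {
        "summary": f"{r.bug}: {r.access.lower()} of {r.size} bytes at {r.addr:#x} in {culprit}",
        "culprit_matches_header": culprit == r.func,
        "reachable_via_syscall": syscall,
        "offset_in_object": r.addr - r.obj_start,
        "offset_consistent": r.addr - r.obj_start == r.claimed_offset,
        "shadow_at_addr": SHADOW_LEGEND.get(r.shadow.get(r.addr & ~7), "partial or unknown"),
        # every granule of the object still redzone and no allocation stack: never handed out
        "object_ever_allocated": r.alloc_stack or region != {0xfc},
    }

if __name__ == "__main__":
    for k, v in triage(parse_kasan(REPORT)).items():
        print(f"{k:>24}: {v}")
```

Run against this report, the checks agree with the header: the faulting 8-byte read is in sg_remove_request, reached from read(2) through sg_read and sg_finish_rem_req, and the address really is 64 bytes into the 96-byte fasync_cache object. The part worth pausing on is the shadow map: the granule at the faulting address, and every other granule of that object, is 0xfc (kmalloc redzone), and KASAN has no allocation or free stack for it. So the report does not describe a read past the end of a live buffer; it describes a dereference into a slab object the sanitizer never saw allocated. What pointer sg_remove_request followed to get there is not something the report alone establishes.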