[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 20.053875] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 22.486786] random: sshd: uninitialized urandom read (32 bytes read, 38 bits of entropy available)
[ 22.782748] random: sshd: uninitialized urandom read (32 bytes read, 38 bits of entropy available)
[ 23.729403] random: nonblocking pool is initialized
Warning: Permanently added '10.128.10.3' (ECDSA) to the list of known hosts.
2018/06/16 14:42:38 parsed 1 programs
2018/06/16 14:42:40 executed programs: 0
[ 32.304211] IPVS: Creating netns size=2552 id=1
[ 32.530214] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 32.544707] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 32.621593] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 32.637468] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 32.713266] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 32.727576] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 32.744568] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 32.761137] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 33.446656] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 33.483628] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 33.751363] ==================================================================
[ 33.758762] BUG: KASAN: stack-out-of-bounds in iov_iter_advance+0x4b3/0x4f0
[ 33.765834] Read of size 8 at addr ffff8800b9167cc0 by task syz-executor0/4207
[ 33.773209]
[ 33.774810] CPU: 1 PID: 4207 Comm: syz-executor0 Not tainted 4.4.138-g07c0138 #60
[ 33.782398] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.791727]  0000000000000000 1362dfa68f8ff8c7 ffff8800b9167978 ffffffff81e0ed0d
[ 33.799729]  ffffea0002e459c0 ffff8800b9167cc0 0000000000000000 ffff8800b9167cc0
[ 33.807725]  ffff8800b9167cb8 ffff8800b91679b0 ffffffff81515a16 ffff8800b9167cc0
[ 33.815704] Call Trace:
[ 33.818263]  [] dump_stack+0xc1/0x124
[ 33.823601]  [] print_address_description+0x6c/0x216
[ 33.830237]  [] kasan_report.cold.7+0x175/0x2f7
[ 33.836448]  [] ? iov_iter_advance+0x4b3/0x4f0
[ 33.842574]  [] __asan_report_load8_noabort+0x14/0x20
[ 33.849298]  [] iov_iter_advance+0x4b3/0x4f0
[ 33.855241]  [] tun_get_user+0x2cd/0x2410
[ 33.860921]  [] ? tun_net_xmit+0xe60/0xe60
[ 33.866693]  [] ? tun_chr_close+0x60/0x60
[ 33.872373]  [] ? __tun_get+0x126/0x230
[ 33.877879]  [] tun_chr_write_iter+0xd5/0x190
[ 33.883906]  [] __vfs_write+0x30d/0x3f0
[ 33.889420]  [] ? __vfs_read+0x3e0/0x3e0
[ 33.895012]  [] ? __tun_chr_ioctl+0x3130/0x3130
[ 33.901213]  [] ? tun_chr_compat_ioctl+0x29/0x30
[ 33.907506]  [] ? compat_SyS_ioctl+0x1d5/0x2270
[ 33.913718]  [] ? avc_policy_seqno+0x9/0x20
[ 33.919571]  [] ? selinux_file_permission+0x2f2/0x450
[ 33.926294]  [] ? rw_verify_area+0x100/0x300
[ 33.932235]  [] vfs_write+0x191/0x4e0
[ 33.937574]  [] SyS_write+0xd9/0x1c0
[ 33.942820]  [] ? SyS_read+0x1c0/0x1c0
[ 33.948239]  [] ? do_fast_syscall_32+0xdb/0x8b0
[ 33.954439]  [] ? SyS_read+0x1c0/0x1c0
[ 33.959859]  [] do_fast_syscall_32+0x326/0x8b0
[ 33.965974]  [] sysenter_flags_fixed+0xd/0x17
[ 33.972005]
[ 33.973609] The buggy address belongs to the page:
[ 33.978510] page:ffffea0002e459c0 count:0 mapcount:0 mapping: (null) index:0x0
[ 33.986623] flags: 0x4000000000000000()
[ 33.990680] page dumped because: kasan: bad access detected
[ 33.996356]
[ 33.997952] Memory state around the buggy address:
[ 34.002849]  ffff8800b9167b80: f2 f2 f2 f2 00 00 00 00 00 f2 f2 f2 00 00 00 00
[ 34.010187]  ffff8800b9167c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 34.017515] >ffff8800b9167c80: 00 f1 f1 f1 f1 00 00 f2 f2 f2 f2 f2 f2 00 00 00
[ 34.024844]                                            ^
[ 34.030262]  ffff8800b9167d00: 00 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 f2 f2
[ 34.037590]  ffff8800b9167d80: f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 34.045042] ==================================================================
[ 34.052370] Disabling lock debugging due to kernel taint
[ 34.059928] Kernel panic - not syncing: panic_on_warn set ...
[ 34.059928]
[ 34.067292] CPU: 1 PID: 4207 Comm: syz-executor0 Tainted: G B 4.4.138-g07c0138 #60
[ 34.076096] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.085421]  0000000000000000 1362dfa68f8ff8c7 ffff8800b91678d8 ffffffff81e0ed0d
[ 34.093399]  ffffffff841ed4ef 0000000000000008 0000000000000000 ffff8800b9167cc0
[ 34.101383]  ffff8800b9167cb8 ffff8800b9167998 ffffffff8140a184 0000000041b58ab3
[ 34.109362] Call Trace:
[ 34.111923]  [] dump_stack+0xc1/0x124
[ 34.117269]  [] panic+0x19e/0x38d
[ 34.122256]  [] ? add_taint.cold.4+0x16/0x16
[ 34.128198]  [] ? preempt_schedule_common+0x22/0x60
[ 34.134749]  [] ? preempt_schedule+0x25/0x30
[ 34.140693]  [] ? ___preempt_schedule+0x12/0x14
[ 34.146899]  [] kasan_end_report+0x47/0x4f
[ 34.152669]  [] kasan_report.cold.7+0x192/0x2f7
[ 34.158875]  [] ? iov_iter_advance+0x4b3/0x4f0
[ 34.165000]  [] __asan_report_load8_noabort+0x14/0x20
[ 34.171726]  [] iov_iter_advance+0x4b3/0x4f0
[ 34.177671]  [] tun_get_user+0x2cd/0x2410
[ 34.183350]  [] ? tun_net_xmit+0xe60/0xe60
[ 34.189117]  [] ? tun_chr_close+0x60/0x60
[ 34.194799]  [] ? __tun_get+0x126/0x230
[ 34.200309]  [] tun_chr_write_iter+0xd5/0x190
[ 34.206338]  [] __vfs_write+0x30d/0x3f0
[ 34.211843]  [] ? __vfs_read+0x3e0/0x3e0
[ 34.217441]  [] ? __tun_chr_ioctl+0x3130/0x3130
[ 34.223646]  [] ? tun_chr_compat_ioctl+0x29/0x30
[ 34.229942]  [] ? compat_SyS_ioctl+0x1d5/0x2270
[ 34.236151]  [] ? avc_policy_seqno+0x9/0x20
[ 34.242012]  [] ? selinux_file_permission+0x2f2/0x450
[ 34.248736]  [] ? rw_verify_area+0x100/0x300
[ 34.254679]  [] vfs_write+0x191/0x4e0
[ 34.260015]  [] SyS_write+0xd9/0x1c0
[ 34.265264]  [] ? SyS_read+0x1c0/0x1c0
[ 34.270687]  [] ? do_fast_syscall_32+0xdb/0x8b0
[ 34.276888]  [] ? SyS_read+0x1c0/0x1c0
[ 34.282307]  [] do_fast_syscall_32+0x326/0x8b0
[ 34.288429]  [] sysenter_flags_fixed+0xd/0x17
[ 34.295075] Dumping ftrace buffer:
[ 34.298590]    (ftrace buffer empty)
[ 34.302270] Kernel Offset: disabled
[ 34.305875] Rebooting in 86400 seconds..