[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 40.851717] random: sshd: uninitialized urandom read (32 bytes read)
[ 41.194534] audit: type=1400 audit(1569561996.567:6): avc: denied { map } for pid=1771 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 41.244804] random: sshd: uninitialized urandom read (32 bytes read)
[ 41.817567] random: sshd: uninitialized urandom read (32 bytes read)
[ 54.482122] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.92' (ECDSA) to the list of known hosts.
[ 59.906262] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 60.001199] audit: type=1400 audit(1569562015.377:7): avc: denied { map } for pid=1793 comm="syz-executor263" path="/root/syz-executor263154466" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 60.027699] audit: type=1400 audit(1569562015.377:8): avc: denied { prog_load } for pid=1793 comm="syz-executor263" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 60.050680] ==================================================================
[ 60.051372] audit: type=1400 audit(1569562015.427:9): avc: denied { prog_run } for pid=1793 comm="syz-executor263" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 60.058123] BUG: KASAN: slab-out-of-bounds in bpf_skb_change_head+0x4ea/0x600
[ 60.087846] Read of size 4 at addr ffff8881cbeb2878 by task syz-executor263/1793
[ 60.095361]
[ 60.096972] CPU: 0 PID: 1793 Comm: syz-executor263 Not tainted 4.14.146+ #0
[ 60.104048] Call Trace:
[ 60.106622]  dump_stack+0xca/0x134
[ 60.110820]  ? bpf_skb_change_head+0x4ea/0x600
[ 60.115466]  ? bpf_skb_change_head+0x4ea/0x600
[ 60.120262]  ? bpf_skb_change_tail+0xb80/0xb80
[ 60.124835]  print_address_description+0x60/0x226
[ 60.129680]  ? bpf_skb_change_head+0x4ea/0x600
[ 60.134354]  ? bpf_skb_change_head+0x4ea/0x600
[ 60.138934]  ? bpf_skb_change_tail+0xb80/0xb80
[ 60.143533]  __kasan_report.cold+0x1a/0x41
[ 60.147787]  ? bpf_skb_change_head+0x4ea/0x600
[ 60.152354]  bpf_skb_change_head+0x4ea/0x600
[ 60.156751]  ? bpf_skb_change_tail+0xb80/0xb80
[ 60.161317]  ___bpf_prog_run+0x2478/0x5510
[ 60.165536]  ? lock_downgrade+0x5d0/0x5d0
[ 60.169745]  ? lock_acquire+0x12b/0x360
[ 60.173714]  ? bpf_jit_compile+0x30/0x30
[ 60.177778]  ? __bpf_prog_run512+0x99/0xe0
[ 60.182014]  ? ___bpf_prog_run+0x5510/0x5510
[ 60.186424]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[ 60.191531]  ? trace_hardirqs_on_caller+0x37b/0x540
[ 60.196531]  ? __lock_acquire+0x5d7/0x4320
[ 60.200864]  ? __lock_acquire+0x5d7/0x4320
[ 60.205082]  ? __kasan_kmalloc.part.0+0x8a/0xc0
[ 60.209752]  ? trace_hardirqs_on+0x10/0x10
[ 60.214019]  ? __lock_acquire+0x5d7/0x4320
[ 60.218254]  ? bpf_test_run+0x42/0x340
[ 60.222130]  ? lock_acquire+0x12b/0x360
[ 60.226085]  ? bpf_test_run+0x13a/0x340
[ 60.230042]  ? check_preemption_disabled+0x35/0x1f0
[ 60.235046]  ? rcu_dynticks_curr_cpu_in_eqs+0x4c/0xa0
[ 60.240317]  ? bpf_test_run+0xa8/0x340
[ 60.244214]  ? bpf_prog_test_run_skb+0x638/0x8c0
[ 60.248967]  ? bpf_test_init.isra.0+0xc0/0xc0
[ 60.253633]  ? bpf_prog_add+0x53/0xc0
[ 60.257413]  ? bpf_test_init.isra.0+0xc0/0xc0
[ 60.261888]  ? SyS_bpf+0xa3b/0x3830
[ 60.265494]  ? bpf_prog_get+0x20/0x20
[ 60.269298]  ? __do_page_fault+0x49f/0xbb0
[ 60.273526]  ? lock_downgrade+0x5d0/0x5d0
[ 60.277658]  ? __do_page_fault+0x677/0xbb0
[ 60.281887]  ? do_syscall_64+0x43/0x520
[ 60.285924]  ? bpf_prog_get+0x20/0x20
[ 60.289706]  ? do_syscall_64+0x19b/0x520
[ 60.293749]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 60.299099]
[ 60.300708] Allocated by task 222:
[ 60.304230]  __kasan_kmalloc.part.0+0x53/0xc0
[ 60.308722]  kmem_cache_alloc+0xee/0x360
[ 60.312786]  __alloc_skb+0xea/0x5c0
[ 60.316390]  netlink_sendmsg+0x958/0xbe0
[ 60.320456]  sock_sendmsg+0xb7/0x100
[ 60.324328]  ___sys_sendmsg+0x752/0x890
[ 60.328368]  __sys_sendmsg+0xb6/0x150
[ 60.332162]  SyS_sendmsg+0x27/0x40
[ 60.335683]  do_syscall_64+0x19b/0x520
[ 60.339563]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 60.344743]  0xffffffffffffffff
[ 60.348017]
[ 60.349628] Freed by task 222:
[ 60.352803]  __kasan_slab_free+0x164/0x210
[ 60.357018]  kmem_cache_free+0xd7/0x3b0
[ 60.360972]  kfree_skbmem+0xa0/0x110
[ 60.364662]  kfree_skb+0xeb/0x370
[ 60.368091]  netlink_unicast+0x595/0x650
[ 60.372130]  netlink_sendmsg+0x66a/0xbe0
[ 60.376187]  sock_sendmsg+0xb7/0x100
[ 60.380073]  ___sys_sendmsg+0x752/0x890
[ 60.384222]  __sys_sendmsg+0xb6/0x150
[ 60.387999]  SyS_sendmsg+0x27/0x40
[ 60.391518]  do_syscall_64+0x19b/0x520
[ 60.395383]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 60.400547]  0xffffffffffffffff
[ 60.403799]
[ 60.405407] The buggy address belongs to the object at ffff8881cbeb2780
[ 60.405407]  which belongs to the cache skbuff_head_cache of size 224
[ 60.418563] The buggy address is located 24 bytes to the right of
[ 60.418563]  224-byte region [ffff8881cbeb2780, ffff8881cbeb2860)
[ 60.430862] The buggy address belongs to the page:
[ 60.435783] page:ffffea00072fac80 count:1 mapcount:0 mapping: (null) index:0x0
[ 60.443918] flags: 0x4000000000000200(slab)
[ 60.448260] raw: 4000000000000200 0000000000000000 0000000000000000 00000001800c000c
[ 60.456124] raw: ffffea00072fda40 0000000200000002 ffff8881d6770200 0000000000000000
[ 60.463984] page dumped because: kasan: bad access detected
[ 60.469670]
[ 60.471276] Memory state around the buggy address:
[ 60.476195]  ffff8881cbeb2700: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 60.483548]  ffff8881cbeb2780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.490908] >ffff8881cbeb2800: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 60.498243]                                                                 ^
[ 60.505492]  ffff8881cbeb2880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 60.512920]  ffff8881cbeb2900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.520345] ==================================================================
[ 60.527687] Disabling lock debugging due to kernel taint
[ 60.533381] Kernel panic - not syncing: panic_on_warn set ...
[ 60.533381]
[ 60.540757] CPU: 0 PID: 1793 Comm: syz-executor263 Tainted: G    B   4.14.146+ #0
[ 60.549061] Call Trace:
[ 60.551634]  dump_stack+0xca/0x134
[ 60.555154]  panic+0x1ea/0x3d3
[ 60.558323]  ? add_taint.cold+0x16/0x16
[ 60.562282]  ? bpf_skb_change_head+0x4ea/0x600
[ 60.566840]  ? bpf_skb_change_tail+0xb80/0xb80
[ 60.571422]  end_report+0x43/0x49
[ 60.574851]  ? bpf_skb_change_head+0x4ea/0x600
[ 60.580381]  __kasan_report.cold+0xd/0x41
[ 60.584529]  ? bpf_skb_change_head+0x4ea/0x600
[ 60.589102]  bpf_skb_change_head+0x4ea/0x600
[ 60.593487]  ? bpf_skb_change_tail+0xb80/0xb80
[ 60.598057]  ___bpf_prog_run+0x2478/0x5510
[ 60.602272]  ? lock_downgrade+0x5d0/0x5d0
[ 60.606408]  ? lock_acquire+0x12b/0x360
[ 60.610372]  ? bpf_jit_compile+0x30/0x30
[ 60.614414]  ? __bpf_prog_run512+0x99/0xe0
[ 60.618627]  ? ___bpf_prog_run+0x5510/0x5510
[ 60.623019]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[ 60.628119]  ? trace_hardirqs_on_caller+0x37b/0x540
[ 60.633130]  ? __lock_acquire+0x5d7/0x4320
[ 60.637352]  ? __lock_acquire+0x5d7/0x4320
[ 60.641567]  ? __kasan_kmalloc.part.0+0x8a/0xc0
[ 60.646218]  ? trace_hardirqs_on+0x10/0x10
[ 60.650561]  ? __lock_acquire+0x5d7/0x4320
[ 60.654788]  ? bpf_test_run+0x42/0x340
[ 60.658678]  ? lock_acquire+0x12b/0x360
[ 60.662653]  ? bpf_test_run+0x13a/0x340
[ 60.666613]  ? check_preemption_disabled+0x35/0x1f0
[ 60.671615]  ? rcu_dynticks_curr_cpu_in_eqs+0x4c/0xa0
[ 60.676778]  ? bpf_test_run+0xa8/0x340
[ 60.680660]  ? bpf_prog_test_run_skb+0x638/0x8c0
[ 60.685403]  ? bpf_test_init.isra.0+0xc0/0xc0
[ 60.689877]  ? bpf_prog_add+0x53/0xc0
[ 60.693755]  ? bpf_test_init.isra.0+0xc0/0xc0
[ 60.698234]  ? SyS_bpf+0xa3b/0x3830
[ 60.701838]  ? bpf_prog_get+0x20/0x20
[ 60.705616]  ? __do_page_fault+0x49f/0xbb0
[ 60.709829]  ? lock_downgrade+0x5d0/0x5d0
[ 60.713958]  ? __do_page_fault+0x677/0xbb0
[ 60.718184]  ? do_syscall_64+0x43/0x520
[ 60.722140]  ? bpf_prog_get+0x20/0x20
[ 60.725932]  ? do_syscall_64+0x19b/0x520
[ 60.729972]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 60.736245] Kernel Offset: 0x5800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 60.747080] Rebooting in 86400 seconds..
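Triage helper for the report above, added here as an example and not part of the original console log or of syzkaller: it parses the header of a Linux KASAN "BUG:" report (bug class, faulting function, access type/size/address, owning slab object and cache), recomputes the "N bytes to the right of" distance from the printed region bounds, and decodes the "Memory state around the buggy address" dump to say what kind of memory the faulting address maps to. Shadow-byte meanings follow the kernel's encodings in mm/kasan/kasan.h (one shadow byte per 8 bytes; fb = freed slab object, fc = slab redzone). The dataclass, regex and function names are this example's own, and the sample text is a constructed excerpt of the report on this page.

```python
"""Parse a KASAN report header and cross-check its numbers against the shadow dump."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SHADOW_SCALE = 8  # one KASAN shadow byte describes 8 bytes of kernel memory

# Subset of KASAN shadow encodings (mm/kasan/kasan.h); 01..07 = partially addressable.
SHADOW_LEGEND = {
    0x00: "addressable",
    0xF1: "stack left redzone", 0xF2: "stack mid redzone",
    0xF3: "stack right redzone", 0xF4: "stack partial redzone",
    0xF8: "use-after-scope", 0xFA: "global redzone",
    0xFB: "freed slab object", 0xFC: "slab redzone",
    0xFE: "page redzone", 0xFF: "freed page",
}

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # printk timestamp prefix
_BUG = re.compile(r"BUG: KASAN: (?P<type>[\w-]+) in (?P<func>[\w.]+)\+0x")
_ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                     r" by task (?P<task>\S+)/(?P<pid>\d+)")
_CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
_REGION = re.compile(r"(?P<size>\d+)-byte region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
_LOCATED = re.compile(r"located (?P<n>\d+) bytes (?P<where>to the right of|to the left of|inside of)")
_TASK = re.compile(r"(?P<what>Allocated|Freed) by task (?P<pid>\d+):")
_SHADOW = re.compile(r">?(?P<base>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})")

# Constructed excerpt of the report above: only the lines the parser consumes.
SAMPLE_REPORT = """\
[ 60.058123] BUG: KASAN: slab-out-of-bounds in bpf_skb_change_head+0x4ea/0x600
[ 60.087846] Read of size 4 at addr ffff8881cbeb2878 by task syz-executor263/1793
[ 60.300708] Allocated by task 222:
[ 60.349628] Freed by task 222:
[ 60.405407] The buggy address belongs to the object at ffff8881cbeb2780
[ 60.405407]  which belongs to the cache skbuff_head_cache of size 224
[ 60.418563] The buggy address is located 24 bytes to the right of
[ 60.418563]  224-byte region [ffff8881cbeb2780, ffff8881cbeb2860)
[ 60.476195]  ffff8881cbeb2700: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 60.483548]  ffff8881cbeb2780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.490908] >ffff8881cbeb2800: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 60.498243]                                                                 ^
[ 60.505492]  ffff8881cbeb2880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
"""


@dataclass
class KasanReport:
    bug_type: str = ""
    function: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    pid: int = 0
    cache: Optional[str] = None
    region: Optional[Tuple[int, int]] = None    # [start, end) of the owning slab object
    located: Optional[Tuple[str, int]] = None   # the kernel's own "N bytes <where>" claim
    allocated_by: Optional[int] = None
    freed_by: Optional[int] = None
    shadow: Dict[int, int] = field(default_factory=dict)  # 8-aligned kernel addr -> shadow byte

    def position(self) -> Optional[Tuple[str, int]]:
        """Recompute where addr sits relative to the owning object from the region bounds."""
        if self.region is None:
            return None
        start, end = self.region
        if self.addr < start:
            return ("to the left of", start - self.addr)
        if self.addr >= end:
            return ("to the right of", self.addr - end)
        return ("inside of", self.addr - start)

    def shadow_class(self) -> str:
        """Meaning of the shadow byte that covers addr, per the memory-state dump."""
        b = self.shadow.get(self.addr & ~(SHADOW_SCALE - 1))
        if b is None:
            return "unknown (not in dump)"
        if 1 <= b <= 7:
            return f"partially addressable ({b} of {SHADOW_SCALE} bytes)"
        return SHADOW_LEGEND.get(b, f"unrecognised shadow byte 0x{b:02x}")


def parse_kasan_report(text: str) -> KasanReport:
    r = KasanReport()
    for raw in text.splitlines():
        line = _TS.sub("", raw).strip()
        if m := _BUG.search(line):
            r.bug_type, r.function = m["type"], m["func"]
        elif m := _ACCESS.search(line):
            r.access, r.size = m["rw"], int(m["size"])
            r.addr, r.task, r.pid = int(m["addr"], 16), m["task"], int(m["pid"])
        elif m := _CACHE.search(line):
            r.cache = m["cache"]
        elif m := _REGION.search(line):
            r.region = (int(m["start"], 16), int(m["end"], 16))
        elif m := _LOCATED.search(line):
            r.located = (m["where"], int(m["n"]))
        elif m := _TASK.search(line):
            if m["what"] == "Allocated":
                r.allocated_by = int(m["pid"])
            else:
                r.freed_by = int(m["pid"])
        elif m := _SHADOW.fullmatch(line):
            base = int(m["base"], 16)  # each shadow byte i covers [base + 8*i, base + 8*i + 8)
            for i, b in enumerate(m["bytes"].split()):
                r.shadow[base + i * SHADOW_SCALE] = int(b, 16)
    return r


def check_report(r: KasanReport) -> List[str]:
    """Inconsistencies between the report's prose and its numbers; empty means consistent."""
    problems = []
    if r.located and r.position() and r.located != r.position():
        problems.append(f"kernel says {r.located}, region bounds give {r.position()}")
    if r.bug_type == "slab-out-of-bounds" and r.shadow_class() != "slab redzone":
        problems.append(f"slab-out-of-bounds but shadow byte says {r.shadow_class()}")
    if r.bug_type == "use-after-free" and r.shadow_class() != "freed slab object":
        problems.append(f"use-after-free but shadow byte says {r.shadow_class()}")
    return problems


if __name__ == "__main__":
    rep = parse_kasan_report(SAMPLE_REPORT)
    print(f"{rep.bug_type} {rep.access} of {rep.size} bytes in {rep.function}, "
          f"{rep.position()[1]} bytes {rep.position()[0]} a {rep.cache} object, "
          f"shadow = {rep.shadow_class()}, freed by task {rep.freed_by}")
    print("checks:", check_report(rep) or "consistent")
```

For this report the recomputed distance (0x...2878 minus the region end 0x...2860) agrees with the kernel's "24 bytes to the right of", and the shadow byte under the address is fc, so the 4-byte read landed in the slab redzone past a 224-byte skbuff_head_cache object that had already been freed (fb) by task 222. The check helps when triaging many syzkaller reports: a mismatch between the prose and the shadow dump usually means the report was truncated or the lines were interleaved with another CPU's output.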