[....] Starting enhanced syslogd: rsyslogd[ 12.727331] audit: type=1400 audit(1513652383.002:5): avc: denied { syslog } for pid=2992 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 19.298257] audit: type=1400 audit(1513652389.572:6): avc: denied { map } for pid=3132 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added 'ci-upstream-mmots-kasan-gce-7,10.128.0.32' (ECDSA) to the list of known hosts. 2017/12/19 02:59:55 fuzzer started [ 25.642850] audit: type=1400 audit(1513652395.917:7): avc: denied { map } for pid=3143 comm="syz-fuzzer" path="/root/syz-fuzzer" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 2017/12/19 02:59:56 dialing manager at 10.128.0.26:32873 2017/12/19 02:59:59 kcov=true, comps=true [ 28.919465] audit: type=1400 audit(1513652399.194:8): avc: denied { map } for pid=3143 comm="syz-fuzzer" path="/sys/kernel/debug/kcov" dev="debugfs" ino=8783 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1 2017/12/19 03:00:00 executing program 0: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) set_mempolicy(0x0, &(0x7f0000013000)=0x0, 0x3) 2017/12/19 03:00:00 executing program 7: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f0000001000-0x78)={0x1, 0x78, 0x5, 0x0, 0x0, 0x0, 0x0, 0xd8, 0xa1, 0x0, 0xac, 0x6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0, 0x40ffffffff, 0xffffffffffffffff, 0x0) r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000011000)='/dev/ptmx\x00', 0x0, 0x0) syz_open_pts(r0, 0x0) 2017/12/19 03:00:00 executing program 3: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f0000740000)={0x2, 0x78, 0x46, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = memfd_create(&(0x7f0000811000-0x1c)='/dev/sg#\x00', 0x100000202) ioctl$KVM_ASSIGN_SET_INTX_MASK(0xffffffffffffffff, 0x4040aea4, &(0x7f0000b82000)={0x0, 0x0, 0x0, 0x0, 0x0}) write(r0, &(0x7f0000fbf000)="d1", 0x1) 2017/12/19 03:00:00 executing program 4: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket(0xa, 0x2000000001, 0x0) ptrace$pokeuser(0x6, 0x0, 0x0, 0x0) capget(&(0x7f0000001000-0x8)={0x0, 0x0}, &(0x7f0000034000)={0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0}) ioctl$DRM_IOCTL_SET_CLIENT_CAP(0xffffffffffffffff, 0x4010640d, &(0x7f0000034000)={0x0, 0xa}) getsockopt$inet6_buf(r0, 0x29, 0x10000000000030, &(0x7f0000035000-0x1000)=""/144, &(0x7f0000001000-0x4)=0x90) 2017/12/19 03:00:00 executing program 5: socketpair$inet_icmp_raw(0x2, 0x3, 0x1, &(0x7f000059e000)={0x0, 0x0}) 2017/12/19 03:00:00 executing program 6: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x100000003, 0x10000000003) setsockopt$inet6_IPV6_FLOWLABEL_MGR(r0, 0x29, 0x20, &(0x7f000097e000)={@loopback={0x0, 0x1}, 0x0, 0x0, 0x2, 0x1, 0x0, 0x0, 0x0}, 0x20) setsockopt$inet6_IPV6_FLOWLABEL_MGR(r0, 0x29, 0x20, &(0x7f0000e83000)={@remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xbb}, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x20) 2017/12/19 03:00:00 executing program 1: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x100000003, 0x10000000003) setsockopt$inet6_IPV6_FLOWLABEL_MGR(r0, 0x29, 0x20, &(0x7f000097e000)={@loopback={0x0, 0x1}, 0x0, 0x0, 0x2, 0x1, 0x0, 0x0, 0x0}, 0x20) 2017/12/19 03:00:00 executing program 2: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = getpid() capget(&(0x7f0000b52000)={0x19980330, r0}, &(0x7f0000b98000-0x18)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) [ 30.003188] audit: type=1400 audit(1513652400.277:9): avc: denied { map } for pid=3143 comm="syz-fuzzer" path="/root/syzkaller-shm095715735" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1 [ 31.209577] audit: type=1400 audit(1513652401.484:10): avc: denied { sys_admin } for pid=3184 comm="syz-executor0" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 2017/12/19 03:00:01 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) listen(r0, 0x96) [ 31.331564] audit: type=1400 audit(1513652401.606:11): avc: denied { sys_chroot } for pid=3367 comm="syz-executor0" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 2017/12/19 03:00:01 executing program 0: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$SO_PEERCRED(0xffffffffffffff9c, 0x1, 0x11, &(0x7f0000315000)={0x0, 0x0, 0x0}, 0xc) timer_create(0x0, &(0x7f000054d000-0x60)={0x0, 0x3a, 0x3, @tid=0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, &(0x7f0000c05000)=0x0) r0 = syz_open_procfs(0x0, &(0x7f0000804000)='timers\x00') preadv(r0, &(0x7f00005e3000-0x10)=[{&(0x7f0000fa6000)=""/100, 0x64}], 0x1, 0x0) 2017/12/19 03:00:01 executing program 6: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = perf_event_open(&(0x7f0000271000)={0x2, 0x78, 0x46, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r1 = epoll_create1(0x0) epoll_ctl$EPOLL_CTL_ADD(r1, 0x1, r0, &(0x7f00006e8000+0xb13)={0x0, 0x0}) close(r1) [ 31.388444] audit: type=1400 audit(1513652401.657:12): avc: denied { net_raw } for pid=3393 comm="syz-executor6" capability=13 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 31.413350] audit: type=1400 audit(1513652401.662:13): avc: denied { net_admin } for pid=3393 comm="syz-executor6" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 31.452671] capability: warning: `syz-executor2' uses 32-bit capabilities (legacy support in use) [ 31.468627] ================================================================== [ 31.468656] BUG: KASAN: global-out-of-bounds in show_timer+0x278/0x2b0 [ 31.468665] Read of size 8 at addr ffffffff85742fb8 by task syz-executor0/3408 [ 31.468669] [ 31.468680] CPU: 1 PID: 3408 Comm: syz-executor0 Not tainted 4.15.0-rc2-mm1+ #39 [ 31.468696] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.468702] Call Trace: [ 31.468718] dump_stack+0x194/0x257 [ 31.468735] ? arch_local_irq_restore+0x53/0x53 [ 31.468751] ? show_regs_print_info+0x18/0x18 [ 31.468767] ? seq_printf+0xb3/0xe0 [ 31.468781] ? show_timer+0x278/0x2b0 [ 31.468796] print_address_description+0x178/0x250 [ 31.468808] ? show_timer+0x278/0x2b0 [ 31.468821] kasan_report+0x25b/0x340 [ 31.468840] __asan_report_load8_noabort+0x14/0x20 [ 31.468851] show_timer+0x278/0x2b0 [ 31.468860] ? timers_start+0x14c/0x1c0 [ 31.468876] seq_read+0x385/0x13d0 [ 31.468909] ? seq_lseek+0x3c0/0x3c0 [ 31.468920] ? selinux_file_permission+0x82/0x460 [ 31.468942] ? security_file_permission+0x89/0x1f0 [ 31.468964] ? rw_verify_area+0xe5/0x2b0 [ 31.468983] do_iter_read+0x3db/0x5b0 [ 31.468996] ? dup_iter+0x260/0x260 [ 31.469028] vfs_readv+0x121/0x1c0 [ 31.469038] ? may_open_dev+0xe0/0xe0 [ 31.469055] ? compat_rw_copy_check_uvector+0x2e0/0x2e0 [ 31.469087] ? fget_raw+0x20/0x20 [ 31.469099] ? putname+0xee/0x130 [ 31.469111] ? rcu_read_lock_sched_held+0x108/0x120 [ 31.469125] ? kmem_cache_free+0x249/0x280 [ 31.469148] ? SyS_futex+0x269/0x390 [ 31.469178] do_preadv+0x11b/0x1a0 [ 31.469188] ? do_preadv+0x11b/0x1a0 [ 31.469209] SyS_preadv+0x30/0x40 [ 31.469228] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 31.469237] RIP: 0033:0x452a09 [ 31.469244] RSP: 002b:00007f09c5e3ec58 EFLAGS: 00000212 ORIG_RAX: 0000000000000127 [ 31.469258] RAX: ffffffffffffffda RBX: 00007f09c5e3e950 RCX: 0000000000452a09 [ 31.469266] RDX: 0000000000000001 RSI: 00000000205e2ff0 RDI: 0000000000000013 [ 31.469273] RBP: 00007f09c5e3e940 R08: 0000000000000000 R09: 0000000000000000 [ 31.469280] R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b7366 [ 31.469288] R13: 00007f09c5e3eac8 R14: 00000000004b7371 R15: 0000000000000000 [ 31.469324] [ 31.469330] The buggy address belongs to the variable: [ 31.469341] nstr.44378+0x18/0x40 [ 31.469345] [ 31.469350] Memory state around the buggy address: [ 31.469361] ffffffff85742e80: fa fa fa fa 00 06 fa fa fa fa fa fa 07 fa fa fa [ 31.469370] ffffffff85742f00: fa fa fa fa 05 fa fa fa fa fa fa fa 07 fa fa fa [ 31.469378] >ffffffff85742f80: fa fa fa fa 00 00 00 fa fa fa fa fa 00 fa fa fa [ 31.469384] ^ [ 31.469392] ffffffff85743000: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00 [ 31.469400] ffffffff85743080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 31.469405] ================================================================== [ 31.469409] Disabling lock debugging due to kernel taint [ 31.469414] Kernel panic - not syncing: panic_on_warn set ... [ 31.469414] [ 31.469422] CPU: 1 PID: 3408 Comm: syz-executor0 Tainted: G B 4.15.0-rc2-mm1+ #39 [ 31.469426] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.469428] Call Trace: [ 31.469437] dump_stack+0x194/0x257 [ 31.469450] ? arch_local_irq_restore+0x53/0x53 [ 31.469462] ? vprintk_default+0x28/0x30 [ 31.469470] ? vsnprintf+0x1ed/0x1900 [ 31.469478] ? show_timer+0x1e0/0x2b0 [ 31.469486] panic+0x1e4/0x41c [ 31.469493] ? refcount_error_report+0x214/0x214 [ 31.469504] ? add_taint+0x40/0x50 [ 31.469510] ? add_taint+0x1c/0x50 [ 31.469519] ? show_timer+0x278/0x2b0 [ 31.469526] kasan_end_report+0x50/0x50 [ 31.469533] kasan_report+0x144/0x340 [ 31.469544] __asan_report_load8_noabort+0x14/0x20 [ 31.469550] show_timer+0x278/0x2b0 [ 31.469557] ? timers_start+0x14c/0x1c0 [ 31.469566] seq_read+0x385/0x13d0 [ 31.469585] ? seq_lseek+0x3c0/0x3c0 [ 31.469593] ? selinux_file_permission+0x82/0x460 [ 31.469606] ? security_file_permission+0x89/0x1f0 [ 31.469615] ? rw_verify_area+0xe5/0x2b0 [ 31.469625] do_iter_read+0x3db/0x5b0 [ 31.469634] ? dup_iter+0x260/0x260 [ 31.469649] vfs_readv+0x121/0x1c0 [ 31.469656] ? may_open_dev+0xe0/0xe0 [ 31.469666] ? compat_rw_copy_check_uvector+0x2e0/0x2e0 [ 31.469690] ? fget_raw+0x20/0x20 [ 31.469698] ? putname+0xee/0x130 [ 31.469705] ? rcu_read_lock_sched_held+0x108/0x120 [ 31.469715] ? kmem_cache_free+0x249/0x280 [ 31.469730] ? SyS_futex+0x269/0x390 [ 31.469744] do_preadv+0x11b/0x1a0 [ 31.469751] ? do_preadv+0x11b/0x1a0 [ 31.469761] SyS_preadv+0x30/0x40 [ 31.469774] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 31.469780] RIP: 0033:0x452a09 [ 31.469784] RSP: 002b:00007f09c5e3ec58 EFLAGS: 00000212 ORIG_RAX: 0000000000000127 [ 31.469791] RAX: ffffffffffffffda RBX: 00007f09c5e3e950 RCX: 0000000000452a09 [ 31.469795] RDX: 0000000000000001 RSI: 00000000205e2ff0 RDI: 0000000000000013 [ 31.469799] RBP: 00007f09c5e3e940 R08: 0000000000000000 R09: 0000000000000000 [ 31.469803] R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b7366 [ 31.469807] R13: 00007f09c5e3eac8 R14: 00000000004b7371 R15: 0000000000000000 [ 31.470212] Dumping ftrace buffer: [ 31.470216] (ftrace buffer empty) [ 31.470219] Kernel Offset: disabled [ 31.983989] Rebooting in 86400 seconds..