[ 33.324524] audit: type=1800 audit(1585736118.428:33): pid=7154 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 33.351057] audit: type=1800 audit(1585736118.428:34): pid=7154 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 37.457045] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.713913] audit: type=1400 audit(1585736122.818:35): avc: denied { map } for pid=7324 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 37.792878] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.543212] random: sshd: uninitialized urandom read (32 bytes read)
[ 53.289698] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.39' (ECDSA) to the list of known hosts.
[ 58.766465] random: sshd: uninitialized urandom read (32 bytes read)
[ 58.981236] audit: type=1400 audit(1585736144.088:36): avc: denied { map } for pid=7336 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/04/01 10:15:44 parsed 1 programs
[ 59.849895] random: cc1: uninitialized urandom read (8 bytes read)
[ 61.067560] audit: type=1400 audit(1585736146.168:37): avc: denied { map } for pid=7336 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=15700 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2020/04/01 10:15:46 executed programs: 0
[ 61.108942] audit: type=1400 audit(1585736146.208:38): avc: denied { map } for pid=7336 comm="syz-execprog" path="/root/syzkaller-shm760222114" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 61.371108] IPVS: ftp: loaded support on port[0] = 21
[ 62.177713] chnl_net:caif_netlink_parms(): no params data found
[ 62.227998] bridge0: port 1(bridge_slave_0) entered blocking state
[ 62.234893] bridge0: port 1(bridge_slave_0) entered disabled state
[ 62.242831] device bridge_slave_0 entered promiscuous mode
[ 62.249884] bridge0: port 2(bridge_slave_1) entered blocking state
[ 62.256346] bridge0: port 2(bridge_slave_1) entered disabled state
[ 62.263292] device bridge_slave_1 entered promiscuous mode
[ 62.278338] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 62.287313] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 62.303675] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 62.310955] team0: Port device team_slave_0 added
[ 62.316516] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 62.323988] team0: Port device team_slave_1 added
[ 62.337532] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 62.343840] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 62.369098] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 62.381574] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 62.387821] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 62.413078] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 62.423755] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 62.431345] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 62.482363] device hsr_slave_0 entered promiscuous mode
[ 62.530476] device hsr_slave_1 entered promiscuous mode
[ 62.600783] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 62.607927] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 62.656114] audit: type=1400 audit(1585736147.758:39): avc: denied { create } for pid=7353 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 62.680784] audit: type=1400 audit(1585736147.758:40): avc: denied { write } for pid=7353 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 62.699164] bridge0: port 2(bridge_slave_1) entered blocking state
[ 62.705319] audit: type=1400 audit(1585736147.788:41): avc: denied { read } for pid=7353 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 62.711206] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 62.741756] bridge0: port 1(bridge_slave_0) entered blocking state
[ 62.748094] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 62.780100] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 62.786191] 8021q: adding VLAN 0 to HW filter on device bond0
[ 62.796370] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 62.805212] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 62.823781] bridge0: port 1(bridge_slave_0) entered disabled state
[ 62.831056] bridge0: port 2(bridge_slave_1) entered disabled state
[ 62.840831] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 62.846950] 8021q: adding VLAN 0 to HW filter on device team0
[ 62.855450] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 62.863072] bridge0: port 1(bridge_slave_0) entered blocking state
[ 62.869407] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 62.878630] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 62.886639] bridge0: port 2(bridge_slave_1) entered blocking state
[ 62.893085] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 62.908125] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 62.915792] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 62.925175] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 62.935333] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 62.946302] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 62.956966] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 62.963697] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 62.971015] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 62.987371] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 62.995698] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 63.002517] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 63.014350] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 63.073261] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 63.082950] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 63.115831] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 63.123292] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 63.129756] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 63.139085] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 63.147337] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 63.154269] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 63.161671] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 63.170556] device veth0_vlan entered promiscuous mode
[ 63.178737] device veth1_vlan entered promiscuous mode
[ 63.193045] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 63.202999] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[ 63.209827] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 63.218497] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 63.227941] device veth0_macvtap entered promiscuous mode
[ 63.234128] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 63.243393] device veth1_macvtap entered promiscuous mode
[ 63.249406] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[ 63.258222] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 63.267544] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 63.277114] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 63.284568] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 63.291418] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 63.298706] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 63.306136] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 63.313848] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 63.323875] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 63.330809] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 63.337501] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 63.345814] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 64.606288] ==================================================================
[ 64.606322] BUG: KASAN: global-out-of-bounds in fb_pad_aligned_buffer+0xfc/0x120
[ 64.606328] Read of size 1 at addr ffffffff86e695a0 by task syz-executor.0/7404
[ 64.606330]
[ 64.606338] CPU: 1 PID: 7404 Comm: syz-executor.0 Not tainted 4.14.174-syzkaller #0
[ 64.606342] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 64.606345] Call Trace:
[ 64.606356]  dump_stack+0x13e/0x194
[ 64.606365]  ? fb_pad_aligned_buffer+0xfc/0x120
[ 64.606375]  print_address_description.cold+0x5/0x1e2
[ 64.606381]  ? fb_pad_aligned_buffer+0xfc/0x120
[ 64.606388]  kasan_report.cold+0xa9/0x2ae
[ 64.606397]  fb_pad_aligned_buffer+0xfc/0x120
[ 64.606411]  bit_putcs+0xae7/0xcd0
[ 64.606431]  ? update_attr.isra.0+0x160/0x160
[ 64.606443]  ? fb_get_color_depth+0x5a/0x70
[ 64.606454]  ? update_attr.isra.0+0x160/0x160
[ 64.606460]  fbcon_putcs+0x3c6/0x490
[ 64.606473]  do_update_region+0x34b/0x5b0
[ 64.606484]  ? con_get_trans_old+0x200/0x200
[ 64.606499]  redraw_screen+0x561/0x770
[ 64.606508]  ? con_flush_chars+0x80/0x80
[ 64.606520]  fbcon_do_set_font+0x6bd/0x990
[ 64.606532]  ? fbcon_do_set_font+0x990/0x990
[ 64.606538]  fbcon_copy_font+0x125/0x190
[ 64.606548]  con_font_op+0x58b/0xf70
[ 64.606559]  ? con_write+0xc0/0xc0
[ 64.606567]  ? lock_downgrade+0x6e0/0x6e0
[ 64.606581]  ? __might_fault+0x177/0x1b0
[ 64.606591]  vt_ioctl+0x1334/0x1f00
[ 64.606599]  ? futex_wake+0x11c/0x3d0
[ 64.606607]  ? complete_change_console+0x350/0x350
[ 64.606615]  ? avc_ss_reset+0x100/0x100
[ 64.606621]  ? __lock_acquire+0x5f7/0x4620
[ 64.606633]  ? __lock_acquire+0x5f7/0x4620
[ 64.606641]  ? tty_jobctrl_ioctl+0x3b/0xbf0
[ 64.606647]  ? complete_change_console+0x350/0x350
[ 64.606657]  tty_ioctl+0x6c5/0x1220
[ 64.606665]  ? tty_vhangup+0x30/0x30
[ 64.606675]  ? trace_hardirqs_on+0x10/0x10
[ 64.606692]  ? tty_vhangup+0x30/0x30
[ 64.606703]  do_vfs_ioctl+0x75a/0xfe0
[ 64.606711]  ? selinux_file_mprotect+0x5c0/0x5c0
[ 64.606720]  ? ioctl_preallocate+0x1a0/0x1a0
[ 64.606747]  ? security_file_ioctl+0x76/0xb0
[ 64.606753]  ? security_file_ioctl+0x83/0xb0
[ 64.606760]  SyS_ioctl+0x7f/0xb0
[ 64.606765]  ? do_vfs_ioctl+0xfe0/0xfe0
[ 64.606791]  do_syscall_64+0x1d5/0x640
[ 64.606804]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 64.606810] RIP: 0033:0x45c849
[ 64.606814] RSP: 002b:00007f54d2d82c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 64.606839] RAX: ffffffffffffffda RBX: 00007f54d2d836d4 RCX: 000000000045c849
[ 64.606843] RDX: 0000000020000080 RSI: 0000000000004b72 RDI: 0000000000000003
[ 64.606847] RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
[ 64.606851] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 64.606856] R13: 000000000000036c R14: 00000000004c5dd7 R15: 000000000076bf0c
[ 64.606869]
[ 64.606871] The buggy address belongs to the variable:
[ 64.606878]  fontdata_8x16+0x1000/0x1120
[ 64.606880]
[ 64.606883] Memory state around the buggy address:
[ 64.606890]  ffffffff86e69480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 64.606895]  ffffffff86e69500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 64.606901] >ffffffff86e69580: 00 00 00 00 fa fa fa fa 06 fa fa fa fa fa fa fa
[ 64.606904]                                ^
[ 64.606910]  ffffffff86e69600: 05 fa fa fa fa fa fa fa 06 fa fa fa fa fa fa fa
[ 64.606915]  ffffffff86e69680: 00 00 03 fa fa fa fa fa 00 00 00 00 00 00 00 00
[ 64.606918] ==================================================================
[ 64.606920] Disabling lock debugging due to kernel taint
[ 64.606924] Kernel panic - not syncing: panic_on_warn set ...
[ 64.606924]
[ 64.606931] CPU: 1 PID: 7404 Comm: syz-executor.0 Tainted: G    B   4.14.174-syzkaller #0
[ 64.606935] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 64.606936] Call Trace:
[ 64.606943]  dump_stack+0x13e/0x194
[ 64.606950]  panic+0x1f9/0x42d
[ 64.606955]  ? add_taint.cold+0x16/0x16
[ 64.606962]  ? lock_downgrade+0x6e0/0x6e0
[ 64.606970]  ? fb_pad_aligned_buffer+0xfc/0x120
[ 64.606976]  kasan_end_report+0x43/0x49
[ 64.606981]  kasan_report.cold+0x12f/0x2ae
[ 64.606988]  fb_pad_aligned_buffer+0xfc/0x120
[ 64.606997]  bit_putcs+0xae7/0xcd0
[ 64.607010]  ? update_attr.isra.0+0x160/0x160
[ 64.607018]  ? fb_get_color_depth+0x5a/0x70
[ 64.607026]  ? update_attr.isra.0+0x160/0x160
[ 64.607031]  fbcon_putcs+0x3c6/0x490
[ 64.607039]  do_update_region+0x34b/0x5b0
[ 64.607048]  ? con_get_trans_old+0x200/0x200
[ 64.607056]  redraw_screen+0x561/0x770
[ 64.607064]  ? con_flush_chars+0x80/0x80
[ 64.607073]  fbcon_do_set_font+0x6bd/0x990
[ 64.607082]  ? fbcon_do_set_font+0x990/0x990
[ 64.607088]  fbcon_copy_font+0x125/0x190
[ 64.607095]  con_font_op+0x58b/0xf70
[ 64.607103]  ? con_write+0xc0/0xc0
[ 64.607109]  ? lock_downgrade+0x6e0/0x6e0
[ 64.607126]  ? __might_fault+0x177/0x1b0
[ 64.607134]  vt_ioctl+0x1334/0x1f00
[ 64.607141]  ? futex_wake+0x11c/0x3d0
[ 64.607147]  ? complete_change_console+0x350/0x350
[ 64.607152]  ? avc_ss_reset+0x100/0x100
[ 64.607157]  ? __lock_acquire+0x5f7/0x4620
[ 64.607167]  ? __lock_acquire+0x5f7/0x4620
[ 64.607173]  ? tty_jobctrl_ioctl+0x3b/0xbf0
[ 64.607178]  ? complete_change_console+0x350/0x350
[ 64.607185]  tty_ioctl+0x6c5/0x1220
[ 64.607192]  ? tty_vhangup+0x30/0x30
[ 64.607200]  ? trace_hardirqs_on+0x10/0x10
[ 64.607211]  ? tty_vhangup+0x30/0x30
[ 64.607218]  do_vfs_ioctl+0x75a/0xfe0
[ 64.607225]  ? selinux_file_mprotect+0x5c0/0x5c0
[ 64.607232]  ? ioctl_preallocate+0x1a0/0x1a0
[ 64.607243]  ? security_file_ioctl+0x76/0xb0
[ 64.607249]  ? security_file_ioctl+0x83/0xb0
[ 64.607256]  SyS_ioctl+0x7f/0xb0
[ 64.607262]  ? do_vfs_ioctl+0xfe0/0xfe0
[ 64.607269]  do_syscall_64+0x1d5/0x640
[ 64.607278]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 64.607283] RIP: 0033:0x45c849
[ 64.607286] RSP: 002b:00007f54d2d82c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 64.607293] RAX: ffffffffffffffda RBX: 00007f54d2d836d4 RCX: 000000000045c849
[ 64.607296] RDX: 0000000020000080 RSI: 0000000000004b72 RDI: 0000000000000003
[ 64.607299] RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
[ 64.607303] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 64.607307] R13: 000000000000036c R14: 00000000004c5dd7 R15: 000000000076bf0c
[ 64.608462] Kernel Offset: disabled
[ 65.214234] Rebooting in 86400 seconds..