[   33.791518] audit: type=1800 audit(1584789108.249:33): pid=7199 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[   33.818819] audit: type=1800 audit(1584789108.249:34): pid=7199 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   38.525196] random: sshd: uninitialized urandom read (32 bytes read)
[   38.830638] audit: type=1400 audit(1584789113.289:35): avc: denied { map } for pid=7370 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   38.875738] random: sshd: uninitialized urandom read (32 bytes read)
[   39.575170] random: sshd: uninitialized urandom read (32 bytes read)
[   39.760525] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.250' (ECDSA) to the list of known hosts.
[   45.326440] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   45.442950] audit: type=1400 audit(1584789119.899:36): avc: denied { map } for pid=7382 comm="syz-executor804" path="/root/syz-executor804102285" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   45.503505] ==================================================================
[   45.503537] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90
[   45.503544] Write of size 8 at addr ffff888091326c88 by task syz-executor804/7395
[   45.503546]
[   45.503554] CPU: 1 PID: 7395 Comm: syz-executor804 Not tainted 4.14.174-syzkaller #0
[   45.503558] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   45.503562] Call Trace:
[   45.503573]  dump_stack+0x13e/0x194
[   45.503591]  ? con_shutdown+0x7f/0x90
[   45.503602]  print_address_description.cold+0x7c/0x1e2
[   45.503611]  ? con_shutdown+0x7f/0x90
[   45.503622]  kasan_report.cold+0xa9/0x2ae
[   45.503630]  ? set_palette+0x130/0x130
[   45.503638]  con_shutdown+0x7f/0x90
[   45.503646]  release_tty+0xb6/0x7a0
[   45.503656]  tty_release_struct+0x37/0x50
[   45.503664]  tty_release+0xaa6/0xd60
[   45.503677]  ? tty_release_struct+0x50/0x50
[   45.503685]  __fput+0x25f/0x790
[   45.503699]  task_work_run+0x113/0x190
[   45.503710]  do_exit+0x9f2/0x2b00
[   45.503720]  ? __do_page_fault+0x4e4/0xb40
[   45.503730]  ? mm_update_next_owner+0x5b0/0x5b0
[   45.503739]  ? lock_downgrade+0x6e0/0x6e0
[   45.503752]  do_group_exit+0x100/0x310
[   45.503762]  SyS_exit_group+0x19/0x20
[   45.503768]  ? do_group_exit+0x310/0x310
[   45.503776]  do_syscall_64+0x1d5/0x640
[   45.503790]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   45.503796] RIP: 0033:0x43ff38
[   45.503801] RSP: 002b:00007ffffccc8cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   45.503809] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[   45.503814] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   45.503818] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[   45.503822] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   45.503827] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[   45.503839]
[   45.503843] Allocated by task 7389:
[   45.503851]  save_stack+0x32/0xa0
[   45.503857]  kasan_kmalloc+0xbf/0xe0
[   45.503863]  kmem_cache_alloc_trace+0x14d/0x7b0
[   45.503869]  vc_allocate+0x142/0x550
[   45.503876]  con_install+0x4f/0x3e0
[   45.503882]  tty_init_dev+0xe1/0x3a0
[   45.503888]  tty_open+0x410/0x9c0
[   45.503895]  chrdev_open+0x1fc/0x540
[   45.503902]  do_dentry_open+0x732/0xe90
[   45.503908]  vfs_open+0x105/0x220
[   45.503914]  path_openat+0x8ca/0x3c50
[   45.503920]  do_filp_open+0x18e/0x250
[   45.503927]  do_sys_open+0x29d/0x3f0
[   45.503933]  do_syscall_64+0x1d5/0x640
[   45.503939]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   45.503942]
[   45.503945] Freed by task 7390:
[   45.503950]  save_stack+0x32/0xa0
[   45.503955]  kasan_slab_free+0x75/0xc0
[   45.503960]  kfree+0xcb/0x260
[   45.503966]  vt_disallocate_all+0x25c/0x340
[   45.503972]  vt_ioctl+0x6e3/0x1f00
[   45.503978]  tty_ioctl+0x6c5/0x1220
[   45.503985]  do_vfs_ioctl+0x75a/0xfe0
[   45.503991]  SyS_ioctl+0x7f/0xb0
[   45.503997]  do_syscall_64+0x1d5/0x640
[   45.504004]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   45.504006]
[   45.504011] The buggy address belongs to the object at ffff888091326b80
[   45.504011]  which belongs to the cache kmalloc-2048 of size 2048
[   45.504017] The buggy address is located 264 bytes inside of
[   45.504017]  2048-byte region [ffff888091326b80, ffff888091327380)
[   45.504020] The buggy address belongs to the page:
[   45.504026] page:ffffea000244c980 count:1 mapcount:0 mapping:ffff888091326300 index:0x0 compound_mapcount: 0
[   45.504036] flags: 0xfffe0000008100(slab|head)
[   45.504046] raw: 00fffe0000008100 ffff888091326300 0000000000000000 0000000100000003
[   45.504055] raw: ffffea0001f755a0 ffffea00023bbc20 ffff88812fe56c40 0000000000000000
[   45.504058] page dumped because: kasan: bad access detected
[   45.504060]
[   45.504062] Memory state around the buggy address:
[   45.504068]  ffff888091326b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   45.504074]  ffff888091326c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   45.504079] >ffff888091326c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   45.504082]                       ^
[   45.504087]  ffff888091326d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   45.504093]  ffff888091326d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   45.504095] ==================================================================
[   45.504098] Disabling lock debugging due to kernel taint
[   45.504117] Kernel panic - not syncing: panic_on_warn set ...
[   45.504117]
[   45.504124] CPU: 1 PID: 7395 Comm: syz-executor804 Tainted: G    B   4.14.174-syzkaller #0
[   45.504128] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   45.504130] Call Trace:
[   45.504138]  dump_stack+0x13e/0x194
[   45.504145]  panic+0x1f9/0x42d
[   45.504151]  ? add_taint.cold+0x16/0x16
[   45.504162]  ? con_shutdown+0x7f/0x90
[   45.504168]  kasan_end_report+0x43/0x49
[   45.504175]  kasan_report.cold+0x12f/0x2ae
[   45.504181]  ? set_palette+0x130/0x130
[   45.504188]  con_shutdown+0x7f/0x90
[   45.504194]  release_tty+0xb6/0x7a0
[   45.504202]  tty_release_struct+0x37/0x50
[   45.504213]  tty_release+0xaa6/0xd60
[   45.504224]  ? tty_release_struct+0x50/0x50
[   45.504229]  __fput+0x25f/0x790
[   45.504239]  task_work_run+0x113/0x190
[   45.504247]  do_exit+0x9f2/0x2b00
[   45.504254]  ? __do_page_fault+0x4e4/0xb40
[   45.504262]  ? mm_update_next_owner+0x5b0/0x5b0
[   45.504269]  ? lock_downgrade+0x6e0/0x6e0
[   45.504279]  do_group_exit+0x100/0x310
[   45.504286]  SyS_exit_group+0x19/0x20
[   45.504292]  ? do_group_exit+0x310/0x310
[   45.504298]  do_syscall_64+0x1d5/0x640
[   45.504308]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   45.504312] RIP: 0033:0x43ff38
[   45.504316] RSP: 002b:00007ffffccc8cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   45.504322] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[   45.504326] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   45.504330] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[   45.504333] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   45.504337] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[   45.505632] Kernel Offset: disabled
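The report above is a three-task slab use-after-free: task 7389 allocates the console's vc_data in vc_allocate under tty_open, task 7390 frees it through vt_ioctl / vt_disallocate_all, and task 7395 then writes 8 bytes into the freed object from con_shutdown while tty_release runs during exit. The triage helper below, added here and not part of the syzkaller log or the kernel, pulls those facts out of a KASAN report mechanically: it splits the access, allocation and free stacks, drops the "? sym" guesses and the KASAN/allocator machinery frames, recomputes the offset into the object from the addresses rather than trusting the printed "264 bytes", decodes the shadow byte under the caret, and derives a syzkaller-style dedup title. The embedded log is a constructed, trimmed excerpt of the report above; the shadow-byte table assumes generic (software) KASAN as in this 4.14 kernel.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the KASAN report in the console log above (frames trimmed).
SAMPLE_LOG = """\
[   45.503537] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90
[   45.503544] Write of size 8 at addr ffff888091326c88 by task syz-executor804/7395
[   45.503546]
[   45.503562] Call Trace:
[   45.503573]  dump_stack+0x13e/0x194
[   45.503591]  ? con_shutdown+0x7f/0x90
[   45.503622]  kasan_report.cold+0xa9/0x2ae
[   45.503638]  con_shutdown+0x7f/0x90
[   45.503646]  release_tty+0xb6/0x7a0
[   45.503664]  tty_release+0xaa6/0xd60
[   45.503710]  do_exit+0x9f2/0x2b00
[   45.503839]
[   45.503843] Allocated by task 7389:
[   45.503857]  kasan_kmalloc+0xbf/0xe0
[   45.503869]  vc_allocate+0x142/0x550
[   45.503876]  con_install+0x4f/0x3e0
[   45.503888]  tty_open+0x410/0x9c0
[   45.503942]
[   45.503945] Freed by task 7390:
[   45.503955]  kasan_slab_free+0x75/0xc0
[   45.503960]  kfree+0xcb/0x260
[   45.503966]  vt_disallocate_all+0x25c/0x340
[   45.503972]  vt_ioctl+0x6e3/0x1f00
[   45.504006]
[   45.504011] The buggy address belongs to the object at ffff888091326b80
[   45.504011]  which belongs to the cache kmalloc-2048 of size 2048
[   45.504017] The buggy address is located 264 bytes inside of
[   45.504017]  2048-byte region [ffff888091326b80, ffff888091327380)
[   45.504074]  ffff888091326c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   45.504079] >ffff888091326c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   45.504082]                       ^
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # printk timestamp prefix
FRAME = re.compile(r"^\s*(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Report/allocator machinery that sits above the frame a triager actually cares about.
NOISE = ("dump_stack", "print_address_description", "kasan_", "kmem_cache_alloc", "kfree", "save_stack")
# Generic-KASAN shadow values (mm/kasan/kasan.h); assumption: generic, not HW-tag, KASAN.
SHADOW = {"00": "addressable", "fb": "freed slab object", "fc": "kmalloc redzone", "fa": "global redzone"}

@dataclass
class KasanReport:
    bug: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    pid: int = 0
    alloc_pid: int = 0
    free_pid: int = 0
    stated_offset: int = -1
    cache: str = ""
    obj_start: int = 0
    obj_end: int = 0
    traces: dict = field(default_factory=lambda: {"use": [], "alloc": [], "free": []})
    shadow_rows: dict = field(default_factory=dict)  # row base address -> 16 shadow bytes

    def path(self, which):  # one stack with '?' guesses and machinery frames removed
        return [f for f in self.traces[which] if not f.startswith(NOISE)]
    @property
    def func(self):
        return self.path("use")[0]
    @property
    def offset(self):  # recomputed from the object base, not trusted from the text
        return self.addr - self.obj_start
    def title(self):  # syzkaller-style dedup title
        return f"KASAN: {self.bug} {self.access} in {self.func}"
    def shadow_at_access(self):  # a shadow row is 16 bytes x 8-byte granules = 128 bytes
        row = self.addr & ~0x7F
        return self.shadow_rows[row][(self.addr - row) // 8]

def parse_kasan(text):
    rep, section = None, None
    for ln in (TS.sub("", l).rstrip() for l in text.splitlines()):
        if (m := re.match(r"BUG: KASAN: (\S+) in (\S+)", ln)):
            rep = KasanReport(bug=m[1]); continue
        if rep is None:
            continue
        if (m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)", ln)):
            rep.access, rep.size, rep.addr, rep.pid = m[1], int(m[2]), int(m[3], 16), int(m[4])
        elif ln == "Call Trace:":
            section = "use"
        elif (m := re.match(r"Allocated by task (\d+):", ln)):
            rep.alloc_pid, section = int(m[1]), "alloc"
        elif (m := re.match(r"Freed by task (\d+):", ln)):
            rep.free_pid, section = int(m[1]), "free"
        elif (m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", ln)):
            rep.obj_start = int(m[1], 16)
        elif (m := re.match(r"\s*which belongs to the cache (\S+) of size (\d+)", ln)):
            rep.cache, rep.obj_end = m[1], rep.obj_start + int(m[2])
        elif (m := re.match(r"The buggy address is located (\d+) bytes inside of", ln)):
            rep.stated_offset = int(m[1])
        elif (m := re.match(r">?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", ln)):
            rep.shadow_rows[int(m[1], 16)] = m[2].split()
        elif (m := FRAME.match(ln)) and section:
            if not m[1]:  # '? sym' entries are stale stack-slot guesses; drop them
                rep.traces[section].append(m[2])
        elif not ln.strip():
            section = None  # blank line ends a stack section
    return rep

def summary(rep):
    """One-line triage note; three distinct pids means a cross-task race on a shared object."""
    actors = {rep.alloc_pid, rep.free_pid, rep.pid}
    return (f"{rep.title()}: {rep.access.lower()} of {rep.size} bytes at +{rep.offset} into a "
            f"{rep.cache} object (shadow: {SHADOW.get(rep.shadow_at_access(), 'unknown')}); "
            f"alloc {rep.alloc_pid}: {' <- '.join(rep.path('alloc'))}; "
            f"free {rep.free_pid}: {' <- '.join(rep.path('free'))}; "
            f"use {rep.pid}: {' <- '.join(rep.path('use'))}; {len(actors)} distinct tasks.")

if __name__ == "__main__":
    r = parse_kasan(SAMPLE_LOG)
    assert r.offset == r.stated_offset and r.obj_start <= r.addr < r.obj_end
    print(summary(r))
```

Two checks in the helper are worth keeping when adapting it to other reports: the recomputed offset must equal the printed one and the access address must fall inside the printed region (a mismatch usually means the log was truncated or two reports interleaved), and the shadow byte under the caret must actually be fb for a slab use-after-free (fc or fa would mean the title is a misclassified out-of-bounds access into a redzone). Frames marked "?" are dropped rather than kept, since on x86 they are leftover stack-slot contents, not part of the live call chain.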