[ ok ] Starting enhanced syslogd: rsyslogd.
[ 10.606850] audit: type=1400 audit(1515313156.297:4): avc: denied { syslog } for pid=3170 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.56' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 37.018499] ==================================================================
[ 37.019638] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x2702/0x3470
[ 37.020573] Read of size 6144 at addr ffff8801cc9a1b98 by task syzkaller437161/3336
[ 37.021592]
[ 37.021822] CPU: 0 PID: 3336 Comm: syzkaller437161 Not tainted 4.9.75-g5f5e5d4 #17
[ 37.022829] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.024072]  ffff8801c80bf718 ffffffff81d93049 ffffea0007326800 ffff8801cc9a1b98
[ 37.025200]  0000000000000000 ffff8801cc9a1d80 ffff8801c80bf958 ffff8801c80bf750
[ 37.026349]  ffffffff8153ca53 ffff8801cc9a1b98 0000000000001800 0000000000000000
[ 37.027593] Call Trace:
[ 37.027982]  [] dump_stack+0xc1/0x128
[ 37.028719]  [] print_address_description+0x73/0x280
[ 37.029621]  [] kasan_report+0x275/0x360
[ 37.030407]  [] ? pfkey_add+0x2702/0x3470
[ 37.031205]  [] check_memory_region+0x137/0x190
[ 37.032046]  [] memcpy+0x23/0x50
[ 37.032712]  [] pfkey_add+0x2702/0x3470
[ 37.033454]  [] ? pfkey_delete+0x360/0x360
[ 37.034274]  [] ? pfkey_seq_stop+0x80/0x80
[ 37.035042]  [] ? __skb_clone+0x24a/0x7d0
[ 37.035794]  [] ? pfkey_delete+0x360/0x360
[ 37.036561]  [] pfkey_process+0x61e/0x730
[ 37.037369]  [] ? pfkey_send_new_mapping+0x11b0/0x11b0
[ 37.038275]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 37.039172]  [] pfkey_sendmsg+0x3a9/0x760
[ 37.044856]  [] ? pfkey_spdget+0x820/0x820
[ 37.050624]  [] sock_sendmsg+0xca/0x110
[ 37.056127]  [] ___sys_sendmsg+0x6d1/0x7e0
[ 37.061892]  [] ? copy_msghdr_from_user+0x550/0x550
[ 37.068438]  [] ? __lru_cache_add+0x187/0x250
[ 37.074483]  [] ? do_huge_pmd_anonymous_page+0xb05/0x10d0
[ 37.081555]  [] ? _raw_spin_unlock+0x2c/0x50
[ 37.087499]  [] ? do_huge_pmd_anonymous_page+0x2d4/0x10d0
[ 37.094572]  [] ? handle_mm_fault+0x6ee/0x2530
[ 37.100682]  [] ? __fget_light+0x158/0x1e0
[ 37.106452]  [] ? __fdget+0x18/0x20
[ 37.111704]  [] ? sockfd_lookup_light+0x118/0x160
[ 37.118075]  [] __sys_sendmsg+0xd6/0x190
[ 37.123670]  [] ? SyS_shutdown+0x1b0/0x1b0
[ 37.129435]  [] ? __do_page_fault+0x5ec/0xd40
[ 37.135472]  [] compat_SyS_sendmsg+0x2a/0x40
[ 37.141408]  [] ? compat_SyS_getsockopt+0x2a0/0x2a0
[ 37.147966]  [] do_fast_syscall_32+0x2f7/0x890
[ 37.154087]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 37.160721]  [] entry_SYSENTER_compat+0x74/0x83
[ 37.166919]
[ 37.168523] Allocated by task 3336:
[ 37.172250]  save_stack_trace+0x16/0x20
[ 37.176226]  save_stack+0x43/0xd0
[ 37.179665]  kasan_kmalloc+0xad/0xe0
[ 37.183365]  kasan_slab_alloc+0x12/0x20
[ 37.187329]  __kmalloc_track_caller+0xda/0x2b0
[ 37.191899]  __kmalloc_reserve.isra.37+0x33/0xc0
[ 37.196642]  __alloc_skb+0x119/0x600
[ 37.200346]  pfkey_sendmsg+0x135/0x760
[ 37.204225]  sock_sendmsg+0xca/0x110
[ 37.207928]  ___sys_sendmsg+0x6d1/0x7e0
[ 37.211905]  __sys_sendmsg+0xd6/0x190
[ 37.215696]  compat_SyS_sendmsg+0x2a/0x40
[ 37.219834]  do_fast_syscall_32+0x2f7/0x890
[ 37.224144]  entry_SYSENTER_compat+0x74/0x83
[ 37.228530]
[ 37.230139] Freed by task 1792:
[ 37.233410]  save_stack_trace+0x16/0x20
[ 37.237359]  save_stack+0x43/0xd0
[ 37.240777]  kasan_slab_free+0x72/0xc0
[ 37.244649]  kfree+0x103/0x300
[ 37.247807]  kernfs_fop_release+0xff/0x140
[ 37.252006]  __fput+0x28c/0x6e0
[ 37.255252]  ____fput+0x15/0x20
[ 37.258505]  task_work_run+0x115/0x190
[ 37.262366]  exit_to_usermode_loop+0xfc/0x120
[ 37.266825]  syscall_return_slowpath+0x1a0/0x1e0
[ 37.271547]  entry_SYSCALL_64_fastpath+0xe0/0xe2
[ 37.276271]
[ 37.277867] The buggy address belongs to the object at ffff8801cc9a1b80
[ 37.277867]  which belongs to the cache kmalloc-512 of size 512
[ 37.290495] The buggy address is located 24 bytes inside of
[ 37.290495]  512-byte region [ffff8801cc9a1b80, ffff8801cc9a1d80)
[ 37.302253] The buggy address belongs to the page:
[ 37.307158] page:ffffea0007326800 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[ 37.317315] flags: 0x8000000000004080(slab|head)
[ 37.322032] page dumped because: kasan: bad access detected
[ 37.327705]
[ 37.329298] Memory state around the buggy address:
[ 37.334194]  ffff8801cc9a1c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 37.341537]  ffff8801cc9a1d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 37.348873] >ffff8801cc9a1d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.356205]                    ^
[ 37.359537]  ffff8801cc9a1e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.366862]  ffff8801cc9a1e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.374184] ==================================================================
[ 37.381513] Disabling lock debugging due to kernel taint
[ 37.387171] Kernel panic - not syncing: panic_on_warn set ...
[ 37.387171]
[ 37.394510] CPU: 0 PID: 3336 Comm: syzkaller437161 Tainted: G    B           4.9.75-g5f5e5d4 #17
[ 37.403404] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.412726]  ffff8801c80bf670 ffffffff81d93049 ffffffff84195be7 ffff8801c80bf748
[ 37.420673]  0000000000000000 ffff8801cc9a1d80 ffff8801c80bf958 ffff8801c80bf738
[ 37.428633]  ffffffff8142e281 0000000041b58ab3 ffffffff84189648 ffffffff8142e0c5
[ 37.436588] Call Trace:
[ 37.439143]  [] dump_stack+0xc1/0x128
[ 37.444473]  [] panic+0x1bc/0x3a8
[ 37.449467]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 37.457673]  [] ? preempt_schedule+0x25/0x30
[ 37.463786]  [] ? ___preempt_schedule+0x16/0x18
[ 37.470001]  [] kasan_end_report+0x50/0x50
[ 37.475772]  [] kasan_report+0x167/0x360
[ 37.481369]  [] ? pfkey_add+0x2702/0x3470
[ 37.487047]  [] check_memory_region+0x137/0x190
[ 37.493256]  [] memcpy+0x23/0x50
[ 37.498163]  [] pfkey_add+0x2702/0x3470
[ 37.503668]  [] ? pfkey_delete+0x360/0x360
[ 37.509429]  [] ? pfkey_seq_stop+0x80/0x80
[ 37.515194]  [] ? __skb_clone+0x24a/0x7d0
[ 37.520876]  [] ? pfkey_delete+0x360/0x360
[ 37.526649]  [] pfkey_process+0x61e/0x730
[ 37.532332]  [] ? pfkey_send_new_mapping+0x11b0/0x11b0
[ 37.539140]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 37.545947]  [] pfkey_sendmsg+0x3a9/0x760
[ 37.551635]  [] ? pfkey_spdget+0x820/0x820
[ 37.557409]  [] sock_sendmsg+0xca/0x110
[ 37.562917]  [] ___sys_sendmsg+0x6d1/0x7e0
[ 37.568682]  [] ? copy_msghdr_from_user+0x550/0x550
[ 37.575230]  [] ? __lru_cache_add+0x187/0x250
[ 37.581256]  [] ? do_huge_pmd_anonymous_page+0xb05/0x10d0
[ 37.588323]  [] ? _raw_spin_unlock+0x2c/0x50
[ 37.594272]  [] ? do_huge_pmd_anonymous_page+0x2d4/0x10d0
[ 37.601339]  [] ? handle_mm_fault+0x6ee/0x2530
[ 37.607457]  [] ? __fget_light+0x158/0x1e0
[ 37.613241]  [] ? __fdget+0x18/0x20
[ 37.618406]  [] ? sockfd_lookup_light+0x118/0x160
[ 37.624785]  [] __sys_sendmsg+0xd6/0x190
[ 37.630374]  [] ? SyS_shutdown+0x1b0/0x1b0
[ 37.636142]  [] ? __do_page_fault+0x5ec/0xd40
[ 37.642169]  [] compat_SyS_sendmsg+0x2a/0x40
[ 37.648108]  [] ? compat_SyS_getsockopt+0x2a0/0x2a0
[ 37.654654]  [] do_fast_syscall_32+0x2f7/0x890
[ 37.660762]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 37.667396]  [] entry_SYSENTER_compat+0x74/0x83
[ 37.674154] Dumping ftrace buffer:
[ 37.677664]    (ftrace buffer empty)
[ 37.681342] Kernel Offset: disabled
[ 37.684935] Rebooting in 86400 seconds..
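The console log above is the whole page, and the first thing a practitioner does with a report like it is triage: pull out what faulted, how big the access was relative to the object, and which syscall reached it. The following is an added example, not syzkaller's code and not part of the report above: a parser for the 4.9-era KASAN report layout shown on this page, run over an excerpt copied from the report (boot noise and most frames dropped; the empty `[]` address brackets are exactly as they appear above). The regexes, the `KasanReport` structure and the overrun arithmetic are this example's own.

```python
"""Parse a 4.9-era KASAN report from a syzkaller console and compute how far
the faulting access runs past its slab object.  Added example, not syzkaller's
code and not part of the report above: regexes, KasanReport and the overrun
arithmetic are this example's own; REPORT is an excerpt copied from the page
(boot noise and most frames dropped; empty "[]" brackets are as printed)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

REPORT = """\
[ 37.019638] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x2702/0x3470
[ 37.020573] Read of size 6144 at addr ffff8801cc9a1b98 by task syzkaller437161/3336
[ 37.027593] Call Trace:
[ 37.027982] [] dump_stack+0xc1/0x128
[ 37.029621] [] kasan_report+0x275/0x360
[ 37.032046] [] memcpy+0x23/0x50
[ 37.032712] [] pfkey_add+0x2702/0x3470
[ 37.039172] [] pfkey_sendmsg+0x3a9/0x760
[ 37.123670] [] ? SyS_shutdown+0x1b0/0x1b0
[ 37.135472] [] compat_SyS_sendmsg+0x2a/0x40
[ 37.166919]
[ 37.168523] Allocated by task 3336:
[ 37.191899] __kmalloc_reserve.isra.37+0x33/0xc0
[ 37.196642] __alloc_skb+0x119/0x600
[ 37.200346] pfkey_sendmsg+0x135/0x760
[ 37.230139] Freed by task 1792:
[ 37.244649] kfree+0x103/0x300
[ 37.247807] kernfs_fop_release+0xff/0x140
[ 37.277867] The buggy address belongs to the object at ffff8801cc9a1b80
[ 37.277867] which belongs to the cache kmalloc-512 of size 512
[ 37.290495] 512-byte region [ffff8801cc9a1b80, ffff8801cc9a1d80)
"""

TS = r"^\[\s*\d+\.\d+\]\s*"  # "[ 37.019638] " console timestamp prefix
BUG_RE = re.compile(TS + r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_RE = re.compile(TS + r"(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)")
OBJ_RE = re.compile(TS + r"The buggy address belongs to the object at (?P<obj>[0-9a-f]+)")
CACHE_RE = re.compile(TS + r"which belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
SECTION_RE = re.compile(TS + r"(Call Trace:|Allocated by task \d+:|Freed by task \d+:)")
# A frame line: optional "[<addr>]" (empty on this page), optional "? ", sym+off/size.
FRAME_RE = re.compile(TS + r"(?:\[\S*\] )?(?P<q>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")

@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    op: str = ""
    access_size: int = 0
    addr: int = 0
    obj_base: int = 0
    obj_size: int = 0
    cache: str = ""
    stack: List[str] = field(default_factory=list)        # faulting call chain
    alloc_stack: List[str] = field(default_factory=list)  # who kmalloc'd the object
    free_stack: List[str] = field(default_factory=list)   # last free of this slab slot

    @property
    def offset(self) -> int:
        return self.addr - self.obj_base

    @property
    def overrun(self) -> int:
        """Bytes the access extends past the object's end (<= 0 means in bounds)."""
        return self.offset + self.access_size - self.obj_size

    def syscall_entry(self) -> Optional[str]:
        for sym in self.stack:
            if sym.startswith(("SyS_", "compat_SyS_", "__x64_sys_", "__ia32_sys_")):
                return sym
        return None

def parse_kasan(text: str) -> KasanReport:
    r, section = KasanReport(), None
    for line in text.splitlines():
        if m := BUG_RE.match(line):
            r.kind, r.func = m["kind"], m["func"]
        elif m := ACCESS_RE.match(line):
            r.op, r.access_size = m["op"], int(m["size"])
            r.addr = int(m["addr"], 16)
        elif m := OBJ_RE.match(line):
            r.obj_base, section = int(m["obj"], 16), None
        elif m := CACHE_RE.match(line):
            r.cache, r.obj_size = m["cache"], int(m["size"])
        elif m := SECTION_RE.match(line):
            # Only the first Call Trace is the fault; the panic path prints another.
            section = {"A": "alloc_stack", "F": "free_stack"}.get(
                m[1][0], "stack" if not r.stack else None)
        elif section and (m := FRAME_RE.match(line)) and not m["q"]:
            # "? sym" is a stale value found on the stack, not a confirmed caller.
            getattr(r, section).append(m["sym"])
    return r

def triage(r: KasanReport) -> str:
    """One-line summary of the kind a bug title or triage note wants."""
    return (f"KASAN {r.kind}: {r.op.lower()} of {r.access_size} bytes in {r.func}() "
            f"at offset {r.offset} of a {r.obj_size}-byte {r.cache} object "
            f"({r.overrun} bytes past its end), reached via {r.syscall_entry()}; "
            f"object allocated by {' <- '.join(r.alloc_stack)}")
```

Run against the excerpt this gives: the memcpy in pfkey_add starts 24 bytes into a 512-byte kmalloc-512 slot and copies 6144 bytes, so it reads 5656 bytes past the end of the object (the 0x1800 word in the register dump above is that same 6144), and the object is the skb data buffer that pfkey_sendmsg allocated for the incoming PF_KEY message, reached through the 32-bit compat sendmsg entry. Two caveats the parser encodes: `?` frames such as `SyS_shutdown` are stale stack slots, not callers, and are skipped so they cannot be mistaken for the entry point; and the "Freed by task 1792" trace through kernfs_fop_release is the previous occupant of this slab slot, which KASAN prints for every slab report, so it does not make this a use-after-free.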