[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 20.700358] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 25.225994] random: sshd: uninitialized urandom read (32 bytes read, 39 bits of entropy available) [ 25.739694] random: sshd: uninitialized urandom read (32 bytes read, 40 bits of entropy available) [ 26.712884] random: sshd: uninitialized urandom read (32 bytes read, 115 bits of entropy available) [ 26.869356] random: sshd: uninitialized urandom read (32 bytes read, 119 bits of entropy available) Warning: Permanently added '10.128.0.14' (ECDSA) to the list of known hosts. [ 32.221675] random: sshd: uninitialized urandom read (32 bytes read, 123 bits of entropy available) 2018/02/27 02:39:29 parsed 1 programs 2018/02/27 02:39:29 executed programs: 0 [ 32.532942] IPVS: Creating netns size=2552 id=1 [ 33.561415] ================================================================== [ 33.568789] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x1291/0x2550 [ 33.575943] Read of size 4 at addr ffff8800baadf6c0 by task syz-executor0/4044 [ 33.583266] [ 33.584865] CPU: 1 PID: 4044 Comm: syz-executor0 Not tainted 4.4.118-g239a415 #26 [ 33.592454] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 33.601776] 0000000000000000 1c3444b8d3fc8d4b ffff8800baaded18 ffffffff81d0402d [ 33.609734] ffffea0002eab7c0 ffff8800baadf6c0 0000000000000000 ffff8800baadf6c0 [ 33.617691] ffff8800ba13e030 ffff8800baaded50 ffffffff814fe103 ffff8800baadf6c0 [ 33.625649] Call Trace: [ 33.628205] [] dump_stack+0xc1/0x124 [ 33.633533] [] print_address_description+0x73/0x260 [ 33.640162] [] kasan_report+0x285/0x370 [ 33.645751] [] ? xfrm_state_find+0x1291/0x2550 [ 33.651951] [] __asan_report_load4_noabort+0x14/0x20 [ 33.658679] [] xfrm_state_find+0x1291/0x2550 [ 33.664704] [] ? xfrm_unregister_mode+0x200/0x200 [ 33.671171] [] ? check_usage_backwards+0x171/0x300 [ 33.677715] [] ? check_usage_forwards+0x310/0x310 [ 33.684177] [] xfrm_tmpl_resolve+0x298/0xab0 [ 33.690203] [] ? __xfrm_decode_session+0x100/0x100 [ 33.696745] [] ? mark_lock+0x99b/0xfd0 [ 33.702247] [] ? check_usage_forwards+0x310/0x310 [ 33.708703] [] ? __lock_acquire+0x1cff/0x4b50 [ 33.714812] [] ? __lock_acquire+0xb5f/0x4b50 [ 33.720839] [] xfrm_resolve_and_create_bundle+0xd7/0x1da0 [ 33.727990] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 33.734968] [] ? xfrm_tmpl_resolve+0xab0/0xab0 [ 33.741168] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 33.747450] [] ? xfrm_sk_policy_lookup+0x22c/0x360 [ 33.753995] [] ? xfrm_expand_policies+0x25b/0x5c0 [ 33.760453] [] xfrm_lookup+0x991/0xc10 [ 33.765988] [] ? xfrm_bundle_lookup+0x11d0/0x11d0 [ 33.772445] [] ? __ip_route_output_key_hash+0x7e5/0x2390 [ 33.779509] [] ? __ip_route_output_key_hash+0x80c/0x2390 [ 33.786572] [] ? __ip_route_output_key_hash+0xc50/0x2390 [ 33.793634] [] ? ip_rt_update_pmtu+0x8b0/0x8b0 [ 33.799828] [] xfrm_lookup_route+0x39/0x1a0 [ 33.805767] [] ip_route_output_flow+0x7f/0xa0 [ 33.811879] [] udp_sendmsg+0x1009/0x1c30 [ 33.817555] [] ? udp_sendmsg+0x99d/0x1c30 [ 33.823320] [] ? ip_reply_glue_bits+0xc0/0xc0 [ 33.829430] [] ? udp_seq_next+0x80/0x80 [ 33.835020] [] ? save_stack_trace+0x26/0x50 [ 33.840956] [] ? save_stack+0x43/0xd0 [ 33.846373] [] ? kasan_slab_free+0x72/0xc0 [ 33.852221] [] ? kfree+0xfc/0x300 [ 33.857297] [] ? mark_held_locks+0xaf/0x100 [ 33.863235] [] ? __lock_acquire+0xb5f/0x4b50 [ 33.869260] [] udpv6_sendmsg+0x56d/0x2500 [ 33.875028] [] ? avc_has_perm+0x296/0x500 [ 33.880790] [] ? udp6_lib_lookup+0x60/0x60 [ 33.886638] [] ? avc_has_perm_noaudit+0x460/0x460 [ 33.893098] [] ? sock_has_perm+0x1c1/0x400 [ 33.898948] [] ? sock_has_perm+0x29f/0x400 [ 33.904796] [] ? sock_has_perm+0x9f/0x400 [ 33.910562] [] ? inet_sendmsg+0x201/0x4c0 [ 33.916323] [] inet_sendmsg+0x2bc/0x4c0 [ 33.921911] [] ? inet_sendmsg+0x73/0x4c0 [ 33.927587] [] ? inet_recvmsg+0x4c0/0x4c0 [ 33.933352] [] sock_sendmsg+0xca/0x110 [ 33.938857] [] ___sys_sendmsg+0x6c1/0x7c0 [ 33.944620] [] ? copy_msghdr_from_user+0x550/0x550 [ 33.951167] [] ? do_futex+0x3f4/0x15d0 [ 33.956672] [] ? avc_has_perm_noaudit+0x460/0x460 [ 33.963129] [] ? exit_robust_list+0x240/0x240 [ 33.969241] [] ? sock_has_perm+0x1c1/0x400 [ 33.975092] [] ? sock_has_perm+0x29f/0x400 [ 33.980942] [] ? sock_has_perm+0x9f/0x400 [ 33.986705] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 33.993431] [] ? __fget_light+0xa3/0x1e0 [ 33.999105] [] ? __fdget+0x18/0x20 [ 34.004258] [] ? sockfd_lookup_light+0x118/0x160 [ 34.010630] [] __sys_sendmsg+0xd3/0x190 [ 34.016219] [] ? SyS_shutdown+0x1b0/0x1b0 [ 34.021983] [] ? compat_SyS_futex+0x1f9/0x2a0 [ 34.028094] [] ? scm_detach_fds_compat+0x3c0/0x3c0 [ 34.034644] [] ? vmacache_update+0xfe/0x130 [ 34.040581] [] compat_SyS_sendmsg+0x2a/0x40 [ 34.046516] [] ? compat_SyS_getsockopt+0x2a0/0x2a0 [ 34.053059] [] do_fast_syscall_32+0x321/0x8a0 [ 34.059172] [] sysenter_flags_fixed+0xd/0x17 [ 34.065194] [ 34.066788] The buggy address belongs to the page: [ 34.071684] page:ffffea0002eab7c0 count:0 mapcount:0 mapping: (null) index:0x0 [ 34.079787] flags: 0x4000000000000000() [ 34.083854] page dumped because: kasan: bad access detected [ 34.089538] [ 34.091133] Memory state around the buggy address: [ 34.096026] ffff8800baadf580: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 [ 34.103349] ffff8800baadf600: f1 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 [ 34.110672] >ffff8800baadf680: f2 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 00 00 [ 34.117995] ^ [ 34.123413] ffff8800baadf700: 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00 [ 34.130736] ffff8800baadf780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 34.138058] ================================================================== [ 34.145381] Disabling lock debugging due to kernel taint [ 34.150842] Kernel panic - not syncing: panic_on_warn set ... [ 34.150842] [ 34.158175] CPU: 1 PID: 4044 Comm: syz-executor0 Tainted: G B 4.4.118-g239a415 #26 [ 34.166974] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 34.176294] 0000000000000000 1c3444b8d3fc8d4b ffff8800baadec70 ffffffff81d0402d [ 34.184249] ffffffff83fb58a5 ffff8800baaded48 0000000000000000 ffff8800baadf6c0 [ 34.192206] ffff8800ba13e030 ffff8800baaded38 ffffffff8141aaea 0000000041b58ab3 [ 34.200172] Call Trace: [ 34.202726] [] dump_stack+0xc1/0x124 [ 34.208063] [] panic+0x1aa/0x388 [ 34.213043] [] ? percpu_up_read.constprop.45+0xe1/0xe1 [ 34.219933] [] ? add_taint+0x1c/0x50 [ 34.225263] [] kasan_end_report+0x50/0x50 [ 34.231039] [] kasan_report+0x15c/0x370 [ 34.236628] [] ? xfrm_state_find+0x1291/0x2550 [ 34.242829] [] __asan_report_load4_noabort+0x14/0x20 [ 34.249554] [] xfrm_state_find+0x1291/0x2550 [ 34.255576] [] ? xfrm_unregister_mode+0x200/0x200 [ 34.262037] [] ? check_usage_backwards+0x171/0x300 [ 34.268581] [] ? check_usage_forwards+0x310/0x310 [ 34.275042] [] xfrm_tmpl_resolve+0x298/0xab0 [ 34.281064] [] ? __xfrm_decode_session+0x100/0x100 [ 34.287607] [] ? mark_lock+0x99b/0xfd0 [ 34.293109] [] ? check_usage_forwards+0x310/0x310 [ 34.299566] [] ? __lock_acquire+0x1cff/0x4b50 [ 34.305674] [] ? __lock_acquire+0xb5f/0x4b50 [ 34.311700] [] xfrm_resolve_and_create_bundle+0xd7/0x1da0 [ 34.318855] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 34.325833] [] ? xfrm_tmpl_resolve+0xab0/0xab0 [ 34.332035] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 34.338322] [] ? xfrm_sk_policy_lookup+0x22c/0x360 [ 34.344865] [] ? xfrm_expand_policies+0x25b/0x5c0 [ 34.351324] [] xfrm_lookup+0x991/0xc10 [ 34.356826] [] ? xfrm_bundle_lookup+0x11d0/0x11d0 [ 34.363285] [] ? __ip_route_output_key_hash+0x7e5/0x2390 [ 34.370350] [] ? __ip_route_output_key_hash+0x80c/0x2390 [ 34.377412] [] ? __ip_route_output_key_hash+0xc50/0x2390 [ 34.384476] [] ? ip_rt_update_pmtu+0x8b0/0x8b0 [ 34.390671] [] xfrm_lookup_route+0x39/0x1a0 [ 34.396606] [] ip_route_output_flow+0x7f/0xa0 [ 34.402718] [] udp_sendmsg+0x1009/0x1c30 [ 34.408392] [] ? udp_sendmsg+0x99d/0x1c30 [ 34.414153] [] ? ip_reply_glue_bits+0xc0/0xc0 [ 34.420260] [] ? udp_seq_next+0x80/0x80 [ 34.425855] [] ? save_stack_trace+0x26/0x50 [ 34.431792] [] ? save_stack+0x43/0xd0 [ 34.437209] [] ? kasan_slab_free+0x72/0xc0 [ 34.443058] [] ? kfree+0xfc/0x300 [ 34.448128] [] ? mark_held_locks+0xaf/0x100 [ 34.454063] [] ? __lock_acquire+0xb5f/0x4b50 [ 34.460087] [] udpv6_sendmsg+0x56d/0x2500 [ 34.465853] [] ? avc_has_perm+0x296/0x500 [ 34.471616] [] ? udp6_lib_lookup+0x60/0x60 [ 34.477468] [] ? avc_has_perm_noaudit+0x460/0x460 [ 34.483927] [] ? sock_has_perm+0x1c1/0x400 [ 34.489777] [] ? sock_has_perm+0x29f/0x400 [ 34.495629] [] ? sock_has_perm+0x9f/0x400 [ 34.501394] [] ? inet_sendmsg+0x201/0x4c0 [ 34.507159] [] inet_sendmsg+0x2bc/0x4c0 [ 34.512752] [] ? inet_sendmsg+0x73/0x4c0 [ 34.518427] [] ? inet_recvmsg+0x4c0/0x4c0 [ 34.524192] [] sock_sendmsg+0xca/0x110 [ 34.529695] [] ___sys_sendmsg+0x6c1/0x7c0 [ 34.535457] [] ? copy_msghdr_from_user+0x550/0x550 [ 34.542001] [] ? do_futex+0x3f4/0x15d0 [ 34.547505] [] ? avc_has_perm_noaudit+0x460/0x460 [ 34.553963] [] ? exit_robust_list+0x240/0x240 [ 34.560073] [] ? sock_has_perm+0x1c1/0x400 [ 34.566036] [] ? sock_has_perm+0x29f/0x400 [ 34.571889] [] ? sock_has_perm+0x9f/0x400 [ 34.577656] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 34.584373] [] ? __fget_light+0xa3/0x1e0 [ 34.590050] [] ? __fdget+0x18/0x20 [ 34.595207] [] ? sockfd_lookup_light+0x118/0x160 [ 34.601580] [] __sys_sendmsg+0xd3/0x190 [ 34.607169] [] ? SyS_shutdown+0x1b0/0x1b0 [ 34.612933] [] ? compat_SyS_futex+0x1f9/0x2a0 [ 34.619042] [] ? scm_detach_fds_compat+0x3c0/0x3c0 [ 34.625585] [] ? vmacache_update+0xfe/0x130 [ 34.631521] [] compat_SyS_sendmsg+0x2a/0x40 [ 34.637470] [] ? compat_SyS_getsockopt+0x2a0/0x2a0 [ 34.644016] [] do_fast_syscall_32+0x321/0x8a0 [ 34.650134] [] sysenter_flags_fixed+0xd/0x17 [ 34.656525] Dumping ftrace buffer: [ 34.660035] (ftrace buffer empty) [ 34.663721] Kernel Offset: disabled [ 34.667313] Rebooting in 86400 seconds..