[....] Starting enhanced syslogd: rsyslogd
[   10.622943] audit: type=1400 audit(1514507480.928:4): avc: denied { syslog } for pid=3180 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.228' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   20.625842] ==================================================================
[   20.627090] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x2702/0x3470
[   20.627986] Read of size 8192 at addr ffff8801c8196f18 by task syzkaller085424/3329
[   20.629015]
[   20.629248] CPU: 0 PID: 3329 Comm: syzkaller085424 Not tainted 4.9.72-gcb7518e #114
[   20.630285] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   20.631757]  ffff8801c2ae7788 ffffffff81d922b9 ffffea0007206580 ffff8801c8196f18
[   20.633053]  0000000000000000 ffff8801c8197100 ffff8801c2ae79c8 ffff8801c2ae77c0
[   20.634249]  ffffffff8153bab3 ffff8801c8196f18 0000000000002000 0000000000000000
[   20.635553] Call Trace:
[   20.635984]  [] dump_stack+0xc1/0x128
[   20.636695]  [] print_address_description+0x73/0x280
[   20.637597]  [] kasan_report+0x275/0x360
[   20.638357]  [] ? pfkey_add+0x2702/0x3470
[   20.639175]  [] check_memory_region+0x137/0x190
[   20.640198]  [] memcpy+0x23/0x50
[   20.640851]  [] pfkey_add+0x2702/0x3470
[   20.641628]  [] ? pfkey_delete+0x360/0x360
[   20.642404]  [] ? pfkey_seq_stop+0x80/0x80
[   20.643182]  [] ? __skb_clone+0x24a/0x7d0
[   20.643965]  [] ? pfkey_delete+0x360/0x360
[   20.644754]  [] pfkey_process+0x61e/0x730
[   20.645534]  [] ? pfkey_send_new_mapping+0x11b0/0x11b0
[   20.649842]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   20.656647]  [] pfkey_sendmsg+0x3a9/0x760
[   20.662323]  [] ? pfkey_spdget+0x820/0x820
[   20.668091]  [] sock_sendmsg+0xca/0x110
[   20.673595]  [] ___sys_sendmsg+0x6d1/0x7e0
[   20.679360]  [] ? copy_msghdr_from_user+0x550/0x550
[   20.685914]  [] ? __lru_cache_add+0x187/0x250
[   20.691941]  [] ? do_huge_pmd_anonymous_page+0xb05/0x10d0
[   20.699020]  [] ? _raw_spin_unlock+0x2c/0x50
[   20.704959]  [] ? do_huge_pmd_anonymous_page+0x2d4/0x10d0
[   20.712044]  [] ? handle_mm_fault+0x6ee/0x2530
[   20.718156]  [] ? __lock_is_held+0xa1/0xf0
[   20.723928]  [] ? __pmd_alloc+0x410/0x410
[   20.729603]  [] ? __fget_light+0x158/0x1e0
[   20.735366]  [] ? __fdget+0x18/0x20
[   20.740521]  [] __sys_sendmsg+0xd6/0x190
[   20.746110]  [] ? SyS_shutdown+0x1b0/0x1b0
[   20.751884]  [] ? __do_page_fault+0x5ec/0xd40
[   20.757916]  [] ? __do_page_fault+0x3bd/0xd40
[   20.763941]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   20.770746]  [] SyS_sendmsg+0x2d/0x50
[   20.776075]  [] entry_SYSCALL_64_fastpath+0x23/0xc6
[   20.782617]
[   20.784211] Allocated by task 3329:
[   20.787805]  save_stack_trace+0x16/0x20
[   20.791750]  save_stack+0x43/0xd0
[   20.795168]  kasan_kmalloc+0xad/0xe0
[   20.798850]  kasan_slab_alloc+0x12/0x20
[   20.802793]  __kmalloc_track_caller+0xda/0x2b0
[   20.807350]  __kmalloc_reserve.isra.37+0x33/0xc0
[   20.812079]  __alloc_skb+0x119/0x600
[   20.815759]  pfkey_sendmsg+0x135/0x760
[   20.819613]  sock_sendmsg+0xca/0x110
[   20.823294]  ___sys_sendmsg+0x6d1/0x7e0
[   20.827250]  __sys_sendmsg+0xd6/0x190
[   20.831015]  SyS_sendmsg+0x2d/0x50
[   20.834520]  entry_SYSCALL_64_fastpath+0x23/0xc6
[   20.839673]
[   20.841270] Freed by task 1930:
[   20.844519]  save_stack_trace+0x16/0x20
[   20.848461]  save_stack+0x43/0xd0
[   20.851887]  kasan_slab_free+0x72/0xc0
[   20.855737]  kfree+0x103/0x300
[   20.858896]  load_elf_binary+0x1cfd/0x4690
[   20.863094]  search_binary_handler+0x142/0x6b0
[   20.867649]  do_execveat_common.isra.37+0x1594/0x1f10
[   20.872810]  SyS_execve+0x42/0x50
[   20.876227]  do_syscall_64+0x197/0x490
[   20.880080]  return_from_SYSCALL_64+0x0/0x7a
[   20.884450]
[   20.886044] The buggy address belongs to the object at ffff8801c8196f00
[   20.886044]  which belongs to the cache kmalloc-512 of size 512
[   20.898666] The buggy address is located 24 bytes inside of
[   20.898666]  512-byte region [ffff8801c8196f00, ffff8801c8197100)
[   20.910424] The buggy address belongs to the page:
[   20.915332] page:ffffea0007206580 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   20.925490] flags: 0x8000000000004080(slab|head)
[   20.930208] page dumped because: kasan: bad access detected
[   20.935879]
[   20.937471] Memory state around the buggy address:
[   20.942365]  ffff8801c8197000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   20.949688]  ffff8801c8197080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   20.957013] >ffff8801c8197100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.964337]                    ^
[   20.967668]  ffff8801c8197180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.974992]  ffff8801c8197200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.982313] ==================================================================
[   20.989634] Disabling lock debugging due to kernel taint
[   20.995147] Kernel panic - not syncing: panic_on_warn set ...
[   20.995147]
[   21.002500] CPU: 0 PID: 3329 Comm: syzkaller085424 Tainted: G    B           4.9.72-gcb7518e #114
[   21.011495] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   21.020819]  ffff8801c2ae76e0 ffffffff81d922b9 ffffffff841955bf ffff8801c2ae77b8
[   21.028774]  0000000000000000 ffff8801c8197100 ffff8801c2ae79c8 ffff8801c2ae77a8
[   21.036740]  ffffffff8142d741 0000000041b58ab3 ffffffff84189000 ffffffff8142d585
[   21.044713] Call Trace:
[   21.047269]  [] dump_stack+0xc1/0x128
[   21.052599]  [] panic+0x1bc/0x3a8
[   21.057582]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   21.065777]  [] ? preempt_schedule+0x25/0x30
[   21.071715]  [] ? ___preempt_schedule+0x16/0x18
[   21.077923]  [] kasan_end_report+0x50/0x50
[   21.083689]  [] kasan_report+0x167/0x360
[   21.089279]  [] ? pfkey_add+0x2702/0x3470
[   21.094959]  [] check_memory_region+0x137/0x190
[   21.101243]  [] memcpy+0x23/0x50
[   21.106141]  [] pfkey_add+0x2702/0x3470
[   21.111652]  [] ? pfkey_delete+0x360/0x360
[   21.117413]  [] ? pfkey_seq_stop+0x80/0x80
[   21.123184]  [] ? __skb_clone+0x24a/0x7d0
[   21.128865]  [] ? pfkey_delete+0x360/0x360
[   21.134628]  [] pfkey_process+0x61e/0x730
[   21.140306]  [] ? pfkey_send_new_mapping+0x11b0/0x11b0
[   21.147112]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   21.153919]  [] pfkey_sendmsg+0x3a9/0x760
[   21.159605]  [] ? pfkey_spdget+0x820/0x820
[   21.165378]  [] sock_sendmsg+0xca/0x110
[   21.170882]  [] ___sys_sendmsg+0x6d1/0x7e0
[   21.176654]  [] ? copy_msghdr_from_user+0x550/0x550
[   21.183205]  [] ? __lru_cache_add+0x187/0x250
[   21.189231]  [] ? do_huge_pmd_anonymous_page+0xb05/0x10d0
[   21.196295]  [] ? _raw_spin_unlock+0x2c/0x50
[   21.202233]  [] ? do_huge_pmd_anonymous_page+0x2d4/0x10d0
[   21.209300]  [] ? handle_mm_fault+0x6ee/0x2530
[   21.215411]  [] ? __lock_is_held+0xa1/0xf0
[   21.221180]  [] ? __pmd_alloc+0x410/0x410
[   21.226878]  [] ? __fget_light+0x158/0x1e0
[   21.232640]  [] ? __fdget+0x18/0x20
[   21.237806]  [] __sys_sendmsg+0xd6/0x190
[   21.243404]  [] ? SyS_shutdown+0x1b0/0x1b0
[   21.249169]  [] ? __do_page_fault+0x5ec/0xd40
[   21.255207]  [] ? __do_page_fault+0x3bd/0xd40
[   21.261261]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   21.261267]  [] SyS_sendmsg+0x2d/0x50
[   21.261277]  [] entry_SYSCALL_64_fastpath+0x23/0xc6
[   21.268533] Dumping ftrace buffer:
[   21.268536]    (ftrace buffer empty)
[   21.268538] Kernel Offset: disabled
[   21.291188] Rebooting in 86400 seconds..