[ 35.518035] audit: type=1800 audit(1583396775.049:34): pid=7280 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 37.614314] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.831890] audit: type=1400 audit(1583396777.389:35): avc: denied { map } for pid=7450 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 37.884412] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.607862] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.797195] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.50' (ECDSA) to the list of known hosts.
[ 44.342927] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 44.467264] audit: type=1400 audit(1583396784.019:36): avc: denied { map } for pid=7462 comm="syz-executor451" path="/root/syz-executor451363011" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 44.553584] ==================================================================
[ 44.553608] BUG: KASAN: slab-out-of-bounds in soft_cursor+0x445/0xa40
[ 44.553612] Read of size 64 at addr ffff88809e4f31d0 by task syz-executor451/7462
[ 44.553614]
[ 44.553620] CPU: 1 PID: 7462 Comm: syz-executor451 Not tainted 4.14.172-syzkaller #0
[ 44.553623] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.553625] Call Trace:
[ 44.553634]  dump_stack+0x13e/0x194
[ 44.553640]  ? soft_cursor+0x445/0xa40
[ 44.553647]  print_address_description.cold+0x7c/0x1e2
[ 44.553652]  ? soft_cursor+0x445/0xa40
[ 44.553656]  kasan_report.cold+0xa9/0x2ae
[ 44.553662]  memcpy+0x20/0x50
[ 44.553667]  soft_cursor+0x445/0xa40
[ 44.553675]  ? trace_hardirqs_on_caller+0x3f6/0x590
[ 44.553681]  bit_cursor+0x10d9/0x1700
[ 44.553689]  ? bit_clear+0x460/0x460
[ 44.553695]  ? fb_get_color_depth.part.0+0xa1/0x1c0
[ 44.553700]  ? fb_get_color_depth+0x5a/0x70
[ 44.553705]  ? get_color+0x1b8/0x3a0
[ 44.553711]  fbcon_cursor+0x4be/0x690
[ 44.553714]  ? bit_clear+0x460/0x460
[ 44.553721]  hide_cursor+0x96/0x2d0
[ 44.553725]  ? lock_downgrade+0x6e0/0x6e0
[ 44.553730]  redraw_screen+0x2a1/0x770
[ 44.553736]  ? con_flush_chars+0x80/0x80
[ 44.553743]  vc_do_resize+0xbf8/0xe10
[ 44.553751]  ? vt_console_print+0xec0/0xec0
[ 44.553759]  vt_ioctl+0x1a08/0x1f00
[ 44.553764]  ? complete_change_console+0x350/0x350
[ 44.553769]  ? avc_ss_reset+0x100/0x100
[ 44.553774]  ? save_stack+0x32/0xa0
[ 44.553777]  ? kasan_slab_free+0x75/0xc0
[ 44.553781]  ? kmem_cache_free+0x7c/0x2b0
[ 44.553785]  ? putname+0xcd/0x110
[ 44.553790]  ? do_sys_open+0x1f9/0x3f0
[ 44.553796]  ? do_syscall_64+0x1d5/0x640
[ 44.553801]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.553807]  ? tty_jobctrl_ioctl+0x3b/0xbf0
[ 44.553811]  ? complete_change_console+0x350/0x350
[ 44.553817]  tty_ioctl+0x6c5/0x1220
[ 44.553822]  ? tty_vhangup+0x30/0x30
[ 44.553826]  ? lock_acquire+0x170/0x3f0
[ 44.553831]  ? lock_downgrade+0x6e0/0x6e0
[ 44.553840]  ? tty_vhangup+0x30/0x30
[ 44.553846]  do_vfs_ioctl+0x75a/0xfe0
[ 44.553851]  ? selinux_file_mprotect+0x5c0/0x5c0
[ 44.553856]  ? ioctl_preallocate+0x1a0/0x1a0
[ 44.553862]  ? rcu_read_lock_sched_held+0x10a/0x130
[ 44.553865]  ? kmem_cache_free+0x23a/0x2b0
[ 44.553870]  ? putname+0xcd/0x110
[ 44.553877]  ? security_file_ioctl+0x76/0xb0
[ 44.553881]  ? security_file_ioctl+0x83/0xb0
[ 44.553887]  SyS_ioctl+0x7f/0xb0
[ 44.553891]  ? do_vfs_ioctl+0xfe0/0xfe0
[ 44.553896]  do_syscall_64+0x1d5/0x640
[ 44.553903]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.553907] RIP: 0033:0x440269
[ 44.553910] RSP: 002b:00007ffc4393a258 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 44.553916] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440269
[ 44.553918] RDX: 0000000020000080 RSI: 000000000000560a RDI: 0000000000000004
[ 44.553921] RBP: 00000000006cb018 R08: 0000000000000001 R09: 00000000004002c8
[ 44.553923] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000401b50
[ 44.553926] R13: 0000000000401be0 R14: 0000000000000000 R15: 0000000000000000
[ 44.553933]
[ 44.553936] Allocated by task 7462:
[ 44.553940]  save_stack+0x32/0xa0
[ 44.553943]  kasan_kmalloc+0xbf/0xe0
[ 44.553947]  __kmalloc+0x15b/0x7c0
[ 44.553951]  fbcon_set_font+0x2f8/0x7c0
[ 44.553954]  con_font_op+0xb73/0xf70
[ 44.553957]  vt_ioctl+0x1334/0x1f00
[ 44.553961]  tty_ioctl+0x6c5/0x1220
[ 44.553964]  do_vfs_ioctl+0x75a/0xfe0
[ 44.553968]  SyS_ioctl+0x7f/0xb0
[ 44.553971]  do_syscall_64+0x1d5/0x640
[ 44.553975]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.553976]
[ 44.553978] Freed by task 0:
[ 44.553979] (stack is not available)
[ 44.553981]
[ 44.553984] The buggy address belongs to the object at ffff88809e4f1880
[ 44.553984]  which belongs to the cache kmalloc-8192 of size 8192
[ 44.553987] The buggy address is located 6480 bytes inside of
[ 44.553987]  8192-byte region [ffff88809e4f1880, ffff88809e4f3880)
[ 44.553989] The buggy address belongs to the page:
[ 44.553993] page:ffffea0002793c00 count:1 mapcount:0 mapping:ffff88809e4f1880 index:0x0 compound_mapcount: 0
[ 44.553999] flags: 0xfffe0000008100(slab|head)
[ 44.554006] raw: 00fffe0000008100 ffff88809e4f1880 0000000000000000 0000000100000001
[ 44.554010] raw: ffffea00026fbc20 ffffea00027c9520 ffff88812fe55080 0000000000000000
[ 44.554012] page dumped because: kasan: bad access detected
[ 44.554014]
[ 44.554015] Memory state around the buggy address:
[ 44.554018]  ffff88809e4f3080: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.554022]  ffff88809e4f3100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.554025] >ffff88809e4f3180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.554027]                                                  ^
[ 44.554030]  ffff88809e4f3200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.554033]  ffff88809e4f3280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.554034] ==================================================================
[ 44.554036] Disabling lock debugging due to kernel taint
[ 44.554038] Kernel panic - not syncing: panic_on_warn set ...
[ 44.554038]
[ 44.554042] CPU: 1 PID: 7462 Comm: syz-executor451 Tainted: G B 4.14.172-syzkaller #0
[ 44.554044] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.554045] Call Trace:
[ 44.554050]  dump_stack+0x13e/0x194
[ 44.554055]  panic+0x1f9/0x42d
[ 44.554058]  ? add_taint.cold+0x16/0x16
[ 44.554063]  ? lock_downgrade+0x6e0/0x6e0
[ 44.554068]  ? soft_cursor+0x445/0xa40
[ 44.554071]  kasan_end_report+0x43/0x49
[ 44.554075]  kasan_report.cold+0x12f/0x2ae
[ 44.554079]  memcpy+0x20/0x50
[ 44.554082]  soft_cursor+0x445/0xa40
[ 44.554088]  ? trace_hardirqs_on_caller+0x3f6/0x590
[ 44.554092]  bit_cursor+0x10d9/0x1700
[ 44.554098]  ? bit_clear+0x460/0x460
[ 44.554102]  ? fb_get_color_depth.part.0+0xa1/0x1c0
[ 44.554106]  ? fb_get_color_depth+0x5a/0x70
[ 44.554110]  ? get_color+0x1b8/0x3a0
[ 44.554114]  fbcon_cursor+0x4be/0x690
[ 44.554117]  ? bit_clear+0x460/0x460
[ 44.554122]  hide_cursor+0x96/0x2d0
[ 44.554125]  ? lock_downgrade+0x6e0/0x6e0
[ 44.554129]  redraw_screen+0x2a1/0x770
[ 44.554134]  ? con_flush_chars+0x80/0x80
[ 44.554139]  vc_do_resize+0xbf8/0xe10
[ 44.554145]  ? vt_console_print+0xec0/0xec0
[ 44.554150]  vt_ioctl+0x1a08/0x1f00
[ 44.554153]  ? complete_change_console+0x350/0x350
[ 44.554157]  ? avc_ss_reset+0x100/0x100
[ 44.554160]  ? save_stack+0x32/0xa0
[ 44.554163]  ? kasan_slab_free+0x75/0xc0
[ 44.554166]  ? kmem_cache_free+0x7c/0x2b0
[ 44.554169]  ? putname+0xcd/0x110
[ 44.554173]  ? do_sys_open+0x1f9/0x3f0
[ 44.554176]  ? do_syscall_64+0x1d5/0x640
[ 44.554179]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.554183]  ? tty_jobctrl_ioctl+0x3b/0xbf0
[ 44.554186]  ? complete_change_console+0x350/0x350
[ 44.554191]  tty_ioctl+0x6c5/0x1220
[ 44.554195]  ? tty_vhangup+0x30/0x30
[ 44.554198]  ? lock_acquire+0x170/0x3f0
[ 44.554202]  ? lock_downgrade+0x6e0/0x6e0
[ 44.554209]  ? tty_vhangup+0x30/0x30
[ 44.554213]  do_vfs_ioctl+0x75a/0xfe0
[ 44.554217]  ? selinux_file_mprotect+0x5c0/0x5c0
[ 44.554221]  ? ioctl_preallocate+0x1a0/0x1a0
[ 44.554225]  ? rcu_read_lock_sched_held+0x10a/0x130
[ 44.554228]  ? kmem_cache_free+0x23a/0x2b0
[ 44.554231]  ? putname+0xcd/0x110
[ 44.554236]  ? security_file_ioctl+0x76/0xb0
[ 44.554240]  ? security_file_ioctl+0x83/0xb0
[ 44.554244]  SyS_ioctl+0x7f/0xb0
[ 44.554247]  ? do_vfs_ioctl+0xfe0/0xfe0
[ 44.554251]  do_syscall_64+0x1d5/0x640
[ 44.554257]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.554259] RIP: 0033:0x440269
[ 44.554261] RSP: 002b:00007ffc4393a258 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 44.554265] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440269
[ 44.554267] RDX: 0000000020000080 RSI: 000000000000560a RDI: 0000000000000004
[ 44.554269] RBP: 00000000006cb018 R08: 0000000000000001 R09: 00000000004002c8
[ 44.554272] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000401b50
[ 44.554274] R13: 0000000000401be0 R14: 0000000000000000 R15: 0000000000000000
[ 44.555595] Kernel Offset: disabled
[ 45.327368] Rebooting in 86400 seconds..