[ ok ] Starting enhanced syslogd: rsyslogd.
[ 68.070173][ T25] audit: type=1800 audit(1575439205.768:25): pid=8992 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 68.090407][ T25] audit: type=1800 audit(1575439205.768:26): pid=8992 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 68.135779][ T25] audit: type=1800 audit(1575439205.778:27): pid=8992 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.78' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 79.275522][ T9146] ==================================================================
[ 79.275562][ T9146] BUG: KASAN: slab-out-of-bounds in vcs_scr_readw+0xc2/0xd0
[ 79.275569][ T9146] Read of size 2 at addr ffff88808c8112c0 by task syz-executor892/9146
[ 79.275571][ T9146]
[ 79.275580][ T9146] CPU: 0 PID: 9146 Comm: syz-executor892 Not tainted 5.4.0-syzkaller #0
[ 79.275585][ T9146] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 79.275588][ T9146] Call Trace:
[ 79.275601][ T9146] dump_stack+0x197/0x210
[ 79.275609][ T9146] ? vcs_scr_readw+0xc2/0xd0
[ 79.275627][ T9146] print_address_description.constprop.0.cold+0xd4/0x30b
[ 79.275634][ T9146] ? vcs_scr_readw+0xc2/0xd0
[ 79.275641][ T9146] ? vcs_scr_readw+0xc2/0xd0
[ 79.275648][ T9146] __kasan_report.cold+0x1b/0x41
[ 79.275664][ T9146] ? vcs_write+0x440/0xcf0
[ 79.275673][ T9146] ? vcs_scr_readw+0xc2/0xd0
[ 79.275683][ T9146] kasan_report+0x12/0x20
[ 79.275694][ T9146] __asan_report_load2_noabort+0x14/0x20
[ 79.275704][ T9146] vcs_scr_readw+0xc2/0xd0
[ 79.275716][ T9146] vcs_write+0x646/0xcf0
[ 79.275737][ T9146] ? vcs_size+0x250/0x250
[ 79.275754][ T9146] ? apparmor_file_permission+0x25/0x30
[ 79.275769][ T9146] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 79.275784][ T9146] ? security_file_permission+0x8f/0x380
[ 79.275796][ T9146] ? trace_hardirqs_on+0x67/0x240
[ 79.275811][ T9146] __vfs_write+0x8a/0x110
[ 79.275821][ T9146] ? vcs_size+0x250/0x250
[ 79.275835][ T9146] vfs_write+0x268/0x5d0
[ 79.275850][ T9146] ksys_write+0x14f/0x290
[ 79.275864][ T9146] ? __ia32_sys_read+0xb0/0xb0
[ 79.275881][ T9146] ? do_syscall_64+0x26/0x790
[ 79.275895][ T9146] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 79.275908][ T9146] ? do_syscall_64+0x26/0x790
[ 79.275925][ T9146] __x64_sys_write+0x73/0xb0
[ 79.275939][ T9146] do_syscall_64+0xfa/0x790
[ 79.275954][ T9146] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 79.275962][ T9146] RIP: 0033:0x443e49
[ 79.275970][ T9146] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 79.275975][ T9146] RSP: 002b:00007ffda9a3ece8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 79.275982][ T9146] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000443e49
[ 79.275987][ T9146] RDX: 0000000000001010 RSI: 0000000020006480 RDI: 0000000000000003
[ 79.276005][ T9146] RBP: 00000000006cf018 R08: 0000000000000000 R09: 00000000004002e0
[ 79.276009][ T9146] R10: 000000000000000f R11: 0000000000000246 R12: 0000000000401b50
[ 79.276014][ T9146] R13: 0000000000401be0 R14: 0000000000000000 R15: 0000000000000000
[ 79.276025][ T9146]
[ 79.276029][ T9146] Allocated by task 9125:
[ 79.276036][ T9146] save_stack+0x23/0x90
[ 79.276043][ T9146] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 79.276049][ T9146] kasan_kmalloc+0x9/0x10
[ 79.276058][ T9146] __kmalloc+0x163/0x770
[ 79.276064][ T9146] vc_allocate+0x3fc/0x760
[ 79.276069][ T9146] con_install+0x52/0x410
[ 79.276077][ T9146] tty_init_dev+0xf7/0x460
[ 79.276082][ T9146] tty_open+0x4a5/0xbb0
[ 79.276090][ T9146] chrdev_open+0x245/0x6b0
[ 79.276099][ T9146] do_dentry_open+0x4e6/0x1380
[ 79.276105][ T9146] vfs_open+0xa0/0xd0
[ 79.276113][ T9146] path_openat+0x10e4/0x4710
[ 79.276120][ T9146] do_filp_open+0x1a1/0x280
[ 79.276125][ T9146] do_sys_open+0x3fe/0x5d0
[ 79.276131][ T9146] __x64_sys_open+0x7e/0xc0
[ 79.276138][ T9146] do_syscall_64+0xfa/0x790
[ 79.276146][ T9146] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 79.276148][ T9146]
[ 79.276152][ T9146] Freed by task 8858:
[ 79.276158][ T9146] save_stack+0x23/0x90
[ 79.276164][ T9146] __kasan_slab_free+0x102/0x150
[ 79.276170][ T9146] kasan_slab_free+0xe/0x10
[ 79.276177][ T9146] kfree+0x10a/0x2c0
[ 79.276185][ T9146] tomoyo_init_log+0x15b5/0x2070
[ 79.276192][ T9146] tomoyo_supervisor+0x33f/0xef0
[ 79.276200][ T9146] tomoyo_env_perm+0x18e/0x210
[ 79.276208][ T9146] tomoyo_find_next_domain+0x1354/0x1f6c
[ 79.276215][ T9146] tomoyo_bprm_check_security+0x124/0x1a0
[ 79.276222][ T9146] security_bprm_check+0x63/0xb0
[ 79.276229][ T9146] search_binary_handler+0x71/0x570
[ 79.276235][ T9146] __do_execve_file.isra.0+0x1329/0x22b0
[ 79.276242][ T9146] __x64_sys_execve+0x8f/0xc0
[ 79.276249][ T9146] do_syscall_64+0xfa/0x790
[ 79.276257][ T9146] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 79.276259][ T9146]
[ 79.276265][ T9146] The buggy address belongs to the object at ffff88808c810000
[ 79.276265][ T9146] which belongs to the cache kmalloc-8k of size 8192
[ 79.276272][ T9146] The buggy address is located 4800 bytes inside of
[ 79.276272][ T9146] 8192-byte region [ffff88808c810000, ffff88808c812000)
[ 79.276274][ T9146] The buggy address belongs to the page:
[ 79.276283][ T9146] page:ffffea0002320400 refcount:1 mapcount:0 mapping:ffff8880aa4021c0 index:0x0 compound_mapcount: 0
[ 79.276294][ T9146] raw: 00fffe0000010200 ffffea00025c5808 ffffea0002550d08 ffff8880aa4021c0
[ 79.276303][ T9146] raw: 0000000000000000 ffff88808c810000 0000000100000001 0000000000000000
[ 79.276307][ T9146] page dumped because: kasan: bad access detected
[ 79.276309][ T9146]
[ 79.276311][ T9146] Memory state around the buggy address:
[ 79.276318][ T9146]  ffff88808c811180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 79.276323][ T9146]  ffff88808c811200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 79.276329][ T9146] >ffff88808c811280: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 79.276332][ T9146]                                            ^
[ 79.276338][ T9146]  ffff88808c811300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.276344][ T9146]  ffff88808c811380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.276347][ T9146] ==================================================================
[ 79.276349][ T9146] Disabling lock debugging due to kernel taint
[ 79.276423][ T9146] Kernel panic - not syncing: panic_on_warn set ...
[ 79.276441][ T9146] CPU: 0 PID: 9146 Comm: syz-executor892 Tainted: G B 5.4.0-syzkaller #0
[ 79.276451][ T9146] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 79.276458][ T9146] Call Trace:
[ 79.276474][ T9146] dump_stack+0x197/0x210
[ 79.276491][ T9146] panic+0x2e3/0x75c
[ 79.276504][ T9146] ? add_taint.cold+0x16/0x16
[ 79.276518][ T9146] ? retint_kernel+0x2b/0x2b
[ 79.276533][ T9146] ? trace_hardirqs_on+0x5e/0x240
[ 79.276547][ T9146] ? vcs_scr_readw+0xc2/0xd0
[ 79.276560][ T9146] end_report+0x47/0x4f
[ 79.276572][ T9146] ? vcs_scr_readw+0xc2/0xd0
[ 79.276585][ T9146] __kasan_report.cold+0xe/0x41
[ 79.276599][ T9146] ? vcs_write+0x440/0xcf0
[ 79.276611][ T9146] ? vcs_scr_readw+0xc2/0xd0
[ 79.276628][ T9146] kasan_report+0x12/0x20
[ 79.276642][ T9146] __asan_report_load2_noabort+0x14/0x20
[ 79.276655][ T9146] vcs_scr_readw+0xc2/0xd0
[ 79.276668][ T9146] vcs_write+0x646/0xcf0
[ 79.276689][ T9146] ? vcs_size+0x250/0x250
[ 79.276703][ T9146] ? apparmor_file_permission+0x25/0x30
[ 79.276719][ T9146] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 79.276733][ T9146] ? security_file_permission+0x8f/0x380
[ 79.276747][ T9146] ? trace_hardirqs_on+0x67/0x240
[ 79.276760][ T9146] __vfs_write+0x8a/0x110
[ 79.276773][ T9146] ? vcs_size+0x250/0x250
[ 79.276786][ T9146] vfs_write+0x268/0x5d0
[ 79.276800][ T9146] ksys_write+0x14f/0x290
[ 79.276813][ T9146] ? __ia32_sys_read+0xb0/0xb0
[ 79.276828][ T9146] ? do_syscall_64+0x26/0x790
[ 79.276842][ T9146] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 79.276856][ T9146] ? do_syscall_64+0x26/0x790
[ 79.276870][ T9146] __x64_sys_write+0x73/0xb0
[ 79.276884][ T9146] do_syscall_64+0xfa/0x790
[ 79.276899][ T9146] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 79.276911][ T9146] RIP: 0033:0x443e49
[ 79.276924][ T9146] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 79.276934][ T9146] RSP: 002b:00007ffda9a3ece8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 79.276954][ T9146] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000443e49
[ 79.276964][ T9146] RDX: 0000000000001010 RSI: 0000000020006480 RDI: 0000000000000003
[ 79.276974][ T9146] RBP: 00000000006cf018 R08: 0000000000000000 R09: 00000000004002e0
[ 79.276985][ T9146] R10: 000000000000000f R11: 0000000000000246 R12: 0000000000401b50
[ 79.276995][ T9146] R13: 0000000000401be0 R14: 0000000000000000 R15: 0000000000000000
[ 79.278852][ T9146] Kernel Offset: disabled
[ 80.161503][ T9146] Rebooting in 86400 seconds..