[ ok ] Starting enhanced syslogd: rsyslogd.
[ 13.238313] audit: type=1400 audit(1538114929.189:4): avc: denied { syslog } for pid=1910 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.86' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[ 41.534399] ==================================================================
[ 41.541851] BUG: KASAN: stack-out-of-bounds in iov_iter_advance+0x4b3/0x4f0
[ 41.548940] Read of size 8 at addr ffff8800b6a77d50 by task syz-executor329/2069
[ 41.556460]
[ 41.558081] CPU: 1 PID: 2069 Comm: syz-executor329 Not tainted 4.4.158+ #105
[ 41.565249] 0000000000000000 e66ae0773ea2a43f ffff8800b6a77990 ffffffff81a991dd
[ 41.573307] ffffea0002da9dc0 ffff8800b6a77d50 0000000000000000 ffff8800b6a77d50
[ 41.581387] ffff8800b6a77d48 ffff8800b6a779c8 ffffffff8148a7c9 ffff8800b6a77d50
[ 41.589548] Call Trace:
[ 41.592252] [] dump_stack+0xc1/0x124
[ 41.597612] [] print_address_description+0x6c/0x217
[ 41.604267] [] kasan_report.cold.6+0x175/0x2f7
[ 41.610584] [] ? iov_iter_advance+0x4b3/0x4f0
[ 41.616718] [] __asan_report_load8_noabort+0x14/0x20
[ 41.623462] [] iov_iter_advance+0x4b3/0x4f0
[ 41.629423] [] tun_do_read+0x659/0xc10
[ 41.634959] [] ? tun_sock_write_space+0x1a0/0x1a0
[ 41.641441] [] ? futex_wait_restart+0x230/0x230
[ 41.647750] [] ? __lock_acquire+0xa85/0x5f10
[ 41.653794] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 41.660607] [] ? do_futex+0x12d/0x1a00
[ 41.666135] [] ? check_preemption_disabled+0x3b/0x170
[ 41.672961] [] ? __tun_get+0x126/0x230
[ 41.678480] [] tun_chr_read_iter+0xe2/0x1d0
[ 41.684512] [] __vfs_read+0x301/0x3d0
[ 41.689949] [] ? vfs_iter_write+0x2c0/0x2c0
[ 41.695910] [] ? __fsnotify_inode_delete+0x30/0x30
[ 41.702473] [] ? __fsnotify_update_child_dentry_flags.part.0+0x300/0x300
[ 41.710949] [] ? check_preemption_disabled+0x3b/0x170
[ 41.717773] [] ? avc_policy_seqno+0x9/0x20
[ 41.723643] [] ? selinux_file_permission+0x2f2/0x450
[ 41.730379] [] ? rw_verify_area+0x100/0x2f0
[ 41.736335] [] vfs_read+0x130/0x360
[ 41.741596] [] SyS_pread64+0x145/0x170
[ 41.747114] [] ? SyS_write+0x1c0/0x1c0
[ 41.752636] [] ? lockdep_sys_exit_thunk+0x12/0x14
[ 41.759116] [] entry_SYSCALL_64_fastpath+0x1e/0x9a
[ 41.765676]
[ 41.767288] The buggy address belongs to the page:
[ 41.772200] page:ffffea0002da9dc0 count:0 mapcount:0 mapping: (null) index:0x0
[ 41.780322] flags: 0x0()
[ 41.783106] page dumped because: kasan: bad access detected
[ 41.788905]
[ 41.790516] Memory state around the buggy address:
[ 41.795655] ffff8800b6a77c00: 04 f2 f2 f2 f2 f2 f2 f2 00 02 f2 f2 00 00 00 00
[ 41.802997] ffff8800b6a77c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 41.810426] >ffff8800b6a77d00: 00 00 00 f1 f1 f1 f1 00 00 f2 f2 f2 f2 f2 f2 00
[ 41.817772] ^
[ 41.823725] ffff8800b6a77d80: 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00
[ 41.831067] ffff8800b6a77e00: f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 41.838405] ==================================================================
[ 41.845751] Disabling lock debugging due to kernel taint
[ 41.853878] Kernel panic - not syncing: panic_on_warn set ...
[ 41.853878]
[ 41.861278] CPU: 0 PID: 2069 Comm: syz-executor329 Tainted: G B 4.4.158+ #105
[ 41.869666] 0000000000000000 e66ae0773ea2a43f ffff8800b6a778f0 ffffffff81a991dd
[ 41.877729] ffffffff82c4b2e1 0000000000000008 0000000000000000 ffff8800b6a77d50
[ 41.885762] ffff8800b6a77d48 ffff8800b6a779b0 ffffffff813a1024 0000000041b58ab3
[ 41.893822] Call Trace:
[ 41.896400] [] dump_stack+0xc1/0x124
[ 41.901775] [] panic+0x19e/0x359
[ 41.906794] [] ? add_taint.cold.4+0x16/0x16
[ 41.912771] [] ? preempt_schedule_common+0x22/0x60
[ 41.919341] [] ? preempt_schedule+0x25/0x30
[ 41.925302] [] ? ___preempt_schedule+0x12/0x14
[ 41.931627] [] kasan_end_report+0x47/0x4f
[ 41.937413] [] kasan_report.cold.6+0x192/0x2f7
[ 41.943632] [] ? iov_iter_advance+0x4b3/0x4f0
[ 41.949762] [] __asan_report_load8_noabort+0x14/0x20
[ 41.956544] [] iov_iter_advance+0x4b3/0x4f0
[ 41.962507] [] tun_do_read+0x659/0xc10
[ 41.968032] [] ? tun_sock_write_space+0x1a0/0x1a0
[ 41.974513] [] ? futex_wait_restart+0x230/0x230
[ 41.980832] [] ? __lock_acquire+0xa85/0x5f10
[ 41.986879] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 41.993616] [] ? do_futex+0x12d/0x1a00
[ 41.999139] [] ? check_preemption_disabled+0x3b/0x170
[ 42.005965] [] ? __tun_get+0x126/0x230
[ 42.011485] [] tun_chr_read_iter+0xe2/0x1d0
[ 42.017442] [] __vfs_read+0x301/0x3d0
[ 42.022874] [] ? vfs_iter_write+0x2c0/0x2c0
[ 42.028893] [] ? __fsnotify_inode_delete+0x30/0x30
[ 42.035459] [] ? __fsnotify_update_child_dentry_flags.part.0+0x300/0x300
[ 42.043971] [] ? check_preemption_disabled+0x3b/0x170
[ 42.050805] [] ? avc_policy_seqno+0x9/0x20
[ 42.056673] [] ? selinux_file_permission+0x2f2/0x450
[ 42.063411] [] ? rw_verify_area+0x100/0x2f0
[ 42.069362] [] vfs_read+0x130/0x360
[ 42.074617] [] SyS_pread64+0x145/0x170
[ 42.080138] [] ? SyS_write+0x1c0/0x1c0
[ 42.085654] [] ? lockdep_sys_exit_thunk+0x12/0x14
[ 42.092123] [] entry_SYSCALL_64_fastpath+0x1e/0x9a
[ 42.099318] Kernel Offset: disabled
[ 42.102927] Rebooting in 86400 seconds..