[ ok ] Starting enhanced syslogd: rsyslogd.
[ 8.843484] audit: type=1400 audit(1513562410.855:4): avc: denied { syslog } for pid=3164 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-android-49-kasan-gce-1,10.128.15.202' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 16.073844] ==================================================================
[ 16.074898] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x153e/0x3470 at addr ffff8801ca2ac798
[ 16.076050] Read of size 8192 by task syzkaller072988/3316
[ 16.076793] CPU: 0 PID: 3316 Comm: syzkaller072988 Not tainted 4.9.69-g3f1d77c #108
[ 16.077828] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 16.079047] ffff8801c96df748 ffffffff81d90a29 ffff8801da001280 ffff8801ca2ac780
[ 16.080174] ffff8801ca2ac980 ffffed0039455930 ffff8801ca2ac798 ffff8801c96df770
[ 16.081305] ffffffff8153a45c ffffed0039455930 ffff8801da001280 0000000000000000
[ 16.082490] Call Trace:
[ 16.082861] [] dump_stack+0xc1/0x128
[ 16.083572] [] kasan_object_err+0x1c/0x70
[ 16.084349] [] kasan_report.part.1+0x21c/0x500
[ 16.085167] [] ? __kmalloc+0x19d/0x310
[ 16.085899] [] ? pfkey_add+0x153e/0x3470
[ 16.086653] [] ? rcu_read_lock_sched_held+0x103/0x120
[ 16.087550] [] kasan_report+0x21/0x30
[ 16.088269] [] check_memory_region+0x137/0x190
[ 16.089088] [] memcpy+0x23/0x50
[ 16.089797] [] pfkey_add+0x153e/0x3470
[ 16.090567] [] ? pfkey_delete+0x360/0x360
[ 16.091331] [] ? pfkey_seq_stop+0x80/0x80
[ 16.092097] [] ? __skb_clone+0x24a/0x7d0
[ 16.092849] [] ? pfkey_delete+0x360/0x360
[ 16.093631] [] pfkey_process+0x61e/0x730
[ 16.094389] [] ? pfkey_send_new_mapping+0x11b0/0x11b0
[ 16.101192] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 16.107996] [] pfkey_sendmsg+0x3a9/0x760
[ 16.113673] [] ? pfkey_spdget+0x820/0x820
[ 16.119438] [] sock_sendmsg+0xca/0x110
[ 16.124939] [] ___sys_sendmsg+0x6d1/0x7e0
[ 16.130701] [] ? copy_msghdr_from_user+0x550/0x550
[ 16.137243] [] ? __lru_cache_add+0x187/0x250
[ 16.143269] [] ? do_huge_pmd_anonymous_page+0xb05/0x10d0
[ 16.150335] [] ? _raw_spin_unlock+0x2c/0x50
[ 16.156271] [] ? do_huge_pmd_anonymous_page+0x2d4/0x10d0
[ 16.163336] [] ? handle_mm_fault+0x6ee/0x2530
[ 16.169449] [] ? __lock_is_held+0xa1/0xf0
[ 16.175211] [] ? __pmd_alloc+0x410/0x410
[ 16.180887] [] ? __fget_light+0x158/0x1e0
[ 16.186647] [] ? __fdget+0x18/0x20
[ 16.191819] [] __sys_sendmsg+0xd6/0x190
[ 16.197409] [] ? SyS_shutdown+0x1b0/0x1b0
[ 16.203175] [] ? __do_page_fault+0x5ec/0xd40
[ 16.209196] [] ? __do_page_fault+0x3bd/0xd40
[ 16.215218] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 16.222024] [] SyS_sendmsg+0x2d/0x50
[ 16.227352] [] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 16.233895] Object at ffff8801ca2ac780, in cache kmalloc-512 size: 512
[ 16.240521] Allocated:
[ 16.242980] PID = 3316
[ 16.245442] save_stack_trace+0x16/0x20
[ 16.249380] save_stack+0x43/0xd0
[ 16.252797] kasan_kmalloc+0xad/0xe0
[ 16.256476] kasan_slab_alloc+0x12/0x20
[ 16.260415] __kmalloc_track_caller+0xda/0x2b0
[ 16.264960] __kmalloc_reserve.isra.37+0x33/0xc0
[ 16.269678] __alloc_skb+0x119/0x600
[ 16.273386] pfkey_sendmsg+0x135/0x760
[ 16.277237] sock_sendmsg+0xca/0x110
[ 16.280914] ___sys_sendmsg+0x6d1/0x7e0
[ 16.284852] __sys_sendmsg+0xd6/0x190
[ 16.288617] SyS_sendmsg+0x2d/0x50
[ 16.292122] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 16.296842] Freed:
[ 16.298956] PID = 0
[ 16.301153] (stack is not available)
[ 16.304827] Memory state around the buggy address:
[ 16.309720] ffff8801ca2ac880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 16.317042] ffff8801ca2ac900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 16.324366] >ffff8801ca2ac980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.331691]                    ^
[ 16.335021] ffff8801ca2aca00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.342345] ffff8801ca2aca80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.349666] ==================================================================
[ 16.356986] Disabling lock debugging due to kernel taint