[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.187' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 31.220997] ==================================================================
[ 31.228520] BUG: KASAN: slab-out-of-bounds in squashfs_export_iget+0x22f/0x250
[ 31.237105] Read of size 8 at addr ffff8880af8135b8 by task syz-executor102/8023
[ 31.244759]
[ 31.246370] CPU: 0 PID: 8023 Comm: syz-executor102 Not tainted 4.14.216-syzkaller #0
[ 31.254229] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.263662] Call Trace:
[ 31.266268] dump_stack+0x1b2/0x281
[ 31.269880] print_address_description.cold+0x54/0x1d3
[ 31.275300] kasan_report_error.cold+0x8a/0x191
[ 31.279974] ? squashfs_export_iget+0x22f/0x250
[ 31.284633] __asan_report_load8_noabort+0x68/0x70
[ 31.289611] ? squashfs_export_iget+0x22f/0x250
[ 31.294269] squashfs_export_iget+0x22f/0x250
[ 31.298827] ? squashfs_readdir+0xc10/0xc10
[ 31.303285] squashfs_fh_to_dentry+0x5f/0x90
[ 31.307697] exportfs_decode_fh+0x113/0x6c0
[ 31.312033] ? squashfs_get_parent+0xa0/0xa0
[ 31.316777] ? drop_caches_sysctl_handler+0xe0/0xe0
[ 31.321775] ? reconnect_path+0x730/0x730
[ 31.325909] ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 31.331017] ? debug_check_no_obj_freed+0x2c0/0x680
[ 31.336038] ? __might_fault+0x104/0x1b0
[ 31.340088] ? lock_acquire+0x170/0x3f0
[ 31.344054] ? lock_downgrade+0x740/0x740
[ 31.348382] ? __might_fault+0x177/0x1b0
[ 31.352471] do_handle_open+0x248/0x570
[ 31.356447] ? SyS_name_to_handle_at+0x3f0/0x3f0
[ 31.361181] ? __close_fd+0x159/0x230
[ 31.364973] ? do_syscall_64+0x4c/0x640
[ 31.368933] ? do_handle_open+0x570/0x570
[ 31.373081] do_syscall_64+0x1d5/0x640
[ 31.377003] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 31.382186] RIP: 0033:0x444409
[ 31.385359] RSP: 002b:00007fffe2e371f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000130
[ 31.393148] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000444409
[ 31.400519] RDX: 0000000000000000 RSI: 00000000200003c0 RDI: 0000000000000003
[ 31.407773] RBP: 00000000006cf018 R08: 0000000000000000 R09: 00000000004002e0
[ 31.415023] R10: 00007fff00000015 R11: 0000000000000246 R12: 0000000000401ff0
[ 31.422377] R13: 0000000000402080 R14: 0000000000000000 R15: 0000000000000000
[ 31.429655]
[ 31.431698] Allocated by task 6200:
[ 31.435323] kasan_kmalloc+0xeb/0x160
[ 31.439125] kmem_cache_alloc_trace+0x131/0x3d0
[ 31.443774] aa_alloc_task_context+0x4d/0x90
[ 31.448161] apparmor_cred_prepare+0x1a/0xb0
[ 31.452549] security_prepare_creds+0x76/0xb0
[ 31.457043] prepare_creds+0x2ef/0x490
[ 31.460913] SyS_faccessat+0x7b/0x680
[ 31.464707] do_syscall_64+0x1d5/0x640
[ 31.468589] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 31.474311]
[ 31.476066] Freed by task 6200:
[ 31.479365] kasan_slab_free+0xc3/0x1a0
[ 31.483367] kfree+0xc9/0x250
[ 31.486525] aa_free_task_context+0xda/0x130
[ 31.491161] apparmor_cred_free+0x34/0x70
[ 31.495324] security_cred_free+0x71/0xb0
[ 31.499498] put_cred_rcu+0xe3/0x300
[ 31.503198] __put_cred+0x1a1/0x210
[ 31.506824] SyS_faccessat+0x52a/0x680
[ 31.510695] do_syscall_64+0x1d5/0x640
[ 31.514582] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 31.519763]
[ 31.521394] The buggy address belongs to the object at ffff8880af813580
[ 31.521394] which belongs to the cache kmalloc-32 of size 32
[ 31.533866] The buggy address is located 24 bytes to the right of
[ 31.533866] 32-byte region [ffff8880af813580, ffff8880af8135a0)
[ 31.546130] The buggy address belongs to the page:
[ 31.551060] page:ffffea0002be04c0 count:1 mapcount:0 mapping:ffff8880af813000 index:0xffff8880af813fc1
[ 31.560506] flags: 0xfff00000000100(slab)
[ 31.564661] raw: 00fff00000000100 ffff8880af813000 ffff8880af813fc1 0000000100000020
[ 31.572551] raw: ffffea0002be5360 ffff88813fe81238 ffff88813fe801c0 0000000000000000
[ 31.580908] page dumped because: kasan: bad access detected
[ 31.586618]
[ 31.588357] Memory state around the buggy address:
[ 31.593390] ffff8880af813480: 00 00 fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 31.600786] ffff8880af813500: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 31.608135] >ffff8880af813580: fb fb fb fb fc fc fc fc 00 fc fc fc fc fc fc fc
[ 31.615484] ^
[ 31.620658] ffff8880af813600: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 31.627997] ffff8880af813680: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 31.635341] ==================================================================
[ 31.642724] Disabling lock debugging due to kernel taint
[ 31.659074] Kernel panic - not syncing: panic_on_warn set ...
[ 31.659074]
[ 31.666496] CPU: 1 PID: 8023 Comm: syz-executor102 Tainted: G B 4.14.216-syzkaller #0
[ 31.675580] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.684921] Call Trace:
[ 31.687496] dump_stack+0x1b2/0x281
[ 31.691106] panic+0x1f9/0x42d
[ 31.694279] ? add_taint.cold+0x16/0x16
[ 31.698231] ? ___preempt_schedule+0x16/0x18
[ 31.702621] kasan_end_report+0x43/0x49
[ 31.706607] kasan_report_error.cold+0xa7/0x191
[ 31.711264] ? squashfs_export_iget+0x22f/0x250
[ 31.715912] __asan_report_load8_noabort+0x68/0x70
[ 31.720844] ? squashfs_export_iget+0x22f/0x250
[ 31.725495] squashfs_export_iget+0x22f/0x250
[ 31.729992] ? squashfs_readdir+0xc10/0xc10
[ 31.734292] squashfs_fh_to_dentry+0x5f/0x90
[ 31.738685] exportfs_decode_fh+0x113/0x6c0
[ 31.743086] ? squashfs_get_parent+0xa0/0xa0
[ 31.747486] ? drop_caches_sysctl_handler+0xe0/0xe0
[ 31.752486] ? reconnect_path+0x730/0x730
[ 31.756616] ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 31.761727] ? debug_check_no_obj_freed+0x2c0/0x680
[ 31.766744] ? __might_fault+0x104/0x1b0
[ 31.770819] ? lock_acquire+0x170/0x3f0
[ 31.774776] ? lock_downgrade+0x740/0x740
[ 31.778905] ? __might_fault+0x177/0x1b0
[ 31.782949] do_handle_open+0x248/0x570
[ 31.786913] ? SyS_name_to_handle_at+0x3f0/0x3f0
[ 31.791661] ? __close_fd+0x159/0x230
[ 31.795441] ? do_syscall_64+0x4c/0x640
[ 31.799399] ? do_handle_open+0x570/0x570
[ 31.803527] do_syscall_64+0x1d5/0x640
[ 31.807418] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 31.812602] RIP: 0033:0x444409
[ 31.815875] RSP: 002b:00007fffe2e371f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000130
[ 31.823575] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000444409
[ 31.830845] RDX: 0000000000000000 RSI: 00000000200003c0 RDI: 0000000000000003
[ 31.838092] RBP: 00000000006cf018 R08: 0000000000000000 R09: 00000000004002e0
[ 31.845340] R10: 00007fff00000015 R11: 0000000000000246 R12: 0000000000401ff0
[ 31.852712] R13: 0000000000402080 R14: 0000000000000000 R15: 0000000000000000
[ 31.860528] Kernel Offset: disabled
[ 31.864141] Rebooting in 86400 seconds..