[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[   28.331957] random: sshd: uninitialized urandom read (32 bytes read)
[   28.752983] audit: type=1400 audit(1549134700.519:6): avc:  denied  { map } for  pid=1767 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   28.809391] random: sshd: uninitialized urandom read (32 bytes read)
[   29.279159] random: sshd: uninitialized urandom read (32 bytes read)
[   41.621509] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.121' (ECDSA) to the list of known hosts.
[   47.092956] random: sshd: uninitialized urandom read (32 bytes read)
[   47.178479] audit: type=1400 audit(1549134718.939:7): avc:  denied  { map } for  pid=1791 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/02/02 19:11:59 parsed 1 programs
[   47.964532] audit: type=1400 audit(1549134719.729:8): avc:  denied  { map } for  pid=1791 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=5005 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[   48.815696] random: cc1: uninitialized urandom read (8 bytes read)
2019/02/02 19:12:02 executed programs: 0
[   50.668520] audit: type=1400 audit(1549134722.429:9): avc:  denied  { map } for  pid=1791 comm="syz-execprog" path="/root/syzkaller-shm434027991" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
2019/02/02 19:12:07 executed programs: 123
2019/02/02 19:12:12 executed programs: 555
2019/02/02 19:12:17 executed programs: 983
2019/02/02 19:12:22 executed programs: 1432
2019/02/02 19:12:23 result: hanged=false err=executor 5: exit status 67
event already set (errno 0)
child failed (errno 0)
loop exited with status 67
event already set (errno 0)
child failed (errno 0)
loop exited with status 67

[   72.320293] ==================================================================
[   72.327726] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x4e0/0x560
[   72.334717] Read of size 8 at addr ffff8881cba1a1b8 by task kworker/0:2/71
[   72.341703]
[   72.343306] CPU: 0 PID: 71 Comm: kworker/0:2 Not tainted 4.14.97+ #1
[   72.349779] Workqueue: events xfrm_state_gc_task
[   72.354520] Call Trace:
[   72.357097]  dump_stack+0xb9/0x10e
[   72.360622]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[   72.365269]  print_address_description+0x60/0x226
[   72.370090]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[   72.374733]  kasan_report.cold+0x88/0x2a5
[   72.378876]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[   72.383525]  ? kfree+0x1b3/0x310
[   72.386873]  ? xfrm_state_gc_task+0x3d6/0x550
[   72.391355]  ? xfrm_state_unregister_afinfo+0x190/0x190
[   72.396696]  ? lock_acquire+0x10f/0x380
[   72.400650]  ? process_one_work+0x7c6/0x14e0
[   72.405044]  ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[   72.409695]  ? worker_thread+0x5d7/0x1080
[   72.413826]  ? process_one_work+0x14e0/0x14e0
[   72.418298]  ? kthread+0x310/0x420
[   72.421814]  ? kthread_create_on_node+0xf0/0xf0
[   72.426462]  ? ret_from_fork+0x3a/0x50
[   72.430333]
[   72.431932] Allocated by task 1826:
[   72.435536]  kasan_kmalloc.part.0+0x4f/0xd0
[   72.439832]  __kmalloc+0x143/0x340
[   72.443351]  ops_init+0xee/0x3e0
[   72.446691]  setup_net+0x22b/0x520
[   72.450205]  copy_net_ns+0x19b/0x440
[   72.453894]  create_new_namespaces+0x366/0x750
[   72.458702]  unshare_nsproxy_namespaces+0xa5/0x1e0
[   72.463607]  SyS_unshare+0x300/0x690
[   72.467300]  do_syscall_64+0x19b/0x4b0
[   72.471159]
[   72.472761] Freed by task 64:
[   72.475868]  kasan_slab_free+0xb0/0x190
[   72.479827]  kfree+0xf5/0x310
[   72.482947]  ops_free_list.part.0+0x1f9/0x330
[   72.487419]  cleanup_net+0x466/0x860
[   72.491107]  process_one_work+0x7c6/0x14e0
[   72.495315]  worker_thread+0x5d7/0x1080
[   72.499277]  kthread+0x310/0x420
[   72.502619]  ret_from_fork+0x3a/0x50
[   72.506305]
[   72.507909] The buggy address belongs to the object at ffff8881cba1a100
[   72.507909]  which belongs to the cache kmalloc-8192 of size 8192
[   72.520733] The buggy address is located 184 bytes inside of
[   72.520733]  8192-byte region [ffff8881cba1a100, ffff8881cba1c100)
[   72.532672] The buggy address belongs to the page:
[   72.537577] page:ffffea00072e8600 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   72.547521] flags: 0x4000000000008100(slab|head)
[   72.552254] raw: 4000000000008100 0000000000000000 0000000000000000 0000000180030003
[   72.560111] raw: dead000000000100 dead000000000200 ffff8881da802400 0000000000000000
[   72.567981] page dumped because: kasan: bad access detected
[   72.573663]
[   72.575260] Memory state around the buggy address:
[   72.580170]  ffff8881cba1a080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   72.587505]  ffff8881cba1a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   72.594841] >ffff8881cba1a180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   72.602179]                                         ^
[   72.607342]  ffff8881cba1a200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   72.614687]  ffff8881cba1a280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   72.622019] ==================================================================
[   72.629351] Disabling lock debugging due to kernel taint
[   72.634816] Kernel panic - not syncing: panic_on_warn set ...
[   72.634816]
[   72.642166] CPU: 0 PID: 71 Comm: kworker/0:2 Tainted: G    B     4.14.97+ #1
[   72.649861] Workqueue: events xfrm_state_gc_task
[   72.654592] Call Trace:
[   72.657157]  dump_stack+0xb9/0x10e
[   72.660673]  panic+0x1d9/0x3c2
[   72.663837]  ? add_taint.cold+0x16/0x16
[   72.667796]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[   72.672437]  kasan_end_report+0x43/0x49
[   72.676384]  kasan_report.cold+0xa4/0x2a5
[   72.680507]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[   72.685159]  ? kfree+0x1b3/0x310
[   72.688503]  ? xfrm_state_gc_task+0x3d6/0x550
[   72.692977]  ? xfrm_state_unregister_afinfo+0x190/0x190
[   72.698315]  ? lock_acquire+0x10f/0x380
[   72.702271]  ? process_one_work+0x7c6/0x14e0
[   72.706655]  ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[   72.711320]  ? worker_thread+0x5d7/0x1080
[   72.715444]  ? process_one_work+0x14e0/0x14e0
[   72.719930]  ? kthread+0x310/0x420
[   72.723450]  ? kthread_create_on_node+0xf0/0xf0
[   72.728097]  ? ret_from_fork+0x3a/0x50
[   72.732353] Kernel Offset: 0x9a00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   72.743171] Rebooting in 86400 seconds..