[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 11.221072] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 20.933554] random: sshd: uninitialized urandom read (32 bytes read)
[ 21.379611] audit: type=1400 audit(1537636487.853:6): avc: denied { map } for pid=1764 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 21.447735] random: sshd: uninitialized urandom read (32 bytes read)
[ 21.939710] random: sshd: uninitialized urandom read (32 bytes read)
[ 45.254266] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.14' (ECDSA) to the list of known hosts.
[ 50.870248] random: sshd: uninitialized urandom read (32 bytes read)
[ 50.959776] audit: type=1400 audit(1537636517.433:7): avc: denied { map } for pid=1795 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2018/09/22 17:15:17 parsed 1 programs
[ 51.455629] audit: type=1400 audit(1537636517.933:8): avc: denied { map } for pid=1795 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=4999 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 52.010424] random: cc1: uninitialized urandom read (8 bytes read)
2018/09/22 17:15:19 executed programs: 0
[ 53.282455] audit: type=1400 audit(1537636519.753:9): avc: denied { map } for pid=1795 comm="syz-execprog" path="/root/syzkaller-shm917583435" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
2018/09/22 17:15:26 executed programs: 6
[ 59.612386] pts pts0: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 59.619780] pts pts1: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 59.636412] pts pts2: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 59.644493] pts pts3: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 59.662100] pts pts4: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 59.669421] pts pts5: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 59.686272] pts pts6: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 59.693985] pts pts7: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 59.710342] pts pts8: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 59.717704] pts pts9: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 59.733771] pts pts10: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 59.741270] pts pts11: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 59.769155] pts pts12: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 59.776672] pts pts13: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.081470] pts pts14: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.088888] pts pts15: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.369500] pts pts16: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.377030] pts pts17: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.393147] pts pts18: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.401063] pts pts19: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.531320] pts pts20: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.538754] pts pts21: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.609915] pts pts22: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.617504] pts pts23: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.645795] pts pts25: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.651406] pts pts31: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.651500] pts pts34: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.655074] pts pts24: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.655169] pts pts30: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.655813] pts pts27: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.655952] pts pts33: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.656844] pts pts26: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.678980] pts pts28: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.679079] pts pts32: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.714497] pts pts35: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.714596] pts pts37: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.716623] pts pts36: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.716728] pts pts42: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.727547] pts pts39: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.736650] pts pts38: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.736751] pts pts40: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.739302] pts pts41: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.739401] pts pts43: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.775358] pts pts46: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.777442] pts pts44: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.804344] pts pts48: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.804440] pts pts45: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.914937] pts pts29: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.942046] pts pts50: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.945493] pts pts52: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.945590] pts pts58: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.946362] pts pts51: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.946453] pts pts57: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.948886] pts pts53: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.948978] pts pts59: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.971167] pts pts47: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.971280] pts pts54: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.981422] pts pts49: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 60.981519] pts pts56: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 61.002769] pts pts61: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 61.002866] pts pts63: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 61.005226] pts pts64: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 61.005321] pts pts65: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 61.008815] pts pts60: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 61.031598] pts pts62: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 61.031726] pts pts67: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
[ 61.049215] ==================================================================
[ 61.049240] BUG: KASAN: user-memory-access in n_tty_set_termios+0xee/0xcb0
[ 61.049246] Write of size 512 at addr 0000000000001060 by task syz-executor5/4613
[ 61.049248]
[ 61.049256] CPU: 0 PID: 4613 Comm: syz-executor5 Not tainted 4.14.71+ #8
[ 61.049259] Call Trace:
[ 61.049269]  dump_stack+0xb9/0x11b
[ 61.049283]  kasan_report.cold.6+0x6d/0x2dd
[ 61.049289]  ? n_tty_set_termios+0xee/0xcb0
[ 61.049300]  memset+0x1f/0x40
[ 61.049309]  n_tty_set_termios+0xee/0xcb0
[ 61.049318]  ? process_echoes+0x140/0x140
[ 61.049326]  tty_set_termios+0x5fd/0x860
[ 61.049338]  ? tty_wait_until_sent+0x480/0x480
[ 61.049345]  ? lock_downgrade+0x560/0x560
[ 61.049367]  set_termios+0x2bf/0x440
[ 61.049376]  ? __tty_perform_flush+0x200/0x200
[ 61.049399]  tty_mode_ioctl+0x4a1/0x920
[ 61.049408]  ? tty_perform_flush+0x70/0x70
[ 61.049417]  ? __ldsem_down_read_nested+0xb6/0x5b0
[ 61.049423]  ? __ldsem_down_read_nested+0xd4/0x5b0
[ 61.049433]  ? hash_futex+0x12/0x200
[ 61.049443]  ? __ldsem_wake+0x320/0x320
[ 61.049454]  ? avc_has_extended_perms+0x406/0xd50
[ 61.049470]  n_tty_ioctl_helper+0x3f/0x350
[ 61.049480]  n_tty_ioctl+0x43/0x2e0
[ 61.049486]  ? pty_write_room+0xc0/0xc0
[ 61.049498]  tty_ioctl+0x551/0x13e0
[ 61.049505]  ? n_tty_receive_buf+0x40/0x40
[ 61.049512]  ? tty_vhangup+0x30/0x30
[ 61.049520]  ? avc_ss_reset+0x100/0x100
[ 61.049534]  ? __lock_acquire+0x619/0x4320
[ 61.049545]  ? exit_robust_list+0x210/0x210
[ 61.049554]  ? debug_check_no_obj_freed+0x2b2/0x77c
[ 61.049563]  ? lock_downgrade+0x560/0x560
[ 61.049577]  ? trace_hardirqs_on+0x10/0x10
[ 61.049586]  ? trace_hardirqs_on_caller+0x381/0x520
[ 61.049601]  ? tty_vhangup+0x30/0x30
[ 61.049626]  do_vfs_ioctl+0x1a0/0x1030
[ 61.049638]  ? ioctl_preallocate+0x1d0/0x1d0
[ 61.049652]  ? selinux_parse_skb.constprop.42+0x1a90/0x1a90
[ 61.049661]  ? __lockdep_init_map+0x433/0x480
[ 61.049666]  ? lock_acquire+0x10f/0x380
[ 61.049674]  ? check_preemption_disabled+0x34/0x160
[ 61.049682]  ? assoc_array_gc+0x107b/0x1120
[ 61.049698]  ? __fget+0x22b/0x3a0
[ 61.049723]  ? security_file_ioctl+0x7c/0xb0
[ 61.049736]  SyS_ioctl+0x7e/0xb0
[ 61.049744]  ? do_vfs_ioctl+0x1030/0x1030
[ 61.049754]  do_syscall_64+0x19b/0x4b0
[ 61.049769]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 61.049775] RIP: 0033:0x457679
[ 61.049779] RSP: 002b:00007f6f81977c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 61.049787] RAX: ffffffffffffffda RBX: 00007f6f819786d4 RCX: 0000000000457679
[ 61.049792] RDX: 0000000020000040 RSI: 0000000000005403 RDI: 0000000000000006
[ 61.049796] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
[ 61.049801] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 61.049805] R13: 00000000004d1758 R14: 00000000004c0ef8 R15: 0000000000000000
[ 61.049827] ==================================================================
[ 61.049829] Disabling lock debugging due to kernel taint
[ 61.049902] Kernel panic - not syncing: panic_on_warn set ...
[ 61.049902]
[ 61.049910] CPU: 0 PID: 4613 Comm: syz-executor5 Tainted: G B 4.14.71+ #8
[ 61.049912] Call Trace:
[ 61.049920]  dump_stack+0xb9/0x11b
[ 61.049929]  panic+0x1bf/0x3a4
[ 61.049936]  ? add_taint.cold.4+0x16/0x16
[ 61.049945]  ? ___preempt_schedule+0x16/0x18
[ 61.049956]  kasan_end_report+0x43/0x49
[ 61.049964]  kasan_report.cold.6+0x77/0x2dd
[ 61.049969]  ? n_tty_set_termios+0xee/0xcb0
[ 61.049978]  memset+0x1f/0x40
[ 61.049985]  n_tty_set_termios+0xee/0xcb0
[ 61.049992]  ? process_echoes+0x140/0x140
[ 61.049999]  tty_set_termios+0x5fd/0x860
[ 61.050014]  ? tty_wait_until_sent+0x480/0x480
[ 61.050019]  ? lock_downgrade+0x560/0x560
[ 61.050031]  set_termios+0x2bf/0x440
[ 61.050038]  ? __tty_perform_flush+0x200/0x200
[ 61.050051]  tty_mode_ioctl+0x4a1/0x920
[ 61.050059]  ? tty_perform_flush+0x70/0x70
[ 61.050066]  ? __ldsem_down_read_nested+0xb6/0x5b0
[ 61.050073]  ? __ldsem_down_read_nested+0xd4/0x5b0
[ 61.050080]  ? hash_futex+0x12/0x200
[ 61.050088]  ? __ldsem_wake+0x320/0x320
[ 61.050096]  ? avc_has_extended_perms+0x406/0xd50
[ 61.050107]  n_tty_ioctl_helper+0x3f/0x350
[ 61.050114]  n_tty_ioctl+0x43/0x2e0
[ 61.050120]  ? pty_write_room+0xc0/0xc0
[ 61.050128]  tty_ioctl+0x551/0x13e0
[ 61.050134]  ? n_tty_receive_buf+0x40/0x40
[ 61.050140]  ? tty_vhangup+0x30/0x30
[ 61.050147]  ? avc_ss_reset+0x100/0x100
[ 61.050156]  ? __lock_acquire+0x619/0x4320
[ 61.050164]  ? exit_robust_list+0x210/0x210
[ 61.050172]  ? debug_check_no_obj_freed+0x2b2/0x77c
[ 61.050179]  ? lock_downgrade+0x560/0x560
[ 61.050189]  ? trace_hardirqs_on+0x10/0x10
[ 61.050196]  ? trace_hardirqs_on_caller+0x381/0x520
[ 61.050205]  ? tty_vhangup+0x30/0x30
[ 61.050213]  do_vfs_ioctl+0x1a0/0x1030
[ 61.050223]  ? ioctl_preallocate+0x1d0/0x1d0
[ 61.050232]  ? selinux_parse_skb.constprop.42+0x1a90/0x1a90
[ 61.050239]  ? __lockdep_init_map+0x433/0x480
[ 61.050245]  ? lock_acquire+0x10f/0x380
[ 61.050251]  ? check_preemption_disabled+0x34/0x160
[ 61.050258]  ? assoc_array_gc+0x107b/0x1120
[ 61.050268]  ? __fget+0x22b/0x3a0
[ 61.050277]  ? security_file_ioctl+0x7c/0xb0
[ 61.050286]  SyS_ioctl+0x7e/0xb0
[ 61.050293]  ? do_vfs_ioctl+0x1030/0x1030
[ 61.050300]  do_syscall_64+0x19b/0x4b0
[ 61.050310]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 61.050315] RIP: 0033:0x457679
[ 61.050318] RSP: 002b:00007f6f81977c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 61.050325] RAX: ffffffffffffffda RBX: 00007f6f819786d4 RCX: 0000000000457679
[ 61.050329] RDX: 0000000020000040 RSI: 0000000000005403 RDI: 0000000000000006
[ 61.050333] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
[ 61.050337] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 61.050341] R13: 00000000004d1758 R14: 00000000004c0ef8 R15: 0000000000000000
[ 61.050682] Kernel Offset: 0x27000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 61.712931] Rebooting in 86400 seconds..