[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 19.920740] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 23.768476] random: sshd: uninitialized urandom read (32 bytes read) [ 24.161096] random: sshd: uninitialized urandom read (32 bytes read) [ 24.910117] random: sshd: uninitialized urandom read (32 bytes read) [ 25.066723] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.9' (ECDSA) to the list of known hosts. [ 30.523055] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 30.625442] ================================================================== [ 30.632891] BUG: KASAN: slab-out-of-bounds in nla_strlcpy+0x13d/0x150 [ 30.639454] Read of size 1 at addr ffff8801ad004f9d by task syz-executor796/4510 [ 30.646967] [ 30.648581] CPU: 1 PID: 4510 Comm: syz-executor796 Not tainted 4.17.0-rc6+ #68 [ 30.655930] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 30.665262] Call Trace: [ 30.667869] dump_stack+0x1b9/0x294 [ 30.671483] ? dump_stack_print_info.cold.2+0x52/0x52 [ 30.676663] ? printk+0x9e/0xba [ 30.679927] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 30.684668] ? kasan_check_write+0x14/0x20 [ 30.688890] print_address_description+0x6c/0x20b [ 30.693715] ? nla_strlcpy+0x13d/0x150 [ 30.697584] kasan_report.cold.7+0x242/0x2fe [ 30.702011] __asan_report_load1_noabort+0x14/0x20 [ 30.706931] nla_strlcpy+0x13d/0x150 [ 30.710625] nfnl_acct_new+0x574/0xc50 [ 30.714493] ? nfnl_acct_overquota+0x380/0x380 [ 30.719068] ? debug_check_no_locks_freed+0x310/0x310 [ 30.724246] ? graph_lock+0x170/0x170 [ 30.728044] ? print_usage_bug+0xc0/0xc0 [ 30.732097] ? find_held_lock+0x36/0x1c0 [ 30.736140] ? graph_lock+0x170/0x170 [ 30.739932] ? lock_downgrade+0x8e0/0x8e0 [ 30.744068] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.749599] ? __lock_is_held+0xb5/0x140 [ 30.753655] ? nfnl_acct_overquota+0x380/0x380 [ 30.758244] nfnetlink_rcv_msg+0xdb5/0xff0 [ 30.762478] ? __sanitizer_cov_trace_cmp1+0x17/0x20 [ 30.767487] ? nfnetlink_rcv_msg+0x3bc/0xff0 [ 30.771898] ? nfnetlink_bind+0x3a0/0x3a0 [ 30.776038] ? graph_lock+0x170/0x170 [ 30.779835] ? find_held_lock+0x36/0x1c0 [ 30.783888] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.789413] netlink_rcv_skb+0x172/0x440 [ 30.793458] ? nfnetlink_bind+0x3a0/0x3a0 [ 30.797596] ? netlink_ack+0xbc0/0xbc0 [ 30.801468] ? __netlink_ns_capable+0x100/0x130 [ 30.806118] nfnetlink_rcv+0x1fe/0x1ba0 [ 30.810088] ? kasan_check_read+0x11/0x20 [ 30.814222] ? rcu_is_watching+0x85/0x140 [ 30.818352] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 30.823525] ? nfnl_err_reset+0x2d0/0x2d0 [ 30.827664] ? netlink_remove_tap+0x610/0x610 [ 30.832159] ? refcount_add_not_zero+0x320/0x320 [ 30.836907] ? kasan_check_read+0x11/0x20 [ 30.841047] ? rcu_is_watching+0x85/0x140 [ 30.845182] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 30.850363] ? netlink_skb_destructor+0x210/0x210 [ 30.855194] ? kasan_check_write+0x14/0x20 [ 30.859416] netlink_unicast+0x58b/0x740 [ 30.863468] ? netlink_attachskb+0x970/0x970 [ 30.867879] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.873399] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 30.878398] ? security_netlink_send+0x88/0xb0 [ 30.882961] netlink_sendmsg+0x9f0/0xfa0 [ 30.887021] ? netlink_unicast+0x740/0x740 [ 30.891255] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.896790] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.902316] ? security_socket_sendmsg+0x94/0xc0 [ 30.907055] ? netlink_unicast+0x740/0x740 [ 30.911275] sock_sendmsg+0xd5/0x120 [ 30.914975] sock_write_iter+0x35a/0x5a0 [ 30.919027] ? sock_sendmsg+0x120/0x120 [ 30.923002] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 30.928530] ? iov_iter_init+0xc9/0x1f0 [ 30.932501] __vfs_write+0x64d/0x960 [ 30.936200] ? kernel_read+0x120/0x120 [ 30.940076] ? lock_downgrade+0x8e0/0x8e0 [ 30.944214] ? handle_mm_fault+0x8c0/0xc70 [ 30.948430] ? handle_mm_fault+0x55a/0xc70 [ 30.952647] ? rw_verify_area+0x118/0x360 [ 30.956775] vfs_write+0x1f8/0x560 [ 30.960296] ksys_write+0xf9/0x250 [ 30.963819] ? __ia32_sys_read+0xb0/0xb0 [ 30.967861] ? __ia32_sys_fallocate+0xf0/0xf0 [ 30.972339] __x64_sys_write+0x73/0xb0 [ 30.976209] do_syscall_64+0x1b1/0x800 [ 30.980084] ? syscall_return_slowpath+0x5c0/0x5c0 [ 30.984999] ? syscall_return_slowpath+0x30f/0x5c0 [ 30.989923] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.995443] ? retint_user+0x18/0x18 [ 30.999154] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 31.003987] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.009156] RIP: 0033:0x43fcf9 [ 31.012326] RSP: 002b:00007fffa6c51818 EFLAGS: 00000213 ORIG_RAX: 0000000000000001 [ 31.020017] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fcf9 [ 31.027286] RDX: 000000000000001f RSI: 0000000020390000 RDI: 0000000000000003 [ 31.034538] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 31.041789] R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401620 [ 31.049044] R13: 00000000004016b0 R14: 0000000000000000 R15: 0000000000000000 [ 31.056304] [ 31.057912] Allocated by task 4510: [ 31.061524] save_stack+0x43/0xd0 [ 31.064964] kasan_kmalloc+0xc4/0xe0 [ 31.068664] __kmalloc+0x14e/0x760 [ 31.072197] load_elf_phdrs+0x17a/0x250 [ 31.076150] load_elf_binary+0x9bd/0x5610 [ 31.080277] search_binary_handler+0x17d/0x570 [ 31.084840] do_execveat_common.isra.34+0x16ce/0x2590 [ 31.090013] __x64_sys_execve+0x8d/0xb0 [ 31.093979] do_syscall_64+0x1b1/0x800 [ 31.097849] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.103017] [ 31.104631] Freed by task 4510: [ 31.107903] save_stack+0x43/0xd0 [ 31.111343] __kasan_slab_free+0x11a/0x170 [ 31.115560] kasan_slab_free+0xe/0x10 [ 31.119338] kfree+0xd9/0x260 [ 31.122424] load_elf_binary+0x255d/0x5610 [ 31.126727] search_binary_handler+0x17d/0x570 [ 31.131296] do_execveat_common.isra.34+0x16ce/0x2590 [ 31.136466] __x64_sys_execve+0x8d/0xb0 [ 31.140423] do_syscall_64+0x1b1/0x800 [ 31.144291] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.149453] [ 31.151060] The buggy address belongs to the object at ffff8801ad004c80 [ 31.151060] which belongs to the cache kmalloc-512 of size 512 [ 31.163696] The buggy address is located 285 bytes to the right of [ 31.163696] 512-byte region [ffff8801ad004c80, ffff8801ad004e80) [ 31.176077] The buggy address belongs to the page: [ 31.180996] page:ffffea0006b40100 count:1 mapcount:0 mapping:ffff8801ad004000 index:0x0 [ 31.189130] flags: 0x2fffc0000000100(slab) [ 31.193349] raw: 02fffc0000000100 ffff8801ad004000 0000000000000000 0000000100000006 [ 31.201214] raw: ffffea0006b41ca0 ffff8801da801748 ffff8801da800940 0000000000000000 [ 31.209071] page dumped because: kasan: bad access detected [ 31.214761] [ 31.216365] Memory state around the buggy address: [ 31.221287] ffff8801ad004e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.228624] ffff8801ad004f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.235970] >ffff8801ad004f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.243315] ^ [ 31.247442] ffff8801ad005000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 31.254780] ffff8801ad005080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 31.262117] ================================================================== [ 31.269457] Disabling lock debugging due to kernel taint [ 31.274938] Kernel panic - not syncing: panic_on_warn set ... [ 31.274938] [ 31.282312] CPU: 1 PID: 4510 Comm: syz-executor796 Tainted: G B 4.17.0-rc6+ #68 [ 31.291059] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.300395] Call Trace: [ 31.302970] dump_stack+0x1b9/0x294 [ 31.306582] ? dump_stack_print_info.cold.2+0x52/0x52 [ 31.311842] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 31.316579] ? nla_strlcpy+0x70/0x150 [ 31.320365] panic+0x22f/0x4de [ 31.323541] ? add_taint.cold.5+0x16/0x16 [ 31.327702] ? do_raw_spin_unlock+0x9e/0x2e0 [ 31.332091] ? do_raw_spin_unlock+0x9e/0x2e0 [ 31.336500] ? nla_strlcpy+0x13d/0x150 [ 31.340371] kasan_end_report+0x47/0x4f [ 31.344325] kasan_report.cold.7+0x76/0x2fe [ 31.348722] __asan_report_load1_noabort+0x14/0x20 [ 31.353631] nla_strlcpy+0x13d/0x150 [ 31.357326] nfnl_acct_new+0x574/0xc50 [ 31.361201] ? nfnl_acct_overquota+0x380/0x380 [ 31.365773] ? debug_check_no_locks_freed+0x310/0x310 [ 31.370943] ? graph_lock+0x170/0x170 [ 31.374723] ? print_usage_bug+0xc0/0xc0 [ 31.378781] ? find_held_lock+0x36/0x1c0 [ 31.382821] ? graph_lock+0x170/0x170 [ 31.386603] ? lock_downgrade+0x8e0/0x8e0 [ 31.390735] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.396255] ? __lock_is_held+0xb5/0x140 [ 31.400301] ? nfnl_acct_overquota+0x380/0x380 [ 31.404864] nfnetlink_rcv_msg+0xdb5/0xff0 [ 31.409087] ? __sanitizer_cov_trace_cmp1+0x17/0x20 [ 31.414087] ? nfnetlink_rcv_msg+0x3bc/0xff0 [ 31.418486] ? nfnetlink_bind+0x3a0/0x3a0 [ 31.422614] ? graph_lock+0x170/0x170 [ 31.426396] ? find_held_lock+0x36/0x1c0 [ 31.430444] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.435963] netlink_rcv_skb+0x172/0x440 [ 31.440002] ? nfnetlink_bind+0x3a0/0x3a0 [ 31.444137] ? netlink_ack+0xbc0/0xbc0 [ 31.448004] ? __netlink_ns_capable+0x100/0x130 [ 31.452657] nfnetlink_rcv+0x1fe/0x1ba0 [ 31.456615] ? kasan_check_read+0x11/0x20 [ 31.460742] ? rcu_is_watching+0x85/0x140 [ 31.464878] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 31.470053] ? nfnl_err_reset+0x2d0/0x2d0 [ 31.474181] ? netlink_remove_tap+0x610/0x610 [ 31.478656] ? refcount_add_not_zero+0x320/0x320 [ 31.483389] ? kasan_check_read+0x11/0x20 [ 31.487523] ? rcu_is_watching+0x85/0x140 [ 31.491659] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 31.496832] ? netlink_skb_destructor+0x210/0x210 [ 31.501653] ? kasan_check_write+0x14/0x20 [ 31.505867] netlink_unicast+0x58b/0x740 [ 31.509912] ? netlink_attachskb+0x970/0x970 [ 31.514302] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.519819] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 31.524824] ? security_netlink_send+0x88/0xb0 [ 31.529388] netlink_sendmsg+0x9f0/0xfa0 [ 31.533432] ? netlink_unicast+0x740/0x740 [ 31.537648] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.543166] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.548685] ? security_socket_sendmsg+0x94/0xc0 [ 31.553422] ? netlink_unicast+0x740/0x740 [ 31.557641] sock_sendmsg+0xd5/0x120 [ 31.561336] sock_write_iter+0x35a/0x5a0 [ 31.565376] ? sock_sendmsg+0x120/0x120 [ 31.569337] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 31.574860] ? iov_iter_init+0xc9/0x1f0 [ 31.578815] __vfs_write+0x64d/0x960 [ 31.582508] ? kernel_read+0x120/0x120 [ 31.586376] ? lock_downgrade+0x8e0/0x8e0 [ 31.590508] ? handle_mm_fault+0x8c0/0xc70 [ 31.594727] ? handle_mm_fault+0x55a/0xc70 [ 31.598943] ? rw_verify_area+0x118/0x360 [ 31.603069] vfs_write+0x1f8/0x560 [ 31.606594] ksys_write+0xf9/0x250 [ 31.610115] ? __ia32_sys_read+0xb0/0xb0 [ 31.614176] ? __ia32_sys_fallocate+0xf0/0xf0 [ 31.618654] __x64_sys_write+0x73/0xb0 [ 31.622525] do_syscall_64+0x1b1/0x800 [ 31.626395] ? syscall_return_slowpath+0x5c0/0x5c0 [ 31.631304] ? syscall_return_slowpath+0x30f/0x5c0 [ 31.636218] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.641741] ? retint_user+0x18/0x18 [ 31.645438] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 31.650263] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.655439] RIP: 0033:0x43fcf9 [ 31.658621] RSP: 002b:00007fffa6c51818 EFLAGS: 00000213 ORIG_RAX: 0000000000000001 [ 31.666395] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fcf9 [ 31.674263] RDX: 000000000000001f RSI: 0000000020390000 RDI: 0000000000000003 [ 31.681518] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 31.688765] R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401620 [ 31.696014] R13: 00000000004016b0 R14: 0000000000000000 R15: 0000000000000000 [ 31.703934] Dumping ftrace buffer: [ 31.707463] (ftrace buffer empty) [ 31.711152] Kernel Offset: disabled [ 31.714754] Rebooting in 86400 seconds..