[ ok ] Starting enhanced syslogd: rsyslogd.
[    9.576856] audit: type=1400 audit(1512921358.931:4): avc: denied { syslog } for pid=3163 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-android-49-kasan-gce-386-1,10.128.15.202' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   29.008211] ==================================================================
[   29.009442] BUG: KASAN: slab-out-of-bounds in pfkey_compile_policy+0x8e6/0xd40 at addr ffff8801cf1ef158
[   29.010728] Read of size 1280 by task syzkaller254444/3327
[   29.011589] CPU: 1 PID: 3327 Comm: syzkaller254444 Not tainted 4.9.67-gf26d3c7 #2
[   29.012653] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.014037]  ffff8801cb7677d8 ffffffff81d906e9 ffff8801da0013c0 ffff8801cf1ef140
[   29.015238]  ffff8801cf1ef240 ffffed0039e3de40 ffff8801cf1ef158 ffff8801cb767800
[   29.016367]  ffffffff8153a2cc ffffed0039e3de40 ffff8801da0013c0 0000000000000000
[   29.017498] Call Trace:
[   29.017855]  [] dump_stack+0xc1/0x128
[   29.018602]  [] kasan_object_err+0x1c/0x70
[   29.019389]  [] kasan_report.part.1+0x21c/0x500
[   29.020281]  [] ? pfkey_compile_policy+0x8e6/0xd40
[   29.021136]  [] ? kasan_unpoison_shadow+0x35/0x50
[   29.022027]  [] kasan_report+0x21/0x30
[   29.022750]  [] check_memory_region+0x137/0x190
[   29.023589]  [] memcpy+0x23/0x50
[   29.024271]  [] pfkey_compile_policy+0x8e6/0xd40
[   29.025105]  [] xfrm_user_policy+0x2fe/0x530
[   29.025913]  [] ? xfrm_user_policy+0x21a/0x530
[   29.026722]  [] ? xfrm_replay_timer_handler+0x320/0x320
[   29.027634]  [] ? ns_capable_common+0xcf/0x160
[   29.029076]  [] do_ip_setsockopt.isra.12+0x1977/0x2960
[   29.035884]  [] ? ip_ra_control+0x440/0x440
[   29.041737]  [] ? __lock_acquire+0x629/0x3640
[   29.047764]  [] ? release_pages+0x595/0x930
[   29.053626]  [] ? check_preemption_disabled+0x3b/0x200
[   29.060439]  [] ? avc_has_perm+0x28b/0x4f0
[   29.066202]  [] ? avc_has_perm+0x2fd/0x4f0
[   29.071966]  [] ? avc_has_perm+0xb0/0x4f0
[   29.077644]  [] ? avc_has_perm_noaudit+0x450/0x450
[   29.084103]  [] ? check_preemption_disabled+0x3b/0x200
[   29.090919]  [] ? sock_has_perm+0x1c2/0x3e0
[   29.096770]  [] ? sock_has_perm+0x292/0x3e0
[   29.102620]  [] ? sock_has_perm+0x9f/0x3e0
[   29.108385]  [] ? selinux_file_send_sigiotask+0x310/0x310
[   29.115453]  [] compat_ip_setsockopt+0x4f/0xf0
[   29.121566]  [] inet_csk_compat_setsockopt+0x95/0x120
[   29.128291]  [] ? ip_setsockopt+0xb0/0xb0
[   29.133970]  [] compat_tcp_setsockopt+0x3d/0x70
[   29.140173]  [] compat_sock_common_setsockopt+0xb2/0x140
[   29.147152]  [] ? tcp_setsockopt+0xd0/0xd0
[   29.152916]  [] compat_SyS_setsockopt+0x149/0x290
[   29.159288]  [] ? sock_common_setsockopt+0xd0/0xd0
[   29.165745]  [] ? scm_detach_fds_compat+0x3c0/0x3c0
[   29.172290]  [] ? do_fast_syscall_32+0xcf/0x890
[   29.178489]  [] ? scm_detach_fds_compat+0x3c0/0x3c0
[   29.185033]  [] do_fast_syscall_32+0x2f7/0x890
[   29.191146]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   29.197787]  [] entry_SYSENTER_compat+0x51/0x60
[   29.204001] Object at ffff8801cf1ef140, in cache kmalloc-256 size: 256
[   29.210631] Allocated:
[   29.213092] PID = 3327
[   29.215571]  save_stack_trace+0x16/0x20
[   29.219520]  save_stack+0x43/0xd0
[   29.222938]  kasan_kmalloc+0xad/0xe0
[   29.226625]  __kmalloc+0x11d/0x310
[   29.230130]  xfrm_user_policy+0xc1/0x530
[   29.234164]  do_ip_setsockopt.isra.12+0x1977/0x2960
[   29.239145]  compat_ip_setsockopt+0x4f/0xf0
[   29.243432]  inet_csk_compat_setsockopt+0x95/0x120
[   29.248327]  compat_tcp_setsockopt+0x3d/0x70
[   29.252700]  compat_sock_common_setsockopt+0xb2/0x140
[   29.257855]  compat_SyS_setsockopt+0x149/0x290
[   29.262400]  do_fast_syscall_32+0x2f7/0x890
[   29.266685]  entry_SYSENTER_compat+0x51/0x60
[   29.271063] Freed:
[   29.273181] PID = 2996
[   29.275644]  save_stack_trace+0x16/0x20
[   29.279596]  save_stack+0x43/0xd0
[   29.283013]  kasan_slab_free+0x73/0xc0
[   29.286863]  kfree+0xf0/0x2f0
[   29.289944]  free_bprm+0x19d/0x200
[   29.293460]  do_execveat_common.isra.37+0x17df/0x1f10
[   29.298612]  SyS_execve+0x42/0x50
[   29.302030]  do_syscall_64+0x197/0x490
[   29.305882]  return_from_SYSCALL_64+0x0/0x7a
[   29.310260] Memory state around the buggy address:
[   29.315155]  ffff8801cf1ef100: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   29.322488]  ffff8801cf1ef180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   29.329813] >ffff8801cf1ef200: 02 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.337135]                    ^
[   29.340473]  ffff8801cf1ef280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.347797]  ffff8801cf1ef300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.355120] ======================================
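The numbers in a KASAN report above are enough to triage it without a debugger: the faulting address minus the object base gives the offset of the read inside the kmalloc buffer, the access size tells how far past the end it runs, and the shadow bytes (00 = all eight bytes of a granule addressable, 01..07 = only that many leading bytes, fc/fb = poisoned redzone or freed memory) reveal how many bytes were actually requested from kmalloc-256, since the allocator poisons the slack after the requested length. The script below is an added triage example, not part of the syzkaller output or of the kernel; `REPORT` is a constructed excerpt of the log above with timestamps and KASAN-internal frames dropped, and the field names it returns are my own. Under the page's values it reports a read starting 24 bytes into a buffer that the shadow shows was only 194 bytes long, running 1110 bytes past that length and 1048 bytes past the 256-byte slab object, reached through the 32-bit compat setsockopt path. The 24-byte offset equals sizeof(struct sadb_x_policy) (16) plus the 8-byte struct sadb_x_sec_ctx header, which is my reading of where the copy of the security-context payload begins in net/key/af_key.c, not something the report states.

```python
import re

# Constructed excerpt of the KASAN report above: same values as the console
# log, trimmed to the lines the triage parser needs.
REPORT = """\
BUG: KASAN: slab-out-of-bounds in pfkey_compile_policy+0x8e6/0xd40 at addr ffff8801cf1ef158
Read of size 1280 by task syzkaller254444/3327
Call Trace:
 [] memcpy+0x23/0x50
 [] pfkey_compile_policy+0x8e6/0xd40
 [] xfrm_user_policy+0x2fe/0x530
 [] do_ip_setsockopt.isra.12+0x1977/0x2960
 [] compat_ip_setsockopt+0x4f/0xf0
 [] compat_SyS_setsockopt+0x149/0x290
 [] do_fast_syscall_32+0x2f7/0x890
 [] entry_SYSENTER_compat+0x51/0x60
Object at ffff8801cf1ef140, in cache kmalloc-256 size: 256
Allocated:
PID = 3327
 __kmalloc+0x11d/0x310
 xfrm_user_policy+0xc1/0x530
Freed:
PID = 2996
 kfree+0xf0/0x2f0
 free_bprm+0x19d/0x200
Memory state around the buggy address:
 ffff8801cf1ef100: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
 ffff8801cf1ef180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801cf1ef200: 02 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff8801cf1ef280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

HEADER_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+ at addr (?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) by task (?P<task>\S+)/(?P<pid>\d+)")
OBJECT_RE = re.compile(r"Object at (?P<base>[0-9a-f]+), in cache (?P<cache>\S+) size: (?P<size>\d+)")
PID_RE = re.compile(r"PID = (?P<pid>\d+)")
FRAME_RE = re.compile(r"^\s*(?:\[\]\s*)?(?:\?\s*)?(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")
SHADOW_RE = re.compile(r"^>?\s*(?P<addr>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")


def parse_report(text):
    """Pull header, access, object, the three stacks and the shadow dump out of a 4.x-era KASAN report."""
    r = {"trace": [], "alloc": [], "free": [], "shadow": {}, "pids": {}}
    section = None
    for line in text.splitlines():
        if (m := HEADER_RE.search(line)):
            r.update(kind=m["kind"], func=m["func"], addr=int(m["addr"], 16))
        elif (m := ACCESS_RE.search(line)):
            r.update(op=m["op"], size=int(m["size"]), task=m["task"], pid=int(m["pid"]))
        elif (m := OBJECT_RE.search(line)):
            r.update(obj_base=int(m["base"], 16), cache=m["cache"], obj_size=int(m["size"]))
        elif line.startswith("Call Trace:"):
            section = "trace"
        elif line.startswith("Allocated:"):
            section = "alloc"
        elif line.startswith("Freed:"):
            section = "free"
        elif (m := PID_RE.match(line)) and section:
            r["pids"][section] = int(m["pid"])
        elif (m := SHADOW_RE.match(line)):
            base = int(m["addr"], 16)
            for i, b in enumerate(m["bytes"].split()):
                r["shadow"][base + 8 * i] = int(b, 16)  # one shadow byte per 8-byte granule
        elif (m := FRAME_RE.match(line)) and section:
            r[section].append(m["sym"])
    return r


def accessible_bytes(shadow, base, max_len):
    """Walk the shadow from `base`: 00 = 8 addressable bytes, 01..07 = that many leading bytes, else poisoned."""
    n = 0
    while n < max_len:
        b = shadow.get(base + n)
        if b == 0:
            n += 8
            continue
        if b is not None and 1 <= b <= 7:
            n += b
        break
    return n


def triage(text):
    r = parse_report(text)
    base, obj_size = r["obj_base"], r["obj_size"]
    start, end = r["addr"], r["addr"] + r["size"]
    alloc_size = accessible_bytes(r["shadow"], base, obj_size)  # bytes actually requested from kmalloc
    entries = [f for f in r["trace"] if f.startswith("entry_")]
    return {
        "bug": f'{r["kind"]} {r["op"]} in {r["func"]}',
        "cache": r["cache"],
        "offset_in_object": start - base,
        "inferred_alloc_size": alloc_size,
        "bytes_past_alloc": max(0, end - (base + alloc_size)),
        "bytes_past_object": max(0, end - (base + obj_size)),
        "entry_point": entries[0] if entries else None,  # syscall entry => user-reachable
        "allocator_frame": next((f for f in r["alloc"] if not f.startswith(("__kmalloc", "kmalloc"))), None),
        # The "Freed:" stack is whoever last owned this slab slot; for an out-of-bounds
        # report it is history, not the bug, so flag it when it is a different process.
        "free_stack_is_prior_owner": r["pids"].get("free") not in (None, r["pid"]),
    }


if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key:>26}: {value}")
```

The `free_stack_is_prior_owner` flag is the caveat worth keeping in mind when reading this report: the Freed stack (PID 2996, `free_bprm` from an execve) has nothing to do with the af_key path and is not evidence of a use-after-free; KASAN prints the slot's last free for every slab report, and the bug class here is an over-read of a short user-sized buffer.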