[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.190' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   41.495280] audit: type=1400 audit(1602424041.902:8): avc: denied { execmem } for pid=6496 comm="syz-executor380" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[   41.512010] ==================================================================
[   41.523052] BUG: KASAN: slab-out-of-bounds in squashfs_get_id+0x1bc/0x1f0
[   41.529985] Read of size 8 at addr ffff88808d849ba0 by task syz-executor380/6496
[   41.537706] 
[   41.539344] CPU: 0 PID: 6496 Comm: syz-executor380 Not tainted 4.19.150-syzkaller #0
[   41.547484] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   41.557107] Call Trace:
[   41.559699]  dump_stack+0x22c/0x33e
[   41.563320]  print_address_description.cold+0x56/0x25c
[   41.568694]  kasan_report_error.cold+0x66/0xb9
[   41.573276]  ? squashfs_get_id+0x1bc/0x1f0
[   41.577523]  __asan_report_load8_noabort+0x88/0x90
[   41.582455]  ? squashfs_get_id+0x1bc/0x1f0
[   41.586864]  squashfs_get_id+0x1bc/0x1f0
[   41.590923]  ? squashfs_read_fragment_index_table+0xf0/0xf0
[   41.596628]  ? squashfs_read_metadata+0x2e5/0x3b0
[   41.601579]  squashfs_read_inode+0x197/0x1940
[   41.606166]  ? squashfs_read_id_index_table+0xf0/0xf0
[   41.611941]  ? find_held_lock+0x2d/0x110
[   41.616127]  ? new_inode+0xc7/0xf0
[   41.619847]  ? do_raw_spin_lock+0xcb/0x220
[   41.624116]  ? do_raw_spin_unlock+0x171/0x240
[   41.628698]  squashfs_fill_super+0x1277/0x190a
[   41.633371]  mount_bdev+0x2fc/0x3b0
[   41.637113]  ? squashfs_remount+0x50/0x50
[   41.641248]  mount_fs+0xa3/0x318
[   41.644821]  vfs_kern_mount.part.0+0x68/0x470
[   41.649319]  do_mount+0x51c/0x2f10
[   41.653425]  ? __do_page_fault+0x1ca/0xe00
[   41.657744]  ? copy_mount_string+0x40/0x40
[   41.661975]  ? copy_mount_options+0x1c3/0x370
[   41.666461]  ? copy_mount_options+0x1d0/0x370
[   41.670947]  ? memset+0x20/0x40
[   41.674231]  ? copy_mount_options+0x261/0x370
[   41.678776]  ksys_mount+0xcf/0x130
[   41.682526]  __x64_sys_mount+0xba/0x150
[   41.686929]  ? lockdep_hardirqs_on+0x3c1/0x5e0
[   41.691694]  do_syscall_64+0xf9/0x670
[   41.695648]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   41.700840] RIP: 0033:0x446d2a
[   41.704029] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 fd ad fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 da ad fb ff c3 66 0f 1f 84 00 00 00 00 00
[   41.722946] RSP: 002b:00007ffd74802fe8 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[   41.731129] RAX: ffffffffffffffda RBX: 00007ffd74803040 RCX: 0000000000446d2a
[   41.738386] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffd74803000
[   41.746433] RBP: 00007ffd74803000 R08: 00007ffd74803040 R09: 00007ffd00000015
[   41.753683] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001
[   41.760934] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[   41.768248] 
[   41.769908] Allocated by task 6496:
[   41.773546]  __kmalloc+0x15a/0x4f0
[   41.777079]  squashfs_read_table+0xc2/0x1e3
[   41.781416]  squashfs_read_xattr_id_table+0x198/0x1f0
[   41.786588]  squashfs_fill_super+0xd8a/0x190a
[   41.791192]  mount_bdev+0x2fc/0x3b0
[   41.795119]  mount_fs+0xa3/0x318
[   41.798594]  vfs_kern_mount.part.0+0x68/0x470
[   41.803091]  do_mount+0x51c/0x2f10
[   41.806620]  ksys_mount+0xcf/0x130
[   41.810221]  __x64_sys_mount+0xba/0x150
[   41.814270]  do_syscall_64+0xf9/0x670
[   41.818142]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   41.823338] 
[   41.824945] Freed by task 6496:
[   41.828411]  kfree+0xcc/0x250
[   41.831821]  squashfs_read_table+0x191/0x1e3
[   41.836218]  squashfs_read_xattr_id_table+0x198/0x1f0
[   41.841506]  squashfs_fill_super+0xd8a/0x190a
[   41.846197]  mount_bdev+0x2fc/0x3b0
[   41.849826]  mount_fs+0xa3/0x318
[   41.853180]  vfs_kern_mount.part.0+0x68/0x470
[   41.857727]  do_mount+0x51c/0x2f10
[   41.861277]  ksys_mount+0xcf/0x130
[   41.864812]  __x64_sys_mount+0xba/0x150
[   41.868770]  do_syscall_64+0xf9/0x670
[   41.872769]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   41.877938] 
[   41.879574] The buggy address belongs to the object at ffff88808d849b80
[   41.879574]  which belongs to the cache kmalloc-32 of size 32
[   41.892056] The buggy address is located 0 bytes to the right of
[   41.892056]  32-byte region [ffff88808d849b80, ffff88808d849ba0)
[   41.904280] The buggy address belongs to the page:
[   41.909208] page:ffffea0002361240 count:1 mapcount:0 mapping:ffff88812c3f61c0 index:0xffff88808d849fc1
[   41.918634] flags: 0xfffe0000000100(slab)
[   41.922856] raw: 00fffe0000000100 ffffea00023c3108 ffffea00024b6708 ffff88812c3f61c0
[   41.930825] raw: ffff88808d849fc1 ffff88808d849000 000000010000003d 0000000000000000
[   41.938794] page dumped because: kasan: bad access detected
[   41.944945] 
[   41.946552] Memory state around the buggy address:
[   41.951459]  ffff88808d849a80: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[   41.959098]  ffff88808d849b00: fb fb fb fb fc fc fc fc 00 fc fc fc fc fc fc fc
[   41.966462] >ffff88808d849b80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   41.973820]                                ^
[   41.978228]  ffff88808d849c00: fb fb fb fb fc fc fc fc 00 fc fc fc fc fc fc fc
[   41.985595]  ffff88808d849c80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   41.992957] ==================================================================
[   42.000307] Disabling lock debugging due to kernel taint
[   42.006882] Kernel panic - not syncing: panic_on_warn set ...
[   42.006882] 
[   42.014271] CPU: 0 PID: 6496 Comm: syz-executor380 Tainted: G B 4.19.150-syzkaller #0
[   42.023546] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   42.032903] Call Trace:
[   42.035504]  dump_stack+0x22c/0x33e
[   42.039156]  panic+0x2ac/0x565
[   42.042357]  ? __warn_printk+0xf3/0xf3
[   42.046349]  ? preempt_schedule_common+0x45/0xc0
[   42.051712]  ? ___preempt_schedule+0x16/0x18
[   42.056138]  ? trace_hardirqs_on+0x55/0x210
[   42.060445]  kasan_end_report+0x43/0x49
[   42.064413]  kasan_report_error.cold+0x83/0xb9
[   42.068979]  ? squashfs_get_id+0x1bc/0x1f0
[   42.073221]  __asan_report_load8_noabort+0x88/0x90
[   42.078260]  ? squashfs_get_id+0x1bc/0x1f0
[   42.082474]  squashfs_get_id+0x1bc/0x1f0
[   42.086831]  ? squashfs_read_fragment_index_table+0xf0/0xf0
[   42.094105]  ? squashfs_read_metadata+0x2e5/0x3b0
[   42.099388]  squashfs_read_inode+0x197/0x1940
[   42.103866]  ? squashfs_read_id_index_table+0xf0/0xf0
[   42.109157]  ? find_held_lock+0x2d/0x110
[   42.113220]  ? new_inode+0xc7/0xf0
[   42.116758]  ? do_raw_spin_lock+0xcb/0x220
[   42.121070]  ? do_raw_spin_unlock+0x171/0x240
[   42.125555]  squashfs_fill_super+0x1277/0x190a
[   42.130140]  mount_bdev+0x2fc/0x3b0
[   42.133769]  ? squashfs_remount+0x50/0x50
[   42.138274]  mount_fs+0xa3/0x318
[   42.141704]  vfs_kern_mount.part.0+0x68/0x470
[   42.146189]  do_mount+0x51c/0x2f10
[   42.150653]  ? __do_page_fault+0x1ca/0xe00
[   42.154878]  ? copy_mount_string+0x40/0x40
[   42.159102]  ? copy_mount_options+0x1c3/0x370
[   42.163588]  ? copy_mount_options+0x1d0/0x370
[   42.168110]  ? memset+0x20/0x40
[   42.171399]  ? copy_mount_options+0x261/0x370
[   42.175892]  ksys_mount+0xcf/0x130
[   42.179422]  __x64_sys_mount+0xba/0x150
[   42.183634]  ? lockdep_hardirqs_on+0x3c1/0x5e0
[   42.188311]  do_syscall_64+0xf9/0x670
[   42.192625]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   42.197823] RIP: 0033:0x446d2a
[   42.201005] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 fd ad fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 da ad fb ff c3 66 0f 1f 84 00 00 00 00 00
[   42.220121] RSP: 002b:00007ffd74802fe8 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[   42.227837] RAX: ffffffffffffffda RBX: 00007ffd74803040 RCX: 0000000000446d2a
[   42.235107] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffd74803000
[   42.242371] RBP: 00007ffd74803000 R08: 00007ffd74803040 R09: 00007ffd00000015
[   42.250097] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001
[   42.257360] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[   42.266065] Kernel Offset: disabled
[   42.269692] Rebooting in 86400 seconds..
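The log above is a raw syzkaller console capture, and the facts a triager needs are scattered across it: the bug class and faulting function, the size and position of the access relative to the slab object, the three stacks, and the shadow byte the access actually hit. The script below is an added example for this page (it is not syzkaller's, the kernel's, or the reporter's tooling) that pulls those facts out of a constructed sample made from a subset of the report lines above; the regular expressions, the KasanReport field names and the triage keys are the example's own. The shadow-byte meanings are the generic KASAN encoding (00 accessible, fb freed kmalloc object, fc kmalloc redzone).

```python
"""Triage helper for a KASAN slab report like the syzkaller log above.
Added example for this page (not syzkaller's or the kernel's own tooling):
it extracts bug class, faulting function, the access position relative to
the slab object, the three stacks, and the KASAN shadow byte that was hit."""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the report lines on this page.
SAMPLE = """\
[   41.523052] BUG: KASAN: slab-out-of-bounds in squashfs_get_id+0x1bc/0x1f0
[   41.529985] Read of size 8 at addr ffff88808d849ba0 by task syz-executor380/6496
[   41.557107] Call Trace:
[   41.559699]  dump_stack+0x22c/0x33e
[   41.573276]  ? squashfs_get_id+0x1bc/0x1f0
[   41.586864]  squashfs_get_id+0x1bc/0x1f0
[   41.601579]  squashfs_read_inode+0x197/0x1940
[   41.628698]  squashfs_fill_super+0x1277/0x190a
[   41.633371]  mount_bdev+0x2fc/0x3b0
[   41.700840] RIP: 0033:0x446d2a
[   41.769908] Allocated by task 6496:
[   41.773546]  __kmalloc+0x15a/0x4f0
[   41.777079]  squashfs_read_table+0xc2/0x1e3
[   41.781416]  squashfs_read_xattr_id_table+0x198/0x1f0
[   41.786588]  squashfs_fill_super+0xd8a/0x190a
[   41.824945] Freed by task 6496:
[   41.828411]  kfree+0xcc/0x250
[   41.831821]  squashfs_read_table+0x191/0x1e3
[   41.836218]  squashfs_read_xattr_id_table+0x198/0x1f0
[   41.841506]  squashfs_fill_super+0xd8a/0x190a
[   41.879574]  which belongs to the cache kmalloc-32 of size 32
[   41.892056]  32-byte region [ffff88808d849b80, ffff88808d849ba0)
[   41.966462] >ffff88808d849b80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
FRAME = re.compile(r"^\s*(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SHADOW_ROW = re.compile(r"^[> ]?([0-9a-f]{16}):((?:\s[0-9a-f]{2}){16})$")
# Generic-KASAN shadow encoding: one shadow byte describes 8 bytes of memory.
SHADOW_MEANING = {0xfa: "global redzone", 0xfb: "freed kmalloc object",
                  0xfc: "kmalloc redzone", 0xfe: "page redzone", 0xff: "freed page"}


@dataclass
class KasanReport:
    bug_type: str = ""
    fault_func: str = ""
    access_kind: str = ""
    access_size: int = 0
    access_addr: int = 0
    cache: str = ""
    region_start: int = 0
    region_end: int = 0
    stacks: dict = field(default_factory=dict)   # "trace"/"alloc"/"free" -> [func]
    shadow: dict = field(default_factory=dict)   # memory address -> shadow byte


def parse_kasan(log: str) -> KasanReport:
    rep, section = KasanReport(), None
    for raw in log.splitlines():
        line = TS.sub("", raw).rstrip()           # drop the printk timestamp
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)\+0x", line):
            rep.bug_type, rep.fault_func = m[1], m[2]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", line):
            rep.access_kind, rep.access_size, rep.access_addr = m[1], int(m[2]), int(m[3], 16)
        elif m := re.search(r"belongs to the cache (\S+) of size", line):
            rep.cache = m[1]
        elif m := re.search(r"region \[([0-9a-f]+), ([0-9a-f]+)\)", line):
            rep.region_start, rep.region_end = int(m[1], 16), int(m[2], 16)
        elif m := SHADOW_ROW.match(line):
            for i, byte in enumerate(m[2].split()):
                rep.shadow[int(m[1], 16) + 8 * i] = int(byte, 16)
        elif line == "Call Trace:":
            section = "trace"
        elif re.match(r"(Allocated|Freed) by task \d+:", line):
            section = "alloc" if line.startswith("Allocated") else "free"
        elif section and (m := FRAME.match(line)):
            if not m[1]:                          # "? " frames are stale guesses
                rep.stacks.setdefault(section, []).append(m[2])
        else:
            section = None                        # anything else ends a stack
    return rep


def shadow_state(rep: KasanReport, addr: int) -> str:
    """Name the KASAN state of the 8-byte granule containing addr."""
    byte = rep.shadow.get(addr & ~7)
    if byte is None:
        return "unknown"
    return "accessible" if byte == 0 else SHADOW_MEANING.get(byte, f"0x{byte:02x}")


def triage(rep: KasanReport) -> dict:
    trace = rep.stacks.get("trace", [])
    if rep.fault_func in trace:                      # drop KASAN's own report frames
        trace = trace[trace.index(rep.fault_func):]
    alloc, free = rep.stacks.get("alloc", [])[1:], rep.stacks.get("free", [])[1:]
    return {
        "bug": f"{rep.bug_type} {rep.access_kind.lower()} of {rep.access_size} bytes in {rep.fault_func}",
        "offset_in_object": rep.access_addr - rep.region_start,
        "bytes_past_end": rep.access_addr + rep.access_size - rep.region_end,
        "hit": shadow_state(rep, rep.access_addr),           # what the access landed in
        "owner_state": shadow_state(rep, rep.region_start),  # state of the attributed object
        "path_from_syscall": list(reversed(trace)),
        "owner_alloc_free_same_path": bool(alloc) and alloc == free,
    }
```

Run on the sample, triage(parse_kasan(SAMPLE)) reports an 8-byte read at object+32 with 8 bytes past the end of the 32-byte kmalloc-32 object, landing in a kmalloc redzone (fc), with the path mount_bdev > squashfs_fill_super > squashfs_read_inode > squashfs_get_id. Two of those derived facts matter for triage. First, a read of exactly the element size starting exactly at the end of the region is what an unchecked index one past the end of a table of 8-byte entries looks like, and the offending index is the one squashfs_read_inode handed to squashfs_get_id. Second, the object KASAN says the address "belongs to" is in state fb (already freed), and its allocation and free stacks run through the same squashfs_read_table / squashfs_read_xattr_id_table path; that object is simply the nearest slab neighbour of the faulting address, so those two stacks describe a dead neighbour, not the table squashfs_get_id was indexing, and they should not be read as evidence of a use-after-free. The classification is slab-out-of-bounds precisely because the granule hit is a redzone, not a freed object.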