[....] Starting enhanced syslogd: rsyslogd
[   10.390959] audit: type=1400 audit(1517043386.764:4): avc: denied { syslog } for pid=3169 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.10' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [   19.314049] ==================================================================
[   19.315151] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0x103/0x120
[   19.316087] Read of size 8 at addr ffff8801caab7240 by task syzkaller145027/3319
[   19.317091] 
[   19.317344] CPU: 1 PID: 3319 Comm: syzkaller145027 Not tainted 4.9.78-g68d447c #23
[   19.318534] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   19.319811]  ffff8801c8fef9b0 ffffffff81d943a9 ffffea00072aadc0 ffff8801caab7240
[   19.321003]  0000000000000000 ffff8801caab7240 ffff8801c8fd0238 ffff8801c8fef9e8
[   19.322148]  ffffffff8153dc23 ffff8801caab7240 0000000000000008 0000000000000000
[   19.323294] Call Trace:
[   19.323655]  [] dump_stack+0xc1/0x128
[   19.324371]  [] print_address_description+0x73/0x280
[   19.325251]  [] kasan_report+0x275/0x360
[   19.326012]  [] ? sg_remove_request+0x103/0x120
[   19.326837]  [] __asan_report_load8_noabort+0x14/0x20
[   19.327742]  [] sg_remove_request+0x103/0x120
[   19.328619]  [] sg_finish_rem_req+0x295/0x340
[   19.329429]  [] sg_read+0xa16/0x1440
[   19.330192]  [] ? sg_proc_seq_show_debug+0xd90/0xd90
[   19.331076]  [] ? fsnotify+0xf30/0xf30
[   19.331820]  [] ? avc_policy_seqno+0x9/0x20
[   19.332601]  [] do_loop_readv_writev.part.17+0x141/0x1e0
[   19.333551]  [] ? security_file_permission+0x89/0x1e0
[   19.336448]  [] ? sg_proc_seq_show_debug+0xd90/0xd90
[   19.343168]  [] ? sg_proc_seq_show_debug+0xd90/0xd90
[   19.349807]  [] do_readv_writev+0x520/0x750
[   19.355657]  [] ? vfs_write+0x530/0x530
[   19.361165]  [] ? __fget+0x201/0x3a0
[   19.366424]  [] ? __fget+0x228/0x3a0
[   19.371681]  [] ? __fget+0x47/0x3a0
[   19.376842]  [] vfs_readv+0x84/0xc0
[   19.382003]  [] do_readv+0xe6/0x250
[   19.387158]  [] ? vfs_readv+0xc0/0xc0
[   19.392503]  [] ? entry_SYSCALL_64_fastpath+0x5/0xe8
[   19.399141]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   19.405948]  [] SyS_readv+0x27/0x30
[   19.411104]  [] entry_SYSCALL_64_fastpath+0x29/0xe8
[   19.417654] 
[   19.419253] Allocated by task 0:
[   19.422584] (stack is not available)
[   19.426262] 
[   19.427856] Freed by task 0:
[   19.430838] (stack is not available)
[   19.434515] 
[   19.436114] The buggy address belongs to the object at ffff8801caab7200
[   19.436114]  which belongs to the cache fasync_cache of size 96
[   19.448739] The buggy address is located 64 bytes inside of
[   19.448739]  96-byte region [ffff8801caab7200, ffff8801caab7260)
[   19.460404] The buggy address belongs to the page:
[   19.465301] page:ffffea00072aadc0 count:1 mapcount:0 mapping: (null) index:0x0
[   19.473524] flags: 0x8000000000000080(slab)
[   19.477815] page dumped because: kasan: bad access detected
[   19.483491] 
[   19.485086] Memory state around the buggy address:
[   19.489980]  ffff8801caab7100: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   19.497307]  ffff8801caab7180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.504647] >ffff8801caab7200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
executing program
[   19.511974]                                            ^
[   19.517391]  ffff8801caab7280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.524720]  ffff8801caab7300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.532048] ==================================================================
[   19.539374] Disabling lock debugging due to kernel taint
[   19.546059] Kernel panic - not syncing: panic_on_warn set ...
[   19.546059] 
[   19.553420] CPU: 1 PID: 3319 Comm: syzkaller145027 Tainted: G B 4.9.78-g68d447c #23
[   19.562311] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   19.571634]  ffff8801c8fef908 ffffffff81d943a9 ffffffff841971bf ffff8801c8fef9e0
[   19.579613]  0000000000000000 ffff8801caab7240 ffff8801c8fd0238 ffff8801c8fef9d0
[   19.587582]  ffffffff8142f451 0000000041b58ab3 ffffffff8418ac30 ffffffff8142f295
[   19.595560] Call Trace:
[   19.598119]  [] dump_stack+0xc1/0x128
[   19.603451]  [] panic+0x1bc/0x3a8
[   19.608441]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   19.616642]  [] ? preempt_schedule+0x25/0x30
[   19.622584]  [] ? ___preempt_schedule+0x16/0x18
[   19.628785]  [] kasan_end_report+0x50/0x50
[   19.634551]  [] kasan_report+0x167/0x360
[   19.640144]  [] ? sg_remove_request+0x103/0x120
[   19.646346]  [] __asan_report_load8_noabort+0x14/0x20
[   19.653070]  [] sg_remove_request+0x103/0x120
[   19.659097]  [] sg_finish_rem_req+0x295/0x340
[   19.665124]  [] sg_read+0xa16/0x1440
[   19.670371]  [] ? sg_proc_seq_show_debug+0xd90/0xd90
[   19.677016]  [] ? fsnotify+0xf30/0xf30
[   19.682439]  [] ? avc_policy_seqno+0x9/0x20
[   19.688304]  [] do_loop_readv_writev.part.17+0x141/0x1e0
[   19.695286]  [] ? security_file_permission+0x89/0x1e0
[   19.702008]  [] ? sg_proc_seq_show_debug+0xd90/0xd90
[   19.708642]  [] ? sg_proc_seq_show_debug+0xd90/0xd90
[   19.715278]  [] do_readv_writev+0x520/0x750
[   19.721133]  [] ? vfs_write+0x530/0x530
[   19.726649]  [] ? __fget+0x201/0x3a0
[   19.731893]  [] ? __fget+0x228/0x3a0
[   19.737137]  [] ? __fget+0x47/0x3a0
[   19.742296]  [] vfs_readv+0x84/0xc0
[   19.747455]  [] do_readv+0xe6/0x250
[   19.752615]  [] ? vfs_readv+0xc0/0xc0
[   19.757948]  [] ? entry_SYSCALL_64_fastpath+0x5/0xe8
[   19.764585]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   19.771396]  [] SyS_readv+0x27/0x30
[   19.776556]  [] entry_SYSCALL_64_fastpath+0x29/0xe8
[   19.783540] Dumping ftrace buffer:
[   19.787053]    (ftrace buffer empty)
[   19.790733] Kernel Offset: disabled
[   19.794334] Rebooting in 86400 seconds..
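A report like the one above can be triaged mechanically before anyone opens the sg driver source. The Python below is an added example, not part of the syzkaller report and not kernel or syzkaller code. It parses the report lines reproduced above, separates the real stack frames from the `?` guesses, cross-checks the "located 64 bytes inside" claim against the printed object and region addresses, and decodes the shadow byte for the faulting address using the 4.9 kernel's KASAN shadow encoding from mm/kasan/kasan.h (0x00 granule accessible, 0x01..0x07 partially accessible, 0xfb freed object, 0xfc kmalloc redzone). In this report the `>` row is entirely 0xfc even though the address lies inside a nominal 96-byte fasync_cache object, and it is that shadow value, not the object bounds, from which KASAN derives the "slab-out-of-bounds" label rather than "use-after-free". The regex field table, the dictionary keys and the function names are this example's own choices.

```python
"""Triage helper for a KASAN slab report such as the one above.
Added example: not part of the syzkaller report, nor kernel or syzkaller code.
Shadow-byte values follow mm/kasan/kasan.h in the 4.9 kernel."""
import re

# Shadow values: 0x00 = 8-byte granule accessible, 0x01..0x07 = only that many
# leading bytes accessible, anything else a poison type from this table.
SHADOW_SPECIAL = {0xFF: "free page", 0xFE: "page redzone (kmalloc_large)",
                  0xFC: "kmalloc redzone (poisoned slab memory)",
                  0xFB: "kmalloc freed (use-after-free)", 0xFA: "global redzone",
                  0xF8: "use-after-scope"}

# Sample input: lines of the report above, verbatim ("[<addr>]" markers are
# stripped as on the page; the call trace is cut to the frames that matter).
SAMPLE_REPORT = """\
[   19.315151] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0x103/0x120
[   19.316087] Read of size 8 at addr ffff8801caab7240 by task syzkaller145027/3319
[   19.323294] Call Trace:
[   19.325251]  [] kasan_report+0x275/0x360
[   19.326012]  [] ? sg_remove_request+0x103/0x120
[   19.326837]  [] __asan_report_load8_noabort+0x14/0x20
[   19.327742]  [] sg_remove_request+0x103/0x120
[   19.328619]  [] sg_finish_rem_req+0x295/0x340
[   19.329429]  [] sg_read+0xa16/0x1440
[   19.405948]  [] SyS_readv+0x27/0x30
[   19.411104]  [] entry_SYSCALL_64_fastpath+0x29/0xe8
[   19.436114] The buggy address belongs to the object at ffff8801caab7200
[   19.436114]  which belongs to the cache fasync_cache of size 96
[   19.448739] The buggy address is located 64 bytes inside of
[   19.448739]  96-byte region [ffff8801caab7200, ffff8801caab7260)
[   19.485086] Memory state around the buggy address:
[   19.489980]  ffff8801caab7100: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   19.504647] >ffff8801caab7200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")                      # console timestamp
TRACE_RE = re.compile(r"\s*\[[^\]]*\]\s+(\?\s+)?([\w.]+)\+0x")   # one stack frame
ROW_RE = re.compile(r"[> ]?([0-9a-f]{16}):((?: [0-9a-f]{2}){16})$")  # shadow row
hexint = lambda s: int(s, 16)
FIELDS = [  # (regex, keys, converters) for the single-line facts of a report
    (r"BUG: KASAN: (\S+) in ([\w.]+)\+0x", ("bug", "func"), (str, str)),
    (r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task ([^/\s]+)/(\d+)",
     ("access", "size", "addr", "task", "pid"), (str.lower, int, hexint, str, int)),
    (r"belongs to the object at ([0-9a-f]+)", ("object",), (hexint,)),
    (r"belongs to the cache (\S+) of size (\d+)", ("cache", "obj_size"), (str, int)),
    (r"is located (\d+) bytes (inside|to the right|to the left) of",
     ("stated_offset", "where"), (int, str)),
    (r"-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", ("region_lo", "region_hi"), (hexint, hexint)),
]

def parse_kasan_report(text):
    """Collect the structured facts of a report into a dict."""
    rep, in_trace = {"trace": [], "shadow": {}}, False
    for raw in text.splitlines():
        line = TS_RE.sub("", raw)
        if in_trace and TRACE_RE.match(line):
            m = TRACE_RE.match(line)
            if not m.group(1):              # "? sym" frames are guesses; skip them
                rep["trace"].append(m.group(2))
            continue
        in_trace = line.startswith("Call Trace:")   # first non-frame line ends it
        m = ROW_RE.match(line)
        if m:                               # one shadow row = 16 granules of 8 bytes
            rep["shadow"][hexint(m.group(1))] = [hexint(b) for b in m.group(2).split()]
        for rx, keys, conv in FIELDS:
            m = re.search(rx, line)
            if m:
                rep.update(zip(keys, (c(v) for c, v in zip(conv, m.groups()))))
    return rep

def shadow_byte(rep, addr):
    """Shadow byte covering addr, taken from the dumped rows (128 bytes each)."""
    row = addr & ~0x7F
    return rep["shadow"][row][(addr - row) >> 3]

def describe_shadow(val, addr):
    if 1 <= val <= 7:                       # partial granule: first `val` bytes valid
        return "accessible" if (addr & 7) < val else "past end of partial granule"
    return "accessible" if val == 0 else SHADOW_SPECIAL.get(val, "unknown %#04x" % val)

def triage(text):
    """Parse a report, cross-check its offset claim and decode the shadow byte."""
    rep = parse_kasan_report(text)
    addr, base, lo, hi = rep["addr"], rep["object"], rep["region_lo"], rep["region_hi"]
    rep["offset"] = addr - base
    rep["offset_consistent"] = (rep["offset"] == rep["stated_offset"] and lo == base
                                and hi - lo == rep["obj_size"] and lo <= addr < hi)
    rep["shadow_value"] = shadow_byte(rep, addr)
    rep["shadow_meaning"] = describe_shadow(rep["shadow_value"], addr)
    # Frames past the KASAN reporting plumbing: the first is the faulting
    # function, the SyS_* one names the syscall that reached it.
    rep["path"] = [f for f in rep["trace"]
                   if not f.startswith(("dump_stack", "print_address", "kasan_", "__asan_"))]
    rep["fault_frame"] = rep["path"][0] if rep["path"] else None
    rep["syscall"] = next((f for f in rep["path"] if f.startswith("SyS_")), None)
    return rep

if __name__ == "__main__":
    r = triage(SAMPLE_REPORT)
    print("%s: %s of %d bytes in %s, %d bytes %s a %s object; shadow %#04x = %s"
          % (r["bug"], r["access"], r["size"], r["fault_frame"], r["offset"], r["where"],
             r["cache"], r["shadow_value"], r["shadow_meaning"]))
    print("reached via:", " -> ".join(reversed(r["path"])), "| consistent:", r["offset_consistent"])
```

Run stand-alone it prints a one-line summary plus the syscall-to-fault path; the dict returned by `triage` is the kind of key (bug class plus faulting frame) a crash-deduplication pipeline would group on. The consistency check matters on real reports because console interleaving, as with the "executing program" text spliced into the `>` row above, can corrupt exactly the numbers a reader would otherwise trust.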