[....] Starting file context maintaining daemon: restorecond [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 21.186140] random: sshd: uninitialized urandom read (32 bytes read)
[ 21.534882] audit: type=1400 audit(1570155489.416:6): avc: denied { map } for pid=1770 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 21.573557] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.113940] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.288740] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.185' (ECDSA) to the list of known hosts.
[ 27.839572] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 27.938197] audit: type=1400 audit(1570155495.816:7): avc: denied { map } for pid=1788 comm="syz-executor724" path="/root/syz-executor724887516" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 27.965815] audit: type=1400 audit(1570155495.816:8): avc: denied { prog_load } for pid=1788 comm="syz-executor724" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 27.992858] audit: type=1400 audit(1570155495.876:9): avc: denied { prog_run } for pid=1788 comm="syz-executor724" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 27.993121] ==================================================================
[ 28.025617] BUG: KASAN: slab-out-of-bounds in bpf_skb_change_head+0x4ea/0x600
[ 28.033322] Read of size 4 at addr ffff8881d5a1bfb8 by task syz-executor724/1788
[ 28.041034]
[ 28.042654] CPU: 0 PID: 1788 Comm: syz-executor724 Not tainted 4.14.146+ #0
[ 28.051083] Call Trace:
[ 28.053707]  dump_stack+0xca/0x134
[ 28.057358]  ? bpf_skb_change_head+0x4ea/0x600
[ 28.062281]  ? bpf_skb_change_head+0x4ea/0x600
[ 28.069262]  ? bpf_skb_change_tail+0xb80/0xb80
[ 28.076870]  print_address_description+0x60/0x226
[ 28.085273]  ? bpf_skb_change_head+0x4ea/0x600
[ 28.095904]  ? bpf_skb_change_head+0x4ea/0x600
[ 28.104828]  ? bpf_skb_change_tail+0xb80/0xb80
[ 28.115620]  __kasan_report.cold+0x1a/0x41
[ 28.123420]  ? bpf_skb_change_head+0x4ea/0x600
[ 28.131259]  bpf_skb_change_head+0x4ea/0x600
[ 28.140513]  ? bpf_skb_change_tail+0xb80/0xb80
[ 28.152462]  ___bpf_prog_run+0x2478/0x5510
[ 28.157811]  ? lock_downgrade+0x5d0/0x5d0
[ 28.162590]  ? lock_acquire+0x12b/0x360
[ 28.166599]  ? bpf_jit_compile+0x30/0x30
[ 28.170962]  ? __bpf_prog_run512+0x99/0xe0
[ 28.176127]  ? ___bpf_prog_run+0x5510/0x5510
[ 28.181356]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[ 28.186679]  ? trace_hardirqs_on_caller+0x37b/0x540
[ 28.191702]  ? __lock_acquire+0x5d7/0x4320
[ 28.196107]  ? __lock_acquire+0x5d7/0x4320
[ 28.200768]  ? __kasan_kmalloc.part.0+0x8a/0xc0
[ 28.205547]  ? trace_hardirqs_on+0x10/0x10
[ 28.209787]  ? __lock_acquire+0x5d7/0x4320
[ 28.214423]  ? bpf_test_run+0x42/0x340
[ 28.218737]  ? lock_acquire+0x12b/0x360
[ 28.224629]  ? bpf_test_run+0x13a/0x340
[ 28.228865]  ? check_preemption_disabled+0x35/0x1f0
[ 28.234696]  ? rcu_dynticks_curr_cpu_in_eqs+0x4c/0xa0
[ 28.240828]  ? bpf_test_run+0xa8/0x340
[ 28.244774]  ? bpf_prog_test_run_skb+0x638/0x8c0
[ 28.250561]  ? bpf_test_init.isra.0+0xc0/0xc0
[ 28.255352]  ? bpf_prog_add+0x53/0xc0
[ 28.260079]  ? bpf_test_init.isra.0+0xc0/0xc0
[ 28.265453]  ? SyS_bpf+0xa3b/0x3830
[ 28.269808]  ? bpf_prog_get+0x20/0x20
[ 28.274482]  ? __do_page_fault+0x49f/0xbb0
[ 28.279088]  ? lock_downgrade+0x5d0/0x5d0
[ 28.283479]  ? __do_page_fault+0x677/0xbb0
[ 28.288088]  ? do_syscall_64+0x43/0x520
[ 28.292265]  ? bpf_prog_get+0x20/0x20
[ 28.296064]  ? do_syscall_64+0x19b/0x520
[ 28.300978]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 28.306525]
[ 28.308161] Allocated by task 1586:
[ 28.312081]  __kasan_kmalloc.part.0+0x53/0xc0
[ 28.316919]  kmem_cache_alloc+0xee/0x360
[ 28.320990]  mmap_region+0x56e/0xfb0
[ 28.324726]  do_mmap+0x548/0xb80
[ 28.328333]  vm_mmap_pgoff+0x177/0x1c0
[ 28.332593]  SyS_mmap_pgoff+0x146/0x1b0
[ 28.336934]  do_syscall_64+0x19b/0x520
[ 28.341010]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 28.346315]  0xffffffffffffffff
[ 28.349680]
[ 28.351301] Freed by task 1586:
[ 28.354588]  __kasan_slab_free+0x164/0x210
[ 28.359606]  kmem_cache_free+0xd7/0x3b0
[ 28.363668]  remove_vma+0x117/0x160
[ 28.367485]  exit_mmap+0x2a0/0x440
[ 28.371188]  mmput+0xeb/0x370
[ 28.374402]  do_exit+0x905/0x2a20
[ 28.378092]  do_group_exit+0x100/0x2e0
[ 28.382255]  SyS_exit_group+0x19/0x20
[ 28.386766]  do_syscall_64+0x19b/0x520
[ 28.390650]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 28.396639]  0xffffffffffffffff
[ 28.399922]
[ 28.401669] The buggy address belongs to the object at ffff8881d5a1be88
[ 28.401669]  which belongs to the cache vm_area_struct of size 184
[ 28.414707] The buggy address is located 120 bytes to the right of
[ 28.414707]  184-byte region [ffff8881d5a1be88, ffff8881d5a1bf40)
[ 28.427565] The buggy address belongs to the page:
[ 28.432652] page:ffffea00075686c0 count:1 mapcount:0 mapping: (null) index:0x0
[ 28.441742] flags: 0x4000000000000200(slab)
[ 28.446518] raw: 4000000000000200 0000000000000000 0000000000000000 0000000100100010
[ 28.454414] raw: dead000000000100 dead000000000200 ffff8881da952a00 0000000000000000
[ 28.462817] page dumped because: kasan: bad access detected
[ 28.468823]
[ 28.470615] Memory state around the buggy address:
[ 28.475565]  ffff8881d5a1be80: fc fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.483204]  ffff8881d5a1bf00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 28.490877] >ffff8881d5a1bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.498237]                                         ^
[ 28.503498]  ffff8881d5a1c000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.510840]  ffff8881d5a1c080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 28.518188] ==================================================================
[ 28.525532] Disabling lock debugging due to kernel taint
[ 28.531053] Kernel panic - not syncing: panic_on_warn set ...
[ 28.531053]
[ 28.538436] CPU: 0 PID: 1788 Comm: syz-executor724 Tainted: G B 4.14.146+ #0
[ 28.546744] Call Trace:
[ 28.549339]  dump_stack+0xca/0x134
[ 28.552867]  panic+0x1ea/0x3d3
[ 28.556040]  ? add_taint.cold+0x16/0x16
[ 28.560000]  ? bpf_skb_change_head+0x4ea/0x600
[ 28.564579]  ? bpf_skb_change_tail+0xb80/0xb80
[ 28.569156]  end_report+0x43/0x49
[ 28.572594]  ? bpf_skb_change_head+0x4ea/0x600
[ 28.577165]  __kasan_report.cold+0xd/0x41
[ 28.581301]  ? bpf_skb_change_head+0x4ea/0x600
[ 28.585864]  bpf_skb_change_head+0x4ea/0x600
[ 28.590309]  ? bpf_skb_change_tail+0xb80/0xb80
[ 28.594874]  ___bpf_prog_run+0x2478/0x5510
[ 28.599091]  ? lock_downgrade+0x5d0/0x5d0
[ 28.603218]  ? lock_acquire+0x12b/0x360
[ 28.607171]  ? bpf_jit_compile+0x30/0x30
[ 28.611215]  ? __bpf_prog_run512+0x99/0xe0
[ 28.615516]  ? ___bpf_prog_run+0x5510/0x5510
[ 28.619902]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[ 28.625073]  ? trace_hardirqs_on_caller+0x37b/0x540
[ 28.630080]  ? __lock_acquire+0x5d7/0x4320
[ 28.634301]  ? __lock_acquire+0x5d7/0x4320
[ 28.638512]  ? __kasan_kmalloc.part.0+0x8a/0xc0
[ 28.643162]  ? trace_hardirqs_on+0x10/0x10
[ 28.647634]  ? __lock_acquire+0x5d7/0x4320
[ 28.651850]  ? bpf_test_run+0x42/0x340
[ 28.655820]  ? lock_acquire+0x12b/0x360
[ 28.659775]  ? bpf_test_run+0x13a/0x340
[ 28.663731]  ? check_preemption_disabled+0x35/0x1f0
[ 28.668760]  ? rcu_dynticks_curr_cpu_in_eqs+0x4c/0xa0
[ 28.674116]  ? bpf_test_run+0xa8/0x340
[ 28.677998]  ? bpf_prog_test_run_skb+0x638/0x8c0
[ 28.682743]  ? bpf_test_init.isra.0+0xc0/0xc0
[ 28.687216]  ? bpf_prog_add+0x53/0xc0
[ 28.690996]  ? bpf_test_init.isra.0+0xc0/0xc0
[ 28.695472]  ? SyS_bpf+0xa3b/0x3830
[ 28.699213]  ? bpf_prog_get+0x20/0x20
[ 28.703265]  ? __do_page_fault+0x49f/0xbb0
[ 28.707739]  ? lock_downgrade+0x5d0/0x5d0
[ 28.712128]  ? __do_page_fault+0x677/0xbb0
[ 28.716574]  ? do_syscall_64+0x43/0x520
[ 28.720977]  ? bpf_prog_get+0x20/0x20
[ 28.725226]  ? do_syscall_64+0x19b/0x520
[ 28.729557]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 28.736002] Kernel Offset: 0x2b000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 28.747424] Rebooting in 86400 seconds..