[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 34.760309] random: sshd: uninitialized urandom read (32 bytes read)
[ 34.959405] audit: type=1400 audit(1548021908.875:6): avc: denied { map } for pid=1753 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 35.005670] random: sshd: uninitialized urandom read (32 bytes read)
[ 35.502366] random: sshd: uninitialized urandom read (32 bytes read)
[ 46.458814] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.37' (ECDSA) to the list of known hosts.
[ 52.102577] random: sshd: uninitialized urandom read (32 bytes read)
[ 52.187328] audit: type=1400 audit(1548021926.105:7): avc: denied { map } for pid=1777 comm="syz-executor118" path="/root/syz-executor118944543" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 52.462179] ==================================================================
[ 52.469742] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[ 52.476389] Read of size 8 at addr ffff8881d1516790 by task syz-executor118/1780
[ 52.483900]
[ 52.485508] CPU: 1 PID: 1780 Comm: syz-executor118 Not tainted 4.14.94+ #12
[ 52.492588] Call Trace:
[ 52.495156]  dump_stack+0xb9/0x10e
[ 52.498676]  ? ip_local_deliver+0x43d/0x450
[ 52.502980]  print_address_description+0x60/0x226
[ 52.507999]  ? ip_local_deliver+0x43d/0x450
[ 52.512319]  kasan_report.cold+0x88/0x2a5
[ 52.516667]  ? ip_local_deliver+0x43d/0x450
[ 52.520976]  ? ip_call_ra_chain+0x540/0x540
[ 52.525280]  ? __lock_acquire+0x56a/0x3fa0
[ 52.529498]  ? ip_rcv+0x99f/0xf7a
[ 52.532950]  ? ip_rcv_finish+0x5c9/0x1490
[ 52.537075]  ? ip_rcv+0x9e2/0xf7a
[ 52.540654]  ? ip_local_deliver+0x450/0x450
[ 52.544961]  ? __lock_acquire+0x56a/0x3fa0
[ 52.549208]  ? check_preemption_disabled+0x35/0x1f0
[ 52.554209]  ? ip_local_deliver+0x450/0x450
[ 52.558531]  ? __netif_receive_skb_core+0x1364/0x2c60
[ 52.563694]  ? trace_hardirqs_on+0x10/0x10
[ 52.567930]  ? flush_backlog+0x580/0x580
[ 52.571965]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 52.577132]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 52.582304]  ? lock_acquire+0x10f/0x380
[ 52.586253]  ? __netif_receive_skb+0x55/0x1f0
[ 52.590721]  ? __netif_receive_skb+0x55/0x1f0
[ 52.595191]  ? netif_receive_skb_internal+0xec/0x5c0
[ 52.600633]  ? dev_cpu_dead+0x810/0x810
[ 52.604593]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 52.610026]  ? rcu_read_lock_sched_held+0x10a/0x130
[ 52.615045]  ? tun_rx_batched.isra.0+0x45d/0x730
[ 52.619778]  ? __skb_get_hash_symmetric+0x255/0x620
[ 52.624781]  ? tun_chr_read_iter+0x1c0/0x1c0
[ 52.629182]  ? tun_get_user+0xc07/0x3790
[ 52.633223]  ? __local_bh_enable_ip+0x65/0xc0
[ 52.637714]  ? tun_get_user+0xd95/0x3790
[ 52.641761]  ? tun_rx_batched.isra.0+0x730/0x730
[ 52.646494]  ? debug_mutex_add_waiter+0x60/0x150
[ 52.651230]  ? mark_held_locks+0xa6/0xf0
[ 52.655273]  ? get_page_from_freelist+0x85e/0x1d60
[ 52.660405]  ? preempt_count_add+0xb8/0x180
[ 52.664706]  ? __tun_get+0x11c/0x220
[ 52.668398]  ? check_preemption_disabled+0x35/0x1f0
[ 52.673392]  ? tun_chr_write_iter+0xcf/0x180
[ 52.677774]  ? do_iter_readv_writev+0x379/0x580
[ 52.682445]  ? clone_verify_area+0x1e0/0x1e0
[ 52.686835]  ? avc_policy_seqno+0x5/0x10
[ 52.690985]  ? security_file_permission+0x88/0x1e0
[ 52.695899]  ? do_iter_write+0x152/0x550
[ 52.699938]  ? lock_downgrade+0x5d0/0x5d0
[ 52.704074]  ? vfs_writev+0x146/0x2d0
[ 52.707860]  ? vfs_iter_write+0xa0/0xa0
[ 52.711811]  ? __handle_mm_fault+0x6c5/0x2640
[ 52.716293]  ? __fsnotify_inode_delete+0x20/0x20
[ 52.721034]  ? __do_page_fault+0x48e/0xb80
[ 52.725260]  ? lock_downgrade+0x5d0/0x5d0
[ 52.729514]  ? check_preemption_disabled+0x35/0x1f0
[ 52.734536]  ? do_writev+0xc9/0x240
[ 52.738140]  ? vfs_writev+0x2d0/0x2d0
[ 52.741990]  ? do_syscall_64+0x43/0x4b0
[ 52.745945]  ? SyS_readv+0x30/0x30
[ 52.749461]  ? do_syscall_64+0x19b/0x4b0
[ 52.753502]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 52.758850]
[ 52.760453] Allocated by task 1780:
[ 52.764055]  kasan_kmalloc.part.0+0x4f/0xd0
[ 52.768351]  kmem_cache_alloc+0xd2/0x2d0
[ 52.772485]  __build_skb+0x2e/0x2d0
[ 52.776089]  build_skb+0x1a/0x1f0
[ 52.779554]  tun_get_user+0x248b/0x3790
[ 52.783507]  tun_chr_write_iter+0xcf/0x180
[ 52.787729]  do_iter_readv_writev+0x379/0x580
[ 52.792206]  do_iter_write+0x152/0x550
[ 52.796085]  vfs_writev+0x146/0x2d0
[ 52.799806]  do_writev+0xc9/0x240
[ 52.803322]  do_syscall_64+0x19b/0x4b0
[ 52.807187]
[ 52.808791] Freed by task 1780:
[ 52.812049]  kasan_slab_free+0xb0/0x190
[ 52.816001]  kmem_cache_free+0xc4/0x330
[ 52.819956]  kfree_skbmem+0xa0/0x100
[ 52.823642]  kfree_skb+0xcd/0x350
[ 52.827068]  ip_defrag+0x5f4/0x3b50
[ 52.830674]  ip_local_deliver+0x165/0x450
[ 52.834802]  ip_rcv_finish+0x5c9/0x1490
[ 52.838747]  ip_rcv+0x9e2/0xf7a
[ 52.842000]  __netif_receive_skb_core+0x1364/0x2c60
[ 52.846992]  __netif_receive_skb+0x55/0x1f0
[ 52.851415]  netif_receive_skb_internal+0xec/0x5c0
[ 52.856338]  tun_rx_batched.isra.0+0x45d/0x730
[ 52.860907]  tun_get_user+0xd95/0x3790
[ 52.864767]  tun_chr_write_iter+0xcf/0x180
[ 52.868982]  do_iter_readv_writev+0x379/0x580
[ 52.873478]  do_iter_write+0x152/0x550
[ 52.877343]  vfs_writev+0x146/0x2d0
[ 52.880944]  do_writev+0xc9/0x240
[ 52.884371]  do_syscall_64+0x19b/0x4b0
[ 52.888241]
[ 52.889846] The buggy address belongs to the object at ffff8881d1516780
[ 52.889846]  which belongs to the cache skbuff_head_cache of size 224
[ 52.903001] The buggy address is located 16 bytes inside of
[ 52.903001]  224-byte region [ffff8881d1516780, ffff8881d1516860)
[ 52.914779] The buggy address belongs to the page:
[ 52.919692] page:ffffea0007454580 count:1 mapcount:0 mapping:          (null) index:0x0
[ 52.927808] flags: 0x4000000000000100(slab)
[ 52.932123] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[ 52.939983] raw: dead000000000100 dead000000000200 ffff8881dab58200 0000000000000000
[ 52.947838] page dumped because: kasan: bad access detected
[ 52.953524]
[ 52.955129] Memory state around the buggy address:
[ 52.960034]  ffff8881d1516680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.967388]  ffff8881d1516700: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 52.974721] >ffff8881d1516780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.982052]                          ^
[ 52.985912]  ffff8881d1516800: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 52.993345]  ffff8881d1516880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 53.000681] ==================================================================
[ 53.008034] Disabling lock debugging due to kernel taint
[ 53.013498] Kernel panic - not syncing: panic_on_warn set ...
[ 53.013498]
[ 53.020848] CPU: 1 PID: 1780 Comm: syz-executor118 Tainted: G    B 4.14.94+ #12
[ 53.029138] Call Trace:
[ 53.031711]  dump_stack+0xb9/0x10e
[ 53.035229]  panic+0x1d9/0x3c2
[ 53.038398]  ? add_taint.cold+0x16/0x16
[ 53.042347]  ? retint_kernel+0x2d/0x2d
[ 53.046221]  ? ip_local_deliver+0x43d/0x450
[ 53.050526]  kasan_end_report+0x43/0x49
[ 53.054475]  kasan_report.cold+0xa4/0x2a5
[ 53.058602]  ? ip_local_deliver+0x43d/0x450
[ 53.062905]  ? ip_call_ra_chain+0x540/0x540
[ 53.067210]  ? __lock_acquire+0x56a/0x3fa0
[ 53.071435]  ? ip_rcv+0x99f/0xf7a
[ 53.074876]  ? ip_rcv_finish+0x5c9/0x1490
[ 53.079004]  ? ip_rcv+0x9e2/0xf7a
[ 53.082439]  ? ip_local_deliver+0x450/0x450
[ 53.086738]  ? __lock_acquire+0x56a/0x3fa0
[ 53.090953]  ? check_preemption_disabled+0x35/0x1f0
[ 53.095942]  ? ip_local_deliver+0x450/0x450
[ 53.100239]  ? __netif_receive_skb_core+0x1364/0x2c60
[ 53.105414]  ? trace_hardirqs_on+0x10/0x10
[ 53.109791]  ? flush_backlog+0x580/0x580
[ 53.113947]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 53.119114]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 53.124405]  ? lock_acquire+0x10f/0x380
[ 53.128373]  ? __netif_receive_skb+0x55/0x1f0
[ 53.132842]  ? __netif_receive_skb+0x55/0x1f0
[ 53.137310]  ? netif_receive_skb_internal+0xec/0x5c0
[ 53.142603]  ? dev_cpu_dead+0x810/0x810
[ 53.146567]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 53.152107]  ? rcu_read_lock_sched_held+0x10a/0x130
[ 53.157120]  ? tun_rx_batched.isra.0+0x45d/0x730
[ 53.161850]  ? __skb_get_hash_symmetric+0x255/0x620
[ 53.166854]  ? tun_chr_read_iter+0x1c0/0x1c0
[ 53.171251]  ? tun_get_user+0xc07/0x3790
[ 53.175313]  ? __local_bh_enable_ip+0x65/0xc0
[ 53.179783]  ? tun_get_user+0xd95/0x3790
[ 53.183820]  ? tun_rx_batched.isra.0+0x730/0x730
[ 53.188554]  ? debug_mutex_add_waiter+0x60/0x150
[ 53.193280]  ? mark_held_locks+0xa6/0xf0
[ 53.197317]  ? get_page_from_freelist+0x85e/0x1d60
[ 53.202237]  ? preempt_count_add+0xb8/0x180
[ 53.206560]  ? __tun_get+0x11c/0x220
[ 53.210386]  ? check_preemption_disabled+0x35/0x1f0
[ 53.215397]  ? tun_chr_write_iter+0xcf/0x180
[ 53.219886]  ? do_iter_readv_writev+0x379/0x580
[ 53.224541]  ? clone_verify_area+0x1e0/0x1e0
[ 53.228923]  ? avc_policy_seqno+0x5/0x10
[ 53.232968]  ? security_file_permission+0x88/0x1e0
[ 53.237875]  ? do_iter_write+0x152/0x550
[ 53.241915]  ? lock_downgrade+0x5d0/0x5d0
[ 53.246036]  ? vfs_writev+0x146/0x2d0
[ 53.249813]  ? vfs_iter_write+0xa0/0xa0
[ 53.253783]  ? __handle_mm_fault+0x6c5/0x2640
[ 53.258254]  ? __fsnotify_inode_delete+0x20/0x20
[ 53.263057]  ? __do_page_fault+0x48e/0xb80
[ 53.267272]  ? lock_downgrade+0x5d0/0x5d0
[ 53.271408]  ? check_preemption_disabled+0x35/0x1f0
[ 53.276402]  ? do_writev+0xc9/0x240
[ 53.280004]  ? vfs_writev+0x2d0/0x2d0
[ 53.283777]  ? do_syscall_64+0x43/0x4b0
[ 53.287730]  ? SyS_readv+0x30/0x30
[ 53.291246]  ? do_syscall_64+0x19b/0x4b0
[ 53.295281]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 53.300930] Kernel Offset: 0x7200000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 53.311747] Rebooting in 86400 seconds..