[....] Starting file context maintaining daemon: restorecond [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[   10.017989] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.915902] random: sshd: uninitialized urandom read (32 bytes read)
[   25.222043] audit: type=1400 audit(1548139481.128:6): avc:  denied  { map } for  pid=1777 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   25.259681] random: sshd: uninitialized urandom read (32 bytes read)
[   25.757806] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.225' (ECDSA) to the list of known hosts.
[   31.439430] urandom_read: 1 callbacks suppressed
[   31.439434] random: sshd: uninitialized urandom read (32 bytes read)
[   31.539316] audit: type=1400 audit(1548139487.438:7): avc:  denied  { map } for  pid=1795 comm="syz-executor831" path="/root/syz-executor831962113" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[   31.801923] ==================================================================
[   31.809338] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[   31.816049] Read of size 8 at addr ffff8881d0cde650 by task syz-executor831/1798
[   31.823562] 
[   31.825167] CPU: 0 PID: 1798 Comm: syz-executor831 Not tainted 4.14.94+ #12
[   31.832305] Call Trace:
[   31.834884]  dump_stack+0xb9/0x10e
[   31.838401]  ? ip_local_deliver+0x43d/0x450
[   31.842699]  print_address_description+0x60/0x226
[   31.847529]  ? ip_local_deliver+0x43d/0x450
[   31.851821]  kasan_report.cold+0x88/0x2a5
[   31.856065]  ? ip_local_deliver+0x43d/0x450
[   31.860371]  ? ip_call_ra_chain+0x540/0x540
[   31.864672]  ? __lock_acquire+0x56a/0x3fa0
[   31.868887]  ? ip_rcv+0x99f/0xf7a
[   31.872318]  ? ip_rcv_finish+0x5c9/0x1490
[   31.876443]  ? ip_rcv+0x9e2/0xf7a
[   31.879876]  ? ip_local_deliver+0x450/0x450
[   31.884179]  ? __lock_acquire+0x56a/0x3fa0
[   31.888395]  ? check_preemption_disabled+0x35/0x1f0
[   31.893403]  ? ip_local_deliver+0x450/0x450
[   31.897701]  ? __netif_receive_skb_core+0x1364/0x2c60
[   31.902866]  ? trace_hardirqs_on+0x10/0x10
[   31.907078]  ? flush_backlog+0x580/0x580
[   31.911115]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   31.916280]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   31.921511]  ? lock_acquire+0x10f/0x380
[   31.925471]  ? __netif_receive_skb+0x55/0x1f0
[   31.929941]  ? __netif_receive_skb+0x55/0x1f0
[   31.934410]  ? netif_receive_skb_internal+0xec/0x5c0
[   31.939494]  ? dev_cpu_dead+0x810/0x810
[   31.943450]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   31.948878]  ? rcu_read_lock_sched_held+0x10a/0x130
[   31.953877]  ? tun_rx_batched.isra.0+0x45d/0x730
[   31.958736]  ? __skb_get_hash_symmetric+0x255/0x620
[   31.963740]  ? tun_chr_read_iter+0x1c0/0x1c0
[   31.968136]  ? tun_get_user+0xc07/0x3790
[   31.972173]  ? __local_bh_enable_ip+0x65/0xc0
[   31.976643]  ? tun_get_user+0xd95/0x3790
[   31.980699]  ? tun_rx_batched.isra.0+0x730/0x730
[   31.985431]  ? debug_mutex_add_waiter+0x60/0x150
[   31.990227]  ? mark_held_locks+0xa6/0xf0
[   31.994270]  ? get_page_from_freelist+0x85e/0x1d60
[   31.999255]  ? preempt_count_add+0xb8/0x180
[   32.003565]  ? __tun_get+0x11c/0x220
[   32.007262]  ? check_preemption_disabled+0x35/0x1f0
[   32.012260]  ? tun_chr_write_iter+0xcf/0x180
[   32.016647]  ? do_iter_readv_writev+0x379/0x580
[   32.021294]  ? clone_verify_area+0x1e0/0x1e0
[   32.025677]  ? avc_policy_seqno+0x5/0x10
[   32.029717]  ? security_file_permission+0x88/0x1e0
[   32.034623]  ? do_iter_write+0x152/0x550
[   32.038661]  ? lock_downgrade+0x5d0/0x5d0
[   32.042790]  ? vfs_writev+0x146/0x2d0
[   32.046563]  ? vfs_iter_write+0xa0/0xa0
[   32.050520]  ? __handle_mm_fault+0x6c5/0x2640
[   32.054998]  ? __fsnotify_inode_delete+0x20/0x20
[   32.059735]  ? __do_page_fault+0x48e/0xb80
[   32.063945]  ? lock_downgrade+0x5d0/0x5d0
[   32.068068]  ? check_preemption_disabled+0x35/0x1f0
[   32.073060]  ? do_writev+0xc9/0x240
[   32.076677]  ? vfs_writev+0x2d0/0x2d0
[   32.080455]  ? do_syscall_64+0x43/0x4b0
[   32.084403]  ? SyS_readv+0x30/0x30
[   32.087917]  ? do_syscall_64+0x19b/0x4b0
[   32.091956]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   32.097303] 
[   32.098908] Allocated by task 1798:
[   32.102511]  kasan_kmalloc.part.0+0x4f/0xd0
[   32.106806]  kmem_cache_alloc+0xd2/0x2d0
[   32.110849]  __build_skb+0x2e/0x2d0
[   32.114563]  build_skb+0x1a/0x1f0
[   32.118002]  tun_get_user+0x248b/0x3790
[   32.121956]  tun_chr_write_iter+0xcf/0x180
[   32.126165]  do_iter_readv_writev+0x379/0x580
[   32.130631]  do_iter_write+0x152/0x550
[   32.134489]  vfs_writev+0x146/0x2d0
[   32.138088]  do_writev+0xc9/0x240
[   32.141550]  do_syscall_64+0x19b/0x4b0
[   32.145423] 
[   32.147026] Freed by task 1798:
[   32.150280]  kasan_slab_free+0xb0/0x190
[   32.154231]  kmem_cache_free+0xc4/0x330
[   32.158180]  kfree_skbmem+0xa0/0x100
[   32.161870]  kfree_skb+0xcd/0x350
[   32.165300]  ip_defrag+0x5f4/0x3b50
[   32.168898]  ip_local_deliver+0x165/0x450
[   32.173018]  ip_rcv_finish+0x5c9/0x1490
[   32.176980]  ip_rcv+0x9e2/0xf7a
[   32.180314]  __netif_receive_skb_core+0x1364/0x2c60
[   32.185326]  __netif_receive_skb+0x55/0x1f0
[   32.189620]  netif_receive_skb_internal+0xec/0x5c0
[   32.194608]  tun_rx_batched.isra.0+0x45d/0x730
[   32.199212]  tun_get_user+0xd95/0x3790
[   32.203110]  tun_chr_write_iter+0xcf/0x180
[   32.207348]  do_iter_readv_writev+0x379/0x580
[   32.211814]  do_iter_write+0x152/0x550
[   32.215670]  vfs_writev+0x146/0x2d0
[   32.219359]  do_writev+0xc9/0x240
[   32.222794]  do_syscall_64+0x19b/0x4b0
[   32.226650] 
[   32.228269] The buggy address belongs to the object at ffff8881d0cde640
[   32.228269]  which belongs to the cache skbuff_head_cache of size 224
[   32.241418] The buggy address is located 16 bytes inside of
[   32.241418]  224-byte region [ffff8881d0cde640, ffff8881d0cde720)
[   32.253175] The buggy address belongs to the page:
[   32.258091] page:ffffea0007433780 count:1 mapcount:0 mapping:          (null) index:0x0
[   32.266211] flags: 0x4000000000000100(slab)
[   32.270509] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[   32.278364] raw: dead000000000100 dead000000000200 ffff8881dab58800 0000000000000000
[   32.286221] page dumped because: kasan: bad access detected
[   32.291900] 
[   32.293495] Memory state around the buggy address:
[   32.298394]  ffff8881d0cde500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.305723]  ffff8881d0cde580: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   32.313054] >ffff8881d0cde600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   32.320586]                                                  ^
[   32.326533]  ffff8881d0cde680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.333890]  ffff8881d0cde700: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   32.341229] ==================================================================
[   32.348570] Disabling lock debugging due to kernel taint
[   32.354118] Kernel panic - not syncing: panic_on_warn set ...
[   32.354118] 
[   32.361481] CPU: 0 PID: 1798 Comm: syz-executor831 Tainted: G    B   4.14.94+ #12
[   32.369800] Call Trace:
[   32.372365]  dump_stack+0xb9/0x10e
[   32.375881]  panic+0x1d9/0x3c2
[   32.379049]  ? add_taint.cold+0x16/0x16
[   32.382997]  ? retint_kernel+0x2d/0x2d
[   32.386870]  ? ip_local_deliver+0x43d/0x450
[   32.391166]  kasan_end_report+0x43/0x49
[   32.395111]  kasan_report.cold+0xa4/0x2a5
[   32.399236]  ? ip_local_deliver+0x43d/0x450
[   32.403536]  ? ip_call_ra_chain+0x540/0x540
[   32.407836]  ? __lock_acquire+0x56a/0x3fa0
[   32.412054]  ? ip_rcv+0x99f/0xf7a
[   32.415477]  ? ip_rcv_finish+0x5c9/0x1490
[   32.419605]  ? ip_rcv+0x9e2/0xf7a
[   32.423032]  ? ip_local_deliver+0x450/0x450
[   32.427326]  ? __lock_acquire+0x56a/0x3fa0
[   32.431535]  ? check_preemption_disabled+0x35/0x1f0
[   32.436524]  ? ip_local_deliver+0x450/0x450
[   32.440819]  ? __netif_receive_skb_core+0x1364/0x2c60
[   32.446102]  ? trace_hardirqs_on+0x10/0x10
[   32.450313]  ? flush_backlog+0x580/0x580
[   32.454355]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   32.459520]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   32.464701]  ? lock_acquire+0x10f/0x380
[   32.468676]  ? __netif_receive_skb+0x55/0x1f0
[   32.473142]  ? __netif_receive_skb+0x55/0x1f0
[   32.477624]  ? netif_receive_skb_internal+0xec/0x5c0
[   32.482696]  ? dev_cpu_dead+0x810/0x810
[   32.486645]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   32.492074]  ? rcu_read_lock_sched_held+0x10a/0x130
[   32.497071]  ? tun_rx_batched.isra.0+0x45d/0x730
[   32.501909]  ? __skb_get_hash_symmetric+0x255/0x620
[   32.506903]  ? tun_chr_read_iter+0x1c0/0x1c0
[   32.511300]  ? tun_get_user+0xc07/0x3790
[   32.515340]  ? __local_bh_enable_ip+0x65/0xc0
[   32.519813]  ? tun_get_user+0xd95/0x3790
[   32.523850]  ? tun_rx_batched.isra.0+0x730/0x730
[   32.528594]  ? debug_mutex_add_waiter+0x60/0x150
[   32.533324]  ? mark_held_locks+0xa6/0xf0
[   32.537359]  ? get_page_from_freelist+0x85e/0x1d60
[   32.542263]  ? preempt_count_add+0xb8/0x180
[   32.546559]  ? __tun_get+0x11c/0x220
[   32.550269]  ? check_preemption_disabled+0x35/0x1f0
[   32.555269]  ? tun_chr_write_iter+0xcf/0x180
[   32.559662]  ? do_iter_readv_writev+0x379/0x580
[   32.564307]  ? clone_verify_area+0x1e0/0x1e0
[   32.568707]  ? avc_policy_seqno+0x5/0x10
[   32.572844]  ? security_file_permission+0x88/0x1e0
[   32.577762]  ? do_iter_write+0x152/0x550
[   32.581913]  ? lock_downgrade+0x5d0/0x5d0
[   32.586148]  ? vfs_writev+0x146/0x2d0
[   32.590114]  ? vfs_iter_write+0xa0/0xa0
[   32.594065]  ? __handle_mm_fault+0x6c5/0x2640
[   32.598538]  ? __fsnotify_inode_delete+0x20/0x20
[   32.603271]  ? __do_page_fault+0x48e/0xb80
[   32.607509]  ? lock_downgrade+0x5d0/0x5d0
[   32.611646]  ? check_preemption_disabled+0x35/0x1f0
[   32.616651]  ? do_writev+0xc9/0x240
[   32.620252]  ? vfs_writev+0x2d0/0x2d0
[   32.624104]  ? do_syscall_64+0x43/0x4b0
[   32.628059]  ? SyS_readv+0x30/0x30
[   32.631572]  ? do_syscall_64+0x19b/0x4b0
[   32.635610]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   32.641248] Kernel Offset: 0x35c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   32.652142] Rebooting in 86400 seconds..