[ 11.643153] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 15.496615] random: sshd: uninitialized urandom read (32 bytes read)
[ 15.662505] audit: type=1400 audit(1567013875.701:6): avc: denied { map } for pid=1759 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 15.706656] random: sshd: uninitialized urandom read (32 bytes read)
[ 16.191363] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.1.54' (ECDSA) to the list of known hosts.
[ 21.858851] urandom_read: 1 callbacks suppressed
[ 21.858856] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 21.963481] audit: type=1400 audit(1567013882.001:7): avc: denied { map } for pid=1777 comm="syz-executor948" path="/root/syz-executor948494683" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 21.990936] audit: type=1400 audit(1567013882.001:8): avc: denied { prog_load } for pid=1777 comm="syz-executor948" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 22.016541] audit: type=1400 audit(1567013882.051:9): avc: denied { prog_run } for pid=1777 comm="syz-executor948" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 22.016652] ==================================================================
[ 22.046350] BUG: KASAN: use-after-free in bpf_clone_redirect+0x2a7/0x2b0
[ 22.053318] Read of size 8 at addr ffff8881d394a450 by task syz-executor948/1777
[ 22.061014]
[ 22.062637] CPU: 0 PID: 1777 Comm: syz-executor948 Not tainted 4.14.140+ #39
[ 22.069917] Call Trace:
[ 22.072552]  dump_stack+0xca/0x134
[ 22.076189]  ? bpf_clone_redirect+0x2a7/0x2b0
[ 22.080905]  ? bpf_clone_redirect+0x2a7/0x2b0
[ 22.085412]  ? __bpf_redirect+0xa30/0xa30
[ 22.089569]  print_address_description+0x60/0x226
[ 22.094957]  ? bpf_clone_redirect+0x2a7/0x2b0
[ 22.099469]  ? bpf_clone_redirect+0x2a7/0x2b0
[ 22.103957]  ? __bpf_redirect+0xa30/0xa30
[ 22.108101]  __kasan_report.cold+0x1a/0x41
[ 22.112351]  ? bpf_clone_redirect+0x2a7/0x2b0
[ 22.116872]  bpf_clone_redirect+0x2a7/0x2b0
[ 22.121279]  ? __bpf_redirect+0xa30/0xa30
[ 22.125533]  ___bpf_prog_run+0x2478/0x5510
[ 22.131333]  ? lock_downgrade+0x5d0/0x5d0
[ 22.135484]  ? lock_acquire+0x12b/0x360
[ 22.139474]  ? bpf_jit_compile+0x30/0x30
[ 22.143954]  ? __bpf_prog_run512+0x99/0xe0
[ 22.148291]  ? ___bpf_prog_run+0x5510/0x5510
[ 22.152716]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[ 22.158048]  ? trace_hardirqs_on_caller+0x37b/0x540
[ 22.163770]  ? __lock_acquire+0x5d7/0x4320
[ 22.168112]  ? __lock_acquire+0x5d7/0x4320
[ 22.172478]  ? __kasan_kmalloc.part.0+0x8a/0xc0
[ 22.177148]  ? trace_hardirqs_on+0x10/0x10
[ 22.181382]  ? __lock_acquire+0x5d7/0x4320
[ 22.185648]  ? bpf_test_run+0x42/0x340
[ 22.189546]  ? lock_acquire+0x12b/0x360
[ 22.193740]  ? bpf_test_run+0x13a/0x340
[ 22.197850]  ? check_preemption_disabled+0x35/0x1f0
[ 22.203179]  ? rcu_dynticks_curr_cpu_in_eqs+0x4c/0xa0
[ 22.208516]  ? bpf_test_run+0xa8/0x340
[ 22.212430]  ? bpf_prog_test_run_skb+0x638/0x8c0
[ 22.217170]  ? bpf_test_init.isra.0+0xc0/0xc0
[ 22.221806]  ? bpf_prog_add+0x53/0xc0
[ 22.225609]  ? bpf_test_init.isra.0+0xc0/0xc0
[ 22.230104]  ? SyS_bpf+0xa3b/0x3830
[ 22.233824]  ? bpf_prog_get+0x20/0x20
[ 22.238745]  ? __do_page_fault+0x49f/0xbb0
[ 22.243388]  ? lock_downgrade+0x5d0/0x5d0
[ 22.247638]  ? __do_page_fault+0x677/0xbb0
[ 22.251998]  ? do_syscall_64+0x43/0x520
[ 22.256076]  ? bpf_prog_get+0x20/0x20
[ 22.259886]  ? do_syscall_64+0x19b/0x520
[ 22.264396]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 22.270171]
[ 22.271796] Allocated by task 1773:
[ 22.275410]  __kasan_kmalloc.part.0+0x53/0xc0
[ 22.279890]  kmem_cache_alloc+0xd2/0x2e0
[ 22.283949]  __alloc_skb+0xea/0x5c0
[ 22.287710]  sock_wmalloc+0xb6/0x110
[ 22.291429]  unix_stream_connect+0x1e4/0x11c0
[ 22.295907]  SyS_connect+0x19b/0x280
[ 22.299737]  do_syscall_64+0x19b/0x520
[ 22.303622]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 22.309773]  0xffffffffffffffff
[ 22.313269]
[ 22.314991] Freed by task 1773:
[ 22.318272]  __kasan_slab_free+0x164/0x210
[ 22.322639]  kmem_cache_free+0xcb/0x340
[ 22.327938]  kfree_skbmem+0xa0/0x110
[ 22.331645]  kfree_skb+0xeb/0x370
[ 22.335240]  unix_stream_connect+0x1043/0x11c0
[ 22.339824]  SyS_connect+0x19b/0x280
[ 22.343644]  do_syscall_64+0x19b/0x520
[ 22.347613]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 22.353066]  0xffffffffffffffff
[ 22.356337]
[ 22.357953] The buggy address belongs to the object at ffff8881d394a3c0
[ 22.357953]  which belongs to the cache skbuff_head_cache of size 224
[ 22.371719] The buggy address is located 144 bytes inside of
[ 22.371719]  224-byte region [ffff8881d394a3c0, ffff8881d394a4a0)
[ 22.384028] The buggy address belongs to the page:
[ 22.389078] page:ffffea00074e5280 count:1 mapcount:0 mapping: (null) index:0x0
[ 22.397622] flags: 0x4000000000000200(slab)
[ 22.401944] raw: 4000000000000200 0000000000000000 0000000000000000 00000001800c000c
[ 22.409925] raw: ffffea0007558800 0000000500000005 ffff8881dab70200 0000000000000000
[ 22.417801] page dumped because: kasan: bad access detected
[ 22.423704]
[ 22.425434] Memory state around the buggy address:
[ 22.430513]  ffff8881d394a300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 22.437873]  ffff8881d394a380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 22.445230] >ffff8881d394a400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.452591]                                                  ^
[ 22.458662]  ffff8881d394a480: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.468246]  ffff8881d394a500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.475716] ==================================================================
[ 22.483295] Disabling lock debugging due to kernel taint
[ 22.489455] Kernel panic - not syncing: panic_on_warn set ...
[ 22.489455]
[ 22.496931] CPU: 0 PID: 1777 Comm: syz-executor948 Tainted: G B 4.14.140+ #39
[ 22.505457] Call Trace:
[ 22.508043]  dump_stack+0xca/0x134
[ 22.511691]  panic+0x1ea/0x3d3
[ 22.515216]  ? add_taint.cold+0x16/0x16
[ 22.519331]  ? retint_kernel+0x2d/0x2d
[ 22.523222]  ? bpf_clone_redirect+0x2a7/0x2b0
[ 22.527717]  ? __bpf_redirect+0xa30/0xa30
[ 22.531857]  end_report+0x43/0x49
[ 22.535300]  ? bpf_clone_redirect+0x2a7/0x2b0
[ 22.539901]  __kasan_report.cold+0xd/0x41
[ 22.544229]  ? bpf_clone_redirect+0x2a7/0x2b0
[ 22.549311]  bpf_clone_redirect+0x2a7/0x2b0
[ 22.553628]  ? __bpf_redirect+0xa30/0xa30
[ 22.557848]  ___bpf_prog_run+0x2478/0x5510
[ 22.562364]  ? lock_downgrade+0x5d0/0x5d0
[ 22.566605]  ? lock_acquire+0x12b/0x360
[ 22.571138]  ? bpf_jit_compile+0x30/0x30
[ 22.575206]  ? __bpf_prog_run512+0x99/0xe0
[ 22.579507]  ? ___bpf_prog_run+0x5510/0x5510
[ 22.584015]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[ 22.589125]  ? trace_hardirqs_on_caller+0x37b/0x540
[ 22.594276]  ? __lock_acquire+0x5d7/0x4320
[ 22.598504]  ? __lock_acquire+0x5d7/0x4320
[ 22.602722]  ? __kasan_kmalloc.part.0+0x8a/0xc0
[ 22.607623]  ? trace_hardirqs_on+0x10/0x10
[ 22.612521]  ? __lock_acquire+0x5d7/0x4320
[ 22.616763]  ? bpf_test_run+0x42/0x340
[ 22.620646]  ? lock_acquire+0x12b/0x360
[ 22.624717]  ? bpf_test_run+0x13a/0x340
[ 22.628691]  ? check_preemption_disabled+0x35/0x1f0
[ 22.633717]  ? rcu_dynticks_curr_cpu_in_eqs+0x4c/0xa0
[ 22.638895]  ? bpf_test_run+0xa8/0x340
[ 22.643313]  ? bpf_prog_test_run_skb+0x638/0x8c0
[ 22.648190]  ? bpf_test_init.isra.0+0xc0/0xc0
[ 22.653080]  ? bpf_prog_add+0x53/0xc0
[ 22.656884]  ? bpf_test_init.isra.0+0xc0/0xc0
[ 22.661426]  ? SyS_bpf+0xa3b/0x3830
[ 22.665125]  ? bpf_prog_get+0x20/0x20
[ 22.668926]  ? __do_page_fault+0x49f/0xbb0
[ 22.673241]  ? lock_downgrade+0x5d0/0x5d0
[ 22.678081]  ? __do_page_fault+0x677/0xbb0
[ 22.683029]  ? do_syscall_64+0x43/0x520
[ 22.687079]  ? bpf_prog_get+0x20/0x20
[ 22.691049]  ? do_syscall_64+0x19b/0x520
[ 22.695101]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 22.701625] Kernel Offset: 0xa400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 22.712678] Rebooting in 86400 seconds..