[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   18.675249] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[   22.197143] random: sshd: uninitialized urandom read (32 bytes read)
[   22.628084] random: sshd: uninitialized urandom read (32 bytes read)
[   23.367683] random: sshd: uninitialized urandom read (32 bytes read)
[   35.678133] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.21' (ECDSA) to the list of known hosts.
[   41.061284] random: sshd: uninitialized urandom read (32 bytes read)
2018/05/26 20:25:40 parsed 1 programs
2018/05/26 20:25:40 executed programs: 0
[   41.545820] IPVS: ftp: loaded support on port[0] = 21
[   41.664477] bridge0: port 1(bridge_slave_0) entered blocking state
[   41.670933] bridge0: port 1(bridge_slave_0) entered disabled state
[   41.678145] device bridge_slave_0 entered promiscuous mode
[   41.694243] bridge0: port 2(bridge_slave_1) entered blocking state
[   41.700610] bridge0: port 2(bridge_slave_1) entered disabled state
[   41.707519] device bridge_slave_1 entered promiscuous mode
[   41.721865] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   41.736730] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   41.775045] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   41.791760] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   41.848722] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   41.855884] team0: Port device team_slave_0 added
[   41.869239] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   41.876308] team0: Port device team_slave_1 added
[   41.890016] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   41.905449] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   41.920705] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   41.937528] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   42.043500] bridge0: port 2(bridge_slave_1) entered blocking state
[   42.049933] bridge0: port 2(bridge_slave_1) entered forwarding state
[   42.056720] bridge0: port 1(bridge_slave_0) entered blocking state
[   42.063064] bridge0: port 1(bridge_slave_0) entered forwarding state
[   42.444483] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   42.450587] 8021q: adding VLAN 0 to HW filter on device bond0
[   42.492452] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   42.532347] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   42.539643] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   42.573969] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   42.580084] 8021q: adding VLAN 0 to HW filter on device team0
[   42.616226] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   42.819711] ==================================================================
[   42.827148] BUG: KASAN: use-after-free in nla_strlcpy+0x13d/0x150
[   42.833360] Read of size 1 at addr ffff8801d310d05d by task syz-executor0/4737
[   42.840699]
[   42.842311] CPU: 0 PID: 4737 Comm: syz-executor0 Not tainted 4.17.0-rc6+ #93
[   42.849471] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   42.858802] Call Trace:
[   42.861375]  dump_stack+0x1b9/0x294
[   42.864993]  ? dump_stack_print_info.cold.2+0x52/0x52
[   42.870160]  ? printk+0x9e/0xba
[   42.873429]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   42.878171]  ? kasan_check_write+0x14/0x20
[   42.882385]  print_address_description+0x6c/0x20b
[   42.887214]  ? nla_strlcpy+0x13d/0x150
[   42.891081]  kasan_report.cold.7+0x242/0x2fe
[   42.895471]  __asan_report_load1_noabort+0x14/0x20
[   42.900383]  nla_strlcpy+0x13d/0x150
[   42.904079]  nfnl_acct_new+0x574/0xc50
[   42.907945]  ? nfnl_acct_overquota+0x380/0x380
[   42.912509]  ? debug_check_no_locks_freed+0x310/0x310
[   42.917679]  ? graph_lock+0x170/0x170
[   42.921462]  ? print_usage_bug+0xc0/0xc0
[   42.925508]  ? get_futex_key+0xf83/0x1e90
[   42.929644]  ? find_held_lock+0x36/0x1c0
[   42.933683]  ? graph_lock+0x170/0x170
[   42.937550]  ? lock_downgrade+0x8e0/0x8e0
[   42.941680]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   42.947197]  ? __lock_is_held+0xb5/0x140
[   42.951241]  ? nfnl_acct_overquota+0x380/0x380
[   42.955800]  nfnetlink_rcv_msg+0xdb5/0xff0
[   42.960014]  ? __lock_is_held+0xb5/0x140
[   42.964060]  ? __sanitizer_cov_trace_cmp1+0x17/0x20
[   42.969063]  ? nfnetlink_rcv_msg+0x3bc/0xff0
[   42.973454]  ? nfnetlink_bind+0x3a0/0x3a0
[   42.977583]  ? graph_lock+0x170/0x170
[   42.981359]  ? find_held_lock+0x36/0x1c0
[   42.985399]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   42.990917]  netlink_rcv_skb+0x172/0x440
[   42.994964]  ? nfnetlink_bind+0x3a0/0x3a0
[   42.999092]  ? netlink_ack+0xbc0/0xbc0
[   43.002959]  ? __netlink_ns_capable+0x100/0x130
[   43.007610]  nfnetlink_rcv+0x1fe/0x1ba0
[   43.011564]  ? kasan_check_read+0x11/0x20
[   43.015694]  ? rcu_is_watching+0x85/0x140
[   43.019822]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   43.024993]  ? nfnl_err_reset+0x2d0/0x2d0
[   43.029120]  ? netlink_remove_tap+0x610/0x610
[   43.033594]  ? refcount_add_not_zero+0x320/0x320
[   43.038329]  ? kasan_check_read+0x11/0x20
[   43.042455]  ? rcu_is_watching+0x85/0x140
[   43.046585]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   43.051753]  ? netlink_skb_destructor+0x210/0x210
[   43.056572]  ? kasan_check_write+0x14/0x20
[   43.060785]  netlink_unicast+0x58b/0x740
[   43.064830]  ? netlink_attachskb+0x970/0x970
[   43.069219]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   43.074741]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   43.079744]  ? security_netlink_send+0x88/0xb0
[   43.084305]  netlink_sendmsg+0x9f0/0xfa0
[   43.088347]  ? netlink_unicast+0x740/0x740
[   43.092560]  ? pud_val+0x80/0xf0
[   43.095908]  ? security_socket_sendmsg+0x94/0xc0
[   43.100641]  ? netlink_unicast+0x740/0x740
[   43.104943]  sock_sendmsg+0xd5/0x120
[   43.108636]  sock_write_iter+0x35a/0x5a0
[   43.112677]  ? sock_sendmsg+0x120/0x120
[   43.116642]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   43.121397]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   43.126917]  ? iov_iter_init+0xc9/0x1f0
[   43.130877]  __vfs_write+0x64d/0x960
[   43.134578]  ? kernel_read+0x120/0x120
[   43.138457]  ? handle_mm_fault+0x8c0/0xc70
[   43.142678]  ? rw_verify_area+0x118/0x360
[   43.146816]  vfs_write+0x1f8/0x560
[   43.150342]  ksys_write+0xf9/0x250
[   43.153866]  ? __ia32_sys_read+0xb0/0xb0
[   43.157918]  ? mm_fault_error+0x380/0x380
[   43.162056]  __ia32_sys_write+0x71/0xb0
[   43.166033]  do_fast_syscall_32+0x345/0xf9b
[   43.170354]  ? do_int80_syscall_32+0x880/0x880
[   43.174929]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   43.179674]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   43.185196]  ? syscall_return_slowpath+0x30f/0x5c0
[   43.190114]  ? sysret32_from_system_call+0x5/0x46
[   43.194950]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   43.199778]  entry_SYSENTER_compat+0x70/0x7f
[   43.204165] RIP: 0023:0xf7f02cb9
[   43.207507] RSP: 002b:000000000845e91c EFLAGS: 00000202 ORIG_RAX: 0000000000000004
[   43.215200] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020390000
[   43.222450] RDX: 000000000000001f RSI: 0000000000000000 RDI: 0000000000000000
[   43.229698] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   43.236949] R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
[   43.244208] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   43.251468]
[   43.253074] Allocated by task 4646:
[   43.256683]  save_stack+0x43/0xd0
[   43.260120]  kasan_kmalloc+0xc4/0xe0
[   43.263811]  __kmalloc_node_track_caller+0x47/0x70
[   43.268721]  __kmalloc_reserve.isra.38+0x3a/0xe0
[   43.273455]  __alloc_skb+0x14d/0x780
[   43.277153]  netlink_ack+0x2d7/0xbc0
[   43.280844]  netlink_rcv_skb+0x35d/0x440
[   43.284886]  rtnetlink_rcv+0x1c/0x20
[   43.288581]  netlink_unicast+0x58b/0x740
[   43.292622]  netlink_sendmsg+0x9f0/0xfa0
[   43.296672]  sock_sendmsg+0xd5/0x120
[   43.300371]  __sys_sendto+0x3d7/0x670
[   43.304149]  __x64_sys_sendto+0xe1/0x1a0
[   43.308192]  do_syscall_64+0x1b1/0x800
[   43.312061]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   43.317221]
[   43.318826] Freed by task 4646:
[   43.322093]  save_stack+0x43/0xd0
[   43.325528]  __kasan_slab_free+0x11a/0x170
[   43.329745]  kasan_slab_free+0xe/0x10
[   43.333524]  kfree+0xd9/0x260
[   43.336610]  skb_free_head+0x99/0xc0
[   43.340302]  skb_release_data+0x690/0x860
[   43.344429]  skb_release_all+0x4a/0x60
[   43.348297]  consume_skb+0x18b/0x550
[   43.351997]  skb_free_datagram+0x1a/0xf0
[   43.356049]  netlink_recvmsg+0x6fe/0x1450
[   43.360185]  sock_recvmsg+0xd0/0x110
[   43.363886]  ___sys_recvmsg+0x2b6/0x680
[   43.367840]  __sys_recvmsg+0x112/0x260
[   43.371707]  __x64_sys_recvmsg+0x78/0xb0
[   43.375749]  do_syscall_64+0x1b1/0x800
[   43.379618]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   43.384781]
[   43.386398] The buggy address belongs to the object at ffff8801d310d000
[   43.386398]  which belongs to the cache kmalloc-512 of size 512
[   43.399038] The buggy address is located 93 bytes inside of
[   43.399038]  512-byte region [ffff8801d310d000, ffff8801d310d200)
[   43.410917] The buggy address belongs to the page:
[   43.415827] page:ffffea00074c4340 count:1 mapcount:0 mapping:ffff8801d310d000 index:0x0
[   43.423959] flags: 0x2fffc0000000100(slab)
[   43.428176] raw: 02fffc0000000100 ffff8801d310d000 0000000000000000 0000000100000006
[   43.436045] raw: ffffea00074d8960 ffffea00074c43a0 ffff8801da800940 0000000000000000
[   43.443901] page dumped because: kasan: bad access detected
[   43.449585]
[   43.451194] Memory state around the buggy address:
[   43.456112]  ffff8801d310cf00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   43.463451]  ffff8801d310cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   43.470788] >ffff8801d310d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.478135]                                                     ^
[   43.484348]  ffff8801d310d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.491689]  ffff8801d310d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.499030] ==================================================================
[   43.506368] Disabling lock debugging due to kernel taint
[   43.512368] Kernel panic - not syncing: panic_on_warn set ...
[   43.512368]
[   43.519744] CPU: 0 PID: 4737 Comm: syz-executor0 Tainted: G B 4.17.0-rc6+ #93
[   43.528303] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.537634] Call Trace:
[   43.540225]  dump_stack+0x1b9/0x294
[   43.543837]  ? dump_stack_print_info.cold.2+0x52/0x52
[   43.549007]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   43.553762]  ? nla_strlcpy+0x70/0x150
[   43.557543]  panic+0x22f/0x4de
[   43.560716]  ? add_taint.cold.5+0x16/0x16
[   43.564843]  ? do_raw_spin_unlock+0x9e/0x2e0
[   43.569232]  ? do_raw_spin_unlock+0x9e/0x2e0
[   43.573626]  ? nla_strlcpy+0x13d/0x150
[   43.577493]  kasan_end_report+0x47/0x4f
[   43.581444]  kasan_report.cold.7+0x76/0x2fe
[   43.585746]  __asan_report_load1_noabort+0x14/0x20
[   43.590651]  nla_strlcpy+0x13d/0x150
[   43.594347]  nfnl_acct_new+0x574/0xc50
[   43.598211]  ? nfnl_acct_overquota+0x380/0x380
[   43.602779]  ? debug_check_no_locks_freed+0x310/0x310
[   43.607947]  ? graph_lock+0x170/0x170
[   43.611726]  ? print_usage_bug+0xc0/0xc0
[   43.615767]  ? get_futex_key+0xf83/0x1e90
[   43.619898]  ? find_held_lock+0x36/0x1c0
[   43.623940]  ? graph_lock+0x170/0x170
[   43.627719]  ? lock_downgrade+0x8e0/0x8e0
[   43.631847]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   43.637362]  ? __lock_is_held+0xb5/0x140
[   43.641421]  ? nfnl_acct_overquota+0x380/0x380
[   43.645980]  nfnetlink_rcv_msg+0xdb5/0xff0
[   43.650196]  ? __lock_is_held+0xb5/0x140
[   43.654242]  ? __sanitizer_cov_trace_cmp1+0x17/0x20
[   43.659244]  ? nfnetlink_rcv_msg+0x3bc/0xff0
[   43.663634]  ? nfnetlink_bind+0x3a0/0x3a0
[   43.667759]  ? graph_lock+0x170/0x170
[   43.671540]  ? find_held_lock+0x36/0x1c0
[   43.675584]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   43.681102]  netlink_rcv_skb+0x172/0x440
[   43.685148]  ? nfnetlink_bind+0x3a0/0x3a0
[   43.689274]  ? netlink_ack+0xbc0/0xbc0
[   43.693141]  ? __netlink_ns_capable+0x100/0x130
[   43.697787]  nfnetlink_rcv+0x1fe/0x1ba0
[   43.701742]  ? kasan_check_read+0x11/0x20
[   43.705868]  ? rcu_is_watching+0x85/0x140
[   43.709992]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   43.715164]  ? nfnl_err_reset+0x2d0/0x2d0
[   43.719304]  ? netlink_remove_tap+0x610/0x610
[   43.723782]  ? refcount_add_not_zero+0x320/0x320
[   43.728516]  ? kasan_check_read+0x11/0x20
[   43.732642]  ? rcu_is_watching+0x85/0x140
[   43.736769]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   43.741939]  ? netlink_skb_destructor+0x210/0x210
[   43.746767]  ? kasan_check_write+0x14/0x20
[   43.750984]  netlink_unicast+0x58b/0x740
[   43.755038]  ? netlink_attachskb+0x970/0x970
[   43.759432]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   43.764947]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   43.769943]  ? security_netlink_send+0x88/0xb0
[   43.774504]  netlink_sendmsg+0x9f0/0xfa0
[   43.778552]  ? netlink_unicast+0x740/0x740
[   43.782764]  ? pud_val+0x80/0xf0
[   43.786114]  ? security_socket_sendmsg+0x94/0xc0
[   43.790849]  ? netlink_unicast+0x740/0x740
[   43.795063]  sock_sendmsg+0xd5/0x120
[   43.798762]  sock_write_iter+0x35a/0x5a0
[   43.802800]  ? sock_sendmsg+0x120/0x120
[   43.806753]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   43.811492]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   43.817014]  ? iov_iter_init+0xc9/0x1f0
[   43.820977]  __vfs_write+0x64d/0x960
[   43.824668]  ? kernel_read+0x120/0x120
[   43.828536]  ? handle_mm_fault+0x8c0/0xc70
[   43.832748]  ? rw_verify_area+0x118/0x360
[   43.836875]  vfs_write+0x1f8/0x560
[   43.840395]  ksys_write+0xf9/0x250
[   43.843915]  ? __ia32_sys_read+0xb0/0xb0
[   43.847954]  ? mm_fault_error+0x380/0x380
[   43.852080]  __ia32_sys_write+0x71/0xb0
[   43.856041]  do_fast_syscall_32+0x345/0xf9b
[   43.860349]  ? do_int80_syscall_32+0x880/0x880
[   43.864910]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   43.869647]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   43.875165]  ? syscall_return_slowpath+0x30f/0x5c0
[   43.880078]  ? sysret32_from_system_call+0x5/0x46
[   43.884898]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   43.889720]  entry_SYSENTER_compat+0x70/0x7f
[   43.894105] RIP: 0023:0xf7f02cb9
[   43.897445] RSP: 002b:000000000845e91c EFLAGS: 00000202 ORIG_RAX: 0000000000000004
[   43.905130] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020390000
[   43.912374] RDX: 000000000000001f RSI: 0000000000000000 RDI: 0000000000000000
[   43.919621] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   43.926873] R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
[   43.934120] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   43.941830] Dumping ftrace buffer:
[   43.945350]    (ftrace buffer empty)
[   43.949032] Kernel Offset: disabled
[   43.952635] Rebooting in 86400 seconds..