[ 13.529716] rsyslogd (2986) used greatest stack depth: 14504 bytes left [ ok ]. [....] Starting periodic command scheduler: cron[ ok ]. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[ ok ]. [....] Starting OpenBSD Secure Shell server: sshd[ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 20.251477] audit: type=1400 audit(1513635311.479:6): avc: denied { map } for pid=3136 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added 'ci-upstream-mmots-kasan-gce-2,10.128.15.240' (ECDSA) to the list of known hosts. 2017/12/18 22:15:17 fuzzer started [ 26.554462] audit: type=1400 audit(1513635317.782:7): avc: denied { map } for pid=3147 comm="syz-fuzzer" path="/root/syz-fuzzer" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 2017/12/18 22:15:17 dialing manager at 10.128.0.26:32873 2017/12/18 22:15:20 kcov=true, comps=true [ 29.419379] audit: type=1400 audit(1513635320.647:8): avc: denied { map } for pid=3147 comm="syz-fuzzer" path="/sys/kernel/debug/kcov" dev="debugfs" ino=8892 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1 2017/12/18 22:15:21 executing program 7: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = memfd_create(&(0x7f00004f7000-0x2)='-\x00', 0x0) mmap(&(0x7f0000000000/0xaa2000)=nil, 0xaa2000, 0x9, 0x11, r0, 0x0) rt_sigaction(0x7, &(0x7f0000ad9000)={0x42ee54, {0x400003ffffffe}, 0x0, 0x0}, &(0x7f0000255000-0x20)={0x0, {0x0}, 0x0, 0x0}, 0x8, &(0x7f0000237000)={0x0}) syz_open_dev$evdev(&(0x7f00009e9000-0x12)='/dev/input/event#\x00', 0x0, 0x0) 2017/12/18 22:15:21 executing program 3: 
mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x100000003, 0x10000000003) r1 = socket$inet(0x2, 0x3, 0x4) r2 = syz_open_dev$tun(&(0x7f0000e9b000+0x18a)='/dev/net/tun\x00', 0x0, 0x20001) r3 = fcntl$dupfd(r2, 0x0, r0) ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000a5b000-0x28)={@common='gre0\x00', @ifru_names=@generic="4f54000cc0a1ed4f3a0a1fdc222073b5"}) r4 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$sock_inet_SIOCSIFADDR(r4, 0x8916, &(0x7f00007ff000)={@common='gre0\x00', @ifru_addrs={0x2, 0x0, @local={0xac, 0x14, 0x0, 0xaa}, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}}) r5 = socket$inet(0x2, 0x8000000000000003, 0x2) setsockopt$inet_mreqn(r5, 0x0, 0x27, &(0x7f0000939000-0xc)={@multicast1=0xe0000001, @local={0xac, 0x14, 0x0, 0xaa}, 0x0}, 0xc) setsockopt$inet_msfilter(r5, 0x0, 0x29, &(0x7f0000a27000-0x2c)={@multicast1=0xe0000001, @local={0xac, 0x14, 0x0, 0xaa}, 0x0, 0x0, []}, 0x10) ioctl$sock_inet_SIOCSIFFLAGS(r1, 0x8914, &(0x7f0000630000-0x20)={@common='gre0\x00', @ifru_flags=0x301}) write$tun(r3, &(0x7f0000baa000)=@hdr={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @ipv4={{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x2, 0x0, @rand_addr=0x0, @multicast1=0xe0000001, {[]}}, @udp={0x0, 0x0, 0x8, 0x0, ""}}}, 0x26) 2017/12/18 22:15:21 executing program 4: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket(0xa, 0x3, 0x2) ioctl$fiemap(0xffffffffffffffff, 0xc020660b, &(0x7f0000000000)={0x0, 0xffffffff, 0x43, 0x2, 0x0, []}) ioctl(r0, 0x8916, &(0x7f0000000000)="") ioctl(r0, 0x8936, &(0x7f0000000000)="") 2017/12/18 22:15:21 executing program 5: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) timer_create(0xfffffffffffffff8, &(0x7f0000004000-0x60)={0x0, 0x40, 0x3, @thr={&(0x7f00005c5000)="", &(0x7f00007fc000)=""}, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, &(0x7f0000f87000-0x4)=0x0) r0 = syz_open_procfs(0x0, &(0x7f0000055000-0x7)='timers\x00') pread64(r0, 
&(0x7f0000acc000)=""/0, 0x0, 0x104000019) 2017/12/18 22:15:21 executing program 0: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, &(0x7f0000fc7000)={0x5, 0x100000000000029, 0x6d47, 0x43, 0x0, 0x0, 0x0}, 0x1c) fgetxattr(0xffffffffffffffff, &(0x7f00007ee000-0xb)=@random={'security.\x00', '\x00'}, &(0x7f000028e000)=""/73, 0x49) 2017/12/18 22:15:21 executing program 6: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) syz_emit_ethernet(0x4e, &(0x7f0000553000)={@random="efad01006da7", @empty=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0], [], {{0x800, @ipv4={{0x5, 0x4, 0x0, 0x0, 0x40, 0x0, 0x0, 0x0, 0x1, 0x0, @remote={0xac, 0x14, 0x0, 0xbb}, @local={0xac, 0x14, 0x0, 0xaa}, {[]}}, @icmp=@redirect={0x5, 0x0, 0x0, @empty=0x0, {0x9, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x29, 0x0, @broadcast=0xffffffff, @empty=0x0, {[@lsrr={0x83, 0xf, 0x0, [@broadcast=0xffffffff, @rand_addr=0x2, @broadcast=0xffffffff]}]}}, ""}}}}}, 0x0) 2017/12/18 22:15:21 executing program 1: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$TTUNGETFILTER(0xffffffffffffffff, 0x801054db, &(0x7f0000790000-0xb6)=""/182) perf_event_open(&(0x7f0000271000)={0x2, 0x78, 0x46, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0, 0x0, 0xffffffffffffffff, 0x0) migrate_pages(0x0, 0x2, &(0x7f00000db000-0x8)=0x0, &(0x7f0000476000)=0x0) 2017/12/18 22:15:21 executing program 2: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x3, 0x0, &(0x7f00007e5000)={0xffffffffffffffff, 0xffffffffffffffff}) sendmmsg$unix(r0, &(0x7f0000129000)=[], 0x0, 0x0) [ 30.696471] audit: type=1400 audit(1513635321.924:9): avc: denied { map } for pid=3147 comm="syz-fuzzer" path="/root/syzkaller-shm547992504" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 
tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1 [ 31.931279] audit: type=1400 audit(1513635323.158:10): avc: denied { sys_admin } for pid=3191 comm="syz-executor7" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 32.077733] audit: type=1400 audit(1513635323.305:11): avc: denied { sys_chroot } for pid=3373 comm="syz-executor7" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 2017/12/18 22:15:23 executing program 0: 2017/12/18 22:15:23 executing program 0: 2017/12/18 22:15:23 executing program 7: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = memfd_create(&(0x7f00004f7000-0x2)='-\x00', 0x0) mmap(&(0x7f0000000000/0xaa2000)=nil, 0xaa2000, 0x9, 0x11, r0, 0x0) rt_sigaction(0x7, &(0x7f0000ad9000)={0x42ee54, {0x400003ffffffe}, 0x0, 0x0}, &(0x7f0000255000-0x20)={0x0, {0x0}, 0x0, 0x0}, 0x8, &(0x7f0000237000)={0x0}) syz_open_dev$evdev(&(0x7f00009e9000-0x12)='/dev/input/event#\x00', 0x0, 0x0) 2017/12/18 22:15:23 executing program 6: [ 32.112483] audit: type=1400 audit(1513635323.340:12): avc: denied { map_create } for pid=3398 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1 [ 32.136251] audit: type=1400 audit(1513635323.340:13): avc: denied { map } for pid=3395 comm="syz-executor7" path=2F6D656D66643A2D202864656C6574656429 dev="tmpfs" ino=11155 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file permissive=1 2017/12/18 22:15:23 executing program 0: 2017/12/18 22:15:23 executing program 7: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = memfd_create(&(0x7f00004f7000-0x2)='-\x00', 0x0) 
mmap(&(0x7f0000000000/0xaa2000)=nil, 0xaa2000, 0x9, 0x11, r0, 0x0) rt_sigaction(0x7, &(0x7f0000ad9000)={0x42ee54, {0x400003ffffffe}, 0x0, 0x0}, &(0x7f0000255000-0x20)={0x0, {0x0}, 0x0, 0x0}, 0x8, &(0x7f0000237000)={0x0}) syz_open_dev$evdev(&(0x7f00009e9000-0x12)='/dev/input/event#\x00', 0x0, 0x0) 2017/12/18 22:15:23 executing program 6: 2017/12/18 22:15:23 executing program 6: 2017/12/18 22:15:23 executing program 1: [ 32.151738] device gre0 entered promiscuous mode [ 32.258494] audit: type=1400 audit(1513635323.340:14): avc: denied { net_raw } for pid=3397 comm="syz-executor3" capability=13 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 2017/12/18 22:15:23 executing program 3: mmap(&(0x7f0000000000/0xffc000)=nil, 0xffc000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ffc000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) socket$inet6_dccp(0xa, 0x6, 0x0) r0 = openat$rtc(0xffffffffffffff9c, &(0x7f0000ffc000)='/dev/rtc\x00', 0xc0, 0x0) mmap(&(0x7f0000ffc000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ffc000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) socket$inet_icmp(0x2, 0x2, 0x1) getpeername$netlink(r0, &(0x7f0000274000)={0x0, 0x0, 0x0, 0x0}, &(0x7f0000b35000-0x4)=0xc) ioctl$KVM_CREATE_DEVICE(0xffffffffffffffff, 0xc00caee0, &(0x7f0000ffd000-0xc)={0x3, 0xffffffffffffffff, 0x1}) renameat2(r0, &(0x7f0000ffc000)='./file0\x00', r1, &(0x7f0000136000-0x8)='./file0\x00', 0x1) bpf$PROG_LOAD(0x5, &(0x7f0000f9c000-0x30)={0x1, 0x2, &(0x7f0000b67000-0x10)=[@generic={0xb61, 0x1000000f510, 0x2c, 0x0}, @generic={0x9595, 0x0, 0x0, 0x0}], &(0x7f000015a000)='$nodevsystem&*GPLwlan0}eth1nodev]\x00', 0x40, 0x80, &(0x7f0000b62000-0x80)=""/128, 0x0, 0x0}, 0x30) [ 32.284724] audit: type=1400 audit(1513635323.340:15): avc: denied { net_admin } for pid=3397 comm="syz-executor3" capability=12 
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 32.328258] audit: type=1400 audit(1513635323.555:16): avc: denied { dac_override } for pid=3426 comm="syz-executor5" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 32.328404] ================================================================== [ 32.328446] BUG: KASAN: global-out-of-bounds in show_timer+0x278/0x2b0 [ 32.328454] Read of size 8 at addr ffffffff85742fb8 by task syz-executor5/3428 [ 32.328459] [ 32.328470] CPU: 0 PID: 3428 Comm: syz-executor5 Not tainted 4.15.0-rc2-mm1+ #39 [ 32.328477] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.328483] Call Trace: [ 32.328501] dump_stack+0x194/0x257 [ 32.328516] ? arch_local_irq_restore+0x53/0x53 [ 32.328532] ? show_regs_print_info+0x18/0x18 [ 32.328547] ? seq_printf+0xb3/0xe0 [ 32.328561] ? show_timer+0x278/0x2b0 [ 32.328576] print_address_description+0x178/0x250 [ 32.328587] ? show_timer+0x278/0x2b0 [ 32.328599] kasan_report+0x25b/0x340 [ 32.328621] __asan_report_load8_noabort+0x14/0x20 [ 32.328630] show_timer+0x278/0x2b0 [ 32.328639] ? timers_start+0x14c/0x1c0 [ 32.328655] traverse+0x248/0xa00 [ 32.328679] ? seq_hlist_next+0xc0/0xc0 [ 32.328706] seq_read+0x96a/0x13d0 [ 32.328741] ? __fget+0x362/0x580 [ 32.328753] ? seq_lseek+0x3c0/0x3c0 [ 32.328789] ? seq_lseek+0x3c0/0x3c0 [ 32.328801] __vfs_read+0xef/0xa00 [ 32.328813] ? fsnotify+0x7b3/0x1140 [ 32.328828] ? vfs_copy_file_range+0x960/0x960 [ 32.328847] ? fsnotify_first_mark+0x2b0/0x2b0 [ 32.328866] ? avc_policy_seqno+0x9/0x20 [ 32.328877] ? selinux_file_permission+0x82/0x460 [ 32.328895] ? security_file_permission+0x89/0x1f0 [ 32.328911] ? rw_verify_area+0xe5/0x2b0 [ 32.328927] vfs_read+0x124/0x360 [ 32.328946] SyS_pread64+0x161/0x190 [ 32.328959] ? 
SyS_write+0x220/0x220 [ 32.328974] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 32.328992] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 32.329021] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 32.329030] RIP: 0033:0x452a09 [ 32.329036] RSP: 002b:00007f51d7d1ec58 EFLAGS: 00000212 ORIG_RAX: 0000000000000011 [ 32.329050] RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452a09 [ 32.329056] RDX: 0000000000000000 RSI: 0000000020acc000 RDI: 0000000000000013 [ 32.329063] RBP: 00000000000005bf R08: 0000000000000000 R09: 0000000000000000 [ 32.329070] R10: 0000000104000019 R11: 0000000000000212 R12: 00000000006f5a88 [ 32.329076] R13: 00000000ffffffff R14: 00007f51d7d1f6d4 R15: 0000000000000000 [ 32.329108] [ 32.329113] The buggy address belongs to the variable: [ 32.329124] nstr.44378+0x18/0x40 [ 32.329128] [ 32.329133] Memory state around the buggy address: [ 32.329143] ffffffff85742e80: fa fa fa fa 00 06 fa fa fa fa fa fa 07 fa fa fa [ 32.329151] ffffffff85742f00: fa fa fa fa 05 fa fa fa fa fa fa fa 07 fa fa fa [ 32.329158] >ffffffff85742f80: fa fa fa fa 00 00 00 fa fa fa fa fa 00 fa fa fa [ 32.329164] ^ [ 32.329172] ffffffff85743000: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00 [ 32.329180] ffffffff85743080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 32.329184] ================================================================== [ 32.329188] Disabling lock debugging due to kernel taint [ 32.329192] Kernel panic - not syncing: panic_on_warn set ... [ 32.329192] [ 32.329200] CPU: 0 PID: 3428 Comm: syz-executor5 Tainted: G B 4.15.0-rc2-mm1+ #39 [ 32.329204] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.329206] Call Trace: [ 32.329213] dump_stack+0x194/0x257 [ 32.329223] ? arch_local_irq_restore+0x53/0x53 [ 32.329231] ? vprintk_default+0x28/0x30 [ 32.329241] ? vsnprintf+0x1ed/0x1900 [ 32.329249] ? show_timer+0x1e0/0x2b0 [ 32.329259] panic+0x1e4/0x41c [ 32.329266] ? refcount_error_report+0x214/0x214 [ 32.329277] ? 
add_taint+0x40/0x50 [ 32.329284] ? add_taint+0x1c/0x50 [ 32.329292] ? show_timer+0x278/0x2b0 [ 32.329300] kasan_end_report+0x50/0x50 [ 32.329307] kasan_report+0x144/0x340 [ 32.329318] __asan_report_load8_noabort+0x14/0x20 [ 32.329324] show_timer+0x278/0x2b0 [ 32.329330] ? timers_start+0x14c/0x1c0 [ 32.329339] traverse+0x248/0xa00 [ 32.329353] ? seq_hlist_next+0xc0/0xc0 [ 32.329368] seq_read+0x96a/0x13d0 [ 32.329385] ? __fget+0x362/0x580 [ 32.329393] ? seq_lseek+0x3c0/0x3c0 [ 32.329412] ? seq_lseek+0x3c0/0x3c0 [ 32.329417] __vfs_read+0xef/0xa00 [ 32.329424] ? fsnotify+0x7b3/0x1140 [ 32.329433] ? vfs_copy_file_range+0x960/0x960 [ 32.329445] ? fsnotify_first_mark+0x2b0/0x2b0 [ 32.329454] ? avc_policy_seqno+0x9/0x20 [ 32.329462] ? selinux_file_permission+0x82/0x460 [ 32.329472] ? security_file_permission+0x89/0x1f0 [ 32.329481] ? rw_verify_area+0xe5/0x2b0 [ 32.329490] vfs_read+0x124/0x360 [ 32.329500] SyS_pread64+0x161/0x190 [ 32.329508] ? SyS_write+0x220/0x220 [ 32.329515] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 32.329523] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 32.329536] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 32.329541] RIP: 0033:0x452a09 [ 32.329544] RSP: 002b:00007f51d7d1ec58 EFLAGS: 00000212 ORIG_RAX: 0000000000000011 [ 32.329551] RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452a09 [ 32.329555] RDX: 0000000000000000 RSI: 0000000020acc000 RDI: 0000000000000013 [ 32.329559] RBP: 00000000000005bf R08: 0000000000000000 R09: 0000000000000000 [ 32.329563] R10: 0000000104000019 R11: 0000000000000212 R12: 00000000006f5a88 [ 32.329567] R13: 00000000ffffffff R14: 00007f51d7d1f6d4 R15: 0000000000000000 [ 32.353251] Dumping ftrace buffer: [ 32.353257] (ftrace buffer empty) [ 32.353260] Kernel Offset: disabled [ 32.864624] Rebooting in 86400 seconds..