[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 15.972140] random: sshd: uninitialized urandom read (32 bytes read) [ 16.163181] audit: type=1400 audit(1571401194.501:6): avc: denied { map } for pid=1763 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 [ 16.215460] random: sshd: uninitialized urandom read (32 bytes read) [ 16.714116] random: sshd: uninitialized urandom read (32 bytes read) [ 69.450393] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.1.50' (ECDSA) to the list of known hosts. [ 74.894785] random: sshd: uninitialized urandom read (32 bytes read) 2019/10/18 12:20:53 parsed 1 programs [ 74.991660] audit: type=1400 audit(1571401253.331:7): avc: denied { map } for pid=1811 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 75.050916] audit: type=1400 audit(1571401253.391:8): avc: denied { map } for pid=1811 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=5044 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1 [ 75.518758] random: cc1: uninitialized urandom read (8 bytes read) 2019/10/18 12:20:55 executed programs: 0 [ 76.752052] audit: type=1400 audit(1571401255.091:9): avc: denied { map } for pid=1811 comm="syz-execprog" path="/root/syzkaller-shm078216075" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1 2019/10/18 12:21:00 executed programs: 102 [ 83.410625] ================================================================== [ 83.418041] BUG: KASAN: stack-out-of-bounds in unwind_next_frame+0x169f/0x1810 [ 83.425405] Read of size 8 at addr ffff8881c8f2f860 by task syz-executor.4/3356 [ 83.432826] [ 83.434431] CPU: 0 PID: 3356 Comm: syz-executor.4 Not tainted 4.14.150+ #0 [ 83.441421] Call Trace: [ 83.443993] dump_stack+0xca/0x134 [ 83.447512] ? unwind_next_frame+0x169f/0x1810 [ 83.452069] ? unwind_next_frame+0x169f/0x1810 [ 83.456631] print_address_description+0x60/0x226 [ 83.461450] ? unwind_next_frame+0x169f/0x1810 [ 83.466203] ? unwind_next_frame+0x169f/0x1810 [ 83.470762] __kasan_report.cold+0x1a/0x41 [ 83.474975] ? __do_page_fault+0x640/0xbb0 [ 83.479200] ? unwind_next_frame+0x169f/0x1810 [ 83.483759] unwind_next_frame+0x169f/0x1810 [ 83.488145] ? retint_kernel+0x2d/0x2d [ 83.492011] ? deref_stack_reg+0xe0/0xe0 [ 83.496049] ? retint_kernel+0x2d/0x2d [ 83.499917] perf_callchain_kernel+0x3a0/0x540 [ 83.504479] ? arch_perf_update_userpage+0x330/0x330 [ 83.509562] ? futex_wait_setup+0x132/0x330 [ 83.513867] ? perf_callchain_kernel+0x540/0x540 [ 83.518603] get_perf_callchain+0x2f5/0x770 [ 83.522906] ? put_callchain_buffers+0x60/0x60 [ 83.527466] ? put_callchain_buffers+0x60/0x60 [ 83.532026] ? native_usergs_sysret64+0x2/0x10 [ 83.536600] perf_callchain+0x147/0x190 [ 83.540565] perf_prepare_sample+0x6a8/0x1360 [ 83.545041] ? perf_output_sample+0x1700/0x1700 [ 83.549689] ? perf_swevent_put_recursion_context+0x1a/0xa0 [ 83.555377] perf_event_output_forward+0xdc/0x220 [ 83.560212] ? perf_prepare_sample+0x1360/0x1360 [ 83.564959] ? perf_swevent_put_recursion_context+0xa0/0xa0 [ 83.570661] ? perf_event_output_forward+0x156/0x220 [ 83.575742] ? perf_prepare_sample+0x1360/0x1360 [ 83.580477] ? check_preemption_disabled+0x35/0x1f0 [ 83.585483] ? check_preemption_disabled+0x35/0x1f0 [ 83.590493] __perf_event_overflow+0x12d/0x340 [ 83.595055] perf_swevent_overflow+0x7a/0xf0 [ 83.599456] perf_swevent_event+0x112/0x270 [ 83.603757] perf_tp_event+0x633/0x7f0 [ 83.607622] ? perf_swevent_put_recursion_context+0xa0/0xa0 [ 83.613314] ? put_callchain_buffers+0x60/0x60 [ 83.617877] ? perf_trace_run_bpf_submit+0x113/0x170 [ 83.622959] ? trace_hardirqs_on+0x10/0x10 [ 83.627176] ? __lock_acquire+0x5d7/0x4320 [ 83.631394] ? perf_trace_run_bpf_submit+0x113/0x170 [ 83.636495] ? check_preemption_disabled+0x35/0x1f0 [ 83.641488] perf_trace_run_bpf_submit+0x113/0x170 [ 83.646397] perf_trace_lock_acquire+0x341/0x4e0 [ 83.651131] ? HARDIRQ_verbose+0x10/0x10 [ 83.655170] ? retint_kernel+0x2d/0x2d [ 83.659036] ? get_futex_key+0x4c1/0xf90 [ 83.663075] lock_acquire+0x279/0x360 [ 83.666868] ? futex_wait_setup+0x132/0x330 [ 83.671168] _raw_spin_lock+0x2a/0x40 [ 83.674956] ? futex_wait_setup+0x132/0x330 [ 83.679253] futex_wait_setup+0x132/0x330 [ 83.683389] ? futex_wake+0x440/0x440 [ 83.687169] futex_wait+0x1ad/0x570 [ 83.690878] ? futex_wait_setup+0x330/0x330 [ 83.695189] ? wake_up_q+0xea/0x150 [ 83.698794] ? drop_futex_key_refs.isra.0+0x17/0xb0 [ 83.703800] ? futex_wake+0x15b/0x440 [ 83.707600] do_futex+0x13f/0x1980 [ 83.711118] ? trace_hardirqs_on+0x10/0x10 [ 83.715330] ? perf_trace_lock_acquire+0x341/0x4e0 [ 83.720239] ? exit_robust_list+0x240/0x240 [ 83.724536] ? HARDIRQ_verbose+0x10/0x10 [ 83.728575] ? __might_fault+0x104/0x1b0 [ 83.732613] ? lock_downgrade+0x630/0x630 [ 83.736738] ? lock_acquire+0x12b/0x360 [ 83.740703] ? __might_fault+0xd4/0x1b0 [ 83.744669] ? __might_fault+0x177/0x1b0 [ 83.748727] ? _copy_to_user+0x82/0xd0 [ 83.752614] SyS_futex+0x1c5/0x2c3 [ 83.756136] ? do_futex+0x1980/0x1980 [ 83.759931] ? SyS_clock_gettime+0x7d/0xe0 [ 83.764158] ? do_clock_gettime+0xd0/0xd0 [ 83.768292] ? do_syscall_64+0x43/0x520 [ 83.772246] ? do_futex+0x1980/0x1980 [ 83.776027] do_syscall_64+0x19b/0x520 [ 83.779898] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 83.785068] RIP: 0033:0x459a59 [ 83.788235] RSP: 002b:00007f56fb5b1cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 83.795920] RAX: ffffffffffffffda RBX: 000000000075bf28 RCX: 0000000000459a59 [ 83.803167] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000075bf28 [ 83.810417] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 [ 83.817664] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000075bf2c [ 83.824938] R13: 00007fff2b019aef R14: 00007f56fb5b29c0 R15: 000000000075bf2c [ 83.832192] [ 83.833796] The buggy address belongs to the page: [ 83.838715] page:ffffea000723cbc0 count:0 mapcount:0 mapping: (null) index:0x0 [ 83.846834] flags: 0x4000000000000000() [ 83.850791] raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff [ 83.858649] raw: 0000000000000000 ffffea000723cbe0 0000000000000000 0000000000000000 [ 83.866507] page dumped because: kasan: bad access detected [ 83.872190] [ 83.873794] Memory state around the buggy address: [ 83.878697] ffff8881c8f2f700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 83.886033] ffff8881c8f2f780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 83.893369] >ffff8881c8f2f800: 00 00 00 f1 f1 f1 f1 f1 f1 04 f2 00 f3 f3 f3 00 [ 83.900703] ^ [ 83.907200] ffff8881c8f2f880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 83.914542] ffff8881c8f2f900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 83.921975] ================================================================== [ 83.929309] Disabling lock debugging due to kernel taint [ 83.934835] Kernel panic - not syncing: panic_on_warn set ... [ 83.934835] [ 83.942185] CPU: 0 PID: 3356 Comm: syz-executor.4 Tainted: G B 4.14.150+ #0 [ 83.950391] Call Trace: [ 83.952964] dump_stack+0xca/0x134 [ 83.956499] panic+0x1f1/0x3da [ 83.959672] ? add_taint.cold+0x16/0x16 [ 83.963628] ? lock_downgrade+0x630/0x630 [ 83.967761] ? unwind_next_frame+0x169f/0x1810 [ 83.972321] end_report+0x43/0x49 [ 83.975753] ? unwind_next_frame+0x169f/0x1810 [ 83.980314] __kasan_report.cold+0xd/0x41 [ 83.984445] ? __do_page_fault+0x640/0xbb0 [ 83.988672] ? unwind_next_frame+0x169f/0x1810 [ 83.993231] unwind_next_frame+0x169f/0x1810 [ 83.997658] ? retint_kernel+0x2d/0x2d [ 84.001526] ? deref_stack_reg+0xe0/0xe0 [ 84.005598] ? retint_kernel+0x2d/0x2d [ 84.009471] perf_callchain_kernel+0x3a0/0x540 [ 84.014032] ? arch_perf_update_userpage+0x330/0x330 [ 84.019116] ? futex_wait_setup+0x132/0x330 [ 84.023416] ? perf_callchain_kernel+0x540/0x540 [ 84.028150] get_perf_callchain+0x2f5/0x770 [ 84.032464] ? put_callchain_buffers+0x60/0x60 [ 84.037028] ? put_callchain_buffers+0x60/0x60 [ 84.041588] ? native_usergs_sysret64+0x2/0x10 [ 84.046158] perf_callchain+0x147/0x190 [ 84.050115] perf_prepare_sample+0x6a8/0x1360 [ 84.054603] ? perf_output_sample+0x1700/0x1700 [ 84.059266] ? perf_swevent_put_recursion_context+0x1a/0xa0 [ 84.064961] perf_event_output_forward+0xdc/0x220 [ 84.069781] ? perf_prepare_sample+0x1360/0x1360 [ 84.074517] ? perf_swevent_put_recursion_context+0xa0/0xa0 [ 84.080834] ? perf_event_output_forward+0x156/0x220 [ 84.085913] ? perf_prepare_sample+0x1360/0x1360 [ 84.090648] ? check_preemption_disabled+0x35/0x1f0 [ 84.095640] ? check_preemption_disabled+0x35/0x1f0 [ 84.100648] __perf_event_overflow+0x12d/0x340 [ 84.105209] perf_swevent_overflow+0x7a/0xf0 [ 84.109596] perf_swevent_event+0x112/0x270 [ 84.113896] perf_tp_event+0x633/0x7f0 [ 84.117778] ? perf_swevent_put_recursion_context+0xa0/0xa0 [ 84.123474] ? put_callchain_buffers+0x60/0x60 [ 84.128123] ? perf_trace_run_bpf_submit+0x113/0x170 [ 84.133218] ? trace_hardirqs_on+0x10/0x10 [ 84.137440] ? __lock_acquire+0x5d7/0x4320 [ 84.141672] ? perf_trace_run_bpf_submit+0x113/0x170 [ 84.146766] ? check_preemption_disabled+0x35/0x1f0 [ 84.151765] perf_trace_run_bpf_submit+0x113/0x170 [ 84.156676] perf_trace_lock_acquire+0x341/0x4e0 [ 84.161409] ? HARDIRQ_verbose+0x10/0x10 [ 84.165448] ? retint_kernel+0x2d/0x2d [ 84.169313] ? get_futex_key+0x4c1/0xf90 [ 84.173357] lock_acquire+0x279/0x360 [ 84.177139] ? futex_wait_setup+0x132/0x330 [ 84.181444] _raw_spin_lock+0x2a/0x40 [ 84.185224] ? futex_wait_setup+0x132/0x330 [ 84.189521] futex_wait_setup+0x132/0x330 [ 84.193650] ? futex_wake+0x440/0x440 [ 84.197429] futex_wait+0x1ad/0x570 [ 84.201034] ? futex_wait_setup+0x330/0x330 [ 84.205333] ? wake_up_q+0xea/0x150 [ 84.208951] ? drop_futex_key_refs.isra.0+0x17/0xb0 [ 84.214222] ? futex_wake+0x15b/0x440 [ 84.218030] do_futex+0x13f/0x1980 [ 84.221550] ? trace_hardirqs_on+0x10/0x10 [ 84.225768] ? perf_trace_lock_acquire+0x341/0x4e0 [ 84.230692] ? exit_robust_list+0x240/0x240 [ 84.234992] ? HARDIRQ_verbose+0x10/0x10 [ 84.239032] ? __might_fault+0x104/0x1b0 [ 84.243116] ? lock_downgrade+0x630/0x630 [ 84.247241] ? lock_acquire+0x12b/0x360 [ 84.251194] ? __might_fault+0xd4/0x1b0 [ 84.255148] ? __might_fault+0x177/0x1b0 [ 84.259189] ? _copy_to_user+0x82/0xd0 [ 84.263069] SyS_futex+0x1c5/0x2c3 [ 84.266595] ? do_futex+0x1980/0x1980 [ 84.270371] ? SyS_clock_gettime+0x7d/0xe0 [ 84.274582] ? do_clock_gettime+0xd0/0xd0 [ 84.278719] ? do_syscall_64+0x43/0x520 [ 84.282855] ? do_futex+0x1980/0x1980 [ 84.286646] do_syscall_64+0x19b/0x520 [ 84.290523] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 84.295689] RIP: 0033:0x459a59 [ 84.298856] RSP: 002b:00007f56fb5b1cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 84.306551] RAX: ffffffffffffffda RBX: 000000000075bf28 RCX: 0000000000459a59 [ 84.313811] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000075bf28 [ 84.321058] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 [ 84.328319] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000075bf2c [ 84.335581] R13: 00007fff2b019aef R14: 00007f56fb5b29c0 R15: 000000000075bf2c [ 84.343313] Kernel Offset: 0x28600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 84.354231] Rebooting in 86400 seconds..