[ ok ] Starting enhanced syslogd: rsyslogd.
[ 13.927802] audit: type=1400 audit(1538115000.828:4): avc: denied { syslog } for pid=1919 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.114' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 26.489333] ==================================================================
[ 26.496732] BUG: KASAN: stack-out-of-bounds in iov_iter_advance+0x4b3/0x4f0
[ 26.503804] Read of size 8 at addr ffff8800b6defca0 by task syz-executor156/2072
[ 26.511306]
[ 26.512908] CPU: 1 PID: 2072 Comm: syz-executor156 Not tainted 4.4.158+ #41
[ 26.519978]  0000000000000000 b5905dac3498890a ffff8800b6def8e0 ffffffff81a991dd
[ 26.527962]  ffffea0002db7bc0 ffff8800b6defca0 0000000000000000 ffff8800b6defca0
[ 26.535946]  ffff8800b6defc98 ffff8800b6def918 ffffffff8148a7c9 ffff8800b6defca0
[ 26.543935] Call Trace:
[ 26.546498]  [] dump_stack+0xc1/0x124
[ 26.551842]  [] print_address_description+0x6c/0x217
[ 26.558484]  [] kasan_report.cold.6+0x175/0x2f7
[ 26.564687]  [] ? iov_iter_advance+0x4b3/0x4f0
[ 26.570804]  [] __asan_report_load8_noabort+0x14/0x20
[ 26.577541]  [] iov_iter_advance+0x4b3/0x4f0
[ 26.583487]  [] tun_do_read+0x659/0xc10
[ 26.589005]  [] ? tun_sock_write_space+0x1a0/0x1a0
[ 26.595487]  [] ? futex_wait_restart+0x230/0x230
[ 26.601830]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 26.608565]  [] ? check_preemption_disabled+0x3b/0x170
[ 26.615379]  [] ? __tun_get+0x126/0x230
[ 26.620890]  [] tun_chr_read_iter+0xe2/0x1d0
[ 26.626836]  [] __vfs_read+0x301/0x3d0
[ 26.632259]  [] ? vfs_iter_write+0x2c0/0x2c0
[ 26.638233]  [] ? __fsnotify_inode_delete+0x30/0x30
[ 26.644802]  [] ? __fsnotify_update_child_dentry_flags.part.0+0x300/0x300
[ 26.653261]  [] ? check_preemption_disabled+0x3b/0x170
[ 26.660101]  [] ? avc_policy_seqno+0x9/0x20
[ 26.665982]  [] ? selinux_file_permission+0x2f2/0x450
[ 26.672705]  [] ? rw_verify_area+0x100/0x2f0
[ 26.678652]  [] vfs_read+0x130/0x360
[ 26.683900]  [] SyS_pread64+0x145/0x170
[ 26.689407]  [] ? SyS_write+0x1c0/0x1c0
[ 26.694920]  [] ? SyS_socket+0x14a/0x1f0
[ 26.700520]  [] ? move_addr_to_kernel+0x50/0x50
[ 26.706783]  [] ? __do_page_fault+0x2b6/0x7e0
[ 26.712820]  [] sys32_pread+0x39/0x50
[ 26.718155]  [] ? sys32_waitpid+0x30/0x30
[ 26.723839]  [] do_fast_syscall_32+0x31e/0xa80
[ 26.729968]  [] sysenter_flags_fixed+0xd/0x1a
[ 26.736008]
[ 26.737606] The buggy address belongs to the page:
[ 26.742509] page:ffffea0002db7bc0 count:0 mapcount:0 mapping:          (null) index:0x0
[ 26.750616] flags: 0x0()
[ 26.753402] page dumped because: kasan: bad access detected
[ 26.759082]
[ 26.760680] Memory state around the buggy address:
[ 26.765580]  ffff8800b6defb80: f2 f2 00 02 f2 f2 00 00 00 00 00 00 00 00 00 00
[ 26.772916]  ffff8800b6defc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
[ 26.780249] >ffff8800b6defc80: f1 00 00 f2 f2 f2 f2 f2 f2 00 00 00 00 00 f2 f2
[ 26.787585]                           ^
[ 26.791979]  ffff8800b6defd00: f2 f2 f2 f2 f2 00 00 00 00 00 f2 f2 f2 00 00 00
[ 26.799328]  ffff8800b6defd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 26.806677] ==================================================================
[ 26.814017] Disabling lock debugging due to kernel taint
[ 26.819897] Kernel panic - not syncing: panic_on_warn set ...
[ 26.819897]
[ 26.827256] CPU: 1 PID: 2072 Comm: syz-executor156 Tainted: G B 4.4.158+ #41
[ 26.835577]  0000000000000000 b5905dac3498890a ffff8800b6def840 ffffffff81a991dd
[ 26.843568]  ffffffff82c4b2e1 0000000000000008 0000000000000000 ffff8800b6defca0
[ 26.851655]  ffff8800b6defc98 ffff8800b6def900 ffffffff813a1024 0000000041b58ab3
[ 26.859632] Call Trace:
[ 26.862256]  [] dump_stack+0xc1/0x124
[ 26.867673]  [] panic+0x19e/0x359
[ 26.872680]  [] ? add_taint.cold.4+0x16/0x16
[ 26.878643]  [] ? preempt_schedule_common+0x22/0x60
[ 26.885196]  [] ? preempt_schedule+0x25/0x30
[ 26.891142]  [] ? ___preempt_schedule+0x12/0x14
[ 26.897352]  [] kasan_end_report+0x47/0x4f
[ 26.903132]  [] kasan_report.cold.6+0x192/0x2f7
[ 26.909343]  [] ? iov_iter_advance+0x4b3/0x4f0
[ 26.915466]  [] __asan_report_load8_noabort+0x14/0x20
[ 26.922198]  [] iov_iter_advance+0x4b3/0x4f0
[ 26.928143]  [] tun_do_read+0x659/0xc10
[ 26.933958]  [] ? tun_sock_write_space+0x1a0/0x1a0
[ 26.940474]  [] ? futex_wait_restart+0x230/0x230
[ 26.946782]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 26.953516]  [] ? check_preemption_disabled+0x3b/0x170
[ 26.960436]  [] ? __tun_get+0x126/0x230
[ 26.965951]  [] tun_chr_read_iter+0xe2/0x1d0
[ 26.971896]  [] __vfs_read+0x301/0x3d0
[ 26.977419]  [] ? vfs_iter_write+0x2c0/0x2c0
[ 26.983382]  [] ? __fsnotify_inode_delete+0x30/0x30
[ 26.989939]  [] ? __fsnotify_update_child_dentry_flags.part.0+0x300/0x300
[ 26.998622]  [] ? check_preemption_disabled+0x3b/0x170
[ 27.005443]  [] ? avc_policy_seqno+0x9/0x20
[ 27.011313]  [] ? selinux_file_permission+0x2f2/0x450
[ 27.018137]  [] ? rw_verify_area+0x100/0x2f0
[ 27.024108]  [] vfs_read+0x130/0x360
[ 27.029367]  [] SyS_pread64+0x145/0x170
[ 27.034879]  [] ? SyS_write+0x1c0/0x1c0
[ 27.040396]  [] ? SyS_socket+0x14a/0x1f0
[ 27.046010]  [] ? move_addr_to_kernel+0x50/0x50
[ 27.052219]  [] ? __do_page_fault+0x2b6/0x7e0
[ 27.058257]  [] sys32_pread+0x39/0x50
[ 27.063608]  [] ? sys32_waitpid+0x30/0x30
[ 27.069305]  [] do_fast_syscall_32+0x31e/0xa80
[ 27.075471]  [] sysenter_flags_fixed+0xd/0x1a
[ 27.081849] Kernel Offset: disabled
[ 27.085464] Rebooting in 86400 seconds..