[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 10.603129] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [ 11.712412] random: crng init done Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.21' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 33.730143] ================================================================== [ 33.731245] BUG: KASAN: stack-out-of-bounds in memcmp+0x126/0x160 [ 33.732103] Read of size 1 at addr ffff8801d693f880 by task syz-executor629/2054 [ 33.733196] [ 33.733437] CPU: 0 PID: 2054 Comm: syz-executor629 Not tainted 4.9.135+ #117 [ 33.734402] ffff8801d693f350 ffffffff81b42b89 ffffea00075a4fc0 ffff8801d693f880 [ 33.735652] 0000000000000000 ffff8801d693f880 ffff8801d693f868 ffff8801d693f388 [ 33.736855] ffffffff815009ad ffff8801d693f880 0000000000000001 0000000000000000 [ 33.738047] Call Trace: [ 33.738413] [] dump_stack+0xc1/0x128 [ 33.739154] [] print_address_description+0x6c/0x234 [ 33.740058] [] kasan_report.cold.6+0x242/0x2fe [ 33.740912] [] ? memcmp+0x126/0x160 [ 33.741631] [] __asan_report_load1_noabort+0x14/0x20 [ 33.742586] [] memcmp+0x126/0x160 [ 33.743274] [] xfrm_selector_match+0x6a0/0xe40 [ 33.744196] [] xfrm_sk_policy_lookup+0x147/0x430 [ 33.745059] [] ? xfrm_selector_match+0xe40/0xe40 [ 33.745945] [] xfrm_lookup+0x1bc/0xc00 [ 33.746766] [] ? xfrm_sk_policy_lookup+0x430/0x430 [ 33.747722] [] ? ip6_dst_lookup_tail+0x499/0x1620 [ 33.748606] [] ? ip6_dst_lookup_tail+0x534/0x1620 [ 33.749495] [] ? xfrm_user_policy+0x199/0x5b0 [ 33.751056] [] ? ip6_copy_metadata+0x810/0x810 [ 33.757307] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 33.764042] [] xfrm_lookup_route+0x39/0x140 [ 33.769988] [] ip6_dst_lookup_flow+0x17b/0x210 [ 33.776509] [] ? ip6_dst_lookup+0x60/0x60 [ 33.782287] [] ? selinux_sk_getsecid+0x7a/0xd0 [ 33.788494] [] tcp_v6_connect+0xd34/0x1ad0 [ 33.794360] [] ? save_stack_trace+0x16/0x20 [ 33.800305] [] ? tcp_v6_init_sequence+0x170/0x170 [ 33.806778] [] __inet_stream_connect+0x6e0/0xbf0 [ 33.813166] [] ? check_preemption_disabled+0x3b/0x170 [ 33.819993] [] ? inet_bind+0x8b0/0x8b0 [ 33.825507] [] ? kasan_kmalloc+0xaf/0xc0 [ 33.831196] [] ? kmem_cache_alloc_trace+0x117/0x2e0 [ 33.837839] [] tcp_sendmsg+0x218a/0x2fd0 [ 33.843526] [] ? avc_has_perm_noaudit+0x2f0/0x2f0 [ 33.849994] [] ? trace_hardirqs_on+0x10/0x10 [ 33.856031] [] ? tcp_sendpage+0x1910/0x1910 [ 33.861986] [] ? sock_has_perm+0x293/0x3e0 [ 33.867848] [] ? sock_has_perm+0x9f/0x3e0 [ 33.873624] [] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0 [ 33.881135] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 33.887861] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 33.894590] [] ? check_preemption_disabled+0x3b/0x170 [ 33.901402] [] ? check_preemption_disabled+0x3b/0x170 [ 33.908217] [] ? inet_sendmsg+0x143/0x4d0 [ 33.913989] [] inet_sendmsg+0x203/0x4d0 [ 33.919587] [] ? inet_sendmsg+0x73/0x4d0 [ 33.925271] [] ? inet_recvmsg+0x4c0/0x4c0 [ 33.931043] [] sock_sendmsg+0xbb/0x110 [ 33.936554] [] SyS_sendto+0x220/0x370 [ 33.941986] [] ? SyS_getpeername+0x2d0/0x2d0 [ 33.948023] [] ? _raw_spin_unlock+0x2c/0x50 [ 33.953974] [] ? handle_mm_fault+0x54b/0x2350 [ 33.960095] [] ? __fd_install+0x20f/0x5d0 [ 33.965932] [] ? vm_insert_page+0x6f0/0x6f0 [ 33.971886] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 33.978657] [] ? __do_page_fault+0x431/0xa60 [ 33.984742] [] ? up_read+0x1a/0x40 [ 33.989912] [] ? __do_page_fault+0x554/0xa60 [ 33.995947] [] ? do_syscall_64+0x48/0x550 [ 34.001721] [] ? SyS_getpeername+0x2d0/0x2d0 [ 34.007755] [] do_syscall_64+0x19f/0x550 [ 34.013443] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 34.020341] [ 34.021943] The buggy address belongs to the page: [ 34.026846] page:ffffea00075a4fc0 count:0 mapcount:0 mapping: (null) index:0x0 [ 34.035079] flags: 0x4000000000000000() [ 34.039023] page dumped because: kasan: bad access detected [ 34.044705] [ 34.046305] Memory state around the buggy address: [ 34.051206] ffff8801d693f780: 00 00 f1 f1 f1 f1 04 f2 f2 f2 f2 f2 f2 f2 00 00 [ 34.058543] ffff8801d693f800: f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 [ 34.065878] >ffff8801d693f880: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 34.073210] ^ [ 34.076547] ffff8801d693f900: 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 [ 34.083882] ffff8801d693f980: f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 34.091212] ================================================================== [ 34.098565] Disabling lock debugging due to kernel taint [ 34.104090] Kernel panic - not syncing: panic_on_warn set ... [ 34.104090] [ 34.111453] CPU: 0 PID: 2054 Comm: syz-executor629 Tainted: G B 4.9.135+ #117 [ 34.119842] ffff8801d693f2b0 ffffffff81b42b89 ffffffff82e371c0 00000000ffffffff [ 34.127895] 0000000000000000 0000000000000000 ffff8801d693f868 ffff8801d693f370 [ 34.136013] ffffffff813f6aa5 0000000041b58ab3 ffffffff82e2b1c3 ffffffff813f68e6 [ 34.144007] Call Trace: [ 34.146572] [] dump_stack+0xc1/0x128 [ 34.151956] [] panic+0x1bf/0x39f [ 34.156954] [] ? add_taint.cold.6+0x16/0x16 [ 34.162903] [] ? ___preempt_schedule+0x16/0x18 [ 34.169116] [] kasan_end_report+0x47/0x4f [ 34.174894] [] kasan_report.cold.6+0x76/0x2fe [ 34.181015] [] ? memcmp+0x126/0x160 [ 34.186273] [] __asan_report_load1_noabort+0x14/0x20 [ 34.193005] [] memcmp+0x126/0x160 [ 34.198086] [] xfrm_selector_match+0x6a0/0xe40 [ 34.204297] [] xfrm_sk_policy_lookup+0x147/0x430 [ 34.210678] [] ? xfrm_selector_match+0xe40/0xe40 [ 34.217060] [] xfrm_lookup+0x1bc/0xc00 [ 34.222577] [] ? xfrm_sk_policy_lookup+0x430/0x430 [ 34.229134] [] ? ip6_dst_lookup_tail+0x499/0x1620 [ 34.235604] [] ? ip6_dst_lookup_tail+0x534/0x1620 [ 34.242070] [] ? xfrm_user_policy+0x199/0x5b0 [ 34.248350] [] ? ip6_copy_metadata+0x810/0x810 [ 34.254560] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 34.261291] [] xfrm_lookup_route+0x39/0x140 [ 34.267245] [] ip6_dst_lookup_flow+0x17b/0x210 [ 34.273458] [] ? ip6_dst_lookup+0x60/0x60 [ 34.279233] [] ? selinux_sk_getsecid+0x7a/0xd0 [ 34.285443] [] tcp_v6_connect+0xd34/0x1ad0 [ 34.291306] [] ? save_stack_trace+0x16/0x20 [ 34.297256] [] ? tcp_v6_init_sequence+0x170/0x170 [ 34.303726] [] __inet_stream_connect+0x6e0/0xbf0 [ 34.310109] [] ? check_preemption_disabled+0x3b/0x170 [ 34.316923] [] ? inet_bind+0x8b0/0x8b0 [ 34.322512] [] ? kasan_kmalloc+0xaf/0xc0 [ 34.328208] [] ? kmem_cache_alloc_trace+0x117/0x2e0 [ 34.334851] [] tcp_sendmsg+0x218a/0x2fd0 [ 34.340539] [] ? avc_has_perm_noaudit+0x2f0/0x2f0 [ 34.347008] [] ? trace_hardirqs_on+0x10/0x10 [ 34.353045] [] ? tcp_sendpage+0x1910/0x1910 [ 34.358991] [] ? sock_has_perm+0x293/0x3e0 [ 34.364852] [] ? sock_has_perm+0x9f/0x3e0 [ 34.370625] [] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0 [ 34.378237] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 34.384969] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 34.391698] [] ? check_preemption_disabled+0x3b/0x170 [ 34.398512] [] ? check_preemption_disabled+0x3b/0x170 [ 34.405337] [] ? inet_sendmsg+0x143/0x4d0 [ 34.411168] [] inet_sendmsg+0x203/0x4d0 [ 34.416808] [] ? inet_sendmsg+0x73/0x4d0 [ 34.422499] [] ? inet_recvmsg+0x4c0/0x4c0 [ 34.428279] [] sock_sendmsg+0xbb/0x110 [ 34.433793] [] SyS_sendto+0x220/0x370 [ 34.439226] [] ? SyS_getpeername+0x2d0/0x2d0 [ 34.445263] [] ? _raw_spin_unlock+0x2c/0x50 [ 34.451212] [] ? handle_mm_fault+0x54b/0x2350 [ 34.457333] [] ? __fd_install+0x20f/0x5d0 [ 34.463106] [] ? vm_insert_page+0x6f0/0x6f0 [ 34.469052] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 34.475782] [] ? __do_page_fault+0x431/0xa60 [ 34.481825] [] ? up_read+0x1a/0x40 [ 34.486995] [] ? __do_page_fault+0x554/0xa60 [ 34.493037] [] ? do_syscall_64+0x48/0x550 [ 34.498812] [] ? SyS_getpeername+0x2d0/0x2d0 [ 34.504846] [] do_syscall_64+0x19f/0x550 [ 34.510543] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 34.517777] Kernel Offset: disabled [ 34.521390] Rebooting in 86400 seconds..