[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.8' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 48.378929] audit: type=1400 audit(1603061229.432:8): avc: denied { execmem } for pid=6352 comm="syz-executor165" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 48.391948] ntfs: (device loop0): is_boot_sector_ntfs(): Invalid end of sector marker.
[ 48.409573] ==================================================================
[ 48.416974] BUG: KASAN: slab-out-of-bounds in ntfs_attr_find+0x8df/0xa10
[ 48.424054] Read of size 4 at addr ffff88808774653f by task syz-executor165/6352
[ 48.431740]
[ 48.433360] CPU: 1 PID: 6352 Comm: syz-executor165 Not tainted 4.14.198-syzkaller #0
[ 48.441225] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 48.450572] Call Trace:
[ 48.453142]  dump_stack+0x1b2/0x283
[ 48.456749]  print_address_description.cold+0x54/0x1d3
[ 48.462622]  kasan_report_error.cold+0x8a/0x194
[ 48.467276]  ? ntfs_attr_find+0x8df/0xa10
[ 48.471460]  __asan_report_load_n_noabort+0x6b/0x80
[ 48.476475]  ? ntfs_attr_find+0x8df/0xa10
[ 48.480623]  ntfs_attr_find+0x8df/0xa10
[ 48.484602]  ntfs_attr_lookup+0xeca/0x1f30
[ 48.488899]  ? do_raw_spin_unlock+0x164/0x220
[ 48.493518]  ? _raw_spin_unlock+0x29/0x40
[ 48.497671]  ? cache_alloc_refill+0x2fa/0x350
[ 48.502163]  ? __wait_on_bit+0x150/0x150
[ 48.506378]  ? check_preemption_disabled+0x35/0x240
[ 48.511378]  ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0
[ 48.516812]  ? kmem_cache_alloc+0x2f8/0x3c0
[ 48.521111]  ntfs_read_inode_mount+0x6b4/0x1fb0
[ 48.525761]  ntfs_fill_super+0x9a6/0x7170
[ 48.529884]  ? vsnprintf+0x260/0x1340
[ 48.533669]  ? pointer+0x9e0/0x9e0
[ 48.537194]  ? lock_downgrade+0x740/0x740
[ 48.541323]  ? ntfs_big_inode_init_once+0x20/0x20
[ 48.546491]  ? snprintf+0xa5/0xd0
[ 48.549935]  ? vsprintf+0x30/0x30
[ 48.553368]  ? ns_test_super+0x50/0x50
[ 48.557234]  ? set_blocksize+0x125/0x380
[ 48.561272]  mount_bdev+0x2b3/0x360
[ 48.564876]  ? ntfs_big_inode_init_once+0x20/0x20
[ 48.569697]  mount_fs+0x92/0x2a0
[ 48.573061]  vfs_kern_mount.part.0+0x5b/0x470
[ 48.577754]  do_mount+0xe53/0x2a00
[ 48.581280]  ? copy_mount_string+0x40/0x40
[ 48.585556]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 48.590699]  ? copy_mnt_ns+0xa30/0xa30
[ 48.594569]  ? copy_mount_options+0x1fa/0x2f0
[ 48.599043]  ? copy_mnt_ns+0xa30/0xa30
[ 48.602930]  SyS_mount+0xa8/0x120
[ 48.606370]  ? copy_mnt_ns+0xa30/0xa30
[ 48.610255]  do_syscall_64+0x1d5/0x640
[ 48.614124]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 48.619293] RIP: 0033:0x44c1fa
[ 48.622477] RSP: 002b:00007fff0c76c758 EFLAGS: 00000287 ORIG_RAX: 00000000000000a5
[ 48.630191] RAX: ffffffffffffffda RBX: 00007fff0c76c7b0 RCX: 000000000044c1fa
[ 48.637456] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fff0c76c770
[ 48.644710] RBP: 00007fff0c76c770 R08: 00007fff0c76c7b0 R09: 00007fff00000015
[ 48.652024] R10: 0000000000000000 R11: 0000000000000287 R12: 000000000000025d
[ 48.659805] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 48.667092]
[ 48.668713] Allocated by task 3652:
[ 48.672368]  kasan_kmalloc+0xeb/0x160
[ 48.676155]  __kmalloc_node+0x4c/0x70
[ 48.679935]  kvmalloc_node+0x46/0xd0
[ 48.684582]  seq_read+0x882/0x1120
[ 48.688115]  __vfs_read+0xe4/0x620
[ 48.691630]  vfs_read+0x139/0x340
[ 48.695074]  SyS_read+0xf2/0x210
[ 48.698434]  do_syscall_64+0x1d5/0x640
[ 48.702299]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 48.707460]
[ 48.709078] Freed by task 3652:
[ 48.712351]  kasan_slab_free+0xc3/0x1a0
[ 48.716536]  kfree+0xc9/0x250
[ 48.719644]  kvfree+0x45/0x50
[ 48.722731]  single_release+0x75/0xb0
[ 48.726652]  __fput+0x25f/0x7a0
[ 48.729927]  task_work_run+0x11f/0x190
[ 48.733793]  exit_to_usermode_loop+0x1ad/0x200
[ 48.738353]  do_syscall_64+0x4a3/0x640
[ 48.742229]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 48.747408]
[ 48.749011] The buggy address belongs to the object at ffff888087746e80
[ 48.749011]  which belongs to the cache kmalloc-4096 of size 4096
[ 48.762045] The buggy address is located 2369 bytes to the left of
[ 48.762045]  4096-byte region [ffff888087746e80, ffff888087747e80)
[ 48.774509] The buggy address belongs to the page:
[ 48.779431] page:ffffea00021dd180 count:1 mapcount:0 mapping:ffff888087746e80 index:0x0 compound_mapcount: 0
[ 48.789373] flags: 0xfffe0000008100(slab|head)
[ 48.794110] raw: 00fffe0000008100 ffff888087746e80 0000000000000000 0000000100000001
[ 48.801988] raw: ffffea00021c0120 ffffea00021dd620 ffff88812fe50dc0 0000000000000000
[ 48.809947] page dumped because: kasan: bad access detected
[ 48.815657]
[ 48.817390] Memory state around the buggy address:
[ 48.822326]  ffff888087746400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 48.829762]  ffff888087746480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 48.837105] >ffff888087746500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 48.844440]                                            ^
[ 48.849622]  ffff888087746580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 48.856983]  ffff888087746600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 48.864318] ==================================================================
[ 48.872172] Disabling lock debugging due to kernel taint
[ 48.878187] Kernel panic - not syncing: panic_on_warn set ...
[ 48.878187]
[ 48.885609] CPU: 1 PID: 6352 Comm: syz-executor165 Tainted: G    B   4.14.198-syzkaller #0
[ 48.894823] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 48.904269] Call Trace:
[ 48.906858]  dump_stack+0x1b2/0x283
[ 48.910489]  panic+0x1f9/0x42d
[ 48.913661]  ? add_taint.cold+0x16/0x16
[ 48.917874]  ? ___preempt_schedule+0x16/0x18
[ 48.922290]  kasan_end_report+0x43/0x49
[ 48.926251]  kasan_report_error.cold+0xa7/0x194
[ 48.930923]  ? ntfs_attr_find+0x8df/0xa10
[ 48.935069]  __asan_report_load_n_noabort+0x6b/0x80
[ 48.940178]  ? ntfs_attr_find+0x8df/0xa10
[ 48.944313]  ntfs_attr_find+0x8df/0xa10
[ 48.948267]  ntfs_attr_lookup+0xeca/0x1f30
[ 48.953811]  ? do_raw_spin_unlock+0x164/0x220
[ 48.958312]  ? _raw_spin_unlock+0x29/0x40
[ 48.962439]  ? cache_alloc_refill+0x2fa/0x350
[ 48.966909]  ? __wait_on_bit+0x150/0x150
[ 48.970945]  ? check_preemption_disabled+0x35/0x240
[ 48.975941]  ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0
[ 48.981192]  ? kmem_cache_alloc+0x2f8/0x3c0
[ 48.986202]  ntfs_read_inode_mount+0x6b4/0x1fb0
[ 48.990881]  ntfs_fill_super+0x9a6/0x7170
[ 48.995107]  ? vsnprintf+0x260/0x1340
[ 48.998897]  ? pointer+0x9e0/0x9e0
[ 49.002427]  ? lock_downgrade+0x740/0x740
[ 49.006675]  ? ntfs_big_inode_init_once+0x20/0x20
[ 49.011492]  ? snprintf+0xa5/0xd0
[ 49.014923]  ? vsprintf+0x30/0x30
[ 49.018387]  ? ns_test_super+0x50/0x50
[ 49.022284]  ? set_blocksize+0x125/0x380
[ 49.026340]  mount_bdev+0x2b3/0x360
[ 49.029945]  ? ntfs_big_inode_init_once+0x20/0x20
[ 49.035562]  mount_fs+0x92/0x2a0
[ 49.038921]  vfs_kern_mount.part.0+0x5b/0x470
[ 49.043399]  do_mount+0xe53/0x2a00
[ 49.046917]  ? copy_mount_string+0x40/0x40
[ 49.051143]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 49.056356]  ? copy_mnt_ns+0xa30/0xa30
[ 49.060283]  ? copy_mount_options+0x1fa/0x2f0
[ 49.065740]  ? copy_mnt_ns+0xa30/0xa30
[ 49.069638]  SyS_mount+0xa8/0x120
[ 49.073096]  ? copy_mnt_ns+0xa30/0xa30
[ 49.076964]  do_syscall_64+0x1d5/0x640
[ 49.080832]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 49.086003] RIP: 0033:0x44c1fa
[ 49.089179] RSP: 002b:00007fff0c76c758 EFLAGS: 00000287 ORIG_RAX: 00000000000000a5
[ 49.096878] RAX: ffffffffffffffda RBX: 00007fff0c76c7b0 RCX: 000000000044c1fa
[ 49.104133] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fff0c76c770
[ 49.111388] RBP: 00007fff0c76c770 R08: 00007fff0c76c7b0 R09: 00007fff00000015
[ 49.118661] R10: 0000000000000000 R11: 0000000000000287 R12: 000000000000025d
[ 49.125934] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 49.134728] Kernel Offset: disabled
[ 49.138364] Rebooting in 86400 seconds..