[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.115' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 33.569627] ==================================================================
[ 33.577062] BUG: KASAN: global-out-of-bounds in nfnetlink_parse_nat_setup+0x364/0x370
[ 33.585008] Read of size 8 at addr ffffffff873cb1d8 by task syz-executor909/6314
[ 33.592533]
[ 33.594144] CPU: 0 PID: 6314 Comm: syz-executor909 Not tainted 4.14.176-syzkaller #0
[ 33.601999] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.611390] Call Trace:
[ 33.613973] dump_stack+0x13e/0x194
[ 33.617584] ? nfnetlink_parse_nat_setup+0x364/0x370
[ 33.622673] print_address_description.cold+0x5/0x1e2
[ 33.627856] ? nfnetlink_parse_nat_setup+0x364/0x370
[ 33.632948] kasan_report.cold+0xa9/0x2ae
[ 33.637111] nfnetlink_parse_nat_setup+0x364/0x370
[ 33.642021] ? nf_nat_alloc_null_binding+0x40/0x40
[ 33.646936] ? nf_nat_alloc_null_binding+0x40/0x40
[ 33.651848] ctnetlink_parse_nat_setup+0x70/0x490
[ 33.656711] ctnetlink_create_conntrack+0x437/0x1040
[ 33.661827] ? ctnetlink_del_conntrack+0x5a0/0x5a0
[ 33.666738] ? __do_once_done+0x1be/0x240
[ 33.670862] ? hash_conntrack_raw+0x2ab/0x410
[ 33.675339] ? nf_ct_get_id+0x160/0x160
[ 33.679337] ctnetlink_new_conntrack+0x460/0xc30
[ 33.684082] ? ctnetlink_create_conntrack+0x1040/0x1040
[ 33.689426] ? mutex_trylock+0x1a0/0x1a0
[ 33.693470] ? ctnetlink_create_conntrack+0x1040/0x1040
[ 33.698812] nfnetlink_rcv_msg+0xa08/0xc00
[ 33.703034] ? __kernel_text_address+0x9/0x30
[ 33.707518] netlink_rcv_skb+0x127/0x370
[ 33.711554] ? __lock_acquire+0x583/0x4620
[ 33.715765] ? nfnetlink_bind+0x240/0x240
[ 33.719889] ? netlink_ack+0x980/0x980
[ 33.723755] ? ns_capable_common+0x127/0x150
[ 33.728140] nfnetlink_rcv+0x1ab/0x1650
[ 33.732091] ? find_held_lock+0x2d/0x110
[ 33.736144] ? __netlink_lookup+0x2de/0x590
[ 33.740440] ? save_trace+0x290/0x290
[ 33.744217] ? save_trace+0x290/0x290
[ 33.747995] ? nfnl_err_del+0x150/0x150
[ 33.751942] ? find_held_lock+0x2d/0x110
[ 33.755981] ? netlink_deliver_tap+0x90/0x860
[ 33.760471] ? rcu_is_watching+0x11/0xb0
[ 33.764524] ? lock_downgrade+0x6e0/0x6e0
[ 33.768757] netlink_unicast+0x437/0x620
[ 33.772800] ? netlink_attachskb+0x600/0x600
[ 33.777190] netlink_sendmsg+0x733/0xbe0
[ 33.781230] ? netlink_unicast+0x620/0x620
[ 33.785478] ? SYSC_sendto+0x2b0/0x2b0
[ 33.789345] ? security_socket_sendmsg+0x83/0xb0
[ 33.794077] ? netlink_unicast+0x620/0x620
[ 33.798289] sock_sendmsg+0xc5/0x100
[ 33.801981] ___sys_sendmsg+0x70a/0x840
[ 33.805933] ? copy_msghdr_from_user+0x380/0x380
[ 33.810667] ? trace_hardirqs_on+0x10/0x10
[ 33.814880] ? save_trace+0x290/0x290
[ 33.818658] ? selinux_file_alloc_security+0xaf/0x190
[ 33.823827] ? __lock_is_held+0xad/0x140
[ 33.827863] ? lock_downgrade+0x6e0/0x6e0
[ 33.831988] ? __fget_light+0x16a/0x1f0
[ 33.835937] ? sockfd_lookup_light+0xb2/0x160
[ 33.840420] __sys_sendmsg+0xa3/0x120
[ 33.844209] ? SyS_shutdown+0x160/0x160
[ 33.848172] ? move_addr_to_kernel+0x60/0x60
[ 33.852557] ? __do_page_fault+0x35b/0xb40
[ 33.856783] SyS_sendmsg+0x27/0x40
[ 33.860340] ? __sys_sendmsg+0x120/0x120
[ 33.864378] do_syscall_64+0x1d5/0x640
[ 33.868253] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 33.873419] RIP: 0033:0x440239
[ 33.876596] RSP: 002b:00007ffd479e5c88 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 33.884288] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440239
[ 33.891535] RDX: 0000000000000000 RSI: 0000000020000640 RDI: 0000000000000003
[ 33.898780] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 33.906029] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401ac0
[ 33.913272] R13: 0000000000401b50 R14: 0000000000000000 R15: 0000000000000000
[ 33.920527]
[ 33.922132] The buggy address belongs to the variable:
[ 33.927438] nft_nat_ops+0xb8/0xc0
[ 33.930953]
[ 33.932555] Memory state around the buggy address:
[ 33.937491] ffffffff873cb080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
[ 33.944858] ffffffff873cb100: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
[ 33.952198] >ffffffff873cb180: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00
[ 33.959532] ^
[ 33.965739] ffffffff873cb200: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
[ 33.973072] ffffffff873cb280: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
[ 33.980408] ==================================================================
[ 33.987751] Disabling lock debugging due to kernel taint
[ 33.993482] Kernel panic - not syncing: panic_on_warn set ...
[ 33.993482]
[ 34.000842] CPU: 0 PID: 6314 Comm: syz-executor909 Tainted: G B 4.14.176-syzkaller #0
[ 34.009926] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.019271] Call Trace:
[ 34.021846] dump_stack+0x13e/0x194
[ 34.025451] panic+0x1f9/0x42d
[ 34.028669] ? add_taint.cold+0x16/0x16
[ 34.032628] ? preempt_schedule_common+0x4a/0xc0
[ 34.037395] ? nfnetlink_parse_nat_setup+0x364/0x370
[ 34.042485] ? ___preempt_schedule+0x16/0x18
[ 34.046894] ? nfnetlink_parse_nat_setup+0x364/0x370
[ 34.051986] kasan_end_report+0x43/0x49
[ 34.055940] kasan_report.cold+0x12f/0x2ae
[ 34.060161] nfnetlink_parse_nat_setup+0x364/0x370
[ 34.065073] ? nf_nat_alloc_null_binding+0x40/0x40
[ 34.069978] ? nf_nat_alloc_null_binding+0x40/0x40
[ 34.074881] ctnetlink_parse_nat_setup+0x70/0x490
[ 34.079699] ctnetlink_create_conntrack+0x437/0x1040
[ 34.084778] ? ctnetlink_del_conntrack+0x5a0/0x5a0
[ 34.089687] ? __do_once_done+0x1be/0x240
[ 34.093808] ? hash_conntrack_raw+0x2ab/0x410
[ 34.098281] ? nf_ct_get_id+0x160/0x160
[ 34.102235] ctnetlink_new_conntrack+0x460/0xc30
[ 34.106974] ? ctnetlink_create_conntrack+0x1040/0x1040
[ 34.112316] ? mutex_trylock+0x1a0/0x1a0
[ 34.116370] ? ctnetlink_create_conntrack+0x1040/0x1040
[ 34.121744] nfnetlink_rcv_msg+0xa08/0xc00
[ 34.125958] ? __kernel_text_address+0x9/0x30
[ 34.130432] netlink_rcv_skb+0x127/0x370
[ 34.134467] ? __lock_acquire+0x583/0x4620
[ 34.138686] ? nfnetlink_bind+0x240/0x240
[ 34.142808] ? netlink_ack+0x980/0x980
[ 34.146676] ? ns_capable_common+0x127/0x150
[ 34.151061] nfnetlink_rcv+0x1ab/0x1650
[ 34.155011] ? find_held_lock+0x2d/0x110
[ 34.159046] ? __netlink_lookup+0x2de/0x590
[ 34.163339] ? save_trace+0x290/0x290
[ 34.167118] ? save_trace+0x290/0x290
[ 34.170905] ? nfnl_err_del+0x150/0x150
[ 34.174854] ? find_held_lock+0x2d/0x110
[ 34.178888] ? netlink_deliver_tap+0x90/0x860
[ 34.183357] ? rcu_is_watching+0x11/0xb0
[ 34.187395] ? lock_downgrade+0x6e0/0x6e0
[ 34.191517] netlink_unicast+0x437/0x620
[ 34.195567] ? netlink_attachskb+0x600/0x600
[ 34.199961] netlink_sendmsg+0x733/0xbe0
[ 34.203998] ? netlink_unicast+0x620/0x620
[ 34.208218] ? SYSC_sendto+0x2b0/0x2b0
[ 34.212084] ? security_socket_sendmsg+0x83/0xb0
[ 34.216817] ? netlink_unicast+0x620/0x620
[ 34.221039] sock_sendmsg+0xc5/0x100
[ 34.224732] ___sys_sendmsg+0x70a/0x840
[ 34.228694] ? copy_msghdr_from_user+0x380/0x380
[ 34.233432] ? trace_hardirqs_on+0x10/0x10
[ 34.237645] ? save_trace+0x290/0x290
[ 34.241423] ? selinux_file_alloc_security+0xaf/0x190
[ 34.246590] ? __lock_is_held+0xad/0x140
[ 34.250627] ? lock_downgrade+0x6e0/0x6e0
[ 34.254880] ? __fget_light+0x16a/0x1f0
[ 34.258830] ? sockfd_lookup_light+0xb2/0x160
[ 34.263332] __sys_sendmsg+0xa3/0x120
[ 34.267109] ? SyS_shutdown+0x160/0x160
[ 34.271061] ? move_addr_to_kernel+0x60/0x60
[ 34.275442] ? __do_page_fault+0x35b/0xb40
[ 34.279649] SyS_sendmsg+0x27/0x40
[ 34.283165] ? __sys_sendmsg+0x120/0x120
[ 34.287202] do_syscall_64+0x1d5/0x640
[ 34.291069] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 34.296239] RIP: 0033:0x440239
[ 34.299410] RSP: 002b:00007ffd479e5c88 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 34.307144] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440239
[ 34.314425] RDX: 0000000000000000 RSI: 0000000020000640 RDI: 0000000000000003
[ 34.321671] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 34.328917] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401ac0
[ 34.336164] R13: 0000000000401b50 R14: 0000000000000000 R15: 0000000000000000
[ 34.344603] Kernel Offset: disabled
[ 34.348219] Rebooting in 86400 seconds..