[....] Starting enhanced syslogd: rsyslogd
[   12.341021] audit: type=1400 audit(1516822291.975:4): avc: denied { syslog } for pid=3189 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.212' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   23.527497] ==================================================================
[   23.534908] BUG: KASAN: slab-out-of-bounds in string+0x1e8/0x200
[   23.541040] Read of size 1 at addr ffff8801cafced50 by task syzkaller538128/3345
[   23.548553]
[   23.550170] CPU: 1 PID: 3345 Comm: syzkaller538128 Not tainted 4.9.78-ge9dabe6 #19
[   23.557854] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   23.567181]  ffff8801bf9ff738 ffffffff81d943a9 ffffea00072bf380 ffff8801cafced50
[   23.575164]  0000000000000000 ffff8801cafced50 ffff8801bf9ff994 ffff8801bf9ff770
[   23.583138]  ffffffff8153dc23 ffff8801cafced50 0000000000000001 0000000000000000
[   23.591136] Call Trace:
[   23.593697]  [] dump_stack+0xc1/0x128
[   23.599039]  [] print_address_description+0x73/0x280
[   23.605675]  [] kasan_report+0x275/0x360
[   23.611268]  [] ? string+0x1e8/0x200
[   23.616513]  [] __asan_report_load1_noabort+0x14/0x20
[   23.623233]  [] string+0x1e8/0x200
[   23.628306]  [] vsnprintf+0x7ad/0x16d0
[   23.633725]  [] ? pointer+0xa90/0xa90
[   23.639059]  [] ? __mutex_unlock_slowpath+0x25a/0x3d0
[   23.645788]  [] __request_module+0x14f/0x750
[   23.651732]  [] ? __ww_mutex_lock+0x14a0/0x14a0
[   23.657934]  [] ? call_usermodehelper_setup+0x2c0/0x2c0
[   23.664830]  [] ? xt_check_match+0x60d/0x720
[   23.670772]  [] xt_request_find_target+0x8b/0xb0
[   23.677061]  [] translate_table+0x177a/0x1e30
[   23.683091]  [] ? ipt_alloc_initial_table+0x660/0x660
[   23.689824]  [] ? check_stack_object+0x68/0x140
[   23.696026]  [] ? __check_object_size+0x174/0x3a9
[   23.702406]  [] ? 0xffffffff810002b8
[   23.707654]  [] do_ipt_set_ctl+0x2be/0x470
[   23.713425]  [] ? compat_do_ipt_set_ctl+0x150/0x150
[   23.719985]  [] ? mutex_unlock+0x9/0x10
[   23.725505]  [] ? nf_sockopt_find.constprop.0+0x1a7/0x220
[   23.732576]  [] nf_setsockopt+0x67/0xc0
[   23.738084]  [] ip_setsockopt+0xa1/0xb0
[   23.743591]  [] tcp_setsockopt+0x82/0xd0
[   23.749184]  [] sock_common_setsockopt+0x95/0xd0
[   23.755480]  [] SyS_setsockopt+0x160/0x250
[   23.761244]  [] ? SyS_recv+0x40/0x40
[   23.766493]  [] ? entry_SYSCALL_64_fastpath+0x5/0xe8
[   23.773132]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   23.779940]  [] ? trace_hardirqs_on_thunk+0x1a/0x1c
[   23.786489]  [] entry_SYSCALL_64_fastpath+0x29/0xe8
[   23.793034]
[   23.794630] Allocated by task 3345:
[   23.798226]  save_stack_trace+0x16/0x20
[   23.802170]  save_stack+0x43/0xd0
[   23.805589]  kasan_kmalloc+0xad/0xe0
[   23.809270]  __kmalloc+0x11d/0x310
[   23.812780]  xt_alloc_table_info+0x71/0x100
[   23.817071]  do_ipt_set_ctl+0x242/0x470
[   23.821024]  nf_setsockopt+0x67/0xc0
[   23.824707]  ip_setsockopt+0xa1/0xb0
[   23.828394]  tcp_setsockopt+0x82/0xd0
[   23.832164]  sock_common_setsockopt+0x95/0xd0
[   23.836623]  SyS_setsockopt+0x160/0x250
[   23.840564]  entry_SYSCALL_64_fastpath+0x29/0xe8
[   23.845286]
[   23.846881] Freed by task 1804:
[   23.850129]  save_stack_trace+0x16/0x20
[   23.854069]  save_stack+0x43/0xd0
[   23.857492]  kasan_slab_free+0x72/0xc0
[   23.861347]  kfree+0x103/0x300
[   23.864510]  seq_release+0x59/0x70
[   23.868018]  kernfs_fop_release+0xcb/0x140
[   23.872219]  __fput+0x28c/0x6e0
[   23.875465]  ____fput+0x15/0x20
[   23.878714]  task_work_run+0x115/0x190
[   23.882567]  exit_to_usermode_loop+0xfc/0x120
[   23.887029]  syscall_return_slowpath+0x1a0/0x1e0
[   23.891755]  entry_SYSCALL_64_fastpath+0xe6/0xe8
[   23.896489]
[   23.898093] The buggy address belongs to the object at ffff8801cafcec80
[   23.898093]  which belongs to the cache kmalloc-256 of size 256
[   23.910722] The buggy address is located 208 bytes inside of
[   23.910722]  256-byte region [ffff8801cafcec80, ffff8801cafced80)
[   23.922566] The buggy address belongs to the page:
[   23.927465] page:ffffea00072bf380 count:1 mapcount:0 mapping: (null) index:0x0
[   23.935691] flags: 0x8000000000000080(slab)
[   23.939977] page dumped because: kasan: bad access detected
[   23.945654]
[   23.947252] Memory state around the buggy address:
[   23.952154]  ffff8801cafcec00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   23.959481]  ffff8801cafcec80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   23.966831] >ffff8801cafced00: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[   23.974163]                                                  ^
[   23.980103]  ffff8801cafced80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   23.987429]  ffff8801cafcee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.994767] ==================================================================
[   24.002093] Disabling lock debugging due to kernel taint
[   24.007638] Kernel panic - not syncing: panic_on_warn set ...
[   24.007638]
[   24.014987] CPU: 1 PID: 3345 Comm: syzkaller538128 Tainted: G    B   4.9.78-ge9dabe6 #19
[   24.023878] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   24.033204]  ffff8801bf9ff690 ffffffff81d943a9 ffffffff841971bf ffff8801bf9ff768
[   24.041177]  0000000000000000 ffff8801cafced50 ffff8801bf9ff994 ffff8801bf9ff758
[   24.049161]  ffffffff8142f451 0000000041b58ab3 ffffffff8418ac30 ffffffff8142f295
[   24.057132] Call Trace:
[   24.059688]  [] dump_stack+0xc1/0x128
[   24.065025]  [] panic+0x1bc/0x3a8
[   24.070015]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   24.078212]  [] ? preempt_schedule+0x25/0x30
[   24.084154]  [] ? ___preempt_schedule+0x16/0x18
[   24.090383]  [] kasan_end_report+0x50/0x50
[   24.096162]  [] kasan_report+0x167/0x360
[   24.101755]  [] ? string+0x1e8/0x200
[   24.107001]  [] __asan_report_load1_noabort+0x14/0x20
[   24.113723]  [] string+0x1e8/0x200
[   24.118794]  [] vsnprintf+0x7ad/0x16d0
[   24.124212]  [] ? pointer+0xa90/0xa90
[   24.129547]  [] ? __mutex_unlock_slowpath+0x25a/0x3d0
[   24.136272]  [] __request_module+0x14f/0x750
[   24.142211]  [] ? __ww_mutex_lock+0x14a0/0x14a0
[   24.148411]  [] ? call_usermodehelper_setup+0x2c0/0x2c0
[   24.155309]  [] ? xt_check_match+0x60d/0x720
[   24.161249]  [] xt_request_find_target+0x8b/0xb0
[   24.167538]  [] translate_table+0x177a/0x1e30
[   24.173566]  [] ? ipt_alloc_initial_table+0x660/0x660
[   24.180290]  [] ? check_stack_object+0x68/0x140
[   24.186489]  [] ? __check_object_size+0x174/0x3a9
[   24.192861]  [] ? 0xffffffff810002b8
[   24.198105]  [] do_ipt_set_ctl+0x2be/0x470
[   24.203870]  [] ? compat_do_ipt_set_ctl+0x150/0x150
[   24.210415]  [] ? mutex_unlock+0x9/0x10
[   24.215923]  [] ? nf_sockopt_find.constprop.0+0x1a7/0x220
[   24.222992]  [] nf_setsockopt+0x67/0xc0
[   24.228498]  [] ip_setsockopt+0xa1/0xb0
[   24.234003]  [] tcp_setsockopt+0x82/0xd0
[   24.239608]  [] sock_common_setsockopt+0x95/0xd0
[   24.245909]  [] SyS_setsockopt+0x160/0x250
[   24.251686]  [] ? SyS_recv+0x40/0x40
[   24.256941]  [] ? entry_SYSCALL_64_fastpath+0x5/0xe8
[   24.263580]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   24.270401]  [] ? trace_hardirqs_on_thunk+0x1a/0x1c
[   24.276955]  [] entry_SYSCALL_64_fastpath+0x29/0xe8
[   24.284017] Dumping ftrace buffer:
[   24.287528]    (ftrace buffer empty)
[   24.291213] Kernel Offset: disabled
[   24.294814] Rebooting in 86400 seconds..