[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   34.132634] random: sshd: uninitialized urandom read (32 bytes read)
[   34.299239] kauditd_printk_skb: 10 callbacks suppressed
[   34.299248] audit: type=1400 audit(1567423004.573:35): avc:  denied  { map } for  pid=6891 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   34.341797] random: sshd: uninitialized urandom read (32 bytes read)
[   34.851624] random: sshd: uninitialized urandom read (32 bytes read)
[   49.156971] random: sshd: uninitialized urandom read (32 bytes read)
[   50.836806] audit: type=1400 audit(1567423021.113:36): avc:  denied  { map } for  pid=6903 comm="sh" path="/bin/dash" dev="sda1" ino=1473 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.137' (ECDSA) to the list of known hosts.
[   54.644187] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   54.760633] audit: type=1400 audit(1567423025.043:37): avc:  denied  { map } for  pid=6907 comm="syz-executor057" path="/root/syz-executor057000940" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   54.788425] ==================================================================
[   54.795890] BUG: KASAN: slab-out-of-bounds in bpf_skb_change_proto+0xdbc/0x10f0
[   54.803389] Read of size 2 at addr ffff8880a55bc300 by task syz-executor057/6907
[   54.810925] 
[   54.812546] CPU: 1 PID: 6907 Comm: syz-executor057 Not tainted 4.14.141 #37
[   54.819638] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   54.829036] Call Trace:
[   54.831685]  dump_stack+0x138/0x197
[   54.835312]  ? bpf_skb_change_proto+0xdbc/0x10f0
[   54.840072]  print_address_description.cold+0x7c/0x1dc
[   54.845360]  ? bpf_skb_change_proto+0xdbc/0x10f0
[   54.850148]  kasan_report.cold+0xa9/0x2af
[   54.854298]  __asan_report_load2_noabort+0x14/0x20
[   54.859313]  bpf_skb_change_proto+0xdbc/0x10f0
[   54.863993]  ? build_skb+0x1f/0x160
[   54.867606]  ? bpf_prog_test_run_skb+0x157/0x9a0
[   54.872439]  ? SyS_bpf+0x6ad/0x2da8
[   54.876130]  bpf_prog_4b4d9be662d00a7e+0xcfd/0x1000
[   54.881152]  ? trace_hardirqs_on+0x10/0x10
[   54.885392]  ? trace_hardirqs_on+0x10/0x10
[   54.889629]  ? bpf_test_run+0x44/0x330
[   54.893507]  ? find_held_lock+0x35/0x130
[   54.897550]  ? bpf_test_run+0x44/0x330
[   54.901442]  ? lock_acquire+0x16f/0x430
[   54.905432]  ? check_preemption_disabled+0x3c/0x250
[   54.910456]  ? bpf_test_run+0xa8/0x330
[   54.914397]  ? bpf_prog_test_run_skb+0x4d6/0x9a0
[   54.919150]  ? bpf_test_init.isra.0+0xe0/0xe0
[   54.923691]  ? __bpf_prog_get+0x153/0x1a0
[   54.927916]  ? SyS_bpf+0x6ad/0x2da8
[   54.931594]  ? __do_page_fault+0x4e9/0xb80
[   54.935822]  ? bpf_test_init.isra.0+0xe0/0xe0
[   54.940310]  ? bpf_prog_get+0x20/0x20
[   54.944122]  ? lock_downgrade+0x6e0/0x6e0
[   54.948258]  ? up_read+0x1a/0x40
[   54.951610]  ? __do_page_fault+0x358/0xb80
[   54.955848]  ? bpf_prog_get+0x20/0x20
[   54.959636]  ? do_syscall_64+0x1e8/0x640
[   54.963702]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   54.968560]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   54.973914] 
[   54.975527] Allocated by task 0:
[   54.978885] (stack is not available)
[   54.982580] 
[   54.984191] Freed by task 0:
[   54.987187] (stack is not available)
[   54.990874] 
[   54.992496] The buggy address belongs to the object at ffff8880a55bc300
[   54.992496]  which belongs to the cache skbuff_head_cache of size 232
[   55.005792] The buggy address is located 0 bytes inside of
[   55.005792]  232-byte region [ffff8880a55bc300, ffff8880a55bc3e8)
[   55.017505] The buggy address belongs to the page:
[   55.022506] page:ffffea0002956f00 count:1 mapcount:0 mapping:ffff8880a55bc080 index:0x0
[   55.030655] flags: 0x1fffc0000000100(slab)
[   55.034876] raw: 01fffc0000000100 ffff8880a55bc080 0000000000000000 000000010000000c
[   55.042752] raw: ffffea0002829fe0 ffffea0002783ae0 ffff88821b7203c0 0000000000000000
[   55.050816] page dumped because: kasan: bad access detected
[   55.056511] 
[   55.058117] Memory state around the buggy address:
[   55.063073]  ffff8880a55bc200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   55.070431]  ffff8880a55bc280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   55.077794] >ffff8880a55bc300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   55.085152]                    ^
[   55.088511]  ffff8880a55bc380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   55.095865]  ffff8880a55bc400: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   55.103333] ==================================================================
[   55.110705] Disabling lock debugging due to kernel taint
[   55.116618] Kernel panic - not syncing: panic_on_warn set ...
[   55.116618] 
[   55.123992] CPU: 1 PID: 6907 Comm: syz-executor057 Tainted: G    B           4.14.141 #37
[   55.132344] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   55.141696] Call Trace:
[   55.144358]  dump_stack+0x138/0x197
[   55.148001]  ? bpf_skb_change_proto+0xdbc/0x10f0
[   55.152747]  panic+0x1f2/0x426
[   55.155938]  ? add_taint.cold+0x16/0x16
[   55.159926]  kasan_end_report+0x47/0x4f
[   55.163893]  kasan_report.cold+0x130/0x2af
[   55.168192]  __asan_report_load2_noabort+0x14/0x20
[   55.173138]  bpf_skb_change_proto+0xdbc/0x10f0
[   55.177832]  ? build_skb+0x1f/0x160
[   55.181448]  ? bpf_prog_test_run_skb+0x157/0x9a0
[   55.186262]  ? SyS_bpf+0x6ad/0x2da8
[   55.189891]  bpf_prog_4b4d9be662d00a7e+0xcfd/0x1000
[   55.194894]  ? trace_hardirqs_on+0x10/0x10
[   55.199135]  ? trace_hardirqs_on+0x10/0x10
[   55.203357]  ? bpf_test_run+0x44/0x330
[   55.207227]  ? find_held_lock+0x35/0x130
[   55.211274]  ? bpf_test_run+0x44/0x330
[   55.215146]  ? lock_acquire+0x16f/0x430
[   55.219170]  ? check_preemption_disabled+0x3c/0x250
[   55.224190]  ? bpf_test_run+0xa8/0x330
[   55.228129]  ? bpf_prog_test_run_skb+0x4d6/0x9a0
[   55.232944]  ? bpf_test_init.isra.0+0xe0/0xe0
[   55.237430]  ? __bpf_prog_get+0x153/0x1a0
[   55.241623]  ? SyS_bpf+0x6ad/0x2da8
[   55.245321]  ? __do_page_fault+0x4e9/0xb80
[   55.249548]  ? bpf_test_init.isra.0+0xe0/0xe0
[   55.254027]  ? bpf_prog_get+0x20/0x20
[   55.257812]  ? lock_downgrade+0x6e0/0x6e0
[   55.261941]  ? up_read+0x1a/0x40
[   55.265308]  ? __do_page_fault+0x358/0xb80
[   55.269537]  ? bpf_prog_get+0x20/0x20
[   55.273337]  ? do_syscall_64+0x1e8/0x640
[   55.277454]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   55.282297]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   55.288981] Kernel Offset: disabled
[   55.292690] Rebooting in 86400 seconds..