[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 34.132634] random: sshd: uninitialized urandom read (32 bytes read)
[ 34.299239] kauditd_printk_skb: 10 callbacks suppressed
[ 34.299248] audit: type=1400 audit(1567423004.573:35): avc: denied { map } for pid=6891 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 34.341797] random: sshd: uninitialized urandom read (32 bytes read)
[ 34.851624] random: sshd: uninitialized urandom read (32 bytes read)
[ 49.156971] random: sshd: uninitialized urandom read (32 bytes read)
[ 50.836806] audit: type=1400 audit(1567423021.113:36): avc: denied { map } for pid=6903 comm="sh" path="/bin/dash" dev="sda1" ino=1473 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.137' (ECDSA) to the list of known hosts.
[ 54.644187] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 54.760633] audit: type=1400 audit(1567423025.043:37): avc: denied { map } for pid=6907 comm="syz-executor057" path="/root/syz-executor057000940" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 54.788425] ==================================================================
[ 54.795890] BUG: KASAN: slab-out-of-bounds in bpf_skb_change_proto+0xdbc/0x10f0
[ 54.803389] Read of size 2 at addr ffff8880a55bc300 by task syz-executor057/6907
[ 54.810925]
[ 54.812546] CPU: 1 PID: 6907 Comm: syz-executor057 Not tainted 4.14.141 #37
[ 54.819638] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.829036] Call Trace:
[ 54.831685] dump_stack+0x138/0x197
[ 54.835312] ? bpf_skb_change_proto+0xdbc/0x10f0
[ 54.840072] print_address_description.cold+0x7c/0x1dc
[ 54.845360] ? bpf_skb_change_proto+0xdbc/0x10f0
[ 54.850148] kasan_report.cold+0xa9/0x2af
[ 54.854298] __asan_report_load2_noabort+0x14/0x20
[ 54.859313] bpf_skb_change_proto+0xdbc/0x10f0
[ 54.863993] ? build_skb+0x1f/0x160
[ 54.867606] ? bpf_prog_test_run_skb+0x157/0x9a0
[ 54.872439] ? SyS_bpf+0x6ad/0x2da8
[ 54.876130] bpf_prog_4b4d9be662d00a7e+0xcfd/0x1000
[ 54.881152] ? trace_hardirqs_on+0x10/0x10
[ 54.885392] ? trace_hardirqs_on+0x10/0x10
[ 54.889629] ? bpf_test_run+0x44/0x330
[ 54.893507] ? find_held_lock+0x35/0x130
[ 54.897550] ? bpf_test_run+0x44/0x330
[ 54.901442] ? lock_acquire+0x16f/0x430
[ 54.905432] ? check_preemption_disabled+0x3c/0x250
[ 54.910456] ? bpf_test_run+0xa8/0x330
[ 54.914397] ? bpf_prog_test_run_skb+0x4d6/0x9a0
[ 54.919150] ? bpf_test_init.isra.0+0xe0/0xe0
[ 54.923691] ? __bpf_prog_get+0x153/0x1a0
[ 54.927916] ? SyS_bpf+0x6ad/0x2da8
[ 54.931594] ? __do_page_fault+0x4e9/0xb80
[ 54.935822] ? bpf_test_init.isra.0+0xe0/0xe0
[ 54.940310] ? bpf_prog_get+0x20/0x20
[ 54.944122] ? lock_downgrade+0x6e0/0x6e0
[ 54.948258] ? up_read+0x1a/0x40
[ 54.951610] ? __do_page_fault+0x358/0xb80
[ 54.955848] ? bpf_prog_get+0x20/0x20
[ 54.959636] ? do_syscall_64+0x1e8/0x640
[ 54.963702] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 54.968560] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 54.973914]
[ 54.975527] Allocated by task 0:
[ 54.978885] (stack is not available)
[ 54.982580]
[ 54.984191] Freed by task 0:
[ 54.987187] (stack is not available)
[ 54.990874]
[ 54.992496] The buggy address belongs to the object at ffff8880a55bc300
[ 54.992496] which belongs to the cache skbuff_head_cache of size 232
[ 55.005792] The buggy address is located 0 bytes inside of
[ 55.005792] 232-byte region [ffff8880a55bc300, ffff8880a55bc3e8)
[ 55.017505] The buggy address belongs to the page:
[ 55.022506] page:ffffea0002956f00 count:1 mapcount:0 mapping:ffff8880a55bc080 index:0x0
[ 55.030655] flags: 0x1fffc0000000100(slab)
[ 55.034876] raw: 01fffc0000000100 ffff8880a55bc080 0000000000000000 000000010000000c
[ 55.042752] raw: ffffea0002829fe0 ffffea0002783ae0 ffff88821b7203c0 0000000000000000
[ 55.050816] page dumped because: kasan: bad access detected
[ 55.056511]
[ 55.058117] Memory state around the buggy address:
[ 55.063073] ffff8880a55bc200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 55.070431] ffff8880a55bc280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 55.077794] >ffff8880a55bc300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 55.085152] ^
[ 55.088511] ffff8880a55bc380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 55.095865] ffff8880a55bc400: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 55.103333] ==================================================================
[ 55.110705] Disabling lock debugging due to kernel taint
[ 55.116618] Kernel panic - not syncing: panic_on_warn set ...
[ 55.116618]
[ 55.123992] CPU: 1 PID: 6907 Comm: syz-executor057 Tainted: G B 4.14.141 #37
[ 55.132344] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.141696] Call Trace:
[ 55.144358] dump_stack+0x138/0x197
[ 55.148001] ? bpf_skb_change_proto+0xdbc/0x10f0
[ 55.152747] panic+0x1f2/0x426
[ 55.155938] ? add_taint.cold+0x16/0x16
[ 55.159926] kasan_end_report+0x47/0x4f
[ 55.163893] kasan_report.cold+0x130/0x2af
[ 55.168192] __asan_report_load2_noabort+0x14/0x20
[ 55.173138] bpf_skb_change_proto+0xdbc/0x10f0
[ 55.177832] ? build_skb+0x1f/0x160
[ 55.181448] ? bpf_prog_test_run_skb+0x157/0x9a0
[ 55.186262] ? SyS_bpf+0x6ad/0x2da8
[ 55.189891] bpf_prog_4b4d9be662d00a7e+0xcfd/0x1000
[ 55.194894] ? trace_hardirqs_on+0x10/0x10
[ 55.199135] ? trace_hardirqs_on+0x10/0x10
[ 55.203357] ? bpf_test_run+0x44/0x330
[ 55.207227] ? find_held_lock+0x35/0x130
[ 55.211274] ? bpf_test_run+0x44/0x330
[ 55.215146] ? lock_acquire+0x16f/0x430
[ 55.219170] ? check_preemption_disabled+0x3c/0x250
[ 55.224190] ? bpf_test_run+0xa8/0x330
[ 55.228129] ? bpf_prog_test_run_skb+0x4d6/0x9a0
[ 55.232944] ? bpf_test_init.isra.0+0xe0/0xe0
[ 55.237430] ? __bpf_prog_get+0x153/0x1a0
[ 55.241623] ? SyS_bpf+0x6ad/0x2da8
[ 55.245321] ? __do_page_fault+0x4e9/0xb80
[ 55.249548] ? bpf_test_init.isra.0+0xe0/0xe0
[ 55.254027] ? bpf_prog_get+0x20/0x20
[ 55.257812] ? lock_downgrade+0x6e0/0x6e0
[ 55.261941] ? up_read+0x1a/0x40
[ 55.265308] ? __do_page_fault+0x358/0xb80
[ 55.269537] ? bpf_prog_get+0x20/0x20
[ 55.273337] ? do_syscall_64+0x1e8/0x640
[ 55.277454] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 55.282297] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 55.288981] Kernel Offset: disabled
[ 55.292690] Rebooting in 86400 seconds..