[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 21.865721] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.120795] audit: type=1400 audit(1548028799.067:6): avc: denied { map } for pid=1769 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 22.162688] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.619511] random: sshd: uninitialized urandom read (32 bytes read)
[ 31.119656] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.173' (ECDSA) to the list of known hosts.
[ 36.769777] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 36.857193] audit: type=1400 audit(1548028813.797:7): avc: denied { map } for pid=1787 comm="syz-executor815" path="/root/syz-executor815147165" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 37.037879] ==================================================================
[ 37.045362] BUG: KASAN: use-after-free in ip_check_defrag+0x4f5/0x523
[ 37.051967] Write of size 4 at addr ffff8881d15ff6dc by task syz-executor815/1791
[ 37.059566]
[ 37.061175] CPU: 1 PID: 1791 Comm: syz-executor815 Not tainted 4.14.94+ #12
[ 37.068252] Call Trace:
[ 37.070843]  dump_stack+0xb9/0x10e
[ 37.074376]  ? ip_check_defrag+0x4f5/0x523
[ 37.078606]  print_address_description+0x60/0x226
[ 37.083447]  ? ip_check_defrag+0x4f5/0x523
[ 37.087665]  kasan_report.cold+0x88/0x2a5
[ 37.091806]  ? ip_check_defrag+0x4f5/0x523
[ 37.096041]  ? ip_defrag+0x3b50/0x3b50
[ 37.099914]  ? mark_held_locks+0xa6/0xf0
[ 37.103959]  ? check_preemption_disabled+0x35/0x1f0
[ 37.108972]  ? packet_rcv_fanout+0x4d1/0x5e0
[ 37.113368]  ? fanout_demux_rollover+0x4d0/0x4d0
[ 37.118117]  ? dev_queue_xmit_nit+0x21a/0x960
[ 37.122604]  ? dev_hard_start_xmit+0xa3/0x890
[ 37.127165]  ? sch_direct_xmit+0x27a/0x520
[ 37.131402]  ? dev_deactivate_queue.constprop.0+0x150/0x150
[ 37.137099]  ? lock_acquire+0x10f/0x380
[ 37.141057]  ? ip_finish_output2+0x9fe/0x12f0
[ 37.145539]  ? __dev_queue_xmit+0x1565/0x1cd0
[ 37.150032]  ? netdev_pick_tx+0x2e0/0x2e0
[ 37.154181]  ? ip_do_fragment+0x180c/0x1ee0
[ 37.158488]  ? mark_held_locks+0xa6/0xf0
[ 37.162534]  ? ip_finish_output2+0xd92/0x12f0
[ 37.167014]  ? ip_finish_output2+0x9fe/0x12f0
[ 37.171566]  ? ip_copy_addrs+0xd0/0xd0
[ 37.175447]  ? selinux_ip_postroute_compat+0x360/0x360
[ 37.180712]  ? check_preemption_disabled+0x35/0x1f0
[ 37.185728]  ? ip_do_fragment+0x180c/0x1ee0
[ 37.190045]  ? ip_do_fragment+0x180c/0x1ee0
[ 37.194367]  ? ip_copy_addrs+0xd0/0xd0
[ 37.198245]  ? ip_fragment.constprop.0+0x146/0x200
[ 37.203160]  ? ip_finish_output+0x7a7/0xc70
[ 37.207465]  ? ip_mc_output+0x231/0xbe0
[ 37.211423]  ? ip_queue_xmit+0x1a70/0x1a70
[ 37.215639]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 37.221075]  ? ip_fragment.constprop.0+0x200/0x200
[ 37.225984]  ? dst_release+0xc/0x80
[ 37.229591]  ? __ip_make_skb+0xe30/0x1690
[ 37.233728]  ? ip_local_out+0x98/0x170
[ 37.237599]  ? ip_send_skb+0x3a/0xc0
[ 37.241294]  ? ip_push_pending_frames+0x5f/0x80
[ 37.245944]  ? raw_sendmsg+0x19de/0x2270
[ 37.250028]  ? raw_seq_next+0x80/0x80
[ 37.253820]  ? avc_has_perm_noaudit+0x2d0/0x2d0
[ 37.258473]  ? lock_downgrade+0x5d0/0x5d0
[ 37.262600]  ? lock_acquire+0x10f/0x380
[ 37.266552]  ? finish_task_switch+0x1b7/0x620
[ 37.271028]  ? _raw_spin_unlock_irq+0x24/0x50
[ 37.275546]  ? sock_has_perm+0x1d3/0x260
[ 37.279588]  ? __schedule+0x924/0x1f30
[ 37.283461]  ? __lock_acquire+0x56a/0x3fa0
[ 37.287685]  ? inet_sendmsg+0x14a/0x510
[ 37.291643]  ? inet_recvmsg+0x540/0x540
[ 37.295600]  ? sock_sendmsg+0xb7/0x100
[ 37.299467]  ? sock_no_sendpage+0x132/0x1a0
[ 37.303771]  ? sock_rfree+0x140/0x140
[ 37.307559]  ? futex_wait+0x406/0x570
[ 37.311352]  ? inet_sendpage+0x1bb/0x5c0
[ 37.315402]  ? inet_getname+0x390/0x390
[ 37.319355]  ? kernel_sendpage+0x84/0xd0
[ 37.323404]  ? sock_sendpage+0x84/0xa0
[ 37.327275]  ? pipe_to_sendpage+0x23d/0x300
[ 37.331578]  ? kernel_sendpage+0xd0/0xd0
[ 37.335623]  ? direct_splice_actor+0x160/0x160
[ 37.340209]  ? splice_from_pipe_next.part.0+0x1e4/0x290
[ 37.345560]  ? __splice_from_pipe+0x331/0x740
[ 37.350051]  ? direct_splice_actor+0x160/0x160
[ 37.354622]  ? direct_splice_actor+0x160/0x160
[ 37.359182]  ? splice_from_pipe+0xd9/0x140
[ 37.363409]  ? splice_shrink_spd+0xb0/0xb0
[ 37.367629]  ? security_file_permission+0x88/0x1e0
[ 37.372658]  ? splice_from_pipe+0x140/0x140
[ 37.376960]  ? SyS_splice+0xd1c/0x12d0
[ 37.380835]  ? do_futex+0x17f0/0x17f0
[ 37.384613]  ? _raw_spin_unlock_irq+0x35/0x50
[ 37.389091]  ? compat_SyS_vmsplice+0x150/0x150
[ 37.393658]  ? do_syscall_64+0x43/0x4b0
[ 37.397613]  ? compat_SyS_vmsplice+0x150/0x150
[ 37.402179]  ? do_syscall_64+0x19b/0x4b0
[ 37.406225]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 37.411574]
[ 37.413178] Allocated by task 1791:
[ 37.416789]  kasan_kmalloc.part.0+0x4f/0xd0
[ 37.421090]  kmem_cache_alloc+0xd2/0x2d0
[ 37.425132]  skb_clone+0x126/0x310
[ 37.428651]  ip_check_defrag+0x2bc/0x523
[ 37.432700]  packet_rcv_fanout+0x4d1/0x5e0
[ 37.436915]  dev_queue_xmit_nit+0x21a/0x960
[ 37.441208]
[ 37.442810] Freed by task 1791:
[ 37.446068]  kasan_slab_free+0xb0/0x190
[ 37.450035]  kmem_cache_free+0xc4/0x330
[ 37.454000]  kfree_skbmem+0xa0/0x100
[ 37.457697]  kfree_skb+0xcd/0x350
[ 37.461130]  ip_defrag+0x5f4/0x3b50
[ 37.464737]  ip_check_defrag+0x39b/0x523
[ 37.469108]  packet_rcv_fanout+0x4d1/0x5e0
[ 37.473327]  dev_queue_xmit_nit+0x21a/0x960
[ 37.477702]
[ 37.479315] The buggy address belongs to the object at ffff8881d15ff640
[ 37.479315]  which belongs to the cache skbuff_head_cache of size 224
[ 37.492480] The buggy address is located 156 bytes inside of
[ 37.492480]  224-byte region [ffff8881d15ff640, ffff8881d15ff720)
[ 37.504415] The buggy address belongs to the page:
[ 37.509333] page:ffffea0007457fc0 count:1 mapcount:0 mapping: (null) index:0x0
[ 37.517459] flags: 0x4000000000000100(slab)
[ 37.521861] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[ 37.529735] raw: dead000000000100 dead000000000200 ffff8881dab58200 0000000000000000
[ 37.537599] page dumped because: kasan: bad access detected
[ 37.543286]
[ 37.544887] Memory state around the buggy address:
[ 37.549793]  ffff8881d15ff580: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 37.557189]  ffff8881d15ff600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 37.564545] >ffff8881d15ff680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.571887]                                                     ^
[ 37.578100]  ffff8881d15ff700: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.585496]  ffff8881d15ff780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.592848] ==================================================================
[ 37.600190] Disabling lock debugging due to kernel taint
[ 37.605663] Kernel panic - not syncing: panic_on_warn set ...
[ 37.605663]
[ 37.613015] CPU: 1 PID: 1791 Comm: syz-executor815 Tainted: G    B    4.14.94+ #12
[ 37.621321] Call Trace:
[ 37.623894]  dump_stack+0xb9/0x10e
[ 37.627420]  panic+0x1d9/0x3c2
[ 37.630591]  ? add_taint.cold+0x16/0x16
[ 37.634542]  ? retint_kernel+0x2d/0x2d
[ 37.638418]  ? ip_check_defrag+0x4f5/0x523
[ 37.642629]  kasan_end_report+0x43/0x49
[ 37.646583]  kasan_report.cold+0xa4/0x2a5
[ 37.650711]  ? ip_check_defrag+0x4f5/0x523
[ 37.654921]  ? ip_defrag+0x3b50/0x3b50
[ 37.658790]  ? mark_held_locks+0xa6/0xf0
[ 37.662830]  ? check_preemption_disabled+0x35/0x1f0
[ 37.667832]  ? packet_rcv_fanout+0x4d1/0x5e0
[ 37.672236]  ? fanout_demux_rollover+0x4d0/0x4d0
[ 37.676968]  ? dev_queue_xmit_nit+0x21a/0x960
[ 37.681440]  ? dev_hard_start_xmit+0xa3/0x890
[ 37.686132]  ? sch_direct_xmit+0x27a/0x520
[ 37.690353]  ? dev_deactivate_queue.constprop.0+0x150/0x150
[ 37.696042]  ? lock_acquire+0x10f/0x380
[ 37.699994]  ? ip_finish_output2+0x9fe/0x12f0
[ 37.704480]  ? __dev_queue_xmit+0x1565/0x1cd0
[ 37.708955]  ? netdev_pick_tx+0x2e0/0x2e0
[ 37.713079]  ? ip_do_fragment+0x180c/0x1ee0
[ 37.717381]  ? mark_held_locks+0xa6/0xf0
[ 37.721434]  ? ip_finish_output2+0xd92/0x12f0
[ 37.725913]  ? ip_finish_output2+0x9fe/0x12f0
[ 37.730386]  ? ip_copy_addrs+0xd0/0xd0
[ 37.734261]  ? selinux_ip_postroute_compat+0x360/0x360
[ 37.739518]  ? check_preemption_disabled+0x35/0x1f0
[ 37.744594]  ? ip_do_fragment+0x180c/0x1ee0
[ 37.748901]  ? ip_do_fragment+0x180c/0x1ee0
[ 37.753204]  ? ip_copy_addrs+0xd0/0xd0
[ 37.757076]  ? ip_fragment.constprop.0+0x146/0x200
[ 37.761987]  ? ip_finish_output+0x7a7/0xc70
[ 37.766288]  ? ip_mc_output+0x231/0xbe0
[ 37.770242]  ? ip_queue_xmit+0x1a70/0x1a70
[ 37.774455]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 37.779887]  ? ip_fragment.constprop.0+0x200/0x200
[ 37.784797]  ? dst_release+0xc/0x80
[ 37.788445]  ? __ip_make_skb+0xe30/0x1690
[ 37.792582]  ? ip_local_out+0x98/0x170
[ 37.796451]  ? ip_send_skb+0x3a/0xc0
[ 37.800145]  ? ip_push_pending_frames+0x5f/0x80
[ 37.804905]  ? raw_sendmsg+0x19de/0x2270
[ 37.808949]  ? raw_seq_next+0x80/0x80
[ 37.812731]  ? avc_has_perm_noaudit+0x2d0/0x2d0
[ 37.817384]  ? lock_downgrade+0x5d0/0x5d0
[ 37.821527]  ? lock_acquire+0x10f/0x380
[ 37.825479]  ? finish_task_switch+0x1b7/0x620
[ 37.829955]  ? _raw_spin_unlock_irq+0x24/0x50
[ 37.834432]  ? sock_has_perm+0x1d3/0x260
[ 37.838477]  ? __schedule+0x924/0x1f30
[ 37.842343]  ? __lock_acquire+0x56a/0x3fa0
[ 37.846557]  ? inet_sendmsg+0x14a/0x510
[ 37.850569]  ? inet_recvmsg+0x540/0x540
[ 37.854529]  ? sock_sendmsg+0xb7/0x100
[ 37.858402]  ? sock_no_sendpage+0x132/0x1a0
[ 37.862706]  ? sock_rfree+0x140/0x140
[ 37.866493]  ? futex_wait+0x406/0x570
[ 37.870280]  ? inet_sendpage+0x1bb/0x5c0
[ 37.874326]  ? inet_getname+0x390/0x390
[ 37.878278]  ? kernel_sendpage+0x84/0xd0
[ 37.882323]  ? sock_sendpage+0x84/0xa0
[ 37.886189]  ? pipe_to_sendpage+0x23d/0x300
[ 37.890487]  ? kernel_sendpage+0xd0/0xd0
[ 37.894628]  ? direct_splice_actor+0x160/0x160
[ 37.899194]  ? splice_from_pipe_next.part.0+0x1e4/0x290
[ 37.904540]  ? __splice_from_pipe+0x331/0x740
[ 37.909015]  ? direct_splice_actor+0x160/0x160
[ 37.913578]  ? direct_splice_actor+0x160/0x160
[ 37.918141]  ? splice_from_pipe+0xd9/0x140
[ 37.922368]  ? splice_shrink_spd+0xb0/0xb0
[ 37.926598]  ? security_file_permission+0x88/0x1e0
[ 37.931520]  ? splice_from_pipe+0x140/0x140
[ 37.935821]  ? SyS_splice+0xd1c/0x12d0
[ 37.939699]  ? do_futex+0x17f0/0x17f0
[ 37.943483]  ? _raw_spin_unlock_irq+0x35/0x50
[ 37.947959]  ? compat_SyS_vmsplice+0x150/0x150
[ 37.952518]  ? do_syscall_64+0x43/0x4b0
[ 37.956473]  ? compat_SyS_vmsplice+0x150/0x150
[ 37.961032]  ? do_syscall_64+0x19b/0x4b0
[ 37.965072]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 37.971229] Kernel Offset: 0x15a00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 37.982142] Rebooting in 86400 seconds..