[ 10.141402] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 29.362405] random: sshd: uninitialized urandom read (32 bytes read)
[ 29.658151] audit: type=1400 audit(1546400554.603:6): avc: denied { map } for pid=1765 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 29.699117] random: sshd: uninitialized urandom read (32 bytes read)
[ 30.163571] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.15.204' (ECDSA) to the list of known hosts.
[ 35.853047] urandom_read: 1 callbacks suppressed
[ 35.853051] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 35.947147] audit: type=1400 audit(1546400560.893:7): avc: denied { map } for pid=1783 comm="syz-executor044" path="/root/syz-executor044447084" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 35.949221] ==================================================================
[ 35.980684] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x2519/0x25a0
[ 35.987854] Read of size 4 at addr ffff8881d07e76d0 by task syz-executor044/1783
[ 35.995366] 
[ 35.996979] CPU: 0 PID: 1783 Comm: syz-executor044 Not tainted 4.14.91+ #1
[ 36.004078] Call Trace:
[ 36.006659]  dump_stack+0xb9/0x10e
[ 36.010194]  ? xfrm_state_find+0x2519/0x25a0
[ 36.014589]  print_address_description+0x60/0x226
[ 36.019418]  ? xfrm_state_find+0x2519/0x25a0
[ 36.023809]  kasan_report.cold+0x88/0x2a5
[ 36.027944]  ? xfrm_state_find+0x2519/0x25a0
[ 36.032351]  ? xfrm_state_afinfo_get_rcu+0xb0/0xb0
[ 36.037275]  ? depot_save_stack+0x201/0x418
[ 36.041674]  ? lock_downgrade+0x5d0/0x5d0
[ 36.045810]  ? lock_acquire+0x10f/0x380
[ 36.049768]  ? depot_save_stack+0x176/0x418
[ 36.054081]  ? xfrm_tmpl_resolve_one+0x1b5/0x7d0
[ 36.058825]  ? xfrm_expand_policies.constprop.0+0x230/0x230
[ 36.064528]  ? __lock_acquire+0x56a/0x3fa0
[ 36.068751]  ? xfrm_resolve_and_create_bundle+0x20c/0x2460
[ 36.074362]  ? trace_hardirqs_on+0x10/0x10
[ 36.078580]  ? __lock_acquire+0x56a/0x3fa0
[ 36.082796]  ? unwind_next_frame+0xc3f/0x1800
[ 36.087277]  ? deref_stack_reg+0xaa/0xe0
[ 36.091325]  ? xfrm_tmpl_resolve_one+0x7d0/0x7d0
[ 36.096187]  ? xfrm_sk_policy_lookup+0x287/0x390
[ 36.100933]  ? lock_downgrade+0x5d0/0x5d0
[ 36.105063]  ? lock_acquire+0x10f/0x380
[ 36.109039]  ? xfrm_selector_match+0xda0/0xda0
[ 36.113607]  ? check_preemption_disabled+0x35/0x1f0
[ 36.118605]  ? check_preemption_disabled+0x35/0x1f0
[ 36.123609]  ? xfrm_sk_policy_lookup+0x2ae/0x390
[ 36.128351]  ? xfrm_lookup_with_ifid+0x215/0x17d0
[ 36.133178]  ? xfrm_lookup_with_ifid+0x215/0x17d0
[ 36.138026]  ? xfrm_policy_lookup_bytype.constprop.0+0x11c0/0x11c0
[ 36.144477]  ? ip_route_output_key_hash+0x1e3/0x2c0
[ 36.149480]  ? ip_route_output_key_hash_rcu+0x2160/0x2160
[ 36.155025]  ? xfrm_lookup_route+0x36/0x1b0
[ 36.159337]  ? ip_route_output_flow+0x89/0xb0
[ 36.163820]  ? udp_sendmsg+0x13a0/0x1b90
[ 36.167865]  ? ip_reply_glue_bits+0xa0/0xa0
[ 36.172177]  ? udp_v4_get_port+0xf0/0xf0
[ 36.176223]  ? trace_hardirqs_on+0x10/0x10
[ 36.180454]  ? trace_hardirqs_on+0x10/0x10
[ 36.184674]  ? __lock_acquire+0x56a/0x3fa0
[ 36.188898]  ? udpv6_sendmsg+0x12e1/0x25d0
[ 36.193118]  ? trace_hardirqs_on+0x10/0x10
[ 36.197337]  ? udp_v6_flush_pending_frames+0xd0/0xd0
[ 36.202428]  ? reacquire_held_locks+0xb5/0x3f0
[ 36.206992]  ? release_sock+0x1b/0x1b0
[ 36.210891]  ? inet_autobind+0x123/0x180
[ 36.214937]  ? lock_downgrade+0x5d0/0x5d0
[ 36.219074]  ? __local_bh_enable_ip+0x65/0xc0
[ 36.223558]  ? inet_sendmsg+0x14a/0x510
[ 36.227520]  ? udp_v6_flush_pending_frames+0xd0/0xd0
[ 36.232609]  ? inet_sendmsg+0x14a/0x510
[ 36.236566]  ? inet_recvmsg+0x540/0x540
[ 36.240530]  ? sock_sendmsg+0xb7/0x100
[ 36.244400]  ? ___sys_sendmsg+0x368/0x890
[ 36.248532]  ? copy_msghdr_from_user+0x3b0/0x3b0
[ 36.253278]  ? avc_has_perm+0x143/0x350
[ 36.257240]  ? lock_downgrade+0x5d0/0x5d0
[ 36.261373]  ? lock_acquire+0x10f/0x380
[ 36.265330]  ? avc_has_perm+0x9c/0x350
[ 36.269200]  ? check_preemption_disabled+0x35/0x1f0
[ 36.274217]  ? __handle_mm_fault+0xd96/0x2640
[ 36.278699]  ? mem_cgroup_commit_charge+0x184/0x3e0
[ 36.283702]  ? lock_downgrade+0x5d0/0x5d0
[ 36.287834]  ? __fget_light+0x16a/0x1f0
[ 36.291796]  ? sockfd_lookup_light+0xb2/0x160
[ 36.296276]  ? __sys_sendmmsg+0x13c/0x360
[ 36.300408]  ? SyS_sendmsg+0x40/0x40
[ 36.304105]  ? selinux_tun_dev_create+0xb0/0xb0
[ 36.308829]  ? ipv6_setsockopt+0xd2/0x130
[ 36.312966]  ? ipv6_setsockopt+0xa6/0x130
[ 36.317100]  ? udpv6_setsockopt+0x4d/0x80
[ 36.321237]  ? SyS_setsockopt+0x14b/0x210
[ 36.325367]  ? SyS_recv+0x40/0x40
[ 36.328801]  ? up_read+0x17/0x30
[ 36.332154]  ? SyS_sendmmsg+0x2f/0x50
[ 36.335934]  ? __sys_sendmmsg+0x360/0x360
[ 36.340074]  ? do_syscall_64+0x19b/0x4b0
[ 36.344137]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 36.349486] 
[ 36.351095] The buggy address belongs to the page:
[ 36.356023] page:ffffea000741f9c0 count:0 mapcount:0 mapping: (null) index:0x0
[ 36.364147] flags: 0x4000000000000000()
[ 36.368102] raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff
[ 36.375968] raw: 0000000000000000 ffffea000741f9e0 0000000000000000 0000000000000000
[ 36.383834] page dumped because: kasan: bad access detected
[ 36.389529] 
[ 36.391141] Memory state around the buggy address:
[ 36.396056]  ffff8881d07e7580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 36.403397]  ffff8881d07e7600: 00 f1 f1 f1 f1 00 00 00 f2 f2 f2 00 00 00 00 f2
[ 36.410742] >ffff8881d07e7680: f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00
[ 36.418151]                                                  ^
[ 36.424114]  ffff8881d07e7700: 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 00 00 00
[ 36.431456]  ffff8881d07e7780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 36.438797] ==================================================================
[ 36.446136] Disabling lock debugging due to kernel taint
[ 36.451595] Kernel panic - not syncing: panic_on_warn set ...
[ 36.451595] 
[ 36.458954] CPU: 0 PID: 1783 Comm: syz-executor044 Tainted: G B 4.14.91+ #1
[ 36.467162] Call Trace:
[ 36.469735]  dump_stack+0xb9/0x10e
[ 36.473266]  panic+0x1d9/0x3c2
[ 36.476442]  ? add_taint.cold+0x16/0x16
[ 36.480398]  ? retint_kernel+0x2d/0x2d
[ 36.484273]  ? xfrm_state_find+0x2519/0x25a0
[ 36.488662]  kasan_end_report+0x43/0x49
[ 36.492619]  kasan_report.cold+0xa4/0x2a5
[ 36.496755]  ? xfrm_state_find+0x2519/0x25a0
[ 36.501154]  ? xfrm_state_afinfo_get_rcu+0xb0/0xb0
[ 36.506077]  ? depot_save_stack+0x201/0x418
[ 36.510386]  ? lock_downgrade+0x5d0/0x5d0
[ 36.514515]  ? lock_acquire+0x10f/0x380
[ 36.518471]  ? depot_save_stack+0x176/0x418
[ 36.522777]  ? xfrm_tmpl_resolve_one+0x1b5/0x7d0
[ 36.527515]  ? xfrm_expand_policies.constprop.0+0x230/0x230
[ 36.533210]  ? __lock_acquire+0x56a/0x3fa0
[ 36.537431]  ? xfrm_resolve_and_create_bundle+0x20c/0x2460
[ 36.543054]  ? trace_hardirqs_on+0x10/0x10
[ 36.547269]  ? __lock_acquire+0x56a/0x3fa0
[ 36.551487]  ? unwind_next_frame+0xc3f/0x1800
[ 36.555969]  ? deref_stack_reg+0xaa/0xe0
[ 36.560038]  ? xfrm_tmpl_resolve_one+0x7d0/0x7d0
[ 36.564789]  ? xfrm_sk_policy_lookup+0x287/0x390
[ 36.569654]  ? lock_downgrade+0x5d0/0x5d0
[ 36.573788]  ? lock_acquire+0x10f/0x380
[ 36.577745]  ? xfrm_selector_match+0xda0/0xda0
[ 36.582314]  ? check_preemption_disabled+0x35/0x1f0
[ 36.587312]  ? check_preemption_disabled+0x35/0x1f0
[ 36.592321]  ? xfrm_sk_policy_lookup+0x2ae/0x390
[ 36.597065]  ? xfrm_lookup_with_ifid+0x215/0x17d0
[ 36.601889]  ? xfrm_lookup_with_ifid+0x215/0x17d0
[ 36.606714]  ? xfrm_policy_lookup_bytype.constprop.0+0x11c0/0x11c0
[ 36.613034]  ? ip_route_output_key_hash+0x1e3/0x2c0
[ 36.618044]  ? ip_route_output_key_hash_rcu+0x2160/0x2160
[ 36.623567]  ? xfrm_lookup_route+0x36/0x1b0
[ 36.627872]  ? ip_route_output_flow+0x89/0xb0
[ 36.632351]  ? udp_sendmsg+0x13a0/0x1b90
[ 36.636394]  ? ip_reply_glue_bits+0xa0/0xa0
[ 36.640960]  ? udp_v4_get_port+0xf0/0xf0
[ 36.645018]  ? trace_hardirqs_on+0x10/0x10
[ 36.649306]  ? trace_hardirqs_on+0x10/0x10
[ 36.653530]  ? __lock_acquire+0x56a/0x3fa0
[ 36.657747]  ? udpv6_sendmsg+0x12e1/0x25d0
[ 36.661963]  ? trace_hardirqs_on+0x10/0x10
[ 36.666246]  ? udp_v6_flush_pending_frames+0xd0/0xd0
[ 36.671342]  ? reacquire_held_locks+0xb5/0x3f0
[ 36.675909]  ? release_sock+0x1b/0x1b0
[ 36.679845]  ? inet_autobind+0x123/0x180
[ 36.683957]  ? lock_downgrade+0x5d0/0x5d0
[ 36.688164]  ? __local_bh_enable_ip+0x65/0xc0
[ 36.692652]  ? inet_sendmsg+0x14a/0x510
[ 36.696620]  ? udp_v6_flush_pending_frames+0xd0/0xd0
[ 36.701707]  ? inet_sendmsg+0x14a/0x510
[ 36.705662]  ? inet_recvmsg+0x540/0x540
[ 36.709721]  ? sock_sendmsg+0xb7/0x100
[ 36.713604]  ? ___sys_sendmsg+0x368/0x890
[ 36.717734]  ? copy_msghdr_from_user+0x3b0/0x3b0
[ 36.722476]  ? avc_has_perm+0x143/0x350
[ 36.726434]  ? lock_downgrade+0x5d0/0x5d0
[ 36.730564]  ? lock_acquire+0x10f/0x380
[ 36.734519]  ? avc_has_perm+0x9c/0x350
[ 36.738388]  ? check_preemption_disabled+0x35/0x1f0
[ 36.743392]  ? __handle_mm_fault+0xd96/0x2640
[ 36.747868]  ? mem_cgroup_commit_charge+0x184/0x3e0
[ 36.752869]  ? lock_downgrade+0x5d0/0x5d0
[ 36.757018]  ? __fget_light+0x16a/0x1f0
[ 36.760977]  ? sockfd_lookup_light+0xb2/0x160
[ 36.765453]  ? __sys_sendmmsg+0x13c/0x360
[ 36.769579]  ? SyS_sendmsg+0x40/0x40
[ 36.773274]  ? selinux_tun_dev_create+0xb0/0xb0
[ 36.777929]  ? ipv6_setsockopt+0xd2/0x130
[ 36.782066]  ? ipv6_setsockopt+0xa6/0x130
[ 36.786197]  ? udpv6_setsockopt+0x4d/0x80
[ 36.790329]  ? SyS_setsockopt+0x14b/0x210
[ 36.794463]  ? SyS_recv+0x40/0x40
[ 36.797957]  ? up_read+0x17/0x30
[ 36.801315]  ? SyS_sendmmsg+0x2f/0x50
[ 36.805158]  ? __sys_sendmmsg+0x360/0x360
[ 36.809301]  ? do_syscall_64+0x19b/0x4b0
[ 36.813350]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 36.819110] Kernel Offset: 0x1f600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 36.830035] Rebooting in 86400 seconds..
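Added here as a worked example, not part of the syzbot console log, the kernel, or syzkaller: a small Python decoder that redoes the address arithmetic behind the "Memory state around the buggy address" block. One shadow byte covers 8 bytes of kernel memory and each printed row covers 16 shadow bytes (128 bytes), so ffff8881d07e76d0 falls in the row marked with ">" at shadow index (0x76d0 - 0x7680) / 8 = 10, whose value 0xf2 is KASAN_STACK_MID: the 4-byte read lands in the redzone between two stack objects, immediately past a 56-byte addressable run that starts at ffff8881d07e7698 (the f1 and f3 bytes in the neighbouring rows are the left and right redzones of the same frame). The poison constants are those of mm/kasan/kasan.h in the 4.14 kernel that produced this report; the regexes, function names and the walk-back heuristic for the preceding object are my own.

```python
"""Decode the shadow block of a KASAN report (added example, not kernel or
syzkaller code): redo KASAN's address arithmetic to see which shadow byte the
faulting read hit, what it means, and how big the object before it is."""
import re

SHADOW_SCALE = 8           # one shadow byte covers 8 bytes of kernel memory
SHADOW_BYTES_PER_ROW = 16  # a "Memory state" row shows 16 shadow bytes (128 B)

# Poison values from mm/kasan/kasan.h in the 4.14 kernel that produced the log.
POISON = {0xF1: "stack left redzone", 0xF2: "stack mid redzone",
          0xF3: "stack right redzone", 0xF4: "stack partial redzone",
          0xF8: "stack use-after-scope", 0xFA: "global redzone",
          0xFB: "freed kmalloc object", 0xFC: "kmalloc redzone",
          0xFE: "kmalloc_large page redzone", 0xFF: "freed page"}

# Sample input: header and "Memory state" rows copied from the report above.
REPORT = """\
[ 35.980684] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x2519/0x25a0
[ 35.987854] Read of size 4 at addr ffff8881d07e76d0 by task syz-executor044/1783
[ 36.396056]  ffff8881d07e7580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 36.403397]  ffff8881d07e7600: 00 f1 f1 f1 f1 00 00 00 f2 f2 f2 00 00 00 00 f2
[ 36.410742] >ffff8881d07e7680: f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00
[ 36.418151]                                                  ^
[ 36.424114]  ffff8881d07e7700: 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 00 00 00
[ 36.431456]  ffff8881d07e7780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

TS = r"(?:\[\s*\d+\.\d+\]\s*)?"  # optional console timestamp prefix
HEADER_RE = re.compile(TS + r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>\S+)")
ACCESS_RE = re.compile(TS + r"(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
ROW_RE = re.compile(TS + r">?\s*(?P<base>[0-9a-f]{16}):\s+"
                    r"(?P<bytes>(?:[0-9a-f]{2}\s+){15}[0-9a-f]{2})\s*$")


def parse_report(text):
    """Header fields plus {row_base: [16 shadow bytes]} for the printed rows."""
    header, access = HEADER_RE.search(text), ACCESS_RE.search(text)
    if not header or not access:
        raise ValueError("not a KASAN report")
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)  # the caret line and prose lines do not match
        if m:
            rows[int(m["base"], 16)] = [int(b, 16) for b in m["bytes"].split()]
    return {"bug": header["bug"], "func": header["func"], "op": access["op"],
            "size": int(access["size"]), "addr": int(access["addr"], 16),
            "task": access["task"], "rows": rows}


def shadow_for(rows, addr):
    """Shadow byte for addr: select the 128-byte row, then the 8-byte granule."""
    row = addr - addr % (SHADOW_SCALE * SHADOW_BYTES_PER_ROW)
    if row not in rows:
        raise KeyError(f"report printed no shadow row for {addr:#x}")
    return rows[row][(addr - row) // SHADOW_SCALE]


def describe(shadow):
    """0 = all 8 bytes addressable, 1..7 = only the first k bytes, else poison."""
    if shadow == 0:
        return "addressable"
    if shadow < SHADOW_SCALE:
        return f"first {shadow} bytes addressable"
    return POISON.get(shadow, f"unknown poison {shadow:#04x}")


def bad_bytes(report):
    """(address, shadow) for each byte of the access that the shadow marks
    invalid; a partial granule (shadow k in 1..7) is valid in its first k bytes."""
    bad = []
    for b in range(report["addr"], report["addr"] + report["size"]):
        g = b - b % SHADOW_SCALE
        sv = shadow_for(report["rows"], g)
        if sv and not (sv < SHADOW_SCALE and b - g < sv):
            bad.append((b, sv))
    return bad


def preceding_object(rows, addr):
    """[start, end) of the addressable run ending at the poisoned granule that
    holds addr, i.e. the stack object the access ran off the end of."""
    end = start = addr - addr % SHADOW_SCALE
    while True:
        try:
            if shadow_for(rows, start - SHADOW_SCALE) != 0:
                break
        except KeyError:  # walked off the rows the report printed
            break
        start -= SHADOW_SCALE
    return start, end


def triage(text):
    """Everything a first-pass triage wants from the report, in one dict."""
    r = parse_report(text)
    start, end = preceding_object(r["rows"], r["addr"])
    return {**r, "bad": bad_bytes(r), "object": (start, end),
            "object_size": end - start,
            "meaning": describe(shadow_for(r["rows"], r["addr"]))}


if __name__ == "__main__":
    t = triage(REPORT)
    print(f"{t['bug']} in {t['func']}: {t['op']} of {t['size']} at {t['addr']:#x}")
    print(f"shadow: {t['meaning']}, {len(t['bad'])}/{t['size']} bytes poisoned, "
          f"object before redzone {t['object'][0]:#x}-{t['object'][1]:#x} "
          f"({t['object_size']} bytes)")
```

The same decoder runs unchanged on the heap and global variants of a KASAN report, since only the poison table differs; the stack-specific part is reading f1/f2/f3 as frame layout. The walk-back in preceding_object is a heuristic: KASAN does not record object boundaries for stack frames, so the 56-byte figure is the addressable stretch the shadow shows, not a symbol from the compiler.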