[....] Starting enhanced syslogd: rsyslogd[ 13.601472] audit: type=1400 audit(1571017990.623:4): avc: denied { syslog } for pid=1916 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.10.25' (ECDSA) to the list of known hosts. executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program syzkaller login: [ 32.620062] ================================================================== [ 32.627464] BUG: KASAN: use-after-free in ip6t_do_table+0x1545/0x1860 [ 32.634034] Read of size 8 at addr ffff8800b4d80000 by task syz-executor296/2977 [ 32.641551] [ 32.643169] CPU: 0 PID: 2977 Comm: syz-executor296 Not tainted 4.4.174+ #4 [ 32.650170] 0000000000000000 2b8de0e1c638dde3 ffff8800b40a70a8 ffffffff81aad1a1 [ 32.658218] 0000000000000000 ffffea0002d36000 ffff8800b4d80000 0000000000000008 [ 32.666255] dffffc0000000000 ffff8800b40a70e0 ffffffff81490120 0000000000000000 [ 32.674305] Call Trace: [ 32.676884] [] dump_stack+0xc1/0x120 [ 32.682241] [] print_address_description+0x6f/0x21b [ 32.688900] [] kasan_report.cold+0x8c/0x2be [ 32.694871] [] ? ip6t_do_table+0x1545/0x1860 [ 32.700923] [] __asan_report_load8_noabort+0x14/0x20 [ 32.707670] [] ip6t_do_table+0x1545/0x1860 [ 32.713543] [] ? mark_held_locks+0xb1/0x100 [ 32.719504] [] ? nf_conntrack_in+0x13ef/0x1c20 [ 32.725725] [] ? __nf_ct_refresh_acct+0x1d2/0x280 [ 32.732212] [] ? ip6t_alloc_initial_table+0x680/0x680 [ 32.739046] [] ? trace_hardirqs_on+0x10/0x10 [ 32.745100] [] ip6table_mangle_hook+0x2d6/0x710 [ 32.751411] [] nf_iterate+0x186/0x220 [ 32.756858] [] nf_hook_slow+0x1b6/0x340 [ 32.762476] [] ? nf_iterate+0x220/0x220 [ 32.768085] [] ? nf_iterate+0x220/0x220 [ 32.773686] [] ? memset+0x32/0x40 [ 32.778765] [] __ip6_local_out+0x309/0x4b0 [ 32.784622] [] ? ip6_find_1stfragopt+0x260/0x260 [ 32.790999] [] ? icmpv6_send+0x1b0/0x1b0 [ 32.796686] [] ? ip6_output+0x520/0x520 [ 32.802283] [] ? __ip6_append_data.isra.0+0xc73/0x33f0 [ 32.809187] [] ip6_local_out+0x29/0x180 [ 32.814783] [] ip6_send_skb+0xa2/0x340 [ 32.820295] [] ? csum_ipv6_magic+0x2b/0x80 [ 32.826156] [] udp_v6_send_skb+0x438/0xe90 [ 32.832016] [] udp_v6_push_pending_frames+0x245/0x360 [ 32.838892] [] ? udp_v6_send_skb+0xe90/0xe90 [ 32.844926] [] ? mark_held_locks+0xb1/0x100 [ 32.850878] [] ? ip_reply_glue_bits+0xc0/0xc0 [ 32.856996] [] udpv6_sendmsg+0x1a37/0x24f0 [ 32.862971] [] ? ip_reply_glue_bits+0xc0/0xc0 [ 32.869182] [] ? udp_v6_flush_pending_frames+0xe0/0xe0 [ 32.876085] [] ? sock_has_perm+0x2a8/0x400 [ 32.881979] [] ? sock_has_perm+0xa6/0x400 [ 32.887753] [] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0 [ 32.895275] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 32.902003] [] ? check_preemption_disabled+0x3c/0x200 [ 32.908815] [] ? check_preemption_disabled+0x3c/0x200 [ 32.915642] [] ? inet_sendmsg+0x143/0x4d0 [ 32.921427] [] inet_sendmsg+0x202/0x4d0 [ 32.927037] [] ? inet_sendmsg+0x76/0x4d0 [ 32.932720] [] ? inet_recvmsg+0x4d0/0x4d0 [ 32.938493] [] sock_sendmsg+0xbe/0x110 [ 32.944005] [] ___sys_sendmsg+0x369/0x890 [ 32.949793] [] ? copy_msghdr_from_user+0x550/0x550 [ 32.956434] [] ? rcu_read_lock_sched_held+0x10b/0x130 [ 32.963248] [] ? __alloc_pages_nodemask+0x3fb/0x14b0 [ 32.969984] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 32.976719] [] ? check_preemption_disabled+0x3c/0x200 [ 32.983539] [] ? check_preemption_disabled+0x3c/0x200 [ 32.990358] [] ? __fget+0x13b/0x370 [ 32.995614] [] ? __fget+0x162/0x370 [ 33.000903] [] ? __fget+0x47/0x370 [ 33.006071] [] ? __fget_light+0xa3/0x1f0 [ 33.011765] [] ? __fdget+0x1b/0x20 [ 33.016929] [] __sys_sendmmsg+0x130/0x2e0 [ 33.022707] [] ? SyS_sendmsg+0x50/0x50 [ 33.028227] [] ? handle_mm_fault+0x98d/0x3140 [ 33.034358] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 33.041091] [] ? __do_page_fault+0x2b3/0x7f0 [ 33.047128] [] ? retint_user+0x18/0x3c [ 33.052643] [] ? trace_hardirqs_on_caller+0x385/0x5a0 [ 33.059474] [] SyS_sendmmsg+0x35/0x60 [ 33.064902] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 33.071452] [ 33.073056] The buggy address belongs to the page: [ 33.077959] page:ffffea0002d36000 count:0 mapcount:-127 mapping: (null) index:0x0 [ 33.086332] flags: 0x0() [ 33.089095] page dumped because: kasan: bad access detected [ 33.094775] [ 33.096374] Memory state around the buggy address: [ 33.101315] ffff8800b4d7ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 33.108646] ffff8800b4d7ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 33.115980] >ffff8800b4d80000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 33.123312] ^ [ 33.126654] ffff8800b4d80080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 33.133986] ffff8800b4d80100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 33.141317] ================================================================== [ 33.148665] Disabling lock debugging due to kernel taint [ 33.154132] Kernel panic - not syncing: panic_on_warn set ... [ 33.154132] [ 33.161483] CPU: 0 PID: 2977 Comm: syz-executor296 Tainted: G B 4.4.174+ #4 [ 33.169725] 0000000000000000 2b8de0e1c638dde3 ffff8800b40a6fe8 ffffffff81aad1a1 [ 33.177761] ffff8800b40a70f8 ffffffff82c5cf1b ffff8800b4d80000 0000000000000008 [ 33.185764] dffffc0000000000 ffff8800b40a70c8 ffffffff813a48c2 0000000041b58ab3 [ 33.193757] Call Trace: [ 33.196324] [] dump_stack+0xc1/0x120 [ 33.201669] [] panic+0x1b9/0x37b [ 33.206664] [] ? add_taint.cold+0x16/0x16 [ 33.212479] [] kasan_end_report+0x47/0x4f [ 33.218253] [] kasan_report.cold+0xa9/0x2be [ 33.224214] [] ? ip6t_do_table+0x1545/0x1860 [ 33.230243] [] __asan_report_load8_noabort+0x14/0x20 [ 33.236973] [] ip6t_do_table+0x1545/0x1860 [ 33.242840] [] ? mark_held_locks+0xb1/0x100 [ 33.248785] [] ? nf_conntrack_in+0x13ef/0x1c20 [ 33.255023] [] ? __nf_ct_refresh_acct+0x1d2/0x280 [ 33.261490] [] ? ip6t_alloc_initial_table+0x680/0x680 [ 33.268302] [] ? trace_hardirqs_on+0x10/0x10 [ 33.274334] [] ip6table_mangle_hook+0x2d6/0x710 [ 33.280628] [] nf_iterate+0x186/0x220 [ 33.286062] [] nf_hook_slow+0x1b6/0x340 [ 33.291660] [] ? nf_iterate+0x220/0x220 [ 33.297269] [] ? nf_iterate+0x220/0x220 [ 33.302866] [] ? memset+0x32/0x40 [ 33.307956] [] __ip6_local_out+0x309/0x4b0 [ 33.313825] [] ? ip6_find_1stfragopt+0x260/0x260 [ 33.320205] [] ? icmpv6_send+0x1b0/0x1b0 [ 33.325897] [] ? ip6_output+0x520/0x520 [ 33.331504] [] ? __ip6_append_data.isra.0+0xc73/0x33f0 [ 33.338411] [] ip6_local_out+0x29/0x180 [ 33.344009] [] ip6_send_skb+0xa2/0x340 [ 33.349524] [] ? csum_ipv6_magic+0x2b/0x80 [ 33.355381] [] udp_v6_send_skb+0x438/0xe90 [ 33.361240] [] udp_v6_push_pending_frames+0x245/0x360 [ 33.368056] [] ? udp_v6_send_skb+0xe90/0xe90 [ 33.374093] [] ? mark_held_locks+0xb1/0x100 [ 33.380050] [] ? ip_reply_glue_bits+0xc0/0xc0 [ 33.386167] [] udpv6_sendmsg+0x1a37/0x24f0 [ 33.392023] [] ? ip_reply_glue_bits+0xc0/0xc0 [ 33.398143] [] ? udp_v6_flush_pending_frames+0xe0/0xe0 [ 33.405047] [] ? sock_has_perm+0x2a8/0x400 [ 33.410903] [] ? sock_has_perm+0xa6/0x400 [ 33.416679] [] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0 [ 33.424197] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 33.430923] [] ? check_preemption_disabled+0x3c/0x200 [ 33.437737] [] ? check_preemption_disabled+0x3c/0x200 [ 33.444551] [] ? inet_sendmsg+0x143/0x4d0 [ 33.450338] [] inet_sendmsg+0x202/0x4d0 [ 33.455935] [] ? inet_sendmsg+0x76/0x4d0 [ 33.461630] [] ? inet_recvmsg+0x4d0/0x4d0 [ 33.467410] [] sock_sendmsg+0xbe/0x110 [ 33.472925] [] ___sys_sendmsg+0x369/0x890 [ 33.478703] [] ? copy_msghdr_from_user+0x550/0x550 [ 33.485265] [] ? rcu_read_lock_sched_held+0x10b/0x130 [ 33.492079] [] ? __alloc_pages_nodemask+0x3fb/0x14b0 [ 33.498913] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 33.505657] [] ? check_preemption_disabled+0x3c/0x200 [ 33.512471] [] ? check_preemption_disabled+0x3c/0x200 [ 33.519285] [] ? __fget+0x13b/0x370 [ 33.524534] [] ? __fget+0x162/0x370 [ 33.529791] [] ? __fget+0x47/0x370 [ 33.534954] [] ? __fget_light+0xa3/0x1f0 [ 33.540640] [] ? __fdget+0x1b/0x20 [ 33.545806] [] __sys_sendmmsg+0x130/0x2e0 [ 33.551579] [] ? SyS_sendmsg+0x50/0x50 [ 33.557092] [] ? handle_mm_fault+0x98d/0x3140 [ 33.563212] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 33.569952] [] ? __do_page_fault+0x2b3/0x7f0 [ 33.575985] [] ? retint_user+0x18/0x3c [ 33.581497] [] ? trace_hardirqs_on_caller+0x385/0x5a0 [ 33.588310] [] SyS_sendmmsg+0x35/0x60 [ 33.593732] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 33.600833] Kernel Offset: disabled [ 33.604439] Rebooting in 86400 seconds..