[   30.662118] audit: type=1800 audit(1566015240.598:33): pid=6782 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[   30.690548] audit: type=1800 audit(1566015240.598:34): pid=6782 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
[   31.600368] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   31.969644] audit: type=1400 audit(1566015241.898:35): avc:  denied  { map } for  pid=6955 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   32.050713] random: sshd: uninitialized urandom read (32 bytes read)
[   32.645055] random: sshd: uninitialized urandom read (32 bytes read)
[   36.175010] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.180' (ECDSA) to the list of known hosts.
[   41.767160] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   41.898943] audit: type=1400 audit(1566015251.828:36): avc:  denied  { map } for  pid=6968 comm="syz-executor346" path="/root/syz-executor346662995" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   41.927103] ==================================================================
[   41.934739] BUG: KASAN: slab-out-of-bounds in bpf_clone_redirect+0x2de/0x2f0
[   41.941916] Read of size 8 at addr ffff888099f56ad0 by task syz-executor346/6968
[   41.949620] 
[   41.951422] CPU: 1 PID: 6968 Comm: syz-executor346 Not tainted 4.14.139 #35
[   41.958589] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   41.967979] Call Trace:
[   41.970568]  dump_stack+0x138/0x19c
[   41.974183]  ? bpf_clone_redirect+0x2de/0x2f0
[   41.978854]  print_address_description.cold+0x7c/0x1dc
[   41.984126]  ? bpf_clone_redirect+0x2de/0x2f0
[   41.988831]  kasan_report.cold+0xa9/0x2af
[   41.992972]  __asan_report_load8_noabort+0x14/0x20
[   41.997891]  bpf_clone_redirect+0x2de/0x2f0
[   42.002201]  ? bpf_prog_test_run_skb+0x157/0x9a0
[   42.006939]  ? SyS_bpf+0x749/0x38f3
[   42.010575]  bpf_prog_71e1d56bce5f38ff+0x63d/0x1000
[   42.015935]  ? trace_hardirqs_on+0x10/0x10
[   42.020166]  ? trace_hardirqs_on+0x10/0x10
[   42.024397]  ? bpf_test_run+0x44/0x330
[   42.028296]  ? find_held_lock+0x35/0x130
[   42.032342]  ? bpf_test_run+0x44/0x330
[   42.036341]  ? lock_acquire+0x16f/0x430
[   42.040315]  ? check_preemption_disabled+0x3c/0x250
[   42.045321]  ? bpf_test_run+0xa8/0x330
[   42.049196]  ? bpf_prog_test_run_skb+0x6c2/0x9a0
[   42.053940]  ? bpf_test_init.isra.0+0xe0/0xe0
[   42.058422]  ? __bpf_prog_get+0x153/0x1a0
[   42.062559]  ? SyS_bpf+0x749/0x38f3
[   42.066197]  ? __do_page_fault+0x4e9/0xb80
[   42.070423]  ? bpf_test_init.isra.0+0xe0/0xe0
[   42.074988]  ? bpf_prog_get+0x20/0x20
[   42.078805]  ? lock_downgrade+0x6e0/0x6e0
[   42.082947]  ? up_read+0x1a/0x40
[   42.086312]  ? __do_page_fault+0x358/0xb80
[   42.090634]  ? bpf_prog_get+0x20/0x20
[   42.094494]  ? do_syscall_64+0x1e8/0x640
[   42.098542]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   42.103404]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   42.108760] 
[   42.110409] Allocated by task 0:
[   42.113761] (stack is not available)
[   42.118214] 
[   42.119825] Freed by task 0:
[   42.123115] (stack is not available)
[   42.126957] 
[   42.128578] The buggy address belongs to the object at ffff888099f56a40
[   42.128578]  which belongs to the cache skbuff_head_cache of size 232
[   42.141853] The buggy address is located 144 bytes inside of
[   42.141853]  232-byte region [ffff888099f56a40, ffff888099f56b28)
[   42.153838] The buggy address belongs to the page:
[   42.159529] page:ffffea000267d580 count:1 mapcount:0 mapping:ffff888099f56040 index:0x0
[   42.167783] flags: 0x1fffc0000000100(slab)
[   42.172621] raw: 01fffc0000000100 ffff888099f56040 0000000000000000 000000010000000c
[   42.180500] raw: ffffea000282d920 ffff8880a9e63648 ffff88821b75f240 0000000000000000
[   42.188383] page dumped because: kasan: bad access detected
[   42.194078] 
[   42.195687] Memory state around the buggy address:
[   42.200638]  ffff888099f56980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   42.214820]  ffff888099f56a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   42.222354] >ffff888099f56a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   42.229712]                                                  ^
[   42.235672]  ffff888099f56b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   42.243446]  ffff888099f56b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   42.251065] ==================================================================
[   42.258503] Disabling lock debugging due to kernel taint
[   42.264248] Kernel panic - not syncing: panic_on_warn set ...
[   42.264248] 
[   42.271676] CPU: 1 PID: 6968 Comm: syz-executor346 Tainted: G    B   4.14.139 #35
[   42.279998] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   42.289347] Call Trace:
[   42.292024]  dump_stack+0x138/0x19c
[   42.295646]  ? bpf_clone_redirect+0x2de/0x2f0
[   42.300132]  panic+0x1f2/0x426
[   42.303331]  ? add_taint.cold+0x16/0x16
[   42.307317]  kasan_end_report+0x47/0x4f
[   42.311957]  kasan_report.cold+0x130/0x2af
[   42.316377]  __asan_report_load8_noabort+0x14/0x20
[   42.321681]  bpf_clone_redirect+0x2de/0x2f0
[   42.326007]  ? bpf_prog_test_run_skb+0x157/0x9a0
[   42.330768]  ? SyS_bpf+0x749/0x38f3
[   42.334385]  bpf_prog_71e1d56bce5f38ff+0x63d/0x1000
[   42.339498]  ? trace_hardirqs_on+0x10/0x10
[   42.343981]  ? trace_hardirqs_on+0x10/0x10
[   42.348309]  ? bpf_test_run+0x44/0x330
[   42.352449]  ? find_held_lock+0x35/0x130
[   42.356858]  ? bpf_test_run+0x44/0x330
[   42.361160]  ? lock_acquire+0x16f/0x430
[   42.365144]  ? check_preemption_disabled+0x3c/0x250
[   42.370285]  ? bpf_test_run+0xa8/0x330
[   42.374244]  ? bpf_prog_test_run_skb+0x6c2/0x9a0
[   42.379609]  ? bpf_test_init.isra.0+0xe0/0xe0
[   42.384120]  ? __bpf_prog_get+0x153/0x1a0
[   42.388751]  ? SyS_bpf+0x749/0x38f3
[   42.392677]  ? __do_page_fault+0x4e9/0xb80
[   42.397232]  ? bpf_test_init.isra.0+0xe0/0xe0
[   42.402019]  ? bpf_prog_get+0x20/0x20
[   42.405828]  ? lock_downgrade+0x6e0/0x6e0
[   42.410433]  ? up_read+0x1a/0x40
[   42.414014]  ? __do_page_fault+0x358/0xb80
[   42.418310]  ? bpf_prog_get+0x20/0x20
[   42.422107]  ? do_syscall_64+0x1e8/0x640
[   42.426583]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   42.431696]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   42.438752] Kernel Offset: disabled
[   42.442513] Rebooting in 86400 seconds..
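Triage note, added here as an example and not part of the syzkaller console log above: the report is only useful once its fields are pulled out of the noise (audit and sshd chatter, the unreliable "? " frames, the duplicated panic backtrace). The script below parses the first KASAN report in a console log into the pieces a triager wants: bug class, faulting function, access kind and size, the slab cache and the offset of the access inside the object, the reliable call-trace frames (those without the "? " marker), whether a JIT-compiled BPF program (symbol prefix bpf_prog_) is on the stack, and whether panic_on_warn fired. The sample log is a trimmed copy of the report lines above; the regexes, field names and helper functions are mine, not syzbot's or the kernel's. It also cross-checks the access offset against the object size: here KASAN's own text says the read lands 144 bytes into a 232-byte skbuff_head_cache object, which is inside the region, so the out-of-bounds tag deserves a second look against the shadow bytes rather than being taken at face value.

```python
"""Parse a KASAN report out of a kernel console log (added triage example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the report lines from the console log above, with the
# audit/sshd noise dropped and most of the unreliable "?" frames trimmed.
SAMPLE_LOG = """\
[   41.767160] random: sshd: uninitialized urandom read (32 bytes read)
[   41.927103] ==================================================================
[   41.934739] BUG: KASAN: slab-out-of-bounds in bpf_clone_redirect+0x2de/0x2f0
[   41.941916] Read of size 8 at addr ffff888099f56ad0 by task syz-executor346/6968
[   41.949620]
[   41.951422] CPU: 1 PID: 6968 Comm: syz-executor346 Not tainted 4.14.139 #35
[   41.958589] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   41.967979] Call Trace:
[   41.970568]  dump_stack+0x138/0x19c
[   41.974183]  ? bpf_clone_redirect+0x2de/0x2f0
[   41.978854]  print_address_description.cold+0x7c/0x1dc
[   41.984126]  ? bpf_clone_redirect+0x2de/0x2f0
[   41.988831]  kasan_report.cold+0xa9/0x2af
[   41.992972]  __asan_report_load8_noabort+0x14/0x20
[   41.997891]  bpf_clone_redirect+0x2de/0x2f0
[   42.002201]  ? bpf_prog_test_run_skb+0x157/0x9a0
[   42.006939]  ? SyS_bpf+0x749/0x38f3
[   42.010575]  bpf_prog_71e1d56bce5f38ff+0x63d/0x1000
[   42.024397]  ? bpf_test_run+0x44/0x330
[   42.094494]  ? do_syscall_64+0x1e8/0x640
[   42.103404]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   42.108760]
[   42.110409] Allocated by task 0:
[   42.113761] (stack is not available)
[   42.119825] Freed by task 0:
[   42.123115] (stack is not available)
[   42.128578] The buggy address belongs to the object at ffff888099f56a40
[   42.128578]  which belongs to the cache skbuff_head_cache of size 232
[   42.141853] The buggy address is located 144 bytes inside of
[   42.141853]  232-byte region [ffff888099f56a40, ffff888099f56b28)
[   42.251065] ==================================================================
[   42.258503] Disabling lock debugging due to kernel taint
[   42.264248] Kernel panic - not syncing: panic_on_warn set ...
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")                      # "[   41.934739] " prefix
BUG_RE = re.compile(r"BUG: KASAN: (?P<type>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_RE = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                       r" by task (?P<task>\S+)/(?P<pid>\d+)")
CPU_RE = re.compile(r"CPU: \d+ PID: \d+ Comm: \S+ (?:Not tainted|Tainted: [^\d]*)\s*(?P<ver>\d\S*)")
OBJ_RE = re.compile(r"belongs to the object at (?P<start>[0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
FRAME_RE = re.compile(r"^(?P<q>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")

# Frames that KASAN's own reporting path pushes above the faulting function.
REPORTING_FRAMES = ("dump_stack", "print_address_description", "kasan_report",
                    "__asan_report_", "__kasan_report", "kasan_check_")


@dataclass
class KasanReport:
    bug_type: str = ""
    function: str = ""
    access: str = ""            # "Read" or "Write"
    size: int = 0
    addr: int = 0
    task: str = ""
    pid: int = 0
    kernel: str = ""
    cache: Optional[str] = None
    obj_start: Optional[int] = None
    obj_size: Optional[int] = None
    reliable_frames: List[str] = field(default_factory=list)   # frames without "? "
    panic: bool = False

    @property
    def offset(self) -> Optional[int]:
        """Byte offset of the access inside the slab object, if the report names one."""
        return None if self.obj_start is None else self.addr - self.obj_start

    @property
    def inside_object(self) -> Optional[bool]:
        """Cross-check: does the access land inside [obj_start, obj_start + obj_size)?"""
        if self.offset is None or self.obj_size is None:
            return None
        return 0 <= self.offset < self.obj_size

    @property
    def culprit(self) -> Optional[str]:
        """First reliable frame below KASAN's own reporting frames."""
        return next((s for s in self.reliable_frames if not s.startswith(REPORTING_FRAMES)), None)

    @property
    def from_bpf_program(self) -> bool:
        """True when a JIT-compiled BPF program (bpf_prog_<hash>) is on the reliable stack."""
        return any(s.startswith("bpf_prog_") for s in self.reliable_frames)


def parse_kasan_report(log: str) -> Optional[KasanReport]:
    """Extract the first KASAN report from a console log; None if there is none."""
    rep, in_trace = None, False
    for raw in log.splitlines():
        line = TS_RE.sub("", raw).strip()
        if rep is None:
            m = BUG_RE.search(line)
            if m:
                rep = KasanReport(bug_type=m["type"], function=m["func"])
            continue
        if in_trace:
            f = FRAME_RE.match(line)
            if f:
                if not f["q"]:                  # "? sym" frames are unreliable guesses
                    rep.reliable_frames.append(f["sym"])
                continue
            in_trace = False                    # blank line or next section ends the trace
        if line == "Call Trace:":
            in_trace = True
        elif (m := ACCESS_RE.search(line)):
            rep.access, rep.size = m["rw"], int(m["size"])
            rep.addr, rep.task, rep.pid = int(m["addr"], 16), m["task"], int(m["pid"])
        elif (m := CPU_RE.search(line)) and not rep.kernel:
            rep.kernel = m["ver"]
        elif (m := OBJ_RE.search(line)):
            rep.obj_start = int(m["start"], 16)
        elif (m := CACHE_RE.search(line)):
            rep.cache, rep.obj_size = m["cache"], int(m["size"])
        elif line.startswith("Kernel panic - not syncing"):
            rep.panic = True
            break
    return rep


def summarize(rep: KasanReport) -> str:
    """One-line triage summary of a parsed report."""
    loc = f" at +{rep.offset} in {rep.obj_size}-byte {rep.cache} object" if rep.cache else ""
    return (f"KASAN {rep.bug_type}: {rep.access.lower()} of {rep.size} bytes in "
            f"{rep.culprit or rep.function}{loc}; task {rep.task}/{rep.pid}, kernel {rep.kernel}"
            + (", reached via a BPF program" if rep.from_bpf_program else "")
            + (", panic_on_warn fired" if rep.panic else ""))


if __name__ == "__main__":
    print(summarize(parse_kasan_report(SAMPLE_LOG)))
```

Run against the sample it prints one line naming bpf_clone_redirect as the culprit, offset 144 inside the 232-byte skbuff_head_cache object, the bpf_prog_ frame showing the access came out of a loaded BPF program, and the panic_on_warn flag that explains the second backtrace and the reboot at the end of the log.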