[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[   22.842643] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   25.025534] random: sshd: uninitialized urandom read (32 bytes read)
[   25.341244] random: sshd: uninitialized urandom read (32 bytes read)
[   25.868428] random: sshd: uninitialized urandom read (32 bytes read)
[  107.431502] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.62' (ECDSA) to the list of known hosts.
[  113.036133] random: sshd: uninitialized urandom read (32 bytes read)
2018/08/19 04:48:09 parsed 1 programs
[  114.152113] random: cc1: uninitialized urandom read (8 bytes read)
2018/08/19 04:48:10 executed programs: 0
[  115.175493] IPVS: ftp: loaded support on port[0] = 21
[  115.385587] bridge0: port 1(bridge_slave_0) entered blocking state
[  115.392152] bridge0: port 1(bridge_slave_0) entered disabled state
[  115.399793] device bridge_slave_0 entered promiscuous mode
[  115.416442] bridge0: port 2(bridge_slave_1) entered blocking state
[  115.422927] bridge0: port 2(bridge_slave_1) entered disabled state
[  115.430185] device bridge_slave_1 entered promiscuous mode
[  115.446792] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[  115.463945] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[  115.507801] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  115.526202] bond0: Enslaving bond_slave_1 as an active interface with an up link
[  115.592351] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[  115.600095] team0: Port device team_slave_0 added
[  115.615594] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[  115.622766] team0: Port device team_slave_1 added
[  115.638537] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  115.654886] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  115.671151] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[  115.685938] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[  115.810752] bridge0: port 2(bridge_slave_1) entered blocking state
[  115.817353] bridge0: port 2(bridge_slave_1) entered forwarding state
[  115.824443] bridge0: port 1(bridge_slave_0) entered blocking state
[  115.830876] bridge0: port 1(bridge_slave_0) entered forwarding state
[  116.276976] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[  116.283186] 8021q: adding VLAN 0 to HW filter on device bond0
[  116.326746] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[  116.337134] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[  116.381612] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[  116.387844] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[  116.395721] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  116.436229] 8021q: adding VLAN 0 to HW filter on device team0
2018/08/19 04:48:15 executed programs: 223
[  121.212993] ==================================================================
[  121.220526] BUG: KASAN: use-after-free in tipc_group_fill_sock_diag+0x7b9/0x84b
[  121.227980] Read of size 4 at addr ffff8801b2674c5c by task syz-executor0/5812
[  121.235333] 
[  121.236967] CPU: 1 PID: 5812 Comm: syz-executor0 Not tainted 4.18.0+ #189
[  121.243890] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  121.253265] Call Trace:
[  121.255872]  dump_stack+0x1c9/0x2b4
[  121.259521]  ? dump_stack_print_info.cold.2+0x52/0x52
[  121.264715]  ? printk+0xa7/0xcf
[  121.268002]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[  121.272776]  ? tipc_group_fill_sock_diag+0x7b9/0x84b
[  121.277906]  print_address_description+0x6c/0x20b
[  121.282756]  ? tipc_group_fill_sock_diag+0x7b9/0x84b
[  121.287875]  kasan_report.cold.7+0x242/0x2fe
[  121.292301]  __asan_report_load4_noabort+0x14/0x20
[  121.297241]  tipc_group_fill_sock_diag+0x7b9/0x84b
[  121.302208]  ? tipc_group_member_evt+0xe30/0xe30
[  121.306972]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  121.311995]  ? skb_put+0x17b/0x1e0
[  121.315538]  ? memset+0x31/0x40
[  121.318825]  ? memcpy+0x45/0x50
[  121.322110]  ? __nla_put+0x37/0x40
[  121.325655]  ? nla_put+0x11a/0x150
[  121.329205]  tipc_sk_fill_sock_diag+0x9f8/0xdb0
[  121.333882]  ? tipc_diag_dump+0x30/0x30
[  121.337867]  ? tipc_getname+0x7f0/0x7f0
[  121.341846]  ? save_stack+0xa9/0xd0
[  121.345480]  ? graph_lock+0x170/0x170
[  121.349286]  ? graph_lock+0x170/0x170
[  121.353094]  ? __netlink_dump_start+0x4f1/0x6f0
[  121.357773]  ? sock_diag_rcv_msg+0x31d/0x410
[  121.362186]  ? netlink_rcv_skb+0x172/0x440
[  121.366423]  ? sock_diag_rcv+0x2a/0x40
[  121.370312]  ? netlink_unicast+0x5a0/0x760
[  121.374552]  ? netlink_sendmsg+0xa18/0xfc0
[  121.378788]  ? sock_sendmsg+0xd5/0x120
[  121.382678]  ? ___sys_sendmsg+0x7fd/0x930
[  121.386838]  ? __x64_sys_sendmsg+0x78/0xb0
[  121.391078]  ? do_syscall_64+0x1b9/0x820
[  121.395143]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  121.400511]  ? print_usage_bug+0xc0/0xc0
[  121.404581]  ? find_held_lock+0x36/0x1c0
[  121.408661]  ? lock_acquire+0x1e4/0x540
[  121.412638]  ? tipc_nl_sk_walk+0x60a/0xd30
[  121.416875]  ? lock_downgrade+0x8f0/0x8f0
[  121.421038]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  121.426064]  ? skb_put+0x17b/0x1e0
[  121.429614]  ? __nlmsg_put+0x14c/0x1b0
[  121.433514]  __tipc_add_sock_diag+0x22f/0x360
[  121.438019]  tipc_nl_sk_walk+0x68d/0xd30
[  121.442093]  ? tipc_sock_diag_handler_dump+0x340/0x340
[  121.447377]  ? __tipc_nl_add_sk+0x400/0x400
[  121.451708]  ? skb_scrub_packet+0x490/0x490
[  121.456048]  ? kasan_check_write+0x14/0x20
[  121.460297]  ? lock_downgrade+0x8f0/0x8f0
[  121.464477]  tipc_diag_dump+0x24/0x30
[  121.468287]  netlink_dump+0x519/0xd50
[  121.472112]  ? netlink_broadcast+0x50/0x50
[  121.476361]  __netlink_dump_start+0x4f1/0x6f0
[  121.480860]  ? kasan_check_read+0x11/0x20
[  121.485017]  tipc_sock_diag_handler_dump+0x234/0x340
[  121.490125]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[  121.494798]  ? tipc_unregister_sysctl+0x20/0x20
[  121.499474]  ? netlink_deliver_tap+0x356/0xfb0
[  121.504073]  sock_diag_rcv_msg+0x31d/0x410
[  121.508316]  netlink_rcv_skb+0x172/0x440
[  121.512383]  ? sock_diag_bind+0x80/0x80
[  121.516368]  ? netlink_ack+0xbe0/0xbe0
[  121.520266]  ? rcu_cleanup_dead_rnp+0x200/0x200
[  121.524959]  sock_diag_rcv+0x2a/0x40
[  121.528679]  netlink_unicast+0x5a0/0x760
[  121.532749]  ? netlink_attachskb+0x9a0/0x9a0
[  121.537189]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  121.542735]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  121.547760]  netlink_sendmsg+0xa18/0xfc0
[  121.551838]  ? netlink_unicast+0x760/0x760
[  121.556078]  ? move_addr_to_kernel.part.18+0x100/0x100
[  121.561364]  ? security_socket_sendmsg+0x94/0xc0
[  121.566122]  ? netlink_unicast+0x760/0x760
[  121.570363]  sock_sendmsg+0xd5/0x120
[  121.574085]  ___sys_sendmsg+0x7fd/0x930
[  121.578072]  ? copy_msghdr_from_user+0x580/0x580
[  121.582835]  ? kasan_check_read+0x11/0x20
[  121.586991]  ? do_raw_spin_unlock+0xa7/0x2f0
[  121.591414]  ? __fget_light+0x2f7/0x440
[  121.595423]  ? __local_bh_enable_ip+0x161/0x230
[  121.600097]  ? fget_raw+0x20/0x20
[  121.603558]  ? __release_sock+0x3a0/0x3a0
[  121.607712]  ? tipc_nametbl_build_group+0x279/0x360
[  121.612741]  ? tipc_setsockopt+0x726/0xd70
[  121.616996]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  121.622546]  ? sockfd_lookup_light+0xc5/0x160
[  121.627053]  __sys_sendmsg+0x11d/0x290
[  121.630945]  ? __ia32_sys_shutdown+0x80/0x80
[  121.635357]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[  121.640898]  ? fput+0x130/0x1a0
[  121.644190]  ? __x64_sys_futex+0x47f/0x6a0
[  121.648445]  __x64_sys_sendmsg+0x78/0xb0
[  121.652514]  do_syscall_64+0x1b9/0x820
[  121.656409]  ? syscall_return_slowpath+0x5e0/0x5e0
[  121.661343]  ? syscall_return_slowpath+0x31d/0x5e0
[  121.666287]  ? __switch_to_asm+0x34/0x70
[  121.670359]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[  121.675750]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  121.680605]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  121.685796] RIP: 0033:0x457089
[  121.688995] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  121.707901] RSP: 002b:00007f74da728c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[  121.715643] RAX: ffffffffffffffda RBX: 00007f74da7296d4 RCX: 0000000000457089
[  121.722915] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000006
[  121.730183] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[  121.737451] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[  121.744727] R13: 00000000004d4088 R14: 00000000004c8ab0 R15: 0000000000000000
[  121.752008] 
[  121.753636] Allocated by task 5812:
[  121.757292]  save_stack+0x43/0xd0
[  121.760749]  kasan_kmalloc+0xc4/0xe0
[  121.764474]  kmem_cache_alloc_trace+0x152/0x780
[  121.769146]  tipc_group_create+0x155/0xa70
[  121.773384]  tipc_setsockopt+0x2d1/0xd70
[  121.777448]  __sys_setsockopt+0x1c5/0x3b0
[  121.781601]  __x64_sys_setsockopt+0xbe/0x150
[  121.786012]  do_syscall_64+0x1b9/0x820
[  121.789926]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  121.795115] 
[  121.796741] Freed by task 5811:
[  121.800024]  save_stack+0x43/0xd0
[  121.803476]  __kasan_slab_free+0x11a/0x170
[  121.807711]  kasan_slab_free+0xe/0x10
[  121.811512]  kfree+0xd9/0x260
[  121.814620]  tipc_group_delete+0x2e5/0x3f0
[  121.818877]  tipc_sk_leave+0x113/0x220
[  121.822790]  tipc_release+0x14e/0x12b0
[  121.826685]  __sock_release+0xd7/0x250
[  121.830586]  sock_close+0x19/0x20
[  121.834041]  __fput+0x39b/0x860
[  121.837322]  ____fput+0x15/0x20
[  121.840607]  task_work_run+0x1e8/0x2a0
[  121.844495]  exit_to_usermode_loop+0x318/0x380
[  121.849082]  do_syscall_64+0x6be/0x820
[  121.852981]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  121.858168] 
[  121.859798] The buggy address belongs to the object at ffff8801b2674c00
[  121.859798]  which belongs to the cache kmalloc-192 of size 192
[  121.872460] The buggy address is located 92 bytes inside of
[  121.872460]  192-byte region [ffff8801b2674c00, ffff8801b2674cc0)
[  121.884245] The buggy address belongs to the page:
[  121.889208] page:ffffea0006c99d00 count:1 mapcount:0 mapping:ffff8801dac00040 index:0x0
[  121.897362] flags: 0x2fffc0000000100(slab)
[  121.901608] raw: 02fffc0000000100 ffffea0006bd6f88 ffff8801dac01148 ffff8801dac00040
[  121.909494] raw: 0000000000000000 ffff8801b2674000 0000000100000010 0000000000000000
[  121.917369] page dumped because: kasan: bad access detected
[  121.923073] 
[  121.924698] Memory state around the buggy address:
[  121.929626]  ffff8801b2674b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  121.936984]  ffff8801b2674b80: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  121.944345] >ffff8801b2674c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  121.951697]                                                     ^
[  121.957930]  ffff8801b2674c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  121.965294]  ffff8801b2674d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  121.972651] ==================================================================
[  121.980002] Disabling lock debugging due to kernel taint
[  121.985491] Kernel panic - not syncing: panic_on_warn set ...
[  121.985491] 
[  121.992884] CPU: 1 PID: 5812 Comm: syz-executor0 Tainted: G    B             4.18.0+ #189
[  122.001195] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  122.010540] Call Trace:
[  122.013138]  dump_stack+0x1c9/0x2b4
[  122.016774]  ? dump_stack_print_info.cold.2+0x52/0x52
[  122.021973]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  122.026737]  panic+0x238/0x4e7
[  122.029935]  ? add_taint.cold.5+0x16/0x16
[  122.034091]  ? do_raw_spin_unlock+0xa7/0x2f0
[  122.038503]  ? tipc_group_fill_sock_diag+0x7b9/0x84b
[  122.043607]  kasan_end_report+0x47/0x4f
[  122.047581]  kasan_report.cold.7+0x76/0x2fe
[  122.051908]  __asan_report_load4_noabort+0x14/0x20
[  122.056837]  tipc_group_fill_sock_diag+0x7b9/0x84b
[  122.061776]  ? tipc_group_member_evt+0xe30/0xe30
[  122.066536]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  122.071576]  ? skb_put+0x17b/0x1e0
[  122.075117]  ? memset+0x31/0x40
[  122.078395]  ? memcpy+0x45/0x50
[  122.081674]  ? __nla_put+0x37/0x40
[  122.085217]  ? nla_put+0x11a/0x150
[  122.088769]  tipc_sk_fill_sock_diag+0x9f8/0xdb0
[  122.093453]  ? tipc_diag_dump+0x30/0x30
[  122.097433]  ? tipc_getname+0x7f0/0x7f0
[  122.101410]  ? save_stack+0xa9/0xd0
[  122.105131]  ? graph_lock+0x170/0x170
[  122.108955]  ? graph_lock+0x170/0x170
[  122.112755]  ? __netlink_dump_start+0x4f1/0x6f0
[  122.117426]  ? sock_diag_rcv_msg+0x31d/0x410
[  122.121834]  ? netlink_rcv_skb+0x172/0x440
[  122.126130]  ? sock_diag_rcv+0x2a/0x40
[  122.130018]  ? netlink_unicast+0x5a0/0x760
[  122.134259]  ? netlink_sendmsg+0xa18/0xfc0
[  122.138498]  ? sock_sendmsg+0xd5/0x120
[  122.142386]  ? ___sys_sendmsg+0x7fd/0x930
[  122.146537]  ? __x64_sys_sendmsg+0x78/0xb0
[  122.150772]  ? do_syscall_64+0x1b9/0x820
[  122.154833]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  122.160195]  ? print_usage_bug+0xc0/0xc0
[  122.164263]  ? find_held_lock+0x36/0x1c0
[  122.168331]  ? lock_acquire+0x1e4/0x540
[  122.172308]  ? tipc_nl_sk_walk+0x60a/0xd30
[  122.176569]  ? lock_downgrade+0x8f0/0x8f0
[  122.180726]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  122.185744]  ? skb_put+0x17b/0x1e0
[  122.189288]  ? __nlmsg_put+0x14c/0x1b0
[  122.193181]  __tipc_add_sock_diag+0x22f/0x360
[  122.197678]  tipc_nl_sk_walk+0x68d/0xd30
[  122.201741]  ? tipc_sock_diag_handler_dump+0x340/0x340
[  122.207020]  ? __tipc_nl_add_sk+0x400/0x400
[  122.211345]  ? skb_scrub_packet+0x490/0x490
[  122.215677]  ? kasan_check_write+0x14/0x20
[  122.219914]  ? lock_downgrade+0x8f0/0x8f0
[  122.224065]  tipc_diag_dump+0x24/0x30
[  122.227866]  netlink_dump+0x519/0xd50
[  122.231694]  ? netlink_broadcast+0x50/0x50
[  122.235934]  __netlink_dump_start+0x4f1/0x6f0
[  122.240428]  ? kasan_check_read+0x11/0x20
[  122.244603]  tipc_sock_diag_handler_dump+0x234/0x340
[  122.249716]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[  122.254382]  ? tipc_unregister_sysctl+0x20/0x20
[  122.259050]  ? netlink_deliver_tap+0x356/0xfb0
[  122.263637]  sock_diag_rcv_msg+0x31d/0x410
[  122.267908]  netlink_rcv_skb+0x172/0x440
[  122.271972]  ? sock_diag_bind+0x80/0x80
[  122.275946]  ? netlink_ack+0xbe0/0xbe0
[  122.279835]  ? rcu_cleanup_dead_rnp+0x200/0x200
[  122.284527]  sock_diag_rcv+0x2a/0x40
[  122.288239]  netlink_unicast+0x5a0/0x760
[  122.292310]  ? netlink_attachskb+0x9a0/0x9a0
[  122.296721]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  122.302268]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  122.307292]  netlink_sendmsg+0xa18/0xfc0
[  122.311363]  ? netlink_unicast+0x760/0x760
[  122.315600]  ? move_addr_to_kernel.part.18+0x100/0x100
[  122.320883]  ? security_socket_sendmsg+0x94/0xc0
[  122.325642]  ? netlink_unicast+0x760/0x760
[  122.329966]  sock_sendmsg+0xd5/0x120
[  122.333684]  ___sys_sendmsg+0x7fd/0x930
[  122.337662]  ? copy_msghdr_from_user+0x580/0x580
[  122.342426]  ? kasan_check_read+0x11/0x20
[  122.346573]  ? do_raw_spin_unlock+0xa7/0x2f0
[  122.350984]  ? __fget_light+0x2f7/0x440
[  122.354964]  ? __local_bh_enable_ip+0x161/0x230
[  122.359650]  ? fget_raw+0x20/0x20
[  122.363109]  ? __release_sock+0x3a0/0x3a0
[  122.367267]  ? tipc_nametbl_build_group+0x279/0x360
[  122.372303]  ? tipc_setsockopt+0x726/0xd70
[  122.376565]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  122.382106]  ? sockfd_lookup_light+0xc5/0x160
[  122.386602]  __sys_sendmsg+0x11d/0x290
[  122.390497]  ? __ia32_sys_shutdown+0x80/0x80
[  122.394911]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[  122.400448]  ? fput+0x130/0x1a0
[  122.403734]  ? __x64_sys_futex+0x47f/0x6a0
[  122.407979]  __x64_sys_sendmsg+0x78/0xb0
[  122.412051]  do_syscall_64+0x1b9/0x820
[  122.415940]  ? syscall_return_slowpath+0x5e0/0x5e0
[  122.420869]  ? syscall_return_slowpath+0x31d/0x5e0
[  122.425801]  ? __switch_to_asm+0x34/0x70
[  122.430239]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[  122.435650]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  122.440497]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  122.445686] RIP: 0033:0x457089
[  122.448885] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  122.467784] RSP: 002b:00007f74da728c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[  122.475493] RAX: ffffffffffffffda RBX: 00007f74da7296d4 RCX: 0000000000457089
[  122.482762] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000006
[  122.490037] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[  122.497325] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[  122.504592] R13: 00000000004d4088 R14: 00000000004c8ab0 R15: 0000000000000000
[  122.512146] Dumping ftrace buffer:
[  122.515684]    (ftrace buffer empty)
[  122.519373] Kernel Offset: disabled
[  122.522982] Rebooting in 86400 seconds..