[....] Starting OpenBSD Secure Shell server: sshd
[ 11.024226] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 26.254987] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.485245] audit: type=1400 audit(1569075712.873:6): avc: denied { map } for pid=1766 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 26.522998] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.025323] random: sshd: uninitialized urandom read (32 bytes read)
[ 43.762243] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.93' (ECDSA) to the list of known hosts.
[ 49.302215] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 49.390701] audit: type=1400 audit(1569075735.783:7): avc: denied { map } for pid=1790 comm="syz-executor237" path="/root/syz-executor237239562" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 49.393931] ==================================================================
[ 49.424254] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x19d/0x1f0
[ 49.430986] Read of size 2 at addr ffff8881c53616b0 by task syz-executor237/1790
[ 49.438621]
[ 49.440230] CPU: 0 PID: 1790 Comm: syz-executor237 Not tainted 4.14.145+ #0
[ 49.447303] Call Trace:
[ 49.449870]  dump_stack+0xca/0x134
[ 49.453386]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 49.457770]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 49.462161]  print_address_description+0x60/0x226
[ 49.466986]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 49.471430]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 49.475820]  __kasan_report.cold+0x1a/0x41
[ 49.480043]  ? kvm_guest_cpu_init+0x220/0x220
[ 49.484519]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 49.488902]  tcp_init_tso_segs+0x19d/0x1f0
[ 49.493121]  ? tcp_tso_segs+0x7b/0x1c0
[ 49.496984]  tcp_write_xmit+0x15a/0x4730
[ 49.501026]  ? memset+0x20/0x40
[ 49.504291]  __tcp_push_pending_frames+0xa0/0x230
[ 49.509108]  tcp_send_fin+0x154/0xbc0
[ 49.512912]  tcp_close+0xc62/0xf40
[ 49.516434]  inet_release+0xe9/0x1c0
[ 49.520127]  __sock_release+0xd2/0x2c0
[ 49.523990]  ? __sock_release+0x2c0/0x2c0
[ 49.528110]  sock_close+0x15/0x20
[ 49.531546]  __fput+0x25e/0x710
[ 49.534809]  task_work_run+0x125/0x1a0
[ 49.538697]  do_exit+0x9cb/0x2a20
[ 49.542132]  ? mm_update_next_owner+0x610/0x610
[ 49.546790]  do_group_exit+0x100/0x2e0
[ 49.550656]  SyS_exit_group+0x19/0x20
[ 49.554432]  ? do_group_exit+0x2e0/0x2e0
[ 49.558467]  do_syscall_64+0x19b/0x520
[ 49.562339]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 49.567506] RIP: 0033:0x43ee08
[ 49.570673] RSP: 002b:00007ffd0e13d508 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 49.578370] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ee08
[ 49.585615] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 49.592861] RBP: 00000000004be608 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 49.600120] R10: 0000000020000802 R11: 0000000000000246 R12: 0000000000000001
[ 49.607365] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 49.614623]
[ 49.616230] Allocated by task 1790:
[ 49.619838]  __kasan_kmalloc.part.0+0x53/0xc0
[ 49.624311]  kmem_cache_alloc+0xee/0x360
[ 49.628344]  __alloc_skb+0xea/0x5c0
[ 49.631950]  sk_stream_alloc_skb+0xf4/0x8a0
[ 49.636247]  tcp_sendmsg_locked+0xf11/0x2f50
[ 49.640642]  tcp_sendmsg+0x2b/0x40
[ 49.644165]  inet_sendmsg+0x15b/0x520
[ 49.647952]  sock_sendmsg+0xb7/0x100
[ 49.651642]  SyS_sendto+0x1de/0x2f0
[ 49.655245]  do_syscall_64+0x19b/0x520
[ 49.659140]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 49.664318]  0xffffffffffffffff
[ 49.667573]
[ 49.669180] Freed by task 1790:
[ 49.672529]  __kasan_slab_free+0x164/0x210
[ 49.676740]  kmem_cache_free+0xd7/0x3b0
[ 49.680712]  kfree_skbmem+0x84/0x110
[ 49.684402]  tcp_remove_empty_skb+0x264/0x320
[ 49.688874]  tcp_sendmsg_locked+0x1c09/0x2f50
[ 49.693346]  tcp_sendmsg+0x2b/0x40
[ 49.696864]  inet_sendmsg+0x15b/0x520
[ 49.700646]  sock_sendmsg+0xb7/0x100
[ 49.704346]  SyS_sendto+0x1de/0x2f0
[ 49.707950]  do_syscall_64+0x19b/0x520
[ 49.711816]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 49.716988]  0xffffffffffffffff
[ 49.720249]
[ 49.721855] The buggy address belongs to the object at ffff8881c5361680
[ 49.721855]  which belongs to the cache skbuff_fclone_cache of size 456
[ 49.735178] The buggy address is located 48 bytes inside of
[ 49.735178]  456-byte region [ffff8881c5361680, ffff8881c5361848)
[ 49.746942] The buggy address belongs to the page:
[ 49.751846] page:ffffea000714d800 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 49.761801] flags: 0x4000000000010200(slab|head)
[ 49.766533] raw: 4000000000010200 0000000000000000 0000000000000000 00000001800c000c
[ 49.774389] raw: dead000000000100 dead000000000200 ffff8881dab70400 0000000000000000
[ 49.782251] page dumped because: kasan: bad access detected
[ 49.787932]
[ 49.789535] Memory state around the buggy address:
[ 49.794440]  ffff8881c5361580: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 49.801784]  ffff8881c5361600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 49.809121] >ffff8881c5361680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.816518]                                      ^
[ 49.821436]  ffff8881c5361700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.828776]  ffff8881c5361780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.836129] ==================================================================
[ 49.843473] Disabling lock debugging due to kernel taint
[ 49.849247] Kernel panic - not syncing: panic_on_warn set ...
[ 49.849247]
[ 49.856610] CPU: 0 PID: 1790 Comm: syz-executor237 Tainted: G B 4.14.145+ #0
[ 49.864899] Call Trace:
[ 49.867465]  dump_stack+0xca/0x134
[ 49.870987]  panic+0x1ea/0x3d3
[ 49.874153]  ? add_taint.cold+0x16/0x16
[ 49.878220]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 49.882673]  ? ___preempt_schedule+0x16/0x18
[ 49.887059]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 49.891441]  end_report+0x43/0x49
[ 49.894870]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 49.899251]  __kasan_report.cold+0xd/0x41
[ 49.903377]  ? kvm_guest_cpu_init+0x220/0x220
[ 49.907862]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 49.912263]  tcp_init_tso_segs+0x19d/0x1f0
[ 49.916486]  ? tcp_tso_segs+0x7b/0x1c0
[ 49.920349]  tcp_write_xmit+0x15a/0x4730
[ 49.924397]  ? memset+0x20/0x40
[ 49.927656]  __tcp_push_pending_frames+0xa0/0x230
[ 49.932474]  tcp_send_fin+0x154/0xbc0
[ 49.936285]  tcp_close+0xc62/0xf40
[ 49.939824]  inet_release+0xe9/0x1c0
[ 49.943513]  __sock_release+0xd2/0x2c0
[ 49.947374]  ? __sock_release+0x2c0/0x2c0
[ 49.951506]  sock_close+0x15/0x20
[ 49.954935]  __fput+0x25e/0x710
[ 49.958201]  task_work_run+0x125/0x1a0
[ 49.962066]  do_exit+0x9cb/0x2a20
[ 49.965496]  ? mm_update_next_owner+0x610/0x610
[ 49.970143]  do_group_exit+0x100/0x2e0
[ 49.974004]  SyS_exit_group+0x19/0x20
[ 49.977777]  ? do_group_exit+0x2e0/0x2e0
[ 49.981813]  do_syscall_64+0x19b/0x520
[ 49.985676]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 49.990934] RIP: 0033:0x43ee08
[ 49.994100] RSP: 002b:00007ffd0e13d508 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 50.001781] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ee08
[ 50.009022] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 50.016266] RBP: 00000000004be608 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 50.023510] R10: 0000000020000802 R11: 0000000000000246 R12: 0000000000000001
[ 50.030753] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 50.038641] Kernel Offset: 0x1d200000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 50.049545] Rebooting in 86400 seconds..