[....] Starting file context maintaining daemon: restorecond [ ok ].
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 34.229309] random: sshd: uninitialized urandom read (32 bytes read)
[ 34.482662] kauditd_printk_skb: 9 callbacks suppressed
[ 34.482670] audit: type=1400 audit(1574356895.620:35): avc: denied { map } for pid=6915 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 34.538561] random: sshd: uninitialized urandom read (32 bytes read)
[ 35.094468] random: sshd: uninitialized urandom read (32 bytes read)
[ 35.295980] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.15' (ECDSA) to the list of known hosts.
[ 40.844348] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 40.969672] audit: type=1400 audit(1574356902.100:36): avc: denied { map } for pid=6929 comm="syz-executor283" path="/root/syz-executor283383355" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 40.997240] ==================================================================
[ 41.004684] BUG: KASAN: slab-out-of-bounds in bpf_clone_redirect+0x2de/0x2f0
[ 41.011852] Read of size 8 at addr ffff88809e0c2c10 by task syz-executor283/6929
[ 41.019375]
[ 41.021083] CPU: 0 PID: 6929 Comm: syz-executor283 Not tainted 4.14.155-syzkaller #0
[ 41.028946] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.038278] Call Trace:
[ 41.040860]  dump_stack+0x142/0x197
[ 41.044470]  ? bpf_clone_redirect+0x2de/0x2f0
[ 41.048947]  print_address_description.cold+0x7c/0x1dc
[ 41.054224]  ? bpf_clone_redirect+0x2de/0x2f0
[ 41.058727]  kasan_report.cold+0xa9/0x2af
[ 41.062877]  __asan_report_load8_noabort+0x14/0x20
[ 41.067805]  bpf_clone_redirect+0x2de/0x2f0
[ 41.072117]  ? bpf_prog_test_run_skb+0x157/0x9a0
[ 41.076856]  ? SyS_bpf+0x6ad/0x2da8
[ 41.080470]  bpf_prog_3c8dfff8b3098609+0x3b0/0x1000
[ 41.085475]  ? trace_hardirqs_on+0x10/0x10
[ 41.089694]  ? trace_hardirqs_on+0x10/0x10
[ 41.093914]  ? bpf_test_run+0x44/0x330
[ 41.097782]  ? find_held_lock+0x35/0x130
[ 41.101828]  ? bpf_test_run+0x44/0x330
[ 41.105703]  ? lock_acquire+0x16f/0x430
[ 41.109676]  ? check_preemption_disabled+0x3c/0x250
[ 41.114682]  ? bpf_test_run+0xa8/0x330
[ 41.118553]  ? bpf_prog_test_run_skb+0x6c2/0x9a0
[ 41.123295]  ? bpf_test_init.isra.0+0xe0/0xe0
[ 41.127785]  ? __bpf_prog_get+0x153/0x1a0
[ 41.131914]  ? SyS_bpf+0x6ad/0x2da8
[ 41.135520]  ? __do_page_fault+0x4e9/0xb80
[ 41.139748]  ? bpf_test_init.isra.0+0xe0/0xe0
[ 41.144223]  ? bpf_prog_get+0x20/0x20
[ 41.148064]  ? lock_downgrade+0x740/0x740
[ 41.152200]  ? up_read+0x1a/0x40
[ 41.155546]  ? __do_page_fault+0x358/0xb80
[ 41.159786]  ? bpf_prog_get+0x20/0x20
[ 41.163571]  ? do_syscall_64+0x1e8/0x640
[ 41.167614]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 41.172444]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 41.177789]
[ 41.179394] Allocated by task 0:
[ 41.182750] (stack is not available)
[ 41.186447]
[ 41.188101] Freed by task 0:
[ 41.191096] (stack is not available)
[ 41.194783]
[ 41.196390] The buggy address belongs to the object at ffff88809e0c2b80
[ 41.196390]  which belongs to the cache skbuff_head_cache of size 232
[ 41.209555] The buggy address is located 144 bytes inside of
[ 41.209555]  232-byte region [ffff88809e0c2b80, ffff88809e0c2c68)
[ 41.221418] The buggy address belongs to the page:
[ 41.226333] page:ffffea0002783080 count:1 mapcount:0 mapping:ffff88809e0c2040 index:0x0
[ 41.234454] flags: 0x1fffc0000000100(slab)
[ 41.238669] raw: 01fffc0000000100 ffff88809e0c2040 0000000000000000 000000010000000c
[ 41.246527] raw: ffffea00024b78a0 ffff8880a9e1bf48 ffff8880a9e19a80 0000000000000000
[ 41.254383] page dumped because: kasan: bad access detected
[ 41.260067]
[ 41.261686] Memory state around the buggy address:
[ 41.266591]  ffff88809e0c2b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.273928]  ffff88809e0c2b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.281281] >ffff88809e0c2c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.288621]                          ^
[ 41.292483]  ffff88809e0c2c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.299817]  ffff88809e0c2d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.307162] ==================================================================
[ 41.314495] Disabling lock debugging due to kernel taint
[ 41.320126] Kernel panic - not syncing: panic_on_warn set ...
[ 41.320126]
[ 41.327485] CPU: 0 PID: 6929 Comm: syz-executor283 Tainted: G    B   4.14.155-syzkaller #0
[ 41.336556] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.345887] Call Trace:
[ 41.348458]  dump_stack+0x142/0x197
[ 41.352063]  ? bpf_clone_redirect+0x2de/0x2f0
[ 41.356535]  panic+0x1f9/0x42d
[ 41.359699]  ? add_taint.cold+0x16/0x16
[ 41.363666]  kasan_end_report+0x47/0x4f
[ 41.367615]  kasan_report.cold+0x130/0x2af
[ 41.372098]  __asan_report_load8_noabort+0x14/0x20
[ 41.377024]  bpf_clone_redirect+0x2de/0x2f0
[ 41.381325]  ? bpf_prog_test_run_skb+0x157/0x9a0
[ 41.386060]  ? SyS_bpf+0x6ad/0x2da8
[ 41.389664]  bpf_prog_3c8dfff8b3098609+0x3b0/0x1000
[ 41.394669]  ? trace_hardirqs_on+0x10/0x10
[ 41.398879]  ? trace_hardirqs_on+0x10/0x10
[ 41.403090]  ? bpf_test_run+0x44/0x330
[ 41.406954]  ? find_held_lock+0x35/0x130
[ 41.410999]  ? bpf_test_run+0x44/0x330
[ 41.414864]  ? lock_acquire+0x16f/0x430
[ 41.418815]  ? check_preemption_disabled+0x3c/0x250
[ 41.423810]  ? bpf_test_run+0xa8/0x330
[ 41.427686]  ? bpf_prog_test_run_skb+0x6c2/0x9a0
[ 41.432422]  ? bpf_test_init.isra.0+0xe0/0xe0
[ 41.436908]  ? __bpf_prog_get+0x153/0x1a0
[ 41.441034]  ? SyS_bpf+0x6ad/0x2da8
[ 41.444641]  ? __do_page_fault+0x4e9/0xb80
[ 41.448852]  ? bpf_test_init.isra.0+0xe0/0xe0
[ 41.453323]  ? bpf_prog_get+0x20/0x20
[ 41.457101]  ? lock_downgrade+0x740/0x740
[ 41.461234]  ? up_read+0x1a/0x40
[ 41.464574]  ? __do_page_fault+0x358/0xb80
[ 41.468783]  ? bpf_prog_get+0x20/0x20
[ 41.472561]  ? do_syscall_64+0x1e8/0x640
[ 41.476615]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 41.481438]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 41.488236] Kernel Offset: disabled
[ 41.491859] Rebooting in 86400 seconds..