[ ok ] Starting enhanced syslogd: rsyslogd.
[   14.701217] audit: type=1400 audit(1516821394.545:5): avc:  denied  { syslog } for  pid=3524 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   17.142978] audit: type=1400 audit(1516821396.986:6): avc:  denied  { map } for  pid=3662 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.16' (ECDSA) to the list of known hosts.
executing program
[   23.418934] audit: type=1400 audit(1516821403.262:7): avc:  denied  { map } for  pid=3676 comm="syzkaller966336" path="/root/syzkaller966336375" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   23.421944] ==================================================================
[   23.421966] BUG: KASAN: slab-out-of-bounds in string+0x1e8/0x200
[   23.421974] Read of size 1 at addr ffff8801bbd8bd50 by task syzkaller966336/3676
[   23.421976] 
[   23.421984] CPU: 1 PID: 3676 Comm: syzkaller966336 Not tainted 4.15.0-rc9+ #207
[   23.421988] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   23.421991] Call Trace:
[   23.422008]  dump_stack+0x194/0x257
[   23.422022]  ? arch_local_irq_restore+0x53/0x53
[   23.422035]  ? show_regs_print_info+0x18/0x18
[   23.422052]  ? string+0x1e8/0x200
[   23.422066]  print_address_description+0x73/0x250
[   23.422074]  ? string+0x1e8/0x200
[   23.422084]  kasan_report+0x25b/0x340
[   23.422100]  __asan_report_load1_noabort+0x14/0x20
[   23.422107]  string+0x1e8/0x200
[   23.422127]  vsnprintf+0x863/0x1900
[   23.422147]  ? pointer+0x9e0/0x9e0
[   23.422174]  __request_module+0x1bf/0xc20
[   23.422183]  ? lock_downgrade+0x980/0x980
[   23.422197]  ? free_modprobe_argv+0xa0/0xa0
[   23.422206]  ? lock_downgrade+0x980/0x980
[   23.422216]  ? rcu_read_lock_sched_held+0x108/0x120
[   23.422226]  ? pcpu_alloc+0x146/0x10e0
[   23.422251]  ? __mutex_unlock_slowpath+0xe9/0xac0
[   23.422258]  ? pcpu_free_area+0xa00/0xa00
[   23.422271]  ? wait_for_completion+0x770/0x770
[   23.422287]  ? __kernel_text_address+0xd/0x40
[   23.422295]  ? wait_for_completion+0x770/0x770
[   23.422308]  ? trace_hardirqs_off+0xd/0x10
[   23.422323]  ? depot_save_stack+0x3b5/0x490
[   23.422338]  ? kvfree+0x36/0x60
[   23.422360]  ? xt_find_target+0x17b/0x1e0
[   23.422391]  xt_request_find_target+0x8b/0xb0
[   23.422405]  find_check_entry.isra.8+0x612/0xcb0
[   23.422426]  ? rcu_read_lock_sched_held+0x108/0x120
[   23.422436]  ? ipt_do_table+0x1330/0x1330
[   23.422451]  ? mark_held_locks+0xaf/0x100
[   23.422460]  ? kfree+0xf0/0x260
[   23.422472]  ? kvfree+0x36/0x60
[   23.422481]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   23.422491]  ? trace_hardirqs_on+0xd/0x10
[   23.422510]  translate_table+0xed1/0x1610
[   23.422548]  ? alloc_counters.isra.11+0x7d0/0x7d0
[   23.422561]  ? kasan_check_write+0x14/0x20
[   23.422569]  ? _copy_from_user+0x99/0x110
[   23.422583]  do_ipt_set_ctl+0x370/0x5f0
[   23.422597]  ? translate_compat_table+0x1b90/0x1b90
[   23.422624]  ? mutex_unlock+0xd/0x10
[   23.422632]  ? nf_sockopt_find.constprop.0+0x1a7/0x220
[   23.422646]  nf_setsockopt+0x67/0xc0
[   23.422661]  ip_setsockopt+0xa1/0xb0
[   23.422676]  udp_setsockopt+0x45/0x80
[   23.422693]  sock_common_setsockopt+0x95/0xd0
[   23.422709]  SyS_setsockopt+0x189/0x360
[   23.422724]  ? SyS_recv+0x40/0x40
[   23.422735]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[   23.422746]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   23.422758]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   23.422778]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   23.422783] RIP: 0033:0x43ffc9
[   23.422788] RSP: 002b:00007ffcedd07848 EFLAGS: 00000203 ORIG_RAX: 0000000000000036
[   23.422796] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffc9
[   23.422800] RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003
[   23.422804] RBP: 00000000006ca018 R08: 00000000000000f0 R09: 0000000000000000
[   23.422808] R10: 0000000020f20000 R11: 0000000000000203 R12: 00000000004018f0
[   23.422812] R13: 0000000000401980 R14: 0000000000000000 R15: 0000000000000000
[   23.422840] 
[   23.422844] Allocated by task 3676:
[   23.422851]  save_stack+0x43/0xd0
[   23.422857]  kasan_kmalloc+0xad/0xe0
[   23.422862]  __kmalloc_node+0x47/0x70
[   23.422868]  kvmalloc_node+0x99/0xd0
[   23.422874]  xt_alloc_table_info+0x64/0xe0
[   23.422880]  do_ipt_set_ctl+0x29b/0x5f0
[   23.422884]  nf_setsockopt+0x67/0xc0
[   23.422889]  ip_setsockopt+0xa1/0xb0
[   23.422895]  udp_setsockopt+0x45/0x80
[   23.422901]  sock_common_setsockopt+0x95/0xd0
[   23.422907]  SyS_setsockopt+0x189/0x360
[   23.422913]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   23.422915] 
[   23.422918] Freed by task 2034:
[   23.422923]  save_stack+0x43/0xd0
[   23.422929]  kasan_slab_free+0x71/0xc0
[   23.422934]  kfree+0xd6/0x260
[   23.422941]  single_release+0x80/0xb0
[   23.422946]  __fput+0x327/0x7e0
[   23.422951]  ____fput+0x15/0x20
[   23.422957]  task_work_run+0x199/0x270
[   23.422963]  exit_to_usermode_loop+0x296/0x310
[   23.422970]  syscall_return_slowpath+0x490/0x550
[   23.422976]  entry_SYSCALL_64_fastpath+0x9e/0xa0
[   23.422978] 
[   23.422982] The buggy address belongs to the object at ffff8801bbd8bc80
[   23.422982]  which belongs to the cache kmalloc-256 of size 256
[   23.422988] The buggy address is located 208 bytes inside of
[   23.422988]  256-byte region [ffff8801bbd8bc80, ffff8801bbd8bd80)
[   23.422990] The buggy address belongs to the page:
[   23.422996] page:ffffea0006ef62c0 count:1 mapcount:0 mapping:ffff8801bbd8b000 index:0x0
[   23.423003] flags: 0x2fffc0000000100(slab)
[   23.423013] raw: 02fffc0000000100 ffff8801bbd8b000 0000000000000000 000000010000000c
[   23.423020] raw: ffffea0006f77d60 ffffea000764d0e0 ffff8801dac007c0 0000000000000000
[   23.423023] page dumped because: kasan: bad access detected
[   23.423025] 
[   23.423027] Memory state around the buggy address:
[   23.423033]  ffff8801bbd8bc00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   23.423038]  ffff8801bbd8bc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   23.423043] >ffff8801bbd8bd00: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[   23.423045]                                                  ^
[   23.423051]  ffff8801bbd8bd80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   23.423056]  ffff8801bbd8be00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.423058] ==================================================================
[   23.423060] Disabling lock debugging due to kernel taint
[   23.423104] Kernel panic - not syncing: panic_on_warn set ...
[   23.423104] 
[   23.423110] CPU: 1 PID: 3676 Comm: syzkaller966336 Tainted: G    B            4.15.0-rc9+ #207
[   23.423114] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   23.423115] Call Trace:
[   23.423123]  dump_stack+0x194/0x257
[   23.423133]  ? arch_local_irq_restore+0x53/0x53
[   23.423140]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   23.423148]  ? vsnprintf+0x1ed/0x1900
[   23.423156]  ? string+0x160/0x200
[   23.423164]  panic+0x1e4/0x41c
[   23.423171]  ? refcount_error_report+0x214/0x214
[   23.423180]  ? add_taint+0x1c/0x50
[   23.423187]  ? add_taint+0x1c/0x50
[   23.423196]  ? string+0x1e8/0x200
[   23.423203]  kasan_end_report+0x50/0x50
[   23.423210]  kasan_report+0x144/0x340
[   23.423220]  __asan_report_load1_noabort+0x14/0x20
[   23.423226]  string+0x1e8/0x200
[   23.423239]  vsnprintf+0x863/0x1900
[   23.423251]  ? pointer+0x9e0/0x9e0
[   23.423266]  __request_module+0x1bf/0xc20
[   23.423272]  ? lock_downgrade+0x980/0x980
[   23.423282]  ? free_modprobe_argv+0xa0/0xa0
[   23.423289]  ? lock_downgrade+0x980/0x980
[   23.423296]  ? rcu_read_lock_sched_held+0x108/0x120
[   23.423303]  ? pcpu_alloc+0x146/0x10e0
[   23.423317]  ? __mutex_unlock_slowpath+0xe9/0xac0
[   23.423323]  ? pcpu_free_area+0xa00/0xa00
[   23.423332]  ? wait_for_completion+0x770/0x770
[   23.423342]  ? __kernel_text_address+0xd/0x40
[   23.423349]  ? wait_for_completion+0x770/0x770
[   23.423357]  ? trace_hardirqs_off+0xd/0x10
[   23.423366]  ? depot_save_stack+0x3b5/0x490
[   23.423376]  ? kvfree+0x36/0x60
[   23.423389]  ? xt_find_target+0x17b/0x1e0
[   23.423407]  xt_request_find_target+0x8b/0xb0
[   23.423415]  find_check_entry.isra.8+0x612/0xcb0
[   23.423428]  ? rcu_read_lock_sched_held+0x108/0x120
[   23.423435]  ? ipt_do_table+0x1330/0x1330
[   23.423445]  ? mark_held_locks+0xaf/0x100
[   23.423452]  ? kfree+0xf0/0x260
[   23.423458]  ? kvfree+0x36/0x60
[   23.423469]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   23.423477]  ? trace_hardirqs_on+0xd/0x10
[   23.423488]  translate_table+0xed1/0x1610
[   23.423509]  ? alloc_counters.isra.11+0x7d0/0x7d0
[   23.423519]  ? kasan_check_write+0x14/0x20
[   23.423524]  ? _copy_from_user+0x99/0x110
[   23.423533]  do_ipt_set_ctl+0x370/0x5f0
[   23.423543]  ? translate_compat_table+0x1b90/0x1b90
[   23.423559]  ? mutex_unlock+0xd/0x10
[   23.423565]  ? nf_sockopt_find.constprop.0+0x1a7/0x220
[   23.423574]  nf_setsockopt+0x67/0xc0
[   23.423583]  ip_setsockopt+0xa1/0xb0
[   23.423592]  udp_setsockopt+0x45/0x80
[   23.423601]  sock_common_setsockopt+0x95/0xd0
[   23.423612]  SyS_setsockopt+0x189/0x360
[   23.423621]  ? SyS_recv+0x40/0x40
[   23.423630]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[   23.423638]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   23.423646]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   23.423658]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   23.423662] RIP: 0033:0x43ffc9
[   23.423665] RSP: 002b:00007ffcedd07848 EFLAGS: 00000203 ORIG_RAX: 0000000000000036
[   23.423672] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffc9
[   23.423675] RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003
[   23.423678] RBP: 00000000006ca018 R08: 00000000000000f0 R09: 0000000000000000
[   23.423682] R10: 0000000020f20000 R11: 0000000000000203 R12: 00000000004018f0
[   23.423685] R13: 0000000000401980 R14: 0000000000000000 R15: 0000000000000000
[   23.445251] Dumping ftrace buffer:
[   23.445255]    (ftrace buffer empty)
[   23.445258] Kernel Offset: disabled
[   24.306881] Rebooting in 86400 seconds..