[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 20.350225] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 24.454214] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.777858] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.316445] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.482462] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.33' (ECDSA) to the list of known hosts.
[ 30.944963] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 31.039580] ==================================================================
[ 31.047015] BUG: KASAN: slab-out-of-bounds in _autofs_dev_ioctl+0x8f5/0x990
[ 31.054109] Read of size 4 at addr ffff8801acdecf40 by task syz-executor632/4414
[ 31.061616]
[ 31.063235] CPU: 0 PID: 4414 Comm: syz-executor632 Not tainted 4.18.0-rc8+ #86
[ 31.070584] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.079923] Call Trace:
[ 31.082508]  dump_stack+0x1c9/0x2b4
[ 31.086123]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 31.091296]  ? printk+0xa7/0xcf
[ 31.094560]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 31.099301]  ? _autofs_dev_ioctl+0x8f5/0x990
[ 31.103704]  print_address_description+0x6c/0x20b
[ 31.108533]  ? _autofs_dev_ioctl+0x8f5/0x990
[ 31.112928]  kasan_report.cold.7+0x242/0x2fe
[ 31.117323]  ? find_autofs_mount.isra.5+0x2d0/0x2d0
[ 31.122321]  __asan_report_load4_noabort+0x14/0x20
[ 31.127234]  _autofs_dev_ioctl+0x8f5/0x990
[ 31.131468]  ? autofs_dev_ioctl_closemount+0x90/0x90
[ 31.136552]  ? do_sys_open+0x3cb/0x760
[ 31.140427]  ? autofs_dev_ioctl+0x30/0x30
[ 31.144571]  autofs_dev_ioctl_compat+0x1c/0x30
[ 31.149178]  __ia32_compat_sys_ioctl+0x221/0x640
[ 31.153930]  do_fast_syscall_32+0x34d/0xfb2
[ 31.158237]  ? do_int80_syscall_32+0x890/0x890
[ 31.162803]  ? do_syscall_64+0x497/0x820
[ 31.166857]  ? syscall_slow_exit_work+0x500/0x500
[ 31.171694]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 31.176607]  ? syscall_return_slowpath+0x31d/0x5e0
[ 31.181547]  ? sysret32_from_system_call+0x5/0x46
[ 31.186376]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 31.191204]  entry_SYSENTER_compat+0x70/0x7f
[ 31.195597] RIP: 0023:0xf7f50cb9
[ 31.198940] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 31.218245] RSP: 002b:00000000ff875acc EFLAGS: 00000217 ORIG_RAX: 0000000000000036
[ 31.225986] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 000000000000937e
[ 31.233248] RDX: 0000000020000180 RSI: 00000000080ea078 RDI: 00000000ff875b20
[ 31.240524] RBP: 0000000000001000 R08: 0000000000000000 R09: 0000000000000000
[ 31.247783] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 31.255175] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 31.262538]
[ 31.264163] Allocated by task 4414:
[ 31.267886]  save_stack+0x43/0xd0
[ 31.271471]  kasan_kmalloc+0xc4/0xe0
[ 31.275181]  kmem_cache_alloc_trace+0x152/0x780
[ 31.279934]  ramfs_fill_super+0xc4/0x580
[ 31.284027]  mount_nodev+0x6b/0x110
[ 31.287679]  ramfs_mount+0x2c/0x40
[ 31.291223]  mount_fs+0xae/0x328
[ 31.294575]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 31.299150]  do_mount+0x581/0x30e0
[ 31.302752]  __ia32_compat_sys_mount+0x5d5/0x860
[ 31.307505]  do_fast_syscall_32+0x34d/0xfb2
[ 31.311828]  entry_SYSENTER_compat+0x70/0x7f
[ 31.316219]
[ 31.317829] Freed by task 2755:
[ 31.321098]  save_stack+0x43/0xd0
[ 31.324533]  __kasan_slab_free+0x11a/0x170
[ 31.328769]  kasan_slab_free+0xe/0x10
[ 31.332663]  kfree+0xd9/0x260
[ 31.335772]  single_release+0x8f/0xb0
[ 31.339565]  __fput+0x355/0x8b0
[ 31.342832]  ____fput+0x15/0x20
[ 31.346102]  task_work_run+0x1ec/0x2a0
[ 31.350058]  exit_to_usermode_loop+0x313/0x370
[ 31.354640]  do_syscall_64+0x6be/0x820
[ 31.358514]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.363776]
[ 31.365394] The buggy address belongs to the object at ffff8801acdecf40
[ 31.365394]  which belongs to the cache kmalloc-32 of size 32
[ 31.377873] The buggy address is located 0 bytes inside of
[ 31.377873]  32-byte region [ffff8801acdecf40, ffff8801acdecf60)
[ 31.389481] The buggy address belongs to the page:
[ 31.394414] page:ffffea0006b37b00 count:1 mapcount:0 mapping:ffff8801dac001c0 index:0xffff8801acdecfc1
[ 31.403855] flags: 0x2fffc0000000100(slab)
[ 31.408077] raw: 02fffc0000000100 ffffea00072e09c8 ffffea00076b0308 ffff8801dac001c0
[ 31.415949] raw: ffff8801acdecfc1 ffff8801acdec000 0000000100000022 0000000000000000
[ 31.423812] page dumped because: kasan: bad access detected
[ 31.429504]
[ 31.431112] Memory state around the buggy address:
[ 31.436025]  ffff8801acdece00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 31.443365]  ffff8801acdece80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 31.450710] >ffff8801acdecf00: fb fb fb fb fc fc fc fc 02 fc fc fc fc fc fc fc
[ 31.458074]                                            ^
[ 31.463509]  ffff8801acdecf80: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.470856]  ffff8801acded000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.478214] ==================================================================
[ 31.485566] Disabling lock debugging due to kernel taint
[ 31.491100] Kernel panic - not syncing: panic_on_warn set ...
[ 31.491100]
[ 31.498500] CPU: 0 PID: 4414 Comm: syz-executor632 Tainted: G B 4.18.0-rc8+ #86
[ 31.507328] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.516719] Call Trace:
[ 31.519303]  dump_stack+0x1c9/0x2b4
[ 31.522962]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 31.528141]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 31.532890]  panic+0x238/0x4e7
[ 31.536075]  ? add_taint.cold.5+0x16/0x16
[ 31.540224]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.544642]  ? _autofs_dev_ioctl+0x8f5/0x990
[ 31.549030]  kasan_end_report+0x47/0x4f
[ 31.552983]  kasan_report.cold.7+0x76/0x2fe
[ 31.557293]  ? find_autofs_mount.isra.5+0x2d0/0x2d0
[ 31.562292]  __asan_report_load4_noabort+0x14/0x20
[ 31.567303]  _autofs_dev_ioctl+0x8f5/0x990
[ 31.571523]  ? autofs_dev_ioctl_closemount+0x90/0x90
[ 31.576610]  ? do_sys_open+0x3cb/0x760
[ 31.580487]  ? autofs_dev_ioctl+0x30/0x30
[ 31.584620]  autofs_dev_ioctl_compat+0x1c/0x30
[ 31.589190]  __ia32_compat_sys_ioctl+0x221/0x640
[ 31.593956]  do_fast_syscall_32+0x34d/0xfb2
[ 31.598308]  ? do_int80_syscall_32+0x890/0x890
[ 31.602890]  ? do_syscall_64+0x497/0x820
[ 31.606995]  ? syscall_slow_exit_work+0x500/0x500
[ 31.611827]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 31.616845]  ? syscall_return_slowpath+0x31d/0x5e0
[ 31.621765]  ? sysret32_from_system_call+0x5/0x46
[ 31.626587]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 31.631417]  entry_SYSENTER_compat+0x70/0x7f
[ 31.635832] RIP: 0023:0xf7f50cb9
[ 31.639188] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 31.658316] RSP: 002b:00000000ff875acc EFLAGS: 00000217 ORIG_RAX: 0000000000000036
[ 31.666130] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 000000000000937e
[ 31.673525] RDX: 0000000020000180 RSI: 00000000080ea078 RDI: 00000000ff875b20
[ 31.680888] RBP: 0000000000001000 R08: 0000000000000000 R09: 0000000000000000
[ 31.688147] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 31.695396] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 31.702994] Dumping ftrace buffer:
[ 31.706518]    (ftrace buffer empty)
[ 31.710208] Kernel Offset: disabled
[ 31.713813] Rebooting in 86400 seconds..