[....] Starting enhanced syslogd: rsyslogd
[ 16.406635] audit: type=1400 audit(1520718531.117:5): avc: denied { syslog } for pid=4102 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ].
Starting mcstransd:
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting file context maintaining daemon: restorecond [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 19.344981] audit: type=1400 audit(1520718534.055:6): avc: denied { map } for pid=4241 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.10.2' (ECDSA) to the list of known hosts.
executing program
[ 25.747951] audit: type=1400 audit(1520718540.458:7): avc: denied { map } for pid=4255 comm="syzkaller293307" path="/root/syzkaller293307205" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 25.753216] ==================================================================
[ 25.782430] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x1634/0x3270
[ 25.788988] Read of size 2368 at addr ffff8801b0bfb600 by task syzkaller293307/4255
[ 25.796751]
[ 25.798357] CPU: 0 PID: 4255 Comm: syzkaller293307 Not tainted 4.16.0-rc4+ #349
[ 25.805788] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.815115] Call Trace:
[ 25.817683]  dump_stack+0x194/0x24d
[ 25.821288]  ? arch_local_irq_restore+0x53/0x53
[ 25.825935]  ? show_regs_print_info+0x18/0x18
[ 25.830416]  ? __lock_is_held+0xb6/0x140
[ 25.834460]  ? pfkey_add+0x1634/0x3270
[ 25.838329]  print_address_description+0x73/0x250
[ 25.843151]  ? pfkey_add+0x1634/0x3270
[ 25.847027]  kasan_report+0x23c/0x360
[ 25.850807]  check_memory_region+0x137/0x190
[ 25.855204]  memcpy+0x23/0x50
[ 25.858292]  pfkey_add+0x1634/0x3270
[ 25.861995]  ? set_ipsecrequest+0x310/0x310
[ 25.866297]  ? lock_release+0xa40/0xa40
[ 25.870252]  ? set_ipsecrequest+0x310/0x310
[ 25.874556]  pfkey_process+0x67e/0x740
[ 25.878518]  ? pfkey_send_new_mapping+0x11b0/0x11b0
[ 25.883512]  ? kasan_check_write+0x14/0x20
[ 25.887749]  ? dup_iter+0x232/0x260
[ 25.891361]  pfkey_sendmsg+0x4dc/0xa00
[ 25.895234]  ? pfkey_spdget+0xb00/0xb00
[ 25.899191]  ? selinux_socket_sendmsg+0x36/0x40
[ 25.903848]  ? security_socket_sendmsg+0x89/0xb0
[ 25.908593]  ? pfkey_spdget+0xb00/0xb00
[ 25.912547]  sock_sendmsg+0xca/0x110
[ 25.916242]  ___sys_sendmsg+0x767/0x8b0
[ 25.920195]  ? SyS_membarrier+0x700/0x700
[ 25.924325]  ? copy_msghdr_from_user+0x590/0x590
[ 25.929071]  ? __pmd_alloc+0x4e0/0x4e0
[ 25.932941]  ? trace_hardirqs_off+0x10/0x10
[ 25.937256]  ? find_held_lock+0x35/0x1d0
[ 25.941301]  ? __fget_light+0x2b2/0x3c0
[ 25.945949]  ? fget_raw+0x20/0x20
[ 25.949385]  ? find_held_lock+0x35/0x1d0
[ 25.953435]  ? __do_page_fault+0x5f7/0xc90
[ 25.957647]  ? lock_downgrade+0x980/0x980
[ 25.961783]  __sys_sendmsg+0xe5/0x210
[ 25.965560]  ? __sys_sendmsg+0xe5/0x210
[ 25.969510]  ? SyS_shutdown+0x290/0x290
[ 25.973477]  ? __do_page_fault+0x3d6/0xc90
[ 25.977716]  ? move_addr_to_kernel+0x60/0x60
[ 25.982110]  SyS_sendmsg+0x2d/0x50
[ 25.985630]  ? __sys_sendmsg+0x210/0x210
[ 25.989670]  do_syscall_64+0x281/0x940
[ 25.993544]  ? __do_page_fault+0xc90/0xc90
[ 25.997763]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 26.002497]  ? syscall_return_slowpath+0x550/0x550
[ 26.007405]  ? syscall_return_slowpath+0x2ac/0x550
[ 26.012314]  ? prepare_exit_to_usermode+0x350/0x350
[ 26.017310]  ? retint_user+0x18/0x18
[ 26.021005]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 26.025841]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 26.031004] RIP: 0033:0x43fd19
[ 26.034169] RSP: 002b:00007fff1c5edb28 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
[ 26.041852] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd19
[ 26.049100] RDX: 0000000000000000 RSI: 0000000020b6dfc8 RDI: 0000000000000003
[ 26.056349] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 26.063602] R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401640
[ 26.070848] R13: 00000000004016d0 R14: 0000000000000000 R15: 0000000000000000
[ 26.078108]
[ 26.079720] Allocated by task 4255:
[ 26.083342]  save_stack+0x43/0xd0
[ 26.086791]  kasan_kmalloc+0xad/0xe0
[ 26.090507]  __kmalloc_node_track_caller+0x47/0x70
[ 26.095434]  __kmalloc_reserve.isra.39+0x41/0xd0
[ 26.100219]  __alloc_skb+0x13b/0x780
[ 26.103932]  pfkey_sendmsg+0x20f/0xa00
[ 26.107822]  sock_sendmsg+0xca/0x110
[ 26.111531]  ___sys_sendmsg+0x767/0x8b0
[ 26.115504]  __sys_sendmsg+0xe5/0x210
[ 26.119301]  SyS_sendmsg+0x2d/0x50
[ 26.122843]  do_syscall_64+0x281/0x940
[ 26.126725]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 26.131886]
[ 26.133487] Freed by task 0:
[ 26.136473] (stack is not available)
[ 26.140157]
[ 26.141760] The buggy address belongs to the object at ffff8801b0bfb5c0
[ 26.141760]  which belongs to the cache kmalloc-512 of size 512
[ 26.154393] The buggy address is located 64 bytes inside of
[ 26.154393]  512-byte region [ffff8801b0bfb5c0, ffff8801b0bfb7c0)
[ 26.166173] The buggy address belongs to the page:
[ 26.171079] page:ffffea0006c2fec0 count:1 mapcount:0 mapping:ffff8801b0bfb0c0 index:0x0
[ 26.179206] flags: 0x2fffc0000000100(slab)
[ 26.183424] raw: 02fffc0000000100 ffff8801b0bfb0c0 0000000000000000 0000000100000006
[ 26.191289] raw: ffffea0006c3fb20 ffff8801dac01748 ffff8801dac00940 0000000000000000
[ 26.199164] page dumped because: kasan: bad access detected
[ 26.204853]
[ 26.206456] Memory state around the buggy address:
[ 26.211368]  ffff8801b0bfb680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 26.218702]  ffff8801b0bfb700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 26.226045] >ffff8801b0bfb780: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 26.233388]                                            ^
[ 26.238822]  ffff8801b0bfb800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 26.246162]  ffff8801b0bfb880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.253504] ==================================================================
[ 26.260836] Disabling lock debugging due to kernel taint
[ 26.266728] Kernel panic - not syncing: panic_on_warn set ...
[ 26.266728]
[ 26.274089] CPU: 0 PID: 4255 Comm: syzkaller293307 Tainted: G B 4.16.0-rc4+ #349
[ 26.282812] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.292142] Call Trace:
[ 26.294708]  dump_stack+0x194/0x24d
[ 26.298314]  ? arch_local_irq_restore+0x53/0x53
[ 26.302966]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 26.307708]  ? vsnprintf+0x1ed/0x1900
[ 26.311489]  ? pfkey_add+0x1540/0x3270
[ 26.315355]  panic+0x1e4/0x41c
[ 26.318522]  ? refcount_error_report+0x214/0x214
[ 26.323254]  ? add_taint+0x1c/0x50
[ 26.326769]  ? add_taint+0x1c/0x50
[ 26.330284]  ? pfkey_add+0x1634/0x3270
[ 26.334149]  kasan_end_report+0x50/0x50
[ 26.338119]  kasan_report+0x149/0x360
[ 26.341906]  check_memory_region+0x137/0x190
[ 26.346287]  memcpy+0x23/0x50
[ 26.349377]  pfkey_add+0x1634/0x3270
[ 26.353075]  ? set_ipsecrequest+0x310/0x310
[ 26.357380]  ? lock_release+0xa40/0xa40
[ 26.361328]  ? set_ipsecrequest+0x310/0x310
[ 26.365630]  pfkey_process+0x67e/0x740
[ 26.369493]  ? pfkey_send_new_mapping+0x11b0/0x11b0
[ 26.374482]  ? kasan_check_write+0x14/0x20
[ 26.378709]  ? dup_iter+0x232/0x260
[ 26.382312]  pfkey_sendmsg+0x4dc/0xa00
[ 26.386176]  ? pfkey_spdget+0xb00/0xb00
[ 26.390126]  ? selinux_socket_sendmsg+0x36/0x40
[ 26.394786]  ? security_socket_sendmsg+0x89/0xb0
[ 26.399517]  ? pfkey_spdget+0xb00/0xb00
[ 26.403466]  sock_sendmsg+0xca/0x110
[ 26.407157]  ___sys_sendmsg+0x767/0x8b0
[ 26.411104]  ? SyS_membarrier+0x700/0x700
[ 26.415228]  ? copy_msghdr_from_user+0x590/0x590
[ 26.419971]  ? __pmd_alloc+0x4e0/0x4e0
[ 26.423838]  ? trace_hardirqs_off+0x10/0x10
[ 26.428136]  ? find_held_lock+0x35/0x1d0
[ 26.432187]  ? __fget_light+0x2b2/0x3c0
[ 26.436138]  ? fget_raw+0x20/0x20
[ 26.439570]  ? find_held_lock+0x35/0x1d0
[ 26.443611]  ? __do_page_fault+0x5f7/0xc90
[ 26.447829]  ? lock_downgrade+0x980/0x980
[ 26.451959]  __sys_sendmsg+0xe5/0x210
[ 26.455743]  ? __sys_sendmsg+0xe5/0x210
[ 26.459712]  ? SyS_shutdown+0x290/0x290
[ 26.463681]  ? __do_page_fault+0x3d6/0xc90
[ 26.467912]  ? move_addr_to_kernel+0x60/0x60
[ 26.472301]  SyS_sendmsg+0x2d/0x50
[ 26.475814]  ? __sys_sendmsg+0x210/0x210
[ 26.479851]  do_syscall_64+0x281/0x940
[ 26.483712]  ? __do_page_fault+0xc90/0xc90
[ 26.487923]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 26.492652]  ? syscall_return_slowpath+0x550/0x550
[ 26.497556]  ? syscall_return_slowpath+0x2ac/0x550
[ 26.502459]  ? prepare_exit_to_usermode+0x350/0x350
[ 26.507453]  ? retint_user+0x18/0x18
[ 26.511146]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 26.515976]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 26.521139] RIP: 0033:0x43fd19
[ 26.524301] RSP: 002b:00007fff1c5edb28 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
[ 26.531982] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd19
[ 26.539233] RDX: 0000000000000000 RSI: 0000000020b6dfc8 RDI: 0000000000000003
[ 26.546484] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 26.553728] R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401640
[ 26.560975] R13: 00000000004016d0 R14: 0000000000000000 R15: 0000000000000000
[ 26.568877] Dumping ftrace buffer:
[ 26.572404]    (ftrace buffer empty)
[ 26.576090] Kernel Offset: disabled
[ 26.579696] Rebooting in 86400 seconds..