[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 40.085932] random: sshd: uninitialized urandom read (32 bytes read)
[ 40.475082] audit: type=1400 audit(1537992385.596:6): avc: denied { map } for pid=1792 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 40.525414] random: sshd: uninitialized urandom read (32 bytes read)
[ 41.005619] random: sshd: uninitialized urandom read (32 bytes read)
[ 41.165465] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.29' (ECDSA) to the list of known hosts.
[ 46.790354] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 46.881701] audit: type=1400 audit(1537992392.006:7): avc: denied { map } for pid=1810 comm="syz-executor766" path="/root/syz-executor766295278" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 46.909861] audit: type=1400 audit(1537992392.026:8): avc: denied { prog_load } for pid=1810 comm="syz-executor766" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 46.933717] audit: type=1400 audit(1537992392.056:9): avc: denied { prog_run } for pid=1810 comm="syz-executor766" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 46.933787] ==================================================================
[ 46.933811] BUG: KASAN: slab-out-of-bounds in bpf_skb_change_head+0x461/0x530
[ 46.933817] Read of size 4 at addr ffff8801d2fa6378 by task syz-executor766/1810
[ 46.933819]
[ 46.933828] CPU: 1 PID: 1810 Comm: syz-executor766 Not tainted 4.14.72+ #9
[ 46.933831] Call Trace:
[ 46.933842]  dump_stack+0xb9/0x11b
[ 46.933857]  print_address_description+0x60/0x22b
[ 46.933869]  kasan_report.cold.6+0x11b/0x2dd
[ 46.933876]  ? bpf_skb_change_head+0x461/0x530
[ 46.933888]  bpf_skb_change_head+0x461/0x530
[ 46.933905]  ___bpf_prog_run+0x248e/0x5c70
[ 46.933931]  ? __free_insn_slot+0x490/0x490
[ 46.933940]  ? bpf_jit_compile+0x30/0x30
[ 46.933966]  ? depot_save_stack+0x20a/0x428
[ 46.933979]  ? __bpf_prog_run512+0x99/0xe0
[ 46.933986]  ? ___bpf_prog_run+0x5c70/0x5c70
[ 46.934005]  ? __lock_acquire+0x619/0x4320
[ 46.934021]  ? trace_hardirqs_on+0x10/0x10
[ 46.934033]  ? trace_hardirqs_on+0x10/0x10
[ 46.934044]  ? __lock_acquire+0x619/0x4320
[ 46.934057]  ? get_unused_fd_flags+0xc0/0xc0
[ 46.934072]  ? bpf_test_run+0x57/0x350
[ 46.934089]  ? lock_acquire+0x10f/0x380
[ 46.934111]  ? check_preemption_disabled+0x34/0x160
[ 46.934146]  ? bpf_test_run+0xab/0x350
[ 46.934165]  ? bpf_prog_test_run_skb+0x6b0/0x8c0
[ 46.934179]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 46.934189]  ? __fget_light+0x163/0x1f0
[ 46.934207]  ? bpf_prog_add+0x42/0xa0
[ 46.934219]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 46.934228]  ? SyS_bpf+0x79d/0x3640
[ 46.934242]  ? bpf_prog_get+0x20/0x20
[ 46.934251]  ? __do_page_fault+0x485/0xb60
[ 46.934260]  ? lock_downgrade+0x560/0x560
[ 46.934279]  ? up_read+0x17/0x30
[ 46.934285]  ? __do_page_fault+0x64c/0xb60
[ 46.934298]  ? do_syscall_64+0x43/0x4b0
[ 46.934310]  ? bpf_prog_get+0x20/0x20
[ 46.934315]  ? do_syscall_64+0x19b/0x4b0
[ 46.934330]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 46.934350]
[ 46.934354] Allocated by task 1810:
[ 46.934361]  kasan_kmalloc.part.1+0x4f/0xd0
[ 46.934367]  kmem_cache_alloc+0xe4/0x2b0
[ 46.934375]  __alloc_skb+0xd8/0x550
[ 46.934383]  audit_log_start+0x3dd/0x6f0
[ 46.934392]  common_lsm_audit+0xe8/0x1d00
[ 46.934401]  slow_avc_audit+0x14a/0x1d0
[ 46.934407]  avc_has_perm+0x2f2/0x390
[ 46.934413]  selinux_bpf+0xb4/0x100
[ 46.934419]  security_bpf+0x7c/0xb0
[ 46.934425]  SyS_bpf+0x153/0x3640
[ 46.934430]  do_syscall_64+0x19b/0x4b0
[ 46.934436]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 46.934438]
[ 46.934441] Freed by task 31:
[ 46.934447]  kasan_slab_free+0xac/0x190
[ 46.934453]  kmem_cache_free+0x12d/0x350
[ 46.934459]  kfree_skbmem+0x9e/0x100
[ 46.934464]  kfree_skb+0xd0/0x340
[ 46.934469]  kauditd_hold_skb+0x115/0x140
[ 46.934476]  kauditd_send_queue+0xf9/0x140
[ 46.934482]  kauditd_thread+0x4c7/0x660
[ 46.934488]  kthread+0x348/0x420
[ 46.934493]  ret_from_fork+0x3a/0x50
[ 46.934495]
[ 46.934501] The buggy address belongs to the object at ffff8801d2fa6280
[ 46.934501]  which belongs to the cache skbuff_head_cache of size 224
[ 46.934507] The buggy address is located 24 bytes to the right of
[ 46.934507]  224-byte region [ffff8801d2fa6280, ffff8801d2fa6360)
[ 46.934509] The buggy address belongs to the page:
[ 46.934515] page:ffffea00074be980 count:1 mapcount:0 mapping:          (null) index:0x0
[ 46.934523] flags: 0x4000000000000100(slab)
[ 46.934533] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[ 46.934541] raw: dead000000000100 dead000000000200 ffff8801dab4a800 0000000000000000
[ 46.934544] page dumped because: kasan: bad access detected
[ 46.934546]
[ 46.934548] Memory state around the buggy address:
[ 46.934554]  ffff8801d2fa6200: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 46.934559]  ffff8801d2fa6280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.934564] >ffff8801d2fa6300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 46.934567]                                                                 ^
[ 46.934572]  ffff8801d2fa6380: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 46.934577]  ffff8801d2fa6400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 46.934580] ==================================================================
[ 46.934582] Disabling lock debugging due to kernel taint
[ 46.934586] Kernel panic - not syncing: panic_on_warn set ...
[ 46.934586]
[ 46.934592] CPU: 1 PID: 1810 Comm: syz-executor766 Tainted: G    B 4.14.72+ #9
[ 46.934595] Call Trace:
[ 46.934602]  dump_stack+0xb9/0x11b
[ 46.934612]  panic+0x1bf/0x3a4
[ 46.934618]  ? add_taint.cold.4+0x16/0x16
[ 46.934633]  kasan_end_report+0x43/0x49
[ 46.934640]  kasan_report.cold.6+0x77/0x2dd
[ 46.934647]  ? bpf_skb_change_head+0x461/0x530
[ 46.934655]  bpf_skb_change_head+0x461/0x530
[ 46.934665]  ___bpf_prog_run+0x248e/0x5c70
[ 46.934673]  ? __free_insn_slot+0x490/0x490
[ 46.934681]  ? bpf_jit_compile+0x30/0x30
[ 46.934689]  ? depot_save_stack+0x20a/0x428
[ 46.934698]  ? __bpf_prog_run512+0x99/0xe0
[ 46.934705]  ? ___bpf_prog_run+0x5c70/0x5c70
[ 46.934716]  ? __lock_acquire+0x619/0x4320
[ 46.934727]  ? trace_hardirqs_on+0x10/0x10
[ 46.934735]  ? trace_hardirqs_on+0x10/0x10
[ 46.934743]  ? __lock_acquire+0x619/0x4320
[ 46.934752]  ? get_unused_fd_flags+0xc0/0xc0
[ 46.934762]  ? bpf_test_run+0x57/0x350
[ 46.934773]  ? lock_acquire+0x10f/0x380
[ 46.934781]  ? check_preemption_disabled+0x34/0x160
[ 46.934790]  ? bpf_test_run+0xab/0x350
[ 46.934802]  ? bpf_prog_test_run_skb+0x6b0/0x8c0
[ 46.934811]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 46.934818]  ? __fget_light+0x163/0x1f0
[ 46.934824]  ? bpf_prog_add+0x42/0xa0
[ 46.934832]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 46.934839]  ? SyS_bpf+0x79d/0x3640
[ 46.934850]  ? bpf_prog_get+0x20/0x20
[ 46.934855]  ? __do_page_fault+0x485/0xb60
[ 46.934862]  ? lock_downgrade+0x560/0x560
[ 46.934873]  ? up_read+0x17/0x30
[ 46.934878]  ? __do_page_fault+0x64c/0xb60
[ 46.934886]  ? do_syscall_64+0x43/0x4b0
[ 46.934895]  ? bpf_prog_get+0x20/0x20
[ 46.934900]  ? do_syscall_64+0x19b/0x4b0
[ 46.934909]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 46.956384] Kernel Offset: 0x14200000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 47.540160] Rebooting in 86400 seconds..
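A triage helper for the KASAN report above, added here as an example; it is not part of the syzbot log or of the kernel. It parses the lines every KASAN slab report prints (the access line, the object, cache and region lines, and the shadow-memory dump), recomputes the offset arithmetic from the raw addresses, decodes the shadow byte at the faulting address and finds the first accessible granule after it. The sample input is the relevant lines copied from this report; the shadow-byte encodings (0x00 accessible, 0xfb freed slab object, 0xfc slab redzone, and so on) are the generic KASAN values from mm/kasan/kasan.h.

```python
"""Triage helper for a KASAN slab report (added example; sample lines are
copied from the syzbot report above, shadow encodings from mm/kasan/kasan.h)."""
import re

SHADOW_SCALE = 8  # one shadow byte describes an 8-byte granule of kernel memory

# Generic KASAN shadow encodings; values 1..7 mean only the first N bytes of
# the granule are accessible.
SHADOW_NAMES = {
    0x00: "accessible",
    0xfa: "global redzone",
    0xfb: "freed slab object",
    0xfc: "slab redzone",
    0xfe: "page redzone",
    0xff: "freed page",
}


def shadow_name(value):
    if 1 <= value <= 7:
        return "partially accessible (%d bytes)" % value
    return SHADOW_NAMES.get(value, "unknown 0x%02x" % value)


# Constructed sample: the relevant lines of the report on this page.
SAMPLE_REPORT = """\
BUG: KASAN: slab-out-of-bounds in bpf_skb_change_head+0x461/0x530
Read of size 4 at addr ffff8801d2fa6378 by task syz-executor766/1810
The buggy address belongs to the object at ffff8801d2fa6280
 which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 24 bytes to the right of
 224-byte region [ffff8801d2fa6280, ffff8801d2fa6360)
Memory state around the buggy address:
 ffff8801d2fa6200: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801d2fa6280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801d2fa6300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff8801d2fa6380: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
 ffff8801d2fa6400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

BUG_RE = re.compile(r"^BUG: KASAN: (\S+) in (\S+)")
ACCESS_RE = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)")
CACHE_RE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
REGION_RE = re.compile(r"(\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)")
SHADOW_RE = re.compile(r"^[> ]?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)$")


def parse_report(text):
    """Extract bug type, access, object/cache fields and the shadow map
    ({granule address: shadow byte}) from the report text."""
    info = {"shadow": {}}
    for line in text.splitlines():
        m = BUG_RE.match(line)
        if m:
            info["bug"], info["func"] = m.groups()
            continue
        m = ACCESS_RE.match(line)
        if m:
            info["op"], info["size"] = m.group(1), int(m.group(2))
            info["addr"], info["task"] = int(m.group(3), 16), m.group(4)
            continue
        m = CACHE_RE.search(line)
        if m:
            info["cache"], info["obj_size"] = m.group(1), int(m.group(2))
            continue
        m = REGION_RE.search(line)
        if m:
            info["obj_start"], info["obj_end"] = int(m.group(2), 16), int(m.group(3), 16)
            continue
        m = SHADOW_RE.match(line)
        if m:
            base = int(m.group(1), 16)
            for i, byte in enumerate(m.group(2).split()):
                info["shadow"][base + i * SHADOW_SCALE] = int(byte, 16)
    return info


def triage(info):
    """Recompute the report's offset arithmetic and decode the shadow state of
    the faulting access; every value derives from the parsed numbers only."""
    addr, size = info["addr"], info["size"]
    start, end = info["obj_start"], info["obj_end"]
    shadow = info["shadow"]
    granule = addr - addr % SHADOW_SCALE
    touched = set()
    for a in range(granule, addr + size, SHADOW_SCALE):
        touched.add(shadow_name(shadow[a]) if a in shadow else "outside dump")
    # First fully accessible granule at or after the access: where the next
    # live object begins (inferred from the shadow map; KASAN does not print it).
    nxt = next((a for a in sorted(shadow) if a >= addr and shadow[a] == 0), None)
    return {
        "region_len_ok": end - start == info["obj_size"],
        "offset_from_object": addr - start,
        "bytes_past_end": addr - end,
        "shadow_at_addr": shadow_name(shadow[granule]) if granule in shadow else "outside dump",
        "shadow_states_touched": sorted(touched),
        "next_accessible": nxt,
        "bytes_before_next_object": None if nxt is None else nxt - addr,
    }


if __name__ == "__main__":
    info = parse_report(SAMPLE_REPORT)
    print("%s: %s of %d bytes in %s (%s)" % (info["bug"], info["op"], info["size"],
                                             info["func"], info["cache"]))
    for key, value in triage(info).items():
        print("  %-26s %s" % (key, hex(value) if key == "next_accessible" and value else value))
```

Run against this report it confirms the 24-byte distance past the 224-byte region, decodes the shadow byte at ffff8801d2fa6378 as slab redzone (which is why KASAN classified the bug as slab-out-of-bounds rather than use-after-free, even though the nearest object is marked freed), and shows that the next accessible granule starts 72 bytes further on at ffff8801d2fa63c0, so the read lands in the redzone between two skbuff_head_cache objects. Keep in mind that KASAN attributes the address to the nearest object: the "Allocated by" and "Freed by" stacks describe that neighbouring audit skb (allocated in audit_log_start, freed by kauditd_thread), which is not necessarily the skb the BPF program was operating on in bpf_skb_change_head.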