[ ok ] Starting enhanced syslogd: rsyslogd.
[ 11.233680] audit: type=1400 audit(1516825118.173:4): avc: denied { syslog } for pid=3174 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[....] Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.204' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 30.374584] ==================================================================
[ 30.375761] BUG: KASAN: slab-out-of-bounds in string+0x1e8/0x200
[ 30.376678] Read of size 1 at addr ffff8801c8a5d5d0 by task syzkaller102848/3332
[ 30.377743]
[ 30.377978] CPU: 1 PID: 3332 Comm: syzkaller102848 Not tainted 4.9.78-ge9dabe6 #28
[ 30.379007] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.380262] ffff8801c92d7610 ffffffff81d943a9 ffffea0007229740 ffff8801c8a5d5d0
[ 30.381535] 0000000000000000 ffff8801c8a5d5d0 ffff8801c92d786c ffff8801c92d7648
[ 30.382762] ffffffff8153dc23 ffff8801c8a5d5d0 0000000000000001 0000000000000000
[ 30.383938] Call Trace:
[ 30.384320] [] dump_stack+0xc1/0x128
[ 30.385054] [] print_address_description+0x73/0x280
[ 30.385951] [] kasan_report+0x275/0x360
[ 30.386737] [] ? string+0x1e8/0x200
[ 30.387456] [] __asan_report_load1_noabort+0x14/0x20
[ 30.388432] [] string+0x1e8/0x200
[ 30.389131] [] vsnprintf+0x7ad/0x16d0
[ 30.389886] [] ? pointer+0xa90/0xa90
[ 30.390619] [] ? __mutex_unlock_slowpath+0x25a/0x3d0
[ 30.391548] [] __request_module+0x14f/0x750
[ 30.392407] [] ? __ww_mutex_lock+0x14a0/0x14a0
[ 30.393256] [] ? call_usermodehelper_setup+0x2c0/0x2c0
[ 30.394185] [] ? xt_unregister_table+0x57/0xf0
[ 30.396935] [] xt_request_find_target+0x8b/0xb0
[ 30.403228] [] translate_compat_table+0x568/0x1760
[ 30.409779] [] ? ipt_register_table+0x2d0/0x2d0
[ 30.416085] [] ? __lock_is_held+0xa1/0xf0
[ 30.421856] [] ? check_stack_object+0x68/0x140
[ 30.428059] [] ? __check_object_size+0x174/0x3a9
[ 30.434432] [] ? 0xffffffff810002b8
[ 30.439679] [] compat_do_replace.isra.15+0x1a7/0x3a0
[ 30.446404] [] ? translate_compat_table+0x1760/0x1760
[ 30.453213] [] ? mark_held_locks+0xaf/0x100
[ 30.459168] [] ? __cap_capable+0x168/0x1c0
[ 30.465029] [] ? ns_capable_common+0xcf/0x160
[ 30.471147] [] compat_do_ipt_set_ctl+0x106/0x150
[ 30.477540] [] compat_nf_setsockopt+0x88/0x130
[ 30.483743] [] ? compat_do_replace.isra.15+0x3a0/0x3a0
[ 30.490754] [] compat_ip_setsockopt+0x9d/0xf0
[ 30.496868] [] compat_udp_setsockopt+0x45/0x80
[ 30.503072] [] compat_sock_common_setsockopt+0xb2/0x140
[ 30.510056] [] ? udp_lib_setsockopt+0x560/0x560
[ 30.516346] [] compat_SyS_setsockopt+0x149/0x290
[ 30.522721] [] ? sock_common_setsockopt+0xd0/0xd0
[ 30.529184] [] ? scm_detach_fds_compat+0x3c0/0x3c0
[ 30.535734] [] ? do_fast_syscall_32+0xcf/0x890
[ 30.541936] [] ? scm_detach_fds_compat+0x3c0/0x3c0
[ 30.548487] [] do_fast_syscall_32+0x2f7/0x890
[ 30.554607] [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.561262] [] entry_SYSENTER_compat+0x74/0x83
[ 30.567463]
[ 30.569063] Allocated by task 3332:
[ 30.572663]  save_stack_trace+0x16/0x20
[ 30.576608]  save_stack+0x43/0xd0
[ 30.580041]  kasan_kmalloc+0xad/0xe0
[ 30.583722]  __kmalloc+0x11d/0x310
[ 30.587234]  xt_alloc_table_info+0x71/0x100
[ 30.591527]  compat_do_replace.isra.15+0x116/0x3a0
[ 30.596424]  compat_do_ipt_set_ctl+0x106/0x150
[ 30.600977]  compat_nf_setsockopt+0x88/0x130
[ 30.605356]  compat_ip_setsockopt+0x9d/0xf0
[ 30.609645]  compat_udp_setsockopt+0x45/0x80
[ 30.614033]  compat_sock_common_setsockopt+0xb2/0x140
[ 30.619191]  compat_SyS_setsockopt+0x149/0x290
[ 30.623743]  do_fast_syscall_32+0x2f7/0x890
[ 30.628036]  entry_SYSENTER_compat+0x74/0x83
[ 30.632411]
[ 30.634007] Freed by task 1917:
[ 30.637257]  save_stack_trace+0x16/0x20
[ 30.641211]  save_stack+0x43/0xd0
[ 30.644633]  kasan_slab_free+0x72/0xc0
[ 30.648491]  kfree+0x103/0x300
[ 30.651654]  free_bprm+0x19d/0x200
[ 30.655165]  do_execveat_common.isra.37+0x17df/0x1f10
[ 30.660323]  SyS_execve+0x42/0x50
[ 30.663748]  do_syscall_64+0x197/0x490
[ 30.667606]  return_from_SYSCALL_64+0x0/0x7e
[ 30.671980]
[ 30.673593] The buggy address belongs to the object at ffff8801c8a5d500
[ 30.673593]  which belongs to the cache kmalloc-256 of size 256
[ 30.686233] The buggy address is located 208 bytes inside of
[ 30.686233]  256-byte region [ffff8801c8a5d500, ffff8801c8a5d600)
[ 30.698079] The buggy address belongs to the page:
[ 30.702987] page:ffffea0007229740 count:1 mapcount:0 mapping: (null) index:0x0
[ 30.711230] flags: 0x8000000000000080(slab)
[ 30.715519] page dumped because: kasan: bad access detected
[ 30.721196]
[ 30.722803] Memory state around the buggy address:
[ 30.727699]  ffff8801c8a5d480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 30.735040]  ffff8801c8a5d500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 30.742405] >ffff8801c8a5d580: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[ 30.749734]                                                  ^
[ 30.755691]  ffff8801c8a5d600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 30.763108]  ffff8801c8a5d680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.770434] ==================================================================
[ 30.777761] Disabling lock debugging due to kernel taint
[ 30.783298] Kernel panic - not syncing: panic_on_warn set ...
[ 30.783298]
[ 30.790644] CPU: 1 PID: 3332 Comm: syzkaller102848 Tainted: G B 4.9.78-ge9dabe6 #28
[ 30.799549] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.808885] ffff8801c92d7568 ffffffff81d943a9 ffffffff841971bf ffff8801c92d7640
[ 30.816857] 0000000000000000 ffff8801c8a5d5d0 ffff8801c92d786c ffff8801c92d7630
[ 30.824839] ffffffff8142f451 0000000041b58ab3 ffffffff8418ac30 ffffffff8142f295
[ 30.832810] Call Trace:
[ 30.835370] [] dump_stack+0xc1/0x128
[ 30.840703] [] panic+0x1bc/0x3a8
[ 30.845689] [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 30.853903] [] ? preempt_schedule+0x25/0x30
[ 30.859854] [] ? ___preempt_schedule+0x16/0x18
[ 30.866060] [] kasan_end_report+0x50/0x50
[ 30.871829] [] kasan_report+0x167/0x360
[ 30.877423] [] ? string+0x1e8/0x200
[ 30.882669] [] __asan_report_load1_noabort+0x14/0x20
[ 30.889390] [] string+0x1e8/0x200
[ 30.894459] [] vsnprintf+0x7ad/0x16d0
[ 30.899876] [] ? pointer+0xa90/0xa90
[ 30.905213] [] ? __mutex_unlock_slowpath+0x25a/0x3d0
[ 30.911939] [] __request_module+0x14f/0x750
[ 30.917879] [] ? __ww_mutex_lock+0x14a0/0x14a0
[ 30.924080] [] ? call_usermodehelper_setup+0x2c0/0x2c0
[ 30.930988] [] ? xt_unregister_table+0x57/0xf0
[ 30.937191] [] xt_request_find_target+0x8b/0xb0
[ 30.943482] [] translate_compat_table+0x568/0x1760
[ 30.950038] [] ? ipt_register_table+0x2d0/0x2d0
[ 30.956329] [] ? __lock_is_held+0xa1/0xf0
[ 30.962105] [] ? check_stack_object+0x68/0x140
[ 30.968308] [] ? __check_object_size+0x174/0x3a9
[ 30.974683] [] ? 0xffffffff810002b8
[ 30.979945] [] compat_do_replace.isra.15+0x1a7/0x3a0
[ 30.986671] [] ? translate_compat_table+0x1760/0x1760
[ 30.993481] [] ? mark_held_locks+0xaf/0x100
[ 30.999435] [] ? __cap_capable+0x168/0x1c0
[ 31.005292] [] ? ns_capable_common+0xcf/0x160
[ 31.011421] [] compat_do_ipt_set_ctl+0x106/0x150
[ 31.017797] [] compat_nf_setsockopt+0x88/0x130
[ 31.023998] [] ? compat_do_replace.isra.15+0x3a0/0x3a0
[ 31.030905] [] compat_ip_setsockopt+0x9d/0xf0
[ 31.037019] [] compat_udp_setsockopt+0x45/0x80
[ 31.043222] [] compat_sock_common_setsockopt+0xb2/0x140
[ 31.050204] [] ? udp_lib_setsockopt+0x560/0x560
[ 31.056491] [] compat_SyS_setsockopt+0x149/0x290
[ 31.062864] [] ? sock_common_setsockopt+0xd0/0xd0
[ 31.069327] [] ? scm_detach_fds_compat+0x3c0/0x3c0
[ 31.075875] [] ? do_fast_syscall_32+0xcf/0x890
[ 31.082076] [] ? scm_detach_fds_compat+0x3c0/0x3c0
[ 31.088624] [] do_fast_syscall_32+0x2f7/0x890
[ 31.094746] [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 31.101384] [] entry_SYSENTER_compat+0x74/0x83
[ 31.107942] Dumping ftrace buffer:
[ 31.111455]    (ftrace buffer empty)
[ 31.115137] Kernel Offset: disabled
[ 31.118736] Rebooting in 86400 seconds..