[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: 
[   23.429752] random: sshd: uninitialized urandom read (32 bytes read)
[   23.950866] audit: type=1400 audit(1548074697.960:6): avc:  denied  { map } for  pid=1750 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   24.018630] random: sshd: uninitialized urandom read (32 bytes read)
[   24.477988] random: sshd: uninitialized urandom read (32 bytes read)
[   31.197616] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.131' (ECDSA) to the list of known hosts.
[   36.876270] random: sshd: uninitialized urandom read (32 bytes read)
[   36.965228] audit: type=1400 audit(1548074710.970:7): avc:  denied  { map } for  pid=1768 comm="syz-executor996" path="/root/syz-executor996671278" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[   37.241927] ==================================================================
[   37.249656] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[   37.256301] Read of size 8 at addr ffff8881d45b9150 by task syz-executor996/1771
[   37.263810] 
[   37.265424] CPU: 1 PID: 1771 Comm: syz-executor996 Not tainted 4.14.94+ #12
[   37.272497] Call Trace:
[   37.275188]  dump_stack+0xb9/0x10e
[   37.278867]  ? ip_local_deliver+0x43d/0x450
[   37.283261]  print_address_description+0x60/0x226
[   37.288089]  ? ip_local_deliver+0x43d/0x450
[   37.292407]  kasan_report.cold+0x88/0x2a5
[   37.296540]  ? ip_local_deliver+0x43d/0x450
[   37.300844]  ? ip_call_ra_chain+0x540/0x540
[   37.305143]  ? __lock_acquire+0x56a/0x3fa0
[   37.309362]  ? ip_rcv+0x99f/0xf7a
[   37.312797]  ? ip_rcv_finish+0x5c9/0x1490
[   37.317071]  ? ip_rcv+0x9e2/0xf7a
[   37.320505]  ? ip_local_deliver+0x450/0x450
[   37.324806]  ? __lock_acquire+0x56a/0x3fa0
[   37.329023]  ? check_preemption_disabled+0x35/0x1f0
[   37.334028]  ? ip_local_deliver+0x450/0x450
[   37.338327]  ? __netif_receive_skb_core+0x1364/0x2c60
[   37.343839]  ? trace_hardirqs_on+0x10/0x10
[   37.348427]  ? flush_backlog+0x580/0x580
[   37.352474]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   37.358444]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   37.363619]  ? lock_acquire+0x10f/0x380
[   37.367583]  ? __netif_receive_skb+0x55/0x1f0
[   37.372057]  ? __netif_receive_skb+0x55/0x1f0
[   37.376530]  ? netif_receive_skb_internal+0xec/0x5c0
[   37.381609]  ? dev_cpu_dead+0x810/0x810
[   37.385570]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   37.391002]  ? rcu_read_lock_sched_held+0x10a/0x130
[   37.396003]  ? tun_rx_batched.isra.0+0x45d/0x730
[   37.400739]  ? __skb_get_hash_symmetric+0x255/0x620
[   37.405751]  ? tun_chr_read_iter+0x1c0/0x1c0
[   37.410152]  ? tun_get_user+0xc07/0x3790
[   37.414194]  ? __local_bh_enable_ip+0x65/0xc0
[   37.418694]  ? tun_get_user+0xd95/0x3790
[   37.422750]  ? tun_rx_batched.isra.0+0x730/0x730
[   37.427604]  ? debug_mutex_add_waiter+0x60/0x150
[   37.432337]  ? mark_held_locks+0xa6/0xf0
[   37.436389]  ? get_page_from_freelist+0x85e/0x1d60
[   37.441300]  ? preempt_count_add+0xb8/0x180
[   37.445605]  ? __tun_get+0x11c/0x220
[   37.449308]  ? check_preemption_disabled+0x35/0x1f0
[   37.454452]  ? tun_chr_write_iter+0xcf/0x180
[   37.458852]  ? do_iter_readv_writev+0x379/0x580
[   37.463500]  ? clone_verify_area+0x1e0/0x1e0
[   37.467907]  ? avc_policy_seqno+0x5/0x10
[   37.471952]  ? security_file_permission+0x88/0x1e0
[   37.476865]  ? do_iter_write+0x152/0x550
[   37.480909]  ? lock_downgrade+0x5d0/0x5d0
[   37.485047]  ? vfs_writev+0x146/0x2d0
[   37.488832]  ? vfs_iter_write+0xa0/0xa0
[   37.492796]  ? __handle_mm_fault+0x6c5/0x2640
[   37.497283]  ? __do_page_fault+0x48e/0xb80
[   37.501494]  ? lock_downgrade+0x5d0/0x5d0
[   37.505804]  ? check_preemption_disabled+0x35/0x1f0
[   37.510811]  ? do_writev+0xc9/0x240
[   37.514426]  ? vfs_writev+0x2d0/0x2d0
[   37.518212]  ? do_syscall_64+0x43/0x4b0
[   37.522183]  ? SyS_readv+0x30/0x30
[   37.525703]  ? do_syscall_64+0x19b/0x4b0
[   37.529938]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   37.536988] 
[   37.538598] Allocated by task 1771:
[   37.542206]  kasan_kmalloc.part.0+0x4f/0xd0
[   37.546504]  kmem_cache_alloc+0xd2/0x2d0
[   37.550543]  __build_skb+0x2e/0x2d0
[   37.554302]  build_skb+0x1a/0x1f0
[   37.557735]  tun_get_user+0x248b/0x3790
[   37.561692]  tun_chr_write_iter+0xcf/0x180
[   37.565906]  do_iter_readv_writev+0x379/0x580
[   37.570802]  do_iter_write+0x152/0x550
[   37.575763]  vfs_writev+0x146/0x2d0
[   37.581179]  do_writev+0xc9/0x240
[   37.585564]  do_syscall_64+0x19b/0x4b0
[   37.589425] 
[   37.591029] Freed by task 1771:
[   37.594287]  kasan_slab_free+0xb0/0x190
[   37.598242]  kmem_cache_free+0xc4/0x330
[   37.602199]  kfree_skbmem+0xa0/0x100
[   37.605893]  kfree_skb+0xcd/0x350
[   37.609327]  ip_defrag+0x5f4/0x3b50
[   37.612930]  ip_local_deliver+0x165/0x450
[   37.617058]  ip_rcv_finish+0x5c9/0x1490
[   37.621010]  ip_rcv+0x9e2/0xf7a
[   37.624269]  __netif_receive_skb_core+0x1364/0x2c60
[   37.629262]  __netif_receive_skb+0x55/0x1f0
[   37.633561]  netif_receive_skb_internal+0xec/0x5c0
[   37.638645]  tun_rx_batched.isra.0+0x45d/0x730
[   37.643213]  tun_get_user+0xd95/0x3790
[   37.647082]  tun_chr_write_iter+0xcf/0x180
[   37.651296]  do_iter_readv_writev+0x379/0x580
[   37.655769]  do_iter_write+0x152/0x550
[   37.659635]  vfs_writev+0x146/0x2d0
[   37.663237]  do_writev+0xc9/0x240
[   37.666666]  do_syscall_64+0x19b/0x4b0
[   37.670527] 
[   37.672131] The buggy address belongs to the object at ffff8881d45b9140
[   37.672131]  which belongs to the cache skbuff_head_cache of size 224
[   37.685282] The buggy address is located 16 bytes inside of
[   37.685282]  224-byte region [ffff8881d45b9140, ffff8881d45b9220)
[   37.697044] The buggy address belongs to the page:
[   37.701951] page:ffffea0007516e40 count:1 mapcount:0 mapping:          (null) index:0x0
[   37.710216] flags: 0x4000000000000100(slab)
[   37.714521] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[   37.722484] raw: dead000000000100 dead000000000200 ffff8881dab58200 0000000000000000
[   37.730343] page dumped because: kasan: bad access detected
[   37.736026] 
[   37.737627] Memory state around the buggy address:
[   37.742529]  ffff8881d45b9000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.749866]  ffff8881d45b9080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   37.757204] >ffff8881d45b9100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   37.764541]                                                  ^
[   37.770708]  ffff8881d45b9180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.778059]  ffff8881d45b9200: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   37.785391] ==================================================================
[   37.792721] Disabling lock debugging due to kernel taint
[   37.798391] Kernel panic - not syncing: panic_on_warn set ...
[   37.798391] 
[   37.805747] CPU: 1 PID: 1771 Comm: syz-executor996 Tainted: G    B            4.14.94+ #12
[   37.814046] Call Trace:
[   37.816626]  dump_stack+0xb9/0x10e
[   37.820152]  panic+0x1d9/0x3c2
[   37.823322]  ? add_taint.cold+0x16/0x16
[   37.827273]  ? retint_kernel+0x2d/0x2d
[   37.831259]  ? ip_local_deliver+0x43d/0x450
[   37.835687]  kasan_end_report+0x43/0x49
[   37.839638]  kasan_report.cold+0xa4/0x2a5
[   37.843768]  ? ip_local_deliver+0x43d/0x450
[   37.848069]  ? ip_call_ra_chain+0x540/0x540
[   37.852371]  ? __lock_acquire+0x56a/0x3fa0
[   37.856583]  ? ip_rcv+0x99f/0xf7a
[   37.860017]  ? ip_rcv_finish+0x5c9/0x1490
[   37.864142]  ? ip_rcv+0x9e2/0xf7a
[   37.867576]  ? ip_local_deliver+0x450/0x450
[   37.871874]  ? __lock_acquire+0x56a/0x3fa0
[   37.876086]  ? check_preemption_disabled+0x35/0x1f0
[   37.881163]  ? ip_local_deliver+0x450/0x450
[   37.885459]  ? __netif_receive_skb_core+0x1364/0x2c60
[   37.890799]  ? trace_hardirqs_on+0x10/0x10
[   37.895022]  ? flush_backlog+0x580/0x580
[   37.899065]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   37.904235]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   37.909405]  ? lock_acquire+0x10f/0x380
[   37.913355]  ? __netif_receive_skb+0x55/0x1f0
[   37.917827]  ? __netif_receive_skb+0x55/0x1f0
[   37.922305]  ? netif_receive_skb_internal+0xec/0x5c0
[   37.927382]  ? dev_cpu_dead+0x810/0x810
[   37.931333]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   37.936865]  ? rcu_read_lock_sched_held+0x10a/0x130
[   37.941864]  ? tun_rx_batched.isra.0+0x45d/0x730
[   37.946601]  ? __skb_get_hash_symmetric+0x255/0x620
[   37.951595]  ? tun_chr_read_iter+0x1c0/0x1c0
[   37.955991]  ? tun_get_user+0xc07/0x3790
[   37.960035]  ? __local_bh_enable_ip+0x65/0xc0
[   37.964509]  ? tun_get_user+0xd95/0x3790
[   37.968806]  ? tun_rx_batched.isra.0+0x730/0x730
[   37.973917]  ? debug_mutex_add_waiter+0x60/0x150
[   37.978647]  ? mark_held_locks+0xa6/0xf0
[   37.982686]  ? get_page_from_freelist+0x85e/0x1d60
[   37.987589]  ? preempt_count_add+0xb8/0x180
[   37.991890]  ? __tun_get+0x11c/0x220
[   37.995590]  ? check_preemption_disabled+0x35/0x1f0
[   38.000593]  ? tun_chr_write_iter+0xcf/0x180
[   38.004984]  ? do_iter_readv_writev+0x379/0x580
[   38.009631]  ? clone_verify_area+0x1e0/0x1e0
[   38.014022]  ? avc_policy_seqno+0x5/0x10
[   38.018063]  ? security_file_permission+0x88/0x1e0
[   38.022969]  ? do_iter_write+0x152/0x550
[   38.027008]  ? lock_downgrade+0x5d0/0x5d0
[   38.031132]  ? vfs_writev+0x146/0x2d0
[   38.034906]  ? vfs_iter_write+0xa0/0xa0
[   38.038854]  ? __handle_mm_fault+0x6c5/0x2640
[   38.043332]  ? __do_page_fault+0x48e/0xb80
[   38.047540]  ? lock_downgrade+0x5d0/0x5d0
[   38.051664]  ? check_preemption_disabled+0x35/0x1f0
[   38.056657]  ? do_writev+0xc9/0x240
[   38.060256]  ? vfs_writev+0x2d0/0x2d0
[   38.064033]  ? do_syscall_64+0x43/0x4b0
[   38.067983]  ? SyS_readv+0x30/0x30
[   38.071497]  ? do_syscall_64+0x19b/0x4b0
[   38.075537]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   38.081341] Kernel Offset: 0x27a00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   38.092235] Rebooting in 86400 seconds..
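The report above follows the fixed layout KASAN prints: the BUG line naming the access site, the Read/Write line with address and task, the Allocated/Freed stacks, the object and cache description, and the shadow-memory dump. The facts a triager reads first are already in it: the 224-byte skbuff_head_cache object was freed through kfree_skb from ip_defrag, called from ip_local_deliver, and ip_local_deliver then read 8 bytes at offset 16 into the freed object. The following parser is an added example written for this page, not part of the syzkaller log and not syzkaller's own report tooling; it pulls those facts out of the text and cross-checks them. SAMPLE_REPORT is a trimmed copy of the report above; the NOISE prefix list (KASAN and slab-allocator frames skipped when choosing the "interesting" allocation and free site) and the helper names are this example's own assumptions, not a kernel convention.

```python
"""Parse a KASAN report from a syzkaller console log into triage facts.
Added example for this page, not syzkaller's own parser. SAMPLE_REPORT is a
trimmed copy of the report in the log above; NOISE (KASAN and slab-allocator
frames skipped when picking the alloc/free site) is this example's heuristic."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_REPORT = """\
[   37.249656] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[   37.256301] Read of size 8 at addr ffff8881d45b9150 by task syz-executor996/1771
[   37.263810]
[   37.538598] Allocated by task 1771:
[   37.542206]  kasan_kmalloc.part.0+0x4f/0xd0
[   37.546504]  kmem_cache_alloc+0xd2/0x2d0
[   37.550543]  __build_skb+0x2e/0x2d0
[   37.589425]
[   37.591029] Freed by task 1771:
[   37.594287]  kasan_slab_free+0xb0/0x190
[   37.598242]  kmem_cache_free+0xc4/0x330
[   37.605893]  kfree_skb+0xcd/0x350
[   37.609327]  ip_defrag+0x5f4/0x3b50
[   37.612930]  ip_local_deliver+0x165/0x450
[   37.670527]
[   37.672131] The buggy address belongs to the object at ffff8881d45b9140
[   37.672131]  which belongs to the cache skbuff_head_cache of size 224
[   37.685282] The buggy address is located 16 bytes inside of
[   37.685282]  224-byte region [ffff8881d45b9140, ffff8881d45b9220)
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\] ?")  # "[   37.249656] " dmesg timestamp prefix
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size \d+ at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
SECTION_RE = re.compile(r"^(?:(?P<call>Call Trace)|(?P<alloc>Allocated) by task \d+|(?P<free>Freed) by task \d+):$")
FRAME_RE = re.compile(r"^\s*(\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")  # "? " = unreliable frame
OBJECT_RE = re.compile(r"belongs to the object at (?P<obj>[0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET_RE = re.compile(r"located (?P<off>\d+) bytes (?P<where>inside of|to the (?:left|right) of)")
NOISE = ("kasan_", "kmem_cache_", "kmalloc", "__kmalloc", "kzalloc", "kfree")  # heuristic

@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""                 # function on the BUG: line, i.e. the use site
    op: str = ""
    addr: int = 0
    task: str = ""                 # "comm/pid" as printed
    stacks: Dict[str, List[str]] = field(default_factory=dict)  # keys: call/alloc/free
    object_addr: Optional[int] = None
    cache: str = ""
    cache_size: int = 0
    object_offset: Optional[int] = None
    offset_where: str = ""

    def title(self) -> str:
        return f"KASAN: {self.kind} {self.op} in {self.func}"

    def site(self, which: str, up: int = 0) -> Optional[str]:
        """First non-noise frame of the `which` stack, or its `up`-th caller."""
        stack = self.stacks.get(which, [])
        for i, sym in enumerate(stack):
            if not sym.startswith(NOISE):
                return stack[i + up] if i + up < len(stack) else None
        return None

    def offset_consistent(self) -> bool:
        """Cross-check the stated offset against the access address and object bounds."""
        if self.object_addr is None or self.object_offset is None:
            return False
        base, end = self.object_addr, self.object_addr + self.cache_size
        expect = {"inside of": self.addr - base, "to the right of": self.addr - end,
                  "to the left of": base - self.addr}
        return expect.get(self.offset_where) == self.object_offset

    def use_site_is_free_caller(self) -> bool:
        """Use site is the caller of the freeing function: callee freed, caller kept using."""
        return self.site("free", 1) == self.func

def parse_kasan_report(text: str) -> KasanReport:
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).rstrip()
        if m := SECTION_RE.match(line.strip()):
            section = r.stacks.setdefault(m.lastgroup, [])
        elif section is not None and (m := FRAME_RE.match(line)):
            section.append(m["sym"])
        elif not line.strip() or section is not None:
            section = None             # blank or non-frame line ends a stack dump
        elif m := BUG_RE.search(line):
            r.kind, r.func = m["kind"], m["func"]
        elif m := ACCESS_RE.search(line):
            r.op, r.addr, r.task = m["op"], int(m["addr"], 16), m["task"]
        elif m := OBJECT_RE.search(line):
            r.object_addr = int(m["obj"], 16)
        elif m := CACHE_RE.search(line):
            r.cache, r.cache_size = m["cache"], int(m["size"])
        elif m := OFFSET_RE.search(line):
            r.object_offset, r.offset_where = int(m["off"]), m["where"]
    return r
```

Calling parse_kasan_report(SAMPLE_REPORT) yields title() "KASAN: use-after-free Read in ip_local_deliver", site("alloc") "__build_skb", site("free") "ip_defrag" and site("free", 1) "ip_local_deliver", so use_site_is_free_caller() is true: the same function that sits above ip_defrag in the freeing stack is the one that touched the object afterwards. The parser ignores lines it does not recognise, so it can be pointed at a whole console log rather than a cut-out report; offset_consistent() catches a mangled or truncated report by recomputing the stated offset from the addresses, for out-of-bounds reports as well as use-after-free ones.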