[ 31.661853] audit: type=1800 audit(1567208103.195:33): pid=6795 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 31.691028] audit: type=1800 audit(1567208103.195:34): pid=6795 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 36.872982] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.459707] audit: type=1400 audit(1567208108.985:35): avc: denied { map } for pid=6970 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 37.503712] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.028954] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.222809] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.214' (ECDSA) to the list of known hosts.
[ 43.675379] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 43.797950] audit: type=1400 audit(1567208115.325:36): avc: denied { map } for pid=6982 comm="syz-executor826" path="/root/syz-executor826874174" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 43.825909] ==================================================================
[ 43.833672] BUG: KASAN: slab-out-of-bounds in bpf_clone_redirect+0x2de/0x2f0
[ 43.841070] Read of size 8 at addr ffff88807f24b2b0 by task syz-executor826/6982
[ 43.849325]
[ 43.851050] CPU: 0 PID: 6982 Comm: syz-executor826 Not tainted 4.14.141 #37
[ 43.858720] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.868596] Call Trace:
[ 43.871235]  dump_stack+0x138/0x197
[ 43.874876]  ? bpf_clone_redirect+0x2de/0x2f0
[ 43.879472]  print_address_description.cold+0x7c/0x1dc
[ 43.884765]  ? bpf_clone_redirect+0x2de/0x2f0
[ 43.889524]  kasan_report.cold+0xa9/0x2af
[ 43.893690]  __asan_report_load8_noabort+0x14/0x20
[ 43.898955]  bpf_clone_redirect+0x2de/0x2f0
[ 43.903439]  ? bpf_prog_test_run_skb+0x157/0x9a0
[ 43.908206]  ? SyS_bpf+0x6ad/0x2da8
[ 43.911837]  bpf_prog_7a8598871316c8c3+0x651/0x1000
[ 43.916928]  ? trace_hardirqs_on+0x10/0x10
[ 43.921549]  ? trace_hardirqs_on+0x10/0x10
[ 43.926099]  ? bpf_test_run+0x44/0x330
[ 43.930082]  ? find_held_lock+0x35/0x130
[ 43.934264]  ? bpf_test_run+0x44/0x330
[ 43.938182]  ? lock_acquire+0x16f/0x430
[ 43.942170]  ? check_preemption_disabled+0x3c/0x250
[ 43.947209]  ? bpf_test_run+0xa8/0x330
[ 43.951213]  ? bpf_prog_test_run_skb+0x6c2/0x9a0
[ 43.956649]  ? bpf_test_init.isra.0+0xe0/0xe0
[ 43.961155]  ? __bpf_prog_get+0x153/0x1a0
[ 43.965429]  ? SyS_bpf+0x6ad/0x2da8
[ 43.969197]  ? __do_page_fault+0x4e9/0xb80
[ 43.973445]  ? bpf_test_init.isra.0+0xe0/0xe0
[ 43.978026]  ? bpf_prog_get+0x20/0x20
[ 43.981986]  ? lock_downgrade+0x6e0/0x6e0
[ 43.986283]  ? up_read+0x1a/0x40
[ 43.989888]  ? __do_page_fault+0x358/0xb80
[ 43.994258]  ? bpf_prog_get+0x20/0x20
[ 43.998125]  ? do_syscall_64+0x1e8/0x640
[ 44.002194]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 44.007321]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.012693]
[ 44.014350] Allocated by task 0:
[ 44.017745] (stack is not available)
[ 44.021592]
[ 44.023349] Freed by task 0:
[ 44.026542] (stack is not available)
[ 44.030336]
[ 44.032101] The buggy address belongs to the object at ffff88807f24b200
[ 44.032101]  which belongs to the cache skbuff_head_cache of size 232
[ 44.045411] The buggy address is located 176 bytes inside of
[ 44.045411]  232-byte region [ffff88807f24b200, ffff88807f24b2e8)
[ 44.057635] The buggy address belongs to the page:
[ 44.062751] page:ffffea0001fc92c0 count:1 mapcount:0 mapping:ffff88807f24b0c0 index:0x0
[ 44.071436] flags: 0x1fffc0000000100(slab)
[ 44.075942] raw: 01fffc0000000100 ffff88807f24b0c0 0000000000000000 000000010000000c
[ 44.084735] raw: ffffea000287e4e0 ffffea000269a920 ffff8880a9e82d80 0000000000000000
[ 44.092953] page dumped because: kasan: bad access detected
[ 44.098757]
[ 44.100373] Memory state around the buggy address:
[ 44.105563]  ffff88807f24b180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.113207]  ffff88807f24b200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.120612] >ffff88807f24b280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.127979]                                      ^
[ 44.133197]  ffff88807f24b300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.140742]  ffff88807f24b380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.148193] ==================================================================
[ 44.155655] Disabling lock debugging due to kernel taint
[ 44.161588] Kernel panic - not syncing: panic_on_warn set ...
[ 44.161588]
[ 44.168956] CPU: 0 PID: 6982 Comm: syz-executor826 Tainted: G    B   4.14.141 #37
[ 44.177267] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.186726] Call Trace:
[ 44.189518]  dump_stack+0x138/0x197
[ 44.193156]  ? bpf_clone_redirect+0x2de/0x2f0
[ 44.197752]  panic+0x1f2/0x426
[ 44.200963]  ? add_taint.cold+0x16/0x16
[ 44.205044]  kasan_end_report+0x47/0x4f
[ 44.209025]  kasan_report.cold+0x130/0x2af
[ 44.213268]  __asan_report_load8_noabort+0x14/0x20
[ 44.218296]  bpf_clone_redirect+0x2de/0x2f0
[ 44.222800]  ? bpf_prog_test_run_skb+0x157/0x9a0
[ 44.227669]  ? SyS_bpf+0x6ad/0x2da8
[ 44.231522]  bpf_prog_7a8598871316c8c3+0x651/0x1000
[ 44.236552]  ? trace_hardirqs_on+0x10/0x10
[ 44.240979]  ? trace_hardirqs_on+0x10/0x10
[ 44.245221]  ? bpf_test_run+0x44/0x330
[ 44.249156]  ? find_held_lock+0x35/0x130
[ 44.253482]  ? bpf_test_run+0x44/0x330
[ 44.257622]  ? lock_acquire+0x16f/0x430
[ 44.261595]  ? check_preemption_disabled+0x3c/0x250
[ 44.266884]  ? bpf_test_run+0xa8/0x330
[ 44.270891]  ? bpf_prog_test_run_skb+0x6c2/0x9a0
[ 44.275875]  ? bpf_test_init.isra.0+0xe0/0xe0
[ 44.280748]  ? __bpf_prog_get+0x153/0x1a0
[ 44.284901]  ? SyS_bpf+0x6ad/0x2da8
[ 44.289201]  ? __do_page_fault+0x4e9/0xb80
[ 44.293875]  ? bpf_test_init.isra.0+0xe0/0xe0
[ 44.298479]  ? bpf_prog_get+0x20/0x20
[ 44.302505]  ? lock_downgrade+0x6e0/0x6e0
[ 44.307054]  ? up_read+0x1a/0x40
[ 44.310676]  ? __do_page_fault+0x358/0xb80
[ 44.315183]  ? bpf_prog_get+0x20/0x20
[ 44.319722]  ? do_syscall_64+0x1e8/0x640
[ 44.323998]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 44.329633]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.337337] Kernel Offset: disabled
[ 44.341161] Rebooting in 86400 seconds..