[ ok ].
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 36.002525] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.322420] audit: type=1400 audit(1575387197.602:35): avc: denied { map } for pid=7048 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 36.376441] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.948533] random: sshd: uninitialized urandom read (32 bytes read)
[ 53.072648] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.1.1' (ECDSA) to the list of known hosts.
[ 58.606460] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 58.723205] audit: type=1400 audit(1575387220.002:36): avc: denied { map } for pid=7060 comm="syz-executor145" path="/root/syz-executor145705848" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 58.828337] ==================================================================
[ 58.828362] BUG: KASAN: slab-out-of-bounds in bit_putcs+0xc09/0xdb0
[ 58.828367] Read of size 1 at addr ffff88808b9f4ff4 by task syz-executor145/7060
[ 58.828369]
[ 58.828376] CPU: 0 PID: 7060 Comm: syz-executor145 Not tainted 4.14.157-syzkaller #0
[ 58.828378] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.828381] Call Trace:
[ 58.828392] dump_stack+0x142/0x197
[ 58.828398] ? bit_putcs+0xc09/0xdb0
[ 58.828406] print_address_description.cold+0x7c/0x1dc
[ 58.828411] ? bit_putcs+0xc09/0xdb0
[ 58.828416] kasan_report.cold+0xa9/0x2af
[ 58.828422] __asan_report_load1_noabort+0x14/0x20
[ 58.828426] bit_putcs+0xc09/0xdb0
[ 58.828430] ? memcpy+0x46/0x50
[ 58.828441] ? update_attr.isra.0+0x160/0x160
[ 58.828448] ? update_attr.isra.0+0x160/0x160
[ 58.828452] ? fb_get_color_depth+0x5f/0x70
[ 58.828458] ? update_attr.isra.0+0x160/0x160
[ 58.828462] fbcon_putcs+0x3c2/0x480
[ 58.828471] do_update_region+0x3b3/0x650
[ 58.828478] ? con_get_trans_old+0x230/0x230
[ 58.828482] ? fbcon_set_palette+0x203/0x5b0
[ 58.828487] ? fbcon_redraw.isra.0+0x440/0x440
[ 58.828494] redraw_screen+0x589/0x7c0
[ 58.828500] ? con_flush_chars+0x90/0x90
[ 58.828504] ? fbcon_set_palette+0x203/0x5b0
[ 58.828510] fbcon_modechanged+0x59e/0x880
[ 58.828518] fbcon_event_notify+0x11f/0x17af
[ 58.828525] ? lock_acquire+0x16f/0x430
[ 58.828533] notifier_call_chain+0x111/0x1b0
[ 58.828540] blocking_notifier_call_chain+0x80/0xa0
[ 58.828547] fb_notifier_call_chain+0x25/0x30
[ 58.828552] fb_set_var+0xb09/0xcf0
[ 58.828557] ? fb_set_suspend+0x110/0x110
[ 58.828561] ? lock_acquire+0x16f/0x430
[ 58.828565] ? lock_fb_info+0x1f/0x80
[ 58.828571] ? lock_fb_info+0x1f/0x80
[ 58.828576] ? __mutex_lock+0x36a/0x1470
[ 58.828581] ? trace_hardirqs_on+0x10/0x10
[ 58.828585] ? save_trace+0x290/0x290
[ 58.828592] ? mutex_trylock+0x1c0/0x1c0
[ 58.828596] ? down+0x50/0x90
[ 58.828607] ? mutex_lock_nested+0x16/0x20
[ 58.828610] ? mutex_lock_nested+0x16/0x20
[ 58.828615] do_fb_ioctl+0x3cc/0x940
[ 58.828619] ? fb_read+0x520/0x520
[ 58.828627] ? avc_has_extended_perms+0x8ec/0xe40
[ 58.828632] ? putname+0xdb/0x120
[ 58.828638] ? avc_ss_reset+0x110/0x110
[ 58.828642] ? kmem_cache_free+0x83/0x2b0
[ 58.828649] ? do_syscall_64+0x1e8/0x640
[ 58.828654] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 58.828658] ? find_held_lock+0x35/0x130
[ 58.828664] ? debug_check_no_obj_freed+0x2aa/0x7b7
[ 58.828677] ? __might_sleep+0x93/0xb0
[ 58.828687] fb_ioctl+0xe6/0x130
[ 58.828692] ? do_fb_ioctl+0x940/0x940
[ 58.828697] do_vfs_ioctl+0x7ae/0x1060
[ 58.828703] ? selinux_file_mprotect+0x5d0/0x5d0
[ 58.828707] ? kmem_cache_free+0x244/0x2b0
[ 58.828712] ? ioctl_preallocate+0x1c0/0x1c0
[ 58.828715] ? putname+0xe0/0x120
[ 58.828722] ? do_sys_open+0x221/0x430
[ 58.828730] ? security_file_ioctl+0x7d/0xb0
[ 58.828734] ? security_file_ioctl+0x89/0xb0
[ 58.828740] SyS_ioctl+0x8f/0xc0
[ 58.828745] ? do_vfs_ioctl+0x1060/0x1060
[ 58.828750] do_syscall_64+0x1e8/0x640
[ 58.828754] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 58.828761] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 58.828766] RIP: 0033:0x444dd9
[ 58.828769] RSP: 002b:00007ffd79b832c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 58.828775] RAX: ffffffffffffffda RBX: 00007ffd79b832d0 RCX: 0000000000444dd9
[ 58.828778] RDX: 00000000200002c0 RSI: 0000000000004601 RDI: 0000000000000005
[ 58.828781] RBP: 0000000000000000 R08: 0000000000401690 R09: 0000000000401690
[ 58.828784] R10: 0000000000401690 R11: 0000000000000246 R12: 0000000000402ae0
[ 58.828787] R13: 0000000000402b70 R14: 0000000000000000 R15: 0000000000000000
[ 58.828794]
[ 58.828797] Allocated by task 7060:
[ 58.828803] save_stack_trace+0x16/0x20
[ 58.828807] save_stack+0x45/0xd0
[ 58.828810] kasan_kmalloc+0xce/0xf0
[ 58.828813] __kmalloc+0x15d/0x7a0
[ 58.828817] fbcon_set_font+0x2f8/0x7b0
[ 58.828821] con_font_op+0xc0f/0x1060
[ 58.828825] vt_ioctl+0xb80/0x2170
[ 58.828829] tty_ioctl+0x841/0x1320
[ 58.828832] do_vfs_ioctl+0x7ae/0x1060
[ 58.828836] SyS_ioctl+0x8f/0xc0
[ 58.828840] do_syscall_64+0x1e8/0x640
[ 58.828844] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 58.828845]
[ 58.828847] Freed by task 0:
[ 58.828848] (stack is not available)
[ 58.828850]
[ 58.828853] The buggy address belongs to the object at ffff88808b9f4d80
[ 58.828853]  which belongs to the cache kmalloc-1024 of size 1024
[ 58.828857] The buggy address is located 628 bytes inside of
[ 58.828857]  1024-byte region [ffff88808b9f4d80, ffff88808b9f5180)
[ 58.828858] The buggy address belongs to the page:
[ 58.828863] page:ffffea00022e7d00 count:1 mapcount:0 mapping:ffff88808b9f4000 index:0x0 compound_mapcount: 0
[ 58.828874] flags: 0xfffe0000008100(slab|head)
[ 58.828881] raw: 00fffe0000008100 ffff88808b9f4000 0000000000000000 0000000100000007
[ 58.828885] raw: ffffea0002302da0 ffff8880aa801848 ffff8880aa800ac0 0000000000000000
[ 58.828887] page dumped because: kasan: bad access detected
[ 58.828889]
[ 58.828890] Memory state around the buggy address:
[ 58.828894]  ffff88808b9f4e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 58.828897]  ffff88808b9f4f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 58.828900] >ffff88808b9f4f80: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 58.828902] ^
[ 58.828906]  ffff88808b9f5000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 58.828909]  ffff88808b9f5080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 58.828911] ==================================================================
[ 58.828913] Disabling lock debugging due to kernel taint
[ 58.828916] Kernel panic - not syncing: panic_on_warn set ...
[ 58.828916]
[ 58.828921] CPU: 0 PID: 7060 Comm: syz-executor145 Tainted: G B 4.14.157-syzkaller #0
[ 58.828924] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.828925] Call Trace:
[ 58.828931] dump_stack+0x142/0x197
[ 58.828935] ? bit_putcs+0xc09/0xdb0
[ 58.828939] panic+0x1f9/0x42d
[ 58.828943] ? add_taint.cold+0x16/0x16
[ 58.828947] ? lock_downgrade+0x740/0x740
[ 58.828953] kasan_end_report+0x47/0x4f
[ 58.828957] kasan_report.cold+0x130/0x2af
[ 58.828962] __asan_report_load1_noabort+0x14/0x20
[ 58.828965] bit_putcs+0xc09/0xdb0
[ 58.828969] ? memcpy+0x46/0x50
[ 58.828976] ? update_attr.isra.0+0x160/0x160
[ 58.828981] ? update_attr.isra.0+0x160/0x160
[ 58.828984] ? fb_get_color_depth+0x5f/0x70
[ 58.828989] ? update_attr.isra.0+0x160/0x160
[ 58.828993] fbcon_putcs+0x3c2/0x480
[ 58.828998] do_update_region+0x3b3/0x650
[ 58.829003] ? con_get_trans_old+0x230/0x230
[ 58.829006] ? fbcon_set_palette+0x203/0x5b0
[ 58.829010] ? fbcon_redraw.isra.0+0x440/0x440
[ 58.829015] redraw_screen+0x589/0x7c0
[ 58.829020] ? con_flush_chars+0x90/0x90
[ 58.829023] ? fbcon_set_palette+0x203/0x5b0
[ 58.829028] fbcon_modechanged+0x59e/0x880
[ 58.829033] fbcon_event_notify+0x11f/0x17af
[ 58.829038] ? lock_acquire+0x16f/0x430
[ 58.829042] notifier_call_chain+0x111/0x1b0
[ 58.829048] blocking_notifier_call_chain+0x80/0xa0
[ 58.829052] fb_notifier_call_chain+0x25/0x30
[ 58.829056] fb_set_var+0xb09/0xcf0
[ 58.829060] ? fb_set_suspend+0x110/0x110
[ 58.829064] ? lock_acquire+0x16f/0x430
[ 58.829067] ? lock_fb_info+0x1f/0x80
[ 58.829071] ? lock_fb_info+0x1f/0x80
[ 58.829075] ? __mutex_lock+0x36a/0x1470
[ 58.829079] ? trace_hardirqs_on+0x10/0x10
[ 58.829082] ? save_trace+0x290/0x290
[ 58.829087] ? mutex_trylock+0x1c0/0x1c0
[ 58.829090] ? down+0x50/0x90
[ 58.829097] ? mutex_lock_nested+0x16/0x20
[ 58.829100] ? mutex_lock_nested+0x16/0x20
[ 58.829104] do_fb_ioctl+0x3cc/0x940
[ 58.829107] ? fb_read+0x520/0x520
[ 58.829112] ? avc_has_extended_perms+0x8ec/0xe40
[ 58.829115] ? putname+0xdb/0x120
[ 58.829119] ? avc_ss_reset+0x110/0x110
[ 58.829122] ? kmem_cache_free+0x83/0x2b0
[ 58.829126] ? do_syscall_64+0x1e8/0x640
[ 58.829130] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 58.829134] ? find_held_lock+0x35/0x130
[ 58.829137] ? debug_check_no_obj_freed+0x2aa/0x7b7
[ 58.829145] ? __might_sleep+0x93/0xb0
[ 58.829150] fb_ioctl+0xe6/0x130
[ 58.829153] ? do_fb_ioctl+0x940/0x940
[ 58.829157] do_vfs_ioctl+0x7ae/0x1060
[ 58.829161] ? selinux_file_mprotect+0x5d0/0x5d0
[ 58.829164] ? kmem_cache_free+0x244/0x2b0
[ 58.829168] ? ioctl_preallocate+0x1c0/0x1c0
[ 58.829171] ? putname+0xe0/0x120
[ 58.829175] ? do_sys_open+0x221/0x430
[ 58.829180] ? security_file_ioctl+0x7d/0xb0
[ 58.829183] ? security_file_ioctl+0x89/0xb0
[ 58.829188] SyS_ioctl+0x8f/0xc0
[ 58.829192] ? do_vfs_ioctl+0x1060/0x1060
[ 58.829196] do_syscall_64+0x1e8/0x640
[ 58.829199] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 58.829205] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 58.829207] RIP: 0033:0x444dd9
[ 58.829209] RSP: 002b:00007ffd79b832c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 58.829213] RAX: ffffffffffffffda RBX: 00007ffd79b832d0 RCX: 0000000000444dd9
[ 58.829216] RDX: 00000000200002c0 RSI: 0000000000004601 RDI: 0000000000000005
[ 58.829218] RBP: 0000000000000000 R08: 0000000000401690 R09: 0000000000401690
[ 58.829220] R10: 0000000000401690 R11: 0000000000000246 R12: 0000000000402ae0
[ 58.829222] R13: 0000000000402b70 R14: 0000000000000000 R15: 0000000000000000
[ 58.830135] Kernel Offset: disabled
[ 59.744572] Rebooting in 86400 seconds..