[....] Starting periodic command scheduler: cron [ ok ]. [....] Starting OpenBSD Secure Shell server: sshd [ 19.963528] random: sshd: uninitialized urandom read (32 bytes read) [ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 24.136302] random: sshd: uninitialized urandom read (32 bytes read) [ 24.532577] random: sshd: uninitialized urandom read (32 bytes read) [ 25.320947] random: sshd: uninitialized urandom read (32 bytes read) [ 25.480715] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.6' (ECDSA) to the list of known hosts. [ 30.935890] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 31.024773] ================================================================== [ 31.032289] BUG: KASAN: slab-out-of-bounds in nla_strlcpy+0x13d/0x150 [ 31.038849] Read of size 1 at addr ffff8801ad1f4fdd by task syz-executor189/4509 [ 31.046355] [ 31.047967] CPU: 1 PID: 4509 Comm: syz-executor189 Not tainted 4.17.0-rc6+ #62 [ 31.055304] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.064649] Call Trace: [ 31.067243] dump_stack+0x1b9/0x294 [ 31.070867] ? dump_stack_print_info.cold.2+0x52/0x52 [ 31.076042] ? printk+0x9e/0xba [ 31.079305] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 31.084043] ? kasan_check_write+0x14/0x20 [ 31.088262] print_address_description+0x6c/0x20b [ 31.093090] ? nla_strlcpy+0x13d/0x150 [ 31.097739] kasan_report.cold.7+0x242/0x2fe [ 31.102131] __asan_report_load1_noabort+0x14/0x20 [ 31.107039] nla_strlcpy+0x13d/0x150 [ 31.110735] nfnl_acct_new+0x574/0xc50 [ 31.114602] ? nfnl_acct_overquota+0x380/0x380 [ 31.119169] ? debug_check_no_locks_freed+0x310/0x310 [ 31.124340] ? graph_lock+0x170/0x170 [ 31.128127] ? print_usage_bug+0xc0/0xc0 [ 31.132169] ? find_held_lock+0x36/0x1c0 [ 31.136222] ? graph_lock+0x170/0x170 [ 31.140005] ? lock_downgrade+0x8e0/0x8e0 [ 31.144137] ? 
__sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.149674] ? __lock_is_held+0xb5/0x140 [ 31.153738] ? nfnl_acct_overquota+0x380/0x380 [ 31.158305] nfnetlink_rcv_msg+0xdb5/0xff0 [ 31.162534] ? __sanitizer_cov_trace_cmp1+0x17/0x20 [ 31.167534] ? nfnetlink_rcv_msg+0x3bc/0xff0 [ 31.171939] ? nfnetlink_bind+0x3a0/0x3a0 [ 31.176069] ? graph_lock+0x170/0x170 [ 31.179847] ? find_held_lock+0x36/0x1c0 [ 31.183898] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.189423] netlink_rcv_skb+0x172/0x440 [ 31.193480] ? nfnetlink_bind+0x3a0/0x3a0 [ 31.197609] ? netlink_ack+0xbc0/0xbc0 [ 31.201478] ? __netlink_ns_capable+0x100/0x130 [ 31.206128] nfnetlink_rcv+0x1fe/0x1ba0 [ 31.210084] ? kasan_check_read+0x11/0x20 [ 31.214214] ? rcu_is_watching+0x85/0x140 [ 31.218340] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 31.223512] ? nfnl_err_reset+0x2d0/0x2d0 [ 31.227644] ? netlink_remove_tap+0x610/0x610 [ 31.232122] ? refcount_add_not_zero+0x320/0x320 [ 31.236857] ? kasan_check_read+0x11/0x20 [ 31.240983] ? rcu_is_watching+0x85/0x140 [ 31.245113] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 31.250284] ? netlink_skb_destructor+0x210/0x210 [ 31.255108] ? kasan_check_write+0x14/0x20 [ 31.259326] netlink_unicast+0x58b/0x740 [ 31.263370] ? netlink_attachskb+0x970/0x970 [ 31.267762] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.273282] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 31.278283] ? security_netlink_send+0x88/0xb0 [ 31.282846] netlink_sendmsg+0x9f0/0xfa0 [ 31.286890] ? netlink_unicast+0x740/0x740 [ 31.291105] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.296625] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.302152] ? security_socket_sendmsg+0x94/0xc0 [ 31.306897] ? netlink_unicast+0x740/0x740 [ 31.311116] sock_sendmsg+0xd5/0x120 [ 31.314810] sock_write_iter+0x35a/0x5a0 [ 31.318851] ? sock_sendmsg+0x120/0x120 [ 31.322817] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 31.328333] ? iov_iter_init+0xc9/0x1f0 [ 31.332290] __vfs_write+0x64d/0x960 [ 31.335985] ? 
kernel_read+0x120/0x120 [ 31.339855] ? lock_downgrade+0x8e0/0x8e0 [ 31.343983] ? handle_mm_fault+0x8c0/0xc70 [ 31.348200] ? handle_mm_fault+0x55a/0xc70 [ 31.352432] ? rw_verify_area+0x118/0x360 [ 31.356581] vfs_write+0x1f8/0x560 [ 31.360118] ksys_write+0xf9/0x250 [ 31.363646] ? __ia32_sys_read+0xb0/0xb0 [ 31.367696] __x64_sys_write+0x73/0xb0 [ 31.371573] do_syscall_64+0x1b1/0x800 [ 31.375453] ? syscall_return_slowpath+0x5c0/0x5c0 [ 31.380365] ? syscall_return_slowpath+0x30f/0x5c0 [ 31.385280] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.390989] ? retint_user+0x18/0x18 [ 31.394692] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 31.399520] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.404688] RIP: 0033:0x43ff39 [ 31.407858] RSP: 002b:00007ffc33f38e88 EFLAGS: 00000213 ORIG_RAX: 0000000000000001 [ 31.415548] RAX: ffffffffffffffda RBX: 00007ffc33f38ea0 RCX: 000000000043ff39 [ 31.422800] RDX: 000000000000001f RSI: 0000000020000040 RDI: 0000000000000003 [ 31.430050] RBP: 00000000006cb018 R08: 0000000000000000 R09: 0000000000000000 [ 31.437298] R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401800 [ 31.444545] R13: 0000000000401890 R14: 0000000000000000 R15: 0000000000000000 [ 31.451799] [ 31.453408] Allocated by task 4509: [ 31.457021] save_stack+0x43/0xd0 [ 31.460452] kasan_kmalloc+0xc4/0xe0 [ 31.464143] __kmalloc+0x14e/0x760 [ 31.467668] load_elf_phdrs+0x17a/0x250 [ 31.471622] load_elf_binary+0x9bd/0x5610 [ 31.475748] search_binary_handler+0x17d/0x570 [ 31.480306] do_execveat_common.isra.34+0x16ce/0x2590 [ 31.485474] __x64_sys_execve+0x8d/0xb0 [ 31.489430] do_syscall_64+0x1b1/0x800 [ 31.493299] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.498472] [ 31.500078] Freed by task 4509: [ 31.503345] save_stack+0x43/0xd0 [ 31.506776] __kasan_slab_free+0x11a/0x170 [ 31.511000] kasan_slab_free+0xe/0x10 [ 31.514780] kfree+0xd9/0x260 [ 31.517865] load_elf_binary+0x255d/0x5610 [ 31.522077] search_binary_handler+0x17d/0x570 [ 31.526635] 
do_execveat_common.isra.34+0x16ce/0x2590 [ 31.531812] __x64_sys_execve+0x8d/0xb0 [ 31.535764] do_syscall_64+0x1b1/0x800 [ 31.539630] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.544790] [ 31.546397] The buggy address belongs to the object at ffff8801ad1f4cc0 [ 31.546397] which belongs to the cache kmalloc-512 of size 512 [ 31.559034] The buggy address is located 285 bytes to the right of [ 31.559034] 512-byte region [ffff8801ad1f4cc0, ffff8801ad1f4ec0) [ 31.571420] The buggy address belongs to the page: [ 31.576336] page:ffffea0006b47d00 count:1 mapcount:0 mapping:ffff8801ad1f4040 index:0x0 [ 31.584470] flags: 0x2fffc0000000100(slab) [ 31.588688] raw: 02fffc0000000100 ffff8801ad1f4040 0000000000000000 0000000100000006 [ 31.596550] raw: ffffea0006b393a0 ffff8801da801748 ffff8801da800940 0000000000000000 [ 31.604404] page dumped because: kasan: bad access detected [ 31.610087] [ 31.611691] Memory state around the buggy address: [ 31.616600] ffff8801ad1f4e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 31.623938] ffff8801ad1f4f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.631460] >ffff8801ad1f4f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.638800] ^ [ 31.645013] ffff8801ad1f5000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.652351] ffff8801ad1f5080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.659688] ================================================================== [ 31.667021] Disabling lock debugging due to kernel taint [ 31.672508] Kernel panic - not syncing: panic_on_warn set ... [ 31.672508] [ 31.679857] CPU: 1 PID: 4509 Comm: syz-executor189 Tainted: G B 4.17.0-rc6+ #62 [ 31.688595] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.697939] Call Trace: [ 31.700526] dump_stack+0x1b9/0x294 [ 31.704134] ? dump_stack_print_info.cold.2+0x52/0x52 [ 31.709305] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 31.714042] ? nla_strlcpy+0x110/0x150 [ 31.717908] panic+0x22f/0x4de [ 31.721077] ? 
add_taint.cold.5+0x16/0x16 [ 31.725206] ? do_raw_spin_unlock+0x9e/0x2e0 [ 31.729593] ? do_raw_spin_unlock+0x9e/0x2e0 [ 31.733978] ? nla_strlcpy+0x13d/0x150 [ 31.737845] kasan_end_report+0x47/0x4f [ 31.741798] kasan_report.cold.7+0x76/0x2fe [ 31.746098] __asan_report_load1_noabort+0x14/0x20 [ 31.751003] nla_strlcpy+0x13d/0x150 [ 31.754698] nfnl_acct_new+0x574/0xc50 [ 31.758567] ? nfnl_acct_overquota+0x380/0x380 [ 31.763130] ? debug_check_no_locks_freed+0x310/0x310 [ 31.768299] ? graph_lock+0x170/0x170 [ 31.772081] ? print_usage_bug+0xc0/0xc0 [ 31.776123] ? find_held_lock+0x36/0x1c0 [ 31.780162] ? graph_lock+0x170/0x170 [ 31.783941] ? lock_downgrade+0x8e0/0x8e0 [ 31.788073] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.793588] ? __lock_is_held+0xb5/0x140 [ 31.797649] ? nfnl_acct_overquota+0x380/0x380 [ 31.802207] nfnetlink_rcv_msg+0xdb5/0xff0 [ 31.806433] ? __sanitizer_cov_trace_cmp1+0x17/0x20 [ 31.811422] ? nfnetlink_rcv_msg+0x3bc/0xff0 [ 31.815812] ? nfnetlink_bind+0x3a0/0x3a0 [ 31.819938] ? graph_lock+0x170/0x170 [ 31.823715] ? find_held_lock+0x36/0x1c0 [ 31.827758] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.833273] netlink_rcv_skb+0x172/0x440 [ 31.837310] ? nfnetlink_bind+0x3a0/0x3a0 [ 31.841436] ? netlink_ack+0xbc0/0xbc0 [ 31.845389] ? __netlink_ns_capable+0x100/0x130 [ 31.850039] nfnetlink_rcv+0x1fe/0x1ba0 [ 31.853992] ? kasan_check_read+0x11/0x20 [ 31.858120] ? rcu_is_watching+0x85/0x140 [ 31.862245] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 31.867414] ? nfnl_err_reset+0x2d0/0x2d0 [ 31.871542] ? netlink_remove_tap+0x610/0x610 [ 31.876019] ? refcount_add_not_zero+0x320/0x320 [ 31.880766] ? kasan_check_read+0x11/0x20 [ 31.884896] ? rcu_is_watching+0x85/0x140 [ 31.889023] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 31.894191] ? netlink_skb_destructor+0x210/0x210 [ 31.899098] ? kasan_check_write+0x14/0x20 [ 31.903310] netlink_unicast+0x58b/0x740 [ 31.907354] ? netlink_attachskb+0x970/0x970 [ 31.911742] ? 
__sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.917264] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 31.922278] ? security_netlink_send+0x88/0xb0 [ 31.926841] netlink_sendmsg+0x9f0/0xfa0 [ 31.930881] ? netlink_unicast+0x740/0x740 [ 31.935096] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.940614] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.946130] ? security_socket_sendmsg+0x94/0xc0 [ 31.950864] ? netlink_unicast+0x740/0x740 [ 31.955080] sock_sendmsg+0xd5/0x120 [ 31.958774] sock_write_iter+0x35a/0x5a0 [ 31.962819] ? sock_sendmsg+0x120/0x120 [ 31.966778] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 31.972295] ? iov_iter_init+0xc9/0x1f0 [ 31.976250] __vfs_write+0x64d/0x960 [ 31.979941] ? kernel_read+0x120/0x120 [ 31.983809] ? lock_downgrade+0x8e0/0x8e0 [ 31.987937] ? handle_mm_fault+0x8c0/0xc70 [ 31.992150] ? handle_mm_fault+0x55a/0xc70 [ 31.996363] ? rw_verify_area+0x118/0x360 [ 32.000496] vfs_write+0x1f8/0x560 [ 32.004016] ksys_write+0xf9/0x250 [ 32.007536] ? __ia32_sys_read+0xb0/0xb0 [ 32.011576] __x64_sys_write+0x73/0xb0 [ 32.015444] do_syscall_64+0x1b1/0x800 [ 32.019320] ? syscall_return_slowpath+0x5c0/0x5c0 [ 32.024235] ? syscall_return_slowpath+0x30f/0x5c0 [ 32.029146] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.034663] ? retint_user+0x18/0x18 [ 32.038361] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 32.043184] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.048361] RIP: 0033:0x43ff39 [ 32.051535] RSP: 002b:00007ffc33f38e88 EFLAGS: 00000213 ORIG_RAX: 0000000000000001 [ 32.059234] RAX: ffffffffffffffda RBX: 00007ffc33f38ea0 RCX: 000000000043ff39 [ 32.066483] RDX: 000000000000001f RSI: 0000000020000040 RDI: 0000000000000003 [ 32.073732] RBP: 00000000006cb018 R08: 0000000000000000 R09: 0000000000000000 [ 32.080978] R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401800 [ 32.088227] R13: 0000000000401890 R14: 0000000000000000 R15: 0000000000000000 [ 32.095866] Dumping ftrace buffer: [ 32.099389] (ftrace buffer empty) [ 32.103078] Kernel Offset: disabled [ 32.106690] Rebooting in 86400 seconds..