[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Started System Logging Service.
[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Started getty on tty2-tty6 if dbus and logind are not available.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.37' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 61.707259][ T6816] sctp: [Deprecated]: syz-executor399 (pid 6816) Use of struct sctp_assoc_value in delayed_ack socket option.
[ 61.707259][ T6816] Use struct sctp_sack_info instead
[ 61.724636][ T6816] ==================================================================
[ 61.732960][ T6816] BUG: KASAN: slab-out-of-bounds in sctp_setsockopt+0x9488/0x95e0
[ 61.740744][ T6816] Write of size 4 at addr ffff8880a617c088 by task syz-executor399/6816
[ 61.749058][ T6816] CPU: 0 PID: 6816 Comm: syz-executor399 Not tainted 5.8.0-rc6-next-20200724-syzkaller #0
[ 61.758927][ T6816] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.768958][ T6816] Call Trace:
[ 61.772230][ T6816]  dump_stack+0x18f/0x20d
[ 61.776625][ T6816]  ? sctp_setsockopt+0x9488/0x95e0
[ 61.781803][ T6816]  ? sctp_setsockopt+0x9488/0x95e0
[ 61.787147][ T6816]  print_address_description.constprop.0.cold+0xae/0x497
[ 61.794147][ T6816]  ? printk+0xba/0xed
[ 61.798127][ T6816]  ? lockdep_hardirqs_off+0x6a/0xb0
[ 61.803301][ T6816]  ? vprintk_func+0x97/0x1a6
[ 61.807874][ T6816]  ? sctp_setsockopt+0x9488/0x95e0
[ 61.812962][ T6816]  ? sctp_setsockopt+0x9488/0x95e0
[ 61.818050][ T6816]  kasan_report.cold+0x1f/0x37
[ 61.822829][ T6816]  ? sctp_setsockopt+0x9488/0x95e0
[ 61.827923][ T6816]  sctp_setsockopt+0x9488/0x95e0
[ 61.832850][ T6816]  ? aa_af_perm+0x230/0x230
[ 61.837364][ T6816]  ? handle_mm_fault+0xb78/0x45e0
[ 61.842366][ T6816]  ? __sctp_setsockopt_connectx+0x140/0x140
[ 61.848242][ T6816]  ? sock_common_recvmsg+0x1a0/0x1a0
[ 61.853764][ T6816]  __sys_setsockopt+0x337/0x6a0
[ 61.858605][ T6816]  ? _down_write_nest_lock+0x150/0x150
[ 61.864122][ T6816]  ? __ia32_sys_recv+0x100/0x100
[ 61.869055][ T6816]  ? lock_is_held_type+0xbb/0xf0
[ 61.873982][ T6816]  ? lock_is_held_type+0xbb/0xf0
[ 61.878907][ T6816]  __x64_sys_setsockopt+0xba/0x150
[ 61.884094][ T6816]  ? lockdep_hardirqs_on+0x76/0xf0
[ 61.889201][ T6816]  do_syscall_64+0x60/0xe0
[ 61.893600][ T6816]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 61.899471][ T6816] RIP: 0033:0x440229
[ 61.903339][ T6816] Code: Bad RIP value.
[ 61.907380][ T6816] RSP: 002b:00007ffe1cbbb9b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
[ 61.915767][ T6816] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440229
[ 61.923789][ T6816] RDX: 0000000000000010 RSI: 0000000000000084 RDI: 0000000000000003
[ 61.931761][ T6816] RBP: 00000000006ca018 R08: 0000000000000008 R09: 00000000004002c8
[ 61.939717][ T6816] R10: 0000000020000100 R11: 0000000000000246 R12: 0000000000401a30
[ 61.947688][ T6816] R13: 0000000000401ac0 R14: 0000000000000000 R15: 0000000000000000
[ 61.955655][ T6816] Allocated by task 6816:
[ 61.959966][ T6816]  kasan_save_stack+0x1b/0x40
[ 61.964620][ T6816]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 61.970227][ T6816]  __kmalloc_track_caller+0x1a6/0x310
[ 61.975576][ T6816]  memdup_user+0x22/0xd0
[ 61.979801][ T6816]  sctp_setsockopt+0x17a/0x95e0
[ 61.984640][ T6816]  __sys_setsockopt+0x337/0x6a0
[ 61.989469][ T6816]  __x64_sys_setsockopt+0xba/0x150
[ 61.994557][ T6816]  do_syscall_64+0x60/0xe0
[ 61.999125][ T6816]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 62.004996][ T6816] The buggy address belongs to the object at ffff8880a617c080
[ 62.004996][ T6816]  which belongs to the cache kmalloc-32 of size 32
[ 62.018872][ T6816] The buggy address is located 8 bytes inside of
[ 62.018872][ T6816]  32-byte region [ffff8880a617c080, ffff8880a617c0a0)
[ 62.031859][ T6816] The buggy address belongs to the page:
[ 62.037484][ T6816] page:000000002e2e6ecb refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a617cfc1 pfn:0xa617c
[ 62.048919][ T6816] flags: 0xfffe0000000200(slab)
[ 62.053748][ T6816] raw: 00fffe0000000200 ffffea0002985948 ffffea000292d5c8 ffff8880aa000100
[ 62.062312][ T6816] raw: ffff8880a617cfc1 ffff8880a617c000 000000010000003f 0000000000000000
[ 62.070867][ T6816] page dumped because: kasan: bad access detected
[ 62.077518][ T6816] Memory state around the buggy address:
[ 62.083134][ T6816]  ffff8880a617bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 62.091179][ T6816]  ffff8880a617c000: 00 05 fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 62.099232][ T6816] >ffff8880a617c080: 00 fc fc fc fc fc fc fc 00 05 fc fc fc fc fc fc
[ 62.107304][ T6816]                                            ^
[ 62.111754][ T6816]  ffff8880a617c100: fb fb fb fb fc fc fc fc 00 fc fc fc fc fc fc fc
[ 62.119897][ T6816]  ffff8880a617c180: 00 fc fc fc fc fc fc fc 00 02 fc fc fc fc fc fc
[ 62.127930][ T6816] ==================================================================
[ 62.135966][ T6816] Disabling lock debugging due to kernel taint
[ 62.142641][ T6816] Kernel panic - not syncing: panic_on_warn set ...
[ 62.149239][ T6816] CPU: 0 PID: 6816 Comm: syz-executor399 Tainted: G B 5.8.0-rc6-next-20200724-syzkaller #0
[ 62.160506][ T6816] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.170551][ T6816] Call Trace:
[ 62.173822][ T6816]  dump_stack+0x18f/0x20d
[ 62.178135][ T6816]  ? sctp_setsockopt+0x9480/0x95e0
[ 62.183395][ T6816]  panic+0x2e3/0x75c
[ 62.187266][ T6816]  ? __warn_printk+0xf3/0xf3
[ 62.191834][ T6816]  ? preempt_schedule_common+0x59/0xc0
[ 62.197700][ T6816]  ? sctp_setsockopt+0x9488/0x95e0
[ 62.202788][ T6816]  ? preempt_schedule_thunk+0x16/0x18
[ 62.208657][ T6816]  ? trace_hardirqs_on+0x55/0x220
[ 62.213655][ T6816]  ? sctp_setsockopt+0x9488/0x95e0
[ 62.218738][ T6816]  ? sctp_setsockopt+0x9488/0x95e0
[ 62.223823][ T6816]  end_report+0x4d/0x53
[ 62.227958][ T6816]  kasan_report.cold+0xd/0x37
[ 62.232610][ T6816]  ? sctp_setsockopt+0x9488/0x95e0
[ 62.237701][ T6816]  sctp_setsockopt+0x9488/0x95e0
[ 62.242615][ T6816]  ? aa_af_perm+0x230/0x230
[ 62.247115][ T6816]  ? handle_mm_fault+0xb78/0x45e0
[ 62.252118][ T6816]  ? __sctp_setsockopt_connectx+0x140/0x140
[ 62.257990][ T6816]  ? sock_common_recvmsg+0x1a0/0x1a0
[ 62.263272][ T6816]  __sys_setsockopt+0x337/0x6a0
[ 62.268126][ T6816]  ? _down_write_nest_lock+0x150/0x150
[ 62.273566][ T6816]  ? __ia32_sys_recv+0x100/0x100
[ 62.278505][ T6816]  ? lock_is_held_type+0xbb/0xf0
[ 62.283422][ T6816]  ? lock_is_held_type+0xbb/0xf0
[ 62.288337][ T6816]  __x64_sys_setsockopt+0xba/0x150
[ 62.293426][ T6816]  ? lockdep_hardirqs_on+0x76/0xf0
[ 62.298526][ T6816]  do_syscall_64+0x60/0xe0
[ 62.302919][ T6816]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 62.308786][ T6816] RIP: 0033:0x440229
[ 62.312662][ T6816] Code: Bad RIP value.
[ 62.316716][ T6816] RSP: 002b:00007ffe1cbbb9b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
[ 62.325104][ T6816] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440229
[ 62.333073][ T6816] RDX: 0000000000000010 RSI: 0000000000000084 RDI: 0000000000000003
[ 62.343143][ T6816] RBP: 00000000006ca018 R08: 0000000000000008 R09: 00000000004002c8
[ 62.351107][ T6816] R10: 0000000020000100 R11: 0000000000000246 R12: 0000000000401a30
[ 62.359064][ T6816] R13: 0000000000401ac0 R14: 0000000000000000 R15: 0000000000000000
[ 62.368883][ T6816] Kernel Offset: disabled
[ 62.373230][ T6816] Rebooting in 86400 seconds..