[....] Starting file context maintaining daemon: restorecond [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[   10.930775] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   30.185766] random: sshd: uninitialized urandom read (32 bytes read)
[   30.494127] audit: type=1400 audit(1548731297.391:6): avc:  denied  { map } for  pid=1769 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   30.526381] random: sshd: uninitialized urandom read (32 bytes read)
[   31.022293] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.212' (ECDSA) to the list of known hosts.
[   36.899175] urandom_read: 1 callbacks suppressed
[   36.899179] random: sshd: uninitialized urandom read (32 bytes read)
[   37.000749] audit: type=1400 audit(1548731303.901:7): avc:  denied  { map } for  pid=1787 comm="syz-executor161" path="/root/syz-executor161563825" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[   37.253636] ==================================================================
[   37.261189] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[   37.267844] Read of size 8 at addr ffff8881d0ab13d0 by task syz-executor161/1790
[   37.275477]
[   37.277091] CPU: 1 PID: 1790 Comm: syz-executor161 Not tainted 4.14.96+ #20
[   37.284167] Call Trace:
[   37.286754]  dump_stack+0xb9/0x10e
[   37.290580]  ? ip_local_deliver+0x43d/0x450
[   37.294893]  print_address_description+0x60/0x226
[   37.299741]  ? ip_local_deliver+0x43d/0x450
[   37.304069]  kasan_report.cold+0x88/0x2a5
[   37.308213]  ? ip_local_deliver+0x43d/0x450
[   37.312522]  ? ip_call_ra_chain+0x540/0x540
[   37.316834]  ? deref_stack_reg+0xaa/0xe0
[   37.320896]  ? ip_rcv+0x99f/0xf7a
[   37.324332]  ? ip_rcv_finish+0x5c9/0x1490
[   37.328459]  ? ip_rcv+0x9e2/0xf7a
[   37.331894]  ? ip_local_deliver+0x450/0x450
[   37.336207]  ? __lock_acquire+0x56a/0x3fa0
[   37.340428]  ? check_preemption_disabled+0x35/0x1f0
[   37.345448]  ? ip_local_deliver+0x450/0x450
[   37.349775]  ? __netif_receive_skb_core+0x1364/0x2c60
[   37.354949]  ? trace_hardirqs_on+0x10/0x10
[   37.359166]  ? flush_backlog+0x580/0x580
[   37.363210]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   37.368382]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   37.373582]  ? lock_acquire+0x10f/0x380
[   37.377634]  ? __netif_receive_skb+0x55/0x1f0
[   37.382118]  ? __netif_receive_skb+0x55/0x1f0
[   37.386597]  ? netif_receive_skb_internal+0xec/0x5c0
[   37.391687]  ? dev_cpu_dead+0x810/0x810
[   37.395656]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   37.401100]  ? rcu_read_lock_sched_held+0x10a/0x130
[   37.406206]  ? tun_rx_batched.isra.0+0x45d/0x730
[   37.410943]  ? __skb_get_hash_symmetric+0x255/0x620
[   37.415937]  ? tun_chr_read_iter+0x1c0/0x1c0
[   37.420326]  ? tun_get_user+0xc07/0x3790
[   37.424373]  ? __local_bh_enable_ip+0x65/0xc0
[   37.428865]  ? tun_get_user+0xd95/0x3790
[   37.432917]  ? tun_rx_batched.isra.0+0x730/0x730
[   37.437721]  ? debug_mutex_wake_waiter+0x1d0/0x370
[   37.442644]  ? __tun_get+0x11c/0x220
[   37.446348]  ? check_preemption_disabled+0x35/0x1f0
[   37.451348]  ? tun_chr_write_iter+0xcf/0x180
[   37.455817]  ? do_iter_readv_writev+0x379/0x580
[   37.460496]  ? clone_verify_area+0x1e0/0x1e0
[   37.464937]  ? avc_policy_seqno+0x5/0x10
[   37.469089]  ? security_file_permission+0x88/0x1e0
[   37.474016]  ? do_iter_write+0x152/0x550
[   37.478061]  ? signal_setup_done+0xac/0x270
[   37.482384]  ? vfs_writev+0x146/0x2d0
[   37.486170]  ? vfs_iter_write+0xa0/0xa0
[   37.490200]  ? do_signal+0x488/0x15c0
[   37.493992]  ? setup_sigcontext+0x810/0x810
[   37.498299]  ? pgtable_bad+0x110/0x110
[   37.502339]  ? __bad_area_nosemaphore+0x25f/0x280
[   37.507283]  ? is_prefetch.isra.0.part.0+0x210/0x330
[   37.512375]  ? do_writev+0xc9/0x240
[   37.515978]  ? vfs_writev+0x2d0/0x2d0
[   37.519898]  ? do_syscall_64+0x43/0x4b0
[   37.523894]  ? SyS_readv+0x30/0x30
[   37.527415]  ? do_syscall_64+0x19b/0x4b0
[   37.531563]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   37.536913]
[   37.538521] Allocated by task 1790:
[   37.542126]  kasan_kmalloc.part.0+0x4f/0xd0
[   37.546427]  kmem_cache_alloc+0xd2/0x2d0
[   37.550475]  __build_skb+0x2e/0x2d0
[   37.554085]  build_skb+0x1a/0x1f0
[   37.557557]  tun_get_user+0x248b/0x3790
[   37.561519]  tun_chr_write_iter+0xcf/0x180
[   37.565738]  do_iter_readv_writev+0x379/0x580
[   37.570211]  do_iter_write+0x152/0x550
[   37.574082]  vfs_writev+0x146/0x2d0
[   37.577686]  do_writev+0xc9/0x240
[   37.581118]  do_syscall_64+0x19b/0x4b0
[   37.585026]
[   37.586629] Freed by task 1790:
[   37.589934]  kasan_slab_free+0xb0/0x190
[   37.593935]  kmem_cache_free+0xc4/0x330
[   37.597899]  kfree_skbmem+0xa0/0x100
[   37.601615]  kfree_skb+0xcd/0x350
[   37.605186]  ip_defrag+0x5f4/0x3b50
[   37.608910]  ip_local_deliver+0x165/0x450
[   37.613036]  ip_rcv_finish+0x5c9/0x1490
[   37.616997]  ip_rcv+0x9e2/0xf7a
[   37.620361]  __netif_receive_skb_core+0x1364/0x2c60
[   37.625503]  __netif_receive_skb+0x55/0x1f0
[   37.629801]  netif_receive_skb_internal+0xec/0x5c0
[   37.634716]  tun_rx_batched.isra.0+0x45d/0x730
[   37.639274]  tun_get_user+0xd95/0x3790
[   37.643138]  tun_chr_write_iter+0xcf/0x180
[   37.647411]  do_iter_readv_writev+0x379/0x580
[   37.651965]  do_iter_write+0x152/0x550
[   37.655837]  vfs_writev+0x146/0x2d0
[   37.659444]  do_writev+0xc9/0x240
[   37.662870]  do_syscall_64+0x19b/0x4b0
[   37.666732]
[   37.668342] The buggy address belongs to the object at ffff8881d0ab13c0
[   37.668342]  which belongs to the cache skbuff_head_cache of size 224
[   37.681532] The buggy address is located 16 bytes inside of
[   37.681532]  224-byte region [ffff8881d0ab13c0, ffff8881d0ab14a0)
[   37.693609] The buggy address belongs to the page:
[   37.698526] page:ffffea000742ac40 count:1 mapcount:0 mapping:          (null) index:0xffff8881d0ab1dc0
[   37.707953] flags: 0x4000000000000100(slab)
[   37.712360] raw: 4000000000000100 0000000000000000 ffff8881d0ab1dc0 00000001800c000b
[   37.720217] raw: ffffea00074c8fc0 0000000400000004 ffff8881dab58200 0000000000000000
[   37.728180] page dumped because: kasan: bad access detected
[   37.733881]
[   37.735491] Memory state around the buggy address:
[   37.740399]  ffff8881d0ab1280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.747743]  ffff8881d0ab1300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   37.755089] >ffff8881d0ab1380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   37.762426]                                                  ^
[   37.768378]  ffff8881d0ab1400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.775727]  ffff8881d0ab1480: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   37.783218] ==================================================================
[   37.790550] Disabling lock debugging due to kernel taint
[   37.796164] Kernel panic - not syncing: panic_on_warn set ...
[   37.796164]
[   37.803605] CPU: 1 PID: 1790 Comm: syz-executor161 Tainted: G    B            4.14.96+ #20
[   37.812031] Call Trace:
[   37.814603]  dump_stack+0xb9/0x10e
[   37.818232]  panic+0x1d9/0x3c2
[   37.821412]  ? add_taint.cold+0x16/0x16
[   37.825369]  ? retint_kernel+0x2d/0x2d
[   37.829241]  ? ip_local_deliver+0x43d/0x450
[   37.833547]  kasan_end_report+0x43/0x49
[   37.837557]  kasan_report.cold+0xa4/0x2a5
[   37.841689]  ? ip_local_deliver+0x43d/0x450
[   37.846218]  ? ip_call_ra_chain+0x540/0x540
[   37.850538]  ? deref_stack_reg+0xaa/0xe0
[   37.854587]  ? ip_rcv+0x99f/0xf7a
[   37.858021]  ? ip_rcv_finish+0x5c9/0x1490
[   37.862160]  ? ip_rcv+0x9e2/0xf7a
[   37.865631]  ? ip_local_deliver+0x450/0x450
[   37.870013]  ? __lock_acquire+0x56a/0x3fa0
[   37.874232]  ? check_preemption_disabled+0x35/0x1f0
[   37.879261]  ? ip_local_deliver+0x450/0x450
[   37.883562]  ? __netif_receive_skb_core+0x1364/0x2c60
[   37.888729]  ? trace_hardirqs_on+0x10/0x10
[   37.892958]  ? flush_backlog+0x580/0x580
[   37.897001]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   37.902169]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   37.907434]  ? lock_acquire+0x10f/0x380
[   37.911396]  ? __netif_receive_skb+0x55/0x1f0
[   37.915881]  ? __netif_receive_skb+0x55/0x1f0
[   37.920460]  ? netif_receive_skb_internal+0xec/0x5c0
[   37.925659]  ? dev_cpu_dead+0x810/0x810
[   37.929618]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   37.935180]  ? rcu_read_lock_sched_held+0x10a/0x130
[   37.940290]  ? tun_rx_batched.isra.0+0x45d/0x730
[   37.945059]  ? __skb_get_hash_symmetric+0x255/0x620
[   37.950056]  ? tun_chr_read_iter+0x1c0/0x1c0
[   37.954606]  ? tun_get_user+0xc07/0x3790
[   37.958658]  ? __local_bh_enable_ip+0x65/0xc0
[   37.963136]  ? tun_get_user+0xd95/0x3790
[   37.967176]  ? tun_rx_batched.isra.0+0x730/0x730
[   37.971910]  ? debug_mutex_wake_waiter+0x1d0/0x370
[   37.976816]  ? __tun_get+0x11c/0x220
[   37.980506]  ? check_preemption_disabled+0x35/0x1f0
[   37.985501]  ? tun_chr_write_iter+0xcf/0x180
[   37.989886]  ? do_iter_readv_writev+0x379/0x580
[   37.994541]  ? clone_verify_area+0x1e0/0x1e0
[   37.998932]  ? avc_policy_seqno+0x5/0x10
[   38.002997]  ? security_file_permission+0x88/0x1e0
[   38.007912]  ? do_iter_write+0x152/0x550
[   38.011953]  ? signal_setup_done+0xac/0x270
[   38.016264]  ? vfs_writev+0x146/0x2d0
[   38.020038]  ? vfs_iter_write+0xa0/0xa0
[   38.023988]  ? do_signal+0x488/0x15c0
[   38.027778]  ? setup_sigcontext+0x810/0x810
[   38.032084]  ? pgtable_bad+0x110/0x110
[   38.035963]  ? __bad_area_nosemaphore+0x25f/0x280
[   38.040779]  ? is_prefetch.isra.0.part.0+0x210/0x330
[   38.045858]  ? do_writev+0xc9/0x240
[   38.049458]  ? vfs_writev+0x2d0/0x2d0
[   38.053236]  ? do_syscall_64+0x43/0x4b0
[   38.057193]  ? SyS_readv+0x30/0x30
[   38.060724]  ? do_syscall_64+0x19b/0x4b0
[   38.064775]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   38.070564] Kernel Offset: 0x2a00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   38.081392] Rebooting in 86400 seconds..
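The console log above is the whole page. As an added triage helper, written for this edit and not part of the original report, of syzkaller or of the kernel, the script below parses the KASAN block into the fields one checks before filing or deduplicating: the syzbot-style title, the access, the slab object and the offset into it, the first frame of the alloc and free stacks that is not allocator or KASAN plumbing, and the shadow byte under the caret in the "Memory state" dump. The embedded sample is a constructed, abridged copy of the report above (same values, fewer frames). The noise-prefix list is my own choice, and the shadow-byte names are the KASAN_* constants as defined in mm/kasan/kasan.h of the 4.14 tree.

```python
"""Triage a KASAN report: bug class, faulting frame, access, slab object,
real alloc/free sites, and the shadow byte that the access hit."""
import re

# Constructed sample: abridged copy of the report on this page (same values, fewer frames).
SAMPLE_REPORT = """\
[   37.261189] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[   37.267844] Read of size 8 at addr ffff8881d0ab13d0 by task syz-executor161/1790
[   37.284167] Call Trace:
[   37.286754]  dump_stack+0xb9/0x10e
[   37.290580]  ? ip_local_deliver+0x43d/0x450
[   37.536913]
[   37.538521] Allocated by task 1790:
[   37.542126]  kasan_kmalloc.part.0+0x4f/0xd0
[   37.546427]  kmem_cache_alloc+0xd2/0x2d0
[   37.550475]  __build_skb+0x2e/0x2d0
[   37.554085]  build_skb+0x1a/0x1f0
[   37.557557]  tun_get_user+0x248b/0x3790
[   37.585026]
[   37.586629] Freed by task 1790:
[   37.589934]  kasan_slab_free+0xb0/0x190
[   37.593935]  kmem_cache_free+0xc4/0x330
[   37.597899]  kfree_skbmem+0xa0/0x100
[   37.601615]  kfree_skb+0xcd/0x350
[   37.605186]  ip_defrag+0x5f4/0x3b50
[   37.608910]  ip_local_deliver+0x165/0x450
[   37.666732]
[   37.668342] The buggy address belongs to the object at ffff8881d0ab13c0
[   37.668342]  which belongs to the cache skbuff_head_cache of size 224
[   37.735491] Memory state around the buggy address:
[   37.747743]  ffff8881d0ab1300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   37.755089] >ffff8881d0ab1380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   37.762426]                                                  ^
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")                     # "[   37.261189] "
BUG_RE = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<frame>\S+)")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
OBJECT_RE = re.compile(r"object at (?P<obj>[0-9a-f]+)")
CACHE_RE = re.compile(r"cache (?P<cache>\S+) of size (?P<size>\d+)")
FRAME_RE = re.compile(r"^\s*(?:\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")

# Frames that only say "the allocator ran"; tunable (my choice), not a kernel list.
NOISE_PREFIXES = ("kasan_", "kmem_cache_", "kmalloc", "__kmalloc", "kfree",
                  "__build_skb", "build_skb")
# KASAN shadow byte values, mm/kasan/kasan.h (4.14). 0x00 = fully addressable.
SHADOW_MEANING = {0x00: "addressable", 0xfa: "KASAN_GLOBAL_REDZONE",
                  0xfb: "KASAN_KMALLOC_FREE (freed slab object)",
                  0xfc: "KASAN_KMALLOC_REDZONE", 0xfe: "KASAN_PAGE_REDZONE",
                  0xff: "KASAN_FREE_PAGE"}


def strip_timestamp(line):
    return TS_RE.sub("", line)


def symbol(frame):
    """'ip_local_deliver+0x43d/0x450' -> 'ip_local_deliver'."""
    return frame.split("+", 1)[0]


def parse_kasan_report(text):
    report = {"alloc_stack": [], "free_stack": [], "marked_row": None}
    section = None
    for raw in text.splitlines():
        line = strip_timestamp(raw).rstrip()
        if m := BUG_RE.search(line):
            report["bug_type"], report["frame"] = m["bug"], m["frame"]
        elif m := ACCESS_RE.search(line):
            report.update(op=m["op"], size=int(m["size"]),
                          addr=int(m["addr"], 16), task=m["task"])
        elif m := OBJECT_RE.search(line):
            report["object"] = int(m["obj"], 16)
        elif m := CACHE_RE.search(line):
            report["cache"], report["object_size"] = m["cache"], int(m["size"])
        elif line.startswith("Allocated by task"):
            section = "alloc_stack"
        elif line.startswith("Freed by task"):
            section = "free_stack"
        elif line.startswith(">"):
            report["marked_row"] = line          # Memory state row holding the access
        elif section and (m := FRAME_RE.match(line)):
            report[section].append(m["sym"])
        elif not line:
            section = None                       # a blank line ends a stack
    return report


def first_interesting(frames):
    """First frame that is not allocator/KASAN plumbing: the code that did the alloc or free."""
    return next((s for s in frames if not s.startswith(NOISE_PREFIXES)), None)


def syzbot_title(report):
    """Dedup key in the form syzbot uses: 'KASAN: use-after-free Read in ip_local_deliver'."""
    return f"KASAN: {report['bug_type']} {report['op']} in {symbol(report['frame'])}"


def shadow_byte_at(row_line, addr):
    """Shadow byte covering addr in a 'Memory state' row; one shadow byte per 8 bytes."""
    addr_str, _, bytes_str = row_line.strip().lstrip(">").partition(":")
    idx = (addr - int(addr_str, 16)) // 8
    shadow = [int(b, 16) for b in bytes_str.split()]
    if not 0 <= idx < len(shadow):
        raise ValueError("address is not covered by this row")
    return shadow[idx]


def describe_shadow(byte):
    if 1 <= byte <= 7:
        return f"partially addressable ({byte} bytes)"
    return SHADOW_MEANING.get(byte, f"unknown 0x{byte:02x}")


def triage(text):
    r = parse_kasan_report(text)
    r["title"] = syzbot_title(r)
    r["alloc_site"] = first_interesting(r["alloc_stack"])
    r["free_site"] = first_interesting(r["free_stack"])
    r["offset"] = r["addr"] - r["object"]        # should equal "located N bytes inside of"
    r["shadow"] = describe_shadow(shadow_byte_at(r["marked_row"], r["addr"]))
    return r


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        if not key.endswith("_stack"):
            print(f"{key:12} {value}")
```

Run against this report it yields the title "KASAN: use-after-free Read in ip_local_deliver", alloc site tun_get_user (the skb was built by build_skb while a fuzzer-written packet was injected through the tun device), free site ip_defrag (called from ip_local_deliver+0x165, so the packet was an IP fragment), an offset of 16 bytes into a 224-byte skbuff_head_cache object, and shadow byte 0xfb, which corroborates the "use-after-free" verdict independently of the header line. The later read at ip_local_deliver+0x43d in the same task is then the skb being touched after ip_defrag released it; what the kernel should have done instead is not something the log alone establishes.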