[ ok ] Starting enhanced syslogd: rsyslogd.
[ 63.960655][ T23] audit: type=1800 audit(1575364263.010:25): pid=8850 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 63.985229][ T23] audit: type=1800 audit(1575364263.020:26): pid=8850 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 64.027573][ T23] audit: type=1800 audit(1575364263.020:27): pid=8850 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.231' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 76.430563][ T9004] ==================================================================
[ 76.430603][ T9004] BUG: KASAN: slab-out-of-bounds in vcs_scr_readw+0xc2/0xd0
[ 76.430610][ T9004] Read of size 2 at addr ffff8880a3f152c0 by task syz-executor563/9004
[ 76.430612][ T9004]
[ 76.430622][ T9004] CPU: 0 PID: 9004 Comm: syz-executor563 Not tainted 5.4.0-syzkaller #0
[ 76.430627][ T9004] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 76.430630][ T9004] Call Trace:
[ 76.430643][ T9004] dump_stack+0x197/0x210
[ 76.430651][ T9004] ? vcs_scr_readw+0xc2/0xd0
[ 76.430663][ T9004] print_address_description.constprop.0.cold+0xd4/0x30b
[ 76.430670][ T9004] ? vcs_scr_readw+0xc2/0xd0
[ 76.430677][ T9004] ? vcs_scr_readw+0xc2/0xd0
[ 76.430685][ T9004] __kasan_report.cold+0x1b/0x41
[ 76.430695][ T9004] ? vcs_write+0x460/0xcf0
[ 76.430702][ T9004] ? vcs_scr_readw+0xc2/0xd0
[ 76.430710][ T9004] kasan_report+0x12/0x20
[ 76.430719][ T9004] __asan_report_load2_noabort+0x14/0x20
[ 76.430726][ T9004] vcs_scr_readw+0xc2/0xd0
[ 76.430734][ T9004] vcs_write+0x646/0xcf0
[ 76.430749][ T9004] ? vcs_size+0x250/0x250
[ 76.430761][ T9004] ? apparmor_file_permission+0x25/0x30
[ 76.430771][ T9004] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 76.430781][ T9004] ? security_file_permission+0x8f/0x380
[ 76.430790][ T9004] ? trace_hardirqs_on+0x67/0x240
[ 76.430800][ T9004] __vfs_write+0x8a/0x110
[ 76.430807][ T9004] ? vcs_size+0x250/0x250
[ 76.430815][ T9004] vfs_write+0x268/0x5d0
[ 76.430825][ T9004] ksys_write+0x14f/0x290
[ 76.430834][ T9004] ? __ia32_sys_read+0xb0/0xb0
[ 76.430845][ T9004] ? do_fast_syscall_32+0xd1/0xe16
[ 76.430852][ T9004] ? entry_SYSENTER_compat+0x70/0x7f
[ 76.430860][ T9004] ? do_fast_syscall_32+0xd1/0xe16
[ 76.430870][ T9004] __ia32_sys_write+0x71/0xb0
[ 76.430880][ T9004] do_fast_syscall_32+0x27b/0xe16
[ 76.430889][ T9004] entry_SYSENTER_compat+0x70/0x7f
[ 76.430896][ T9004] RIP: 0023:0xf7f67a39
[ 76.430904][ T9004] Code: 00 00 00 89 d3 5b 5e 5f 5d c3 b8 80 96 98 00 eb c4 8b 04 24 c3 8b 1c 24 c3 8b 34 24 c3 8b 3c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 76.430909][ T9004] RSP: 002b:00000000ffbc55fc EFLAGS: 00000246 ORIG_RAX: 0000000000000004
[ 76.430917][ T9004] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000300
[ 76.430921][ T9004] RDX: 00000000fffffecb RSI: 0000000008048b00 RDI: 0000000000000000
[ 76.430926][ T9004] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 76.430930][ T9004] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 76.430934][ T9004] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 76.430956][ T9004]
[ 76.430961][ T9004] Allocated by task 1:
[ 76.430971][ T9004] save_stack+0x23/0x90
[ 76.430981][ T9004] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 76.430990][ T9004] kasan_kmalloc+0x9/0x10
[ 76.431000][ T9004] __kmalloc+0x163/0x770
[ 76.431010][ T9004] vc_do_resize+0x262/0x1460
[ 76.431019][ T9004] vc_resize+0x4d/0x60
[ 76.431032][ T9004] fbcon_init+0x122d/0x1a90
[ 76.431041][ T9004] visual_init+0x30a/0x5e0
[ 76.431050][ T9004] do_bind_con_driver+0x54c/0x8b0
[ 76.431059][ T9004] do_take_over_console+0x449/0x5a0
[ 76.431069][ T9004] do_fbcon_takeover+0x116/0x220
[ 76.431080][ T9004] fbcon_fb_registered+0x275/0x340
[ 76.431091][ T9004] register_framebuffer+0x5c3/0xa10
[ 76.431103][ T9004] vga16fb_probe+0x711/0x825
[ 76.431116][ T9004] platform_drv_probe+0x8d/0x140
[ 76.431126][ T9004] really_probe+0x291/0x710
[ 76.431136][ T9004] driver_probe_device+0x110/0x220
[ 76.431147][ T9004] __device_attach_driver+0x1c9/0x230
[ 76.431157][ T9004] bus_for_each_drv+0x172/0x1f0
[ 76.431168][ T9004] __device_attach+0x237/0x390
[ 76.431178][ T9004] device_initial_probe+0x1b/0x20
[ 76.431187][ T9004] bus_probe_device+0x1f1/0x2a0
[ 76.431196][ T9004] device_add+0x14fe/0x1d00
[ 76.431203][ T9004] platform_device_add+0x34d/0x6c0
[ 76.431212][ T9004] vga16fb_init+0x15f/0x1d6
[ 76.431220][ T9004] do_one_initcall+0x120/0x81a
[ 76.431230][ T9004] kernel_init_freeable+0x4ca/0x5b9
[ 76.431239][ T9004] kernel_init+0x12/0x1bf
[ 76.431248][ T9004] ret_from_fork+0x24/0x30
[ 76.431250][ T9004]
[ 76.431254][ T9004] Freed by task 0:
[ 76.431256][ T9004] (stack is not available)
[ 76.431258][ T9004]
[ 76.431265][ T9004] The buggy address belongs to the object at ffff8880a3f14000
[ 76.431265][ T9004] which belongs to the cache kmalloc-8k of size 8192
[ 76.431272][ T9004] The buggy address is located 4800 bytes inside of
[ 76.431272][ T9004] 8192-byte region [ffff8880a3f14000, ffff8880a3f16000)
[ 76.431275][ T9004] The buggy address belongs to the page:
[ 76.431284][ T9004] page:ffffea00028fc500 refcount:1 mapcount:0 mapping:ffff8880aa4021c0 index:0x0 compound_mapcount: 0
[ 76.431295][ T9004] raw: 00fffe0000010200 ffffea000294e408 ffffea0002810a08 ffff8880aa4021c0
[ 76.431304][ T9004] raw: 0000000000000000 ffff8880a3f14000 0000000100000001 0000000000000000
[ 76.431308][ T9004] page dumped because: kasan: bad access detected
[ 76.431310][ T9004]
[ 76.431313][ T9004] Memory state around the buggy address:
[ 76.431319][ T9004]  ffff8880a3f15180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 76.431325][ T9004]  ffff8880a3f15200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 76.431330][ T9004] >ffff8880a3f15280: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 76.431334][ T9004]                                            ^
[ 76.431339][ T9004]  ffff8880a3f15300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 76.431345][ T9004]  ffff8880a3f15380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 76.431348][ T9004] ==================================================================
[ 76.431351][ T9004] Disabling lock debugging due to kernel taint
[ 76.431386][ T9004] Kernel panic - not syncing: panic_on_warn set ...
[ 76.431397][ T9004] CPU: 0 PID: 9004 Comm: syz-executor563 Tainted: G B 5.4.0-syzkaller #0
[ 76.431404][ T9004] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 76.431415][ T9004] Call Trace:
[ 76.431430][ T9004] dump_stack+0x197/0x210
[ 76.431446][ T9004] panic+0x2e3/0x75c
[ 76.431459][ T9004] ? add_taint.cold+0x16/0x16
[ 76.431474][ T9004] ? retint_kernel+0x2b/0x2b
[ 76.431490][ T9004] ? trace_hardirqs_on+0x5e/0x240
[ 76.431504][ T9004] ? vcs_scr_readw+0xc2/0xd0
[ 76.431517][ T9004] end_report+0x47/0x4f
[ 76.431530][ T9004] ? vcs_scr_readw+0xc2/0xd0
[ 76.431542][ T9004] __kasan_report.cold+0xe/0x41
[ 76.431556][ T9004] ? vcs_write+0x460/0xcf0
[ 76.431568][ T9004] ? vcs_scr_readw+0xc2/0xd0
[ 76.431581][ T9004] kasan_report+0x12/0x20
[ 76.431595][ T9004] __asan_report_load2_noabort+0x14/0x20
[ 76.431608][ T9004] vcs_scr_readw+0xc2/0xd0
[ 76.431621][ T9004] vcs_write+0x646/0xcf0
[ 76.431643][ T9004] ? vcs_size+0x250/0x250
[ 76.431658][ T9004] ? apparmor_file_permission+0x25/0x30
[ 76.431673][ T9004] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 76.431688][ T9004] ? security_file_permission+0x8f/0x380
[ 76.431702][ T9004] ? trace_hardirqs_on+0x67/0x240
[ 76.431715][ T9004] __vfs_write+0x8a/0x110
[ 76.431728][ T9004] ? vcs_size+0x250/0x250
[ 76.431742][ T9004] vfs_write+0x268/0x5d0
[ 76.431755][ T9004] ksys_write+0x14f/0x290
[ 76.431769][ T9004] ? __ia32_sys_read+0xb0/0xb0
[ 76.431783][ T9004] ? do_fast_syscall_32+0xd1/0xe16
[ 76.431796][ T9004] ? entry_SYSENTER_compat+0x70/0x7f
[ 76.431810][ T9004] ? do_fast_syscall_32+0xd1/0xe16
[ 76.431824][ T9004] __ia32_sys_write+0x71/0xb0
[ 76.431838][ T9004] do_fast_syscall_32+0x27b/0xe16
[ 76.431852][ T9004] entry_SYSENTER_compat+0x70/0x7f
[ 76.431863][ T9004] RIP: 0023:0xf7f67a39
[ 76.431876][ T9004] Code: 00 00 00 89 d3 5b 5e 5f 5d c3 b8 80 96 98 00 eb c4 8b 04 24 c3 8b 1c 24 c3 8b 34 24 c3 8b 3c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 76.431886][ T9004] RSP: 002b:00000000ffbc55fc EFLAGS: 00000246 ORIG_RAX: 0000000000000004
[ 76.431906][ T9004] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000300
[ 76.431916][ T9004] RDX: 00000000fffffecb RSI: 0000000008048b00 RDI: 0000000000000000
[ 76.431926][ T9004] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 76.431936][ T9004] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 76.431946][ T9004] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 76.433154][ T9004] Kernel Offset: disabled
[ 77.237277][ T9004] Rebooting in 86400 seconds..