Starting mcstransd: [ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   45.518734] audit: type=1800 audit(1583347849.144:33): pid=7852 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   49.890916] kauditd_printk_skb: 1 callbacks suppressed
[   49.890930] audit: type=1400 audit(1583347853.514:35): avc:  denied  { map } for  pid=8026 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.224' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   71.007569] audit: type=1400 audit(1583347874.634:36): avc:  denied  { map } for  pid=8038 comm="syz-executor921" path="/root/syz-executor921584840" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   71.071968] ==================================================================
[   71.072002] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90
[   71.072010] Write of size 8 at addr ffff888089de8588 by task syz-executor921/8045
[   71.072013] 
[   71.072023] CPU: 0 PID: 8045 Comm: syz-executor921 Not tainted 4.19.107-syzkaller #0
[   71.072029] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   71.072032] Call Trace:
[   71.072046]  dump_stack+0x188/0x20d
[   71.072057]  ? con_shutdown+0x7f/0x90
[   71.072071]  print_address_description.cold+0x7c/0x212
[   71.072081]  ? con_shutdown+0x7f/0x90
[   71.072090]  kasan_report.cold+0x88/0x2b9
[   71.072100]  ? set_palette+0x1b0/0x1b0
[   71.072110]  con_shutdown+0x7f/0x90
[   71.072120]  release_tty+0xda/0x4c0
[   71.072130]  tty_release_struct+0x37/0x50
[   71.072150]  tty_release+0xbc7/0xe90
[   71.072165]  ? tty_release_struct+0x50/0x50
[   71.072175]  __fput+0x2cd/0x890
[   71.072189]  task_work_run+0x13f/0x1b0
[   71.072202]  do_exit+0xbcd/0x2f30
[   71.072217]  ? mm_update_next_owner+0x650/0x650
[   71.072230]  ? up_read+0x17/0x110
[   71.072240]  ? __do_page_fault+0x44e/0xdd0
[   71.072254]  do_group_exit+0x125/0x350
[   71.072265]  __x64_sys_exit_group+0x3a/0x50
[   71.072277]  do_syscall_64+0xf9/0x620
[   71.072290]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   71.072298] RIP: 0033:0x43ff38
[   71.072313] Code: Bad RIP value.
[   71.072318] RSP: 002b:00007ffec2725928 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   71.072328] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[   71.072333] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   71.072339] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[   71.072344] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   71.072350] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[   71.072363] 
[   71.072367] Allocated by task 8045:
[   71.072376]  kasan_kmalloc+0xbf/0xe0
[   71.072384]  kmem_cache_alloc_trace+0x14d/0x7a0
[   71.072392]  vc_allocate+0x1db/0x6d0
[   71.072400]  con_install+0x4f/0x400
[   71.072408]  tty_init_dev+0xee/0x450
[   71.072415]  tty_open+0x4b0/0xb00
[   71.072422]  chrdev_open+0x219/0x5c0
[   71.072430]  do_dentry_open+0x4a8/0x1160
[   71.072438]  path_openat+0x1031/0x4200
[   71.072445]  do_filp_open+0x1a1/0x280
[   71.072452]  do_sys_open+0x3c0/0x500
[   71.072460]  do_syscall_64+0xf9/0x620
[   71.072469]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   71.072471] 
[   71.072475] Freed by task 8046:
[   71.072483]  __kasan_slab_free+0xf7/0x140
[   71.072490]  kfree+0xce/0x220
[   71.072499]  vt_disallocate_all+0x293/0x3b0
[   71.072507]  vt_ioctl+0xb79/0x2310
[   71.072515]  tty_ioctl+0x7a1/0x1420
[   71.072523]  do_vfs_ioctl+0xcda/0x12e0
[   71.072530]  ksys_ioctl+0x9b/0xc0
[   71.072538]  __x64_sys_ioctl+0x6f/0xb0
[   71.072546]  do_syscall_64+0xf9/0x620
[   71.072555]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   71.072557] 
[   71.072564] The buggy address belongs to the object at ffff888089de8480
[   71.072564]  which belongs to the cache kmalloc-2048 of size 2048
[   71.072572] The buggy address is located 264 bytes inside of
[   71.072572]  2048-byte region [ffff888089de8480, ffff888089de8c80)
[   71.072574] The buggy address belongs to the page:
[   71.072583] page:ffffea0002277a00 count:1 mapcount:0 mapping:ffff88812c3dcc40 index:0x0 compound_mapcount: 0
[   71.072593] flags: 0xfffe0000008100(slab|head)
[   71.072606] raw: 00fffe0000008100 ffffea000298ec88 ffffea0002978208 ffff88812c3dcc40
[   71.072616] raw: 0000000000000000 ffff888089de8480 0000000100000003 0000000000000000
[   71.072620] page dumped because: kasan: bad access detected
[   71.072622] 
[   71.072625] Memory state around the buggy address:
[   71.072633]  ffff888089de8480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   71.072640]  ffff888089de8500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   71.072647] >ffff888089de8580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   71.072651]                                            ^
[   71.072658]  ffff888089de8600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   71.072665]  ffff888089de8680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   71.072668] ==================================================================
[   71.072672] Disabling lock debugging due to kernel taint
[   71.072702] Kernel panic - not syncing: panic_on_warn set ...
[   71.072702] 
[   71.072711] CPU: 0 PID: 8045 Comm: syz-executor921 Tainted: G    B     4.19.107-syzkaller #0
[   71.072716] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   71.072718] Call Trace:
[   71.072728]  dump_stack+0x188/0x20d
[   71.072738]  panic+0x26a/0x50e
[   71.072748]  ? __warn_printk+0xf3/0xf3
[   71.072756]  ? retint_kernel+0x2d/0x2d
[   71.072768]  ? trace_hardirqs_on+0x55/0x210
[   71.072777]  ? con_shutdown+0x7f/0x90
[   71.072786]  kasan_end_report+0x43/0x49
[   71.072795]  kasan_report.cold+0xa4/0x2b9
[   71.072807]  ? set_palette+0x1b0/0x1b0
[   71.072816]  con_shutdown+0x7f/0x90
[   71.072824]  release_tty+0xda/0x4c0
[   71.072833]  tty_release_struct+0x37/0x50
[   71.072841]  tty_release+0xbc7/0xe90
[   71.072852]  ? tty_release_struct+0x50/0x50
[   71.072862]  __fput+0x2cd/0x890
[   71.072873]  task_work_run+0x13f/0x1b0
[   71.072884]  do_exit+0xbcd/0x2f30
[   71.072897]  ? mm_update_next_owner+0x650/0x650
[   71.072907]  ? up_read+0x17/0x110
[   71.072917]  ? __do_page_fault+0x44e/0xdd0
[   71.072929]  do_group_exit+0x125/0x350
[   71.072942]  __x64_sys_exit_group+0x3a/0x50
[   71.072954]  do_syscall_64+0xf9/0x620
[   71.072968]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   71.072975] RIP: 0033:0x43ff38
[   71.072983] Code: Bad RIP value.
[   71.072989] RSP: 002b:00007ffec2725928 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   71.073000] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[   71.073006] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   71.073013] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[   71.073019] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   71.073025] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[   71.074371] Kernel Offset: disabled
[   71.656176] Rebooting in 86400 seconds..