[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 23.056476] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 26.566821] random: sshd: uninitialized urandom read (32 bytes read) [ 27.001478] random: sshd: uninitialized urandom read (32 bytes read) [ 27.725445] random: sshd: uninitialized urandom read (32 bytes read) [ 27.880475] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.50' (ECDSA) to the list of known hosts. [ 33.367805] random: sshd: uninitialized urandom read (32 bytes read) 2018/05/01 15:30:42 parsed 1 programs 2018/05/01 15:30:42 executed programs: 0 [ 33.826341] IPVS: ftp: loaded support on port[0] = 21 [ 33.870209] ================================================================== [ 33.877680] BUG: KASAN: slab-out-of-bounds in __sctp_v6_cmp_addr+0x4c7/0x530 [ 33.884849] Read of size 8 at addr ffff8801d70aa020 by task syz-executor0/4563 [ 33.892182] [ 33.893794] CPU: 0 PID: 4563 Comm: syz-executor0 Not tainted 4.17.0-rc3+ #52 [ 33.900957] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 33.910295] Call Trace: [ 33.912867] dump_stack+0x1b9/0x294 [ 33.916475] ? dump_stack_print_info.cold.2+0x52/0x52 [ 33.921643] ? printk+0x9e/0xba [ 33.924903] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 33.929669] ? kasan_check_write+0x14/0x20 [ 33.933883] print_address_description+0x6c/0x20b [ 33.938705] ? __sctp_v6_cmp_addr+0x4c7/0x530 [ 33.943179] kasan_report.cold.7+0x242/0x2fe [ 33.947569] __asan_report_load8_noabort+0x14/0x20 [ 33.952480] __sctp_v6_cmp_addr+0x4c7/0x530 [ 33.956781] sctp_inet6_cmp_addr+0x169/0x1a0 [ 33.961172] sctp_bind_addr_match+0x20b/0x400 [ 33.965648] ? sctp_bind_addrs_to_raw+0x370/0x370 [ 33.970474] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 33.975989] ? sctp_v4_available+0x1b1/0x200 [ 33.980378] ? sctp_inet6_bind_verify+0xb2/0x500 [ 33.985111] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 33.990626] sctp_do_bind+0x1c0/0x5f0 [ 33.994410] sctp_bindx_add+0x90/0x1a0 [ 33.998279] sctp_setsockopt_bindx+0x2ad/0x320 [ 34.002841] sctp_setsockopt+0x12c4/0x7000 [ 34.007057] ? graph_lock+0x170/0x170 [ 34.010839] ? sctp_setsockopt_paddr_thresholds+0x560/0x560 [ 34.016546] ? print_usage_bug+0xc0/0xc0 [ 34.020585] ? mark_held_locks+0xc9/0x160 [ 34.024720] ? page_add_new_anon_rmap+0x3ff/0x850 [ 34.029546] ? find_held_lock+0x36/0x1c0 [ 34.033595] ? __lock_acquire+0x7f5/0x5140 [ 34.037808] ? pudp_huge_clear_flush+0x230/0x230 [ 34.042544] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 34.047716] ? debug_check_no_locks_freed+0x310/0x310 [ 34.052888] ? get_futex_key+0x1e90/0x1e90 [ 34.057103] ? do_huge_pmd_anonymous_page+0x48d/0x1cc0 [ 34.062361] ? __thp_get_unmapped_area+0x180/0x180 [ 34.067274] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 34.072463] ? do_futex+0x249/0x27d0 [ 34.076156] ? find_held_lock+0x36/0x1c0 [ 34.080198] ? graph_lock+0x170/0x170 [ 34.083979] ? exit_robust_list+0x290/0x290 [ 34.088281] ? kasan_check_read+0x11/0x20 [ 34.092418] ? find_held_lock+0x36/0x1c0 [ 34.096462] ? lock_downgrade+0x8e0/0x8e0 [ 34.100591] ? kasan_check_read+0x11/0x20 [ 34.104718] ? rcu_is_watching+0x85/0x140 [ 34.108845] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 34.114019] ? __fget+0x40c/0x650 [ 34.117456] ? expand_files.part.8+0x9a0/0x9a0 [ 34.122017] ? lock_downgrade+0x8e0/0x8e0 [ 34.126320] ? handle_mm_fault+0x8c0/0xc70 [ 34.130544] compat_sock_common_setsockopt+0x10c/0x150 [ 34.135807] ? sock_common_setsockopt+0xe0/0xe0 [ 34.140456] __compat_sys_setsockopt+0x1ab/0x7c0 [ 34.145192] ? __compat_sys_getsockopt+0x7f0/0x7f0 [ 34.150104] ? __x32_compat_sys_get_robust_list+0x430/0x430 [ 34.155797] ? mm_fault_error+0x380/0x380 [ 34.159927] __ia32_compat_sys_setsockopt+0xbd/0x150 [ 34.165010] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 34.170006] do_fast_syscall_32+0x345/0xf9b [ 34.174309] ? do_int80_syscall_32+0x880/0x880 [ 34.178868] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 34.183604] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 34.189120] ? syscall_return_slowpath+0x30f/0x5c0 [ 34.194034] ? sysret32_from_system_call+0x5/0x46 [ 34.199031] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 34.203941] entry_SYSENTER_compat+0x70/0x7f [ 34.208332] RIP: 0023:0xf7f7ecb9 [ 34.211675] RSP: 002b:00000000ff8668fc EFLAGS: 00000286 ORIG_RAX: 000000000000016e [ 34.219375] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000084 [ 34.226622] RDX: 0000000000000064 RSI: 0000000020d24000 RDI: 0000000000000020 [ 34.233870] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 34.241128] R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000 [ 34.248376] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 34.256602] [ 34.258213] Allocated by task 4563: [ 34.261819] save_stack+0x43/0xd0 [ 34.265249] kasan_kmalloc+0xc4/0xe0 [ 34.268955] __kmalloc_node+0x47/0x70 [ 34.272735] kvmalloc_node+0x6b/0x100 [ 34.276521] vmemdup_user+0x2d/0xa0 [ 34.280132] sctp_setsockopt_bindx+0x5d/0x320 [ 34.284601] sctp_setsockopt+0x12c4/0x7000 [ 34.288814] compat_sock_common_setsockopt+0x10c/0x150 [ 34.294072] __compat_sys_setsockopt+0x1ab/0x7c0 [ 34.298807] __ia32_compat_sys_setsockopt+0xbd/0x150 [ 34.303889] do_fast_syscall_32+0x345/0xf9b [ 34.308188] entry_SYSENTER_compat+0x70/0x7f [ 34.312567] [ 34.314172] Freed by task 2860: [ 34.317440] save_stack+0x43/0xd0 [ 34.320877] __kasan_slab_free+0x11a/0x170 [ 34.325096] kasan_slab_free+0xe/0x10 [ 34.328894] kfree+0xd9/0x260 [ 34.331980] single_release+0x8f/0xb0 [ 34.335758] __fput+0x34d/0x890 [ 34.339014] ____fput+0x15/0x20 [ 34.342274] task_work_run+0x1e4/0x290 [ 34.346152] exit_to_usermode_loop+0x2bd/0x310 [ 34.350714] do_syscall_64+0x6ac/0x800 [ 34.354580] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 34.359743] [ 34.361348] The buggy address belongs to the object at ffff8801d70aa000 [ 34.361348] which belongs to the cache kmalloc-32 of size 32 [ 34.373819] The buggy address is located 0 bytes to the right of [ 34.373819] 32-byte region [ffff8801d70aa000, ffff8801d70aa020) [ 34.385933] The buggy address belongs to the page: [ 34.390843] page:ffffea00075c2a80 count:1 mapcount:0 mapping:ffff8801d70aa000 index:0xffff8801d70aafc1 [ 34.400266] flags: 0x2fffc0000000100(slab) [ 34.404479] raw: 02fffc0000000100 ffff8801d70aa000 ffff8801d70aafc1 000000010000003f [ 34.412339] raw: ffffea00075c29a0 ffffea00075c2ba0 ffff8801da8001c0 0000000000000000 [ 34.420195] page dumped because: kasan: bad access detected [ 34.425964] [ 34.427565] Memory state around the buggy address: [ 34.432469] ffff8801d70a9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 34.439803] ffff8801d70a9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 34.447147] >ffff8801d70aa000: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc [ 34.454479] ^ [ 34.458863] ffff8801d70aa080: fb fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc [ 34.466197] ffff8801d70aa100: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 34.473536] ================================================================== [ 34.480870] Disabling lock debugging due to kernel taint [ 34.486361] Kernel panic - not syncing: panic_on_warn set ... [ 34.486361] [ 34.493713] CPU: 0 PID: 4563 Comm: syz-executor0 Tainted: G B 4.17.0-rc3+ #52 [ 34.502270] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 34.511597] Call Trace: [ 34.514171] dump_stack+0x1b9/0x294 [ 34.517773] ? dump_stack_print_info.cold.2+0x52/0x52 [ 34.522942] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 34.527681] ? __sctp_v6_cmp_addr+0x3f0/0x530 [ 34.532152] panic+0x22f/0x4de [ 34.535322] ? add_taint.cold.5+0x16/0x16 [ 34.539451] ? do_raw_spin_unlock+0x9e/0x2e0 [ 34.543837] ? do_raw_spin_unlock+0x9e/0x2e0 [ 34.548223] ? __sctp_v6_cmp_addr+0x4c7/0x530 [ 34.552695] kasan_end_report+0x47/0x4f [ 34.556643] kasan_report.cold.7+0x76/0x2fe [ 34.560944] __asan_report_load8_noabort+0x14/0x20 [ 34.565849] __sctp_v6_cmp_addr+0x4c7/0x530 [ 34.570148] sctp_inet6_cmp_addr+0x169/0x1a0 [ 34.574535] sctp_bind_addr_match+0x20b/0x400 [ 34.579009] ? sctp_bind_addrs_to_raw+0x370/0x370 [ 34.583832] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 34.589347] ? sctp_v4_available+0x1b1/0x200 [ 34.593732] ? sctp_inet6_bind_verify+0xb2/0x500 [ 34.598462] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 34.603975] sctp_do_bind+0x1c0/0x5f0 [ 34.607752] sctp_bindx_add+0x90/0x1a0 [ 34.611616] sctp_setsockopt_bindx+0x2ad/0x320 [ 34.616173] sctp_setsockopt+0x12c4/0x7000 [ 34.620382] ? graph_lock+0x170/0x170 [ 34.624161] ? sctp_setsockopt_paddr_thresholds+0x560/0x560 [ 34.629847] ? print_usage_bug+0xc0/0xc0 [ 34.633885] ? mark_held_locks+0xc9/0x160 [ 34.638014] ? page_add_new_anon_rmap+0x3ff/0x850 [ 34.642833] ? find_held_lock+0x36/0x1c0 [ 34.646872] ? __lock_acquire+0x7f5/0x5140 [ 34.651083] ? pudp_huge_clear_flush+0x230/0x230 [ 34.655821] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 34.660992] ? debug_check_no_locks_freed+0x310/0x310 [ 34.666163] ? get_futex_key+0x1e90/0x1e90 [ 34.670374] ? do_huge_pmd_anonymous_page+0x48d/0x1cc0 [ 34.675629] ? __thp_get_unmapped_area+0x180/0x180 [ 34.680537] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 34.685703] ? do_futex+0x249/0x27d0 [ 34.689397] ? find_held_lock+0x36/0x1c0 [ 34.693444] ? graph_lock+0x170/0x170 [ 34.697224] ? exit_robust_list+0x290/0x290 [ 34.701522] ? kasan_check_read+0x11/0x20 [ 34.705646] ? find_held_lock+0x36/0x1c0 [ 34.709688] ? lock_downgrade+0x8e0/0x8e0 [ 34.713817] ? kasan_check_read+0x11/0x20 [ 34.717943] ? rcu_is_watching+0x85/0x140 [ 34.722067] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 34.727234] ? __fget+0x40c/0x650 [ 34.730667] ? expand_files.part.8+0x9a0/0x9a0 [ 34.735226] ? lock_downgrade+0x8e0/0x8e0 [ 34.739352] ? handle_mm_fault+0x8c0/0xc70 [ 34.743565] compat_sock_common_setsockopt+0x10c/0x150 [ 34.748819] ? sock_common_setsockopt+0xe0/0xe0 [ 34.753465] __compat_sys_setsockopt+0x1ab/0x7c0 [ 34.758199] ? __compat_sys_getsockopt+0x7f0/0x7f0 [ 34.763106] ? __x32_compat_sys_get_robust_list+0x430/0x430 [ 34.768793] ? mm_fault_error+0x380/0x380 [ 34.772920] __ia32_compat_sys_setsockopt+0xbd/0x150 [ 34.778001] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 34.782994] do_fast_syscall_32+0x345/0xf9b [ 34.787293] ? do_int80_syscall_32+0x880/0x880 [ 34.791853] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 34.796588] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 34.802274] ? syscall_return_slowpath+0x30f/0x5c0 [ 34.807182] ? sysret32_from_system_call+0x5/0x46 [ 34.812000] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 34.816820] entry_SYSENTER_compat+0x70/0x7f [ 34.821204] RIP: 0023:0xf7f7ecb9 [ 34.824541] RSP: 002b:00000000ff8668fc EFLAGS: 00000286 ORIG_RAX: 000000000000016e [ 34.832226] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000084 [ 34.839472] RDX: 0000000000000064 RSI: 0000000020d24000 RDI: 0000000000000020 [ 34.846720] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 34.853965] R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000 [ 34.861210] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 34.868830] Dumping ftrace buffer: [ 34.872351] (ftrace buffer empty) [ 34.876035] Kernel Offset: disabled [ 34.879638] Rebooting in 86400 seconds..