[....] Starting file context maintaining daemon: restorecond [ ok ].
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 61.427239] random: sshd: uninitialized urandom read (32 bytes read)
[ 61.881184] kauditd_printk_skb: 7 callbacks suppressed
[ 61.881194] audit: type=1400 audit(1554999568.636:35): avc: denied { map } for pid=7355 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 61.930990] random: sshd: uninitialized urandom read (32 bytes read)
[ 62.517717] random: sshd: uninitialized urandom read (32 bytes read)
[ 62.714502] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.228' (ECDSA) to the list of known hosts.
[ 68.290722] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 68.415435] audit: type=1400 audit(1554999575.166:36): avc: denied { map } for pid=7367 comm="syz-executor168" path="/root/syz-executor168552657" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 68.422521] ==================================================================
[ 68.449419] BUG: KASAN: slab-out-of-bounds in tipc_nametbl_lookup_dst_nodes+0x4cb/0x4e0
[ 68.457562] Read of size 4 at addr ffff8880a5c4c290 by task syz-executor168/7367
[ 68.465306]
[ 68.466930] CPU: 1 PID: 7367 Comm: syz-executor168 Not tainted 4.14.111 #1
[ 68.473934] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.483439] Call Trace:
[ 68.486026]  dump_stack+0x138/0x19c
[ 68.490629]  ? tipc_nametbl_lookup_dst_nodes+0x4cb/0x4e0
[ 68.496076]  print_address_description.cold+0x7c/0x1dc
[ 68.501376]  ? tipc_nametbl_lookup_dst_nodes+0x4cb/0x4e0
[ 68.506826]  kasan_report.cold+0xaf/0x2b5
[ 68.510973]  __asan_report_load4_noabort+0x14/0x20
[ 68.515908]  tipc_nametbl_lookup_dst_nodes+0x4cb/0x4e0
[ 68.521308]  tipc_sendmcast+0x5a2/0xb70
[ 68.525295]  ? tipc_socketpair+0x640/0x640
[ 68.529538]  ? save_trace+0x290/0x290
[ 68.533339]  ? __lock_acquire+0x5f9/0x45e0
[ 68.537590]  ? is_bpf_text_address+0x7f/0x120
[ 68.542106]  ? find_held_lock+0x35/0x130
[ 68.546174]  ? is_bpf_text_address+0x7f/0x120
[ 68.550674]  __tipc_sendmsg+0xc7f/0x10f0
[ 68.554748]  ? __tipc_sendmsg+0xc7f/0x10f0
[ 68.559696]  ? avc_has_perm+0x273/0x4b0
[ 68.563673]  ? tipc_sendmcast+0xb70/0xb70
[ 68.567907]  ? check_noncircular+0x20/0x20
[ 68.572410]  ? __lock_acquire+0x5f9/0x45e0
[ 68.576651]  ? __lockdep_init_map+0x10c/0x570
[ 68.581565]  ? lockdep_init_map+0x9/0x10
[ 68.586251]  __tipc_sendstream+0x71e/0x970
[ 68.590623]  ? save_trace+0x290/0x290
[ 68.594438]  ? tipc_connect+0x4d0/0x4d0
[ 68.598415]  ? mark_held_locks+0xb1/0x100
[ 68.602758]  ? __local_bh_enable_ip+0x99/0x1a0
[ 68.607368]  ? __local_bh_enable_ip+0x99/0x1a0
[ 68.611971]  tipc_sendstream+0x53/0x80
[ 68.615868]  tipc_send_packet+0x34/0x50
[ 68.619850]  ? tipc_sendstream+0x80/0x80
[ 68.623927]  sock_sendmsg+0xd0/0x110
[ 68.627646]  ___sys_sendmsg+0x70c/0x850
[ 68.631620]  ? copy_msghdr_from_user+0x3f0/0x3f0
[ 68.636377]  ? _raw_spin_unlock+0x2d/0x50
[ 68.640919]  ? do_huge_pmd_anonymous_page+0x2fc/0x1470
[ 68.646402]  ? __thp_get_unmapped_area+0x130/0x130
[ 68.651339]  ? __handle_mm_fault+0x6a3/0x3470
[ 68.655871]  ? __do_page_fault+0x4e9/0xb80
[ 68.660134]  ? __fget_light+0x172/0x1f0
[ 68.664136]  ? __fdget+0x1b/0x20
[ 68.667502]  ? sockfd_lookup_light+0xb4/0x160
[ 68.672022]  __sys_sendmsg+0xb9/0x140
[ 68.675922]  ? SyS_shutdown+0x180/0x180
[ 68.679903]  SyS_sendmsg+0x2d/0x50
[ 68.683635]  ? __sys_sendmsg+0x140/0x140
[ 68.687721]  do_syscall_64+0x1eb/0x630
[ 68.691606]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 68.696453]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 68.701634] RIP: 0033:0x440239
[ 68.704810] RSP: 002b:00007ffc328472e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 68.712639] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440239
[ 68.719900] RDX: 0000000000000000 RSI: 0000000020316000 RDI: 0000000000000004
[ 68.727198] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 68.734571] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000401ac0
[ 68.742030] R13: 0000000000401b50 R14: 0000000000000000 R15: 0000000000000000
[ 68.749333]
[ 68.750960] Allocated by task 7367:
[ 68.754668]  save_stack_trace+0x16/0x20
[ 68.758636]  save_stack+0x45/0xd0
[ 68.762096]  kasan_kmalloc+0xce/0xf0
[ 68.765978]  kmem_cache_alloc_trace+0x152/0x790
[ 68.770664]  tipc_nameseq_create+0x83/0x2e0
[ 68.775005]  tipc_nametbl_insert_publ+0x6ae/0x1400
[ 68.780026]  tipc_nametbl_publish+0x20f/0x3f0
[ 68.784561]  tipc_bind+0x2d3/0x610
[ 68.788098]  SYSC_bind+0x1d9/0x220
[ 68.791654]  SyS_bind+0x24/0x30
[ 68.794935]  do_syscall_64+0x1eb/0x630
[ 68.798912]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 68.804095]
[ 68.805801] Freed by task 17:
[ 68.808924]  save_stack_trace+0x16/0x20
[ 68.813305]  save_stack+0x45/0xd0
[ 68.816850]  kasan_slab_free+0x75/0xc0
[ 68.820732]  kfree+0xcc/0x270
[ 68.823830]  selinux_cred_free+0x51/0x80
[ 68.827881]  security_cred_free+0x7f/0xc0
[ 68.832049]  put_cred_rcu+0xe6/0x300
[ 68.835775]  rcu_process_callbacks+0x7c0/0x12c0
[ 68.840442]  __do_softirq+0x24e/0x9ae
[ 68.844245]
[ 68.845872] The buggy address belongs to the object at ffff8880a5c4c280
[ 68.845872]  which belongs to the cache kmalloc-32 of size 32
[ 68.858376] The buggy address is located 16 bytes inside of
[ 68.858376]  32-byte region [ffff8880a5c4c280, ffff8880a5c4c2a0)
[ 68.870157] The buggy address belongs to the page:
[ 68.875082] page:ffffea0002971300 count:1 mapcount:0 mapping:ffff8880a5c4c000 index:0xffff8880a5c4cfc1
[ 68.884718] flags: 0x1fffc0000000100(slab)
[ 68.888968] raw: 01fffc0000000100 ffff8880a5c4c000 ffff8880a5c4cfc1 000000010000003b
[ 68.896879] raw: ffffea0002970d60 ffffea00029b8c60 ffff8880aa8001c0 0000000000000000
[ 68.904955] page dumped because: kasan: bad access detected
[ 68.910915]
[ 68.912558] Memory state around the buggy address:
[ 68.917532]  ffff8880a5c4c180: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 68.924890]  ffff8880a5c4c200: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 68.932246] >ffff8880a5c4c280: 00 00 fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 68.939679]                          ^
[ 68.943568]  ffff8880a5c4c300: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 68.950923]  ffff8880a5c4c380: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 68.958282] ==================================================================
[ 68.965654] Disabling lock debugging due to kernel taint
[ 68.971589] Kernel panic - not syncing: panic_on_warn set ...
[ 68.971589]
[ 68.978968] CPU: 1 PID: 7367 Comm: syz-executor168 Tainted: G B 4.14.111 #1
[ 68.987210] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.996582] Call Trace:
[ 68.999169]  dump_stack+0x138/0x19c
[ 69.002796]  ? tipc_nametbl_lookup_dst_nodes+0x4cb/0x4e0
[ 69.008259]  panic+0x1f2/0x438
[ 69.011450]  ? add_taint.cold+0x16/0x16
[ 69.015419]  kasan_end_report+0x47/0x4f
[ 69.019390]  kasan_report.cold+0x136/0x2b5
[ 69.023662]  __asan_report_load4_noabort+0x14/0x20
[ 69.028590]  tipc_nametbl_lookup_dst_nodes+0x4cb/0x4e0
[ 69.033893]  tipc_sendmcast+0x5a2/0xb70
[ 69.037967]  ? tipc_socketpair+0x640/0x640
[ 69.042207]  ? save_trace+0x290/0x290
[ 69.046221]  ? __lock_acquire+0x5f9/0x45e0
[ 69.050469]  ? is_bpf_text_address+0x7f/0x120
[ 69.055070]  ? find_held_lock+0x35/0x130
[ 69.059211]  ? is_bpf_text_address+0x7f/0x120
[ 69.063722]  __tipc_sendmsg+0xc7f/0x10f0
[ 69.067875]  ? __tipc_sendmsg+0xc7f/0x10f0
[ 69.072104]  ? avc_has_perm+0x273/0x4b0
[ 69.076111]  ? tipc_sendmcast+0xb70/0xb70
[ 69.080361]  ? check_noncircular+0x20/0x20
[ 69.084610]  ? __lock_acquire+0x5f9/0x45e0
[ 69.088866]  ? __lockdep_init_map+0x10c/0x570
[ 69.093378]  ? lockdep_init_map+0x9/0x10
[ 69.097433]  __tipc_sendstream+0x71e/0x970
[ 69.101667]  ? save_trace+0x290/0x290
[ 69.105476]  ? tipc_connect+0x4d0/0x4d0
[ 69.109534]  ? mark_held_locks+0xb1/0x100
[ 69.113696]  ? __local_bh_enable_ip+0x99/0x1a0
[ 69.118481]  ? __local_bh_enable_ip+0x99/0x1a0
[ 69.123080]  tipc_sendstream+0x53/0x80
[ 69.126981]  tipc_send_packet+0x34/0x50
[ 69.130976]  ? tipc_sendstream+0x80/0x80
[ 69.135055]  sock_sendmsg+0xd0/0x110
[ 69.139290]  ___sys_sendmsg+0x70c/0x850
[ 69.143296]  ? copy_msghdr_from_user+0x3f0/0x3f0
[ 69.148054]  ? _raw_spin_unlock+0x2d/0x50
[ 69.152202]  ? do_huge_pmd_anonymous_page+0x2fc/0x1470
[ 69.157483]  ? __thp_get_unmapped_area+0x130/0x130
[ 69.162411]  ? __handle_mm_fault+0x6a3/0x3470
[ 69.167029]  ? __do_page_fault+0x4e9/0xb80
[ 69.171282]  ? __fget_light+0x172/0x1f0
[ 69.175271]  ? __fdget+0x1b/0x20
[ 69.178658]  ? sockfd_lookup_light+0xb4/0x160
[ 69.183188]  __sys_sendmsg+0xb9/0x140
[ 69.186986]  ? SyS_shutdown+0x180/0x180
[ 69.190958]  SyS_sendmsg+0x2d/0x50
[ 69.194498]  ? __sys_sendmsg+0x140/0x140
[ 69.198580]  do_syscall_64+0x1eb/0x630
[ 69.202469]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 69.207317]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 69.212502] RIP: 0033:0x440239
[ 69.215796] RSP: 002b:00007ffc328472e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 69.223611] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440239
[ 69.230876] RDX: 0000000000000000 RSI: 0000000020316000 RDI: 0000000000000004
[ 69.238164] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 69.245706] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000401ac0
[ 69.252994] R13: 0000000000401b50 R14: 0000000000000000 R15: 0000000000000000
[ 69.261317] Kernel Offset: disabled
[ 69.264972] Rebooting in 86400 seconds..