[ ok ] Starting enhanced syslogd: rsyslogd.
[   11.028390] audit: type=1400 audit(1515695401.220:4): avc:  denied  { syslog } for  pid=3174 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.8' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 22.815273] ==================================================================
[ 22.816648] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0x103/0x120
[ 22.817659] Read of size 8 at addr ffff8801c92c6140 by task syzkaller228850/3330
[ 22.818819]
[ 22.819051] CPU: 1 PID: 3330 Comm: syzkaller228850 Not tainted 4.9.76-g9154940 #20
[ 22.820160] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 22.821467]  ffff8801c078fa50 ffffffff81d93149 ffffea000724b180 ffff8801c92c6140
[ 22.822614]  0000000000000000 ffff8801c92c6140 ffff8801c8440238 ffff8801c078fa88
[ 22.823760]  ffffffff8153cb43 ffff8801c92c6140 0000000000000008 0000000000000000
[ 22.824905] Call Trace:
[ 22.825276]  [] dump_stack+0xc1/0x128
[ 22.826003]  [] print_address_description+0x73/0x280
[ 22.826932]  [] kasan_report+0x275/0x360
[ 22.827757]  [] ? sg_remove_request+0x103/0x120
[ 22.828609]  [] __asan_report_load8_noabort+0x14/0x20
[ 22.829512]  [] sg_remove_request+0x103/0x120
[ 22.830308]  [] sg_finish_rem_req+0x295/0x340
[ 22.831106]  [] sg_read+0xa1c/0x1440
[ 22.831805]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 22.832682]  [] ? __raw_spin_lock_init+0x1c/0x100
[ 22.833528]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 22.834468]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 22.835408]  [] __vfs_read+0x103/0x670
[ 22.840824]  [] ? default_llseek+0x290/0x290
[ 22.846776]  [] ? fsnotify+0x86/0xf30
[ 22.852114]  [] ? fsnotify+0xf30/0xf30
[ 22.857529]  [] ? avc_policy_seqno+0x9/0x20
[ 22.863385]  [] ? selinux_file_permission+0x82/0x460
[ 22.870025]  [] ? security_file_permission+0x89/0x1e0
[ 22.876754]  [] ? rw_verify_area+0xe5/0x2b0
[ 22.882612]  [] vfs_read+0x11e/0x380
[ 22.887866]  [] SyS_read+0xd9/0x1b0
[ 22.893039]  [] ? vfs_copy_file_range+0x740/0x740
[ 22.899430]  [] ? do_fast_syscall_32+0xcf/0x890
[ 22.905652]  [] ? vfs_copy_file_range+0x740/0x740
[ 22.912038]  [] do_fast_syscall_32+0x2f7/0x890
[ 22.918155]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 22.924790]  [] entry_SYSENTER_compat+0x74/0x83
[ 22.930984]
[ 22.932591] Allocated by task 0:
[ 22.935922] (stack is not available)
[ 22.939595]
[ 22.941186] Freed by task 0:
[ 22.944165] (stack is not available)
[ 22.947838]
[ 22.949431] The buggy address belongs to the object at ffff8801c92c6100
[ 22.949431]  which belongs to the cache fasync_cache of size 96
[ 22.962057] The buggy address is located 64 bytes inside of
[ 22.962057]  96-byte region [ffff8801c92c6100, ffff8801c92c6160)
[ 22.973734] The buggy address belongs to the page:
[ 22.978642] page:ffffea000724b180 count:1 mapcount:0 mapping:          (null) index:0x0
[ 22.986879] flags: 0x8000000000000080(slab)
[ 22.991180] page dumped because: kasan: bad access detected
[ 22.996858]
[ 22.998451] Memory state around the buggy address:
[ 23.003349]  ffff8801c92c6000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 23.010674]  ffff8801c92c6080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.018006] >ffff8801c92c6100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.025337]                                            ^
[ 23.030764]  ffff8801c92c6180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.038092]  ffff8801c92c6200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.045420] ==================================================================
[ 23.052752] Disabling lock debugging due to kernel taint
[ 23.059261] Kernel panic - not syncing: panic_on_warn set ...
[ 23.059261]
[ 23.066624] CPU: 1 PID: 3330 Comm: syzkaller228850 Tainted: G    B   4.9.76-g9154940 #20
[ 23.075612] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 23.084940]  ffff8801c078f9a8 ffffffff81d93149 ffffffff84195c17 ffff8801c078fa80
[ 23.092894]  0000000000000000 ffff8801c92c6140 ffff8801c8440238 ffff8801c078fa70
[ 23.100836]  ffffffff8142e371 0000000041b58ab3 ffffffff84189678 ffffffff8142e1b5
[ 23.108793] Call Trace:
[ 23.111354]  [] dump_stack+0xc1/0x128
[ 23.116691]  [] panic+0x1bc/0x3a8
[ 23.121686]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 23.129882]  [] ? preempt_schedule+0x25/0x30
[ 23.135822]  [] ? ___preempt_schedule+0x16/0x18
[ 23.142026]  [] kasan_end_report+0x50/0x50
[ 23.147789]  [] kasan_report+0x167/0x360
[ 23.153392]  [] ? sg_remove_request+0x103/0x120
[ 23.159589]  [] __asan_report_load8_noabort+0x14/0x20
[ 23.166309]  [] sg_remove_request+0x103/0x120
[ 23.172335]  [] sg_finish_rem_req+0x295/0x340
[ 23.178363]  [] sg_read+0xa1c/0x1440
[ 23.183612]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 23.190244]  [] ? __raw_spin_lock_init+0x1c/0x100
[ 23.196618]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 23.203426]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 23.210070]  [] __vfs_read+0x103/0x670
[ 23.215490]  [] ? default_llseek+0x290/0x290
[ 23.221427]  [] ? fsnotify+0x86/0xf30
[ 23.226767]  [] ? fsnotify+0xf30/0xf30
[ 23.232186]  [] ? avc_policy_seqno+0x9/0x20
[ 23.238036]  [] ? selinux_file_permission+0x82/0x460
[ 23.244679]  [] ? security_file_permission+0x89/0x1e0
[ 23.251406]  [] ? rw_verify_area+0xe5/0x2b0
[ 23.257266]  [] vfs_read+0x11e/0x380
[ 23.262684]  [] SyS_read+0xd9/0x1b0
[ 23.267839]  [] ? vfs_copy_file_range+0x740/0x740
[ 23.274209]  [] ? do_fast_syscall_32+0xcf/0x890
[ 23.280417]  [] ? vfs_copy_file_range+0x740/0x740
[ 23.286791]  [] do_fast_syscall_32+0x2f7/0x890
[ 23.292902]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 23.299532]  [] entry_SYSENTER_compat+0x74/0x83
[ 23.306123] Dumping ftrace buffer:
[ 23.309633]    (ftrace buffer empty)
[ 23.313313] Kernel Offset: disabled
[ 23.316905] Rebooting in 86400 seconds..