[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.250' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   33.262807] audit: type=1400 audit(1601384703.135:8): avc: denied { execmem } for pid=6363 comm="syz-executor906" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[   33.272118] ==================================================================
[   33.290266] BUG: KASAN: slab-out-of-bounds in squashfs_get_id+0x181/0x1a0
[   33.297197] Read of size 8 at addr ffff8880a42149e0 by task syz-executor906/6363
[   33.304825]
[   33.306454] CPU: 0 PID: 6363 Comm: syz-executor906 Not tainted 4.14.198-syzkaller #0
[   33.314331] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.324323] Call Trace:
[   33.326929]  dump_stack+0x1b2/0x283
[   33.330567]  print_address_description.cold+0x54/0x1d3
[   33.336109]  kasan_report_error.cold+0x8a/0x194
[   33.341014]  ? squashfs_get_id+0x181/0x1a0
[   33.345250]  __asan_report_load8_noabort+0x68/0x70
[   33.350284]  ? squashfs_get_id+0x181/0x1a0
[   33.354496]  squashfs_get_id+0x181/0x1a0
[   33.358736]  ? squashfs_read_fragment_index_table+0xc0/0xc0
[   33.364427]  ? squashfs_read_metadata+0x2a6/0x370
[   33.369253]  squashfs_read_inode+0x171/0x1840
[   33.373797]  ? squashfs_read_id_index_table+0xc0/0xc0
[   33.378973]  ? new_inode+0xc7/0xf0
[   33.382494]  ? lock_acquire+0x170/0x3f0
[   33.386471]  ? do_raw_spin_unlock+0x164/0x220
[   33.390962]  squashfs_fill_super+0x1138/0x1640
[   33.396232]  mount_bdev+0x2b3/0x360
[   33.399863]  ? squashfs_alloc_inode+0x40/0x40
[   33.405033]  mount_fs+0x92/0x2a0
[   33.408557]  vfs_kern_mount.part.0+0x5b/0x470
[   33.413089]  do_mount+0xe53/0x2a00
[   33.416628]  ? retint_kernel+0x2d/0x2d
[   33.420526]  ? copy_mount_string+0x40/0x40
[   33.424756]  ? memset+0x20/0x40
[   33.431072]  ? copy_mount_options+0x1fa/0x2f0
[   33.435833]  ? copy_mnt_ns+0xa30/0xa30
[   33.439700]  SyS_mount+0xa8/0x120
[   33.443140]  ? copy_mnt_ns+0xa30/0xa30
[   33.447024]  do_syscall_64+0x1d5/0x640
[   33.450906]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   33.456098] RIP: 0033:0x446d2a
[   33.459289] RSP: 002b:00007ffe83cc92b8 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[   33.466976] RAX: ffffffffffffffda RBX: 00007ffe83cc9310 RCX: 0000000000446d2a
[   33.474229] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffe83cc92d0
[   33.481475] RBP: 00007ffe83cc92d0 R08: 00007ffe83cc9310 R09: 00007ffe00000015
[   33.488724] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001
[   33.495971] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[   33.503254]
[   33.504887] Allocated by task 4674:
[   33.508502]  kasan_kmalloc+0xeb/0x160
[   33.512291]  __kmalloc_track_caller+0x155/0x400
[   33.516953]  kmemdup_nul+0x2d/0xa0
[   33.520477]  security_context_to_sid_core+0x94/0x3d0
[   33.525571]  selinux_inode_setsecurity+0x155/0x350
[   33.530481]  selinux_inode_notifysecctx+0x2b/0x50
[   33.535307]  security_inode_notifysecctx+0x76/0xb0
[   33.540318]  kernfs_refresh_inode+0x328/0x4a0
[   33.544889]  kernfs_iop_permission+0x59/0x90
[   33.549305]  __inode_permission+0x1f1/0x2f0
[   33.553667]  link_path_walk+0x86a/0x10a0
[   33.557724]  path_lookupat+0xcb/0x780
[   33.561519]  filename_lookup+0x18a/0x510
[   33.565585]  vfs_statx+0xd1/0x180
[   33.569024]  SyS_newlstat+0x83/0xe0
[   33.572649]  do_syscall_64+0x1d5/0x640
[   33.576522]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   33.581840]
[   33.583446] Freed by task 4674:
[   33.586704]  kasan_slab_free+0xc3/0x1a0
[   33.590665]  kfree+0xc9/0x250
[   33.593893]  security_context_to_sid_core+0x28a/0x3d0
[   33.599074]  selinux_inode_setsecurity+0x155/0x350
[   33.604005]  selinux_inode_notifysecctx+0x2b/0x50
[   33.608987]  security_inode_notifysecctx+0x76/0xb0
[   33.614014]  kernfs_refresh_inode+0x328/0x4a0
[   33.618489]  kernfs_iop_permission+0x59/0x90
[   33.622893]  __inode_permission+0x1f1/0x2f0
[   33.627308]  link_path_walk+0x86a/0x10a0
[   33.631348]  path_lookupat+0xcb/0x780
[   33.635126]  filename_lookup+0x18a/0x510
[   33.639275]  vfs_statx+0xd1/0x180
[   33.642716]  SyS_newlstat+0x83/0xe0
[   33.646335]  do_syscall_64+0x1d5/0x640
[   33.650201]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   33.655376]
[   33.656980] The buggy address belongs to the object at ffff8880a42149c0
[   33.656980]  which belongs to the cache kmalloc-32 of size 32
[   33.669435] The buggy address is located 0 bytes to the right of
[   33.669435]  32-byte region [ffff8880a42149c0, ffff8880a42149e0)
[   33.681554] The buggy address belongs to the page:
[   33.686457] page:ffffea0002908500 count:1 mapcount:0 mapping:ffff8880a4214000 index:0xffff8880a4214fc1
[   33.695998] flags: 0xfffe0000000100(slab)
[   33.700163] raw: 00fffe0000000100 ffff8880a4214000 ffff8880a4214fc1 0000000100000010
[   33.708025] raw: ffffea0002905a20 ffffea0002902660 ffff88812fe501c0 0000000000000000
[   33.715886] page dumped because: kasan: bad access detected
[   33.721571]
[   33.723171] Memory state around the buggy address:
[   33.728073]  ffff8880a4214880: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   33.735409]  ffff8880a4214900: fb fb fb fb fc fc fc fc 00 00 01 fc fc fc fc fc
[   33.742829] >ffff8880a4214980: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[   33.750169]                                                        ^
[   33.756663]  ffff8880a4214a00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   33.764012]  ffff8880a4214a80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   33.772220] ==================================================================
[   33.779563] Disabling lock debugging due to kernel taint
[   33.786687] Kernel panic - not syncing: panic_on_warn set ...
[   33.786687]
[   33.794063] CPU: 0 PID: 6363 Comm: syz-executor906 Tainted: G    B            4.14.198-syzkaller #0
[   33.803146] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.812486] Call Trace:
[   33.815070]  dump_stack+0x1b2/0x283
[   33.818698]  panic+0x1f9/0x42d
[   33.821936]  ? add_taint.cold+0x16/0x16
[   33.825902]  ? ___preempt_schedule+0x16/0x18
[   33.830303]  kasan_end_report+0x43/0x49
[   33.834287]  kasan_report_error.cold+0xa7/0x194
[   33.838950]  ? squashfs_get_id+0x181/0x1a0
[   33.843252]  __asan_report_load8_noabort+0x68/0x70
[   33.848191]  ? squashfs_get_id+0x181/0x1a0
[   33.852464]  squashfs_get_id+0x181/0x1a0
[   33.856516]  ? squashfs_read_fragment_index_table+0xc0/0xc0
[   33.862221]  ? squashfs_read_metadata+0x2a6/0x370
[   33.867043]  squashfs_read_inode+0x171/0x1840
[   33.871530]  ? squashfs_read_id_index_table+0xc0/0xc0
[   33.876777]  ? new_inode+0xc7/0xf0
[   33.880408]  ? lock_acquire+0x170/0x3f0
[   33.884367]  ? do_raw_spin_unlock+0x164/0x220
[   33.888850]  squashfs_fill_super+0x1138/0x1640
[   33.893426]  mount_bdev+0x2b3/0x360
[   33.897041]  ? squashfs_alloc_inode+0x40/0x40
[   33.901524]  mount_fs+0x92/0x2a0
[   33.904909]  vfs_kern_mount.part.0+0x5b/0x470
[   33.909390]  do_mount+0xe53/0x2a00
[   33.913036]  ? retint_kernel+0x2d/0x2d
[   33.916901]  ? copy_mount_string+0x40/0x40
[   33.921116]  ? memset+0x20/0x40
[   33.924384]  ? copy_mount_options+0x1fa/0x2f0
[   33.928919]  ? copy_mnt_ns+0xa30/0xa30
[   33.932893]  SyS_mount+0xa8/0x120
[   33.936340]  ? copy_mnt_ns+0xa30/0xa30
[   33.940468]  do_syscall_64+0x1d5/0x640
[   33.945034]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   33.950206] RIP: 0033:0x446d2a
[   33.953417] RSP: 002b:00007ffe83cc92b8 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[   33.961292] RAX: ffffffffffffffda RBX: 00007ffe83cc9310 RCX: 0000000000446d2a
[   33.968551] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffe83cc92d0
[   33.975812] RBP: 00007ffe83cc92d0 R08: 00007ffe83cc9310 R09: 00007ffe00000015
[   33.983070] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001
[   33.990329] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[   33.998953] Kernel Offset: disabled
[   34.002640] Rebooting in 86400 seconds..
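Reading the report: the 8-byte read at ffff8880a42149e0 lands in the KASAN redzone directly after a 32-byte kmalloc-32 object, and the shadow byte of that object is fb, i.e. it is already freed. The "Allocated by task 4674" and "Freed by task 4674" stacks are an SELinux context lookup (kmemdup_nul under security_context_to_sid_core, reached from lstat(2)) in a different process from the mount(2) in task 6363, so they describe that neighbouring object, not the buffer squashfs_get_id read past. The helper below is an added triage example, not part of the syzkaller log or of the kernel: it parses a trimmed copy of this report (embedded as constructed input), decodes the shadow bytes with the generic-KASAN encodings of mm/kasan/kasan.h for kernels of this generation (an assumption; the fc/fb values match what the dump shows), and checks whether the alloc/free stacks share a PID or any non-generic frame with the faulting trace.

```python
"""Triage helper for a generic-KASAN report (added example, not part of the
syzkaller log above): map the faulting address onto the shadow dump and test
whether the printed alloc/free stacks can belong to the overrun buffer."""
import re

SHADOW_GRANULE = 8  # one shadow byte describes 8 bytes of kernel memory
# Encodings of non-addressable memory from mm/kasan/kasan.h (4.14-era values,
# assumed here); 0x00 = granule addressable, 0x01..0x07 = first N bytes only.
SHADOW_NAMES = {0xFC: "kmalloc redzone", 0xFB: "freed kmalloc object",
                0xFA: "global redzone", 0xFE: "page redzone", 0xFF: "free page"}
# Frames every syscall-originated stack shares; ignored when comparing stacks.
GENERIC_FRAMES = {"dump_stack", "do_syscall_64", "entry_SYSCALL_64_after_hwframe"}

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg timestamp prefix
BUG = re.compile(r"BUG: KASAN: (\S+) in ([\w.]+)\+0x")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)")
OBJECT = re.compile(r"The buggy address belongs to the object at ([0-9a-f]+)")
CACHE = re.compile(r"\s*which belongs to the cache (\S+) of size (\d+)")
SECTION = re.compile(r"(Call Trace):|(Allocated|Freed) by task (\d+):")
FRAME = re.compile(r"^\s+(?:\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
ROW = re.compile(r"^\s*>?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$")


def shadow_meaning(b):
    if 0 <= b <= 7:
        return "addressable" if b == 0 else f"first {b} bytes addressable"
    return SHADOW_NAMES.get(b, f"unknown 0x{b:02x}")


def parse_report(text):
    """Pull the header, the three stacks and the shadow rows out of a report."""
    r, section = {"shadow": {}, "stacks": {}}, None
    for raw in text.splitlines():
        line = TS.sub("", raw).rstrip()
        if m := BUG.match(line):
            r["bug"], r["func"] = m[1], m[2]
        elif m := ACCESS.match(line):
            r["access"], r["size"], r["addr"], r["pid"] = m[1], int(m[2]), int(m[3], 16), int(m[4])
        elif m := OBJECT.match(line):
            r["object"] = int(m[1], 16)
        elif m := CACHE.match(line):
            r["cache"], r["cache_size"] = m[1], int(m[2])
        elif m := SECTION.match(line):
            section = "fault" if m[1] else m[2].lower()
            r["stacks"][section] = []
            if m[3]:
                r[section + "_pid"] = int(m[3])
        elif m := ROW.match(line):
            r["shadow"][int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif section and (m := FRAME.match(line)):
            r["stacks"][section].append(m[1])
        else:
            section = None  # any other line terminates the current stack
    return r


def shadow_byte(r, addr):
    """(row_base, index, value) of the shadow byte that covers addr."""
    for base, row in r["shadow"].items():
        if base <= addr < base + len(row) * SHADOW_GRANULE:
            i = (addr - base) // SHADOW_GRANULE
            return base, i, row[i]
    raise KeyError(f"{addr:#x} is outside the dumped shadow rows")


def triage(text):
    r = parse_report(text)
    fault_sb, object_sb = (shadow_byte(r, a)[2] for a in (r["addr"], r["object"]))
    fault = set(r["stacks"]["fault"]) - GENERIC_FRAMES
    owner = {f for s in ("allocated", "freed") for f in r["stacks"].get(s, ())}
    return {
        "bug": r["bug"], "func": r["func"], "access": f"{r['access']} {r['size']}",
        "fault_shadow": shadow_meaning(fault_sb),
        # distance past the end of the object KASAN named as nearest
        "bytes_past_object_end": r["addr"] - (r["object"] + r["cache_size"]),
        "nearest_object_state": shadow_meaning(object_sb),
        # a shared PID or a shared non-generic frame would tie the printed
        # alloc/free stacks to the faulting code path
        "alloc_free_stacks_related": bool(fault & (owner - GENERIC_FRAMES))
        or r["pid"] == r.get("allocated_pid"),
    }


# Trimmed excerpt of the report above, used as constructed input for the example.
REPORT = """\
[   33.290266] BUG: KASAN: slab-out-of-bounds in squashfs_get_id+0x181/0x1a0
[   33.297197] Read of size 8 at addr ffff8880a42149e0 by task syz-executor906/6363
[   33.324323] Call Trace:
[   33.354496]  squashfs_get_id+0x181/0x1a0
[   33.369253]  squashfs_read_inode+0x171/0x1840
[   33.439700]  SyS_mount+0xa8/0x120
[   33.447024]  do_syscall_64+0x1d5/0x640
[   33.504887] Allocated by task 4674:
[   33.516953]  kmemdup_nul+0x2d/0xa0
[   33.520477]  security_context_to_sid_core+0x94/0x3d0
[   33.572649]  do_syscall_64+0x1d5/0x640
[   33.583446] Freed by task 4674:
[   33.590665]  kfree+0xc9/0x250
[   33.656980] The buggy address belongs to the object at ffff8880a42149c0
[   33.656980]  which belongs to the cache kmalloc-32 of size 32
[   33.723171] Memory state around the buggy address:
[   33.735409]  ffff8880a4214900: fb fb fb fb fc fc fc fc 00 00 01 fc fc fc fc fc
[   33.742829] >ffff8880a4214980: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
"""

if __name__ == "__main__":
    print(triage(REPORT))
```

Run directly it prints the triage dict. For this report triage() yields fault_shadow "kmalloc redzone", bytes_past_object_end 0 (matching "0 bytes to the right of 32-byte region"), nearest_object_state "freed kmalloc object" and alloc_free_stacks_related False; the last value is the check that stops a reader from treating the SELinux alloc/free stacks as the lifetime of the squashfs buffer. Note that do_syscall_64 appears in both the faulting and the allocating stack, which is why GENERIC_FRAMES has to be subtracted before the frame sets are intersected.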