Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 32.682350] random: sshd: uninitialized urandom read (32 bytes read)
[ 33.031928] kauditd_printk_skb: 9 callbacks suppressed
[ 33.031935] audit: type=1400 audit(1571275199.194:35): avc: denied { map } for pid=6816 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 33.097098] random: sshd: uninitialized urandom read (32 bytes read)
[ 33.653204] random: sshd: uninitialized urandom read (32 bytes read)
[ 33.836712] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.33' (ECDSA) to the list of known hosts.
[ 39.328756] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 39.442382] audit: type=1400 audit(1571275205.604:36): avc: denied { map } for pid=6829 comm="syz-executor505" path="/root/syz-executor505359007" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 39.470945] ==================================================================
[ 39.478626] BUG: KASAN: slab-out-of-bounds in bpf_skb_change_head+0x4f3/0x600
[ 39.485893] Read of size 4 at addr ffff88809fb49040 by task syz-executor505/6829
[ 39.493415]
[ 39.495034] CPU: 1 PID: 6829 Comm: syz-executor505 Not tainted 4.14.149 #0
[ 39.502220] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.511567] Call Trace:
[ 39.514150]  dump_stack+0x138/0x197
[ 39.517768]  ? bpf_skb_change_head+0x4f3/0x600
[ 39.522973]  print_address_description.cold+0x7c/0x1dc
[ 39.528339]  ? bpf_skb_change_head+0x4f3/0x600
[ 39.532925]  kasan_report.cold+0xa9/0x2af
[ 39.537069]  __asan_report_load4_noabort+0x14/0x20
[ 39.541987]  bpf_skb_change_head+0x4f3/0x600
[ 39.546382]  ? __lock_acquire+0x5f7/0x4620
[ 39.550749]  ? build_skb+0x1f/0x160
[ 39.554827]  ? bpf_prog_test_run_skb+0x157/0x9a0
[ 39.559605]  ? SyS_bpf+0x6ad/0x2da8
[ 39.563232]  bpf_prog_adaf3e3433c58482+0xbf5/0x1000
[ 39.568249]  ? trace_hardirqs_on+0x10/0x10
[ 39.572533]  ? trace_hardirqs_on+0x10/0x10
[ 39.576759]  ? bpf_test_run+0x44/0x330
[ 39.580631]  ? find_held_lock+0x35/0x130
[ 39.584680]  ? bpf_test_run+0x44/0x330
[ 39.588592]  ? lock_acquire+0x16f/0x430
[ 39.592708]  ? check_preemption_disabled+0x3c/0x250
[ 39.597764]  ? bpf_test_run+0xa8/0x330
[ 39.601652]  ? bpf_prog_test_run_skb+0x6c2/0x9a0
[ 39.606456]  ? bpf_test_init.isra.0+0xe0/0xe0
[ 39.610947]  ? __bpf_prog_get+0x153/0x1a0
[ 39.615161]  ? SyS_bpf+0x6ad/0x2da8
[ 39.620088]  ? __do_page_fault+0x4e9/0xb80
[ 39.624335]  ? bpf_test_init.isra.0+0xe0/0xe0
[ 39.628824]  ? bpf_prog_get+0x20/0x20
[ 39.632675]  ? lock_downgrade+0x740/0x740
[ 39.636822]  ? up_read+0x1a/0x40
[ 39.640178]  ? __do_page_fault+0x358/0xb80
[ 39.644398]  ? bpf_prog_get+0x20/0x20
[ 39.648217]  ? do_syscall_64+0x1e8/0x640
[ 39.652263]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 39.657094]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 39.662443]
[ 39.664055] Allocated by task 0:
[ 39.667400] (stack is not available)
[ 39.671094]
[ 39.672744] Freed by task 0:
[ 39.675743] (stack is not available)
[ 39.679434]
[ 39.681046] The buggy address belongs to the object at ffff88809fb49080
[ 39.681046]  which belongs to the cache skbuff_head_cache of size 232
[ 39.694786] The buggy address is located 64 bytes to the left of
[ 39.694786]  232-byte region [ffff88809fb49080, ffff88809fb49168)
[ 39.708295] The buggy address belongs to the page:
[ 39.713208] page:ffffea00027ed240 count:1 mapcount:0 mapping:ffff88809fb49080 index:0x0
[ 39.721455] flags: 0x1fffc0000000100(slab)
[ 39.725678] raw: 01fffc0000000100 ffff88809fb49080 0000000000000000 000000010000000c
[ 39.733993] raw: ffffea0002551d20 ffffea0002618420 ffff8880a9e82d80 0000000000000000
[ 39.741939] page dumped because: kasan: bad access detected
[ 39.747624]
[ 39.749232] Memory state around the buggy address:
[ 39.754156]  ffff88809fb48f00: fb fc fc fb fb fb fb fb fc fc fb fb fb fb fb fc
[ 39.761495]  ffff88809fb48f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.768830] >ffff88809fb49000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.776164]                                            ^
[ 39.781589]  ffff88809fb49080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.788925]  ffff88809fb49100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.796257] ==================================================================
[ 39.803588] Disabling lock debugging due to kernel taint
[ 39.809248] Kernel panic - not syncing: panic_on_warn set ...
[ 39.809248]
[ 39.816612] CPU: 1 PID: 6829 Comm: syz-executor505 Tainted: G B 4.14.149 #0
[ 39.824821] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.834148] Call Trace:
[ 39.836714]  dump_stack+0x138/0x197
[ 39.840316]  ? bpf_skb_change_head+0x4f3/0x600
[ 39.844871]  panic+0x1f2/0x426
[ 39.848037]  ? add_taint.cold+0x16/0x16
[ 39.851988]  kasan_end_report+0x47/0x4f
[ 39.855936]  kasan_report.cold+0x130/0x2af
[ 39.860147]  __asan_report_load4_noabort+0x14/0x20
[ 39.865138]  bpf_skb_change_head+0x4f3/0x600
[ 39.869524]  ? __lock_acquire+0x5f7/0x4620
[ 39.873743]  ? build_skb+0x1f/0x160
[ 39.877353]  ? bpf_prog_test_run_skb+0x157/0x9a0
[ 39.882082]  ? SyS_bpf+0x6ad/0x2da8
[ 39.885686]  bpf_prog_adaf3e3433c58482+0xbf5/0x1000
[ 39.890679]  ? trace_hardirqs_on+0x10/0x10
[ 39.895333]  ? trace_hardirqs_on+0x10/0x10
[ 39.899539]  ? bpf_test_run+0x44/0x330
[ 39.903408]  ? find_held_lock+0x35/0x130
[ 39.908226]  ? bpf_test_run+0x44/0x330
[ 39.912097]  ? lock_acquire+0x16f/0x430
[ 39.916052]  ? check_preemption_disabled+0x3c/0x250
[ 39.921303]  ? bpf_test_run+0xa8/0x330
[ 39.925175]  ? bpf_prog_test_run_skb+0x6c2/0x9a0
[ 39.929905]  ? bpf_test_init.isra.0+0xe0/0xe0
[ 39.934390]  ? __bpf_prog_get+0x153/0x1a0
[ 39.938523]  ? SyS_bpf+0x6ad/0x2da8
[ 39.942127]  ? __do_page_fault+0x4e9/0xb80
[ 39.946371]  ? bpf_test_init.isra.0+0xe0/0xe0
[ 39.950846]  ? bpf_prog_get+0x20/0x20
[ 39.954630]  ? lock_downgrade+0x740/0x740
[ 39.958767]  ? up_read+0x1a/0x40
[ 39.962112]  ? __do_page_fault+0x358/0xb80
[ 39.966325]  ? bpf_prog_get+0x20/0x20
[ 39.970206]  ? do_syscall_64+0x1e8/0x640
[ 39.974254]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 39.979089]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 39.985838] Kernel Offset: disabled
[ 39.989476] Rebooting in 86400 seconds..