[ 29.571504] audit: type=1800 audit(1565881580.404:33): pid=6742 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 29.600935] audit: type=1800 audit(1565881580.404:34): pid=6742 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 32.669880] random: sshd: uninitialized urandom read (32 bytes read)
[ 32.958167] audit: type=1400 audit(1565881583.784:35): avc: denied { map } for pid=6916 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 33.008873] random: sshd: uninitialized urandom read (32 bytes read)
[ 33.524448] random: sshd: uninitialized urandom read (32 bytes read)
[ 33.704493] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.117' (ECDSA) to the list of known hosts.
[ 39.185067] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 39.299665] audit: type=1400 audit(1565881590.124:36): avc: denied { map } for pid=6929 comm="syz-executor301" path="/root/syz-executor301029181" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 39.327590] ==================================================================
[ 39.335035] BUG: KASAN: slab-out-of-bounds in bpf_skb_change_tail+0xa7f/0xba0
[ 39.342290] Read of size 8 at addr ffff88809c1cd510 by task syz-executor301/6929
[ 39.349795]
[ 39.351406] CPU: 0 PID: 6929 Comm: syz-executor301 Not tainted 4.14.138 #34
[ 39.358497] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.367850] Call Trace:
[ 39.370422]  dump_stack+0x138/0x19c
[ 39.374033]  ? bpf_skb_change_tail+0xa7f/0xba0
[ 39.378599]  print_address_description.cold+0x7c/0x1dc
[ 39.383853]  ? bpf_skb_change_tail+0xa7f/0xba0
[ 39.390095]  kasan_report.cold+0xa9/0x2af
[ 39.394223]  __asan_report_load8_noabort+0x14/0x20
[ 39.399148]  bpf_skb_change_tail+0xa7f/0xba0
[ 39.403540]  ? __lock_acquire+0x5f7/0x4620
[ 39.407750]  ? build_skb+0x1f/0x160
[ 39.411355]  ? bpf_prog_test_run_skb+0x157/0x9a0
[ 39.416088]  ? SyS_bpf+0x749/0x38f3
[ 39.419694]  bpf_prog_ac477e10ee530e9d+0xe53/0x1000
[ 39.424697]  ? trace_hardirqs_on+0x10/0x10
[ 39.428910]  ? trace_hardirqs_on+0x10/0x10
[ 39.433145]  ? bpf_test_run+0x44/0x330
[ 39.437015]  ? find_held_lock+0x35/0x130
[ 39.441053]  ? bpf_test_run+0x44/0x330
[ 39.444922]  ? lock_acquire+0x16f/0x430
[ 39.448873]  ? check_preemption_disabled+0x3c/0x250
[ 39.453871]  ? bpf_test_run+0xa8/0x330
[ 39.457741]  ? bpf_prog_test_run_skb+0x6c2/0x9a0
[ 39.462476]  ? bpf_test_init.isra.0+0xe0/0xe0
[ 39.466950]  ? __bpf_prog_get+0x153/0x1a0
[ 39.471074]  ? SyS_bpf+0x749/0x38f3
[ 39.474680]  ? __do_page_fault+0x4e9/0xb80
[ 39.478889]  ? bpf_test_init.isra.0+0xe0/0xe0
[ 39.483372]  ? bpf_prog_get+0x20/0x20
[ 39.487151]  ? lock_downgrade+0x6e0/0x6e0
[ 39.491285]  ? up_read+0x1a/0x40
[ 39.494635]  ? __do_page_fault+0x358/0xb80
[ 39.498846]  ? bpf_prog_get+0x20/0x20
[ 39.502629]  ? do_syscall_64+0x1e8/0x640
[ 39.506664]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 39.511493]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 39.516927]
[ 39.518534] Allocated by task 0:
[ 39.521870] (stack is not available)
[ 39.525563]
[ 39.527163] Freed by task 0:
[ 39.530155] (stack is not available)
[ 39.533857]
[ 39.535460] The buggy address belongs to the object at ffff88809c1cd480
[ 39.535460]  which belongs to the cache skbuff_head_cache of size 232
[ 39.548700] The buggy address is located 144 bytes inside of
[ 39.548700]  232-byte region [ffff88809c1cd480, ffff88809c1cd568)
[ 39.567830] The buggy address belongs to the page:
[ 39.572769] page:ffffea0002707340 count:1 mapcount:0 mapping:ffff88809c1cd0c0 index:0x0
[ 39.580893] flags: 0x1fffc0000000100(slab)
[ 39.585128] raw: 01fffc0000000100 ffff88809c1cd0c0 0000000000000000 000000010000000c
[ 39.593012] raw: ffffea0002575fe0 ffff8880a9e18748 ffff88821b757240 0000000000000000
[ 39.600869] page dumped because: kasan: bad access detected
[ 39.606552]
[ 39.608153] Memory state around the buggy address:
[ 39.613056]  ffff88809c1cd400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.620405]  ffff88809c1cd480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.627769] >ffff88809c1cd500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.635189]                          ^
[ 39.639064]  ffff88809c1cd580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.646491]  ffff88809c1cd600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.654003] ==================================================================
[ 39.661339] Disabling lock debugging due to kernel taint
[ 39.667059] Kernel panic - not syncing: panic_on_warn set ...
[ 39.667059]
[ 39.674419] CPU: 0 PID: 6929 Comm: syz-executor301 Tainted: G B 4.14.138 #34
[ 39.682709] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.692038] Call Trace:
[ 39.694605]  dump_stack+0x138/0x19c
[ 39.698320]  ? bpf_skb_change_tail+0xa7f/0xba0
[ 39.702886]  panic+0x1f2/0x426
[ 39.706058]  ? add_taint.cold+0x16/0x16
[ 39.710015]  kasan_end_report+0x47/0x4f
[ 39.713971]  kasan_report.cold+0x130/0x2af
[ 39.718182]  __asan_report_load8_noabort+0x14/0x20
[ 39.723122]  bpf_skb_change_tail+0xa7f/0xba0
[ 39.727508]  ? __lock_acquire+0x5f7/0x4620
[ 39.731720]  ? build_skb+0x1f/0x160
[ 39.735321]  ? bpf_prog_test_run_skb+0x157/0x9a0
[ 39.740056]  ? SyS_bpf+0x749/0x38f3
[ 39.743668]  bpf_prog_ac477e10ee530e9d+0xe53/0x1000
[ 39.748661]  ? trace_hardirqs_on+0x10/0x10
[ 39.753412]  ? trace_hardirqs_on+0x10/0x10
[ 39.757623]  ? bpf_test_run+0x44/0x330
[ 39.761512]  ? find_held_lock+0x35/0x130
[ 39.765585]  ? bpf_test_run+0x44/0x330
[ 39.769452]  ? lock_acquire+0x16f/0x430
[ 39.773405]  ? check_preemption_disabled+0x3c/0x250
[ 39.778401]  ? bpf_test_run+0xa8/0x330
[ 39.782352]  ? bpf_prog_test_run_skb+0x6c2/0x9a0
[ 39.787083]  ? bpf_test_init.isra.0+0xe0/0xe0
[ 39.791560]  ? __bpf_prog_get+0x153/0x1a0
[ 39.795684]  ? SyS_bpf+0x749/0x38f3
[ 39.799284]  ? __do_page_fault+0x4e9/0xb80
[ 39.803494]  ? bpf_test_init.isra.0+0xe0/0xe0
[ 39.807967]  ? bpf_prog_get+0x20/0x20
[ 39.811742]  ? lock_downgrade+0x6e0/0x6e0
[ 39.815866]  ? up_read+0x1a/0x40
[ 39.819227]  ? __do_page_fault+0x358/0xb80
[ 39.823441]  ? bpf_prog_get+0x20/0x20
[ 39.827229]  ? do_syscall_64+0x1e8/0x640
[ 39.831263]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 39.836086]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 39.842697] Kernel Offset: disabled
[ 39.857858] Rebooting in 86400 seconds..