[....] Starting periodic command scheduler: cron[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd[   20.157672] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.341545] random: sshd: uninitialized urandom read (32 bytes read)
[   24.630234] random: sshd: uninitialized urandom read (32 bytes read)
[   25.192794] random: sshd: uninitialized urandom read (32 bytes read)
[   25.358990] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.3' (ECDSA) to the list of known hosts.
[   30.866116] random: sshd: uninitialized urandom read (32 bytes read)
2018/08/19 05:00:47 parsed 1 programs
[   32.568317] random: cc1: uninitialized urandom read (8 bytes read)
2018/08/19 05:00:50 executed programs: 0
[   33.999232] IPVS: ftp: loaded support on port[0] = 21
[   34.205352] bridge0: port 1(bridge_slave_0) entered blocking state
[   34.212294] bridge0: port 1(bridge_slave_0) entered disabled state
[   34.219840] device bridge_slave_0 entered promiscuous mode
[   34.237053] bridge0: port 2(bridge_slave_1) entered blocking state
[   34.243440] bridge0: port 2(bridge_slave_1) entered disabled state
[   34.250769] device bridge_slave_1 entered promiscuous mode
[   34.267273] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   34.284030] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   34.327867] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   34.346904] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   34.412821] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   34.420350] team0: Port device team_slave_0 added
[   34.435184] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   34.442304] team0: Port device team_slave_1 added
[   34.457764] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   34.475785] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   34.494382] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   34.507797] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   34.630348] bridge0: port 2(bridge_slave_1) entered blocking state
[   34.637855] bridge0: port 2(bridge_slave_1) entered forwarding state
[   34.645026] bridge0: port 1(bridge_slave_0) entered blocking state
[   34.651403] bridge0: port 1(bridge_slave_0) entered forwarding state
[   35.082189] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   35.088815] 8021q: adding VLAN 0 to HW filter on device bond0
[   35.133572] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   35.179108] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   35.187137] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   35.225568] 8021q: adding VLAN 0 to HW filter on device team0
[   36.142822] ==================================================================
[   36.150349] BUG: KASAN: use-after-free in tipc_group_fill_sock_diag+0x7b9/0x84b
[   36.157812] Read of size 4 at addr ffff8801ce930e5c by task syz-executor0/4723
[   36.165177]
[   36.166892] CPU: 0 PID: 4723 Comm: syz-executor0 Not tainted 4.18.0+ #99
[   36.173744] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   36.183123] Call Trace:
[   36.185738]  dump_stack+0x1c9/0x2b4
[   36.189391]  ? dump_stack_print_info.cold.2+0x52/0x52
[   36.194597]  ? printk+0xa7/0xcf
[   36.197892]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   36.202831]  ? tipc_group_fill_sock_diag+0x7b9/0x84b
[   36.208087]  print_address_description+0x6c/0x20b
[   36.212954]  ? tipc_group_fill_sock_diag+0x7b9/0x84b
[   36.218095]  kasan_report.cold.7+0x242/0x30d
[   36.222550]  __asan_report_load4_noabort+0x14/0x20
[   36.227524]  tipc_group_fill_sock_diag+0x7b9/0x84b
[   36.232480]  ? tipc_group_member_evt+0xe30/0xe30
[   36.237287]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   36.242320]  ? skb_put+0x17b/0x1e0
[   36.245890]  ? memset+0x31/0x40
[   36.249187]  ? memcpy+0x45/0x50
[   36.252652]  ? __nla_put+0x37/0x40
[   36.256214]  ? nla_put+0x11a/0x150
[   36.259784]  tipc_sk_fill_sock_diag+0x9f8/0xdb0
[   36.264472]  ? tipc_diag_dump+0x30/0x30
[   36.268518]  ? tipc_getname+0x7f0/0x7f0
[   36.272536]  ? save_stack+0xa9/0xd0
[   36.276184]  ? graph_lock+0x170/0x170
[   36.280003]  ? graph_lock+0x170/0x170
[   36.283821]  ? __netlink_dump_start+0x4f1/0x6f0
[   36.288533]  ? sock_diag_rcv_msg+0x31d/0x410
[   36.292959]  ? netlink_rcv_skb+0x172/0x440
[   36.297209]  ? sock_diag_rcv+0x2a/0x40
[   36.301110]  ? netlink_unicast+0x5a0/0x760
[   36.305478]  ? netlink_sendmsg+0xa18/0xfc0
[   36.309765]  ? sock_sendmsg+0xd5/0x120
[   36.313848]  ? ___sys_sendmsg+0x7fd/0x930
[   36.318016]  ? __ia32_compat_sys_sendmsg+0x7a/0xb0
[   36.322963]  ? do_fast_syscall_32+0x34d/0xfb2
[   36.327486]  ? entry_SYSENTER_compat+0x70/0x7f
[   36.332111]  ? print_usage_bug+0xc0/0xc0
[   36.336190]  ? find_held_lock+0x36/0x1c0
[   36.340271]  ? lock_acquire+0x1e4/0x540
[   36.344259]  ? tipc_nl_sk_walk+0x60a/0xd30
[   36.348527]  ? lock_downgrade+0x8f0/0x8f0
[   36.352695]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   36.357723]  ? skb_put+0x17b/0x1e0
[   36.361286]  ? __nlmsg_put+0x14c/0x1b0
[   36.365190]  __tipc_add_sock_diag+0x22f/0x360
[   36.369698]  tipc_nl_sk_walk+0x68d/0xd30
[   36.373786]  ? tipc_sock_diag_handler_dump+0x340/0x340
[   36.379114]  ? __tipc_nl_add_sk+0x400/0x400
[   36.383452]  ? skb_scrub_packet+0x490/0x490
[   36.387795]  ? kasan_check_write+0x14/0x20
[   36.392060]  ? lock_downgrade+0x8f0/0x8f0
[   36.396220]  tipc_diag_dump+0x24/0x30
[   36.400030]  netlink_dump+0x519/0xd50
[   36.403836]  ? netlink_broadcast+0x50/0x50
[   36.408082]  __netlink_dump_start+0x4f1/0x6f0
[   36.412586]  ? kasan_check_read+0x11/0x20
[   36.416747]  tipc_sock_diag_handler_dump+0x234/0x340
[   36.421863]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[   36.426807]  ? tipc_unregister_sysctl+0x20/0x20
[   36.431481]  ? netlink_deliver_tap+0x356/0xfb0
[   36.436090]  sock_diag_rcv_msg+0x31d/0x410
[   36.440354]  netlink_rcv_skb+0x172/0x440
[   36.444424]  ? sock_diag_bind+0x80/0x80
[   36.448408]  ? netlink_ack+0xbe0/0xbe0
[   36.452298]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   36.456983]  sock_diag_rcv+0x2a/0x40
[   36.460701]  netlink_unicast+0x5a0/0x760
[   36.464778]  ? netlink_attachskb+0x9a0/0x9a0
[   36.469196]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   36.474738]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   36.479782]  netlink_sendmsg+0xa18/0xfc0
[   36.483852]  ? move_addr_to_kernel.part.18+0xc6/0x100
[   36.489052]  ? netlink_unicast+0x760/0x760
[   36.493291]  ? compat_mc_getsockopt+0xb20/0xb20
[   36.497967]  ? security_socket_sendmsg+0x94/0xc0
[   36.502726]  ? netlink_unicast+0x760/0x760
[   36.506974]  sock_sendmsg+0xd5/0x120
[   36.510692]  ___sys_sendmsg+0x7fd/0x930
[   36.514672]  ? copy_msghdr_from_user+0x580/0x580
[   36.519431]  ? kasan_check_read+0x11/0x20
[   36.523591]  ? __fget_light+0x2f7/0x440
[   36.527571]  ? fget_raw+0x20/0x20
[   36.531033]  ? __release_sock+0x3a0/0x3a0
[   36.535190]  ? tipc_nametbl_build_group+0x279/0x360
[   36.540220]  ? tipc_setsockopt+0x726/0xd70
[   36.544469]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   36.550023]  ? sockfd_lookup_light+0xc5/0x160
[   36.554537]  __sys_sendmsg+0x11d/0x290
[   36.558439]  ? __ia32_sys_shutdown+0x80/0x80
[   36.562872]  ? __ia32_compat_sys_futex+0x3e6/0x5f0
[   36.567825]  ? syscall_slow_exit_work+0x500/0x500
[   36.572680]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[   36.577449]  do_fast_syscall_32+0x34d/0xfb2
[   36.581787]  ? do_int80_syscall_32+0x890/0x890
[   36.586378]  ? _raw_spin_unlock_irq+0x27/0x70
[   36.590922]  ? finish_task_switch+0x1d3/0x870
[   36.595429]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   36.600975]  ? syscall_return_slowpath+0x31d/0x5e0
[   36.605913]  ? __switch_to_asm+0x34/0x70
[   36.609986]  ? sysret32_from_system_call+0x5/0x46
[   36.614842]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   36.619698]  entry_SYSENTER_compat+0x70/0x7f
[   36.624115] RIP: 0023:0xf7f90ca9
[   36.627508] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   36.646422] RSP: 002b:00000000f7f8c0cc EFLAGS: 00000296 ORIG_RAX: 0000000000000172
[   36.654252] RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000020000040
[   36.661548] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   36.668828] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   36.676157] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   36.683440] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   36.690791]
[   36.692429] Allocated by task 4723:
[   36.696072]  save_stack+0x43/0xd0
[   36.699556]  kasan_kmalloc+0xc4/0xe0
[   36.703291]  kmem_cache_alloc_trace+0x152/0x780
[   36.707978]  tipc_group_create+0x155/0xa70
[   36.712231]  tipc_setsockopt+0x2d1/0xd70
[   36.716310]  __compat_sys_setsockopt+0x329/0x860
[   36.721082]  __ia32_compat_sys_setsockopt+0xbd/0x150
[   36.726203]  do_fast_syscall_32+0x34d/0xfb2
[   36.730559]  entry_SYSENTER_compat+0x70/0x7f
[   36.734979]
[   36.736618] Freed by task 4722:
[   36.739938]  save_stack+0x43/0xd0
[   36.743421]  __kasan_slab_free+0x11a/0x170
[   36.747694]  kasan_slab_free+0xe/0x10
[   36.751539]  kfree+0xd9/0x260
[   36.754670]  tipc_group_delete+0x2e5/0x3f0
[   36.758927]  tipc_sk_leave+0x113/0x220
[   36.762847]  tipc_release+0x14e/0x12b0
[   36.766756]  __sock_release+0xd7/0x250
[   36.770781]  sock_close+0x19/0x20
[   36.774321]  __fput+0x39b/0x860
[   36.777621]  ____fput+0x15/0x20
[   36.780918]  task_work_run+0x1e8/0x2a0
[   36.784823]  exit_to_usermode_loop+0x318/0x380
[   36.789568]  do_fast_syscall_32+0xcd5/0xfb2
[   36.793908]  entry_SYSENTER_compat+0x70/0x7f
[   36.798320]
[   36.799965] The buggy address belongs to the object at ffff8801ce930e00
[   36.799965]  which belongs to the cache kmalloc-192 of size 192
[   36.812729] The buggy address is located 92 bytes inside of
[   36.812729]  192-byte region [ffff8801ce930e00, ffff8801ce930ec0)
[   36.824551] The buggy address belongs to the page:
[   36.829522] page:ffffea00073a4c00 count:1 mapcount:0 mapping:ffff8801dac00040 index:0x0
[   36.837683] flags: 0x2fffc0000000100(slab)
[   36.841935] raw: 02fffc0000000100 ffffea00074c8fc8 ffffea00073a4f88 ffff8801dac00040
[   36.850686] raw: 0000000000000000 ffff8801ce930000 0000000100000010 0000000000000000
[   36.858662] page dumped because: kasan: bad access detected
[   36.864378]
[   36.866013] Memory state around the buggy address:
[   36.870956]  ffff8801ce930d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.878327]  ffff8801ce930d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   36.885702] >ffff8801ce930e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.893156]                                                     ^
[   36.899401]  ffff8801ce930e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   36.906965]  ffff8801ce930f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.914333] ==================================================================
[   36.921876] Disabling lock debugging due to kernel taint
[   36.927525] Kernel panic - not syncing: panic_on_warn set ...
[   36.927525]
[   36.934916] CPU: 0 PID: 4723 Comm: syz-executor0 Tainted: G    B             4.18.0+ #99
[   36.943149] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   36.952535] Call Trace:
[   36.955143]  dump_stack+0x1c9/0x2b4
[   36.958790]  ? dump_stack_print_info.cold.2+0x52/0x52
[   36.964083]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   36.968856]  panic+0x238/0x4e7
[   36.972065]  ? add_taint.cold.5+0x16/0x16
[   36.976325]  ? do_raw_spin_unlock+0xa7/0x2f0
[   36.980747]  ? tipc_group_fill_sock_diag+0x7b9/0x84b
[   36.985874]  kasan_end_report+0x47/0x4f
[   36.989928]  kasan_report.cold.7+0x76/0x30d
[   36.994267]  __asan_report_load4_noabort+0x14/0x20
[   36.999215]  tipc_group_fill_sock_diag+0x7b9/0x84b
[   37.004160]  ? tipc_group_member_evt+0xe30/0xe30
[   37.008933]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   37.013963]  ? skb_put+0x17b/0x1e0
[   37.017542]  ? memset+0x31/0x40
[   37.020833]  ? memcpy+0x45/0x50
[   37.024126]  ? __nla_put+0x37/0x40
[   37.027681]  ? nla_put+0x11a/0x150
[   37.031240]  tipc_sk_fill_sock_diag+0x9f8/0xdb0
[   37.035924]  ? tipc_diag_dump+0x30/0x30
[   37.039913]  ? tipc_getname+0x7f0/0x7f0
[   37.043903]  ? save_stack+0xa9/0xd0
[   37.047556]  ? graph_lock+0x170/0x170
[   37.051371]  ? graph_lock+0x170/0x170
[   37.055185]  ? __netlink_dump_start+0x4f1/0x6f0
[   37.059868]  ? sock_diag_rcv_msg+0x31d/0x410
[   37.064286]  ? netlink_rcv_skb+0x172/0x440
[   37.068561]  ? sock_diag_rcv+0x2a/0x40
[   37.072459]  ? netlink_unicast+0x5a0/0x760
[   37.076783]  ? netlink_sendmsg+0xa18/0xfc0
[   37.081030]  ? sock_sendmsg+0xd5/0x120
[   37.085063]  ? ___sys_sendmsg+0x7fd/0x930
[   37.089225]  ? __ia32_compat_sys_sendmsg+0x7a/0xb0
[   37.094176]  ? do_fast_syscall_32+0x34d/0xfb2
[   37.098689]  ? entry_SYSENTER_compat+0x70/0x7f
[   37.103286]  ? print_usage_bug+0xc0/0xc0
[   37.107361]  ? find_held_lock+0x36/0x1c0
[   37.111562]  ? lock_acquire+0x1e4/0x540
[   37.115639]  ? tipc_nl_sk_walk+0x60a/0xd30
[   37.119898]  ? lock_downgrade+0x8f0/0x8f0
[   37.124066]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   37.129095]  ? skb_put+0x17b/0x1e0
[   37.132673]  ? __nlmsg_put+0x14c/0x1b0
[   37.136649]  __tipc_add_sock_diag+0x22f/0x360
[   37.141175]  tipc_nl_sk_walk+0x68d/0xd30
[   37.145322]  ? tipc_sock_diag_handler_dump+0x340/0x340
[   37.150614]  ? __tipc_nl_add_sk+0x400/0x400
[   37.154951]  ? skb_scrub_packet+0x490/0x490
[   37.159408]  ? kasan_check_write+0x14/0x20
[   37.163725]  ? lock_downgrade+0x8f0/0x8f0
[   37.167897]  tipc_diag_dump+0x24/0x30
[   37.171713]  netlink_dump+0x519/0xd50
[   37.175548]  ? netlink_broadcast+0x50/0x50
[   37.179866]  __netlink_dump_start+0x4f1/0x6f0
[   37.184382]  ? kasan_check_read+0x11/0x20
[   37.188578]  tipc_sock_diag_handler_dump+0x234/0x340
[   37.193711]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[   37.198393]  ? tipc_unregister_sysctl+0x20/0x20
[   37.203079]  ? netlink_deliver_tap+0x356/0xfb0
[   37.207989]  sock_diag_rcv_msg+0x31d/0x410
[   37.212238]  netlink_rcv_skb+0x172/0x440
[   37.216316]  ? sock_diag_bind+0x80/0x80
[   37.220305]  ? netlink_ack+0xbe0/0xbe0
[   37.224234]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   37.229049]  sock_diag_rcv+0x2a/0x40
[   37.232783]  netlink_unicast+0x5a0/0x760
[   37.236862]  ? netlink_attachskb+0x9a0/0x9a0
[   37.241289]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   37.246842]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   37.251875]  netlink_sendmsg+0xa18/0xfc0
[   37.255952]  ? move_addr_to_kernel.part.18+0xc6/0x100
[   37.261157]  ? netlink_unicast+0x760/0x760
[   37.265522]  ? compat_mc_getsockopt+0xb20/0xb20
[   37.270211]  ? security_socket_sendmsg+0x94/0xc0
[   37.275049]  ? netlink_unicast+0x760/0x760
[   37.279300]  sock_sendmsg+0xd5/0x120
[   37.283030]  ___sys_sendmsg+0x7fd/0x930
[   37.287173]  ? copy_msghdr_from_user+0x580/0x580
[   37.292183]  ? kasan_check_read+0x11/0x20
[   37.296882]  ? __fget_light+0x2f7/0x440
[   37.300888]  ? fget_raw+0x20/0x20
[   37.304358]  ? __release_sock+0x3a0/0x3a0
[   37.308552]  ? tipc_nametbl_build_group+0x279/0x360
[   37.313590]  ? tipc_setsockopt+0x726/0xd70
[   37.317845]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   37.323396]  ? sockfd_lookup_light+0xc5/0x160
[   37.327908]  __sys_sendmsg+0x11d/0x290
[   37.331810]  ? __ia32_sys_shutdown+0x80/0x80
[   37.336234]  ? __ia32_compat_sys_futex+0x3e6/0x5f0
[   37.341184]  ? syscall_slow_exit_work+0x500/0x500
[   37.346043]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[   37.350901]  do_fast_syscall_32+0x34d/0xfb2
[   37.355238]  ? do_int80_syscall_32+0x890/0x890
[   37.359832]  ? _raw_spin_unlock_irq+0x27/0x70
[   37.364338]  ? finish_task_switch+0x1d3/0x870
[   37.368852]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   37.374547]  ? syscall_return_slowpath+0x31d/0x5e0
[   37.379578]  ? __switch_to_asm+0x34/0x70
[   37.383656]  ? sysret32_from_system_call+0x5/0x46
[   37.388540]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   37.393401]  entry_SYSENTER_compat+0x70/0x7f
[   37.397819] RIP: 0023:0xf7f90ca9
[   37.401198] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   37.420195] RSP: 002b:00000000f7f8c0cc EFLAGS: 00000296 ORIG_RAX: 0000000000000172
[   37.428005] RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000020000040
[   37.435287] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   37.442634] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   37.449916] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   37.457197] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   37.464978] Dumping ftrace buffer:
[   37.468541]    (ftrace buffer empty)
[   37.472324] Kernel Offset: disabled
[   37.475948] Rebooting in 86400 seconds..