[....] Starting OpenBSD Secure Shell server: sshd
[ 12.416928] random: sshd: uninitialized urandom read (32 bytes read)
[ ok .
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 20.465323] random: sshd: uninitialized urandom read (32 bytes read)
[ 21.023051] audit: type=1400 audit(1548958242.936:6): avc: denied { map } for pid=1758 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 21.068863] random: sshd: uninitialized urandom read (32 bytes read)
[ 21.547388] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.005964] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.137' (ECDSA) to the list of known hosts.
[ 27.941739] random: sshd: uninitialized urandom read (32 bytes read)
[ 28.029552] audit: type=1400 audit(1548958249.936:7): avc: denied { map } for pid=1776 comm="syz-executor387" path="/root/syz-executor387880078" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 28.321605] ==================================================================
[ 28.329085] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[ 28.335737] Read of size 8 at addr ffff8881d1d1a290 by task syz-executor387/1779
[ 28.343253]
[ 28.344864] CPU: 1 PID: 1779 Comm: syz-executor387 Not tainted 4.14.96+ #20
[ 28.351941] Call Trace:
[ 28.354516] dump_stack+0xb9/0x10e
[ 28.358039] ? ip_local_deliver+0x43d/0x450
[ 28.362347] print_address_description+0x60/0x226
[ 28.367183] ? ip_local_deliver+0x43d/0x450
[ 28.371487] kasan_report.cold+0x88/0x2a5
[ 28.375621] ? ip_local_deliver+0x43d/0x450
[ 28.379921] ? ip_call_ra_chain+0x540/0x540
[ 28.384226] ? __lock_acquire+0x56a/0x3fa0
[ 28.388453] ? ip_rcv+0x99f/0xf7a
[ 28.391885] ? ip_rcv_finish+0x5c9/0x1490
[ 28.396031] ? ip_rcv+0x9e2/0xf7a
[ 28.399464] ? ip_local_deliver+0x450/0x450
[ 28.403764] ? __lock_acquire+0x56a/0x3fa0
[ 28.407983] ? check_preemption_disabled+0x35/0x1f0
[ 28.412977] ? ip_local_deliver+0x450/0x450
[ 28.417281] ? __netif_receive_skb_core+0x1364/0x2c60
[ 28.422450] ? trace_hardirqs_on+0x10/0x10
[ 28.426669] ? flush_backlog+0x580/0x580
[ 28.430848] ? netif_receive_skb_internal+0x3aa/0x5c0
[ 28.436020] ? netif_receive_skb_internal+0x3aa/0x5c0
[ 28.441380] ? lock_acquire+0x10f/0x380
[ 28.445349] ? __netif_receive_skb+0x55/0x1f0
[ 28.449899] ? __netif_receive_skb+0x55/0x1f0
[ 28.454388] ? netif_receive_skb_internal+0xec/0x5c0
[ 28.459480] ? dev_cpu_dead+0x810/0x810
[ 28.463444] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 28.468876] ? rcu_read_lock_sched_held+0x10a/0x130
[ 28.473882] ? tun_rx_batched.isra.0+0x45d/0x730
[ 28.478625] ? __skb_get_hash_symmetric+0x255/0x620
[ 28.483627] ? __slab_alloc.isra.0.constprop.0+0x76/0x90
[ 28.489076] ? tun_chr_read_iter+0x1c0/0x1c0
[ 28.493472] ? tun_get_user+0xc07/0x3790
[ 28.497514] ? __local_bh_enable_ip+0x65/0xc0
[ 28.501994] ? tun_get_user+0xd95/0x3790
[ 28.506043] ? tun_rx_batched.isra.0+0x730/0x730
[ 28.510780] ? debug_mutex_wake_waiter+0x1d0/0x370
[ 28.515692] ? mark_held_locks+0xa6/0xf0
[ 28.519737] ? get_page_from_freelist+0x85e/0x1d60
[ 28.524649] ? preempt_count_add+0xb8/0x180
[ 28.528957] ? __tun_get+0x11c/0x220
[ 28.532705] ? check_preemption_disabled+0x35/0x1f0
[ 28.537715] ? tun_chr_write_iter+0xcf/0x180
[ 28.542104] ? do_iter_readv_writev+0x379/0x580
[ 28.546751] ? clone_verify_area+0x1e0/0x1e0
[ 28.551149] ? avc_policy_seqno+0x5/0x10
[ 28.555204] ? security_file_permission+0x88/0x1e0
[ 28.560130] ? do_iter_write+0x152/0x550
[ 28.564181] ? lock_downgrade+0x5d0/0x5d0
[ 28.568310] ? vfs_writev+0x146/0x2d0
[ 28.572096] ? vfs_iter_write+0xa0/0xa0
[ 28.576052] ? __handle_mm_fault+0x6c5/0x2640
[ 28.580535] ? __fsnotify_inode_delete+0x20/0x20
[ 28.585289] ? __do_page_fault+0x48e/0xb80
[ 28.589510] ? lock_downgrade+0x5d0/0x5d0
[ 28.593638] ? check_preemption_disabled+0x35/0x1f0
[ 28.598638] ? do_writev+0xc9/0x240
[ 28.602249] ? vfs_writev+0x2d0/0x2d0
[ 28.606030] ? do_syscall_64+0x43/0x4b0
[ 28.609981] ? SyS_readv+0x30/0x30
[ 28.613502] ? do_syscall_64+0x19b/0x4b0
[ 28.617545] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 28.622895]
[ 28.624500] Allocated by task 1779:
[ 28.628110] kasan_kmalloc.part.0+0x4f/0xd0
[ 28.632409] kmem_cache_alloc+0xd2/0x2d0
[ 28.636446] __build_skb+0x2e/0x2d0
[ 28.640051] build_skb+0x1a/0x1f0
[ 28.643490] tun_get_user+0x248b/0x3790
[ 28.647441] tun_chr_write_iter+0xcf/0x180
[ 28.651655] do_iter_readv_writev+0x379/0x580
[ 28.656125] do_iter_write+0x152/0x550
[ 28.659989] vfs_writev+0x146/0x2d0
[ 28.663607] do_writev+0xc9/0x240
[ 28.667049] do_syscall_64+0x19b/0x4b0
[ 28.670911]
[ 28.672518] Freed by task 1779:
[ 28.675780] kasan_slab_free+0xb0/0x190
[ 28.679730] kmem_cache_free+0xc4/0x330
[ 28.683683] kfree_skbmem+0xa0/0x100
[ 28.687373] kfree_skb+0xcd/0x350
[ 28.690804] ip_defrag+0x5f4/0x3b50
[ 28.694407] ip_local_deliver+0x165/0x450
[ 28.698534] ip_rcv_finish+0x5c9/0x1490
[ 28.702485] ip_rcv+0x9e2/0xf7a
[ 28.705741] __netif_receive_skb_core+0x1364/0x2c60
[ 28.710736] __netif_receive_skb+0x55/0x1f0
[ 28.715036] netif_receive_skb_internal+0xec/0x5c0
[ 28.719951] tun_rx_batched.isra.0+0x45d/0x730
[ 28.724515] tun_get_user+0xd95/0x3790
[ 28.728384] tun_chr_write_iter+0xcf/0x180
[ 28.732595] do_iter_readv_writev+0x379/0x580
[ 28.737067] do_iter_write+0x152/0x550
[ 28.740931] vfs_writev+0x146/0x2d0
[ 28.744535] do_writev+0xc9/0x240
[ 28.747969] do_syscall_64+0x19b/0x4b0
[ 28.751841]
[ 28.753480] The buggy address belongs to the object at ffff8881d1d1a280
[ 28.753480] which belongs to the cache skbuff_head_cache of size 224
[ 28.766638] The buggy address is located 16 bytes inside of
[ 28.766638] 224-byte region [ffff8881d1d1a280, ffff8881d1d1a360)
[ 28.778530] The buggy address belongs to the page:
[ 28.783451] page:ffffea0007474680 count:1 mapcount:0 mapping: (null) index:0x0
[ 28.791578] flags: 0x4000000000000100(slab)
[ 28.795889] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[ 28.803870] raw: ffffea0007459c00 0000000900000009 ffff8881dab58200 0000000000000000
[ 28.811731] page dumped because: kasan: bad access detected
[ 28.817422]
[ 28.819029] Memory state around the buggy address:
[ 28.823937] ffff8881d1d1a180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.831287] ffff8881d1d1a200: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.838633] >ffff8881d1d1a280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.845984] ^
[ 28.849848] ffff8881d1d1a300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 28.857189] ffff8881d1d1a380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 28.864524] ==================================================================
[ 28.871866] Disabling lock debugging due to kernel taint
[ 28.877318] Kernel panic - not syncing: panic_on_warn set ...
[ 28.877318]
[ 28.884672] CPU: 1 PID: 1779 Comm: syz-executor387 Tainted: G B 4.14.96+ #20
[ 28.892961] Call Trace:
[ 28.895531] dump_stack+0xb9/0x10e
[ 28.899057] panic+0x1d9/0x3c2
[ 28.902257] ? add_taint.cold+0x16/0x16
[ 28.906207] ? retint_kernel+0x2d/0x2d
[ 28.910098] ? ip_local_deliver+0x43d/0x450
[ 28.914396] kasan_end_report+0x43/0x49
[ 28.918347] kasan_report.cold+0xa4/0x2a5
[ 28.922473] ? ip_local_deliver+0x43d/0x450
[ 28.926775] ? ip_call_ra_chain+0x540/0x540
[ 28.931073] ? __lock_acquire+0x56a/0x3fa0
[ 28.935295] ? ip_rcv+0x99f/0xf7a
[ 28.938725] ? ip_rcv_finish+0x5c9/0x1490
[ 28.942852] ? ip_rcv+0x9e2/0xf7a
[ 28.946283] ? ip_local_deliver+0x450/0x450
[ 28.950581] ? __lock_acquire+0x56a/0x3fa0
[ 28.954794] ? check_preemption_disabled+0x35/0x1f0
[ 28.959788] ? ip_local_deliver+0x450/0x450
[ 28.964107] ? __netif_receive_skb_core+0x1364/0x2c60
[ 28.969273] ? trace_hardirqs_on+0x10/0x10
[ 28.973484] ? flush_backlog+0x580/0x580
[ 28.977521] ? netif_receive_skb_internal+0x3aa/0x5c0
[ 28.982707] ? netif_receive_skb_internal+0x3aa/0x5c0
[ 28.987876] ? lock_acquire+0x10f/0x380
[ 28.991830] ? __netif_receive_skb+0x55/0x1f0
[ 28.996298] ? __netif_receive_skb+0x55/0x1f0
[ 29.000770] ? netif_receive_skb_internal+0xec/0x5c0
[ 29.005847] ? dev_cpu_dead+0x810/0x810
[ 29.009803] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 29.015248] ? rcu_read_lock_sched_held+0x10a/0x130
[ 29.020274] ? tun_rx_batched.isra.0+0x45d/0x730
[ 29.025011] ? __skb_get_hash_symmetric+0x255/0x620
[ 29.030016] ? __slab_alloc.isra.0.constprop.0+0x76/0x90
[ 29.035452] ? tun_chr_read_iter+0x1c0/0x1c0
[ 29.039838] ? tun_get_user+0xc07/0x3790
[ 29.043878] ? __local_bh_enable_ip+0x65/0xc0
[ 29.048451] ? tun_get_user+0xd95/0x3790
[ 29.052530] ? tun_rx_batched.isra.0+0x730/0x730
[ 29.057269] ? debug_mutex_wake_waiter+0x1d0/0x370
[ 29.062180] ? mark_held_locks+0xa6/0xf0
[ 29.066221] ? get_page_from_freelist+0x85e/0x1d60
[ 29.071137] ? preempt_count_add+0xb8/0x180
[ 29.075456] ? __tun_get+0x11c/0x220
[ 29.079159] ? check_preemption_disabled+0x35/0x1f0
[ 29.084159] ? tun_chr_write_iter+0xcf/0x180
[ 29.088547] ? do_iter_readv_writev+0x379/0x580
[ 29.093193] ? clone_verify_area+0x1e0/0x1e0
[ 29.097577] ? avc_policy_seqno+0x5/0x10
[ 29.101691] ? security_file_permission+0x88/0x1e0
[ 29.106612] ? do_iter_write+0x152/0x550
[ 29.110813] ? lock_downgrade+0x5d0/0x5d0
[ 29.115072] ? vfs_writev+0x146/0x2d0
[ 29.118855] ? vfs_iter_write+0xa0/0xa0
[ 29.122817] ? __handle_mm_fault+0x6c5/0x2640
[ 29.127296] ? __fsnotify_inode_delete+0x20/0x20
[ 29.132033] ? __do_page_fault+0x48e/0xb80
[ 29.136254] ? lock_downgrade+0x5d0/0x5d0
[ 29.140391] ? check_preemption_disabled+0x35/0x1f0
[ 29.145388] ? do_writev+0xc9/0x240
[ 29.149137] ? vfs_writev+0x2d0/0x2d0
[ 29.152917] ? do_syscall_64+0x43/0x4b0
[ 29.156868] ? SyS_readv+0x30/0x30
[ 29.160394] ? do_syscall_64+0x19b/0x4b0
[ 29.164443] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 29.170181] Kernel Offset: 0x14200000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 29.181094] Rebooting in 86400 seconds..