[   39.198088] audit: type=1800 audit(1575461450.547:32): pid=7498 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   39.969447] audit: type=1800 audit(1575461451.407:33): pid=7498 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.132' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[   49.226270] kauditd_printk_skb: 2 callbacks suppressed
[   49.226284] audit: type=1400 audit(1575461460.667:36): avc: denied { map } for pid=7685 comm="syz-executor975" path="/root/syz-executor975556075" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   49.347322] ==================================================================
[   49.347352] BUG: KASAN: use-after-free in soft_cursor+0x439/0xa30
[   49.347359] Read of size 9 at addr ffff8880a5169c51 by task syz-executor975/7685
[   49.347361]
[   49.347378] CPU: 0 PID: 7685 Comm: syz-executor975 Not tainted 4.19.87-syzkaller #0
[   49.347384] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   49.347387] Call Trace:
[   49.347399]  dump_stack+0x197/0x210
[   49.347408]  ? soft_cursor+0x439/0xa30
[   49.347420]  print_address_description.cold+0x7c/0x20d
[   49.347430]  ? soft_cursor+0x439/0xa30
[   49.347438]  kasan_report.cold+0x8c/0x2ba
[   49.347449]  check_memory_region+0x123/0x190
[   49.347457]  memcpy+0x24/0x50
[   49.347467]  soft_cursor+0x439/0xa30
[   49.347479]  ? lockdep_hardirqs_on+0x415/0x5d0
[   49.347492]  bit_cursor+0x12fc/0x1a60
[   49.347505]  ? bit_clear+0x530/0x530
[   49.347515]  ? tty_do_resize+0x5e/0x170
[   49.347531]  ? __sanitizer_cov_trace_switch+0x49/0x80
[   49.347541]  ? get_color+0x225/0x430
[   49.347550]  fbcon_cursor+0x58a/0x7b0
[   49.347557]  ? bit_clear+0x530/0x530
[   49.347567]  hide_cursor+0x9e/0x300
[   49.347576]  redraw_screen+0x2ee/0x8e0
[   49.347586]  ? con_flush_chars+0xa0/0xa0
[   49.347598]  ? mutex_unlock+0xd/0x10
[   49.347607]  vc_do_resize+0x118e/0x14a0
[   49.347625]  ? vc_uniscr_alloc+0xd0/0xd0
[   49.347634]  ? lock_acquire+0x16f/0x3f0
[   49.347642]  ? vt_ioctl+0x1ec0/0x2530
[   49.347653]  vc_resize+0x4d/0x60
[   49.347662]  vt_ioctl+0x1fe0/0x2530
[   49.347671]  ? complete_change_console+0x3a0/0x3a0
[   49.347683]  ? avc_has_extended_perms+0xa78/0x10f0
[   49.347695]  ? avc_ss_reset+0x190/0x190
[   49.347702]  ? save_stack+0xa9/0xd0
[   49.347709]  ? __sanitizer_cov_trace_switch+0x49/0x80
[   49.347719]  ? tty_jobctrl_ioctl+0x50/0xcd0
[   49.347727]  ? complete_change_console+0x3a0/0x3a0
[   49.347736]  tty_ioctl+0x7f3/0x1510
[   49.347746]  ? tty_vhangup+0x30/0x30
[   49.347756]  ? find_held_lock+0x35/0x130
[   49.347766]  ? debug_check_no_obj_freed+0x200/0x464
[   49.347783]  ? __might_sleep+0x95/0x190
[   49.347791]  ? trace_hardirqs_off+0x62/0x220
[   49.347799]  ? tty_vhangup+0x30/0x30
[   49.347808]  do_vfs_ioctl+0xd5f/0x1380
[   49.347816]  ? selinux_file_ioctl+0x46f/0x5e0
[   49.347824]  ? selinux_file_ioctl+0x125/0x5e0
[   49.347832]  ? ioctl_preallocate+0x210/0x210
[   49.347840]  ? selinux_file_mprotect+0x620/0x620
[   49.347847]  ? putname+0xef/0x130
[   49.347856]  ? kmem_cache_free+0x222/0x260
[   49.347865]  ? putname+0xf4/0x130
[   49.347874]  ? do_sys_open+0x31d/0x550
[   49.347885]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   49.347892]  ? security_file_ioctl+0x8d/0xc0
[   49.347901]  ksys_ioctl+0xab/0xd0
[   49.347911]  __x64_sys_ioctl+0x73/0xb0
[   49.347921]  do_syscall_64+0xfd/0x620
[   49.347932]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   49.347939] RIP: 0033:0x440219
[   49.347949] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   49.347953] RSP: 002b:00007ffc5a43c378 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   49.347963] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440219
[   49.347968] RDX: 00000000200002c0 RSI: 000000000000560a RDI: 0000000000000004
[   49.347973] RBP: 00000000006ca018 R08: 0000000000000001 R09: 00000000004002c8
[   49.347977] R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000401b00
[   49.347982] R13: 0000000000401b90 R14: 0000000000000000 R15: 0000000000000000
[   49.347992]
[   49.347996] Allocated by task 6003:
[   49.348004]  save_stack+0x45/0xd0
[   49.348011]  kasan_kmalloc+0xce/0xf0
[   49.348017]  __kmalloc+0x15d/0x750
[   49.348025]  load_elf_phdrs+0x157/0x200
[   49.348032]  load_elf_binary+0x94a/0x53a0
[   49.348039]  search_binary_handler+0x179/0x570
[   49.348046]  __do_execve_file.isra.0+0x1227/0x2150
[   49.348053]  __x64_sys_execve+0x8f/0xc0
[   49.348060]  do_syscall_64+0xfd/0x620
[   49.348067]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   49.348069]
[   49.348072] Freed by task 6003:
[   49.348078]  save_stack+0x45/0xd0
[   49.348085]  __kasan_slab_free+0x102/0x150
[   49.348091]  kasan_slab_free+0xe/0x10
[   49.348097]  kfree+0xcf/0x220
[   49.348104]  load_elf_binary+0x249e/0x53a0
[   49.348111]  search_binary_handler+0x179/0x570
[   49.348118]  __do_execve_file.isra.0+0x1227/0x2150
[   49.348124]  __x64_sys_execve+0x8f/0xc0
[   49.348131]  do_syscall_64+0xfd/0x620
[   49.348138]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   49.348140]
[   49.348146] The buggy address belongs to the object at ffff8880a5169a80
[   49.348146]  which belongs to the cache kmalloc-512 of size 512
[   49.348153] The buggy address is located 465 bytes inside of
[   49.348153]  512-byte region [ffff8880a5169a80, ffff8880a5169c80)
[   49.348155] The buggy address belongs to the page:
[   49.348162] page:ffffea0002945a40 count:1 mapcount:0 mapping:ffff88812c31c940 index:0x0
[   49.348169] flags: 0xfffe0000000100(slab)
[   49.348180] raw: 00fffe0000000100 ffffea0002153ac8 ffffea000281f648 ffff88812c31c940
[   49.348196] raw: 0000000000000000 ffff8880a5169080 0000000100000006 0000000000000000
[   49.348200] page dumped because: kasan: bad access detected
[   49.348202]
[   49.348204] Memory state around the buggy address:
[   49.348211]  ffff8880a5169b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.348217]  ffff8880a5169b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.348222] >ffff8880a5169c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.348225]                                                  ^
[   49.348231]  ffff8880a5169c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   49.348237]  ffff8880a5169d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.348240] ==================================================================
[   49.348242] Disabling lock debugging due to kernel taint
[   49.348247] Kernel panic - not syncing: panic_on_warn set ...
[   49.348247]
[   49.348254] CPU: 0 PID: 7685 Comm: syz-executor975 Tainted: G    B             4.19.87-syzkaller #0
[   49.348258] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   49.348260] Call Trace:
[   49.348268]  dump_stack+0x197/0x210
[   49.348275]  ? soft_cursor+0x439/0xa30
[   49.348282]  panic+0x26a/0x50e
[   49.348288]  ? __warn_printk+0xf3/0xf3
[   49.348296]  ? lock_downgrade+0x880/0x880
[   49.348304]  ? trace_hardirqs_on+0x67/0x220
[   49.348310]  ? trace_hardirqs_on+0x5e/0x220
[   49.348318]  ? soft_cursor+0x439/0xa30
[   49.348325]  kasan_end_report+0x47/0x4f
[   49.348333]  kasan_report.cold+0xa9/0x2ba
[   49.348341]  check_memory_region+0x123/0x190
[   49.348348]  memcpy+0x24/0x50
[   49.348355]  soft_cursor+0x439/0xa30
[   49.348363]  ? lockdep_hardirqs_on+0x415/0x5d0
[   49.348376]  bit_cursor+0x12fc/0x1a60
[   49.348385]  ? bit_clear+0x530/0x530
[   49.348392]  ? tty_do_resize+0x5e/0x170
[   49.348402]  ? __sanitizer_cov_trace_switch+0x49/0x80
[   49.348408]  ? get_color+0x225/0x430
[   49.348416]  fbcon_cursor+0x58a/0x7b0
[   49.348422]  ? bit_clear+0x530/0x530
[   49.348429]  hide_cursor+0x9e/0x300
[   49.348436]  redraw_screen+0x2ee/0x8e0
[   49.348444]  ? con_flush_chars+0xa0/0xa0
[   49.348452]  ? mutex_unlock+0xd/0x10
[   49.348460]  vc_do_resize+0x118e/0x14a0
[   49.348471]  ? vc_uniscr_alloc+0xd0/0xd0
[   49.348479]  ? lock_acquire+0x16f/0x3f0
[   49.348486]  ? vt_ioctl+0x1ec0/0x2530
[   49.348494]  vc_resize+0x4d/0x60
[   49.348501]  vt_ioctl+0x1fe0/0x2530
[   49.348509]  ? complete_change_console+0x3a0/0x3a0
[   49.348517]  ? avc_has_extended_perms+0xa78/0x10f0
[   49.348526]  ? avc_ss_reset+0x190/0x190
[   49.348533]  ? save_stack+0xa9/0xd0
[   49.348539]  ? __sanitizer_cov_trace_switch+0x49/0x80
[   49.348547]  ? tty_jobctrl_ioctl+0x50/0xcd0
[   49.348556]  ? complete_change_console+0x3a0/0x3a0
[   49.348564]  tty_ioctl+0x7f3/0x1510
[   49.348572]  ? tty_vhangup+0x30/0x30
[   49.348579]  ? find_held_lock+0x35/0x130
[   49.348587]  ? debug_check_no_obj_freed+0x200/0x464
[   49.348598]  ? __might_sleep+0x95/0x190
[   49.348605]  ? trace_hardirqs_off+0x62/0x220
[   49.348612]  ? tty_vhangup+0x30/0x30
[   49.348620]  do_vfs_ioctl+0xd5f/0x1380
[   49.348626]  ? selinux_file_ioctl+0x46f/0x5e0
[   49.348633]  ? selinux_file_ioctl+0x125/0x5e0
[   49.348640]  ? ioctl_preallocate+0x210/0x210
[   49.348647]  ? selinux_file_mprotect+0x620/0x620
[   49.348654]  ? putname+0xef/0x130
[   49.348661]  ? kmem_cache_free+0x222/0x260
[   49.348669]  ? putname+0xf4/0x130
[   49.348676]  ? do_sys_open+0x31d/0x550
[   49.348685]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   49.348691]  ? security_file_ioctl+0x8d/0xc0
[   49.348698]  ksys_ioctl+0xab/0xd0
[   49.348706]  __x64_sys_ioctl+0x73/0xb0
[   49.348714]  do_syscall_64+0xfd/0x620
[   49.348722]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   49.348727] RIP: 0033:0x440219
[   49.348733] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   49.348737] RSP: 002b:00007ffc5a43c378 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   49.348743] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440219
[   49.348747] RDX: 00000000200002c0 RSI: 000000000000560a RDI: 0000000000000004
[   49.348751] RBP: 00000000006ca018 R08: 0000000000000001 R09: 00000000004002c8
[   49.348755] R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000401b00
[   49.348759] R13: 0000000000401b90 R14: 0000000000000000 R15: 0000000000000000
[   49.350230] Kernel Offset: disabled
[   50.248684] Rebooting in 86400 seconds..
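The console log above is all the page carries; there is no reproducer or analysis. As an added example, not from syzbot, syzkaller or the kernel tree, the Python triage helper below parses the KASAN report text, keeps only the confirmed frames (the kernel marks stale stack slots with a leading `?`), computes where the 9-byte read lands inside the kmalloc-512 object, decodes the shadow bytes the report prints (0xfb is a freed slab object and 0xfc a slab redzone in generic-mode KASAN, from mm/kasan/kasan.h), and recovers the entry point from the user-space register dump (ORIG_RAX 0x10 is ioctl on x86_64; RSI 0x560a is VT_RESIZEX in include/uapi/linux/vt.h, which matches the vt_ioctl -> vc_resize -> vc_do_resize path in the trace). The sample input is copied from the report with timestamps dropped; the field names, the `KasanReport` type and the two-entry ioctl table are the example's own.

```python
# Added example (not syzkaller's or the kernel's own tooling): parse the KASAN report text above.
import re
from dataclasses import dataclass, field

SHADOW_TAGS = {0x00: "addressable", 0xfb: "freed slab object", 0xfc: "slab redzone"}  # mm/kasan/kasan.h
IOCTL_CMDS = {0x5609: "VT_RESIZE", 0x560a: "VT_RESIZEX"}  # include/uapi/linux/vt.h

# Constructed sample: lines copied from the report above, timestamps dropped.
SAMPLE = """\
BUG: KASAN: use-after-free in soft_cursor+0x439/0xa30
Read of size 9 at addr ffff8880a5169c51 by task syz-executor975/7685
Call Trace:
 ? soft_cursor+0x439/0xa30
 soft_cursor+0x439/0xa30
 fbcon_cursor+0x58a/0x7b0
 vt_ioctl+0x1fe0/0x2530
RSP: 002b:00007ffc5a43c378 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RDX: 00000000200002c0 RSI: 000000000000560a RDI: 0000000000000004
Allocated by task 6003:
 __kmalloc+0x15d/0x750
 load_elf_phdrs+0x157/0x200
Freed by task 6003:
 kfree+0xcf/0x220
 load_elf_binary+0x249e/0x53a0
The buggy address belongs to the object at ffff8880a5169a80
 which belongs to the cache kmalloc-512 of size 512
>ffff8880a5169c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a5169c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

FRAME = re.compile(r"^\s*(?P<q>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SHADOW = re.compile(r"^>?\s*(?P<base>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?)+)$")
REG = re.compile(r"(\w+): ([0-9a-f]{8,16})\b")

@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    op: str = ""
    size: int = 0
    addr: int = 0
    obj_base: int = 0
    obj_size: int = 0
    cache: str = ""
    stacks: dict = field(default_factory=dict)  # "access"/"alloc"/"free" -> [symbol]
    regs: dict = field(default_factory=dict)    # register name -> value
    shadow: dict = field(default_factory=dict)  # 128-byte row base -> 16 shadow bytes

def parse_kasan_report(text: str) -> KasanReport:
    r, section = KasanReport(), None
    for line in text.splitlines():
        if m := re.match(r"BUG: KASAN: (\S+) in (\w+)\+", line):
            r.kind, r.func = m[1], m[2]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", line):
            r.op, r.size, r.addr = m[1], int(m[2]), int(m[3], 16)
        elif line.startswith("Call Trace:"):
            section = "access"
        elif m := re.match(r"(Allocated|Freed) by task", line):
            section = "alloc" if m[1] == "Allocated" else "free"
        elif m := FRAME.match(line):
            if not m["q"]:  # "? " frames are stale stack slots, not confirmed callers
                r.stacks.setdefault(section, []).append(m["sym"])
        elif m := re.search(r"object at ([0-9a-f]+)", line):
            r.obj_base = int(m[1], 16)
        elif m := re.search(r"cache (\S+) of size (\d+)", line):
            r.cache, r.obj_size = m[1], int(m[2])
        elif m := SHADOW.match(line):
            r.shadow[int(m["base"], 16)] = [int(b, 16) for b in m["bytes"].split()]
        else:
            r.regs.update({k: int(v, 16) for k, v in REG.findall(line)})
    return r

def offset_in_object(r: KasanReport) -> int:
    return r.addr - r.obj_base

def access_within_object(r: KasanReport) -> bool:
    """True if the whole access lies inside the freed object (pure UAF, not an overflow past it)."""
    off = offset_in_object(r)
    return 0 <= off and off + r.size <= r.obj_size

def shadow_state_at(r: KasanReport, addr: int) -> str:
    """One shadow byte covers 8 bytes of memory; each printed row holds 16 of them (128 bytes)."""
    row = r.shadow.get(addr & ~0x7f)
    return SHADOW_TAGS.get(row[(addr & 0x7f) // 8], "other") if row else "unknown"

def syscall_summary(r: KasanReport) -> str:
    """Recover the entry point from the user-space register dump (x86_64 ABI)."""
    nr = r.regs.get("ORIG_RAX")
    if nr != 16:  # __NR_ioctl on x86_64; the only number this report needs
        return f"syscall {nr}"
    cmd = r.regs["RSI"]
    return f"ioctl(fd={r.regs['RDI']}, {IOCTL_CMDS.get(cmd, hex(cmd))}, arg={r.regs['RDX']:#x})"

if __name__ == "__main__":
    rep = parse_kasan_report(SAMPLE)
    print(f"{rep.kind} in {rep.func}: {rep.op} of {rep.size} bytes at offset {offset_in_object(rep)}"
          f" of a {rep.cache} object ({shadow_state_at(rep, rep.addr)}), via {syscall_summary(rep)}")
    print("alloc:", " <- ".join(rep.stacks["alloc"]), "| free:", " <- ".join(rep.stacks["free"]))
```

Run against this log it reports a 9-byte read 465 bytes into a freed 512-byte object that stays inside the object, so the bug is a stale pointer dereferenced on the framebuffer-console cursor path reached through VT_RESIZEX, not a read past an object's end. The allocation and free stacks both sit in execve's ELF loader in a different task (6003) from the faulting one (7685): KASAN records the last owner of the slab slot, not the object fbcon meant to read, so triage continues from the access stack rather than the free stack.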