kauditd_printk_skb: 3 callbacks suppressed audit: type=1400 audit(1584298507.132:36): avc: denied { map } for pid=8027 comm="syz-executor559" path="/root/syz-executor559645294" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 ================================================================== BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:348 [inline] BUG: KASAN: slab-out-of-bounds in selinux_xfrm_alloc_user+0x205/0x400 security/selinux/xfrm.c:102 Read of size 768 at addr ffff888097bcf334 by task syz-executor559/8027 CPU: 1 PID: 8027 Comm: syz-executor559 Not tainted 4.19.109-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x188/0x20d lib/dump_stack.c:118 print_address_description.cold+0x7c/0x212 mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report mm/kasan/report.c:412 [inline] kasan_report.cold+0x88/0x2b9 mm/kasan/report.c:396 memcpy+0x20/0x50 mm/kasan/kasan.c:302 memcpy include/linux/string.h:348 [inline] selinux_xfrm_alloc_user+0x205/0x400 security/selinux/xfrm.c:102 security_xfrm_policy_alloc+0x6c/0xb0 security/security.c:1631 copy_from_user_sec_ctx net/xfrm/xfrm_user.c:1461 [inline] xfrm_policy_construct+0x2a8/0x660 net/xfrm/xfrm_user.c:1626 xfrm_add_acquire+0x215/0x9f0 net/xfrm/xfrm_user.c:2279 xfrm_user_rcv_msg+0x40c/0x6b0 net/xfrm/xfrm_user.c:2677 netlink_rcv_skb+0x160/0x410 net/netlink/af_netlink.c:2455 xfrm_netlink_rcv+0x6b/0x90 net/xfrm/xfrm_user.c:2685 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x4d7/0x6a0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x80b/0xcd0 net/netlink/af_netlink.c:1909 sock_sendmsg_nosec net/socket.c:622 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:632 ___sys_sendmsg+0x803/0x920 net/socket.c:2115 __sys_sendmsg+0xec/0x1b0 net/socket.c:2153 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4406e9 Code: 23 02 00 85 c0 b8 00 00 00 00 48 0f 44 c3 5b c3 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fff605be978 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004406e9 RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003 RBP: 00000000006cb018 R08: 0000000000000000 R09: 6c616b7a79732f2e R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401f10 R13: 0000000000401fa0 R14: 0000000000000000 R15: 0000000000000000 Allocated by task 8027: set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc mm/kasan/kasan.c:553 [inline] kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:531 __do_kmalloc_node mm/slab.c:3689 [inline] __kmalloc_node_track_caller+0x4c/0x70 mm/slab.c:3703 __kmalloc_reserve.isra.0+0x39/0xe0 net/core/skbuff.c:137 __alloc_skb+0xef/0x5b0 net/core/skbuff.c:205 alloc_skb include/linux/skbuff.h:995 [inline] netlink_alloc_large_skb net/netlink/af_netlink.c:1190 [inline] netlink_sendmsg+0x8d6/0xcd0 net/netlink/af_netlink.c:1884 sock_sendmsg_nosec net/socket.c:622 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:632 ___sys_sendmsg+0x803/0x920 net/socket.c:2115 __sys_sendmsg+0xec/0x1b0 net/socket.c:2153 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 0: (stack is not available) The buggy address belongs to the object at ffff888097bcf200 which belongs to the cache kmalloc-1024 of size 1024 The buggy address is located 308 bytes inside of 1024-byte region [ffff888097bcf200, ffff888097bcf600) The buggy address belongs to the page: page:ffffea00025ef380 count:1 mapcount:0 mapping:ffff88812c3dcac0 index:0x0 compound_mapcount: 0 flags: 0xfffe0000008100(slab|head) raw: 00fffe0000008100 ffffea0001f7a688 ffffea0002976608 ffff88812c3dcac0 raw: 0000000000000000 ffff888097bce000 0000000100000007 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888097bcf500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888097bcf580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff888097bcf600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff888097bcf680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888097bcf700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================