[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
       Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.202' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 42.929511][ T7117] ==================================================================
[ 42.937805][ T7117] BUG: KASAN: slab-out-of-bounds in vsscanf+0x2666/0x2ef0
[ 42.945154][ T7117] Read of size 1 at addr ffff888093622f42 by task syz-executor055/7117
[ 42.953365][ T7117]
[ 42.955716][ T7117] CPU: 1 PID: 7117 Comm: syz-executor055 Not tainted 5.6.0-rc7-syzkaller #0
[ 42.964368][ T7117] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.974406][ T7117] Call Trace:
[ 42.977850][ T7117]  dump_stack+0x1e9/0x30e
[ 42.982162][ T7117]  print_address_description+0x74/0x5c0
[ 42.987681][ T7117]  ? vprintk_emit+0x2f3/0x3b0
[ 42.992336][ T7117]  ? printk+0x62/0x83
[ 42.996316][ T7117]  __kasan_report+0x14b/0x1c0
[ 43.000967][ T7117]  ? vsscanf+0x2666/0x2ef0
[ 43.005359][ T7117]  kasan_report+0x25/0x50
[ 43.009664][ T7117]  vsscanf+0x2666/0x2ef0
[ 43.013904][ T7117]  ? vsscanf+0x68f/0x2ef0
[ 43.018213][ T7117]  sscanf+0x6c/0x90
[ 43.022002][ T7117]  smk_set_cipso+0x1ac/0x6a0
[ 43.026581][ T7117]  ? do_raw_spin_unlock+0x134/0x8d0
[ 43.031757][ T7117]  ? smk_write_access2+0x1c0/0x1c0
[ 43.036852][ T7117]  __vfs_write+0xa7/0x710
[ 43.041172][ T7117]  ? rcu_read_lock_any_held+0x138/0x1a0
[ 43.046696][ T7117]  vfs_write+0x271/0x570
[ 43.050929][ T7117]  ksys_write+0x115/0x220
[ 43.055234][ T7117]  do_syscall_64+0xf3/0x1b0
[ 43.059723][ T7117]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 43.065607][ T7117] RIP: 0033:0x4401b9
[ 43.069484][ T7117] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 43.090026][ T7117] RSP: 002b:00007ffd20456888 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 43.098431][ T7117] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401b9
[ 43.106405][ T7117] RDX: 0000000000000001 RSI: 00000000200005c0 RDI: 0000000000000003
[ 43.114367][ T7117] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 43.122317][ T7117] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000401a40
[ 43.130265][ T7117] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000
[ 43.138229][ T7117]
[ 43.140535][ T7117] Allocated by task 7117:
[ 43.144856][ T7117]  __kasan_kmalloc+0x118/0x1c0
[ 43.149591][ T7117]  __kmalloc_track_caller+0x249/0x320
[ 43.154946][ T7117]  memdup_user_nul+0x26/0xf0
[ 43.159630][ T7117]  smk_set_cipso+0xff/0x6a0
[ 43.164160][ T7117]  __vfs_write+0xa7/0x710
[ 43.168507][ T7117]  vfs_write+0x271/0x570
[ 43.172728][ T7117]  ksys_write+0x115/0x220
[ 43.177048][ T7117]  do_syscall_64+0xf3/0x1b0
[ 43.181528][ T7117]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 43.187389][ T7117]
[ 43.189691][ T7117] Freed by task 1:
[ 43.193390][ T7117]  __kasan_slab_free+0x12e/0x1e0
[ 43.198299][ T7117]  kfree+0x10a/0x220
[ 43.202170][ T7117]  tomoyo_path_perm+0x59b/0x740
[ 43.206997][ T7117]  security_inode_getattr+0xc0/0x140
[ 43.212352][ T7117]  vfs_getattr+0x27/0x6e0
[ 43.216699][ T7117]  __se_sys_newlstat+0x85/0x140
[ 43.226046][ T7117]  do_syscall_64+0xf3/0x1b0
[ 43.230524][ T7117]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 43.236386][ T7117]
[ 43.238687][ T7117] The buggy address belongs to the object at ffff888093622f40
[ 43.238687][ T7117]  which belongs to the cache kmalloc-32 of size 32
[ 43.252539][ T7117] The buggy address is located 2 bytes inside of
[ 43.252539][ T7117]  32-byte region [ffff888093622f40, ffff888093622f60)
[ 43.265517][ T7117] The buggy address belongs to the page:
[ 43.271124][ T7117] page:ffffea00024d8880 refcount:1 mapcount:0 mapping:ffff8880aa4001c0 index:0xffff888093622fc1
[ 43.281518][ T7117] flags: 0xfffe0000000200(slab)
[ 43.286345][ T7117] raw: 00fffe0000000200 ffffea000271b988 ffffea00028ae488 ffff8880aa4001c0
[ 43.295392][ T7117] raw: ffff888093622fc1 ffff888093622000 0000000100000039 0000000000000000
[ 43.303957][ T7117] page dumped because: kasan: bad access detected
[ 43.310358][ T7117]
[ 43.312768][ T7117] Memory state around the buggy address:
[ 43.318691][ T7117]  ffff888093622e00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 43.327169][ T7117]  ffff888093622e80: fb fb fb fb fc fc fc fc 00 00 01 fc fc fc fc fc
[ 43.335244][ T7117] >ffff888093622f00: fb fb fb fb fc fc fc fc 02 fc fc fc fc fc fc fc
[ 43.343458][ T7117]                                            ^
[ 43.349589][ T7117]  ffff888093622f80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 43.358581][ T7117]  ffff888093623000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 43.366728][ T7117] ==================================================================
[ 43.374864][ T7117] Disabling lock debugging due to kernel taint
[ 43.381244][ T7117] Kernel panic - not syncing: panic_on_warn set ...
[ 43.387926][ T7117] CPU: 1 PID: 7117 Comm: syz-executor055 Tainted: G    B 5.6.0-rc7-syzkaller #0
[ 43.397988][ T7117] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.408724][ T7117] Call Trace:
[ 43.412003][ T7117]  dump_stack+0x1e9/0x30e
[ 43.416437][ T7117]  panic+0x264/0x7a0
[ 43.420425][ T7117]  ? trace_hardirqs_on+0x30/0x70
[ 43.425617][ T7117]  __kasan_report+0x1bc/0x1c0
[ 43.430487][ T7117]  ? vsscanf+0x2666/0x2ef0
[ 43.434884][ T7117]  kasan_report+0x25/0x50
[ 43.439191][ T7117]  vsscanf+0x2666/0x2ef0
[ 43.443431][ T7117]  ? vsscanf+0x68f/0x2ef0
[ 43.447742][ T7117]  sscanf+0x6c/0x90
[ 43.451528][ T7117]  smk_set_cipso+0x1ac/0x6a0
[ 43.456115][ T7117]  ? do_raw_spin_unlock+0x134/0x8d0
[ 43.461322][ T7117]  ? smk_write_access2+0x1c0/0x1c0
[ 43.466960][ T7117]  __vfs_write+0xa7/0x710
[ 43.471272][ T7117]  ? rcu_read_lock_any_held+0x138/0x1a0
[ 43.476895][ T7117]  vfs_write+0x271/0x570
[ 43.481340][ T7117]  ksys_write+0x115/0x220
[ 43.485657][ T7117]  do_syscall_64+0xf3/0x1b0
[ 43.490424][ T7117]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 43.496332][ T7117] RIP: 0033:0x4401b9
[ 43.501364][ T7117] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 43.521587][ T7117] RSP: 002b:00007ffd20456888 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 43.531251][ T7117] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401b9
[ 43.539782][ T7117] RDX: 0000000000000001 RSI: 00000000200005c0 RDI: 0000000000000003
[ 43.548456][ T7117] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 43.556626][ T7117] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000401a40
[ 43.564590][ T7117] R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000
[ 43.576561][ T7117] Kernel Offset: disabled
[ 43.580888][ T7117] Rebooting in 86400 seconds..