[   31.899156] random: sshd: uninitialized urandom read (32 bytes read)
[   32.125934] kauditd_printk_skb: 10 callbacks suppressed
[   32.125942] audit: type=1400 audit(1564829553.133:35): avc:  denied  { map } for  pid=6939 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   32.183507] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   32.755668] random: sshd: uninitialized urandom read (32 bytes read)
[   50.540795] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.1.11' (ECDSA) to the list of known hosts.
[   56.079987] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   56.207776] audit: type=1400 audit(1564829577.213:36): avc:  denied  { map } for  pid=6952 comm="syz-executor429" path="/root/syz-executor429329191" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   56.243294] ==================================================================
[   56.251738] BUG: KASAN: use-after-free in _copy_to_user+0xa4/0xd0
[   56.258700] Read of size 924 at addr ffff8880747ffff3 by task syz-executor429/6952
[   56.268305] 
[   56.270153] CPU: 0 PID: 6952 Comm: syz-executor429 Not tainted 4.14.135 #31
[   56.279044] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   56.289250] Call Trace:
[   56.292176]  dump_stack+0x138/0x19c
[   56.296082]  ? _copy_to_user+0xa4/0xd0
[   56.300593]  print_address_description.cold+0x7c/0x1dc
[   56.306131]  ? _copy_to_user+0xa4/0xd0
[   56.310400]  kasan_report.cold+0xa9/0x2af
[   56.314836]  check_memory_region+0x123/0x190
[   56.319547]  kasan_check_read+0x11/0x20
[   56.324078]  _copy_to_user+0xa4/0xd0
[   56.327947]  bpf_test_finish.isra.0+0xaf/0x150
[   56.332792]  ? bpf_test_run+0x330/0x330
[   56.337287]  bpf_prog_test_run_skb+0x5af/0x9a0
[   56.342678]  ? bpf_test_init.isra.0+0xe0/0xe0
[   56.347606]  ? __bpf_prog_get+0x153/0x1a0
[   56.351899]  SyS_bpf+0x749/0x38f3
[   56.355591]  ? __do_page_fault+0x4e9/0xb80
[   56.359995]  ? bpf_test_init.isra.0+0xe0/0xe0
[   56.364669]  ? bpf_prog_get+0x20/0x20
[   56.368912]  ? lock_downgrade+0x6e0/0x6e0
[   56.373832]  ? up_read+0x1a/0x40
[   56.377761]  ? __do_page_fault+0x358/0xb80
[   56.382464]  ? bpf_prog_get+0x20/0x20
[   56.386357]  do_syscall_64+0x1e8/0x640
[   56.390618]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   56.395563]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   56.400841] RIP: 0033:0x440379
[   56.404200] RSP: 002b:00007ffd82ee9fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
[   56.413219] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440379
[   56.421555] RDX: 0000000000000028 RSI: 0000000020000140 RDI: 000000000000000a
[   56.429523] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[   56.438153] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401c00
[   56.446068] R13: 0000000000401c90 R14: 0000000000000000 R15: 0000000000000000
[   56.453765] 
[   56.455515] The buggy address belongs to the page:
[   56.460840] page:ffffea0001d1ffc0 count:0 mapcount:0 mapping:          (null) index:0x0
[   56.469304] flags: 0x1fffc0000000000()
[   56.473556] raw: 01fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
[   56.482355] raw: ffffea0001d1ffe0 ffffea0001d1ffe0 0000000000000000 0000000000000000
[   56.491292] page dumped because: kasan: bad access detected
[   56.497339] 
[   56.498954] Memory state around the buggy address:
[   56.504093]  ffff8880747ffe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   56.512137]  ffff8880747fff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   56.520223] >ffff8880747fff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   56.527913]                                                              ^
[   56.535051]  ffff888074800000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   56.542573]  ffff888074800080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   56.550193] ==================================================================
[   56.558012] Disabling lock debugging due to kernel taint
[   56.568273] Kernel panic - not syncing: panic_on_warn set ...
[   56.568273] 
[   56.575821] CPU: 0 PID: 6952 Comm: syz-executor429 Tainted: G    B   4.14.135 #31
[   56.584556] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   56.594872] Call Trace:
[   56.597642]  dump_stack+0x138/0x19c
[   56.601616]  ? _copy_to_user+0xa4/0xd0
[   56.606399]  panic+0x1f2/0x426
[   56.610272]  ? add_taint.cold+0x16/0x16
[   56.614507]  ? ___preempt_schedule+0x16/0x18
[   56.619202]  kasan_end_report+0x47/0x4f
[   56.623506]  kasan_report.cold+0x130/0x2af
[   56.628018]  check_memory_region+0x123/0x190
[   56.632852]  kasan_check_read+0x11/0x20
[   56.637295]  _copy_to_user+0xa4/0xd0
[   56.641014]  bpf_test_finish.isra.0+0xaf/0x150
[   56.645973]  ? bpf_test_run+0x330/0x330
[   56.650589]  bpf_prog_test_run_skb+0x5af/0x9a0
[   56.655418]  ? bpf_test_init.isra.0+0xe0/0xe0
[   56.660719]  ? __bpf_prog_get+0x153/0x1a0
[   56.664853]  SyS_bpf+0x749/0x38f3
[   56.668307]  ? __do_page_fault+0x4e9/0xb80
[   56.673026]  ? bpf_test_init.isra.0+0xe0/0xe0
[   56.678823]  ? bpf_prog_get+0x20/0x20
[   56.683473]  ? lock_downgrade+0x6e0/0x6e0
[   56.688639]  ? up_read+0x1a/0x40
[   56.692649]  ? __do_page_fault+0x358/0xb80
[   56.697130]  ? bpf_prog_get+0x20/0x20
[   56.701359]  do_syscall_64+0x1e8/0x640
[   56.705470]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   56.711183]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   56.716976] RIP: 0033:0x440379
[   56.720626] RSP: 002b:00007ffd82ee9fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
[   56.728768] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440379
[   56.737853] RDX: 0000000000000028 RSI: 0000000020000140 RDI: 000000000000000a
[   56.746349] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[   56.754475] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401c00
[   56.763436] R13: 0000000000401c90 R14: 0000000000000000 R15: 0000000000000000
[   56.773688] Kernel Offset: disabled
[   56.777768] Rebooting in 86400 seconds..