[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.184' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 68.922696][ T8468] ==================================================================
[ 68.930875][ T8468] BUG: KASAN: use-after-free in sctp_auth_shkey_hold+0x22/0xa0
[ 68.938429][ T8468] Write of size 4 at addr ffff888027eb5018 by task syz-executor843/8468
[ 68.946736][ T8468]
[ 68.949045][ T8468] CPU: 1 PID: 8468 Comm: syz-executor843 Not tainted 5.14.0-rc1-syzkaller #0
[ 68.959004][ T8468] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.969044][ T8468] Call Trace:
[ 68.972327][ T8468] dump_stack_lvl+0xcd/0x134
[ 68.976937][ T8468] print_address_description.constprop.0.cold+0x6c/0x309
[ 68.983964][ T8468] ? sctp_auth_shkey_hold+0x22/0xa0
[ 68.989150][ T8468] ? sctp_auth_shkey_hold+0x22/0xa0
[ 68.994333][ T8468] kasan_report.cold+0x83/0xdf
[ 68.999087][ T8468] ? sctp_auth_shkey_hold+0x22/0xa0
[ 69.004291][ T8468] kasan_check_range+0x13d/0x180
[ 69.009229][ T8468] sctp_auth_shkey_hold+0x22/0xa0
[ 69.014253][ T8468] sctp_sendmsg_to_asoc+0x152e/0x2180
[ 69.019632][ T8468] ? lock_release+0x720/0x720
[ 69.024306][ T8468] ? sctp_set_owner_w+0x4d0/0x4d0
[ 69.029316][ T8468] ? do_raw_spin_lock+0x120/0x2b0
[ 69.034330][ T8468] ? mark_held_locks+0x9f/0xe0
[ 69.039081][ T8468] ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[ 69.045482][ T8468] ? sctp_sendmsg_check_sflags+0x1b2/0x2e0
[ 69.051373][ T8468] sctp_sendmsg+0x103b/0x1d30
[ 69.056043][ T8468] ? sctp_setsockopt+0xa5e0/0xa5e0
[ 69.061149][ T8468] ? aa_af_perm+0x230/0x230
[ 69.065639][ T8468] ? kfree+0xeb/0x650
[ 69.069613][ T8468] ? sctp_setsockopt+0x348/0xa5e0
[ 69.074711][ T8468] ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[ 69.080939][ T8468] inet_sendmsg+0x99/0xe0
[ 69.085259][ T8468] ? inet_send_prepare+0x4e0/0x4e0
[ 69.090357][ T8468] sock_sendmsg+0xcf/0x120
[ 69.094762][ T8468] __sys_sendto+0x21c/0x320
[ 69.099250][ T8468] ? __ia32_sys_getpeername+0xb0/0xb0
[ 69.104610][ T8468] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 69.110584][ T8468] ? kfree+0x226/0x650
[ 69.114650][ T8468] ? __context_tracking_exit+0xb8/0xe0
[ 69.120099][ T8468] ? lock_downgrade+0x6e0/0x6e0
[ 69.124938][ T8468] ? lock_downgrade+0x6e0/0x6e0
[ 69.129784][ T8468] __x64_sys_sendto+0xdd/0x1b0
[ 69.134535][ T8468] ? lockdep_hardirqs_on+0x79/0x100
[ 69.139723][ T8468] ? syscall_enter_from_user_mode+0x21/0x70
[ 69.145690][ T8468] do_syscall_64+0x35/0xb0
[ 69.150091][ T8468] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 69.155984][ T8468] RIP: 0033:0x43efe9
[ 69.159878][ T8468] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 69.179556][ T8468] RSP: 002b:00007fff191e50c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 69.187954][ T8468] RAX: ffffffffffffffda RBX: 0100000000000000 RCX: 000000000043efe9
[ 69.196084][ T8468] RDX: 000000000000ffa0 RSI: 0000000020000140 RDI: 0000000000000003
[ 69.204042][ T8468] RBP: 0000000000402fd0 R08: 0000000000000000 R09: 0000000000000000
[ 69.212011][ T8468] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000403060
[ 69.219969][ T8468] R13: 0000000000000000 R14: 00000000004ac018 R15: 0000000000400488
[ 69.227938][ T8468]
[ 69.230245][ T8468] Allocated by task 8468:
[ 69.234576][ T8468] kasan_save_stack+0x1b/0x40
[ 69.239259][ T8468] __kasan_kmalloc+0x9b/0xd0
[ 69.243947][ T8468] sctp_auth_shkey_create+0x85/0x1f0
[ 69.249215][ T8468] sctp_auth_asoc_copy_shkeys+0x1e8/0x350
[ 69.254923][ T8468] sctp_association_new+0x1829/0x2250
[ 69.260283][ T8468] sctp_connect_new_asoc+0x1ac/0x770
[ 69.265552][ T8468] __sctp_connect+0x3d0/0xc30
[ 69.270212][ T8468] sctp_inet_connect+0x15e/0x200
[ 69.275132][ T8468] __sys_connect_file+0x155/0x1a0
[ 69.280139][ T8468] __sys_connect+0x161/0x190
[ 69.284816][ T8468] __x64_sys_connect+0x6f/0xb0
[ 69.289562][ T8468] do_syscall_64+0x35/0xb0
[ 69.293983][ T8468] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 69.299859][ T8468]
[ 69.302166][ T8468] Freed by task 8468:
[ 69.306125][ T8468] kasan_save_stack+0x1b/0x40
[ 69.310788][ T8468] kasan_set_track+0x1c/0x30
[ 69.315361][ T8468] kasan_set_free_info+0x20/0x30
[ 69.320286][ T8468] __kasan_slab_free+0xfb/0x130
[ 69.325119][ T8468] slab_free_freelist_hook+0xdf/0x240
[ 69.330474][ T8468] kfree+0xeb/0x650
[ 69.334281][ T8468] sctp_auth_shkey_release+0x100/0x160
[ 69.339723][ T8468] sctp_auth_set_key+0x508/0x6d0
[ 69.344644][ T8468] sctp_setsockopt+0x4919/0xa5e0
[ 69.349566][ T8468] __sys_setsockopt+0x2db/0x610
[ 69.354401][ T8468] __x64_sys_setsockopt+0xba/0x150
[ 69.359502][ T8468] do_syscall_64+0x35/0xb0
[ 69.363911][ T8468] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 69.369808][ T8468]
[ 69.372117][ T8468] The buggy address belongs to the object at ffff888027eb5000
[ 69.372117][ T8468] which belongs to the cache kmalloc-32 of size 32
[ 69.385977][ T8468] The buggy address is located 24 bytes inside of
[ 69.385977][ T8468] 32-byte region [ffff888027eb5000, ffff888027eb5020)
[ 69.399060][ T8468] The buggy address belongs to the page:
[ 69.404694][ T8468] page:ffffea00009fad40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x27eb5
[ 69.414833][ T8468] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 69.422898][ T8468] raw: 00fff00000000200 ffffea000056e240 0000000d0000000d ffff888010841500
[ 69.431480][ T8468] raw: 0000000000000000 0000000080400040 00000001ffffffff 0000000000000000
[ 69.440325][ T8468] page dumped because: kasan: bad access detected
[ 69.446723][ T8468] page_owner tracks the page as allocated
[ 69.452418][ T8468] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 15828671942, free_ts 14464854502
[ 69.468024][ T8468] get_page_from_freelist+0xa72/0x2f80
[ 69.473494][ T8468] __alloc_pages+0x1b2/0x500
[ 69.478153][ T8468] alloc_pages+0x18c/0x2a0
[ 69.482556][ T8468] allocate_slab+0x32b/0x4c0
[ 69.487143][ T8468] ___slab_alloc+0x4ba/0x820
[ 69.491728][ T8468] __slab_alloc.constprop.0+0xa7/0xf0
[ 69.497085][ T8468] __kmalloc+0x312/0x330
[ 69.501413][ T8468] tomoyo_encode2.part.0+0xe9/0x3a0
[ 69.506596][ T8468] tomoyo_encode+0x28/0x50
[ 69.511617][ T8468] tomoyo_realpath_from_path+0x186/0x620
[ 69.517251][ T8468] tomoyo_check_open_permission+0x272/0x380
[ 69.523136][ T8468] tomoyo_file_open+0xa3/0xd0
[ 69.527803][ T8468] security_file_open+0x52/0x4f0
[ 69.532778][ T8468] do_dentry_open+0x353/0x11d0
[ 69.537533][ T8468] path_openat+0x1c23/0x27f0
[ 69.542109][ T8468] do_filp_open+0x1aa/0x400
[ 69.546694][ T8468] page last free stack trace:
[ 69.551350][ T8468] free_pcp_prepare+0x2c5/0x780
[ 69.556239][ T8468] free_unref_page+0x19/0x690
[ 69.560904][ T8468] kasan_depopulate_vmalloc_pte+0x5c/0x70
[ 69.566616][ T8468] __apply_to_page_range+0x694/0x1080
[ 69.572004][ T8468] kasan_release_vmalloc+0xa7/0xc0
[ 69.577116][ T8468] __purge_vmap_area_lazy+0x8f9/0x1c50
[ 69.582563][ T8468] _vm_unmap_aliases.part.0+0x3f0/0x500
[ 69.588096][ T8468] vm_unmap_aliases+0x47/0x50
[ 69.592781][ T8468] change_page_attr_set_clr+0x241/0x500
[ 69.598312][ T8468] set_memory_nx+0xb2/0x110
[ 69.602806][ T8468] free_init_pages+0x73/0xc0
[ 69.607385][ T8468] kernel_init+0x24/0x1d0
[ 69.611714][ T8468] ret_from_fork+0x1f/0x30
[ 69.616119][ T8468]
[ 69.618423][ T8468] Memory state around the buggy address:
[ 69.624038][ T8468] ffff888027eb4f00: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 69.632092][ T8468] ffff888027eb4f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 69.640135][ T8468] >ffff888027eb5000: fa fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 69.648184][ T8468]                             ^
[ 69.653024][ T8468] ffff888027eb5080: fb fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 69.661075][ T8468] ffff888027eb5100: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 69.669118][ T8468] ==================================================================
[ 69.677160][ T8468] Disabling lock debugging due to kernel taint
[ 69.683432][ T8468] Kernel panic - not syncing: panic_on_warn set ...
[ 69.690027][ T8468] CPU: 0 PID: 8468 Comm: syz-executor843 Tainted: G B 5.14.0-rc1-syzkaller #0
[ 69.700179][ T8468] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.710362][ T8468] Call Trace:
[ 69.713636][ T8468] dump_stack_lvl+0xcd/0x134
[ 69.718229][ T8468] panic+0x306/0x73d
[ 69.722146][ T8468] ? __warn_printk+0xf3/0xf3
[ 69.726756][ T8468] ? preempt_schedule_common+0x59/0xc0
[ 69.732220][ T8468] ? sctp_auth_shkey_hold+0x22/0xa0
[ 69.737421][ T8468] ? preempt_schedule_thunk+0x16/0x18
[ 69.742795][ T8468] ? trace_hardirqs_on+0x38/0x1c0
[ 69.747815][ T8468] ? trace_hardirqs_on+0x51/0x1c0
[ 69.752841][ T8468] ? sctp_auth_shkey_hold+0x22/0xa0
[ 69.758042][ T8468] ? sctp_auth_shkey_hold+0x22/0xa0
[ 69.763247][ T8468] end_report.cold+0x5a/0x5a
[ 69.767851][ T8468] kasan_report.cold+0x71/0xdf
[ 69.772719][ T8468] ? sctp_auth_shkey_hold+0x22/0xa0
[ 69.777925][ T8468] kasan_check_range+0x13d/0x180
[ 69.782871][ T8468] sctp_auth_shkey_hold+0x22/0xa0
[ 69.787900][ T8468] sctp_sendmsg_to_asoc+0x152e/0x2180
[ 69.793277][ T8468] ? lock_release+0x720/0x720
[ 69.798212][ T8468] ? sctp_set_owner_w+0x4d0/0x4d0
[ 69.803237][ T8468] ? do_raw_spin_lock+0x120/0x2b0
[ 69.808275][ T8468] ? mark_held_locks+0x9f/0xe0
[ 69.813036][ T8468] ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[ 69.819268][ T8468] ? sctp_sendmsg_check_sflags+0x1b2/0x2e0
[ 69.825072][ T8468] sctp_sendmsg+0x103b/0x1d30
[ 69.829748][ T8468] ? sctp_setsockopt+0xa5e0/0xa5e0
[ 69.834873][ T8468] ? aa_af_perm+0x230/0x230
[ 69.839541][ T8468] ? kfree+0xeb/0x650
[ 69.843616][ T8468] ? sctp_setsockopt+0x348/0xa5e0
[ 69.848638][ T8468] ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[ 69.854887][ T8468] inet_sendmsg+0x99/0xe0
[ 69.859211][ T8468] ? inet_send_prepare+0x4e0/0x4e0
[ 69.864337][ T8468] sock_sendmsg+0xcf/0x120
[ 69.868746][ T8468] __sys_sendto+0x21c/0x320
[ 69.873243][ T8468] ? __ia32_sys_getpeername+0xb0/0xb0
[ 69.878606][ T8468] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 69.884580][ T8468] ? kfree+0x226/0x650
[ 69.888657][ T8468] ? __context_tracking_exit+0xb8/0xe0
[ 69.894112][ T8468] ? lock_downgrade+0x6e0/0x6e0
[ 69.898951][ T8468] ? lock_downgrade+0x6e0/0x6e0
[ 69.903794][ T8468] __x64_sys_sendto+0xdd/0x1b0
[ 69.908550][ T8468] ? lockdep_hardirqs_on+0x79/0x100
[ 69.913744][ T8468] ? syscall_enter_from_user_mode+0x21/0x70
[ 69.919634][ T8468] do_syscall_64+0x35/0xb0
[ 69.924042][ T8468] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 69.929952][ T8468] RIP: 0033:0x43efe9
[ 69.933936][ T8468] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 69.953531][ T8468] RSP: 002b:00007fff191e50c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 69.962028][ T8468] RAX: ffffffffffffffda RBX: 0100000000000000 RCX: 000000000043efe9
[ 69.969998][ T8468] RDX: 000000000000ffa0 RSI: 0000000020000140 RDI: 0000000000000003
[ 69.977955][ T8468] RBP: 0000000000402fd0 R08: 0000000000000000 R09: 0000000000000000
[ 69.985924][ T8468] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000403060
[ 69.993882][ T8468] R13: 0000000000000000 R14: 00000000004ac018 R15: 0000000000400488
[ 70.003134][ T8468] Kernel Offset: disabled
[ 70.007452][ T8468] Rebooting in 86400 seconds..