[ 31.903338] audit: type=1800 audit(1579079340.006:33): pid=7020 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 31.935689] audit: type=1800 audit(1579079340.006:34): pid=7020 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 35.455058] random: sshd: uninitialized urandom read (32 bytes read)
[ 35.762678] audit: type=1400 audit(1579079343.866:35): avc: denied { map } for pid=7194 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 35.811706] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.460943] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.644862] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.32' (ECDSA) to the list of known hosts.
[ 42.306377] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 42.421977] audit: type=1400 audit(1579079350.526:36): avc: denied { map } for pid=7206 comm="syz-executor905" path="/root/syz-executor905735920" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 42.505196] ==================================================================
[ 42.505217] BUG: KASAN: global-out-of-bounds in vga16fb_imageblit+0x1bdb/0x2160
[ 42.505222] Read of size 2 at addr ffffffff8708ffde by task syz-executor905/7206
[ 42.505223]
[ 42.505230] CPU: 0 PID: 7206 Comm: syz-executor905 Not tainted 4.14.165-syzkaller #0
[ 42.505233] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.505235] Call Trace:
[ 42.505243] dump_stack+0x142/0x197
[ 42.505249] ? vga16fb_imageblit+0x1bdb/0x2160
[ 42.505257] print_address_description.cold+0x5/0x1dc
[ 42.505262] ? vga16fb_imageblit+0x1bdb/0x2160
[ 42.505266] kasan_report.cold+0xa9/0x2af
[ 42.505272] __asan_report_load2_noabort+0x14/0x20
[ 42.505277] vga16fb_imageblit+0x1bdb/0x2160
[ 42.505283] ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 42.505289] ? debug_check_no_obj_freed+0x297/0x7b7
[ 42.505296] soft_cursor+0x4ff/0xa50
[ 42.505305] bit_cursor+0x11be/0x1830
[ 42.505312] ? bit_clear+0x4a0/0x4a0
[ 42.505317] ? fbcon_putcs+0x3c2/0x480
[ 42.505326] ? fbcon_putcs+0x223/0x480
[ 42.505333] ? fb_get_color_depth+0x5f/0x70
[ 42.505338] ? get_color+0x1bf/0x3b0
[ 42.505344] fbcon_cursor+0x4e3/0x6f0
[ 42.505347] ? bit_clear+0x4a0/0x4a0
[ 42.505355] set_cursor+0x1bd/0x240
[ 42.505359] redraw_screen+0x596/0x7c0
[ 42.505365] ? con_flush_chars+0x90/0x90
[ 42.505369] ? fbcon_set_palette+0x203/0x5b0
[ 42.505376] fbcon_modechanged+0x59e/0x880
[ 42.505383] fbcon_event_notify+0x11f/0x17af
[ 42.505390] ? lock_acquire+0x16f/0x430
[ 42.505398] notifier_call_chain+0x111/0x1b0
[ 42.505405] blocking_notifier_call_chain+0x80/0xa0
[ 42.505410] fb_notifier_call_chain+0x25/0x30
[ 42.505415] fb_set_var+0xb09/0xcf0
[ 42.505420] ? fb_set_suspend+0x110/0x110
[ 42.505424] ? lock_acquire+0x16f/0x430
[ 42.505428] ? lock_fb_info+0x1f/0x80
[ 42.505434] ? lock_fb_info+0x1f/0x80
[ 42.505440] ? __mutex_lock+0x36a/0x1470
[ 42.505444] ? trace_hardirqs_on+0x10/0x10
[ 42.505448] ? lock_acquire+0x16f/0x430
[ 42.505452] ? __down+0x16b/0x290
[ 42.505459] ? mutex_trylock+0x1c0/0x1c0
[ 42.505462] ? down+0x70/0x90
[ 42.505474] ? mutex_lock_nested+0x16/0x20
[ 42.505478] ? mutex_lock_nested+0x16/0x20
[ 42.505483] do_fb_ioctl+0x3cc/0x940
[ 42.505487] ? fb_read+0x520/0x520
[ 42.505495] ? avc_has_extended_perms+0x8ec/0xe40
[ 42.505501] ? putname+0xdb/0x120
[ 42.505507] ? avc_ss_reset+0x110/0x110
[ 42.505510] ? kmem_cache_free+0x83/0x2b0
[ 42.505517] ? do_syscall_64+0x1e8/0x640
[ 42.505521] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.505525] ? find_held_lock+0x35/0x130
[ 42.505530] ? debug_check_no_obj_freed+0x2aa/0x7b7
[ 42.505543] ? __might_sleep+0x93/0xb0
[ 42.505550] fb_ioctl+0xe6/0x130
[ 42.505554] ? do_fb_ioctl+0x940/0x940
[ 42.505558] do_vfs_ioctl+0x7ae/0x1060
[ 42.505563] ? selinux_file_mprotect+0x5d0/0x5d0
[ 42.505567] ? kmem_cache_free+0x244/0x2b0
[ 42.505572] ? ioctl_preallocate+0x1c0/0x1c0
[ 42.505575] ? putname+0xe0/0x120
[ 42.505582] ? do_sys_open+0x221/0x430
[ 42.505590] ? security_file_ioctl+0x7d/0xb0
[ 42.505594] ? security_file_ioctl+0x89/0xb0
[ 42.505599] SyS_ioctl+0x8f/0xc0
[ 42.505604] ? do_vfs_ioctl+0x1060/0x1060
[ 42.505609] do_syscall_64+0x1e8/0x640
[ 42.505613] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 42.505620] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.505624] RIP: 0033:0x440309
[ 42.505627] RSP: 002b:00007ffffc0ab698 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 42.505633] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440309
[ 42.505635] RDX: 0000000020000000 RSI: 0000000000004601 RDI: 0000000000000003
[ 42.505638] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 42.505641] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b90
[ 42.505643] R13: 0000000000401c20 R14: 0000000000000000 R15: 0000000000000000
[ 42.505651]
[ 42.505652] The buggy address belongs to the variable:
[ 42.505657] transl_h+0x3e/0x40
[ 42.505658]
[ 42.505660] Memory state around the buggy address:
[ 42.505664] ffffffff8708fe80: 00 03 fa fa fa fa fa fa 00 00 00 00 fa fa fa fa
[ 42.505667] ffffffff8708ff00: 00 00 00 00 00 fa fa fa fa fa fa fa 04 fa fa fa
[ 42.505671] >ffffffff8708ff80: fa fa fa fa 00 00 00 00 fa fa fa fa 00 00 00 00
[ 42.505673] ^
[ 42.505676] ffffffff87090000: fa fa fa fa 00 01 fa fa fa fa fa fa 00 00 00 04
[ 42.505679] ffffffff87090080: fa fa fa fa 00 00 04 fa fa fa fa fa 00 00 00 00
[ 42.505681] ==================================================================
[ 42.505683] Disabling lock debugging due to kernel taint
[ 42.505685] Kernel panic - not syncing: panic_on_warn set ...
[ 42.505685]
[ 42.505689] CPU: 0 PID: 7206 Comm: syz-executor905 Tainted: G B 4.14.165-syzkaller #0
[ 42.505691] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.505692] Call Trace:
[ 42.505696] dump_stack+0x142/0x197
[ 42.505701] ? vga16fb_imageblit+0x1bdb/0x2160
[ 42.505705] panic+0x1f9/0x42d
[ 42.505708] ? add_taint.cold+0x16/0x16
[ 42.505712] ? lock_downgrade+0x740/0x740
[ 42.505718] kasan_end_report+0x47/0x4f
[ 42.505722] kasan_report.cold+0x130/0x2af
[ 42.505727] __asan_report_load2_noabort+0x14/0x20
[ 42.505731] vga16fb_imageblit+0x1bdb/0x2160
[ 42.505734] ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 42.505738] ? debug_check_no_obj_freed+0x297/0x7b7
[ 42.505743] soft_cursor+0x4ff/0xa50
[ 42.505749] bit_cursor+0x11be/0x1830
[ 42.505754] ? bit_clear+0x4a0/0x4a0
[ 42.505757] ? fbcon_putcs+0x3c2/0x480
[ 42.505761] ? fbcon_putcs+0x223/0x480
[ 42.505766] ? fb_get_color_depth+0x5f/0x70
[ 42.505770] ? get_color+0x1bf/0x3b0
[ 42.505774] fbcon_cursor+0x4e3/0x6f0
[ 42.505777] ? bit_clear+0x4a0/0x4a0
[ 42.505782] set_cursor+0x1bd/0x240
[ 42.505785] redraw_screen+0x596/0x7c0
[ 42.505789] ? con_flush_chars+0x90/0x90
[ 42.505793] ? fbcon_set_palette+0x203/0x5b0
[ 42.505798] fbcon_modechanged+0x59e/0x880
[ 42.505803] fbcon_event_notify+0x11f/0x17af
[ 42.505808] ? lock_acquire+0x16f/0x430
[ 42.505812] notifier_call_chain+0x111/0x1b0
[ 42.505817] blocking_notifier_call_chain+0x80/0xa0
[ 42.505821] fb_notifier_call_chain+0x25/0x30
[ 42.505828] fb_set_var+0xb09/0xcf0
[ 42.505832] ? fb_set_suspend+0x110/0x110
[ 42.505836] ? lock_acquire+0x16f/0x430
[ 42.505839] ? lock_fb_info+0x1f/0x80
[ 42.505843] ? lock_fb_info+0x1f/0x80
[ 42.505847] ? __mutex_lock+0x36a/0x1470
[ 42.505851] ? trace_hardirqs_on+0x10/0x10
[ 42.505855] ? lock_acquire+0x16f/0x430
[ 42.505858] ? __down+0x16b/0x290
[ 42.505863] ? mutex_trylock+0x1c0/0x1c0
[ 42.505866] ? down+0x70/0x90
[ 42.505874] ? mutex_lock_nested+0x16/0x20
[ 42.505877] ? mutex_lock_nested+0x16/0x20
[ 42.505881] do_fb_ioctl+0x3cc/0x940
[ 42.505885] ? fb_read+0x520/0x520
[ 42.505889] ? avc_has_extended_perms+0x8ec/0xe40
[ 42.505893] ? putname+0xdb/0x120
[ 42.505897] ? avc_ss_reset+0x110/0x110
[ 42.505900] ? kmem_cache_free+0x83/0x2b0
[ 42.505904] ? do_syscall_64+0x1e8/0x640
[ 42.505907] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.505911] ? find_held_lock+0x35/0x130
[ 42.505915] ? debug_check_no_obj_freed+0x2aa/0x7b7
[ 42.505923] ? __might_sleep+0x93/0xb0
[ 42.505928] fb_ioctl+0xe6/0x130
[ 42.505931] ? do_fb_ioctl+0x940/0x940
[ 42.505935] do_vfs_ioctl+0x7ae/0x1060
[ 42.505939] ? selinux_file_mprotect+0x5d0/0x5d0
[ 42.505942] ? kmem_cache_free+0x244/0x2b0
[ 42.505946] ? ioctl_preallocate+0x1c0/0x1c0
[ 42.505949] ? putname+0xe0/0x120
[ 42.505953] ? do_sys_open+0x221/0x430
[ 42.505959] ? security_file_ioctl+0x7d/0xb0
[ 42.505962] ? security_file_ioctl+0x89/0xb0
[ 42.505967] SyS_ioctl+0x8f/0xc0
[ 42.505971] ? do_vfs_ioctl+0x1060/0x1060
[ 42.505975] do_syscall_64+0x1e8/0x640
[ 42.505978] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 42.505983] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.505986] RIP: 0033:0x440309
[ 42.505988] RSP: 002b:00007ffffc0ab698 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 42.505992] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440309
[ 42.505994] RDX: 0000000020000000 RSI: 0000000000004601 RDI: 0000000000000003
[ 42.505996] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 42.505998] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b90
[ 42.506000] R13: 0000000000401c20 R14: 0000000000000000 R15: 0000000000000000
[ 42.507454] Kernel Offset: disabled
[ 43.316439] Rebooting in 86400 seconds..