[ 33.722070] audit: type=1800 audit(1584903970.640:33): pid=7120 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 33.750900] audit: type=1800 audit(1584903970.640:34): pid=7120 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 37.084084] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.318436] audit: type=1400 audit(1584903974.230:35): avc: denied { map } for pid=7290 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 37.369084] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.145806] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.332702] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.85' (ECDSA) to the list of known hosts.
[ 43.876142] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
[ 44.003253] audit: type=1400 audit(1584903980.920:36): avc: denied { map } for pid=7303 comm="syz-executor224" path="/root/syz-executor224249781" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 44.048902] ==================================================================
[ 44.048934] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90
[ 44.048940] Write of size 8 at addr ffff88809b78d548 by task syz-executor224/7312
[ 44.048942]
[ 44.048951] CPU: 1 PID: 7312 Comm: syz-executor224 Not tainted 4.14.174-syzkaller #0
[ 44.048956] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.048959] Call Trace:
[ 44.048969] dump_stack+0x13e/0x194
[ 44.048978] ? con_shutdown+0x7f/0x90
[ 44.048989] print_address_description.cold+0x7c/0x1e2
[ 44.048997] ? con_shutdown+0x7f/0x90
[ 44.049004] kasan_report.cold+0xa9/0x2ae
[ 44.049012] ? set_palette+0x130/0x130
[ 44.049020] con_shutdown+0x7f/0x90
[ 44.049029] release_tty+0xb6/0x7a0
[ 44.049038] tty_release_struct+0x37/0x50
[ 44.049045] tty_release+0xaa6/0xd60
[ 44.049058] ? tty_release_struct+0x50/0x50
[ 44.049065] __fput+0x25f/0x790
[ 44.049078] task_work_run+0x113/0x190
[ 44.049090] do_exit+0x9f2/0x2b00
[ 44.049099] ? __do_page_fault+0x4e4/0xb40
[ 44.049109] ? mm_update_next_owner+0x5b0/0x5b0
[ 44.049118] ? lock_downgrade+0x6e0/0x6e0
[ 44.049132] do_group_exit+0x100/0x310
[ 44.049140] SyS_exit_group+0x19/0x20
[ 44.049146] ? do_group_exit+0x310/0x310
[ 44.049154] do_syscall_64+0x1d5/0x640
[ 44.049167] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.049173] RIP: 0033:0x43ff48
[ 44.049177] RSP: 002b:00007ffd9a9df8d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 44.049185] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff48
[ 44.049189] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 44.049193] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 44.049197] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 44.049202] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[ 44.049213]
[ 44.049217] Allocated by task 7312:
[ 44.049224] save_stack+0x32/0xa0
[ 44.049230] kasan_kmalloc+0xbf/0xe0
[ 44.049236] kmem_cache_alloc_trace+0x14d/0x7b0
[ 44.049242] vc_allocate+0x142/0x550
[ 44.049248] con_install+0x4f/0x3e0
[ 44.049254] tty_init_dev+0xe1/0x3a0
[ 44.049259] tty_open+0x410/0x9c0
[ 44.049265] chrdev_open+0x1fc/0x540
[ 44.049272] do_dentry_open+0x732/0xe90
[ 44.049277] vfs_open+0x105/0x220
[ 44.049283] path_openat+0x8ca/0x3c50
[ 44.049289] do_filp_open+0x18e/0x250
[ 44.049294] do_sys_open+0x29d/0x3f0
[ 44.049300] do_syscall_64+0x1d5/0x640
[ 44.049306] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.049308]
[ 44.049311] Freed by task 7311:
[ 44.049316] save_stack+0x32/0xa0
[ 44.049321] kasan_slab_free+0x75/0xc0
[ 44.049326] kfree+0xcb/0x260
[ 44.049337] vt_disallocate_all+0x25c/0x340
[ 44.049342] vt_ioctl+0x6e3/0x1f00
[ 44.049347] tty_ioctl+0x6c5/0x1220
[ 44.049354] do_vfs_ioctl+0x75a/0xfe0
[ 44.049360] SyS_ioctl+0x7f/0xb0
[ 44.049366] do_syscall_64+0x1d5/0x640
[ 44.049373] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.049375]
[ 44.049380] The buggy address belongs to the object at ffff88809b78d440
[ 44.049380] which belongs to the cache kmalloc-2048 of size 2048
[ 44.049385] The buggy address is located 264 bytes inside of
[ 44.049385] 2048-byte region [ffff88809b78d440, ffff88809b78dc40)
[ 44.049388] The buggy address belongs to the page:
[ 44.049399] page:ffffea00026de300 count:1 mapcount:0 mapping:ffff88809b78c340 index:0x0 compound_mapcount: 0
[ 44.049408] flags: 0xfffe0000008100(slab|head)
[ 44.049417] raw: 00fffe0000008100 ffff88809b78c340 0000000000000000 0000000100000003
[ 44.049425] raw: ffffea00027a1e20 ffffea00025320a0 ffff88812fe56c40 0000000000000000
[ 44.049428] page dumped because: kasan: bad access detected
[ 44.049430]
[ 44.049432] Memory state around the buggy address:
[ 44.049437] ffff88809b78d400: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 44.049443] ffff88809b78d480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.049448] >ffff88809b78d500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.049451] ^
[ 44.049455] ffff88809b78d580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.049461] ffff88809b78d600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.049463] ==================================================================
[ 44.049466] Disabling lock debugging due to kernel taint
[ 44.049528] Kernel panic - not syncing: panic_on_warn set ...
[ 44.049528]
[ 44.049534] CPU: 1 PID: 7312 Comm: syz-executor224 Tainted: G B 4.14.174-syzkaller #0
[ 44.049538] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.049539] Call Trace:
[ 44.049546] dump_stack+0x13e/0x194
[ 44.049553] panic+0x1f9/0x42d
[ 44.049558] ? add_taint.cold+0x16/0x16
[ 44.049566] ? preempt_schedule_common+0x4a/0xc0
[ 44.049572] ? con_shutdown+0x7f/0x90
[ 44.049578] ? ___preempt_schedule+0x16/0x18
[ 44.049587] ? con_shutdown+0x7f/0x90
[ 44.049592] kasan_end_report+0x43/0x49
[ 44.049598] kasan_report.cold+0x12f/0x2ae
[ 44.049604] ? set_palette+0x130/0x130
[ 44.049610] con_shutdown+0x7f/0x90
[ 44.049615] release_tty+0xb6/0x7a0
[ 44.049622] tty_release_struct+0x37/0x50
[ 44.049628] tty_release+0xaa6/0xd60
[ 44.049636] ? tty_release_struct+0x50/0x50
[ 44.049641] __fput+0x25f/0x790
[ 44.049649] task_work_run+0x113/0x190
[ 44.049656] do_exit+0x9f2/0x2b00
[ 44.049662] ? __do_page_fault+0x4e4/0xb40
[ 44.049670] ? mm_update_next_owner+0x5b0/0x5b0
[ 44.049676] ? lock_downgrade+0x6e0/0x6e0
[ 44.049686] do_group_exit+0x100/0x310
[ 44.049692] SyS_exit_group+0x19/0x20
[ 44.049698] ? do_group_exit+0x310/0x310
[ 44.049704] do_syscall_64+0x1d5/0x640
[ 44.049712] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.049717] RIP: 0033:0x43ff48
[ 44.049720] RSP: 002b:00007ffd9a9df8d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 44.049727] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff48
[ 44.049730] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 44.049734] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 44.049737] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 44.049740] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[ 44.050974] Kernel Offset: disabled
[ 44.650220] Rebooting in 86400 seconds..