[....] Starting periodic command scheduler: cron [ ok ]. [....] Starting OpenBSD Secure Shell server: sshd[ 19.958281] random: sshd: uninitialized urandom read (32 bytes read) [ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 24.964153] random: sshd: uninitialized urandom read (32 bytes read) [ 25.355795] random: sshd: uninitialized urandom read (32 bytes read) [ 26.117625] random: sshd: uninitialized urandom read (32 bytes read) [ 26.278085] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.5' (ECDSA) to the list of known hosts. [ 31.772852] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 31.865184] ================================================================== [ 31.872673] BUG: KASAN: slab-out-of-bounds in nla_strlcpy+0x13d/0x150 [ 31.879245] Read of size 1 at addr ffff8801ac96bc9d by task syz-executor545/4491 [ 31.886762] [ 31.888383] CPU: 1 PID: 4491 Comm: syz-executor545 Not tainted 4.17.0-rc6+ #67 [ 31.895723] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.905070] Call Trace: [ 31.907678] dump_stack+0x1b9/0x294 [ 31.911298] ? dump_stack_print_info.cold.2+0x52/0x52 [ 31.916481] ? printk+0x9e/0xba [ 31.919745] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 31.924486] ? kasan_check_write+0x14/0x20 [ 31.928714] print_address_description+0x6c/0x20b [ 31.934375] ? nla_strlcpy+0x13d/0x150 [ 31.938562] kasan_report.cold.7+0x242/0x2fe [ 31.942957] __asan_report_load1_noabort+0x14/0x20 [ 31.947884] nla_strlcpy+0x13d/0x150 [ 31.951581] nfnl_acct_new+0x574/0xc50 [ 31.955457] ? nfnl_acct_overquota+0x380/0x380 [ 31.960022] ? debug_check_no_locks_freed+0x310/0x310 [ 31.965192] ? graph_lock+0x170/0x170 [ 31.968976] ? retint_kernel+0x10/0x10 [ 31.972845] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 31.977843] ? print_usage_bug+0xc0/0xc0 [ 31.981910] ? find_held_lock+0x36/0x1c0 [ 31.985971] ? 
graph_lock+0x170/0x170 [ 31.989772] ? lock_downgrade+0x8e0/0x8e0 [ 31.993916] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.999479] ? __lock_is_held+0xb5/0x140 [ 32.003526] ? nfnl_acct_overquota+0x380/0x380 [ 32.008100] nfnetlink_rcv_msg+0xdb5/0xff0 [ 32.012335] ? __sanitizer_cov_trace_cmp1+0x17/0x20 [ 32.017331] ? nfnetlink_rcv_msg+0x3bc/0xff0 [ 32.021724] ? nfnetlink_bind+0x3a0/0x3a0 [ 32.025868] ? graph_lock+0x170/0x170 [ 32.029648] ? find_held_lock+0x36/0x1c0 [ 32.033693] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.039213] netlink_rcv_skb+0x172/0x440 [ 32.043349] ? nfnetlink_bind+0x3a0/0x3a0 [ 32.047476] ? netlink_ack+0xbc0/0xbc0 [ 32.051347] ? __netlink_ns_capable+0x100/0x130 [ 32.055998] nfnetlink_rcv+0x1fe/0x1ba0 [ 32.059955] ? kasan_check_read+0x11/0x20 [ 32.064085] ? rcu_is_watching+0x85/0x140 [ 32.068217] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 32.073391] ? nfnl_err_reset+0x2d0/0x2d0 [ 32.077523] ? netlink_remove_tap+0x610/0x610 [ 32.082008] ? refcount_add_not_zero+0x320/0x320 [ 32.086762] ? kasan_check_read+0x11/0x20 [ 32.090893] ? rcu_is_watching+0x85/0x140 [ 32.095023] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 32.100206] ? netlink_skb_destructor+0x210/0x210 [ 32.105036] ? kasan_check_write+0x14/0x20 [ 32.109256] netlink_unicast+0x58b/0x740 [ 32.113303] ? netlink_attachskb+0x970/0x970 [ 32.117700] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.123221] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 32.128222] ? security_netlink_send+0x88/0xb0 [ 32.132787] netlink_sendmsg+0x9f0/0xfa0 [ 32.136837] ? netlink_unicast+0x740/0x740 [ 32.141054] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.146573] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.152090] ? security_socket_sendmsg+0x94/0xc0 [ 32.156826] ? netlink_unicast+0x740/0x740 [ 32.161050] sock_sendmsg+0xd5/0x120 [ 32.164745] sock_write_iter+0x35a/0x5a0 [ 32.168788] ? sock_sendmsg+0x120/0x120 [ 32.172744] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 32.178265] ? 
iov_iter_init+0xc9/0x1f0 [ 32.182308] __vfs_write+0x64d/0x960 [ 32.186006] ? kernel_read+0x120/0x120 [ 32.189887] ? lock_downgrade+0x8e0/0x8e0 [ 32.194018] ? handle_mm_fault+0x8c0/0xc70 [ 32.198234] ? handle_mm_fault+0x55a/0xc70 [ 32.202456] ? rw_verify_area+0x118/0x360 [ 32.206585] vfs_write+0x1f8/0x560 [ 32.210107] ksys_write+0xf9/0x250 [ 32.213639] ? __ia32_sys_read+0xb0/0xb0 [ 32.217682] ? __ia32_sys_fallocate+0xf0/0xf0 [ 32.222164] __x64_sys_write+0x73/0xb0 [ 32.226036] do_syscall_64+0x1b1/0x800 [ 32.230087] ? syscall_return_slowpath+0x5c0/0x5c0 [ 32.235004] ? syscall_return_slowpath+0x30f/0x5c0 [ 32.239920] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.245450] ? retint_user+0x18/0x18 [ 32.249151] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 32.253977] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.259156] RIP: 0033:0x43fcc9 [ 32.262328] RSP: 002b:00007ffe6a18bd68 EFLAGS: 00000213 ORIG_RAX: 0000000000000001 [ 32.270019] RAX: ffffffffffffffda RBX: 00000000004a0fb8 RCX: 000000000043fcc9 [ 32.277282] RDX: 000000000000007b RSI: 0000000020000080 RDI: 0000000000000003 [ 32.284540] RBP: 0000000020000080 R08: 00000000004002c8 R09: 00000000004002c8 [ 32.291815] R10: 00000000004002c8 R11: 0000000000000213 R12: 0000200000000002 [ 32.299075] R13: 0000000000401680 R14: 0000000000000000 R15: 0000000000000000 [ 32.306342] [ 32.307962] Allocated by task 4484: [ 32.311581] save_stack+0x43/0xd0 [ 32.315017] kasan_kmalloc+0xc4/0xe0 [ 32.318711] kasan_slab_alloc+0x12/0x20 [ 32.322667] kmem_cache_alloc+0x12e/0x760 [ 32.326807] getname_kernel+0x54/0x370 [ 32.330687] open_exec+0x17/0x70 [ 32.334035] load_elf_binary+0x968/0x5610 [ 32.338165] search_binary_handler+0x17d/0x570 [ 32.342729] __do_execve_file.isra.34+0x16fe/0x2610 [ 32.347732] __x64_sys_execve+0x8f/0xc0 [ 32.351689] do_syscall_64+0x1b1/0x800 [ 32.355575] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.360740] [ 32.362352] Freed by task 4484: [ 32.365624] save_stack+0x43/0xd0 [ 32.369067] __kasan_slab_free+0x11a/0x170 [ 
32.373294] kasan_slab_free+0xe/0x10 [ 32.377088] kmem_cache_free+0x86/0x2d0 [ 32.381044] putname+0xf2/0x130 [ 32.384306] open_exec+0x5e/0x70 [ 32.387666] load_elf_binary+0x968/0x5610 [ 32.391820] search_binary_handler+0x17d/0x570 [ 32.396387] __do_execve_file.isra.34+0x16fe/0x2610 [ 32.401383] __x64_sys_execve+0x8f/0xc0 [ 32.405345] do_syscall_64+0x1b1/0x800 [ 32.409214] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.414384] [ 32.416013] The buggy address belongs to the object at ffff8801ac96a4c0 [ 32.416013] which belongs to the cache names_cache of size 4096 [ 32.428739] The buggy address is located 2013 bytes to the right of [ 32.428739] 4096-byte region [ffff8801ac96a4c0, ffff8801ac96b4c0) [ 32.441289] The buggy address belongs to the page: [ 32.446208] page:ffffea0006b25a80 count:1 mapcount:0 mapping:ffff8801ac96a4c0 index:0x0 compound_mapcount: 0 [ 32.456158] flags: 0x2fffc0000008100(slab|head) [ 32.460811] raw: 02fffc0000008100 ffff8801ac96a4c0 0000000000000000 0000000100000001 [ 32.468674] raw: ffffea0006b24ea0 ffffea0006b268a0 ffff8801da988dc0 0000000000000000 [ 32.476529] page dumped because: kasan: bad access detected [ 32.482219] [ 32.483822] Memory state around the buggy address: [ 32.488729] ffff8801ac96bb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.496239] ffff8801ac96bc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.503587] >ffff8801ac96bc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.510923] ^ [ 32.515051] ffff8801ac96bd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.522393] ffff8801ac96bd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.529840] ================================================================== [ 32.537177] Disabling lock debugging due to kernel taint [ 32.542675] Kernel panic - not syncing: panic_on_warn set ... 
[ 32.542675] [ 32.550030] CPU: 1 PID: 4491 Comm: syz-executor545 Tainted: G B 4.17.0-rc6+ #67 [ 32.558765] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.568098] Call Trace: [ 32.570759] dump_stack+0x1b9/0x294 [ 32.574402] ? dump_stack_print_info.cold.2+0x52/0x52 [ 32.579611] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 32.584369] ? nla_strlcpy+0xc0/0x150 [ 32.588153] panic+0x22f/0x4de [ 32.591420] ? add_taint.cold.5+0x16/0x16 [ 32.595566] ? do_raw_spin_unlock+0x9e/0x2e0 [ 32.599952] ? do_raw_spin_unlock+0x9e/0x2e0 [ 32.604433] ? nla_strlcpy+0x13d/0x150 [ 32.608301] kasan_end_report+0x47/0x4f [ 32.612252] kasan_report.cold.7+0x76/0x2fe [ 32.616726] __asan_report_load1_noabort+0x14/0x20 [ 32.621632] nla_strlcpy+0x13d/0x150 [ 32.625324] nfnl_acct_new+0x574/0xc50 [ 32.629190] ? nfnl_acct_overquota+0x380/0x380 [ 32.633749] ? debug_check_no_locks_freed+0x310/0x310 [ 32.638916] ? graph_lock+0x170/0x170 [ 32.642694] ? retint_kernel+0x10/0x10 [ 32.646558] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 32.651552] ? print_usage_bug+0xc0/0xc0 [ 32.655591] ? find_held_lock+0x36/0x1c0 [ 32.659630] ? graph_lock+0x170/0x170 [ 32.663424] ? lock_downgrade+0x8e0/0x8e0 [ 32.667555] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.673346] ? __lock_is_held+0xb5/0x140 [ 32.677537] ? nfnl_acct_overquota+0x380/0x380 [ 32.682196] nfnetlink_rcv_msg+0xdb5/0xff0 [ 32.686434] ? __sanitizer_cov_trace_cmp1+0x17/0x20 [ 32.691437] ? nfnetlink_rcv_msg+0x3bc/0xff0 [ 32.695829] ? nfnetlink_bind+0x3a0/0x3a0 [ 32.699968] ? graph_lock+0x170/0x170 [ 32.703792] ? find_held_lock+0x36/0x1c0 [ 32.707836] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.713357] netlink_rcv_skb+0x172/0x440 [ 32.717400] ? nfnetlink_bind+0x3a0/0x3a0 [ 32.721537] ? netlink_ack+0xbc0/0xbc0 [ 32.725407] ? __netlink_ns_capable+0x100/0x130 [ 32.730065] nfnetlink_rcv+0x1fe/0x1ba0 [ 32.734020] ? kasan_check_read+0x11/0x20 [ 32.738146] ? rcu_is_watching+0x85/0x140 [ 32.742281] ? 
rcu_bh_force_quiescent_state+0x20/0x20 [ 32.747452] ? nfnl_err_reset+0x2d0/0x2d0 [ 32.751586] ? netlink_remove_tap+0x610/0x610 [ 32.756068] ? refcount_add_not_zero+0x320/0x320 [ 32.760822] ? kasan_check_read+0x11/0x20 [ 32.764965] ? rcu_is_watching+0x85/0x140 [ 32.769092] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 32.774263] ? netlink_skb_destructor+0x210/0x210 [ 32.779086] ? kasan_check_write+0x14/0x20 [ 32.783307] netlink_unicast+0x58b/0x740 [ 32.787348] ? netlink_attachskb+0x970/0x970 [ 32.791746] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.797263] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 32.802258] ? security_netlink_send+0x88/0xb0 [ 32.806833] netlink_sendmsg+0x9f0/0xfa0 [ 32.810874] ? netlink_unicast+0x740/0x740 [ 32.815091] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.820609] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.826130] ? security_socket_sendmsg+0x94/0xc0 [ 32.830864] ? netlink_unicast+0x740/0x740 [ 32.835078] sock_sendmsg+0xd5/0x120 [ 32.838769] sock_write_iter+0x35a/0x5a0 [ 32.842817] ? sock_sendmsg+0x120/0x120 [ 32.846772] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 32.852285] ? iov_iter_init+0xc9/0x1f0 [ 32.856244] __vfs_write+0x64d/0x960 [ 32.859960] ? kernel_read+0x120/0x120 [ 32.863826] ? lock_downgrade+0x8e0/0x8e0 [ 32.867952] ? handle_mm_fault+0x8c0/0xc70 [ 32.872167] ? handle_mm_fault+0x55a/0xc70 [ 32.876386] ? rw_verify_area+0x118/0x360 [ 32.880535] vfs_write+0x1f8/0x560 [ 32.884054] ksys_write+0xf9/0x250 [ 32.887575] ? __ia32_sys_read+0xb0/0xb0 [ 32.891620] ? __ia32_sys_fallocate+0xf0/0xf0 [ 32.896204] __x64_sys_write+0x73/0xb0 [ 32.900164] do_syscall_64+0x1b1/0x800 [ 32.904036] ? syscall_return_slowpath+0x5c0/0x5c0 [ 32.908948] ? syscall_return_slowpath+0x30f/0x5c0 [ 32.913861] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.919380] ? retint_user+0x18/0x18 [ 32.923088] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 32.927938] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.933129] RIP: 0033:0x43fcc9 [ 32.936300] RSP: 002b:00007ffe6a18bd68 EFLAGS: 00000213 ORIG_RAX: 0000000000000001 [ 32.944159] RAX: ffffffffffffffda RBX: 00000000004a0fb8 RCX: 000000000043fcc9 [ 32.951408] RDX: 000000000000007b RSI: 0000000020000080 RDI: 0000000000000003 [ 32.958660] RBP: 0000000020000080 R08: 00000000004002c8 R09: 00000000004002c8 [ 32.965910] R10: 00000000004002c8 R11: 0000000000000213 R12: 0000200000000002 [ 32.973157] R13: 0000000000401680 R14: 0000000000000000 R15: 0000000000000000 [ 32.980798] Dumping ftrace buffer: [ 32.984320] (ftrace buffer empty) [ 32.988008] Kernel Offset: disabled [ 32.991615] Rebooting in 86400 seconds..