[   33.358826] audit: type=1800 audit(1577901194.567:33): pid=6938 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[   33.385374] audit: type=1800 audit(1577901194.567:34): pid=6938 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   37.310682] random: sshd: uninitialized urandom read (32 bytes read)
[   37.611459] audit: type=1400 audit(1577901198.827:35): avc:  denied  { map } for  pid=7113 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   37.668863] random: sshd: uninitialized urandom read (32 bytes read)
[   38.244918] random: sshd: uninitialized urandom read (32 bytes read)
[   38.425826] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.95' (ECDSA) to the list of known hosts.
[   44.077268] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
[   44.191047] audit: type=1400 audit(1577901205.407:36): avc:  denied  { map } for  pid=7125 comm="syz-executor036" path="/root/syz-executor036273740" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   44.225236] ==================================================================
[   44.225264] BUG: KASAN: global-out-of-bounds in fbcon_get_font+0x288/0x550
[   44.225271] Read of size 32 at addr ffffffff87064ca0 by task syz-executor036/7127
[   44.225273] 
[   44.225282] CPU: 1 PID: 7127 Comm: syz-executor036 Not tainted 4.14.161-syzkaller #0
[   44.225287] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   44.225289] Call Trace:
[   44.225299]  dump_stack+0x142/0x197
[   44.225305]  ? fbcon_get_font+0x288/0x550
[   44.225312]  print_address_description.cold+0x5/0x1dc
[   44.225317]  ? fbcon_get_font+0x288/0x550
[   44.225321]  kasan_report.cold+0xa9/0x2af
[   44.225328]  check_memory_region+0x123/0x190
[   44.225332]  memcpy+0x24/0x50
[   44.225337]  fbcon_get_font+0x288/0x550
[   44.225343]  ? display_to_var+0x7e0/0x7e0
[   44.225348]  con_font_op+0x1d5/0x1060
[   44.225353]  ? avc_has_extended_perms+0x7b7/0xe40
[   44.225359]  ? con_write+0xc0/0xc0
[   44.225365]  ? security_capable+0x8e/0xc0
[   44.225373]  ? ns_capable_common+0x12c/0x160
[   44.225379]  vt_ioctl+0xb80/0x2170
[   44.225383]  ? avc_has_extended_perms+0x8ec/0xe40
[   44.225389]  ? complete_change_console+0x360/0x360
[   44.225394]  ? avc_ss_reset+0x110/0x110
[   44.225397]  ? kasan_slab_free+0x75/0xc0
[   44.225403]  ? SyS_open+0x2d/0x40
[   44.225409]  ? do_syscall_64+0x1e8/0x640
[   44.225414]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   44.225421]  ? debug_check_no_obj_freed+0x2aa/0x7b7
[   44.225426]  ? tty_jobctrl_ioctl+0x44/0xc10
[   44.225431]  ? complete_change_console+0x360/0x360
[   44.225437]  tty_ioctl+0x841/0x1320
[   44.225442]  ? tty_vhangup+0x30/0x30
[   44.225452]  ? __might_sleep+0x93/0xb0
[   44.225459]  ? tty_vhangup+0x30/0x30
[   44.225466]  do_vfs_ioctl+0x7ae/0x1060
[   44.225472]  ? selinux_file_mprotect+0x5d0/0x5d0
[   44.225478]  ? ioctl_preallocate+0x1c0/0x1c0
[   44.225482]  ? putname+0xe0/0x120
[   44.225487]  ? do_sys_open+0x221/0x430
[   44.225501]  ? security_file_ioctl+0x7d/0xb0
[   44.225505]  ? security_file_ioctl+0x89/0xb0
[   44.225511]  SyS_ioctl+0x8f/0xc0
[   44.225516]  ? do_vfs_ioctl+0x1060/0x1060
[   44.225521]  do_syscall_64+0x1e8/0x640
[   44.225525]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   44.225532]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   44.225536] RIP: 0033:0x4412d9
[   44.225539] RSP: 002b:00007ffc5eb95078 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   44.225545] RAX: ffffffffffffffda RBX: 00000000004a2487 RCX: 00000000004412d9
[   44.225548] RDX: 0000000020000200 RSI: 0000000000004b60 RDI: 0000000000000004
[   44.225551] RBP: 000000000000aca1 R08: 000000000000000d R09: 00000000004002c8
[   44.225553] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402100
[   44.225556] R13: 0000000000402190 R14: 0000000000000000 R15: 0000000000000000
[   44.225563] 
[   44.225566] The buggy address belongs to the variable:
[   44.225571]  fontdata_8x16+0x1000/0x1120
[   44.225572] 
[   44.225574] Memory state around the buggy address:
[   44.225578]  ffffffff87064b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   44.225581]  ffffffff87064c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   44.225584] >ffffffff87064c80: 00 00 00 00 fa fa fa fa 06 fa fa fa fa fa fa fa
[   44.225586]                                ^
[   44.225590]  ffffffff87064d00: 05 fa fa fa fa fa fa fa 06 fa fa fa fa fa fa fa
[   44.225593]  ffffffff87064d80: 00 00 03 fa fa fa fa fa 00 00 00 00 00 00 00 00
[   44.225595] ==================================================================
[   44.225597] Disabling lock debugging due to kernel taint
[   44.225599] Kernel panic - not syncing: panic_on_warn set ...
[   44.225599] 
[   44.225603] CPU: 1 PID: 7127 Comm: syz-executor036 Tainted: G    B           4.14.161-syzkaller #0
[   44.225606] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   44.225607] Call Trace:
[   44.225611]  dump_stack+0x142/0x197
[   44.225615]  ? fbcon_get_font+0x288/0x550
[   44.225620]  panic+0x1f9/0x42d
[   44.225623]  ? add_taint.cold+0x16/0x16
[   44.225629]  ? lock_downgrade+0x740/0x740
[   44.225635]  kasan_end_report+0x47/0x4f
[   44.225638]  kasan_report.cold+0x130/0x2af
[   44.225643]  check_memory_region+0x123/0x190
[   44.225647]  memcpy+0x24/0x50
[   44.225651]  fbcon_get_font+0x288/0x550
[   44.225655]  ? display_to_var+0x7e0/0x7e0
[   44.225658]  con_font_op+0x1d5/0x1060
[   44.225662]  ? avc_has_extended_perms+0x7b7/0xe40
[   44.225666]  ? con_write+0xc0/0xc0
[   44.225670]  ? security_capable+0x8e/0xc0
[   44.225674]  ? ns_capable_common+0x12c/0x160
[   44.225678]  vt_ioctl+0xb80/0x2170
[   44.225681]  ? avc_has_extended_perms+0x8ec/0xe40
[   44.225686]  ? complete_change_console+0x360/0x360
[   44.225689]  ? avc_ss_reset+0x110/0x110
[   44.225693]  ? kasan_slab_free+0x75/0xc0
[   44.225697]  ? SyS_open+0x2d/0x40
[   44.225700]  ? do_syscall_64+0x1e8/0x640
[   44.225704]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   44.225708]  ? debug_check_no_obj_freed+0x2aa/0x7b7
[   44.225712]  ? tty_jobctrl_ioctl+0x44/0xc10
[   44.225715]  ? complete_change_console+0x360/0x360
[   44.225719]  tty_ioctl+0x841/0x1320
[   44.225723]  ? tty_vhangup+0x30/0x30
[   44.225729]  ? __might_sleep+0x93/0xb0
[   44.225735]  ? tty_vhangup+0x30/0x30
[   44.225739]  do_vfs_ioctl+0x7ae/0x1060
[   44.225743]  ? selinux_file_mprotect+0x5d0/0x5d0
[   44.225747]  ? ioctl_preallocate+0x1c0/0x1c0
[   44.225751]  ? putname+0xe0/0x120
[   44.225755]  ? do_sys_open+0x221/0x430
[   44.225760]  ? security_file_ioctl+0x7d/0xb0
[   44.225763]  ? security_file_ioctl+0x89/0xb0
[   44.225768]  SyS_ioctl+0x8f/0xc0
[   44.225772]  ? do_vfs_ioctl+0x1060/0x1060
[   44.225776]  do_syscall_64+0x1e8/0x640
[   44.225779]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   44.225785]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   44.225787] RIP: 0033:0x4412d9
[   44.225789] RSP: 002b:00007ffc5eb95078 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   44.225793] RAX: ffffffffffffffda RBX: 00000000004a2487 RCX: 00000000004412d9
[   44.225796] RDX: 0000000020000200 RSI: 0000000000004b60 RDI: 0000000000000004
[   44.225798] RBP: 000000000000aca1 R08: 000000000000000d R09: 00000000004002c8
[   44.225800] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402100
[   44.225802] R13: 0000000000402190 R14: 0000000000000000 R15: 0000000000000000
[   44.227064] Kernel Offset: disabled
[   44.815223] Rebooting in 86400 seconds..