[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   34.097596] random: sshd: uninitialized urandom read (32 bytes read)
[   34.366072] kauditd_printk_skb: 10 callbacks suppressed
[   34.366081] audit: type=1400 audit(1575374382.637:35): avc:  denied  { map } for  pid=6954 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   34.472213] random: sshd: uninitialized urandom read (32 bytes read)
[   35.055808] random: sshd: uninitialized urandom read (32 bytes read)
[   35.306769] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.217' (ECDSA) to the list of known hosts.
[   41.059466] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   41.191513] audit: type=1400 audit(1575374389.467:36): avc:  denied  { map } for  pid=6967 comm="syz-executor404" path="/root/syz-executor404919193" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   41.223769] ==================================================================
[   41.223797] BUG: KASAN: global-out-of-bounds in fbcon_get_font+0x288/0x550
[   41.223803] Read of size 28 at addr ffffffff87063798 by task syz-executor404/6970
[   41.223806] 
[   41.223814] CPU: 0 PID: 6970 Comm: syz-executor404 Not tainted 4.14.157-syzkaller #0
[   41.223818] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   41.223822] Call Trace:
[   41.223833]  dump_stack+0x142/0x197
[   41.223842]  ? fbcon_get_font+0x288/0x550
[   41.223852]  print_address_description.cold+0x5/0x1dc
[   41.223859]  ? fbcon_get_font+0x288/0x550
[   41.223866]  kasan_report.cold+0xa9/0x2af
[   41.223877]  check_memory_region+0x123/0x190
[   41.223885]  memcpy+0x24/0x50
[   41.223893]  fbcon_get_font+0x288/0x550
[   41.223902]  ? display_to_var+0x7e0/0x7e0
[   41.223911]  con_font_op+0x1d5/0x1060
[   41.223920]  ? avc_has_extended_perms+0x7b7/0xe40
[   41.223929]  ? con_write+0xc0/0xc0
[   41.223940]  ? security_capable+0x8e/0xc0
[   41.223951]  ? ns_capable_common+0x12c/0x160
[   41.223962]  vt_ioctl+0xb80/0x2170
[   41.223968]  ? avc_has_extended_perms+0x8ec/0xe40
[   41.223978]  ? futex_wake+0x134/0x430
[   41.223987]  ? complete_change_console+0x360/0x360
[   41.223994]  ? avc_ss_reset+0x110/0x110
[   41.224007]  ? tty_jobctrl_ioctl+0x44/0xc10
[   41.224014]  ? complete_change_console+0x360/0x360
[   41.224024]  tty_ioctl+0x841/0x1320
[   41.224033]  ? tty_vhangup+0x30/0x30
[   41.224050]  ? __might_sleep+0x93/0xb0
[   41.224057]  ? __fget+0x210/0x370
[   41.224069]  ? tty_vhangup+0x30/0x30
[   41.224078]  do_vfs_ioctl+0x7ae/0x1060
[   41.224088]  ? selinux_file_mprotect+0x5d0/0x5d0
[   41.224104]  ? lock_downgrade+0x740/0x740
[   41.224114]  ? ioctl_preallocate+0x1c0/0x1c0
[   41.224121]  ? __fget+0x237/0x370
[   41.224133]  ? security_file_ioctl+0x7d/0xb0
[   41.224140]  ? security_file_ioctl+0x89/0xb0
[   41.224150]  SyS_ioctl+0x8f/0xc0
[   41.224157]  ? do_vfs_ioctl+0x1060/0x1060
[   41.224168]  do_syscall_64+0x1e8/0x640
[   41.224175]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   41.224189]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   41.224196] RIP: 0033:0x44a6f9
[   41.224200] RSP: 002b:00007fb3ab111ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   41.224207] RAX: ffffffffffffffda RBX: 00000000006dbc38 RCX: 000000000044a6f9
[   41.224212] RDX: 0000000020000140 RSI: 0000000000004b60 RDI: 0000000000000005
[   41.224216] RBP: 00000000006dbc30 R08: 0000000000000000 R09: 0000000000000000
[   41.224220] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc3c
[   41.224224] R13: 00007ffd7095347f R14: 00007fb3ab1129c0 R15: 20c49ba5e353f7cf
[   41.224238] 
[   41.224241] The buggy address belongs to the variable:
[   41.224248]  fontdata_8x16+0xff8/0x1120
[   41.224250] 
[   41.224253] Memory state around the buggy address:
[   41.224259]  ffffffff87063680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   41.224265]  ffffffff87063700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   41.224270] >ffffffff87063780: 00 00 00 00 fa fa fa fa 06 fa fa fa fa fa fa fa
[   41.224274]                                ^
[   41.224279]  ffffffff87063800: 05 fa fa fa fa fa fa fa 06 fa fa fa fa fa fa fa
[   41.224284]  ffffffff87063880: 00 00 03 fa fa fa fa fa 00 00 00 00 00 00 00 00
[   41.224287] ==================================================================
[   41.224290] Disabling lock debugging due to kernel taint
[   41.224294] Kernel panic - not syncing: panic_on_warn set ...
[   41.224294] 
[   41.224300] CPU: 0 PID: 6970 Comm: syz-executor404 Tainted: G    B           4.14.157-syzkaller #0
[   41.224303] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   41.224305] Call Trace:
[   41.224311]  dump_stack+0x142/0x197
[   41.224317]  ? fbcon_get_font+0x288/0x550
[   41.224322]  panic+0x1f9/0x42d
[   41.224326]  ? add_taint.cold+0x16/0x16
[   41.224332]  ? lock_downgrade+0x740/0x740
[   41.224339]  kasan_end_report+0x47/0x4f
[   41.224344]  kasan_report.cold+0x130/0x2af
[   41.224350]  check_memory_region+0x123/0x190
[   41.224354]  memcpy+0x24/0x50
[   41.224359]  fbcon_get_font+0x288/0x550
[   41.224365]  ? display_to_var+0x7e0/0x7e0
[   41.224370]  con_font_op+0x1d5/0x1060
[   41.224374]  ? avc_has_extended_perms+0x7b7/0xe40
[   41.224380]  ? con_write+0xc0/0xc0
[   41.224385]  ? security_capable+0x8e/0xc0
[   41.224391]  ? ns_capable_common+0x12c/0x160
[   41.224397]  vt_ioctl+0xb80/0x2170
[   41.224401]  ? avc_has_extended_perms+0x8ec/0xe40
[   41.224406]  ? futex_wake+0x134/0x430
[   41.224412]  ? complete_change_console+0x360/0x360
[   41.224417]  ? avc_ss_reset+0x110/0x110
[   41.224424]  ? tty_jobctrl_ioctl+0x44/0xc10
[   41.224428]  ? complete_change_console+0x360/0x360
[   41.224434]  tty_ioctl+0x841/0x1320
[   41.224439]  ? tty_vhangup+0x30/0x30
[   41.224447]  ? __might_sleep+0x93/0xb0
[   41.224451]  ? __fget+0x210/0x370
[   41.224458]  ? tty_vhangup+0x30/0x30
[   41.224462]  do_vfs_ioctl+0x7ae/0x1060
[   41.224467]  ? selinux_file_mprotect+0x5d0/0x5d0
[   41.224472]  ? lock_downgrade+0x740/0x740
[   41.224477]  ? ioctl_preallocate+0x1c0/0x1c0
[   41.224483]  ? __fget+0x237/0x370
[   41.224489]  ? security_file_ioctl+0x7d/0xb0
[   41.224494]  ? security_file_ioctl+0x89/0xb0
[   41.224499]  SyS_ioctl+0x8f/0xc0
[   41.224505]  ? do_vfs_ioctl+0x1060/0x1060
[   41.224512]  do_syscall_64+0x1e8/0x640
[   41.224519]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   41.224528]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   41.224532] RIP: 0033:0x44a6f9
[   41.224535] RSP: 002b:00007fb3ab111ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   41.224541] RAX: ffffffffffffffda RBX: 00000000006dbc38 RCX: 000000000044a6f9
[   41.224544] RDX: 0000000020000140 RSI: 0000000000004b60 RDI: 0000000000000005
[   41.224548] RBP: 00000000006dbc30 R08: 0000000000000000 R09: 0000000000000000
[   41.224552] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc3c
[   41.224555] R13: 00007ffd7095347f R14: 00007fb3ab1129c0 R15: 20c49ba5e353f7cf
[   41.225844] Kernel Offset: disabled
[   41.784977] Rebooting in 86400 seconds..