[ ok ] Starting enhanced syslogd: rsyslogd.
[   13.364320] audit: type=1400 audit(1516641576.408:5): avc:  denied  { syslog } for  pid=3507 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd: 
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.726939] audit: type=1400 audit(1516641582.770:6): avc:  denied  { map } for  pid=3646 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.211' (ECDSA) to the list of known hosts.
[   26.042700] audit: type=1400 audit(1516641589.086:7): avc:  denied  { map } for  pid=3660 comm="syzkaller770874" path="/root/syzkaller770874326" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[   26.412650] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
executing program
[   26.733600] ==================================================================
[   26.741023] BUG: KASAN: use-after-free in erspan_build_header+0x3bf/0x3d0
[   26.747929] Read of size 2 at addr ffff8801d610078b by task syzkaller770874/3661
[   26.755430] 
[   26.757040] CPU: 1 PID: 3661 Comm: syzkaller770874 Not tainted 4.15.0-rc9+ #274
[   26.764455] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.774482] Call Trace:
[   26.777055]  dump_stack+0x194/0x257
[   26.780661]  ? arch_local_irq_restore+0x53/0x53
[   26.785305]  ? show_regs_print_info+0x18/0x18
[   26.789776]  ? refcount_add+0x24/0x60
[   26.793550]  ? erspan_build_header+0x3bf/0x3d0
[   26.798105]  print_address_description+0x73/0x250
[   26.802917]  ? erspan_build_header+0x3bf/0x3d0
[   26.807470]  kasan_report+0x25b/0x340
[   26.811255]  __asan_report_load_n_noabort+0xf/0x20
[   26.816154]  erspan_build_header+0x3bf/0x3d0
[   26.820541]  erspan_xmit+0x3b8/0x13b0
[   26.824326]  ? prepare_fb_xmit+0x9a0/0x9a0
[   26.828539]  ? netif_skb_features+0x9b0/0x9b0
[   26.833027]  ? __dev_get_by_index+0x1a0/0x1a0
[   26.837503]  ? check_noncircular+0x20/0x20
[   26.841721]  packet_direct_xmit+0x315/0x6b0
[   26.846027]  packet_sendmsg+0x3aed/0x60b0
[   26.850159]  ? find_held_lock+0x35/0x1d0
[   26.854199]  ? avc_has_perm+0x35e/0x680
[   26.858162]  ? packet_cached_dev_get+0x2b0/0x2b0
[   26.862895]  ? avc_has_perm+0x43e/0x680
[   26.866844]  ? avc_has_perm_noaudit+0x520/0x520
[   26.871482]  ? find_held_lock+0x35/0x1d0
[   26.875521]  ? fanout_add+0x1430/0x1430
[   26.879467]  ? avc_has_perm+0x35e/0x680
[   26.883420]  ? find_held_lock+0x35/0x1d0
[   26.887461]  ? sock_has_perm+0x2a4/0x420
[   26.891495]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[   26.896829]  ? lock_release+0x952/0xa40
[   26.900776]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   26.906639]  ? __check_object_size+0x25d/0x4f0
[   26.911191]  ? avc_has_perm_noaudit+0x520/0x520
[   26.915841]  ? selinux_socket_sendmsg+0x36/0x40
[   26.920479]  ? security_socket_sendmsg+0x89/0xb0
[   26.925205]  ? packet_cached_dev_get+0x2b0/0x2b0
[   26.929943]  sock_sendmsg+0xca/0x110
[   26.933631]  SYSC_sendto+0x361/0x5c0
[   26.937335]  ? SYSC_connect+0x4a0/0x4a0
[   26.941283]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[   26.946618]  ? __do_page_fault+0x3d6/0xc90
[   26.950829]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[   26.956101]  ? SyS_setsockopt+0x215/0x360
[   26.960842]  ? SyS_recv+0x40/0x40
[   26.964269]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[   26.969091]  SyS_sendto+0x40/0x50
[   26.972521]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   26.977247] RIP: 0033:0x4454c9
[   26.980409] RSP: 002b:00007ffcc8570b68 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[   26.988088] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 00000000004454c9
[   26.995328] RDX: 0000000000000000 RSI: 0000000020003fd9 RDI: 0000000000000004
[   27.002570] RBP: 00000000004a7073 R08: 0000000020008000 R09: 000000000000001c
[   27.009811] R10: 0000000000000000 R11: 0000000000000217 R12: 00007ffcc8570c18
[   27.017060] R13: 0000000000402690 R14: 0000000000000000 R15: 0000000000000000
[   27.024317] 
[   27.025915] Allocated by task 2109:
[   27.029515]  save_stack+0x43/0xd0
[   27.032944]  kasan_kmalloc+0xad/0xe0
[   27.036627]  kasan_slab_alloc+0x12/0x20
[   27.040574]  kmem_cache_alloc+0x12e/0x760
[   27.044693]  getname_flags+0xcb/0x580
[   27.048465]  user_path_at_empty+0x2d/0x50
[   27.052583]  vfs_statx+0xe9/0x190
[   27.056006]  SYSC_newstat+0x87/0xf0
[   27.059609]  SyS_newstat+0x1d/0x30
[   27.063122]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   27.067845] 
[   27.069443] Freed by task 2109:
[   27.072695]  save_stack+0x43/0xd0
[   27.076128]  kasan_slab_free+0x71/0xc0
[   27.079984]  kmem_cache_free+0x83/0x2a0
[   27.083931]  putname+0xee/0x130
[   27.087181]  filename_lookup+0x315/0x500
[   27.091214]  user_path_at_empty+0x40/0x50
[   27.095331]  vfs_statx+0xe9/0x190
[   27.098757]  SYSC_newstat+0x87/0xf0
[   27.102352]  SyS_newstat+0x1d/0x30
[   27.105863]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   27.110584] 
[   27.112185] The buggy address belongs to the object at ffff8801d6100500
[   27.112185]  which belongs to the cache names_cache of size 4096
[   27.124901] The buggy address is located 651 bytes inside of
[   27.124901]  4096-byte region [ffff8801d6100500, ffff8801d6101500)
[   27.136841] The buggy address belongs to the page:
[   27.141756] page:ffffea0007584000 count:1 mapcount:0 mapping:ffff8801d6100500 index:0x0 compound_mapcount: 0
[   27.151702] flags: 0x2fffc0000008100(slab|head)
[   27.156342] raw: 02fffc0000008100 ffff8801d6100500 0000000000000000 0000000100000001
[   27.164194] raw: ffffea0007583ea0 ffffea0007584ea0 ffff8801dae2c600 0000000000000000
[   27.172052] page dumped because: kasan: bad access detected
[   27.177730] 
[   27.179336] Memory state around the buggy address:
[   27.184237]  ffff8801d6100680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.191566]  ffff8801d6100700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.198898] >ffff8801d6100780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.206227]                       ^
[   27.209823]  ffff8801d6100800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.217154]  ffff8801d6100880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.224480] ==================================================================
[   27.231809] Disabling lock debugging due to kernel taint
[   27.237267] Kernel panic - not syncing: panic_on_warn set ...
[   27.237267] 
[   27.244612] CPU: 1 PID: 3661 Comm: syzkaller770874 Tainted: G    B            4.15.0-rc9+ #274
[   27.253330] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.262653] Call Trace:
[   27.265213]  dump_stack+0x194/0x257
[   27.268812]  ? arch_local_irq_restore+0x53/0x53
[   27.273452]  ? kasan_end_report+0x32/0x50
[   27.277574]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   27.282299]  ? vsnprintf+0x1ed/0x1900
[   27.286079]  ? erspan_build_header+0x360/0x3d0
[   27.290894]  panic+0x1e4/0x41c
[   27.294060]  ? refcount_error_report+0x214/0x214
[   27.298788]  ? add_taint+0x1c/0x50
[   27.302297]  ? add_taint+0x1c/0x50
[   27.305807]  ? erspan_build_header+0x3bf/0x3d0
[   27.310359]  kasan_end_report+0x50/0x50
[   27.314320]  kasan_report+0x144/0x340
[   27.318113]  __asan_report_load_n_noabort+0xf/0x20
[   27.323020]  erspan_build_header+0x3bf/0x3d0
[   27.327411]  erspan_xmit+0x3b8/0x13b0
[   27.331186]  ? prepare_fb_xmit+0x9a0/0x9a0
[   27.335391]  ? netif_skb_features+0x9b0/0x9b0
[   27.340039]  ? __dev_get_by_index+0x1a0/0x1a0
[   27.344507]  ? check_noncircular+0x20/0x20
[   27.348726]  packet_direct_xmit+0x315/0x6b0
[   27.353025]  packet_sendmsg+0x3aed/0x60b0
[   27.357146]  ? find_held_lock+0x35/0x1d0
[   27.361191]  ? avc_has_perm+0x35e/0x680
[   27.365143]  ? packet_cached_dev_get+0x2b0/0x2b0
[   27.369873]  ? avc_has_perm+0x43e/0x680
[   27.373819]  ? avc_has_perm_noaudit+0x520/0x520
[   27.378457]  ? find_held_lock+0x35/0x1d0
[   27.382490]  ? fanout_add+0x1430/0x1430
[   27.386435]  ? avc_has_perm+0x35e/0x680
[   27.390393]  ? find_held_lock+0x35/0x1d0
[   27.394429]  ? sock_has_perm+0x2a4/0x420
[   27.398460]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[   27.403791]  ? lock_release+0x952/0xa40
[   27.407749]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   27.413612]  ? __check_object_size+0x25d/0x4f0
[   27.418165]  ? avc_has_perm_noaudit+0x520/0x520
[   27.422811]  ? selinux_socket_sendmsg+0x36/0x40
[   27.427452]  ? security_socket_sendmsg+0x89/0xb0
[   27.432183]  ? packet_cached_dev_get+0x2b0/0x2b0
[   27.436908]  sock_sendmsg+0xca/0x110
[   27.440594]  SYSC_sendto+0x361/0x5c0
[   27.444282]  ? SYSC_connect+0x4a0/0x4a0
[   27.448227]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[   27.453575]  ? __do_page_fault+0x3d6/0xc90
[   27.457791]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[   27.463050]  ? SyS_setsockopt+0x215/0x360
[   27.467171]  ? SyS_recv+0x40/0x40
[   27.470595]  ? entry_SYSCALL_64_fastpath+0x5/0xa0
[   27.475419]  SyS_sendto+0x40/0x50
[   27.478845]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   27.483570] RIP: 0033:0x4454c9
[   27.486729] RSP: 002b:00007ffcc8570b68 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[   27.494405] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 00000000004454c9
[   27.501644] RDX: 0000000000000000 RSI: 0000000020003fd9 RDI: 0000000000000004
[   27.508883] RBP: 00000000004a7073 R08: 0000000020008000 R09: 000000000000001c
[   27.516122] R10: 0000000000000000 R11: 0000000000000217 R12: 00007ffcc8570c18
[   27.523360] R13: 0000000000402690 R14: 0000000000000000 R15: 0000000000000000
[   27.531060] Dumping ftrace buffer:
[   27.534578]    (ftrace buffer empty)
[   27.538256] Kernel Offset: disabled
[   27.541853] Rebooting in 86400 seconds..