[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   19.668345] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.199203] random: sshd: uninitialized urandom read (32 bytes read)
[   23.590257] random: sshd: uninitialized urandom read (32 bytes read)
[   24.403191] random: sshd: uninitialized urandom read (32 bytes read)
[   24.562405] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.63' (ECDSA) to the list of known hosts.
[   29.982380] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   30.130814] ==================================================================
[   30.138284] BUG: KASAN: slab-out-of-bounds in sha1_final+0x283/0x2e0
[   30.144760] Write of size 4 at addr ffff8801d8c1df58 by task syz-executor217/4518
[   30.152353] 
[   30.153961] CPU: 1 PID: 4518 Comm: syz-executor217 Not tainted 4.17.0+ #90
[   30.160949] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.170280] Call Trace:
[   30.172855]  dump_stack+0x1b9/0x294
[   30.176470]  ? dump_stack_print_info.cold.2+0x52/0x52
[   30.181640]  ? printk+0x9e/0xba
[   30.184906]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   30.189646]  ? kasan_check_write+0x14/0x20
[   30.193864]  print_address_description+0x6c/0x20b
[   30.198692]  ? sha1_final+0x283/0x2e0
[   30.202486]  kasan_report.cold.7+0x242/0x2fe
[   30.206897]  __asan_report_store4_noabort+0x17/0x20
[   30.211908]  sha1_final+0x283/0x2e0
[   30.215516]  crypto_shash_final+0x104/0x260
[   30.219819]  ? sha1_generic_block_fn+0x100/0x100
[   30.224568]  __keyctl_dh_compute+0x1184/0x1bc0
[   30.229147]  ? copy_overflow+0x30/0x30
[   30.233021]  ? find_held_lock+0x36/0x1c0
[   30.237072]  ? lock_downgrade+0x8e0/0x8e0
[   30.241201]  ? check_same_owner+0x320/0x320
[   30.245505]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   30.251029]  ? handle_mm_fault+0x55a/0xc70
[   30.255338]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   30.260864]  ? _copy_from_user+0xdf/0x150
[   30.265004]  keyctl_dh_compute+0xb9/0x100
[   30.269133]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   30.273872]  ? kzfree+0x28/0x30
[   30.277133]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   30.282307]  __x64_sys_keyctl+0x12a/0x3b0
[   30.286446]  do_syscall_64+0x1b1/0x800
[   30.290318]  ? syscall_return_slowpath+0x5c0/0x5c0
[   30.295235]  ? syscall_return_slowpath+0x30f/0x5c0
[   30.300147]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.305666]  ? retint_user+0x18/0x18
[   30.309363]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.314189]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.319358] RIP: 0033:0x43ffa9
[   30.322523] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[   30.341699] RSP: 002b:00007ffff52e0ea8 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[   30.349386] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9
[   30.356639] RDX: 0000000020000280 RSI: 0000000020000100 RDI: 0000000000000017
[   30.363894] RBP: 00000000006ca018 R08: 0000000020000240 R09: 00000000004002c8
[   30.371148] R10: 0000000000000005 R11: 0000000000000217 R12: 00000000004018d0
[   30.378405] R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000
[   30.385662] 
[   30.387278] Allocated by task 4518:
[   30.390890]  save_stack+0x43/0xd0
[   30.394321]  kasan_kmalloc+0xc4/0xe0
[   30.398011]  __kmalloc+0x14e/0x760
[   30.401533]  __keyctl_dh_compute+0xfe9/0x1bc0
[   30.406009]  keyctl_dh_compute+0xb9/0x100
[   30.410135]  __x64_sys_keyctl+0x12a/0x3b0
[   30.414264]  do_syscall_64+0x1b1/0x800
[   30.418188]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.423352] 
[   30.424959] Freed by task 2868:
[   30.428221]  save_stack+0x43/0xd0
[   30.431653]  __kasan_slab_free+0x11a/0x170
[   30.435866]  kasan_slab_free+0xe/0x10
[   30.439645]  kfree+0xd9/0x260
[   30.442731]  single_release+0x8f/0xb0
[   30.446508]  __fput+0x353/0x890
[   30.449765]  ____fput+0x15/0x20
[   30.453025]  task_work_run+0x1e4/0x290
[   30.456893]  exit_to_usermode_loop+0x2bd/0x310
[   30.461462]  do_syscall_64+0x6ac/0x800
[   30.465331]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.470499] 
[   30.472110] The buggy address belongs to the object at ffff8801d8c1df40
[   30.472110]  which belongs to the cache kmalloc-32 of size 32
[   30.484575] The buggy address is located 24 bytes inside of
[   30.484575]  32-byte region [ffff8801d8c1df40, ffff8801d8c1df60)
[   30.496257] The buggy address belongs to the page:
[   30.501181] page:ffffea0007630740 count:1 mapcount:0 mapping:ffff8801da8001c0 index:0xffff8801d8c1dfc1
[   30.510626] flags: 0x2fffc0000000100(slab)
[   30.514850] raw: 02fffc0000000100 ffffea000764c2c8 ffffea0007648508 ffff8801da8001c0
[   30.522715] raw: ffff8801d8c1dfc1 ffff8801d8c1d000 0000000100000022 0000000000000000
[   30.530581] page dumped because: kasan: bad access detected
[   30.536283] 
[   30.537886] Memory state around the buggy address:
[   30.542796]  ffff8801d8c1de00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   30.550144]  ffff8801d8c1de80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   30.557488] >ffff8801d8c1df00: fb fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   30.564830]                                                     ^
[   30.571061]  ffff8801d8c1df80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   30.578408]  ffff8801d8c1e000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   30.585745] ==================================================================
[   30.593086] Disabling lock debugging due to kernel taint
[   30.598597] Kernel panic - not syncing: panic_on_warn set ...
[   30.598597] 
[   30.605975] CPU: 1 PID: 4518 Comm: syz-executor217 Tainted: G    B             4.17.0+ #90
[   30.614365] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.623700] Call Trace:
[   30.626273]  dump_stack+0x1b9/0x294
[   30.629890]  ? dump_stack_print_info.cold.2+0x52/0x52
[   30.635067]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.639805]  ? sha1_final+0x200/0x2e0
[   30.643589]  panic+0x22f/0x4de
[   30.646771]  ? add_taint.cold.5+0x16/0x16
[   30.650907]  ? do_raw_spin_unlock+0x9e/0x2e0
[   30.655302]  ? do_raw_spin_unlock+0x9e/0x2e0
[   30.659723]  ? sha1_final+0x283/0x2e0
[   30.663505]  kasan_end_report+0x47/0x4f
[   30.667459]  kasan_report.cold.7+0x76/0x2fe
[   30.671762]  __asan_report_store4_noabort+0x17/0x20
[   30.676757]  sha1_final+0x283/0x2e0
[   30.680364]  crypto_shash_final+0x104/0x260
[   30.684671]  ? sha1_generic_block_fn+0x100/0x100
[   30.689408]  __keyctl_dh_compute+0x1184/0x1bc0
[   30.693979]  ? copy_overflow+0x30/0x30
[   30.697847]  ? find_held_lock+0x36/0x1c0
[   30.701886]  ? lock_downgrade+0x8e0/0x8e0
[   30.706018]  ? check_same_owner+0x320/0x320
[   30.710324]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   30.715837]  ? handle_mm_fault+0x55a/0xc70
[   30.720061]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   30.725588]  ? _copy_from_user+0xdf/0x150
[   30.729716]  keyctl_dh_compute+0xb9/0x100
[   30.733841]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   30.738575]  ? kzfree+0x28/0x30
[   30.741834]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   30.747001]  __x64_sys_keyctl+0x12a/0x3b0
[   30.751134]  do_syscall_64+0x1b1/0x800
[   30.754999]  ? syscall_return_slowpath+0x5c0/0x5c0
[   30.759920]  ? syscall_return_slowpath+0x30f/0x5c0
[   30.764834]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.770354]  ? retint_user+0x18/0x18
[   30.774055]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.778884]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.784051] RIP: 0033:0x43ffa9
[   30.787214] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[   30.806339] RSP: 002b:00007ffff52e0ea8 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[   30.814031] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9
[   30.821280] RDX: 0000000020000280 RSI: 0000000020000100 RDI: 0000000000000017
[   30.828628] RBP: 00000000006ca018 R08: 0000000020000240 R09: 00000000004002c8
[   30.835879] R10: 0000000000000005 R11: 0000000000000217 R12: 00000000004018d0
[   30.843125] R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000
[   30.850859] Dumping ftrace buffer:
[   30.854379]    (ftrace buffer empty)
[   30.858065] Kernel Offset: disabled
[   30.861669] Rebooting in 86400 seconds..