[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   20.677895] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.827092] random: sshd: uninitialized urandom read (32 bytes read)
[   24.295423] random: sshd: uninitialized urandom read (32 bytes read)
[   25.061565] random: sshd: uninitialized urandom read (32 bytes read)
[   25.226764] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.23' (ECDSA) to the list of known hosts.
[   30.713886] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   30.867640] ==================================================================
[   30.875409] BUG: KASAN: slab-out-of-bounds in sha1_final+0x283/0x2e0
[   30.881892] Write of size 4 at addr ffff8801d7136458 by task syz-executor261/4522
[   30.889493]
[   30.891112] CPU: 0 PID: 4522 Comm: syz-executor261 Not tainted 4.17.0+ #89
[   30.898137] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.907477] Call Trace:
[   30.910071]  dump_stack+0x1b9/0x294
[   30.913683]  ? dump_stack_print_info.cold.2+0x52/0x52
[   30.918860]  ? printk+0x9e/0xba
[   30.922136]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   30.926907]  ? kasan_check_write+0x14/0x20
[   30.931158]  print_address_description+0x6c/0x20b
[   30.935997]  ? sha1_final+0x283/0x2e0
[   30.939885]  kasan_report.cold.7+0x242/0x2fe
[   30.944286]  __asan_report_store4_noabort+0x17/0x20
[   30.949309]  sha1_final+0x283/0x2e0
[   30.952925]  crypto_shash_final+0x104/0x260
[   30.957251]  ? sha1_generic_block_fn+0x100/0x100
[   30.962028]  __keyctl_dh_compute+0x1184/0x1bc0
[   30.966621]  ? copy_overflow+0x30/0x30
[   30.970501]  ? find_held_lock+0x36/0x1c0
[   30.974557]  ? lock_downgrade+0x8e0/0x8e0
[   30.978694]  ? check_same_owner+0x320/0x320
[   30.983006]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   30.988540]  ? handle_mm_fault+0x55a/0xc70
[   30.992769]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   30.998306]  ? _copy_from_user+0xdf/0x150
[   31.002459]  keyctl_dh_compute+0xb9/0x100
[   31.006602]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   31.011361]  ? kzfree+0x28/0x30
[   31.014638]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   31.019819]  __x64_sys_keyctl+0x12a/0x3b0
[   31.023975]  do_syscall_64+0x1b1/0x800
[   31.027875]  ? syscall_return_slowpath+0x5c0/0x5c0
[   31.032795]  ? syscall_return_slowpath+0x30f/0x5c0
[   31.037720]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.043250]  ? retint_user+0x18/0x18
[   31.046956]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.051786]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.056960] RIP: 0033:0x43ffa9
[   31.060494] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[   31.079677] RSP: 002b:00007ffc83d7d948 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[   31.087385] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9
[   31.094653] RDX: 0000000020000280 RSI: 0000000020000100 RDI: 0000000000000017
[   31.101911] RBP: 00000000006ca018 R08: 0000000020000240 R09: 00000000004002c8
[   31.109174] R10: 0000000000000005 R11: 0000000000000217 R12: 00000000004018d0
[   31.116429] R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000
[   31.123690]
[   31.125304] Allocated by task 4522:
[   31.128923]  save_stack+0x43/0xd0
[   31.132361]  kasan_kmalloc+0xc4/0xe0
[   31.136062]  __kmalloc+0x14e/0x760
[   31.139596]  __keyctl_dh_compute+0xfe9/0x1bc0
[   31.144082]  keyctl_dh_compute+0xb9/0x100
[   31.148215]  __x64_sys_keyctl+0x12a/0x3b0
[   31.152350]  do_syscall_64+0x1b1/0x800
[   31.156235]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.161427]
[   31.163044] Freed by task 2860:
[   31.166315]  save_stack+0x43/0xd0
[   31.169749]  __kasan_slab_free+0x11a/0x170
[   31.173965]  kasan_slab_free+0xe/0x10
[   31.177748]  kfree+0xd9/0x260
[   31.180835]  single_release+0x8f/0xb0
[   31.184632]  __fput+0x353/0x890
[   31.187906]  ____fput+0x15/0x20
[   31.191177]  task_work_run+0x1e4/0x290
[   31.195079]  exit_to_usermode_loop+0x2bd/0x310
[   31.199644]  do_syscall_64+0x6ac/0x800
[   31.203519]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.208687]
[   31.210300] The buggy address belongs to the object at ffff8801d7136440
[   31.210300]  which belongs to the cache kmalloc-32 of size 32
[   31.222876] The buggy address is located 24 bytes inside of
[   31.222876]  32-byte region [ffff8801d7136440, ffff8801d7136460)
[   31.234579] The buggy address belongs to the page:
[   31.239497] page:ffffea00075c4d80 count:1 mapcount:0 mapping:ffff8801d7136000 index:0xffff8801d7136fc1
[   31.248939] flags: 0x2fffc0000000100(slab)
[   31.253161] raw: 02fffc0000000100 ffff8801d7136000 ffff8801d7136fc1 000000010000003f
[   31.261040] raw: ffffea00075c48a0 ffffea00075c61e0 ffff8801da8001c0 0000000000000000
[   31.268903] page dumped because: kasan: bad access detected
[   31.274590]
[   31.276197] Memory state around the buggy address:
[   31.281119]  ffff8801d7136300: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   31.288463]  ffff8801d7136380: fb fb fb fb fc fc fc fc 00 fc fc fc fc fc fc fc
[   31.295810] >ffff8801d7136400: fb fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   31.303154]                                                     ^
[   31.309370]  ffff8801d7136480: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   31.316714]  ffff8801d7136500: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc
[   31.324059] ==================================================================
[   31.331405] Disabling lock debugging due to kernel taint
[   31.336887] Kernel panic - not syncing: panic_on_warn set ...
[   31.336887]
[   31.344261] CPU: 0 PID: 4522 Comm: syz-executor261 Tainted: G    B             4.17.0+ #89
[   31.352648] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.361989] Call Trace:
[   31.364579]  dump_stack+0x1b9/0x294
[   31.368189]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.373365]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   31.378104]  ? sha1_final+0x270/0x2e0
[   31.381887]  panic+0x22f/0x4de
[   31.385071]  ? add_taint.cold.5+0x16/0x16
[   31.389204]  ? do_raw_spin_unlock+0x9e/0x2e0
[   31.393592]  ? do_raw_spin_unlock+0x9e/0x2e0
[   31.397985]  ? sha1_final+0x283/0x2e0
[   31.401777]  kasan_end_report+0x47/0x4f
[   31.405737]  kasan_report.cold.7+0x76/0x2fe
[   31.410053]  __asan_report_store4_noabort+0x17/0x20
[   31.415061]  sha1_final+0x283/0x2e0
[   31.418692]  crypto_shash_final+0x104/0x260
[   31.422996]  ? sha1_generic_block_fn+0x100/0x100
[   31.427746]  __keyctl_dh_compute+0x1184/0x1bc0
[   31.432316]  ? copy_overflow+0x30/0x30
[   31.436187]  ? find_held_lock+0x36/0x1c0
[   31.440247]  ? lock_downgrade+0x8e0/0x8e0
[   31.444378]  ? check_same_owner+0x320/0x320
[   31.448682]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   31.454202]  ? handle_mm_fault+0x55a/0xc70
[   31.458424]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.463954]  ? _copy_from_user+0xdf/0x150
[   31.468092]  keyctl_dh_compute+0xb9/0x100
[   31.472225]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   31.476967]  ? kzfree+0x28/0x30
[   31.480238]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   31.485412]  __x64_sys_keyctl+0x12a/0x3b0
[   31.489551]  do_syscall_64+0x1b1/0x800
[   31.493433]  ? syscall_return_slowpath+0x5c0/0x5c0
[   31.498344]  ? syscall_return_slowpath+0x30f/0x5c0
[   31.503255]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.508779]  ? retint_user+0x18/0x18
[   31.512478]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.517310]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.522483] RIP: 0033:0x43ffa9
[   31.525649] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[   31.544769] RSP: 002b:00007ffc83d7d948 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[   31.552460] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9
[   31.559712] RDX: 0000000020000280 RSI: 0000000020000100 RDI: 0000000000000017
[   31.566961] RBP: 00000000006ca018 R08: 0000000020000240 R09: 00000000004002c8
[   31.574211] R10: 0000000000000005 R11: 0000000000000217 R12: 00000000004018d0
[   31.581475] R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000
[   31.589218] Dumping ftrace buffer:
[   31.592738]    (ftrace buffer empty)
[   31.596427] Kernel Offset: disabled
[   31.600044] Rebooting in 86400 seconds..