[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   19.137530] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.698255] random: sshd: uninitialized urandom read (32 bytes read)
[   22.952934] random: sshd: uninitialized urandom read (32 bytes read)
[   23.706125] random: sshd: uninitialized urandom read (32 bytes read)
[   24.198404] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.10' (ECDSA) to the list of known hosts.
[   29.606121] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   29.693792] ==================================================================
[   29.701241] BUG: KASAN: use-after-free in nla_strlcpy+0x13d/0x150
[   29.707459] Read of size 1 at addr ffff8801ac804b5d by task syz-executor319/4509
[   29.714965] 
[   29.716573] CPU: 1 PID: 4509 Comm: syz-executor319 Not tainted 4.17.0-rc6+ #68
[   29.723907] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.733256] Call Trace:
[   29.735834]  dump_stack+0x1b9/0x294
[   29.739452]  ? dump_stack_print_info.cold.2+0x52/0x52
[   29.744631]  ? printk+0x9e/0xba
[   29.747899]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   29.752647]  ? kasan_check_write+0x14/0x20
[   29.756863]  print_address_description+0x6c/0x20b
[   29.761685]  ? nla_strlcpy+0x13d/0x150
[   29.765557]  kasan_report.cold.7+0x242/0x2fe
[   29.769948]  __asan_report_load1_noabort+0x14/0x20
[   29.774871]  nla_strlcpy+0x13d/0x150
[   29.778564]  nfnl_acct_new+0x574/0xc50
[   29.782432]  ? nfnl_acct_overquota+0x380/0x380
[   29.786994]  ? debug_check_no_locks_freed+0x310/0x310
[   29.792165]  ? graph_lock+0x170/0x170
[   29.795944]  ? find_held_lock+0x36/0x1c0
[   29.799986]  ? print_usage_bug+0xc0/0xc0
[   29.804045]  ? find_held_lock+0x36/0x1c0
[   29.808087]  ? graph_lock+0x170/0x170
[   29.811868]  ? lock_downgrade+0x8e0/0x8e0
[   29.816009]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.821539]  ? __lock_is_held+0xb5/0x140
[   29.825588]  ? nfnl_acct_overquota+0x380/0x380
[   29.830148]  nfnetlink_rcv_msg+0xdb5/0xff0
[   29.834369]  ? __sanitizer_cov_trace_cmp1+0x17/0x20
[   29.839364]  ? nfnetlink_rcv_msg+0x3bc/0xff0
[   29.843759]  ? nfnetlink_bind+0x3a0/0x3a0
[   29.847887]  ? graph_lock+0x170/0x170
[   29.851671]  ? find_held_lock+0x36/0x1c0
[   29.855726]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.861251]  netlink_rcv_skb+0x172/0x440
[   29.865296]  ? nfnetlink_bind+0x3a0/0x3a0
[   29.869426]  ? netlink_ack+0xbc0/0xbc0
[   29.873301]  ? __netlink_ns_capable+0x100/0x130
[   29.877952]  nfnetlink_rcv+0x1fe/0x1ba0
[   29.881908]  ? kasan_check_read+0x11/0x20
[   29.886042]  ? rcu_is_watching+0x85/0x140
[   29.890172]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   29.895348]  ? nfnl_err_reset+0x2d0/0x2d0
[   29.899478]  ? netlink_remove_tap+0x610/0x610
[   29.903954]  ? refcount_add_not_zero+0x320/0x320
[   29.908689]  ? kasan_check_read+0x11/0x20
[   29.912816]  ? rcu_is_watching+0x85/0x140
[   29.916944]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   29.922111]  ? netlink_skb_destructor+0x210/0x210
[   29.926934]  ? kasan_check_write+0x14/0x20
[   29.931148]  netlink_unicast+0x58b/0x740
[   29.935193]  ? netlink_attachskb+0x970/0x970
[   29.939582]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.945100]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   29.950099]  ? security_netlink_send+0x88/0xb0
[   29.954663]  netlink_sendmsg+0x9f0/0xfa0
[   29.958707]  ? netlink_unicast+0x740/0x740
[   29.962922]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.968441]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.973957]  ? security_socket_sendmsg+0x94/0xc0
[   29.978690]  ? netlink_unicast+0x740/0x740
[   29.982907]  sock_sendmsg+0xd5/0x120
[   29.986599]  sock_write_iter+0x35a/0x5a0
[   29.990638]  ? sock_sendmsg+0x120/0x120
[   29.994596]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   30.000110]  ? iov_iter_init+0xc9/0x1f0
[   30.004068]  __vfs_write+0x64d/0x960
[   30.007764]  ? kernel_read+0x120/0x120
[   30.011630]  ? lock_downgrade+0x8e0/0x8e0
[   30.015757]  ? handle_mm_fault+0x8c0/0xc70
[   30.019973]  ? handle_mm_fault+0x55a/0xc70
[   30.024192]  ? rw_verify_area+0x118/0x360
[   30.028319]  vfs_write+0x1f8/0x560
[   30.031845]  ksys_write+0xf9/0x250
[   30.035370]  ? __ia32_sys_read+0xb0/0xb0
[   30.039426]  __x64_sys_write+0x73/0xb0
[   30.043299]  do_syscall_64+0x1b1/0x800
[   30.047169]  ? syscall_return_slowpath+0x5c0/0x5c0
[   30.052077]  ? syscall_return_slowpath+0x30f/0x5c0
[   30.056989]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.062511]  ? retint_user+0x18/0x18
[   30.066205]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.071044]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.076221] RIP: 0033:0x43ff39
[   30.079391] RSP: 002b:00007ffc39457248 EFLAGS: 00000213 ORIG_RAX: 0000000000000001
[   30.087077] RAX: ffffffffffffffda RBX: 00007ffc39457260 RCX: 000000000043ff39
[   30.094323] RDX: 000000000000001f RSI: 0000000020390000 RDI: 0000000000000003
[   30.101570] RBP: 00000000006cb018 R08: 0000000000000000 R09: 0000000000000000
[   30.108818] R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401800
[   30.116067] R13: 0000000000401890 R14: 0000000000000000 R15: 0000000000000000
[   30.123321] 
[   30.124926] Allocated by task 4509:
[   30.128535]  save_stack+0x43/0xd0
[   30.131965]  kasan_kmalloc+0xc4/0xe0
[   30.135658]  __kmalloc+0x14e/0x760
[   30.139175]  load_elf_phdrs+0x17a/0x250
[   30.143125]  load_elf_binary+0x32b/0x5610
[   30.147249]  search_binary_handler+0x17d/0x570
[   30.151809]  do_execveat_common.isra.34+0x16ce/0x2590
[   30.156975]  __x64_sys_execve+0x8d/0xb0
[   30.160927]  do_syscall_64+0x1b1/0x800
[   30.164792]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.169953] 
[   30.171555] Freed by task 4509:
[   30.174813]  save_stack+0x43/0xd0
[   30.178246]  __kasan_slab_free+0x11a/0x170
[   30.182457]  kasan_slab_free+0xe/0x10
[   30.186236]  kfree+0xd9/0x260
[   30.189319]  load_elf_binary+0x2569/0x5610
[   30.193532]  search_binary_handler+0x17d/0x570
[   30.198090]  do_execveat_common.isra.34+0x16ce/0x2590
[   30.203260]  __x64_sys_execve+0x8d/0xb0
[   30.207212]  do_syscall_64+0x1b1/0x800
[   30.211082]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.216245] 
[   30.217851] The buggy address belongs to the object at ffff8801ac804ac0
[   30.217851]  which belongs to the cache kmalloc-512 of size 512
[   30.230484] The buggy address is located 157 bytes inside of
[   30.230484]  512-byte region [ffff8801ac804ac0, ffff8801ac804cc0)
[   30.242340] The buggy address belongs to the page:
[   30.247248] page:ffffea0006b20100 count:1 mapcount:0 mapping:ffff8801ac8040c0 index:0x0
[   30.255368] flags: 0x2fffc0000000100(slab)
[   30.259587] raw: 02fffc0000000100 ffff8801ac8040c0 0000000000000000 0000000100000006
[   30.267446] raw: ffffea0006b3c460 ffff8801da801748 ffff8801da800940 0000000000000000
[   30.275298] page dumped because: kasan: bad access detected
[   30.280978] 
[   30.282580] Memory state around the buggy address:
[   30.287487]  ffff8801ac804a00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   30.294823]  ffff8801ac804a80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   30.302157] >ffff8801ac804b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.309496]                                                     ^
[   30.315704]  ffff8801ac804b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.323045]  ffff8801ac804c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.330384] ==================================================================
[   30.337717] Disabling lock debugging due to kernel taint
[   30.343223] Kernel panic - not syncing: panic_on_warn set ...
[   30.343223] 
[   30.350592] CPU: 1 PID: 4509 Comm: syz-executor319 Tainted: G    B             4.17.0-rc6+ #68
[   30.359323] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.368652] Call Trace:
[   30.371221]  dump_stack+0x1b9/0x294
[   30.374827]  ? dump_stack_print_info.cold.2+0x52/0x52
[   30.379995]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.384733]  ? nla_strlcpy+0x70/0x150
[   30.388512]  panic+0x22f/0x4de
[   30.391680]  ? add_taint.cold.5+0x16/0x16
[   30.395809]  ? do_raw_spin_unlock+0x9e/0x2e0
[   30.400194]  ? do_raw_spin_unlock+0x9e/0x2e0
[   30.404580]  ? nla_strlcpy+0x13d/0x150
[   30.408442]  kasan_end_report+0x47/0x4f
[   30.412393]  kasan_report.cold.7+0x76/0x2fe
[   30.416695]  __asan_report_load1_noabort+0x14/0x20
[   30.421599]  nla_strlcpy+0x13d/0x150
[   30.425291]  nfnl_acct_new+0x574/0xc50
[   30.429158]  ? nfnl_acct_overquota+0x380/0x380
[   30.433716]  ? debug_check_no_locks_freed+0x310/0x310
[   30.438883]  ? graph_lock+0x170/0x170
[   30.442661]  ? find_held_lock+0x36/0x1c0
[   30.446700]  ? print_usage_bug+0xc0/0xc0
[   30.450740]  ? find_held_lock+0x36/0x1c0
[   30.454778]  ? graph_lock+0x170/0x170
[   30.458555]  ? lock_downgrade+0x8e0/0x8e0
[   30.462681]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.468195]  ? __lock_is_held+0xb5/0x140
[   30.472233]  ? nfnl_acct_overquota+0x380/0x380
[   30.476792]  nfnetlink_rcv_msg+0xdb5/0xff0
[   30.481010]  ? __sanitizer_cov_trace_cmp1+0x17/0x20
[   30.486009]  ? nfnetlink_rcv_msg+0x3bc/0xff0
[   30.490406]  ? nfnetlink_bind+0x3a0/0x3a0
[   30.494531]  ? graph_lock+0x170/0x170
[   30.498309]  ? find_held_lock+0x36/0x1c0
[   30.502350]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.507868]  netlink_rcv_skb+0x172/0x440
[   30.511906]  ? nfnetlink_bind+0x3a0/0x3a0
[   30.516038]  ? netlink_ack+0xbc0/0xbc0
[   30.519905]  ? __netlink_ns_capable+0x100/0x130
[   30.524553]  nfnetlink_rcv+0x1fe/0x1ba0
[   30.528512]  ? kasan_check_read+0x11/0x20
[   30.532642]  ? rcu_is_watching+0x85/0x140
[   30.536769]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   30.541938]  ? nfnl_err_reset+0x2d0/0x2d0
[   30.546065]  ? netlink_remove_tap+0x610/0x610
[   30.550540]  ? refcount_add_not_zero+0x320/0x320
[   30.555271]  ? kasan_check_read+0x11/0x20
[   30.559395]  ? rcu_is_watching+0x85/0x140
[   30.563518]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   30.568684]  ? netlink_skb_destructor+0x210/0x210
[   30.573505]  ? kasan_check_write+0x14/0x20
[   30.577718]  netlink_unicast+0x58b/0x740
[   30.581758]  ? netlink_attachskb+0x970/0x970
[   30.586145]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.591660]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   30.596655]  ? security_netlink_send+0x88/0xb0
[   30.601212]  netlink_sendmsg+0x9f0/0xfa0
[   30.605253]  ? netlink_unicast+0x740/0x740
[   30.609467]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.614988]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.620507]  ? security_socket_sendmsg+0x94/0xc0
[   30.625238]  ? netlink_unicast+0x740/0x740
[   30.629449]  sock_sendmsg+0xd5/0x120
[   30.633139]  sock_write_iter+0x35a/0x5a0
[   30.637181]  ? sock_sendmsg+0x120/0x120
[   30.641134]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   30.646649]  ? iov_iter_init+0xc9/0x1f0
[   30.650601]  __vfs_write+0x64d/0x960
[   30.654292]  ? kernel_read+0x120/0x120
[   30.658157]  ? lock_downgrade+0x8e0/0x8e0
[   30.662282]  ? handle_mm_fault+0x8c0/0xc70
[   30.666496]  ? handle_mm_fault+0x55a/0xc70
[   30.670707]  ? rw_verify_area+0x118/0x360
[   30.674835]  vfs_write+0x1f8/0x560
[   30.678356]  ksys_write+0xf9/0x250
[   30.681875]  ? __ia32_sys_read+0xb0/0xb0
[   30.685917]  __x64_sys_write+0x73/0xb0
[   30.689785]  do_syscall_64+0x1b1/0x800
[   30.693651]  ? syscall_return_slowpath+0x5c0/0x5c0
[   30.698559]  ? syscall_return_slowpath+0x30f/0x5c0
[   30.703466]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.708981]  ? retint_user+0x18/0x18
[   30.712675]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.717497]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.722663] RIP: 0033:0x43ff39
[   30.725827] RSP: 002b:00007ffc39457248 EFLAGS: 00000213 ORIG_RAX: 0000000000000001
[   30.733511] RAX: ffffffffffffffda RBX: 00007ffc39457260 RCX: 000000000043ff39
[   30.740757] RDX: 000000000000001f RSI: 0000000020390000 RDI: 0000000000000003
[   30.748006] RBP: 00000000006cb018 R08: 0000000000000000 R09: 0000000000000000
[   30.755262] R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401800
[   30.762506] R13: 0000000000401890 R14: 0000000000000000 R15: 0000000000000000
[   30.770219] Dumping ftrace buffer:
[   30.773733]    (ftrace buffer empty)
[   30.777423] Kernel Offset: disabled
[   30.781026] Rebooting in 86400 seconds..