[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 19.790615] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 21.522592] random: sshd: uninitialized urandom read (32 bytes read)
[ 21.761768] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.577997] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.758936] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.14' (ECDSA) to the list of known hosts.
[ 28.284393] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 28.379350] ==================================================================
[ 28.386842] BUG: KASAN: slab-out-of-bounds in rmd320_final+0x201/0x240
[ 28.393500] Write of size 4 at addr ffff8801d06f8440 by task syz-executor818/4547
[ 28.401108]
[ 28.402738] CPU: 0 PID: 4547 Comm: syz-executor818 Not tainted 4.17.0+ #89
[ 28.409731] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.419239] Call Trace:
[ 28.421824]  dump_stack+0x1b9/0x294
[ 28.425435]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 28.430603]  ? printk+0x9e/0xba
[ 28.433883]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 28.438625]  ? kasan_check_write+0x14/0x20
[ 28.442854]  print_address_description+0x6c/0x20b
[ 28.447696]  ? rmd320_final+0x201/0x240
[ 28.451654]  kasan_report.cold.7+0x242/0x2fe
[ 28.456054]  __asan_report_store4_noabort+0x17/0x20
[ 28.461064]  rmd320_final+0x201/0x240
[ 28.464866]  ? rmd320_update+0x170/0x170
[ 28.468920]  ? rmd320_update+0x13b/0x170
[ 28.472965]  ? kasan_unpoison_shadow+0x35/0x50
[ 28.477529]  crypto_shash_final+0x104/0x260
[ 28.481831]  ? rmd320_update+0x170/0x170
[ 28.485881]  __keyctl_dh_compute+0x1184/0x1bc0
[ 28.490451]  ? copy_overflow+0x30/0x30
[ 28.494328]  ? find_held_lock+0x36/0x1c0
[ 28.498373]  ? lock_downgrade+0x8e0/0x8e0
[ 28.502505]  ? check_same_owner+0x320/0x320
[ 28.506820]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 28.512340]  ? handle_mm_fault+0x55a/0xc70
[ 28.516560]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 28.522086]  ? _copy_from_user+0xdf/0x150
[ 28.526232]  keyctl_dh_compute+0xb9/0x100
[ 28.530366]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[ 28.535107]  ? kzfree+0x28/0x30
[ 28.538376]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 28.543558]  __x64_sys_keyctl+0x12a/0x3b0
[ 28.547698]  do_syscall_64+0x1b1/0x800
[ 28.551567]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 28.556475]  ? syscall_return_slowpath+0x30f/0x5c0
[ 28.561398]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 28.566923]  ? retint_user+0x18/0x18
[ 28.570619]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 28.575445]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 28.580623] RIP: 0033:0x440019
[ 28.583788] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[ 28.602977] RSP: 002b:00007ffc632dd578 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[ 28.610682] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440019
[ 28.617943] RDX: 0000000020a53ffb RSI: 0000000020000100 RDI: 0000000000000017
[ 28.625193] RBP: 00000000006ca018 R08: 0000000020c61fc8 R09: 00000000004002c8
[ 28.632443] R10: 000000000000001c R11: 0000000000000217 R12: 0000000000401940
[ 28.639702] R13: 00000000004019d0 R14: 0000000000000000 R15: 0000000000000000
[ 28.646963]
[ 28.648574] Allocated by task 4547:
[ 28.652188]  save_stack+0x43/0xd0
[ 28.655624]  kasan_kmalloc+0xc4/0xe0
[ 28.660244]  __kmalloc+0x14e/0x760
[ 28.663770]  __keyctl_dh_compute+0xfe9/0x1bc0
[ 28.668253]  keyctl_dh_compute+0xb9/0x100
[ 28.672469]  __x64_sys_keyctl+0x12a/0x3b0
[ 28.676605]  do_syscall_64+0x1b1/0x800
[ 28.680477]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 28.685646]
[ 28.687255] Freed by task 1:
[ 28.690260]  save_stack+0x43/0xd0
[ 28.693696]  __kasan_slab_free+0x11a/0x170
[ 28.697920]  kasan_slab_free+0xe/0x10
[ 28.701702]  kfree+0xd9/0x260
[ 28.704794]  virtscsi_target_destroy+0x37/0x50
[ 28.709355]  scsi_target_destroy+0x1fa/0x560
[ 28.713743]  scsi_target_reap+0xf8/0x140
[ 28.717784]  __scsi_scan_target+0x221/0xfe0
[ 28.722085]  scsi_scan_channel.part.7+0x11f/0x190
[ 28.726915]  scsi_scan_host_selected+0x2b9/0x3d0
[ 28.731650]  do_scsi_scan_host+0x1ee/0x260
[ 28.735870]  scsi_scan_host+0x4a2/0x590
[ 28.739827]  virtscsi_probe+0xbe5/0xf04
[ 28.743785]  virtio_dev_probe+0x592/0x942
[ 28.747920]  driver_probe_device+0x68e/0x950
[ 28.752307]  __driver_attach+0x28b/0x2f0
[ 28.756348]  bus_for_each_dev+0x151/0x1d0
[ 28.760475]  driver_attach+0x3d/0x50
[ 28.764182]  bus_add_driver+0x4b2/0x600
[ 28.768137]  driver_register+0x1c8/0x320
[ 28.772183]  register_virtio_driver+0x79/0xd0
[ 28.776668]  init+0xa3/0x114
[ 28.779675]  do_one_initcall+0x127/0x913
[ 28.783724]  kernel_init_freeable+0x49b/0x58e
[ 28.788204]  kernel_init+0x11/0x1b3
[ 28.791811]  ret_from_fork+0x3a/0x50
[ 28.795509]
[ 28.797115] The buggy address belongs to the object at ffff8801d06f8400
[ 28.797115]  which belongs to the cache kmalloc-64 of size 64
[ 28.809600] The buggy address is located 0 bytes to the right of
[ 28.809600]  64-byte region [ffff8801d06f8400, ffff8801d06f8440)
[ 28.821718] The buggy address belongs to the page:
[ 28.826652] page:ffffea000741be00 count:1 mapcount:0 mapping:ffff8801d06f8000 index:0x0
[ 28.834777] flags: 0x2fffc0000000100(slab)
[ 28.839011] raw: 02fffc0000000100 ffff8801d06f8000 0000000000000000 0000000100000020
[ 28.846894] raw: ffffea000749d360 ffffea0007485860 ffff8801da800340 0000000000000000
[ 28.854754] page dumped because: kasan: bad access detected
[ 28.860444]
[ 28.862055] Memory state around the buggy address:
[ 28.866970]  ffff8801d06f8300: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 28.874309]  ffff8801d06f8380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 28.881651] >ffff8801d06f8400: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 28.888997]                                            ^
[ 28.894448]  ffff8801d06f8480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 28.901799]  ffff8801d06f8500: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 28.909135] ==================================================================
[ 28.916480] Disabling lock debugging due to kernel taint
[ 28.922007] Kernel panic - not syncing: panic_on_warn set ...
[ 28.922007]
[ 28.929389] CPU: 0 PID: 4547 Comm: syz-executor818 Tainted: G    B            4.17.0+ #89
[ 28.937783] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.947127] Call Trace:
[ 28.949704]  dump_stack+0x1b9/0x294
[ 28.953314]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 28.958494]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 28.963232]  ? rmd320_final+0x200/0x240
[ 28.967190]  panic+0x22f/0x4de
[ 28.970364]  ? add_taint.cold.5+0x16/0x16
[ 28.974494]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 28.978879]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 28.983268]  ? rmd320_final+0x201/0x240
[ 28.987227]  kasan_end_report+0x47/0x4f
[ 28.991183]  kasan_report.cold.7+0x76/0x2fe
[ 28.995505]  __asan_report_store4_noabort+0x17/0x20
[ 29.000521]  rmd320_final+0x201/0x240
[ 29.004304]  ? rmd320_update+0x170/0x170
[ 29.008354]  ? rmd320_update+0x13b/0x170
[ 29.012397]  ? kasan_unpoison_shadow+0x35/0x50
[ 29.016961]  crypto_shash_final+0x104/0x260
[ 29.021262]  ? rmd320_update+0x170/0x170
[ 29.025305]  __keyctl_dh_compute+0x1184/0x1bc0
[ 29.029871]  ? copy_overflow+0x30/0x30
[ 29.033740]  ? find_held_lock+0x36/0x1c0
[ 29.037782]  ? lock_downgrade+0x8e0/0x8e0
[ 29.041930]  ? check_same_owner+0x320/0x320
[ 29.046233]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 29.051750]  ? handle_mm_fault+0x55a/0xc70
[ 29.055981]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 29.061499]  ? _copy_from_user+0xdf/0x150
[ 29.065627]  keyctl_dh_compute+0xb9/0x100
[ 29.069766]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[ 29.074514]  ? kzfree+0x28/0x30
[ 29.077773]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 29.082942]  __x64_sys_keyctl+0x12a/0x3b0
[ 29.087087]  do_syscall_64+0x1b1/0x800
[ 29.090957]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 29.095873]  ? syscall_return_slowpath+0x30f/0x5c0
[ 29.100784]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 29.106302]  ? retint_user+0x18/0x18
[ 29.110021]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 29.114852]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 29.120029] RIP: 0033:0x440019
[ 29.123197] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[ 29.142326] RSP: 002b:00007ffc632dd578 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[ 29.150030] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440019
[ 29.157281] RDX: 0000000020a53ffb RSI: 0000000020000100 RDI: 0000000000000017
[ 29.164538] RBP: 00000000006ca018 R08: 0000000020c61fc8 R09: 00000000004002c8
[ 29.171794] R10: 000000000000001c R11: 0000000000000217 R12: 0000000000401940
[ 29.179060] R13: 00000000004019d0 R14: 0000000000000000 R15: 0000000000000000
[ 29.186811] Dumping ftrace buffer:
[ 29.190331]    (ftrace buffer empty)
[ 29.194017] Kernel Offset: disabled
[ 29.197620] Rebooting in 86400 seconds..
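Reading the report: the faulting syscall is keyctl (ORIG_RAX 0xfa = 250 on x86-64) with option RDI = 0x17 = 23, KEYCTL_DH_COMPUTE, and the write comes from crypto_shash_final() called out of __keyctl_dh_compute(), i.e. the KDF step that hashes the Diffie-Hellman result with the caller-chosen digest (here rmd320). The clobbered object is a 64-byte kmalloc-64 buffer that the same task allocated inside __keyctl_dh_compute(); the first out-of-bounds store is 4 bytes wide at exactly the end of that object. rmd320_final() emits its 40-byte digest as ten 4-byte stores, so a 4-byte store landing at offset 64 is what you get when a whole 40-byte digest is written starting at offset 40 into a buffer with only 24 bytes left: the classic counter-mode KDF shape where the last, partial output block is finalised straight into the destination instead of into a temporary. The log does not prove that this is the root cause, but the arithmetic is consistent with it, and it is the first thing to check in the KDF's output-buffer sizing. The C below is an added illustration written for this page, not kernel code and not from the syzkaller report: it reproduces that arithmetic with a stand-in 40-byte digest (a small non-cryptographic mixer, explicitly not RIPEMD-320), a constructed input, and a redzone after the 64-byte region playing the role of KASAN's `fc` shadow bytes, and shows the safe shape alongside the overrunning one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN   40    /* RIPEMD-320 digest size; rmd320_final emits it as ten 4-byte stores */
#define OUT_LEN      64    /* size of the kmalloc-64 object in the report */
#define REDZONE_LEN  32    /* stands in for KASAN's 'fc' redzone after the object */
#define REDZONE_BYTE 0xAA

/* Stand-in 40-byte digest. NOT RIPEMD-320: a tiny non-cryptographic mixer whose
 * only relevant properties are its output length and its ten 4-byte stores. */
static void stand_in_digest(const uint8_t *msg, size_t len, uint8_t *out)
{
    uint32_t state[DIGEST_LEN / 4];
    size_t i;
    for (i = 0; i < DIGEST_LEN / 4; i++)
        state[i] = 0x9e3779b9u * (uint32_t)(i + 1);
    for (i = 0; i < len; i++) {
        uint32_t *w = &state[i % (DIGEST_LEN / 4)];
        *w = (*w ^ msg[i]) * 0x01000193u;
        *w ^= *w >> 13;
    }
    for (i = 0; i < DIGEST_LEN / 4; i++) {      /* one of these is the 4-byte store KASAN flagged */
        out[4 * i + 0] = (uint8_t)state[i];
        out[4 * i + 1] = (uint8_t)(state[i] >> 8);
        out[4 * i + 2] = (uint8_t)(state[i] >> 16);
        out[4 * i + 3] = (uint8_t)(state[i] >> 24);
    }
}

/* Counter-mode KDF of the SP800-56A shape used behind KEYCTL_DH_COMPUTE:
 * block_i = H(counter_i || zlen zero bytes || src), counter from 1, blocks
 * concatenated into dst until dlen bytes exist. partial_via_tmp == 0 writes the
 * last block straight into dst even when fewer than DIGEST_LEN bytes remain
 * (the overrun shape); == 1 finalises into a temporary and copies only dlen
 * bytes (the safe shape). Returns the number of bytes actually stored via dst. */
static size_t kdf_ctr_demo(const uint8_t *src, size_t slen, uint8_t *dst,
                           size_t dlen, size_t zlen, int partial_via_tmp)
{
    uint8_t msg[4 + 32 + 64];
    uint32_t counter = 1;
    size_t written = 0;

    if (zlen > 32 || slen > 64)
        return 0;
    while (dlen) {
        size_t n = 0;
        msg[n++] = (uint8_t)(counter >> 24); msg[n++] = (uint8_t)(counter >> 16);
        msg[n++] = (uint8_t)(counter >> 8);  msg[n++] = (uint8_t)counter;
        memset(msg + n, 0, zlen);   n += zlen;
        memcpy(msg + n, src, slen); n += slen;
        if (dlen < DIGEST_LEN) {
            if (partial_via_tmp) {
                uint8_t tmp[DIGEST_LEN];
                stand_in_digest(msg, n, tmp);
                memcpy(dst, tmp, dlen);
                return written + dlen;
            }
            stand_in_digest(msg, n, dst);   /* DIGEST_LEN bytes into dlen bytes of room */
            return written + DIGEST_LEN;
        }
        stand_in_digest(msg, n, dst);
        dst += DIGEST_LEN; dlen -= DIGEST_LEN; written += DIGEST_LEN; counter++;
    }
    return written;
}

struct kdf_run { size_t written; int redzone_intact; };

/* Derive OUT_LEN bytes into a region followed by a redzone and report whether
 * the redzone survived, as KASAN's shadow bytes after the object would. */
static struct kdf_run run_kdf(int partial_via_tmp)
{
    static const uint8_t secret[] = "constructed DH shared secret || otherinfo"; /* constructed input */
    uint8_t region[OUT_LEN + REDZONE_LEN];
    struct kdf_run r;
    size_t i;

    memset(region, REDZONE_BYTE, sizeof region);
    r.written = kdf_ctr_demo(secret, sizeof secret - 1, region, OUT_LEN, 8, partial_via_tmp);
    r.redzone_intact = 1;
    for (i = OUT_LEN; i < sizeof region; i++)
        if (region[i] != REDZONE_BYTE)
            r.redzone_intact = 0;
    return r;
}

/* Offset of the first byte the overrun shape touches past a dlen-byte buffer, or -1
 * when dlen is a whole number of digests. 64 with h = 40 matches the report's
 * "0 bytes to the right of 64-byte region". */
static long first_oob_offset(size_t dlen, size_t h)
{
    return dlen % h ? (long)dlen : -1;
}

/* Smallest buffer a KDF that always stores whole digests needs: dlen rounded up
 * to a multiple of h (64 -> 80, 28 -> 40 for a 40-byte digest). */
static size_t kdf_required_buffer(size_t dlen, size_t h)
{
    return (dlen + h - 1) / h * h;
}

int main(void)
{
    struct kdf_run bad = run_kdf(0), good = run_kdf(1);
    printf("overrun shape: %zu bytes into %d, redzone intact: %d\n", bad.written, OUT_LEN, bad.redzone_intact);
    printf("safe shape:    %zu bytes into %d, redzone intact: %d\n", good.written, OUT_LEN, good.redzone_intact);
    printf("first OOB offset: %ld, buffer needed for whole-digest stores: %zu\n",
           first_oob_offset(OUT_LEN, DIGEST_LEN), kdf_required_buffer(OUT_LEN, DIGEST_LEN));
    return 0;
}
```

Two caveats when triaging this report. First, the "Freed by task 1" stack (virtscsi_target_destroy() during boot) is not part of the bug: KASAN prints the last free recorded for that slab slot, and here it is the slot's previous tenant from PID 1's driver probing. This is a slab-out-of-bounds on a live allocation, not a use-after-free, so the virtio-scsi frames can be ignored. Second, the stand-in digest above is only a length model; when checking the real code path, the property to verify is that the KDF never stores more than the remaining output length into the destination for any digest size the caller can select by name, since KEYCTL_DH_COMPUTE lets an unprivileged caller pick the hash.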