[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   19.823617] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.088569] random: sshd: uninitialized urandom read (32 bytes read)
[   24.457184] random: sshd: uninitialized urandom read (32 bytes read)
[   25.224885] random: sshd: uninitialized urandom read (32 bytes read)
[   25.378584] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.14' (ECDSA) to the list of known hosts.
[   30.823678] random: sshd: uninitialized urandom read (32 bytes read)
2018/06/08 00:49:56 parsed 1 programs
[   31.988283] random: cc1: uninitialized urandom read (8 bytes read)
2018/06/08 00:49:58 executed programs: 0
[   33.142729] IPVS: ftp: loaded support on port[0] = 21
[   33.268345] bridge0: port 1(bridge_slave_0) entered blocking state
[   33.274833] bridge0: port 1(bridge_slave_0) entered disabled state
[   33.282324] device bridge_slave_0 entered promiscuous mode
[   33.298517] bridge0: port 2(bridge_slave_1) entered blocking state
[   33.304913] bridge0: port 2(bridge_slave_1) entered disabled state
[   33.311963] device bridge_slave_1 entered promiscuous mode
[   33.327382] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   33.343626] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   33.384977] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   33.403755] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   33.466427] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   33.473782] team0: Port device team_slave_0 added
[   33.488329] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   33.495494] team0: Port device team_slave_1 added
[   33.510560] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   33.527771] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   33.544788] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   33.561624] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   33.682943] bridge0: port 2(bridge_slave_1) entered blocking state
[   33.689424] bridge0: port 2(bridge_slave_1) entered forwarding state
[   33.696433] bridge0: port 1(bridge_slave_0) entered blocking state
[   33.702805] bridge0: port 1(bridge_slave_0) entered forwarding state
[   34.111302] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   34.117431] 8021q: adding VLAN 0 to HW filter on device bond0
[   34.160310] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   34.203378] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   34.211643] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   34.249651] 8021q: adding VLAN 0 to HW filter on device team0
[   34.557944] ==================================================================
[   34.565465] BUG: KASAN: slab-out-of-bounds in sha1_final+0x283/0x2e0
[   34.571997] Write of size 4 at addr ffff8801d6caf998 by task syz-executor0/4817
[   34.579439] 
[   34.581060] CPU: 1 PID: 4817 Comm: syz-executor0 Not tainted 4.17.0+ #114
[   34.587966] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.597302] Call Trace:
[   34.599884]  dump_stack+0x1b9/0x294
[   34.603498]  ? dump_stack_print_info.cold.2+0x52/0x52
[   34.608759]  ? printk+0x9e/0xba
[   34.612033]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   34.616793]  ? kasan_check_write+0x14/0x20
[   34.621032]  print_address_description+0x6c/0x20b
[   34.625897]  ? sha1_final+0x283/0x2e0
[   34.629700]  kasan_report.cold.7+0x242/0x2fe
[   34.634110]  __asan_report_store4_noabort+0x17/0x20
[   34.639126]  sha1_final+0x283/0x2e0
[   34.642757]  crypto_shash_final+0x104/0x260
[   34.647087]  ? sha1_generic_block_fn+0x100/0x100
[   34.651877]  __keyctl_dh_compute+0x1184/0x1bc0
[   34.656508]  ? copy_overflow+0x30/0x30
[   34.660404]  ? find_held_lock+0x36/0x1c0
[   34.664490]  ? lock_downgrade+0x8e0/0x8e0
[   34.668652]  ? check_same_owner+0x320/0x320
[   34.672978]  ? find_held_lock+0x36/0x1c0
[   34.677064]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   34.682610]  ? _copy_from_user+0xdf/0x150
[   34.686774]  compat_keyctl_dh_compute+0x2c8/0x3e0
[   34.691617]  ? __x32_compat_sys_keyctl+0x3b0/0x3b0
[   34.696565]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   34.701756]  __ia32_compat_sys_keyctl+0x137/0x3b0
[   34.706595]  do_fast_syscall_32+0x345/0xf9b
[   34.710916]  ? do_int80_syscall_32+0x880/0x880
[   34.715505]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   34.720269]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.725804]  ? syscall_return_slowpath+0x30f/0x5c0
[   34.730720]  ? sysret32_from_system_call+0x5/0x46
[   34.735550]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.740399]  entry_SYSENTER_compat+0x70/0x7f
[   34.744796] RIP: 0023:0xf7f4ecb9
[   34.748138] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   34.767325] RSP: 002b:00000000ffcc6c7c EFLAGS: 00000282 ORIG_RAX: 0000000000000120
[   34.775033] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000020000100
[   34.782402] RDX: 0000000020000280 RSI: 0000000000000005 RDI: 0000000020000240
[   34.789664] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   34.796924] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[   34.804197] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   34.811454] 
[   34.813073] Allocated by task 4817:
[   34.816689]  save_stack+0x43/0xd0
[   34.820125]  kasan_kmalloc+0xc4/0xe0
[   34.823819]  __kmalloc+0x14e/0x760
[   34.827356]  __keyctl_dh_compute+0xfe9/0x1bc0
[   34.831847]  compat_keyctl_dh_compute+0x2c8/0x3e0
[   34.836673]  __ia32_compat_sys_keyctl+0x137/0x3b0
[   34.841501]  do_fast_syscall_32+0x345/0xf9b
[   34.845811]  entry_SYSENTER_compat+0x70/0x7f
[   34.850201] 
[   34.851821] Freed by task 2309:
[   34.855098]  save_stack+0x43/0xd0
[   34.858547]  __kasan_slab_free+0x11a/0x170
[   34.862772]  kasan_slab_free+0xe/0x10
[   34.866558]  kfree+0xd9/0x260
[   34.869674]  tty_ldisc_put+0x4c/0x70
[   34.873396]  tty_ldisc_kill+0x6e/0xc0
[   34.877199]  tty_ldisc_hangup+0x2dd/0x640
[   34.881339]  __tty_hangup.part.21+0x2da/0x6e0
[   34.885832]  tty_vhangup+0x21/0x30
[   34.889369]  pty_close+0x3bd/0x510
[   34.892918]  tty_release+0x494/0x12e0
[   34.896723]  __fput+0x353/0x890
[   34.899998]  ____fput+0x15/0x20
[   34.903269]  task_work_run+0x1e4/0x290
[   34.907149]  exit_to_usermode_loop+0x2bd/0x310
[   34.911718]  do_syscall_64+0x6ac/0x800
[   34.915592]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.920760] 
[   34.922384] The buggy address belongs to the object at ffff8801d6caf980
[   34.922384]  which belongs to the cache kmalloc-32 of size 32
[   34.934854] The buggy address is located 24 bytes inside of
[   34.934854]  32-byte region [ffff8801d6caf980, ffff8801d6caf9a0)
[   34.946537] The buggy address belongs to the page:
[   34.951454] page:ffffea00075b2bc0 count:1 mapcount:0 mapping:ffff8801d6caf000 index:0xffff8801d6caffc1
[   34.960984] flags: 0x2fffc0000000100(slab)
[   34.965209] raw: 02fffc0000000100 ffff8801d6caf000 ffff8801d6caffc1 000000010000000a
[   34.973078] raw: ffffea00075d90e0 ffffea00075ccc60 ffff8801da8001c0 0000000000000000
[   34.980940] page dumped because: kasan: bad access detected
[   34.986637] 
[   34.988246] Memory state around the buggy address:
[   34.993154]  ffff8801d6caf880: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   35.000497]  ffff8801d6caf900: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   35.007838] >ffff8801d6caf980: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc
[   35.015176]                             ^
[   35.019308]  ffff8801d6cafa00: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc
[   35.026652]  ffff8801d6cafa80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   35.033991] ==================================================================
[   35.041335] Disabling lock debugging due to kernel taint
[   35.047442] Kernel panic - not syncing: panic_on_warn set ...
[   35.047442] 
[   35.054831] CPU: 1 PID: 4817 Comm: syz-executor0 Tainted: G    B            4.17.0+ #114
[   35.063148] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.072496] Call Trace:
[   35.075089]  dump_stack+0x1b9/0x294
[   35.078703]  ? dump_stack_print_info.cold.2+0x52/0x52
[   35.083879]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   35.088621]  ? sha1_final+0x270/0x2e0
[   35.092404]  panic+0x22f/0x4de
[   35.095594]  ? add_taint.cold.5+0x16/0x16
[   35.099725]  ? do_raw_spin_unlock+0x9e/0x2e0
[   35.104122]  ? do_raw_spin_unlock+0x9e/0x2e0
[   35.108516]  ? sha1_final+0x283/0x2e0
[   35.112298]  kasan_end_report+0x47/0x4f
[   35.116268]  kasan_report.cold.7+0x76/0x2fe
[   35.120591]  __asan_report_store4_noabort+0x17/0x20
[   35.125605]  sha1_final+0x283/0x2e0
[   35.129215]  crypto_shash_final+0x104/0x260
[   35.133520]  ? sha1_generic_block_fn+0x100/0x100
[   35.138379]  __keyctl_dh_compute+0x1184/0x1bc0
[   35.142949]  ? copy_overflow+0x30/0x30
[   35.146824]  ? find_held_lock+0x36/0x1c0
[   35.150880]  ? lock_downgrade+0x8e0/0x8e0
[   35.155023]  ? check_same_owner+0x320/0x320
[   35.159341]  ? find_held_lock+0x36/0x1c0
[   35.163385]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   35.168930]  ? _copy_from_user+0xdf/0x150
[   35.173077]  compat_keyctl_dh_compute+0x2c8/0x3e0
[   35.177905]  ? __x32_compat_sys_keyctl+0x3b0/0x3b0
[   35.182822]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   35.187996]  __ia32_compat_sys_keyctl+0x137/0x3b0
[   35.192834]  do_fast_syscall_32+0x345/0xf9b
[   35.197149]  ? do_int80_syscall_32+0x880/0x880
[   35.201726]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   35.206667]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   35.212191]  ? syscall_return_slowpath+0x30f/0x5c0
[   35.217110]  ? sysret32_from_system_call+0x5/0x46
[   35.221937]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   35.226769]  entry_SYSENTER_compat+0x70/0x7f
[   35.231165] RIP: 0023:0xf7f4ecb9
[   35.234505] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   35.253638] RSP: 002b:00000000ffcc6c7c EFLAGS: 00000282 ORIG_RAX: 0000000000000120
[   35.261334] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000020000100
[   35.268600] RDX: 0000000020000280 RSI: 0000000000000005 RDI: 0000000020000240
[   35.275859] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   35.283121] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[   35.290388] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   35.298231] Dumping ftrace buffer:
[   35.301760]    (ftrace buffer empty)
[   35.305449] Kernel Offset: disabled
[   35.309054] Rebooting in 86400 seconds..
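Added example (not part of the syzkaller log above and not kernel code): a small Python decoder that reads the KASAN header, the object description and the shadow-memory dump from the report and works out what the shadow bytes say about the access. The REPORT string is a constructed excerpt of the lines above with timestamps removed. The shadow encoding it assumes is the generic KASAN one: one shadow byte per 8-byte granule, 00 = all 8 bytes accessible, 01..07 = that many leading bytes accessible, fc = kmalloc redzone, fb = freed kmalloc object.

```python
"""Decode the KASAN slab-out-of-bounds report above.

Added example; not part of the syzkaller log and not kernel code. It
parses the report header, the object description and the shadow dump,
then checks what the shadow bytes say about the faulting access: how
much of the kmalloc-32 slot was actually allocated and whether the
4-byte write lands in the redzone.
"""
import re

SHADOW_GRANULE = 8  # bytes of memory covered by one KASAN shadow byte

# Constructed excerpt of the report above (kernel timestamps dropped).
REPORT = """\
BUG: KASAN: slab-out-of-bounds in sha1_final+0x283/0x2e0
Write of size 4 at addr ffff8801d6caf998 by task syz-executor0/4817
The buggy address belongs to the object at ffff8801d6caf980
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 24 bytes inside of
 32-byte region [ffff8801d6caf980, ffff8801d6caf9a0)
Memory state around the buggy address:
 ffff8801d6caf900: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
>ffff8801d6caf980: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc
                            ^
 ffff8801d6cafa00: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc
"""

POISON = {  # generic KASAN shadow poison values
    0xfa: "global redzone",
    0xfb: "freed kmalloc object",
    0xfc: "kmalloc redzone",
    0xfe: "page redzone",
    0xff: "free page",
}


def shadow_name(b):
    """Human-readable meaning of one shadow byte."""
    if b == 0:
        return "accessible"
    if 0 < b < SHADOW_GRANULE:
        return f"partial ({b} of {SHADOW_GRANULE} bytes accessible)"
    return POISON.get(b, f"poison 0x{b:02x}")


def parse_report(text):
    """Extract the fields needed for triage from a KASAN report."""
    bug, func = re.search(r"BUG: KASAN: (\S+) in (\S+)", text).groups()
    access, size, addr = re.search(
        r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", text).groups()
    obj = re.search(r"belongs to the object at ([0-9a-f]+)", text).group(1)
    cache, obj_size = re.search(r"cache (\S+) of size (\d+)", text).groups()
    # Shadow rows: ' ' or '>' marker, 16 hex digit address, 16 shadow bytes,
    # each covering SHADOW_GRANULE bytes of memory.
    shadow = {}
    for m in re.finditer(r"^[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$",
                         text, re.M):
        shadow[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return {"bug": bug, "function": func, "access": access, "size": int(size),
            "addr": int(addr, 16), "object": int(obj, 16), "cache": cache,
            "object_size": int(obj_size), "shadow": shadow}


def shadow_byte(shadow, addr):
    """Shadow byte covering a memory address, looked up in the dumped rows."""
    for base, row in shadow.items():
        if base <= addr < base + SHADOW_GRANULE * len(row):
            return row[(addr - base) // SHADOW_GRANULE]
    raise KeyError(f"address {addr:#x} not in shadow dump")


def usable_size(shadow, obj, obj_size):
    """Accessible bytes from the object start: the size kmalloc() was asked
    for, which can be smaller than the slab slot that serves it."""
    n = 0
    for off in range(0, obj_size, SHADOW_GRANULE):
        b = shadow_byte(shadow, obj + off)
        if b == 0:
            n += SHADOW_GRANULE
            continue
        if b < SHADOW_GRANULE:
            n += b
        break
    return n


def analyze(text):
    """Summarise where the access falls relative to the allocation."""
    r = parse_report(text)
    obj, size, addr = r["object"], r["size"], r["addr"]
    usable = usable_size(r["shadow"], obj, r["object_size"])
    hit = []  # distinct shadow meanings the access touches, in order
    for a in range(addr, addr + size):
        name = shadow_name(shadow_byte(r["shadow"], a))
        if name not in hit:
            hit.append(name)
    return {
        "bug": r["bug"], "function": r["function"],
        "access": r["access"], "size": size, "cache": r["cache"],
        "offset_in_object": addr - obj,
        "usable_bytes": usable,
        "bytes_past_allocation": max(0, addr + size - (obj + usable)),
        # True when the access stays inside the slab slot, i.e. only the
        # redzone tail is hit and no neighbouring object by this access.
        "within_slab_object": addr + size <= obj + r["object_size"],
        "shadow_hit": hit,
    }


if __name__ == "__main__":
    for key, value in analyze(REPORT).items():
        print(f"{key:>22}: {value}")
```

Run on the excerpt, the decoder shows that the kmalloc-32 slot at ffff8801d6caf980 has only its first 24 bytes marked accessible (the tail is fc redzone), so the 4-byte write at offset 24 from sha1_final lies entirely past the size __kmalloc was called with while still inside the 32-byte slot; that is why KASAN reports slab-out-of-bounds even though this single access reaches no neighbouring object. Two caveats when reading the report: panic_on_warn stops the kernel at the first bad access, so the log says nothing about how far the write would have continued; and the "Freed by task 2309" stack through tty_ldisc_put is the free track KASAN retained from the slot's previous occupant, not a free of the buffer being written, which is live and was allocated by task 4817 in __keyctl_dh_compute. The user-space frames (entry_SYSENTER_compat, RIP: 0023:) show the reproducer is a 32-bit process reaching DH compute through the compat keyctl path.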