INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-386-3,10.128.0.28' (ECDSA) to the list of known hosts.
executing program

syzkaller login: [   34.002219] ==================================================================
[   34.003299] BUG: KASAN: slab-out-of-bounds in sha3_update+0xdf/0x2e0
[   34.004154] Write of size 192 at addr ffff8801cb8fe13c by task syzkaller542110/3079
[   34.005189] 
[   34.005420] CPU: 0 PID: 3079 Comm: syzkaller542110 Not tainted 4.15.0-rc1+ #115
[   34.006462] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.007734] Call Trace:
[   34.008093]  dump_stack+0x194/0x257
[   34.008583]  ? arch_local_irq_restore+0x53/0x53
[   34.009208]  ? show_regs_print_info+0x65/0x65
[   34.009805]  ? do_fast_syscall_32+0x3ee/0xf9d
[   34.010537]  ? sha3_update+0xdf/0x2e0
[   34.011066]  print_address_description+0x73/0x250
[   34.011713]  ? sha3_update+0xdf/0x2e0
[   34.012227]  kasan_report+0x25b/0x340
[   34.012741]  check_memory_region+0x137/0x190
[   34.013331]  memcpy+0x37/0x50
[   34.013769]  sha3_update+0xdf/0x2e0
[   34.014270]  crypto_shash_update+0xcb/0x220
[   34.014855]  hmac_update+0x7e/0xa0
[   34.015337]  crypto_shash_update+0xcb/0x220
[   34.015924]  __keyctl_dh_compute+0x16d8/0x1a00
[   34.016549]  ? dh_data_from_key+0x340/0x340
[   34.017133]  ? find_held_lock+0x39/0x1d0
[   34.017715]  ? __might_fault+0xe0/0x1d0
[   34.018253]  ? lock_release+0xda0/0xda0
[   34.018787]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   34.019580]  ? kasan_check_write+0x14/0x20
[   34.020148]  ? _copy_from_user+0x99/0x110
[   34.020704]  compat_keyctl_dh_compute+0x2bb/0x3e0
[   34.021353]  ? compat_SyS_keyctl+0x2c0/0x2c0
[   34.021942]  ? __handle_mm_fault+0x3e20/0x3e20
[   34.023955]  compat_SyS_keyctl+0x72/0x2c0
[   34.028071]  ? compat_keyctl_instantiate_key_iov+0x1c0/0x1c0
[   34.033834]  do_fast_syscall_32+0x3ee/0xf9d
[   34.038127]  ? do_int80_syscall_32+0x9d0/0x9d0
[   34.042674]  ? kasan_check_read+0x11/0x20
[   34.046878]  ? syscall_return_slowpath+0x550/0x550
[   34.051775]  ? SyS_rt_sigaction+0x94/0x1b0
[   34.055981]  ? lockdep_sys_exit+0x47/0xf0
[   34.060095]  ? retint_user+0x18/0x18
[   34.063778]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.068593]  entry_SYSENTER_compat+0x51/0x60
[   34.072968] RIP: 0023:0xf7fcdc79
[   34.076300] RSP: 002b:00000000ffdd6c5c EFLAGS: 00000282 ORIG_RAX: 0000000000000120
[   34.083975] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 00000000204c8ff4
[   34.091211] RDX: 00000000205cd000 RSI: 0000000000000030 RDI: 0000000020550000
[   34.098444] RBP: 00000000080bb068 R08: 0000000000000000 R09: 0000000000000000
[   34.105683] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   34.112920] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   34.120179] 
[   34.121771] Allocated by task 3079:
[   34.125362]  save_stack+0x43/0xd0
[   34.128777]  kasan_kmalloc+0xad/0xe0
[   34.132453]  __kmalloc+0x162/0x760
[   34.135959]  __keyctl_dh_compute+0x2a1/0x1a00
[   34.140416]  compat_keyctl_dh_compute+0x2bb/0x3e0
[   34.145221]  compat_SyS_keyctl+0x72/0x2c0
[   34.149335]  do_fast_syscall_32+0x3ee/0xf9d
[   34.153620]  entry_SYSENTER_compat+0x51/0x60
[   34.157989] 
[   34.159580] Freed by task 1701:
[   34.162825]  save_stack+0x43/0xd0
[   34.166241]  kasan_slab_free+0x71/0xc0
[   34.170094]  kfree+0xca/0x250
[   34.173164]  load_elf_binary+0x1e00/0x4c50
[   34.177362]  search_binary_handler+0x142/0x6b0
[   34.181907]  do_execveat_common.isra.30+0x1754/0x23c0
[   34.187059]  SyS_execve+0x39/0x50
[   34.190477]  do_syscall_64+0x26c/0x920
[   34.194327]  return_from_SYSCALL_64+0x0/0x75
[   34.198696] 
[   34.200288] The buggy address belongs to the object at ffff8801cb8fe040
[   34.200288]  which belongs to the cache kmalloc-512 of size 512
[   34.212907] The buggy address is located 252 bytes inside of
[   34.212907]  512-byte region [ffff8801cb8fe040, ffff8801cb8fe240)
[   34.224743] The buggy address belongs to the page:
[   34.229636] page:000000005c5ee2ca count:1 mapcount:0 mapping:00000000aaed560f index:0x0
[   34.237745] flags: 0x2fffc0000000100(slab)
[   34.241947] raw: 02fffc0000000100 ffff8801cb8fe040 0000000000000000 0000000100000006
[   34.249794] raw: ffffea00072f80a0 ffffea00072e56a0 ffff8801db000940 0000000000000000
[   34.257635] page dumped because: kasan: bad access detected
[   34.263307] 
[   34.264898] Memory state around the buggy address:
[   34.269789]  ffff8801cb8fe080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   34.277112]  ffff8801cb8fe100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   34.284434] >ffff8801cb8fe180: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[   34.291754]                                               ^
[   34.297426]  ffff8801cb8fe200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.304747]  ffff8801cb8fe280: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   34.312068] ==================================================================
[   34.319390] Disabling lock debugging due to kernel taint
[   34.324951] Kernel panic - not syncing: panic_on_warn set ...
[   34.324951] 
[   34.332282] CPU: 0 PID: 3079 Comm: syzkaller542110 Tainted: G B 4.15.0-rc1+ #115
[   34.340992] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.350311] Call Trace:
[   34.352869]  dump_stack+0x194/0x257
[   34.356462]  ? arch_local_irq_restore+0x53/0x53
[   34.361097]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   34.365818]  ? vsnprintf+0x1ed/0x1900
[   34.369583]  ? sha3_update+0x90/0x2e0
[   34.373348]  panic+0x1e4/0x41c
[   34.376506]  ? refcount_error_report+0x214/0x214
[   34.381228]  ? add_taint+0x1c/0x50
[   34.384730]  ? add_taint+0x1c/0x50
[   34.388236]  ? sha3_update+0xdf/0x2e0
[   34.392000]  kasan_end_report+0x50/0x50
[   34.395936]  kasan_report+0x144/0x340
[   34.399700]  check_memory_region+0x137/0x190
[   34.404070]  memcpy+0x37/0x50
[   34.407142]  sha3_update+0xdf/0x2e0
[   34.410738]  crypto_shash_update+0xcb/0x220
[   34.415025]  hmac_update+0x7e/0xa0
[   34.418529]  crypto_shash_update+0xcb/0x220
[   34.422818]  __keyctl_dh_compute+0x16d8/0x1a00
[   34.427371]  ? dh_data_from_key+0x340/0x340
[   34.431659]  ? find_held_lock+0x39/0x1d0
[   34.435689]  ? __might_fault+0xe0/0x1d0
[   34.439630]  ? lock_release+0xda0/0xda0
[   34.443567]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   34.449422]  ? kasan_check_write+0x14/0x20
[   34.453619]  ? _copy_from_user+0x99/0x110
[   34.457732]  compat_keyctl_dh_compute+0x2bb/0x3e0
[   34.462542]  ? compat_SyS_keyctl+0x2c0/0x2c0
[   34.466912]  ? __handle_mm_fault+0x3e20/0x3e20
[   34.471469]  compat_SyS_keyctl+0x72/0x2c0
[   34.475582]  ? compat_keyctl_instantiate_key_iov+0x1c0/0x1c0
[   34.481352]  do_fast_syscall_32+0x3ee/0xf9d
[   34.485639]  ? do_int80_syscall_32+0x9d0/0x9d0
[   34.490196]  ? kasan_check_read+0x11/0x20
[   34.494309]  ? syscall_return_slowpath+0x550/0x550
[   34.499204]  ? SyS_rt_sigaction+0x94/0x1b0
[   34.503405]  ? lockdep_sys_exit+0x47/0xf0
[   34.507517]  ? retint_user+0x18/0x18
[   34.511198]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.516007]  entry_SYSENTER_compat+0x51/0x60
[   34.520376] RIP: 0023:0xf7fcdc79
[   34.523704] RSP: 002b:00000000ffdd6c5c EFLAGS: 00000282 ORIG_RAX: 0000000000000120
[   34.531373] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 00000000204c8ff4
[   34.538615] RDX: 00000000205cd000 RSI: 0000000000000030 RDI: 0000000020550000
[   34.545849] RBP: 00000000080bb068 R08: 0000000000000000 R09: 0000000000000000
[   34.553080] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   34.560313] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   34.567594] Dumping ftrace buffer:
[   34.571098]    (ftrace buffer empty)
[   34.574774] Kernel Offset: disabled
[   34.578367] Rebooting in 86400 seconds..