[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[ 20.043517] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ]

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 23.849981] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.212710] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.965000] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.118539] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.38' (ECDSA) to the list of known hosts.
[ 30.685245] random: sshd: uninitialized urandom read (32 bytes read)
2018/06/08 03:13:01 parsed 1 programs
[ 31.823217] random: cc1: uninitialized urandom read (8 bytes read)
2018/06/08 03:13:03 executed programs: 0
[ 32.940837] IPVS: ftp: loaded support on port[0] = 21
[ 33.065656] bridge0: port 1(bridge_slave_0) entered blocking state
[ 33.072156] bridge0: port 1(bridge_slave_0) entered disabled state
[ 33.079584] device bridge_slave_0 entered promiscuous mode
[ 33.096176] bridge0: port 2(bridge_slave_1) entered blocking state
[ 33.102548] bridge0: port 2(bridge_slave_1) entered disabled state
[ 33.109685] device bridge_slave_1 entered promiscuous mode
[ 33.125616] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 33.140975] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 33.180569] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 33.189241] ip (4579) used greatest stack depth: 17112 bytes left
[ 33.200458] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 33.262298] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 33.269625] team0: Port device team_slave_0 added
[ 33.284228] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 33.291560] team0: Port device team_slave_1 added
[ 33.306621] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 33.323473] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 33.341189] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 33.358140] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 33.401612] ip (4610) used greatest stack depth: 16888 bytes left
[ 33.441667] ip (4618) used greatest stack depth: 16760 bytes left
[ 33.484396] bridge0: port 2(bridge_slave_1) entered blocking state
[ 33.490852] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 33.497872] bridge0: port 1(bridge_slave_0) entered blocking state
[ 33.504248] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 33.907682] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 33.913804] 8021q: adding VLAN 0 to HW filter on device bond0
[ 33.955161] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 33.997567] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 34.006399] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 34.042828] 8021q: adding VLAN 0 to HW filter on device team0
[ 34.298820] ==================================================================
[ 34.306328] BUG: KASAN: slab-out-of-bounds in tgr160_final+0x93/0xe0
[ 34.312817] Write of size 20 at addr ffff8801d6bcd414 by task syz-executor0/4788
[ 34.320341]
[ 34.321983] CPU: 0 PID: 4788 Comm: syz-executor0 Not tainted 4.17.0+ #114
[ 34.328889] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.338224] Call Trace:
[ 34.340800]  dump_stack+0x1b9/0x294
[ 34.344414]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 34.349585]  ? printk+0x9e/0xba
[ 34.352846]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 34.357584]  ? kasan_check_write+0x14/0x20
[ 34.361810]  print_address_description+0x6c/0x20b
[ 34.366636]  ? tgr160_final+0x93/0xe0
[ 34.370425]  kasan_report.cold.7+0x242/0x2fe
[ 34.374825]  check_memory_region+0x13e/0x1b0
[ 34.379222]  memcpy+0x37/0x50
[ 34.382309]  tgr160_final+0x93/0xe0
[ 34.385926]  ? tgr128_final+0x170/0x170
[ 34.389885]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.395406]  ? tgr192_update+0x18a/0x520
[ 34.399452]  ? kasan_unpoison_shadow+0x35/0x50
[ 34.404039]  crypto_shash_final+0x104/0x260
[ 34.408342]  ? tgr128_final+0x170/0x170
[ 34.412307]  __keyctl_dh_compute+0x1184/0x1bc0
[ 34.416878]  ? copy_overflow+0x30/0x30
[ 34.420751]  ? find_held_lock+0x36/0x1c0
[ 34.424800]  ? lock_downgrade+0x8e0/0x8e0
[ 34.428930]  ? check_same_owner+0x320/0x320
[ 34.433245]  ? find_held_lock+0x36/0x1c0
[ 34.437295]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 34.442822]  ? _copy_from_user+0xdf/0x150
[ 34.446955]  compat_keyctl_dh_compute+0x2c8/0x3e0
[ 34.451782]  ? __x32_compat_sys_keyctl+0x3b0/0x3b0
[ 34.456698]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 34.461871]  __ia32_compat_sys_keyctl+0x137/0x3b0
[ 34.466705]  do_fast_syscall_32+0x345/0xf9b
[ 34.471013]  ? do_int80_syscall_32+0x880/0x880
[ 34.475594]  ? syscall_slow_exit_work+0x4f0/0x4f0
[ 34.480420]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.485939]  ? syscall_return_slowpath+0x30f/0x5c0
[ 34.490860]  ? sysret32_from_system_call+0x5/0x46
[ 34.495693]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 34.500525]  entry_SYSENTER_compat+0x70/0x7f
[ 34.504917] RIP: 0023:0xf7f36cb9
[ 34.508257] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 34.527450] RSP: 002b:00000000ff81ac3c EFLAGS: 00000282 ORIG_RAX: 0000000000000120
[ 34.535158] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000020000100
[ 34.542419] RDX: 0000000020a53ffb RSI: 0000000000000005 RDI: 0000000020c61fc8
[ 34.549666] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 34.556913] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[ 34.564161] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 34.571415]
[ 34.573029] Allocated by task 4788:
[ 34.576648]  save_stack+0x43/0xd0
[ 34.580079]  kasan_kmalloc+0xc4/0xe0
[ 34.583774]  __kmalloc+0x14e/0x760
[ 34.587297]  __keyctl_dh_compute+0xfe9/0x1bc0
[ 34.591776]  compat_keyctl_dh_compute+0x2c8/0x3e0
[ 34.596602]  __ia32_compat_sys_keyctl+0x137/0x3b0
[ 34.601424]  do_fast_syscall_32+0x345/0xf9b
[ 34.605732]  entry_SYSENTER_compat+0x70/0x7f
[ 34.610114]
[ 34.611720] Freed by task 2309:
[ 34.614979]  save_stack+0x43/0xd0
[ 34.618411]  __kasan_slab_free+0x11a/0x170
[ 34.622625]  kasan_slab_free+0xe/0x10
[ 34.626403]  kfree+0xd9/0x260
[ 34.629487]  tty_ldisc_put+0x4c/0x70
[ 34.633177]  tty_ldisc_kill+0x6e/0xc0
[ 34.636954]  tty_ldisc_release+0xc5/0x280
[ 34.641081]  tty_release_struct+0x1a/0x50
[ 34.645208]  tty_release+0xe96/0x12e0
[ 34.648987]  __fput+0x353/0x890
[ 34.652247]  ____fput+0x15/0x20
[ 34.655518]  task_work_run+0x1e4/0x290
[ 34.659399]  exit_to_usermode_loop+0x2bd/0x310
[ 34.663959]  do_syscall_64+0x6ac/0x800
[ 34.667832]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.672993]
[ 34.674606] The buggy address belongs to the object at ffff8801d6bcd400
[ 34.674606]  which belongs to the cache kmalloc-32 of size 32
[ 34.687066] The buggy address is located 20 bytes inside of
[ 34.687066]  32-byte region [ffff8801d6bcd400, ffff8801d6bcd420)
[ 34.698742] The buggy address belongs to the page:
[ 34.703651] page:ffffea00075af340 count:1 mapcount:0 mapping:ffff8801d6bcd000 index:0xffff8801d6bcdfc1
[ 34.713073] flags: 0x2fffc0000000100(slab)
[ 34.717292] raw: 02fffc0000000100 ffff8801d6bcd000 ffff8801d6bcdfc1 0000000100000021
[ 34.725167] raw: ffffea00075af5e0 ffffea00075c4260 ffff8801da8001c0 0000000000000000
[ 34.733030] page dumped because: kasan: bad access detected
[ 34.738720]
[ 34.740323] Memory state around the buggy address:
[ 34.745242]  ffff8801d6bcd300: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 34.752583]  ffff8801d6bcd380: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 34.759931] >ffff8801d6bcd400: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 34.767268]                          ^
[ 34.771394]  ffff8801d6bcd480: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 34.779171]  ffff8801d6bcd500: fb fb fb fb fc fc fc fc 00 06 fc fc fc fc fc fc
[ 34.786519] ==================================================================
[ 34.793855] Disabling lock debugging due to kernel taint
[ 34.799469] Kernel panic - not syncing: panic_on_warn set ...
[ 34.799469]
[ 34.806837] CPU: 0 PID: 4788 Comm: syz-executor0 Tainted: G    B 4.17.0+ #114
[ 34.815136] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.824468] Call Trace:
[ 34.827059]  dump_stack+0x1b9/0x294
[ 34.830669]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 34.835856]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 34.840603]  ? tgr128_final+0x130/0x170
[ 34.844559]  panic+0x22f/0x4de
[ 34.847751]  ? add_taint.cold.5+0x16/0x16
[ 34.851899]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 34.856291]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 34.860699]  ? tgr160_final+0x93/0xe0
[ 34.864500]  kasan_end_report+0x47/0x4f
[ 34.868467]  kasan_report.cold.7+0x76/0x2fe
[ 34.872769]  check_memory_region+0x13e/0x1b0
[ 34.877155]  memcpy+0x37/0x50
[ 34.880252]  tgr160_final+0x93/0xe0
[ 34.883860]  ? tgr128_final+0x170/0x170
[ 34.887815]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.893332]  ? tgr192_update+0x18a/0x520
[ 34.897390]  ? kasan_unpoison_shadow+0x35/0x50
[ 34.901953]  crypto_shash_final+0x104/0x260
[ 34.906250]  ? tgr128_final+0x170/0x170
[ 34.910205]  __keyctl_dh_compute+0x1184/0x1bc0
[ 34.914778]  ? copy_overflow+0x30/0x30
[ 34.918650]  ? find_held_lock+0x36/0x1c0
[ 34.922707]  ? lock_downgrade+0x8e0/0x8e0
[ 34.926836]  ? check_same_owner+0x320/0x320
[ 34.931152]  ? find_held_lock+0x36/0x1c0
[ 34.935214]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 34.940732]  ? _copy_from_user+0xdf/0x150
[ 34.944860]  compat_keyctl_dh_compute+0x2c8/0x3e0
[ 34.949681]  ? __x32_compat_sys_keyctl+0x3b0/0x3b0
[ 34.954593]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 34.959761]  __ia32_compat_sys_keyctl+0x137/0x3b0
[ 34.964595]  do_fast_syscall_32+0x345/0xf9b
[ 34.968906]  ? do_int80_syscall_32+0x880/0x880
[ 34.973467]  ? syscall_slow_exit_work+0x4f0/0x4f0
[ 34.978305]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.983825]  ? syscall_return_slowpath+0x30f/0x5c0
[ 34.988736]  ? sysret32_from_system_call+0x5/0x46
[ 34.993557]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 34.998378]  entry_SYSENTER_compat+0x70/0x7f
[ 35.002765] RIP: 0023:0xf7f36cb9
[ 35.006104] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 35.025219] RSP: 002b:00000000ff81ac3c EFLAGS: 00000282 ORIG_RAX: 0000000000000120
[ 35.032904] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000020000100
[ 35.040153] RDX: 0000000020a53ffb RSI: 0000000000000005 RDI: 0000000020c61fc8
[ 35.047400] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 35.054669] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[ 35.061919] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 35.069615] Dumping ftrace buffer:
[ 35.073144]    (ftrace buffer empty)
[ 35.076835] Kernel Offset: disabled
[ 35.080450] Rebooting in 86400 seconds..