[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   20.043517] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.849981] random: sshd: uninitialized urandom read (32 bytes read)
[   24.212710] random: sshd: uninitialized urandom read (32 bytes read)
[   24.965000] random: sshd: uninitialized urandom read (32 bytes read)
[   25.118539] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.38' (ECDSA) to the list of known hosts.
[   30.685245] random: sshd: uninitialized urandom read (32 bytes read)
2018/06/08 03:13:01 parsed 1 programs
[   31.823217] random: cc1: uninitialized urandom read (8 bytes read)
2018/06/08 03:13:03 executed programs: 0
[   32.940837] IPVS: ftp: loaded support on port[0] = 21
[   33.065656] bridge0: port 1(bridge_slave_0) entered blocking state
[   33.072156] bridge0: port 1(bridge_slave_0) entered disabled state
[   33.079584] device bridge_slave_0 entered promiscuous mode
[   33.096176] bridge0: port 2(bridge_slave_1) entered blocking state
[   33.102548] bridge0: port 2(bridge_slave_1) entered disabled state
[   33.109685] device bridge_slave_1 entered promiscuous mode
[   33.125616] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   33.140975] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   33.180569] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   33.189241] ip (4579) used greatest stack depth: 17112 bytes left
[   33.200458] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   33.262298] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   33.269625] team0: Port device team_slave_0 added
[   33.284228] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   33.291560] team0: Port device team_slave_1 added
[   33.306621] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   33.323473] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   33.341189] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   33.358140] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   33.401612] ip (4610) used greatest stack depth: 16888 bytes left
[   33.441667] ip (4618) used greatest stack depth: 16760 bytes left
[   33.484396] bridge0: port 2(bridge_slave_1) entered blocking state
[   33.490852] bridge0: port 2(bridge_slave_1) entered forwarding state
[   33.497872] bridge0: port 1(bridge_slave_0) entered blocking state
[   33.504248] bridge0: port 1(bridge_slave_0) entered forwarding state
[   33.907682] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   33.913804] 8021q: adding VLAN 0 to HW filter on device bond0
[   33.955161] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   33.997567] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   34.006399] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   34.042828] 8021q: adding VLAN 0 to HW filter on device team0
[   34.298820] ==================================================================
[   34.306328] BUG: KASAN: slab-out-of-bounds in tgr160_final+0x93/0xe0
[   34.312817] Write of size 20 at addr ffff8801d6bcd414 by task syz-executor0/4788
[   34.320341] 
[   34.321983] CPU: 0 PID: 4788 Comm: syz-executor0 Not tainted 4.17.0+ #114
[   34.328889] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.338224] Call Trace:
[   34.340800]  dump_stack+0x1b9/0x294
[   34.344414]  ? dump_stack_print_info.cold.2+0x52/0x52
[   34.349585]  ? printk+0x9e/0xba
[   34.352846]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   34.357584]  ? kasan_check_write+0x14/0x20
[   34.361810]  print_address_description+0x6c/0x20b
[   34.366636]  ? tgr160_final+0x93/0xe0
[   34.370425]  kasan_report.cold.7+0x242/0x2fe
[   34.374825]  check_memory_region+0x13e/0x1b0
[   34.379222]  memcpy+0x37/0x50
[   34.382309]  tgr160_final+0x93/0xe0
[   34.385926]  ? tgr128_final+0x170/0x170
[   34.389885]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.395406]  ? tgr192_update+0x18a/0x520
[   34.399452]  ? kasan_unpoison_shadow+0x35/0x50
[   34.404039]  crypto_shash_final+0x104/0x260
[   34.408342]  ? tgr128_final+0x170/0x170
[   34.412307]  __keyctl_dh_compute+0x1184/0x1bc0
[   34.416878]  ? copy_overflow+0x30/0x30
[   34.420751]  ? find_held_lock+0x36/0x1c0
[   34.424800]  ? lock_downgrade+0x8e0/0x8e0
[   34.428930]  ? check_same_owner+0x320/0x320
[   34.433245]  ? find_held_lock+0x36/0x1c0
[   34.437295]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   34.442822]  ? _copy_from_user+0xdf/0x150
[   34.446955]  compat_keyctl_dh_compute+0x2c8/0x3e0
[   34.451782]  ? __x32_compat_sys_keyctl+0x3b0/0x3b0
[   34.456698]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   34.461871]  __ia32_compat_sys_keyctl+0x137/0x3b0
[   34.466705]  do_fast_syscall_32+0x345/0xf9b
[   34.471013]  ? do_int80_syscall_32+0x880/0x880
[   34.475594]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   34.480420]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.485939]  ? syscall_return_slowpath+0x30f/0x5c0
[   34.490860]  ? sysret32_from_system_call+0x5/0x46
[   34.495693]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.500525]  entry_SYSENTER_compat+0x70/0x7f
[   34.504917] RIP: 0023:0xf7f36cb9
[   34.508257] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 
[   34.527450] RSP: 002b:00000000ff81ac3c EFLAGS: 00000282 ORIG_RAX: 0000000000000120
[   34.535158] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000020000100
[   34.542419] RDX: 0000000020a53ffb RSI: 0000000000000005 RDI: 0000000020c61fc8
[   34.549666] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   34.556913] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[   34.564161] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   34.571415] 
[   34.573029] Allocated by task 4788:
[   34.576648]  save_stack+0x43/0xd0
[   34.580079]  kasan_kmalloc+0xc4/0xe0
[   34.583774]  __kmalloc+0x14e/0x760
[   34.587297]  __keyctl_dh_compute+0xfe9/0x1bc0
[   34.591776]  compat_keyctl_dh_compute+0x2c8/0x3e0
[   34.596602]  __ia32_compat_sys_keyctl+0x137/0x3b0
[   34.601424]  do_fast_syscall_32+0x345/0xf9b
[   34.605732]  entry_SYSENTER_compat+0x70/0x7f
[   34.610114] 
[   34.611720] Freed by task 2309:
[   34.614979]  save_stack+0x43/0xd0
[   34.618411]  __kasan_slab_free+0x11a/0x170
[   34.622625]  kasan_slab_free+0xe/0x10
[   34.626403]  kfree+0xd9/0x260
[   34.629487]  tty_ldisc_put+0x4c/0x70
[   34.633177]  tty_ldisc_kill+0x6e/0xc0
[   34.636954]  tty_ldisc_release+0xc5/0x280
[   34.641081]  tty_release_struct+0x1a/0x50
[   34.645208]  tty_release+0xe96/0x12e0
[   34.648987]  __fput+0x353/0x890
[   34.652247]  ____fput+0x15/0x20
[   34.655518]  task_work_run+0x1e4/0x290
[   34.659399]  exit_to_usermode_loop+0x2bd/0x310
[   34.663959]  do_syscall_64+0x6ac/0x800
[   34.667832]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.672993] 
[   34.674606] The buggy address belongs to the object at ffff8801d6bcd400
[   34.674606]  which belongs to the cache kmalloc-32 of size 32
[   34.687066] The buggy address is located 20 bytes inside of
[   34.687066]  32-byte region [ffff8801d6bcd400, ffff8801d6bcd420)
[   34.698742] The buggy address belongs to the page:
[   34.703651] page:ffffea00075af340 count:1 mapcount:0 mapping:ffff8801d6bcd000 index:0xffff8801d6bcdfc1
[   34.713073] flags: 0x2fffc0000000100(slab)
[   34.717292] raw: 02fffc0000000100 ffff8801d6bcd000 ffff8801d6bcdfc1 0000000100000021
[   34.725167] raw: ffffea00075af5e0 ffffea00075c4260 ffff8801da8001c0 0000000000000000
[   34.733030] page dumped because: kasan: bad access detected
[   34.738720] 
[   34.740323] Memory state around the buggy address:
[   34.745242]  ffff8801d6bcd300: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   34.752583]  ffff8801d6bcd380: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   34.759931] >ffff8801d6bcd400: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc
[   34.767268]                             ^
[   34.771394]  ffff8801d6bcd480: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[   34.779171]  ffff8801d6bcd500: fb fb fb fb fc fc fc fc 00 06 fc fc fc fc fc fc
[   34.786519] ==================================================================
[   34.793855] Disabling lock debugging due to kernel taint
[   34.799469] Kernel panic - not syncing: panic_on_warn set ...
[   34.799469] 
[   34.806837] CPU: 0 PID: 4788 Comm: syz-executor0 Tainted: G    B             4.17.0+ #114
[   34.815136] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.824468] Call Trace:
[   34.827059]  dump_stack+0x1b9/0x294
[   34.830669]  ? dump_stack_print_info.cold.2+0x52/0x52
[   34.835856]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   34.840603]  ? tgr128_final+0x130/0x170
[   34.844559]  panic+0x22f/0x4de
[   34.847751]  ? add_taint.cold.5+0x16/0x16
[   34.851899]  ? do_raw_spin_unlock+0x9e/0x2e0
[   34.856291]  ? do_raw_spin_unlock+0x9e/0x2e0
[   34.860699]  ? tgr160_final+0x93/0xe0
[   34.864500]  kasan_end_report+0x47/0x4f
[   34.868467]  kasan_report.cold.7+0x76/0x2fe
[   34.872769]  check_memory_region+0x13e/0x1b0
[   34.877155]  memcpy+0x37/0x50
[   34.880252]  tgr160_final+0x93/0xe0
[   34.883860]  ? tgr128_final+0x170/0x170
[   34.887815]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.893332]  ? tgr192_update+0x18a/0x520
[   34.897390]  ? kasan_unpoison_shadow+0x35/0x50
[   34.901953]  crypto_shash_final+0x104/0x260
[   34.906250]  ? tgr128_final+0x170/0x170
[   34.910205]  __keyctl_dh_compute+0x1184/0x1bc0
[   34.914778]  ? copy_overflow+0x30/0x30
[   34.918650]  ? find_held_lock+0x36/0x1c0
[   34.922707]  ? lock_downgrade+0x8e0/0x8e0
[   34.926836]  ? check_same_owner+0x320/0x320
[   34.931152]  ? find_held_lock+0x36/0x1c0
[   34.935214]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   34.940732]  ? _copy_from_user+0xdf/0x150
[   34.944860]  compat_keyctl_dh_compute+0x2c8/0x3e0
[   34.949681]  ? __x32_compat_sys_keyctl+0x3b0/0x3b0
[   34.954593]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   34.959761]  __ia32_compat_sys_keyctl+0x137/0x3b0
[   34.964595]  do_fast_syscall_32+0x345/0xf9b
[   34.968906]  ? do_int80_syscall_32+0x880/0x880
[   34.973467]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   34.978305]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.983825]  ? syscall_return_slowpath+0x30f/0x5c0
[   34.988736]  ? sysret32_from_system_call+0x5/0x46
[   34.993557]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.998378]  entry_SYSENTER_compat+0x70/0x7f
[   35.002765] RIP: 0023:0xf7f36cb9
[   35.006104] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 
[   35.025219] RSP: 002b:00000000ff81ac3c EFLAGS: 00000282 ORIG_RAX: 0000000000000120
[   35.032904] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000020000100
[   35.040153] RDX: 0000000020a53ffb RSI: 0000000000000005 RDI: 0000000020c61fc8
[   35.047400] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   35.054669] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[   35.061919] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   35.069615] Dumping ftrace buffer:
[   35.073144]    (ftrace buffer empty)
[   35.076835] Kernel Offset: disabled
[   35.080450] Rebooting in 86400 seconds..