[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[   19.697315] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   20.490226] random: sshd: uninitialized urandom read (32 bytes read)
[   20.769536] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   21.529980] random: sshd: uninitialized urandom read (32 bytes read)
[   21.685154] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.8' (ECDSA) to the list of known hosts.
[   27.105006] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   27.199761] ==================================================================
[   27.207222] BUG: KASAN: slab-out-of-bounds in sha1_finup+0x44e/0x4b0
[   27.213697] Write of size 4 at addr ffff8801d97e1ad8 by task syz-executor437/4553
[   27.221288]
[   27.222904] CPU: 0 PID: 4553 Comm: syz-executor437 Not tainted 4.17.0+ #89
[   27.229891] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.239220] Call Trace:
[   27.241791]  dump_stack+0x1b9/0x294
[   27.245402]  ? dump_stack_print_info.cold.2+0x52/0x52
[   27.250569]  ? printk+0x9e/0xba
[   27.253829]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   27.258572]  ? kasan_check_write+0x14/0x20
[   27.262800]  print_address_description+0x6c/0x20b
[   27.267626]  ? sha1_finup+0x44e/0x4b0
[   27.271407]  kasan_report.cold.7+0x242/0x2fe
[   27.275799]  __asan_report_store4_noabort+0x17/0x20
[   27.280792]  sha1_finup+0x44e/0x4b0
[   27.284401]  ? sha1_base_init+0x150/0x150
[   27.288543]  sha1_avx2_final+0x28/0x30
[   27.292425]  crypto_shash_final+0x104/0x260
[   27.296726]  ? sha1_avx2_finup+0x40/0x40
[   27.300772]  __keyctl_dh_compute+0x1184/0x1bc0
[   27.305348]  ? copy_overflow+0x30/0x30
[   27.309221]  ? find_held_lock+0x36/0x1c0
[   27.313273]  ? lock_downgrade+0x8e0/0x8e0
[   27.317421]  ? check_same_owner+0x320/0x320
[   27.321731]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   27.327253]  ? handle_mm_fault+0x55a/0xc70
[   27.331474]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   27.337010]  ? _copy_from_user+0xdf/0x150
[   27.341158]  keyctl_dh_compute+0xb9/0x100
[   27.345290]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   27.350077]  ? kzfree+0x28/0x30
[   27.353341]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   27.358523]  __x64_sys_keyctl+0x12a/0x3b0
[   27.362653]  do_syscall_64+0x1b1/0x800
[   27.366520]  ? syscall_return_slowpath+0x5c0/0x5c0
[   27.371428]  ? syscall_return_slowpath+0x30f/0x5c0
[   27.376347]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   27.381873]  ? retint_user+0x18/0x18
[   27.385572]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   27.390400]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   27.395566] RIP: 0033:0x43ffb9
[   27.398738] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[   27.417915] RSP: 002b:00007ffce5fe4808 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[   27.425615] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffb9
[   27.432863] RDX: 0000000020a53ffb RSI: 0000000020000100 RDI: 0000000000000017
[   27.440123] RBP: 00000000006ca018 R08: 0000000020c61fc8 R09: 00000000004002c8
[   27.447378] R10: 0000000000000005 R11: 0000000000000217 R12: 00000000004018e0
[   27.454625] R13: 0000000000401970 R14: 0000000000000000 R15: 0000000000000000
[   27.461879]
[   27.463485] Allocated by task 4553:
[   27.467093]  save_stack+0x43/0xd0
[   27.470522]  kasan_kmalloc+0xc4/0xe0
[   27.474213]  __kmalloc+0x14e/0x760
[   27.477732]  __keyctl_dh_compute+0xfe9/0x1bc0
[   27.482207]  keyctl_dh_compute+0xb9/0x100
[   27.486333]  __x64_sys_keyctl+0x12a/0x3b0
[   27.490461]  do_syscall_64+0x1b1/0x800
[   27.494333]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   27.499509]
[   27.501114] Freed by task 2877:
[   27.504372]  save_stack+0x43/0xd0
[   27.507805]  __kasan_slab_free+0x11a/0x170
[   27.512027]  kasan_slab_free+0xe/0x10
[   27.515812]  kfree+0xd9/0x260
[   27.518894]  single_release+0x8f/0xb0
[   27.522670]  __fput+0x353/0x890
[   27.525925]  ____fput+0x15/0x20
[   27.529183]  task_work_run+0x1e4/0x290
[   27.533057]  exit_to_usermode_loop+0x2bd/0x310
[   27.537630]  do_syscall_64+0x6ac/0x800
[   27.541499]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   27.546660]
[   27.548266] The buggy address belongs to the object at ffff8801d97e1ac0
[   27.548266]  which belongs to the cache kmalloc-32 of size 32
[   27.560738] The buggy address is located 24 bytes inside of
[   27.560738]  32-byte region [ffff8801d97e1ac0, ffff8801d97e1ae0)
[   27.572414] The buggy address belongs to the page:
[   27.577324] page:ffffea000765f840 count:1 mapcount:0 mapping:ffff8801d97e1000 index:0xffff8801d97e1fc1
[   27.586769] flags: 0x2fffc0000000100(slab)
[   27.590985] raw: 02fffc0000000100 ffff8801d97e1000 ffff8801d97e1fc1 0000000100000016
[   27.598966] raw: ffffea00076540e0 ffffea000736cda0 ffff8801da8001c0 0000000000000000
[   27.606831] page dumped because: kasan: bad access detected
[   27.612518]
[   27.614124] Memory state around the buggy address:
[   27.619040]  ffff8801d97e1980: 00 00 00 00 fc fc fc fc 00 fc fc fc fc fc fc fc
[   27.626385]  ffff8801d97e1a00: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc
[   27.633731] >ffff8801d97e1a80: fb fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   27.641071]                                                     ^
[   27.647541]  ffff8801d97e1b00: fb fb fb fb fc fc fc fc 00 fc fc fc fc fc fc fc
[   27.654882]  ffff8801d97e1b80: 00 fc fc fc fc fc fc fc 00 fc fc fc fc fc fc fc
[   27.662233] ==================================================================
[   27.669575] Disabling lock debugging due to kernel taint
[   27.675102] Kernel panic - not syncing: panic_on_warn set ...
[   27.675102]
[   27.682462] CPU: 0 PID: 4553 Comm: syz-executor437 Tainted: G    B             4.17.0+ #89
[   27.690843] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.700170] Call Trace:
[   27.702739]  dump_stack+0x1b9/0x294
[   27.706350]  ? dump_stack_print_info.cold.2+0x52/0x52
[   27.711527]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   27.716259]  ? sha1_finup+0x3a0/0x4b0
[   27.720044]  panic+0x22f/0x4de
[   27.723217]  ? add_taint.cold.5+0x16/0x16
[   27.727345]  ? do_raw_spin_unlock+0x9e/0x2e0
[   27.731730]  ? do_raw_spin_unlock+0x9e/0x2e0
[   27.736113]  ? sha1_finup+0x44e/0x4b0
[   27.739894]  kasan_end_report+0x47/0x4f
[   27.743845]  kasan_report.cold.7+0x76/0x2fe
[   27.748146]  __asan_report_store4_noabort+0x17/0x20
[   27.753140]  sha1_finup+0x44e/0x4b0
[   27.756745]  ? sha1_base_init+0x150/0x150
[   27.760879]  sha1_avx2_final+0x28/0x30
[   27.764743]  crypto_shash_final+0x104/0x260
[   27.769047]  ? sha1_avx2_finup+0x40/0x40
[   27.773097]  __keyctl_dh_compute+0x1184/0x1bc0
[   27.777661]  ? copy_overflow+0x30/0x30
[   27.781529]  ? find_held_lock+0x36/0x1c0
[   27.785568]  ? lock_downgrade+0x8e0/0x8e0
[   27.789694]  ? check_same_owner+0x320/0x320
[   27.793992]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   27.799511]  ? handle_mm_fault+0x55a/0xc70
[   27.803724]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   27.809239]  ? _copy_from_user+0xdf/0x150
[   27.813366]  keyctl_dh_compute+0xb9/0x100
[   27.817501]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   27.822245]  ? kzfree+0x28/0x30
[   27.825503]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   27.830673]  __x64_sys_keyctl+0x12a/0x3b0
[   27.834811]  do_syscall_64+0x1b1/0x800
[   27.838685]  ? syscall_return_slowpath+0x5c0/0x5c0
[   27.843593]  ? syscall_return_slowpath+0x30f/0x5c0
[   27.848501]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   27.854021]  ? retint_user+0x18/0x18
[   27.857717]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   27.862978]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   27.868143] RIP: 0033:0x43ffb9
[   27.871305] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[   27.890423] RSP: 002b:00007ffce5fe4808 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[   27.898110] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffb9
[   27.905364] RDX: 0000000020a53ffb RSI: 0000000020000100 RDI: 0000000000000017
[   27.912619] RBP: 00000000006ca018 R08: 0000000020c61fc8 R09: 00000000004002c8
[   27.919867] R10: 0000000000000005 R11: 0000000000000217 R12: 00000000004018e0
[   27.927113] R13: 0000000000401970 R14: 0000000000000000 R15: 0000000000000000
[   27.934990] Dumping ftrace buffer:
[   27.938525]    (ftrace buffer empty)
[   27.942219] Kernel Offset: disabled
[   27.945829] Rebooting in 86400 seconds..