[....] Starting OpenBSD Secure Shell server: sshd
[ 11.749146] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 27.078949] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.587664] audit: type=1400 audit(1537821740.961:6): avc: denied { map } for pid=1774 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 27.622662] random: sshd: uninitialized urandom read (32 bytes read)
[ 28.068341] random: sshd: uninitialized urandom read (32 bytes read)
[ 28.221977] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.37' (ECDSA) to the list of known hosts.
[ 33.867382] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 33.960124] audit: type=1400 audit(1537821747.331:7): avc: denied { map } for pid=1792 comm="syz-executor352" path="/root/syz-executor352190673" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 33.987977] audit: type=1400 audit(1537821747.371:8): avc: denied { prog_load } for pid=1792 comm="syz-executor352" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 34.012044] audit: type=1400 audit(1537821747.391:9): avc: denied { prog_run } for pid=1792 comm="syz-executor352" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 34.012210] ==================================================================
[ 34.012228] BUG: KASAN: use-after-free in _copy_to_user+0x9a/0xc0
[ 34.012231] Read of size 660 at addr ffff8801c3e3fffa by task syz-executor352/1792
[ 34.012233]
[ 34.012238] CPU: 0 PID: 1792 Comm: syz-executor352 Not tainted 4.14.71+ #8
[ 34.012240] Call Trace:
[ 34.012248]  dump_stack+0xb9/0x11b
[ 34.012258]  print_address_description+0x60/0x22b
[ 34.012264]  kasan_report.cold.6+0x11b/0x2dd
[ 34.012268]  ? _copy_to_user+0x9a/0xc0
[ 34.012274]  _copy_to_user+0x9a/0xc0
[ 34.012283]  bpf_test_finish.isra.0+0xc8/0x190
[ 34.012287]  ? bpf_test_run+0x350/0x350
[ 34.012295]  ? kvm_clock_read+0x1f/0x30
[ 34.012301]  ? ktime_get+0x17f/0x1c0
[ 34.012308]  ? bpf_test_run+0x280/0x350
[ 34.012319]  bpf_prog_test_run_skb+0x4d0/0x8c0
[ 34.012326]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 34.012334]  ? __fget_light+0x163/0x1f0
[ 34.012340]  ? bpf_prog_add+0x42/0xa0
[ 34.012346]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 34.012351]  SyS_bpf+0x79d/0x3640
[ 34.012359]  ? bpf_prog_get+0x20/0x20
[ 34.012363]  ? __do_page_fault+0x485/0xb60
[ 34.012370]  ? lock_downgrade+0x560/0x560
[ 34.012380]  ? up_read+0x17/0x30
[ 34.012384]  ? __do_page_fault+0x64c/0xb60
[ 34.012392]  ? do_syscall_64+0x43/0x4b0
[ 34.012399]  ? bpf_prog_get+0x20/0x20
[ 34.012402]  do_syscall_64+0x19b/0x4b0
[ 34.012411]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 34.012415] RIP: 0033:0x440259
[ 34.012417] RSP: 002b:00007fff63f9d828 EFLAGS: 00000213 ORIG_RAX: 0000000000000141
[ 34.012422] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440259
[ 34.012425] RDX: 0000000000000028 RSI: 0000000020000280 RDI: 000000000000000a
[ 34.012427] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 34.012430] R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401ae0
[ 34.012432] R13: 0000000000401b70 R14: 0000000000000000 R15: 0000000000000000
[ 34.012443]
[ 34.012444] The buggy address belongs to the page:
[ 34.012449] page:ffffea00070f8fc0 count:0 mapcount:0 mapping:          (null) index:0x0
[ 34.012452] flags: 0x4000000000000000()
[ 34.012458] raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff
[ 34.012463] raw: 0000000000000000 ffffea00070f8fe0 0000000000000000 0000000000000000
[ 34.012465] page dumped because: kasan: bad access detected
[ 34.012466]
[ 34.012467] Memory state around the buggy address:
[ 34.012470]  ffff8801c3e3fe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 34.012473]  ffff8801c3e3ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 34.012476] >ffff8801c3e3ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 34.012479]                                                                 ^
[ 34.012481]  ffff8801c3e40000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 34.012484]  ffff8801c3e40080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 34.012486] ==================================================================
[ 34.012487] Disabling lock debugging due to kernel taint
[ 34.012490] Kernel panic - not syncing: panic_on_warn set ...
[ 34.012490]
[ 34.012494] CPU: 0 PID: 1792 Comm: syz-executor352 Tainted: G    B 4.14.71+ #8
[ 34.012495] Call Trace:
[ 34.012499]  dump_stack+0xb9/0x11b
[ 34.012504]  panic+0x1bf/0x3a4
[ 34.012508]  ? add_taint.cold.4+0x16/0x16
[ 34.012516]  kasan_end_report+0x43/0x49
[ 34.012520]  kasan_report.cold.6+0x77/0x2dd
[ 34.012523]  ? _copy_to_user+0x9a/0xc0
[ 34.012528]  _copy_to_user+0x9a/0xc0
[ 34.012532]  bpf_test_finish.isra.0+0xc8/0x190
[ 34.012536]  ? bpf_test_run+0x350/0x350
[ 34.012540]  ? kvm_clock_read+0x1f/0x30
[ 34.012544]  ? ktime_get+0x17f/0x1c0
[ 34.012549]  ? bpf_test_run+0x280/0x350
[ 34.012555]  bpf_prog_test_run_skb+0x4d0/0x8c0
[ 34.012561]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 34.012565]  ? __fget_light+0x163/0x1f0
[ 34.012569]  ? bpf_prog_add+0x42/0xa0
[ 34.012573]  ? bpf_test_init.isra.1+0xc0/0xc0
[ 34.012577]  SyS_bpf+0x79d/0x3640
[ 34.012583]  ? bpf_prog_get+0x20/0x20
[ 34.012586]  ? __do_page_fault+0x485/0xb60
[ 34.012590]  ? lock_downgrade+0x560/0x560
[ 34.012596]  ? up_read+0x17/0x30
[ 34.012600]  ? __do_page_fault+0x64c/0xb60
[ 34.012604]  ? do_syscall_64+0x43/0x4b0
[ 34.012609]  ? bpf_prog_get+0x20/0x20
[ 34.012611]  do_syscall_64+0x19b/0x4b0
[ 34.012617]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 34.012620] RIP: 0033:0x440259
[ 34.012622] RSP: 002b:00007fff63f9d828 EFLAGS: 00000213 ORIG_RAX: 0000000000000141
[ 34.012625] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440259
[ 34.012627] RDX: 0000000000000028 RSI: 0000000020000280 RDI: 000000000000000a
[ 34.012630] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 34.012632] R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401ae0
[ 34.012634] R13: 0000000000401b70 R14: 0000000000000000 R15: 0000000000000000
[ 34.034649] Kernel Offset: 0x26e00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 34.504226] Rebooting in 86400 seconds..
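Reading the report by hand: the access is a 660-byte read starting 6 bytes before the end of page ffff8801c3e3f000, the shadow byte for that address is ff (KASAN_FREE_PAGE), the page dump shows count:0, and the user-space registers say the syscall was bpf (ORIG_RAX 0x141) with cmd 0xa, BPF_PROG_TEST_RUN. The helper below automates exactly that triage. It is an added example, not part of the syzkaller log or of any syzkaller tooling; the sample input is the report's own lines re-split one per line (the console log ran them together), and it assumes x86_64 syscall numbers, 4 KiB pages, 8-byte KASAN shadow granules and the shadow legend from mm/kasan/kasan.h of 4.14-era kernels. The function names are the example's own.

```python
"""Triage helper for a KASAN report pulled out of a console log (added example)."""
import re

# Constructed sample: the lines of the report above that matter for triage.
REPORT = """\
[ 34.012228] BUG: KASAN: use-after-free in _copy_to_user+0x9a/0xc0
[ 34.012231] Read of size 660 at addr ffff8801c3e3fffa by task syz-executor352/1792
[ 34.012238] CPU: 0 PID: 1792 Comm: syz-executor352 Not tainted 4.14.71+ #8
[ 34.012240] Call Trace:
[ 34.012248]  dump_stack+0xb9/0x11b
[ 34.012258]  print_address_description+0x60/0x22b
[ 34.012264]  kasan_report.cold.6+0x11b/0x2dd
[ 34.012268]  ? _copy_to_user+0x9a/0xc0
[ 34.012274]  _copy_to_user+0x9a/0xc0
[ 34.012283]  bpf_test_finish.isra.0+0xc8/0x190
[ 34.012287]  ? bpf_test_run+0x350/0x350
[ 34.012319]  bpf_prog_test_run_skb+0x4d0/0x8c0
[ 34.012351]  SyS_bpf+0x79d/0x3640
[ 34.012411]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 34.012417] RSP: 002b:00007fff63f9d828 EFLAGS: 00000213 ORIG_RAX: 0000000000000141
[ 34.012425] RDX: 0000000000000028 RSI: 0000000020000280 RDI: 000000000000000a
[ 34.012467] Memory state around the buggy address:
[ 34.012473]  ffff8801c3e3ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 34.012476] >ffff8801c3e3ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 34.012481]  ffff8801c3e40000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG_RE = re.compile(r"BUG: KASAN: ([\w-]+) in (\S+)")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)")
FRAME_RE = re.compile(r"^(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
REG_RE = re.compile(r"\b([A-Z][A-Z0-9_]{2,7}): ([0-9a-f]{16})\b")
SHADOW_RE = re.compile(r"^>?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$")

# Shadow byte meanings (mm/kasan/kasan.h, 4.14-era values; assumption for other kernels).
SHADOW_LEGEND = {0x00: "addressable", 0xFF: "freed page", 0xFE: "page redzone",
                 0xFC: "kmalloc redzone", 0xFB: "freed kmalloc object",
                 0xFA: "global redzone", 0xF1: "stack left redzone",
                 0xF2: "stack mid redzone", 0xF3: "stack right redzone",
                 0xF4: "stack partial redzone", 0xF8: "use-after-scope"}
X86_64_SYSCALLS = {321: "bpf"}            # only the number this report needs
BPF_CMDS = ["BPF_MAP_CREATE", "BPF_MAP_LOOKUP_ELEM", "BPF_MAP_UPDATE_ELEM",
            "BPF_MAP_DELETE_ELEM", "BPF_MAP_GET_NEXT_KEY", "BPF_PROG_LOAD",
            "BPF_OBJ_PIN", "BPF_OBJ_GET", "BPF_PROG_ATTACH", "BPF_PROG_DETACH",
            "BPF_PROG_TEST_RUN"]           # enum bpf_cmd order, cmd 10 = TEST_RUN

def parse_report(text):
    """Pull bug type, faulting access, stack frames, registers and shadow rows."""
    info = {"frames": [], "regs": {}, "shadow": {}}
    in_trace = False
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()          # drop "[ 34.012228] "
        if (m := BUG_RE.search(line)):
            info["bug"], info["where"] = m.group(1), m.group(2)
        elif (m := ACCESS_RE.search(line)):
            info["kind"], info["size"] = m.group(1), int(m.group(2))
            info["addr"], info["task"] = int(m.group(3), 16), m.group(4)
        elif line == "Call Trace:":
            in_trace = True
        elif in_trace and (m := FRAME_RE.match(line)):
            info["frames"].append((m.group(1) is not None, m.group(2)))  # (unreliable, name)
        elif (m := SHADOW_RE.match(line)):
            info["shadow"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
        else:
            for name, val in REG_RE.findall(line):
                info["regs"][name] = int(val, 16)
    return info

def signature(frames, depth=3):
    """Dedup-style crash signature: skip the reporting machinery and '?' frames
    (stale stack slots), and strip .isra/.cold compiler suffixes."""
    noise = ("dump_stack", "print_address_description", "kasan_report")
    out = [re.sub(r"\.(isra|cold|constprop|part)\.\d+", "", name)
           for unreliable, name in frames
           if not unreliable and not name.startswith(noise)]
    return out[:depth]

def page_span(addr, size, page=4096):
    """(first page, last page, bytes in first page, bytes past it) for an access."""
    first = addr & ~(page - 1)
    last = (addr + size - 1) & ~(page - 1)
    in_first = min(size, first + page - addr)
    return first, last, in_first, size - in_first

def shadow_byte(shadow, addr, granule=8):
    """Shadow byte covering addr, from the dumped rows (16 bytes x 8-byte granules)."""
    for base, row in shadow.items():
        if base <= addr < base + granule * len(row):
            return row[(addr - base) // granule]
    return None

def describe_shadow(b):
    if b is None:
        return "not in dump"
    if 1 <= b <= 7:
        return f"partially addressable ({b} of 8 bytes)"
    return SHADOW_LEGEND.get(b, f"unknown 0x{b:02x}")

def syscall(regs):
    """Name the syscall from ORIG_RAX and, for bpf(2), the command from RDI."""
    nr = regs.get("ORIG_RAX")
    name = X86_64_SYSCALLS.get(nr, f"nr {nr}")
    cmd = None
    if name == "bpf":
        rdi = regs.get("RDI", -1)
        cmd = BPF_CMDS[rdi] if 0 <= rdi < len(BPF_CMDS) else f"cmd {rdi}"
    return name, cmd

def triage(text):
    r = parse_report(text)
    first, last, _, beyond = page_span(r["addr"], r["size"])
    return {"signature": signature(r["frames"]),
            "access": f'{r["kind"]} of {r["size"]} bytes at 0x{r["addr"]:x}',
            "shadow": describe_shadow(shadow_byte(r["shadow"], r["addr"])),
            "crosses_page": first != last, "bytes_past_first_page": beyond,
            "syscall": syscall(r["regs"])}

if __name__ == "__main__":
    for k, v in triage(REPORT).items():
        print(f"{k}: {v}")
```

The two facts a practitioner wants from this report fall out directly: the source buffer lives in a page KASAN has already marked freed (shadow ff, matching count:0 in the page dump), and the copy runs 654 bytes past the end of that page, so the length handed to `_copy_to_user` in `bpf_test_finish` no longer matches the buffer it is copying from. The `?` frames are deliberately excluded from the signature; they are leftover stack slots, not real callers.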