[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd[ 20.117809] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 24.374736] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.781922] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.556625] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.715574] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.37' (ECDSA) to the list of known hosts.
[ 31.186266] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 31.281521] ==================================================================
[ 31.289000] BUG: KASAN: slab-out-of-bounds in sha1_final+0x283/0x2e0
[ 31.295477] Write of size 4 at addr ffff8801d951da58 by task syz-executor161/4556
[ 31.303073]
[ 31.304685] CPU: 0 PID: 4556 Comm: syz-executor161 Not tainted 4.17.0+ #90
[ 31.311673] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.321004] Call Trace:
[ 31.323577]  dump_stack+0x1b9/0x294
[ 31.327188]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 31.332357]  ? printk+0x9e/0xba
[ 31.335616]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 31.340357]  ? kasan_check_write+0x14/0x20
[ 31.344580]  print_address_description+0x6c/0x20b
[ 31.349407]  ? sha1_final+0x283/0x2e0
[ 31.353201]  kasan_report.cold.7+0x242/0x2fe
[ 31.357602]  __asan_report_store4_noabort+0x17/0x20
[ 31.362604]  sha1_final+0x283/0x2e0
[ 31.366231]  crypto_shash_final+0x104/0x260
[ 31.370534]  ? sha1_generic_block_fn+0x100/0x100
[ 31.375287]  __keyctl_dh_compute+0x1184/0x1bc0
[ 31.379859]  ? copy_overflow+0x30/0x30
[ 31.383736]  ? find_held_lock+0x36/0x1c0
[ 31.387785]  ? lock_downgrade+0x8e0/0x8e0
[ 31.391925]  ? check_same_owner+0x320/0x320
[ 31.396235]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 31.401758]  ? handle_mm_fault+0x55a/0xc70
[ 31.405996]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 31.411522]  ? _copy_from_user+0xdf/0x150
[ 31.415656]  keyctl_dh_compute+0xb9/0x100
[ 31.419785]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[ 31.424522]  ? kzfree+0x28/0x30
[ 31.427781]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 31.432969]  __x64_sys_keyctl+0x12a/0x3b0
[ 31.437103]  do_syscall_64+0x1b1/0x800
[ 31.440979]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 31.445894]  ? syscall_return_slowpath+0x30f/0x5c0
[ 31.450807]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.456326]  ? retint_user+0x18/0x18
[ 31.460035]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 31.464870]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.470041] RIP: 0033:0x43ffa9
[ 31.473222] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[ 31.492398] RSP: 002b:00007ffe82ff5c88 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[ 31.500097] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9
[ 31.507347] RDX: 0000000020a53ffb RSI: 0000000020000100 RDI: 0000000000000017
[ 31.514596] RBP: 00000000006ca018 R08: 0000000020000140 R09: 00000000004002c8
[ 31.521858] R10: 0000000000000005 R11: 0000000000000217 R12: 00000000004018d0
[ 31.529109] R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000
[ 31.536377]
[ 31.537990] Allocated by task 4556:
[ 31.541605]  save_stack+0x43/0xd0
[ 31.545042]  kasan_kmalloc+0xc4/0xe0
[ 31.548740]  __kmalloc+0x14e/0x760
[ 31.552266]  __keyctl_dh_compute+0xfe9/0x1bc0
[ 31.556743]  keyctl_dh_compute+0xb9/0x100
[ 31.560871]  __x64_sys_keyctl+0x12a/0x3b0
[ 31.565003]  do_syscall_64+0x1b1/0x800
[ 31.568881]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.574045]
[ 31.575652] Freed by task 2887:
[ 31.578912]  save_stack+0x43/0xd0
[ 31.582346]  __kasan_slab_free+0x11a/0x170
[ 31.586570]  kasan_slab_free+0xe/0x10
[ 31.590362]  kfree+0xd9/0x260
[ 31.593450]  single_release+0x8f/0xb0
[ 31.597245]  __fput+0x353/0x890
[ 31.600500]  ____fput+0x15/0x20
[ 31.603758]  task_work_run+0x1e4/0x290
[ 31.607626]  exit_to_usermode_loop+0x2bd/0x310
[ 31.612186]  do_syscall_64+0x6ac/0x800
[ 31.616068]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.621237]
[ 31.622852] The buggy address belongs to the object at ffff8801d951da40
[ 31.622852]  which belongs to the cache kmalloc-32 of size 32
[ 31.635321] The buggy address is located 24 bytes inside of
[ 31.635321]  32-byte region [ffff8801d951da40, ffff8801d951da60)
[ 31.647005] The buggy address belongs to the page:
[ 31.651919] page:ffffea0007654740 count:1 mapcount:0 mapping:ffff8801da8001c0 index:0xffff8801d951dfc1
[ 31.661344] flags: 0x2fffc0000000100(slab)
[ 31.665559] raw: 02fffc0000000100 ffffea0007655e48 ffffea00075c3d08 ffff8801da8001c0
[ 31.673427] raw: ffff8801d951dfc1 ffff8801d951d000 0000000100000030 0000000000000000
[ 31.681283] page dumped because: kasan: bad access detected
[ 31.686970]
[ 31.688574] Memory state around the buggy address:
[ 31.693482]  ffff8801d951d900: 00 00 00 00 fc fc fc fc 00 fc fc fc fc fc fc fc
[ 31.700831]  ffff8801d951d980: 00 00 00 00 fc fc fc fc 00 fc fc fc fc fc fc fc
[ 31.708182] >ffff8801d951da00: fb fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 31.715534]                                                       ^
[ 31.721752]  ffff8801d951da80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 31.729090]  ffff8801d951db00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 31.736426] ==================================================================
[ 31.743763] Disabling lock debugging due to kernel taint
[ 31.749282] Kernel panic - not syncing: panic_on_warn set ...
[ 31.749282]
[ 31.756649] CPU: 0 PID: 4556 Comm: syz-executor161 Tainted: G B 4.17.0+ #90
[ 31.765031] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.774379] Call Trace:
[ 31.776954]  dump_stack+0x1b9/0x294
[ 31.780560]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 31.785731]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 31.790467]  ? sha1_final+0x200/0x2e0
[ 31.794252]  panic+0x22f/0x4de
[ 31.797421]  ? add_taint.cold.5+0x16/0x16
[ 31.801550]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 31.805936]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 31.810322]  ? sha1_final+0x283/0x2e0
[ 31.814128]  kasan_end_report+0x47/0x4f
[ 31.818083]  kasan_report.cold.7+0x76/0x2fe
[ 31.822385]  __asan_report_store4_noabort+0x17/0x20
[ 31.827379]  sha1_final+0x283/0x2e0
[ 31.830988]  crypto_shash_final+0x104/0x260
[ 31.835290]  ? sha1_generic_block_fn+0x100/0x100
[ 31.840035]  __keyctl_dh_compute+0x1184/0x1bc0
[ 31.844600]  ? copy_overflow+0x30/0x30
[ 31.848469]  ? find_held_lock+0x36/0x1c0
[ 31.852510]  ? lock_downgrade+0x8e0/0x8e0
[ 31.856637]  ? check_same_owner+0x320/0x320
[ 31.860940]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 31.866467]  ? handle_mm_fault+0x55a/0xc70
[ 31.870685]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 31.876213]  ? _copy_from_user+0xdf/0x150
[ 31.880343]  keyctl_dh_compute+0xb9/0x100
[ 31.884471]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[ 31.889209]  ? kzfree+0x28/0x30
[ 31.892476]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 31.897646]  __x64_sys_keyctl+0x12a/0x3b0
[ 31.901779]  do_syscall_64+0x1b1/0x800
[ 31.905644]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 31.910556]  ? syscall_return_slowpath+0x30f/0x5c0
[ 31.915465]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.920982]  ? retint_user+0x18/0x18
[ 31.924686]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 31.929507]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.934673] RIP: 0033:0x43ffa9
[ 31.937839] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[ 31.956957] RSP: 002b:00007ffe82ff5c88 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[ 31.964645] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9
[ 31.971892] RDX: 0000000020a53ffb RSI: 0000000020000100 RDI: 0000000000000017
[ 31.979140] RBP: 00000000006ca018 R08: 0000000020000140 R09: 00000000004002c8
[ 31.986387] R10: 0000000000000005 R11: 0000000000000217 R12: 00000000004018d0
[ 31.993643] R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000
[ 32.001407] Dumping ftrace buffer:
[ 32.004929]    (ftrace buffer empty)
[ 32.008620] Kernel Offset: disabled
[ 32.012226] Rebooting in 86400 seconds..