[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 19.419664] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 22.729671] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.988444] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.712571] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.869861] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.24' (ECDSA) to the list of known hosts.
[ 29.336977] random: sshd: uninitialized urandom read (32 bytes read)
2018/04/29 10:39:56 parsed 1 programs
2018/04/29 10:39:56 executed programs: 0
[ 29.803596] IPVS: ftp: loaded support on port[0] = 21
[ 30.006147] bridge0: port 1(bridge_slave_0) entered blocking state
[ 30.012656] bridge0: port 1(bridge_slave_0) entered disabled state
[ 30.020231] device bridge_slave_0 entered promiscuous mode
[ 30.037066] bridge0: port 2(bridge_slave_1) entered blocking state
[ 30.043459] bridge0: port 2(bridge_slave_1) entered disabled state
[ 30.050660] device bridge_slave_1 entered promiscuous mode
[ 30.066499] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 30.082410] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 30.123599] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 30.141401] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 30.209852] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 30.217279] team0: Port device team_slave_0 added
[ 30.232058] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 30.239305] team0: Port device team_slave_1 added
[ 30.254597] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 30.274015] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 30.292710] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 30.309992] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 30.429902] bridge0: port 2(bridge_slave_1) entered blocking state
[ 30.436409] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 30.443481] bridge0: port 1(bridge_slave_0) entered blocking state
[ 30.449852] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 30.870830] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 30.876989] 8021q: adding VLAN 0 to HW filter on device bond0
[ 30.919931] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 30.945378] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 30.973308] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 30.979501] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 30.987175] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 31.026965] 8021q: adding VLAN 0 to HW filter on device team0
[ 31.292335] ==================================================================
[ 31.299906] BUG: KASAN: slab-out-of-bounds in __sctp_v6_cmp_addr+0x4c7/0x530
[ 31.307130] Read of size 8 at addr ffff8801d661ad10 by task syz-executor0/4792
[ 31.314512]
[ 31.316132] CPU: 1 PID: 4792 Comm: syz-executor0 Not tainted 4.17.0-rc2+ #48
[ 31.323299] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.332653] Call Trace:
[ 31.335236]  dump_stack+0x1b9/0x294
[ 31.338854]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 31.344037]  ? printk+0x9e/0xba
[ 31.347315]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 31.352062]  ? kasan_check_write+0x14/0x20
[ 31.356284]  print_address_description+0x6c/0x20b
[ 31.361124]  ? __sctp_v6_cmp_addr+0x4c7/0x530
[ 31.365602]  kasan_report.cold.7+0x242/0x2fe
[ 31.370006]  __asan_report_load8_noabort+0x14/0x20
[ 31.374956]  __sctp_v6_cmp_addr+0x4c7/0x530
[ 31.379294]  sctp_inet6_cmp_addr+0x169/0x1a0
[ 31.383708]  sctp_bind_addr_conflict+0x28c/0x470
[ 31.388467]  ? sctp_bind_addr_match+0x400/0x400
[ 31.393136]  ? kasan_check_write+0x14/0x20
[ 31.397363]  ? do_raw_spin_lock+0xc1/0x200
[ 31.401584]  sctp_get_port_local+0x9fc/0x1540
[ 31.406071]  ? print_shortest_lock_dependencies.cold.55+0xa9/0x22a
[ 31.412379]  ? sctp_set_owner_w+0x530/0x530
[ 31.416689]  ? kasan_check_read+0x11/0x20
[ 31.420823]  ? rcu_is_watching+0x85/0x140
[ 31.424957]  ? rcu_bh_force_quiescent_state+0x20/0x20
[ 31.430142]  ? sctp_bind_addr_match+0x2c6/0x400
[ 31.434810]  ? sctp_bind_addrs_to_raw+0x370/0x370
[ 31.439644]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 31.445167]  ? sctp_v4_available+0x1b1/0x200
[ 31.449563]  ? sctp_inet6_bind_verify+0xb2/0x500
[ 31.454303]  sctp_do_bind+0x21c/0x5f0
[ 31.458094]  sctp_bindx_add+0x90/0x1a0
[ 31.461968]  sctp_setsockopt_bindx+0x2ad/0x320
[ 31.466538]  sctp_setsockopt+0x12c4/0x7000
[ 31.470758]  ? sctp_setsockopt_paddr_thresholds+0x560/0x560
[ 31.476456]  ? print_usage_bug+0xc0/0xc0
[ 31.480506]  ? __lock_is_held+0xb5/0x140
[ 31.484552]  ? __account_cfs_rq_runtime+0x600/0x600
[ 31.489555]  ? set_next_entity+0x2ae/0xaf0
[ 31.493770]  ? debug_check_no_locks_freed+0x310/0x310
[ 31.499204]  ? __lock_acquire+0x7f5/0x5140
[ 31.503431]  ? __enqueue_entity+0x10d/0x1f0
[ 31.507739]  ? debug_check_no_locks_freed+0x310/0x310
[ 31.512931]  ? find_held_lock+0x36/0x1c0
[ 31.516980]  ? lock_downgrade+0x8e0/0x8e0
[ 31.521128]  ? finish_task_switch+0x182/0x810
[ 31.525631]  ? kasan_check_read+0x11/0x20
[ 31.529763]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 31.534161]  ? do_raw_spin_trylock+0x1b0/0x1b0
[ 31.538738]  ? compat_start_thread+0x80/0x80
[ 31.543134]  ? _raw_spin_unlock_irq+0x27/0x70
[ 31.547631]  ? graph_lock+0x170/0x170
[ 31.551422]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 31.556427]  ? trace_hardirqs_on+0xd/0x10
[ 31.560561]  ? _raw_spin_unlock_irq+0x27/0x70
[ 31.565050]  ? finish_task_switch+0x1ca/0x810
[ 31.569532]  ? finish_task_switch+0x182/0x810
[ 31.574019]  ? find_held_lock+0x36/0x1c0
[ 31.578092]  ? lock_downgrade+0x8e0/0x8e0
[ 31.582225]  ? kasan_check_read+0x11/0x20
[ 31.586361]  ? rcu_is_watching+0x85/0x140
[ 31.590580]  ? rcu_bh_force_quiescent_state+0x20/0x20
[ 31.595757]  ? __fget+0x40c/0x650
[ 31.599197]  ? expand_files.part.8+0x9a0/0x9a0
[ 31.603768]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.609291]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 31.614813]  ? sock_alloc_file+0x2a4/0x4e0
[ 31.619043]  ? __schedule+0x1e30/0x1e30
[ 31.623013]  compat_sock_common_setsockopt+0x10c/0x150
[ 31.628282]  ? sock_common_setsockopt+0xe0/0xe0
[ 31.632940]  __compat_sys_setsockopt+0x1ab/0x7c0
[ 31.637679]  ? __compat_sys_getsockopt+0x7f0/0x7f0
[ 31.642598]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.648129]  ? exit_to_usermode_loop+0x1ef/0x310
[ 31.652886]  ? syscall_slow_exit_work+0x4f0/0x4f0
[ 31.657716]  __ia32_compat_sys_setsockopt+0xbd/0x150
[ 31.662804]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 31.667805]  do_fast_syscall_32+0x345/0xf9b
[ 31.672113]  ? do_int80_syscall_32+0x880/0x880
[ 31.676681]  ? _raw_spin_unlock_irq+0x27/0x70
[ 31.681159]  ? finish_task_switch+0x1ca/0x810
[ 31.685641]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.691159]  ? syscall_return_slowpath+0x30f/0x5c0
[ 31.696073]  ? sysret32_from_system_call+0x5/0x46
[ 31.701001]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 31.705838]  entry_SYSENTER_compat+0x70/0x7f
[ 31.710229] RIP: 0023:0xf7ff2cb9
[ 31.713578] RSP: 002b:00000000f7fee0ac EFLAGS: 00000282 ORIG_RAX: 000000000000016e
[ 31.721271] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000000084
[ 31.728521] RDX: 0000000000000064 RSI: 0000000020223fd4 RDI: 0000000000000010
[ 31.735772] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 31.743030] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 31.750287] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 31.757546]
[ 31.759154] Allocated by task 4792:
[ 31.762768]  save_stack+0x43/0xd0
[ 31.766201]  kasan_kmalloc+0xc4/0xe0
[ 31.769894]  __kmalloc_node+0x47/0x70
[ 31.773674]  kvmalloc_node+0x6b/0x100
[ 31.777462]  vmemdup_user+0x2d/0xa0
[ 31.781080]  sctp_setsockopt_bindx+0x5d/0x320
[ 31.785560]  sctp_setsockopt+0x12c4/0x7000
[ 31.789785]  compat_sock_common_setsockopt+0x10c/0x150
[ 31.795052]  __compat_sys_setsockopt+0x1ab/0x7c0
[ 31.799789]  __ia32_compat_sys_setsockopt+0xbd/0x150
[ 31.804881]  do_fast_syscall_32+0x345/0xf9b
[ 31.809186]  entry_SYSENTER_compat+0x70/0x7f
[ 31.813570]
[ 31.815179] Freed by task 3165:
[ 31.818442]  save_stack+0x43/0xd0
[ 31.821877]  __kasan_slab_free+0x11a/0x170
[ 31.826092]  kasan_slab_free+0xe/0x10
[ 31.829873]  kfree+0xd9/0x260
[ 31.832958]  free_bprm+0x1a4/0x210
[ 31.836479]  do_execveat_common.isra.34+0x1cd2/0x2590
[ 31.841656]  __x64_sys_execve+0x8d/0xb0
[ 31.845612]  do_syscall_64+0x1b1/0x800
[ 31.849481]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.854644]
[ 31.856262] The buggy address belongs to the object at ffff8801d661ad00
[ 31.856262]  which belongs to the cache kmalloc-32 of size 32
[ 31.868727] The buggy address is located 16 bytes inside of
[ 31.868727]  32-byte region [ffff8801d661ad00, ffff8801d661ad20)
[ 31.880420] The buggy address belongs to the page:
[ 31.885357] page:ffffea0007598680 count:1 mapcount:0 mapping:ffff8801d661a000 index:0xffff8801d661afc1
[ 31.894790] flags: 0x2fffc0000000100(slab)
[ 31.899016] raw: 02fffc0000000100 ffff8801d661a000 ffff8801d661afc1 000000010000000a
[ 31.906895] raw: ffffea000758eee0 ffffea00075911a0 ffff8801da8001c0 0000000000000000
[ 31.914758] page dumped because: kasan: bad access detected
[ 31.920446]
[ 31.922053] Memory state around the buggy address:
[ 31.926965]  ffff8801d661ac00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 31.934308]  ffff8801d661ac80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 31.941654] >ffff8801d661ad00: 00 00 fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 31.948995]                          ^
[ 31.952875]  ffff8801d661ad80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 31.960229]  ffff8801d661ae00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 31.967577] ==================================================================
[ 31.974938] Disabling lock debugging due to kernel taint
[ 31.980417] Kernel panic - not syncing: panic_on_warn set ...
[ 31.980417]
[ 31.987800] CPU: 1 PID: 4792 Comm: syz-executor0 Tainted: G    B             4.17.0-rc2+ #48
[ 31.996643] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.005991] Call Trace:
[ 32.008578]  dump_stack+0x1b9/0x294
[ 32.012189]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 32.017367]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 32.022116]  ? __sctp_v6_cmp_addr+0x3f0/0x530
[ 32.026593]  panic+0x22f/0x4de
[ 32.029776]  ? add_taint.cold.5+0x16/0x16
[ 32.033925]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 32.038338]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 32.042749]  ? __sctp_v6_cmp_addr+0x4c7/0x530
[ 32.047340]  kasan_end_report+0x47/0x4f
[ 32.051322]  kasan_report.cold.7+0x76/0x2fe
[ 32.055673]  __asan_report_load8_noabort+0x14/0x20
[ 32.060593]  __sctp_v6_cmp_addr+0x4c7/0x530
[ 32.064908]  sctp_inet6_cmp_addr+0x169/0x1a0
[ 32.069313]  sctp_bind_addr_conflict+0x28c/0x470
[ 32.074053]  ? sctp_bind_addr_match+0x400/0x400
[ 32.078707]  ? kasan_check_write+0x14/0x20
[ 32.082941]  ? do_raw_spin_lock+0xc1/0x200
[ 32.087160]  sctp_get_port_local+0x9fc/0x1540
[ 32.091641]  ? print_shortest_lock_dependencies.cold.55+0xa9/0x22a
[ 32.097949]  ? sctp_set_owner_w+0x530/0x530
[ 32.102266]  ? kasan_check_read+0x11/0x20
[ 32.106401]  ? rcu_is_watching+0x85/0x140
[ 32.111079]  ? rcu_bh_force_quiescent_state+0x20/0x20
[ 32.116264]  ? sctp_bind_addr_match+0x2c6/0x400
[ 32.120925]  ? sctp_bind_addrs_to_raw+0x370/0x370
[ 32.125753]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 32.131271]  ? sctp_v4_available+0x1b1/0x200
[ 32.135672]  ? sctp_inet6_bind_verify+0xb2/0x500
[ 32.140406]  sctp_do_bind+0x21c/0x5f0
[ 32.144191]  sctp_bindx_add+0x90/0x1a0
[ 32.148069]  sctp_setsockopt_bindx+0x2ad/0x320
[ 32.152670]  sctp_setsockopt+0x12c4/0x7000
[ 32.156890]  ? sctp_setsockopt_paddr_thresholds+0x560/0x560
[ 32.162591]  ? print_usage_bug+0xc0/0xc0
[ 32.166633]  ? __lock_is_held+0xb5/0x140
[ 32.170676]  ? __account_cfs_rq_runtime+0x600/0x600
[ 32.175676]  ? set_next_entity+0x2ae/0xaf0
[ 32.179890]  ? debug_check_no_locks_freed+0x310/0x310
[ 32.185067]  ? __lock_acquire+0x7f5/0x5140
[ 32.189286]  ? __enqueue_entity+0x10d/0x1f0
[ 32.193592]  ? debug_check_no_locks_freed+0x310/0x310
[ 32.198764]  ? find_held_lock+0x36/0x1c0
[ 32.202810]  ? lock_downgrade+0x8e0/0x8e0
[ 32.206942]  ? finish_task_switch+0x182/0x810
[ 32.211419]  ? kasan_check_read+0x11/0x20
[ 32.215552]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 32.220035]  ? do_raw_spin_trylock+0x1b0/0x1b0
[ 32.224611]  ? compat_start_thread+0x80/0x80
[ 32.229022]  ? _raw_spin_unlock_irq+0x27/0x70
[ 32.233510]  ? graph_lock+0x170/0x170
[ 32.237292]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 32.242286]  ? trace_hardirqs_on+0xd/0x10
[ 32.246438]  ? _raw_spin_unlock_irq+0x27/0x70
[ 32.250930]  ? finish_task_switch+0x1ca/0x810
[ 32.255406]  ? finish_task_switch+0x182/0x810
[ 32.259884]  ? find_held_lock+0x36/0x1c0
[ 32.263932]  ? lock_downgrade+0x8e0/0x8e0
[ 32.268075]  ? kasan_check_read+0x11/0x20
[ 32.272211]  ? rcu_is_watching+0x85/0x140
[ 32.276348]  ? rcu_bh_force_quiescent_state+0x20/0x20
[ 32.281541]  ? __fget+0x40c/0x650
[ 32.284978]  ? expand_files.part.8+0x9a0/0x9a0
[ 32.289550]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 32.295071]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 32.300592]  ? sock_alloc_file+0x2a4/0x4e0
[ 32.304805]  ? __schedule+0x1e30/0x1e30
[ 32.308769]  compat_sock_common_setsockopt+0x10c/0x150
[ 32.314049]  ? sock_common_setsockopt+0xe0/0xe0
[ 32.318702]  __compat_sys_setsockopt+0x1ab/0x7c0
[ 32.323437]  ? __compat_sys_getsockopt+0x7f0/0x7f0
[ 32.328348]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 32.333867]  ? exit_to_usermode_loop+0x1ef/0x310
[ 32.338604]  ? syscall_slow_exit_work+0x4f0/0x4f0
[ 32.343445]  __ia32_compat_sys_setsockopt+0xbd/0x150
[ 32.348531]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 32.353529]  do_fast_syscall_32+0x345/0xf9b
[ 32.357835]  ? do_int80_syscall_32+0x880/0x880
[ 32.362402]  ? _raw_spin_unlock_irq+0x27/0x70
[ 32.366878]  ? finish_task_switch+0x1ca/0x810
[ 32.371363]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 32.376877]  ? syscall_return_slowpath+0x30f/0x5c0
[ 32.381788]  ? sysret32_from_system_call+0x5/0x46
[ 32.386610]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 32.391431]  entry_SYSENTER_compat+0x70/0x7f
[ 32.395818] RIP: 0023:0xf7ff2cb9
[ 32.399157] RSP: 002b:00000000f7fee0ac EFLAGS: 00000282 ORIG_RAX: 000000000000016e
[ 32.406843] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000000084
[ 32.414112] RDX: 0000000000000064 RSI: 0000000020223fd4 RDI: 0000000000000010
[ 32.421372] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 32.428624] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 32.435872] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 32.443783] Dumping ftrace buffer:
[ 32.447310]    (ftrace buffer empty)
[ 32.450998] Kernel Offset: disabled
[ 32.454603] Rebooting in 86400 seconds..