[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 22.057789] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 25.616513] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.136074] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.011195] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.186229] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.9' (ECDSA) to the list of known hosts.
[ 32.666243] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 32.765629] ==================================================================
[ 32.773112] BUG: KASAN: slab-out-of-bounds in sha1_finup+0x44e/0x4b0
[ 32.779605] Write of size 4 at addr ffff8801d88ee598 by task syz-executor414/4580
[ 32.787213]
[ 32.788828] CPU: 1 PID: 4580 Comm: syz-executor414 Not tainted 4.17.0+ #89
[ 32.795819] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.805160] Call Trace:
[ 32.807746]  dump_stack+0x1b9/0x294
[ 32.811382]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 32.816571]  ? printk+0x9e/0xba
[ 32.819855]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 32.824605]  ? kasan_check_write+0x14/0x20
[ 32.828834]  print_address_description+0x6c/0x20b
[ 32.833683]  ? sha1_finup+0x44e/0x4b0
[ 32.837485]  kasan_report.cold.7+0x242/0x2fe
[ 32.841908]  __asan_report_store4_noabort+0x17/0x20
[ 32.846921]  sha1_finup+0x44e/0x4b0
[ 32.850542]  ? sha1_base_init+0x150/0x150
[ 32.854694]  sha1_avx2_final+0x28/0x30
[ 32.858581]  crypto_shash_final+0x104/0x260
[ 32.862911]  ? sha1_avx2_finup+0x40/0x40
[ 32.866974]  __keyctl_dh_compute+0x1184/0x1bc0
[ 32.871561]  ? copy_overflow+0x30/0x30
[ 32.875446]  ? find_held_lock+0x36/0x1c0
[ 32.879505]  ? lock_downgrade+0x8e0/0x8e0
[ 32.883650]  ? check_same_owner+0x320/0x320
[ 32.887967]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 32.893497]  ? handle_mm_fault+0x55a/0xc70
[ 32.897741]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 32.903286]  ? _copy_from_user+0xdf/0x150
[ 32.907438]  keyctl_dh_compute+0xb9/0x100
[ 32.911573]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[ 32.916321]  ? kzfree+0x28/0x30
[ 32.919595]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 32.924780]  __x64_sys_keyctl+0x12a/0x3b0
[ 32.928922]  do_syscall_64+0x1b1/0x800
[ 32.932797]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 32.937736]  ? syscall_return_slowpath+0x30f/0x5c0
[ 32.942674]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 32.948211]  ? retint_user+0x18/0x18
[ 32.951942]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 32.956793]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.961972] RIP: 0033:0x43ffb9
[ 32.965157] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[ 32.984385] RSP: 002b:00007ffd89980148 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[ 32.992097] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffb9
[ 32.999370] RDX: 0000000020a53ffb RSI: 0000000020000100 RDI: 0000000000000017
[ 33.006634] RBP: 00000000006ca018 R08: 0000000020c61fc8 R09: 00000000004002c8
[ 33.013899] R10: 0000000000000005 R11: 0000000000000217 R12: 00000000004018e0
[ 33.021158] R13: 0000000000401970 R14: 0000000000000000 R15: 0000000000000000
[ 33.028423]
[ 33.030053] Allocated by task 4580:
[ 33.033698]  save_stack+0x43/0xd0
[ 33.037142]  kasan_kmalloc+0xc4/0xe0
[ 33.040843]  __kmalloc+0x14e/0x760
[ 33.044378]  __keyctl_dh_compute+0xfe9/0x1bc0
[ 33.048866]  keyctl_dh_compute+0xb9/0x100
[ 33.053030]  __x64_sys_keyctl+0x12a/0x3b0
[ 33.057180]  do_syscall_64+0x1b1/0x800
[ 33.061062]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.066233]
[ 33.067846] Freed by task 2855:
[ 33.071113]  save_stack+0x43/0xd0
[ 33.074550]  __kasan_slab_free+0x11a/0x170
[ 33.078770]  kasan_slab_free+0xe/0x10
[ 33.082650]  kfree+0xd9/0x260
[ 33.085743]  single_release+0x8f/0xb0
[ 33.089532]  __fput+0x353/0x890
[ 33.092796]  ____fput+0x15/0x20
[ 33.096075]  task_work_run+0x1e4/0x290
[ 33.099971]  exit_to_usermode_loop+0x2bd/0x310
[ 33.104560]  do_syscall_64+0x6ac/0x800
[ 33.108440]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.113610]
[ 33.115237] The buggy address belongs to the object at ffff8801d88ee580
[ 33.115237]  which belongs to the cache kmalloc-32 of size 32
[ 33.127740] The buggy address is located 24 bytes inside of
[ 33.127740]  32-byte region [ffff8801d88ee580, ffff8801d88ee5a0)
[ 33.139441] The buggy address belongs to the page:
[ 33.144370] page:ffffea0007623b80 count:1 mapcount:0 mapping:ffff8801d88ee000 index:0xffff8801d88eefc1
[ 33.153816] flags: 0x2fffc0000000100(slab)
[ 33.158053] raw: 02fffc0000000100 ffff8801d88ee000 ffff8801d88eefc1 0000000100000031
[ 33.165966] raw: ffffea00075ed7a0 ffffea0007603ce0 ffff8801da8001c0 0000000000000000
[ 33.173834] page dumped because: kasan: bad access detected
[ 33.179530]
[ 33.181162] Memory state around the buggy address:
[ 33.186084]  ffff8801d88ee480: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 33.193433]  ffff8801d88ee500: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 33.200796] >ffff8801d88ee580: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 33.208175]                             ^
[ 33.212314]  ffff8801d88ee600: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 33.219672]  ffff8801d88ee680: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 33.227038] ==================================================================
[ 33.234395] Disabling lock debugging due to kernel taint
[ 33.239891] Kernel panic - not syncing: panic_on_warn set ...
[ 33.239891]
[ 33.247258] CPU: 1 PID: 4580 Comm: syz-executor414 Tainted: G    B 4.17.0+ #89
[ 33.255640] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.264979] Call Trace:
[ 33.267557]  dump_stack+0x1b9/0x294
[ 33.271178]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 33.276361]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 33.281101]  ? sha1_finup+0x3a0/0x4b0
[ 33.284897]  panic+0x22f/0x4de
[ 33.288086]  ? add_taint.cold.5+0x16/0x16
[ 33.292234]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 33.296631]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 33.301033]  ? sha1_finup+0x44e/0x4b0
[ 33.304827]  kasan_end_report+0x47/0x4f
[ 33.308784]  kasan_report.cold.7+0x76/0x2fe
[ 33.313090]  __asan_report_store4_noabort+0x17/0x20
[ 33.318099]  sha1_finup+0x44e/0x4b0
[ 33.321709]  ? sha1_base_init+0x150/0x150
[ 33.325855]  sha1_avx2_final+0x28/0x30
[ 33.329726]  crypto_shash_final+0x104/0x260
[ 33.334041]  ? sha1_avx2_finup+0x40/0x40
[ 33.338092]  __keyctl_dh_compute+0x1184/0x1bc0
[ 33.342674]  ? copy_overflow+0x30/0x30
[ 33.346547]  ? find_held_lock+0x36/0x1c0
[ 33.350592]  ? lock_downgrade+0x8e0/0x8e0
[ 33.354728]  ? check_same_owner+0x320/0x320
[ 33.359041]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 33.364566]  ? handle_mm_fault+0x55a/0xc70
[ 33.368795]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 33.374323]  ? _copy_from_user+0xdf/0x150
[ 33.378559]  keyctl_dh_compute+0xb9/0x100
[ 33.382694]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[ 33.387528]  ? kzfree+0x28/0x30
[ 33.390869]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 33.396057]  __x64_sys_keyctl+0x12a/0x3b0
[ 33.400207]  do_syscall_64+0x1b1/0x800
[ 33.404095]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 33.409024]  ? syscall_return_slowpath+0x30f/0x5c0
[ 33.413951]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 33.419479]  ? retint_user+0x18/0x18
[ 33.423198]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 33.428043]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.433244] RIP: 0033:0x43ffb9
[ 33.436418] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[ 33.455738] RSP: 002b:00007ffd89980148 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[ 33.463448] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffb9
[ 33.470730] RDX: 0000000020a53ffb RSI: 0000000020000100 RDI: 0000000000000017
[ 33.478024] RBP: 00000000006ca018 R08: 0000000020c61fc8 R09: 00000000004002c8
[ 33.485320] R10: 0000000000000005 R11: 0000000000000217 R12: 00000000004018e0
[ 33.492615] R13: 0000000000401970 R14: 0000000000000000 R15: 0000000000000000
[ 33.500427] Dumping ftrace buffer:
[ 33.503968]    (ftrace buffer empty)
[ 33.507666] Kernel Offset: disabled
[ 33.511288] Rebooting in 86400 seconds..