[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   22.057789] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   25.616513] random: sshd: uninitialized urandom read (32 bytes read)
[   26.136074] random: sshd: uninitialized urandom read (32 bytes read)
[   27.011195] random: sshd: uninitialized urandom read (32 bytes read)
[   27.186229] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.9' (ECDSA) to the list of known hosts.
[   32.666243] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   32.765629] ==================================================================
[   32.773112] BUG: KASAN: slab-out-of-bounds in sha1_finup+0x44e/0x4b0
[   32.779605] Write of size 4 at addr ffff8801d88ee598 by task syz-executor414/4580
[   32.787213] 
[   32.788828] CPU: 1 PID: 4580 Comm: syz-executor414 Not tainted 4.17.0+ #89
[   32.795819] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.805160] Call Trace:
[   32.807746]  dump_stack+0x1b9/0x294
[   32.811382]  ? dump_stack_print_info.cold.2+0x52/0x52
[   32.816571]  ? printk+0x9e/0xba
[   32.819855]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   32.824605]  ? kasan_check_write+0x14/0x20
[   32.828834]  print_address_description+0x6c/0x20b
[   32.833683]  ? sha1_finup+0x44e/0x4b0
[   32.837485]  kasan_report.cold.7+0x242/0x2fe
[   32.841908]  __asan_report_store4_noabort+0x17/0x20
[   32.846921]  sha1_finup+0x44e/0x4b0
[   32.850542]  ? sha1_base_init+0x150/0x150
[   32.854694]  sha1_avx2_final+0x28/0x30
[   32.858581]  crypto_shash_final+0x104/0x260
[   32.862911]  ? sha1_avx2_finup+0x40/0x40
[   32.866974]  __keyctl_dh_compute+0x1184/0x1bc0
[   32.871561]  ? copy_overflow+0x30/0x30
[   32.875446]  ? find_held_lock+0x36/0x1c0
[   32.879505]  ? lock_downgrade+0x8e0/0x8e0
[   32.883650]  ? check_same_owner+0x320/0x320
[   32.887967]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   32.893497]  ? handle_mm_fault+0x55a/0xc70
[   32.897741]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   32.903286]  ? _copy_from_user+0xdf/0x150
[   32.907438]  keyctl_dh_compute+0xb9/0x100
[   32.911573]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   32.916321]  ? kzfree+0x28/0x30
[   32.919595]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   32.924780]  __x64_sys_keyctl+0x12a/0x3b0
[   32.928922]  do_syscall_64+0x1b1/0x800
[   32.932797]  ? syscall_return_slowpath+0x5c0/0x5c0
[   32.937736]  ? syscall_return_slowpath+0x30f/0x5c0
[   32.942674]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.948211]  ? retint_user+0x18/0x18
[   32.951942]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   32.956793]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.961972] RIP: 0033:0x43ffb9
[   32.965157] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 
[   32.984385] RSP: 002b:00007ffd89980148 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[   32.992097] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffb9
[   32.999370] RDX: 0000000020a53ffb RSI: 0000000020000100 RDI: 0000000000000017
[   33.006634] RBP: 00000000006ca018 R08: 0000000020c61fc8 R09: 00000000004002c8
[   33.013899] R10: 0000000000000005 R11: 0000000000000217 R12: 00000000004018e0
[   33.021158] R13: 0000000000401970 R14: 0000000000000000 R15: 0000000000000000
[   33.028423] 
[   33.030053] Allocated by task 4580:
[   33.033698]  save_stack+0x43/0xd0
[   33.037142]  kasan_kmalloc+0xc4/0xe0
[   33.040843]  __kmalloc+0x14e/0x760
[   33.044378]  __keyctl_dh_compute+0xfe9/0x1bc0
[   33.048866]  keyctl_dh_compute+0xb9/0x100
[   33.053030]  __x64_sys_keyctl+0x12a/0x3b0
[   33.057180]  do_syscall_64+0x1b1/0x800
[   33.061062]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.066233] 
[   33.067846] Freed by task 2855:
[   33.071113]  save_stack+0x43/0xd0
[   33.074550]  __kasan_slab_free+0x11a/0x170
[   33.078770]  kasan_slab_free+0xe/0x10
[   33.082650]  kfree+0xd9/0x260
[   33.085743]  single_release+0x8f/0xb0
[   33.089532]  __fput+0x353/0x890
[   33.092796]  ____fput+0x15/0x20
[   33.096075]  task_work_run+0x1e4/0x290
[   33.099971]  exit_to_usermode_loop+0x2bd/0x310
[   33.104560]  do_syscall_64+0x6ac/0x800
[   33.108440]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.113610] 
[   33.115237] The buggy address belongs to the object at ffff8801d88ee580
[   33.115237]  which belongs to the cache kmalloc-32 of size 32
[   33.127740] The buggy address is located 24 bytes inside of
[   33.127740]  32-byte region [ffff8801d88ee580, ffff8801d88ee5a0)
[   33.139441] The buggy address belongs to the page:
[   33.144370] page:ffffea0007623b80 count:1 mapcount:0 mapping:ffff8801d88ee000 index:0xffff8801d88eefc1
[   33.153816] flags: 0x2fffc0000000100(slab)
[   33.158053] raw: 02fffc0000000100 ffff8801d88ee000 ffff8801d88eefc1 0000000100000031
[   33.165966] raw: ffffea00075ed7a0 ffffea0007603ce0 ffff8801da8001c0 0000000000000000
[   33.173834] page dumped because: kasan: bad access detected
[   33.179530] 
[   33.181162] Memory state around the buggy address:
[   33.186084]  ffff8801d88ee480: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[   33.193433]  ffff8801d88ee500: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   33.200796] >ffff8801d88ee580: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc
[   33.208175]                             ^
[   33.212314]  ffff8801d88ee600: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   33.219672]  ffff8801d88ee680: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   33.227038] ==================================================================
[   33.234395] Disabling lock debugging due to kernel taint
[   33.239891] Kernel panic - not syncing: panic_on_warn set ...
[   33.239891] 
[   33.247258] CPU: 1 PID: 4580 Comm: syz-executor414 Tainted: G    B             4.17.0+ #89
[   33.255640] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.264979] Call Trace:
[   33.267557]  dump_stack+0x1b9/0x294
[   33.271178]  ? dump_stack_print_info.cold.2+0x52/0x52
[   33.276361]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   33.281101]  ? sha1_finup+0x3a0/0x4b0
[   33.284897]  panic+0x22f/0x4de
[   33.288086]  ? add_taint.cold.5+0x16/0x16
[   33.292234]  ? do_raw_spin_unlock+0x9e/0x2e0
[   33.296631]  ? do_raw_spin_unlock+0x9e/0x2e0
[   33.301033]  ? sha1_finup+0x44e/0x4b0
[   33.304827]  kasan_end_report+0x47/0x4f
[   33.308784]  kasan_report.cold.7+0x76/0x2fe
[   33.313090]  __asan_report_store4_noabort+0x17/0x20
[   33.318099]  sha1_finup+0x44e/0x4b0
[   33.321709]  ? sha1_base_init+0x150/0x150
[   33.325855]  sha1_avx2_final+0x28/0x30
[   33.329726]  crypto_shash_final+0x104/0x260
[   33.334041]  ? sha1_avx2_finup+0x40/0x40
[   33.338092]  __keyctl_dh_compute+0x1184/0x1bc0
[   33.342674]  ? copy_overflow+0x30/0x30
[   33.346547]  ? find_held_lock+0x36/0x1c0
[   33.350592]  ? lock_downgrade+0x8e0/0x8e0
[   33.354728]  ? check_same_owner+0x320/0x320
[   33.359041]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   33.364566]  ? handle_mm_fault+0x55a/0xc70
[   33.368795]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   33.374323]  ? _copy_from_user+0xdf/0x150
[   33.378559]  keyctl_dh_compute+0xb9/0x100
[   33.382694]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   33.387528]  ? kzfree+0x28/0x30
[   33.390869]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   33.396057]  __x64_sys_keyctl+0x12a/0x3b0
[   33.400207]  do_syscall_64+0x1b1/0x800
[   33.404095]  ? syscall_return_slowpath+0x5c0/0x5c0
[   33.409024]  ? syscall_return_slowpath+0x30f/0x5c0
[   33.413951]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.419479]  ? retint_user+0x18/0x18
[   33.423198]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   33.428043]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.433244] RIP: 0033:0x43ffb9
[   33.436418] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 
[   33.455738] RSP: 002b:00007ffd89980148 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[   33.463448] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffb9
[   33.470730] RDX: 0000000020a53ffb RSI: 0000000020000100 RDI: 0000000000000017
[   33.478024] RBP: 00000000006ca018 R08: 0000000020c61fc8 R09: 00000000004002c8
[   33.485320] R10: 0000000000000005 R11: 0000000000000217 R12: 00000000004018e0
[   33.492615] R13: 0000000000401970 R14: 0000000000000000 R15: 0000000000000000
[   33.500427] Dumping ftrace buffer:
[   33.503968]    (ftrace buffer empty)
[   33.507666] Kernel Offset: disabled
[   33.511288] Rebooting in 86400 seconds..