[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   17.548349] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   21.970377] random: sshd: uninitialized urandom read (32 bytes read)
[   22.210745] random: sshd: uninitialized urandom read (32 bytes read)
[   23.024668] random: sshd: uninitialized urandom read (32 bytes read)
[   50.552376] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.59' (ECDSA) to the list of known hosts.
[   55.961631] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   56.062382] ==================================================================
[   56.069830] BUG: KASAN: slab-out-of-bounds in wp384_final+0x93/0xe0
[   56.076228] Write of size 48 at addr ffff8801b70856b0 by task syz-executor188/4473
[   56.083911] 
[   56.085524] CPU: 1 PID: 4473 Comm: syz-executor188 Not tainted 4.17.0+ #92
[   56.092515] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   56.101846] Call Trace:
[   56.104416]  dump_stack+0x1b9/0x294
[   56.108028]  ? dump_stack_print_info.cold.2+0x52/0x52
[   56.113197]  ? printk+0x9e/0xba
[   56.116457]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   56.121209]  ? kasan_check_write+0x14/0x20
[   56.125429]  print_address_description+0x6c/0x20b
[   56.130254]  ? wp384_final+0x93/0xe0
[   56.133953]  kasan_report.cold.7+0x242/0x2fe
[   56.138345]  check_memory_region+0x13e/0x1b0
[   56.142736]  memcpy+0x37/0x50
[   56.145824]  wp384_final+0x93/0xe0
[   56.149345]  ? wp256_final+0xe0/0xe0
[   56.153043]  ? kasan_unpoison_shadow+0x35/0x50
[   56.157618]  crypto_shash_final+0x104/0x260
[   56.161919]  ? wp256_final+0xe0/0xe0
[   56.165621]  __keyctl_dh_compute+0x1184/0x1bc0
[   56.170192]  ? copy_overflow+0x30/0x30
[   56.174078]  ? find_held_lock+0x36/0x1c0
[   56.178132]  ? lock_downgrade+0x8e0/0x8e0
[   56.182261]  ? check_same_owner+0x320/0x320
[   56.186564]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   56.192088]  ? handle_mm_fault+0x55a/0xc70
[   56.196312]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   56.201830]  ? _copy_from_user+0xdf/0x150
[   56.205963]  keyctl_dh_compute+0xb9/0x100
[   56.210098]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   56.214844]  ? kzfree+0x28/0x30
[   56.218104]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   56.223277]  __x64_sys_keyctl+0x12a/0x3b0
[   56.227410]  do_syscall_64+0x1b1/0x800
[   56.231276]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   56.236108]  ? syscall_return_slowpath+0x5c0/0x5c0
[   56.241024]  ? syscall_return_slowpath+0x30f/0x5c0
[   56.245939]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   56.251461]  ? retint_user+0x18/0x18
[   56.255161]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   56.259990]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   56.265175] RIP: 0033:0x440019
[   56.268354] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[   56.287533] RSP: 002b:00007ffd31e8d908 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[   56.295227] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440019
[   56.302480] RDX: 0000000020000300 RSI: 0000000020000040 RDI: 0000000000000017
[   56.309730] RBP: 00000000006ca018 R08: 0000000020c61fc8 R09: 00000000004002c8
[   56.317000] R10: 00000000000000fb R11: 0000000000000217 R12: 0000000000401940
[   56.324252] R13: 00000000004019d0 R14: 0000000000000000 R15: 0000000000000000
[   56.331511] 
[   56.333121] Allocated by task 4473:
[   56.336744]  save_stack+0x43/0xd0
[   56.340180]  kasan_kmalloc+0xc4/0xe0
[   56.343874]  __kmalloc+0x14e/0x760
[   56.347400]  __keyctl_dh_compute+0xfe9/0x1bc0
[   56.351891]  keyctl_dh_compute+0xb9/0x100
[   56.356031]  __x64_sys_keyctl+0x12a/0x3b0
[   56.360161]  do_syscall_64+0x1b1/0x800
[   56.364031]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   56.369194] 
[   56.370800] Freed by task 0:
[   56.373802] (stack is not available)
[   56.377489] 
[   56.379097] The buggy address belongs to the object at ffff8801b70855c0
[   56.379097]  which belongs to the cache kmalloc-256 of size 256
[   56.391737] The buggy address is located 240 bytes inside of
[   56.391737]  256-byte region [ffff8801b70855c0, ffff8801b70856c0)
[   56.403593] The buggy address belongs to the page:
[   56.408518] page:ffffea0006dc2140 count:1 mapcount:0 mapping:ffff8801da8007c0 index:0x0
[   56.416646] flags: 0x2fffc0000000100(slab)
[   56.420865] raw: 02fffc0000000100 ffffea0006bb01c8 ffff8801da801648 ffff8801da8007c0
[   56.428730] raw: 0000000000000000 ffff8801b70850c0 000000010000000c 0000000000000000
[   56.436590] page dumped because: kasan: bad access detected
[   56.442285] 
[   56.443890] Memory state around the buggy address:
[   56.448798]  ffff8801b7085580: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   56.456145]  ffff8801b7085600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   56.463484] >ffff8801b7085680: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   56.470819]                                   ^
[   56.476253]  ffff8801b7085700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   56.483597]  ffff8801b7085780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   56.490938] ==================================================================
[   56.498278] Disabling lock debugging due to kernel taint
[   56.503937] Kernel panic - not syncing: panic_on_warn set ...
[   56.503937] 
[   56.511297] CPU: 1 PID: 4473 Comm: syz-executor188 Tainted: G    B             4.17.0+ #92
[   56.519688] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   56.529110] Call Trace:
[   56.531683]  dump_stack+0x1b9/0x294
[   56.535290]  ? dump_stack_print_info.cold.2+0x52/0x52
[   56.540472]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   56.545210]  ? wp384_final+0x80/0xe0
[   56.548910]  panic+0x22f/0x4de
[   56.552095]  ? add_taint.cold.5+0x16/0x16
[   56.556235]  ? do_raw_spin_unlock+0x9e/0x2e0
[   56.560629]  ? do_raw_spin_unlock+0x9e/0x2e0
[   56.565017]  ? wp384_final+0x93/0xe0
[   56.568712]  kasan_end_report+0x47/0x4f
[   56.572665]  kasan_report.cold.7+0x76/0x2fe
[   56.576969]  check_memory_region+0x13e/0x1b0
[   56.581356]  memcpy+0x37/0x50
[   56.584440]  wp384_final+0x93/0xe0
[   56.587962]  ? wp256_final+0xe0/0xe0
[   56.591659]  ? kasan_unpoison_shadow+0x35/0x50
[   56.596222]  crypto_shash_final+0x104/0x260
[   56.600522]  ? wp256_final+0xe0/0xe0
[   56.604219]  __keyctl_dh_compute+0x1184/0x1bc0
[   56.608783]  ? copy_overflow+0x30/0x30
[   56.612653]  ? find_held_lock+0x36/0x1c0
[   56.616701]  ? lock_downgrade+0x8e0/0x8e0
[   56.620849]  ? check_same_owner+0x320/0x320
[   56.625152]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   56.630667]  ? handle_mm_fault+0x55a/0xc70
[   56.634884]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   56.640407]  ? _copy_from_user+0xdf/0x150
[   56.644536]  keyctl_dh_compute+0xb9/0x100
[   56.648664]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   56.653403]  ? kzfree+0x28/0x30
[   56.656666]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   56.661836]  __x64_sys_keyctl+0x12a/0x3b0
[   56.666051]  do_syscall_64+0x1b1/0x800
[   56.669917]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   56.674748]  ? syscall_return_slowpath+0x5c0/0x5c0
[   56.679658]  ? syscall_return_slowpath+0x30f/0x5c0
[   56.684570]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   56.690096]  ? retint_user+0x18/0x18
[   56.693881]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   56.698704]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   56.703874] RIP: 0033:0x440019
[   56.707040] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[   56.726160] RSP: 002b:00007ffd31e8d908 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[   56.733851] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440019
[   56.741350] RDX: 0000000020000300 RSI: 0000000020000040 RDI: 0000000000000017
[   56.748599] RBP: 00000000006ca018 R08: 0000000020c61fc8 R09: 00000000004002c8
[   56.755849] R10: 00000000000000fb R11: 0000000000000217 R12: 0000000000401940
[   56.763110] R13: 00000000004019d0 R14: 0000000000000000 R15: 0000000000000000
[   56.770743] Dumping ftrace buffer:
[   56.774271]    (ftrace buffer empty)
[   56.777957] Kernel Offset: disabled
[   56.781582] Rebooting in 86400 seconds..
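Reading the report: the faulting write is 48 bytes, the wp384 digest size, copied by wp384_final() into a buffer that __keyctl_dh_compute() obtained from kmalloc (kmalloc-256, object ffff8801b70855c0..ffff8801b70856c0). The write starts 240 bytes into that object, so its last 32 bytes land in the redzone (the fc shadow bytes after the accessible 00 bytes). The register dump gives the syscall: ORIG_RAX 0xfa is keyctl(2) on x86_64, RDI 0x17 is KEYCTL_DH_COMPUTE, and R10, the fourth argument (the output buffer length for that command), is 0xfb = 251. A 48-byte digest being written at offset 240 of a 256-byte buffer means the output loop emitted a whole digest into a 16-byte tail.

The C program below is an added example; it is not part of the syzkaller report or of the kernel tree. It models two things as assumptions about the DH KDF code at that version: that the output buffer was sized with the kernel's round_up() macro, which is correct only for power-of-two alignments (roundup() is the generic form), and that the output loop writes one whole digest per iteration and decrements an unsigned remaining-length counter by the digest size with no partial-block guard. Under those two assumptions the model reproduces the report's numbers exactly (buffer 256, first out-of-bounds write at offset 240, 32 bytes overrun), and it shows that either roundup() or a guarded loop would have stayed in bounds. All function names, and the use of 251 as the buffer length, are the example's own.

```c
#include <stdint.h>
#include <stdio.h>

#define WP384_DIGEST_SIZE 48u                   /* size of the write in the report */
#define REPORT_BUFLEN     251u                  /* R10 in the register dump: keyctl arg4 */
#define REPORT_OBJ_START  0xffff8801b70855c0ULL /* object start from the report */
#define REPORT_BAD_ADDR   0xffff8801b70856b0ULL /* write address from the report */
#define REPORT_OBJ_SIZE   256u                  /* kmalloc-256 */

/* Kernel round_up(): only correct when 'align' is a power of two. */
static unsigned int round_up_pow2(unsigned int x, unsigned int align)
{
    return (x + align - 1) & ~(align - 1);
}

/* Kernel roundup(): generic, correct for any non-zero 'align'. */
static unsigned int roundup_any(unsigned int x, unsigned int align)
{
    return ((x + align - 1) / align) * align;
}

/* Bytes of a 'size'-byte write at 'addr' that fall past the end of the object. */
static unsigned int overrun_bytes(uint64_t addr, uint64_t obj_start,
                                  unsigned int obj_size, unsigned int size)
{
    uint64_t end = addr + size, obj_end = obj_start + obj_size;
    return end > obj_end ? (unsigned int)(end - obj_end) : 0;
}

/*
 * Assumed model of the KDF output loop: one whole digest of 'h' bytes per
 * iteration, 'dlen' decremented by 'h' with no partial-block guard.
 * Returns the offset of the first write that crosses 'obj_len', or -1 if
 * every write stays inside the object.
 */
static long kdf_first_oob_write(unsigned int buf_len, unsigned int obj_len,
                                unsigned int h)
{
    unsigned int dlen = buf_len, dst = 0, iter = 0;

    while (dlen) {
        if (dst + h > obj_len)
            return dst;          /* the memcpy KASAN would flag */
        dlen -= h;               /* underflows when buf_len % h != 0 */
        dst += h;
        if (++iter > 1000)       /* model-only stop so the underflow cannot spin */
            return dst;
    }
    return -1;
}

/* Guarded loop: a tail shorter than one digest receives only 'dlen' bytes. */
static long kdf_first_oob_write_fixed(unsigned int buf_len, unsigned int obj_len,
                                      unsigned int h)
{
    unsigned int dlen = buf_len, dst = 0;

    while (dlen) {
        unsigned int n = dlen < h ? dlen : h;   /* partial block via a temp digest */
        if (dst + n > obj_len)
            return dst;
        dlen -= n;
        dst += n;
    }
    return -1;
}

int main(void)
{
    unsigned int bad = round_up_pow2(REPORT_BUFLEN, WP384_DIGEST_SIZE);
    unsigned int good = roundup_any(REPORT_BUFLEN, WP384_DIGEST_SIZE);

    printf("report: %u of the %u written bytes fall past the object\n",
           overrun_bytes(REPORT_BAD_ADDR, REPORT_OBJ_START, REPORT_OBJ_SIZE,
                         WP384_DIGEST_SIZE), WP384_DIGEST_SIZE);
    printf("round_up(%u, 48) = %u -> first OOB write at offset %ld\n",
           REPORT_BUFLEN, bad, kdf_first_oob_write(bad, bad, WP384_DIGEST_SIZE));
    printf("roundup(%u, 48)  = %u -> first OOB write at offset %ld\n",
           REPORT_BUFLEN, good, kdf_first_oob_write(good, good, WP384_DIGEST_SIZE));
    printf("guarded loop over %u bytes -> first OOB write at offset %ld\n",
           bad, kdf_first_oob_write_fixed(bad, bad, WP384_DIGEST_SIZE));
    return 0;
}
```

Two checks a practitioner would take from this: any buffer whose length is rounded to a hash digest size must use roundup(), because 48 (wp384) and 28 (sha224) are not powers of two; and a loop that fills an output buffer whole-block-at-a-time must either be handed a length that is a multiple of the block or stop and copy a partial block when fewer than one block remains, since an unsigned remaining-length counter never reaches zero after it is decremented past it.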