[ ok ] Starting periodic command scheduler: cron.
[   19.310633] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.024951] random: sshd: uninitialized urandom read (32 bytes read)
[   24.524585] random: sshd: uninitialized urandom read (32 bytes read)
[   25.306514] random: sshd: uninitialized urandom read (32 bytes read)
[   25.465151] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.11' (ECDSA) to the list of known hosts.
[   30.943332] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   31.038016] ==================================================================
[   31.046593] BUG: KASAN: slab-out-of-bounds in sha512_finup+0x564/0x620
[   31.053244] Write of size 8 at addr ffff8801ad096ec0 by task syz-executor066/4524
[   31.060837] 
[   31.062449] CPU: 0 PID: 4524 Comm: syz-executor066 Not tainted 4.17.0+ #93
[   31.069436] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.078769] Call Trace:
[   31.081342]  dump_stack+0x1b9/0x294
[   31.084956]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.090125]  ? printk+0x9e/0xba
[   31.093915]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   31.098658]  ? kasan_check_write+0x14/0x20
[   31.102876]  print_address_description+0x6c/0x20b
[   31.107708]  ? sha512_finup+0x564/0x620
[   31.111665]  kasan_report.cold.7+0x242/0x2fe
[   31.116069]  __asan_report_store8_noabort+0x17/0x20
[   31.121083]  sha512_finup+0x564/0x620
[   31.124877]  ? sha512_update+0x9f/0x260
[   31.128852]  sha512_avx2_final+0x28/0x30
[   31.132913]  crypto_shash_final+0x104/0x260
[   31.138171]  ? sha512_avx2_finup+0x40/0x40
[   31.142392]  __keyctl_dh_compute+0x1184/0x1bc0
[   31.146963]  ? copy_overflow+0x30/0x30
[   31.150848]  ? find_held_lock+0x36/0x1c0
[   31.154899]  ? lock_downgrade+0x8e0/0x8e0
[   31.159032]  ? check_same_owner+0x320/0x320
[   31.163335]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   31.168853]  ? handle_mm_fault+0x55a/0xc70
[   31.173077]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.178606]  ? _copy_from_user+0xdf/0x150
[   31.182737]  keyctl_dh_compute+0xb9/0x100
[   31.186871]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   31.191619]  ? kzfree+0x28/0x30
[   31.194886]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   31.200071]  __x64_sys_keyctl+0x12a/0x3b0
[   31.204299]  do_syscall_64+0x1b1/0x800
[   31.208179]  ? syscall_return_slowpath+0x5c0/0x5c0
[   31.213087]  ? syscall_return_slowpath+0x30f/0x5c0
[   31.218001]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.223517]  ? retint_user+0x18/0x18
[   31.227220]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.232057]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.237235] RIP: 0033:0x43ffa9
[   31.240401] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[   31.259575] RSP: 002b:00007ffed3d049f8 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[   31.267267] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9
[   31.274527] RDX: 0000000020a53ffb RSI: 0000000020000100 RDI: 0000000000000017
[   31.281776] RBP: 00000000006ca018 R08: 0000000020c61fc8 R09: 00000000004002c8
[   31.289025] R10: 0000000000000053 R11: 0000000000000217 R12: 00000000004018d0
[   31.296285] R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000
[   31.303540] 
[   31.305145] Allocated by task 4524:
[   31.308767]  save_stack+0x43/0xd0
[   31.312200]  kasan_kmalloc+0xc4/0xe0
[   31.315898]  __kmalloc+0x14e/0x760
[   31.319423]  __keyctl_dh_compute+0xfe9/0x1bc0
[   31.323906]  keyctl_dh_compute+0xb9/0x100
[   31.328042]  __x64_sys_keyctl+0x12a/0x3b0
[   31.332179]  do_syscall_64+0x1b1/0x800
[   31.336053]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.341230] 
[   31.342833] Freed by task 0:
[   31.345836] (stack is not available)
[   31.349520] 
[   31.351128] The buggy address belongs to the object at ffff8801ad096e40
[   31.351128]  which belongs to the cache kmalloc-128 of size 128
[   31.363776] The buggy address is located 0 bytes to the right of
[   31.363776]  128-byte region [ffff8801ad096e40, ffff8801ad096ec0)
[   31.375985] The buggy address belongs to the page:
[   31.380911] page:ffffea0006b42580 count:1 mapcount:0 mapping:ffff8801da800640 index:0x0
[   31.389032] flags: 0x2fffc0000000100(slab)
[   31.393250] raw: 02fffc0000000100 ffffea0006b46888 ffff8801da801548 ffff8801da800640
[   31.401121] raw: 0000000000000000 ffff8801ad096000 0000000100000015 0000000000000000
[   31.408976] page dumped because: kasan: bad access detected
[   31.414660] 
[   31.416265] Memory state around the buggy address:
[   31.421172]  ffff8801ad096d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.428508]  ffff8801ad096e00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   31.435856] >ffff8801ad096e80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   31.443189]                                            ^
[   31.448620]  ffff8801ad096f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.455968]  ffff8801ad096f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.463303] ==================================================================
[   31.470648] Disabling lock debugging due to kernel taint
[   31.476149] Kernel panic - not syncing: panic_on_warn set ...
[   31.476149] 
[   31.483512] CPU: 0 PID: 4524 Comm: syz-executor066 Tainted: G    B            4.17.0+ #93
[   31.491891] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.501221] Call Trace:
[   31.503791]  dump_stack+0x1b9/0x294
[   31.507396]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.512564]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   31.517298]  ? sha512_finup+0x4b0/0x620
[   31.521251]  panic+0x22f/0x4de
[   31.524432]  ? add_taint.cold.5+0x16/0x16
[   31.528561]  ? do_raw_spin_unlock+0x9e/0x2e0
[   31.532953]  ? do_raw_spin_unlock+0x9e/0x2e0
[   31.537350]  ? sha512_finup+0x564/0x620
[   31.541313]  kasan_end_report+0x47/0x4f
[   31.545265]  kasan_report.cold.7+0x76/0x2fe
[   31.549574]  __asan_report_store8_noabort+0x17/0x20
[   31.554570]  sha512_finup+0x564/0x620
[   31.558347]  ? sha512_update+0x9f/0x260
[   31.562300]  sha512_avx2_final+0x28/0x30
[   31.566342]  crypto_shash_final+0x104/0x260
[   31.570652]  ? sha512_avx2_finup+0x40/0x40
[   31.574870]  __keyctl_dh_compute+0x1184/0x1bc0
[   31.579434]  ? copy_overflow+0x30/0x30
[   31.583301]  ? find_held_lock+0x36/0x1c0
[   31.587344]  ? lock_downgrade+0x8e0/0x8e0
[   31.591477]  ? check_same_owner+0x320/0x320
[   31.595779]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   31.601296]  ? handle_mm_fault+0x55a/0xc70
[   31.605512]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.611040]  ? _copy_from_user+0xdf/0x150
[   31.615176]  keyctl_dh_compute+0xb9/0x100
[   31.619303]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   31.624054]  ? kzfree+0x28/0x30
[   31.627312]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   31.632491]  __x64_sys_keyctl+0x12a/0x3b0
[   31.636631]  do_syscall_64+0x1b1/0x800
[   31.640498]  ? syscall_return_slowpath+0x5c0/0x5c0
[   31.645407]  ? syscall_return_slowpath+0x30f/0x5c0
[   31.650322]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.655847]  ? retint_user+0x18/0x18
[   31.659539]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.664362]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.669535] RIP: 0033:0x43ffa9
[   31.673053] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[   31.692171] RSP: 002b:00007ffed3d049f8 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[   31.699866] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9
[   31.707115] RDX: 0000000020a53ffb RSI: 0000000020000100 RDI: 0000000000000017
[   31.714374] RBP: 00000000006ca018 R08: 0000000020c61fc8 R09: 00000000004002c8
[   31.721622] R10: 0000000000000053 R11: 0000000000000217 R12: 00000000004018d0
[   31.728880] R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000
[   31.736608] Dumping ftrace buffer:
[   31.740128]    (ftrace buffer empty)
[   31.743814] Kernel Offset: disabled
[   31.747423] Rebooting in 86400 seconds..