[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   20.349372] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.729561] random: sshd: uninitialized urandom read (32 bytes read)
[   24.006615] random: sshd: uninitialized urandom read (32 bytes read)
[   24.807212] random: sshd: uninitialized urandom read (32 bytes read)
[   39.487245] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.36' (ECDSA) to the list of known hosts.
[   44.938699] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   45.030356] ==================================================================
[   45.037793] BUG: KASAN: slab-out-of-bounds in sha1_finup+0x44e/0x4b0
[   45.044265] Write of size 4 at addr ffff8801d71f3958 by task syz-executor474/4581
[   45.051856] 
[   45.053467] CPU: 0 PID: 4581 Comm: syz-executor474 Not tainted 4.17.0+ #89
[   45.060463] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   45.069791] Call Trace:
[   45.072368]  dump_stack+0x1b9/0x294
[   45.075976]  ? dump_stack_print_info.cold.2+0x52/0x52
[   45.081178]  ? printk+0x9e/0xba
[   45.084436]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   45.089175]  ? kasan_check_write+0x14/0x20
[   45.093400]  print_address_description+0x6c/0x20b
[   45.098226]  ? sha1_finup+0x44e/0x4b0
[   45.102005]  kasan_report.cold.7+0x242/0x2fe
[   45.106409]  __asan_report_store4_noabort+0x17/0x20
[   45.111424]  sha1_finup+0x44e/0x4b0
[   45.115063]  ? sha1_base_init+0x150/0x150
[   45.119226]  sha1_avx2_final+0x28/0x30
[   45.123094]  crypto_shash_final+0x104/0x260
[   45.127404]  ? sha1_avx2_finup+0x40/0x40
[   45.131452]  __keyctl_dh_compute+0x1184/0x1bc0
[   45.136030]  ? copy_overflow+0x30/0x30
[   45.140090]  ? find_held_lock+0x36/0x1c0
[   45.144166]  ? lock_downgrade+0x8e0/0x8e0
[   45.148309]  ? check_same_owner+0x320/0x320
[   45.152791]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   45.158313]  ? handle_mm_fault+0x55a/0xc70
[   45.162539]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   45.168064]  ? _copy_from_user+0xdf/0x150
[   45.172202]  keyctl_dh_compute+0xb9/0x100
[   45.176341]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   45.181086]  ? kzfree+0x28/0x30
[   45.184352]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   45.189534]  __x64_sys_keyctl+0x12a/0x3b0
[   45.193680]  do_syscall_64+0x1b1/0x800
[   45.197563]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   45.202392]  ? syscall_return_slowpath+0x5c0/0x5c0
[   45.207309]  ? syscall_return_slowpath+0x30f/0x5c0
[   45.212224]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   45.217753]  ? retint_user+0x18/0x18
[   45.221460]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   45.226296]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   45.231487] RIP: 0033:0x43ffa9
[   45.234659] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 
[   45.254068] RSP: 002b:00007fffd75787b8 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[   45.261776] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9
[   45.269054] RDX: 0000000020a53ffb RSI: 0000000020000100 RDI: 0000000000000017
[   45.276318] RBP: 00000000006ca018 R08: 0000000020c61fc8 R09: 00000000004002c8
[   45.283574] R10: 0000000000000005 R11: 0000000000000217 R12: 00000000004018d0
[   45.290843] R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000
[   45.298190] 
[   45.299811] Allocated by task 4581:
[   45.303437]  save_stack+0x43/0xd0
[   45.306882]  kasan_kmalloc+0xc4/0xe0
[   45.310580]  __kmalloc+0x14e/0x760
[   45.314141]  __keyctl_dh_compute+0xfe9/0x1bc0
[   45.318624]  keyctl_dh_compute+0xb9/0x100
[   45.322766]  __x64_sys_keyctl+0x12a/0x3b0
[   45.326917]  do_syscall_64+0x1b1/0x800
[   45.330821]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   45.336004] 
[   45.337628] Freed by task 2886:
[   45.340905]  save_stack+0x43/0xd0
[   45.344347]  __kasan_slab_free+0x11a/0x170
[   45.348573]  kasan_slab_free+0xe/0x10
[   45.352373]  kfree+0xd9/0x260
[   45.355474]  single_release+0x8f/0xb0
[   45.359262]  __fput+0x353/0x890
[   45.362529]  ____fput+0x15/0x20
[   45.365798]  task_work_run+0x1e4/0x290
[   45.369682]  exit_to_usermode_loop+0x2bd/0x310
[   45.374269]  do_syscall_64+0x6ac/0x800
[   45.378159]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   45.383329] 
[   45.384941] The buggy address belongs to the object at ffff8801d71f3940
[   45.384941]  which belongs to the cache kmalloc-32 of size 32
[   45.397411] The buggy address is located 24 bytes inside of
[   45.397411]  32-byte region [ffff8801d71f3940, ffff8801d71f3960)
[   45.409102] The buggy address belongs to the page:
[   45.414024] page:ffffea00075c7cc0 count:1 mapcount:0 mapping:ffff8801d71f3000 index:0xffff8801d71f3fc1
[   45.423471] flags: 0x2fffc0000000100(slab)
[   45.427697] raw: 02fffc0000000100 ffff8801d71f3000 ffff8801d71f3fc1 000000010000003d
[   45.435567] raw: ffffea0007606f20 ffffea00075c7be0 ffff8801da8001c0 0000000000000000
[   45.443440] page dumped because: kasan: bad access detected
[   45.449130] 
[   45.450742] Memory state around the buggy address:
[   45.455666]  ffff8801d71f3800: 00 00 00 00 fc fc fc fc 00 fc fc fc fc fc fc fc
[   45.463022]  ffff8801d71f3880: 00 00 00 00 fc fc fc fc 00 fc fc fc fc fc fc fc
[   45.470364] >ffff8801d71f3900: fb fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   45.477710]                                                     ^
[   45.483935]  ffff8801d71f3980: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   45.491278]  ffff8801d71f3a00: fb fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   45.498625] ==================================================================
[   45.505972] Disabling lock debugging due to kernel taint
[   45.511627] Kernel panic - not syncing: panic_on_warn set ...
[   45.511627] 
[   45.519006] CPU: 0 PID: 4581 Comm: syz-executor474 Tainted: G    B             4.17.0+ #89
[   45.527395] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   45.536739] Call Trace:
[   45.539332]  dump_stack+0x1b9/0x294
[   45.542971]  ? dump_stack_print_info.cold.2+0x52/0x52
[   45.548172]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   45.552919]  ? sha1_finup+0x3a0/0x4b0
[   45.556706]  panic+0x22f/0x4de
[   45.559890]  ? add_taint.cold.5+0x16/0x16
[   45.564021]  ? do_raw_spin_unlock+0x9e/0x2e0
[   45.568412]  ? do_raw_spin_unlock+0x9e/0x2e0
[   45.572801]  ? sha1_finup+0x44e/0x4b0
[   45.576587]  kasan_end_report+0x47/0x4f
[   45.580549]  kasan_report.cold.7+0x76/0x2fe
[   45.584855]  __asan_report_store4_noabort+0x17/0x20
[   45.589855]  sha1_finup+0x44e/0x4b0
[   45.593461]  ? sha1_base_init+0x150/0x150
[   45.597592]  sha1_avx2_final+0x28/0x30
[   45.601463]  crypto_shash_final+0x104/0x260
[   45.605771]  ? sha1_avx2_finup+0x40/0x40
[   45.609821]  __keyctl_dh_compute+0x1184/0x1bc0
[   45.614389]  ? copy_overflow+0x30/0x30
[   45.618259]  ? find_held_lock+0x36/0x1c0
[   45.622302]  ? lock_downgrade+0x8e0/0x8e0
[   45.626430]  ? check_same_owner+0x320/0x320
[   45.630742]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   45.636269]  ? handle_mm_fault+0x55a/0xc70
[   45.640491]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   45.646022]  ? _copy_from_user+0xdf/0x150
[   45.650152]  keyctl_dh_compute+0xb9/0x100
[   45.654283]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   45.659024]  ? kzfree+0x28/0x30
[   45.662283]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   45.667469]  __x64_sys_keyctl+0x12a/0x3b0
[   45.671835]  do_syscall_64+0x1b1/0x800
[   45.675715]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   45.680546]  ? syscall_return_slowpath+0x5c0/0x5c0
[   45.685456]  ? syscall_return_slowpath+0x30f/0x5c0
[   45.690367]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   45.695889]  ? retint_user+0x18/0x18
[   45.699589]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   45.704414]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   45.709586] RIP: 0033:0x43ffa9
[   45.712764] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 
[   45.731975] RSP: 002b:00007fffd75787b8 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[   45.739676] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9
[   45.747118] RDX: 0000000020a53ffb RSI: 0000000020000100 RDI: 0000000000000017
[   45.754376] RBP: 00000000006ca018 R08: 0000000020c61fc8 R09: 00000000004002c8
[   45.761634] R10: 0000000000000005 R11: 0000000000000217 R12: 00000000004018d0
[   45.768899] R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000
[   45.776676] Dumping ftrace buffer:
[   45.780202]    (ftrace buffer empty)
[   45.783895] Kernel Offset: disabled
[   45.787506] Rebooting in 86400 seconds..