[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 19.845342] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 22.969894] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.398131] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.242194] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.399254] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.31' (ECDSA) to the list of known hosts.
[ 29.881491] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 29.972517] ==================================================================
[ 29.979948] BUG: KASAN: slab-out-of-bounds in sha256_final+0x303/0x380
[ 29.986604] Write of size 4 at addr ffff8801d916fee0 by task syz-executor894/4529
[ 29.994211]
[ 29.995820] CPU: 0 PID: 4529 Comm: syz-executor894 Not tainted 4.17.0+ #89
[ 30.002808] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.012151] Call Trace:
[ 30.014722]  dump_stack+0x1b9/0x294
[ 30.018330]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 30.023507]  ? printk+0x9e/0xba
[ 30.026764]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 30.031504]  ? kasan_check_write+0x14/0x20
[ 30.035721]  print_address_description+0x6c/0x20b
[ 30.040549]  ? sha256_final+0x303/0x380
[ 30.044510]  kasan_report.cold.7+0x242/0x2fe
[ 30.048899]  __asan_report_store4_noabort+0x17/0x20
[ 30.053894]  sha256_final+0x303/0x380
[ 30.057677]  crypto_shash_final+0x104/0x260
[ 30.061978]  ? sha256_generic_block_fn+0x70/0x70
[ 30.066715]  __keyctl_dh_compute+0x1184/0x1bc0
[ 30.071286]  ? copy_overflow+0x30/0x30
[ 30.075151]  ? save_stack+0xa9/0xd0
[ 30.078762]  ? find_held_lock+0x36/0x1c0
[ 30.082807]  ? lock_downgrade+0x8e0/0x8e0
[ 30.086937]  ? check_same_owner+0x320/0x320
[ 30.091238]  ? trace_hardirqs_off+0xd/0x10
[ 30.095453]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[ 30.100540]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 30.106063]  ? _copy_from_user+0xdf/0x150
[ 30.110194]  keyctl_dh_compute+0xb9/0x100
[ 30.114330]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[ 30.119065]  ? kzfree+0x28/0x30
[ 30.122324]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 30.127497]  __x64_sys_keyctl+0x12a/0x3b0
[ 30.131626]  do_syscall_64+0x1b1/0x800
[ 30.135497]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 30.140406]  ? syscall_return_slowpath+0x30f/0x5c0
[ 30.145318]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 30.150660]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.155490]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 30.160657] RIP: 0033:0x440019
[ 30.163823] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[ 30.183015] RSP: 002b:00007ffe563f4ba8 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[ 30.190711] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440019
[ 30.197960] RDX: 0000000020000080 RSI: 00000000200001c0 RDI: 0000000000000017
[ 30.205209] RBP: 00000000006ca018 R08: 0000000020000200 R09: 00000000004002c8
[ 30.212458] R10: 0000000000000005 R11: 0000000000000217 R12: 0000000000401940
[ 30.219716] R13: 00000000004019d0 R14: 0000000000000000 R15: 0000000000000000
[ 30.226972]
[ 30.228577] Allocated by task 4529:
[ 30.232184]  save_stack+0x43/0xd0
[ 30.235614]  kasan_kmalloc+0xc4/0xe0
[ 30.239304]  __kmalloc+0x14e/0x760
[ 30.242824]  __keyctl_dh_compute+0xfe9/0x1bc0
[ 30.247296]  keyctl_dh_compute+0xb9/0x100
[ 30.251421]  __x64_sys_keyctl+0x12a/0x3b0
[ 30.255546]  do_syscall_64+0x1b1/0x800
[ 30.259412]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 30.264572]
[ 30.266174] Freed by task 2874:
[ 30.269430]  save_stack+0x43/0xd0
[ 30.272858]  __kasan_slab_free+0x11a/0x170
[ 30.277068]  kasan_slab_free+0xe/0x10
[ 30.280846]  kfree+0xd9/0x260
[ 30.283930]  single_release+0x8f/0xb0
[ 30.287705]  __fput+0x353/0x890
[ 30.290958]  ____fput+0x15/0x20
[ 30.294216]  task_work_run+0x1e4/0x290
[ 30.298083]  exit_to_usermode_loop+0x2bd/0x310
[ 30.302650]  do_syscall_64+0x6ac/0x800
[ 30.306517]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 30.311677]
[ 30.313283] The buggy address belongs to the object at ffff8801d916fec0
[ 30.313283]  which belongs to the cache kmalloc-32 of size 32
[ 30.325751] The buggy address is located 0 bytes to the right of
[ 30.325751]  32-byte region [ffff8801d916fec0, ffff8801d916fee0)
[ 30.337866] The buggy address belongs to the page:
[ 30.342781] page:ffffea0007645bc0 count:1 mapcount:0 mapping:ffff8801d916f000 index:0xffff8801d916ffc1
[ 30.352203] flags: 0x2fffc0000000100(slab)
[ 30.356417] raw: 02fffc0000000100 ffff8801d916f000 ffff8801d916ffc1 000000010000000b
[ 30.364291] raw: ffffea00076423a0 ffffea000764d7e0 ffff8801da8001c0 0000000000000000
[ 30.372145] page dumped because: kasan: bad access detected
[ 30.377827]
[ 30.379430] Memory state around the buggy address:
[ 30.384338]  ffff8801d916fd80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 30.391673]  ffff8801d916fe00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 30.399016] >ffff8801d916fe80: fb fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc
[ 30.406356]                                                        ^
[ 30.412824]  ffff8801d916ff00: fb fb fb fb fc fc fc fc 00 01 fc fc fc fc fc fc
[ 30.420159]  ffff8801d916ff80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.427499] ==================================================================
[ 30.434832] Disabling lock debugging due to kernel taint
[ 30.440496] Kernel panic - not syncing: panic_on_warn set ...
[ 30.440496]
[ 30.447859] CPU: 0 PID: 4529 Comm: syz-executor894 Tainted: G B 4.17.0+ #89
[ 30.456233] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.465562] Call Trace:
[ 30.468131]  dump_stack+0x1b9/0x294
[ 30.471736]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 30.476907]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 30.481641]  ? sha256_final+0x2b0/0x380
[ 30.485593]  panic+0x22f/0x4de
[ 30.488763]  ? add_taint.cold.5+0x16/0x16
[ 30.492888]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 30.497273]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 30.501661]  ? sha256_final+0x303/0x380
[ 30.505614]  kasan_end_report+0x47/0x4f
[ 30.509566]  kasan_report.cold.7+0x76/0x2fe
[ 30.513866]  __asan_report_store4_noabort+0x17/0x20
[ 30.518861]  sha256_final+0x303/0x380
[ 30.522639]  crypto_shash_final+0x104/0x260
[ 30.526938]  ? sha256_generic_block_fn+0x70/0x70
[ 30.531673]  __keyctl_dh_compute+0x1184/0x1bc0
[ 30.536235]  ? copy_overflow+0x30/0x30
[ 30.540100]  ? save_stack+0xa9/0xd0
[ 30.543707]  ? find_held_lock+0x36/0x1c0
[ 30.547748]  ? lock_downgrade+0x8e0/0x8e0
[ 30.551872]  ? check_same_owner+0x320/0x320
[ 30.556169]  ? trace_hardirqs_off+0xd/0x10
[ 30.560384]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[ 30.565466]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 30.570979]  ? _copy_from_user+0xdf/0x150
[ 30.575103]  keyctl_dh_compute+0xb9/0x100
[ 30.579228]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[ 30.583960]  ? kzfree+0x28/0x30
[ 30.587217]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 30.592383]  __x64_sys_keyctl+0x12a/0x3b0
[ 30.596512]  do_syscall_64+0x1b1/0x800
[ 30.600378]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 30.605283]  ? syscall_return_slowpath+0x30f/0x5c0
[ 30.610192]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 30.615532]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.620356]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 30.625518] RIP: 0033:0x440019
[ 30.628681] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[ 30.647793] RSP: 002b:00007ffe563f4ba8 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[ 30.655476] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440019
[ 30.662719] RDX: 0000000020000080 RSI: 00000000200001c0 RDI: 0000000000000017
[ 30.669965] RBP: 00000000006ca018 R08: 0000000020000200 R09: 00000000004002c8
[ 30.677208] R10: 0000000000000005 R11: 0000000000000217 R12: 0000000000401940
[ 30.684455] R13: 00000000004019d0 R14: 0000000000000000 R15: 0000000000000000
[ 30.692132] Dumping ftrace buffer:
[ 30.695652]    (ftrace buffer empty)
[ 30.699336] Kernel Offset: disabled
[ 30.702945] Rebooting in 86400 seconds..