[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   21.654085] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.369070] random: sshd: uninitialized urandom read (32 bytes read)
[   23.771343] random: sshd: uninitialized urandom read (32 bytes read)
[   24.623204] random: sshd: uninitialized urandom read (32 bytes read)
[   24.785428] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.38' (ECDSA) to the list of known hosts.
[   30.261284] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   30.379971] ==================================================================
[   30.387510] BUG: KASAN: slab-out-of-bounds in tgr192_final+0x538/0x560
[   30.394182] Write of size 8 at addr ffff8801d95d7a60 by task syz-executor494/4571
[   30.401783] 
[   30.403405] CPU: 1 PID: 4571 Comm: syz-executor494 Not tainted 4.17.0+ #116
[   30.410489] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.419831] Call Trace:
[   30.422415]  dump_stack+0x1b9/0x294
[   30.426043]  ? dump_stack_print_info.cold.2+0x52/0x52
[   30.431224]  ? printk+0x9e/0xba
[   30.434492]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   30.439240]  ? kasan_check_write+0x14/0x20
[   30.443467]  print_address_description+0x6c/0x20b
[   30.448303]  ? tgr192_final+0x538/0x560
[   30.452269]  kasan_report.cold.7+0x242/0x2fe
[   30.456674]  __asan_report_store8_noabort+0x17/0x20
[   30.461697]  tgr192_final+0x538/0x560
[   30.465488]  crypto_shash_final+0x104/0x260
[   30.469796]  ? tgr192_update+0x520/0x520
[   30.473849]  __keyctl_dh_compute+0x1184/0x1bc0
[   30.478428]  ? copy_overflow+0x30/0x30
[   30.482307]  ? find_held_lock+0x36/0x1c0
[   30.486361]  ? lock_downgrade+0x8e0/0x8e0
[   30.490497]  ? check_same_owner+0x320/0x320
[   30.494809]  ? kasan_check_write+0x14/0x20
[   30.499029]  ? do_raw_spin_lock+0xc1/0x200
[   30.503262]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   30.508792]  ? _copy_from_user+0xdf/0x150
[   30.512950]  compat_keyctl_dh_compute+0x2c8/0x3e0
[   30.517784]  ? __x32_compat_sys_keyctl+0x3b0/0x3b0
[   30.522710]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   30.527895]  __ia32_compat_sys_keyctl+0x137/0x3b0
[   30.532731]  do_fast_syscall_32+0x345/0xf9b
[   30.537055]  ? do_int80_syscall_32+0x880/0x880
[   30.541633]  ? do_syscall_64+0x48f/0x800
[   30.545679]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   30.550525]  ? syscall_return_slowpath+0x5c0/0x5c0
[   30.555448]  ? syscall_return_slowpath+0x30f/0x5c0
[   30.560366]  ? sysret32_from_system_call+0x5/0x46
[   30.565200]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.570040]  entry_SYSENTER_compat+0x70/0x7f
[   30.574451] RIP: 0023:0xf7fe8cb9
[   30.577807] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 
[   30.596993] RSP: 002b:00000000ff9a01fc EFLAGS: 00000292 ORIG_RAX: 0000000000000120
[   30.604698] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000020000380
[   30.611954] RDX: 0000000020000540 RSI: 0000000000000010 RDI: 00000000200005c0
[   30.619216] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   30.626470] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[   30.633729] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   30.641013] 
[   30.642635] Allocated by task 4571:
[   30.646253]  save_stack+0x43/0xd0
[   30.649706]  kasan_kmalloc+0xc4/0xe0
[   30.653407]  __kmalloc+0x14e/0x760
[   30.656940]  __keyctl_dh_compute+0xfe9/0x1bc0
[   30.661423]  compat_keyctl_dh_compute+0x2c8/0x3e0
[   30.666252]  __ia32_compat_sys_keyctl+0x137/0x3b0
[   30.671083]  do_fast_syscall_32+0x345/0xf9b
[   30.675402]  entry_SYSENTER_compat+0x70/0x7f
[   30.679876] 
[   30.681488] Freed by task 2877:
[   30.684756]  save_stack+0x43/0xd0
[   30.688199]  __kasan_slab_free+0x11a/0x170
[   30.692421]  kasan_slab_free+0xe/0x10
[   30.696210]  kfree+0xd9/0x260
[   30.699316]  single_release+0x8f/0xb0
[   30.703106]  __fput+0x353/0x890
[   30.706372]  ____fput+0x15/0x20
[   30.709635]  task_work_run+0x1e4/0x290
[   30.713514]  exit_to_usermode_loop+0x2bd/0x310
[   30.718085]  do_syscall_64+0x6ac/0x800
[   30.721962]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.727216] 
[   30.728828] The buggy address belongs to the object at ffff8801d95d7a40
[   30.728828]  which belongs to the cache kmalloc-32 of size 32
[   30.741298] The buggy address is located 0 bytes to the right of
[   30.741298]  32-byte region [ffff8801d95d7a40, ffff8801d95d7a60)
[   30.753428] The buggy address belongs to the page:
[   30.758349] page:ffffea00076575c0 count:1 mapcount:0 mapping:ffff8801da8001c0 index:0xffff8801d95d7fc1
[   30.767788] flags: 0x2fffc0000000100(slab)
[   30.772015] raw: 02fffc0000000100 ffffea0007659188 ffffea0006b7a688 ffff8801da8001c0
[   30.779887] raw: ffff8801d95d7fc1 ffff8801d95d7000 000000010000000a 0000000000000000
[   30.787769] page dumped because: kasan: bad access detected
[   30.793462] 
[   30.795070] Memory state around the buggy address:
[   30.799983]  ffff8801d95d7900: fb fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc
[   30.807328]  ffff8801d95d7980: fb fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc
[   30.814677] >ffff8801d95d7a00: fb fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc
[   30.822021]                                                        ^
[   30.828513]  ffff8801d95d7a80: fb fb fb fb fc fc fc fc 00 01 fc fc fc fc fc fc
[   30.835863]  ffff8801d95d7b00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   30.843211] ==================================================================
[   30.850561] Disabling lock debugging due to kernel taint
[   30.856081] Kernel panic - not syncing: panic_on_warn set ...
[   30.856081] 
[   30.863476] CPU: 1 PID: 4571 Comm: syz-executor494 Tainted: G    B             4.17.0+ #116
[   30.871947] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.881296] Call Trace:
[   30.883882]  dump_stack+0x1b9/0x294
[   30.887496]  ? dump_stack_print_info.cold.2+0x52/0x52
[   30.892679]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.897424]  ? tgr192_final+0x4b0/0x560
[   30.901386]  panic+0x22f/0x4de
[   30.904656]  ? add_taint.cold.5+0x16/0x16
[   30.908797]  ? do_raw_spin_unlock+0x9e/0x2e0
[   30.913192]  ? do_raw_spin_unlock+0x9e/0x2e0
[   30.917587]  ? tgr192_final+0x538/0x560
[   30.921547]  kasan_end_report+0x47/0x4f
[   30.925595]  kasan_report.cold.7+0x76/0x2fe
[   30.929919]  __asan_report_store8_noabort+0x17/0x20
[   30.934930]  tgr192_final+0x538/0x560
[   30.938719]  crypto_shash_final+0x104/0x260
[   30.943033]  ? tgr192_update+0x520/0x520
[   30.947158]  __keyctl_dh_compute+0x1184/0x1bc0
[   30.951732]  ? copy_overflow+0x30/0x30
[   30.955611]  ? find_held_lock+0x36/0x1c0
[   30.959659]  ? lock_downgrade+0x8e0/0x8e0
[   30.963816]  ? check_same_owner+0x320/0x320
[   30.968141]  ? kasan_check_write+0x14/0x20
[   30.972360]  ? do_raw_spin_lock+0xc1/0x200
[   30.976590]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   30.982135]  ? _copy_from_user+0xdf/0x150
[   30.986270]  compat_keyctl_dh_compute+0x2c8/0x3e0
[   30.991105]  ? __x32_compat_sys_keyctl+0x3b0/0x3b0
[   30.996042]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   31.001223]  __ia32_compat_sys_keyctl+0x137/0x3b0
[   31.006062]  do_fast_syscall_32+0x345/0xf9b
[   31.010370]  ? do_int80_syscall_32+0x880/0x880
[   31.014946]  ? do_syscall_64+0x48f/0x800
[   31.018998]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   31.023833]  ? syscall_return_slowpath+0x5c0/0x5c0
[   31.028751]  ? syscall_return_slowpath+0x30f/0x5c0
[   31.033671]  ? sysret32_from_system_call+0x5/0x46
[   31.038520]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.043351]  entry_SYSENTER_compat+0x70/0x7f
[   31.047744] RIP: 0023:0xf7fe8cb9
[   31.051086] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 
[   31.070227] RSP: 002b:00000000ff9a01fc EFLAGS: 00000292 ORIG_RAX: 0000000000000120
[   31.077923] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000020000380
[   31.085178] RDX: 0000000020000540 RSI: 0000000000000010 RDI: 00000000200005c0
[   31.092451] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   31.099706] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[   31.106973] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   31.114867] Dumping ftrace buffer:
[   31.118418]    (ftrace buffer empty)
[   31.122112] Kernel Offset: disabled
[   31.125724] Rebooting in 86400 seconds..