[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 21.654085] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 23.369070] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.771343] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.623204] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.785428] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.38' (ECDSA) to the list of known hosts.
[ 30.261284] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 30.379971] ==================================================================
[ 30.387510] BUG: KASAN: slab-out-of-bounds in tgr192_final+0x538/0x560
[ 30.394182] Write of size 8 at addr ffff8801d95d7a60 by task syz-executor494/4571
[ 30.401783]
[ 30.403405] CPU: 1 PID: 4571 Comm: syz-executor494 Not tainted 4.17.0+ #116
[ 30.410489] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.419831] Call Trace:
[ 30.422415]  dump_stack+0x1b9/0x294
[ 30.426043]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 30.431224]  ? printk+0x9e/0xba
[ 30.434492]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 30.439240]  ? kasan_check_write+0x14/0x20
[ 30.443467]  print_address_description+0x6c/0x20b
[ 30.448303]  ? tgr192_final+0x538/0x560
[ 30.452269]  kasan_report.cold.7+0x242/0x2fe
[ 30.456674]  __asan_report_store8_noabort+0x17/0x20
[ 30.461697]  tgr192_final+0x538/0x560
[ 30.465488]  crypto_shash_final+0x104/0x260
[ 30.469796]  ? tgr192_update+0x520/0x520
[ 30.473849]  __keyctl_dh_compute+0x1184/0x1bc0
[ 30.478428]  ? copy_overflow+0x30/0x30
[ 30.482307]  ? find_held_lock+0x36/0x1c0
[ 30.486361]  ? lock_downgrade+0x8e0/0x8e0
[ 30.490497]  ? check_same_owner+0x320/0x320
[ 30.494809]  ? kasan_check_write+0x14/0x20
[ 30.499029]  ? do_raw_spin_lock+0xc1/0x200
[ 30.503262]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 30.508792]  ? _copy_from_user+0xdf/0x150
[ 30.512950]  compat_keyctl_dh_compute+0x2c8/0x3e0
[ 30.517784]  ? __x32_compat_sys_keyctl+0x3b0/0x3b0
[ 30.522710]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 30.527895]  __ia32_compat_sys_keyctl+0x137/0x3b0
[ 30.532731]  do_fast_syscall_32+0x345/0xf9b
[ 30.537055]  ? do_int80_syscall_32+0x880/0x880
[ 30.541633]  ? do_syscall_64+0x48f/0x800
[ 30.545679]  ? syscall_slow_exit_work+0x4f0/0x4f0
[ 30.550525]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 30.555448]  ? syscall_return_slowpath+0x30f/0x5c0
[ 30.560366]  ? sysret32_from_system_call+0x5/0x46
[ 30.565200]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.570040]  entry_SYSENTER_compat+0x70/0x7f
[ 30.574451] RIP: 0023:0xf7fe8cb9
[ 30.577807] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 30.596993] RSP: 002b:00000000ff9a01fc EFLAGS: 00000292 ORIG_RAX: 0000000000000120
[ 30.604698] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000020000380
[ 30.611954] RDX: 0000000020000540 RSI: 0000000000000010 RDI: 00000000200005c0
[ 30.619216] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 30.626470] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[ 30.633729] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 30.641013]
[ 30.642635] Allocated by task 4571:
[ 30.646253]  save_stack+0x43/0xd0
[ 30.649706]  kasan_kmalloc+0xc4/0xe0
[ 30.653407]  __kmalloc+0x14e/0x760
[ 30.656940]  __keyctl_dh_compute+0xfe9/0x1bc0
[ 30.661423]  compat_keyctl_dh_compute+0x2c8/0x3e0
[ 30.666252]  __ia32_compat_sys_keyctl+0x137/0x3b0
[ 30.671083]  do_fast_syscall_32+0x345/0xf9b
[ 30.675402]  entry_SYSENTER_compat+0x70/0x7f
[ 30.679876]
[ 30.681488] Freed by task 2877:
[ 30.684756]  save_stack+0x43/0xd0
[ 30.688199]  __kasan_slab_free+0x11a/0x170
[ 30.692421]  kasan_slab_free+0xe/0x10
[ 30.696210]  kfree+0xd9/0x260
[ 30.699316]  single_release+0x8f/0xb0
[ 30.703106]  __fput+0x353/0x890
[ 30.706372]  ____fput+0x15/0x20
[ 30.709635]  task_work_run+0x1e4/0x290
[ 30.713514]  exit_to_usermode_loop+0x2bd/0x310
[ 30.718085]  do_syscall_64+0x6ac/0x800
[ 30.721962]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 30.727216]
[ 30.728828] The buggy address belongs to the object at ffff8801d95d7a40
[ 30.728828]  which belongs to the cache kmalloc-32 of size 32
[ 30.741298] The buggy address is located 0 bytes to the right of
[ 30.741298]  32-byte region [ffff8801d95d7a40, ffff8801d95d7a60)
[ 30.753428] The buggy address belongs to the page:
[ 30.758349] page:ffffea00076575c0 count:1 mapcount:0 mapping:ffff8801da8001c0 index:0xffff8801d95d7fc1
[ 30.767788] flags: 0x2fffc0000000100(slab)
[ 30.772015] raw: 02fffc0000000100 ffffea0007659188 ffffea0006b7a688 ffff8801da8001c0
[ 30.779887] raw: ffff8801d95d7fc1 ffff8801d95d7000 000000010000000a 0000000000000000
[ 30.787769] page dumped because: kasan: bad access detected
[ 30.793462]
[ 30.795070] Memory state around the buggy address:
[ 30.799983]  ffff8801d95d7900: fb fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc
[ 30.807328]  ffff8801d95d7980: fb fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc
[ 30.814677] >ffff8801d95d7a00: fb fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc
[ 30.822021]                                                        ^
[ 30.828513]  ffff8801d95d7a80: fb fb fb fb fc fc fc fc 00 01 fc fc fc fc fc fc
[ 30.835863]  ffff8801d95d7b00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 30.843211] ==================================================================
[ 30.850561] Disabling lock debugging due to kernel taint
[ 30.856081] Kernel panic - not syncing: panic_on_warn set ...
[ 30.856081]
[ 30.863476] CPU: 1 PID: 4571 Comm: syz-executor494 Tainted: G B 4.17.0+ #116
[ 30.871947] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.881296] Call Trace:
[ 30.883882]  dump_stack+0x1b9/0x294
[ 30.887496]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 30.892679]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 30.897424]  ? tgr192_final+0x4b0/0x560
[ 30.901386]  panic+0x22f/0x4de
[ 30.904656]  ? add_taint.cold.5+0x16/0x16
[ 30.908797]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 30.913192]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 30.917587]  ? tgr192_final+0x538/0x560
[ 30.921547]  kasan_end_report+0x47/0x4f
[ 30.925595]  kasan_report.cold.7+0x76/0x2fe
[ 30.929919]  __asan_report_store8_noabort+0x17/0x20
[ 30.934930]  tgr192_final+0x538/0x560
[ 30.938719]  crypto_shash_final+0x104/0x260
[ 30.943033]  ? tgr192_update+0x520/0x520
[ 30.947158]  __keyctl_dh_compute+0x1184/0x1bc0
[ 30.951732]  ? copy_overflow+0x30/0x30
[ 30.955611]  ? find_held_lock+0x36/0x1c0
[ 30.959659]  ? lock_downgrade+0x8e0/0x8e0
[ 30.963816]  ? check_same_owner+0x320/0x320
[ 30.968141]  ? kasan_check_write+0x14/0x20
[ 30.972360]  ? do_raw_spin_lock+0xc1/0x200
[ 30.976590]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 30.982135]  ? _copy_from_user+0xdf/0x150
[ 30.986270]  compat_keyctl_dh_compute+0x2c8/0x3e0
[ 30.991105]  ? __x32_compat_sys_keyctl+0x3b0/0x3b0
[ 30.996042]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 31.001223]  __ia32_compat_sys_keyctl+0x137/0x3b0
[ 31.006062]  do_fast_syscall_32+0x345/0xf9b
[ 31.010370]  ? do_int80_syscall_32+0x880/0x880
[ 31.014946]  ? do_syscall_64+0x48f/0x800
[ 31.018998]  ? syscall_slow_exit_work+0x4f0/0x4f0
[ 31.023833]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 31.028751]  ? syscall_return_slowpath+0x30f/0x5c0
[ 31.033671]  ? sysret32_from_system_call+0x5/0x46
[ 31.038520]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 31.043351]  entry_SYSENTER_compat+0x70/0x7f
[ 31.047744] RIP: 0023:0xf7fe8cb9
[ 31.051086] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 31.070227] RSP: 002b:00000000ff9a01fc EFLAGS: 00000292 ORIG_RAX: 0000000000000120
[ 31.077923] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000020000380
[ 31.085178] RDX: 0000000020000540 RSI: 0000000000000010 RDI: 00000000200005c0
[ 31.092451] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 31.099706] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[ 31.106973] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 31.114867] Dumping ftrace buffer:
[ 31.118418]    (ftrace buffer empty)
[ 31.122112] Kernel Offset: disabled
[ 31.125724] Rebooting in 86400 seconds..
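A small decoder for the "Memory state" block and the access/object lines of the report above, added here as an example; it is not part of the syzbot report or of the kernel's KASAN code. Its sample input is an excerpt of the report's own lines, embedded so it runs offline. The shadow-byte legend it uses is what mm/kasan/kasan.h defined around v4.17 (an assumption about this kernel build, since the report prints no legend). It confirms what the report states in prose: the 8-byte write at ffff8801d95d7a60 starts 0 bytes past the end of the 32-byte kmalloc-32 object at ffff8801d95d7a40 and lands on the first redzone granule (shadow 0xfc) after it, while the object's own four granules are addressable (shadow 00).

```python
# Decoder for the KASAN report above: checks the faulting access against the
# blamed slab object and the 'Memory state' shadow rows. Example code, not the
# kernel's, and the sample input below is an excerpt of the report's own lines.
import re

# Shadow byte values from mm/kasan/kasan.h around v4.17 (assumption about this
# kernel build; the report prints no legend). 1..7 = that many bytes addressable.
SHADOW_LEGEND = {
    0x00: "8 bytes addressable",
    0xfa: "global redzone",
    0xfb: "freed kmalloc object",
    0xfc: "kmalloc redzone",
    0xfe: "page redzone",
    0xff: "free page",
}
GRANULE = 8              # one shadow byte describes 8 bytes of memory
ROW_SPAN = 16 * GRANULE  # one dumped row shows 16 shadow bytes = 128 bytes

ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]{16})")
OBJECT_RE = re.compile(r"object at ([0-9a-f]{16})\s+which belongs to the cache (\S+) of size (\d+)")
ROW_RE = re.compile(r"^>?([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})$")

REPORT_EXCERPT = """\
Write of size 8 at addr ffff8801d95d7a60 by task syz-executor494/4571
The buggy address belongs to the object at ffff8801d95d7a40
 which belongs to the cache kmalloc-32 of size 32
Memory state around the buggy address:
 ffff8801d95d7900: fb fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc
 ffff8801d95d7980: fb fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc
>ffff8801d95d7a00: fb fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc
                                                       ^
 ffff8801d95d7a80: fb fb fb fb fc fc fc fc 00 01 fc fc fc fc fc fc
 ffff8801d95d7b00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
"""

def describe_shadow(value):
    """Human-readable meaning of one shadow byte."""
    if 1 <= value <= 7:
        return f"first {value} of 8 bytes addressable"
    return SHADOW_LEGEND.get(value, f"unknown shadow value 0x{value:02x}")

def parse_header(report):
    """(kind, size, addr, object start, cache name, object size)."""
    kind, size, addr = ACCESS_RE.search(report).groups()
    obj, cache, obj_size = OBJECT_RE.search(report).groups()
    return kind, int(size), int(addr, 16), int(obj, 16), cache, int(obj_size)

def parse_memory_state(report):
    """{row base address: [16 shadow values]} from the 'Memory state' rows."""
    state = {}
    for line in report.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            state[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return state

def granules_for_access(state, addr, size):
    """[(granule base, shadow value, meaning)] for each 8-byte granule touched."""
    first = addr & ~(GRANULE - 1)
    last = (addr + size - 1) & ~(GRANULE - 1)
    out = []
    for base in range(first, last + 1, GRANULE):
        row = base & ~(ROW_SPAN - 1)
        value = state[row][(base - row) // GRANULE]
        out.append((base, value, describe_shadow(value)))
    return out

def granule_poisoned(base, value, addr, size):
    """True if the access touches a byte this shadow value marks inaccessible."""
    if value == 0:
        return False
    if 1 <= value <= 7:  # partial granule: only its first `value` bytes are valid
        return min(addr + size, base + GRANULE) - 1 >= base + value
    return True

def analyse(report):
    """Cross-check the access against the object bounds and the shadow bytes."""
    kind, size, addr, obj_start, cache, obj_size = parse_header(report)
    obj_end = obj_start + obj_size
    granules = granules_for_access(parse_memory_state(report), addr, size)
    return {
        "kind": kind, "size": size, "addr": addr, "cache": cache,
        "object": (obj_start, obj_end),
        "bytes_right_of_object": addr - obj_end,   # KASAN's own phrasing
        "bytes_past_end": addr + size - obj_end,   # bytes of the access beyond the object
        "shadow": granules,
        "poisoned": any(granule_poisoned(b, v, addr, size) for b, v, _ in granules),
    }

if __name__ == "__main__":
    r = analyse(REPORT_EXCERPT)
    print(f"{r['kind']} of {r['size']} at {r['addr']:#x}: {r['bytes_past_end']} byte(s) "
          f"past the end of the {r['cache']} object at {r['object'][0]:#x}")
    for base, value, meaning in r["shadow"]:
        print(f"  granule {base:#x}: shadow 0x{value:02x} ({meaning})")
```

Each dumped row covers 128 bytes of memory, so the column of the faulting granule is (addr mod 128) / 8; for ffff8801d95d7a60 that is column 12 of the ">ffff8801d95d7a00" row, which is where the report's caret points. The partial-granule case (shadow 01 in the ffff8801d95d7a80 row) is handled so that a 1-byte access to the first byte of that granule is reported as valid and a 2-byte access as poisoned.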