[ 20.968338] random: sshd: uninitialized urandom read (32 bytes read, 34 bits of entropy available)
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 24.765915] random: sshd: uninitialized urandom read (32 bytes read, 39 bits of entropy available)
[ 25.150553] random: sshd: uninitialized urandom read (32 bytes read, 39 bits of entropy available)
[ 26.152964] random: sshd: uninitialized urandom read (32 bytes read, 121 bits of entropy available)
[ 26.318484] random: sshd: uninitialized urandom read (32 bytes read, 125 bits of entropy available)
[ 30.275211] random: nonblocking pool is initialized
Warning: Permanently added '10.128.0.59' (ECDSA) to the list of known hosts.
2018/03/10 21:37:54 parsed 1 programs
2018/03/10 21:37:54 executed programs: 0
[ 32.018614] IPVS: Creating netns size=2552 id=1
[ 32.050019] ==================================================================
[ 32.057383] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x153f/0x3490
[ 32.063938] Read of size 2368 at addr ffff8801d95582c0 by task syz-executor0/3795
[ 32.071527]
[ 32.073131] CPU: 1 PID: 3795 Comm: syz-executor0 Not tainted 4.4.120-gd63fdf6 #29
[ 32.080715] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.090039] 0000000000000000 ec840d6936bc4a2f ffff8800a99176f8 ffffffff81d0408d
[ 32.098008] ffffea0007655600 ffff8801d95582c0 0000000000000000 ffff8801d9558480
[ 32.105976] ffff8800a9917938 ffff8800a9917730 ffffffff814fe143 ffff8801d95582c0
[ 32.113937] Call Trace:
[ 32.116499] [] dump_stack+0xc1/0x124
[ 32.121830] [] print_address_description+0x73/0x260
[ 32.128460] [] kasan_report+0x285/0x370
[ 32.134049] [] ? pfkey_add+0x153f/0x3490
[ 32.139726] [] check_memory_region+0x137/0x190
[ 32.145925] [] memcpy+0x23/0x50
[ 32.150819] [] pfkey_add+0x153f/0x3490
[ 32.156322] [] ? pfkey_delete+0x370/0x370
[ 32.162092] [] ? pfkey_add+0x3490/0x3490
[ 32.167768] [] ? __skb_clone+0x24a/0x7d0
[ 32.173444] [] ? pfkey_delete+0x370/0x370
[ 32.179213] [] pfkey_process+0x68b/0x750
[ 32.184896] [] ? pfkey_send_new_mapping+0x11b0/0x11b0
[ 32.191705] [] pfkey_sendmsg+0x3a9/0x760
[ 32.197380] [] ? pfkey_spdget+0x820/0x820
[ 32.203146] [] sock_sendmsg+0xca/0x110
[ 32.208650] [] ___sys_sendmsg+0x6c1/0x7c0
[ 32.214413] [] ? copy_msghdr_from_user+0x550/0x550
[ 32.220960] [] ? __alloc_pages_direct_compact+0x250/0x250
[ 32.228122] [] ? do_futex+0x3f4/0x15d0
[ 32.233635] [] ? __lock_is_held+0xa1/0xf0
[ 32.239398] [] ? exit_robust_list+0x240/0x240
[ 32.245512] [] ? do_huge_pmd_anonymous_page+0x549/0xa10
[ 32.252493] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 32.259211] [] ? __fget_light+0xa3/0x1e0
[ 32.264888] [] ? __fdget+0x18/0x20
[ 32.270045] [] ? sockfd_lookup_light+0x118/0x160
[ 32.276419] [] __sys_sendmsg+0xd3/0x190
[ 32.282009] [] ? SyS_shutdown+0x1b0/0x1b0
[ 32.287775] [] ? compat_SyS_futex+0x1f9/0x2a0
[ 32.293889] [] ? __do_page_fault+0x380/0xa00
[ 32.299913] [] compat_SyS_sendmsg+0x2a/0x40
[ 32.305850] [] ? compat_SyS_getsockopt+0x2a0/0x2a0
[ 32.312399] [] do_fast_syscall_32+0x321/0x8a0
[ 32.318510] [] sysenter_flags_fixed+0xd/0x17
[ 32.324532]
[ 32.326127] Allocated by task 3795:
[ 32.329719] [] save_stack_trace+0x26/0x50
[ 32.335597] [] save_stack+0x43/0xd0
[ 32.340959] [] kasan_kmalloc+0xad/0xe0
[ 32.346581] [] kasan_krealloc+0x64/0x80
[ 32.352284] [] ksize+0x92/0xf0
[ 32.357207] [] __alloc_skb+0x132/0x600
[ 32.362824] [] pfkey_sendmsg+0x135/0x760
[ 32.368618] [] sock_sendmsg+0xca/0x110
[ 32.374235] [] ___sys_sendmsg+0x6c1/0x7c0
[ 32.380116] [] __sys_sendmsg+0xd3/0x190
[ 32.385820] [] compat_SyS_sendmsg+0x2a/0x40
[ 32.391871] [] do_fast_syscall_32+0x321/0x8a0
[ 32.398095] [] sysenter_flags_fixed+0xd/0x17
[ 32.404244]
[ 32.405841] Freed by task 0:
[ 32.408824] (stack is not available)
[ 32.412501]
[ 32.414098] The buggy address belongs to the object at ffff8801d9558280
[ 32.414098]  which belongs to the cache kmalloc-512 of size 512
[ 32.426719] The buggy address is located 64 bytes inside of
[ 32.426719]  512-byte region [ffff8801d9558280, ffff8801d9558480)
[ 32.438472] The buggy address belongs to the page:
[ 32.444415] kasan: CONFIG_KASAN_INLINE enabled
[ 32.448817] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 32.456316] ------------[ cut here ]------------
[ 32.461068] WARNING: CPU: 0 PID: 3790 at kernel/sched/core.c:7944 __might_sleep+0x138/0x1a0()
[ 32.469720] do not call blocking ops when !TASK_RUNNING; state=1 set at [] do_wait+0x270/0xa20
[ 32.480008] Kernel panic - not syncing: panic_on_warn set ...
[ 32.480008]
[ 33.628257] Shutting down cpus with NMI
[ 33.632726] Dumping ftrace buffer:
[ 33.636239] (ftrace buffer empty)
[ 33.639919] Kernel Offset: disabled
[ 33.643514] Rebooting in 86400 seconds..