[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 22.001537] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 25.596383] random: sshd: uninitialized urandom read (32 bytes read) [ 26.080245] random: sshd: uninitialized urandom read (32 bytes read) [ 26.874306] random: sshd: uninitialized urandom read (32 bytes read) [ 27.035914] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.13' (ECDSA) to the list of known hosts. [ 32.528607] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 32.623950] ================================================================== [ 32.631536] BUG: KASAN: slab-out-of-bounds in sha256_finup+0x4bf/0x540 [ 32.638197] Write of size 4 at addr ffff8801d90f4fa0 by task syz-executor951/4587 [ 32.645794] [ 32.647408] CPU: 0 PID: 4587 Comm: syz-executor951 Not tainted 4.17.0+ #89 [ 32.654399] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.663737] Call Trace: [ 32.666317] dump_stack+0x1b9/0x294 [ 32.669936] ? dump_stack_print_info.cold.2+0x52/0x52 [ 32.675123] ? printk+0x9e/0xba [ 32.678416] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 32.683287] ? kasan_check_write+0x14/0x20 [ 32.687543] print_address_description+0x6c/0x20b [ 32.692402] ? sha256_finup+0x4bf/0x540 [ 32.696375] kasan_report.cold.7+0x242/0x2fe [ 32.700779] __asan_report_store4_noabort+0x17/0x20 [ 32.705779] sha256_finup+0x4bf/0x540 [ 32.709565] ? done_hash+0x12/0x12 [ 32.713091] sha256_avx2_final+0x28/0x30 [ 32.717144] crypto_shash_final+0x104/0x260 [ 32.721448] ? sha256_avx2_finup+0x40/0x40 [ 32.725668] __keyctl_dh_compute+0x1184/0x1bc0 [ 32.730243] ? copy_overflow+0x30/0x30 [ 32.734118] ? save_stack+0xa9/0xd0 [ 32.737749] ? find_held_lock+0x36/0x1c0 [ 32.741814] ? lock_downgrade+0x8e0/0x8e0 [ 32.746044] ? check_same_owner+0x320/0x320 [ 32.750437] ? trace_hardirqs_off+0xd/0x10 [ 32.754664] ? _raw_spin_unlock_irqrestore+0x63/0xc0 [ 32.759775] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 32.765295] ? _copy_from_user+0xdf/0x150 [ 32.769439] keyctl_dh_compute+0xb9/0x100 [ 32.773579] ? __keyctl_dh_compute+0x1bc0/0x1bc0 [ 32.778338] ? kzfree+0x28/0x30 [ 32.781601] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 32.786779] __x64_sys_keyctl+0x12a/0x3b0 [ 32.790929] do_syscall_64+0x1b1/0x800 [ 32.794811] ? syscall_return_slowpath+0x5c0/0x5c0 [ 32.799726] ? syscall_return_slowpath+0x30f/0x5c0 [ 32.804640] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 32.809992] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 32.814838] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.820015] RIP: 0033:0x43ffa9 [ 32.823200] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 [ 32.842559] RSP: 002b:00007fff45562268 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa [ 32.850341] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9 [ 32.857594] RDX: 0000000020000180 RSI: 0000000020000100 RDI: 0000000000000017 [ 32.864886] RBP: 00000000006ca018 R08: 0000000020000240 R09: 00000000004002c8 [ 32.872382] R10: 0000000000000005 R11: 0000000000000217 R12: 00000000004018d0 [ 32.879642] R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000 [ 32.886913] [ 32.888537] Allocated by task 4587: [ 32.892183] save_stack+0x43/0xd0 [ 32.895650] kasan_kmalloc+0xc4/0xe0 [ 32.899350] __kmalloc+0x14e/0x760 [ 32.902897] __keyctl_dh_compute+0xfe9/0x1bc0 [ 32.907376] keyctl_dh_compute+0xb9/0x100 [ 32.911513] __x64_sys_keyctl+0x12a/0x3b0 [ 32.916319] do_syscall_64+0x1b1/0x800 [ 32.920197] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.925360] [ 32.926967] Freed by task 2882: [ 32.930242] save_stack+0x43/0xd0 [ 32.933685] __kasan_slab_free+0x11a/0x170 [ 32.937915] kasan_slab_free+0xe/0x10 [ 32.941803] kfree+0xd9/0x260 [ 32.944911] single_release+0x8f/0xb0 [ 32.948706] __fput+0x353/0x890 [ 32.951982] ____fput+0x15/0x20 [ 32.955269] task_work_run+0x1e4/0x290 [ 32.959160] exit_to_usermode_loop+0x2bd/0x310 [ 32.963737] do_syscall_64+0x6ac/0x800 [ 32.967611] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.972780] [ 32.974388] The buggy address belongs to the object at ffff8801d90f4f80 [ 32.974388] which belongs to the cache kmalloc-32 of size 32 [ 32.986890] The buggy address is located 0 bytes to the right of [ 32.986890] 32-byte region [ffff8801d90f4f80, ffff8801d90f4fa0) [ 32.999032] The buggy address belongs to the page: [ 33.003957] page:ffffea0007643d00 count:1 mapcount:0 mapping:ffff8801d90f4000 index:0xffff8801d90f4fc1 [ 33.013393] flags: 0x2fffc0000000100(slab) [ 33.017623] raw: 02fffc0000000100 ffff8801d90f4000 ffff8801d90f4fc1 000000010000003b [ 33.025501] raw: ffffea0007648d20 ffffea0007632fe0 ffff8801da8001c0 0000000000000000 [ 33.033364] page dumped because: kasan: bad access detected [ 33.039336] [ 33.040963] Memory state around the buggy address: [ 33.045877] ffff8801d90f4e80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 33.053218] ffff8801d90f4f00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 33.060578] >ffff8801d90f4f80: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc [ 33.067915] ^ [ 33.072313] ffff8801d90f5000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 33.079653] ffff8801d90f5080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 33.086990] ================================================================== [ 33.094337] Disabling lock debugging due to kernel taint [ 33.100027] Kernel panic - not syncing: panic_on_warn set ... [ 33.100027] [ 33.107392] CPU: 0 PID: 4587 Comm: syz-executor951 Tainted: G B 4.17.0+ #89 [ 33.115783] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 33.125132] Call Trace: [ 33.127713] dump_stack+0x1b9/0x294 [ 33.131323] ? dump_stack_print_info.cold.2+0x52/0x52 [ 33.136614] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 33.141355] ? sha256_finup+0x480/0x540 [ 33.145314] panic+0x22f/0x4de [ 33.148485] ? add_taint.cold.5+0x16/0x16 [ 33.152627] ? do_raw_spin_unlock+0x9e/0x2e0 [ 33.157021] ? do_raw_spin_unlock+0x9e/0x2e0 [ 33.161413] ? sha256_finup+0x4bf/0x540 [ 33.165379] kasan_end_report+0x47/0x4f [ 33.169335] kasan_report.cold.7+0x76/0x2fe [ 33.173654] __asan_report_store4_noabort+0x17/0x20 [ 33.178650] sha256_finup+0x4bf/0x540 [ 33.182439] ? done_hash+0x12/0x12 [ 33.186049] sha256_avx2_final+0x28/0x30 [ 33.190093] crypto_shash_final+0x104/0x260 [ 33.194407] ? sha256_avx2_finup+0x40/0x40 [ 33.198626] __keyctl_dh_compute+0x1184/0x1bc0 [ 33.203192] ? copy_overflow+0x30/0x30 [ 33.207071] ? save_stack+0xa9/0xd0 [ 33.210699] ? find_held_lock+0x36/0x1c0 [ 33.214781] ? lock_downgrade+0x8e0/0x8e0 [ 33.218934] ? check_same_owner+0x320/0x320 [ 33.223254] ? trace_hardirqs_off+0xd/0x10 [ 33.227478] ? _raw_spin_unlock_irqrestore+0x63/0xc0 [ 33.232571] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 33.238096] ? _copy_from_user+0xdf/0x150 [ 33.242231] keyctl_dh_compute+0xb9/0x100 [ 33.246385] ? __keyctl_dh_compute+0x1bc0/0x1bc0 [ 33.251135] ? kzfree+0x28/0x30 [ 33.254411] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 33.259607] __x64_sys_keyctl+0x12a/0x3b0 [ 33.263753] do_syscall_64+0x1b1/0x800 [ 33.267622] ? syscall_return_slowpath+0x5c0/0x5c0 [ 33.272536] ? syscall_return_slowpath+0x30f/0x5c0 [ 33.277460] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 33.282814] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 33.287645] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 33.292903] RIP: 0033:0x43ffa9 [ 33.296078] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 [ 33.315573] RSP: 002b:00007fff45562268 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa [ 33.323273] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9 [ 33.330535] RDX: 0000000020000180 RSI: 0000000020000100 RDI: 0000000000000017 [ 33.337806] RBP: 00000000006ca018 R08: 0000000020000240 R09: 00000000004002c8 [ 33.345085] R10: 0000000000000005 R11: 0000000000000217 R12: 00000000004018d0 [ 33.352347] R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000 [ 33.360219] Dumping ftrace buffer: [ 33.363928] (ftrace buffer empty) [ 33.367625] Kernel Offset: disabled [ 33.371244] Rebooting in 86400 seconds..