[....] Starting periodic command scheduler: cron[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd[   20.864225] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].
[   22.147439] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.517880] random: sshd: uninitialized urandom read (32 bytes read)
[   23.342307] random: sshd: uninitialized urandom read (32 bytes read)
[   23.505829] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.28' (ECDSA) to the list of known hosts.
[   28.892833] random: sshd: uninitialized urandom read (32 bytes read)
2018/06/07 15:59:44 parsed 1 programs
[   30.224455] random: cc1: uninitialized urandom read (8 bytes read)
2018/06/07 15:59:46 executed programs: 0
[   31.468514] IPVS: ftp: loaded support on port[0] = 21
[   31.598317] bridge0: port 1(bridge_slave_0) entered blocking state
[   31.604804] bridge0: port 1(bridge_slave_0) entered disabled state
[   31.612309] device bridge_slave_0 entered promiscuous mode
[   31.628854] bridge0: port 2(bridge_slave_1) entered blocking state
[   31.635260] bridge0: port 2(bridge_slave_1) entered disabled state
[   31.642476] device bridge_slave_1 entered promiscuous mode
[   31.658210] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   31.674864] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   31.716789] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   31.734727] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   31.796900] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   31.804412] team0: Port device team_slave_0 added
[   31.819201] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   31.827226] team0: Port device team_slave_1 added
[   31.842652] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   31.860751] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   31.878547] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   31.895752] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   32.017420] bridge0: port 2(bridge_slave_1) entered blocking state
[   32.023906] bridge0: port 2(bridge_slave_1) entered forwarding state
[   32.030912] bridge0: port 1(bridge_slave_0) entered blocking state
[   32.037377] bridge0: port 1(bridge_slave_0) entered forwarding state
[   32.469873] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   32.476037] 8021q: adding VLAN 0 to HW filter on device bond0
[   32.521412] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   32.543990] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   32.573967] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   32.580242] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   32.587950] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   32.627696] 8021q: adding VLAN 0 to HW filter on device team0
[   32.895641] ==================================================================
[   32.903238] BUG: KASAN: slab-out-of-bounds in sha256_finup+0x4bf/0x540
[   32.909915] Write of size 4 at addr ffff8801d4304e20 by task syz-executor0/4836
[   32.917359]
[   32.918981] CPU: 0 PID: 4836 Comm: syz-executor0 Not tainted 4.17.0+ #114
[   32.925898] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.935242] Call Trace:
[   32.937830]  dump_stack+0x1b9/0x294
[   32.941454]  ? dump_stack_print_info.cold.2+0x52/0x52
[   32.946652]  ? printk+0x9e/0xba
[   32.949921]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   32.954679]  ? kasan_check_write+0x14/0x20
[   32.958905]  print_address_description+0x6c/0x20b
[   32.963736]  ? sha256_finup+0x4bf/0x540
[   32.967719]  kasan_report.cold.7+0x242/0x2fe
[   32.972121]  __asan_report_store4_noabort+0x17/0x20
[   32.977126]  sha256_finup+0x4bf/0x540
[   32.980912]  ? done_hash+0x12/0x12
[   32.984443]  sha256_avx2_final+0x28/0x30
[   32.988492]  crypto_shash_final+0x104/0x260
[   32.992900]  ? sha256_avx2_finup+0x40/0x40
[   32.997124]  __keyctl_dh_compute+0x1184/0x1bc0
[   33.001721]  ? copy_overflow+0x30/0x30
[   33.005605]  ? __schedule+0x809/0x1e30
[   33.009488]  ? find_held_lock+0x36/0x1c0
[   33.013543]  ? lock_downgrade+0x8e0/0x8e0
[   33.017675]  ? do_fast_syscall_32+0x345/0xf9b
[   33.022182]  ? check_same_owner+0x320/0x320
[   33.026499]  ? kasan_check_read+0x11/0x20
[   33.030649]  ? do_raw_spin_unlock+0x9e/0x2e0
[   33.035059]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   33.039645]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   33.045171]  ? _copy_from_user+0xdf/0x150
[   33.049310]  compat_keyctl_dh_compute+0x2c8/0x3e0
[   33.054167]  ? __x32_compat_sys_keyctl+0x3b0/0x3b0
[   33.059093]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   33.064279]  __ia32_compat_sys_keyctl+0x137/0x3b0
[   33.069113]  do_fast_syscall_32+0x345/0xf9b
[   33.073425]  ? do_int80_syscall_32+0x880/0x880
[   33.078006]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   33.082778]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.088319]  ? syscall_return_slowpath+0x30f/0x5c0
[   33.093249]  ? sysret32_from_system_call+0x5/0x46
[   33.098089]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   33.102923]  entry_SYSENTER_compat+0x70/0x7f
[   33.107316] RIP: 0023:0xf7f0bcb9
[   33.110660] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   33.129877] RSP: 002b:00000000ffc3a64c EFLAGS: 00000286 ORIG_RAX: 0000000000000120
[   33.137576] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000020000100
[   33.144833] RDX: 0000000020000180 RSI: 0000000000000005 RDI: 0000000020000240
[   33.152089] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   33.159359] R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
[   33.166632] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   33.173909]
[   33.175531] Allocated by task 4836:
[   33.179147]  save_stack+0x43/0xd0
[   33.182585]  kasan_kmalloc+0xc4/0xe0
[   33.186310]  __kmalloc+0x14e/0x760
[   33.189838]  __keyctl_dh_compute+0xfe9/0x1bc0
[   33.194318]  compat_keyctl_dh_compute+0x2c8/0x3e0
[   33.199158]  __ia32_compat_sys_keyctl+0x137/0x3b0
[   33.203996]  do_fast_syscall_32+0x345/0xf9b
[   33.208319]  entry_SYSENTER_compat+0x70/0x7f
[   33.212705]
[   33.214325] Freed by task 2310:
[   33.217591]  save_stack+0x43/0xd0
[   33.221043]  __kasan_slab_free+0x11a/0x170
[   33.225286]  kasan_slab_free+0xe/0x10
[   33.229078]  kfree+0xd9/0x260
[   33.232172]  kvfree+0x61/0x70
[   33.235268]  __vunmap+0x2c5/0x3c0
[   33.238705]  vfree+0x68/0x100
[   33.241812]  n_tty_close+0xc3/0x130
[   33.245434]  tty_ldisc_close.isra.0+0xb0/0xe0
[   33.249924]  tty_ldisc_kill+0x4b/0xc0
[   33.253711]  tty_ldisc_release+0xc5/0x280
[   33.257849]  tty_release_struct+0x1a/0x50
[   33.261983]  tty_release+0xe96/0x12e0
[   33.265772]  __fput+0x353/0x890
[   33.269041]  ____fput+0x15/0x20
[   33.272307]  task_work_run+0x1e4/0x290
[   33.276186]  exit_to_usermode_loop+0x2bd/0x310
[   33.280754]  do_syscall_64+0x6ac/0x800
[   33.284636]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.289808]
[   33.291422] The buggy address belongs to the object at ffff8801d4304e00
[   33.291422]  which belongs to the cache kmalloc-32 of size 32
[   33.303899] The buggy address is located 0 bytes to the right of
[   33.303899]  32-byte region [ffff8801d4304e00, ffff8801d4304e20)
[   33.316125] The buggy address belongs to the page:
[   33.321053] page:ffffea000750c100 count:1 mapcount:0 mapping:ffff8801d4304000 index:0xffff8801d4304fc1
[   33.330525] flags: 0x2fffc0000000100(slab)
[   33.334769] raw: 02fffc0000000100 ffff8801d4304000 ffff8801d4304fc1 0000000100000017
[   33.342645] raw: ffffea00074a1660 ffffea00074f8660 ffff8801da8001c0 0000000000000000
[   33.350513] page dumped because: kasan: bad access detected
[   33.356206]
[   33.357814] Memory state around the buggy address:
[   33.362731]  ffff8801d4304d00: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[   33.370092]  ffff8801d4304d80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   33.377453] >ffff8801d4304e00: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc
[   33.384812]                                ^
[   33.389211]  ffff8801d4304e80: fb fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   33.396555]  ffff8801d4304f00: fb fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   33.403897] ==================================================================
[   33.411239] Disabling lock debugging due to kernel taint
[   33.418182] Kernel panic - not syncing: panic_on_warn set ...
[   33.418182]
[   33.425556] CPU: 0 PID: 4836 Comm: syz-executor0 Tainted: G B 4.17.0+ #114
[   33.433857] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.443205] Call Trace:
[   33.445785]  dump_stack+0x1b9/0x294
[   33.449404]  ? dump_stack_print_info.cold.2+0x52/0x52
[   33.454597]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   33.459355]  ? sha256_finup+0x480/0x540
[   33.463319]  panic+0x22f/0x4de
[   33.466498]  ? add_taint.cold.5+0x16/0x16
[   33.470634]  ? do_raw_spin_unlock+0x9e/0x2e0
[   33.475036]  ? do_raw_spin_unlock+0x9e/0x2e0
[   33.479433]  ? sha256_finup+0x4bf/0x540
[   33.483406]  kasan_end_report+0x47/0x4f
[   33.487378]  kasan_report.cold.7+0x76/0x2fe
[   33.492479]  __asan_report_store4_noabort+0x17/0x20
[   33.497486]  sha256_finup+0x4bf/0x540
[   33.501279]  ? done_hash+0x12/0x12
[   33.504848]  sha256_avx2_final+0x28/0x30
[   33.508898]  crypto_shash_final+0x104/0x260
[   33.513206]  ? sha256_avx2_finup+0x40/0x40
[   33.517428]  __keyctl_dh_compute+0x1184/0x1bc0
[   33.522032]  ? copy_overflow+0x30/0x30
[   33.525915]  ? __schedule+0x809/0x1e30
[   33.529796]  ? find_held_lock+0x36/0x1c0
[   33.533852]  ? lock_downgrade+0x8e0/0x8e0
[   33.538007]  ? do_fast_syscall_32+0x345/0xf9b
[   33.542499]  ? check_same_owner+0x320/0x320
[   33.546806]  ? kasan_check_read+0x11/0x20
[   33.550944]  ? do_raw_spin_unlock+0x9e/0x2e0
[   33.555342]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   33.559931]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   33.566674]  ? _copy_from_user+0xdf/0x150
[   33.570807]  compat_keyctl_dh_compute+0x2c8/0x3e0
[   33.575640]  ? __x32_compat_sys_keyctl+0x3b0/0x3b0
[   33.580570]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   33.585746]  __ia32_compat_sys_keyctl+0x137/0x3b0
[   33.590589]  do_fast_syscall_32+0x345/0xf9b
[   33.594904]  ? do_int80_syscall_32+0x880/0x880
[   33.599473]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   33.604225]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.609759]  ? syscall_return_slowpath+0x30f/0x5c0
[   33.614677]  ? sysret32_from_system_call+0x5/0x46
[   33.619510]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   33.624341]  entry_SYSENTER_compat+0x70/0x7f
[   33.628742] RIP: 0023:0xf7f0bcb9
[   33.632097] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   33.651313] RSP: 002b:00000000ffc3a64c EFLAGS: 00000286 ORIG_RAX: 0000000000000120
[   33.659011] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000020000100
[   33.666287] RDX: 0000000020000180 RSI: 0000000000000005 RDI: 0000000020000240
[   33.673548] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   33.680805] R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
[   33.688060] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   33.695842] Dumping ftrace buffer:
[   33.699367]    (ftrace buffer empty)
[   33.703056] Kernel Offset: disabled
[   33.706678] Rebooting in 86400 seconds..
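The report above contains everything a first-pass triage needs, but the facts are spread over several sections: the header names the faulting function (sha256_finup) and the access (a 4-byte write); the "Allocated by" stack shows the 32-byte kmalloc-32 object came from __keyctl_dh_compute, reached through the 32-bit compat keyctl entry point; the object description shows the write lands exactly at the end of that object (offset 32 of a 32-byte region); and the "Freed by task 2310" stack under n_tty_close is not part of the bug at all, since for an out-of-bounds access the object is still live and that stack merely records the slab slot's previous occupant. Frames prefixed with "?" are addresses the unwinder found on the stack but could not confirm as return addresses. The helper below, added here as an example and not part of the syzkaller log or the kernel, parses those sections and derives the offset, the allocation and free sites, and the reliable call chain. The embedded text is an abbreviated copy of this page's report with timestamps removed; the NOISE prefix list, the KasanTriage dataclass and the function names are my own choices.

```python
"""KASAN report triage (added example; not part of the syzkaller log or the kernel)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Abbreviated copy of the report above, "[ t.tttttt]" timestamps removed.
SAMPLE_REPORT = """\
BUG: KASAN: slab-out-of-bounds in sha256_finup+0x4bf/0x540
Write of size 4 at addr ffff8801d4304e20 by task syz-executor0/4836
Call Trace:
 __asan_report_store4_noabort+0x17/0x20
 sha256_finup+0x4bf/0x540
 ? done_hash+0x12/0x12
 sha256_avx2_final+0x28/0x30
 crypto_shash_final+0x104/0x260
 __keyctl_dh_compute+0x1184/0x1bc0
 entry_SYSENTER_compat+0x70/0x7f

Allocated by task 4836:
 save_stack+0x43/0xd0
 kasan_kmalloc+0xc4/0xe0
 __kmalloc+0x14e/0x760
 __keyctl_dh_compute+0xfe9/0x1bc0

Freed by task 2310:
 __kasan_slab_free+0x11a/0x170
 kfree+0xd9/0x260
 n_tty_close+0xc3/0x130

The buggy address belongs to the object at ffff8801d4304e00
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 0 bytes to the right of
 32-byte region [ffff8801d4304e00, ffff8801d4304e20)
"""

HEADER_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_RE = re.compile(r"^(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
SECTION_RE = re.compile(r"^(?P<name>Call|Allocated|Freed)( Trace| by task \d+):$")
FRAME_RE = re.compile(r"^\s*(?P<guess>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size \d+")
REGION_RE = re.compile(r"\d+-byte region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
# Instrumentation and allocator frames to skip; the first reliable frame after them is the site.
NOISE = ("save_stack", "kasan_", "__kasan_", "__asan_", "dump_stack", "print_address_description",
         "__kmalloc", "kmalloc", "kmem_cache_", "kfree", "kvfree", "__vunmap", "vfree")

@dataclass
class KasanTriage:
    kind: str
    func: str
    rw: str
    size: int
    addr: int
    task: str
    cache: Optional[str] = None
    region: Optional[Tuple[int, int]] = None  # [start, end) of the slab object
    stacks: Dict[str, List[Tuple[str, bool]]] = field(default_factory=dict)  # (symbol, reliable)

    @property
    def offset(self) -> Optional[int]:
        # Offset of the access from the object start; equal to the object size means "just past the end".
        return None if self.region is None else self.addr - self.region[0]
    def site(self, section: str) -> Optional[str]:
        """First reliable, non-instrumentation frame of 'Call', 'Allocated' or 'Freed'."""
        for sym, reliable in self.stacks.get(section, []):
            if reliable and not sym.startswith(NOISE):
                return sym
        return None
    @property
    def free_stack_relevant(self) -> bool:
        # For an out-of-bounds access the object is live, so "Freed by" only names the slot's
        # previous occupant (here a tty buffer) and is not part of the bug.
        return "use-after-free" in self.kind

def caller_chain(t: KasanTriage) -> List[str]:
    """Reliable frames from the faulting function outward ('? ' frames are unwinder guesses)."""
    frames = [s for s, ok in t.stacks.get("Call", []) if ok and not s.startswith(NOISE)]
    return frames[frames.index(t.func):] if t.func in frames else frames

def parse_kasan_report(text: str) -> KasanTriage:
    header = access = cache = region = current = None
    stacks: Dict[str, List[Tuple[str, bool]]] = {}
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            header = m
        elif m := ACCESS_RE.match(line):
            access = m
        elif m := SECTION_RE.match(line):
            current = m["name"]
            stacks[current] = []
        elif current and (m := FRAME_RE.match(line)):
            stacks[current].append((m["sym"], m["guess"] is None))
        else:
            current = None  # a blank or prose line ends the current stack
            if m := CACHE_RE.search(line):
                cache = m["cache"]
            elif m := REGION_RE.search(line):
                region = (int(m["start"], 16), int(m["end"], 16))
    if header is None or access is None:
        raise ValueError("not a KASAN report")
    return KasanTriage(header["kind"], header["func"], access["rw"], int(access["size"]),
                       int(access["addr"], 16), access["task"], cache, region, stacks)
```

Running `parse_kasan_report(SAMPLE_REPORT)` on this report yields offset 32 in a kmalloc-32 object allocated in __keyctl_dh_compute, with n_tty_close as the (irrelevant) free site and a caller chain that starts at sha256_finup and ends at entry_SYSENTER_compat, i.e. the 32-bit compat syscall path. A 4-byte store at the very first byte past the object is consistent with a SHA-256 finalisation writing its digest out one 32-bit word at a time into a destination with fewer than 32 bytes left; where the caller's length accounting went wrong is for the source to answer, not the report.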