[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   20.615801] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   25.243060] random: sshd: uninitialized urandom read (32 bytes read)
[   25.627565] random: sshd: uninitialized urandom read (32 bytes read)
[   26.476665] random: sshd: uninitialized urandom read (32 bytes read)
[   26.638456] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.27' (ECDSA) to the list of known hosts.
[   32.049830] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   32.150311] ==================================================================
[   32.157756] BUG: KASAN: slab-out-of-bounds in crypto_sha3_final+0x416/0x450
[   32.164847] Write of size 8 at addr ffff8801c8aefd5c by task syz-executor294/4529
[   32.172710] 
[   32.174326] CPU: 1 PID: 4529 Comm: syz-executor294 Not tainted 4.17.0+ #90
[   32.181329] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.190670] Call Trace:
[   32.193247]  dump_stack+0x1b9/0x294
[   32.196864]  ? dump_stack_print_info.cold.2+0x52/0x52
[   32.202041]  ? printk+0x9e/0xba
[   32.205308]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   32.210049]  ? kasan_check_write+0x14/0x20
[   32.214276]  print_address_description+0x6c/0x20b
[   32.219104]  ? crypto_sha3_final+0x416/0x450
[   32.223496]  kasan_report.cold.7+0x242/0x2fe
[   32.227885]  __asan_report_store8_noabort+0x17/0x20
[   32.232883]  crypto_sha3_final+0x416/0x450
[   32.237109]  crypto_shash_final+0x104/0x260
[   32.241409]  ? crypto_sha3_init+0x170/0x170
[   32.245717]  __keyctl_dh_compute+0x1184/0x1bc0
[   32.250295]  ? copy_overflow+0x30/0x30
[   32.254169]  ? save_stack+0xa9/0xd0
[   32.257783]  ? find_held_lock+0x36/0x1c0
[   32.261836]  ? lock_downgrade+0x8e0/0x8e0
[   32.265967]  ? check_same_owner+0x320/0x320
[   32.270290]  ? trace_hardirqs_off+0xd/0x10
[   32.274523]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[   32.279625]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   32.285149]  ? _copy_from_user+0xdf/0x150
[   32.289293]  keyctl_dh_compute+0xb9/0x100
[   32.293439]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   32.298192]  ? kzfree+0x28/0x30
[   32.301456]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   32.306646]  __x64_sys_keyctl+0x12a/0x3b0
[   32.310778]  do_syscall_64+0x1b1/0x800
[   32.314648]  ? syscall_return_slowpath+0x5c0/0x5c0
[   32.319557]  ? syscall_return_slowpath+0x30f/0x5c0
[   32.324473]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   32.329820]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   32.334653]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.339829] RIP: 0033:0x440019
[   32.343002] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[   32.362193] RSP: 002b:00007ffd6aed69e8 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[   32.369885] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440019
[   32.377136] RDX: 0000000020000080 RSI: 00000000200001c0 RDI: 0000000000000017
[   32.384398] RBP: 00000000006ca018 R08: 0000000020000200 R09: 00000000004002c8
[   32.391660] R10: 0000000000000059 R11: 0000000000000217 R12: 0000000000401940
[   32.398923] R13: 00000000004019d0 R14: 0000000000000000 R15: 0000000000000000
[   32.406183] 
[   32.407796] Allocated by task 4529:
[   32.411412]  save_stack+0x43/0xd0
[   32.414844]  kasan_kmalloc+0xc4/0xe0
[   32.418539]  __kmalloc+0x14e/0x760
[   32.422061]  __keyctl_dh_compute+0xfe9/0x1bc0
[   32.426535]  keyctl_dh_compute+0xb9/0x100
[   32.430662]  __x64_sys_keyctl+0x12a/0x3b0
[   32.434813]  do_syscall_64+0x1b1/0x800
[   32.438684]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.443845] 
[   32.445467] Freed by task 2446:
[   32.448730]  save_stack+0x43/0xd0
[   32.452167]  __kasan_slab_free+0x11a/0x170
[   32.456384]  kasan_slab_free+0xe/0x10
[   32.460170]  kfree+0xd9/0x260
[   32.463268]  kernfs_put_open_node.isra.7+0x298/0x400
[   32.468347]  kernfs_fop_release+0xec/0x1a0
[   32.472559]  __fput+0x353/0x890
[   32.475824]  ____fput+0x15/0x20
[   32.479085]  task_work_run+0x1e4/0x290
[   32.482951]  exit_to_usermode_loop+0x2bd/0x310
[   32.487511]  do_syscall_64+0x6ac/0x800
[   32.491379]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.496539] 
[   32.498156] The buggy address belongs to the object at ffff8801c8aefd00
[   32.498156]  which belongs to the cache kmalloc-96 of size 96
[   32.510621] The buggy address is located 92 bytes inside of
[   32.510621]  96-byte region [ffff8801c8aefd00, ffff8801c8aefd60)
[   32.522302] The buggy address belongs to the page:
[   32.527223] page:ffffea000722bbc0 count:1 mapcount:0 mapping:ffff8801da8004c0 index:0x0
[   32.535364] flags: 0x2fffc0000000100(slab)
[   32.539582] raw: 02fffc0000000100 ffffea000724e0c8 ffffea00070ba748 ffff8801da8004c0
[   32.547443] raw: 0000000000000000 ffff8801c8aef000 0000000100000020 0000000000000000
[   32.555298] page dumped because: kasan: bad access detected
[   32.560996] 
[   32.562609] Memory state around the buggy address:
[   32.567517]  ffff8801c8aefc00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   32.574854]  ffff8801c8aefc80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   32.582194] >ffff8801c8aefd00: 00 00 00 00 00 00 00 00 00 00 00 04 fc fc fc fc
[   32.589530]                                                     ^
[   32.595744]  ffff8801c8aefd80: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[   32.603086]  ffff8801c8aefe00: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
[   32.610432] ==================================================================
[   32.617767] Disabling lock debugging due to kernel taint
[   32.623497] Kernel panic - not syncing: panic_on_warn set ...
[   32.623497] 
[   32.630863] CPU: 1 PID: 4529 Comm: syz-executor294 Tainted: G    B            4.17.0+ #90
[   32.639259] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.648597] Call Trace:
[   32.651170]  dump_stack+0x1b9/0x294
[   32.654783]  ? dump_stack_print_info.cold.2+0x52/0x52
[   32.659955]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   32.664694]  ? crypto_sha3_final+0x3d0/0x450
[   32.669084]  panic+0x22f/0x4de
[   32.672255]  ? add_taint.cold.5+0x16/0x16
[   32.676396]  ? do_raw_spin_unlock+0x9e/0x2e0
[   32.680782]  ? do_raw_spin_unlock+0x9e/0x2e0
[   32.685178]  ? crypto_sha3_final+0x416/0x450
[   32.689577]  kasan_end_report+0x47/0x4f
[   32.693541]  kasan_report.cold.7+0x76/0x2fe
[   32.697855]  __asan_report_store8_noabort+0x17/0x20
[   32.702868]  crypto_sha3_final+0x416/0x450
[   32.707091]  crypto_shash_final+0x104/0x260
[   32.711392]  ? crypto_sha3_init+0x170/0x170
[   32.715695]  __keyctl_dh_compute+0x1184/0x1bc0
[   32.720260]  ? copy_overflow+0x30/0x30
[   32.724129]  ? save_stack+0xa9/0xd0
[   32.727743]  ? find_held_lock+0x36/0x1c0
[   32.731791]  ? lock_downgrade+0x8e0/0x8e0
[   32.735919]  ? check_same_owner+0x320/0x320
[   32.740225]  ? trace_hardirqs_off+0xd/0x10
[   32.744441]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[   32.749536]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   32.755060]  ? _copy_from_user+0xdf/0x150
[   32.759187]  keyctl_dh_compute+0xb9/0x100
[   32.763317]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   32.768064]  ? kzfree+0x28/0x30
[   32.771324]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   32.776493]  __x64_sys_keyctl+0x12a/0x3b0
[   32.780620]  do_syscall_64+0x1b1/0x800
[   32.784487]  ? syscall_return_slowpath+0x5c0/0x5c0
[   32.789405]  ? syscall_return_slowpath+0x30f/0x5c0
[   32.794320]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   32.799667]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   32.804504]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.809671] RIP: 0033:0x440019
[   32.812840] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[   32.832310] RSP: 002b:00007ffd6aed69e8 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[   32.840172] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440019
[   32.847420] RDX: 0000000020000080 RSI: 00000000200001c0 RDI: 0000000000000017
[   32.854840] RBP: 00000000006ca018 R08: 0000000020000200 R09: 00000000004002c8
[   32.862085] R10: 0000000000000059 R11: 0000000000000217 R12: 0000000000401940
[   32.869331] R13: 00000000004019d0 R14: 0000000000000000 R15: 0000000000000000
[   32.877044] Dumping ftrace buffer:
[   32.880567]    (ftrace buffer empty)
[   32.884257] Kernel Offset: disabled
[   32.887859] Rebooting in 86400 seconds..
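Reading the report above the way a triager would: crypto_sha3_final, reached from __keyctl_dh_compute via crypto_shash_final, performs an 8-byte store at ffff8801c8aefd5c, which is offset 92 of a kmalloc-96 slot [ffff8801c8aefd00, ffff8801c8aefd60) that __kmalloc handed to __keyctl_dh_compute. The marked shadow row (eleven 00 bytes, then 04, then fc) is generic KASAN's encoding for "88 fully addressable bytes, 4 more addressable bytes, then redzone", so the allocation requested only 92 bytes; the store therefore lands entirely outside owned memory, 4 bytes in the slot's unused tail and 4 bytes in the redzone beyond it. The "Freed by task 2446" kernfs stack is the slot's previous occupant and is unrelated to this bug. The user-space registers match the trace: ORIG_RAX 0xfa is keyctl (syscall 250 on x86_64) and RDI 0x17 is KEYCTL_DH_COMPUTE (23). The report does not say which SHA-3 variant or output length was requested, and no fix is quoted here, so neither is assumed below.

The following script is an added example, not part of the syzbot report or of the kernel: it parses the access, slab-object and shadow lines of such a report and computes how far the access runs past the requested size and past the slot. Its only input is the report's own diagnostic lines, copied inline as a constructed sample; the shadow decoding relies on the generic KASAN rules just described (one shadow byte per 8-byte granule, values 1..7 meaning that many leading bytes are addressable).

```python
"""Triage a KASAN slab-out-of-bounds report (added example, not syzbot or kernel code):
parse the access, slab-object and shadow lines and measure the overrun."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Generic KASAN: one shadow byte covers 8 bytes; a value of 1..7 means only that
# many leading bytes of the granule are addressable; 0xfc is a kmalloc redzone.
SHADOW_SCALE = 8
SHADOW_ROW_BYTES = 16 * SHADOW_SCALE   # one "Memory state" row describes 128 bytes

# Constructed input: the diagnostic lines of the report above, copied verbatim.
SAMPLE_REPORT = """\
[   32.157756] BUG: KASAN: slab-out-of-bounds in crypto_sha3_final+0x416/0x450
[   32.164847] Write of size 8 at addr ffff8801c8aefd5c by task syz-executor294/4529
[   32.498156] The buggy address belongs to the object at ffff8801c8aefd00
[   32.498156]  which belongs to the cache kmalloc-96 of size 96
[   32.510621]  96-byte region [ffff8801c8aefd00, ffff8801c8aefd60)
[   32.562609] Memory state around the buggy address:
[   32.582194] >ffff8801c8aefd00: 00 00 00 00 00 00 00 00 00 00 00 04 fc fc fc fc
[   32.589530]                                                     ^
[   32.595744]  ffff8801c8aefd80: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\] ?")            # printk timestamp prefix
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+)")
ACCESS_RE = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)")
REGION_RE = re.compile(r"(?P<len>\d+)-byte region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
SHADOW_RE = re.compile(r"^>?\s*(?P<addr>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")


@dataclass
class KasanReport:
    bug: str                      # e.g. "slab-out-of-bounds"
    func: str                     # faulting function+offset/size
    rw: str                       # "Read" or "Write"
    size: int                     # access size in bytes
    addr: int                     # faulting address
    obj_start: int                # slab slot is [obj_start, obj_end)
    obj_end: int
    shadow: Dict[int, List[int]]  # shadow row base address -> its 16 shadow bytes


def parse_report(text: str) -> KasanReport:
    found: Dict[str, Dict[str, str]] = {}
    shadow: Dict[int, List[int]] = {}
    for raw in text.splitlines():
        line = TS_RE.sub("", raw.rstrip())
        for name, rx in (("bug", BUG_RE), ("access", ACCESS_RE), ("region", REGION_RE)):
            m = rx.search(line)
            if m and name not in found:            # first report in the log wins
                found[name] = m.groupdict()
        m = SHADOW_RE.match(line)
        if m:
            shadow[int(m["addr"], 16)] = [int(b, 16) for b in m["bytes"].split()]
    missing = [k for k in ("bug", "access", "region") if k not in found]
    if missing:
        raise ValueError(f"incomplete KASAN report, missing {missing}")
    b, a, g = found["bug"], found["access"], found["region"]
    start, end = int(g["start"], 16), int(g["end"], 16)
    return KasanReport(b["kind"], b["func"], a["rw"], int(a["size"]), int(a["addr"], 16),
                       start, end, shadow)


def requested_bytes(r: KasanReport) -> Optional[int]:
    """Bytes from the slot start that the shadow marks addressable, i.e. the size
    actually requested from kmalloc (None if no shadow row covers the slot)."""
    n, addr = 0, r.obj_start
    while addr < r.obj_end:
        row = r.shadow.get(addr - addr % SHADOW_ROW_BYTES)
        if row is None:
            return None
        val = row[(addr % SHADOW_ROW_BYTES) // SHADOW_SCALE]
        if val == 0:                               # whole granule addressable
            n, addr = n + SHADOW_SCALE, addr + SHADOW_SCALE
        elif 1 <= val < SHADOW_SCALE:              # partial granule ends the allocation
            return n + val
        else:                                      # redzone or free poison
            return n
    return n


def triage(text: str) -> dict:
    """Locate the access relative to the allocation and to the slab slot."""
    r = parse_report(text)
    req = requested_bytes(r)
    owned_end = r.obj_start + req if req is not None else r.obj_end
    access_end = r.addr + r.size
    return {
        "bug": r.bug, "where": r.func, "access": f"{r.rw} of size {r.size}",
        "offset": r.addr - r.obj_start,
        "slot_bytes": r.obj_end - r.obj_start,
        "requested_bytes": req,
        "bytes_past_request": max(0, access_end - owned_end),
        "bytes_past_slot": max(0, access_end - r.obj_end),
        "in_bounds": r.obj_start <= r.addr and access_end <= owned_end,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

On this report the script yields offset 92, a 96-byte slot, 92 requested bytes, 8 bytes past the request and 4 past the slot, which is the number a reviewer wants before reading the allocation site: the allocation was sized for 92 bytes while the caller of crypto_shash_final treated it as having room for at least 100. The same distinction (request size versus slot size) matters for hardening decisions, because a write that stays inside the slot's unused tail is invisible without KASAN but is still a bug.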