[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   19.529634] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.250178] random: sshd: uninitialized urandom read (32 bytes read)
[   23.788230] random: sshd: uninitialized urandom read (32 bytes read)
[   24.612563] random: sshd: uninitialized urandom read (32 bytes read)
[   24.766786] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.50' (ECDSA) to the list of known hosts.
[   30.174420] random: sshd: uninitialized urandom read (32 bytes read)
2018/06/08 09:14:03 parsed 1 programs
[   31.471942] random: cc1: uninitialized urandom read (8 bytes read)
2018/06/08 09:14:05 executed programs: 0
[   32.483103] IPVS: ftp: loaded support on port[0] = 21
[   32.618434] bridge0: port 1(bridge_slave_0) entered blocking state
[   32.624955] bridge0: port 1(bridge_slave_0) entered disabled state
[   32.632577] device bridge_slave_0 entered promiscuous mode
[   32.649775] bridge0: port 2(bridge_slave_1) entered blocking state
[   32.656158] bridge0: port 2(bridge_slave_1) entered disabled state
[   32.663123] device bridge_slave_1 entered promiscuous mode
[   32.680264] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   32.697190] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   32.738903] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   32.757568] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   32.822048] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   32.829395] team0: Port device team_slave_0 added
[   32.844748] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   32.851860] team0: Port device team_slave_1 added
[   32.867674] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   32.884405] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   32.900621] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   32.917180] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   33.043826] bridge0: port 2(bridge_slave_1) entered blocking state
[   33.050329] bridge0: port 2(bridge_slave_1) entered forwarding state
[   33.057240] bridge0: port 1(bridge_slave_0) entered blocking state
[   33.063585] bridge0: port 1(bridge_slave_0) entered forwarding state
[   33.518320] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   33.524622] 8021q: adding VLAN 0 to HW filter on device bond0
[   33.568789] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   33.578891] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   33.623727] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   33.629918] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   33.637641] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   33.674323] 8021q: adding VLAN 0 to HW filter on device team0
[   33.935360] ==================================================================
[   33.942874] BUG: KASAN: slab-out-of-bounds in wp384_final+0x93/0xe0
[   33.949277] Write of size 48 at addr ffff8801d97d13b0 by task syz-executor0/4789
[   33.956790] 
[   33.958403] CPU: 1 PID: 4789 Comm: syz-executor0 Not tainted 4.17.0+ #115
[   33.965307] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.974653] Call Trace:
[   33.977231]  dump_stack+0x1b9/0x294
[   33.980843]  ? dump_stack_print_info.cold.2+0x52/0x52
[   33.986026]  ? printk+0x9e/0xba
[   33.989288]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   33.994047]  ? kasan_check_write+0x14/0x20
[   33.998291]  print_address_description+0x6c/0x20b
[   34.003117]  ? wp384_final+0x93/0xe0
[   34.006823]  kasan_report.cold.7+0x242/0x2fe
[   34.011219]  check_memory_region+0x13e/0x1b0
[   34.015608]  memcpy+0x37/0x50
[   34.018692]  wp384_final+0x93/0xe0
[   34.022349]  ? wp256_final+0xe0/0xe0
[   34.026066]  ? kasan_unpoison_shadow+0x35/0x50
[   34.030642]  crypto_shash_final+0x104/0x260
[   34.034952]  ? wp256_final+0xe0/0xe0
[   34.038649]  __keyctl_dh_compute+0x1184/0x1bc0
[   34.043233]  ? copy_overflow+0x30/0x30
[   34.047106]  ? find_held_lock+0x36/0x1c0
[   34.051159]  ? lock_downgrade+0x8e0/0x8e0
[   34.055289]  ? check_same_owner+0x320/0x320
[   34.059595]  ? find_held_lock+0x36/0x1c0
[   34.063645]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   34.069159]  ? _copy_from_user+0xdf/0x150
[   34.073292]  compat_keyctl_dh_compute+0x2c8/0x3e0
[   34.078128]  ? __x32_compat_sys_keyctl+0x3b0/0x3b0
[   34.083046]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   34.088216]  __ia32_compat_sys_keyctl+0x137/0x3b0
[   34.093044]  do_fast_syscall_32+0x345/0xf9b
[   34.097348]  ? do_int80_syscall_32+0x880/0x880
[   34.101924]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   34.106662]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.112180]  ? syscall_return_slowpath+0x30f/0x5c0
[   34.117091]  ? sysret32_from_system_call+0x5/0x46
[   34.121917]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.126745]  entry_SYSENTER_compat+0x70/0x7f
[   34.131138] RIP: 0023:0xf7f9ccb9
[   34.134488] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 
[   34.153658] RSP: 002b:00000000ff936d3c EFLAGS: 00000282 ORIG_RAX: 0000000000000120
[   34.161348] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000020000040
[   34.168597] RDX: 0000000020000300 RSI: 00000000000000fb RDI: 0000000020c61fc8
[   34.175849] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   34.183097] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[   34.190348] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   34.197605] 
[   34.199224] Allocated by task 4789:
[   34.202834]  save_stack+0x43/0xd0
[   34.206265]  kasan_kmalloc+0xc4/0xe0
[   34.209955]  __kmalloc+0x14e/0x760
[   34.213477]  __keyctl_dh_compute+0xfe9/0x1bc0
[   34.217953]  compat_keyctl_dh_compute+0x2c8/0x3e0
[   34.222864]  __ia32_compat_sys_keyctl+0x137/0x3b0
[   34.227777]  do_fast_syscall_32+0x345/0xf9b
[   34.232081]  entry_SYSENTER_compat+0x70/0x7f
[   34.236476] 
[   34.238081] Freed by task 3217:
[   34.241346]  save_stack+0x43/0xd0
[   34.244797]  __kasan_slab_free+0x11a/0x170
[   34.249012]  kasan_slab_free+0xe/0x10
[   34.252794]  kfree+0xd9/0x260
[   34.255889]  free_bprm+0x1b1/0x210
[   34.259415]  __do_execve_file.isra.34+0x1d38/0x2610
[   34.264411]  __x64_sys_execve+0x8f/0xc0
[   34.268388]  do_syscall_64+0x1b1/0x800
[   34.272268]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.277445] 
[   34.279057] The buggy address belongs to the object at ffff8801d97d12c0
[   34.279057]  which belongs to the cache kmalloc-256 of size 256
[   34.291697] The buggy address is located 240 bytes inside of
[   34.291697]  256-byte region [ffff8801d97d12c0, ffff8801d97d13c0)
[   34.303550] The buggy address belongs to the page:
[   34.308466] page:ffffea000765f440 count:1 mapcount:0 mapping:ffff8801da8007c0 index:0x0
[   34.316603] flags: 0x2fffc0000000100(slab)
[   34.320824] raw: 02fffc0000000100 ffffea0007658fc8 ffffea0007640d08 ffff8801da8007c0
[   34.328690] raw: 0000000000000000 ffff8801d97d1040 000000010000000c 0000000000000000
[   34.336896] page dumped because: kasan: bad access detected
[   34.342589] 
[   34.344208] Memory state around the buggy address:
[   34.349135]  ffff8801d97d1280: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   34.356490]  ffff8801d97d1300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   34.363838] >ffff8801d97d1380: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   34.371184]                                            ^
[   34.376613]  ffff8801d97d1400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.383963]  ffff8801d97d1480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.391303] ==================================================================
[   34.398641] Disabling lock debugging due to kernel taint
[   34.404396] Kernel panic - not syncing: panic_on_warn set ...
[   34.404396] 
[   34.411766] CPU: 1 PID: 4789 Comm: syz-executor0 Tainted: G    B             4.17.0+ #115
[   34.420061] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.429393] Call Trace:
[   34.431970]  dump_stack+0x1b9/0x294
[   34.435583]  ? dump_stack_print_info.cold.2+0x52/0x52
[   34.440771]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   34.445512]  ? wp256_final+0x80/0xe0
[   34.449208]  panic+0x22f/0x4de
[   34.452383]  ? add_taint.cold.5+0x16/0x16
[   34.456513]  ? do_raw_spin_unlock+0x9e/0x2e0
[   34.460902]  ? do_raw_spin_unlock+0x9e/0x2e0
[   34.465308]  ? wp384_final+0x93/0xe0
[   34.469025]  kasan_end_report+0x47/0x4f
[   34.472988]  kasan_report.cold.7+0x76/0x2fe
[   34.477294]  check_memory_region+0x13e/0x1b0
[   34.481685]  memcpy+0x37/0x50
[   34.484770]  wp384_final+0x93/0xe0
[   34.488301]  ? wp256_final+0xe0/0xe0
[   34.492000]  ? kasan_unpoison_shadow+0x35/0x50
[   34.496570]  crypto_shash_final+0x104/0x260
[   34.500870]  ? wp256_final+0xe0/0xe0
[   34.504585]  __keyctl_dh_compute+0x1184/0x1bc0
[   34.509892]  ? copy_overflow+0x30/0x30
[   34.513772]  ? find_held_lock+0x36/0x1c0
[   34.517828]  ? lock_downgrade+0x8e0/0x8e0
[   34.521962]  ? check_same_owner+0x320/0x320
[   34.526268]  ? find_held_lock+0x36/0x1c0
[   34.530330]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   34.535851]  ? _copy_from_user+0xdf/0x150
[   34.539987]  compat_keyctl_dh_compute+0x2c8/0x3e0
[   34.544818]  ? __x32_compat_sys_keyctl+0x3b0/0x3b0
[   34.549740]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   34.554918]  __ia32_compat_sys_keyctl+0x137/0x3b0
[   34.559749]  do_fast_syscall_32+0x345/0xf9b
[   34.564057]  ? do_int80_syscall_32+0x880/0x880
[   34.568901]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   34.573646]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.579179]  ? syscall_return_slowpath+0x30f/0x5c0
[   34.584101]  ? sysret32_from_system_call+0x5/0x46
[   34.588931]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.593772]  entry_SYSENTER_compat+0x70/0x7f
[   34.598172] RIP: 0023:0xf7f9ccb9
[   34.601513] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 
[   34.620659] RSP: 002b:00000000ff936d3c EFLAGS: 00000282 ORIG_RAX: 0000000000000120
[   34.628357] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000020000040
[   34.635620] RDX: 0000000020000300 RSI: 00000000000000fb RDI: 0000000020c61fc8
[   34.642877] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   34.650134] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[   34.657410] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   34.665150] Dumping ftrace buffer:
[   34.668679]    (ftrace buffer empty)
[   34.672366] Kernel Offset: disabled
[   34.675970] Rebooting in 86400 seconds..