[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 19.529634] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 23.250178] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.788230] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.612563] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.766786] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.50' (ECDSA) to the list of known hosts.
[ 30.174420] random: sshd: uninitialized urandom read (32 bytes read)
2018/06/08 09:14:03 parsed 1 programs
[ 31.471942] random: cc1: uninitialized urandom read (8 bytes read)
2018/06/08 09:14:05 executed programs: 0
[ 32.483103] IPVS: ftp: loaded support on port[0] = 21
[ 32.618434] bridge0: port 1(bridge_slave_0) entered blocking state
[ 32.624955] bridge0: port 1(bridge_slave_0) entered disabled state
[ 32.632577] device bridge_slave_0 entered promiscuous mode
[ 32.649775] bridge0: port 2(bridge_slave_1) entered blocking state
[ 32.656158] bridge0: port 2(bridge_slave_1) entered disabled state
[ 32.663123] device bridge_slave_1 entered promiscuous mode
[ 32.680264] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 32.697190] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 32.738903] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 32.757568] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 32.822048] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 32.829395] team0: Port device team_slave_0 added
[ 32.844748] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 32.851860] team0: Port device team_slave_1 added
[ 32.867674] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 32.884405] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 32.900621] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 32.917180] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 33.043826] bridge0: port 2(bridge_slave_1) entered blocking state
[ 33.050329] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 33.057240] bridge0: port 1(bridge_slave_0) entered blocking state
[ 33.063585] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 33.518320] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 33.524622] 8021q: adding VLAN 0 to HW filter on device bond0
[ 33.568789] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 33.578891] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 33.623727] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 33.629918] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 33.637641] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 33.674323] 8021q: adding VLAN 0 to HW filter on device team0
[ 33.935360] ==================================================================
[ 33.942874] BUG: KASAN: slab-out-of-bounds in wp384_final+0x93/0xe0
[ 33.949277] Write of size 48 at addr ffff8801d97d13b0 by task syz-executor0/4789
[ 33.956790]
[ 33.958403] CPU: 1 PID: 4789 Comm: syz-executor0 Not tainted 4.17.0+ #115
[ 33.965307] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.974653] Call Trace:
[ 33.977231]  dump_stack+0x1b9/0x294
[ 33.980843]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 33.986026]  ? printk+0x9e/0xba
[ 33.989288]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 33.994047]  ? kasan_check_write+0x14/0x20
[ 33.998291]  print_address_description+0x6c/0x20b
[ 34.003117]  ? wp384_final+0x93/0xe0
[ 34.006823]  kasan_report.cold.7+0x242/0x2fe
[ 34.011219]  check_memory_region+0x13e/0x1b0
[ 34.015608]  memcpy+0x37/0x50
[ 34.018692]  wp384_final+0x93/0xe0
[ 34.022349]  ? wp256_final+0xe0/0xe0
[ 34.026066]  ? kasan_unpoison_shadow+0x35/0x50
[ 34.030642]  crypto_shash_final+0x104/0x260
[ 34.034952]  ? wp256_final+0xe0/0xe0
[ 34.038649]  __keyctl_dh_compute+0x1184/0x1bc0
[ 34.043233]  ? copy_overflow+0x30/0x30
[ 34.047106]  ? find_held_lock+0x36/0x1c0
[ 34.051159]  ? lock_downgrade+0x8e0/0x8e0
[ 34.055289]  ? check_same_owner+0x320/0x320
[ 34.059595]  ? find_held_lock+0x36/0x1c0
[ 34.063645]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 34.069159]  ? _copy_from_user+0xdf/0x150
[ 34.073292]  compat_keyctl_dh_compute+0x2c8/0x3e0
[ 34.078128]  ? __x32_compat_sys_keyctl+0x3b0/0x3b0
[ 34.083046]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 34.088216]  __ia32_compat_sys_keyctl+0x137/0x3b0
[ 34.093044]  do_fast_syscall_32+0x345/0xf9b
[ 34.097348]  ? do_int80_syscall_32+0x880/0x880
[ 34.101924]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 34.106662]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.112180]  ? syscall_return_slowpath+0x30f/0x5c0
[ 34.117091]  ? sysret32_from_system_call+0x5/0x46
[ 34.121917]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 34.126745]  entry_SYSENTER_compat+0x70/0x7f
[ 34.131138] RIP: 0023:0xf7f9ccb9
[ 34.134488] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 34.153658] RSP: 002b:00000000ff936d3c EFLAGS: 00000282 ORIG_RAX: 0000000000000120
[ 34.161348] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000020000040
[ 34.168597] RDX: 0000000020000300 RSI: 00000000000000fb RDI: 0000000020c61fc8
[ 34.175849] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 34.183097] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[ 34.190348] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 34.197605]
[ 34.199224] Allocated by task 4789:
[ 34.202834]  save_stack+0x43/0xd0
[ 34.206265]  kasan_kmalloc+0xc4/0xe0
[ 34.209955]  __kmalloc+0x14e/0x760
[ 34.213477]  __keyctl_dh_compute+0xfe9/0x1bc0
[ 34.217953]  compat_keyctl_dh_compute+0x2c8/0x3e0
[ 34.222864]  __ia32_compat_sys_keyctl+0x137/0x3b0
[ 34.227777]  do_fast_syscall_32+0x345/0xf9b
[ 34.232081]  entry_SYSENTER_compat+0x70/0x7f
[ 34.236476]
[ 34.238081] Freed by task 3217:
[ 34.241346]  save_stack+0x43/0xd0
[ 34.244797]  __kasan_slab_free+0x11a/0x170
[ 34.249012]  kasan_slab_free+0xe/0x10
[ 34.252794]  kfree+0xd9/0x260
[ 34.255889]  free_bprm+0x1b1/0x210
[ 34.259415]  __do_execve_file.isra.34+0x1d38/0x2610
[ 34.264411]  __x64_sys_execve+0x8f/0xc0
[ 34.268388]  do_syscall_64+0x1b1/0x800
[ 34.272268]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.277445]
[ 34.279057] The buggy address belongs to the object at ffff8801d97d12c0
[ 34.279057]  which belongs to the cache kmalloc-256 of size 256
[ 34.291697] The buggy address is located 240 bytes inside of
[ 34.291697]  256-byte region [ffff8801d97d12c0, ffff8801d97d13c0)
[ 34.303550] The buggy address belongs to the page:
[ 34.308466] page:ffffea000765f440 count:1 mapcount:0 mapping:ffff8801da8007c0 index:0x0
[ 34.316603] flags: 0x2fffc0000000100(slab)
[ 34.320824] raw: 02fffc0000000100 ffffea0007658fc8 ffffea0007640d08 ffff8801da8007c0
[ 34.328690] raw: 0000000000000000 ffff8801d97d1040 000000010000000c 0000000000000000
[ 34.336896] page dumped because: kasan: bad access detected
[ 34.342589]
[ 34.344208] Memory state around the buggy address:
[ 34.349135]  ffff8801d97d1280: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 34.356490]  ffff8801d97d1300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 34.363838] >ffff8801d97d1380: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 34.371184]                                      ^
[ 34.376613]  ffff8801d97d1400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.383963]  ffff8801d97d1480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.391303] ==================================================================
[ 34.398641] Disabling lock debugging due to kernel taint
[ 34.404396] Kernel panic - not syncing: panic_on_warn set ...
[ 34.404396]
[ 34.411766] CPU: 1 PID: 4789 Comm: syz-executor0 Tainted: G    B    4.17.0+ #115
[ 34.420061] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.429393] Call Trace:
[ 34.431970]  dump_stack+0x1b9/0x294
[ 34.435583]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 34.440771]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 34.445512]  ? wp256_final+0x80/0xe0
[ 34.449208]  panic+0x22f/0x4de
[ 34.452383]  ? add_taint.cold.5+0x16/0x16
[ 34.456513]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 34.460902]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 34.465308]  ? wp384_final+0x93/0xe0
[ 34.469025]  kasan_end_report+0x47/0x4f
[ 34.472988]  kasan_report.cold.7+0x76/0x2fe
[ 34.477294]  check_memory_region+0x13e/0x1b0
[ 34.481685]  memcpy+0x37/0x50
[ 34.484770]  wp384_final+0x93/0xe0
[ 34.488301]  ? wp256_final+0xe0/0xe0
[ 34.492000]  ? kasan_unpoison_shadow+0x35/0x50
[ 34.496570]  crypto_shash_final+0x104/0x260
[ 34.500870]  ? wp256_final+0xe0/0xe0
[ 34.504585]  __keyctl_dh_compute+0x1184/0x1bc0
[ 34.509892]  ? copy_overflow+0x30/0x30
[ 34.513772]  ? find_held_lock+0x36/0x1c0
[ 34.517828]  ? lock_downgrade+0x8e0/0x8e0
[ 34.521962]  ? check_same_owner+0x320/0x320
[ 34.526268]  ? find_held_lock+0x36/0x1c0
[ 34.530330]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 34.535851]  ? _copy_from_user+0xdf/0x150
[ 34.539987]  compat_keyctl_dh_compute+0x2c8/0x3e0
[ 34.544818]  ? __x32_compat_sys_keyctl+0x3b0/0x3b0
[ 34.549740]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 34.554918]  __ia32_compat_sys_keyctl+0x137/0x3b0
[ 34.559749]  do_fast_syscall_32+0x345/0xf9b
[ 34.564057]  ? do_int80_syscall_32+0x880/0x880
[ 34.568901]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 34.573646]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.579179]  ? syscall_return_slowpath+0x30f/0x5c0
[ 34.584101]  ? sysret32_from_system_call+0x5/0x46
[ 34.588931]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 34.593772]  entry_SYSENTER_compat+0x70/0x7f
[ 34.598172] RIP: 0023:0xf7f9ccb9
[ 34.601513] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 34.620659] RSP: 002b:00000000ff936d3c EFLAGS: 00000282 ORIG_RAX: 0000000000000120
[ 34.628357] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000020000040
[ 34.635620] RDX: 0000000020000300 RSI: 00000000000000fb RDI: 0000000020c61fc8
[ 34.642877] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 34.650134] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[ 34.657410] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 34.665150] Dumping ftrace buffer:
[ 34.668679]    (ftrace buffer empty)
[ 34.672366] Kernel Offset: disabled
[ 34.675970] Rebooting in 86400 seconds..