[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 21.225135] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 24.465204] random: sshd: uninitialized urandom read (32 bytes read) [ 24.935845] random: sshd: uninitialized urandom read (32 bytes read) [ 25.819278] random: sshd: uninitialized urandom read (32 bytes read) [ 25.982376] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.45' (ECDSA) to the list of known hosts. [ 31.466362] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 31.562038] ================================================================== [ 31.569510] BUG: KASAN: slab-out-of-bounds in crypto_morus640_decrypt_chunk+0xcf8/0xd20 [ 31.577639] Read of size 4 at addr ffff8801d95e8588 by task syz-executor643/4576 [ 31.585146] [ 31.586782] CPU: 0 PID: 4576 Comm: syz-executor643 Not tainted 4.17.0+ #100 [ 31.593862] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.603288] Call Trace: [ 31.605870] dump_stack+0x1b9/0x294 [ 31.609481] ? dump_stack_print_info.cold.2+0x52/0x52 [ 31.614658] ? printk+0x9e/0xba [ 31.617944] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 31.622683] ? kasan_check_write+0x14/0x20 [ 31.626901] print_address_description+0x6c/0x20b [ 31.631742] ? crypto_morus640_decrypt_chunk+0xcf8/0xd20 [ 31.637176] kasan_report.cold.7+0x242/0x2fe [ 31.641566] __asan_report_load4_noabort+0x14/0x20 [ 31.646481] crypto_morus640_decrypt_chunk+0xcf8/0xd20 [ 31.651748] ? skcipher_walk_first+0x158/0x410 [ 31.656315] ? crypto_morus640_encrypt_chunk+0xdb0/0xdb0 [ 31.661745] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 31.667266] ? skcipher_walk_aead_common+0x84a/0xbc0 [ 31.672366] ? skcipher_walk_aead_decrypt+0xc7/0x100 [ 31.677464] crypto_morus640_process_crypt.isra.12+0x153/0x230 [ 31.683427] ? crypto_morus640_decrypt_chunk+0xd20/0xd20 [ 31.688863] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.694390] ? crypto_morus640_process_ad+0xa10/0xa10 [ 31.699578] ? crypto_morus640_update+0xc7/0xe0 [ 31.704235] crypto_morus640_crypt+0x42e/0x9f0 [ 31.708802] ? crypto_morus640_load+0x170/0x170 [ 31.713453] ? scatterwalk_ffwd+0x3b0/0x3b0 [ 31.717763] ? rcu_read_lock_sched_held+0x108/0x120 [ 31.722775] crypto_morus640_decrypt+0x23e/0x3d0 [ 31.727513] ? af_alg_make_sg+0x4d0/0x4d0 [ 31.731646] ? crypto_morus640_crypt+0x9f0/0x9f0 [ 31.736396] ? __sk_mem_schedule+0xe0/0xe0 [ 31.740623] ? memset+0x31/0x40 [ 31.743886] aead_recvmsg+0x13cc/0x1ba0 [ 31.747851] ? aead_release+0x50/0x50 [ 31.751634] ? move_addr_to_kernel.part.20+0x100/0x100 [ 31.756903] ? security_socket_recvmsg+0x9b/0xc0 [ 31.761646] ? aead_release+0x50/0x50 [ 31.765524] sock_recvmsg+0xd0/0x110 [ 31.769223] ? __sock_recv_ts_and_drops+0x420/0x420 [ 31.774222] ___sys_recvmsg+0x2b6/0x680 [ 31.778214] ? ___sys_sendmsg+0x940/0x940 [ 31.782345] ? sock_sendmsg+0x120/0x120 [ 31.786395] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 31.791914] ? fget_raw+0x20/0x20 [ 31.795348] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 31.800865] ? __vfs_write+0x113/0x9d0 [ 31.804735] ? kernel_read+0x120/0x120 [ 31.808607] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.814124] ? fsnotify+0x415/0xfc0 [ 31.817733] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 31.823265] ? sockfd_lookup_light+0xc5/0x160 [ 31.827742] __sys_recvmsg+0x112/0x260 [ 31.831611] ? __ia32_sys_sendmmsg+0x100/0x100 [ 31.836178] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 31.841695] ? vfs_write+0x2a8/0x560 [ 31.845417] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.850940] ? ksys_write+0x1a6/0x250 [ 31.854993] __x64_sys_recvmsg+0x78/0xb0 [ 31.859048] do_syscall_64+0x1b1/0x800 [ 31.862941] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 31.867787] ? syscall_return_slowpath+0x5c0/0x5c0 [ 31.872701] ? syscall_return_slowpath+0x30f/0x5c0 [ 31.877629] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 31.882978] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 31.887815] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.892989] RIP: 0033:0x43fef9 [ 31.896160] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 [ 31.915331] RSP: 002b:00007ffefc749938 EFLAGS: 00000207 ORIG_RAX: 000000000000002f [ 31.923043] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fef9 [ 31.930304] RDX: 0000000000000000 RSI: 0000000020002840 RDI: 0000000000000004 [ 31.937645] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 31.944903] R10: 00000000004002c8 R11: 0000000000000207 R12: 0000000000401820 [ 31.952154] R13: 00000000004018b0 R14: 0000000000000000 R15: 0000000000000000 [ 31.959412] [ 31.961030] Allocated by task 4576: [ 31.964651] save_stack+0x43/0xd0 [ 31.968086] kasan_kmalloc+0xc4/0xe0 [ 31.971790] __kmalloc+0x14e/0x760 [ 31.975319] skcipher_walk_next+0x750/0x1850 [ 31.979711] skcipher_walk_first+0x151/0x410 [ 31.984103] skcipher_walk_aead_common+0x7f8/0xbc0 [ 31.989016] skcipher_walk_aead_decrypt+0xc7/0x100 [ 31.993935] crypto_morus640_process_crypt.isra.12+0x9c/0x230 [ 31.999798] crypto_morus640_crypt+0x42e/0x9f0 [ 32.004369] crypto_morus640_decrypt+0x23e/0x3d0 [ 32.009104] aead_recvmsg+0x13cc/0x1ba0 [ 32.013065] sock_recvmsg+0xd0/0x110 [ 32.016761] ___sys_recvmsg+0x2b6/0x680 [ 32.020720] __sys_recvmsg+0x112/0x260 [ 32.024584] __x64_sys_recvmsg+0x78/0xb0 [ 32.028626] do_syscall_64+0x1b1/0x800 [ 32.032499] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.037669] [ 32.039292] Freed by task 2859: [ 32.042559] save_stack+0x43/0xd0 [ 32.045990] __kasan_slab_free+0x11a/0x170 [ 32.050210] kasan_slab_free+0xe/0x10 [ 32.053990] kfree+0xd9/0x260 [ 32.057084] single_release+0x8f/0xb0 [ 32.060874] __fput+0x353/0x890 [ 32.064131] ____fput+0x15/0x20 [ 32.067392] task_work_run+0x1e4/0x290 [ 32.071262] exit_to_usermode_loop+0x302/0x360 [ 32.075826] do_syscall_64+0x6ac/0x800 [ 32.079697] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.084860] [ 32.086469] The buggy address belongs to the object at ffff8801d95e8580 [ 32.086469] which belongs to the cache kmalloc-32 of size 32 [ 32.098949] The buggy address is located 8 bytes inside of [ 32.098949] 32-byte region [ffff8801d95e8580, ffff8801d95e85a0) [ 32.110559] The buggy address belongs to the page: [ 32.115471] page:ffffea0007657a00 count:1 mapcount:0 mapping:ffff8801da8001c0 index:0xffff8801d95e8fc1 [ 32.124896] flags: 0x2fffc0000000100(slab) [ 32.129126] raw: 02fffc0000000100 ffffea0007651a88 ffffea0007649c08 ffff8801da8001c0 [ 32.136989] raw: ffff8801d95e8fc1 ffff8801d95e8000 000000010000001e 0000000000000000 [ 32.144849] page dumped because: kasan: bad access detected [ 32.150552] [ 32.152158] Memory state around the buggy address: [ 32.157072] ffff8801d95e8480: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 32.164412] ffff8801d95e8500: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc [ 32.171760] >ffff8801d95e8580: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc [ 32.179093] ^ [ 32.182698] ffff8801d95e8600: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 32.190041] ffff8801d95e8680: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 32.197383] ================================================================== [ 32.204721] Disabling lock debugging due to kernel taint [ 32.210241] Kernel panic - not syncing: panic_on_warn set ... [ 32.210241] [ 32.217612] CPU: 0 PID: 4576 Comm: syz-executor643 Tainted: G B 4.17.0+ #100 [ 32.226177] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.235509] Call Trace: [ 32.238086] dump_stack+0x1b9/0x294 [ 32.241698] ? dump_stack_print_info.cold.2+0x52/0x52 [ 32.246877] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 32.251615] ? crypto_morus640_decrypt_chunk+0xc10/0xd20 [ 32.257046] panic+0x22f/0x4de [ 32.260229] ? add_taint.cold.5+0x16/0x16 [ 32.264359] ? do_raw_spin_unlock+0x9e/0x2e0 [ 32.268747] ? do_raw_spin_unlock+0x9e/0x2e0 [ 32.273143] ? crypto_morus640_decrypt_chunk+0xcf8/0xd20 [ 32.278577] kasan_end_report+0x47/0x4f [ 32.282532] kasan_report.cold.7+0x76/0x2fe [ 32.286840] __asan_report_load4_noabort+0x14/0x20 [ 32.291752] crypto_morus640_decrypt_chunk+0xcf8/0xd20 [ 32.297014] ? skcipher_walk_first+0x158/0x410 [ 32.301585] ? crypto_morus640_encrypt_chunk+0xdb0/0xdb0 [ 32.307023] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 32.312567] ? skcipher_walk_aead_common+0x84a/0xbc0 [ 32.317664] ? skcipher_walk_aead_decrypt+0xc7/0x100 [ 32.322756] crypto_morus640_process_crypt.isra.12+0x153/0x230 [ 32.328732] ? crypto_morus640_decrypt_chunk+0xd20/0xd20 [ 32.334164] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.339685] ? crypto_morus640_process_ad+0xa10/0xa10 [ 32.344868] ? crypto_morus640_update+0xc7/0xe0 [ 32.349519] crypto_morus640_crypt+0x42e/0x9f0 [ 32.354091] ? crypto_morus640_load+0x170/0x170 [ 32.358754] ? scatterwalk_ffwd+0x3b0/0x3b0 [ 32.363076] ? rcu_read_lock_sched_held+0x108/0x120 [ 32.368072] crypto_morus640_decrypt+0x23e/0x3d0 [ 32.372807] ? af_alg_make_sg+0x4d0/0x4d0 [ 32.376934] ? crypto_morus640_crypt+0x9f0/0x9f0 [ 32.381670] ? __sk_mem_schedule+0xe0/0xe0 [ 32.385899] ? memset+0x31/0x40 [ 32.389158] aead_recvmsg+0x13cc/0x1ba0 [ 32.393113] ? aead_release+0x50/0x50 [ 32.396904] ? move_addr_to_kernel.part.20+0x100/0x100 [ 32.402160] ? security_socket_recvmsg+0x9b/0xc0 [ 32.406904] ? aead_release+0x50/0x50 [ 32.410684] sock_recvmsg+0xd0/0x110 [ 32.414377] ? __sock_recv_ts_and_drops+0x420/0x420 [ 32.419370] ___sys_recvmsg+0x2b6/0x680 [ 32.423327] ? ___sys_sendmsg+0x940/0x940 [ 32.427458] ? sock_sendmsg+0x120/0x120 [ 32.431423] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 32.436941] ? fget_raw+0x20/0x20 [ 32.440373] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 32.445892] ? __vfs_write+0x113/0x9d0 [ 32.449758] ? kernel_read+0x120/0x120 [ 32.453640] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.459165] ? fsnotify+0x415/0xfc0 [ 32.462774] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 32.468293] ? sockfd_lookup_light+0xc5/0x160 [ 32.472766] __sys_recvmsg+0x112/0x260 [ 32.476642] ? __ia32_sys_sendmmsg+0x100/0x100 [ 32.481203] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 32.486719] ? vfs_write+0x2a8/0x560 [ 32.490425] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.495940] ? ksys_write+0x1a6/0x250 [ 32.499724] __x64_sys_recvmsg+0x78/0xb0 [ 32.503764] do_syscall_64+0x1b1/0x800 [ 32.507643] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 32.512474] ? syscall_return_slowpath+0x5c0/0x5c0 [ 32.517395] ? syscall_return_slowpath+0x30f/0x5c0 [ 32.522306] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 32.527652] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 32.532478] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.537643] RIP: 0033:0x43fef9 [ 32.540808] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 [ 32.559924] RSP: 002b:00007ffefc749938 EFLAGS: 00000207 ORIG_RAX: 000000000000002f [ 32.567616] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fef9 [ 32.574869] RDX: 0000000000000000 RSI: 0000000020002840 RDI: 0000000000000004 [ 32.582133] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 32.589381] R10: 00000000004002c8 R11: 0000000000000207 R12: 0000000000401820 [ 32.596628] R13: 00000000004018b0 R14: 0000000000000000 R15: 0000000000000000 [ 32.604584] Dumping ftrace buffer: [ 32.608112] (ftrace buffer empty) [ 32.611798] Kernel Offset: disabled [ 32.615400] Rebooting in 86400 seconds..