[....] Starting periodic command scheduler: cron�[?25l�[?1c�7�[1G[�[32m ok �[39;49m�8�[?25h�[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[ 20.078300] random: sshd: uninitialized urandom read (32 bytes read)
�[?25l�[?1c�7�[1G[�[32m ok �[39;49m�8�[?25h�[?0c.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 25.617559] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.996930] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.810736] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.968465] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.43' (ECDSA) to the list of known hosts.
[ 32.408327] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 32.499027] ==================================================================
[ 32.506530] BUG: KASAN: slab-out-of-bounds in crypto_morus640_decrypt_chunk+0xcf8/0xd20
[ 32.514658] Read of size 4 at addr ffff8801d70dea88 by task syz-executor521/4532
[ 32.522180]
[ 32.523800] CPU: 1 PID: 4532 Comm: syz-executor521 Not tainted 4.17.0+ #100
[ 32.530877] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.540210] Call Trace:
[ 32.542786] dump_stack+0x1b9/0x294
[ 32.546399] ? dump_stack_print_info.cold.2+0x52/0x52
[ 32.551580] ? printk+0x9e/0xba
[ 32.554838] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 32.559573] ? kasan_check_write+0x14/0x20
[ 32.563791] print_address_description+0x6c/0x20b
[ 32.568623] ? crypto_morus640_decrypt_chunk+0xcf8/0xd20
[ 32.574053] kasan_report.cold.7+0x242/0x2fe
[ 32.578443] __asan_report_load4_noabort+0x14/0x20
[ 32.583354] crypto_morus640_decrypt_chunk+0xcf8/0xd20
[ 32.588621] ? skcipher_walk_first+0x158/0x410
[ 32.593186] ? crypto_morus640_encrypt_chunk+0xdb0/0xdb0
[ 32.598627] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 32.604145] ? skcipher_walk_aead_common+0x84a/0xbc0
[ 32.609238] ? skcipher_walk_aead_decrypt+0xc7/0x100
[ 32.614335] crypto_morus640_process_crypt.isra.12+0x153/0x230
[ 32.620292] ? crypto_morus640_decrypt_chunk+0xd20/0xd20
[ 32.625725] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 32.631257] ? crypto_morus640_process_ad+0xa10/0xa10
[ 32.636442] ? crypto_morus640_update+0xc7/0xe0
[ 32.641091] crypto_morus640_crypt+0x42e/0x9f0
[ 32.645658] ? crypto_morus640_load+0x170/0x170
[ 32.650307] ? scatterwalk_ffwd+0x3b0/0x3b0
[ 32.654624] ? rcu_read_lock_sched_held+0x108/0x120
[ 32.659624] crypto_morus640_decrypt+0x23e/0x3d0
[ 32.664358] ? af_alg_make_sg+0x4d0/0x4d0
[ 32.668488] ? crypto_morus640_crypt+0x9f0/0x9f0
[ 32.673227] ? __sk_mem_schedule+0xe0/0xe0
[ 32.677446] ? memset+0x31/0x40
[ 32.680709] aead_recvmsg+0x13cc/0x1ba0
[ 32.684683] ? aead_release+0x50/0x50
[ 32.688472] ? move_addr_to_kernel.part.20+0x100/0x100
[ 32.693731] ? security_socket_recvmsg+0x9b/0xc0
[ 32.698465] ? aead_release+0x50/0x50
[ 32.702246] sock_recvmsg+0xd0/0x110
[ 32.705947] ? __sock_recv_ts_and_drops+0x420/0x420
[ 32.710945] ___sys_recvmsg+0x2b6/0x680
[ 32.714902] ? ___sys_sendmsg+0x940/0x940
[ 32.719043] ? sock_sendmsg+0x120/0x120
[ 32.723020] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 32.728549] ? fget_raw+0x20/0x20
[ 32.731984] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 32.737517] ? __vfs_write+0x113/0x9d0
[ 32.741394] ? kernel_read+0x120/0x120
[ 32.745267] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 32.750785] ? fsnotify+0x415/0xfc0
[ 32.754395] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 32.759914] ? sockfd_lookup_light+0xc5/0x160
[ 32.764389] __sys_recvmsg+0x112/0x260
[ 32.768773] ? __ia32_sys_sendmmsg+0x100/0x100
[ 32.773341] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 32.778861] ? vfs_write+0x2a8/0x560
[ 32.782556] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 32.788068] ? ksys_write+0x1a6/0x250
[ 32.791854] __x64_sys_recvmsg+0x78/0xb0
[ 32.795895] do_syscall_64+0x1b1/0x800
[ 32.799759] ? syscall_slow_exit_work+0x4f0/0x4f0
[ 32.804580] ? syscall_return_slowpath+0x5c0/0x5c0
[ 32.809489] ? syscall_return_slowpath+0x30f/0x5c0
[ 32.814412] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 32.819760] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 32.824585] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.829766] RIP: 0033:0x43fef9
[ 32.832957] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[ 32.852164] RSP: 002b:00007ffe6f4996d8 EFLAGS: 00000207 ORIG_RAX: 000000000000002f
[ 32.859860] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fef9
[ 32.867119] RDX: 0000000000000000 RSI: 0000000020002840 RDI: 0000000000000004
[ 32.874373] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 32.881630] R10: 00000000004002c8 R11: 0000000000000207 R12: 0000000000401820
[ 32.888879] R13: 00000000004018b0 R14: 0000000000000000 R15: 0000000000000000
[ 32.896138]
[ 32.897758] Allocated by task 4532:
[ 32.901374] save_stack+0x43/0xd0
[ 32.904807] kasan_kmalloc+0xc4/0xe0
[ 32.908499] __kmalloc+0x14e/0x760
[ 32.912025] skcipher_walk_next+0x750/0x1850
[ 32.916414] skcipher_walk_first+0x151/0x410
[ 32.920807] skcipher_walk_aead_common+0x7f8/0xbc0
[ 32.925722] skcipher_walk_aead_decrypt+0xc7/0x100
[ 32.930633] crypto_morus640_process_crypt.isra.12+0x9c/0x230
[ 32.936497] crypto_morus640_crypt+0x42e/0x9f0
[ 32.941057] crypto_morus640_decrypt+0x23e/0x3d0
[ 32.945799] aead_recvmsg+0x13cc/0x1ba0
[ 32.949754] sock_recvmsg+0xd0/0x110
[ 32.953451] ___sys_recvmsg+0x2b6/0x680
[ 32.957407] __sys_recvmsg+0x112/0x260
[ 32.961271] __x64_sys_recvmsg+0x78/0xb0
[ 32.965324] do_syscall_64+0x1b1/0x800
[ 32.969192] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.974351]
[ 32.975955] Freed by task 2887:
[ 32.979218] save_stack+0x43/0xd0
[ 32.982652] __kasan_slab_free+0x11a/0x170
[ 32.986866] kasan_slab_free+0xe/0x10
[ 32.990651] kfree+0xd9/0x260
[ 32.993746] single_release+0x8f/0xb0
[ 32.997527] __fput+0x353/0x890
[ 33.000784] ____fput+0x15/0x20
[ 33.004059] task_work_run+0x1e4/0x290
[ 33.007927] exit_to_usermode_loop+0x302/0x360
[ 33.012492] do_syscall_64+0x6ac/0x800
[ 33.016377] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.021539]
[ 33.023155] The buggy address belongs to the object at ffff8801d70dea80
[ 33.023155] which belongs to the cache kmalloc-32 of size 32
[ 33.035622] The buggy address is located 8 bytes inside of
[ 33.035622] 32-byte region [ffff8801d70dea80, ffff8801d70deaa0)
[ 33.047214] The buggy address belongs to the page:
[ 33.052145] page:ffffea00075c3780 count:1 mapcount:0 mapping:ffff8801da8001c0 index:0xffff8801d70defc1
[ 33.061585] flags: 0x2fffc0000000100(slab)
[ 33.065807] raw: 02fffc0000000100 ffffea00075c3088 ffffea0006bfd008 ffff8801da8001c0
[ 33.073672] raw: ffff8801d70defc1 ffff8801d70de000 0000000100000025 0000000000000000
[ 33.081528] page dumped because: kasan: bad access detected
[ 33.087217]
[ 33.088827] Memory state around the buggy address:
[ 33.093740] ffff8801d70de980: 00 00 fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 33.101080] ffff8801d70dea00: 00 00 fc fc fc fc fc fc 00 00 00 00 fc fc fc fc
[ 33.108429] >ffff8801d70dea80: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 33.115765] ^
[ 33.119372] ffff8801d70deb00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 33.126719] ffff8801d70deb80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 33.134054] ==================================================================
[ 33.141388] Disabling lock debugging due to kernel taint
[ 33.147313] Kernel panic - not syncing: panic_on_warn set ...
[ 33.147313]
[ 33.154691] CPU: 1 PID: 4532 Comm: syz-executor521 Tainted: G B 4.17.0+ #100
[ 33.163174] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.172508] Call Trace:
[ 33.175082] dump_stack+0x1b9/0x294
[ 33.178691] ? dump_stack_print_info.cold.2+0x52/0x52
[ 33.183875] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 33.188612] ? crypto_morus640_decrypt_chunk+0xc10/0xd20
[ 33.194045] panic+0x22f/0x4de
[ 33.197227] ? add_taint.cold.5+0x16/0x16
[ 33.201357] ? do_raw_spin_unlock+0x9e/0x2e0
[ 33.205745] ? do_raw_spin_unlock+0x9e/0x2e0
[ 33.210140] ? crypto_morus640_decrypt_chunk+0xcf8/0xd20
[ 33.215578] kasan_end_report+0x47/0x4f
[ 33.219628] kasan_report.cold.7+0x76/0x2fe
[ 33.223928] __asan_report_load4_noabort+0x14/0x20
[ 33.228847] crypto_morus640_decrypt_chunk+0xcf8/0xd20
[ 33.234106] ? skcipher_walk_first+0x158/0x410
[ 33.238665] ? crypto_morus640_encrypt_chunk+0xdb0/0xdb0
[ 33.244117] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 33.249631] ? skcipher_walk_aead_common+0x84a/0xbc0
[ 33.254712] ? skcipher_walk_aead_decrypt+0xc7/0x100
[ 33.259795] crypto_morus640_process_crypt.isra.12+0x153/0x230
[ 33.265744] ? crypto_morus640_decrypt_chunk+0xd20/0xd20
[ 33.271173] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 33.276694] ? crypto_morus640_process_ad+0xa10/0xa10
[ 33.281864] ? crypto_morus640_update+0xc7/0xe0
[ 33.286511] crypto_morus640_crypt+0x42e/0x9f0
[ 33.291073] ? crypto_morus640_load+0x170/0x170
[ 33.295725] ? scatterwalk_ffwd+0x3b0/0x3b0
[ 33.300036] ? rcu_read_lock_sched_held+0x108/0x120
[ 33.305036] crypto_morus640_decrypt+0x23e/0x3d0
[ 33.309770] ? af_alg_make_sg+0x4d0/0x4d0
[ 33.313897] ? crypto_morus640_crypt+0x9f0/0x9f0
[ 33.318655] ? __sk_mem_schedule+0xe0/0xe0
[ 33.322874] ? memset+0x31/0x40
[ 33.326142] aead_recvmsg+0x13cc/0x1ba0
[ 33.330100] ? aead_release+0x50/0x50
[ 33.333882] ? move_addr_to_kernel.part.20+0x100/0x100
[ 33.339138] ? security_socket_recvmsg+0x9b/0xc0
[ 33.343870] ? aead_release+0x50/0x50
[ 33.347649] sock_recvmsg+0xd0/0x110
[ 33.351346] ? __sock_recv_ts_and_drops+0x420/0x420
[ 33.356341] ___sys_recvmsg+0x2b6/0x680
[ 33.360291] ? ___sys_sendmsg+0x940/0x940
[ 33.364417] ? sock_sendmsg+0x120/0x120
[ 33.368375] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 33.373893] ? fget_raw+0x20/0x20
[ 33.377322] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 33.382835] ? __vfs_write+0x113/0x9d0
[ 33.386701] ? kernel_read+0x120/0x120
[ 33.390570] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 33.396100] ? fsnotify+0x415/0xfc0
[ 33.399720] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 33.405242] ? sockfd_lookup_light+0xc5/0x160
[ 33.409737] __sys_recvmsg+0x112/0x260
[ 33.413635] ? __ia32_sys_sendmmsg+0x100/0x100
[ 33.418215] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 33.423744] ? vfs_write+0x2a8/0x560
[ 33.427455] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 33.432985] ? ksys_write+0x1a6/0x250
[ 33.436783] __x64_sys_recvmsg+0x78/0xb0
[ 33.440830] do_syscall_64+0x1b1/0x800
[ 33.444708] ? syscall_slow_exit_work+0x4f0/0x4f0
[ 33.449528] ? syscall_return_slowpath+0x5c0/0x5c0
[ 33.454435] ? syscall_return_slowpath+0x30f/0x5c0
[ 33.459348] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 33.464694] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 33.469517] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.474686] RIP: 0033:0x43fef9
[ 33.477851] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[ 33.496983] RSP: 002b:00007ffe6f4996d8 EFLAGS: 00000207 ORIG_RAX: 000000000000002f
[ 33.504688] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fef9
[ 33.511935] RDX: 0000000000000000 RSI: 0000000020002840 RDI: 0000000000000004
[ 33.519198] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 33.526463] R10: 00000000004002c8 R11: 0000000000000207 R12: 0000000000401820
[ 33.533725] R13: 00000000004018b0 R14: 0000000000000000 R15: 0000000000000000
[ 33.541484] Dumping ftrace buffer:
[ 33.545007] (ftrace buffer empty)
[ 33.548700] Kernel Offset: disabled
[ 33.552319] Rebooting in 86400 seconds..