[....] Starting periodic command scheduler: cron [ ok ]. [....] Starting OpenBSD Secure Shell server: sshd[ 20.078300] random: sshd: uninitialized urandom read (32 bytes read) [ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 25.617559] random: sshd: uninitialized urandom read (32 bytes read) [ 25.996930] random: sshd: uninitialized urandom read (32 bytes read) [ 26.810736] random: sshd: uninitialized urandom read (32 bytes read) [ 26.968465] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.43' (ECDSA) to the list of known hosts. [ 32.408327] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 32.499027] ================================================================== [ 32.506530] BUG: KASAN: slab-out-of-bounds in crypto_morus640_decrypt_chunk+0xcf8/0xd20 [ 32.514658] Read of size 4 at addr ffff8801d70dea88 by task syz-executor521/4532 [ 32.522180] [ 32.523800] CPU: 1 PID: 4532 Comm: syz-executor521 Not tainted 4.17.0+ #100 [ 32.530877] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.540210] Call Trace: [ 32.542786] dump_stack+0x1b9/0x294 [ 32.546399] ? dump_stack_print_info.cold.2+0x52/0x52 [ 32.551580] ? printk+0x9e/0xba [ 32.554838] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 32.559573] ? kasan_check_write+0x14/0x20 [ 32.563791] print_address_description+0x6c/0x20b [ 32.568623] ? crypto_morus640_decrypt_chunk+0xcf8/0xd20 [ 32.574053] kasan_report.cold.7+0x242/0x2fe [ 32.578443] __asan_report_load4_noabort+0x14/0x20 [ 32.583354] crypto_morus640_decrypt_chunk+0xcf8/0xd20 [ 32.588621] ? skcipher_walk_first+0x158/0x410 [ 32.593186] ? crypto_morus640_encrypt_chunk+0xdb0/0xdb0 [ 32.598627] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 32.604145] ? skcipher_walk_aead_common+0x84a/0xbc0 [ 32.609238] ?
skcipher_walk_aead_decrypt+0xc7/0x100 [ 32.614335] crypto_morus640_process_crypt.isra.12+0x153/0x230 [ 32.620292] ? crypto_morus640_decrypt_chunk+0xd20/0xd20 [ 32.625725] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.631257] ? crypto_morus640_process_ad+0xa10/0xa10 [ 32.636442] ? crypto_morus640_update+0xc7/0xe0 [ 32.641091] crypto_morus640_crypt+0x42e/0x9f0 [ 32.645658] ? crypto_morus640_load+0x170/0x170 [ 32.650307] ? scatterwalk_ffwd+0x3b0/0x3b0 [ 32.654624] ? rcu_read_lock_sched_held+0x108/0x120 [ 32.659624] crypto_morus640_decrypt+0x23e/0x3d0 [ 32.664358] ? af_alg_make_sg+0x4d0/0x4d0 [ 32.668488] ? crypto_morus640_crypt+0x9f0/0x9f0 [ 32.673227] ? __sk_mem_schedule+0xe0/0xe0 [ 32.677446] ? memset+0x31/0x40 [ 32.680709] aead_recvmsg+0x13cc/0x1ba0 [ 32.684683] ? aead_release+0x50/0x50 [ 32.688472] ? move_addr_to_kernel.part.20+0x100/0x100 [ 32.693731] ? security_socket_recvmsg+0x9b/0xc0 [ 32.698465] ? aead_release+0x50/0x50 [ 32.702246] sock_recvmsg+0xd0/0x110 [ 32.705947] ? __sock_recv_ts_and_drops+0x420/0x420 [ 32.710945] ___sys_recvmsg+0x2b6/0x680 [ 32.714902] ? ___sys_sendmsg+0x940/0x940 [ 32.719043] ? sock_sendmsg+0x120/0x120 [ 32.723020] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 32.728549] ? fget_raw+0x20/0x20 [ 32.731984] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 32.737517] ? __vfs_write+0x113/0x9d0 [ 32.741394] ? kernel_read+0x120/0x120 [ 32.745267] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.750785] ? fsnotify+0x415/0xfc0 [ 32.754395] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 32.759914] ? sockfd_lookup_light+0xc5/0x160 [ 32.764389] __sys_recvmsg+0x112/0x260 [ 32.768773] ? __ia32_sys_sendmmsg+0x100/0x100 [ 32.773341] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 32.778861] ? vfs_write+0x2a8/0x560 [ 32.782556] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.788068] ? ksys_write+0x1a6/0x250 [ 32.791854] __x64_sys_recvmsg+0x78/0xb0 [ 32.795895] do_syscall_64+0x1b1/0x800 [ 32.799759] ? 
syscall_slow_exit_work+0x4f0/0x4f0 [ 32.804580] ? syscall_return_slowpath+0x5c0/0x5c0 [ 32.809489] ? syscall_return_slowpath+0x30f/0x5c0 [ 32.814412] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 32.819760] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 32.824585] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.829766] RIP: 0033:0x43fef9 [ 32.832957] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 [ 32.852164] RSP: 002b:00007ffe6f4996d8 EFLAGS: 00000207 ORIG_RAX: 000000000000002f [ 32.859860] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fef9 [ 32.867119] RDX: 0000000000000000 RSI: 0000000020002840 RDI: 0000000000000004 [ 32.874373] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 32.881630] R10: 00000000004002c8 R11: 0000000000000207 R12: 0000000000401820 [ 32.888879] R13: 00000000004018b0 R14: 0000000000000000 R15: 0000000000000000 [ 32.896138] [ 32.897758] Allocated by task 4532: [ 32.901374] save_stack+0x43/0xd0 [ 32.904807] kasan_kmalloc+0xc4/0xe0 [ 32.908499] __kmalloc+0x14e/0x760 [ 32.912025] skcipher_walk_next+0x750/0x1850 [ 32.916414] skcipher_walk_first+0x151/0x410 [ 32.920807] skcipher_walk_aead_common+0x7f8/0xbc0 [ 32.925722] skcipher_walk_aead_decrypt+0xc7/0x100 [ 32.930633] crypto_morus640_process_crypt.isra.12+0x9c/0x230 [ 32.936497] crypto_morus640_crypt+0x42e/0x9f0 [ 32.941057] crypto_morus640_decrypt+0x23e/0x3d0 [ 32.945799] aead_recvmsg+0x13cc/0x1ba0 [ 32.949754] sock_recvmsg+0xd0/0x110 [ 32.953451] ___sys_recvmsg+0x2b6/0x680 [ 32.957407] __sys_recvmsg+0x112/0x260 [ 32.961271] __x64_sys_recvmsg+0x78/0xb0 [ 32.965324] do_syscall_64+0x1b1/0x800 [ 32.969192] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.974351] [ 32.975955] Freed by task 2887: [ 32.979218] save_stack+0x43/0xd0 [ 32.982652] __kasan_slab_free+0x11a/0x170 [ 32.986866] kasan_slab_free+0xe/0x10 [ 32.990651] 
kfree+0xd9/0x260 [ 32.993746] single_release+0x8f/0xb0 [ 32.997527] __fput+0x353/0x890 [ 33.000784] ____fput+0x15/0x20 [ 33.004059] task_work_run+0x1e4/0x290 [ 33.007927] exit_to_usermode_loop+0x302/0x360 [ 33.012492] do_syscall_64+0x6ac/0x800 [ 33.016377] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 33.021539] [ 33.023155] The buggy address belongs to the object at ffff8801d70dea80 [ 33.023155] which belongs to the cache kmalloc-32 of size 32 [ 33.035622] The buggy address is located 8 bytes inside of [ 33.035622] 32-byte region [ffff8801d70dea80, ffff8801d70deaa0) [ 33.047214] The buggy address belongs to the page: [ 33.052145] page:ffffea00075c3780 count:1 mapcount:0 mapping:ffff8801da8001c0 index:0xffff8801d70defc1 [ 33.061585] flags: 0x2fffc0000000100(slab) [ 33.065807] raw: 02fffc0000000100 ffffea00075c3088 ffffea0006bfd008 ffff8801da8001c0 [ 33.073672] raw: ffff8801d70defc1 ffff8801d70de000 0000000100000025 0000000000000000 [ 33.081528] page dumped because: kasan: bad access detected [ 33.087217] [ 33.088827] Memory state around the buggy address: [ 33.093740] ffff8801d70de980: 00 00 fc fc fc fc fc fc fb fb fb fb fc fc fc fc [ 33.101080] ffff8801d70dea00: 00 00 fc fc fc fc fc fc 00 00 00 00 fc fc fc fc [ 33.108429] >ffff8801d70dea80: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc [ 33.115765] ^ [ 33.119372] ffff8801d70deb00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 33.126719] ffff8801d70deb80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 33.134054] ================================================================== [ 33.141388] Disabling lock debugging due to kernel taint [ 33.147313] Kernel panic - not syncing: panic_on_warn set ... [ 33.147313] [ 33.154691] CPU: 1 PID: 4532 Comm: syz-executor521 Tainted: G B 4.17.0+ #100 [ 33.163174] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 33.172508] Call Trace: [ 33.175082] dump_stack+0x1b9/0x294 [ 33.178691] ? 
dump_stack_print_info.cold.2+0x52/0x52 [ 33.183875] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 33.188612] ? crypto_morus640_decrypt_chunk+0xc10/0xd20 [ 33.194045] panic+0x22f/0x4de [ 33.197227] ? add_taint.cold.5+0x16/0x16 [ 33.201357] ? do_raw_spin_unlock+0x9e/0x2e0 [ 33.205745] ? do_raw_spin_unlock+0x9e/0x2e0 [ 33.210140] ? crypto_morus640_decrypt_chunk+0xcf8/0xd20 [ 33.215578] kasan_end_report+0x47/0x4f [ 33.219628] kasan_report.cold.7+0x76/0x2fe [ 33.223928] __asan_report_load4_noabort+0x14/0x20 [ 33.228847] crypto_morus640_decrypt_chunk+0xcf8/0xd20 [ 33.234106] ? skcipher_walk_first+0x158/0x410 [ 33.238665] ? crypto_morus640_encrypt_chunk+0xdb0/0xdb0 [ 33.244117] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 33.249631] ? skcipher_walk_aead_common+0x84a/0xbc0 [ 33.254712] ? skcipher_walk_aead_decrypt+0xc7/0x100 [ 33.259795] crypto_morus640_process_crypt.isra.12+0x153/0x230 [ 33.265744] ? crypto_morus640_decrypt_chunk+0xd20/0xd20 [ 33.271173] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.276694] ? crypto_morus640_process_ad+0xa10/0xa10 [ 33.281864] ? crypto_morus640_update+0xc7/0xe0 [ 33.286511] crypto_morus640_crypt+0x42e/0x9f0 [ 33.291073] ? crypto_morus640_load+0x170/0x170 [ 33.295725] ? scatterwalk_ffwd+0x3b0/0x3b0 [ 33.300036] ? rcu_read_lock_sched_held+0x108/0x120 [ 33.305036] crypto_morus640_decrypt+0x23e/0x3d0 [ 33.309770] ? af_alg_make_sg+0x4d0/0x4d0 [ 33.313897] ? crypto_morus640_crypt+0x9f0/0x9f0 [ 33.318655] ? __sk_mem_schedule+0xe0/0xe0 [ 33.322874] ? memset+0x31/0x40 [ 33.326142] aead_recvmsg+0x13cc/0x1ba0 [ 33.330100] ? aead_release+0x50/0x50 [ 33.333882] ? move_addr_to_kernel.part.20+0x100/0x100 [ 33.339138] ? security_socket_recvmsg+0x9b/0xc0 [ 33.343870] ? aead_release+0x50/0x50 [ 33.347649] sock_recvmsg+0xd0/0x110 [ 33.351346] ? __sock_recv_ts_and_drops+0x420/0x420 [ 33.356341] ___sys_recvmsg+0x2b6/0x680 [ 33.360291] ? ___sys_sendmsg+0x940/0x940 [ 33.364417] ? sock_sendmsg+0x120/0x120 [ 33.368375] ? 
__sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 33.373893] ? fget_raw+0x20/0x20 [ 33.377322] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 33.382835] ? __vfs_write+0x113/0x9d0 [ 33.386701] ? kernel_read+0x120/0x120 [ 33.390570] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.396100] ? fsnotify+0x415/0xfc0 [ 33.399720] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 33.405242] ? sockfd_lookup_light+0xc5/0x160 [ 33.409737] __sys_recvmsg+0x112/0x260 [ 33.413635] ? __ia32_sys_sendmmsg+0x100/0x100 [ 33.418215] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 33.423744] ? vfs_write+0x2a8/0x560 [ 33.427455] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.432985] ? ksys_write+0x1a6/0x250 [ 33.436783] __x64_sys_recvmsg+0x78/0xb0 [ 33.440830] do_syscall_64+0x1b1/0x800 [ 33.444708] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 33.449528] ? syscall_return_slowpath+0x5c0/0x5c0 [ 33.454435] ? syscall_return_slowpath+0x30f/0x5c0 [ 33.459348] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 33.464694] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 33.469517] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 33.474686] RIP: 0033:0x43fef9 [ 33.477851] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 [ 33.496983] RSP: 002b:00007ffe6f4996d8 EFLAGS: 00000207 ORIG_RAX: 000000000000002f [ 33.504688] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fef9 [ 33.511935] RDX: 0000000000000000 RSI: 0000000020002840 RDI: 0000000000000004 [ 33.519198] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 33.526463] R10: 00000000004002c8 R11: 0000000000000207 R12: 0000000000401820 [ 33.533725] R13: 00000000004018b0 R14: 0000000000000000 R15: 0000000000000000 [ 33.541484] Dumping ftrace buffer: [ 33.545007] (ftrace buffer empty) [ 33.548700] Kernel Offset: disabled [ 33.552319] Rebooting in 86400 seconds..