[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 21.555065] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 26.453135] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.975048] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.783348] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.948838] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.31' (ECDSA) to the list of known hosts.
[ 33.461600] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 33.560378] ==================================================================
[ 33.567856] BUG: KASAN: slab-out-of-bounds in sha256_finup+0x4bf/0x540
[ 33.574512] Write of size 4 at addr ffff8801ac3b3060 by task syz-executor301/4579
[ 33.582143]
[ 33.583780] CPU: 0 PID: 4579 Comm: syz-executor301 Not tainted 4.17.0+ #89
[ 33.590803] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.600148] Call Trace:
[ 33.602731]  dump_stack+0x1b9/0x294
[ 33.606349]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 33.611529]  ? printk+0x9e/0xba
[ 33.614801]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 33.619549]  ? kasan_check_write+0x14/0x20
[ 33.623774]  print_address_description+0x6c/0x20b
[ 33.628780]  ? sha256_finup+0x4bf/0x540
[ 33.632787]  kasan_report.cold.7+0x242/0x2fe
[ 33.637225]  __asan_report_store4_noabort+0x17/0x20
[ 33.642232]  sha256_finup+0x4bf/0x540
[ 33.646015]  ? done_hash+0x12/0x12
[ 33.649545]  sha256_avx2_final+0x28/0x30
[ 33.653587]  crypto_shash_final+0x104/0x260
[ 33.657895]  ? sha256_avx2_finup+0x40/0x40
[ 33.662115]  __keyctl_dh_compute+0x1184/0x1bc0
[ 33.666687]  ? copy_overflow+0x30/0x30
[ 33.670597]  ? save_stack+0xa9/0xd0
[ 33.674212]  ? find_held_lock+0x36/0x1c0
[ 33.678271]  ? lock_downgrade+0x8e0/0x8e0
[ 33.682404]  ? check_same_owner+0x320/0x320
[ 33.686718]  ? trace_hardirqs_off+0xd/0x10
[ 33.690938]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[ 33.696044]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 33.701575]  ? _copy_from_user+0xdf/0x150
[ 33.705716]  keyctl_dh_compute+0xb9/0x100
[ 33.709865]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[ 33.714609]  ? kzfree+0x28/0x30
[ 33.717872]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 33.723052]  __x64_sys_keyctl+0x12a/0x3b0
[ 33.727186]  do_syscall_64+0x1b1/0x800
[ 33.731059]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 33.735972]  ? syscall_return_slowpath+0x30f/0x5c0
[ 33.740890]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 33.746244]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 33.751081]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.756260] RIP: 0033:0x43ffa9
[ 33.759428] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[ 33.778604] RSP: 002b:00007ffd1950e2d8 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[ 33.786304] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9
[ 33.793554] RDX: 0000000020000180 RSI: 0000000020000100 RDI: 0000000000000017
[ 33.800804] RBP: 00000000006ca018 R08: 0000000020000240 R09: 00000000004002c8
[ 33.808061] R10: 0000000000000005 R11: 0000000000000217 R12: 00000000004018d0
[ 33.815310] R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000
[ 33.822566]
[ 33.824176] Allocated by task 4579:
[ 33.827788]  save_stack+0x43/0xd0
[ 33.831224]  kasan_kmalloc+0xc4/0xe0
[ 33.834919]  __kmalloc+0x14e/0x760
[ 33.838457]  __keyctl_dh_compute+0xfe9/0x1bc0
[ 33.842941]  keyctl_dh_compute+0xb9/0x100
[ 33.847072]  __x64_sys_keyctl+0x12a/0x3b0
[ 33.851213]  do_syscall_64+0x1b1/0x800
[ 33.855094]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.860258]
[ 33.861866] Freed by task 2885:
[ 33.865134]  save_stack+0x43/0xd0
[ 33.868567]  __kasan_slab_free+0x11a/0x170
[ 33.872792]  kasan_slab_free+0xe/0x10
[ 33.876583]  kfree+0xd9/0x260
[ 33.879679]  single_release+0x8f/0xb0
[ 33.883459]  __fput+0x353/0x890
[ 33.886731]  ____fput+0x15/0x20
[ 33.889993]  task_work_run+0x1e4/0x290
[ 33.893866]  exit_to_usermode_loop+0x2bd/0x310
[ 33.898432]  do_syscall_64+0x6ac/0x800
[ 33.902303]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.907467]
[ 33.909079] The buggy address belongs to the object at ffff8801ac3b3040
[ 33.909079]  which belongs to the cache kmalloc-32 of size 32
[ 33.921551] The buggy address is located 0 bytes to the right of
[ 33.921551]  32-byte region [ffff8801ac3b3040, ffff8801ac3b3060)
[ 33.933667] The buggy address belongs to the page:
[ 33.938582] page:ffffea0006b0ecc0 count:1 mapcount:0 mapping:ffff8801ac3b3000 index:0xffff8801ac3b3fc1
[ 33.948011] flags: 0x2fffc0000000100(slab)
[ 33.952236] raw: 02fffc0000000100 ffff8801ac3b3000 ffff8801ac3b3fc1 000000010000001e
[ 33.960202] raw: ffffea00075c6060 ffffea0006af0de0 ffff8801da8001c0 0000000000000000
[ 33.968062] page dumped because: kasan: bad access detected
[ 33.973755]
[ 33.975359] Memory state around the buggy address:
[ 33.980267]  ffff8801ac3b2f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.987606]  ffff8801ac3b2f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.994947] >ffff8801ac3b3000: fb fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc
[ 34.002288]                                                        ^
[ 34.008759]  ffff8801ac3b3080: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 34.016184]  ffff8801ac3b3100: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 34.023520] ==================================================================
[ 34.030855] Disabling lock debugging due to kernel taint
[ 34.036404] Kernel panic - not syncing: panic_on_warn set ...
[ 34.036404]
[ 34.043780] CPU: 0 PID: 4579 Comm: syz-executor301 Tainted: G B 4.17.0+ #89
[ 34.052183] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.061535] Call Trace:
[ 34.064115]  dump_stack+0x1b9/0x294
[ 34.067722]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 34.072907]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 34.077654]  ? sha256_finup+0x480/0x540
[ 34.081617]  panic+0x22f/0x4de
[ 34.084790]  ? add_taint.cold.5+0x16/0x16
[ 34.088920]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 34.093317]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 34.097704]  ? sha256_finup+0x4bf/0x540
[ 34.101680]  kasan_end_report+0x47/0x4f
[ 34.105645]  kasan_report.cold.7+0x76/0x2fe
[ 34.109947]  __asan_report_store4_noabort+0x17/0x20
[ 34.114945]  sha256_finup+0x4bf/0x540
[ 34.118732]  ? done_hash+0x12/0x12
[ 34.122338]  sha256_avx2_final+0x28/0x30
[ 34.126469]  crypto_shash_final+0x104/0x260
[ 34.130771]  ? sha256_avx2_finup+0x40/0x40
[ 34.134988]  __keyctl_dh_compute+0x1184/0x1bc0
[ 34.139556]  ? copy_overflow+0x30/0x30
[ 34.143441]  ? save_stack+0xa9/0xd0
[ 34.147065]  ? find_held_lock+0x36/0x1c0
[ 34.151122]  ? lock_downgrade+0x8e0/0x8e0
[ 34.155255]  ? check_same_owner+0x320/0x320
[ 34.159563]  ? trace_hardirqs_off+0xd/0x10
[ 34.163780]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[ 34.168867]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 34.174384]  ? _copy_from_user+0xdf/0x150
[ 34.178513]  keyctl_dh_compute+0xb9/0x100
[ 34.182655]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[ 34.187404]  ? kzfree+0x28/0x30
[ 34.190666]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 34.195836]  __x64_sys_keyctl+0x12a/0x3b0
[ 34.199978]  do_syscall_64+0x1b1/0x800
[ 34.203845]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 34.208754]  ? syscall_return_slowpath+0x30f/0x5c0
[ 34.213666]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 34.219014]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 34.223847]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.229021] RIP: 0033:0x43ffa9
[ 34.232189] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[ 34.251308] RSP: 002b:00007ffd1950e2d8 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[ 34.259005] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9
[ 34.266270] RDX: 0000000020000180 RSI: 0000000020000100 RDI: 0000000000000017
[ 34.273521] RBP: 00000000006ca018 R08: 0000000020000240 R09: 00000000004002c8
[ 34.280778] R10: 0000000000000005 R11: 0000000000000217 R12: 00000000004018d0
[ 34.288034] R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000
[ 34.295804] Dumping ftrace buffer:
[ 34.299328]    (ftrace buffer empty)
[ 34.303022] Kernel Offset: disabled
[ 34.306634] Rebooting in 86400 seconds..