Warning: Permanently added '10.128.0.54' (ECDSA) to the list of known hosts. [ 27.401813] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 27.494461] ================================================================== [ 27.501941] BUG: KASAN: slab-out-of-bounds in rmd160_final+0x201/0x240 [ 27.508603] Write of size 4 at addr ffff8801d70c6a18 by task syz-executor352/4530 [ 27.516202] [ 27.517814] CPU: 0 PID: 4530 Comm: syz-executor352 Not tainted 4.17.0+ #89 [ 27.524815] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 27.534153] Call Trace: [ 27.536727] dump_stack+0x1b9/0x294 [ 27.540338] ? dump_stack_print_info.cold.2+0x52/0x52 [ 27.545509] ? printk+0x9e/0xba [ 27.548770] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 27.553510] ? kasan_check_write+0x14/0x20 [ 27.557729] print_address_description+0x6c/0x20b [ 27.562556] ? rmd160_final+0x201/0x240 [ 27.566511] kasan_report.cold.7+0x242/0x2fe [ 27.570922] __asan_report_store4_noabort+0x17/0x20 [ 27.575920] rmd160_final+0x201/0x240 [ 27.579706] ? rmd160_update+0x170/0x170 [ 27.584010] ? rmd160_update+0x13b/0x170 [ 27.588056] ? kasan_unpoison_shadow+0x35/0x50 [ 27.592618] crypto_shash_final+0x104/0x260 [ 27.596921] ? rmd160_update+0x170/0x170 [ 27.600975] __keyctl_dh_compute+0x1184/0x1bc0 [ 27.605545] ? copy_overflow+0x30/0x30 [ 27.609419] ? find_held_lock+0x36/0x1c0 [ 27.613477] ? lock_downgrade+0x8e0/0x8e0 [ 27.617608] ? check_same_owner+0x320/0x320 [ 27.621911] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 27.627438] ? handle_mm_fault+0x55a/0xc70 [ 27.631662] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 27.637181] ? _copy_from_user+0xdf/0x150 [ 27.641313] keyctl_dh_compute+0xb9/0x100 [ 27.645442] ? __keyctl_dh_compute+0x1bc0/0x1bc0 [ 27.650183] ? kzfree+0x28/0x30 [ 27.653445] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 27.658619] __x64_sys_keyctl+0x12a/0x3b0 [ 27.662751] do_syscall_64+0x1b1/0x800 [ 27.666628] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 27.671463] ? syscall_return_slowpath+0x5c0/0x5c0 [ 27.676375] ? syscall_return_slowpath+0x30f/0x5c0 [ 27.681311] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 27.686842] ? retint_user+0x18/0x18 [ 27.690539] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 27.695366] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 27.700536] RIP: 0033:0x43ffa9 [ 27.703710] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 [ 27.722896] RSP: 002b:00007ffea2faf3a8 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa [ 27.730600] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9 [ 27.737853] RDX: 0000000020a53ffb RSI: 0000000020000100 RDI: 0000000000000017 [ 27.745108] RBP: 00000000006ca018 R08: 0000000020c61fc8 R09: 00000000004002c8 [ 27.752368] R10: 0000000000000005 R11: 0000000000000217 R12: 00000000004018d0 [ 27.759620] R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000 [ 27.766876] [ 27.768484] Allocated by task 4530: [ 27.772098] save_stack+0x43/0xd0 [ 27.775534] kasan_kmalloc+0xc4/0xe0 [ 27.779225] __kmalloc+0x14e/0x760 [ 27.782747] __keyctl_dh_compute+0xfe9/0x1bc0 [ 27.787230] keyctl_dh_compute+0xb9/0x100 [ 27.791357] __x64_sys_keyctl+0x12a/0x3b0 [ 27.795487] do_syscall_64+0x1b1/0x800 [ 27.799361] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 27.804524] [ 27.806133] Freed by task 2867: [ 27.809395] save_stack+0x43/0xd0 [ 27.812826] __kasan_slab_free+0x11a/0x170 [ 27.817047] kasan_slab_free+0xe/0x10 [ 27.820837] kfree+0xd9/0x260 [ 27.823921] single_release+0x8f/0xb0 [ 27.827699] __fput+0x353/0x890 [ 27.830974] ____fput+0x15/0x20 [ 27.834235] task_work_run+0x1e4/0x290 [ 27.838119] exit_to_usermode_loop+0x2bd/0x310 [ 27.842684] do_syscall_64+0x6ac/0x800 [ 27.846554] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 27.851715] [ 27.853325] The buggy address belongs to the object at ffff8801d70c6a00 [ 27.853325] which belongs to the cache kmalloc-32 of size 32 [ 27.865801] The buggy address is located 24 bytes inside of [ 27.865801] 32-byte region [ffff8801d70c6a00, ffff8801d70c6a20) [ 27.877480] The buggy address belongs to the page: [ 27.882391] page:ffffea00075c3180 count:1 mapcount:0 mapping:ffff8801d70c6000 index:0xffff8801d70c6fc1 [ 27.891815] flags: 0x2fffc0000000100(slab) [ 27.896043] raw: 02fffc0000000100 ffff8801d70c6000 ffff8801d70c6fc1 000000010000003a [ 27.903910] raw: ffffea00075c4a60 ffffea0006b978a0 ffff8801da8001c0 0000000000000000 [ 27.911774] page dumped because: kasan: bad access detected [ 27.917462] [ 27.919064] Memory state around the buggy address: [ 27.923988] ffff8801d70c6900: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 27.931422] ffff8801d70c6980: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 27.939544] >ffff8801d70c6a00: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc [ 27.946882] ^ [ 27.951016] ffff8801d70c6a80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 27.958355] ffff8801d70c6b00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 27.965777] ================================================================== [ 27.973129] Disabling lock debugging due to kernel taint [ 27.978637] Kernel panic - not syncing: panic_on_warn set ... [ 27.978637] [ 27.986003] CPU: 0 PID: 4530 Comm: syz-executor352 Tainted: G B 4.17.0+ #89 [ 27.994388] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 28.003717] Call Trace: [ 28.006289] dump_stack+0x1b9/0x294 [ 28.009905] ? dump_stack_print_info.cold.2+0x52/0x52 [ 28.015088] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 28.019841] ? rmd160_final+0x1b0/0x240 [ 28.023798] panic+0x22f/0x4de [ 28.026968] ? add_taint.cold.5+0x16/0x16 [ 28.031114] ? do_raw_spin_unlock+0x9e/0x2e0 [ 28.035501] ? do_raw_spin_unlock+0x9e/0x2e0 [ 28.039898] ? rmd160_final+0x201/0x240 [ 28.043851] kasan_end_report+0x47/0x4f [ 28.047812] kasan_report.cold.7+0x76/0x2fe [ 28.052118] __asan_report_store4_noabort+0x17/0x20 [ 28.057115] rmd160_final+0x201/0x240 [ 28.060894] ? rmd160_update+0x170/0x170 [ 28.064934] ? rmd160_update+0x13b/0x170 [ 28.068975] ? kasan_unpoison_shadow+0x35/0x50 [ 28.073535] crypto_shash_final+0x104/0x260 [ 28.077837] ? rmd160_update+0x170/0x170 [ 28.081879] __keyctl_dh_compute+0x1184/0x1bc0 [ 28.086444] ? copy_overflow+0x30/0x30 [ 28.090314] ? find_held_lock+0x36/0x1c0 [ 28.094358] ? lock_downgrade+0x8e0/0x8e0 [ 28.098484] ? check_same_owner+0x320/0x320 [ 28.102873] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 28.108391] ? handle_mm_fault+0x55a/0xc70 [ 28.112616] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 28.118141] ? _copy_from_user+0xdf/0x150 [ 28.122274] keyctl_dh_compute+0xb9/0x100 [ 28.126410] ? __keyctl_dh_compute+0x1bc0/0x1bc0 [ 28.131145] ? kzfree+0x28/0x30 [ 28.134404] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 28.139584] __x64_sys_keyctl+0x12a/0x3b0 [ 28.143713] do_syscall_64+0x1b1/0x800 [ 28.147837] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 28.152659] ? syscall_return_slowpath+0x5c0/0x5c0 [ 28.157567] ? syscall_return_slowpath+0x30f/0x5c0 [ 28.162497] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.168034] ? retint_user+0x18/0x18 [ 28.171730] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 28.176554] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 28.181739] RIP: 0033:0x43ffa9 [ 28.184905] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 [ 28.204048] RSP: 002b:00007ffea2faf3a8 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa [ 28.211736] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9 [ 28.218997] RDX: 0000000020a53ffb RSI: 0000000020000100 RDI: 0000000000000017 [ 28.226252] RBP: 00000000006ca018 R08: 0000000020c61fc8 R09: 00000000004002c8 [ 28.233503] R10: 0000000000000005 R11: 0000000000000217 R12: 00000000004018d0 [ 28.240763] R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000 [ 28.248495] Dumping ftrace buffer: [ 28.252024] (ftrace buffer empty) [ 28.255709] Kernel Offset: disabled [ 28.259315] Rebooting in 86400 seconds..