[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   18.667267] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.511575] random: sshd: uninitialized urandom read (32 bytes read)
[   22.839396] random: sshd: uninitialized urandom read (32 bytes read)
[   23.706434] random: sshd: uninitialized urandom read (32 bytes read)
[   23.865806] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.56' (ECDSA) to the list of known hosts.
[   29.293923] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   29.405977] ==================================================================
[   29.413469] BUG: KASAN: use-after-free in _copy_to_user+0xe9/0x110
[   29.419771] Read of size 1012 at addr ffff8801a73ffff2 by task syz-executor999/4519
[   29.427540] 
[   29.429150] CPU: 1 PID: 4519 Comm: syz-executor999 Not tainted 4.18.0-rc3+ #4
[   29.436398] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.445729] Call Trace:
[   29.448305]  dump_stack+0x1c9/0x2b4
[   29.451918]  ? dump_stack_print_info.cold.2+0x52/0x52
[   29.457087]  ? printk+0xa7/0xcf
[   29.460348]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   29.465088]  ? _copy_to_user+0xe9/0x110
[   29.469048]  print_address_description+0x6c/0x20b
[   29.473875]  ? _copy_to_user+0xe9/0x110
[   29.477830]  kasan_report.cold.7+0x242/0x2fe
[   29.482219]  check_memory_region+0x13e/0x1b0
[   29.486607]  kasan_check_read+0x11/0x20
[   29.490560]  _copy_to_user+0xe9/0x110
[   29.494346]  bpf_test_finish.isra.7+0xee/0x1f0
[   29.498910]  ? bpf_test_init.isra.8+0x100/0x100
[   29.503558]  ? bpf_skb_change_head+0x737/0xad0
[   29.508121]  ? bpf_test_run+0x2fc/0x3b0
[   29.512078]  bpf_prog_test_run_skb+0x7d7/0xa30
[   29.516640]  ? bpf_test_finish.isra.7+0x1f0/0x1f0
[   29.521501]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.527035]  ? __bpf_prog_get+0x9b/0x290
[   29.531078]  ? bpf_test_finish.isra.7+0x1f0/0x1f0
[   29.535901]  bpf_prog_test_run+0x130/0x1a0
[   29.540118]  __x64_sys_bpf+0x3d8/0x510
[   29.544545]  ? bpf_prog_get+0x20/0x20
[   29.548339]  ? do_syscall_64+0x9a/0x820
[   29.552303]  do_syscall_64+0x1b9/0x820
[   29.556175]  ? syscall_return_slowpath+0x5e0/0x5e0
[   29.561085]  ? syscall_return_slowpath+0x31d/0x5e0
[   29.566039]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   29.571398]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   29.576251]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   29.581420] RIP: 0033:0x440269
[   29.584588] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
[   29.603758] RSP: 002b:00007ffd46082208 EFLAGS: 00000213 ORIG_RAX: 0000000000000141
[   29.611448] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440269
[   29.618705] RDX: 0000000000000028 RSI: 0000000020000080 RDI: 000000000000000a
[   29.625953] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   29.633204] R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401af0
[   29.640455] R13: 0000000000401b80 R14: 0000000000000000 R15: 0000000000000000
[   29.647715] 
[   29.649319] The buggy address belongs to the page:
[   29.654226] page:ffffea00069cffc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[   29.662343] flags: 0x2fffc0000000000()
[   29.666212] raw: 02fffc0000000000 ffffea00069cffc8 ffffea00069cffc8 0000000000000000
[   29.674078] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   29.681945] page dumped because: kasan: bad access detected
[   29.687637] 
[   29.689243] Memory state around the buggy address:
[   29.694150]  ffff8801a73ffe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   29.701487]  ffff8801a73fff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   29.708825] >ffff8801a73fff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   29.716159]                                                              ^
[   29.723150]  ffff8801a7400000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   29.730491]  ffff8801a7400080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   29.737823] ==================================================================
[   29.745157] Disabling lock debugging due to kernel taint
[   29.750653] Kernel panic - not syncing: panic_on_warn set ...
[   29.750653] 
[   29.758019] CPU: 1 PID: 4519 Comm: syz-executor999 Tainted: G    B             4.18.0-rc3+ #4
[   29.766674] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.776013] Call Trace:
[   29.778590]  dump_stack+0x1c9/0x2b4
[   29.782198]  ? dump_stack_print_info.cold.2+0x52/0x52
[   29.787368]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.792133]  panic+0x238/0x4e7
[   29.795305]  ? add_taint.cold.5+0x16/0x16
[   29.799431]  ? do_raw_spin_unlock+0xa7/0x2f0
[   29.803836]  ? do_raw_spin_unlock+0xa7/0x2f0
[   29.808234]  ? _copy_to_user+0xe9/0x110
[   29.812198]  kasan_end_report+0x47/0x4f
[   29.816148]  kasan_report.cold.7+0x76/0x2fe
[   29.820448]  check_memory_region+0x13e/0x1b0
[   29.824856]  kasan_check_read+0x11/0x20
[   29.828809]  _copy_to_user+0xe9/0x110
[   29.832589]  bpf_test_finish.isra.7+0xee/0x1f0
[   29.837147]  ? bpf_test_init.isra.8+0x100/0x100
[   29.841798]  ? bpf_skb_change_head+0x737/0xad0
[   29.846359]  ? bpf_test_run+0x2fc/0x3b0
[   29.850400]  bpf_prog_test_run_skb+0x7d7/0xa30
[   29.854964]  ? bpf_test_finish.isra.7+0x1f0/0x1f0
[   29.859795]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.865309]  ? __bpf_prog_get+0x9b/0x290
[   29.869355]  ? bpf_test_finish.isra.7+0x1f0/0x1f0
[   29.874178]  bpf_prog_test_run+0x130/0x1a0
[   29.878393]  __x64_sys_bpf+0x3d8/0x510
[   29.882266]  ? bpf_prog_get+0x20/0x20
[   29.886054]  ? do_syscall_64+0x9a/0x820
[   29.890012]  do_syscall_64+0x1b9/0x820
[   29.893892]  ? syscall_return_slowpath+0x5e0/0x5e0
[   29.898801]  ? syscall_return_slowpath+0x31d/0x5e0
[   29.903730]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   29.909074]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   29.913898]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   29.919086] RIP: 0033:0x440269
[   29.922254] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
[   29.941475] RSP: 002b:00007ffd46082208 EFLAGS: 00000213 ORIG_RAX: 0000000000000141
[   29.949187] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440269
[   29.956538] RDX: 0000000000000028 RSI: 0000000020000080 RDI: 000000000000000a
[   29.963791] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   29.971046] R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401af0
[   29.978298] R13: 0000000000401b80 R14: 0000000000000000 R15: 0000000000000000
[   29.986120] Dumping ftrace buffer:
[   29.989655]    (ftrace buffer empty)
[   29.993431] Kernel Offset: disabled
[   29.997036] Rebooting in 86400 seconds..