[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   19.394674] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.959849] random: sshd: uninitialized urandom read (32 bytes read)
[   24.243413] random: sshd: uninitialized urandom read (32 bytes read)
[   25.014090] random: sshd: uninitialized urandom read (32 bytes read)
[   30.513439] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.39' (ECDSA) to the list of known hosts.
[   35.999398] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   36.093455] ==================================================================
[   36.100891] BUG: KASAN: slab-out-of-bounds in tgr160_final+0x93/0xe0
[   36.107372] Write of size 20 at addr ffff8801d912c054 by task syz-executor926/4564
[   36.115055] 
[   36.116667] CPU: 0 PID: 4564 Comm: syz-executor926 Not tainted 4.17.0+ #89
[   36.123656] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   36.132987] Call Trace:
[   36.135562]  dump_stack+0x1b9/0x294
[   36.139171]  ? dump_stack_print_info.cold.2+0x52/0x52
[   36.144343]  ? printk+0x9e/0xba
[   36.147603]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   36.152343]  ? kasan_check_write+0x14/0x20
[   36.156562]  print_address_description+0x6c/0x20b
[   36.161384]  ? tgr160_final+0x93/0xe0
[   36.165167]  kasan_report.cold.7+0x242/0x2fe
[   36.169573]  check_memory_region+0x13e/0x1b0
[   36.173961]  memcpy+0x37/0x50
[   36.177056]  tgr160_final+0x93/0xe0
[   36.180672]  ? tgr128_final+0x170/0x170
[   36.184627]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   36.190144]  ? tgr192_update+0x18a/0x520
[   36.194189]  ? kasan_unpoison_shadow+0x35/0x50
[   36.198750]  crypto_shash_final+0x104/0x260
[   36.203051]  ? tgr128_final+0x170/0x170
[   36.207007]  __keyctl_dh_compute+0x1184/0x1bc0
[   36.211577]  ? copy_overflow+0x30/0x30
[   36.215465]  ? find_held_lock+0x36/0x1c0
[   36.219510]  ? lock_downgrade+0x8e0/0x8e0
[   36.223640]  ? check_same_owner+0x320/0x320
[   36.227946]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   36.233462]  ? handle_mm_fault+0x55a/0xc70
[   36.237697]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   36.243210]  ? _copy_from_user+0xdf/0x150
[   36.247341]  keyctl_dh_compute+0xb9/0x100
[   36.251466]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   36.256295]  ? kzfree+0x28/0x30
[   36.259555]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   36.264723]  __x64_sys_keyctl+0x12a/0x3b0
[   36.268851]  do_syscall_64+0x1b1/0x800
[   36.272717]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   36.277551]  ? syscall_return_slowpath+0x5c0/0x5c0
[   36.282463]  ? syscall_return_slowpath+0x30f/0x5c0
[   36.287371]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   36.292888]  ? retint_user+0x18/0x18
[   36.296594]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   36.301420]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   36.306589] RIP: 0033:0x440029
[   36.309753] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[   36.328924] RSP: 002b:00007ffce89982d8 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[   36.336614] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440029
[   36.343860] RDX: 0000000020a53ffb RSI: 0000000020000100 RDI: 0000000000000017
[   36.351107] RBP: 00000000006ca018 R08: 0000000020c61fc8 R09: 00000000004002c8
[   36.358361] R10: 0000000000000005 R11: 0000000000000217 R12: 0000000000401950
[   36.365606] R13: 00000000004019e0 R14: 0000000000000000 R15: 0000000000000000
[   36.372859] 
[   36.374474] Allocated by task 4564:
[   36.378086]  save_stack+0x43/0xd0
[   36.381528]  kasan_kmalloc+0xc4/0xe0
[   36.385219]  __kmalloc+0x14e/0x760
[   36.388745]  __keyctl_dh_compute+0xfe9/0x1bc0
[   36.393219]  keyctl_dh_compute+0xb9/0x100
[   36.397345]  __x64_sys_keyctl+0x12a/0x3b0
[   36.401473]  do_syscall_64+0x1b1/0x800
[   36.405342]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   36.410504] 
[   36.412106] Freed by task 2863:
[   36.415369]  save_stack+0x43/0xd0
[   36.418812]  __kasan_slab_free+0x11a/0x170
[   36.423033]  kasan_slab_free+0xe/0x10
[   36.426817]  kfree+0xd9/0x260
[   36.429908]  single_release+0x8f/0xb0
[   36.433692]  __fput+0x353/0x890
[   36.436947]  ____fput+0x15/0x20
[   36.440204]  task_work_run+0x1e4/0x290
[   36.444078]  exit_to_usermode_loop+0x2bd/0x310
[   36.448642]  do_syscall_64+0x6ac/0x800
[   36.452518]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   36.457679] 
[   36.459291] The buggy address belongs to the object at ffff8801d912c040
[   36.459291]  which belongs to the cache kmalloc-32 of size 32
[   36.471750] The buggy address is located 20 bytes inside of
[   36.471750]  32-byte region [ffff8801d912c040, ffff8801d912c060)
[   36.483424] The buggy address belongs to the page:
[   36.488330] page:ffffea0007644b00 count:1 mapcount:0 mapping:ffff8801d912c000 index:0xffff8801d912cfc1
[   36.497750] flags: 0x2fffc0000000100(slab)
[   36.501963] raw: 02fffc0000000100 ffff8801d912c000 ffff8801d912cfc1 000000010000001a
[   36.509830] raw: ffffea000764a060 ffffea0007646b60 ffff8801da8001c0 0000000000000000
[   36.517682] page dumped because: kasan: bad access detected
[   36.523385] 
[   36.524997] Memory state around the buggy address:
[   36.529912]  ffff8801d912bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   36.537272]  ffff8801d912bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   36.544634] >ffff8801d912c000: 06 fc fc fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   36.551978]                                                  ^
[   36.558197]  ffff8801d912c080: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   36.565545]  ffff8801d912c100: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   36.572887] ==================================================================
[   36.580227] Disabling lock debugging due to kernel taint
[   36.585770] Kernel panic - not syncing: panic_on_warn set ...
[   36.585770] 
[   36.593119] CPU: 0 PID: 4564 Comm: syz-executor926 Tainted: G    B             4.17.0+ #89
[   36.601494] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   36.610824] Call Trace:
[   36.613409]  dump_stack+0x1b9/0x294
[   36.617018]  ? dump_stack_print_info.cold.2+0x52/0x52
[   36.622200]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   36.626945]  ? tgr128_final+0x130/0x170
[   36.630898]  panic+0x22f/0x4de
[   36.634068]  ? add_taint.cold.5+0x16/0x16
[   36.638194]  ? do_raw_spin_unlock+0x9e/0x2e0
[   36.642584]  ? do_raw_spin_unlock+0x9e/0x2e0
[   36.646970]  ? tgr160_final+0x93/0xe0
[   36.650750]  kasan_end_report+0x47/0x4f
[   36.654700]  kasan_report.cold.7+0x76/0x2fe
[   36.658999]  check_memory_region+0x13e/0x1b0
[   36.663386]  memcpy+0x37/0x50
[   36.666467]  tgr160_final+0x93/0xe0
[   36.670069]  ? tgr128_final+0x170/0x170
[   36.674034]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   36.679550]  ? tgr192_update+0x18a/0x520
[   36.683589]  ? kasan_unpoison_shadow+0x35/0x50
[   36.688150]  crypto_shash_final+0x104/0x260
[   36.692458]  ? tgr128_final+0x170/0x170
[   36.696425]  __keyctl_dh_compute+0x1184/0x1bc0
[   36.700984]  ? copy_overflow+0x30/0x30
[   36.704849]  ? find_held_lock+0x36/0x1c0
[   36.708888]  ? lock_downgrade+0x8e0/0x8e0
[   36.713015]  ? check_same_owner+0x320/0x320
[   36.717323]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   36.722839]  ? handle_mm_fault+0x55a/0xc70
[   36.727053]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   36.732566]  ? _copy_from_user+0xdf/0x150
[   36.736702]  keyctl_dh_compute+0xb9/0x100
[   36.740827]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   36.745561]  ? kzfree+0x28/0x30
[   36.748819]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   36.753985]  __x64_sys_keyctl+0x12a/0x3b0
[   36.758118]  do_syscall_64+0x1b1/0x800
[   36.761981]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   36.766804]  ? syscall_return_slowpath+0x5c0/0x5c0
[   36.771800]  ? syscall_return_slowpath+0x30f/0x5c0
[   36.776707]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   36.782235]  ? retint_user+0x18/0x18
[   36.786027]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   36.790849]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   36.796019] RIP: 0033:0x440029
[   36.799182] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[   36.818300] RSP: 002b:00007ffce89982d8 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[   36.825987] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440029
[   36.833246] RDX: 0000000020a53ffb RSI: 0000000020000100 RDI: 0000000000000017
[   36.840501] RBP: 00000000006ca018 R08: 0000000020c61fc8 R09: 00000000004002c8
[   36.847832] R10: 0000000000000005 R11: 0000000000000217 R12: 0000000000401950
[   36.855077] R13: 00000000004019e0 R14: 0000000000000000 R15: 0000000000000000
[   36.862726] Dumping ftrace buffer:
[   36.866239]    (ftrace buffer empty)
[   36.869925] Kernel Offset: disabled
[   36.873530] Rebooting in 86400 seconds..