[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   18.326851] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.987224] random: sshd: uninitialized urandom read (32 bytes read)
[   23.355696] random: sshd: uninitialized urandom read (32 bytes read)
[   24.165679] random: sshd: uninitialized urandom read (32 bytes read)
[   24.314000] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.41' (ECDSA) to the list of known hosts.
[   29.772244] random: sshd: uninitialized urandom read (32 bytes read)
2018/06/10 10:53:02 parsed 1 programs
[   30.864626] random: cc1: uninitialized urandom read (8 bytes read)
2018/06/10 10:53:03 executed programs: 0
[   31.636845] IPVS: ftp: loaded support on port[0] = 21
[   31.755105] bridge0: port 1(bridge_slave_0) entered blocking state
[   31.761536] bridge0: port 1(bridge_slave_0) entered disabled state
[   31.768798] device bridge_slave_0 entered promiscuous mode
[   31.785716] bridge0: port 2(bridge_slave_1) entered blocking state
[   31.792101] bridge0: port 2(bridge_slave_1) entered disabled state
[   31.799262] device bridge_slave_1 entered promiscuous mode
[   31.814167] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   31.829680] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   31.868127] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   31.884743] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   31.942852] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   31.950149] team0: Port device team_slave_0 added
[   31.963521] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   31.970608] team0: Port device team_slave_1 added
[   31.984538] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   32.001336] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   32.017901] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   32.033877] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   32.140674] bridge0: port 2(bridge_slave_1) entered blocking state
[   32.147101] bridge0: port 2(bridge_slave_1) entered forwarding state
[   32.153997] bridge0: port 1(bridge_slave_0) entered blocking state
[   32.160358] bridge0: port 1(bridge_slave_0) entered forwarding state
[   32.539928] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   32.546195] 8021q: adding VLAN 0 to HW filter on device bond0
[   32.585722] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   32.625582] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   32.633577] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   32.667532] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   32.673616] 8021q: adding VLAN 0 to HW filter on device team0
[   32.702262] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   32.912984] ==================================================================
[   32.920460] BUG: KASAN: slab-out-of-bounds in sha512_finup+0x564/0x620
[   32.927110] Write of size 8 at addr ffff8801cada1f80 by task syz-executor0/4766
[   32.934531] 
[   32.936145] CPU: 1 PID: 4766 Comm: syz-executor0 Not tainted 4.17.0+ #118
[   32.943050] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.952384] Call Trace:
[   32.954955]  dump_stack+0x1b9/0x294
[   32.958576]  ? dump_stack_print_info.cold.2+0x52/0x52
[   32.963745]  ? printk+0x9e/0xba
[   32.967026]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   32.971794]  ? kasan_check_write+0x14/0x20
[   32.976014]  print_address_description+0x6c/0x20b
[   32.980847]  ? sha512_finup+0x564/0x620
[   32.984805]  kasan_report.cold.7+0x242/0x2fe
[   32.989194]  __asan_report_store8_noabort+0x17/0x20
[   32.994195]  sha512_finup+0x564/0x620
[   32.997975]  ? sha512_update+0x9f/0x260
[   33.001932]  sha512_avx2_final+0x28/0x30
[   33.005973]  crypto_shash_final+0x104/0x260
[   33.010279]  ? sha512_avx2_finup+0x40/0x40
[   33.014500]  __keyctl_dh_compute+0x1184/0x1bc0
[   33.019075]  ? copy_overflow+0x30/0x30
[   33.022953]  ? find_held_lock+0x36/0x1c0
[   33.027001]  ? lock_downgrade+0x8e0/0x8e0
[   33.031148]  ? check_same_owner+0x320/0x320
[   33.035465]  ? find_held_lock+0x36/0x1c0
[   33.039520]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   33.045045]  ? _copy_from_user+0xdf/0x150
[   33.049178]  compat_keyctl_dh_compute+0x2c8/0x3e0
[   33.054012]  ? __x32_compat_sys_keyctl+0x3b0/0x3b0
[   33.058940]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   33.064114]  __ia32_compat_sys_keyctl+0x137/0x3b0
[   33.068938]  do_fast_syscall_32+0x345/0xf9b
[   33.073270]  ? do_int80_syscall_32+0x880/0x880
[   33.077855]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   33.082601]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.088128]  ? syscall_return_slowpath+0x30f/0x5c0
[   33.093051]  ? sysret32_from_system_call+0x5/0x46
[   33.097890]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   33.102721]  entry_SYSENTER_compat+0x70/0x7f
[   33.107107] RIP: 0023:0xf7f75cb9
[   33.110447] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 
[   33.129615] RSP: 002b:00000000ff90d3ec EFLAGS: 00000286 ORIG_RAX: 0000000000000120
[   33.137305] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000020000100
[   33.144555] RDX: 0000000020a53ffb RSI: 0000000000000053 RDI: 0000000020c61fc8
[   33.151804] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   33.159056] R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
[   33.166308] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   33.173562] 
[   33.175168] Allocated by task 4766:
[   33.178775]  save_stack+0x43/0xd0
[   33.182213]  kasan_kmalloc+0xc4/0xe0
[   33.185917]  __kmalloc+0x14e/0x760
[   33.189437]  __keyctl_dh_compute+0xfe9/0x1bc0
[   33.193913]  compat_keyctl_dh_compute+0x2c8/0x3e0
[   33.198733]  __ia32_compat_sys_keyctl+0x137/0x3b0
[   33.203556]  do_fast_syscall_32+0x345/0xf9b
[   33.207860]  entry_SYSENTER_compat+0x70/0x7f
[   33.212240] 
[   33.213853] Freed by task 3189:
[   33.217124]  save_stack+0x43/0xd0
[   33.220560]  __kasan_slab_free+0x11a/0x170
[   33.224780]  kasan_slab_free+0xe/0x10
[   33.228557]  kfree+0xd9/0x260
[   33.231644]  load_elf_binary+0x6c5/0x5610
[   33.235774]  search_binary_handler+0x17d/0x570
[   33.240334]  __do_execve_file.isra.35+0x16fe/0x2610
[   33.245331]  __x64_sys_execve+0x8f/0xc0
[   33.249296]  do_syscall_64+0x1b1/0x800
[   33.253179]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.258355] 
[   33.259978] The buggy address belongs to the object at ffff8801cada1f00
[   33.259978]  which belongs to the cache kmalloc-128 of size 128
[   33.272615] The buggy address is located 0 bytes to the right of
[   33.272615]  128-byte region [ffff8801cada1f00, ffff8801cada1f80)
[   33.284811] The buggy address belongs to the page:
[   33.289719] page:ffffea00072b6840 count:1 mapcount:0 mapping:ffff8801da800640 index:0x0
[   33.297849] flags: 0x2fffc0000000100(slab)
[   33.302073] raw: 02fffc0000000100 ffffea00072b6b08 ffffea00071e2308 ffff8801da800640
[   33.309935] raw: 0000000000000000 ffff8801cada1000 0000000100000015 0000000000000000
[   33.317792] page dumped because: kasan: bad access detected
[   33.323474] 
[   33.325079] Memory state around the buggy address:
[   33.329989]  ffff8801cada1e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   33.337328]  ffff8801cada1f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   33.344663] >ffff8801cada1f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.351995]                    ^
[   33.355346]  ffff8801cada2000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   33.362691]  ffff8801cada2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.370029] ==================================================================
[   33.377375] Disabling lock debugging due to kernel taint
[   33.383354] Kernel panic - not syncing: panic_on_warn set ...
[   33.383354] 
[   33.390716] CPU: 1 PID: 4766 Comm: syz-executor0 Tainted: G    B             4.17.0+ #118
[   33.399008] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.408355] Call Trace:
[   33.410927]  dump_stack+0x1b9/0x294
[   33.414532]  ? dump_stack_print_info.cold.2+0x52/0x52
[   33.419704]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   33.424436]  ? sha512_finup+0x4b0/0x620
[   33.428389]  panic+0x22f/0x4de
[   33.431559]  ? add_taint.cold.5+0x16/0x16
[   33.435688]  ? do_raw_spin_unlock+0x9e/0x2e0
[   33.440088]  ? do_raw_spin_unlock+0x9e/0x2e0
[   33.444484]  ? sha512_finup+0x564/0x620
[   33.448438]  kasan_end_report+0x47/0x4f
[   33.452391]  kasan_report.cold.7+0x76/0x2fe
[   33.456693]  __asan_report_store8_noabort+0x17/0x20
[   33.461684]  sha512_finup+0x564/0x620
[   33.465464]  ? sha512_update+0x9f/0x260
[   33.469419]  sha512_avx2_final+0x28/0x30
[   33.473470]  crypto_shash_final+0x104/0x260
[   33.477768]  ? sha512_avx2_finup+0x40/0x40
[   33.481982]  __keyctl_dh_compute+0x1184/0x1bc0
[   33.486547]  ? copy_overflow+0x30/0x30
[   33.490414]  ? find_held_lock+0x36/0x1c0
[   33.494453]  ? lock_downgrade+0x8e0/0x8e0
[   33.498579]  ? check_same_owner+0x320/0x320
[   33.502880]  ? find_held_lock+0x36/0x1c0
[   33.506925]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   33.512439]  ? _copy_from_user+0xdf/0x150
[   33.516566]  compat_keyctl_dh_compute+0x2c8/0x3e0
[   33.521389]  ? __x32_compat_sys_keyctl+0x3b0/0x3b0
[   33.526299]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   33.531468]  __ia32_compat_sys_keyctl+0x137/0x3b0
[   33.536288]  do_fast_syscall_32+0x345/0xf9b
[   33.540589]  ? do_int80_syscall_32+0x880/0x880
[   33.545160]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   33.549896]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.555410]  ? syscall_return_slowpath+0x30f/0x5c0
[   33.560330]  ? sysret32_from_system_call+0x5/0x46
[   33.565171]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   33.569994]  entry_SYSENTER_compat+0x70/0x7f
[   33.574382] RIP: 0023:0xf7f75cb9
[   33.577721] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 
[   33.596856] RSP: 002b:00000000ff90d3ec EFLAGS: 00000286 ORIG_RAX: 0000000000000120
[   33.604540] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000020000100
[   33.611786] RDX: 0000000020a53ffb RSI: 0000000000000053 RDI: 0000000020c61fc8
[   33.619041] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   33.627760] R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
[   33.635013] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   33.642708] Dumping ftrace buffer:
[   33.646225]    (ftrace buffer empty)
[   33.649918] Kernel Offset: disabled
[   33.653518] Rebooting in 86400 seconds..