[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 18.326851] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 22.987224] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.355696] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.165679] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.314000] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.41' (ECDSA) to the list of known hosts.
[ 29.772244] random: sshd: uninitialized urandom read (32 bytes read)
2018/06/10 10:53:02 parsed 1 programs
[ 30.864626] random: cc1: uninitialized urandom read (8 bytes read)
2018/06/10 10:53:03 executed programs: 0
[ 31.636845] IPVS: ftp: loaded support on port[0] = 21
[ 31.755105] bridge0: port 1(bridge_slave_0) entered blocking state
[ 31.761536] bridge0: port 1(bridge_slave_0) entered disabled state
[ 31.768798] device bridge_slave_0 entered promiscuous mode
[ 31.785716] bridge0: port 2(bridge_slave_1) entered blocking state
[ 31.792101] bridge0: port 2(bridge_slave_1) entered disabled state
[ 31.799262] device bridge_slave_1 entered promiscuous mode
[ 31.814167] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 31.829680] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 31.868127] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 31.884743] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 31.942852] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 31.950149] team0: Port device team_slave_0 added
[ 31.963521] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 31.970608] team0: Port device team_slave_1 added
[ 31.984538] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 32.001336] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 32.017901] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 32.033877] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 32.140674] bridge0: port 2(bridge_slave_1) entered blocking state
[ 32.147101] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 32.153997] bridge0: port 1(bridge_slave_0) entered blocking state
[ 32.160358] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 32.539928] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 32.546195] 8021q: adding VLAN 0 to HW filter on device bond0
[ 32.585722] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 32.625582] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 32.633577] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 32.667532] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 32.673616] 8021q: adding VLAN 0 to HW filter on device team0
[ 32.702262] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 32.912984] ==================================================================
[ 32.920460] BUG: KASAN: slab-out-of-bounds in sha512_finup+0x564/0x620
[ 32.927110] Write of size 8 at addr ffff8801cada1f80 by task syz-executor0/4766
[ 32.934531]
[ 32.936145] CPU: 1 PID: 4766 Comm: syz-executor0 Not tainted 4.17.0+ #118
[ 32.943050] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.952384] Call Trace:
[ 32.954955]  dump_stack+0x1b9/0x294
[ 32.958576]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 32.963745]  ? printk+0x9e/0xba
[ 32.967026]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 32.971794]  ? kasan_check_write+0x14/0x20
[ 32.976014]  print_address_description+0x6c/0x20b
[ 32.980847]  ? sha512_finup+0x564/0x620
[ 32.984805]  kasan_report.cold.7+0x242/0x2fe
[ 32.989194]  __asan_report_store8_noabort+0x17/0x20
[ 32.994195]  sha512_finup+0x564/0x620
[ 32.997975]  ? sha512_update+0x9f/0x260
[ 33.001932]  sha512_avx2_final+0x28/0x30
[ 33.005973]  crypto_shash_final+0x104/0x260
[ 33.010279]  ? sha512_avx2_finup+0x40/0x40
[ 33.014500]  __keyctl_dh_compute+0x1184/0x1bc0
[ 33.019075]  ? copy_overflow+0x30/0x30
[ 33.022953]  ? find_held_lock+0x36/0x1c0
[ 33.027001]  ? lock_downgrade+0x8e0/0x8e0
[ 33.031148]  ? check_same_owner+0x320/0x320
[ 33.035465]  ? find_held_lock+0x36/0x1c0
[ 33.039520]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 33.045045]  ? _copy_from_user+0xdf/0x150
[ 33.049178]  compat_keyctl_dh_compute+0x2c8/0x3e0
[ 33.054012]  ? __x32_compat_sys_keyctl+0x3b0/0x3b0
[ 33.058940]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 33.064114]  __ia32_compat_sys_keyctl+0x137/0x3b0
[ 33.068938]  do_fast_syscall_32+0x345/0xf9b
[ 33.073270]  ? do_int80_syscall_32+0x880/0x880
[ 33.077855]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 33.082601]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 33.088128]  ? syscall_return_slowpath+0x30f/0x5c0
[ 33.093051]  ? sysret32_from_system_call+0x5/0x46
[ 33.097890]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 33.102721]  entry_SYSENTER_compat+0x70/0x7f
[ 33.107107] RIP: 0023:0xf7f75cb9
[ 33.110447] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 33.129615] RSP: 002b:00000000ff90d3ec EFLAGS: 00000286 ORIG_RAX: 0000000000000120
[ 33.137305] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000020000100
[ 33.144555] RDX: 0000000020a53ffb RSI: 0000000000000053 RDI: 0000000020c61fc8
[ 33.151804] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 33.159056] R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
[ 33.166308] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 33.173562]
[ 33.175168] Allocated by task 4766:
[ 33.178775]  save_stack+0x43/0xd0
[ 33.182213]  kasan_kmalloc+0xc4/0xe0
[ 33.185917]  __kmalloc+0x14e/0x760
[ 33.189437]  __keyctl_dh_compute+0xfe9/0x1bc0
[ 33.193913]  compat_keyctl_dh_compute+0x2c8/0x3e0
[ 33.198733]  __ia32_compat_sys_keyctl+0x137/0x3b0
[ 33.203556]  do_fast_syscall_32+0x345/0xf9b
[ 33.207860]  entry_SYSENTER_compat+0x70/0x7f
[ 33.212240]
[ 33.213853] Freed by task 3189:
[ 33.217124]  save_stack+0x43/0xd0
[ 33.220560]  __kasan_slab_free+0x11a/0x170
[ 33.224780]  kasan_slab_free+0xe/0x10
[ 33.228557]  kfree+0xd9/0x260
[ 33.231644]  load_elf_binary+0x6c5/0x5610
[ 33.235774]  search_binary_handler+0x17d/0x570
[ 33.240334]  __do_execve_file.isra.35+0x16fe/0x2610
[ 33.245331]  __x64_sys_execve+0x8f/0xc0
[ 33.249296]  do_syscall_64+0x1b1/0x800
[ 33.253179]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.258355]
[ 33.259978] The buggy address belongs to the object at ffff8801cada1f00
[ 33.259978]  which belongs to the cache kmalloc-128 of size 128
[ 33.272615] The buggy address is located 0 bytes to the right of
[ 33.272615]  128-byte region [ffff8801cada1f00, ffff8801cada1f80)
[ 33.284811] The buggy address belongs to the page:
[ 33.289719] page:ffffea00072b6840 count:1 mapcount:0 mapping:ffff8801da800640 index:0x0
[ 33.297849] flags: 0x2fffc0000000100(slab)
[ 33.302073] raw: 02fffc0000000100 ffffea00072b6b08 ffffea00071e2308 ffff8801da800640
[ 33.309935] raw: 0000000000000000 ffff8801cada1000 0000000100000015 0000000000000000
[ 33.317792] page dumped because: kasan: bad access detected
[ 33.323474]
[ 33.325079] Memory state around the buggy address:
[ 33.329989]  ffff8801cada1e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 33.337328]  ffff8801cada1f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.344663] >ffff8801cada1f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.351995]                    ^
[ 33.355346]  ffff8801cada2000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 33.362691]  ffff8801cada2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.370029] ==================================================================
[ 33.377375] Disabling lock debugging due to kernel taint
[ 33.383354] Kernel panic - not syncing: panic_on_warn set ...
[ 33.383354]
[ 33.390716] CPU: 1 PID: 4766 Comm: syz-executor0 Tainted: G B 4.17.0+ #118
[ 33.399008] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.408355] Call Trace:
[ 33.410927]  dump_stack+0x1b9/0x294
[ 33.414532]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 33.419704]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 33.424436]  ? sha512_finup+0x4b0/0x620
[ 33.428389]  panic+0x22f/0x4de
[ 33.431559]  ? add_taint.cold.5+0x16/0x16
[ 33.435688]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 33.440088]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 33.444484]  ? sha512_finup+0x564/0x620
[ 33.448438]  kasan_end_report+0x47/0x4f
[ 33.452391]  kasan_report.cold.7+0x76/0x2fe
[ 33.456693]  __asan_report_store8_noabort+0x17/0x20
[ 33.461684]  sha512_finup+0x564/0x620
[ 33.465464]  ? sha512_update+0x9f/0x260
[ 33.469419]  sha512_avx2_final+0x28/0x30
[ 33.473470]  crypto_shash_final+0x104/0x260
[ 33.477768]  ? sha512_avx2_finup+0x40/0x40
[ 33.481982]  __keyctl_dh_compute+0x1184/0x1bc0
[ 33.486547]  ? copy_overflow+0x30/0x30
[ 33.490414]  ? find_held_lock+0x36/0x1c0
[ 33.494453]  ? lock_downgrade+0x8e0/0x8e0
[ 33.498579]  ? check_same_owner+0x320/0x320
[ 33.502880]  ? find_held_lock+0x36/0x1c0
[ 33.506925]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 33.512439]  ? _copy_from_user+0xdf/0x150
[ 33.516566]  compat_keyctl_dh_compute+0x2c8/0x3e0
[ 33.521389]  ? __x32_compat_sys_keyctl+0x3b0/0x3b0
[ 33.526299]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 33.531468]  __ia32_compat_sys_keyctl+0x137/0x3b0
[ 33.536288]  do_fast_syscall_32+0x345/0xf9b
[ 33.540589]  ? do_int80_syscall_32+0x880/0x880
[ 33.545160]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 33.549896]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 33.555410]  ? syscall_return_slowpath+0x30f/0x5c0
[ 33.560330]  ? sysret32_from_system_call+0x5/0x46
[ 33.565171]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 33.569994]  entry_SYSENTER_compat+0x70/0x7f
[ 33.574382] RIP: 0023:0xf7f75cb9
[ 33.577721] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 33.596856] RSP: 002b:00000000ff90d3ec EFLAGS: 00000286 ORIG_RAX: 0000000000000120
[ 33.604540] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000020000100
[ 33.611786] RDX: 0000000020a53ffb RSI: 0000000000000053 RDI: 0000000020c61fc8
[ 33.619041] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 33.627760] R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
[ 33.635013] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 33.642708] Dumping ftrace buffer:
[ 33.646225]    (ftrace buffer empty)
[ 33.649918] Kernel Offset: disabled
[ 33.653518] Rebooting in 86400 seconds..