[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   20.487977] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.147625] random: sshd: uninitialized urandom read (32 bytes read)
[   23.568568] random: sshd: uninitialized urandom read (32 bytes read)
[   24.366645] random: sshd: uninitialized urandom read (32 bytes read)
[   24.537837] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.55' (ECDSA) to the list of known hosts.
[   29.987905] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   30.079921] ==================================================================
[   30.087421] BUG: KASAN: use-after-free in nla_strlcpy+0x13d/0x150
[   30.093780] Read of size 1 at addr ffff8801acebf89d by task syz-executor711/4535
[   30.101324] 
[   30.102952] CPU: 1 PID: 4535 Comm: syz-executor711 Not tainted 4.17.0-rc6+ #64
[   30.110299] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.119645] Call Trace:
[   30.122233]  dump_stack+0x1b9/0x294
[   30.125864]  ? dump_stack_print_info.cold.2+0x52/0x52
[   30.131052]  ? printk+0x9e/0xba
[   30.134357]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   30.139109]  ? kasan_check_write+0x14/0x20
[   30.143339]  print_address_description+0x6c/0x20b
[   30.148176]  ? nla_strlcpy+0x13d/0x150
[   30.152053]  kasan_report.cold.7+0x242/0x2fe
[   30.156451]  __asan_report_load1_noabort+0x14/0x20
[   30.161370]  nla_strlcpy+0x13d/0x150
[   30.165074]  nfnl_acct_new+0x574/0xc50
[   30.168956]  ? nfnl_acct_overquota+0x380/0x380
[   30.173529]  ? debug_check_no_locks_freed+0x310/0x310
[   30.178734]  ? graph_lock+0x170/0x170
[   30.182538]  ? print_usage_bug+0xc0/0xc0
[   30.186593]  ? find_held_lock+0x36/0x1c0
[   30.190649]  ? graph_lock+0x170/0x170
[   30.194441]  ? lock_downgrade+0x8e0/0x8e0
[   30.198586]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.204135]  ? __lock_is_held+0xb5/0x140
[   30.208200]  ? nfnl_acct_overquota+0x380/0x380
[   30.212778]  nfnetlink_rcv_msg+0xdb5/0xff0
[   30.217035]  ? __sanitizer_cov_trace_cmp1+0x17/0x20
[   30.222053]  ? nfnetlink_rcv_msg+0x3bc/0xff0
[   30.226472]  ? nfnetlink_bind+0x3a0/0x3a0
[   30.230614]  ? graph_lock+0x170/0x170
[   30.234407]  ? find_held_lock+0x36/0x1c0
[   30.238472]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.244007]  netlink_rcv_skb+0x172/0x440
[   30.248076]  ? nfnetlink_bind+0x3a0/0x3a0
[   30.252214]  ? netlink_ack+0xbc0/0xbc0
[   30.256097]  ? __netlink_ns_capable+0x100/0x130
[   30.260757]  nfnetlink_rcv+0x1fe/0x1ba0
[   30.264725]  ? kasan_check_read+0x11/0x20
[   30.268857]  ? rcu_is_watching+0x85/0x140
[   30.273000]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   30.278195]  ? nfnl_err_reset+0x2d0/0x2d0
[   30.282335]  ? netlink_remove_tap+0x610/0x610
[   30.286839]  ? refcount_add_not_zero+0x320/0x320
[   30.291598]  ? kasan_check_read+0x11/0x20
[   30.295741]  ? rcu_is_watching+0x85/0x140
[   30.299889]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   30.305072]  ? netlink_skb_destructor+0x210/0x210
[   30.309910]  ? kasan_check_write+0x14/0x20
[   30.314151]  netlink_unicast+0x58b/0x740
[   30.318207]  ? netlink_attachskb+0x970/0x970
[   30.322621]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.328148]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   30.333154]  ? security_netlink_send+0x88/0xb0
[   30.337817]  netlink_sendmsg+0x9f0/0xfa0
[   30.341883]  ? netlink_unicast+0x740/0x740
[   30.346106]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.351642]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.357172]  ? security_socket_sendmsg+0x94/0xc0
[   30.361922]  ? netlink_unicast+0x740/0x740
[   30.366151]  sock_sendmsg+0xd5/0x120
[   30.369863]  sock_write_iter+0x35a/0x5a0
[   30.373915]  ? sock_sendmsg+0x120/0x120
[   30.377885]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   30.383411]  ? iov_iter_init+0xc9/0x1f0
[   30.387374]  __vfs_write+0x64d/0x960
[   30.391080]  ? kernel_read+0x120/0x120
[   30.394971]  ? lock_downgrade+0x8e0/0x8e0
[   30.399132]  ? handle_mm_fault+0x8c0/0xc70
[   30.403372]  ? handle_mm_fault+0x55a/0xc70
[   30.407635]  ? rw_verify_area+0x118/0x360
[   30.411811]  vfs_write+0x1f8/0x560
[   30.415352]  ksys_write+0xf9/0x250
[   30.418885]  ? __ia32_sys_read+0xb0/0xb0
[   30.422932]  ? __ia32_sys_fallocate+0xf0/0xf0
[   30.427420]  __x64_sys_write+0x73/0xb0
[   30.431302]  do_syscall_64+0x1b1/0x800
[   30.435183]  ? syscall_return_slowpath+0x5c0/0x5c0
[   30.440099]  ? syscall_return_slowpath+0x30f/0x5c0
[   30.445024]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.450564]  ? retint_user+0x18/0x18
[   30.454278]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.459113]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.464287] RIP: 0033:0x43fcf9
[   30.467463] RSP: 002b:00007fff665e2ce8 EFLAGS: 00000213 ORIG_RAX: 0000000000000001
[   30.475163] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fcf9
[   30.482424] RDX: 000000000000001f RSI: 0000000020390000 RDI: 0000000000000003
[   30.489683] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   30.496955] R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401620
[   30.504217] R13: 00000000004016b0 R14: 0000000000000000 R15: 0000000000000000
[   30.511483] 
[   30.513101] Allocated by task 4535:
[   30.516721]  save_stack+0x43/0xd0
[   30.520171]  kasan_kmalloc+0xc4/0xe0
[   30.523869]  __kmalloc+0x14e/0x760
[   30.527416]  load_elf_phdrs+0x17a/0x250
[   30.531374]  load_elf_binary+0x32b/0x5610
[   30.535508]  search_binary_handler+0x17d/0x570
[   30.540081]  __do_execve_file.isra.34+0x16fe/0x2610
[   30.545083]  __x64_sys_execve+0x8f/0xc0
[   30.549048]  do_syscall_64+0x1b1/0x800
[   30.552928]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.558107] 
[   30.559718] Freed by task 4535:
[   30.562987]  save_stack+0x43/0xd0
[   30.566435]  __kasan_slab_free+0x11a/0x170
[   30.570667]  kasan_slab_free+0xe/0x10
[   30.574465]  kfree+0xd9/0x260
[   30.577557]  load_elf_binary+0x2569/0x5610
[   30.581792]  search_binary_handler+0x17d/0x570
[   30.586375]  __do_execve_file.isra.34+0x16fe/0x2610
[   30.591392]  __x64_sys_execve+0x8f/0xc0
[   30.595353]  do_syscall_64+0x1b1/0x800
[   30.599225]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.604413] 
[   30.606032] The buggy address belongs to the object at ffff8801acebf800
[   30.606032]  which belongs to the cache kmalloc-512 of size 512
[   30.618686] The buggy address is located 157 bytes inside of
[   30.618686]  512-byte region [ffff8801acebf800, ffff8801acebfa00)
[   30.630556] The buggy address belongs to the page:
[   30.635493] page:ffffea0006b3afc0 count:1 mapcount:0 mapping:ffff8801acebf080 index:0x0
[   30.643633] flags: 0x2fffc0000000100(slab)
[   30.647857] raw: 02fffc0000000100 ffff8801acebf080 0000000000000000 0000000100000006
[   30.655727] raw: ffffea0006b47020 ffffea0006b136a0 ffff8801da800940 0000000000000000
[   30.663589] page dumped because: kasan: bad access detected
[   30.669279] 
[   30.670885] Memory state around the buggy address:
[   30.675801]  ffff8801acebf780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.683145]  ffff8801acebf800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.690494] >ffff8801acebf880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.697840]                             ^
[   30.701984]  ffff8801acebf900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.709332]  ffff8801acebf980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.716684] ==================================================================
[   30.724028] Disabling lock debugging due to kernel taint
[   30.729559] Kernel panic - not syncing: panic_on_warn set ...
[   30.729559] 
[   30.736941] CPU: 1 PID: 4535 Comm: syz-executor711 Tainted: G    B             4.17.0-rc6+ #64
[   30.745686] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.755035] Call Trace:
[   30.757632]  dump_stack+0x1b9/0x294
[   30.761244]  ? dump_stack_print_info.cold.2+0x52/0x52
[   30.766429]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.771185]  ? nla_strlcpy+0x80/0x150
[   30.774970]  panic+0x22f/0x4de
[   30.778150]  ? add_taint.cold.5+0x16/0x16
[   30.782292]  ? do_raw_spin_unlock+0x9e/0x2e0
[   30.786684]  ? do_raw_spin_unlock+0x9e/0x2e0
[   30.791076]  ? nla_strlcpy+0x13d/0x150
[   30.794951]  kasan_end_report+0x47/0x4f
[   30.798910]  kasan_report.cold.7+0x76/0x2fe
[   30.803223]  __asan_report_load1_noabort+0x14/0x20
[   30.808141]  nla_strlcpy+0x13d/0x150
[   30.811847]  nfnl_acct_new+0x574/0xc50
[   30.815730]  ? nfnl_acct_overquota+0x380/0x380
[   30.820302]  ? debug_check_no_locks_freed+0x310/0x310
[   30.825491]  ? graph_lock+0x170/0x170
[   30.829378]  ? print_usage_bug+0xc0/0xc0
[   30.833433]  ? find_held_lock+0x36/0x1c0
[   30.837480]  ? graph_lock+0x170/0x170
[   30.841275]  ? lock_downgrade+0x8e0/0x8e0
[   30.845413]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.850937]  ? __lock_is_held+0xb5/0x140
[   30.854992]  ? nfnl_acct_overquota+0x380/0x380
[   30.859568]  nfnetlink_rcv_msg+0xdb5/0xff0
[   30.863802]  ? __sanitizer_cov_trace_cmp1+0x17/0x20
[   30.868810]  ? nfnetlink_rcv_msg+0x3bc/0xff0
[   30.873223]  ? nfnetlink_bind+0x3a0/0x3a0
[   30.877355]  ? graph_lock+0x170/0x170
[   30.881145]  ? find_held_lock+0x36/0x1c0
[   30.885200]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.890731]  netlink_rcv_skb+0x172/0x440
[   30.894782]  ? nfnetlink_bind+0x3a0/0x3a0
[   30.898915]  ? netlink_ack+0xbc0/0xbc0
[   30.902791]  ? __netlink_ns_capable+0x100/0x130
[   30.907451]  nfnetlink_rcv+0x1fe/0x1ba0
[   30.911416]  ? kasan_check_read+0x11/0x20
[   30.915559]  ? rcu_is_watching+0x85/0x140
[   30.919699]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   30.924885]  ? nfnl_err_reset+0x2d0/0x2d0
[   30.929031]  ? netlink_remove_tap+0x610/0x610
[   30.933521]  ? refcount_add_not_zero+0x320/0x320
[   30.938266]  ? kasan_check_read+0x11/0x20
[   30.942417]  ? rcu_is_watching+0x85/0x140
[   30.946561]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   30.951742]  ? netlink_skb_destructor+0x210/0x210
[   30.956602]  ? kasan_check_write+0x14/0x20
[   30.960831]  netlink_unicast+0x58b/0x740
[   30.964889]  ? netlink_attachskb+0x970/0x970
[   30.969288]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.975676]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   30.980693]  ? security_netlink_send+0x88/0xb0
[   30.985275]  netlink_sendmsg+0x9f0/0xfa0
[   30.989342]  ? netlink_unicast+0x740/0x740
[   30.993583]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.999296]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.004946]  ? security_socket_sendmsg+0x94/0xc0
[   31.009694]  ? netlink_unicast+0x740/0x740
[   31.013930]  sock_sendmsg+0xd5/0x120
[   31.017647]  sock_write_iter+0x35a/0x5a0
[   31.021695]  ? sock_sendmsg+0x120/0x120
[   31.025669]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.031374]  ? iov_iter_init+0xc9/0x1f0
[   31.035358]  __vfs_write+0x64d/0x960
[   31.039071]  ? kernel_read+0x120/0x120
[   31.042946]  ? lock_downgrade+0x8e0/0x8e0
[   31.047080]  ? handle_mm_fault+0x8c0/0xc70
[   31.051305]  ? handle_mm_fault+0x55a/0xc70
[   31.055528]  ? rw_verify_area+0x118/0x360
[   31.059670]  vfs_write+0x1f8/0x560
[   31.063207]  ksys_write+0xf9/0x250
[   31.067152]  ? __ia32_sys_read+0xb0/0xb0
[   31.071203]  ? __ia32_sys_fallocate+0xf0/0xf0
[   31.075688]  __x64_sys_write+0x73/0xb0
[   31.079568]  do_syscall_64+0x1b1/0x800
[   31.083452]  ? syscall_return_slowpath+0x5c0/0x5c0
[   31.088368]  ? syscall_return_slowpath+0x30f/0x5c0
[   31.093294]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.098905]  ? retint_user+0x18/0x18
[   31.102606]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.107531]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.112797] RIP: 0033:0x43fcf9
[   31.115970] RSP: 002b:00007fff665e2ce8 EFLAGS: 00000213 ORIG_RAX: 0000000000000001
[   31.123667] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fcf9
[   31.130929] RDX: 000000000000001f RSI: 0000000020390000 RDI: 0000000000000003
[   31.138310] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   31.145830] R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401620
[   31.153082] R13: 00000000004016b0 R14: 0000000000000000 R15: 0000000000000000
[   31.160894] Dumping ftrace buffer:
[   31.164414]    (ftrace buffer empty)
[   31.168566] Kernel Offset: disabled
[   31.172194] Rebooting in 86400 seconds..