[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 19.493459] random: sshd: uninitialized urandom read (32 bytes read)
[ 20.347151] random: sshd: uninitialized urandom read (32 bytes read)
[ 20.666573] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 21.491724] random: sshd: uninitialized urandom read (32 bytes read)
[ 21.644019] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.12' (ECDSA) to the list of known hosts.
[ 27.242890] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 27.363694] ==================================================================
[ 27.371233] BUG: KASAN: slab-out-of-bounds in sha512_final+0x34a/0x3e0
[ 27.377888] Write of size 8 at addr ffff8801ce694340 by task syz-executor222/4542
[ 27.385533]
[ 27.387155] CPU: 1 PID: 4542 Comm: syz-executor222 Not tainted 4.18.0-rc2+ #19
[ 27.394509] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.404432] Call Trace:
[ 27.407068] dump_stack+0x1c9/0x2b4
[ 27.410685] ? dump_stack_print_info.cold.2+0x52/0x52
[ 27.415894] ? printk+0xa7/0xcf
[ 27.419154] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 27.423902] ? sha512_final+0x34a/0x3e0
[ 27.427868] print_address_description+0x6c/0x20b
[ 27.432704] ? sha512_final+0x34a/0x3e0
[ 27.436676] kasan_report.cold.7+0x242/0x2fe
[ 27.441076] __asan_report_store8_noabort+0x17/0x20
[ 27.446096] sha512_final+0x34a/0x3e0
[ 27.449929] crypto_shash_final+0x104/0x260
[ 27.454251] ? sha512_generic_block_fn+0x70/0x70
[ 27.458997] __keyctl_dh_compute+0x1198/0x1be0
[ 27.463574] ? copy_overflow+0x30/0x30
[ 27.467464] ? lock_release+0xa30/0xa30
[ 27.471432] ? check_same_owner+0x340/0x340
[ 27.475750] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 27.481271] ? _copy_from_user+0xdf/0x150
[ 27.485510] compat_keyctl_dh_compute+0x2d0/0x400
[ 27.490342] ? __x32_compat_sys_keyctl+0x3b0/0x3b0
[ 27.495267] __ia32_compat_sys_keyctl+0x137/0x3b0
[ 27.500097] do_fast_syscall_32+0x34d/0xfb2
[ 27.504409] ? do_int80_syscall_32+0x890/0x890
[ 27.508980] ? do_syscall_64+0x497/0x820
[ 27.513028] ? syscall_slow_exit_work+0x500/0x500
[ 27.517861] ? syscall_return_slowpath+0x5e0/0x5e0
[ 27.522783] ? syscall_return_slowpath+0x31d/0x5e0
[ 27.527702] ? sysret32_from_system_call+0x5/0x46
[ 27.532536] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 27.537367] entry_SYSENTER_compat+0x70/0x7f
[ 27.541765] RIP: 0023:0xf7f3bcb9
[ 27.545115] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 27.564289] RSP: 002b:00000000ffd55dcc EFLAGS: 00000292 ORIG_RAX: 0000000000000120
[ 27.571986] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000020000100
[ 27.579240] RDX: 0000000020a53ffb RSI: 0000000000000018 RDI: 0000000020000140
[ 27.586493] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 27.593748] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[ 27.601002] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 27.608264]
[ 27.609870] Allocated by task 4542:
[ 27.613487] save_stack+0x43/0xd0
[ 27.616922] kasan_kmalloc+0xc4/0xe0
[ 27.620618] __kmalloc+0x14e/0x760
[ 27.624147] __keyctl_dh_compute+0x1000/0x1be0
[ 27.628714] compat_keyctl_dh_compute+0x2d0/0x400
[ 27.633540] __ia32_compat_sys_keyctl+0x137/0x3b0
[ 27.638371] do_fast_syscall_32+0x34d/0xfb2
[ 27.642676] entry_SYSENTER_compat+0x70/0x7f
[ 27.647058]
[ 27.648670] Freed by task 1:
[ 27.651672] save_stack+0x43/0xd0
[ 27.655120] __kasan_slab_free+0x11a/0x170
[ 27.659336] kasan_slab_free+0xe/0x10
[ 27.663120] kfree+0xd9/0x260
[ 27.666210] kobject_uevent_env+0x275/0x1110
[ 27.670598] kobject_uevent+0x1f/0x30
[ 27.674395] netdev_queue_update_kobjects+0x3ac/0x4f0
[ 27.679566] netdev_register_kobject+0x299/0x380
[ 27.684306] register_netdevice+0x99f/0x11d0
[ 27.688697] bond_create+0xf5/0x157
[ 27.692307] bonding_init+0x165c/0x16fc
[ 27.696264] do_one_initcall+0x127/0x913
[ 27.700310] kernel_init_freeable+0x49b/0x58e
[ 27.704789] kernel_init+0x11/0x1b3
[ 27.708404] ret_from_fork+0x3a/0x50
[ 27.712091]
[ 27.713697] The buggy address belongs to the object at ffff8801ce694300
[ 27.713697] which belongs to the cache kmalloc-64 of size 64
[ 27.726158] The buggy address is located 0 bytes to the right of
[ 27.726158] 64-byte region [ffff8801ce694300, ffff8801ce694340)
[ 27.738273] The buggy address belongs to the page:
[ 27.743192] page:ffffea000739a500 count:1 mapcount:0 mapping:ffff8801da800340 index:0x0
[ 27.751327] flags: 0x2fffc0000000100(slab)
[ 27.755559] raw: 02fffc0000000100 ffffea00074c8508 ffff8801da801348 ffff8801da800340
[ 27.763437] raw: 0000000000000000 ffff8801ce694000 0000000100000020 0000000000000000
[ 27.771417] page dumped because: kasan: bad access detected
[ 27.777118]
[ 27.778736] Memory state around the buggy address:
[ 27.783647] ffff8801ce694200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 27.790991] ffff8801ce694280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 27.798335] >ffff8801ce694300: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 27.805673] ^
[ 27.811109] ffff8801ce694380: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 27.818449] ffff8801ce694400: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 27.825787] ==================================================================
[ 27.833124] Disabling lock debugging due to kernel taint
[ 27.838653] Kernel panic - not syncing: panic_on_warn set ...
[ 27.838653]
[ 27.846024] CPU: 1 PID: 4542 Comm: syz-executor222 Tainted: G B 4.18.0-rc2+ #19
[ 27.854761] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.864095] Call Trace:
[ 27.866668] dump_stack+0x1c9/0x2b4
[ 27.870277] ? dump_stack_print_info.cold.2+0x52/0x52
[ 27.875473] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 27.880215] panic+0x238/0x4e7
[ 27.883405] ? add_taint.cold.5+0x16/0x16
[ 27.887548] ? do_raw_spin_unlock+0xa7/0x2f0
[ 27.891940] ? sha512_final+0x34a/0x3e0
[ 27.895894] kasan_end_report+0x47/0x4f
[ 27.899859] kasan_report.cold.7+0x76/0x2fe
[ 27.904169] __asan_report_store8_noabort+0x17/0x20
[ 27.909166] sha512_final+0x34a/0x3e0
[ 27.912951] crypto_shash_final+0x104/0x260
[ 27.917255] ? sha512_generic_block_fn+0x70/0x70
[ 27.921992] __keyctl_dh_compute+0x1198/0x1be0
[ 27.926565] ? copy_overflow+0x30/0x30
[ 27.930440] ? lock_release+0xa30/0xa30
[ 27.934410] ? check_same_owner+0x340/0x340
[ 27.938717] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 27.944236] ? _copy_from_user+0xdf/0x150
[ 27.948366] compat_keyctl_dh_compute+0x2d0/0x400
[ 27.953194] ? __x32_compat_sys_keyctl+0x3b0/0x3b0
[ 27.958112] __ia32_compat_sys_keyctl+0x137/0x3b0
[ 27.962939] do_fast_syscall_32+0x34d/0xfb2
[ 27.967243] ? do_int80_syscall_32+0x890/0x890
[ 27.971804] ? do_syscall_64+0x497/0x820
[ 27.975846] ? syscall_slow_exit_work+0x500/0x500
[ 27.980671] ? syscall_return_slowpath+0x5e0/0x5e0
[ 27.985587] ? syscall_return_slowpath+0x31d/0x5e0
[ 27.990591] ? sysret32_from_system_call+0x5/0x46
[ 27.995422] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 28.000261] entry_SYSENTER_compat+0x70/0x7f
[ 28.004651] RIP: 0023:0xf7f3bcb9
[ 28.007991] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 28.027127] RSP: 002b:00000000ffd55dcc EFLAGS: 00000292 ORIG_RAX: 0000000000000120
[ 28.034817] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000020000100
[ 28.042078] RDX: 0000000020a53ffb RSI: 0000000000000018 RDI: 0000000020000140
[ 28.049329] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 28.056580] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[ 28.063828] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 28.071604] Dumping ftrace buffer:
[ 28.075214] (ftrace buffer empty)
[ 28.078909] Kernel Offset: disabled
[ 28.082515] Rebooting in 86400 seconds..