[....] Starting periodic command scheduler: cron[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[   20.004267] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.817637] random: sshd: uninitialized urandom read (32 bytes read)
[   25.176089] random: sshd: uninitialized urandom read (32 bytes read)
[   25.981113] random: sshd: uninitialized urandom read (32 bytes read)
[   26.142474] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.55' (ECDSA) to the list of known hosts.
[   31.605249] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   31.700251] ==================================================================
[   31.707720] BUG: KASAN: slab-out-of-bounds in wp384_final+0x93/0xe0
[   31.714137] Write of size 48 at addr ffff8801d0515f70 by task syz-executor441/4515
[   31.721829]
[   31.723442] CPU: 1 PID: 4515 Comm: syz-executor441 Not tainted 4.17.0+ #92
[   31.730433] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.739771] Call Trace:
[   31.742368]  dump_stack+0x1b9/0x294
[   31.745989]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.751165]  ? printk+0x9e/0xba
[   31.754428]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   31.759181]  ? kasan_check_write+0x14/0x20
[   31.763403]  print_address_description+0x6c/0x20b
[   31.768232]  ? wp384_final+0x93/0xe0
[   31.771941]  kasan_report.cold.7+0x242/0x2fe
[   31.776348]  check_memory_region+0x13e/0x1b0
[   31.781022]  memcpy+0x37/0x50
[   31.784129]  wp384_final+0x93/0xe0
[   31.787654]  ? wp256_final+0xe0/0xe0
[   31.791363]  ? kasan_unpoison_shadow+0x35/0x50
[   31.795928]  crypto_shash_final+0x104/0x260
[   31.800240]  ? wp256_final+0xe0/0xe0
[   31.803946]  __keyctl_dh_compute+0x1184/0x1bc0
[   31.808519]  ? copy_overflow+0x30/0x30
[   31.812402]  ? find_held_lock+0x36/0x1c0
[   31.816448]  ? lock_downgrade+0x8e0/0x8e0
[   31.820580]  ? check_same_owner+0x320/0x320
[   31.824884]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   31.830409]  ? handle_mm_fault+0x55a/0xc70
[   31.834897]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.840413]  ? _copy_from_user+0xdf/0x150
[   31.844547]  keyctl_dh_compute+0xb9/0x100
[   31.848680]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   31.853424]  ? kzfree+0x28/0x30
[   31.856693]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   31.861872]  __x64_sys_keyctl+0x12a/0x3b0
[   31.866008]  do_syscall_64+0x1b1/0x800
[   31.869885]  ? syscall_return_slowpath+0x5c0/0x5c0
[   31.874796]  ? syscall_return_slowpath+0x30f/0x5c0
[   31.879706]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.885237]  ? retint_user+0x18/0x18
[   31.888935]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.893761]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.898929] RIP: 0033:0x440019
[   31.902093] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[   31.921272] RSP: 002b:00007ffee9d4db48 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[   31.928973] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440019
[   31.936221] RDX: 0000000020000300 RSI: 0000000020000040 RDI: 0000000000000017
[   31.943471] RBP: 00000000006ca018 R08: 0000000020c61fc8 R09: 00000000004002c8
[   31.950719] R10: 00000000000000fb R11: 0000000000000217 R12: 0000000000401940
[   31.957968] R13: 00000000004019d0 R14: 0000000000000000 R15: 0000000000000000
[   31.965224]
[   31.966830] Allocated by task 4515:
[   31.970442]  save_stack+0x43/0xd0
[   31.973873]  kasan_kmalloc+0xc4/0xe0
[   31.977565]  __kmalloc+0x14e/0x760
[   31.981087]  __keyctl_dh_compute+0xfe9/0x1bc0
[   31.985559]  keyctl_dh_compute+0xb9/0x100
[   31.989690]  __x64_sys_keyctl+0x12a/0x3b0
[   31.993819]  do_syscall_64+0x1b1/0x800
[   31.997692]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.002857]
[   32.004460] Freed by task 0:
[   32.007458] (stack is not available)
[   32.011144]
[   32.012760] The buggy address belongs to the object at ffff8801d0515e80
[   32.012760]  which belongs to the cache kmalloc-256 of size 256
[   32.025399] The buggy address is located 240 bytes inside of
[   32.025399]  256-byte region [ffff8801d0515e80, ffff8801d0515f80)
[   32.037354] The buggy address belongs to the page:
[   32.042266] page:ffffea0007414540 count:1 mapcount:0 mapping:ffff8801da8007c0 index:0x0
[   32.050386] flags: 0x2fffc0000000100(slab)
[   32.054603] raw: 02fffc0000000100 ffffea0006bc2f08 ffff8801da801648 ffff8801da8007c0
[   32.062463] raw: 0000000000000000 ffff8801d05150c0 000000010000000c 0000000000000000
[   32.070319] page dumped because: kasan: bad access detected
[   32.076002]
[   32.077611] Memory state around the buggy address:
[   32.082518]  ffff8801d0515e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.089856]  ffff8801d0515f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.097192] >ffff8801d0515f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.104523]                    ^
[   32.107866]  ffff8801d0516000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.116247]  ffff8801d0516080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.123582] ==================================================================
[   32.130919] Disabling lock debugging due to kernel taint
[   32.136457] Kernel panic - not syncing: panic_on_warn set ...
[   32.136457]
[   32.143825] CPU: 1 PID: 4515 Comm: syz-executor441 Tainted: G    B            4.17.0+ #92
[   32.152204] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.161534] Call Trace:
[   32.164110]  dump_stack+0x1b9/0x294
[   32.167719]  ? dump_stack_print_info.cold.2+0x52/0x52
[   32.172900]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   32.177633]  ? wp384_final+0x80/0xe0
[   32.181328]  panic+0x22f/0x4de
[   32.184502]  ? add_taint.cold.5+0x16/0x16
[   32.188629]  ? do_raw_spin_unlock+0x9e/0x2e0
[   32.193032]  ? do_raw_spin_unlock+0x9e/0x2e0
[   32.197424]  ? wp384_final+0x93/0xe0
[   32.201119]  kasan_end_report+0x47/0x4f
[   32.205070]  kasan_report.cold.7+0x76/0x2fe
[   32.209373]  check_memory_region+0x13e/0x1b0
[   32.213759]  memcpy+0x37/0x50
[   32.216842]  wp384_final+0x93/0xe0
[   32.220356]  ? wp256_final+0xe0/0xe0
[   32.224058]  ? kasan_unpoison_shadow+0x35/0x50
[   32.228621]  crypto_shash_final+0x104/0x260
[   32.232923]  ? wp256_final+0xe0/0xe0
[   32.236617]  __keyctl_dh_compute+0x1184/0x1bc0
[   32.241181]  ? copy_overflow+0x30/0x30
[   32.245059]  ? find_held_lock+0x36/0x1c0
[   32.249100]  ? lock_downgrade+0x8e0/0x8e0
[   32.253225]  ? check_same_owner+0x320/0x320
[   32.257527]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   32.263046]  ? handle_mm_fault+0x55a/0xc70
[   32.267272]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   32.272788]  ? _copy_from_user+0xdf/0x150
[   32.276914]  keyctl_dh_compute+0xb9/0x100
[   32.281050]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   32.285792]  ? kzfree+0x28/0x30
[   32.289055]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   32.294234]  __x64_sys_keyctl+0x12a/0x3b0
[   32.298365]  do_syscall_64+0x1b1/0x800
[   32.302233]  ? syscall_return_slowpath+0x5c0/0x5c0
[   32.307140]  ? syscall_return_slowpath+0x30f/0x5c0
[   32.312055]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.317578]  ? retint_user+0x18/0x18
[   32.321272]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   32.326094]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.331262] RIP: 0033:0x440019
[   32.334425] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[   32.353545] RSP: 002b:00007ffee9d4db48 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[   32.361250] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440019
[   32.368508] RDX: 0000000020000300 RSI: 0000000020000040 RDI: 0000000000000017
[   32.375758] RBP: 00000000006ca018 R08: 0000000020c61fc8 R09: 00000000004002c8
[   32.383005] R10: 00000000000000fb R11: 0000000000000217 R12: 0000000000401940
[   32.390258] R13: 00000000004019d0 R14: 0000000000000000 R15: 0000000000000000
[   32.398002] Dumping ftrace buffer:
[   32.401521]    (ftrace buffer empty)
[   32.405205] Kernel Offset: disabled
[   32.408810] Rebooting in 86400 seconds..