[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   20.399774] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.379050] random: sshd: uninitialized urandom read (32 bytes read)
[   24.662874] random: sshd: uninitialized urandom read (32 bytes read)
[   25.527741] random: sshd: uninitialized urandom read (32 bytes read)
[   25.690235] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.35' (ECDSA) to the list of known hosts.
[   31.193253] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   31.288460] ==================================================================
[   31.295912] BUG: KASAN: slab-out-of-bounds in sha1_finup+0x44e/0x4b0
[   31.302396] Write of size 4 at addr ffff8801d9718198 by task syz-executor857/4564
[   31.309990] 
[   31.311614] CPU: 0 PID: 4564 Comm: syz-executor857 Not tainted 4.17.0+ #89
[   31.318613] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.327955] Call Trace:
[   31.330537]  dump_stack+0x1b9/0x294
[   31.334155]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.339330]  ? printk+0x9e/0xba
[   31.342617]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   31.347359]  ? kasan_check_write+0x14/0x20
[   31.351589]  print_address_description+0x6c/0x20b
[   31.356413]  ? sha1_finup+0x44e/0x4b0
[   31.360211]  kasan_report.cold.7+0x242/0x2fe
[   31.364609]  __asan_report_store4_noabort+0x17/0x20
[   31.369628]  sha1_finup+0x44e/0x4b0
[   31.373468]  ? sha1_base_init+0x150/0x150
[   31.377615]  sha1_avx2_final+0x28/0x30
[   31.381521]  crypto_shash_final+0x104/0x260
[   31.385849]  ? sha1_avx2_finup+0x40/0x40
[   31.389905]  __keyctl_dh_compute+0x1184/0x1bc0
[   31.394496]  ? copy_overflow+0x30/0x30
[   31.398380]  ? find_held_lock+0x36/0x1c0
[   31.402436]  ? lock_downgrade+0x8e0/0x8e0
[   31.406587]  ? check_same_owner+0x320/0x320
[   31.410894]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   31.416412]  ? handle_mm_fault+0x55a/0xc70
[   31.420653]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.426182]  ? _copy_from_user+0xdf/0x150
[   31.430321]  keyctl_dh_compute+0xb9/0x100
[   31.434467]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   31.439217]  ? kzfree+0x28/0x30
[   31.442479]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   31.447654]  __x64_sys_keyctl+0x12a/0x3b0
[   31.451791]  do_syscall_64+0x1b1/0x800
[   31.455663]  ? syscall_return_slowpath+0x5c0/0x5c0
[   31.460577]  ? syscall_return_slowpath+0x30f/0x5c0
[   31.465492]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.471189]  ? retint_user+0x18/0x18
[   31.474891]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.479743]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.484955] RIP: 0033:0x43ffa9
[   31.488134] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 
[   31.507312] RSP: 002b:00007ffc57224a28 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[   31.515271] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9
[   31.522525] RDX: 0000000020a53ffb RSI: 0000000020000100 RDI: 0000000000000017
[   31.529796] RBP: 00000000006ca018 R08: 0000000020c61fc8 R09: 00000000004002c8
[   31.537159] R10: 0000000000000005 R11: 0000000000000217 R12: 00000000004018d0
[   31.544508] R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000
[   31.551774] 
[   31.553382] Allocated by task 4564:
[   31.556997]  save_stack+0x43/0xd0
[   31.560444]  kasan_kmalloc+0xc4/0xe0
[   31.564154]  __kmalloc+0x14e/0x760
[   31.567683]  __keyctl_dh_compute+0xfe9/0x1bc0
[   31.572158]  keyctl_dh_compute+0xb9/0x100
[   31.576283]  __x64_sys_keyctl+0x12a/0x3b0
[   31.580418]  do_syscall_64+0x1b1/0x800
[   31.584295]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.589457] 
[   31.591063] Freed by task 2860:
[   31.594331]  save_stack+0x43/0xd0
[   31.597778]  __kasan_slab_free+0x11a/0x170
[   31.602008]  kasan_slab_free+0xe/0x10
[   31.605800]  kfree+0xd9/0x260
[   31.608886]  single_release+0x8f/0xb0
[   31.612671]  __fput+0x353/0x890
[   31.615933]  ____fput+0x15/0x20
[   31.619213]  task_work_run+0x1e4/0x290
[   31.623089]  exit_to_usermode_loop+0x2bd/0x310
[   31.627655]  do_syscall_64+0x6ac/0x800
[   31.631534]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.636787] 
[   31.638394] The buggy address belongs to the object at ffff8801d9718180
[   31.638394]  which belongs to the cache kmalloc-32 of size 32
[   31.650863] The buggy address is located 24 bytes inside of
[   31.650863]  32-byte region [ffff8801d9718180, ffff8801d97181a0)
[   31.662539] The buggy address belongs to the page:
[   31.667452] page:ffffea000765c600 count:1 mapcount:0 mapping:ffff8801d9718000 index:0xffff8801d9718fc1
[   31.676887] flags: 0x2fffc0000000100(slab)
[   31.681106] raw: 02fffc0000000100 ffff8801d9718000 ffff8801d9718fc1 0000000100000008
[   31.688969] raw: ffffea0007335020 ffffea000740a8a0 ffff8801da8001c0 0000000000000000
[   31.696824] page dumped because: kasan: bad access detected
[   31.702511] 
[   31.704116] Memory state around the buggy address:
[   31.709038]  ffff8801d9718080: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc
[   31.716394]  ffff8801d9718100: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[   31.723745] >ffff8801d9718180: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc
[   31.731080]                             ^
[   31.735215]  ffff8801d9718200: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   31.742553]  ffff8801d9718280: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   31.749886] ==================================================================
[   31.757228] Disabling lock debugging due to kernel taint
[   31.762749] Kernel panic - not syncing: panic_on_warn set ...
[   31.762749] 
[   31.770805] CPU: 0 PID: 4564 Comm: syz-executor857 Tainted: G    B             4.17.0+ #89
[   31.779187] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.788528] Call Trace:
[   31.791099]  dump_stack+0x1b9/0x294
[   31.794712]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.799896]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   31.804631]  ? sha1_finup+0x3a0/0x4b0
[   31.808410]  panic+0x22f/0x4de
[   31.811585]  ? add_taint.cold.5+0x16/0x16
[   31.815715]  ? do_raw_spin_unlock+0x9e/0x2e0
[   31.820102]  ? do_raw_spin_unlock+0x9e/0x2e0
[   31.824495]  ? sha1_finup+0x44e/0x4b0
[   31.828293]  kasan_end_report+0x47/0x4f
[   31.832257]  kasan_report.cold.7+0x76/0x2fe
[   31.836558]  __asan_report_store4_noabort+0x17/0x20
[   31.841562]  sha1_finup+0x44e/0x4b0
[   31.845168]  ? sha1_base_init+0x150/0x150
[   31.849298]  sha1_avx2_final+0x28/0x30
[   31.853167]  crypto_shash_final+0x104/0x260
[   31.857473]  ? sha1_avx2_finup+0x40/0x40
[   31.861513]  __keyctl_dh_compute+0x1184/0x1bc0
[   31.866079]  ? copy_overflow+0x30/0x30
[   31.869948]  ? find_held_lock+0x36/0x1c0
[   31.874080]  ? lock_downgrade+0x8e0/0x8e0
[   31.878217]  ? check_same_owner+0x320/0x320
[   31.882522]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   31.888049]  ? handle_mm_fault+0x55a/0xc70
[   31.892269]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.897793]  ? _copy_from_user+0xdf/0x150
[   31.901928]  keyctl_dh_compute+0xb9/0x100
[   31.906070]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   31.910821]  ? kzfree+0x28/0x30
[   31.914089]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   31.919260]  __x64_sys_keyctl+0x12a/0x3b0
[   31.923492]  do_syscall_64+0x1b1/0x800
[   31.927534]  ? syscall_return_slowpath+0x5c0/0x5c0
[   31.932442]  ? syscall_return_slowpath+0x30f/0x5c0
[   31.937365]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.942897]  ? retint_user+0x18/0x18
[   31.946607]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.951433]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.956600] RIP: 0033:0x43ffa9
[   31.959774] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 
[   31.978895] RSP: 002b:00007ffc57224a28 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[   31.986595] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9
[   31.993948] RDX: 0000000020a53ffb RSI: 0000000020000100 RDI: 0000000000000017
[   32.001208] RBP: 00000000006ca018 R08: 0000000020c61fc8 R09: 00000000004002c8
[   32.008468] R10: 0000000000000005 R11: 0000000000000217 R12: 00000000004018d0
[   32.015725] R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000
[   32.023424] Dumping ftrace buffer:
[   32.026950]    (ftrace buffer empty)
[   32.030646] Kernel Offset: disabled
[   32.034252] Rebooting in 86400 seconds..