[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 20.399774] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 24.379050] random: sshd: uninitialized urandom read (32 bytes read) [ 24.662874] random: sshd: uninitialized urandom read (32 bytes read) [ 25.527741] random: sshd: uninitialized urandom read (32 bytes read) [ 25.690235] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.35' (ECDSA) to the list of known hosts. [ 31.193253] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 31.288460] ================================================================== [ 31.295912] BUG: KASAN: slab-out-of-bounds in sha1_finup+0x44e/0x4b0 [ 31.302396] Write of size 4 at addr ffff8801d9718198 by task syz-executor857/4564 [ 31.309990] [ 31.311614] CPU: 0 PID: 4564 Comm: syz-executor857 Not tainted 4.17.0+ #89 [ 31.318613] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.327955] Call Trace: [ 31.330537] dump_stack+0x1b9/0x294 [ 31.334155] ? dump_stack_print_info.cold.2+0x52/0x52 [ 31.339330] ? printk+0x9e/0xba [ 31.342617] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 31.347359] ? kasan_check_write+0x14/0x20 [ 31.351589] print_address_description+0x6c/0x20b [ 31.356413] ? sha1_finup+0x44e/0x4b0 [ 31.360211] kasan_report.cold.7+0x242/0x2fe [ 31.364609] __asan_report_store4_noabort+0x17/0x20 [ 31.369628] sha1_finup+0x44e/0x4b0 [ 31.373468] ? sha1_base_init+0x150/0x150 [ 31.377615] sha1_avx2_final+0x28/0x30 [ 31.381521] crypto_shash_final+0x104/0x260 [ 31.385849] ? sha1_avx2_finup+0x40/0x40 [ 31.389905] __keyctl_dh_compute+0x1184/0x1bc0 [ 31.394496] ? copy_overflow+0x30/0x30 [ 31.398380] ? find_held_lock+0x36/0x1c0 [ 31.402436] ? lock_downgrade+0x8e0/0x8e0 [ 31.406587] ? check_same_owner+0x320/0x320 [ 31.410894] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 31.416412] ? handle_mm_fault+0x55a/0xc70 [ 31.420653] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 31.426182] ? _copy_from_user+0xdf/0x150 [ 31.430321] keyctl_dh_compute+0xb9/0x100 [ 31.434467] ? __keyctl_dh_compute+0x1bc0/0x1bc0 [ 31.439217] ? kzfree+0x28/0x30 [ 31.442479] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 31.447654] __x64_sys_keyctl+0x12a/0x3b0 [ 31.451791] do_syscall_64+0x1b1/0x800 [ 31.455663] ? syscall_return_slowpath+0x5c0/0x5c0 [ 31.460577] ? syscall_return_slowpath+0x30f/0x5c0 [ 31.465492] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.471189] ? retint_user+0x18/0x18 [ 31.474891] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 31.479743] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.484955] RIP: 0033:0x43ffa9 [ 31.488134] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 [ 31.507312] RSP: 002b:00007ffc57224a28 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa [ 31.515271] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9 [ 31.522525] RDX: 0000000020a53ffb RSI: 0000000020000100 RDI: 0000000000000017 [ 31.529796] RBP: 00000000006ca018 R08: 0000000020c61fc8 R09: 00000000004002c8 [ 31.537159] R10: 0000000000000005 R11: 0000000000000217 R12: 00000000004018d0 [ 31.544508] R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000 [ 31.551774] [ 31.553382] Allocated by task 4564: [ 31.556997] save_stack+0x43/0xd0 [ 31.560444] kasan_kmalloc+0xc4/0xe0 [ 31.564154] __kmalloc+0x14e/0x760 [ 31.567683] __keyctl_dh_compute+0xfe9/0x1bc0 [ 31.572158] keyctl_dh_compute+0xb9/0x100 [ 31.576283] __x64_sys_keyctl+0x12a/0x3b0 [ 31.580418] do_syscall_64+0x1b1/0x800 [ 31.584295] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.589457] [ 31.591063] Freed by task 2860: [ 31.594331] save_stack+0x43/0xd0 [ 31.597778] __kasan_slab_free+0x11a/0x170 [ 31.602008] kasan_slab_free+0xe/0x10 [ 31.605800] kfree+0xd9/0x260 [ 31.608886] single_release+0x8f/0xb0 [ 31.612671] __fput+0x353/0x890 [ 31.615933] ____fput+0x15/0x20 [ 31.619213] task_work_run+0x1e4/0x290 [ 31.623089] exit_to_usermode_loop+0x2bd/0x310 [ 31.627655] do_syscall_64+0x6ac/0x800 [ 31.631534] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.636787] [ 31.638394] The buggy address belongs to the object at ffff8801d9718180 [ 31.638394] which belongs to the cache kmalloc-32 of size 32 [ 31.650863] The buggy address is located 24 bytes inside of [ 31.650863] 32-byte region [ffff8801d9718180, ffff8801d97181a0) [ 31.662539] The buggy address belongs to the page: [ 31.667452] page:ffffea000765c600 count:1 mapcount:0 mapping:ffff8801d9718000 index:0xffff8801d9718fc1 [ 31.676887] flags: 0x2fffc0000000100(slab) [ 31.681106] raw: 02fffc0000000100 ffff8801d9718000 ffff8801d9718fc1 0000000100000008 [ 31.688969] raw: ffffea0007335020 ffffea000740a8a0 ffff8801da8001c0 0000000000000000 [ 31.696824] page dumped because: kasan: bad access detected [ 31.702511] [ 31.704116] Memory state around the buggy address: [ 31.709038] ffff8801d9718080: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc [ 31.716394] ffff8801d9718100: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc [ 31.723745] >ffff8801d9718180: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc [ 31.731080] ^ [ 31.735215] ffff8801d9718200: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 31.742553] ffff8801d9718280: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 31.749886] ================================================================== [ 31.757228] Disabling lock debugging due to kernel taint [ 31.762749] Kernel panic - not syncing: panic_on_warn set ... [ 31.762749] [ 31.770805] CPU: 0 PID: 4564 Comm: syz-executor857 Tainted: G B 4.17.0+ #89 [ 31.779187] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.788528] Call Trace: [ 31.791099] dump_stack+0x1b9/0x294 [ 31.794712] ? dump_stack_print_info.cold.2+0x52/0x52 [ 31.799896] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 31.804631] ? sha1_finup+0x3a0/0x4b0 [ 31.808410] panic+0x22f/0x4de [ 31.811585] ? add_taint.cold.5+0x16/0x16 [ 31.815715] ? do_raw_spin_unlock+0x9e/0x2e0 [ 31.820102] ? do_raw_spin_unlock+0x9e/0x2e0 [ 31.824495] ? sha1_finup+0x44e/0x4b0 [ 31.828293] kasan_end_report+0x47/0x4f [ 31.832257] kasan_report.cold.7+0x76/0x2fe [ 31.836558] __asan_report_store4_noabort+0x17/0x20 [ 31.841562] sha1_finup+0x44e/0x4b0 [ 31.845168] ? sha1_base_init+0x150/0x150 [ 31.849298] sha1_avx2_final+0x28/0x30 [ 31.853167] crypto_shash_final+0x104/0x260 [ 31.857473] ? sha1_avx2_finup+0x40/0x40 [ 31.861513] __keyctl_dh_compute+0x1184/0x1bc0 [ 31.866079] ? copy_overflow+0x30/0x30 [ 31.869948] ? find_held_lock+0x36/0x1c0 [ 31.874080] ? lock_downgrade+0x8e0/0x8e0 [ 31.878217] ? check_same_owner+0x320/0x320 [ 31.882522] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 31.888049] ? handle_mm_fault+0x55a/0xc70 [ 31.892269] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 31.897793] ? _copy_from_user+0xdf/0x150 [ 31.901928] keyctl_dh_compute+0xb9/0x100 [ 31.906070] ? __keyctl_dh_compute+0x1bc0/0x1bc0 [ 31.910821] ? kzfree+0x28/0x30 [ 31.914089] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 31.919260] __x64_sys_keyctl+0x12a/0x3b0 [ 31.923492] do_syscall_64+0x1b1/0x800 [ 31.927534] ? syscall_return_slowpath+0x5c0/0x5c0 [ 31.932442] ? syscall_return_slowpath+0x30f/0x5c0 [ 31.937365] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.942897] ? retint_user+0x18/0x18 [ 31.946607] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 31.951433] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.956600] RIP: 0033:0x43ffa9 [ 31.959774] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 [ 31.978895] RSP: 002b:00007ffc57224a28 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa [ 31.986595] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9 [ 31.993948] RDX: 0000000020a53ffb RSI: 0000000020000100 RDI: 0000000000000017 [ 32.001208] RBP: 00000000006ca018 R08: 0000000020c61fc8 R09: 00000000004002c8 [ 32.008468] R10: 0000000000000005 R11: 0000000000000217 R12: 00000000004018d0 [ 32.015725] R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000 [ 32.023424] Dumping ftrace buffer: [ 32.026950] (ftrace buffer empty) [ 32.030646] Kernel Offset: disabled [ 32.034252] Rebooting in 86400 seconds..