[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   18.548545] random: sshd: uninitialized urandom read (32 bytes read)
[   19.567613] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.825337] random: sshd: uninitialized urandom read (32 bytes read)
[   20.626076] random: sshd: uninitialized urandom read (32 bytes read)
[   20.786494] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.3' (ECDSA) to the list of known hosts.
[   26.179410] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   26.271887] ==================================================================
[   26.279347] BUG: KASAN: slab-out-of-bounds in sha512_finup+0x564/0x620
[   26.286032] Write of size 8 at addr ffff8801ae495440 by task syz-executor501/4514
[   26.293633] 
[   26.295253] CPU: 0 PID: 4514 Comm: syz-executor501 Not tainted 4.17.0+ #93
[   26.302273] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.311606] Call Trace:
[   26.314179]  dump_stack+0x1b9/0x294
[   26.317790]  ? dump_stack_print_info.cold.2+0x52/0x52
[   26.322960]  ? printk+0x9e/0xba
[   26.326221]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   26.330959]  ? kasan_check_write+0x14/0x20
[   26.335174]  print_address_description+0x6c/0x20b
[   26.339998]  ? sha512_finup+0x564/0x620
[   26.343961]  kasan_report.cold.7+0x242/0x2fe
[   26.348352]  __asan_report_store8_noabort+0x17/0x20
[   26.353350]  sha512_finup+0x564/0x620
[   26.357140]  ? sha512_update+0x9f/0x260
[   26.361122]  sha512_avx2_final+0x28/0x30
[   26.365179]  crypto_shash_final+0x104/0x260
[   26.369482]  ? sha512_avx2_finup+0x40/0x40
[   26.373701]  __keyctl_dh_compute+0x1184/0x1bc0
[   26.378270]  ? copy_overflow+0x30/0x30
[   26.382143]  ? find_held_lock+0x36/0x1c0
[   26.386187]  ? lock_downgrade+0x8e0/0x8e0
[   26.390320]  ? check_same_owner+0x320/0x320
[   26.394623]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   26.400139]  ? handle_mm_fault+0x55a/0xc70
[   26.404360]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   26.409875]  ? _copy_from_user+0xdf/0x150
[   26.414007]  keyctl_dh_compute+0xb9/0x100
[   26.418158]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   26.422907]  ? kzfree+0x28/0x30
[   26.426167]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   26.431340]  __x64_sys_keyctl+0x12a/0x3b0
[   26.435486]  do_syscall_64+0x1b1/0x800
[   26.439355]  ? syscall_return_slowpath+0x5c0/0x5c0
[   26.444279]  ? syscall_return_slowpath+0x30f/0x5c0
[   26.449626]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   26.455146]  ? retint_user+0x18/0x18
[   26.458844]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   26.463686]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   26.468860] RIP: 0033:0x43ffa9
[   26.472038] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[   26.491213] RSP: 002b:00007fff4f463d78 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[   26.498907] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9
[   26.506158] RDX: 0000000020a53ffb RSI: 0000000020000100 RDI: 0000000000000017
[   26.513408] RBP: 00000000006ca018 R08: 0000000020c61fc8 R09: 00000000004002c8
[   26.520658] R10: 0000000000000053 R11: 0000000000000217 R12: 00000000004018d0
[   26.527907] R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000
[   26.535160] 
[   26.536765] Allocated by task 4514:
[   26.540376]  save_stack+0x43/0xd0
[   26.543806]  kasan_kmalloc+0xc4/0xe0
[   26.547498]  __kmalloc+0x14e/0x760
[   26.551028]  __keyctl_dh_compute+0xfe9/0x1bc0
[   26.555510]  keyctl_dh_compute+0xb9/0x100
[   26.559641]  __x64_sys_keyctl+0x12a/0x3b0
[   26.563783]  do_syscall_64+0x1b1/0x800
[   26.567652]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   26.572815] 
[   26.574422] Freed by task 0:
[   26.577413] (stack is not available)
[   26.581098] 
[   26.582707] The buggy address belongs to the object at ffff8801ae4953c0
[   26.582707]  which belongs to the cache kmalloc-128 of size 128
[   26.595350] The buggy address is located 0 bytes to the right of
[   26.595350]  128-byte region [ffff8801ae4953c0, ffff8801ae495440)
[   26.607549] The buggy address belongs to the page:
[   26.612460] page:ffffea0006b92540 count:1 mapcount:0 mapping:ffff8801da800640 index:0x0
[   26.620581] flags: 0x2fffc0000000100(slab)
[   26.624798] raw: 02fffc0000000100 ffffea0006b2fd08 ffffea0007646348 ffff8801da800640
[   26.632659] raw: 0000000000000000 ffff8801ae495000 0000000100000015 0000000000000000
[   26.640516] page dumped because: kasan: bad access detected
[   26.646198] 
[   26.647800] Memory state around the buggy address:
[   26.652709]  ffff8801ae495300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.660050]  ffff8801ae495380: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   26.667388] >ffff8801ae495400: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   26.674724]                                            ^
[   26.680154]  ffff8801ae495480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.687492]  ffff8801ae495500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   26.694827] ==================================================================
[   26.702158] Disabling lock debugging due to kernel taint
[   26.707882] Kernel panic - not syncing: panic_on_warn set ...
[   26.707882] 
[   26.715246] CPU: 0 PID: 4514 Comm: syz-executor501 Tainted: G    B            4.17.0+ #93
[   26.723623] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.732952] Call Trace:
[   26.735520]  dump_stack+0x1b9/0x294
[   26.739127]  ? dump_stack_print_info.cold.2+0x52/0x52
[   26.744296]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   26.749038]  ? sha512_finup+0x4b0/0x620
[   26.752991]  panic+0x22f/0x4de
[   26.756165]  ? add_taint.cold.5+0x16/0x16
[   26.760292]  ? do_raw_spin_unlock+0x9e/0x2e0
[   26.764679]  ? do_raw_spin_unlock+0x9e/0x2e0
[   26.769069]  ? sha512_finup+0x564/0x620
[   26.773030]  kasan_end_report+0x47/0x4f
[   26.776993]  kasan_report.cold.7+0x76/0x2fe
[   26.781297]  __asan_report_store8_noabort+0x17/0x20
[   26.786291]  sha512_finup+0x564/0x620
[   26.790071]  ? sha512_update+0x9f/0x260
[   26.794032]  sha512_avx2_final+0x28/0x30
[   26.798071]  crypto_shash_final+0x104/0x260
[   26.802369]  ? sha512_avx2_finup+0x40/0x40
[   26.806584]  __keyctl_dh_compute+0x1184/0x1bc0
[   26.811149]  ? copy_overflow+0x30/0x30
[   26.815025]  ? find_held_lock+0x36/0x1c0
[   26.819072]  ? lock_downgrade+0x8e0/0x8e0
[   26.823200]  ? check_same_owner+0x320/0x320
[   26.827501]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   26.833033]  ? handle_mm_fault+0x55a/0xc70
[   26.837250]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   26.842767]  ? _copy_from_user+0xdf/0x150
[   26.846896]  keyctl_dh_compute+0xb9/0x100
[   26.851029]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   26.855765]  ? kzfree+0x28/0x30
[   26.859031]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   26.864214]  __x64_sys_keyctl+0x12a/0x3b0
[   26.868343]  do_syscall_64+0x1b1/0x800
[   26.872207]  ? syscall_return_slowpath+0x5c0/0x5c0
[   26.877115]  ? syscall_return_slowpath+0x30f/0x5c0
[   26.882031]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   26.887546]  ? retint_user+0x18/0x18
[   26.891239]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   26.896060]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   26.901227] RIP: 0033:0x43ffa9
[   26.904401] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[   26.923517] RSP: 002b:00007fff4f463d78 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[   26.931200] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9
[   26.938446] RDX: 0000000020a53ffb RSI: 0000000020000100 RDI: 0000000000000017
[   26.945695] RBP: 00000000006ca018 R08: 0000000020c61fc8 R09: 00000000004002c8
[   26.952941] R10: 0000000000000053 R11: 0000000000000217 R12: 00000000004018d0
[   26.960198] R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000
[   26.967885] Dumping ftrace buffer:
[   26.971402]    (ftrace buffer empty)
[   26.975087] Kernel Offset: disabled
[   26.978694] Rebooting in 86400 seconds..
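The report above carries everything needed for a first triage pass, but it is spread over a register dump, an allocation stack and a KASAN object description. The script below is an added triage helper, not part of the syzkaller report or of any kernel tool: it pulls those pieces out of the log lines reproduced above and decodes them using two ABI facts that are not in the log itself, namely that syscall number 0xfa (250) on x86_64 is keyctl and that keyctl option 23 is KEYCTL_DH_COMPUTE, whose remaining arguments are (params, buffer, buflen, kdf) in the x86_64 argument registers RSI, RDX, R10 and R8. The sample input is a subset of the console log above; the function also accepts the whole log.

```python
import re

# Sample input: lines copied from the syzkaller console log above (the parser
# accepts the full log as well; only these lines are consulted).
REPORT = """\
[   26.279347] BUG: KASAN: slab-out-of-bounds in sha512_finup+0x564/0x620
[   26.286032] Write of size 8 at addr ffff8801ae495440 by task syz-executor501/4514
[   26.468860] RIP: 0033:0x43ffa9
[   26.491213] RSP: 002b:00007fff4f463d78 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[   26.498907] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9
[   26.506158] RDX: 0000000020a53ffb RSI: 0000000020000100 RDI: 0000000000000017
[   26.513408] RBP: 00000000006ca018 R08: 0000000020c61fc8 R09: 00000000004002c8
[   26.520658] R10: 0000000000000053 R11: 0000000000000217 R12: 00000000004018d0
[   26.536765] Allocated by task 4514:
[   26.540376]  save_stack+0x43/0xd0
[   26.543806]  kasan_kmalloc+0xc4/0xe0
[   26.547498]  __kmalloc+0x14e/0x760
[   26.551028]  __keyctl_dh_compute+0xfe9/0x1bc0
[   26.555510]  keyctl_dh_compute+0xb9/0x100
[   26.572815]
[   26.582707] The buggy address belongs to the object at ffff8801ae4953c0
[   26.582707]  which belongs to the cache kmalloc-128 of size 128
"""

# Only the table entries this report needs. Values are from the x86_64 syscall
# table (__NR_keyctl) and <linux/keyctl.h> (KEYCTL_DH_COMPUTE).
X86_64_SYSCALLS = {250: "keyctl"}
KEYCTL_OPTIONS = {23: "KEYCTL_DH_COMPUTE"}
# keyctl(KEYCTL_DH_COMPUTE, params, buffer, buflen, kdf): after the option in
# RDI, the x86_64 ABI passes the remaining arguments in RSI, RDX, R10, R8.
DH_COMPUTE_ARGS = ("params", "buffer", "buflen", "kdf")
ARG_REGS = ("RSI", "RDX", "R10", "R08")
# Frames in the "Allocated by" stack that belong to KASAN or the allocator,
# not to the code that owns the object.
ALLOC_HELPERS = ("save_stack", "kasan_kmalloc", "__kmalloc", "kmalloc", "kzalloc")


def strip_timestamps(text):
    """Drop the '[   26.279347] ' prefix printk puts on every line."""
    return re.sub(r"^\[\s*\d+\.\d+\] ?", "", text, flags=re.M)


def parse_registers(text):
    """Collect the 64-bit register dump into {name: value}."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"\b(ORIG_RAX|R[A-Z0-9]{2}):\s([0-9a-f]{16})\b", text)}


def decode_syscall(regs):
    """Identify the syscall from ORIG_RAX and name its arguments."""
    nr = regs["ORIG_RAX"]
    info = {"nr": nr, "name": X86_64_SYSCALLS.get(nr, "syscall_%d" % nr)}
    if info["name"] == "keyctl":
        option = regs["RDI"]
        info["option"] = KEYCTL_OPTIONS.get(option, "option_%d" % option)
        if option == 23:
            info["args"] = dict(zip(DH_COMPUTE_ARGS, (regs[r] for r in ARG_REGS)))
    return info


def allocation_site(text):
    """First frame of the 'Allocated by' stack outside KASAN/allocator code."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Allocated by task"):
            for frame in lines[i + 1:]:
                frame = frame.strip()
                if not frame:          # blank line ends the stack
                    break
                if not frame.startswith(ALLOC_HELPERS):
                    return frame
    return None


def parse_report(raw):
    """Summarise a KASAN slab report: bug, access, object bounds, syscall."""
    text = strip_timestamps(raw)
    bug = re.search(r"BUG: KASAN: (\S+) in (\S+)", text)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", text)
    obj = re.search(r"object at ([0-9a-f]+)\s+which belongs to the cache (\S+) of size (\d+)", text)
    if not (bug and acc and obj):
        raise ValueError("not a KASAN slab report")
    addr, size = int(acc.group(3), 16), int(acc.group(2))
    start, cache, objsize = int(obj.group(1), 16), obj.group(2), int(obj.group(3))
    offset = addr - start              # where the access begins, relative to the object
    return {
        "bug": bug.group(1),
        "where": bug.group(2),
        "access": (acc.group(1), size, addr),
        "task": (acc.group(4), int(acc.group(5))),
        "object": (start, cache, objsize),
        "offset_in_object": offset,
        # Distance from the object's end to the first accessed byte
        # (0 means the access starts exactly at the end of the object).
        "bytes_past_end": max(0, offset - objsize),
        "alloc_site": allocation_site(text),
        "syscall": decode_syscall(parse_registers(text)),
    }


if __name__ == "__main__":
    r = parse_report(REPORT)
    kind, size, addr = r["access"]
    start, cache, objsize = r["object"]
    print("%s in %s: %s of %d bytes at object+%d (%s, %d bytes), %d past end"
          % (r["bug"], r["where"], kind, size, r["offset_in_object"], cache,
             objsize, r["bytes_past_end"]))
    print("object allocated at", r["alloc_site"])
    s = r["syscall"]
    print("triggered by %s(%s, %s)" % (s["name"], s.get("option"),
          ", ".join("%s=%#x" % kv for kv in s.get("args", {}).items())))
```

For this log the helper confirms what the KASAN text states in words: an 8-byte write by the SHA-512 finalisation starts at offset 128 of a 128-byte kmalloc-128 object allocated in __keyctl_dh_compute, that is, at the first byte past its end, and the user-space side was keyctl(KEYCTL_DH_COMPUTE, params=0x20000100, buffer=0x20a53ffb, buflen=0x53, kdf=0x20c61fc8), so the KDF path of the DH computation was in use. Which allocation is undersized, and why, cannot be read from the log; that needs the 4.17 source at the offsets shown.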