[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   23.056476] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   26.566821] random: sshd: uninitialized urandom read (32 bytes read)
[   27.001478] random: sshd: uninitialized urandom read (32 bytes read)
[   27.725445] random: sshd: uninitialized urandom read (32 bytes read)
[   27.880475] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.50' (ECDSA) to the list of known hosts.
[   33.367805] random: sshd: uninitialized urandom read (32 bytes read)
2018/05/01 15:30:42 parsed 1 programs
2018/05/01 15:30:42 executed programs: 0
[   33.826341] IPVS: ftp: loaded support on port[0] = 21
[   33.870209] ==================================================================
[   33.877680] BUG: KASAN: slab-out-of-bounds in __sctp_v6_cmp_addr+0x4c7/0x530
[   33.884849] Read of size 8 at addr ffff8801d70aa020 by task syz-executor0/4563
[   33.892182] 
[   33.893794] CPU: 0 PID: 4563 Comm: syz-executor0 Not tainted 4.17.0-rc3+ #52
[   33.900957] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.910295] Call Trace:
[   33.912867]  dump_stack+0x1b9/0x294
[   33.916475]  ? dump_stack_print_info.cold.2+0x52/0x52
[   33.921643]  ? printk+0x9e/0xba
[   33.924903]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   33.929669]  ? kasan_check_write+0x14/0x20
[   33.933883]  print_address_description+0x6c/0x20b
[   33.938705]  ? __sctp_v6_cmp_addr+0x4c7/0x530
[   33.943179]  kasan_report.cold.7+0x242/0x2fe
[   33.947569]  __asan_report_load8_noabort+0x14/0x20
[   33.952480]  __sctp_v6_cmp_addr+0x4c7/0x530
[   33.956781]  sctp_inet6_cmp_addr+0x169/0x1a0
[   33.961172]  sctp_bind_addr_match+0x20b/0x400
[   33.965648]  ? sctp_bind_addrs_to_raw+0x370/0x370
[   33.970474]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   33.975989]  ? sctp_v4_available+0x1b1/0x200
[   33.980378]  ? sctp_inet6_bind_verify+0xb2/0x500
[   33.985111]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   33.990626]  sctp_do_bind+0x1c0/0x5f0
[   33.994410]  sctp_bindx_add+0x90/0x1a0
[   33.998279]  sctp_setsockopt_bindx+0x2ad/0x320
[   34.002841]  sctp_setsockopt+0x12c4/0x7000
[   34.007057]  ? graph_lock+0x170/0x170
[   34.010839]  ? sctp_setsockopt_paddr_thresholds+0x560/0x560
[   34.016546]  ? print_usage_bug+0xc0/0xc0
[   34.020585]  ? mark_held_locks+0xc9/0x160
[   34.024720]  ? page_add_new_anon_rmap+0x3ff/0x850
[   34.029546]  ? find_held_lock+0x36/0x1c0
[   34.033595]  ? __lock_acquire+0x7f5/0x5140
[   34.037808]  ? pudp_huge_clear_flush+0x230/0x230
[   34.042544]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   34.047716]  ? debug_check_no_locks_freed+0x310/0x310
[   34.052888]  ? get_futex_key+0x1e90/0x1e90
[   34.057103]  ? do_huge_pmd_anonymous_page+0x48d/0x1cc0
[   34.062361]  ? __thp_get_unmapped_area+0x180/0x180
[   34.067274]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   34.072463]  ? do_futex+0x249/0x27d0
[   34.076156]  ? find_held_lock+0x36/0x1c0
[   34.080198]  ? graph_lock+0x170/0x170
[   34.083979]  ? exit_robust_list+0x290/0x290
[   34.088281]  ? kasan_check_read+0x11/0x20
[   34.092418]  ? find_held_lock+0x36/0x1c0
[   34.096462]  ? lock_downgrade+0x8e0/0x8e0
[   34.100591]  ? kasan_check_read+0x11/0x20
[   34.104718]  ? rcu_is_watching+0x85/0x140
[   34.108845]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   34.114019]  ? __fget+0x40c/0x650
[   34.117456]  ? expand_files.part.8+0x9a0/0x9a0
[   34.122017]  ? lock_downgrade+0x8e0/0x8e0
[   34.126320]  ? handle_mm_fault+0x8c0/0xc70
[   34.130544]  compat_sock_common_setsockopt+0x10c/0x150
[   34.135807]  ? sock_common_setsockopt+0xe0/0xe0
[   34.140456]  __compat_sys_setsockopt+0x1ab/0x7c0
[   34.145192]  ? __compat_sys_getsockopt+0x7f0/0x7f0
[   34.150104]  ? __x32_compat_sys_get_robust_list+0x430/0x430
[   34.155797]  ? mm_fault_error+0x380/0x380
[   34.159927]  __ia32_compat_sys_setsockopt+0xbd/0x150
[   34.165010]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   34.170006]  do_fast_syscall_32+0x345/0xf9b
[   34.174309]  ? do_int80_syscall_32+0x880/0x880
[   34.178868]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   34.183604]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.189120]  ? syscall_return_slowpath+0x30f/0x5c0
[   34.194034]  ? sysret32_from_system_call+0x5/0x46
[   34.199031]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.203941]  entry_SYSENTER_compat+0x70/0x7f
[   34.208332] RIP: 0023:0xf7f7ecb9
[   34.211675] RSP: 002b:00000000ff8668fc EFLAGS: 00000286 ORIG_RAX: 000000000000016e
[   34.219375] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000084
[   34.226622] RDX: 0000000000000064 RSI: 0000000020d24000 RDI: 0000000000000020
[   34.233870] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   34.241128] R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
[   34.248376] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   34.256602] 
[   34.258213] Allocated by task 4563:
[   34.261819]  save_stack+0x43/0xd0
[   34.265249]  kasan_kmalloc+0xc4/0xe0
[   34.268955]  __kmalloc_node+0x47/0x70
[   34.272735]  kvmalloc_node+0x6b/0x100
[   34.276521]  vmemdup_user+0x2d/0xa0
[   34.280132]  sctp_setsockopt_bindx+0x5d/0x320
[   34.284601]  sctp_setsockopt+0x12c4/0x7000
[   34.288814]  compat_sock_common_setsockopt+0x10c/0x150
[   34.294072]  __compat_sys_setsockopt+0x1ab/0x7c0
[   34.298807]  __ia32_compat_sys_setsockopt+0xbd/0x150
[   34.303889]  do_fast_syscall_32+0x345/0xf9b
[   34.308188]  entry_SYSENTER_compat+0x70/0x7f
[   34.312567] 
[   34.314172] Freed by task 2860:
[   34.317440]  save_stack+0x43/0xd0
[   34.320877]  __kasan_slab_free+0x11a/0x170
[   34.325096]  kasan_slab_free+0xe/0x10
[   34.328894]  kfree+0xd9/0x260
[   34.331980]  single_release+0x8f/0xb0
[   34.335758]  __fput+0x34d/0x890
[   34.339014]  ____fput+0x15/0x20
[   34.342274]  task_work_run+0x1e4/0x290
[   34.346152]  exit_to_usermode_loop+0x2bd/0x310
[   34.350714]  do_syscall_64+0x6ac/0x800
[   34.354580]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.359743] 
[   34.361348] The buggy address belongs to the object at ffff8801d70aa000
[   34.361348]  which belongs to the cache kmalloc-32 of size 32
[   34.373819] The buggy address is located 0 bytes to the right of
[   34.373819]  32-byte region [ffff8801d70aa000, ffff8801d70aa020)
[   34.385933] The buggy address belongs to the page:
[   34.390843] page:ffffea00075c2a80 count:1 mapcount:0 mapping:ffff8801d70aa000 index:0xffff8801d70aafc1
[   34.400266] flags: 0x2fffc0000000100(slab)
[   34.404479] raw: 02fffc0000000100 ffff8801d70aa000 ffff8801d70aafc1 000000010000003f
[   34.412339] raw: ffffea00075c29a0 ffffea00075c2ba0 ffff8801da8001c0 0000000000000000
[   34.420195] page dumped because: kasan: bad access detected
[   34.425964] 
[   34.427565] Memory state around the buggy address:
[   34.432469]  ffff8801d70a9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   34.439803]  ffff8801d70a9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.447147] >ffff8801d70aa000: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc
[   34.454479]                                ^
[   34.458863]  ffff8801d70aa080: fb fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   34.466197]  ffff8801d70aa100: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   34.473536] ==================================================================
[   34.480870] Disabling lock debugging due to kernel taint
[   34.486361] Kernel panic - not syncing: panic_on_warn set ...
[   34.486361] 
[   34.493713] CPU: 0 PID: 4563 Comm: syz-executor0 Tainted: G    B             4.17.0-rc3+ #52
[   34.502270] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.511597] Call Trace:
[   34.514171]  dump_stack+0x1b9/0x294
[   34.517773]  ? dump_stack_print_info.cold.2+0x52/0x52
[   34.522942]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   34.527681]  ? __sctp_v6_cmp_addr+0x3f0/0x530
[   34.532152]  panic+0x22f/0x4de
[   34.535322]  ? add_taint.cold.5+0x16/0x16
[   34.539451]  ? do_raw_spin_unlock+0x9e/0x2e0
[   34.543837]  ? do_raw_spin_unlock+0x9e/0x2e0
[   34.548223]  ? __sctp_v6_cmp_addr+0x4c7/0x530
[   34.552695]  kasan_end_report+0x47/0x4f
[   34.556643]  kasan_report.cold.7+0x76/0x2fe
[   34.560944]  __asan_report_load8_noabort+0x14/0x20
[   34.565849]  __sctp_v6_cmp_addr+0x4c7/0x530
[   34.570148]  sctp_inet6_cmp_addr+0x169/0x1a0
[   34.574535]  sctp_bind_addr_match+0x20b/0x400
[   34.579009]  ? sctp_bind_addrs_to_raw+0x370/0x370
[   34.583832]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   34.589347]  ? sctp_v4_available+0x1b1/0x200
[   34.593732]  ? sctp_inet6_bind_verify+0xb2/0x500
[   34.598462]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   34.603975]  sctp_do_bind+0x1c0/0x5f0
[   34.607752]  sctp_bindx_add+0x90/0x1a0
[   34.611616]  sctp_setsockopt_bindx+0x2ad/0x320
[   34.616173]  sctp_setsockopt+0x12c4/0x7000
[   34.620382]  ? graph_lock+0x170/0x170
[   34.624161]  ? sctp_setsockopt_paddr_thresholds+0x560/0x560
[   34.629847]  ? print_usage_bug+0xc0/0xc0
[   34.633885]  ? mark_held_locks+0xc9/0x160
[   34.638014]  ? page_add_new_anon_rmap+0x3ff/0x850
[   34.642833]  ? find_held_lock+0x36/0x1c0
[   34.646872]  ? __lock_acquire+0x7f5/0x5140
[   34.651083]  ? pudp_huge_clear_flush+0x230/0x230
[   34.655821]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   34.660992]  ? debug_check_no_locks_freed+0x310/0x310
[   34.666163]  ? get_futex_key+0x1e90/0x1e90
[   34.670374]  ? do_huge_pmd_anonymous_page+0x48d/0x1cc0
[   34.675629]  ? __thp_get_unmapped_area+0x180/0x180
[   34.680537]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   34.685703]  ? do_futex+0x249/0x27d0
[   34.689397]  ? find_held_lock+0x36/0x1c0
[   34.693444]  ? graph_lock+0x170/0x170
[   34.697224]  ? exit_robust_list+0x290/0x290
[   34.701522]  ? kasan_check_read+0x11/0x20
[   34.705646]  ? find_held_lock+0x36/0x1c0
[   34.709688]  ? lock_downgrade+0x8e0/0x8e0
[   34.713817]  ? kasan_check_read+0x11/0x20
[   34.717943]  ? rcu_is_watching+0x85/0x140
[   34.722067]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   34.727234]  ? __fget+0x40c/0x650
[   34.730667]  ? expand_files.part.8+0x9a0/0x9a0
[   34.735226]  ? lock_downgrade+0x8e0/0x8e0
[   34.739352]  ? handle_mm_fault+0x8c0/0xc70
[   34.743565]  compat_sock_common_setsockopt+0x10c/0x150
[   34.748819]  ? sock_common_setsockopt+0xe0/0xe0
[   34.753465]  __compat_sys_setsockopt+0x1ab/0x7c0
[   34.758199]  ? __compat_sys_getsockopt+0x7f0/0x7f0
[   34.763106]  ? __x32_compat_sys_get_robust_list+0x430/0x430
[   34.768793]  ? mm_fault_error+0x380/0x380
[   34.772920]  __ia32_compat_sys_setsockopt+0xbd/0x150
[   34.778001]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   34.782994]  do_fast_syscall_32+0x345/0xf9b
[   34.787293]  ? do_int80_syscall_32+0x880/0x880
[   34.791853]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   34.796588]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.802274]  ? syscall_return_slowpath+0x30f/0x5c0
[   34.807182]  ? sysret32_from_system_call+0x5/0x46
[   34.812000]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.816820]  entry_SYSENTER_compat+0x70/0x7f
[   34.821204] RIP: 0023:0xf7f7ecb9
[   34.824541] RSP: 002b:00000000ff8668fc EFLAGS: 00000286 ORIG_RAX: 000000000000016e
[   34.832226] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000084
[   34.839472] RDX: 0000000000000064 RSI: 0000000020d24000 RDI: 0000000000000020
[   34.846720] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   34.853965] R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
[   34.861210] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   34.868830] Dumping ftrace buffer:
[   34.872351]    (ftrace buffer empty)
[   34.876035] Kernel Offset: disabled
[   34.879638] Rebooting in 86400 seconds..