binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:344 [inline]
BUG: KASAN: slab-out-of-bounds in sha3_update+0xdf/0x2e0 crypto/sha3_generic.c:161
Write of size 286 at addr ffff8801c3a8543c by task syz-executor4/12136

CPU: 1 PID: 12136 Comm: syz-executor4 Not tainted 4.15.0-rc7+ #167
BUG: unable to handle kernel paging request at ffff8801cdd3e000
IP: memset_erms+0x9/0x10 arch/x86/lib/memset_64.S:65
PGD 88f9067 P4D 88f9067 PUD 1d98fa063 PMD 1cdd3d063 PTE 0
Oops: 0002 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 12147 Comm: syz-executor4 Not tainted 4.15.0-rc7+ #167
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:memset_erms+0x9/0x10 arch/x86/lib/memset_64.S:65
RSP: 0018:ffff8801cac7f7e0 EFLAGS: 00010296
RAX: 0000000000000000 RBX: ffff8801cc01ec1b RCX: 00000000fe2e0af8
RDX: 00000000fffffedd RSI: 0000000000000000 RDI: ffff8801cdd3e000
RBP: ffff8801cac7f800 R08: ffffed0039803d83 R09: ffff8801cc01ec1b
R10: 0000000000000005 R11: ffffed0059803d5e R12: 00000000fffffedd
R13: 0000000000000000 R14: 0000000000000123 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8801db200000(0063) knlGS:00000000f772fb40
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: ffff8801cdd3e000 CR3: 00000001d7c8a003 CR4: 00000000001606f0
Call Trace:
 memset include/linux/string.h:329 [inline]
 sha3_final+0xeb/0x2e0 crypto/sha3_generic.c:173
 crypto_shash_final+0xe2/0x220 crypto/shash.c:145
 hmac_final+0x16c/0x2b0 crypto/hmac.c:135
 crypto_shash_final+0xe2/0x220 crypto/shash.c:145
 kdf_ctr security/keys/dh.c:196 [inline]
 keyctl_dh_compute_kdf security/keys/dh.c:226 [inline]
 __keyctl_dh_compute+0x151e/0x1990 security/keys/dh.c:398
 compat_keyctl_dh_compute+0x2bb/0x3e0 security/keys/compat_dh.c:39
 C_SYSC_keyctl security/keys/compat.c:136 [inline]
 compat_SyS_keyctl+0x72/0x2c0 security/keys/compat.c:59
 do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
 do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
 entry_SYSENTER_compat+0x54/0x63 arch/x86/entry/entry_64_compat.S:129
RIP: 0023:0xf7f54c79
RSP: 002b:00000000f772f08c EFLAGS: 00000296 ORIG_RAX: 0000000000000120
RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000020f6dff4
RDX: 00000000200d2f74 RSI: 000000000000008c RDI: 000000002073dfd4
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Code: 48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 f3 48 ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1 aa 4c 89 c8 c3 90 49 89 fa 40 0f b6 ce 48 b8 01 01 01 01 01
RIP: memset_erms+0x9/0x10 arch/x86/lib/memset_64.S:65 RSP: ffff8801cac7f7e0
CR2: ffff8801cdd3e000
---[ end trace 54d10174bd51da82 ]---