random: sshd: uninitialized urandom read (32 bytes read, 112 bits of entropy available) ================================================================== BUG: KASAN: slab-out-of-bounds in pfkey_msg2xfrm_state net/key/af_key.c:1219 [inline] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x13b4/0x3d80 net/key/af_key.c:1498 Read of size 8192 at addr ffff8800b406ef18 by task syzkaller774360/3309 CPU: 1 PID: 3309 Comm: syzkaller774360 Not tainted 4.4.105-gdcfa5fe #7 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 bb3b4e73cdf88247 ffff8800b477f768 ffffffff81cc90ef ffffea0002d01b80 ffff8800b406ef18 ffff8800b477f7a0 ffffffff814d9e03 ffff8800b406ef18 0000000000002000 0000000000000000 ffff8800b406f100 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf lib/dump_stack.c:51 [] print_address_description+0x73/0x260 mm/kasan/report.c:252 [] kasan_report_error mm/kasan/report.c:351 [inline] [] kasan_report+0x285/0x370 mm/kasan/report.c:408 [] check_memory_region_inline mm/kasan/kasan.c:325 [inline] [] check_memory_region+0x137/0x190 mm/kasan/kasan.c:332 [] memcpy+0x23/0x50 mm/kasan/kasan.c:367 [] pfkey_msg2xfrm_state net/key/af_key.c:1219 [inline] [] pfkey_add+0x13b4/0x3d80 net/key/af_key.c:1498 [] pfkey_process+0x58d/0x900 net/key/af_key.c:2826 [] pfkey_sendmsg+0x35b/0x6c0 net/key/af_key.c:3670 [] sock_sendmsg_nosec net/socket.c:625 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:635 [] ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961 [] __sys_sendmsg+0xc3/0x160 net/socket.c:1995 [] SYSC_sendmsg net/socket.c:2006 [inline] [] SyS_sendmsg+0xd/0x20 net/socket.c:2002 [] entry_SYSCALL_64_fastpath+0x16/0x76 Allocated by task 3309: [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63 [] save_stack+0x43/0xd0 mm/kasan/kasan.c:512 [] set_track mm/kasan/kasan.c:524 [inline] [] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:616 [] kasan_krealloc+0x64/0x80 mm/kasan/kasan.c:654 [] ksize+0x92/0xf0 mm/slub.c:3727 [] __alloc_skb+0x10d/0x610 net/core/skbuff.c:237 [] alloc_skb include/linux/skbuff.h:815 [inline] [] pfkey_sendmsg+0x10f/0x6c0 net/key/af_key.c:3657 [] sock_sendmsg_nosec net/socket.c:625 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:635 [] ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961 [] __sys_sendmsg+0xc3/0x160 net/socket.c:1995 [] SYSC_sendmsg net/socket.c:2006 [inline] [] SyS_sendmsg+0xd/0x20 net/socket.c:2002 [] entry_SYSCALL_64_fastpath+0x16/0x76 Freed by task 0: (stack is not available) The buggy address belongs to the object at ffff8800b406ef00 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 24 bytes inside of 512-byte region [ffff8800b406ef00, ffff8800b406f100) The buggy address belongs to the page: kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.4.105-gdcfa5fe #7 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffffffff84214840 task.stack: ffffffff84200000 RIP: 0010:[] [] __rb_insert lib/rbtree.c:118 [inline] RIP: 0010:[] [] rb_insert_color+0x7b/0xcb0 lib/rbtree.c:420 RSP: 0018:ffff8801db407d10 EFLAGS: 00010006 RAX: 4000000000004088 RBX: 4000000000004080 RCX: 4000000000004080 RDX: 0800000000000811 RSI: ffff8801db416f10 RDI: ffff8801db417440 RBP: ffff8801db407d58 R08: 0000000000000001 R09: ffffffff850c0090 R10: 0000000000000001 R11: 1ffff1003b680f86 R12: ffffea0002d01b80 R13: ffff8801db417440 R14: ffff8801db417440 R15: dffffc0000000000 FS: 0000000000000000(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055df2c64b110 CR3: 00000000b6cfc000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Stack: ffffffff842b7580 ffffffff842150b0 0000000000000000 ffff8801db407d68 0000000000000000 ffffea0002d01b88 ffff8801db417440 dffffc0000000000 ffffea0002d01b80 ffff8801db407da8 ffffffff81ce5f0b ffff8801db407d90 Call Trace: [] timerqueue_add+0x12b/0x2f0 lib/timerqueue.c:57 [] enqueue_hrtimer+0x14e/0x3e0 kernel/time/hrtimer.c:890 [] __run_hrtimer kernel/time/hrtimer.c:1268 [inline] [] __hrtimer_run_queues+0x669/0xe60 kernel/time/hrtimer.c:1317 [] hrtimer_interrupt+0x191/0x440 kernel/time/hrtimer.c:1351 [] local_apic_timer_interrupt+0x6a/0xb0 arch/x86/kernel/apic/apic.c:901 [] smp_apic_timer_interrupt+0x76/0xa0 arch/x86/kernel/apic/apic.c:925 [] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:695 [] arch_safe_halt arch/x86/include/asm/paravirt.h:117 [inline] [] default_idle+0x55/0x3c0 arch/x86/kernel/process.c:291 [] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:282 [] default_idle_call+0x48/0x70 kernel/sched/idle.c:93 [] cpuidle_idle_call kernel/sched/idle.c:157 [inline] [] cpu_idle_loop kernel/sched/idle.c:253 [inline] [] cpu_startup_entry+0x605/0x820 kernel/sched/idle.c:301 [] rest_init+0x152/0x160 init/main.c:409 [] start_kernel+0x638/0x66d init/main.c:680 [] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:196 [] x86_64_start_kernel+0x140/0x163 arch/x86/kernel/head64.c:185 Code: 0f 85 06 0a 00 00 49 bf 00 00 00 00 00 fc ff df 49 8b 1c 24 f6 c3 01 0f 85 9a 01 00 00 48 8d 43 08 48 89 d9 48 89 c2 48 c1 ea 03 <42> 80 3c 3a 00 0f 85 94 09 00 00 4c 8b 6b 08 4d 39 e5 0f 84 b0 RIP [] __rb_insert lib/rbtree.c:118 [inline] RIP [] rb_insert_color+0x7b/0xcb0 lib/rbtree.c:420 RSP ---[ end trace e77cb595cc83c6e4 ]---