================================================================== BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:344 [inline] BUG: KASAN: slab-out-of-bounds in sha3_update+0xdf/0x2e0 crypto/sha3_generic.c:161 Write of size 300 at addr ffff8801c34693fc by task syz-executor3/12335 CPU: 0 PID: 12335 Comm: syz-executor3 Not tainted 4.15.0-rc4-mm1+ #49 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 print_address_description+0x73/0x250 mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:355 [inline] kasan_report+0x23b/0x360 mm/kasan/report.c:413 check_memory_region_inline mm/kasan/kasan.c:260 [inline] check_memory_region+0x137/0x190 mm/kasan/kasan.c:267 memcpy+0x37/0x50 mm/kasan/kasan.c:303 memcpy include/linux/string.h:344 [inline] sha3_update+0xdf/0x2e0 crypto/sha3_generic.c:161 crypto_shash_update+0xda/0x240 crypto/shash.c:110 hmac_update+0x7e/0xa0 crypto/hmac.c:122 crypto_shash_update+0xda/0x240 crypto/shash.c:110 kdf_ctr security/keys/dh.c:181 [inline] keyctl_dh_compute_kdf security/keys/dh.c:226 [inline] __keyctl_dh_compute+0x160f/0x1990 security/keys/dh.c:398 keyctl_dh_compute+0xac/0xf3 security/keys/dh.c:434 SYSC_keyctl security/keys/keyctl.c:1741 [inline] SyS_keyctl+0x72/0x2c0 security/keys/keyctl.c:1637 entry_SYSCALL_64_fastpath+0x1f/0x96 RIP: 0033:0x452ac9 RSP: 002b:00007ff1a06e3c58 EFLAGS: 00000212 ORIG_RAX: 00000000000000fa RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452ac9 RDX: 0000000020a2bfae RSI: 00000000209fa000 RDI: 0000000000000017 RBP: 000000000000039b R08: 000000002072afc8 R09: 0000000000000000 R10: 0000000000000052 R11: 0000000000000212 R12: 00000000006f2728 R13: 00000000ffffffff R14: 00007ff1a06e46d4 R15: 0000000000000000 Allocated by task 12335: save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551 __do_kmalloc mm/slab.c:3705 [inline] __kmalloc+0x162/0x760 mm/slab.c:3714 kmalloc include/linux/slab.h:521 [inline] kdf_alloc security/keys/dh.c:111 [inline] __keyctl_dh_compute+0x2b0/0x1990 security/keys/dh.c:288 keyctl_dh_compute+0xac/0xf3 security/keys/dh.c:434 SYSC_keyctl security/keys/keyctl.c:1741 [inline] SyS_keyctl+0x72/0x2c0 security/keys/keyctl.c:1637 entry_SYSCALL_64_fastpath+0x1f/0x96 Freed by task 3127: save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524 __cache_free mm/slab.c:3485 [inline] kfree+0xd6/0x260 mm/slab.c:3800 kernfs_fop_release+0x13f/0x180 fs/kernfs/file.c:783 __fput+0x327/0x7e0 fs/file_table.c:209 ____fput+0x15/0x20 fs/file_table.c:243 task_work_run+0x199/0x270 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:191 [inline] exit_to_usermode_loop+0x275/0x2f0 arch/x86/entry/common.c:165 prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline] syscall_return_slowpath+0x490/0x550 arch/x86/entry/common.c:264 entry_SYSCALL_64_fastpath+0x94/0x96 The buggy address belongs to the object at ffff8801c3469300 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 252 bytes inside of 512-byte region [ffff8801c3469300, ffff8801c3469500) The buggy address belongs to the page: page:ffffea00070d1a40 count:1 mapcount:0 mapping:ffff8801c3469080 index:0x0 flags: 0x2fffc0000000100(slab) raw: 02fffc0000000100 ffff8801c3469080 0000000000000000 0000000100000006 raw: ffffea00070ece60 ffffea00070c3ea0 ffff8801dac00940 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801c3469380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8801c3469400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8801c3469480: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8801c3469500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801c3469580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================