[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   19.896981] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.690660] random: sshd: uninitialized urandom read (32 bytes read)
[   23.983308] random: sshd: uninitialized urandom read (32 bytes read)
[   24.749862] random: sshd: uninitialized urandom read (32 bytes read)
[   24.909998] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.29' (ECDSA) to the list of known hosts.
[   30.451909] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   30.545802] ==================================================================
[   30.553246] BUG: KASAN: slab-out-of-bounds in sha1_final+0x283/0x2e0
[   30.559724] Write of size 4 at addr ffff8801d708f958 by task syz-executor062/4535
[   30.567319] 
[   30.568930] CPU: 1 PID: 4535 Comm: syz-executor062 Not tainted 4.17.0+ #89
[   30.575916] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.585243] Call Trace:
[   30.587816]  dump_stack+0x1b9/0x294
[   30.591424]  ? dump_stack_print_info.cold.2+0x52/0x52
[   30.596591]  ? printk+0x9e/0xba
[   30.599851]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   30.604588]  ? kasan_check_write+0x14/0x20
[   30.608806]  print_address_description+0x6c/0x20b
[   30.613629]  ? sha1_final+0x283/0x2e0
[   30.617408]  kasan_report.cold.7+0x242/0x2fe
[   30.621797]  __asan_report_store4_noabort+0x17/0x20
[   30.626794]  sha1_final+0x283/0x2e0
[   30.630403]  crypto_shash_final+0x104/0x260
[   30.634704]  ? sha1_generic_block_fn+0x100/0x100
[   30.639441]  __keyctl_dh_compute+0x1184/0x1bc0
[   30.644009]  ? copy_overflow+0x30/0x30
[   30.647880]  ? find_held_lock+0x36/0x1c0
[   30.651923]  ? lock_downgrade+0x8e0/0x8e0
[   30.656070]  ? check_same_owner+0x320/0x320
[   30.660382]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   30.665906]  ? handle_mm_fault+0x55a/0xc70
[   30.670134]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   30.675649]  ? _copy_from_user+0xdf/0x150
[   30.679810]  keyctl_dh_compute+0xb9/0x100
[   30.683953]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   30.688692]  ? kzfree+0x28/0x30
[   30.691961]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   30.697142]  __x64_sys_keyctl+0x12a/0x3b0
[   30.701281]  do_syscall_64+0x1b1/0x800
[   30.705150]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   30.709971]  ? syscall_return_slowpath+0x5c0/0x5c0
[   30.714890]  ? syscall_return_slowpath+0x30f/0x5c0
[   30.719799]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.725317]  ? retint_user+0x18/0x18
[   30.729018]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.733864]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.739033] RIP: 0033:0x43ffa9
[   30.742201] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[   30.761368] RSP: 002b:00007ffea3065eb8 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[   30.769063] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9
[   30.776310] RDX: 0000000020a53ffb RSI: 0000000020000100 RDI: 0000000000000017
[   30.783557] RBP: 00000000006ca018 R08: 0000000020000140 R09: 00000000004002c8
[   30.790801] R10: 0000000000000005 R11: 0000000000000217 R12: 00000000004018d0
[   30.798049] R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000
[   30.805300] 
[   30.806904] Allocated by task 4535:
[   30.810513]  save_stack+0x43/0xd0
[   30.813942]  kasan_kmalloc+0xc4/0xe0
[   30.817632]  __kmalloc+0x14e/0x760
[   30.821151]  __keyctl_dh_compute+0xfe9/0x1bc0
[   30.825622]  keyctl_dh_compute+0xb9/0x100
[   30.829746]  __x64_sys_keyctl+0x12a/0x3b0
[   30.833873]  do_syscall_64+0x1b1/0x800
[   30.837739]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.842898] 
[   30.844500] Freed by task 2883:
[   30.847757]  save_stack+0x43/0xd0
[   30.851187]  __kasan_slab_free+0x11a/0x170
[   30.855400]  kasan_slab_free+0xe/0x10
[   30.859179]  kfree+0xd9/0x260
[   30.862263]  single_release+0x8f/0xb0
[   30.866042]  __fput+0x353/0x890
[   30.869304]  ____fput+0x15/0x20
[   30.872568]  task_work_run+0x1e4/0x290
[   30.876433]  exit_to_usermode_loop+0x2bd/0x310
[   30.880993]  do_syscall_64+0x6ac/0x800
[   30.884864]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.890030] 
[   30.891637] The buggy address belongs to the object at ffff8801d708f940
[   30.891637]  which belongs to the cache kmalloc-32 of size 32
[   30.904111] The buggy address is located 24 bytes inside of
[   30.904111]  32-byte region [ffff8801d708f940, ffff8801d708f960)
[   30.915796] The buggy address belongs to the page:
[   30.920708] page:ffffea00075c23c0 count:1 mapcount:0 mapping:ffff8801d708f000 index:0xffff8801d708ffc1
[   30.930134] flags: 0x2fffc0000000100(slab)
[   30.934351] raw: 02fffc0000000100 ffff8801d708f000 ffff8801d708ffc1 0000000100000034
[   30.942211] raw: ffffea00075c1420 ffffea00075c1520 ffff8801da8001c0 0000000000000000
[   30.950064] page dumped because: kasan: bad access detected
[   30.955747] 
[   30.957349] Memory state around the buggy address:
[   30.962261]  ffff8801d708f800: 00 00 00 00 fc fc fc fc 00 fc fc fc fc fc fc fc
[   30.969597]  ffff8801d708f880: 00 00 00 00 fc fc fc fc 00 00 00 fc fc fc fc fc
[   30.976932] >ffff8801d708f900: fb fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   30.984270]                                                     ^
[   30.990474]  ffff8801d708f980: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   30.997815]  ffff8801d708fa00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   31.005147] ==================================================================
[   31.012480] Disabling lock debugging due to kernel taint
[   31.017992] Kernel panic - not syncing: panic_on_warn set ...
[   31.017992] 
[   31.025358] CPU: 1 PID: 4535 Comm: syz-executor062 Tainted: G B 4.17.0+ #89
[   31.033733] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.043058] Call Trace:
[   31.045627]  dump_stack+0x1b9/0x294
[   31.049231]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.054399]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   31.059134]  ? sha1_final+0x270/0x2e0
[   31.062914]  panic+0x22f/0x4de
[   31.066084]  ? add_taint.cold.5+0x16/0x16
[   31.070211]  ? do_raw_spin_unlock+0x9e/0x2e0
[   31.074593]  ? do_raw_spin_unlock+0x9e/0x2e0
[   31.078977]  ? sha1_final+0x283/0x2e0
[   31.082754]  kasan_end_report+0x47/0x4f
[   31.086704]  kasan_report.cold.7+0x76/0x2fe
[   31.091006]  __asan_report_store4_noabort+0x17/0x20
[   31.096019]  sha1_final+0x283/0x2e0
[   31.099628]  crypto_shash_final+0x104/0x260
[   31.103941]  ? sha1_generic_block_fn+0x100/0x100
[   31.108677]  __keyctl_dh_compute+0x1184/0x1bc0
[   31.113245]  ? copy_overflow+0x30/0x30
[   31.117117]  ? find_held_lock+0x36/0x1c0
[   31.121157]  ? lock_downgrade+0x8e0/0x8e0
[   31.125283]  ? check_same_owner+0x320/0x320
[   31.129590]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   31.135104]  ? handle_mm_fault+0x55a/0xc70
[   31.139318]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.144838]  ? _copy_from_user+0xdf/0x150
[   31.148966]  keyctl_dh_compute+0xb9/0x100
[   31.153091]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   31.157824]  ? kzfree+0x28/0x30
[   31.161081]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   31.166248]  __x64_sys_keyctl+0x12a/0x3b0
[   31.170373]  do_syscall_64+0x1b1/0x800
[   31.174235]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   31.179054]  ? syscall_return_slowpath+0x5c0/0x5c0
[   31.183961]  ? syscall_return_slowpath+0x30f/0x5c0
[   31.188873]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.194396]  ? retint_user+0x18/0x18
[   31.198102]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.202931]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.208096] RIP: 0033:0x43ffa9
[   31.211261] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[   31.230378] RSP: 002b:00007ffea3065eb8 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[   31.238064] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9
[   31.245308] RDX: 0000000020a53ffb RSI: 0000000020000100 RDI: 0000000000000017
[   31.252552] RBP: 00000000006ca018 R08: 0000000020000140 R09: 00000000004002c8
[   31.259804] R10: 0000000000000005 R11: 0000000000000217 R12: 00000000004018d0
[   31.267052] R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000
[   31.274799] Dumping ftrace buffer:
[   31.278312]    (ftrace buffer empty)
[   31.281998] Kernel Offset: disabled
[   31.285600] Rebooting in 86400 seconds..