[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 21.035830] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 24.678222] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.078288] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.920448] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.080295] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.22' (ECDSA) to the list of known hosts.
[ 31.545514] random: sshd: uninitialized urandom read (32 bytes read)
2018/06/07 15:29:43 parsed 1 programs
[ 32.823883] random: cc1: uninitialized urandom read (8 bytes read)
2018/06/07 15:29:45 executed programs: 0
[ 34.018297] IPVS: ftp: loaded support on port[0] = 21
[ 34.144921] bridge0: port 1(bridge_slave_0) entered blocking state
[ 34.151400] bridge0: port 1(bridge_slave_0) entered disabled state
[ 34.158824] device bridge_slave_0 entered promiscuous mode
[ 34.176390] bridge0: port 2(bridge_slave_1) entered blocking state
[ 34.182783] bridge0: port 2(bridge_slave_1) entered disabled state
[ 34.189913] device bridge_slave_1 entered promiscuous mode
[ 34.205375] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 34.221410] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 34.263271] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 34.281490] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 34.344303] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 34.351642] team0: Port device team_slave_0 added
[ 34.366584] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 34.374480] team0: Port device team_slave_1 added
[ 34.389565] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 34.407816] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 34.425807] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 34.442810] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 34.560124] bridge0: port 2(bridge_slave_1) entered blocking state
[ 34.566566] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 34.573522] bridge0: port 1(bridge_slave_0) entered blocking state
[ 34.579883] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 35.004730] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 35.010860] 8021q: adding VLAN 0 to HW filter on device bond0
[ 35.055990] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 35.099553] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 35.108576] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 35.148893] 8021q: adding VLAN 0 to HW filter on device team0
[ 35.411957] ==================================================================
[ 35.419470] BUG: KASAN: slab-out-of-bounds in rmd160_final+0x201/0x240
[ 35.426123] Write of size 4 at addr ffff8801d0fae518 by task syz-executor0/4822
[ 35.433548]
[ 35.435163] CPU: 0 PID: 4822 Comm: syz-executor0 Not tainted 4.17.0+ #114
[ 35.442065] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.451399] Call Trace:
[ 35.453976]  dump_stack+0x1b9/0x294
[ 35.457591]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 35.462761]  ? printk+0x9e/0xba
[ 35.466037]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 35.470786]  ? kasan_check_write+0x14/0x20
[ 35.475006]  print_address_description+0x6c/0x20b
[ 35.479843]  ? rmd160_final+0x201/0x240
[ 35.483808]  kasan_report.cold.7+0x242/0x2fe
[ 35.488207]  __asan_report_store4_noabort+0x17/0x20
[ 35.493220]  rmd160_final+0x201/0x240
[ 35.497010]  ? rmd160_update+0x170/0x170
[ 35.501070]  ? rmd160_update+0x13b/0x170
[ 35.505114]  ? kasan_unpoison_shadow+0x35/0x50
[ 35.509679]  crypto_shash_final+0x104/0x260
[ 35.513988]  ? rmd160_update+0x170/0x170
[ 35.518051]  __keyctl_dh_compute+0x1184/0x1bc0
[ 35.522628]  ? copy_overflow+0x30/0x30
[ 35.526504]  ? find_held_lock+0x36/0x1c0
[ 35.530556]  ? lock_downgrade+0x8e0/0x8e0
[ 35.534693]  ? check_same_owner+0x320/0x320
[ 35.539013]  ? find_held_lock+0x36/0x1c0
[ 35.543085]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 35.548615]  ? _copy_from_user+0xdf/0x150
[ 35.552750]  compat_keyctl_dh_compute+0x2c8/0x3e0
[ 35.557586]  ? __x32_compat_sys_keyctl+0x3b0/0x3b0
[ 35.562506]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 35.567680]  __ia32_compat_sys_keyctl+0x137/0x3b0
[ 35.572507]  do_fast_syscall_32+0x345/0xf9b
[ 35.576817]  ? do_int80_syscall_32+0x880/0x880
[ 35.581381]  ? syscall_slow_exit_work+0x4f0/0x4f0
[ 35.586208]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 35.591729]  ? syscall_return_slowpath+0x30f/0x5c0
[ 35.596654]  ? sysret32_from_system_call+0x5/0x46
[ 35.601486]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 35.606312]  entry_SYSENTER_compat+0x70/0x7f
[ 35.610700] RIP: 0023:0xf7faacb9
[ 35.614043] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 35.633235] RSP: 002b:00000000ffab4bcc EFLAGS: 00000282 ORIG_RAX: 0000000000000120
[ 35.640932] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000020000100
[ 35.648191] RDX: 0000000020a53ffb RSI: 0000000000000005 RDI: 0000000020c61fc8
[ 35.655443] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 35.662695] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[ 35.669950] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 35.677207]
[ 35.678813] Allocated by task 4822:
[ 35.682429]  save_stack+0x43/0xd0
[ 35.685866]  kasan_kmalloc+0xc4/0xe0
[ 35.689574]  __kmalloc+0x14e/0x760
[ 35.693096]  __keyctl_dh_compute+0xfe9/0x1bc0
[ 35.697573]  compat_keyctl_dh_compute+0x2c8/0x3e0
[ 35.702395]  __ia32_compat_sys_keyctl+0x137/0x3b0
[ 35.707229]  do_fast_syscall_32+0x345/0xf9b
[ 35.711538]  entry_SYSENTER_compat+0x70/0x7f
[ 35.716283]
[ 35.717894] Freed by task 3199:
[ 35.721164]  save_stack+0x43/0xd0
[ 35.724597]  __kasan_slab_free+0x11a/0x170
[ 35.728812]  kasan_slab_free+0xe/0x10
[ 35.732590]  kfree+0xd9/0x260
[ 35.735694]  load_elf_binary+0x463e/0x5610
[ 35.739928]  search_binary_handler+0x17d/0x570
[ 35.744504]  __do_execve_file.isra.34+0x16fe/0x2610
[ 35.749509]  __x64_sys_execve+0x8f/0xc0
[ 35.753476]  do_syscall_64+0x1b1/0x800
[ 35.757359]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 35.762522]
[ 35.764131] The buggy address belongs to the object at ffff8801d0fae500
[ 35.764131]  which belongs to the cache kmalloc-32 of size 32
[ 35.776611] The buggy address is located 24 bytes inside of
[ 35.776611]  32-byte region [ffff8801d0fae500, ffff8801d0fae520)
[ 35.788303] The buggy address belongs to the page:
[ 35.793217] page:ffffea000743eb80 count:1 mapcount:0 mapping:ffff8801d0fae000 index:0xffff8801d0faefc1
[ 35.802642] flags: 0x2fffc0000000100(slab)
[ 35.806860] raw: 02fffc0000000100 ffff8801d0fae000 ffff8801d0faefc1 0000000100000023
[ 35.814724] raw: ffffea00074171a0 ffffea000749e220 ffff8801da8001c0 0000000000000000
[ 35.822591] page dumped because: kasan: bad access detected
[ 35.828274]
[ 35.829877] Memory state around the buggy address:
[ 35.834890]  ffff8801d0fae400: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 35.842229]  ffff8801d0fae480: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 35.849569] >ffff8801d0fae500: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 35.856903]                             ^
[ 35.861040]  ffff8801d0fae580: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 35.868382]  ffff8801d0fae600: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 35.875732] ==================================================================
[ 35.883093] Disabling lock debugging due to kernel taint
[ 35.889061] Kernel panic - not syncing: panic_on_warn set ...
[ 35.889061]
[ 35.896438] CPU: 0 PID: 4822 Comm: syz-executor0 Tainted: G B 4.17.0+ #114
[ 35.904738] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.915251] Call Trace:
[ 35.917839]  dump_stack+0x1b9/0x294
[ 35.921464]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 35.926651]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 35.931400]  ? rmd160_final+0x1b0/0x240
[ 35.935364]  panic+0x22f/0x4de
[ 35.938760]  ? add_taint.cold.5+0x16/0x16
[ 35.942891]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 35.947285]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 35.951677]  ? rmd160_final+0x201/0x240
[ 35.955632]  kasan_end_report+0x47/0x4f
[ 35.959588]  kasan_report.cold.7+0x76/0x2fe
[ 35.963890]  __asan_report_store4_noabort+0x17/0x20
[ 35.968894]  rmd160_final+0x201/0x240
[ 35.972675]  ? rmd160_update+0x170/0x170
[ 35.976716]  ? rmd160_update+0x13b/0x170
[ 35.980770]  ? kasan_unpoison_shadow+0x35/0x50
[ 35.985337]  crypto_shash_final+0x104/0x260
[ 35.989641]  ? rmd160_update+0x170/0x170
[ 35.993685]  __keyctl_dh_compute+0x1184/0x1bc0
[ 35.998248]  ? copy_overflow+0x30/0x30
[ 36.002132]  ? find_held_lock+0x36/0x1c0
[ 36.006175]  ? lock_downgrade+0x8e0/0x8e0
[ 36.010312]  ? check_same_owner+0x320/0x320
[ 36.014615]  ? find_held_lock+0x36/0x1c0
[ 36.018665]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 36.024192]  ? _copy_from_user+0xdf/0x150
[ 36.028339]  compat_keyctl_dh_compute+0x2c8/0x3e0
[ 36.033168]  ? __x32_compat_sys_keyctl+0x3b0/0x3b0
[ 36.038094]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 36.043265]  __ia32_compat_sys_keyctl+0x137/0x3b0
[ 36.048097]  do_fast_syscall_32+0x345/0xf9b
[ 36.052407]  ? do_int80_syscall_32+0x880/0x880
[ 36.056971]  ? syscall_slow_exit_work+0x4f0/0x4f0
[ 36.061796]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 36.067316]  ? syscall_return_slowpath+0x30f/0x5c0
[ 36.072240]  ? sysret32_from_system_call+0x5/0x46
[ 36.077154]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 36.081983]  entry_SYSENTER_compat+0x70/0x7f
[ 36.086393] RIP: 0023:0xf7faacb9
[ 36.089744] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 36.108858] RSP: 002b:00000000ffab4bcc EFLAGS: 00000282 ORIG_RAX: 0000000000000120
[ 36.116548] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000020000100
[ 36.123802] RDX: 0000000020a53ffb RSI: 0000000000000005 RDI: 0000000020c61fc8
[ 36.131062] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 36.138313] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[ 36.145573] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 36.153320] Dumping ftrace buffer:
[ 36.156854]    (ftrace buffer empty)
[ 36.160540] Kernel Offset: disabled
[ 36.164144] Rebooting in 86400 seconds..