[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd[ 19.568950] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 23.239395] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.477660] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.239669] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.394156] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.31' (ECDSA) to the list of known hosts.
[ 29.837487] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 29.928187] ==================================================================
[ 29.935629] BUG: KASAN: slab-out-of-bounds in sha256_final+0x303/0x380
[ 29.942301] Write of size 4 at addr ffff8801d9167d60 by task syz-executor687/4515
[ 29.949895] 
[ 29.951506] CPU: 0 PID: 4515 Comm: syz-executor687 Not tainted 4.17.0+ #89
[ 29.958492] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.967821] Call Trace:
[ 29.970391]  dump_stack+0x1b9/0x294
[ 29.973999]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 29.979181]  ? printk+0x9e/0xba
[ 29.982439]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 29.987174]  ? kasan_check_write+0x14/0x20
[ 29.991388]  print_address_description+0x6c/0x20b
[ 29.996212]  ? sha256_final+0x303/0x380
[ 30.000166]  kasan_report.cold.7+0x242/0x2fe
[ 30.004554]  __asan_report_store4_noabort+0x17/0x20
[ 30.009551]  sha256_final+0x303/0x380
[ 30.013335]  crypto_shash_final+0x104/0x260
[ 30.017641]  ? sha256_generic_block_fn+0x70/0x70
[ 30.022380]  __keyctl_dh_compute+0x1184/0x1bc0
[ 30.026955]  ? copy_overflow+0x30/0x30
[ 30.030829]  ? save_stack+0xa9/0xd0
[ 30.034438]  ? find_held_lock+0x36/0x1c0
[ 30.038483]  ? lock_downgrade+0x8e0/0x8e0
[ 30.042613]  ? check_same_owner+0x320/0x320
[ 30.046913]  ? trace_hardirqs_off+0xd/0x10
[ 30.051126]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[ 30.056216]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 30.061732]  ? _copy_from_user+0xdf/0x150
[ 30.065861]  keyctl_dh_compute+0xb9/0x100
[ 30.069988]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[ 30.074726]  ? kzfree+0x28/0x30
[ 30.077987]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 30.083158]  __x64_sys_keyctl+0x12a/0x3b0
[ 30.087286]  do_syscall_64+0x1b1/0x800
[ 30.091157]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 30.096072]  ? syscall_return_slowpath+0x30f/0x5c0
[ 30.100990]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 30.106342]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.111168]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 30.116337] RIP: 0033:0x440019
[ 30.119502] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[ 30.138666] RSP: 002b:00007ffdb8b0aca8 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[ 30.146354] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440019
[ 30.153784] RDX: 0000000020000080 RSI: 00000000200001c0 RDI: 0000000000000017
[ 30.161046] RBP: 00000000006ca018 R08: 0000000020000200 R09: 00000000004002c8
[ 30.168296] R10: 0000000000000005 R11: 0000000000000217 R12: 0000000000401940
[ 30.175550] R13: 00000000004019d0 R14: 0000000000000000 R15: 0000000000000000
[ 30.182824] 
[ 30.184446] Allocated by task 4515:
[ 30.188072]  save_stack+0x43/0xd0
[ 30.191506]  kasan_kmalloc+0xc4/0xe0
[ 30.195194]  __kmalloc+0x14e/0x760
[ 30.198712]  __keyctl_dh_compute+0xfe9/0x1bc0
[ 30.203197]  keyctl_dh_compute+0xb9/0x100
[ 30.207322]  __x64_sys_keyctl+0x12a/0x3b0
[ 30.211457]  do_syscall_64+0x1b1/0x800
[ 30.215335]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 30.220496] 
[ 30.222100] Freed by task 2870:
[ 30.225359]  save_stack+0x43/0xd0
[ 30.228788]  __kasan_slab_free+0x11a/0x170
[ 30.233008]  kasan_slab_free+0xe/0x10
[ 30.236796]  kfree+0xd9/0x260
[ 30.239877]  single_release+0x8f/0xb0
[ 30.243665]  __fput+0x353/0x890
[ 30.246925]  ____fput+0x15/0x20
[ 30.250184]  task_work_run+0x1e4/0x290
[ 30.254057]  exit_to_usermode_loop+0x2bd/0x310
[ 30.258619]  do_syscall_64+0x6ac/0x800
[ 30.262487]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 30.267649] 
[ 30.269254] The buggy address belongs to the object at ffff8801d9167d40
[ 30.269254]  which belongs to the cache kmalloc-32 of size 32
[ 30.281717] The buggy address is located 0 bytes to the right of
[ 30.281717]  32-byte region [ffff8801d9167d40, ffff8801d9167d60)
[ 30.293827] The buggy address belongs to the page:
[ 30.298734] page:ffffea00076459c0 count:1 mapcount:0 mapping:ffff8801d9167000 index:0xffff8801d9167fc1
[ 30.308158] flags: 0x2fffc0000000100(slab)
[ 30.312373] raw: 02fffc0000000100 ffff8801d9167000 ffff8801d9167fc1 0000000100000028
[ 30.320230] raw: ffffea00076581e0 ffffea0007646b20 ffff8801da8001c0 0000000000000000
[ 30.328084] page dumped because: kasan: bad access detected
[ 30.333764] 
[ 30.335366] Memory state around the buggy address:
[ 30.340272]  ffff8801d9167c00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 30.347608]  ffff8801d9167c80: 00 00 00 00 fc fc fc fc 00 00 00 00 fc fc fc fc
[ 30.354943] >ffff8801d9167d00: fb fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc
[ 30.362277]                                                        ^
[ 30.368747]  ffff8801d9167d80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 30.376088]  ffff8801d9167e00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 30.383426] ==================================================================
[ 30.390758] Disabling lock debugging due to kernel taint
[ 30.396264] Kernel panic - not syncing: panic_on_warn set ...
[ 30.396264] 
[ 30.403626] CPU: 0 PID: 4515 Comm: syz-executor687 Tainted: G    B             4.17.0+ #89
[ 30.412008] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.421344] Call Trace:
[ 30.423910]  dump_stack+0x1b9/0x294
[ 30.427513]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 30.432683]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 30.437418]  ? sha256_final+0x2b0/0x380
[ 30.441371]  panic+0x22f/0x4de
[ 30.444541]  ? add_taint.cold.5+0x16/0x16
[ 30.448681]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 30.453067]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 30.457465]  ? sha256_final+0x303/0x380
[ 30.461419]  kasan_end_report+0x47/0x4f
[ 30.465373]  kasan_report.cold.7+0x76/0x2fe
[ 30.469674]  __asan_report_store4_noabort+0x17/0x20
[ 30.474668]  sha256_final+0x303/0x380
[ 30.478446]  crypto_shash_final+0x104/0x260
[ 30.482743]  ? sha256_generic_block_fn+0x70/0x70
[ 30.487480]  __keyctl_dh_compute+0x1184/0x1bc0
[ 30.492052]  ? copy_overflow+0x30/0x30
[ 30.495927]  ? save_stack+0xa9/0xd0
[ 30.499532]  ? find_held_lock+0x36/0x1c0
[ 30.503574]  ? lock_downgrade+0x8e0/0x8e0
[ 30.507699]  ? check_same_owner+0x320/0x320
[ 30.512001]  ? trace_hardirqs_off+0xd/0x10
[ 30.516219]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[ 30.521304]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 30.526816]  ? _copy_from_user+0xdf/0x150
[ 30.530954]  keyctl_dh_compute+0xb9/0x100
[ 30.535079]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[ 30.539822]  ? kzfree+0x28/0x30
[ 30.543080]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 30.548252]  __x64_sys_keyctl+0x12a/0x3b0
[ 30.552384]  do_syscall_64+0x1b1/0x800
[ 30.556247]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 30.561152]  ? syscall_return_slowpath+0x30f/0x5c0
[ 30.566063]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 30.571405]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.576232]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 30.581395] RIP: 0033:0x440019
[ 30.584559] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[ 30.603674] RSP: 002b:00007ffdb8b0aca8 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[ 30.611361] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440019
[ 30.618618] RDX: 0000000020000080 RSI: 00000000200001c0 RDI: 0000000000000017
[ 30.625865] RBP: 00000000006ca018 R08: 0000000020000200 R09: 00000000004002c8
[ 30.633120] R10: 0000000000000005 R11: 0000000000000217 R12: 0000000000401940
[ 30.640366] R13: 00000000004019d0 R14: 0000000000000000 R15: 0000000000000000
[ 30.648104] Dumping ftrace buffer:
[ 30.651633]    (ftrace buffer empty)
[ 30.655319] Kernel Offset: disabled
[ 30.658920] Rebooting in 86400 seconds..