[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   19.915847] random: sshd: uninitialized urandom read (32 bytes read)
[   20.268107] random: sshd: uninitialized urandom read (32 bytes read)
[   20.756961] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   21.549696] random: sshd: uninitialized urandom read (32 bytes read)
[   21.699559] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.22' (ECDSA) to the list of known hosts.
[   27.079610] random: sshd: uninitialized urandom read (32 bytes read)
2018/06/07 22:13:33 parsed 1 programs
[   28.474525] random: cc1: uninitialized urandom read (8 bytes read)
2018/06/07 22:13:35 executed programs: 0
[   29.997592] IPVS: ftp: loaded support on port[0] = 21
[   30.120735] bridge0: port 1(bridge_slave_0) entered blocking state
[   30.127231] bridge0: port 1(bridge_slave_0) entered disabled state
[   30.134644] device bridge_slave_0 entered promiscuous mode
[   30.142759] ip (4553) used greatest stack depth: 16616 bytes left
[   30.152355] bridge0: port 2(bridge_slave_1) entered blocking state
[   30.158708] bridge0: port 2(bridge_slave_1) entered disabled state
[   30.165727] device bridge_slave_1 entered promiscuous mode
[   30.181063] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   30.196092] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   30.235267] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   30.252289] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   30.310207] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   30.317608] team0: Port device team_slave_0 added
[   30.331803] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   30.338833] team0: Port device team_slave_1 added
[   30.353470] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   30.369889] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   30.386344] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   30.402936] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   30.480222] ip (4604) used greatest stack depth: 16520 bytes left
[   30.515666] bridge0: port 2(bridge_slave_1) entered blocking state
[   30.522096] bridge0: port 2(bridge_slave_1) entered forwarding state
[   30.529053] bridge0: port 1(bridge_slave_0) entered blocking state
[   30.535750] bridge0: port 1(bridge_slave_0) entered forwarding state
[   30.920727] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   30.926826] 8021q: adding VLAN 0 to HW filter on device bond0
[   30.966503] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   31.006707] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   31.017109] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   31.051599] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   31.057686] 8021q: adding VLAN 0 to HW filter on device team0
[   31.064060] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   31.305381] ==================================================================
[   31.312859] BUG: KASAN: slab-out-of-bounds in sha1_final+0x283/0x2e0
[   31.319335] Write of size 4 at addr ffff8801d0866f98 by task syz-executor0/4773
[   31.326758] 
[   31.328369] CPU: 0 PID: 4773 Comm: syz-executor0 Not tainted 4.17.0+ #114
[   31.335275] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.344606] Call Trace:
[   31.347177]  dump_stack+0x1b9/0x294
[   31.350785]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.355957]  ? printk+0x9e/0xba
[   31.359219]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   31.363956]  ? kasan_check_write+0x14/0x20
[   31.368188]  print_address_description+0x6c/0x20b
[   31.373018]  ? sha1_final+0x283/0x2e0
[   31.376810]  kasan_report.cold.7+0x242/0x2fe
[   31.381202]  __asan_report_store4_noabort+0x17/0x20
[   31.386199]  sha1_final+0x283/0x2e0
[   31.389821]  crypto_shash_final+0x104/0x260
[   31.394124]  ? sha1_generic_block_fn+0x100/0x100
[   31.398869]  __keyctl_dh_compute+0x1184/0x1bc0
[   31.403470]  ? copy_overflow+0x30/0x30
[   31.407344]  ? find_held_lock+0x36/0x1c0
[   31.411420]  ? lock_downgrade+0x8e0/0x8e0
[   31.415548]  ? check_same_owner+0x320/0x320
[   31.419850]  ? find_held_lock+0x36/0x1c0
[   31.423900]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.429421]  ? _copy_from_user+0xdf/0x150
[   31.433556]  compat_keyctl_dh_compute+0x2c8/0x3e0
[   31.438383]  ? __x32_compat_sys_keyctl+0x3b0/0x3b0
[   31.443300]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   31.448473]  __ia32_compat_sys_keyctl+0x137/0x3b0
[   31.453311]  do_fast_syscall_32+0x345/0xf9b
[   31.457614]  ? do_int80_syscall_32+0x880/0x880
[   31.462179]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   31.466925]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.472453]  ? syscall_return_slowpath+0x30f/0x5c0
[   31.477375]  ? sysret32_from_system_call+0x5/0x46
[   31.482199]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.487037]  entry_SYSENTER_compat+0x70/0x7f
[   31.491425] RIP: 0023:0xf7fcdcb9
[   31.494764] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   31.513945] RSP: 002b:00000000ff9b8dac EFLAGS: 00000282 ORIG_RAX: 0000000000000120
[   31.521641] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000020000100
[   31.528892] RDX: 0000000020a53ffb RSI: 0000000000000005 RDI: 0000000020000140
[   31.536578] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   31.543826] R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
[   31.551076] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   31.558331] 
[   31.559938] Allocated by task 4773:
[   31.563558]  save_stack+0x43/0xd0
[   31.566992]  kasan_kmalloc+0xc4/0xe0
[   31.570687]  __kmalloc+0x14e/0x760
[   31.574210]  __keyctl_dh_compute+0xfe9/0x1bc0
[   31.578686]  compat_keyctl_dh_compute+0x2c8/0x3e0
[   31.583512]  __ia32_compat_sys_keyctl+0x137/0x3b0
[   31.588335]  do_fast_syscall_32+0x345/0xf9b
[   31.592637]  entry_SYSENTER_compat+0x70/0x7f
[   31.597021] 
[   31.598633] Freed by task 2311:
[   31.601893]  save_stack+0x43/0xd0
[   31.605333]  __kasan_slab_free+0x11a/0x170
[   31.609546]  kasan_slab_free+0xe/0x10
[   31.613322]  kfree+0xd9/0x260
[   31.616416]  tty_ldisc_put+0x4c/0x70
[   31.620124]  tty_ldisc_kill+0x6e/0xc0
[   31.623900]  tty_ldisc_hangup+0x2dd/0x640
[   31.628037]  __tty_hangup.part.21+0x2da/0x6e0
[   31.632518]  tty_vhangup+0x21/0x30
[   31.636042]  pty_close+0x3bd/0x510
[   31.639571]  tty_release+0x494/0x12e0
[   31.643351]  __fput+0x353/0x890
[   31.646607]  ____fput+0x15/0x20
[   31.649867]  task_work_run+0x1e4/0x290
[   31.653736]  exit_to_usermode_loop+0x2bd/0x310
[   31.658294]  do_syscall_64+0x6ac/0x800
[   31.662164]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.667343] 
[   31.668950] The buggy address belongs to the object at ffff8801d0866f80
[   31.668950]  which belongs to the cache kmalloc-32 of size 32
[   31.681417] The buggy address is located 24 bytes inside of
[   31.681417]  32-byte region [ffff8801d0866f80, ffff8801d0866fa0)
[   31.693096] The buggy address belongs to the page:
[   31.698011] page:ffffea0007421980 count:1 mapcount:0 mapping:ffff8801d0866000 index:0xffff8801d0866fc1
[   31.707456] flags: 0x2fffc0000000100(slab)
[   31.711672] raw: 02fffc0000000100 ffff8801d0866000 ffff8801d0866fc1 0000000100000008
[   31.719533] raw: ffffea00074264e0 ffffea000743d320 ffff8801da8001c0 0000000000000000
[   31.727398] page dumped because: kasan: bad access detected
[   31.733097] 
[   31.734703] Memory state around the buggy address:
[   31.739610]  ffff8801d0866e80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   31.746957]  ffff8801d0866f00: 00 00 00 00 fc fc fc fc 00 00 00 00 fc fc fc fc
[   31.754302] >ffff8801d0866f80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.761643]                             ^
[   31.765768]  ffff8801d0867000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.773104]  ffff8801d0867080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   31.780437] ==================================================================
[   31.787768] Disabling lock debugging due to kernel taint
[   31.793752] Kernel panic - not syncing: panic_on_warn set ...
[   31.793752] 
[   31.801113] CPU: 0 PID: 4773 Comm: syz-executor0 Tainted: G    B             4.17.0+ #114
[   31.809404] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.818733] Call Trace:
[   31.821313]  dump_stack+0x1b9/0x294
[   31.824920]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.830088]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   31.834826]  ? sha1_final+0x270/0x2e0
[   31.838608]  panic+0x22f/0x4de
[   31.841779]  ? add_taint.cold.5+0x16/0x16
[   31.845917]  ? do_raw_spin_unlock+0x9e/0x2e0
[   31.850303]  ? do_raw_spin_unlock+0x9e/0x2e0
[   31.854690]  ? sha1_final+0x283/0x2e0
[   31.858473]  kasan_end_report+0x47/0x4f
[   31.862430]  kasan_report.cold.7+0x76/0x2fe
[   31.866730]  __asan_report_store4_noabort+0x17/0x20
[   31.871733]  sha1_final+0x283/0x2e0
[   31.875340]  crypto_shash_final+0x104/0x260
[   31.879641]  ? sha1_generic_block_fn+0x100/0x100
[   31.884377]  __keyctl_dh_compute+0x1184/0x1bc0
[   31.888948]  ? copy_overflow+0x30/0x30
[   31.892815]  ? find_held_lock+0x36/0x1c0
[   31.896856]  ? lock_downgrade+0x8e0/0x8e0
[   31.900982]  ? check_same_owner+0x320/0x320
[   31.905378]  ? find_held_lock+0x36/0x1c0
[   31.909427]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.914943]  ? _copy_from_user+0xdf/0x150
[   31.919081]  compat_keyctl_dh_compute+0x2c8/0x3e0
[   31.923904]  ? __x32_compat_sys_keyctl+0x3b0/0x3b0
[   31.928817]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   31.933984]  __ia32_compat_sys_keyctl+0x137/0x3b0
[   31.938819]  do_fast_syscall_32+0x345/0xf9b
[   31.943120]  ? do_int80_syscall_32+0x880/0x880
[   31.947678]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   31.952414]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.957937]  ? syscall_return_slowpath+0x30f/0x5c0
[   31.962847]  ? sysret32_from_system_call+0x5/0x46
[   31.967677]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.972503]  entry_SYSENTER_compat+0x70/0x7f
[   31.976887] RIP: 0023:0xf7fcdcb9
[   31.980245] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   31.999362] RSP: 002b:00000000ff9b8dac EFLAGS: 00000282 ORIG_RAX: 0000000000000120
[   32.007059] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000020000100
[   32.014309] RDX: 0000000020a53ffb RSI: 0000000000000005 RDI: 0000000020000140
[   32.021557] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   32.028813] R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
[   32.036062] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   32.043782] Dumping ftrace buffer:
[   32.047296]    (ftrace buffer empty)
[   32.050989] Kernel Offset: disabled
[   32.054591] Rebooting in 86400 seconds..