[....] Starting periodic command scheduler: cron[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd[   19.826438] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.252720] random: sshd: uninitialized urandom read (32 bytes read)
[   24.555872] random: sshd: uninitialized urandom read (32 bytes read)
[   25.315971] random: sshd: uninitialized urandom read (32 bytes read)
[   25.480009] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.63' (ECDSA) to the list of known hosts.
[   30.989472] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   31.083884] ==================================================================
[   31.091350] BUG: KASAN: slab-out-of-bounds in rmd160_final+0x201/0x240
[   31.098001] Write of size 4 at addr ffff8801d88781d8 by task syz-executor724/4532
[   31.105607] 
[   31.107218] CPU: 1 PID: 4532 Comm: syz-executor724 Not tainted 4.17.0+ #89
[   31.114205] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.123540] Call Trace:
[   31.126119]  dump_stack+0x1b9/0x294
[   31.129732]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.134904]  ? printk+0x9e/0xba
[   31.138165]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   31.142903]  ? kasan_check_write+0x14/0x20
[   31.147121]  print_address_description+0x6c/0x20b
[   31.151958]  ? rmd160_final+0x201/0x240
[   31.155915]  kasan_report.cold.7+0x242/0x2fe
[   31.160305]  __asan_report_store4_noabort+0x17/0x20
[   31.165304]  rmd160_final+0x201/0x240
[   31.169086]  ? rmd160_update+0x170/0x170
[   31.173130]  ? rmd160_update+0x13b/0x170
[   31.177172]  ? kasan_unpoison_shadow+0x35/0x50
[   31.181737]  crypto_shash_final+0x104/0x260
[   31.186048]  ? rmd160_update+0x170/0x170
[   31.190107]  __keyctl_dh_compute+0x1184/0x1bc0
[   31.194678]  ? copy_overflow+0x30/0x30
[   31.198559]  ? find_held_lock+0x36/0x1c0
[   31.202607]  ? lock_downgrade+0x8e0/0x8e0
[   31.206737]  ? check_same_owner+0x320/0x320
[   31.211044]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   31.216565]  ? handle_mm_fault+0x55a/0xc70
[   31.220787]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.226307]  ? _copy_from_user+0xdf/0x150
[   31.230443]  keyctl_dh_compute+0xb9/0x100
[   31.234571]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   31.239312]  ? kzfree+0x28/0x30
[   31.242586]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   31.247760]  __x64_sys_keyctl+0x12a/0x3b0
[   31.251892]  do_syscall_64+0x1b1/0x800
[   31.255762]  ? syscall_return_slowpath+0x5c0/0x5c0
[   31.260683]  ? syscall_return_slowpath+0x30f/0x5c0
[   31.265595]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.271126]  ? retint_user+0x18/0x18
[   31.274826]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.279655]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.284831] RIP: 0033:0x43ffa9
[   31.288010] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[   31.307195] RSP: 002b:00007ffd9be52ed8 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[   31.314889] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9
[   31.322141] RDX: 0000000020a53ffb RSI: 0000000020000100 RDI: 0000000000000017
[   31.329393] RBP: 00000000006ca018 R08: 0000000020c61fc8 R09: 00000000004002c8
[   31.336647] R10: 0000000000000005 R11: 0000000000000217 R12: 00000000004018d0
[   31.343896] R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000
[   31.351153] 
[   31.352759] Allocated by task 4532:
[   31.356373]  save_stack+0x43/0xd0
[   31.359806]  kasan_kmalloc+0xc4/0xe0
[   31.363502]  __kmalloc+0x14e/0x760
[   31.367032]  __keyctl_dh_compute+0xfe9/0x1bc0
[   31.371509]  keyctl_dh_compute+0xb9/0x100
[   31.375638]  __x64_sys_keyctl+0x12a/0x3b0
[   31.379768]  do_syscall_64+0x1b1/0x800
[   31.383640]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.388802] 
[   31.390426] Freed by task 2865:
[   31.393698]  save_stack+0x43/0xd0
[   31.397148]  __kasan_slab_free+0x11a/0x170
[   31.401361]  kasan_slab_free+0xe/0x10
[   31.405141]  kfree+0xd9/0x260
[   31.408227]  single_release+0x8f/0xb0
[   31.412023]  __fput+0x353/0x890
[   31.415296]  ____fput+0x15/0x20
[   31.418559]  task_work_run+0x1e4/0x290
[   31.422432]  exit_to_usermode_loop+0x2bd/0x310
[   31.426992]  do_syscall_64+0x6ac/0x800
[   31.430869]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.436036] 
[   31.437648] The buggy address belongs to the object at ffff8801d88781c0
[   31.437648]  which belongs to the cache kmalloc-32 of size 32
[   31.450111] The buggy address is located 24 bytes inside of
[   31.450111]  32-byte region [ffff8801d88781c0, ffff8801d88781e0)
[   31.461788] The buggy address belongs to the page:
[   31.466701] page:ffffea0007621e00 count:1 mapcount:0 mapping:ffff8801d8878000 index:0xffff8801d8878fc1
[   31.476125] flags: 0x2fffc0000000100(slab)
[   31.480344] raw: 02fffc0000000100 ffff8801d8878000 ffff8801d8878fc1 0000000100000018
[   31.488223] raw: ffffea00070e71e0 ffffea00076222a0 ffff8801da8001c0 0000000000000000
[   31.496095] page dumped because: kasan: bad access detected
[   31.501780] 
[   31.503388] Memory state around the buggy address:
[   31.508298]  ffff8801d8878080: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   31.515638]  ffff8801d8878100: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   31.522983] >ffff8801d8878180: fb fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   31.530331]                                                     ^
[   31.536553]  ffff8801d8878200: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   31.543893]  ffff8801d8878280: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   31.551228] ==================================================================
[   31.558566] Disabling lock debugging due to kernel taint
[   31.564081] Kernel panic - not syncing: panic_on_warn set ...
[   31.564081] 
[   31.571447] CPU: 1 PID: 4532 Comm: syz-executor724 Tainted: G    B             4.17.0+ #89
[   31.579828] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.589158] Call Trace:
[   31.591732]  dump_stack+0x1b9/0x294
[   31.595344]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.600524]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   31.605266]  ? rmd160_final+0x1b0/0x240
[   31.609223]  panic+0x22f/0x4de
[   31.612398]  ? add_taint.cold.5+0x16/0x16
[   31.616526]  ? do_raw_spin_unlock+0x9e/0x2e0
[   31.620922]  ? do_raw_spin_unlock+0x9e/0x2e0
[   31.625313]  ? rmd160_final+0x201/0x240
[   31.629272]  kasan_end_report+0x47/0x4f
[   31.633226]  kasan_report.cold.7+0x76/0x2fe
[   31.637530]  __asan_report_store4_noabort+0x17/0x20
[   31.642536]  rmd160_final+0x201/0x240
[   31.646317]  ? rmd160_update+0x170/0x170
[   31.650358]  ? rmd160_update+0x13b/0x170
[   31.654398]  ? kasan_unpoison_shadow+0x35/0x50
[   31.658977]  crypto_shash_final+0x104/0x260
[   31.663287]  ? rmd160_update+0x170/0x170
[   31.667333]  __keyctl_dh_compute+0x1184/0x1bc0
[   31.671897]  ? copy_overflow+0x30/0x30
[   31.675766]  ? find_held_lock+0x36/0x1c0
[   31.679823]  ? lock_downgrade+0x8e0/0x8e0
[   31.683961]  ? check_same_owner+0x320/0x320
[   31.688267]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   31.693792]  ? handle_mm_fault+0x55a/0xc70
[   31.698013]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.703593]  ? _copy_from_user+0xdf/0x150
[   31.707723]  keyctl_dh_compute+0xb9/0x100
[   31.711855]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   31.716591]  ? kzfree+0x28/0x30
[   31.719868]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   31.725043]  __x64_sys_keyctl+0x12a/0x3b0
[   31.729186]  do_syscall_64+0x1b1/0x800
[   31.733055]  ? syscall_return_slowpath+0x5c0/0x5c0
[   31.737962]  ? syscall_return_slowpath+0x30f/0x5c0
[   31.742871]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.748392]  ? retint_user+0x18/0x18
[   31.752084]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.756913]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.762080] RIP: 0033:0x43ffa9
[   31.765245] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[   31.784375] RSP: 002b:00007ffd9be52ed8 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[   31.792063] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9
[   31.799311] RDX: 0000000020a53ffb RSI: 0000000020000100 RDI: 0000000000000017
[   31.806560] RBP: 00000000006ca018 R08: 0000000020c61fc8 R09: 00000000004002c8
[   31.813818] R10: 0000000000000005 R11: 0000000000000217 R12: 00000000004018d0
[   31.821067] R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000
[   31.828776] Dumping ftrace buffer:
[   31.832295]    (ftrace buffer empty)
[   31.835983] Kernel Offset: disabled
[   31.839586] Rebooting in 86400 seconds..
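What the report above establishes, read line by line: the faulting access is a 4-byte store in rmd160_final(), the routine that writes the 20-byte RIPEMD-160 digest out as five little-endian 32-bit words, reached through crypto_shash_final() from __keyctl_dh_compute(), i.e. the KDF branch of the KEYCTL_DH_COMPUTE operation (ORIG_RAX 0xfa is the x86-64 keyctl syscall, RDI 0x17 is KEYCTL_DH_COMPUTE, R08 is a non-NULL kdf parameter pointer, and R10, the buflen argument, is 5). The target object was allocated by the same task from the same function and lives in kmalloc-32; the shadow row marks it `00 00 00 fc`, so exactly 24 bytes were requested and the store at offset 24 landed in the slot's redzone. The "Freed by task 2865 ... single_release" record describes the slot's previous occupant and is not evidence of a use-after-free; the "random: sshd: uninitialized urandom read" lines are VM boot noise unrelated to the bug.

One reading the numbers support: a 20-byte digest whose word lands at offset 24 is a digest that started at offset 20, which means a second full digest was being written directly after the first into a 24-byte buffer. 24 is what the kernel's round_up() macro, which is only defined for power-of-two alignments, returns for round_up(5, 20); roundup(5, 20) is 20, and two whole blocks would need 40. The report is therefore consistent with the KDF output buffer being sized by a power-of-two round-up of buflen to the digest size and then filled digest by digest, which a 32-byte digest such as SHA-256 would never expose. Confirming that against security/keys/dh.c at this commit is up to the reader; the report does not include the source.

The C below is an added example, not code from the kernel, from this report or from its reproducer. It implements both rounding forms and a counter-mode KDF that writes whole digests into its output buffer, over a stand-in 20-byte digest (a deterministic mixing function, not RIPEMD-160), and measures the overrun into a canary-filled array so the demonstration stays well-defined C. The macro and function names, the constructed secret and the length limits are the example's own.

```c
/* Added example, not kernel code and not this report's reproducer.  It shows the
 * arithmetic the report's numbers point to: a KDF output buffer sized with the
 * power-of-two round_up() for a 20-byte digest, then filled digest by digest.
 * The digest below is a deterministic stand-in with RIPEMD-160's 20-byte output
 * length; it is NOT RIPEMD-160 and NOT cryptographic. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define H        20    /* digest size, same as RIPEMD-160; not a power of two */
#define SRC_MAX  64    /* assumption: the KDF input (shared secret) is <= 64 bytes */
#define SCRATCH  128   /* canary-filled window; keep buflen <= 64 so overruns stay inside it */
#define CANARY   0xFF  /* never produced by the stand-in digest (its output bytes are 7-bit) */

typedef size_t (*round_fn)(size_t x, size_t a);

/* Kernel round_up(): bit trick that is only correct when a is a power of two. */
static size_t round_up_pow2(size_t x, size_t a) { return ((x - 1) | (a - 1)) + 1; }

/* Kernel roundup(): division form, correct for any a. */
static size_t roundup_any(size_t x, size_t a) { return ((x + a - 1) / a) * a; }

/* Stand-in digest: five state words mixed with the input, stored little-endian
 * like rmd160_final()'s dst[i] = cpu_to_le32(state[i]), i.e. as 4-byte stores. */
static void fake_digest(const uint8_t *msg, size_t len, uint8_t out[H])
{
    uint32_t s[5] = { 0x67452301u, 0xefcdab89u, 0x98badcfeu, 0x10325476u, 0xc3d2e1f0u };

    for (size_t i = 0; i < len; i++) {
        s[i % 5] = (s[i % 5] ^ msg[i]) * 0x01000193u;
        s[(i + 1) % 5] += s[i % 5] >> 13;
    }
    for (int i = 0; i < H; i++)
        out[i] = (uint8_t)(s[i / 4] >> (8 * (i % 4))) & 0x7f;
}

/* One KDF block: digest(counter_be32 || src), as a counter-mode KDF builds it. */
static void kdf_block(uint32_t ctr, const uint8_t *src, size_t slen, uint8_t out[H])
{
    uint8_t msg[4 + SRC_MAX] = { (uint8_t)(ctr >> 24), (uint8_t)(ctr >> 16),
                                 (uint8_t)(ctr >> 8), (uint8_t)ctr };

    if (slen > SRC_MAX)
        slen = SRC_MAX;
    memcpy(msg + 4, src, slen);
    fake_digest(msg, 4 + slen, out);
}

/* Counter-mode KDF whose contract is that dst holds a whole number of H-byte
 * blocks covering dlen bytes: every block, the last included, is finalized
 * straight into dst.  The contract holds only if the caller rounded dlen up to
 * a multiple of H correctly. */
static void kdf_ctr(const uint8_t *src, size_t slen, uint8_t *dst, size_t dlen)
{
    for (uint32_t ctr = 1; dlen; ctr++, dst += H) {
        kdf_block(ctr, src, slen, dst);           /* always writes H bytes */
        dlen = dlen > H ? dlen - H : 0;
    }
}

/* Sizes the output buffer as rnd(buflen, H), runs kdf_ctr() over it inside a
 * canary-filled array, and returns how many bytes past the buffer were
 * clobbered; *first (if non-NULL) gets the offset of the first clobbered byte,
 * or the buffer size if none.  The array is big enough to hold the overrun, so
 * this stays well-defined C, unlike the real kmalloc-32 overrun. */
static size_t derive_overrun(size_t buflen, round_fn rnd, size_t *first)
{
    static const uint8_t secret[] = "constructed-dh-z";   /* constructed input */
    uint8_t buf[SCRATCH];
    size_t outbuf_len = rnd(buflen, H), n = 0, f = outbuf_len;

    memset(buf, CANARY, sizeof buf);
    kdf_ctr(secret, sizeof secret - 1, buf, outbuf_len);
    for (size_t i = outbuf_len; i < SCRATCH; i++)
        if (buf[i] != CANARY && n++ == 0)
            f = i;
    if (first)
        *first = f;
    return n;
}

static size_t first_overrun(size_t buflen, round_fn rnd)
{
    size_t f;
    derive_overrun(buflen, rnd, &f);
    return f;
}

int main(void)
{
    printf("round_up(5, 20) = %zu, roundup(5, 20) = %zu\n",
           round_up_pow2(5, H), roundup_any(5, H));
    printf("round_up sizing: %zu bytes clobbered, first at offset %zu\n",
           derive_overrun(5, round_up_pow2, NULL), first_overrun(5, round_up_pow2));
    printf("roundup sizing:  %zu bytes clobbered\n", derive_overrun(5, roundup_any, NULL));
    return 0;
}
```

With buflen 5 the power-of-two rounding yields a 24-byte buffer; the first digest fills offsets 0 to 19, the second starts at 20 and clobbers 16 bytes from offset 24 onward, which is the "24 bytes inside of 32-byte region" the report prints. With roundup() the buffer is 20 bytes and nothing is clobbered. For a 32-byte digest both roundings agree, so a hash with a power-of-two digest size would pass the same test. An equally valid fix shape is to finalize a partial last block into a temporary and copy only the bytes still owed, which also avoids writing digest material the caller never asked for; the kernel's memzero_explicit() is the right tool for clearing such a temporary.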