[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 19.860259] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 23.748806] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.048979] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.877088] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.035838] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.32' (ECDSA) to the list of known hosts.
[ 30.460903] random: sshd: uninitialized urandom read (32 bytes read)
2018/06/07 10:58:24 parsed 1 programs
[ 31.611703] random: cc1: uninitialized urandom read (8 bytes read)
2018/06/07 10:58:26 executed programs: 0
[ 32.501654] IPVS: ftp: loaded support on port[0] = 21
[ 32.627320] bridge0: port 1(bridge_slave_0) entered blocking state
[ 32.633775] bridge0: port 1(bridge_slave_0) entered disabled state
[ 32.641319] device bridge_slave_0 entered promiscuous mode
[ 32.657151] bridge0: port 2(bridge_slave_1) entered blocking state
[ 32.663524] bridge0: port 2(bridge_slave_1) entered disabled state
[ 32.670438] device bridge_slave_1 entered promiscuous mode
[ 32.688653] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 32.703957] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 32.744215] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 32.766438] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 32.835940] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 32.843402] team0: Port device team_slave_0 added
[ 32.857233] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 32.864321] team0: Port device team_slave_1 added
[ 32.880925] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 32.898596] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 32.916179] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 32.931885] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 33.052132] bridge0: port 2(bridge_slave_1) entered blocking state
[ 33.058559] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 33.065355] bridge0: port 1(bridge_slave_0) entered blocking state
[ 33.071809] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 33.464970] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 33.471086] 8021q: adding VLAN 0 to HW filter on device bond0
[ 33.514597] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 33.558994] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 33.566595] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 33.603255] 8021q: adding VLAN 0 to HW filter on device team0
[ 33.859846] ==================================================================
[ 33.867296] BUG: KASAN: slab-out-of-bounds in sha1_finup+0x44e/0x4b0
[ 33.873771] Write of size 4 at addr ffff8801d7130ed8 by task syz-executor0/4761
[ 33.881193]
[ 33.882808] CPU: 0 PID: 4761 Comm: syz-executor0 Not tainted 4.17.0+ #113
[ 33.889709] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.899038] Call Trace:
[ 33.901610]  dump_stack+0x1b9/0x294
[ 33.905393]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 33.910572]  ? printk+0x9e/0xba
[ 33.913847]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 33.918612]  ? kasan_check_write+0x14/0x20
[ 33.922832]  print_address_description+0x6c/0x20b
[ 33.927658]  ? sha1_finup+0x44e/0x4b0
[ 33.931440]  kasan_report.cold.7+0x242/0x2fe
[ 33.935832]  __asan_report_store4_noabort+0x17/0x20
[ 33.940827]  sha1_finup+0x44e/0x4b0
[ 33.944436]  ? sha1_base_init+0x150/0x150
[ 33.949175]  sha1_avx2_final+0x28/0x30
[ 33.953055]  crypto_shash_final+0x104/0x260
[ 33.957357]  ? sha1_avx2_finup+0x40/0x40
[ 33.961400]  __keyctl_dh_compute+0x1184/0x1bc0
[ 33.965968]  ? copy_overflow+0x30/0x30
[ 33.970194]  ? find_held_lock+0x36/0x1c0
[ 33.974238]  ? lock_downgrade+0x8e0/0x8e0
[ 33.978368]  ? check_same_owner+0x320/0x320
[ 33.982671]  ? find_held_lock+0x36/0x1c0
[ 33.987156]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 33.992672]  ? _copy_from_user+0xdf/0x150
[ 33.996798]  compat_keyctl_dh_compute+0x2c8/0x3e0
[ 34.001620]  ? __x32_compat_sys_keyctl+0x3b0/0x3b0
[ 34.006534]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 34.011702]  __ia32_compat_sys_keyctl+0x137/0x3b0
[ 34.016535]  do_fast_syscall_32+0x345/0xf9b
[ 34.020838]  ? do_int80_syscall_32+0x880/0x880
[ 34.025400]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 34.030150]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.035675]  ? syscall_return_slowpath+0x30f/0x5c0
[ 34.040589]  ? sysret32_from_system_call+0x5/0x46
[ 34.045418]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 34.050246]  entry_SYSENTER_compat+0x70/0x7f
[ 34.054630] RIP: 0023:0xf7fbdcb9
[ 34.057969] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 34.077583] RSP: 002b:00000000ffdb494c EFLAGS: 00000286 ORIG_RAX: 0000000000000120
[ 34.085276] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000020000100
[ 34.092526] RDX: 0000000020a53ffb RSI: 0000000000000005 RDI: 0000000020c61fc8
[ 34.099782] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 34.107033] R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
[ 34.114282] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 34.121546]
[ 34.123156] Allocated by task 4761:
[ 34.126767]  save_stack+0x43/0xd0
[ 34.130207]  kasan_kmalloc+0xc4/0xe0
[ 34.133899]  __kmalloc+0x14e/0x760
[ 34.137423]  __keyctl_dh_compute+0xfe9/0x1bc0
[ 34.141896]  compat_keyctl_dh_compute+0x2c8/0x3e0
[ 34.146720]  __ia32_compat_sys_keyctl+0x137/0x3b0
[ 34.151560]  do_fast_syscall_32+0x345/0xf9b
[ 34.155863]  entry_SYSENTER_compat+0x70/0x7f
[ 34.160243]
[ 34.161850] Freed by task 1:
[ 34.164867]  save_stack+0x43/0xd0
[ 34.168300]  __kasan_slab_free+0x11a/0x170
[ 34.172519]  kasan_slab_free+0xe/0x10
[ 34.176311]  kfree+0xd9/0x260
[ 34.179400]  acpi_ns_get_node_unlocked+0x2b1/0x2ee
[ 34.184311]  acpi_ns_get_node+0x4d/0x6b
[ 34.188262]  acpi_get_handle+0x153/0x24b
[ 34.192301]  acpi_has_method+0x68/0xa0
[ 34.196167]  acpi_device_setup_files+0x393/0x820
[ 34.200903]  acpi_device_add+0x8af/0x1240
[ 34.205033]  acpi_add_single_object+0xaa5/0x1e70
[ 34.209789]  acpi_bus_check_add+0x5fa/0xb40
[ 34.214119]  acpi_ns_walk_namespace+0x224/0x400
[ 34.218794]  acpi_walk_namespace+0xf2/0x12c
[ 34.223115]  acpi_bus_scan+0x138/0x160
[ 34.227005]  acpi_scan_init+0x404/0x8df
[ 34.230962]  acpi_init+0x936/0x9fa
[ 34.234485]  do_one_initcall+0x127/0x913
[ 34.238527]  kernel_init_freeable+0x49b/0x58e
[ 34.243002]  kernel_init+0x11/0x1b3
[ 34.246606]  ret_from_fork+0x3a/0x50
[ 34.250293]
[ 34.251903] The buggy address belongs to the object at ffff8801d7130ec0
[ 34.251903]  which belongs to the cache kmalloc-32 of size 32
[ 34.264368] The buggy address is located 24 bytes inside of
[ 34.264368]  32-byte region [ffff8801d7130ec0, ffff8801d7130ee0)
[ 34.276047] The buggy address belongs to the page:
[ 34.280959] page:ffffea00075c4c00 count:1 mapcount:0 mapping:ffff8801d7130000 index:0xffff8801d7130fc1
[ 34.290386] flags: 0x2fffc0000000100(slab)
[ 34.294613] raw: 02fffc0000000100 ffff8801d7130000 ffff8801d7130fc1 0000000100000036
[ 34.302487] raw: ffffea00076061e0 ffffea0007633a60 ffff8801da8001c0 0000000000000000
[ 34.310358] page dumped because: kasan: bad access detected
[ 34.316044]
[ 34.317646] Memory state around the buggy address:
[ 34.322566]  ffff8801d7130d80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 34.329908]  ffff8801d7130e00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 34.337247] >ffff8801d7130e80: fb fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 34.344592]                                                     ^
[ 34.350803]  ffff8801d7130f00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 34.358160]  ffff8801d7130f80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.365496] ==================================================================
[ 34.372835] Disabling lock debugging due to kernel taint
[ 34.378567] Kernel panic - not syncing: panic_on_warn set ...
[ 34.378567]
[ 34.385925] CPU: 0 PID: 4761 Comm: syz-executor0 Tainted: G    B             4.17.0+ #113
[ 34.394219] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.403554] Call Trace:
[ 34.406129]  dump_stack+0x1b9/0x294
[ 34.409743]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 34.414915]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 34.419653]  ? sha1_finup+0x3a0/0x4b0
[ 34.423429]  panic+0x22f/0x4de
[ 34.426600]  ? add_taint.cold.5+0x16/0x16
[ 34.430738]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 34.435124]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 34.439508]  ? sha1_finup+0x44e/0x4b0
[ 34.443301]  kasan_end_report+0x47/0x4f
[ 34.447279]  kasan_report.cold.7+0x76/0x2fe
[ 34.451592]  __asan_report_store4_noabort+0x17/0x20
[ 34.456640]  sha1_finup+0x44e/0x4b0
[ 34.460254]  ? sha1_base_init+0x150/0x150
[ 34.464390]  sha1_avx2_final+0x28/0x30
[ 34.468261]  crypto_shash_final+0x104/0x260
[ 34.472571]  ? sha1_avx2_finup+0x40/0x40
[ 34.476639]  __keyctl_dh_compute+0x1184/0x1bc0
[ 34.481208]  ? copy_overflow+0x30/0x30
[ 34.485095]  ? find_held_lock+0x36/0x1c0
[ 34.489138]  ? lock_downgrade+0x8e0/0x8e0
[ 34.493288]  ? check_same_owner+0x320/0x320
[ 34.497599]  ? find_held_lock+0x36/0x1c0
[ 34.501654]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 34.507188]  ? _copy_from_user+0xdf/0x150
[ 34.511327]  compat_keyctl_dh_compute+0x2c8/0x3e0
[ 34.516150]  ? __x32_compat_sys_keyctl+0x3b0/0x3b0
[ 34.521064]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 34.526235]  __ia32_compat_sys_keyctl+0x137/0x3b0
[ 34.531057]  do_fast_syscall_32+0x345/0xf9b
[ 34.535367]  ? do_int80_syscall_32+0x880/0x880
[ 34.539930]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 34.544673]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.550190]  ? syscall_return_slowpath+0x30f/0x5c0
[ 34.555108]  ? sysret32_from_system_call+0x5/0x46
[ 34.559930]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 34.564761]  entry_SYSENTER_compat+0x70/0x7f
[ 34.569158] RIP: 0023:0xf7fbdcb9
[ 34.572498] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 34.591636] RSP: 002b:00000000ffdb494c EFLAGS: 00000286 ORIG_RAX: 0000000000000120
[ 34.599325] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000020000100
[ 34.606572] RDX: 0000000020a53ffb RSI: 0000000000000005 RDI: 0000000020c61fc8
[ 34.613821] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 34.621073] R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
[ 34.628325] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 34.636110] Dumping ftrace buffer:
[ 34.639635]    (ftrace buffer empty)
[ 34.643335] Kernel Offset: disabled
[ 34.646942] Rebooting in 86400 seconds..