[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 17.616108] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 20.821330] random: sshd: uninitialized urandom read (32 bytes read) [ 21.192315] random: sshd: uninitialized urandom read (32 bytes read) [ 21.989978] random: sshd: uninitialized urandom read (32 bytes read) [ 47.337118] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.42' (ECDSA) to the list of known hosts. [ 52.835897] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 52.934812] ================================================================== [ 52.942259] BUG: KASAN: slab-out-of-bounds in crypto_morus640_decrypt_chunk+0xcf8/0xd20 [ 52.950383] Read of size 4 at addr ffff8801d76dc848 by task syz-executor575/4437 [ 52.957891] [ 52.959508] CPU: 1 PID: 4437 Comm: syz-executor575 Not tainted 4.17.0+ #84 [ 52.966509] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 52.975841] Call Trace: [ 52.978412] dump_stack+0x1b9/0x294 [ 52.982021] ? dump_stack_print_info.cold.2+0x52/0x52 [ 52.987193] ? printk+0x9e/0xba [ 52.990453] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 52.995192] ? kasan_check_write+0x14/0x20 [ 52.999411] print_address_description+0x6c/0x20b [ 53.004233] ? crypto_morus640_decrypt_chunk+0xcf8/0xd20 [ 53.009663] kasan_report.cold.7+0x242/0x2fe [ 53.014055] __asan_report_load4_noabort+0x14/0x20 [ 53.018975] crypto_morus640_decrypt_chunk+0xcf8/0xd20 [ 53.024234] ? skcipher_walk_first+0x158/0x410 [ 53.028797] ? crypto_morus640_encrypt_chunk+0xdb0/0xdb0 [ 53.034240] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 53.039758] ? skcipher_walk_aead_common+0x84a/0xbc0 [ 53.044844] ? skcipher_walk_aead_decrypt+0xc7/0x100 [ 53.049930] crypto_morus640_process_crypt.isra.12+0x153/0x230 [ 53.055892] ? crypto_morus640_decrypt_chunk+0xd20/0xd20 [ 53.061335] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 53.066855] ? crypto_morus640_process_ad+0xa10/0xa10 [ 53.072034] ? crypto_morus640_update+0xc7/0xe0 [ 53.076684] crypto_morus640_crypt+0x42e/0x9f0 [ 53.081249] ? crypto_morus640_load+0x170/0x170 [ 53.085916] ? scatterwalk_ffwd+0x3b0/0x3b0 [ 53.090222] ? rcu_read_lock_sched_held+0x108/0x120 [ 53.095221] crypto_morus640_decrypt+0x23e/0x3d0 [ 53.099955] ? af_alg_make_sg+0x4d0/0x4d0 [ 53.104086] ? crypto_morus640_crypt+0x9f0/0x9f0 [ 53.108836] ? __sk_mem_schedule+0xe0/0xe0 [ 53.113055] ? memset+0x31/0x40 [ 53.116318] aead_recvmsg+0x13cc/0x1ba0 [ 53.120366] ? aead_release+0x50/0x50 [ 53.124149] ? move_addr_to_kernel.part.20+0x100/0x100 [ 53.129405] ? security_socket_recvmsg+0x9b/0xc0 [ 53.134139] ? aead_release+0x50/0x50 [ 53.138180] sock_recvmsg+0xd0/0x110 [ 53.141876] ? __sock_recv_ts_and_drops+0x420/0x420 [ 53.146889] ___sys_recvmsg+0x2b6/0x680 [ 53.150862] ? ___sys_sendmsg+0x940/0x940 [ 53.154990] ? sock_sendmsg+0x120/0x120 [ 53.158961] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 53.164479] ? fget_raw+0x20/0x20 [ 53.167914] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 53.173437] ? __vfs_write+0x113/0x9d0 [ 53.177308] ? kernel_read+0x120/0x120 [ 53.181181] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 53.186716] ? fsnotify+0x415/0xfc0 [ 53.190328] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 53.195850] ? sockfd_lookup_light+0xc5/0x160 [ 53.200333] __sys_recvmsg+0x112/0x260 [ 53.204207] ? __ia32_sys_sendmmsg+0x100/0x100 [ 53.208777] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 53.214296] ? vfs_write+0x2a8/0x560 [ 53.218010] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 53.223526] ? ksys_write+0x1a6/0x250 [ 53.227323] __x64_sys_recvmsg+0x78/0xb0 [ 53.231364] do_syscall_64+0x1b1/0x800 [ 53.235232] ? syscall_return_slowpath+0x5c0/0x5c0 [ 53.240144] ? syscall_return_slowpath+0x30f/0x5c0 [ 53.245056] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 53.250403] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 53.255226] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 53.260394] RIP: 0033:0x43fef9 [ 53.263560] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 [ 53.282729] RSP: 002b:00007ffd6c88d3b8 EFLAGS: 00000207 ORIG_RAX: 000000000000002f [ 53.290418] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fef9 [ 53.297669] RDX: 0000000000000000 RSI: 0000000020002840 RDI: 0000000000000004 [ 53.304929] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 53.312185] R10: 00000000004002c8 R11: 0000000000000207 R12: 0000000000401820 [ 53.319432] R13: 00000000004018b0 R14: 0000000000000000 R15: 0000000000000000 [ 53.326688] [ 53.328297] Allocated by task 4437: [ 53.331906] save_stack+0x43/0xd0 [ 53.335349] kasan_kmalloc+0xc4/0xe0 [ 53.339053] __kmalloc+0x14e/0x760 [ 53.342575] skcipher_walk_next+0x750/0x1850 [ 53.346964] skcipher_walk_first+0x151/0x410 [ 53.351352] skcipher_walk_aead_common+0x7f8/0xbc0 [ 53.356258] skcipher_walk_aead_decrypt+0xc7/0x100 [ 53.361168] crypto_morus640_process_crypt.isra.12+0x9c/0x230 [ 53.367031] crypto_morus640_crypt+0x42e/0x9f0 [ 53.371592] crypto_morus640_decrypt+0x23e/0x3d0 [ 53.376325] aead_recvmsg+0x13cc/0x1ba0 [ 53.380287] sock_recvmsg+0xd0/0x110 [ 53.383978] ___sys_recvmsg+0x2b6/0x680 [ 53.387938] __sys_recvmsg+0x112/0x260 [ 53.391800] __x64_sys_recvmsg+0x78/0xb0 [ 53.395841] do_syscall_64+0x1b1/0x800 [ 53.399705] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 53.404869] [ 53.406476] Freed by task 2800: [ 53.409734] save_stack+0x43/0xd0 [ 53.413168] __kasan_slab_free+0x11a/0x170 [ 53.417392] kasan_slab_free+0xe/0x10 [ 53.421179] kfree+0xd9/0x260 [ 53.424265] single_release+0x8f/0xb0 [ 53.428043] __fput+0x353/0x890 [ 53.431298] ____fput+0x15/0x20 [ 53.434558] task_work_run+0x1e4/0x290 [ 53.438426] exit_to_usermode_loop+0x302/0x360 [ 53.442995] do_syscall_64+0x6ac/0x800 [ 53.446859] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 53.452030] [ 53.453637] The buggy address belongs to the object at ffff8801d76dc840 [ 53.453637] which belongs to the cache kmalloc-32 of size 32 [ 53.466101] The buggy address is located 8 bytes inside of [ 53.466101] 32-byte region [ffff8801d76dc840, ffff8801d76dc860) [ 53.477689] The buggy address belongs to the page: [ 53.482596] page:ffffea00075db700 count:1 mapcount:0 mapping:ffff8801da8001c0 index:0xffff8801d76dcfc1 [ 53.492018] flags: 0x2fffc0000000100(slab) [ 53.496236] raw: 02fffc0000000100 ffff8801da801238 ffffea00075dcdc8 ffff8801da8001c0 [ 53.504099] raw: ffff8801d76dcfc1 ffff8801d76dc000 000000010000003b 0000000000000000 [ 53.511956] page dumped because: kasan: bad access detected [ 53.517651] [ 53.519267] Memory state around the buggy address: [ 53.524175] ffff8801d76dc700: fb fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc [ 53.531522] ffff8801d76dc780: fb fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc [ 53.538862] >ffff8801d76dc800: 00 00 00 00 fc fc fc fc 00 fc fc fc fc fc fc fc [ 53.546201] ^ [ 53.551891] ffff8801d76dc880: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 53.559226] ffff8801d76dc900: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 53.566560] ================================================================== [ 53.573902] Disabling lock debugging due to kernel taint [ 53.579398] Kernel panic - not syncing: panic_on_warn set ... [ 53.579398] [ 53.586750] CPU: 1 PID: 4437 Comm: syz-executor575 Tainted: G B 4.17.0+ #84 [ 53.595128] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 53.604460] Call Trace: [ 53.607031] dump_stack+0x1b9/0x294 [ 53.610643] ? dump_stack_print_info.cold.2+0x52/0x52 [ 53.615815] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 53.620550] ? crypto_morus640_decrypt_chunk+0xcf0/0xd20 [ 53.625991] panic+0x22f/0x4de [ 53.629163] ? add_taint.cold.5+0x16/0x16 [ 53.633305] ? do_raw_spin_unlock+0x9e/0x2e0 [ 53.637693] ? do_raw_spin_unlock+0x9e/0x2e0 [ 53.642084] ? crypto_morus640_decrypt_chunk+0xcf8/0xd20 [ 53.647515] kasan_end_report+0x47/0x4f [ 53.651466] kasan_report.cold.7+0x76/0x2fe [ 53.655767] __asan_report_load4_noabort+0x14/0x20 [ 53.660685] crypto_morus640_decrypt_chunk+0xcf8/0xd20 [ 53.665942] ? skcipher_walk_first+0x158/0x410 [ 53.670503] ? crypto_morus640_encrypt_chunk+0xdb0/0xdb0 [ 53.675931] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 53.681447] ? skcipher_walk_aead_common+0x84a/0xbc0 [ 53.686528] ? skcipher_walk_aead_decrypt+0xc7/0x100 [ 53.691610] crypto_morus640_process_crypt.isra.12+0x153/0x230 [ 53.697560] ? crypto_morus640_decrypt_chunk+0xd20/0xd20 [ 53.702995] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 53.708511] ? crypto_morus640_process_ad+0xa10/0xa10 [ 53.713683] ? crypto_morus640_update+0xc7/0xe0 [ 53.718335] crypto_morus640_crypt+0x42e/0x9f0 [ 53.722906] ? crypto_morus640_load+0x170/0x170 [ 53.727553] ? scatterwalk_ffwd+0x3b0/0x3b0 [ 53.731861] ? rcu_read_lock_sched_held+0x108/0x120 [ 53.736860] crypto_morus640_decrypt+0x23e/0x3d0 [ 53.741593] ? af_alg_make_sg+0x4d0/0x4d0 [ 53.745720] ? crypto_morus640_crypt+0x9f0/0x9f0 [ 53.750459] ? __sk_mem_schedule+0xe0/0xe0 [ 53.754675] ? memset+0x31/0x40 [ 53.757933] aead_recvmsg+0x13cc/0x1ba0 [ 53.761888] ? aead_release+0x50/0x50 [ 53.765666] ? move_addr_to_kernel.part.20+0x100/0x100 [ 53.770928] ? security_socket_recvmsg+0x9b/0xc0 [ 53.775660] ? aead_release+0x50/0x50 [ 53.779441] sock_recvmsg+0xd0/0x110 [ 53.783143] ? __sock_recv_ts_and_drops+0x420/0x420 [ 53.788140] ___sys_recvmsg+0x2b6/0x680 [ 53.792094] ? ___sys_sendmsg+0x940/0x940 [ 53.796234] ? sock_sendmsg+0x120/0x120 [ 53.800190] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 53.805706] ? fget_raw+0x20/0x20 [ 53.809139] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 53.814655] ? __vfs_write+0x113/0x9d0 [ 53.818518] ? kernel_read+0x120/0x120 [ 53.822387] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 53.827920] ? fsnotify+0x415/0xfc0 [ 53.831528] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 53.837053] ? sockfd_lookup_light+0xc5/0x160 [ 53.841529] __sys_recvmsg+0x112/0x260 [ 53.845393] ? __ia32_sys_sendmmsg+0x100/0x100 [ 53.849965] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 53.855604] ? vfs_write+0x2a8/0x560 [ 53.859560] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 53.865087] ? ksys_write+0x1a6/0x250 [ 53.868882] __x64_sys_recvmsg+0x78/0xb0 [ 53.872922] do_syscall_64+0x1b1/0x800 [ 53.876790] ? syscall_return_slowpath+0x5c0/0x5c0 [ 53.881697] ? syscall_return_slowpath+0x30f/0x5c0 [ 53.886606] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 53.891951] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 53.896772] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 53.901937] RIP: 0033:0x43fef9 [ 53.905102] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 [ 53.924218] RSP: 002b:00007ffd6c88d3b8 EFLAGS: 00000207 ORIG_RAX: 000000000000002f [ 53.931904] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fef9 [ 53.939152] RDX: 0000000000000000 RSI: 0000000020002840 RDI: 0000000000000004 [ 53.946400] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 53.953647] R10: 00000000004002c8 R11: 0000000000000207 R12: 0000000000401820 [ 53.960903] R13: 00000000004018b0 R14: 0000000000000000 R15: 0000000000000000 [ 53.968637] Dumping ftrace buffer: [ 53.972154] (ftrace buffer empty) [ 53.975852] Kernel Offset: disabled [ 53.979457] Rebooting in 86400 seconds..