syzkaller-repros/linux/1c11a638b7d27e871aa297f3b4d5fd5bc90f0cb4.c - pub/scm/linux/kernel/git/shuah/linux-arts - Git at Google

 // KASAN: slab-out-of-bounds Read in xfrm_hash_rebuild
 // https://syzkaller.appspot.com/bug?id=1c11a638b7d27e871aa297f3b4d5fd5bc90f0cb4
 // status:fixed
 // autogenerated by syzkaller (http://github.com/google/syzkaller)

 #define _GNU_SOURCE
 #include <endian.h>
 #include <stdint.h>
 #include <string.h>
 #include <sys/syscall.h>
 #include <unistd.h>

 long r[3];
 void loop()
 {
   memset(r, -1, sizeof(r));
   syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);
   r[0] = syscall(__NR_socket, 0xa, 2, 0);
   *(uint8_t*)0x201e8000 = 0xac;
   *(uint8_t*)0x201e8001 = 0x14;
   *(uint8_t*)0x201e8002 = 0;
   *(uint8_t*)0x201e8003 = 0xbb;
   *(uint8_t*)0x201e8010 = 0xfe;
   *(uint8_t*)0x201e8011 = 0x80;
   *(uint8_t*)0x201e8012 = 0;
   *(uint8_t*)0x201e8013 = 0;
   *(uint8_t*)0x201e8014 = 0;
   *(uint8_t*)0x201e8015 = 0;
   *(uint8_t*)0x201e8016 = 0;
   *(uint8_t*)0x201e8017 = 0;
   *(uint8_t*)0x201e8018 = 0;
   *(uint8_t*)0x201e8019 = 0;
   *(uint8_t*)0x201e801a = 0;
   *(uint8_t*)0x201e801b = 0;
   *(uint8_t*)0x201e801c = 0;
   *(uint8_t*)0x201e801d = 0;
   *(uint8_t*)0x201e801e = 0;
   *(uint8_t*)0x201e801f = 0xbb;
   *(uint16_t*)0x201e8020 = htobe16(0x4e20);
   *(uint16_t*)0x201e8022 = 0;
   *(uint16_t*)0x201e8024 = htobe16(0x4e20);
   *(uint16_t*)0x201e8026 = 0;
   *(uint16_t*)0x201e8028 = 2;
   *(uint8_t*)0x201e802a = 0;
   *(uint8_t*)0x201e802b = 0;
   *(uint8_t*)0x201e802c = 0;
   *(uint32_t*)0x201e8030 = 0;
   *(uint32_t*)0x201e8034 = 0;
   *(uint64_t*)0x201e8038 = 0;
   *(uint64_t*)0x201e8040 = 0;
   *(uint64_t*)0x201e8048 = 0;
   *(uint64_t*)0x201e8050 = 0;
   *(uint64_t*)0x201e8058 = 0;
   *(uint64_t*)0x201e8060 = 0;
   *(uint64_t*)0x201e8068 = 0;
   *(uint64_t*)0x201e8070 = 0;
   *(uint64_t*)0x201e8078 = 0;
   *(uint64_t*)0x201e8080 = 0;
   *(uint64_t*)0x201e8088 = 0;
   *(uint64_t*)0x201e8090 = 0;
   *(uint32_t*)0x201e8098 = 0;
   *(uint32_t*)0x201e809c = 0x6e6bb0;
   *(uint8_t*)0x201e80a0 = 0;
   *(uint8_t*)0x201e80a1 = 0;
   *(uint8_t*)0x201e80a2 = 0;
   *(uint8_t*)0x201e80a3 = 0;
   *(uint8_t*)0x201e80a8 = 0xac;
   *(uint8_t*)0x201e80a9 = 0x14;
   *(uint8_t*)0x201e80aa = 0;
   *(uint8_t*)0x201e80ab = 0xaa;
   *(uint32_t*)0x201e80b8 = htobe32(0x4d2);
   *(uint8_t*)0x201e80bc = -1;
   *(uint16_t*)0x201e80c0 = 0;
   *(uint8_t*)0x201e80c4 = 0;
   *(uint8_t*)0x201e80c5 = 0;
   *(uint8_t*)0x201e80c6 = 0;
   *(uint8_t*)0x201e80c7 = 0;
   *(uint8_t*)0x201e80c8 = 0;
   *(uint8_t*)0x201e80c9 = 0;
   *(uint8_t*)0x201e80ca = 0;
   *(uint8_t*)0x201e80cb = 0;
   *(uint8_t*)0x201e80cc = 0;
   *(uint8_t*)0x201e80cd = 0;
   *(uint8_t*)0x201e80ce = 0;
   *(uint8_t*)0x201e80cf = 0;
   *(uint8_t*)0x201e80d0 = 0;
   *(uint8_t*)0x201e80d1 = 0;
   *(uint8_t*)0x201e80d2 = 0;
   *(uint8_t*)0x201e80d3 = 0;
   *(uint32_t*)0x201e80d4 = 0x34ff;
   *(uint8_t*)0x201e80d8 = 0;
   *(uint8_t*)0x201e80d9 = 0;
   *(uint8_t*)0x201e80da = 0;
   *(uint32_t*)0x201e80dc = 0;
   *(uint32_t*)0x201e80e0 = 0;
   *(uint32_t*)0x201e80e4 = 0;
   syscall(__NR_setsockopt, r[0], 0x29, 0x23, 0x201e8000, 0xe8);
   r[1] = syscall(__NR_socket, 0xf, 3, 2);
   *(uint32_t*)0x20e8c000 = 0;
   syscall(__NR_setsockopt, r[1], 1, 8, 0x20e8c000, 4);
   memcpy((void*)0x20a97ff0,
          "\x02\x0b\xaf\x01\x02\x00\x00\x00\x00\x06\x7b\xbc\x8e\x1d\x4b\x48",
          16);
   syscall(__NR_write, r[1], 0x20a97ff0, 0x10);
   memcpy((void*)0x20000ff0,
          "\x02\x12\xa1\x25\x02\x00\x00\x00\x09\xe5\x00\x00\x00\x00\x09\x00",
          16);
   syscall(__NR_write, r[1], 0x20000ff0, 0x10);
   r[2] = syscall(__NR_socket, 0x10, 2, 6);
   *(uint64_t*)0x20616fc8 = 0x20000000;
   *(uint32_t*)0x20616fd0 = 0;
   *(uint64_t*)0x20616fd8 = 0x20664000;
   *(uint64_t*)0x20616fe0 = 1;
   *(uint64_t*)0x20616fe8 = 0x2061e000;
   *(uint64_t*)0x20616ff0 = 0;
   *(uint32_t*)0x20616ff8 = 0;
   *(uint64_t*)0x20664000 = 0x20d9efdf;
   *(uint64_t*)0x20664008 = 0x20;
   *(uint32_t*)0x20d9efdf = 0x20;
   *(uint16_t*)0x20d9efe3 = 0x24;
   *(uint16_t*)0x20d9efe5 = 1;
   *(uint32_t*)0x20d9efe7 = 0;
   *(uint32_t*)0x20d9efeb = 0x25dfdbfb;
   memcpy((void*)0x20d9efef,
          "\x23\x00\xfb\x06\x0b\x00\x04\x00\x00\x00\x00\x00\xff", 13);
   syscall(__NR_sendmsg, r[2], 0x20616fc8, 0);
 }

 int main()
 {
   loop();
   return 0;
 }
	// KASAN: slab-out-of-bounds Read in xfrm_hash_rebuild
	// https://syzkaller.appspot.com/bug?id=1c11a638b7d27e871aa297f3b4d5fd5bc90f0cb4
	// status:fixed
	// autogenerated by syzkaller (http://github.com/google/syzkaller)

	#define _GNU_SOURCE
	#include <endian.h>
	#include <stdint.h>
	#include <string.h>
	#include <sys/syscall.h>
	#include <unistd.h>

	long r[3];
	void loop()
	{
	memset(r, -1, sizeof(r));
	syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);
	r[0] = syscall(__NR_socket, 0xa, 2, 0);
	(uint8_t)0x201e8000 = 0xac;
	(uint8_t)0x201e8001 = 0x14;
	(uint8_t)0x201e8002 = 0;
	(uint8_t)0x201e8003 = 0xbb;
	(uint8_t)0x201e8010 = 0xfe;
	(uint8_t)0x201e8011 = 0x80;
	(uint8_t)0x201e8012 = 0;
	(uint8_t)0x201e8013 = 0;
	(uint8_t)0x201e8014 = 0;
	(uint8_t)0x201e8015 = 0;
	(uint8_t)0x201e8016 = 0;
	(uint8_t)0x201e8017 = 0;
	(uint8_t)0x201e8018 = 0;
	(uint8_t)0x201e8019 = 0;
	(uint8_t)0x201e801a = 0;
	(uint8_t)0x201e801b = 0;
	(uint8_t)0x201e801c = 0;
	(uint8_t)0x201e801d = 0;
	(uint8_t)0x201e801e = 0;
	(uint8_t)0x201e801f = 0xbb;
	(uint16_t)0x201e8020 = htobe16(0x4e20);
	(uint16_t)0x201e8022 = 0;
	(uint16_t)0x201e8024 = htobe16(0x4e20);
	(uint16_t)0x201e8026 = 0;
	(uint16_t)0x201e8028 = 2;
	(uint8_t)0x201e802a = 0;
	(uint8_t)0x201e802b = 0;
	(uint8_t)0x201e802c = 0;
	(uint32_t)0x201e8030 = 0;
	(uint32_t)0x201e8034 = 0;
	(uint64_t)0x201e8038 = 0;
	(uint64_t)0x201e8040 = 0;
	(uint64_t)0x201e8048 = 0;
	(uint64_t)0x201e8050 = 0;
	(uint64_t)0x201e8058 = 0;
	(uint64_t)0x201e8060 = 0;
	(uint64_t)0x201e8068 = 0;
	(uint64_t)0x201e8070 = 0;
	(uint64_t)0x201e8078 = 0;
	(uint64_t)0x201e8080 = 0;
	(uint64_t)0x201e8088 = 0;
	(uint64_t)0x201e8090 = 0;
	(uint32_t)0x201e8098 = 0;
	(uint32_t)0x201e809c = 0x6e6bb0;
	(uint8_t)0x201e80a0 = 0;
	(uint8_t)0x201e80a1 = 0;
	(uint8_t)0x201e80a2 = 0;
	(uint8_t)0x201e80a3 = 0;
	(uint8_t)0x201e80a8 = 0xac;
	(uint8_t)0x201e80a9 = 0x14;
	(uint8_t)0x201e80aa = 0;
	(uint8_t)0x201e80ab = 0xaa;
	(uint32_t)0x201e80b8 = htobe32(0x4d2);
	(uint8_t)0x201e80bc = -1;
	(uint16_t)0x201e80c0 = 0;
	(uint8_t)0x201e80c4 = 0;
	(uint8_t)0x201e80c5 = 0;
	(uint8_t)0x201e80c6 = 0;
	(uint8_t)0x201e80c7 = 0;
	(uint8_t)0x201e80c8 = 0;
	(uint8_t)0x201e80c9 = 0;
	(uint8_t)0x201e80ca = 0;
	(uint8_t)0x201e80cb = 0;
	(uint8_t)0x201e80cc = 0;
	(uint8_t)0x201e80cd = 0;
	(uint8_t)0x201e80ce = 0;
	(uint8_t)0x201e80cf = 0;
	(uint8_t)0x201e80d0 = 0;
	(uint8_t)0x201e80d1 = 0;
	(uint8_t)0x201e80d2 = 0;
	(uint8_t)0x201e80d3 = 0;
	(uint32_t)0x201e80d4 = 0x34ff;
	(uint8_t)0x201e80d8 = 0;
	(uint8_t)0x201e80d9 = 0;
	(uint8_t)0x201e80da = 0;
	(uint32_t)0x201e80dc = 0;
	(uint32_t)0x201e80e0 = 0;
	(uint32_t)0x201e80e4 = 0;
	syscall(__NR_setsockopt, r[0], 0x29, 0x23, 0x201e8000, 0xe8);
	r[1] = syscall(__NR_socket, 0xf, 3, 2);
	(uint32_t)0x20e8c000 = 0;
	syscall(__NR_setsockopt, r[1], 1, 8, 0x20e8c000, 4);
	memcpy((void*)0x20a97ff0,
	"\x02\x0b\xaf\x01\x02\x00\x00\x00\x00\x06\x7b\xbc\x8e\x1d\x4b\x48",
	16);
	syscall(__NR_write, r[1], 0x20a97ff0, 0x10);
	memcpy((void*)0x20000ff0,
	"\x02\x12\xa1\x25\x02\x00\x00\x00\x09\xe5\x00\x00\x00\x00\x09\x00",
	16);
	syscall(__NR_write, r[1], 0x20000ff0, 0x10);
	r[2] = syscall(__NR_socket, 0x10, 2, 6);
	(uint64_t)0x20616fc8 = 0x20000000;
	(uint32_t)0x20616fd0 = 0;
	(uint64_t)0x20616fd8 = 0x20664000;
	(uint64_t)0x20616fe0 = 1;
	(uint64_t)0x20616fe8 = 0x2061e000;
	(uint64_t)0x20616ff0 = 0;
	(uint32_t)0x20616ff8 = 0;
	(uint64_t)0x20664000 = 0x20d9efdf;
	(uint64_t)0x20664008 = 0x20;
	(uint32_t)0x20d9efdf = 0x20;
	(uint16_t)0x20d9efe3 = 0x24;
	(uint16_t)0x20d9efe5 = 1;
	(uint32_t)0x20d9efe7 = 0;
	(uint32_t)0x20d9efeb = 0x25dfdbfb;
	memcpy((void*)0x20d9efef,
	"\x23\x00\xfb\x06\x0b\x00\x04\x00\x00\x00\x00\x00\xff", 13);
	syscall(__NR_sendmsg, r[2], 0x20616fc8, 0);
	}

	int main()
	{
	loop();
	return 0;
	}