| // KASAN: stack-out-of-bounds Write in ip6gre_tunnel_locate |
| // https://syzkaller.appspot.com/bug?id=e2451634d3dfc86b73a854b3b5908a2c61c02ea9 |
| // status:fixed |
| // autogenerated by syzkaller (http://github.com/google/syzkaller) |
| |
| #define _GNU_SOURCE |
| #include <endian.h> |
| #include <stdint.h> |
| #include <string.h> |
| #include <sys/syscall.h> |
| #include <unistd.h> |
| |
| uint64_t r[1] = {0xffffffffffffffff}; |
| void loop() |
| { |
| long res = 0; |
| res = syscall(__NR_socket, 0xa, 5, 0x84); |
| if (res != -1) |
| r[0] = res; |
| memcpy((void*)0x200000c0, |
| "\x69\x70\x36\x67\x72\x65\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00", |
| 16); |
| *(uint64_t*)0x200000d0 = 0x20000140; |
| memcpy((void*)0x20000140, "\x67\x7a\xdf\xda\x73\xee\x1e\x9f\xb8\x32\xf6\xc9" |
| "\xfb\x3a\x12\x6d\x8e\x4b\xc2\x88\xe5\xda\x19\xfb" |
| "\x1b\x6a\x1e\x7b\xed\x25\x17\x80", |
| 32); |
| syscall(__NR_ioctl, r[0], 0x89f1, 0x200000c0); |
| } |
| |
| int main() |
| { |
| syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); |
| loop(); |
| return 0; |
| } |