| // KASAN: slab-out-of-bounds Read in asn1_ber_decoder |
| // https://syzkaller.appspot.com/bug?id=76b1f877893d053ac5d62d6ccaad2d6c0d28f161 |
| // status:fixed |
| // autogenerated by syzkaller (http://github.com/google/syzkaller) |
| |
| #define _GNU_SOURCE |
| |
| #include <sys/syscall.h> |
| #include <unistd.h> |
| |
| #include <stdint.h> |
| #include <string.h> |
| |
// Result slots for the syscalls issued by loop(); only r[0], r[7] and r[15]
// are written, the rest keep the -1 fill from the memset.
long r[16];

// Replays the syscall sequence behind the KASAN report named in the file
// header (slab-out-of-bounds read in asn1_ber_decoder, marked fixed there).
//
// Sequence, as visible in the code:
//   1. mmap a fixed anonymous read/write region that holds every buffer
//      passed to the kernel below.
//   2. add_key(type "logon", description "syz ", zero-length payload).
//   3. add_key(type "asymmetric", description "syz ", 2-byte payload),
//      targeting whatever keyring id step 2 returned.
//
// The input of interest is the step-3 payload: 0x30 is the DER SEQUENCE tag
// and 0x32 is a short-form length announcing 50 content bytes, yet the
// payload length handed to add_key is 2, so no content bytes exist. A BER/DER
// decoder has to compare each declared length with the bytes actually
// remaining before reading the content.
//
// No return value is checked; a failed mmap makes the first memcpy fault.
void loop()
{
  // User-space addresses of the buffers, all inside the mapping created below.
  const unsigned long map_base = 0x20000000ul;
  const unsigned long map_len = 0xfff000ul;
  const unsigned long logon_type_addr = 0x20084ffaul;
  const unsigned long logon_desc_addr = 0x2078cffbul;
  const unsigned long logon_payload_addr = 0x20b90000ul;
  const unsigned long asym_type_addr = 0x20825ff5ul;
  const unsigned long asym_desc_addr = 0x205ceffbul;
  const unsigned long asym_payload_addr = 0x201d9000ul;

  // Both keys use the same 5-byte description, terminating NUL included.
  static const char key_desc[] = "syz ";
  // Truncated DER: SEQUENCE tag, short-form length 0x32, no content.
  static const uint8_t truncated_der[] = {0x30, 0x32};

  memset(r, -1, sizeof(r));

  // prot 0x3 is PROT_READ|PROT_WRITE; flags 0x32 is
  // MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS with the x86-64 Linux values
  // (NOTE(review): flag values differ on some architectures). fd is -1.
  r[0] = syscall(__NR_mmap, map_base, map_len, 0x3ul, 0x32ul,
                 0xfffffffffffffffful, 0x0ul);

  // Step 2: key type "logon" (6 bytes with the NUL), payload length 0.
  // The keyring argument is -5 as a signed 64-bit value, which is
  // KEY_SPEC_USER_SESSION_KEYRING in <linux/keyutils.h>.
  // NOTE(review): this call presumably fails (empty payload), leaving
  // r[7] == -1, but nothing here checks it - confirm on the target kernel.
  memcpy((void*)logon_type_addr, "logon", 6);
  memcpy((void*)logon_desc_addr, key_desc, sizeof(key_desc));
  r[7] = syscall(__NR_add_key, logon_type_addr, logon_desc_addr,
                 logon_payload_addr, 0x0ul, 0xfffffffffffffffbul);

  // Step 3: key type "asymmetric" (11 bytes with the NUL) with the 2-byte
  // truncated payload; this is the call that hands data to the ASN.1 parser.
  memcpy((void*)asym_type_addr, "asymmetric", 11);
  memcpy((void*)asym_desc_addr, key_desc, sizeof(key_desc));
  memcpy((void*)asym_payload_addr, truncated_der, sizeof(truncated_der));
  r[15] = syscall(__NR_add_key, asym_type_addr, asym_desc_addr,
                  asym_payload_addr, 0x2ul, r[7]);
}
| |
// Entry point: runs the syscall sequence in loop() exactly once. The exit
// status is always 0 because no syscall result is inspected; whether the
// kernel flagged anything has to be read from the kernel log (KASAN output),
// not from this process.
int main()
{
  loop();
  return 0;
}