syzkaller-repros/linux/7c17e17da1e764a4db88b33fb408531edef3c5a0.c - pub/scm/linux/kernel/git/shuah/linux-arts - Git at Google

 // KASAN: slab-out-of-bounds Read in cap_convert_nscap
 // https://syzkaller.appspot.com/bug?id=7c17e17da1e764a4db88b33fb408531edef3c5a0
 // status:fixed
 // autogenerated by syzkaller (http://github.com/google/syzkaller)

 #define _GNU_SOURCE
 #include <endian.h>
 #include <stdint.h>
 #include <string.h>
 #include <sys/syscall.h>
 #include <unistd.h>

 long r[1];
 void loop()
 {
   memset(r, -1, sizeof(r));
   syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);
   memcpy((void*)0x2000dff6, "./control", 10);
   syscall(__NR_mkdir, 0x2000dff6, 0);
   memcpy((void*)0x20741000, "./control", 10);
   r[0] = syscall(__NR_open, 0x20741000, 0, 0);
   memcpy((void*)0x20f4c000, "security.capability", 20);
   memcpy((void*)0x208c4fe9, "", 1);
   syscall(__NR_fsetxattr, r[0], 0x20f4c000, 0x208c4fe9, 1, 1);
 }

 int main()
 {
   loop();
   return 0;
 }
	// KASAN: slab-out-of-bounds Read in cap_convert_nscap
	// https://syzkaller.appspot.com/bug?id=7c17e17da1e764a4db88b33fb408531edef3c5a0
	// status:fixed
	// autogenerated by syzkaller (http://github.com/google/syzkaller)

	#define _GNU_SOURCE
	#include <endian.h>
	#include <stdint.h>
	#include <string.h>
	#include <sys/syscall.h>
	#include <unistd.h>

	long r[1];
	void loop()
	{
	memset(r, -1, sizeof(r));
	syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);
	memcpy((void*)0x2000dff6, "./control", 10);
	syscall(__NR_mkdir, 0x2000dff6, 0);
	memcpy((void*)0x20741000, "./control", 10);
	r[0] = syscall(__NR_open, 0x20741000, 0, 0);
	memcpy((void*)0x20f4c000, "security.capability", 20);
	memcpy((void*)0x208c4fe9, "", 1);
	syscall(__NR_fsetxattr, r[0], 0x20f4c000, 0x208c4fe9, 1, 1);
	}

	int main()
	{
	loop();
	return 0;
	}