syzkaller-repros/linux/c0789e761577af6735c74541d6035c0a9a73cff9.c

// KASAN: slab-out-of-bounds Read in bpf_skb_change_head
// https://syzkaller.appspot.com/bug?id=c0789e761577af6735c74541d6035c0a9a73cff9
// status:open
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef __NR_bpf
#define __NR_bpf 321
#endif

uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
  long res = 0;
  *(uint32_t*)0x20000200 = 0xc;
  *(uint32_t*)0x20000204 = 0xe;
  *(uint64_t*)0x20000208 = 0x20000000;
  memcpy((void*)0x20000000,
         "\xb7\x02\x00\x00\x13\x00\x00\x00\xbf\xa3\x00\x00\x00\x00\x00\x00\x07"
         "\x01\x00\x00\x00\xfe\xff\xff\x7a\x0a\xf0\xff\xf8\xff\xff\xff\x79\xa4"
         "\xf0\xff\x00\x00\x00\x00\xb7\x06\x00\x00\xff\xff\xff\xff\x2d\x64\x05"
         "\x00\x00\x00\x00\x00\x65\x04\x04\x00\x01\x00\x00\x00\x04\x04\x00\x00"
         "\x01\x00\x00\x00\xb7\x03\x00\x00\x00\x00\x00\x00\x6a\x0a\x00\xfe\x00"
         "\x00\x00\x00\x85\x00\x00\x00\x2b\x00\x00\x00\xb7\x00\x00\x00\x00\x00"
         "\x00\x00\x95\x00\x00\x00\x00\x00\x00\x00",
         112);
  *(uint64_t*)0x20000210 = 0x20000140;
  memcpy((void*)0x20000140, "syzkaller", 10);
  *(uint32_t*)0x20000218 = 0;
  *(uint32_t*)0x2000021c = 0;
  *(uint64_t*)0x20000220 = 0;
  *(uint32_t*)0x20000228 = 0;
  *(uint32_t*)0x2000022c = 0;
  *(uint8_t*)0x20000230 = 0;
  *(uint8_t*)0x20000231 = 0;
  *(uint8_t*)0x20000232 = 0;
  *(uint8_t*)0x20000233 = 0;
  *(uint8_t*)0x20000234 = 0;
  *(uint8_t*)0x20000235 = 0;
  *(uint8_t*)0x20000236 = 0;
  *(uint8_t*)0x20000237 = 0;
  *(uint8_t*)0x20000238 = 0;
  *(uint8_t*)0x20000239 = 0;
  *(uint8_t*)0x2000023a = 0;
  *(uint8_t*)0x2000023b = 0;
  *(uint8_t*)0x2000023c = 0;
  *(uint8_t*)0x2000023d = 0;
  *(uint8_t*)0x2000023e = 0;
  *(uint8_t*)0x2000023f = 0;
  *(uint32_t*)0x20000240 = 0;
  *(uint32_t*)0x20000244 = 0;
  res = syscall(__NR_bpf, 5, 0x20000200, 0x48);
  if (res != -1)
    r[0] = res;
  *(uint32_t*)0x20000180 = r[0];
  *(uint32_t*)0x20000184 = 0;
  *(uint32_t*)0x20000188 = 0x79;
  *(uint32_t*)0x2000018c = 0x9f;
  *(uint64_t*)0x20000190 = 0x20000280;
  memcpy((void*)0x20000280,
         "\x43\x03\x7f\x63\x2e\x75\x92\x31\x91\x35\xda\xd4\xe4\x37\x51\x0f\xe7"
         "\x56\x4a\x1b\x03\x77\xa4\xf1\x56\x49\x06\x67\x6d\x4d\xa1\xb8\x28\x5f"
         "\x52\xc9\x9c\x5b\x98\x2e\x72\x37\x44\xed\x88\x33\x21\xaf\xdf\xe1\x3b"
         "\x86\xea\x79\x9f\xab\x0d\x67\x1d\x50\x5b\x0e\xef\xf9\x20\x39\x26\x09"
         "\x3d\x6f\x72\x65\x97\x41\xb8\x64\xf8\xcd\x2b\xd3\x0e\xbc\x99\x37\xe0"
         "\x88\xff\xd3\x2e\x03\x83\xf3\xa3\x91\x3b\x5e\x40\x14\xdc\x42\x9b\x5e"
         "\x93\x73\x37\x7c\x41\x74\xe1\x13\xef\x5f\xb1\x4f\x28\x84\x74\xc1\x88"
         "\xf3\x62",
         121);
  *(uint64_t*)0x20000198 = 0x20000380;
  *(uint32_t*)0x200001a0 = 0x100;
  *(uint32_t*)0x200001a4 = 0;
  syscall(__NR_bpf, 0xa, 0x20000180, 0x28);
  return 0;
}