syzkaller-repros/linux/56a2ca5cc3634acc143a865745dcca8c5302df5c.c - pub/scm/linux/kernel/git/shuah/linux-arts - Git at Google

 // KASAN: slab-out-of-bounds Read in memcpy
 // https://syzkaller.appspot.com/bug?id=56a2ca5cc3634acc143a865745dcca8c5302df5c
 // status:open
 // autogenerated by syzkaller (http://github.com/google/syzkaller)

 #define _GNU_SOURCE

 #include <sys/syscall.h>
 #include <unistd.h>

 #include <stdint.h>
 #include <string.h>

 long r[84];
 void loop()
 {
   memset(r, -1, sizeof(r));
   r[0] = syscall(__NR_mmap, 0x20000000ul, 0xfff000ul, 0x3ul, 0x32ul,
                  0xfffffffffffffffful, 0x0ul);
   memcpy((void*)0x20ceeff8, "\x2e\x2f\x66\x69\x6c\x65\x30\x00", 8);
   r[2] = syscall(__NR_open, 0x20ceeff8ul, 0x0ul, 0x0ul);
   r[3] = syscall(__NR_socket, 0xful, 0x3ul, 0x2ul);
   *(uint64_t*)0x205f5000 = (uint64_t)0x0;
   *(uint32_t*)0x205f5008 = (uint32_t)0x0;
   *(uint64_t*)0x205f5010 = (uint64_t)0x208feff0;
   *(uint64_t*)0x205f5018 = (uint64_t)0x1;
   *(uint64_t*)0x205f5020 = (uint64_t)0x0;
   *(uint64_t*)0x205f5028 = (uint64_t)0x0;
   *(uint32_t*)0x205f5030 = (uint32_t)0x0;
   *(uint64_t*)0x208feff0 = (uint64_t)0x20d4cea8;
   *(uint64_t*)0x208feff8 = (uint64_t)0x78;
   *(uint8_t*)0x20d4cea8 = (uint8_t)0x2;
   *(uint8_t*)0x20d4cea9 = (uint8_t)0x3;
   *(uint8_t*)0x20d4ceaa = (uint8_t)0x0;
   *(uint8_t*)0x20d4ceab = (uint8_t)0x0;
   *(uint16_t*)0x20d4ceac = (uint16_t)0xf;
   *(uint16_t*)0x20d4ceae = (uint16_t)0x0;
   *(uint32_t*)0x20d4ceb0 = (uint32_t)0x0;
   *(uint32_t*)0x20d4ceb4 = (uint32_t)0x0;
   *(uint16_t*)0x20d4ceb8 = (uint16_t)0x1;
   *(uint16_t*)0x20d4ceba = (uint16_t)0x9;
   *(uint16_t*)0x20d4cebc = (uint16_t)0x7fffffff;
   *(uint16_t*)0x20d4cebe = (uint16_t)0x0;
   *(uint16_t*)0x20d4cec0 = (uint16_t)0x5;
   *(uint16_t*)0x20d4cec2 = (uint16_t)0x6;
   *(uint8_t*)0x20d4cec4 = (uint8_t)0x0;
   *(uint8_t*)0x20d4cec5 = (uint8_t)0x0;
   *(uint16_t*)0x20d4cec6 = (uint16_t)0x0;
   *(uint16_t*)0x20d4cec8 = (uint16_t)0xa;
   *(uint16_t*)0x20d4ceca = (uint16_t)0x204e;
   *(uint32_t*)0x20d4cecc = (uint32_t)0x0;
   *(uint8_t*)0x20d4ced0 = (uint8_t)0x0;
   *(uint8_t*)0x20d4ced1 = (uint8_t)0x0;
   *(uint8_t*)0x20d4ced2 = (uint8_t)0x0;
   *(uint8_t*)0x20d4ced3 = (uint8_t)0x0;
   *(uint8_t*)0x20d4ced4 = (uint8_t)0x0;
   *(uint8_t*)0x20d4ced5 = (uint8_t)0x0;
   *(uint8_t*)0x20d4ced6 = (uint8_t)0x0;
   *(uint8_t*)0x20d4ced7 = (uint8_t)0x0;
   *(uint8_t*)0x20d4ced8 = (uint8_t)0x0;
   *(uint8_t*)0x20d4ced9 = (uint8_t)0x0;
   *(uint8_t*)0x20d4ceda = (uint8_t)0x0;
   *(uint8_t*)0x20d4cedb = (uint8_t)0x0;
   *(uint8_t*)0x20d4cedc = (uint8_t)0x0;
   *(uint8_t*)0x20d4cedd = (uint8_t)0x0;
   *(uint8_t*)0x20d4cede = (uint8_t)0x0;
   *(uint8_t*)0x20d4cedf = (uint8_t)0x0;
   *(uint32_t*)0x20d4cee0 = (uint32_t)0x0;
   *(uint16_t*)0x20d4cee8 = (uint16_t)0x2;
   *(uint16_t*)0x20d4ceea = (uint16_t)0x1;
   *(uint32_t*)0x20d4ceec = (uint32_t)0x0;
   *(uint8_t*)0x20d4cef0 = (uint8_t)0x0;
   *(uint8_t*)0x20d4cef1 = (uint8_t)0x0;
   *(uint8_t*)0x20d4cef2 = (uint8_t)0x0;
   *(uint8_t*)0x20d4cef3 = (uint8_t)0xb;
   *(uint32_t*)0x20d4cef4 = (uint32_t)0x0;
   *(uint16_t*)0x20d4cef8 = (uint16_t)0x5;
   *(uint16_t*)0x20d4cefa = (uint16_t)0x5;
   *(uint8_t*)0x20d4cefc = (uint8_t)0x0;
   *(uint8_t*)0x20d4cefd = (uint8_t)0x0;
   *(uint16_t*)0x20d4cefe = (uint16_t)0x0;
   *(uint16_t*)0x20d4cf00 = (uint16_t)0xa;
   *(uint16_t*)0x20d4cf02 = (uint16_t)0x204e;
   *(uint32_t*)0x20d4cf04 = (uint32_t)0x0;
   *(uint8_t*)0x20d4cf08 = (uint8_t)0x0;
   *(uint8_t*)0x20d4cf09 = (uint8_t)0x0;
   *(uint8_t*)0x20d4cf0a = (uint8_t)0x0;
   *(uint8_t*)0x20d4cf0b = (uint8_t)0x0;
   *(uint8_t*)0x20d4cf0c = (uint8_t)0x0;
   *(uint8_t*)0x20d4cf0d = (uint8_t)0x0;
   *(uint8_t*)0x20d4cf0e = (uint8_t)0x0;
   *(uint8_t*)0x20d4cf0f = (uint8_t)0x0;
   *(uint8_t*)0x20d4cf10 = (uint8_t)0x0;
   *(uint8_t*)0x20d4cf11 = (uint8_t)0x0;
   *(uint8_t*)0x20d4cf12 = (uint8_t)0x0;
   *(uint8_t*)0x20d4cf13 = (uint8_t)0x0;
   *(uint8_t*)0x20d4cf14 = (uint8_t)0x0;
   *(uint8_t*)0x20d4cf15 = (uint8_t)0x0;
   *(uint8_t*)0x20d4cf16 = (uint8_t)0x0;
   *(uint8_t*)0x20d4cf17 = (uint8_t)0x0;
   *(uint32_t*)0x20d4cf18 = (uint32_t)0x0;
   r[83] = syscall(__NR_sendmsg, r[3], 0x205f5000ul, 0x0ul);
 }

 int main()
 {
   loop();
   return 0;
 }
	// KASAN: slab-out-of-bounds Read in memcpy
	// https://syzkaller.appspot.com/bug?id=56a2ca5cc3634acc143a865745dcca8c5302df5c
	// status:open
	// autogenerated by syzkaller (http://github.com/google/syzkaller)

	#define _GNU_SOURCE

	#include <sys/syscall.h>
	#include <unistd.h>

	#include <stdint.h>
	#include <string.h>

	long r[84];
	void loop()
	{
	memset(r, -1, sizeof(r));
	r[0] = syscall(__NR_mmap, 0x20000000ul, 0xfff000ul, 0x3ul, 0x32ul,
	0xfffffffffffffffful, 0x0ul);
	memcpy((void*)0x20ceeff8, "\x2e\x2f\x66\x69\x6c\x65\x30\x00", 8);
	r[2] = syscall(__NR_open, 0x20ceeff8ul, 0x0ul, 0x0ul);
	r[3] = syscall(__NR_socket, 0xful, 0x3ul, 0x2ul);
	(uint64_t)0x205f5000 = (uint64_t)0x0;
	(uint32_t)0x205f5008 = (uint32_t)0x0;
	(uint64_t)0x205f5010 = (uint64_t)0x208feff0;
	(uint64_t)0x205f5018 = (uint64_t)0x1;
	(uint64_t)0x205f5020 = (uint64_t)0x0;
	(uint64_t)0x205f5028 = (uint64_t)0x0;
	(uint32_t)0x205f5030 = (uint32_t)0x0;
	(uint64_t)0x208feff0 = (uint64_t)0x20d4cea8;
	(uint64_t)0x208feff8 = (uint64_t)0x78;
	(uint8_t)0x20d4cea8 = (uint8_t)0x2;
	(uint8_t)0x20d4cea9 = (uint8_t)0x3;
	(uint8_t)0x20d4ceaa = (uint8_t)0x0;
	(uint8_t)0x20d4ceab = (uint8_t)0x0;
	(uint16_t)0x20d4ceac = (uint16_t)0xf;
	(uint16_t)0x20d4ceae = (uint16_t)0x0;
	(uint32_t)0x20d4ceb0 = (uint32_t)0x0;
	(uint32_t)0x20d4ceb4 = (uint32_t)0x0;
	(uint16_t)0x20d4ceb8 = (uint16_t)0x1;
	(uint16_t)0x20d4ceba = (uint16_t)0x9;
	(uint16_t)0x20d4cebc = (uint16_t)0x7fffffff;
	(uint16_t)0x20d4cebe = (uint16_t)0x0;
	(uint16_t)0x20d4cec0 = (uint16_t)0x5;
	(uint16_t)0x20d4cec2 = (uint16_t)0x6;
	(uint8_t)0x20d4cec4 = (uint8_t)0x0;
	(uint8_t)0x20d4cec5 = (uint8_t)0x0;
	(uint16_t)0x20d4cec6 = (uint16_t)0x0;
	(uint16_t)0x20d4cec8 = (uint16_t)0xa;
	(uint16_t)0x20d4ceca = (uint16_t)0x204e;
	(uint32_t)0x20d4cecc = (uint32_t)0x0;
	(uint8_t)0x20d4ced0 = (uint8_t)0x0;
	(uint8_t)0x20d4ced1 = (uint8_t)0x0;
	(uint8_t)0x20d4ced2 = (uint8_t)0x0;
	(uint8_t)0x20d4ced3 = (uint8_t)0x0;
	(uint8_t)0x20d4ced4 = (uint8_t)0x0;
	(uint8_t)0x20d4ced5 = (uint8_t)0x0;
	(uint8_t)0x20d4ced6 = (uint8_t)0x0;
	(uint8_t)0x20d4ced7 = (uint8_t)0x0;
	(uint8_t)0x20d4ced8 = (uint8_t)0x0;
	(uint8_t)0x20d4ced9 = (uint8_t)0x0;
	(uint8_t)0x20d4ceda = (uint8_t)0x0;
	(uint8_t)0x20d4cedb = (uint8_t)0x0;
	(uint8_t)0x20d4cedc = (uint8_t)0x0;
	(uint8_t)0x20d4cedd = (uint8_t)0x0;
	(uint8_t)0x20d4cede = (uint8_t)0x0;
	(uint8_t)0x20d4cedf = (uint8_t)0x0;
	(uint32_t)0x20d4cee0 = (uint32_t)0x0;
	(uint16_t)0x20d4cee8 = (uint16_t)0x2;
	(uint16_t)0x20d4ceea = (uint16_t)0x1;
	(uint32_t)0x20d4ceec = (uint32_t)0x0;
	(uint8_t)0x20d4cef0 = (uint8_t)0x0;
	(uint8_t)0x20d4cef1 = (uint8_t)0x0;
	(uint8_t)0x20d4cef2 = (uint8_t)0x0;
	(uint8_t)0x20d4cef3 = (uint8_t)0xb;
	(uint32_t)0x20d4cef4 = (uint32_t)0x0;
	(uint16_t)0x20d4cef8 = (uint16_t)0x5;
	(uint16_t)0x20d4cefa = (uint16_t)0x5;
	(uint8_t)0x20d4cefc = (uint8_t)0x0;
	(uint8_t)0x20d4cefd = (uint8_t)0x0;
	(uint16_t)0x20d4cefe = (uint16_t)0x0;
	(uint16_t)0x20d4cf00 = (uint16_t)0xa;
	(uint16_t)0x20d4cf02 = (uint16_t)0x204e;
	(uint32_t)0x20d4cf04 = (uint32_t)0x0;
	(uint8_t)0x20d4cf08 = (uint8_t)0x0;
	(uint8_t)0x20d4cf09 = (uint8_t)0x0;
	(uint8_t)0x20d4cf0a = (uint8_t)0x0;
	(uint8_t)0x20d4cf0b = (uint8_t)0x0;
	(uint8_t)0x20d4cf0c = (uint8_t)0x0;
	(uint8_t)0x20d4cf0d = (uint8_t)0x0;
	(uint8_t)0x20d4cf0e = (uint8_t)0x0;
	(uint8_t)0x20d4cf0f = (uint8_t)0x0;
	(uint8_t)0x20d4cf10 = (uint8_t)0x0;
	(uint8_t)0x20d4cf11 = (uint8_t)0x0;
	(uint8_t)0x20d4cf12 = (uint8_t)0x0;
	(uint8_t)0x20d4cf13 = (uint8_t)0x0;
	(uint8_t)0x20d4cf14 = (uint8_t)0x0;
	(uint8_t)0x20d4cf15 = (uint8_t)0x0;
	(uint8_t)0x20d4cf16 = (uint8_t)0x0;
	(uint8_t)0x20d4cf17 = (uint8_t)0x0;
	(uint32_t)0x20d4cf18 = (uint32_t)0x0;
	r[83] = syscall(__NR_sendmsg, r[3], 0x205f5000ul, 0x0ul);
	}

	int main()
	{
	loop();
	return 0;
	}