syzkaller-repros/linux/701637c97cd40acc95b08ea7c23cb76ceb787acf.c - pub/scm/linux/kernel/git/shuah/linux-arts - Git at Google

 // KASAN: use-after-free Read in bpf_csum_update
 // https://syzkaller.appspot.com/bug?id=701637c97cd40acc95b08ea7c23cb76ceb787acf
 // status:fixed
 // autogenerated by syzkaller (http://github.com/google/syzkaller)

 #define _GNU_SOURCE
 #include <endian.h>
 #include <stdint.h>
 #include <string.h>
 #include <sys/syscall.h>
 #include <unistd.h>

 #ifndef __NR_bpf
 #define __NR_bpf 321
 #endif

 uint64_t r[1] = {0xffffffffffffffff};
 void loop()
 {
   long res = 0;
   *(uint32_t*)0x20000200 = 0xc;
   *(uint32_t*)0x20000204 = 0xe;
   *(uint64_t*)0x20000208 = 0x20000000;
   memcpy((void*)0x20000000,
          "\xb7\x02\x00\x00\x00\x00\x00\x00\xbf\xa3\x00\x00\x00\x00\x00\x00\x07"
          "\x01\x00\x00\x00\xfe\xff\xff\x7a\x0a\xf0\xff\xf8\xff\xff\xff\x79\xa4"
          "\xf0\xff\x00\x00\x00\x00\xb7\x06\x00\x00\xff\xff\xff\xff\x2d\x64\x05"
          "\x00\x00\x00\x00\x00\x65\x04\x04\x00\x01\x00\x00\x00\x04\x04\x00\x00"
          "\x01\x00\x00\x00\xb7\x05\x00\x00\x00\x00\x00\x00\x6a\x0a\x00\xfe\x00"
          "\x00\x00\x00\x85\x00\x00\x00\x28\x00\x00\x00\xb7\x00\x00\x00\x00\x00"
          "\x00\x00\x95\x00\x00\x00\x00\x00\x00\x00",
          112);
   *(uint64_t*)0x20000210 = 0x20000340;
   memcpy((void*)0x20000340, "syzkaller", 10);
   *(uint32_t*)0x20000218 = 0;
   *(uint32_t*)0x2000021c = 0;
   *(uint64_t*)0x20000220 = 0;
   *(uint32_t*)0x20000228 = 0;
   *(uint32_t*)0x2000022c = 0;
   *(uint8_t*)0x20000230 = 0;
   *(uint8_t*)0x20000231 = 0;
   *(uint8_t*)0x20000232 = 0;
   *(uint8_t*)0x20000233 = 0;
   *(uint8_t*)0x20000234 = 0;
   *(uint8_t*)0x20000235 = 0;
   *(uint8_t*)0x20000236 = 0;
   *(uint8_t*)0x20000237 = 0;
   *(uint8_t*)0x20000238 = 0;
   *(uint8_t*)0x20000239 = 0;
   *(uint8_t*)0x2000023a = 0;
   *(uint8_t*)0x2000023b = 0;
   *(uint8_t*)0x2000023c = 0;
   *(uint8_t*)0x2000023d = 0;
   *(uint8_t*)0x2000023e = 0;
   *(uint8_t*)0x2000023f = 0;
   *(uint32_t*)0x20000240 = 0;
   *(uint32_t*)0x20000244 = 0;
   res = syscall(__NR_bpf, 5, 0x20000200, 0x48);
   if (res != -1)
     r[0] = res;
   *(uint32_t*)0x20000180 = r[0];
   *(uint32_t*)0x20000184 = 0;
   *(uint32_t*)0x20000188 = 0xfd;
   *(uint32_t*)0x2000018c = 0x72;
   *(uint64_t*)0x20000190 = 0x20000480;
   memcpy((void*)0x20000480,
          "\xf4\x49\x73\x3d\x72\x3d\xa3\x30\x17\x57\x67\xbe\x45\x28\x66\x7c\x6d"
          "\xa5\xe6\x4b\xe3\xbf\x8a\x94\x09\x20\x9d\x47\x8c\x1e\x00\x4a\xb0\x62"
          "\xc7\xbf\x92\xcd\x24\x0b\x75\x22\x07\x24\x3d\x18\x37\x48\xc0\x12\x31"
          "\xdd\x7e\x4e\x8b\xb6\xd5\x96\x10\xf0\xee\x83\x01\x3c\x24\x66\x75\xc8"
          "\x04\x53\x9f\xb9\x7e\x3e\x99\x9c\x68\xd6\x6a\x53\x2e\x10\x04\x42\x78"
          "\x6f\xf8\x71\x42\x66\x94\xea\x08\x8c\x25\x4e\x6b\xf9\xef\xb4\x6a\x2a"
          "\xda\x3c\x51\xf8\xc4\x1c\x62\x8d\x45\x1e\x96\xa5\x3d\x0b\x55\x6b\x2e"
          "\x38\xc2\x36\x7f\xb0\xd6\xf5\xd4\xe5\x55\x01\x59\x26\xc5\xa8\x3a\xc4"
          "\xbb\x9f\x4b\x62\x38\x5e\x0c\xf4\x67\x21\xa1\x35\xc6\x4b\x86\xb3\x9d"
          "\x9b\x5a\x9f\x98\x2d\xde\x49\x4b\xa4\xf6\x76\x86\xae\x20\xd8\x91\xc2"
          "\xec\x91\xdc\x03\x5b\x35\xe3\xcb\x14\x2d\xf4\xa8\xd4\xd1\xe1\x86\xf1"
          "\x4b\x7f\x88\xa1\xbd\x14\x17\x00\xb4\xb3\xde\x93\x15\xae\xad\x5c\x49"
          "\x53\x3f\x69\x9e\x8c\xa1\xdd\x43\x24\x06\x72\x63\xe0\x43\x09\xc0\xc9"
          "\x18\xfb\x53\x88\xa5\x4d\x46\x07\xf6\x05\xab\x3d\x25\xa9\xc0\x2f\xa9"
          "\xd5\x93\xc2\x76\x25\x36\xb8\x0b\xa6\xd2\xa1\xae\xfc\x4b\x43",
          253);
   *(uint64_t*)0x20000198 = 0x200002c0;
   *(uint32_t*)0x200001a0 = 5;
   *(uint32_t*)0x200001a4 = 0;
   syscall(__NR_bpf, 0xa, 0x20000180, 0x28);
 }

 int main()
 {
   syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
   loop();
   return 0;
 }
	// KASAN: use-after-free Read in bpf_csum_update
	// https://syzkaller.appspot.com/bug?id=701637c97cd40acc95b08ea7c23cb76ceb787acf
	// status:fixed
	// autogenerated by syzkaller (http://github.com/google/syzkaller)

	#define _GNU_SOURCE
	#include <endian.h>
	#include <stdint.h>
	#include <string.h>
	#include <sys/syscall.h>
	#include <unistd.h>

	#ifndef __NR_bpf
	#define __NR_bpf 321
	#endif

	uint64_t r[1] = {0xffffffffffffffff};
	void loop()
	{
	long res = 0;
	(uint32_t)0x20000200 = 0xc;
	(uint32_t)0x20000204 = 0xe;
	(uint64_t)0x20000208 = 0x20000000;
	memcpy((void*)0x20000000,
	"\xb7\x02\x00\x00\x00\x00\x00\x00\xbf\xa3\x00\x00\x00\x00\x00\x00\x07"
	"\x01\x00\x00\x00\xfe\xff\xff\x7a\x0a\xf0\xff\xf8\xff\xff\xff\x79\xa4"
	"\xf0\xff\x00\x00\x00\x00\xb7\x06\x00\x00\xff\xff\xff\xff\x2d\x64\x05"
	"\x00\x00\x00\x00\x00\x65\x04\x04\x00\x01\x00\x00\x00\x04\x04\x00\x00"
	"\x01\x00\x00\x00\xb7\x05\x00\x00\x00\x00\x00\x00\x6a\x0a\x00\xfe\x00"
	"\x00\x00\x00\x85\x00\x00\x00\x28\x00\x00\x00\xb7\x00\x00\x00\x00\x00"
	"\x00\x00\x95\x00\x00\x00\x00\x00\x00\x00",
	112);
	(uint64_t)0x20000210 = 0x20000340;
	memcpy((void*)0x20000340, "syzkaller", 10);
	(uint32_t)0x20000218 = 0;
	(uint32_t)0x2000021c = 0;
	(uint64_t)0x20000220 = 0;
	(uint32_t)0x20000228 = 0;
	(uint32_t)0x2000022c = 0;
	(uint8_t)0x20000230 = 0;
	(uint8_t)0x20000231 = 0;
	(uint8_t)0x20000232 = 0;
	(uint8_t)0x20000233 = 0;
	(uint8_t)0x20000234 = 0;
	(uint8_t)0x20000235 = 0;
	(uint8_t)0x20000236 = 0;
	(uint8_t)0x20000237 = 0;
	(uint8_t)0x20000238 = 0;
	(uint8_t)0x20000239 = 0;
	(uint8_t)0x2000023a = 0;
	(uint8_t)0x2000023b = 0;
	(uint8_t)0x2000023c = 0;
	(uint8_t)0x2000023d = 0;
	(uint8_t)0x2000023e = 0;
	(uint8_t)0x2000023f = 0;
	(uint32_t)0x20000240 = 0;
	(uint32_t)0x20000244 = 0;
	res = syscall(__NR_bpf, 5, 0x20000200, 0x48);
	if (res != -1)
	r[0] = res;
	(uint32_t)0x20000180 = r[0];
	(uint32_t)0x20000184 = 0;
	(uint32_t)0x20000188 = 0xfd;
	(uint32_t)0x2000018c = 0x72;
	(uint64_t)0x20000190 = 0x20000480;
	memcpy((void*)0x20000480,
	"\xf4\x49\x73\x3d\x72\x3d\xa3\x30\x17\x57\x67\xbe\x45\x28\x66\x7c\x6d"
	"\xa5\xe6\x4b\xe3\xbf\x8a\x94\x09\x20\x9d\x47\x8c\x1e\x00\x4a\xb0\x62"
	"\xc7\xbf\x92\xcd\x24\x0b\x75\x22\x07\x24\x3d\x18\x37\x48\xc0\x12\x31"
	"\xdd\x7e\x4e\x8b\xb6\xd5\x96\x10\xf0\xee\x83\x01\x3c\x24\x66\x75\xc8"
	"\x04\x53\x9f\xb9\x7e\x3e\x99\x9c\x68\xd6\x6a\x53\x2e\x10\x04\x42\x78"
	"\x6f\xf8\x71\x42\x66\x94\xea\x08\x8c\x25\x4e\x6b\xf9\xef\xb4\x6a\x2a"
	"\xda\x3c\x51\xf8\xc4\x1c\x62\x8d\x45\x1e\x96\xa5\x3d\x0b\x55\x6b\x2e"
	"\x38\xc2\x36\x7f\xb0\xd6\xf5\xd4\xe5\x55\x01\x59\x26\xc5\xa8\x3a\xc4"
	"\xbb\x9f\x4b\x62\x38\x5e\x0c\xf4\x67\x21\xa1\x35\xc6\x4b\x86\xb3\x9d"
	"\x9b\x5a\x9f\x98\x2d\xde\x49\x4b\xa4\xf6\x76\x86\xae\x20\xd8\x91\xc2"
	"\xec\x91\xdc\x03\x5b\x35\xe3\xcb\x14\x2d\xf4\xa8\xd4\xd1\xe1\x86\xf1"
	"\x4b\x7f\x88\xa1\xbd\x14\x17\x00\xb4\xb3\xde\x93\x15\xae\xad\x5c\x49"
	"\x53\x3f\x69\x9e\x8c\xa1\xdd\x43\x24\x06\x72\x63\xe0\x43\x09\xc0\xc9"
	"\x18\xfb\x53\x88\xa5\x4d\x46\x07\xf6\x05\xab\x3d\x25\xa9\xc0\x2f\xa9"
	"\xd5\x93\xc2\x76\x25\x36\xb8\x0b\xa6\xd2\xa1\xae\xfc\x4b\x43",
	253);
	(uint64_t)0x20000198 = 0x200002c0;
	(uint32_t)0x200001a0 = 5;
	(uint32_t)0x200001a4 = 0;
	syscall(__NR_bpf, 0xa, 0x20000180, 0x28);
	}

	int main()
	{
	syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
	loop();
	return 0;
	}