syzkaller-repros/linux/74f4baf145987a4f8f09f031a771a345dbbec229.c - pub/scm/linux/kernel/git/shuah/linux-arts - Git at Google

 // KASAN: slab-out-of-bounds Read in ip6_xmit (3)
 // https://syzkaller.appspot.com/bug?id=74f4baf145987a4f8f09f031a771a345dbbec229
 // status:fixed
 // autogenerated by syzkaller (http://github.com/google/syzkaller)

 #define _GNU_SOURCE
 #include <endian.h>
 #include <stdint.h>
 #include <string.h>
 #include <sys/syscall.h>
 #include <unistd.h>

 #ifndef __NR_bpf
 #define __NR_bpf 321
 #endif

 uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};
 void loop()
 {
   long res = 0;
   syscall(__NR_socketpair, 0, 0, 0, 0x20000140);
   res = syscall(__NR_socket, 0xa, 1, 0);
   if (res != -1)
     r[0] = res;
   *(uint32_t*)0x20000280 = 0x12;
   *(uint32_t*)0x20000284 = 2;
   *(uint32_t*)0x20000288 = 4;
   *(uint32_t*)0x2000028c = 1;
   *(uint32_t*)0x20000290 = 0;
   *(uint32_t*)0x20000294 = 1;
   *(uint32_t*)0x20000298 = 0;
   *(uint8_t*)0x2000029c = 0;
   *(uint8_t*)0x2000029d = 0;
   *(uint8_t*)0x2000029e = 0;
   *(uint8_t*)0x2000029f = 0;
   *(uint8_t*)0x200002a0 = 0;
   *(uint8_t*)0x200002a1 = 0;
   *(uint8_t*)0x200002a2 = 0;
   *(uint8_t*)0x200002a3 = 0;
   *(uint8_t*)0x200002a4 = 0;
   *(uint8_t*)0x200002a5 = 0;
   *(uint8_t*)0x200002a6 = 0;
   *(uint8_t*)0x200002a7 = 0;
   *(uint8_t*)0x200002a8 = 0;
   *(uint8_t*)0x200002a9 = 0;
   *(uint8_t*)0x200002aa = 0;
   *(uint8_t*)0x200002ab = 0;
   res = syscall(__NR_bpf, 0, 0x20000280, 0x2c);
   if (res != -1)
     r[1] = res;
   *(uint32_t*)0x20000180 = r[1];
   *(uint64_t*)0x20000188 = 0x20000000;
   *(uint64_t*)0x20000190 = 0x20000140;
   *(uint64_t*)0x20000198 = 0;
   syscall(__NR_bpf, 2, 0x20000180, 0x20);
   *(uint64_t*)0x20000580 = 0x20000080;
   *(uint16_t*)0x20000080 = 2;
   *(uint16_t*)0x20000082 = htobe16(0x4e22);
   *(uint8_t*)0x20000084 = 0xac;
   *(uint8_t*)0x20000085 = 0x14;
   *(uint8_t*)0x20000086 = 0x14;
   *(uint8_t*)0x20000087 = 0xaa;
   *(uint8_t*)0x20000088 = 0;
   *(uint8_t*)0x20000089 = 0;
   *(uint8_t*)0x2000008a = 0;
   *(uint8_t*)0x2000008b = 0;
   *(uint8_t*)0x2000008c = 0;
   *(uint8_t*)0x2000008d = 0;
   *(uint8_t*)0x2000008e = 0;
   *(uint8_t*)0x2000008f = 0;
   *(uint32_t*)0x20000588 = 0x80;
   *(uint64_t*)0x20000590 = 0x200002c0;
   *(uint64_t*)0x200002c0 = 0x20000000;
   *(uint64_t*)0x200002c8 = 0;
   *(uint64_t*)0x20000598 = 1;
   *(uint64_t*)0x200005a0 = 0x20000300;
   *(uint64_t*)0x20000300 = 0x10;
   *(uint32_t*)0x20000308 = 0x1bf;
   *(uint32_t*)0x2000030c = 3;
   *(uint64_t*)0x20000310 = 0x10;
   *(uint32_t*)0x20000318 = 1;
   *(uint32_t*)0x2000031c = 0;
   *(uint64_t*)0x20000320 = 0x10;
   *(uint32_t*)0x20000328 = 0x19f;
   *(uint32_t*)0x2000032c = 9;
   *(uint64_t*)0x20000330 = 0x10;
   *(uint32_t*)0x20000338 = 0x10b;
   *(uint32_t*)0x2000033c = 1;
   *(uint64_t*)0x20000340 = 0x10;
   *(uint32_t*)0x20000348 = 0;
   *(uint32_t*)0x2000034c = 9;
   *(uint64_t*)0x200005a8 = 0x50;
   *(uint32_t*)0x200005b0 = 1;
   syscall(__NR_sendmsg, r[0], 0x20000580, 0x20000000);
 }

 int main()
 {
   syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
   loop();
   return 0;
 }
	// KASAN: slab-out-of-bounds Read in ip6_xmit (3)
	// https://syzkaller.appspot.com/bug?id=74f4baf145987a4f8f09f031a771a345dbbec229
	// status:fixed
	// autogenerated by syzkaller (http://github.com/google/syzkaller)

	#define _GNU_SOURCE
	#include <endian.h>
	#include <stdint.h>
	#include <string.h>
	#include <sys/syscall.h>
	#include <unistd.h>

	#ifndef __NR_bpf
	#define __NR_bpf 321
	#endif

	uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};
	void loop()
	{
	long res = 0;
	syscall(__NR_socketpair, 0, 0, 0, 0x20000140);
	res = syscall(__NR_socket, 0xa, 1, 0);
	if (res != -1)
	r[0] = res;
	(uint32_t)0x20000280 = 0x12;
	(uint32_t)0x20000284 = 2;
	(uint32_t)0x20000288 = 4;
	(uint32_t)0x2000028c = 1;
	(uint32_t)0x20000290 = 0;
	(uint32_t)0x20000294 = 1;
	(uint32_t)0x20000298 = 0;
	(uint8_t)0x2000029c = 0;
	(uint8_t)0x2000029d = 0;
	(uint8_t)0x2000029e = 0;
	(uint8_t)0x2000029f = 0;
	(uint8_t)0x200002a0 = 0;
	(uint8_t)0x200002a1 = 0;
	(uint8_t)0x200002a2 = 0;
	(uint8_t)0x200002a3 = 0;
	(uint8_t)0x200002a4 = 0;
	(uint8_t)0x200002a5 = 0;
	(uint8_t)0x200002a6 = 0;
	(uint8_t)0x200002a7 = 0;
	(uint8_t)0x200002a8 = 0;
	(uint8_t)0x200002a9 = 0;
	(uint8_t)0x200002aa = 0;
	(uint8_t)0x200002ab = 0;
	res = syscall(__NR_bpf, 0, 0x20000280, 0x2c);
	if (res != -1)
	r[1] = res;
	(uint32_t)0x20000180 = r[1];
	(uint64_t)0x20000188 = 0x20000000;
	(uint64_t)0x20000190 = 0x20000140;
	(uint64_t)0x20000198 = 0;
	syscall(__NR_bpf, 2, 0x20000180, 0x20);
	(uint64_t)0x20000580 = 0x20000080;
	(uint16_t)0x20000080 = 2;
	(uint16_t)0x20000082 = htobe16(0x4e22);
	(uint8_t)0x20000084 = 0xac;
	(uint8_t)0x20000085 = 0x14;
	(uint8_t)0x20000086 = 0x14;
	(uint8_t)0x20000087 = 0xaa;
	(uint8_t)0x20000088 = 0;
	(uint8_t)0x20000089 = 0;
	(uint8_t)0x2000008a = 0;
	(uint8_t)0x2000008b = 0;
	(uint8_t)0x2000008c = 0;
	(uint8_t)0x2000008d = 0;
	(uint8_t)0x2000008e = 0;
	(uint8_t)0x2000008f = 0;
	(uint32_t)0x20000588 = 0x80;
	(uint64_t)0x20000590 = 0x200002c0;
	(uint64_t)0x200002c0 = 0x20000000;
	(uint64_t)0x200002c8 = 0;
	(uint64_t)0x20000598 = 1;
	(uint64_t)0x200005a0 = 0x20000300;
	(uint64_t)0x20000300 = 0x10;
	(uint32_t)0x20000308 = 0x1bf;
	(uint32_t)0x2000030c = 3;
	(uint64_t)0x20000310 = 0x10;
	(uint32_t)0x20000318 = 1;
	(uint32_t)0x2000031c = 0;
	(uint64_t)0x20000320 = 0x10;
	(uint32_t)0x20000328 = 0x19f;
	(uint32_t)0x2000032c = 9;
	(uint64_t)0x20000330 = 0x10;
	(uint32_t)0x20000338 = 0x10b;
	(uint32_t)0x2000033c = 1;
	(uint64_t)0x20000340 = 0x10;
	(uint32_t)0x20000348 = 0;
	(uint32_t)0x2000034c = 9;
	(uint64_t)0x200005a8 = 0x50;
	(uint32_t)0x200005b0 = 1;
	syscall(__NR_sendmsg, r[0], 0x20000580, 0x20000000);
	}

	int main()
	{
	syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
	loop();
	return 0;
	}