syzkaller-repros/linux/76b1f877893d053ac5d62d6ccaad2d6c0d28f161.c - pub/scm/linux/kernel/git/shuah/linux-arts - Git at Google

 // KASAN: slab-out-of-bounds Read in asn1_ber_decoder
 // https://syzkaller.appspot.com/bug?id=76b1f877893d053ac5d62d6ccaad2d6c0d28f161
 // status:fixed
 // autogenerated by syzkaller (http://github.com/google/syzkaller)

 #define _GNU_SOURCE

 #include <sys/syscall.h>
 #include <unistd.h>

 #include <stdint.h>
 #include <string.h>

 long r[16];
 void loop()
 {
   memset(r, -1, sizeof(r));
   r[0] = syscall(__NR_mmap, 0x20000000ul, 0xfff000ul, 0x3ul, 0x32ul,
                  0xfffffffffffffffful, 0x0ul);
   memcpy((void*)0x20084ffa, "\x6c\x6f\x67\x6f\x6e\x00", 6);
   *(uint8_t*)0x2078cffb = (uint8_t)0x73;
   *(uint8_t*)0x2078cffc = (uint8_t)0x79;
   *(uint8_t*)0x2078cffd = (uint8_t)0x7a;
   *(uint8_t*)0x2078cffe = (uint8_t)0x20;
   *(uint8_t*)0x2078cfff = (uint8_t)0x0;
   r[7] = syscall(__NR_add_key, 0x20084ffaul, 0x2078cffbul, 0x20b90000ul,
                  0x0ul, 0xfffffffffffffffbul);
   memcpy((void*)0x20825ff5,
          "\x61\x73\x79\x6d\x6d\x65\x74\x72\x69\x63\x00", 11);
   *(uint8_t*)0x205ceffb = (uint8_t)0x73;
   *(uint8_t*)0x205ceffc = (uint8_t)0x79;
   *(uint8_t*)0x205ceffd = (uint8_t)0x7a;
   *(uint8_t*)0x205ceffe = (uint8_t)0x20;
   *(uint8_t*)0x205cefff = (uint8_t)0x0;
   memcpy((void*)0x201d9000, "\x30\x32", 2);
   r[15] = syscall(__NR_add_key, 0x20825ff5ul, 0x205ceffbul,
                   0x201d9000ul, 0x2ul, r[7]);
 }

 int main()
 {
   loop();
   return 0;
 }
	// KASAN: slab-out-of-bounds Read in asn1_ber_decoder
	// https://syzkaller.appspot.com/bug?id=76b1f877893d053ac5d62d6ccaad2d6c0d28f161
	// status:fixed
	// autogenerated by syzkaller (http://github.com/google/syzkaller)

	#define _GNU_SOURCE

	#include <sys/syscall.h>
	#include <unistd.h>

	#include <stdint.h>
	#include <string.h>

	long r[16];
	void loop()
	{
	memset(r, -1, sizeof(r));
	r[0] = syscall(__NR_mmap, 0x20000000ul, 0xfff000ul, 0x3ul, 0x32ul,
	0xfffffffffffffffful, 0x0ul);
	memcpy((void*)0x20084ffa, "\x6c\x6f\x67\x6f\x6e\x00", 6);
	(uint8_t)0x2078cffb = (uint8_t)0x73;
	(uint8_t)0x2078cffc = (uint8_t)0x79;
	(uint8_t)0x2078cffd = (uint8_t)0x7a;
	(uint8_t)0x2078cffe = (uint8_t)0x20;
	(uint8_t)0x2078cfff = (uint8_t)0x0;
	r[7] = syscall(__NR_add_key, 0x20084ffaul, 0x2078cffbul, 0x20b90000ul,
	0x0ul, 0xfffffffffffffffbul);
	memcpy((void*)0x20825ff5,
	"\x61\x73\x79\x6d\x6d\x65\x74\x72\x69\x63\x00", 11);
	(uint8_t)0x205ceffb = (uint8_t)0x73;
	(uint8_t)0x205ceffc = (uint8_t)0x79;
	(uint8_t)0x205ceffd = (uint8_t)0x7a;
	(uint8_t)0x205ceffe = (uint8_t)0x20;
	(uint8_t)0x205cefff = (uint8_t)0x0;
	memcpy((void*)0x201d9000, "\x30\x32", 2);
	r[15] = syscall(__NR_add_key, 0x20825ff5ul, 0x205ceffbul,
	0x201d9000ul, 0x2ul, r[7]);
	}

	int main()
	{
	loop();
	return 0;
	}