syzkaller-repros/linux/0f3f51343d723b1f87bdf56364a2b3a1824e36d7.c - pub/scm/linux/kernel/git/shuah/linux-arts - Git at Google

 // KASAN: slab-out-of-bounds Read in tipc_nametbl_lookup_dst_nodes
 // https://syzkaller.appspot.com/bug?id=0f3f51343d723b1f87bdf56364a2b3a1824e36d7
 // status:fixed
 // autogenerated by syzkaller (http://github.com/google/syzkaller)

 #define _GNU_SOURCE

 #include <stdint.h>
 #include <string.h>
 #include <sys/syscall.h>
 #include <unistd.h>

 long r[21];
 void loop()
 {
   memset(r, -1, sizeof(r));
   r[0] = syscall(__NR_mmap, 0x20000000ul, 0xfff000ul, 0x3ul, 0x32ul,
                  0xfffffffffffffffful, 0x0ul);
   r[1] = syscall(__NR_socket, 0x1eul, 0x5ul, 0x0ul);
   *(uint64_t*)0x207ca000 = (uint64_t)0x20fdbf80;
   *(uint32_t*)0x207ca008 = (uint32_t)0x80;
   *(uint64_t*)0x207ca010 = (uint64_t)0x20145000;
   *(uint64_t*)0x207ca018 = (uint64_t)0x0;
   *(uint64_t*)0x207ca020 = (uint64_t)0x2036bfa0;
   *(uint64_t*)0x207ca028 = (uint64_t)0x3;
   *(uint32_t*)0x207ca030 = (uint32_t)0x40;
   *(uint16_t*)0x20fdbf80 = (uint16_t)0x100010000000001e;
   memcpy((void*)0x20fdbf82,
          "\x01\xff\x01\x00\x00\x00\x20\xdf\x00\x00\x00\x00\x00\x8f\x00"
          "\x00\x80\x5b\xf8\x6c\x48\x02\x00\x02\x00\x00\x00\xf1\xff\xff"
          "\xff\x00\x9a\x48\x00\xff\xe6\xa5\x00\x00\x00\x01\x03\x00\x00"
          "\x00\x00\xe4\xff\x06\x4b\x3f\x01\x3a\x00\x00\x00\x08\x00\x00"
          "\x00\x00\x00\x00\x00\x00\xac\x50\xd5\xfe\x32\xc4\x88\x00\x00"
          "\x00\x7f\xff\xff\xff\x6a\x00\x83\x56\xed\xb9\xa6\x34\x1c\x1f"
          "\xd4\x56\x24\x28\x1e\x00\x07\x0e\xce\x00\x02\x06\xc3\x97\x5b"
          "\xc4\x00\x00\xfd\x00\x00\x09\x00\x00\x00\x00\x00\x0b\x00\x00"
          "\xdb\x00\x00\x04\xda\x36",
          126);
   *(uint64_t*)0x2036bfa0 = (uint64_t)0x10;
   *(uint32_t*)0x2036bfa8 = (uint32_t)0x18b;
   *(uint32_t*)0x2036bfac = (uint32_t)0x80000000;
   *(uint64_t*)0x2036bfb0 = (uint64_t)0x10;
   *(uint32_t*)0x2036bfb8 = (uint32_t)0x88;
   *(uint32_t*)0x2036bfbc = (uint32_t)0xe1b;
   *(uint64_t*)0x2036bfc0 = (uint64_t)0x10;
   *(uint32_t*)0x2036bfc8 = (uint32_t)0x197;
   *(uint32_t*)0x2036bfcc = (uint32_t)0x8;
   r[20] = syscall(__NR_sendmsg, r[1], 0x207ca000ul, 0x4ul);
 }

 int main()
 {
   loop();
   return 0;
 }
	// KASAN: slab-out-of-bounds Read in tipc_nametbl_lookup_dst_nodes
	// https://syzkaller.appspot.com/bug?id=0f3f51343d723b1f87bdf56364a2b3a1824e36d7
	// status:fixed
	// autogenerated by syzkaller (http://github.com/google/syzkaller)

	#define _GNU_SOURCE

	#include <stdint.h>
	#include <string.h>
	#include <sys/syscall.h>
	#include <unistd.h>

	long r[21];
	void loop()
	{
	memset(r, -1, sizeof(r));
	r[0] = syscall(__NR_mmap, 0x20000000ul, 0xfff000ul, 0x3ul, 0x32ul,
	0xfffffffffffffffful, 0x0ul);
	r[1] = syscall(__NR_socket, 0x1eul, 0x5ul, 0x0ul);
	(uint64_t)0x207ca000 = (uint64_t)0x20fdbf80;
	(uint32_t)0x207ca008 = (uint32_t)0x80;
	(uint64_t)0x207ca010 = (uint64_t)0x20145000;
	(uint64_t)0x207ca018 = (uint64_t)0x0;
	(uint64_t)0x207ca020 = (uint64_t)0x2036bfa0;
	(uint64_t)0x207ca028 = (uint64_t)0x3;
	(uint32_t)0x207ca030 = (uint32_t)0x40;
	(uint16_t)0x20fdbf80 = (uint16_t)0x100010000000001e;
	memcpy((void*)0x20fdbf82,
	"\x01\xff\x01\x00\x00\x00\x20\xdf\x00\x00\x00\x00\x00\x8f\x00"
	"\x00\x80\x5b\xf8\x6c\x48\x02\x00\x02\x00\x00\x00\xf1\xff\xff"
	"\xff\x00\x9a\x48\x00\xff\xe6\xa5\x00\x00\x00\x01\x03\x00\x00"
	"\x00\x00\xe4\xff\x06\x4b\x3f\x01\x3a\x00\x00\x00\x08\x00\x00"
	"\x00\x00\x00\x00\x00\x00\xac\x50\xd5\xfe\x32\xc4\x88\x00\x00"
	"\x00\x7f\xff\xff\xff\x6a\x00\x83\x56\xed\xb9\xa6\x34\x1c\x1f"
	"\xd4\x56\x24\x28\x1e\x00\x07\x0e\xce\x00\x02\x06\xc3\x97\x5b"
	"\xc4\x00\x00\xfd\x00\x00\x09\x00\x00\x00\x00\x00\x0b\x00\x00"
	"\xdb\x00\x00\x04\xda\x36",
	126);
	(uint64_t)0x2036bfa0 = (uint64_t)0x10;
	(uint32_t)0x2036bfa8 = (uint32_t)0x18b;
	(uint32_t)0x2036bfac = (uint32_t)0x80000000;
	(uint64_t)0x2036bfb0 = (uint64_t)0x10;
	(uint32_t)0x2036bfb8 = (uint32_t)0x88;
	(uint32_t)0x2036bfbc = (uint32_t)0xe1b;
	(uint64_t)0x2036bfc0 = (uint64_t)0x10;
	(uint32_t)0x2036bfc8 = (uint32_t)0x197;
	(uint32_t)0x2036bfcc = (uint32_t)0x8;
	r[20] = syscall(__NR_sendmsg, r[1], 0x207ca000ul, 0x4ul);
	}

	int main()
	{
	loop();
	return 0;
	}