| // KASAN: use-after-free Read in tipc_group_self |
| // https://syzkaller.appspot.com/bug?id=908e979198858d1e07b38c4db2600bc20551b15e |
| // status:fixed |
| // autogenerated by syzkaller (http://github.com/google/syzkaller) |
| |
| #define _GNU_SOURCE |
| |
| #include <sys/syscall.h> |
| #include <unistd.h> |
| |
| #include <stdint.h> |
| #include <string.h> |
| |
| long r[11]; |
| void loop() |
| { |
| memset(r, -1, sizeof(r)); |
| r[0] = syscall(__NR_mmap, 0x20000000ul, 0x9000ul, 0x3ul, 0x32ul, |
| 0xfffffffffffffffful, 0x0ul); |
| r[1] = syscall(__NR_socketpair, 0x8000000000001eul, 0x2ul, 0x0ul, |
| 0x20000000ul); |
| if (r[1] != -1) |
| r[2] = *(uint32_t*)0x20000004; |
| *(uint32_t*)0x20000fe4 = (uint32_t)0xfffffffffffffffd; |
| *(uint32_t*)0x20000fe8 = (uint32_t)0x3; |
| *(uint32_t*)0x20000fec = (uint32_t)0xfff; |
| *(uint32_t*)0x20000ff0 = (uint32_t)0xffffffff; |
| *(uint32_t*)0x20000ff4 = (uint32_t)0x40ffffffff; |
| *(uint32_t*)0x20000ff8 = (uint32_t)0x4; |
| *(uint32_t*)0x20000ffc = (uint32_t)0x6; |
| r[10] = syscall(__NR_setsockopt, r[2], 0x10ful, 0x87ul, 0x20000fe4ul, |
| 0x1cul); |
| } |
| |
| int main() |
| { |
| loop(); |
| return 0; |
| } |
