syzkaller-repros/linux/147b6b056a3ecb0e72153ff353446d64867e2894.c - pub/scm/linux/kernel/git/shuah/linux-arts - Git at Google

 // KASAN: stack-out-of-bounds Read in xfrm_state_find (3)
 // https://syzkaller.appspot.com/bug?id=147b6b056a3ecb0e72153ff353446d64867e2894
 // status:fixed
 // autogenerated by syzkaller (http://github.com/google/syzkaller)

 #define _GNU_SOURCE

 #include <endian.h>
 #include <sys/syscall.h>
 #include <unistd.h>

 #include <stdint.h>
 #include <string.h>

 long r[1];
 void loop()
 {
   memset(r, -1, sizeof(r));
   syscall(__NR_mmap, 0x20000000, 0xfff000, 0x3, 0x32, 0xffffffff, 0x0);
   r[0] = syscall(__NR_socket, 0xa, 0x2, 0x0);
   *(uint64_t*)0x20000f18 = htobe64(0x0);
   *(uint64_t*)0x20000f20 = htobe64(0x1);
   *(uint64_t*)0x20000f28 = htobe64(0x0);
   *(uint64_t*)0x20000f30 = htobe64(0x1);
   *(uint16_t*)0x20000f38 = htobe16(0x4e20);
   *(uint16_t*)0x20000f3a = 0x0;
   *(uint16_t*)0x20000f3c = htobe16(0x4e20);
   *(uint16_t*)0x20000f3e = 0x0;
   *(uint16_t*)0x20000f40 = 0xa;
   *(uint8_t*)0x20000f42 = 0x0;
   *(uint8_t*)0x20000f43 = 0x0;
   *(uint8_t*)0x20000f44 = 0x0;
   *(uint32_t*)0x20000f48 = 0x0;
   *(uint32_t*)0x20000f4c = 0x0;
   *(uint64_t*)0x20000f50 = 0x0;
   *(uint64_t*)0x20000f58 = 0x4;
   *(uint64_t*)0x20000f60 = 0x0;
   *(uint64_t*)0x20000f68 = 0x0;
   *(uint64_t*)0x20000f70 = 0x0;
   *(uint64_t*)0x20000f78 = 0x0;
   *(uint64_t*)0x20000f80 = 0x0;
   *(uint64_t*)0x20000f88 = 0x0;
   *(uint64_t*)0x20000f90 = 0x0;
   *(uint64_t*)0x20000f98 = 0x0;
   *(uint64_t*)0x20000fa0 = 0x0;
   *(uint64_t*)0x20000fa8 = 0x0;
   *(uint32_t*)0x20000fb0 = 0x0;
   *(uint32_t*)0x20000fb4 = 0x0;
   *(uint8_t*)0x20000fb8 = 0x1;
   *(uint8_t*)0x20000fb9 = 0x0;
   *(uint8_t*)0x20000fba = 0x0;
   *(uint8_t*)0x20000fbb = 0x0;
   *(uint32_t*)0x20000fc0 = htobe32(0xe0000001);
   *(uint32_t*)0x20000fd0 = 0x0;
   *(uint8_t*)0x20000fd4 = 0x0;
   *(uint16_t*)0x20000fd8 = 0x0;
   *(uint8_t*)0x20000fdc = 0x0;
   *(uint8_t*)0x20000fdd = 0x0;
   *(uint8_t*)0x20000fde = 0x0;
   *(uint8_t*)0x20000fdf = 0x0;
   *(uint8_t*)0x20000fe0 = 0x0;
   *(uint8_t*)0x20000fe1 = 0x0;
   *(uint8_t*)0x20000fe2 = 0x0;
   *(uint8_t*)0x20000fe3 = 0x0;
   *(uint8_t*)0x20000fe4 = 0x0;
   *(uint8_t*)0x20000fe5 = 0x0;
   *(uint8_t*)0x20000fe6 = 0x0;
   *(uint8_t*)0x20000fe7 = 0x0;
   *(uint8_t*)0x20000fe8 = 0x0;
   *(uint8_t*)0x20000fe9 = 0x0;
   *(uint8_t*)0x20000fea = 0x0;
   *(uint8_t*)0x20000feb = 0x0;
   *(uint32_t*)0x20000fec = 0x0;
   *(uint8_t*)0x20000ff0 = 0x0;
   *(uint8_t*)0x20000ff1 = 0x0;
   *(uint8_t*)0x20000ff2 = 0x0;
   *(uint32_t*)0x20000ff4 = 0x0;
   *(uint32_t*)0x20000ff8 = 0x0;
   *(uint32_t*)0x20000ffc = 0x0;
   syscall(__NR_setsockopt, r[0], 0x29, 0x23, 0x20000f18, 0xe8);
   *(uint16_t*)0x20999000 = 0x2;
   *(uint16_t*)0x20999002 = htobe16(0x4e20);
   *(uint32_t*)0x20999004 = 0x0;
   *(uint64_t*)0x20999008 = htobe64(0x0);
   *(uint64_t*)0x20999010 = htobe64(0x1);
   *(uint32_t*)0x20999018 = 0x0;
   syscall(__NR_sendto, r[0], 0x2028a000, 0x0, 0x0, 0x20999000, 0x1c);
 }

 int main()
 {
   loop();
   return 0;
 }
	// KASAN: stack-out-of-bounds Read in xfrm_state_find (3)
	// https://syzkaller.appspot.com/bug?id=147b6b056a3ecb0e72153ff353446d64867e2894
	// status:fixed
	// autogenerated by syzkaller (http://github.com/google/syzkaller)

	#define _GNU_SOURCE

	#include <endian.h>
	#include <sys/syscall.h>
	#include <unistd.h>

	#include <stdint.h>
	#include <string.h>

	long r[1];
	void loop()
	{
	memset(r, -1, sizeof(r));
	syscall(__NR_mmap, 0x20000000, 0xfff000, 0x3, 0x32, 0xffffffff, 0x0);
	r[0] = syscall(__NR_socket, 0xa, 0x2, 0x0);
	(uint64_t)0x20000f18 = htobe64(0x0);
	(uint64_t)0x20000f20 = htobe64(0x1);
	(uint64_t)0x20000f28 = htobe64(0x0);
	(uint64_t)0x20000f30 = htobe64(0x1);
	(uint16_t)0x20000f38 = htobe16(0x4e20);
	(uint16_t)0x20000f3a = 0x0;
	(uint16_t)0x20000f3c = htobe16(0x4e20);
	(uint16_t)0x20000f3e = 0x0;
	(uint16_t)0x20000f40 = 0xa;
	(uint8_t)0x20000f42 = 0x0;
	(uint8_t)0x20000f43 = 0x0;
	(uint8_t)0x20000f44 = 0x0;
	(uint32_t)0x20000f48 = 0x0;
	(uint32_t)0x20000f4c = 0x0;
	(uint64_t)0x20000f50 = 0x0;
	(uint64_t)0x20000f58 = 0x4;
	(uint64_t)0x20000f60 = 0x0;
	(uint64_t)0x20000f68 = 0x0;
	(uint64_t)0x20000f70 = 0x0;
	(uint64_t)0x20000f78 = 0x0;
	(uint64_t)0x20000f80 = 0x0;
	(uint64_t)0x20000f88 = 0x0;
	(uint64_t)0x20000f90 = 0x0;
	(uint64_t)0x20000f98 = 0x0;
	(uint64_t)0x20000fa0 = 0x0;
	(uint64_t)0x20000fa8 = 0x0;
	(uint32_t)0x20000fb0 = 0x0;
	(uint32_t)0x20000fb4 = 0x0;
	(uint8_t)0x20000fb8 = 0x1;
	(uint8_t)0x20000fb9 = 0x0;
	(uint8_t)0x20000fba = 0x0;
	(uint8_t)0x20000fbb = 0x0;
	(uint32_t)0x20000fc0 = htobe32(0xe0000001);
	(uint32_t)0x20000fd0 = 0x0;
	(uint8_t)0x20000fd4 = 0x0;
	(uint16_t)0x20000fd8 = 0x0;
	(uint8_t)0x20000fdc = 0x0;
	(uint8_t)0x20000fdd = 0x0;
	(uint8_t)0x20000fde = 0x0;
	(uint8_t)0x20000fdf = 0x0;
	(uint8_t)0x20000fe0 = 0x0;
	(uint8_t)0x20000fe1 = 0x0;
	(uint8_t)0x20000fe2 = 0x0;
	(uint8_t)0x20000fe3 = 0x0;
	(uint8_t)0x20000fe4 = 0x0;
	(uint8_t)0x20000fe5 = 0x0;
	(uint8_t)0x20000fe6 = 0x0;
	(uint8_t)0x20000fe7 = 0x0;
	(uint8_t)0x20000fe8 = 0x0;
	(uint8_t)0x20000fe9 = 0x0;
	(uint8_t)0x20000fea = 0x0;
	(uint8_t)0x20000feb = 0x0;
	(uint32_t)0x20000fec = 0x0;
	(uint8_t)0x20000ff0 = 0x0;
	(uint8_t)0x20000ff1 = 0x0;
	(uint8_t)0x20000ff2 = 0x0;
	(uint32_t)0x20000ff4 = 0x0;
	(uint32_t)0x20000ff8 = 0x0;
	(uint32_t)0x20000ffc = 0x0;
	syscall(__NR_setsockopt, r[0], 0x29, 0x23, 0x20000f18, 0xe8);
	(uint16_t)0x20999000 = 0x2;
	(uint16_t)0x20999002 = htobe16(0x4e20);
	(uint32_t)0x20999004 = 0x0;
	(uint64_t)0x20999008 = htobe64(0x0);
	(uint64_t)0x20999010 = htobe64(0x1);
	(uint32_t)0x20999018 = 0x0;
	syscall(__NR_sendto, r[0], 0x2028a000, 0x0, 0x0, 0x20999000, 0x1c);
	}

	int main()
	{
	loop();
	return 0;
	}