syzkaller-repros/linux/29bd73ed27734a53a46318ed8921a0087df8f5fd.c - pub/scm/linux/kernel/git/shuah/linux-arts - Git at Google

 // KASAN: slab-out-of-bounds Write in tcp_v6_syn_recv_sock
 // https://syzkaller.appspot.com/bug?id=29bd73ed27734a53a46318ed8921a0087df8f5fd
 // status:fixed
 // autogenerated by syzkaller (http://github.com/google/syzkaller)

 #define _GNU_SOURCE
 #include <endian.h>
 #include <stdint.h>
 #include <string.h>
 #include <sys/syscall.h>
 #include <unistd.h>

 static void test();

 void loop()
 {
   while (1) {
     test();
   }
 }

 long r[3];
 void test()
 {
   memset(r, -1, sizeof(r));
   syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);
   r[0] = syscall(__NR_socket, 2, 1, 0);
   r[1] = syscall(__NR_socket, 0xa, 1, 0);
   *(uint16_t*)0x20c9c000 = 0xa;
   *(uint16_t*)0x20c9c002 = htobe16(0x4e22);
   *(uint32_t*)0x20c9c004 = 0;
   *(uint8_t*)0x20c9c008 = 0;
   *(uint8_t*)0x20c9c009 = 0;
   *(uint8_t*)0x20c9c00a = 0;
   *(uint8_t*)0x20c9c00b = 0;
   *(uint8_t*)0x20c9c00c = 0;
   *(uint8_t*)0x20c9c00d = 0;
   *(uint8_t*)0x20c9c00e = 0;
   *(uint8_t*)0x20c9c00f = 0;
   *(uint8_t*)0x20c9c010 = 0;
   *(uint8_t*)0x20c9c011 = 0;
   *(uint8_t*)0x20c9c012 = 0;
   *(uint8_t*)0x20c9c013 = 0;
   *(uint8_t*)0x20c9c014 = 0;
   *(uint8_t*)0x20c9c015 = 0;
   *(uint8_t*)0x20c9c016 = 0;
   *(uint8_t*)0x20c9c017 = 0;
   *(uint32_t*)0x20c9c018 = 0;
   syscall(__NR_bind, r[1], 0x20c9c000, 0x1c);
   syscall(__NR_listen, r[1], 0);
   memcpy((void*)0x20042ffc, "tls", 4);
   syscall(__NR_setsockopt, r[1], 6, 0x1f, 0x20042ffc, 4);
   *(uint16_t*)0x200b0000 = 2;
   *(uint16_t*)0x200b0002 = htobe16(0x4e22);
   *(uint32_t*)0x200b0004 = htobe32(0);
   *(uint8_t*)0x200b0008 = 0;
   *(uint8_t*)0x200b0009 = 0;
   *(uint8_t*)0x200b000a = 0;
   *(uint8_t*)0x200b000b = 0;
   *(uint8_t*)0x200b000c = 0;
   *(uint8_t*)0x200b000d = 0;
   *(uint8_t*)0x200b000e = 0;
   *(uint8_t*)0x200b000f = 0;
   syscall(__NR_sendto, r[0], 0x2087a000, 0, 0x20008045, 0x200b0000, 0x10);
   r[2] = syscall(__NR_socket, 0x10, 3, 0);
   memcpy((void*)0x20203000, "\x26\x00\x00\x00\x13\x00\x47\xf1\x07\x01\xc1\xb0"
                             "\x0e\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
                             "\x09\xef\x18\xff\xff\x00\xf1\x32\x05\x00\x14\x00"
                             "\x6e\x35",
          38);
   syscall(__NR_write, r[2], 0x20203000, 0x26);
 }

 int main()
 {
   for (;;) {
     loop();
   }
 }
	// KASAN: slab-out-of-bounds Write in tcp_v6_syn_recv_sock
	// https://syzkaller.appspot.com/bug?id=29bd73ed27734a53a46318ed8921a0087df8f5fd
	// status:fixed
	// autogenerated by syzkaller (http://github.com/google/syzkaller)

	#define _GNU_SOURCE
	#include <endian.h>
	#include <stdint.h>
	#include <string.h>
	#include <sys/syscall.h>
	#include <unistd.h>

	static void test();

	void loop()
	{
	while (1) {
	test();
	}
	}

	long r[3];
	void test()
	{
	memset(r, -1, sizeof(r));
	syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);
	r[0] = syscall(__NR_socket, 2, 1, 0);
	r[1] = syscall(__NR_socket, 0xa, 1, 0);
	(uint16_t)0x20c9c000 = 0xa;
	(uint16_t)0x20c9c002 = htobe16(0x4e22);
	(uint32_t)0x20c9c004 = 0;
	(uint8_t)0x20c9c008 = 0;
	(uint8_t)0x20c9c009 = 0;
	(uint8_t)0x20c9c00a = 0;
	(uint8_t)0x20c9c00b = 0;
	(uint8_t)0x20c9c00c = 0;
	(uint8_t)0x20c9c00d = 0;
	(uint8_t)0x20c9c00e = 0;
	(uint8_t)0x20c9c00f = 0;
	(uint8_t)0x20c9c010 = 0;
	(uint8_t)0x20c9c011 = 0;
	(uint8_t)0x20c9c012 = 0;
	(uint8_t)0x20c9c013 = 0;
	(uint8_t)0x20c9c014 = 0;
	(uint8_t)0x20c9c015 = 0;
	(uint8_t)0x20c9c016 = 0;
	(uint8_t)0x20c9c017 = 0;
	(uint32_t)0x20c9c018 = 0;
	syscall(__NR_bind, r[1], 0x20c9c000, 0x1c);
	syscall(__NR_listen, r[1], 0);
	memcpy((void*)0x20042ffc, "tls", 4);
	syscall(__NR_setsockopt, r[1], 6, 0x1f, 0x20042ffc, 4);
	(uint16_t)0x200b0000 = 2;
	(uint16_t)0x200b0002 = htobe16(0x4e22);
	(uint32_t)0x200b0004 = htobe32(0);
	(uint8_t)0x200b0008 = 0;
	(uint8_t)0x200b0009 = 0;
	(uint8_t)0x200b000a = 0;
	(uint8_t)0x200b000b = 0;
	(uint8_t)0x200b000c = 0;
	(uint8_t)0x200b000d = 0;
	(uint8_t)0x200b000e = 0;
	(uint8_t)0x200b000f = 0;
	syscall(__NR_sendto, r[0], 0x2087a000, 0, 0x20008045, 0x200b0000, 0x10);
	r[2] = syscall(__NR_socket, 0x10, 3, 0);
	memcpy((void*)0x20203000, "\x26\x00\x00\x00\x13\x00\x47\xf1\x07\x01\xc1\xb0"
	"\x0e\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
	"\x09\xef\x18\xff\xff\x00\xf1\x32\x05\x00\x14\x00"
	"\x6e\x35",
	38);
	syscall(__NR_write, r[2], 0x20203000, 0x26);
	}

	int main()
	{
	for (;;) {
	loop();
	}
	}