Date: Sat, 19 Sep 2020 00:55:28 +0100
From: Al Viro
To: Andy Lutomirski
Cc: syzbot, Aleksa Sarai, Borislav Petkov, Dave Hansen, "H. Peter Anvin", LKML, Ingo Molnar, Peter Zijlstra, syzkaller-bugs@googlegroups.com, Thomas Gleixner, X86 ML
Subject: Re: WARNING in ex_handler_uaccess
Message-ID: <20200918235528.GB3421308@ZenIV.linux.org.uk>
References: <000000000000762dee05af9ccd01@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Sep 18, 2020 at 04:31:33PM -0700, Andy Lutomirski wrote:
> check_zeroed_user() looks buggy. It does:
>
> 	if (!user_access_begin(from, size))
> 		return -EFAULT;
>
> 	unsafe_get_user(val, (unsigned long __user *) from, err_fault);
>
> This is wrong if size < sizeof(unsigned long) -- you read outside the
> area you verified using user_access_begin().

Read the code immediately prior to that. from will be word-aligned, and
size will be extended accordingly. If the area acceptable for
user_access_begin() ends *NOT* on a word boundary, you have a problem and
I would strongly recommend to seek professional help.

All reads in that thing are word-aligned and word-sized. So I very much
doubt that your analysis is correct.
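To make the alignment step the reply refers to concrete, here is an added userspace model of check_zeroed_user(); it is neither code from this thread nor the kernel's own function. It assumes a 64-bit little-endian build, a constructed word-aligned "page" standing in for user memory, and hypothetical stand-ins (access_ok_model, get_word_model, set_user_byte, check_zeroed_model) for user_access_begin(), unsafe_get_user() and the function itself; the byte mask follows the little-endian form of the kernel's aligned_byte_mask().

```c
#include <assert.h>
#include <stdint.h>
#include <string.h>

/* Constructed "user page": word-aligned and word-sized, like a real page. */
#define PAGE_WORDS 4
static unsigned long user_page[PAGE_WORDS];
#define PAGE_BASE ((uintptr_t)user_page)
/* Little-endian form of the kernel's aligned_byte_mask(): first n bytes (memory order) set. */
#define aligned_byte_mask(n) ((1UL << 8 * (n)) - 1)

/* Stand-in for user_access_begin(): the range [p, p+size) must lie inside the page. */
static int access_ok_model(const unsigned char *p, size_t size)
{
	uintptr_t s = (uintptr_t)p;
	return s >= PAGE_BASE && size <= sizeof(user_page) && s - PAGE_BASE <= sizeof(user_page) - size;
}

/* Stand-in for unsafe_get_user(): every read must be word-aligned, word-sized and in-page. */
static unsigned long get_word_model(const unsigned char *p)
{
	unsigned long v;
	assert((uintptr_t)p % sizeof v == 0);
	assert((uintptr_t)p >= PAGE_BASE && (uintptr_t)p + sizeof v <= PAGE_BASE + sizeof(user_page));
	memcpy(&v, p, sizeof v);
	return v;
}

/* Writes one byte of the constructed page (for scenarios); returns the value written. */
int set_user_byte(size_t off, unsigned char b) { return ((unsigned char *)user_page)[off] = b; }

/* Userspace model of check_zeroed_user(): 1 = all zero, 0 = nonzero byte found, -1 = EFAULT. */
int check_zeroed_model(const unsigned char *from, size_t size)
{
	unsigned long val;
	size_t align = (uintptr_t)from % sizeof(unsigned long);
	if (size == 0) return 1;
	from -= align;	/* round the start down to a word boundary ... */
	size += align;	/* ... and widen the range so it still covers the caller's bytes */
	if (!access_ok_model(from, size)) return -1;
	val = get_word_model(from);
	if (align) val &= ~aligned_byte_mask(align);	/* drop bytes before the caller's start */
	while (size > sizeof(unsigned long)) {
		if (val) return 0;
		from += sizeof(unsigned long);
		size -= sizeof(unsigned long);
		val = get_word_model(from);
	}
	if (size < sizeof(unsigned long)) val &= aligned_byte_mask(size);	/* drop bytes after the caller's end */
	return val == 0;
}
```

Because the page ends on a word boundary, the trailing partial word is read whole without leaving the verified page, and the mask discards the bytes past the caller's end.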