Date: Tue, 5 Mar 2024 19:55:45 +0900
X-Mailing-List: linux-kernel@vger.kernel.org
Subject:
Re: [syzbot] [hardening?] [mm?] BUG: bad usercopy in fpa_set Content-Language: en-US From: Tetsuo Handa To: syzbot , linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com References: <0000000000004cf5c205faf1c7f3@google.com> <1fec6a8b-7083-4b08-858a-0793f996ed52@I-love.SAKURA.ne.jp> In-Reply-To: <1fec6a8b-7083-4b08-858a-0793f996ed52@I-love.SAKURA.ne.jp> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c index c421a899fc84..b47e56a87dfa 100644 --- a/arch/arm/kernel/ptrace.c +++ b/arch/arm/kernel/ptrace.c @@ -573,8 +573,10 @@ static int fpa_get(struct task_struct *target, const struct user_regset *regset, struct membuf to) { - return membuf_write(&to, &task_thread_info(target)->fpstate, - sizeof(struct user_fp)); + struct thread_info *thread = task_thread_info(target); + + return membuf_write(&to, &thread->fpstate, + sizeof(thread->fpstate)); } static int fpa_set(struct task_struct *target, @@ -586,7 +588,7 @@ static int fpa_set(struct task_struct *target, return user_regset_copyin(&pos, &count, &kbuf, &ubuf, &thread->fpstate, - 0, sizeof(struct user_fp)); + 0, sizeof(thread->fpstate)); } #ifdef CONFIG_VFP @@ -690,7 +692,7 @@ static const struct user_regset arm_regsets[] = { * of sizes, so pretend that the registers are word-sized: */ .core_note_type = NT_PRFPREG, - .n = sizeof(struct user_fp) / sizeof(u32), + .n = sizeof(union fp_state) / sizeof(u32), .size = sizeof(u32), .align = sizeof(u32), .regset_get = fpa_get,
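Review bot: in the fpa_get hunk, switching the write length from sizeof(struct user_fp) to sizeof(thread->fpstate) changes how many bytes of thread_info are handed to userspace, and every byte of the union past the struct user_fp layout is now copied out as well (this path feeds both PTRACE_GETREGSET and the NT_PRFPREG core-dump note), so please confirm that the tail of fpstate is always initialized, otherwise the test patch trades a usercopy splat for a kernel info leak. If the intent is only to make the copy length match the object the hardened-usercopy check sees, keeping sizeof(struct user_fp) and adding `BUILD_BUG_ON(sizeof(struct user_fp) > sizeof(union fp_state));` next to fpa_get documents the invariant without changing what userspace receives.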
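Review bot: in the fpa_set hunk, raising the user_regset_copyin() end offset from sizeof(struct user_fp) to sizeof(thread->fpstate) lets a tracer write the whole union rather than only the user_fp-shaped prefix, so the first question is whether the bytes after that prefix are something userspace should be able to set at all. The second is whether a length change addresses the report: a "bad usercopy" splat can be about the copy length exceeding the object, but it can equally be about the destination object itself (a field of thread_info, which on configurations with THREAD_INFO_IN_TASK lives inside the task_struct slab object and outside the whitelisted thread_struct region), and in that case no value of the length argument will make the check pass. The report's "to/from ... object" line distinguishes the two cases and is worth quoting alongside the test request.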
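Review bot: in the arm_regsets hunk, deriving .n from union fp_state instead of struct user_fp changes the size userspace sees for NT_PRFPREG, since PTRACE_GETREGSET returns .n * .size bytes and the same count becomes the note size in core dumps; consumers sized to struct user_fp (ARM's elf_fpregset_t is a struct user_fp) will therefore see a different length. Unless an ABI change is intended, keep .n tied to the user-facing struct and fix the size relationship on the kernel side instead; if the new value does stay, .n, fpa_get and fpa_set at least remain consistent with each other, which is the one thing this hunk gets right.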