Received: by 2002:a89:2c3:0:b0:1ed:23cc:44d1 with SMTP id d3csp335068lqs;
        Tue, 5 Mar 2024 03:39:13 -0800 (PST)
X-Forwarded-Encrypted: i=3; AJvYcCVro6fl4C16YqstPyvcpWnnN1CIxeGe27XR3fFfsxtE256asmjRuBkXvV8HU6Q7q5oh4Ajq80q63b0n2rqkXclHyLEz5teVR6RgsRGbgA==
X-Google-Smtp-Source: AGHT+IGkxCSHzW7bCfYJTbjDqCuqYMqSCDClVcxHb7Ra5VjwZ0I+pVMLN87RL8OD3EKj+qUphDpz
X-Received: by 2002:a05:6a00:1915:b0:6e5:75cd:eff0 with SMTP id y21-20020a056a00191500b006e575cdeff0mr11567841pfi.31.1709638753379;
        Tue, 05 Mar 2024 03:39:13 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1709638753; cv=pass;
        d=google.com; s=arc-20160816;
        b=dWa1XNJnD1j1IoXWOYucx1sU9bE40NuIhasocl3SP4KfyjLy9zndf5yAxCfdSyJiOz
         88BmUwI9+6TtfU7pHZwn/ppONwUQ2obN+kzY/p+23JTzVU52n4eNJstZMoRfQ2/cQgsS
         xsXN3drBbfsWnEQS8PFYtCKOMj9l8ryXXhpGlhhyQBXYyx8zNMCOzaJEtLkPsZ3mFU3z
         DztJb3hA43LHKYrf9pFpJ7N3mm6XHW67E6RNFIw7hQkZzUMZPvkc5wwdYJGqvYveyUVM
         KVuT5kRnndv7M2B4JuY+OoXFUKrI0rfuXxIyQq0/ERFVMfIMby9d5MJyyZ6/gcTP7Kmt
         V4BA==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:in-reply-to:from:cc:references:to
         :content-language:subject:user-agent:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:date:message-id;
        bh=GviYOp8Dw02wnSbBYjnR2iUHFi3jl1tY9fPYiXmlNzg=;
        fh=BnIj6p42vCXto+W3NMj3ULlmL8uWQs7ypInuFBVCc/g=;
        b=yE5j2WIHLL3wX7gWyYnxonfBxYOmV6mz/XSMZhZp8uXZzEYzIcC2OxJoZjwn/IwWUU
         56MU9YLG5BjBxsPvdR1l1CkbsRr4zcS8ODI96PHeB+qZuLby2fKLsAjfx1NFS0VVrGj+
         lj3PEweq0PanEJn7Cc4zW4gKk12CrtlNYO4w4oh0XQXP6xyu0vPZBdgHEM1U7JJuSQ2h
         B7IWmkd1EyE2tez6/OfjK02Fi9/b9rkvfKz+Ka9ZeJCVnVQYKdsCIyqYiIi0u8McAlZ+
         Oym3ymUfnu2MJbHvp9Uk8lyjni8cR+EpMl9ooqbpNCZblb+bvytPI5Cbo7P63PpvaBX4
         Tqjg==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=i-love.sakura.ne.jp);
       spf=pass (google.com: domain of linux-kernel+bounces-92272-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-92272-linux.lists.archive=gmail.com@vger.kernel.org"
Return-Path: <linux-kernel+bounces-92272-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1])
        by mx.google.com with ESMTPS id cb3-20020a056a02070300b005ca5b61ca33si10722687pgb.224.2024.03.05.03.39.13
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 05 Mar 2024 03:39:13 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-92272-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1;
Authentication-Results: mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=i-love.sakura.ne.jp);
       spf=pass (google.com: domain of linux-kernel+bounces-92272-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-92272-linux.lists.archive=gmail.com@vger.kernel.org"
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sv.mirrors.kernel.org (Postfix) with ESMTPS id AC7F928B181
	for <linux.lists.archive@gmail.com>; Tue,  5 Mar 2024 11:30:30 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 2DC5A5A4C0;
	Tue,  5 Mar 2024 11:27:24 +0000 (UTC)
Received: from www262.sakura.ne.jp (www262.sakura.ne.jp [202.181.97.72])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 413C25917C
	for <linux-kernel@vger.kernel.org>; Tue,  5 Mar 2024 11:27:20 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=202.181.97.72
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1709638043; cv=none; b=MejBIdSZUJEHDLxHsTSarY9Yk6ZkahFF75sVLCSYuHUdmF329UlzohSCH+hS/yji+tQDCwhyC2TaxWObwnPVtFK2ybQ9svFIxxn48zBm7kkvyiEupewjCKMK2KRa6bq38JMhgolNrjn89PgrjmvyfIzV0ouwqxfwwsAtCRms7vs=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1709638043; c=relaxed/simple;
	bh=EZAs+7yDmUmEfCChBu8JZgtnvW4sn/MdtQUYDU61rfI=;
	h=Message-ID:Date:MIME-Version:Subject:To:References:Cc:From:
	 In-Reply-To:Content-Type; b=Uj7IzXECHOAGd7u5g5Lr1fFTEE/C1zuSPnLF0OO9De+ucFBdMBoy9YYvQx4G+IUG7WFRxotc1arVd7vo6ZIeodEBp1G4U9kh1/j1PLRpReIuH9FHJVit+bmgVz7NyxnDAvCihXk9Ue+JATkZtyJItytu73Ss3hOveyjwKfuIljg=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=I-love.SAKURA.ne.jp; spf=pass smtp.mailfrom=I-love.SAKURA.ne.jp; arc=none smtp.client-ip=202.181.97.72
Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=I-love.SAKURA.ne.jp
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=I-love.SAKURA.ne.jp
Received: from fsav312.sakura.ne.jp (fsav312.sakura.ne.jp [153.120.85.143])
	by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTP id 425BR7U0098036;
	Tue, 5 Mar 2024 20:27:07 +0900 (JST)
	(envelope-from penguin-kernel@I-love.SAKURA.ne.jp)
Received: from www262.sakura.ne.jp (202.181.97.72)
 by fsav312.sakura.ne.jp (F-Secure/fsigk_smtp/550/fsav312.sakura.ne.jp);
 Tue, 05 Mar 2024 20:27:07 +0900 (JST)
X-Virus-Status: clean(F-Secure/fsigk_smtp/550/fsav312.sakura.ne.jp)
Received: from [192.168.1.6] (M106072142033.v4.enabler.ne.jp [106.72.142.33])
	(authenticated bits=0)
	by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTPSA id 425BR79p098033
	(version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NO);
	Tue, 5 Mar 2024 20:27:07 +0900 (JST)
	(envelope-from penguin-kernel@I-love.SAKURA.ne.jp)
Message-ID: <dcf54740-7cc3-4017-ad1b-8626a22fc15e@I-love.SAKURA.ne.jp>
Date: Tue, 5 Mar 2024 20:27:07 +0900
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [syzbot] [hardening?] [mm?] BUG: bad usercopy in fpa_set
Content-Language: en-US
To: Linux ARM <linux-arm-kernel@lists.infradead.org>
References: <0000000000004cf5c205faf1c7f3@google.com>
Cc: syzbot <syzbot+cb76c2983557a07cdb14@syzkaller.appspotmail.com>,
        linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
In-Reply-To: <0000000000004cf5c205faf1c7f3@google.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Hello.

syzbot is reporting kernel memory overwrite attempt at fpa_set().
I guessed that the amount to copy from/to should be sizeof(union fp_state)
than sizeof(struct user_fp), for arch_ptrace(PTRACE_[SG]ETFPREGS) for arm
is using offset == 0 and size == sizeof(union fp_state). But my guess did not
solve the issue ( https://syzkaller.appspot.com/x/patch.diff?x=11e46dbc180000 ).

On 2023/05/05 21:53, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    457391b03803 Linux 6.3
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=105b8bb0280000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=385e197a58ca4afe
> dashboard link: https://syzkaller.appspot.com/bug?extid=cb76c2983557a07cdb14
> compiler:       arm-linux-gnueabi-gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> userspace arch: arm

#syz set subsystems: arm