Date: Tue, 5 Mar 2024 20:27:07 +0900
X-Mailing-List: linux-kernel@vger.kernel.org
User-Agent: Mozilla Thunderbird
Subject: Re: [syzbot] [hardening?] [mm?] BUG: bad usercopy in fpa_set
From: Tetsuo Handa
To: Linux ARM
Cc: syzbot, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
References: <0000000000004cf5c205faf1c7f3@google.com>
In-Reply-To: <0000000000004cf5c205faf1c7f3@google.com>

Hello.

syzbot is reporting a kernel memory overwrite attempt at fpa_set(). I guessed that the amount to copy from/to should be sizeof(union fp_state) rather than sizeof(struct user_fp), for arch_ptrace(PTRACE_[SG]ETFPREGS) for arm is using offset == 0 and size == sizeof(union fp_state). But my guess did not solve the issue ( https://syzkaller.appspot.com/x/patch.diff?x=11e46dbc180000 ).

On 2023/05/05 21:53, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    457391b03803 Linux 6.3
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=105b8bb0280000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=385e197a58ca4afe
> dashboard link: https://syzkaller.appspot.com/bug?extid=cb76c2983557a07cdb14
> compiler:       arm-linux-gnueabi-gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> userspace arch: arm

#syz set subsystems: arm