Received: by 2002:ab2:1149:0:b0:1f3:1f8c:d0c6 with SMTP id z9csp2813063lqz; Wed, 3 Apr 2024 09:15:03 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCXqiVX00mJ3wRfYaazebS23kw+rQ7hN1egsPnKL8brzaIwLrV4KJJ9Md2jxaA8DsL35ChBn4Rsb8GiQbX8ZpK15YDdrGRrg6NoiBdOoQg== X-Google-Smtp-Source: AGHT+IHtGEy7UqyGTZff7E8DW45WsB3nA4JAP+AOX2TQCndhTvfGRqrfTehOJSjfRN0PEzUw8YS1 X-Received: by 2002:a17:90b:291:b0:29d:fdc5:8d07 with SMTP id az17-20020a17090b029100b0029dfdc58d07mr13911346pjb.13.1712160903000; Wed, 03 Apr 2024 09:15:03 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1712160902; cv=pass; d=google.com; s=arc-20160816; b=zXMrF01WK6Kla3WsoonWWAEoiwDVXrOAJ0ntsYQRXzr94ghmAAgLTO6Wz4gqb17dnp 34bbXiwTVPLZzhb1qObr7M0BpXWEpSZi4sf7IcYhGzjjioswzRW1VrUMUpgdPD/lsuKS 7Sd/x2gf/hLSxINyAzI3ru9uoibW3YlSoahv84EzXcaMEFAY3KhVX9HtGk9SRxkPNxgX ZIPcJKwevBfjqob5b4T2wglyXwmJTFbyj20kR8r8z3s8t/zykddM8301PMlHPZWFLva/ XzbgUw1/o41vp5gkuGEojz3LRX7yfJyICl47nLYCLKmJGbUgXcKUEnl+hHY7VBfLDkqe tCow== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:in-reply-to:content-disposition:mime-version :list-unsubscribe:list-subscribe:list-id:precedence:references :message-id:subject:cc:to:from:date:dkim-signature; bh=fc4gDAai9j+UWYc45hYpxViIgWITb5osBGXho7qrtHI=; fh=Q2N2auKWINlwD7iHt424mNd/JxjUv56DOsvt2GYZWKA=; b=dlXDyPBiFiczHgkx4XsotV4T7pIt+I2IQ3b8wg7azyolOc4mHhB0BUqVZXaGtt6xag 2cRZ601OnIdoVABs6b84pOl0/Wxao7SFnAqJPA3KXFlk/S+G3K76QwykFnfK+Zc6tOFY Uw5InH5JxEd7Ll2gednszqa5YIWBNVmgKFOPqNIFKZL5LiBQu3ySQ8uWFl9bopza5d98 cmBDyhIRROFx9mzp2N8DeoBoF5K237YMJJgcWgBr+887c5bGnRJOfqBw34DKVM8fPiSG CHI3BXD+rb3W5Il5hFSE3tA+J+4Z648dvXNdzgdIDKdJHgKVYLsPiLK6W1jaTre1HbIv xtgw==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=fail (test mode) header.i=@armlinux.org.uk header.s=pandora-2019 header.b=SkQ+dY5f; arc=pass (i=1 dkim=pass dkdomain=armlinux.org.uk dmarc=pass fromdomain=armlinux.org.uk); spf=pass (google.com: domain of linux-kernel+bounces-130174-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-130174-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=armlinux.org.uk Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id k5-20020a17090a3e8500b002a25ed32020si3176960pjc.182.2024.04.03.09.15.02 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 03 Apr 2024 09:15:02 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-130174-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; dkim=fail (test mode) header.i=@armlinux.org.uk header.s=pandora-2019 header.b=SkQ+dY5f; arc=pass (i=1 dkim=pass dkdomain=armlinux.org.uk dmarc=pass fromdomain=armlinux.org.uk); spf=pass (google.com: domain of linux-kernel+bounces-130174-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-130174-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=armlinux.org.uk Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 22A7E287FAF for ; Wed, 3 Apr 2024 16:12:26 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 1303214EC48; Wed, 3 Apr 2024 16:12:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=armlinux.org.uk header.i=@armlinux.org.uk header.b="SkQ+dY5f" Received: from pandora.armlinux.org.uk (pandora.armlinux.org.uk [78.32.30.218]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7583614B073 for ; Wed, 3 Apr 2024 16:12:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=78.32.30.218 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712160739; cv=none; b=sKYvQwAJzJmBC3cTWFbdVo22APuF3Qaah5e6a8PJTyK9CwaDBMk/7TjIkBJyuRLew1A0X2ibOQQ0Ha6i8GvYWetG2apqtJblDVmg6nBjLxg+sFqI7jYOxrrkUhvd5NTCpxCRN1SrIdA51WZ53h0mkTN3CWVpqKc43DKDXYR0KZc= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712160739; c=relaxed/simple; bh=qsyRmOlyTALS7ji80F2+z/3MPYXg6x1pvXiJIJElu34=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=FPMW5BqutHen9nvdNnX4rVCpxKQGC783kCcmpx1SRP85JpOwrSkWx0rTkVUk9nZ80KPlBVh62/NUtLhULQOF4u7SboJXMQgNz1O+2RPeu7af2OUB7JRV5jgI7fw/nV0KxiMFbkKqKlveRDsuLrKnJ4BFtBK57gfjdKe/v7+kKnw= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=armlinux.org.uk; spf=none smtp.mailfrom=armlinux.org.uk; dkim=pass (2048-bit key) header.d=armlinux.org.uk header.i=@armlinux.org.uk header.b=SkQ+dY5f; arc=none smtp.client-ip=78.32.30.218 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=armlinux.org.uk Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=armlinux.org.uk DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=armlinux.org.uk; s=pandora-2019; h=Sender:In-Reply-To:Content-Type: MIME-Version:References:Message-ID:Subject:Cc:To:From:Date:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=fc4gDAai9j+UWYc45hYpxViIgWITb5osBGXho7qrtHI=; b=SkQ+dY5ftzrf0uRCZdT/BokK+/ o36GyvaribvslS5SRmOBx7cKS7a1T5FIRzKY2QojVu/I82K7gFOIDEqhL0o2HKLn/ou2KdlqrlcTM y82+JAb7I1T2IOjWQ8JYsW72aBIsyzEyQeHy2Z5MniFsGdd/cXLmzH83PlzxjJjUukBey/iXc6xEp iaQhvXb/1uu6Ma5JrViy38atJ8lrOAjg3HAwc1AKieBhdwV5qh7w3OLKD+sM1Bek5mo+P7BmPnb0u wpnpBKq1HTuVY3wPa600P7tP/zMBDtuJFQbwqkqpiA02suKByZsZzgH1kKqkJeqzHzjC8pTvgtlzR V1o4pddg==; Received: from shell.armlinux.org.uk ([fd8f:7570:feb6:1:5054:ff:fe00:4ec]:56948) by pandora.armlinux.org.uk with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1rs3Dc-0000Gd-2Y; Wed, 03 Apr 2024 17:12:08 +0100 Received: from linux by shell.armlinux.org.uk with local (Exim 4.94.2) (envelope-from ) id 1rs3Db-00084V-Hs; Wed, 03 Apr 2024 17:12:07 +0100 Date: Wed, 3 Apr 2024 17:12:07 +0100 From: "Russell King (Oracle)" To: Tetsuo Handa Cc: Linux ARM , syzbot , linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com Subject: Re: [syzbot] [hardening?] [mm?] BUG: bad usercopy in fpa_set Message-ID: References: <0000000000004cf5c205faf1c7f3@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: Russell King (Oracle) On Tue, Mar 05, 2024 at 08:27:07PM +0900, Tetsuo Handa wrote: > Hello. > > syzbot is reporting kernel memory overwrite attempt at fpa_set(). > I guessed that the amount to copy from/to should be sizeof(union fp_state) > than sizeof(struct user_fp), for arch_ptrace(PTRACE_[SG]ETFPREGS) for arm > is using offset == 0 and size == sizeof(union fp_state). But my guess did not > solve the issue ( https://syzkaller.appspot.com/x/patch.diff?x=11e46dbc180000 ). This is silly. sizeof(struct user_fp) is: 8 * ( 1 bit for sign1, 15 bits unused => 2 bytes 1 bit for sign2, 14 bits unused, 1 bit for j => 2 bytes 31 bits for mantissa1 => 4 bytes 32 bits for mantissa0 => 4 bytes ) + 4 bytes for fpsr 4 bytes for fpcr 8 bytes for ftype 4 bytes for init_flag This totals 8 * 12 + 4 + 4 + 8 + 4 = 116 bytes or 29 32-bit quantities, or 29 "unsigned int"s. This is copied into union fp_state. This union is made up of one of several different formats depending on the FP being used. user_fp doesn't reflect this. However, one of these, struct fp_soft_struct, is specifically sized to ensure that user_fp is _smaller_. struct fp_soft_struct is 35 unsigned int's. This is 140 bytes. This is larger than sizeof(user_fp). Therefore, there is _no way_ for fpa_set() to overwrite anything outside of thread_info->fpstate, because sizeof(struct user_fp) is smaller than sizeof(thread->fpstate). Syzbot appears to be wrong in this instance. -- RMK's Patch system: https://www.armlinux.org.uk/developer/patches/ FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!