Date: Fri, 5 Apr 2024 23:02:05 +0900
X-Mailing-List: linux-kernel@vger.kernel.org
Subject:
Re: [syzbot] [hardening?] [mm?] BUG: bad usercopy in fpa_set Content-Language: en-US From: Tetsuo Handa To: syzbot , linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, Kees Cook References: <0000000000004cf5c205faf1c7f3@google.com> <1fec6a8b-7083-4b08-858a-0793f996ed52@I-love.SAKURA.ne.jp> In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c index c421a899fc84..347611ae762f 100644 --- a/arch/arm/kernel/ptrace.c +++ b/arch/arm/kernel/ptrace.c @@ -583,10 +583,15 @@ static int fpa_set(struct task_struct *target, const void *kbuf, const void __user *ubuf) { struct thread_info *thread = task_thread_info(target); + const unsigned int pos0 = pos; + char buf[sizeof(struct user_fp)]; + int ret; - return user_regset_copyin(&pos, &count, &kbuf, &ubuf, - &thread->fpstate, - 0, sizeof(struct user_fp)); + ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, + buf, 0, sizeof(struct user_fp)); + if (!ret) + memcpy(&thread->fpstate, buf, pos - pos0); + return ret; } #ifdef CONFIG_VFP
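Review bot: the new tail of fpa_set ignores the starting offset when it writes the bounced data back: user_regset_copyin is called with start_pos 0, so it places the incoming bytes at buf + pos (i.e. from buf + pos0 onward), yet `memcpy(&thread->fpstate, buf, pos - pos0)` copies from buf[0] into the start of fpstate. For a caller that begins at pos 0 the two coincide, but for any non-zero starting pos the wrong bytes land in the wrong place, which the original direct copyin into &thread->fpstate handled correctly; copying `pos - pos0` bytes from `buf + pos0` to `(char *)&thread->fpstate + pos0` keeps the old semantics for every pos. The buffer is also left uninitialised, which is only safe because the length written back equals the length consumed; that invariant deserves a comment, as does the fact that a failed copyin now leaves fpstate untouched where the old code could have updated it partially. Finally the change carries no description: it should state that the stack bounce buffer exists so the usercopy no longer targets thread->fpstate, which is the object the reported bad-usercopy splat is about.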