Received: by 2002:ab2:69cc:0:b0:1f4:be93:e15a with SMTP id n12csp1369369lqp; Mon, 15 Apr 2024 04:44:23 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCVNn6h4n7SE3Jdau818VCBTY+T75YzgzGjwKcTML+Aqab713FQgFg7hFHiE9YV7DZ5Zsy+yF34zf1pEeW3eNMOiKG2RravO5OteVkh/+g== X-Google-Smtp-Source: AGHT+IFDasRLezC8lfgIM/vEuImVwEd+1y19TrJHJ/Lkzb+ZMsKeitli2QsDoyzu891gitmq7hiv X-Received: by 2002:a05:6a00:2d22:b0:6ee:1508:edc8 with SMTP id fa34-20020a056a002d2200b006ee1508edc8mr10396871pfb.23.1713181463452; Mon, 15 Apr 2024 04:44:23 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1713181463; cv=pass; d=google.com; s=arc-20160816; b=ZojkF5FztEwYhLLNOZo8rgrfBUWzvTeqNaPdcRGsUXphMmHQ7wpXc8kPw9KWkO1kRC oWDXxtB1Bb7D40aHLeFjJAbHXPB2NGlwKjpoCqSzm4p9zeSUVlYjKmByhYwLqF5ugaRX hZhY2huNusPcABHcqc9umL+b59WeM2TrXaJMKw5WTXziNgiOS3PA/pMrPK8ps2u1o0Zy tEQfRxyRN/sqib7KxHSgKsVdJvs9h1v69UCNvccudnrhGEhztTvGf2hLD+5Lsubt1mFG 3GNVpRVBZiOVit8xqKJBF5Ykp9EXSPNgSgkZey45HTzHYbWu79T5txGCdyU4GdsNkMRl vZ0w== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date; bh=gT6gbhUGrO5BJl/ZGuqsImRllMZe1KNvIXavek/k7B4=; fh=1AbriEWc4KYIR4KZ1c1dd5kbsk3CyJDBTc+b1Fv3bBg=; b=x7nz5QBFvzdUxkt+CqG4P2ysIvLnr0bFJ49NO7V69cjVFyet1ek8swD5MW/LhFLLLn MMRlKSHFNGNEhJuKtMdzN9z0MlqgeGvnD+jL9p7jC9uz1B+kZKNAd7eeMyRabaH6CgQP BSJlLrfUNV/g50yzgQOYk/I+XqdXd5GCMaBBCnR3CGmw/JYbtfOKMwKDtTikJNkCc9qU A4M7dEj0rz87qNd5phxZC/NDXbqbm/yzw7djPveHTFBXhO7CjYrJgLeA2MDlj8afRzQz luowCL42cvJHm+SwBz+Zv7obWqHReKcgRVcjWMOVXdmzOnt3b9hzR4AqZ59WoU2XjRFv 5+YA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=arm.com dmarc=pass fromdomain=arm.com); spf=pass (google.com: domain of linux-kernel+bounces-145001-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-145001-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161]) by mx.google.com with ESMTPS id fa34-20020a056a002d2200b006ecd9421638si8004429pfb.335.2024.04.15.04.44.22 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 15 Apr 2024 04:44:23 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-145001-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=arm.com dmarc=pass fromdomain=arm.com); spf=pass (google.com: domain of linux-kernel+bounces-145001-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-145001-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 8549DB20BA1 for ; Mon, 15 Apr 2024 11:44:20 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id B2D2A62147; Mon, 15 Apr 2024 11:44:14 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by smtp.subspace.kernel.org (Postfix) with ESMTP id C5A655DF05 for ; Mon, 15 Apr 2024 11:44:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.140.110.172 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713181454; cv=none; b=WQVlHDahR301ieGwAJjJi44oDsb5u61kX7tMoiCAQdXAs14s1icKVu/1AwpBL7Blj3R4irwTQvoHmY8d2a4XDOX1WFvyXHTGeb31W0m0RjRWOAIDq9LDk67IWT1mZKcH3T7nMFx51qSCE6do0JURsYM5wYb5hojkMNsl9c7YbE4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713181454; c=relaxed/simple; bh=vlz4xdTeFh3JWcWl9uGUVQlRxwjBAqpOUnqtGkd7sNs=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=O+CesjCz/Pq2vL8/oh/wsIeDb1xRAjqmWxkNwMEAoCVmlTq16BLntUSZWezH8YD5MvbKN8swQ0d4UGoj9MCvuzqQ4NCz//TnMIIQnMSVhvJB1sOvQXGTMQh8bp2JqXKNRVlAIkPQmkqHSoT8ZfbiW/M0Q3Mf5ce2gTylJecRrb8= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=arm.com; spf=pass smtp.mailfrom=arm.com; arc=none smtp.client-ip=217.140.110.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=arm.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=arm.com Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 133382F4; Mon, 15 Apr 2024 04:44:39 -0700 (PDT) Received: from FVFF77S0Q05N.cambridge.arm.com (FVFF77S0Q05N.cambridge.arm.com [10.1.38.162]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 984023F738; Mon, 15 Apr 2024 04:44:09 -0700 (PDT) Date: Mon, 15 Apr 2024 12:43:59 +0100 From: Mark Rutland To: "Russell King (Oracle)" Cc: Tetsuo Handa , Kees Cook , Linux ARM , syzbot , linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com Subject: Re: [syzbot] [hardening?] [mm?] BUG: bad usercopy in fpa_set Message-ID: References: <0000000000004cf5c205faf1c7f3@google.com> <2ab55fd1-7eb0-488e-93ea-660fa05ee43a@I-love.SAKURA.ne.jp> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: On Mon, Apr 15, 2024 at 11:27:02AM +0100, Russell King (Oracle) wrote: > On Mon, Apr 15, 2024 at 06:58:30PM +0900, Tetsuo Handa wrote: > > On 2024/04/15 18:44, Russell King (Oracle) wrote: > > > On Mon, Apr 15, 2024 at 06:38:33PM +0900, Tetsuo Handa wrote: > > >> On 2024/04/15 18:02, Mark Rutland wrote: > > >>> 08626a6056aad824 ("arm: Implement thread_struct whitelist for hardened usercopy") > > >>> > > >>> That commit says that all accesses are bounce-buffered and bypass the check, > > >>> but AFAICT the fpa_set() code hasn't changed since then, so either that was > > >>> wrong or the user_regset_copyin() code has changed. > > >> > > >> Then, can we go with https://lkml.kernel.org/r/0b49d91b-511f-449e-b7c3-93b2ccce6c49@I-love.SAKURA.ne.jp ? > > > > > > Have you visited that URL? It doesn't point to an email containing a > > > patch, so sorry, I don't know what patch you're referring to. > > > > > > > Containing a link to a diff. ;-) > > > > diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c > > index c421a899fc84..347611ae762f 100644 > > --- a/arch/arm/kernel/ptrace.c > > +++ b/arch/arm/kernel/ptrace.c > > @@ -583,10 +583,15 @@ static int fpa_set(struct task_struct *target, > > const void *kbuf, const void __user *ubuf) > > { > > struct thread_info *thread = task_thread_info(target); > > + const unsigned int pos0 = pos; > > + char buf[sizeof(struct user_fp)]; > > + int ret; > > > > - return user_regset_copyin(&pos, &count, &kbuf, &ubuf, > > - &thread->fpstate, > > - 0, sizeof(struct user_fp)); > > + ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, > > + buf, 0, sizeof(struct user_fp)); > > + if (!ret) > > + memcpy(&thread->fpstate, buf, pos - pos0); > > + return ret; > > } > > > > #ifdef CONFIG_VFP > > No, not unless there is really no other option. It's hacking around the > issue, creating two copy operations of the data (one onto the stack) > rather than solving it properly - and I will not put up with that kind > of mentality - it's a completely broken approach to open source > software. If there is a problem, always fix it using the correct fix, > never try to sticky-plaster around a problem. > > It seems there is a way for architectures to tell the code what is > safe to write to, and it seems that a misunderstanding meant this > wasn't implemented. So let's see whether it's possible to fix that > first. I completely agree. We'll have to wait for Kees to wake up, but IIUC one assumption here was that thread_info was particularly sensitive, and hence any state to be copied to/from userspace would live in thread_struct. Either we need to remove that assumption, or we need to move things so that we can use arch_thread_struct_whitelist(). Given that arm always selects THREAD_INFO_IN_TASK, I think it would be a fairly mechanical change to move fp_state (and vfp_state!) into thread_struct. That would mean that the TI_FPSTATE offset would grow, but assuming that still fits into an ADD immediate, we'd be ok, and then arch_thread_struct_whitelist() could be used to handle these structures. Mark.