Re: [syzbot] [hardening?] [mm?] BUG: bad usercopy in fpa_set

From: Tetsuo Handa
Date: Fri Apr 05 2024 - 10:29:01 EST


On 2024/04/04 1:12, Russell King (Oracle) wrote:
> Therefore, there is _no way_ for fpa_set() to overwrite anything
> outside of thread_info->fpstate, because sizeof(struct user_fp)
> is smaller than sizeof(thread->fpstate).
>
> Syzbot appears to be wrong in this instance.
>

Thanks for the clarification.

I came to suspect that commit 08626a6056aa ("arm: Implement thread_struct
whitelist for hardened usercopy") missed that ptrace(PTRACE_SETFPREGS)
needs to declare a usercopy whitelist. It seems to me that
https://syzkaller.appspot.com/text?tag=Patch&x=14c42099180000 can fix
this problem, but I'm not sure whether this is safe/correct. Can you check?