Re: [syzbot] [hardening?] [mm?] BUG: bad usercopy in fpa_set
From: Tetsuo Handa
Date: Mon Apr 15 2024 - 05:59:01 EST
On 2024/04/15 18:44, Russell King (Oracle) wrote:
> On Mon, Apr 15, 2024 at 06:38:33PM +0900, Tetsuo Handa wrote:
>> On 2024/04/15 18:02, Mark Rutland wrote:
>>> 08626a6056aad824 ("arm: Implement thread_struct whitelist for hardened usercopy")
>>>
>>> That commit says that all accesses are bounce-buffered and bypass the check,
>>> but AFAICT the fpa_set() code hasn't changed since then, so either that was
>>> wrong or the user_regset_copyin() code has changed.
>>
>> Then, can we go with https://lkml.kernel.org/r/0b49d91b-511f-449e-b7c3-93b2ccce6c49@xxxxxxxxxxxxxxxxxxx ?
>
> Have you visited that URL? It doesn't point to an email containing a
> patch, so sorry, I don't know what patch you're referring to.
>
Containing a link to a diff. ;-)
diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c
index c421a899fc84..347611ae762f 100644
--- a/arch/arm/kernel/ptrace.c
+++ b/arch/arm/kernel/ptrace.c
@@ -583,10 +583,15 @@ static int fpa_set(struct task_struct *target,
const void *kbuf, const void __user *ubuf)
{
struct thread_info *thread = task_thread_info(target);
+ const unsigned int pos0 = pos;
+ char buf[sizeof(struct user_fp)];
+ int ret;
- return user_regset_copyin(&pos, &count, &kbuf, &ubuf,
- &thread->fpstate,
- 0, sizeof(struct user_fp));
+ ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
+ buf, 0, sizeof(struct user_fp));
+ if (!ret)
+ memcpy(&thread->fpstate, buf, pos - pos0);
+ return ret;
}
#ifdef CONFIG_VFP