From: syzbot <syzbot+cb76c2983557a07cdb14@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, penguin-kernel@i-love.sakura.ne.jp,
	 syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [hardening?] [mm?] BUG: bad usercopy in fpa_set
Date: Tue, 05 Mar 2024 02:27:03 -0800
Message-ID: <00000000000087ec580612e7488e@google.com>
In-Reply-To: <1fec6a8b-7083-4b08-858a-0793f996ed52@I-love.SAKURA.ne.jp>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: bad usercopy in fpa_set

usercopy: Kernel memory overwrite attempt detected to SLUB object 'task_struct' (offset 80, size 140)!
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:102!
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 1 PID: 3917 Comm: syz-executor.0 Not tainted 6.8.0-rc7-syzkaller #0
Hardware name: ARM-Versatile Express
PC is at usercopy_abort+0x98/0x9c mm/usercopy.c:102
LR is at __wake_up_klogd.part.0+0x7c/0xac kernel/printk/printk.c:3899
pc : [<8183e740>]    lr : [<802b7f34>]    psr: 60000113
sp : df9d5e50  ip : df9d5d98  fp : df9d5e74
r10: 0000001a  r9 : 83d59800  r8 : 84ccd450
r7 : ddea5c20  r6 : 00000000  r5 : 0000008c  r4 : 00000050
r3 : 83d59800  r2 : 00000000  r1 : 00000000  r0 : 00000066
Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 30c5387d  Table: 84b822c0  DAC: 00000000
Register r0 information: non-paged memory
Register r1 information: NULL pointer
Register r2 information: NULL pointer
Register r3 information: slab task_struct start 83d59800 pointer offset 0 size 3072
Register r4 information: non-paged memory
Register r5 information: non-paged memory
Register r6 information: NULL pointer
Register r7 information: non-slab/vmalloc memory
Register r8 information: slab task_struct start 84ccd400 pointer offset 80 size 3072
Register r9 information: slab task_struct start 83d59800 pointer offset 0 size 3072
Register r10 information: non-paged memory
Register r11 information: 2-page vmalloc region starting at 0xdf9d4000 allocated at kernel_clone+0xac/0x3c8 kernel/fork.c:2902
Register r12 information: 2-page vmalloc region starting at 0xdf9d4000 allocated at kernel_clone+0xac/0x3c8 kernel/fork.c:2902
Process syz-executor.0 (pid: 3917, stack limit = 0xdf9d4000)
Stack: (0xdf9d5e50 to 0xdf9d6000)
Backtrace: 
[<8183e6a8>] (usercopy_abort) from [<804a922c>] (__check_heap_object+0xd8/0xf4 mm/slub.c:5386)
[<804a9154>] (__check_heap_object) from [<804e1c20>] (check_heap_object mm/usercopy.c:196 [inline])
[<804a9154>] (__check_heap_object) from [<804e1c20>] (__check_object_size mm/usercopy.c:251 [inline])
[<804a9154>] (__check_heap_object) from [<804e1c20>] (__check_object_size+0x1ec/0x30c mm/usercopy.c:213)
 r8:ddea5c20 r7:84ccd4dc r6:00000000 r5:0000008c r4:84ccd450
[<804e1a34>] (__check_object_size) from [<8020a090>] (check_object_size include/linux/thread_info.h:215 [inline])
[<804e1a34>] (__check_object_size) from [<8020a090>] (__copy_from_user include/linux/uaccess.h:101 [inline])
[<804e1a34>] (__check_object_size) from [<8020a090>] (user_regset_copyin include/linux/regset.h:268 [inline])
[<804e1a34>] (__check_object_size) from [<8020a090>] (fpa_set+0x80/0xa0 arch/arm/kernel/ptrace.c:589)
 r10:0000001a r9:83d59800 r8:00000000 r7:00000000 r6:00000001 r5:0000008c
 r4:84ccd450
[<8020a010>] (fpa_set) from [<8020a680>] (copy_regset_from_user include/linux/regset.h:337 [inline])
[<8020a010>] (fpa_set) from [<8020a680>] (arch_ptrace+0x2f4/0x3e4 arch/arm/kernel/ptrace.c:764)
 r5:0000000c r4:00000000
[<8020a38c>] (arch_ptrace) from [<80253494>] (__do_sys_ptrace kernel/ptrace.c:1288 [inline])
[<8020a38c>] (arch_ptrace) from [<80253494>] (sys_ptrace+0x238/0x4dc kernel/ptrace.c:1261)
 r7:00000000 r6:00000001 r5:0000000f r4:84ccd400
[<8025325c>] (sys_ptrace) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:66)
Exception stack(0xdf9d5fa8 to 0xdf9d5ff0)
5fa0:                   00000000 00000000 0000000f 00000004 00000001 00000000
5fc0: 00000000 00000000 0014c2cc 0000001a 7e8da326 7e8da327 003d0f00 76bf70fc
5fe0: 76bf6f08 76bf6ef8 000167e8 00050bd0
 r10:0000001a r9:83d59800 r8:80200288 r7:0000001a r6:0014c2cc r5:00000000
 r4:00000000
Code: e30a0688 e34801fd e58dc000 ebfff35b (e7f001f2) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	e30a0688 	movw	r0, #42632	@ 0xa688
   4:	e34801fd 	movt	r0, #33277	@ 0x81fd
   8:	e58dc000 	str	ip, [sp]
   c:	ebfff35b 	bl	0xffffcd80
* 10:	e7f001f2 	udf	#18 <-- trapping instruction


Tested on:

commit:         90d35da6 Linux 6.8-rc7
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17fdb512180000
kernel config:  https://syzkaller.appspot.com/x/.config?x=57d422b95aec4095
dashboard link: https://syzkaller.appspot.com/bug?extid=cb76c2983557a07cdb14
compiler:       arm-linux-gnueabi-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm
patch:          https://syzkaller.appspot.com/x/patch.diff?x=16e3042e180000


