Re: BUG: bad usercopy in __check_object_size (2)

From: Kees Cook
Date: Fri Sep 07 2018 - 11:58:55 EST


On Fri, Sep 7, 2018 at 8:19 AM, Dmitry Vyukov <dvyukov@xxxxxxxxxx> wrote:
> On Fri, Sep 7, 2018 at 5:17 PM, syzbot
> <syzbot+a3c9d2673837ccc0f22b@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>> Hello,
>>
>> syzbot found the following crash on:
>>
>> HEAD commit: 28619527b8a7 Merge git://git.kernel.org/pub/scm/linux/kern..
>> git tree: bpf
>> console output: https://syzkaller.appspot.com/x/log.txt?x=1618ac21400000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=62e9b447c16085cf
>> dashboard link: https://syzkaller.appspot.com/bug?extid=a3c9d2673837ccc0f22b
>> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
>>
>> Unfortunately, I don't have any reproducer for this crash yet.
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+a3c9d2673837ccc0f22b@xxxxxxxxxxxxxxxxxxxxxxxxx
>
> +Kees, looks like a false positive?

Basically, yes. CONFIG_HARDENED_USERCOPY_PAGESPAN=y should not be used
-- it's for tracking down these cases (not really for general-purpose
"debugging"), but no one is currently working on solving them.

-Kees

--
Kees Cook
Pixel Security