From: Len Baker <len.baker@gmx.com>
To: "kernelnewbies@kernelnewbies.org" <kernelnewbies@kernelnewbies.org>, Kees Cook <keescook@chromium.org>
Cc: Len Baker <len.baker@gmx.com>
Subject: [Clarification] writes to kernel addresses that came from userspace
Date: Sun, 12 Sep 2021 18:20:30 +0200
Message-ID: <20210912162030.GA4692@titan>
Hi,
I am taking a look at the issues in the Kernel Self Protection Project [1],
and this one [2] (perform taint-tracking of writes to kernel addresses
that came from userspace) caught my attention. Reading the explanation does
not make it clear to me where the flaw is.
[extracted from the KSPP]
It should be possible to perform taint tracking of addresses in the kernel
to avoid flaws of the form:
copy_from_user(object, src, ...);
...
memcpy(object.address, something, ...);
[end of extracted]
My question is: Why is this scenario a flaw?
If I understand correctly, the copy_from_user() function copies n bytes from
src (a user space address) to object (a kernel space address). I think
that is the correct way to act. Then, in kernel space, the object is
modified. So I don't see the problem. Sorry if it is a trivial question,
but I cannot figure it out on my own.
[1] https://github.com/KSPP/linux/issues
[2] https://github.com/KSPP/linux/issues/126
Thanks in advance.
Regards,
Len
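The pattern quoted from the KSPP issue, written out as an added example (not code from the original mail, from the KSPP issue, or from the kernel). Everything here is a constructed user-space simulation: `struct request`, `sim_copy_from_user()`, `pointer_in_object()` and the two handler functions are hypothetical names, `kernel_buf` and `other_kernel_data` stand in for kernel memory, and `-2` stands in for the `-EINVAL` a real driver would return. The point it shows is that copy_from_user() correctly checks the *source* address, but the bytes it copies can themselves contain a pointer; if that pointer is later used as the destination of a kernel memcpy(), the destination was chosen by userspace. The hardened handler treats the copied-in pointer as tainted and only accepts it if the whole write stays inside the object the request is allowed to touch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for kernel memory. kernel_buf is the object the
 * request handler is meant to write into; other_kernel_data models any other
 * kernel memory that must never be reachable through a user-supplied pointer. */
static unsigned char kernel_buf[64];
static unsigned char other_kernel_data[16] = "do-not-touch";

/* Hypothetical request structure shared with userspace. After the copy,
 * every field is attacker-controlled, including the embedded pointer. */
struct request {
    unsigned char *address;
    size_t len;
};

/* Stand-in for copy_from_user(): the real one verifies that the source is a
 * user address and readable, but it cannot know that the bytes it copies
 * contain a pointer the kernel will later dereference. */
static int sim_copy_from_user(void *to, const void *from, size_t n)
{
    memcpy(to, from, n);
    return 0;
}

/* The pattern from KSPP issue #126: the pointer inside the copied object is
 * used as the destination of a kernel write without validation, so userspace
 * decides where in kernel memory the payload lands. */
static int handle_request_unsafe(const void *user_src,
                                 const unsigned char *payload, size_t payload_len)
{
    struct request req;
    size_t n;

    if (sim_copy_from_user(&req, user_src, sizeof(req)))
        return -1;
    n = payload_len < req.len ? payload_len : req.len;
    memcpy(req.address, payload, n);   /* tainted destination */
    return 0;
}

/* Taint gate (hypothetical helper): a pointer that arrived from userspace is
 * accepted only if the whole [p, p+len) range lies inside the one kernel
 * object this request may touch. Done in integer space to avoid undefined
 * pointer comparisons between unrelated objects. */
static int pointer_in_object(const unsigned char *p, size_t len,
                             const unsigned char *base, size_t base_len)
{
    uintptr_t pv = (uintptr_t)p, bv = (uintptr_t)base;

    if (pv < bv || pv - bv > base_len)
        return 0;
    if (len > base_len - (pv - bv))
        return 0;
    return 1;
}

/* Hardened form: the copied-in pointer is treated as untrusted data and
 * checked before it is ever used as a kernel address. Returns -2 (standing
 * in for -EINVAL) when the address is rejected. */
static int handle_request_checked(const void *user_src,
                                  const unsigned char *payload, size_t payload_len)
{
    struct request req;
    size_t n;

    if (sim_copy_from_user(&req, user_src, sizeof(req)))
        return -1;
    n = payload_len < req.len ? payload_len : req.len;
    if (!pointer_in_object(req.address, n, kernel_buf, sizeof(kernel_buf)))
        return -2;
    memcpy(req.address, payload, n);
    return 0;
}

int main(void)
{
    unsigned char payload[4] = { 1, 2, 3, 4 };
    struct request inside = { kernel_buf + 8, sizeof(payload) };
    struct request outside = { other_kernel_data, sizeof(payload) };
    int rc;

    rc = handle_request_checked(&inside, payload, sizeof(payload));
    printf("checked, address inside object:  %d\n", rc);
    rc = handle_request_checked(&outside, payload, sizeof(payload));
    printf("checked, address outside object: %d (other_kernel_data intact: %s)\n",
           rc, other_kernel_data);
    rc = handle_request_unsafe(&outside, payload, sizeof(payload));
    printf("unsafe,  address outside object: %d (other_kernel_data[0] now %u)\n",
           rc, other_kernel_data[0]);
    return 0;
}
```

In a real driver the usual fix is stronger than a range check: the interface is changed so userspace passes an index or handle and the kernel looks up the object itself, so no raw kernel pointer ever crosses the boundary. The range check above is only the smallest gate that makes the taint visible in code.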