From: Kees Cook <keescook@chromium.org>
To: Bernd Petrovitsch <bernd@petrovitsch.priv.at>
Cc: Len Baker <len.baker@gmx.com>,
"kernelnewbies@kernelnewbies.org"
<kernelnewbies@kernelnewbies.org>
Subject: Re: [Clarification] writes to kernel addresses that came from userspace
Date: Mon, 13 Sep 2021 11:01:08 -0700
Message-ID: <202109131059.258B8DCD@keescook>
In-Reply-To: <bb4d29b4-391e-93da-c192-702ee60012d0@petrovitsch.priv.at>
On Mon, Sep 13, 2021 at 09:59:36AM +0200, Bernd Petrovitsch wrote:
> Hi all!
>
> On 12/09/2021 18:20, Len Baker wrote:
> [...]
> > [extracted from the KSPP]
> >
> > It should be possible to perform taint tracking of addresses in the kernel
> > to avoid flaws of the form:
> >
> > copy_from_user(object, src, ...);
> > ...
> > memcpy(object.address, something, ...);
> >
> > [end of extracted]
> >
> > My question is: Why is this scenario a flaw?
> >
> > If I understand correctly, the copy_from_user() function copies n bytes of
> > src (in user space address) to object (in kernel space address). I think
> > that it is the correct way to act. Then, in kernel space the object is
>
> Yup.
>
> > modified. So, I don't see the problem. Sorry if it is a trivial question
> > but I can not figure it out on my own.
>
> Shouldn't the memcpy() be a copy_to_user() as object.address is setup by the
> user space and thus a user space address?
Right, _correct_ code would pass a userspace address, and use
copy_to_user() for writing to it. The goal here would be to find the
kinds of paths that might lead to bad conditions (i.e. answering "is it
possible for a userspace-controlled value to reach a place in the kernel
that didn't sanity-check it before doing indexing, sizing, etc?").
--
Kees Cook
_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
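The distinction Kees draws (a userspace-supplied pointer must be written through copy_to_user(), never handed to memcpy()) can be shown without a kernel build. The program below is an added userspace model, not code from the thread or from the kernel: two byte arrays stand in for the user and kernel halves of the address space, and the copy_from_user_model()/copy_to_user_model() helpers are assumptions that mimic the real API's contract (refuse any range outside the user region, return the number of bytes not copied). The flawed handler reproduces the quoted copy_from_user(); memcpy(object.address, ...) pattern; the fixed handler is the correction described in the reply.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the two halves of the address space. */
static unsigned char user_mem[256];   /* "userspace" memory */
static unsigned char kernel_mem[256]; /* "kernel" memory    */

/* Assumed model of access_ok(): [p, p+n) must lie entirely inside user_mem. */
static bool access_ok_model(const void *p, size_t n)
{
    uintptr_t a = (uintptr_t)p;
    uintptr_t lo = (uintptr_t)user_mem;
    uintptr_t hi = lo + sizeof user_mem;

    return n <= sizeof user_mem && a >= lo && a <= hi - n;
}

/* Assumed model of copy_from_user(): returns bytes NOT copied (0 = success). */
static unsigned long copy_from_user_model(void *to, const void *from, unsigned long n)
{
    if (!access_ok_model(from, n))
        return n;           /* nothing copied; real code would return -EFAULT */
    memcpy(to, from, n);
    return 0;
}

/* Assumed model of copy_to_user(): the destination must be a user address. */
static unsigned long copy_to_user_model(void *to, const void *from, unsigned long n)
{
    if (!access_ok_model(to, n))
        return n;           /* destination outside the user region: refused */
    memcpy(to, from, n);
    return 0;
}

/* Request layout chosen by "userspace": a destination pointer plus data. */
struct request {
    void *address;
    unsigned char payload[8];
};

/* The pattern quoted in the thread: object.address came from userspace and
 * is used unchecked as a kernel memcpy() destination. */
static int handler_flawed(const void *user_req)
{
    struct request object;

    if (copy_from_user_model(&object, user_req, sizeof object))
        return -1;
    memcpy(object.address, object.payload, sizeof object.payload);
    return 0;
}

/* The correction from the reply: object.address is a userspace address, so
 * it is only ever written through copy_to_user(), which enforces the range. */
static int handler_fixed(const void *user_req)
{
    struct request object;

    if (copy_from_user_model(&object, user_req, sizeof object))
        return -1;
    if (copy_to_user_model(object.address, object.payload, sizeof object.payload))
        return -1;          /* -EFAULT in the kernel */
    return 0;
}

/* "Userspace" places a request at the start of user_mem asking for 8 bytes of
 * 0x41 to be written to target; returns the request's user address. */
static const void *build_request(void *target)
{
    struct request r;

    r.address = target;
    memset(r.payload, 0x41, sizeof r.payload);
    memcpy(user_mem, &r, sizeof r);   /* memcpy avoids alignment assumptions */
    return user_mem;
}

/* Runs one handler on a request aimed at kernel memory and reports whether
 * the kernel-side array was modified. */
static bool kernel_memory_modified(int (*handler)(const void *))
{
    memset(kernel_mem, 0, sizeof kernel_mem);
    handler(build_request(kernel_mem + 64));
    return kernel_mem[64] == 0x41;
}

int main(void)
{
    printf("flawed handler wrote kernel memory: %s\n",
           kernel_memory_modified(handler_flawed) ? "yes" : "no");
    printf("fixed handler wrote kernel memory:  %s\n",
           kernel_memory_modified(handler_fixed) ? "yes" : "no");
    printf("fixed handler, user destination: rc=%d\n",
           handler_fixed(build_request(user_mem + 128)));
    return 0;
}
```

The model only captures the software range check; the real copy_to_user() additionally relies on the MMU (and on SMAP or PAN where available) to fault on a kernel address. The taint-tracking idea from the KSPP note is about finding, at analysis time, every place where a value like object.address flows from copy_from_user() into a sink such as memcpy() without passing through that check.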
Thread overview (8+ messages):
2021-09-12 16:20 [Clarification] writes to kernel addresses that came from userspace Len Baker
2021-09-12 18:22 ` Valentin Vidić
2021-09-12 18:47 ` Kees Cook
2021-09-12 18:47 ` Kees Cook
2021-09-13 7:59 ` Bernd Petrovitsch
2021-09-13 18:01 ` Kees Cook [this message]
2021-09-16 0:59 ` Random Guy
2021-09-18 9:47 ` Len Baker