From: Len Baker <len.baker@gmx.com>
To: "kernelnewbies@kernelnewbies.org"
<kernelnewbies@kernelnewbies.org>,
Kees Cook <keescook@chromium.org>
Cc: Len Baker <len.baker@gmx.com>
Subject: [Clarification] writes to kernel addresses that came from userspace
Date: Sun, 12 Sep 2021 18:20:30 +0200 [thread overview]
Message-ID: <20210912162030.GA4692@titan> (raw)
Hi,
I am taking a look to the issues in the Kernel Self Protection Project [1]
and this one [2] (perform taint-tracking of writes to kernel addresses
that came from userspace) take my attention. Reading the explanation does
not make it clear to me where the flaw is.
[extracted from the KSPP]
It should be possible to perform taint tracking of addresses in the kernel
to avoid flaws of the form:
copy_from_user(object, src, ...);
...
memcpy(object.address, something, ...);
[end of extracted]
My question is: Why is this scenario a flaw?
If I understand correctly, the copy_from_user() function copies n bytes of
src (in user space address) to object (in kernel space address). I think
that it is the correct way to act. Then, in kernel space the object is
modified. So, I don't see the problem. Sorry if it is a trivial question
but I can not figure it out on my own.
[1] https://github.com/KSPP/linux/issues
[2] https://github.com/KSPP/linux/issues/126
Thanks in advance.
Regards,
Len
_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
next reply other threads:[~2021-09-12 16:21 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-12 16:20 Len Baker [this message]
2021-09-12 18:22 ` [Clarification] writes to kernel addresses that came from userspace Valentin Vidić
2021-09-12 18:47 ` Kees Cook
2021-09-13 7:59 ` Bernd Petrovitsch
2021-09-13 18:01 ` Kees Cook
2021-09-16 0:59 ` Random Guy
2021-09-18 9:47 ` Len Baker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210912162030.GA4692@titan \
--to=len.baker@gmx.com \
--cc=keescook@chromium.org \
--cc=kernelnewbies@kernelnewbies.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).