From: Len Baker
To: "kernelnewbies@kernelnewbies.org", Kees Cook
Cc: Len Baker
Date: Sun, 12 Sep 2021 18:20:30 +0200
Subject: [Clarification] writes to kernel addresses that came from userspace
Message-ID: <20210912162030.GA4692@titan>

Hi,

I am taking a look at the issues in the Kernel Self Protection Project [1]
and this one [2] (perform taint-tracking of writes to kernel addresses that
came from userspace) caught my attention. Reading the explanation does not
make it clear to me where the flaw is.

[extracted from the KSPP]

It should be possible to perform taint tracking of addresses in the kernel
to avoid flaws of the form:

    copy_from_user(object, src, ...);
    ...
    memcpy(object.address, something, ...);

[end of extracted]

My question is: Why is this scenario a flaw?

If I understand correctly, the copy_from_user() function copies n bytes of
src (a user space address) to object (a kernel space address). I think
that it is the correct way to act. Then, in kernel space the object is
modified. So, I don't see the problem.

Sorry if it is a trivial question but I cannot figure it out on my own.

[1] https://github.com/KSPP/linux/issues
[2] https://github.com/KSPP/linux/issues/126

Thanks in advance.

Regards,
Len
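
Added illustration (not part of the original message or of the KSPP issue): in the quoted pattern every field of `object`, including `object.address`, was filled in by userspace, so the later `memcpy()` writes to a destination the caller chose. The C program below is a userspace model of that, with a constructed flat array standing in for memory and hypothetical names (`struct request`, `handle_tainted`, `handle_checked`, `user_range_ok`); the checked variant validates the address as a user pointer, the role `access_ok()` and `copy_to_user()` play in the kernel.

```c
/* Added userspace model, not kernel code. One flat array stands in for the
 * address space: offsets [0,32) model user memory, [32,64) kernel memory. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MEM_SIZE   64
#define USER_LIMIT 32
static uint8_t mem[MEM_SIZE];

struct request { size_t address; size_t len; };  /* hypothetical, caller-supplied */

/* Models access_ok(): the whole range must lie inside the user half. */
static int user_range_ok(size_t addr, size_t len)
{
    return len <= USER_LIMIT && addr <= USER_LIMIT - len;
}

/* Flawed form: object.address came from the caller but is used as a trusted
 * destination for a raw memcpy(). */
static int handle_tainted(const struct request *ureq, const uint8_t *data)
{
    struct request object;
    memcpy(&object, ureq, sizeof(object));           /* copy_from_user() */
    if (object.len > MEM_SIZE || object.address > MEM_SIZE - object.len)
        return -1;                   /* only keeps the model inside mem[] */
    memcpy(&mem[object.address], data, object.len);  /* tainted write */
    return 0;
}

/* Checked form: the field is treated as a user pointer and validated first. */
static int handle_checked(const struct request *ureq, const uint8_t *data)
{
    struct request object;
    memcpy(&object, ureq, sizeof(object));           /* copy_from_user() */
    if (!user_range_ok(object.address, object.len))
        return -14;                                  /* -EFAULT */
    memcpy(&mem[object.address], data, object.len);  /* copy_to_user() */
    return 0;
}

int main(void)
{
    const uint8_t data[4] = { 0xAA, 0xAA, 0xAA, 0xAA };
    struct request r = { .address = 40, .len = 4 };  /* constructed input */
    int rc = handle_tainted(&r, data);
    printf("tainted: rc=%d mem[40]=0x%02x\n", rc, (unsigned)mem[40]);
    memset(mem, 0, sizeof(mem));
    rc = handle_checked(&r, data);
    printf("checked: rc=%d mem[40]=0x%02x\n", rc, (unsigned)mem[40]);
    return 0;
}
```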