From: Kees Cook <keescook@chromium.org>
To: Bernd Petrovitsch <bernd@petrovitsch.priv.at>
Cc: Len Baker <len.baker@gmx.com>, "kernelnewbies@kernelnewbies.org" <kernelnewbies@kernelnewbies.org>
Subject: Re: [Clarification] writes to kernel addresses that came from userspace
Date: Mon, 13 Sep 2021 11:01:08 -0700
Message-ID: <202109131059.258B8DCD@keescook>
In-Reply-To: <bb4d29b4-391e-93da-c192-702ee60012d0@petrovitsch.priv.at>
On Mon, Sep 13, 2021 at 09:59:36AM +0200, Bernd Petrovitsch wrote:
> Hi all!
>
> On 12/09/2021 18:20, Len Baker wrote:
> [...]
> > [extracted from the KSPP]
> >
> > It should be possible to perform taint tracking of addresses in the kernel
> > to avoid flaws of the form:
> >
> > copy_from_user(object, src, ...);
> > ...
> > memcpy(object.address, something, ...);
> >
> > [end of extracted]
> >
> > My question is: Why is this scenario a flaw?
> >
> > If I understand correctly, the copy_from_user() function copies n bytes of
> > src (in user space address) to object (in kernel space address). I think
> > that it is the correct way to act. Then, in kernel space the object is
>
> Yup.
>
> > modified. So, I don't see the problem. Sorry if it is a trivial question
> > but I can not figure it out on my own.
>
> Shouldn't the memcpy() be a copy_to_user() as object.address is setup by the
> user space and thus a user space address?
Right, _correct_ code would pass a userspace address, and use
copy_to_user() for writing to it. The goal here would be to find the
kinds of paths that might lead to bad conditions (i.e. answering "is it
possible for a userspace-controlled value to reach a place in the kernel
that didn't sanity-check it before doing indexing, sizing, etc?").
--
Kees Cook
_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
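The pattern discussed in this thread, as an added user-space simulation that is not code from the thread or from the kernel: a request struct carrying a destination address is copied in from "userspace", a vulnerable handler trusts that address and writes to it with memcpy(), and a hardened handler keeps it untrusted, range-checks it against the simulated user address space and writes through a copy_to_user()-style helper that can fail. All names (sim_access_ok, sim_copy_to_user, struct sim_request, SIM_EFAULT, the sim_* buffers) are stand-ins invented for this example; the real kernel helpers they imitate are access_ok() and copy_to_user().

```c
/* Added example (not from the thread or the kernel): a user-space simulation of
 * a userspace-controlled address reaching memcpy() in the "kernel", beside the
 * corrected path. Two static buffers play the two address spaces. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SIM_EFAULT 14   /* stand-in for the kernel's EFAULT value */

/* Simulated address spaces. */
static unsigned char sim_user_mem[256];   /* memory userspace may read/write */
static unsigned char sim_kernel_mem[64];  /* kernel-private data userspace must never write */

/* Request exactly as userspace hands it to an ioctl-like entry point:
 * the address field is chosen by userspace and therefore untrusted. */
struct sim_request {
    void  *address;
    size_t len;
};

/* Stand-in for access_ok(): true only if [p, p+len) lies inside sim_user_mem. */
static int sim_access_ok(const void *p, size_t len)
{
    uintptr_t start = (uintptr_t)p;
    uintptr_t lo = (uintptr_t)sim_user_mem;
    uintptr_t hi = lo + sizeof(sim_user_mem);

    if (len > hi - lo)                   /* avoid wraparound in start + len */
        return 0;
    return start >= lo && start <= hi - len;
}

/* Stand-in for copy_to_user(): refuses any destination outside userspace. */
static int sim_copy_to_user(void *dst, const void *src, size_t len)
{
    if (!sim_access_ok(dst, len))
        return -SIM_EFAULT;
    memcpy(dst, src, len);
    return 0;
}

/* Vulnerable handler: the address came from userspace but is written with memcpy(),
 * so a request pointing at kernel memory silently overwrites it. */
static int vulnerable_handler(const struct sim_request *req, const void *data, size_t n)
{
    if (n > req->len)
        return -1;
    memcpy(req->address, data, n);       /* no range check on a user-supplied address */
    return 0;
}

/* Hardened handler: the user-supplied address is only ever used through the
 * copy_to_user()-style helper, which validates it and fails with -EFAULT. */
static int hardened_handler(const struct sim_request *req, const void *data, size_t n)
{
    if (n > req->len)
        return -1;
    return sim_copy_to_user(req->address, data, n);
}

/* Drives both handlers with a constructed request whose address points into
 * kernel memory, then with a legitimate user address. Returns 1 when the
 * vulnerable path corrupted kernel memory, the hardened path rejected that
 * request, and the hardened path still served the legitimate one. */
int sim_demo(void)
{
    const char payload[] = "AAAA";       /* constructed sample data, 5 bytes with NUL */
    struct sim_request req = { .address = sim_kernel_mem, .len = sizeof(payload) };
    int corrupted, rejected, served;

    memset(sim_kernel_mem, 0, sizeof(sim_kernel_mem));
    vulnerable_handler(&req, payload, sizeof(payload));
    corrupted = memcmp(sim_kernel_mem, payload, sizeof(payload)) == 0;

    memset(sim_kernel_mem, 0, sizeof(sim_kernel_mem));
    rejected = hardened_handler(&req, payload, sizeof(payload)) == -SIM_EFAULT
               && sim_kernel_mem[0] == 0;

    req.address = sim_user_mem + 16;     /* a genuine user address */
    served = hardened_handler(&req, payload, sizeof(payload)) == 0
             && memcmp(sim_user_mem + 16, payload, sizeof(payload)) == 0;

    return corrupted && rejected && served;
}

int main(void)
{
    printf("%s\n", sim_demo()
           ? "memcpy() path wrote kernel memory; copy_to_user() path returned -EFAULT"
           : "unexpected result");
    return 0;
}
```

The taint-tracking idea from the thread amounts to flagging req->address as user-derived at copy_from_user() time and reporting any later use of it as a plain kernel pointer (the memcpy() in vulnerable_handler), while a use that flows only into copy_to_user() is fine because that helper performs the check.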
Thread overview: 7+ messages
2021-09-12 16:20 [Clarification] writes to kernel addresses that came from userspace Len Baker
2021-09-12 18:22 ` Valentin Vidić
2021-09-12 18:47 ` Kees Cook
2021-09-13 7:59 ` Bernd Petrovitsch
2021-09-13 18:01 ` Kees Cook [this message]
2021-09-16 0:59 ` Random Guy
2021-09-18 9:47 ` Len Baker