Date: Mon, 13 Sep 2021 11:01:08 -0700
From: Kees Cook
To: Bernd Petrovitsch
Cc: Len Baker, kernelnewbies@kernelnewbies.org
Subject: Re: [Clarification] writes to kernel addresses that came from userspace
Message-ID: <202109131059.258B8DCD@keescook>
References: <20210912162030.GA4692@titan>

On Mon, Sep 13, 2021 at 09:59:36AM +0200, Bernd Petrovitsch wrote:
> Hi all!
>
> On 12/09/2021 18:20, Len Baker wrote:
> [...]
> > [extracted from the KSPP]
> >
> > It should be possible to perform taint tracking of addresses in the kernel
> > to avoid flaws of the form:
> >
> > copy_from_user(object, src, ...);
> > ...
> > memcpy(object.address, something, ...);
> >
> > [end of extracted]
> >
> > My question is: Why is this scenario a flaw?
> >
> > If I understand correctly, the copy_from_user() function copies n bytes of
> > src (in user space address) to object (in kernel space address). I think
> > that it is the correct way to act. Then, in kernel space the object is
>
> Yup.
>
> > modified. So, I don't see the problem. Sorry if it is a trivial question
> > but I can not figure it out on my own.
>
> Shouldn't the memcpy() be a copy_to_user() as object.address is set up by the
> user space and thus a user space address?

Right, _correct_ code would pass a userspace address, and use copy_to_user()
for writing to it. The goal here would be to find the kinds of paths that
might lead to bad conditions (i.e. answering "is it possible for a
userspace-controlled value to reach a place in the kernel that didn't
sanity-check it before doing indexing, sizing, etc?").

-- 
Kees Cook

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
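Added example, not part of the thread above and not kernel code: a user-space model of the two patterns Kees contrasts. Kernel and user memory are simulated as two arrays with disjoint fake address ranges, and sim_access_ok(), sim_copy_from_user() and sim_copy_to_user() are hypothetical stand-ins that mimic the real helpers' contract (copy only within the user range, return the number of bytes not copied). handler_flawed() is the KSPP pattern, where object.address is taken from userspace and fed to a raw memcpy(), so a caller who supplies a kernel address gets an arbitrary kernel write; handler_fixed() routes the same write through copy_to_user(), which rejects it. All names and the sample request are constructed for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated address spaces: an "address" is an offset into one of these
 * arrays. User addresses live in [USER_BASE, USER_BASE+UMEM_SIZE), kernel
 * addresses in [KERNEL_BASE, KERNEL_BASE+KMEM_SIZE). (Assumed layout.) */
#define UMEM_SIZE   256
#define KMEM_SIZE   256
#define USER_BASE   0x1000u
#define KERNEL_BASE 0x8000u
static unsigned char sim_user_mem[UMEM_SIZE];
static unsigned char sim_kernel_mem[KMEM_SIZE];

/* A sensitive kernel object an attacker would like to overwrite. */
#define SIM_CRED_OFF 64
static unsigned char *const sim_cred = &sim_kernel_mem[SIM_CRED_OFF];

/* Model of access_ok(): true only for a range fully inside user memory. */
static int sim_access_ok(uintptr_t addr, size_t len)
{
    return addr + len >= addr && addr >= USER_BASE &&
           addr + len <= USER_BASE + UMEM_SIZE;
}

/* Raw memcpy() does no checking at all, so this resolves ANY simulated
 * address (user or kernel) to backing storage; NULL models a wild pointer. */
static unsigned char *sim_resolve(uintptr_t addr, size_t len)
{
    if (sim_access_ok(addr, len))
        return &sim_user_mem[addr - USER_BASE];
    if (addr + len >= addr && addr >= KERNEL_BASE &&
        addr + len <= KERNEL_BASE + KMEM_SIZE)
        return &sim_kernel_mem[addr - KERNEL_BASE];
    return NULL;
}

/* Models of copy_from_user()/copy_to_user(): refuse anything outside the
 * user range and, like the real helpers, return bytes NOT copied. */
static size_t sim_copy_from_user(void *to, uintptr_t from, size_t n)
{
    if (!sim_access_ok(from, n))
        return n;
    memcpy(to, &sim_user_mem[from - USER_BASE], n);
    return 0;
}
static size_t sim_copy_to_user(uintptr_t to, const void *from, size_t n)
{
    if (!sim_access_ok(to, n))
        return n;
    memcpy(&sim_user_mem[to - USER_BASE], from, n);
    return 0;
}

/* Request a syscall/ioctl receives: .address is chosen by the caller. */
struct request {
    uintptr_t address; /* where the caller wants the reply written */
    uint32_t  value;
};

/* Flawed: the destination pointer is tainted (from userspace) yet used as a
 * kernel pointer with no check. A kernel address slips straight through. */
static int handler_flawed(uintptr_t user_req)
{
    struct request object;
    if (sim_copy_from_user(&object, user_req, sizeof(object)))
        return -EFAULT;
    unsigned char *dst = sim_resolve(object.address, sizeof(object.value));
    if (!dst)
        return -EFAULT; /* stands in for an oops on a wild pointer */
    memcpy(dst, &object.value, sizeof(object.value)); /* tainted dst */
    return 0;
}

/* Fixed: object.address is a USER pointer, so the write goes through
 * copy_to_user(), whose access_ok() check rejects kernel addresses. */
static int handler_fixed(uintptr_t user_req)
{
    struct request object;
    if (sim_copy_from_user(&object, user_req, sizeof(object)))
        return -EFAULT;
    if (sim_copy_to_user(object.address, &object.value, sizeof(object.value)))
        return -EFAULT;
    return 0;
}

/* Place a constructed request in user memory and run the handler on it. */
static int run_request(int (*handler)(uintptr_t), uintptr_t dst, uint32_t v)
{
    memset(sim_kernel_mem, 0, sizeof(sim_kernel_mem));
    memset(sim_user_mem, 0, sizeof(sim_user_mem));
    struct request req = { .address = dst, .value = v };
    memcpy(&sim_user_mem[16], &req, sizeof(req));   /* request at USER_BASE+16 */
    return handler(USER_BASE + 16);
}

/* 1 if the attacker's request overwrote the kernel credential object. */
static int attacker_overwrites_cred(int (*handler)(uintptr_t))
{
    run_request(handler, KERNEL_BASE + SIM_CRED_OFF, 0xDEADBEEFu);
    uint32_t cred;
    memcpy(&cred, sim_cred, sizeof(cred));
    return cred == 0xDEADBEEFu;
}

/* 1 if a legitimate request (user destination) delivered its value. */
static int legit_request_works(int (*handler)(uintptr_t))
{
    int rc = run_request(handler, USER_BASE + 100, 0x11223344u);
    uint32_t got;
    memcpy(&got, &sim_user_mem[100], sizeof(got));
    return rc == 0 && got == 0x11223344u;
}

int main(void)
{
    printf("flawed handler: kernel write via user-chosen pointer: %s\n",
           attacker_overwrites_cred(handler_flawed) ? "SUCCEEDED" : "blocked");
    printf("fixed handler:  kernel write via user-chosen pointer: %s\n",
           attacker_overwrites_cred(handler_fixed) ? "SUCCEEDED" : "blocked");
    printf("fixed handler still serves legitimate user pointers: %s\n",
           legit_request_works(handler_fixed) ? "yes" : "no");
    return 0;
}
```

The point the model makes concrete is the one Kees describes: the bug is not copy_from_user() itself but what happens to a value it fetched. Both handlers accept the same legitimate request; only the destination check that copy_to_user() performs stops the tainted pointer from being used as a kernel address, which is exactly the data-flow ("user-controlled value reaches a sink without a sanity check") that taint tracking would flag.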