[Clarification] writes to kernel addresses that came from userspace
Len Baker
len.baker at gmx.com
Sun Sep 12 12:20:30 EDT 2021
Hi,
I am taking a look to the issues in the Kernel Self Protection Project [1]
and this one [2] (perform taint-tracking of writes to kernel addresses
that came from userspace) take my attention. Reading the explanation does
not make it clear to me where the flaw is.
[extracted from the KSPP]
It should be possible to perform taint tracking of addresses in the kernel
to avoid flaws of the form:
copy_from_user(object, src, ...);
...
memcpy(object.address, something, ...);
[end of extracted]
My question is: Why is this scenario a flaw?
If I understand correctly, the copy_from_user() function copies n bytes of
src (in user space address) to object (in kernel space address). I think
that it is the correct way to act. Then, in kernel space the object is
modified. So, I don't see the problem. Sorry if it is a trivial question
but I can not figure it out on my own.
[1] https://github.com/KSPP/linux/issues
[2] https://github.com/KSPP/linux/issues/126
Thanks in advance.
Regards,
Len
More information about the Kernelnewbies
mailing list