[Clarification] writes to kernel addresses that came from userspace

Valentin Vidić vvidic at valentin-vidic.from.hr
Sun Sep 12 14:22:22 EDT 2021


On Sun, Sep 12, 2021 at 06:20:30PM +0200, Len Baker wrote:
> I am taking a look to the issues in the Kernel Self Protection Project [1]
> and this one [2] (perform taint-tracking of writes to kernel addresses
> that came from userspace) take my attention. Reading the explanation does
> not make it clear to me where the flaw is.
> 
> [extracted from the KSPP]
> 
> It should be possible to perform taint tracking of addresses in the kernel
> to avoid flaws of the form:
> 
> copy_from_user(object, src, ...);
> ...
> memcpy(object.address, something, ...);
> 
> [end of extracted]
> 
> My question is: Why is this scenario a flaw?
> 
> If I understand correctly, the copy_from_user() function copies n bytes of
> src (in user space address) to object (in kernel space address). I think
> that it is the correct way to act. Then, in kernel space the object is
> modified. So, I don't see the problem. Sorry if it is a trivial question
> but I can not figure it out on my own.

I suppose the problem is that userspace sets the value of object.address
to point to something dangerous. If the kernel tries to write to that
location later it will cause a crash or worse...

-- 
Valentin



More information about the Kernelnewbies mailing list