[Clarification] writes to kernel addresses that came from userspace
Bernd Petrovitsch
bernd at petrovitsch.priv.at
Mon Sep 13 03:59:36 EDT 2021
Hi all!
On 12/09/2021 18:20, Len Baker wrote:
[...]
> [extracted from the KSPP]
>
> It should be possible to perform taint tracking of addresses in the kernel
> to avoid flaws of the form:
>
> copy_from_user(object, src, ...);
> ...
> memcpy(object.address, something, ...);
>
> [end of extracted]
>
> My question is: Why is this scenario a flaw?
>
> If I understand correctly, the copy_from_user() function copies n bytes of
> src (in user space address) to object (in kernel space address). I think > that it is the correct way to act. Then, in kernel space the object is
Yup.
> modified. So, I don't see the problem. Sorry if it is a trivial question
> but I can not figure it out on my own.
Shouldn't the memcpy() be a copy_to_user() as object.address is setup by
the user space and thus a user space address?
MfG,
Bernd
--
Bernd Petrovitsch Email : bernd at petrovitsch.priv.at
There is NO CLOUD, just other people's computers. - FSFE
LUGA : http://www.luga.at
More information about the Kernelnewbies
mailing list