[Clarification] writes to kernel addresses that came from userspace

Bernd Petrovitsch bernd at petrovitsch.priv.at
Mon Sep 13 03:59:36 EDT 2021


Hi all!

On 12/09/2021 18:20, Len Baker wrote:
[...]
> [extracted from the KSPP]
> 
> It should be possible to perform taint tracking of addresses in the kernel
> to avoid flaws of the form:
> 
> copy_from_user(object, src, ...);
> ...
> memcpy(object.address, something, ...);
> 
> [end of extracted]
> 
> My question is: Why is this scenario a flaw?
> 
> If I understand correctly, the copy_from_user() function copies n bytes of
> src (in user space address) to object (in kernel space address). I think > that it is the correct way to act. Then, in kernel space the object is

Yup.

> modified. So, I don't see the problem. Sorry if it is a trivial question
> but I can not figure it out on my own.

Shouldn't the memcpy() be a copy_to_user() as object.address is setup by 
the user space and thus a user space address?

MfG,
	Bernd
-- 
Bernd Petrovitsch                  Email : bernd at petrovitsch.priv.at
      There is NO CLOUD, just other people's computers. - FSFE
                      LUGA : http://www.luga.at



More information about the Kernelnewbies mailing list