[Clarification] writes to kernel addresses that came from userspace

Random Guy random.guy.from.russia at gmail.com
Wed Sep 15 20:59:15 EDT 2021


On Sun, Sep 12, 2021 at 9:21 AM Len Baker <len.baker at gmx.com> wrote:
> It should be possible to perform taint tracking of addresses in the kernel
> to avoid flaws of the form:
>
> copy_from_user(object, src, ...);
> ...
> memcpy(object.address, something, ...);
>
> [end of extracted]
>
> My question is: Why is this scenario a flaw?

Because of the first argument of memcpy.

> If I understand correctly, the copy_from_user() function copies n bytes of
> src (in user space address) to object (in kernel space address). I think
> that it is the correct way to act.

Yes.

> Then, in kernel space the object is modified.

Not necessarily. The object would be modified if

  memcpy(&object.address, something, ...);

was written. Without taking the address it is likely modifying something else.



More information about the Kernelnewbies mailing list