[Clarification] writes to kernel addresses that came from userspace
random.guy.from.russia at gmail.com
Wed Sep 15 20:59:15 EDT 2021
On Sun, Sep 12, 2021 at 9:21 AM Len Baker <len.baker at gmx.com> wrote:
> It should be possible to perform taint tracking of addresses in the kernel
> to avoid flaws of the form:
> copy_from_user(object, src, ...);
> memcpy(object.address, something, ...);
> [end of extracted]
> My question is: Why is this scenario a flaw?
Because of the first argument of memcpy.
> If I understand correctly, the copy_from_user() function copies n bytes of
> src (in user space address) to object (in kernel space address). I think
> that it is the correct way to act.
> Then, in kernel space the object is modified.
Not necessarily. The object would be modified if
memcpy(&object.address, something, ...);
was written. Without taking the address it is likely modifying something else.
More information about the Kernelnewbies