Hi, I am taking a look to the issues in the Kernel Self Protection Project [1] and this one [2] (perform taint-tracking of writes to kernel addresses that came from userspace) take my attention. Reading the explanation does not make it clear to me where the flaw is. [extracted from the KSPP] It should be possible to perform taint tracking of addresses in the kernel to avoid flaws of the form: copy_from_user(object, src, ...); ... memcpy(object.address, something, ...); [end of extracted] My question is: Why is this scenario a flaw? If I understand correctly, the copy_from_user() function copies n bytes of src (in user space address) to object (in kernel space address). I think that it is the correct way to act. Then, in kernel space the object is modified. So, I don't see the problem. Sorry if it is a trivial question but I can not figure it out on my own. [1] https://github.com/KSPP/linux/issues [2] https://github.com/KSPP/linux/issues/126 Thanks in advance. Regards, Len _______________________________________________ Kernelnewbies mailing list Kernelnewbies@xxxxxxxxxxxxxxxxx https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
