On Sun, Sep 12, 2021 at 06:20:30PM +0200, Len Baker wrote: > I am taking a look to the issues in the Kernel Self Protection Project [1] > and this one [2] (perform taint-tracking of writes to kernel addresses > that came from userspace) take my attention. Reading the explanation does > not make it clear to me where the flaw is. > > [extracted from the KSPP] > > It should be possible to perform taint tracking of addresses in the kernel > to avoid flaws of the form: > > copy_from_user(object, src, ...); > ... > memcpy(object.address, something, ...); > > [end of extracted] > > My question is: Why is this scenario a flaw? > > If I understand correctly, the copy_from_user() function copies n bytes of > src (in user space address) to object (in kernel space address). I think > that it is the correct way to act. Then, in kernel space the object is > modified. So, I don't see the problem. Sorry if it is a trivial question > but I can not figure it out on my own. I suppose the problem is that userspace sets the value of object.address to point to something dangerous. If the kernel tries to write to that location later it will cause a crash or worse... -- Valentin _______________________________________________ Kernelnewbies mailing list Kernelnewbies@xxxxxxxxxxxxxxxxx https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
