Hi all!
On 12/09/2021 18:20, Len Baker wrote:
[...]
[extracted from the KSPP]
It should be possible to perform taint tracking of addresses in the kernel
to avoid flaws of the form:
copy_from_user(object, src, ...);
...
memcpy(object.address, something, ...);
[end of extracted]
My question is: Why is this scenario a flaw?
If I understand correctly, the copy_from_user() function copies n bytes of
src (in user space address) to object (in kernel space address). I think > that it is the correct way to act. Then, in kernel space the object is
Yup.
modified. So, I don't see the problem. Sorry if it is a trivial question
but I can not figure it out on my own.
Shouldn't the memcpy() be a copy_to_user() as object.address is setup by
the user space and thus a user space address?
MfG,
Bernd
--
Bernd Petrovitsch Email : bernd@xxxxxxxxxxxxxxxxxxx
There is NO CLOUD, just other people's computers. - FSFE
LUGA : http://www.luga.at
_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@xxxxxxxxxxxxxxxxx
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
