On Sun, Sep 12, 2021 at 9:21 AM Len Baker <[email protected]> wrote: > It should be possible to perform taint tracking of addresses in the kernel > to avoid flaws of the form: > > copy_from_user(object, src, ...); > ... > memcpy(object.address, something, ...); > > [end of extracted] > > My question is: Why is this scenario a flaw?
Because of the first argument of memcpy. > If I understand correctly, the copy_from_user() function copies n bytes of > src (in user space address) to object (in kernel space address). I think > that it is the correct way to act. Yes. > Then, in kernel space the object is modified. Not necessarily. The object would be modified if memcpy(&object.address, something, ...); was written. Without taking the address it is likely modifying something else. _______________________________________________ Kernelnewbies mailing list [email protected] https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
