ALIBERA / linux_raspberrypi_book

Linux Driver Development with Raspberry Pi - Practical Labs

Buffer Overflow in ledRGB_rpi3_platform.c #2

Open diekmann opened 2 years ago

diekmann commented 2 years ago

In the book, in LAB 5.2, the file ledRGB_rpi3_platform.c is presented. The struct led_dev defines the char led_value of constant size:

struct led_dev
{
    [...]
    char led_value[8];
};

Then, the write function does the following:

static ssize_t led_write(struct file *file, const char __user *buff, size_t count, loff_t *ppos)
{
    [..., but `count` is never modified or tested]

    led_device = container_of(file->private_data,
                  struct led_dev, led_misc_device);

    /*
     * terminal echo add \n character.
     * led_device->led_value = "on\n" or "off\n after copy_from_user"
     */
    if(copy_from_user(led_device->led_value, buff, count)) {
        pr_info("Bad copied value\n");
        return -EFAULT;
    }

    [...]
}

IIUC, count is a user-supplied value. A user controls both buff and count. By specifying a count greater than the buffer length of 8, a malicious user can overwrite arbitrary kernel memory.

Example attack:

echo AAAAAAAAAAAAAAAAAAAAAAAAAAAA > /dev/ledblue

Disclaimer: I haven't tested this report.
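As an added example (not code from the book or from this repository), the block below is a user-space model of the bounds check that the `led_write` handler above lacks. The kernel's `copy_from_user()` is replaced by a `memcpy` stand-in so the logic compiles and runs without a kernel, the `struct led_dev_model`, the `CANARY` marker and the helper names are assumptions made for the demonstration, and the hardened handler validates `count` against `sizeof(led_value)` before copying and keeps room for a terminating NUL.

```c
/* Added example (not the book's code): a user-space model of the bounds
 * check missing from led_write(). copy_from_user() is replaced by a memcpy
 * stand-in so the logic compiles and runs without a kernel. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define LED_VALUE_LEN 8          /* same size as char led_value[8] in struct led_dev */
#define CANARY "CANARY!"         /* 7 chars + NUL = 8 bytes, placed right after the buffer */

struct led_dev_model {
    char led_value[LED_VALUE_LEN];
    char canary[8];              /* an overflow of led_value would land here first */
};

/* Stand-in for the kernel's copy_from_user(): returns the number of bytes
 * NOT copied, so 0 means success (assumption: the source is always readable). */
static unsigned long copy_from_user_model(void *to, const void *from, unsigned long n)
{
    memcpy(to, from, n);
    return 0;
}

/* Hardened write: count is validated against the destination before the copy,
 * and room is kept for a terminating NUL so later string comparisons are safe. */
static long led_write_checked(struct led_dev_model *dev, const char *buff, size_t count)
{
    if (count == 0 || count >= sizeof(dev->led_value))
        return -EINVAL;          /* would not fit: refuse instead of overflowing */
    if (copy_from_user_model(dev->led_value, buff, count))
        return -EFAULT;
    dev->led_value[count] = '\0';
    return (long)count;          /* bytes consumed, as a write handler reports */
}

/* Drive one write against a fresh device and report the handler's result. */
static long try_write(const char *buff, size_t count)
{
    struct led_dev_model dev;
    memset(&dev, 0, sizeof(dev));
    memcpy(dev.canary, CANARY, sizeof(dev.canary));
    return led_write_checked(&dev, buff, count);
}

/* 1 if the canary after led_value survives the write, 0 if it was clobbered. */
static int canary_intact_after(const char *buff, size_t count)
{
    struct led_dev_model dev;
    memset(&dev, 0, sizeof(dev));
    memcpy(dev.canary, CANARY, sizeof(dev.canary));
    (void)led_write_checked(&dev, buff, count);
    return memcmp(dev.canary, CANARY, sizeof(dev.canary)) == 0;
}

int main(void)
{
    const char *ok = "on\n";                           /* what `echo on > /dev/ledblue` delivers */
    const char *big = "AAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"; /* the 28-byte echo from the report, plus \n */

    printf("write \"on\\n\" (3 bytes): %ld\n", try_write(ok, strlen(ok)));
    printf("write 29 bytes: %ld (EINVAL is %d)\n", try_write(big, strlen(big)), -EINVAL);
    printf("canary intact after oversize write: %d\n", canary_intact_after(big, strlen(big)));
    return 0;
}
```

Rejecting with `-EINVAL` is one of two reasonable choices; the other is to clamp `count` to `sizeof(led_value) - 1` and copy only that much, which keeps `echo` working but silently truncates. Either way the check has to happen before `copy_from_user()`, because that call will faithfully copy whatever length it is given.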