Open kees opened 3 years ago
It should be possible to perform taint tracking of addresses (or any data, really) in the kernel to avoid flaws of the form:
```c
copy_from_user(object, src, ...);
...
/* no validation of object.address */
...
memcpy(object.address, something, ...);
```
We need better tooling to perform this kind of "taint tracking" within the kernel to better catch cases where validation is missing.
On the static analysis front: the `__user` annotation and the "address space" checks sparse does, but its application has been rather limited in scope. smatch is likely better suited to the job, using function-graph data-flow analysis.

Better yet would be run-time analysis:
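As an added illustration (not part of the issue above, and not kernel code), the following user-space C program models the `copy_from_user` → unchecked `object.address` → `memcpy` pattern with a minimal run-time taint bit. `copy_from_user_sim`, `validate_addr`, `sink_memcpy`, `user_region` and the `request` struct are all constructed stand-ins: the real `copy_from_user()`/`access_ok()` are not called, and the "user address space" is just a fixed buffer. The point it shows is how a sink that consults a taint flag catches the missing validation even on an address that happens to be in range, while the explicit bounds check both clears the taint and rejects an out-of-range address.

```c
/* Added example (not from the issue): a tiny user-space model of the
 * "copy_from_user then use object.address unchecked" pattern, with a
 * minimal run-time taint bit that flags the missing validation.
 * Kernel APIs (copy_from_user, access_ok) are stand-ins, not the real ones. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <stdbool.h>

/* Simulated user address space: a fixed buffer stands in for the
 * region an access_ok()-style check would accept. */
static uint8_t user_region[256];

/* Request struct as copied from user: carries an address field. */
struct request {
    uintptr_t address;
    uint32_t  len;
};

/* An address plus a taint bit: set when it came from user, cleared only
 * by an explicit validation step. */
struct tainted_addr {
    uintptr_t value;
    bool      tainted;
};

/* Stand-in for copy_from_user(): everything it produces is tainted. */
static struct tainted_addr copy_from_user_sim(const struct request *src)
{
    struct tainted_addr a = { .value = src->address, .tainted = true };
    return a;
}

/* Stand-in for the access_ok()-style check: accept only addresses whose
 * [addr, addr+len) lies inside user_region, and clear the taint on success. */
static bool validate_addr(struct tainted_addr *a, uint32_t len)
{
    uintptr_t lo = (uintptr_t)user_region;
    uintptr_t hi = lo + sizeof(user_region);
    if (a->value < lo || a->value > hi || len > hi - a->value) /* overflow-safe */
        return false;
    a->tainted = false;
    return true;
}

/* Sink: the memcpy destination. Refuses tainted (unvalidated) addresses.
 * Returns bytes written, or -1 when the taint check fires. */
static int sink_memcpy(struct tainted_addr dst, const void *src, uint32_t len)
{
    if (dst.tainted) {
        fprintf(stderr, "taint violation: unvalidated address used as memcpy destination\n");
        return -1;
    }
    memcpy((void *)dst.value, src, len);
    return (int)len;
}

/* The flawed handler from the issue: no validation between copy and use. */
static int handler_unvalidated(const struct request *req, const void *payload)
{
    struct tainted_addr dst = copy_from_user_sim(req);
    /* ... no validation of object.address ... */
    return sink_memcpy(dst, payload, req->len);
}

/* The corrected handler: validate, then use. */
static int handler_validated(const struct request *req, const void *payload)
{
    struct tainted_addr dst = copy_from_user_sim(req);
    if (!validate_addr(&dst, req->len))
        return -1; /* would be -EFAULT in the kernel */
    return sink_memcpy(dst, payload, req->len);
}

int main(void)
{
    const char payload[] = "hello"; /* constructed sample data, 6 bytes with NUL */
    struct request in_range  = { .address = (uintptr_t)user_region + 16, .len = sizeof(payload) };
    struct request out_range = { .address = (uintptr_t)user_region + sizeof(user_region) - 2,
                                 .len = sizeof(payload) };

    printf("unvalidated handler:            %d\n", handler_unvalidated(&in_range, payload));
    printf("validated handler, in range:    %d\n", handler_validated(&in_range, payload));
    printf("validated handler, out of range: %d\n", handler_validated(&out_range, payload));
    return 0;
}
```

The taint bit here is deliberately coarse (one flag per address, cleared by one validator); a real run-time tracker would need to propagate it through arithmetic and struct copies, which is exactly the tooling gap the issue describes.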