On Tue, Feb 25, 2020 at 10:08 PM Gregory Nutt <spudan...@gmail.com> wrote:
>
>
> > I meant that, if userspace wants to read some kernel memory, it can pass
> > the kernel pointer to e.g. the write system call as the buffer argument,
> > and then read the contents of the file.
>
> I guess I still don't understand. Access is still via file descriptor.
> You could certainly clobber kernel memory with a read in that way. But
> it is not clear how you could read the kernel memory into user space.
Here is an example: a program opens a malicious ELF and calls read with a pointer to the kernel stack; then the kernel may run code from the ELF after the kernel finishes and returns.

> > My question was if these kinds of checks were for some reason considered
> > unnecessary for NuttX.
>
> At this point, they were never considered at all. Whenever I find
> security issues in PROTECTED builds, I add that to the TODO list (if I
> don't fix them).
>

I think that most syscalls which contain pointers have the security issue in PROTECTED/KERNEL mode.

> Greg
>
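The mitigation the thread is circling is a range check on every pointer argument a system call receives, applied before the kernel reads or writes through it. The C below is an added illustration of that check and is not NuttX code: the user-region bounds, the function names user_range_ok and checked_write, and the kernel-stack address used in the demo are all constructed for the example. It also covers the edge case a naive `addr + len` comparison misses, a length chosen so that the sum wraps around the address space.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed user-space address window for this example. A real
 * PROTECTED/KERNEL build would take these bounds from its memory map
 * or MPU configuration (hypothetical values, not NuttX's). */
#define USER_REGION_START ((uintptr_t)0x20000000u)
#define USER_REGION_END   ((uintptr_t)0x20020000u)   /* exclusive */

/* Return true only if the whole range [addr, addr + len) lies inside the
 * user region. The length is compared against the space remaining in the
 * region rather than computing addr + len, so a length chosen to wrap the
 * address space cannot slip past the check. */
bool user_range_ok(uintptr_t addr, size_t len)
{
    if (addr < USER_REGION_START || addr >= USER_REGION_END) {
        return false;               /* start of the buffer is not user memory */
    }
    if (len > USER_REGION_END - addr) {
        return false;               /* buffer runs past the end of user memory */
    }
    return true;
}

/* Skeleton of a pointer-taking system call entry that refuses kernel
 * addresses. Only the argument check is modelled: on success it returns
 * the byte count it would hand to the real write path, on failure -EFAULT. */
long checked_write(uintptr_t user_buf, size_t len)
{
    if (!user_range_ok(user_buf, len)) {
        return -EFAULT;
    }
    /* ... a real implementation would copy from user_buf and write to the fd ... */
    return (long)len;
}

int main(void)
{
    /* Constructed addresses: one inside the user window, one standing in
     * for a kernel stack location that a user program must not be able to name. */
    uintptr_t user_ptr   = (uintptr_t)0x20001000u;
    uintptr_t kernel_ptr = (uintptr_t)0x08001000u;

    printf("write(user_ptr, 64)   -> %ld\n", checked_write(user_ptr, 64));
    printf("write(kernel_ptr, 64) -> %ld\n", checked_write(kernel_ptr, 64));
    printf("write(user_ptr, huge) -> %ld\n", checked_write(user_ptr, SIZE_MAX));
    return 0;
}
```

The check runs once at the syscall boundary and the rest of the handler can then trust the pointer; the same helper would wrap the buffer arguments of read, ioctl, or any other call that takes user memory.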