Opened 6 years ago

Closed 6 years ago

Last modified 5 years ago

#15058 closed bug (fixed)

_user_ioctl checks int argument as a buffer address

Reported by: korli
Owned by: nobody
Priority: normal
Milestone: R1/beta2
Component: System/POSIX
Version: R1/Development
Keywords:
Cc:
Blocked By:
Blocking:
Platform: All

Description

http://pubs.opengroup.org/onlinepubs/9699919799/functions/ioctl.html clearly specifies that:

The arg argument represents additional information that is needed by this specific STREAMS device to perform the requested function. The type of arg depends upon the particular control request, but it shall be either an integer or a pointer to a device-specific data structure.

But the way _user_ioctl() checks doesn't allow an integer argument, only a pointer argument.

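status_t
_user_ioctl(int fd, uint32 op, void* buffer, size_t length)
{
	/* Any non-NULL argument must be a user-space address, so an integer
	   argument that is not a valid user address is rejected here. */
	if (buffer != NULL && !IS_USER_ADDRESS(buffer))
		return B_BAD_ADDRESS;

	/* ... rest of the function is not quoted in the ticket ... */
}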

Functions like tcdrain(), tcflow(), tcflush() and tcsendbreak() use an int argument, thus can't work as expected.

Change History (4)

comment:1 by korli, 6 years ago

I would just remove the buffer check, delegating this check to the component.
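The delegation proposed in comment:1, modelled in user-space C as an added example that is not part of the ticket or of Haiku's code: the generic layer forwards the argument untouched and the component validates it per request, so pointer requests are still checked. The op codes, status values, `is_user_range` and the `user_mem` window are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { OK = 0, BAD_ADDRESS = -1, BAD_VALUE = -2 };  /* stand-ins for status_t codes */
enum { OP_FLUSH = 1, OP_GET_SPEED = 2 };            /* hypothetical: int arg, pointer arg */
static unsigned char user_mem[256];  /* constructed stand-in for the user address range */

/* Model of IS_USER_ADDRESS, extended to cover the whole [addr, addr + len) span. */
static int is_user_range(uintptr_t addr, size_t len) {
	uintptr_t base = (uintptr_t)user_mem;
	return addr >= base && len <= sizeof(user_mem)
		&& addr - base <= sizeof(user_mem) - len;
}

/* Component handler: only it knows whether arg is an integer or a pointer. */
static int device_control(uint32_t op, void *arg, size_t len) {
	uint32_t speed = 9600;  /* constructed value */
	switch (op) {
	case OP_FLUSH:      /* integer argument: range-checked, never dereferenced */
		return (uintptr_t)arg <= 2 ? OK : BAD_VALUE;
	case OP_GET_SPEED:  /* pointer argument: validated before the copy-out */
		if (len < sizeof(speed) || !is_user_range((uintptr_t)arg, sizeof(speed)))
			return BAD_ADDRESS;
		memcpy(arg, &speed, sizeof(speed));  /* a kernel would use a fault-safe user copy */
		return OK;
	}
	return BAD_VALUE;
}

/* Generic layer with the check quoted in the ticket: any non-NULL arg must be an address. */
static int ioctl_generic_check(uint32_t op, void *arg, size_t len) {
	if (arg != NULL && !is_user_range((uintptr_t)arg, 1))
		return BAD_ADDRESS;
	return device_control(op, arg, len);
}

/* Generic layer once the check is delegated to the component. */
static int ioctl_delegated(uint32_t op, void *arg, size_t len) {
	return device_control(op, arg, len);
}

int main(void) {
	int before = ioctl_generic_check(OP_FLUSH, (void *)(uintptr_t)2, 0);
	int after = ioctl_delegated(OP_FLUSH, (void *)(uintptr_t)2, 0);
	printf("generic check: %d, delegated: %d\n", before, after);
	return 0;
}
```

With the generic check gone, every component that accepts a pointer request has to perform this validation itself; a handler that omits it would write to whatever address the caller supplied.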

comment:3 by waddlesplash, 6 years ago

Resolution: fixed
Status: new → closed

Merged in hrev53121.

comment:4 by nielx, 5 years ago

Milestone: Unscheduled → R1/beta2

Assign tickets with status=closed and resolution=fixed within the R1/beta2 development window to the R1/beta2 Milestone
