Opened 15 months ago

Closed 15 months ago

Last modified 4 months ago

#15058 closed bug (fixed)

_user_ioctl checks int argument as a buffer address

Reported by: korli
Owned by: nobody
Priority: normal
Milestone: R1/beta2
Component: System/POSIX
Version: R1/Development
Keywords:
Cc:
Blocked By:
Blocking:
Platform: All

Description clearly specifies that:

The arg argument represents additional information that is needed by this specific STREAMS device to perform the requested function. The type of arg depends upon the particular control request, but it shall be either an integer or a pointer to a device-specific data structure.

But the way _user_ioctl() checks doesn't allow an integer argument, only a pointer argument.

_user_ioctl(int fd, uint32 op, void* buffer, size_t length)
	if (buffer != NULL && !IS_USER_ADDRESS(buffer))
		return B_BAD_ADDRESS;

Functions like tcdrain(), tcflow(), tcflush() and tcsendbreak() use an int argument, thus can't work as expected.

Change History (4)

comment:1 by korli, 15 months ago

I would just remove the buffer check, delegating this check to the component.
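
The rejection described in this ticket and the delegation proposed in comment:1, shown as an added user-space model that is not part of the ticket and not Haiku kernel code. The address range, op codes and status values are constructed assumptions; only the shape of the generic check comes from the ticket.

```c
/* Added example: user-space model, not Haiku kernel code.
 * MODEL_USER_BASE/TOP, the op codes and status values are constructed. */
#include <stddef.h>
#include <stdint.h>

#define MODEL_USER_BASE 0x00100000UL   /* assumed start of the user address range */
#define MODEL_USER_TOP  0x7fffffffUL   /* assumed end of the user address range */
#define MODEL_OK           0
#define MODEL_BAD_ADDRESS (-1)          /* stands in for B_BAD_ADDRESS */
#define MODEL_BAD_VALUE   (-2)

/* Hypothetical requests: one takes an integer, one takes a pointer. */
enum { OP_FLUSH = 1, OP_GET_STATE = 2 };

static int is_user_address(uintptr_t a)
{
	return a >= MODEL_USER_BASE && a <= MODEL_USER_TOP;
}

/* Component-side handler: only it knows how each op interprets arg. */
static int component_ioctl(uint32_t op, uintptr_t arg)
{
	switch (op) {
	case OP_FLUSH:       /* arg is a small selector, never dereferenced */
		return arg <= 3 ? MODEL_OK : MODEL_BAD_VALUE;
	case OP_GET_STATE:   /* arg is a user pointer: validate before use */
		return is_user_address(arg) ? MODEL_OK : MODEL_BAD_ADDRESS;
	default:
		return MODEL_BAD_VALUE;
	}
}

/* Check as quoted in the ticket: every non-NULL arg must be a user address. */
int ioctl_generic_check(uint32_t op, uintptr_t arg)
{
	if (arg != 0 && !is_user_address(arg))
		return MODEL_BAD_ADDRESS;
	return component_ioctl(op, arg);
}

/* Check delegated to the component, as comment:1 proposes. */
int ioctl_delegated_check(uint32_t op, uintptr_t arg)
{
	return component_ioctl(op, arg);
}
```

With the check delegated, every component that treats arg as a pointer has to validate it itself before dereferencing it.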

comment:3 by waddlesplash, 15 months ago

Resolution: fixed
Status: new → closed

Merged in hrev53121.

comment:4 by nielx, 4 months ago

Milestone: Unscheduled → R1/beta2

Assign tickets with status=closed and resolution=fixed within the R1/beta2 development window to the R1/beta2 Milestone
