Opened 4 months ago

Closed 4 months ago

#15058 closed bug (fixed)

_user_ioctl checks int argument as a buffer address

Reported by: korli
Owned by: nobody
Priority: normal
Milestone: Unscheduled
Component: System/POSIX
Version: R1/Development
Keywords:
Cc:
Blocked By:
Blocking:
Has a Patch: no
Platform: All

Description

http://pubs.opengroup.org/onlinepubs/9699919799/functions/ioctl.html clearly specifies that:

The arg argument represents additional information that is needed by this specific STREAMS device to perform the requested function. The type of arg depends upon the particular control request, but it shall be either an integer or a pointer to a device-specific data structure.

But the way _user_ioctl() checks doesn't allow an integer argument, only a pointer argument.

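status_t
_user_ioctl(int fd, uint32 op, void* buffer, size_t length)
{
	// Any non-NULL argument is treated as a user-space pointer, so an
	// integer argument outside the user address range is rejected here.
	if (buffer != NULL && !IS_USER_ADDRESS(buffer))
		return B_BAD_ADDRESS;

	// ... (remainder of the function not shown in the ticket)
}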

Functions like tcdrain(), tcflow(), tcflush() and tcsendbreak() use an int argument, thus can't work as expected.

Change History (3)

comment:1 by korli, 4 months ago

I would just remove the buffer check, delegating this check to the component.

comment:3 by waddlesplash, 4 months ago

Resolution: fixed
Status: new → closed

Merged in hrev53121.
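
The behaviour reported above and the delegation proposed in comment:1, as an added user-space C model (not Haiku source and not the merged change). The address bounds, status codes, request numbers and function names are constructed placeholders. It also shows what delegation implies: without the central check, each handler has to validate its own pointer arguments.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed placeholders: bounds, status codes and request numbers
 * are assumptions for this model, not Haiku's real definitions. */
#define MODEL_USER_BASE 0x00100000u
#define MODEL_USER_TOP  0x7fffffffu
enum { OK = 0, BAD_ADDRESS = -1, BAD_VALUE = -2 };
enum { REQ_FLUSH = 1, REQ_GET_ATTR = 2 };   /* int arg vs. pointer arg */
enum { FLUSH_IN = 1, FLUSH_OUT = 2, FLUSH_BOTH = 3 };

static int is_user_address(uintptr_t a)
{
	return a >= MODEL_USER_BASE && a <= MODEL_USER_TOP;
}

/* Shape of the check quoted in the ticket: every non-NULL arg is a pointer. */
int ioctl_generic_check(int op, uintptr_t arg)
{
	(void)op;
	if (arg != 0 && !is_user_address(arg))
		return BAD_ADDRESS;
	return OK;
}

/* Delegated validation: the handler knows the type of arg per request. */
int ioctl_delegated(int op, uintptr_t arg, size_t length)
{
	switch (op) {
	case REQ_FLUSH:      /* integer argument: range-check the value */
		return (arg >= FLUSH_IN && arg <= FLUSH_BOTH) ? OK : BAD_VALUE;
	case REQ_GET_ATTR:   /* pointer argument: whole buffer must be user memory */
		if (arg == 0 || length == 0 || !is_user_address(arg)
			|| length - 1 > MODEL_USER_TOP - arg)
			return BAD_ADDRESS;
		return OK;
	default:
		return BAD_VALUE;
	}
}

int main(void)
{
	printf("generic, int arg: %d\n", ioctl_generic_check(REQ_FLUSH, FLUSH_OUT));
	printf("delegated, int arg: %d\n", ioctl_delegated(REQ_FLUSH, FLUSH_OUT, 0));
	return 0;
}
```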
