From: Kees Cook
Sent: 11 June 2020 04:03
...
IIRC other kernels (eg NetBSD) do the copies for ioctl() requests in the ioctl syscall wrapper. The IOW/IOR/IOWR flags have to be right.
Yeah, this seems like it'd make a lot more sense (and would have easily caught the IOR/IOW issue pointed out later in the thread). I wonder how insane it would be to try to fix that globally in the kernel...
Seems like a good idea to me. (Even though I'll need to fix our 'out of tree' modules.)
Unlike [sg]etsockopt() at least the buffer is bounded to 1k.
But you'd really need to add new kernel_ioctl() entry points before deprecating the existing ones a release or two later.
With a bit of luck there aren't any drivers ported from SYSV that just treat the ioctl command as a 32bit transparent value and the argument as an integer.
I actually suspect that BSD added IOW (etc) in the 16bit to 32bit port. The kernel copies being moved to the syscall stub at the same time. Since Linux has only ever been 32bit and uses IOW is it actually odd that Linus didn't do the copies in the stub.
David
- Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)