Summary: | ioctl() incorrectly decodes argument | | |
---|---|---|---|
Product: | glibc | Reporter: | Samuel Thibault <samuel.thibault> |
Component: | hurd | Assignee: | Roland McGrath <roland> |
Status: | NEW --- | | |
Severity: | normal | CC: | bug-hurd, glibc-bugs, tschwinge |
Priority: | P2 | Flags: | fweimer: security- |
Version: | 2.3.6 | | |
Target Milestone: | --- | | |
Host: | i686-unknown-gnu0.3 | Target: | |
Build: | | Last reconfirmed: | |
Attachments: | Proposed patch; testcase (was failing); Testcase (still works) | | |

Description
Samuel Thibault
2005-02-25 18:32:20 UTC
Created attachment 561 [details]
Proposed patch
This patch corrects the no-parameter case, and adds an _IOIW() ioctl declaration
macro for ioctls that would get value as immediates rather than by pointer (IO
Immediate Write).
Created attachment 562 [details]
testcase (was failing)
This testcase was failing with this error message:
ioctl: (ipc/mig) server type check failure
With previously attached patch, it now works.
Created attachment 563 [details]
Testcase (still works)
This testcase checks that ioctls continue to work, even "1 integer passed via
pointer" ones.
Hi,

I attached a patch to correct the bug: it corrects the meaning of IOC_VOID / IOC_IN / IOC_OUT:
- IOC_OUT / IOC_IN means that data is passed via a pointer (input/output/both ways);
- IOC_VOID means that either there is no data (_IOT_COUNT0 (type) == 0), or the only data is an integer passed as an immediate value (_IOT_COUNT0 (type) == 1).

When (_IOT_COUNT0(type) == 0), that means there is no data, so va_start/va_arg/va_end are now not even called, avoiding any random value or even crash.

I looked through the list of hurd's ioctls, there is none that uses an immediate argument, but since there is code to handle that case when building the RPC, I guess it was yet considered to be possible. And indeed some other systems sometimes define ioctl with immediate arguments: TCSBRK, TCXONC, TCFLSH, TIOSCTTY, HDIO_SET_DMA & such, LPCHAR, ... So I added an _IOIW() macro to let people define such ioctl calls (IO Immediate Write).

Please ignore the "TIOCSETD segfaults" testcase in previous bug report: of course the integer should be passed via a pointer in this case. The two attached testcases work correctly with the patch applied.

Regards,
Samuel

Comment on attachment 561 [details]
Proposed patch

2005-07-28 Samuel Thibault <samuel.thibault@ens-lyon.org>
* ioctl.c (__ioctl): Add handling of parameter-less ioctls.

2005-07-28 Samuel Thibault <samuel.thibault@ens-lyon.org>
* ioctls.h (_IOIW): New macro for immediate-write ioctls.

Any progress on this issue?

updated version, still outstanding post-2.3.6

6753048948b86f3b045710f77e1616b348562fa9

Is the test case worth being added, too? Having regression cases in the libc test suite is always a good idea.

*** Bug 260998 has been marked as a duplicate of this bug. ***
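
The decoding rule described in the report, as an added example that is not glibc's code or the attached patch: a variadic wrapper reads its optional argument only when the request encoding says one was passed, so a parameter-less request never pulls an indeterminate value out of the `va_list`. The `DEMO_*` bit layout, the names, and the rejection of counts above 1 for void requests are assumptions made for this illustration.

```c
#include <stdarg.h>
#include <stddef.h>

/* Constructed request layout for this example only (not the Hurd encoding):
   bits 31-30 = direction, bits 12-8 = count of datum #0, bits 7-0 = command. */
enum demo_dir { DEMO_VOID = 0, DEMO_OUT = 1, DEMO_IN = 2, DEMO_INOUT = 3 };
#define DEMO_REQ(dir, count0, cmd) \
    (((unsigned long)(dir) << 30) | ((unsigned long)(count0) << 8) | (unsigned long)(cmd))
#define DEMO_DIR(req)    (((req) >> 30) & 0x3UL)
#define DEMO_COUNT0(req) (((req) >> 8) & 0x1fUL)

enum demo_kind { ARG_NONE, ARG_IMMEDIATE, ARG_POINTER, ARG_INVALID };
struct demo_arg { enum demo_kind kind; int imm; void *ptr; };

/* Decide how the optional third argument must be read, as the report describes. */
struct demo_arg demo_ioctl_decode(unsigned long req, ...)
{
    struct demo_arg d = { ARG_NONE, 0, NULL };
    va_list ap;

    if (DEMO_DIR(req) == DEMO_VOID) {
        switch (DEMO_COUNT0(req)) {
        case 0:              /* no data: the va_list is never touched */
            return d;
        case 1:              /* one integer passed by value */
            va_start(ap, req);
            d.kind = ARG_IMMEDIATE;
            d.imm = va_arg(ap, int);
            va_end(ap);
            return d;
        default:             /* assumption: larger counts are rejected */
            d.kind = ARG_INVALID;
            return d;
        }
    }
    /* IN, OUT or both: the caller passed a pointer to the data. */
    va_start(ap, req);
    d.kind = ARG_POINTER;
    d.ptr = va_arg(ap, void *);
    va_end(ap);
    return d;
}
```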