Skip to content

Fix retrieve user value in IOCTL_VALSET_NUM case#359

Open
applepwc wants to merge 1 commit intosysprog21:masterfrom
applepwc:fix
Open

Fix retrieve user value in IOCTL_VALSET_NUM case#359
applepwc wants to merge 1 commit intosysprog21:masterfrom
applepwc:fix

Conversation

@applepwc
Copy link

@applepwc applepwc commented Feb 10, 2026
edited by cubic-dev-ai bot
Loading

The test program is:

    arg.val = 0xAA;
    ioctl(fd, IOCTL_VALSET_NUM, &arg);

    arg.val = 0;
    ioctl(fd, IOCTL_VALGET_NUM, &arg);
    printf("Read val: 0x%x\n", arg.val);

Summary by cubic

Fix IOCTL_VALSET_NUM to read the integer via get_user from the user pointer instead of using arg directly. Returns -EFAULT on bad pointers, prevents invalid memory access, and makes the set/get test pass.

Written for commit a507630. Summary will update on new commits.

cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Feb 10, 2026
View reviewed changes
Copy link

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 1 file

@EricccTaiwan EricccTaiwan requested a review from jserv February 10, 2026 13:32
jserv
jserv requested changes Feb 10, 2026
View reviewed changes
Copy link
Contributor

@jserv jserv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove "fix: " in the subject of git commit messages.
Refine git commit message, making it more informative. See https://chris.beams.io/git-commit
Don't close this pull request. Use git force-push instead.

linD026
linD026 requested changes Feb 10, 2026
View reviewed changes
examples/ioctl.c Outdated

case IOCTL_VALSET_NUM:
ioctl_num = arg;
int user_val;
Copy link
Collaborator

@linD026 linD026 Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To be compatible with the old version, which might still use the C89 standard.
Don't declare the variable inside the switch statement.
Or, you should declare the variable within the block scope.

Also, if you want to declare the variable inside the switch statement, please fix this:

ioctl.c:78:9: error: typename in expression
ioctl.c:78:13: error: Expected ; at end of statement
ioctl.c:78:13: error: got user_val
ioctl.c:78:9: error: undefined identifier 'int'
ioctl.c:79:13: error: undefined identifier 'user_val'
ioctl.c:81:21: error: undefined identifier 'user_val'

@applepwc
Copy link
Author

applepwc commented Feb 13, 2026

Hello, I force-pushed a new commit. Please review it.

@visitorckw
Copy link
Contributor

visitorckw commented Feb 13, 2026

Hello, I force-pushed a new commit. Please review it.

Github notifies the relevant people automatically, so there's no need to leave a comment like this.

@visitorckw
Copy link
Contributor

visitorckw commented Feb 13, 2026

Thanks for the patch.

While this addresses the pointer-to-value mismatch, should we consider whether IOCTL_VALSET_NUM is better suited for "pass-by-value" rather than "pass-by-reference"?

Currently, the macro is defined as:

#define IOCTL_VALSET_NUM _IOW(IOC_MAGIC, 3, int)

Using _IOW implies that arg is a user-space pointer. However, for a simple integer assignment, would it be more idiomatic to use pass-by-value by redefining the macro with _IO? This would allow us to keep the logic lightweight without the overhead of memory copying.

jserv
jserv requested changes Feb 13, 2026
View reviewed changes
Copy link
Contributor

@jserv jserv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ensure consistent code style with 'clang-format' in examples directory.

@jserv jserv changed the title fix: Retrieve user value in IOCTL_VALSET_NUM case Fix retrieve user value in IOCTL_VALSET_NUM case Feb 13, 2026
@applepwc @web3devsad
Fix retrieve user value in IOCTL_VALSET_NUM case
a507630 
The original implementation of IOCTL_VALSET_NUM incorrectly treated the
ioctl 'arg' parameter as the integer value itself, when it's actually a
user-space pointer to an integer.

This caused the global ioctl_num variable to be set to the memory address
of the user-space pointer rather than the intended integer value,
leading to incorrect behavior and potential security issues.

Fix by properly dereferencing the user pointer using get_user() to safely
copy the integer value from user space to kernel space.
@applepwc
Copy link
Author

applepwc commented Feb 13, 2026

Yes, using _IO with pass-by-value is more idiomatic and avoids unnecessary memory copying.
But this would be an ABI change: existing user-space code calling ioctl(fd, IOCTL_VALSET_NUM, &value) would break.

@visitorckw
Copy link
Contributor

visitorckw commented Feb 13, 2026

Wouldn't the proposed patch also change the existing ABI?

@applepwc
Copy link
Author

applepwc commented Feb 13, 2026

Hello, I'm uncertain whether to add more code as shown below or simply rewrite the original.

#define IOCTL_VALSET_NUM2 _IO(IOC_MAGIC, 4)
#define IOCTL_VAL_MAXNR 4
...
case IOCTL_VALSET_NUM2:
    ioctl_num = (int)arg; 
    break;

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

@jserv jserv jserv requested changes

@linD026 linD026 linD026 requested changes

+1 more reviewer

@EricccTaiwan EricccTaiwan EricccTaiwan approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@applepwc @visitorckw @jserv @linD026 @EricccTaiwan