Date: Fri, 30 Apr 2010 10:52:29 +0200
From: Gary Jennejohn <gljennjohn@googlemail.com>
To: Lukáš Czerner <czerner.lukas@gmail.com>
Cc: freebsd-hackers@freebsd.org, Ryan Stone <rysto32@gmail.com>
Subject: Re: ioctl, copy string from user
Message-ID: <20100430105229.57dec4f2@ernst.jennejohn.org>
In-Reply-To: <alpine.DEB.1.10.1004292320540.30007@a04-0215a.kn.vutbr.cz>
References: <alpine.DEB.1.10.1004291938210.30007@a04-0215a.kn.vutbr.cz>
 <201004291418.09768.jhb@freebsd.org>
 <alpine.DEB.1.10.1004292114360.30007@a04-0215a.kn.vutbr.cz>
 <201004291606.35899.jhb@freebsd.org>
 <alpine.DEB.1.10.1004292220170.30007@a04-0215a.kn.vutbr.cz>
 <alpine.DEB.1.10.1004292256580.30007@a04-0215a.kn.vutbr.cz>
 <x2sbc2d971004291419o546d8895vd4fcab2ee15f37b9@mail.gmail.com>
 <alpine.DEB.1.10.1004292320540.30007@a04-0215a.kn.vutbr.cz>

On Thu, 29 Apr 2010 23:23:28 +0200 (CEST)
"Lukas Czerner" <czerner.lukas@gmail.com> wrote:

> On Thu, 29 Apr 2010, Ryan Stone wrote:
>
> > Date: Thu, 29 Apr 2010 17:19:41 -0400
> > From: Ryan Stone <rysto32@gmail.com>
> > To: Lukas Czerner <czerner.lukas@gmail.com>
> > Cc: freebsd-hackers@freebsd.org
> > Subject: Re: ioctl, copy string from user
> >
> > > Apparently I need to tell ioctl how big the variable I am
> > > providing to it is ([MAXLEN]). The odd thing is, when I have a
> > > structure like this:
> > >
> > > struct lrfs_attach_info {
> > >         char *name;
> > >         int priority;
> > > };
> > >
> > > and I pass the pointer to that structure to the ioctl, it just
> > > works. I can even use the 'name' string from the structure without
> > > any problems, apparently it translates the pointer properly, but I
> > > did not expect this...
> >
> > I think that you'll find that what actually happens is that you're
> > reading from the userspace pointer. That will work as long as the
> > pointer is mapped, but you'll panic if what it points to gets swapped
> > out or is invalid.
> >
>
> Hmmm, I can prevent the pointer from being invalidated, but I doubt I
> can prevent the pointer from being swapped out. Is there some better
> way? Allocate it statically (char name[MAXLEN]), then it gets copied
> as a whole to the kernel space, doesn't it?

Look at the definition of _IOW() in /sys/sys/ioccom.h. It should
become obvious what's going on.

--
Gary Jennejohn
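
Added example, not part of the original message and not FreeBSD source: a user-space model of why the size encoded by _IOW() decides what reaches the kernel. The EX_* macros, their bit layout, the struct names and model_copyin() are assumptions modelled on sys/ioccom.h so the file builds anywhere; the sample strings are constructed.

```c
/* Added example: user-space model of an _IOW() argument copy. EX_* names and
 * the bit layout are local stand-ins modelled on sys/ioccom.h (assumption). */
#include <stdio.h>
#include <string.h>

#define EX_IOCPARM_MASK 0x1fffUL            /* assumed 13-bit length field */
#define EX_IOC_IN       0x80000000UL        /* "copy argument in" flag */
#define EX_IOW(g, n, t) (EX_IOC_IN | ((sizeof(t) & EX_IOCPARM_MASK) << 16) | \
                         ((unsigned long)(g) << 8) | (n))
#define EX_IOCPARM_LEN(c) (((c) >> 16) & EX_IOCPARM_MASK)
#define MAXLEN 64

struct attach_ptr { char *name; int priority; };        /* form from the thread */
struct attach_arr { char name[MAXLEN]; int priority; }; /* inline-buffer form */

/* Model of the generic ioctl layer: copy exactly the byte count encoded in
 * cmd into kernel storage, and nothing that the argument points to. */
static size_t model_copyin(unsigned long cmd, const void *uarg, void *karg)
{
    size_t len = (cmd & EX_IOC_IN) ? EX_IOCPARM_LEN(cmd) : 0;
    memcpy(karg, uarg, len);
    return len;
}

/* Returns 1 if the kernel-side copy still refers to user memory. */
int ptr_form_aliases_user(void)
{
    char ubuf[MAXLEN] = "lrfs0";            /* constructed sample input */
    struct attach_ptr u = { ubuf, 1 }, k;
    model_copyin(EX_IOW('L', 1, struct attach_ptr), &u, &k);
    return k.name == ubuf;                  /* only the address was copied */
}

/* Returns 1 if the kernel-side copy is unaffected by later user writes. */
int arr_form_is_private(void)
{
    struct attach_arr u = { "lrfs0", 1 }, k;
    model_copyin(EX_IOW('L', 2, struct attach_arr), &u, &k);
    u.name[0] = 'X';                        /* user rewrites its own buffer */
    k.name[MAXLEN - 1] = '\0';              /* never trust user termination */
    return strcmp(k.name, "lrfs0") == 0;
}

int main(void)
{
    printf("pointer form aliases user memory: %d\n", ptr_form_aliases_user());
    printf("array form is a private copy:     %d\n", arr_form_is_private());
    return 0;
}
```

With the pointer form, a driver has to fetch the string itself with copyinstr() into a bounded kernel buffer and check the return value instead of dereferencing name directly.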