Can I pass an integer to `access_ok()` as it's second argument?

1k views Asked by At

In LDD3's example, access_ok() is placed at the beginning of ioctl method of a kernel module to check whether a pointer passed from userspace is valid. It is correct when userspace application calls ioctl() system call, and passes it an address of a variable. In some cases, however, ioctl() system call is invoked with a value instead of a pointer as third argument and finally the second argument of access_ok() in kernel module.

I've tried to pass an integer as access_ok()'s second argument and it works fine. No error was reported. But I don't very sure that is this usage correct?

For example, if I invoke ioctl() in userspace with it's third argument to be '3'. Then, in ioctl() method of struct file_operations, access_ok() will receive 3 as it's second argument. Because the access_ok() expects a pointer, so it translates 3 to be a userspace pointer. Obversely, it's wrong...

2

There are 2 answers

2
Tsyvarev On BEST ANSWER

Actually, access_ok's check is rough. Description of the function (in the source file) say:

Note that, depending on architecture, this function probably just checks that the pointer is in the user space range - after calling this function, memory access functions may still return -EFAULT.

E.g., according to source arch/x86/include/asm/uaccess.h, on x86 access_ok just checks that given address points to the lower area (because kernel besides in the upper area). So, it returns true for address equal to 3.

It is copy_from_user/copy_to_user who return a final verdict about user memory accessibility.

0
CL. On

Userspace programs can give you any random value as a pointer, so access_ok() must be able to handle any random value. So it is definitely OK to call access_ok() with a non-pointer value.

However, unless you are actually going to try to access that memory location, calling access_ok() is utterly pointless. (For that matter, you should, if possible, avoid access_ok() and just check the actual userspace accesses (get_user() etc.) for errors.)