On Wed, Jun 10, 2020 at 08:48:45AM +0000, David Laight wrote:
> From: Sargun Dhillon
> > Sent: 10 June 2020 09:13
> In essence the 'copy_to_user' is done by the wrapper code.
> The code filling in the CMSG buffer can be considered to be
> writing a kernel buffer.
>
> IIRC other kernels (eg NetBSD) do the copies for ioctl() requests
> in the ioctl syscall wrapper.
> The IOW/IOR/IOWR flags have to be right.

Yeah, this seems like it'd make a lot more sense (and would have easily
caught the IOR/IOW issue pointed out later in the thread). I wonder how
insane it would be to try to fix that globally in the kernel...

--
Kees Cook