On Thu, Mar 18, 2021 at 10:15:43PM +0100, Arnd Bergmann wrote: > On Thu, Mar 18, 2021 at 5:13 PM Alessio Balsini <balsini@xxxxxxxxxxx> wrote: > > On Tue, Mar 16, 2021 at 07:53:06PM +0100, Arnd Bergmann wrote: > > > On Mon, Jan 25, 2021 at 4:48 PM Alessio Balsini <balsini@xxxxxxxxxxx> wrote: > > > > > > > > Thanks for spotting this possible criticality. > > > > I noticed that 32-bit users pace was unable to use the > > FUSE_DEV_IOC_CLONE ioctl on 64-bit kernels, so this change avoid this > > issue by forcing the kernel to interpret 32 and 64 bit > > FUSE_DEV_IOC_CLONE command as if they were the same. > > As far as I can tell from the kernel headers, the command code should > be the same for both 32-bit and 64-bit tasks: 0x8004e500. > Can you find out what exact value you see in the user space that was > causing problems, and how it ended up with a different value than > the 64-bit version? > > If there are two possible command codes, I'd suggest you just change > the driver to handle both variants explicitly, but not any other one. > > > This is the simplest solution I could find as the UAPI is not changed > > as, as you mentioned, the argument doesn't require any conversion. > > > > I understand that this might limit possible future extensions of the > > FUSE_DEV_IOC_XXX ioctls if their in/out argument changed depending on > > the architecture, but only at that point we can switch to using the > > compat layer, right? > > > > What I'm worried about is the direction, do you think this would be an > > issue? > > > > I can start working on a compat layer fix meanwhile. > > For a proper well-designed ioctl interface, compat support should not > need anything beyond the '.compat_ioctl = compat_ptr_ioctl' > assignment. > > Arnd You are right and now I can see what happened here. When I introduce the PASSTHROUGH ioctl, because of the 'void *', the command mismatches on _IOC_SIZE(nr). I solved this by only testing _IOC_NUMBER and _IOC_TYPE, implicitely (mistakenly) removing the _IOC_SIZE check. So, the fuse_dev_ioctl was correctly rejecting the ioctl request from 32-bit userspace because of the wrong size and I was just forcing it to digest the wrong data regardless. Ouch! The commit message for this patch would still be incorrect, but I posted a fix here to bring the ioctl checking back to the original behavior: https://lore.kernel.org/lkml/20210319150514.1315985-1-balsini@xxxxxxxxxxx/ Thanks for spotting this! Alessio
