Subject: Returning a struct from an ioctl
To: None <>
From: Julio Merino <>
List: tech-kern
Date: 04/29/2002 21:57:13
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi all,

I'm adding two ioctl's to wscons to get console mouse support, though
I'll only talk about one because I know how to do the other.

The ioctl is called WSDISPLAYIO_GETWSCHAR. What I have in mind is the
following calling form: pass to the ioctl a pointer to a structure of
type wsdisplay_char. This structure holds data related to any char
on screen, like the letter it contains, background/foreground color,
position, etc.

So, when I call the ioctl I pass a pointer to that structure with the
row and column fields set. Then, in the kernel, I fill up the struct
with the missing data (letter, attributes), and this is what is
worring me. As I've been thinking, this may lead to security problems,
isn't it? Imagine you pass an invalid pointer to the ioctl (well, a
pointer that points outside your program). Then the kernel would
overwrite the memory it points to without any problem. Or am I wrong?

BTW, the ioctls are implemented in wsdisplay_cfg_ioctl, that is used
trought the /dev/ttyEcfg (so it is by default owned by root:wheel, so
this is not a security problem...)

How would you do this in a secure way?


Of course it runs NetBSD -
HispaBSD member -
Julio Merino <>

Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see