On 2025-09-10, Christian Brauner <brauner@kernel.org> wrote:
> Validate extensible ioctls stricter than we do now.
>
> Signed-off-by: Christian Brauner <brauner@kernel.org>
> ---
> fs/pidfs.c | 2 +-
> include/linux/fs.h | 14 ++++++++++++++
> 2 files changed, 15 insertions(+), 1 deletion(-)
>
> diff --git a/fs/pidfs.c b/fs/pidfs.c
> index edc35522d75c..0a5083b9cce5 100644
> --- a/fs/pidfs.c
> +++ b/fs/pidfs.c
> @@ -440,7 +440,7 @@ static bool pidfs_ioctl_valid(unsigned int cmd)
> * erronously mistook the file descriptor for a pidfd.
> * This is not perfect but will catch most cases.
> */
> - return (_IOC_TYPE(cmd) == _IOC_TYPE(PIDFD_GET_INFO));
> + return extensible_ioctl_valid(cmd, PIDFD_GET_INFO, PIDFD_INFO_SIZE_VER0);
> }
>
> return false;
> diff --git a/include/linux/fs.h b/include/linux/fs.h
> index d7ab4f96d705..2f2edc53bf3c 100644
> --- a/include/linux/fs.h
> +++ b/include/linux/fs.h
> @@ -4023,4 +4023,18 @@ static inline bool vfs_empty_path(int dfd, const char __user *path)
>
> int generic_atomic_write_valid(struct kiocb *iocb, struct iov_iter *iter);
>
> +static inline bool extensible_ioctl_valid(unsigned int cmd_a,
> + unsigned int cmd_b, size_t min_size)
> +{
> + if (_IOC_DIR(cmd_a) != _IOC_DIR(cmd_b))
> + return false;
> + if (_IOC_TYPE(cmd_a) != _IOC_TYPE(cmd_b))
> + return false;
> + if (_IOC_NR(cmd_a) != _IOC_NR(cmd_b))
> + return false;
> + if (_IOC_SIZE(cmd_a) < min_size)
> + return false;
> + return true;
> +}
> +
nit: I know only we use them for now, but does this maybe belong in
ioctl.h (or even uaccess.h with the other extensible struct stuff)?
Otherwise,
Reviewed-by: Aleksa Sarai <cyphar@cyphar.com>
> #endif /* _LINUX_FS_H */
>
> --
> 2.47.3
>
--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
https://www.cyphar.com/