The BLKRASET/BLKRAGET ioctls() take unsigned long, if I pass int * to
the BLKRAGET ioctl on x86_64 (or on any other arch where sizeof(int) !=
sizeof(long)) the BLKRAGET ioctl will rewrite four bytes on the stack.
If you look at block/ioctl.c in kernel sources you can clearly see that
BLKRAGET ioctl calls put_long().
Compile following reproducer and run it as ./a.out /dev/sda, you can see
that the second member of the array will be zeroed. If you change the
array to have only one member you will see stack smashing trace.
I also wonder if it's OK to pass int value to ioctl() at all, the arg
value seems to be unsigned long in the syscall definition in fs/ioctl.c
and there does not seem to be any glibc magic around the syscall.
-------------------------8<----------------------------
static int fd;
int main(int argc, char *argv[])
{
int ra[] = {100, 100};
fd = open(argv[1], O_RDONLY);
if (fd < 0) {
perror("open");
return 1;
}
ioctl(fd, BLKRAGET, ra);
fprintf(stderr, "%i %i\n", ra[0], ra[1]);
return 0;
}
-------------------------8<----------------------------
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Cyril Hrubis <chrubis@suse.cz>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
0x0000125F BLKRRPART void
0x00001260 BLKGETSIZE unsigned long *
0x00001261 BLKFLSBUF void
-0x00001262 BLKRASET int
-0x00001263 BLKRAGET int *
+0x00001262 BLKRASET unsigned long
+0x00001263 BLKRAGET unsigned long *
0x00000001 FIBMAP int * // I-O
0x00000002 FIGETBSZ int *
0x80086601 FS_IOC_GETFLAGS int *