From: "nobu (Nobuyoshi Nakada)" <noreply@...>
Date: 2021-10-25T08:13:32+00:00
Subject: [ruby-core:105776] [Ruby master Bug#18255] ioctl zeroes the last buffer byte

Issue #18255 has been updated by nobu (Nobuyoshi Nakada).


vihai (Daniele Orlandi) wrote in #note-6:
> The first issue is caused by `<sys/ioctl.h>` not defining `_IOC_SIZE`, ruby falls back to `DEFULT_IOCTL_NARG_LEN`. I guess you have to detect and include `<linux/ioctl.h>` or `<asm/ioctl.h>`.

That means, `linux_iocparm_len` is not defined?
Whether `_IOC_SIZE` is defined seems depending on versions/architectures.
At least, the following code can compile and prints the expected values on Ubuntu 21.10 x86_64.
```C
#include <sys/ioctl.h>
#include <linux/gpio.h>
#include <stdio.h>
int main(void)
{
    const size_t n = GPIO_GET_LINEHANDLE_IOCTL;
    printf("%#zx => %#zx\n", n, _IOC_SIZE(n));
    // 0xc16cb403 => 0x16c
    return 0;
}
```

> The second may be patched like this:

As the buffer is supposed to be overwritten, it is doubtful to be considered a bug.

> Lastly I guess that DEFULT is spelled incorrectly :)

Yes, definitely ;)


----------------------------------------
Bug #18255: ioctl zeroes the last buffer byte
https://bugs.ruby-lang.org/issues/18255#change-94290

* Author: vihai (Daniele Orlandi)
* Status: Open
* Priority: Normal
* Backport: 2.6: REQUIRED, 2.7: REQUIRED, 3.0: REQUIRED
----------------------------------------

Hello,

I'm running ruby 2.7.4p191 on an armv7 linux and experimenting with GPIO_GET_LINEHANDLE_IOCTL ioctl.

The ioctl sanity check is triggered as if the buffer was too small however the size of the buffer passed to ioctl is correct.

```
io.rb:116:in `ioctl': return value overflowed string (ArgumentError)
```

If I append at least one byte to the buffer the ioctl does not raise an exception.

It seems that the last byte of the buffer is zeroed:


```
puts "SIZE=#{req.bytesize}"
req = req + "XXXXXXXXXX".b     
puts req.unpack("H*")       
fd.ioctl(GPIO_GET_LINEHANDLE_IOCTL, req)                        
puts req.unpack("H*")     
```

```
SIZE=364
[...]0000000000000058585858585858585858
[...]0000000600000058585858585858585800
```

I checked with a C program and the ioctl does not actually touch the buffer beyond the expected 364 bytes.
The ioctl number does encode 364 as size:

```
#include <stdio.h>
#include <linux/gpio.h>

void main()
{
  printf("SIZE=%d", _IOC_SIZE(GPIO_GET_LINEHANDLE_IOCTL));
}
```

```
SIZE=364
```




-- 
https://bugs.ruby-lang.org/

Unsubscribe: <mailto:ruby-core-request@ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>