Passing args in an IOCTL
Greetings,
I am a layman to Linux and have experience mainly on flat-memory-model RTOSes.
I've installed a module with certain ioctls.
If I pass a pointer to a local user-level structure in the third argument of the ioctl and dereference it in kernel mode, I get access to it (which is fine).
If I pass an invalid pointer (say some junk 0-3 GB address) and try to dereference it in kernel mode, the process segfaults but the OS continues to run all right. Now, from what I know to be right (which is very, very little), there is no concept of an access-privilege checking mechanism in kernel mode, so how does it manage to segfault?
Worst case, it should allow the kernel to dereference and write to the given addresses and probably corrupt the process address space of some other process. What's even more surprising is that the junk addresses are going through access_ok() checks.
Any help or pointers to text which can clarify my misgivings would be very useful.
Regards,
Neeraj
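An added, self-contained user-space C model of the two checks the question is asking about (this is illustration code written for this page, not the questioner's module and not kernel code). In the kernel, access_ok() only verifies that the range lies below the user/kernel split (TASK_SIZE), it never consults the page tables, so any junk address in the 0-3 GB user range passes it. The MMU still translates every access made in kernel mode, so a dereference of an unmapped address page-faults; copy_from_user() registers an exception-table fixup so that fault becomes -EFAULT, while a raw dereference has no fixup and the kernel oopses and kills the current process. The model below assumes a TASK_SIZE constant for the 3G/1G i386 split (and the x86_64 value on 64-bit builds) and uses msync() on the page as a user-space stand-in for "is this address actually mapped"; both are assumptions of this example, not a description of the kernel's implementation.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Assumed user/kernel split: 0xC0000000 matches the "0-3 GB" range in the
 * question (i386, 3G/1G); the 64-bit value is x86_64's TASK_SIZE_MAX. */
#if UINTPTR_MAX == 0xffffffffUL
#define MODEL_TASK_SIZE 0xC0000000UL
#else
#define MODEL_TASK_SIZE 0x00007ffffffff000UL
#endif

/* User-space model of what access_ok() checks: only that [addr, addr+size)
 * stays below the split and does not wrap. No page-table lookup. */
int model_access_ok(unsigned long addr, unsigned long size)
{
    unsigned long end;
    if (__builtin_add_overflow(addr, size, &end)) /* wrap-around */
        return 0;
    return end <= MODEL_TASK_SIZE;
}

/* Stand-in for "is the page containing addr mapped in this process":
 * msync() on an unmapped range fails with ENOMEM. In the kernel this role is
 * played by the page-fault handler plus copy_from_user()'s fixup entry. */
int page_is_mapped(const void *addr)
{
    long pg = sysconf(_SC_PAGESIZE);
    void *base = (void *)((uintptr_t)addr & ~(uintptr_t)(pg - 1));
    return msync(base, (size_t)pg, MS_ASYNC) == 0;
}

/* Model of the safe ioctl pattern: range check, then a copy that turns an
 * unmapped source into -EFAULT instead of a crash. */
int model_copy_from_user(void *dst, const void *src, size_t n)
{
    if (!model_access_ok((unsigned long)(uintptr_t)src, n))
        return -EFAULT;
    if (!page_is_mapped(src)) /* where a raw dereference would fault */
        return -EFAULT;
    memcpy(dst, src, n);
    return 0;
}

/* Constructed ioctl argument layout for the demonstration. */
struct ioctl_arg {
    int cmd;
    unsigned value;
};

/* A mapped user buffer copies fine; after unmapping, the same address still
 * passes the range check but the copy is refused. Returns 1 if both hold. */
int demo_range_check_is_not_mapping_check(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    struct ioctl_arg karg = {0, 0};
    struct ioctl_arg *uarg;

    uarg = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE,
                MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (uarg == MAP_FAILED)
        return 0;
    uarg->cmd = 7;
    uarg->value = 0xabcd;

    int ok_mapped = model_copy_from_user(&karg, uarg, sizeof karg) == 0 &&
                    karg.cmd == 7 && karg.value == 0xabcd;

    munmap(uarg, (size_t)pg);
    /* Now a "junk" user address: in range, but backed by nothing. */
    int still_in_range =
        model_access_ok((unsigned long)(uintptr_t)uarg, sizeof karg);
    int refused = model_copy_from_user(&karg, uarg, sizeof karg) == -EFAULT;

    return ok_mapped && still_in_range && refused;
}

int main(void)
{
    printf("0x70000000 passes range check: %d\n",
           model_access_ok(0x70000000UL, 16));
    printf("range check is not a mapping check: %d\n",
           demo_range_check_is_not_mapping_check());
    return 0;
}
```

The takeaway for an ioctl handler is the order of operations in model_copy_from_user(): the range check keeps kernel addresses out, and the fault-tolerant copy (copy_from_user()/copy_to_user() in a real module) is what protects against unmapped user addresses; a raw dereference of the third ioctl argument skips the second step.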