1 /*
2 * Copyright (c) 1991, 1992 Paul Kranenburg <pk@cs.few.eur.nl>
3 * Copyright (c) 1993 Branko Lankester <branko@hacktic.nl>
4 * Copyright (c) 1993, 1994, 1995, 1996 Rick Sladkey <jrs@world.std.com>
5 * Copyright (c) 1996-2001 Wichert Akkerman <wichert@cistron.nl>
6 * Copyright (c) 1999-2023 The strace developers.
7 * All rights reserved.
8 *
9 * SPDX-License-Identifier: LGPL-2.1-or-later
10 */
11
12 #include "defs.h"
13 #include <linux/ioctl.h>
14 #include "xlat/ioctl_dirs.h"
15
16 #if defined(SPARC) || defined(SPARC64)
17 /*
18 * While Alpha, MIPS, PA-RISC, and POWER simply define _IOC_SIZEBITS to 13
19 * and utilise 3 bits for _IOC_DIRBITS, SPARC tries to provide 14 bits
20 * for the size field ("as on i386") by (ab)using the lowest direction bit.
21 * Unfortunately, while doing so, they decide to define _IOC_SIZE to 0
22 * when the direction doesn't have _IOC_READ/_IOC_WRITE bits set, which
23 * breaks the invariant
24 *
25 * _IOC_SIZE(_IOC(dir, type, nr, size)) == size
26 *
27 * for _IOC_DIR(val) that doesn't include _IOC_READ or _IOC_WRITE, which
28 * is unacceptable for strace's use case.
29 * So, let's redefine _IOC_SIZE in a way that is more suitable for us.
30 */
31 # undef _IOC_SIZE
32 # define _IOC_SIZE(nr) \
33 ((_IOC_DIR(nr) & (_IOC_WRITE | _IOC_READ)) \
34 ? (((nr) >> _IOC_SIZESHIFT) & _IOC_XSIZEMASK) \
35 : (((nr) >> _IOC_SIZESHIFT) & _IOC_SIZEMASK)) \
36 /* end of _IOC_SIZE definition */
37 #endif
38
39 static int
40 compare(const void *a, const void *b)
41 {
42 const unsigned int code1 = (const uintptr_t) a;
43 const unsigned int code2 = ((struct_ioctlent *) b)->code;
44 return (code1 > code2) ? 1 : (code1 < code2) ? -1 : 0;
45 }
46
47 static const struct_ioctlent *
48 ioctl_lookup(const unsigned int code)
49 {
50 struct_ioctlent *iop;
51
52 iop = bsearch((const void *) (const uintptr_t) code, ioctlent,
53 nioctlents, sizeof(ioctlent[0]), compare);
54 while (iop > ioctlent) {
55 iop--;
56 if (iop->code != code) {
57 iop++;
58 break;
59 }
60 }
61 return iop;
62 }
63
64 static const struct_ioctlent *
65 ioctl_next_match(const struct_ioctlent *iop)
66 {
67 const unsigned int code = iop->code;
68 iop++;
69 if (iop < ioctlent + nioctlents && iop->code == code)
70 return iop;
71 return NULL;
72 }
73
74 static void
75 ioctl_print_code(const unsigned int code)
76 {
77 const bool abbrev = xlat_verbose(xlat_verbosity) != XLAT_STYLE_VERBOSE;
78
79 tprints_arg_begin("_IOC");
80
81 tprint_flags_begin();
82 printflags_ex(_IOC_DIR(code), abbrev ? "_IOC_???" : "",
83 abbrev ? XLAT_STYLE_DEFAULT : XLAT_STYLE_ABBREV,
84 ioctl_dirs, NULL);
85 tprint_flags_end();
86 tprint_arg_next();
87
88 PRINT_VAL_X(_IOC_TYPE(code));
89 tprint_arg_next();
90
91 PRINT_VAL_X(_IOC_NR(code));
92 tprint_arg_next();
93
94 PRINT_VAL_X(_IOC_SIZE(code));
95 tprint_arg_end();
96 }
97
98 static int
99 evdev_decode_number(const unsigned int code)
100 {
101 const unsigned int nr = _IOC_NR(code);
102 const bool abbrev = xlat_verbose(xlat_verbosity) != XLAT_STYLE_VERBOSE;
103
104 if (_IOC_DIR(code) == _IOC_WRITE) {
105 if (nr >= 0xc0 && nr <= 0xc0 + 0x3f) {
106 tprints_arg_begin("EVIOCSABS");
107 printxval_ex(evdev_abs, nr - 0xc0,
108 abbrev ? "ABS_???" : "",
109 abbrev ? XLAT_STYLE_DEFAULT
110 : XLAT_STYLE_ABBREV);
111 tprint_arg_end();
112 return 1;
113 }
114 }
115
116 if (_IOC_DIR(code) != _IOC_READ)
117 return 0;
118
119 if (nr >= 0x20 && nr <= 0x20 + 0x1f) {
120 tprints_arg_begin("EVIOCGBIT");
121 if (nr == 0x20)
122 PRINT_VAL_U(0);
123 else
124 printxval_ex(evdev_ev, nr - 0x20,
125 abbrev ? "EV_???" : "",
126 abbrev ? XLAT_STYLE_DEFAULT
127 : XLAT_STYLE_ABBREV);
128 tprint_arg_next();
129 PRINT_VAL_U(_IOC_SIZE(code));
130 tprint_arg_end();
131 return 1;
132 } else if (nr >= 0x40 && nr <= 0x40 + 0x3f) {
133 tprints_arg_begin("EVIOCGABS");
134 printxval_ex(evdev_abs, nr - 0x40, abbrev ? "ABS_???" : "",
135 abbrev ? XLAT_STYLE_DEFAULT : XLAT_STYLE_ABBREV);
136 tprint_arg_end();
137 return 1;
138 }
139
140 switch (nr) {
141 case 0x06:
142 tprints_arg_begin("EVIOCGNAME");
143 PRINT_VAL_U(_IOC_SIZE(code));
144 tprint_arg_end();
145 return 1;
146 case 0x07:
147 tprints_arg_begin("EVIOCGPHYS");
148 PRINT_VAL_U(_IOC_SIZE(code));
149 tprint_arg_end();
150 return 1;
151 case 0x08:
152 tprints_arg_begin("EVIOCGUNIQ");
153 PRINT_VAL_U(_IOC_SIZE(code));
154 tprint_arg_end();
155 return 1;
156 case 0x09:
157 tprints_arg_begin("EVIOCGPROP");
158 PRINT_VAL_U(_IOC_SIZE(code));
159 tprint_arg_end();
160 return 1;
161 case 0x0a:
162 tprints_arg_begin("EVIOCGMTSLOTS");
163 PRINT_VAL_U(_IOC_SIZE(code));
164 tprint_arg_end();
165 return 1;
166 case 0x18:
167 tprints_arg_begin("EVIOCGKEY");
168 PRINT_VAL_U(_IOC_SIZE(code));
169 tprint_arg_end();
170 return 1;
171 case 0x19:
172 tprints_arg_begin("EVIOCGLED");
173 PRINT_VAL_U(_IOC_SIZE(code));
174 tprint_arg_end();
175 return 1;
176 case 0x1a:
177 tprints_arg_begin("EVIOCGSND");
178 PRINT_VAL_U(_IOC_SIZE(code));
179 tprint_arg_end();
180 return 1;
181 case 0x1b:
182 tprints_arg_begin("EVIOCGSW");
183 PRINT_VAL_U(_IOC_SIZE(code));
184 tprint_arg_end();
185 return 1;
186 default:
187 return 0;
188 }
189 }
190
191 static int
192 hiddev_decode_number(const unsigned int code)
193 {
194 if (_IOC_DIR(code) == _IOC_READ) {
195 switch (_IOC_NR(code)) {
196 case 0x04:
197 tprints_arg_begin("HIDIOCGRAWNAME");
198 PRINT_VAL_U(_IOC_SIZE(code));
199 tprint_arg_end();
200 return 1;
201 case 0x05:
202 tprints_arg_begin("HIDIOCGRAWPHYS");
203 PRINT_VAL_U(_IOC_SIZE(code));
204 tprint_arg_end();
205 return 1;
206 case 0x06:
207 tprints_arg_begin("HIDIOCSFEATURE");
208 PRINT_VAL_U(_IOC_SIZE(code));
209 tprint_arg_end();
210 return 1;
211 case 0x08:
212 tprints_arg_begin("HIDIOCGRAWUNIQ");
213 PRINT_VAL_U(_IOC_SIZE(code));
214 tprint_arg_end();
215 return 1;
216 case 0x12:
217 tprints_arg_begin("HIDIOCGPHYS");
218 PRINT_VAL_U(_IOC_SIZE(code));
219 tprint_arg_end();
220 return 1;
221 default:
222 return 0;
223 }
224 } else if (_IOC_DIR(code) == (_IOC_READ | _IOC_WRITE)) {
225 switch (_IOC_NR(code)) {
226 case 0x06:
227 tprints_arg_begin("HIDIOCSFEATURE");
228 PRINT_VAL_U(_IOC_SIZE(code));
229 tprint_arg_end();
230 return 1;
231 case 0x07:
232 tprints_arg_begin("HIDIOCGFEATURE");
233 PRINT_VAL_U(_IOC_SIZE(code));
234 tprint_arg_end();
235 return 1;
236 default:
237 return 0;
238 }
239 }
240
241 return 0;
242 }
243
244 static int
245 ioctl_decode_command_number(struct tcb *tcp, const struct finfo *finfo)
246 {
247 const unsigned int code = tcp->u_arg[1];
248
249 switch (_IOC_TYPE(code)) {
250 case '!': /* 0x21 */
251 if (code == _IOC(_IOC_READ, '!', 2, sizeof(uint64_t))) {
252 tprints_string("SECCOMP_IOCTL_NOTIF_ID_VALID_WRONG_DIR");
253 return 1;
254 }
255 return 0;
256 case 'E':
257 return evdev_decode_number(code);
258 case 'H':
259 return hiddev_decode_number(code);
260 case 'M':
261 if (_IOC_DIR(code) == _IOC_WRITE) {
262 tprints_arg_begin("MIXER_WRITE");
263 PRINT_VAL_U(_IOC_NR(code));
264 tprint_arg_end();
265 return 1;
266 } else if (_IOC_DIR(code) == _IOC_READ) {
267 tprints_arg_begin("MIXER_READ");
268 PRINT_VAL_U(_IOC_NR(code));
269 tprint_arg_end();
270 return 1;
271 }
272 return 0;
273 case 'T':
274 return term_ioctl_decode_command_number(tcp, finfo, code);
275 case 'U':
276 if (_IOC_DIR(code) == _IOC_READ && _IOC_NR(code) == 0x2c) {
277 tprints_arg_begin("UI_GET_SYSNAME");
278 PRINT_VAL_U(_IOC_SIZE(code));
279 tprint_arg_end();
280 return 1;
281 }
282 return 0;
283 case 'j':
284 if (_IOC_DIR(code) == _IOC_READ && _IOC_NR(code) == 0x13) {
285 tprints_arg_begin("JSIOCGNAME");
286 PRINT_VAL_U(_IOC_SIZE(code));
287 tprint_arg_end();
288 return 1;
289 }
290 return 0;
291 case 'k':
292 if (_IOC_DIR(code) == _IOC_WRITE && _IOC_NR(code) == 0) {
293 tprints_arg_begin("SPI_IOC_MESSAGE");
294 PRINT_VAL_U(_IOC_SIZE(code));
295 tprint_arg_end();
296 return 1;
297 }
298 return 0;
299 default:
300 return 0;
301 }
302 }
303
304 static int
305 f_ioctl(struct tcb *tcp, const unsigned int code, const kernel_ulong_t arg)
306 {
307 int rc = fs_f_ioctl(tcp, code, arg);
308 #if defined ALPHA
309 if (rc == RVAL_DECODED)
310 rc = sock_ioctl(tcp, code, arg);
311 if (rc == RVAL_DECODED)
312 rc = term_ioctl(tcp, code, arg);
313 #elif defined MIPS || defined SH || defined XTENSA
314 if (rc == RVAL_DECODED)
315 rc = sock_ioctl(tcp, code, arg);
316 #elif defined POWERPC
317 if (rc == RVAL_DECODED)
318 rc = term_ioctl(tcp, code, arg);
319 #endif
320 return rc;
321 }
322
323 /**
324 * Decode arg parameter of the ioctl call.
325 *
326 * @param finfo The target file descriptor related information.
327 * finfo is NULL when
328 * - ioctl_decode() is called in leaving stages, or
329 * - the file descriptor is not valid (e.g. -1).
330 *
331 * @return There are two flags of the return value important for the purposes of
332 * processing by SYS_FUNC(ioctl):
333 * - RVAL_IOCTL_DECODED: indicates that ioctl decoder code
334 * has printed arg parameter;
335 * - RVAL_DECODED: indicates that decoding is done.
336 * As a result, the following behaviour is expected:
337 * - on entering:
338 * - 0: decoding should be continued on exiting;
339 * - RVAL_IOCTL_DECODED: decoding on exiting is not needed
340 * and decoder has printed arg value;
341 * - RVAL_DECODED: decoding on exiting is not needed
342 * and generic handler should print arg value.
343 * - on exiting:
344 * - 0: generic handler should print arg value;
345 * - RVAL_IOCTL_DECODED: decoder has printed arg value.
346 *
347 * Note that it makes no sense to return just RVAL_DECODED on exiting,
348 * but, of course, it is not prohibited (for example, it may be useful
349 * in cases where the return path is common on entering and on exiting
350 * the syscall).
351 *
352 * SYS_FUNC(ioctl) converts RVAL_IOCTL_DECODED flag to RVAL_DECODED,
353 * and passes all other bits of ioctl_decode return value unchanged.
354 */
355 static int
356 ioctl_decode(struct tcb *tcp, const struct finfo *finfo)
357 {
358 const unsigned int code = tcp->u_arg[1];
359 const kernel_ulong_t arg = tcp->u_arg[2];
360
361 switch (_IOC_TYPE(code)) {
362 case 0x03:
363 return hdio_ioctl(tcp, code, arg);
364 case 0x12:
365 return block_ioctl(tcp, code, arg);
366 case '!': /* 0x21 */
367 return seccomp_ioctl(tcp, code, arg);
368 case '"': /* 0x22 */
369 return scsi_ioctl(tcp, code, arg);
370 case '$': /* 0x24 */
371 return perf_ioctl(tcp, code, arg);
372 case '=': /* 0x3d */
373 return ptp_ioctl(tcp, code, arg);
374 case '>': /* 0x3e */
375 return counter_ioctl(tcp, code, arg);
376 case 'E':
377 return evdev_ioctl(tcp, code, arg);
378 case 'I':
379 return inotify_ioctl(tcp, code, arg);
380 case 'K':
381 return kd_ioctl(tcp, code, arg);
382 case 'L':
383 return loop_ioctl(tcp, code, arg);
384 case 'M':
385 return mtd_ioctl(tcp, code, arg);
386 case 'O':
387 return ubi_ioctl(tcp, code, arg);
388 case 'R':
389 return random_ioctl(tcp, code, arg);
390 case 'T':
391 return term_ioctl(tcp, code, arg);
392 case 'V':
393 return v4l2_ioctl(tcp, code, arg);
394 case 'W':
395 return watchdog_ioctl(tcp, code, arg);
396 case 'X':
397 return fs_x_ioctl(tcp, code, arg);
398 case 'f':
399 return f_ioctl(tcp, code, arg);
400 case 'i':
401 return lirc_ioctl(tcp, code, arg);
402 case 'o':
403 return ubi_ioctl(tcp, code, arg);
404 case 'p':
405 return rtc_ioctl(tcp, code, arg);
406 #if defined ALPHA || defined MIPS || defined SH || defined XTENSA
407 case 's':
408 return sock_ioctl(tcp, code, arg);
409 #endif
410 #if defined(ALPHA) || defined(MIPS) || defined(POWERPC) \
411 || defined(SPARC) || defined(SPARC64)
412 case 't':
413 return term_ioctl(tcp, code, arg);
414 #endif
415 case 0x89:
416 return sock_ioctl(tcp, code, arg);
417 case 0x94:
418 return fs_0x94_ioctl(tcp, code, arg);
419 case 0xa4:
420 return tee_ioctl(tcp, code, arg);
421 case 0xaa:
422 return uffdio_ioctl(tcp, code, arg);
423 case 0xab:
424 return nbd_ioctl(tcp, code, arg);
425 #ifdef HAVE_LINUX_KVM_H
426 case 0xae:
427 return kvm_ioctl(tcp, code, arg);
428 #endif
429 case 0xb4:
430 return gpio_ioctl(tcp, code, arg);
431 case 0xb7:
432 return nsfs_ioctl(tcp, code, arg);
433 case 0xfd:
434 return dm_ioctl(tcp, code, arg);
435 default:
436 break;
437 }
438 return 0;
439 }
440
441 /*
442 * Return true if the specified ioctl command may overlap.
443 */
444 static bool
445 ioctl_command_overlaps(unsigned int code)
446 {
447 /* see <asm-generic/ioctls.h> and <linux/soundcard.h> */
448 return (0x5401 <= code && code <= 0x5408);
449 }
450
451 SYS_FUNC(ioctl)
452 {
453 const struct_ioctlent *iop;
454 int ret;
455
456 if (entering(tcp)) {
457 struct finfo finfoa;
458 struct finfo *finfo = NULL;
459 char path[PATH_MAX + 1];
460 bool deleted;
461 if (ioctl_command_overlaps(tcp->u_arg[1]) &&
462 getfdpath_pid(tcp->pid, tcp->u_arg[0], path, sizeof(path),
463 &deleted) >= 0) {
464 finfo = get_finfo_for_dev(path, &finfoa);
465 finfo->deleted = deleted;
466 printfd_with_finfo(tcp, tcp->u_arg[0], finfo);
467 } else
468 printfd(tcp, tcp->u_arg[0]);
469
470 tprint_arg_next();
471
472 if (xlat_verbosity != XLAT_STYLE_ABBREV)
473 PRINT_VAL_X((unsigned int) tcp->u_arg[1]);
474 if (xlat_verbosity == XLAT_STYLE_VERBOSE)
475 tprint_comment_begin();
476 if (xlat_verbosity != XLAT_STYLE_RAW) {
477 ret = ioctl_decode_command_number(tcp, finfo);
478 if (!(ret & IOCTL_NUMBER_STOP_LOOKUP)) {
479 iop = ioctl_lookup(tcp->u_arg[1]);
480 if (iop) {
481 if (ret)
482 tprint_alternative_value();
483 tprints_string(iop->symbol);
484 while ((iop = ioctl_next_match(iop))) {
485 tprint_alternative_value();
486 tprints_string(iop->symbol);
487 }
488 } else if (!ret) {
489 ioctl_print_code(tcp->u_arg[1]);
490 }
491 }
492 }
493 if (xlat_verbosity == XLAT_STYLE_VERBOSE)
494 tprint_comment_end();
495
496 ret = ioctl_decode(tcp, finfo);
497 } else {
498 ret = ioctl_decode(tcp, NULL) | RVAL_DECODED;
499 }
500
501 if (ret & RVAL_IOCTL_DECODED) {
502 ret &= ~RVAL_IOCTL_DECODED;
503 ret |= RVAL_DECODED;
504 } else if (ret & RVAL_DECODED) {
505 tprint_arg_next();
506 PRINT_VAL_X(tcp->u_arg[2]);
507 }
508
509 return ret;
510 }