The Linux IOCTL Census: A Source-Derived Database of the Linux Kernel Control-Code Surface

The ioctl system call is Linux's catch-all device-control interface. A userspace program opens a device node and hands the driver a numeric command code and an argument buffer, and the driver does whatever that code means, whether configuring hardware, reading back state, or moving data into and out of the kernel. Drivers define these commands themselves, by the thousand, and parse their arguments in kernel context, which makes ioctl handlers one of the broadest and least uniform local attack surfaces in the kernel. A handler that trusts an argument length it never validates can read or write kernel memory out of bounds, and the command space is catalogued in no central place. We present the Linux IOCTL Census, a source-derived and queryable inventory of that surface. An allmodconfig build compiles 878 modules across 169 subtrees, and over them a single deterministic libclang pass over the kernel source recovers 586 ioctl dispatch entry points, 1,289 decoded _IOC command codes, 3,583 controlled-input sinks, and 1,298 permission gates. A second pass encodes the kernel's own documented threat model as a queryable column, separating the capability-ungated ioctl surface, an upper bound on unprivileged reach rather than proven reach, from the part a hard capability gate puts out of scope. We backtest the census against 22 recent in-tree ioctl CVEs and release the structural tier as open data, on a schema shared with the companion Windows IOCTL Census so a single query spans both operating systems.

翻译：ioctl系统调用是Linux通用的设备控制接口。用户空间程序打开设备节点后，向驱动程序传递数值型命令码和参数缓冲区，驱动程序根据该命令码执行相应操作——无论是配置硬件、读取状态，还是在内核与用户空间之间传输数据。驱动程序自行定义数以千计的命令，并在内核上下文中解析参数，这使得ioctl处理程序成为内核中最广泛且最不统一的局部攻击面之一。若处理程序信任未经校验的参数长度，可能导致越界读写内核内存，而命令空间没有任何中央编录体系。本文提出Linux IOCTL普查系统——一个从源代码衍生且可查询的攻击面清单。通过全模块配置编译，我们在169个子系统中构建了878个模块；在此基础上，对内核源代码执行单次确定性libclang扫描，恢复了586个ioctl调度入口点、1289条已解码的_IOC命令码、3583个受控输入接收点以及1298个权限门控。第二轮扫描将内核自有的文档化威胁模型编码为可查询列，将权限门缺失的ioctl攻击面（即无特权可触及范围的上界，而非经证实的可触及范围）与硬权限门控隔离的部分加以区分。我们以22个近期内核树内ioctl相关CVE对该普查系统进行回溯验证，并将结构性层级数据作为开放数据集发布，其数据模式与配套的Windows IOCTL普查系统兼容，从而可通过单一查询跨两个操作系统执行分析。