1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright (c) 1988, 2010, Oracle and/or its affiliates. All rights reserved. 24 */ 25 26 /* Copyright (c) 1988 AT&T */ 27 /* All Rights Reserved */ 28 /* 29 * Copyright 2019 Joyent, Inc. 30 * Copyright 2022 Oxide Computer Company 31 */ 32 33 #include <sys/types.h> 34 #include <sys/param.h> 35 #include <sys/sysmacros.h> 36 #include <sys/systm.h> 37 #include <sys/signal.h> 38 #include <sys/cred_impl.h> 39 #include <sys/policy.h> 40 #include <sys/user.h> 41 #include <sys/errno.h> 42 #include <sys/file.h> 43 #include <sys/vfs.h> 44 #include <sys/vnode.h> 45 #include <sys/mman.h> 46 #include <sys/acct.h> 47 #include <sys/cpuvar.h> 48 #include <sys/proc.h> 49 #include <sys/cmn_err.h> 50 #include <sys/debug.h> 51 #include <sys/pathname.h> 52 #include <sys/vm.h> 53 #include <sys/lgrp.h> 54 #include <sys/vtrace.h> 55 #include <sys/exec.h> 56 #include <sys/exechdr.h> 57 #include <sys/kmem.h> 58 #include <sys/prsystm.h> 59 #include <sys/modctl.h> 60 #include <sys/vmparam.h> 61 #include <sys/door.h> 62 #include <sys/schedctl.h> 63 #include <sys/utrap.h> 64 #include <sys/systeminfo.h> 65 #include <sys/stack.h> 66 #include <sys/rctl.h> 67 #include <sys/dtrace.h> 68 #include <sys/lwpchan_impl.h> 69 #include <sys/pool.h> 70 #include <sys/sdt.h> 71 #include <sys/brand.h> 72 #include <sys/klpd.h> 73 #include <sys/random.h> 74 75 #include <c2/audit.h> 76 77 #include <vm/hat.h> 78 #include <vm/anon.h> 79 #include <vm/as.h> 80 #include <vm/seg.h> 81 #include <vm/seg_vn.h> 82 #include <vm/seg_hole.h> 83 84 #define PRIV_RESET 0x01 /* needs to reset privs */ 85 #define PRIV_SETID 0x02 /* needs to change uids */ 86 #define PRIV_SETUGID 0x04 /* is setuid/setgid/forced privs */ 87 #define PRIV_INCREASE 0x08 /* child runs with more privs */ 88 #define MAC_FLAGS 0x10 /* need to adjust MAC flags */ 89 #define PRIV_FORCED 0x20 /* has forced privileges */ 90 91 static int execsetid(struct vnode *, struct vattr *, uid_t *, uid_t *, 92 priv_set_t *, cred_t *, const char *); 93 static int hold_execsw(struct execsw *); 94 95 uint_t auxv_hwcap = 0; /* auxv AT_SUN_HWCAP value; determined on the fly */ 96 uint_t auxv_hwcap_2 = 0; /* AT_SUN_HWCAP2 */ 97 uint_t auxv_hwcap_3 = 0; /* AT_SUN_HWCAP3 */ 98 #if defined(_SYSCALL32_IMPL) 99 uint_t auxv_hwcap32 = 0; /* 32-bit version of auxv_hwcap */ 100 uint_t auxv_hwcap32_2 = 0; /* 32-bit version of auxv_hwcap2 */ 101 uint_t auxv_hwcap32_3 = 0; /* 32-bit version of auxv_hwcap3 */ 102 #endif 103 104 #define PSUIDFLAGS (SNOCD|SUGID) 105 106 /* 107 * These are consumed within the specific exec modules, but are defined here 108 * because 109 * 110 * 1) The exec modules are unloadable, which would make this near useless. 111 * 112 * 2) We want them to be common across all of them, should more than ELF come 113 * to support them. 114 * 115 * All must be powers of 2. 116 */ 117 size_t aslr_max_brk_skew = 16 * 1024 * 1024; /* 16MB */ 118 #pragma weak exec_stackgap = aslr_max_stack_skew /* Old, compatible name */ 119 size_t aslr_max_stack_skew = 64 * 1024; /* 64KB */ 120 121 /* 122 * Size of guard segment for 64-bit processes and minimum size it can be shrunk 123 * to in the case of grow() operations. These are kept as variables in case 124 * they need to be tuned in an emergency. 125 */ 126 size_t stack_guard_seg_sz = 256 * 1024 * 1024; 127 size_t stack_guard_min_sz = 64 * 1024 * 1024; 128 129 /* 130 * exece() - system call wrapper around exec_common() 131 */ 132 int 133 exece(const char *fname, const char **argp, const char **envp) 134 { 135 int error; 136 137 error = exec_common(fname, argp, envp, EBA_NONE); 138 return (error ? (set_errno(error)) : 0); 139 } 140 141 int 142 exec_common(const char *fname, const char **argp, const char **envp, 143 int brand_action) 144 { 145 vnode_t *vp = NULL, *dir = NULL, *tmpvp = NULL; 146 proc_t *p = ttoproc(curthread); 147 klwp_t *lwp = ttolwp(curthread); 148 struct user *up = PTOU(p); 149 size_t execsz; /* temporary count of exec size */ 150 int i; 151 int error; 152 char exec_file[MAXCOMLEN+1]; 153 struct pathname pn; 154 struct pathname resolvepn; 155 struct uarg args; 156 struct execa ua; 157 k_sigset_t savedmask; 158 lwpdir_t *lwpdir = NULL; 159 tidhash_t *tidhash; 160 lwpdir_t *old_lwpdir = NULL; 161 uint_t old_lwpdir_sz; 162 tidhash_t *old_tidhash; 163 uint_t old_tidhash_sz; 164 ret_tidhash_t *ret_tidhash; 165 lwpent_t *lep; 166 boolean_t brandme = B_FALSE; 167 168 /* 169 * exec() is not supported for the /proc agent lwp. 170 */ 171 if (curthread == p->p_agenttp) 172 return (ENOTSUP); 173 174 if (brand_action != EBA_NONE) { 175 /* 176 * Brand actions are not supported for processes that are not 177 * running in a branded zone. 178 */ 179 if (!ZONE_IS_BRANDED(p->p_zone)) 180 return (ENOTSUP); 181 182 if (brand_action == EBA_NATIVE) { 183 /* Only branded processes can be unbranded */ 184 if (!PROC_IS_BRANDED(p)) 185 return (ENOTSUP); 186 } else { 187 /* Only unbranded processes can be branded */ 188 if (PROC_IS_BRANDED(p)) 189 return (ENOTSUP); 190 brandme = B_TRUE; 191 } 192 } else { 193 /* 194 * If this is a native zone, or if the process is already 195 * branded, then we don't need to do anything. If this is 196 * a native process in a branded zone, we need to brand the 197 * process as it exec()s the new binary. 198 */ 199 if (ZONE_IS_BRANDED(p->p_zone) && !PROC_IS_BRANDED(p)) 200 brandme = B_TRUE; 201 } 202 203 /* 204 * Inform /proc that an exec() has started. 205 * Hold signals that are ignored by default so that we will 206 * not be interrupted by a signal that will be ignored after 207 * successful completion of gexec(). 208 */ 209 mutex_enter(&p->p_lock); 210 prexecstart(); 211 schedctl_finish_sigblock(curthread); 212 savedmask = curthread->t_hold; 213 sigorset(&curthread->t_hold, &ignoredefault); 214 mutex_exit(&p->p_lock); 215 216 /* 217 * Look up path name and remember last component for later. 218 * To help coreadm expand its %d token, we attempt to save 219 * the directory containing the executable in p_execdir. The 220 * first call to lookuppn() may fail and return EINVAL because 221 * dirvpp is non-NULL. In that case, we make a second call to 222 * lookuppn() with dirvpp set to NULL; p_execdir will be NULL, 223 * but coreadm is allowed to expand %d to the empty string and 224 * there are other cases in which that failure may occur. 225 */ 226 if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0) 227 goto out; 228 pn_alloc(&resolvepn); 229 if ((error = lookuppn(&pn, &resolvepn, FOLLOW, &dir, &vp)) != 0) { 230 pn_free(&resolvepn); 231 pn_free(&pn); 232 if (error != EINVAL) 233 goto out; 234 235 dir = NULL; 236 if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0) 237 goto out; 238 pn_alloc(&resolvepn); 239 if ((error = lookuppn(&pn, &resolvepn, FOLLOW, NULLVPP, 240 &vp)) != 0) { 241 pn_free(&resolvepn); 242 pn_free(&pn); 243 goto out; 244 } 245 } 246 if (vp == NULL) { 247 if (dir != NULL) 248 VN_RELE(dir); 249 error = ENOENT; 250 pn_free(&resolvepn); 251 pn_free(&pn); 252 goto out; 253 } 254 255 if ((error = secpolicy_basic_exec(CRED(), vp)) != 0) { 256 if (dir != NULL) 257 VN_RELE(dir); 258 pn_free(&resolvepn); 259 pn_free(&pn); 260 VN_RELE(vp); 261 goto out; 262 } 263 264 /* 265 * We do not allow executing files in attribute directories. 266 * We test this by determining whether the resolved path 267 * contains a "/" when we're in an attribute directory; 268 * only if the pathname does not contain a "/" the resolved path 269 * points to a file in the current working (attribute) directory. 270 */ 271 if ((p->p_user.u_cdir->v_flag & V_XATTRDIR) != 0 && 272 strchr(resolvepn.pn_path, '/') == NULL) { 273 if (dir != NULL) 274 VN_RELE(dir); 275 error = EACCES; 276 pn_free(&resolvepn); 277 pn_free(&pn); 278 VN_RELE(vp); 279 goto out; 280 } 281 282 bzero(exec_file, MAXCOMLEN+1); 283 (void) strncpy(exec_file, pn.pn_path, MAXCOMLEN); 284 bzero(&args, sizeof (args)); 285 args.pathname = resolvepn.pn_path; 286 /* don't free resolvepn until we are done with args */ 287 pn_free(&pn); 288 289 /* 290 * If we're running in a profile shell, then call pfexecd. 291 */ 292 if ((CR_FLAGS(p->p_cred) & PRIV_PFEXEC) != 0) { 293 error = pfexec_call(p->p_cred, &resolvepn, &args.pfcred, 294 &args.scrubenv); 295 296 /* Returning errno in case we're not allowed to execute. */ 297 if (error > 0) { 298 if (dir != NULL) 299 VN_RELE(dir); 300 pn_free(&resolvepn); 301 VN_RELE(vp); 302 goto out; 303 } 304 305 /* Don't change the credentials when using old ptrace. */ 306 if (args.pfcred != NULL && 307 (p->p_proc_flag & P_PR_PTRACE) != 0) { 308 crfree(args.pfcred); 309 args.pfcred = NULL; 310 args.scrubenv = B_FALSE; 311 } 312 } 313 314 /* 315 * Specific exec handlers, or policies determined via 316 * /etc/system may override the historical default. 317 */ 318 args.stk_prot = PROT_ZFOD; 319 args.dat_prot = PROT_ZFOD; 320 321 CPU_STATS_ADD_K(sys, sysexec, 1); 322 DTRACE_PROC1(exec, char *, args.pathname); 323 324 ua.fname = fname; 325 ua.argp = argp; 326 ua.envp = envp; 327 328 /* If necessary, brand this process before we start the exec. */ 329 if (brandme) 330 brand_setbrand(p); 331 332 if ((error = gexec(&vp, &ua, &args, NULL, 0, &execsz, 333 exec_file, p->p_cred, brand_action)) != 0) { 334 if (brandme) 335 brand_clearbrand(p, B_FALSE); 336 VN_RELE(vp); 337 if (dir != NULL) 338 VN_RELE(dir); 339 pn_free(&resolvepn); 340 goto fail; 341 } 342 343 /* 344 * Free floating point registers (sun4u only) 345 */ 346 ASSERT(lwp != NULL); 347 lwp_freeregs(lwp, 1); 348 349 /* 350 * Free thread and process context ops. 351 */ 352 if (curthread->t_ctx) 353 freectx(curthread, 1); 354 if (p->p_pctx) 355 freepctx(p, 1); 356 357 /* 358 * Remember file name for accounting; clear any cached DTrace predicate. 359 */ 360 up->u_acflag &= ~AFORK; 361 bcopy(exec_file, up->u_comm, MAXCOMLEN+1); 362 curthread->t_predcache = 0; 363 364 /* 365 * Clear contract template state 366 */ 367 lwp_ctmpl_clear(lwp); 368 369 /* 370 * Save the directory in which we found the executable for expanding 371 * the %d token used in core file patterns. 372 */ 373 mutex_enter(&p->p_lock); 374 tmpvp = p->p_execdir; 375 p->p_execdir = dir; 376 if (p->p_execdir != NULL) 377 VN_HOLD(p->p_execdir); 378 mutex_exit(&p->p_lock); 379 380 if (tmpvp != NULL) 381 VN_RELE(tmpvp); 382 383 /* 384 * Reset stack state to the user stack, clear set of signals 385 * caught on the signal stack, and reset list of signals that 386 * restart system calls; the new program's environment should 387 * not be affected by detritus from the old program. Any 388 * pending held signals remain held, so don't clear t_hold. 389 */ 390 mutex_enter(&p->p_lock); 391 lwp->lwp_oldcontext = 0; 392 lwp->lwp_ustack = 0; 393 lwp->lwp_old_stk_ctl = 0; 394 sigemptyset(&up->u_signodefer); 395 sigemptyset(&up->u_sigonstack); 396 sigemptyset(&up->u_sigresethand); 397 lwp->lwp_sigaltstack.ss_sp = 0; 398 lwp->lwp_sigaltstack.ss_size = 0; 399 lwp->lwp_sigaltstack.ss_flags = SS_DISABLE; 400 401 /* 402 * Make saved resource limit == current resource limit. 403 */ 404 for (i = 0; i < RLIM_NLIMITS; i++) { 405 /*CONSTCOND*/ 406 if (RLIM_SAVED(i)) { 407 (void) rctl_rlimit_get(rctlproc_legacy[i], p, 408 &up->u_saved_rlimit[i]); 409 } 410 } 411 412 /* 413 * If the action was to catch the signal, then the action 414 * must be reset to SIG_DFL. 415 */ 416 sigdefault(p); 417 p->p_flag &= ~(SNOWAIT|SJCTL); 418 p->p_flag |= (SEXECED|SMSACCT|SMSFORK); 419 up->u_signal[SIGCLD - 1] = SIG_DFL; 420 421 /* 422 * Delete the dot4 sigqueues/signotifies. 423 */ 424 sigqfree(p); 425 426 mutex_exit(&p->p_lock); 427 428 mutex_enter(&p->p_pflock); 429 p->p_prof.pr_base = NULL; 430 p->p_prof.pr_size = 0; 431 p->p_prof.pr_off = 0; 432 p->p_prof.pr_scale = 0; 433 p->p_prof.pr_samples = 0; 434 mutex_exit(&p->p_pflock); 435 436 ASSERT(curthread->t_schedctl == NULL); 437 438 #if defined(__sparc) 439 if (p->p_utraps != NULL) 440 utrap_free(p); 441 #endif /* __sparc */ 442 443 /* 444 * Close all close-on-exec files. 445 */ 446 close_exec(P_FINFO(p)); 447 TRACE_2(TR_FAC_PROC, TR_PROC_EXEC, "proc_exec:p %p up %p", p, up); 448 449 /* Unbrand ourself if necessary. */ 450 if (PROC_IS_BRANDED(p) && (brand_action == EBA_NATIVE)) 451 brand_clearbrand(p, B_FALSE); 452 453 setregs(&args); 454 455 /* Mark this as an executable vnode */ 456 mutex_enter(&vp->v_lock); 457 vp->v_flag |= VVMEXEC; 458 mutex_exit(&vp->v_lock); 459 460 VN_RELE(vp); 461 if (dir != NULL) 462 VN_RELE(dir); 463 pn_free(&resolvepn); 464 465 /* 466 * Allocate a new lwp directory and lwpid hash table if necessary. 467 */ 468 if (curthread->t_tid != 1 || p->p_lwpdir_sz != 2) { 469 lwpdir = kmem_zalloc(2 * sizeof (lwpdir_t), KM_SLEEP); 470 lwpdir->ld_next = lwpdir + 1; 471 tidhash = kmem_zalloc(2 * sizeof (tidhash_t), KM_SLEEP); 472 if (p->p_lwpdir != NULL) 473 lep = p->p_lwpdir[curthread->t_dslot].ld_entry; 474 else 475 lep = kmem_zalloc(sizeof (*lep), KM_SLEEP); 476 } 477 478 if (PROC_IS_BRANDED(p)) 479 BROP(p)->b_exec(); 480 481 mutex_enter(&p->p_lock); 482 prbarrier(p); 483 484 /* 485 * Reset lwp id to the default value of 1. 486 * This is a single-threaded process now 487 * and lwp #1 is lwp_wait()able by default. 488 * The t_unpark flag should not be inherited. 489 */ 490 ASSERT(p->p_lwpcnt == 1 && p->p_zombcnt == 0); 491 curthread->t_tid = 1; 492 kpreempt_disable(); 493 ASSERT(curthread->t_lpl != NULL); 494 p->p_t1_lgrpid = curthread->t_lpl->lpl_lgrpid; 495 kpreempt_enable(); 496 if (p->p_tr_lgrpid != LGRP_NONE && p->p_tr_lgrpid != p->p_t1_lgrpid) { 497 lgrp_update_trthr_migrations(1); 498 } 499 curthread->t_unpark = 0; 500 curthread->t_proc_flag |= TP_TWAIT; 501 curthread->t_proc_flag &= ~TP_DAEMON; /* daemons shouldn't exec */ 502 p->p_lwpdaemon = 0; /* but oh well ... */ 503 p->p_lwpid = 1; 504 505 /* 506 * Install the newly-allocated lwp directory and lwpid hash table 507 * and insert the current thread into the new hash table. 508 */ 509 if (lwpdir != NULL) { 510 old_lwpdir = p->p_lwpdir; 511 old_lwpdir_sz = p->p_lwpdir_sz; 512 old_tidhash = p->p_tidhash; 513 old_tidhash_sz = p->p_tidhash_sz; 514 p->p_lwpdir = p->p_lwpfree = lwpdir; 515 p->p_lwpdir_sz = 2; 516 lep->le_thread = curthread; 517 lep->le_lwpid = curthread->t_tid; 518 lep->le_start = curthread->t_start; 519 lwp_hash_in(p, lep, tidhash, 2, 0); 520 p->p_tidhash = tidhash; 521 p->p_tidhash_sz = 2; 522 } 523 ret_tidhash = p->p_ret_tidhash; 524 p->p_ret_tidhash = NULL; 525 526 /* 527 * Restore the saved signal mask and 528 * inform /proc that the exec() has finished. 529 */ 530 curthread->t_hold = savedmask; 531 prexecend(); 532 mutex_exit(&p->p_lock); 533 if (old_lwpdir) { 534 kmem_free(old_lwpdir, old_lwpdir_sz * sizeof (lwpdir_t)); 535 kmem_free(old_tidhash, old_tidhash_sz * sizeof (tidhash_t)); 536 } 537 while (ret_tidhash != NULL) { 538 ret_tidhash_t *next = ret_tidhash->rth_next; 539 kmem_free(ret_tidhash->rth_tidhash, 540 ret_tidhash->rth_tidhash_sz * sizeof (tidhash_t)); 541 kmem_free(ret_tidhash, sizeof (*ret_tidhash)); 542 ret_tidhash = next; 543 } 544 545 ASSERT(error == 0); 546 DTRACE_PROC(exec__success); 547 return (0); 548 549 fail: 550 DTRACE_PROC1(exec__failure, int, error); 551 out: /* error return */ 552 mutex_enter(&p->p_lock); 553 curthread->t_hold = savedmask; 554 prexecend(); 555 mutex_exit(&p->p_lock); 556 ASSERT(error != 0); 557 return (error); 558 } 559 560 561 /* 562 * Perform generic exec duties and switchout to object-file specific 563 * handler. 564 */ 565 int 566 gexec( 567 struct vnode **vpp, 568 struct execa *uap, 569 struct uarg *args, 570 struct intpdata *idatap, 571 int level, 572 size_t *execsz, 573 caddr_t exec_file, 574 struct cred *cred, 575 int brand_action) 576 { 577 struct vnode *vp, *execvp = NULL; 578 proc_t *pp = ttoproc(curthread); 579 struct execsw *eswp; 580 int error = 0; 581 int suidflags = 0; 582 ssize_t resid; 583 uid_t uid, gid; 584 struct vattr vattr; 585 char magbuf[MAGIC_BYTES]; 586 int setid; 587 cred_t *oldcred, *newcred = NULL; 588 int privflags = 0; 589 int setidfl; 590 priv_set_t fset; 591 secflagset_t old_secflags; 592 593 secflags_copy(&old_secflags, &pp->p_secflags.psf_effective); 594 595 /* 596 * If the SNOCD or SUGID flag is set, turn it off and remember the 597 * previous setting so we can restore it if we encounter an error. 598 */ 599 if (level == 0 && (pp->p_flag & PSUIDFLAGS)) { 600 mutex_enter(&pp->p_lock); 601 suidflags = pp->p_flag & PSUIDFLAGS; 602 pp->p_flag &= ~PSUIDFLAGS; 603 mutex_exit(&pp->p_lock); 604 } 605 606 if ((error = execpermissions(*vpp, &vattr, args)) != 0) 607 goto bad_noclose; 608 609 /* need to open vnode for stateful file systems */ 610 if ((error = VOP_OPEN(vpp, FREAD, CRED(), NULL)) != 0) 611 goto bad_noclose; 612 vp = *vpp; 613 614 /* 615 * Note: to support binary compatibility with SunOS a.out 616 * executables, we read in the first four bytes, as the 617 * magic number is in bytes 2-3. 618 */ 619 if (error = vn_rdwr(UIO_READ, vp, magbuf, sizeof (magbuf), 620 (offset_t)0, UIO_SYSSPACE, 0, (rlim64_t)0, CRED(), &resid)) 621 goto bad; 622 if (resid != 0) 623 goto bad; 624 625 if ((eswp = findexec_by_hdr(magbuf)) == NULL) 626 goto bad; 627 628 if (level == 0 && 629 (privflags = execsetid(vp, &vattr, &uid, &gid, &fset, 630 args->pfcred == NULL ? cred : args->pfcred, args->pathname)) != 0) { 631 632 /* Pfcred is a credential with a ref count of 1 */ 633 634 if (args->pfcred != NULL) { 635 privflags |= PRIV_INCREASE|PRIV_RESET; 636 newcred = cred = args->pfcred; 637 } else { 638 newcred = cred = crdup(cred); 639 } 640 641 /* If we can, drop the PA bit */ 642 if ((privflags & PRIV_RESET) != 0) 643 priv_adjust_PA(cred); 644 645 if (privflags & PRIV_SETID) { 646 cred->cr_uid = uid; 647 cred->cr_gid = gid; 648 cred->cr_suid = uid; 649 cred->cr_sgid = gid; 650 } 651 652 if (privflags & MAC_FLAGS) { 653 if (!(CR_FLAGS(cred) & NET_MAC_AWARE_INHERIT)) 654 CR_FLAGS(cred) &= ~NET_MAC_AWARE; 655 CR_FLAGS(cred) &= ~NET_MAC_AWARE_INHERIT; 656 } 657 658 /* 659 * Implement the privilege updates: 660 * 661 * Restrict with L: 662 * 663 * I' = I & L 664 * 665 * E' = P' = (I' + F) & A 666 * 667 * But if running under ptrace, we cap I and F with P. 668 */ 669 if ((privflags & (PRIV_RESET|PRIV_FORCED)) != 0) { 670 if ((privflags & PRIV_INCREASE) != 0 && 671 (pp->p_proc_flag & P_PR_PTRACE) != 0) { 672 priv_intersect(&CR_OPPRIV(cred), 673 &CR_IPRIV(cred)); 674 priv_intersect(&CR_OPPRIV(cred), &fset); 675 } 676 priv_intersect(&CR_LPRIV(cred), &CR_IPRIV(cred)); 677 CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred); 678 if (privflags & PRIV_FORCED) { 679 priv_set_PA(cred); 680 priv_union(&fset, &CR_EPRIV(cred)); 681 priv_union(&fset, &CR_PPRIV(cred)); 682 } 683 priv_adjust_PA(cred); 684 } 685 } else if (level == 0 && args->pfcred != NULL) { 686 newcred = cred = args->pfcred; 687 privflags |= PRIV_INCREASE; 688 /* pfcred is not forced to adhere to these settings */ 689 priv_intersect(&CR_LPRIV(cred), &CR_IPRIV(cred)); 690 CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred); 691 priv_adjust_PA(cred); 692 } 693 694 /* The new image gets the inheritable secflags as its secflags */ 695 secflags_promote(pp); 696 697 /* SunOS 4.x buy-back */ 698 if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) && 699 (vattr.va_mode & (VSUID|VSGID))) { 700 char path[MAXNAMELEN]; 701 refstr_t *mntpt = NULL; 702 int ret = -1; 703 704 bzero(path, sizeof (path)); 705 zone_hold(pp->p_zone); 706 707 ret = vnodetopath(pp->p_zone->zone_rootvp, vp, path, 708 sizeof (path), cred); 709 710 /* fallback to mountpoint if a path can't be found */ 711 if ((ret != 0) || (ret == 0 && path[0] == '\0')) 712 mntpt = vfs_getmntpoint(vp->v_vfsp); 713 714 if (mntpt == NULL) 715 zcmn_err(pp->p_zone->zone_id, CE_NOTE, 716 "!uid %d: setuid execution not allowed, " 717 "file=%s", cred->cr_uid, path); 718 else 719 zcmn_err(pp->p_zone->zone_id, CE_NOTE, 720 "!uid %d: setuid execution not allowed, " 721 "fs=%s, file=%s", cred->cr_uid, 722 ZONE_PATH_TRANSLATE(refstr_value(mntpt), 723 pp->p_zone), exec_file); 724 725 if (!INGLOBALZONE(pp)) { 726 /* zone_rootpath always has trailing / */ 727 if (mntpt == NULL) 728 cmn_err(CE_NOTE, "!zone: %s, uid: %d " 729 "setuid execution not allowed, file=%s%s", 730 pp->p_zone->zone_name, cred->cr_uid, 731 pp->p_zone->zone_rootpath, path + 1); 732 else 733 cmn_err(CE_NOTE, "!zone: %s, uid: %d " 734 "setuid execution not allowed, fs=%s, " 735 "file=%s", pp->p_zone->zone_name, 736 cred->cr_uid, refstr_value(mntpt), 737 exec_file); 738 } 739 740 if (mntpt != NULL) 741 refstr_rele(mntpt); 742 743 zone_rele(pp->p_zone); 744 } 745 746 /* 747 * execsetid() told us whether or not we had to change the 748 * credentials of the process. In privflags, it told us 749 * whether we gained any privileges or executed a set-uid executable. 750 */ 751 setid = (privflags & (PRIV_SETUGID|PRIV_INCREASE|PRIV_FORCED)); 752 753 /* 754 * Use /etc/system variable to determine if the stack 755 * should be marked as executable by default. 756 */ 757 if ((noexec_user_stack != 0) || 758 secflag_enabled(pp, PROC_SEC_NOEXECSTACK)) 759 args->stk_prot &= ~PROT_EXEC; 760 761 args->execswp = eswp; /* Save execsw pointer in uarg for exec_func */ 762 args->ex_vp = vp; 763 764 /* 765 * Traditionally, the setid flags told the sub processes whether 766 * the file just executed was set-uid or set-gid; this caused 767 * some confusion as the 'setid' flag did not match the SUGID 768 * process flag which is only set when the uids/gids do not match. 769 * A script set-gid/set-uid to the real uid/gid would start with 770 * /dev/fd/X but an executable would happily trust LD_LIBRARY_PATH. 771 * Now we flag those cases where the calling process cannot 772 * be trusted to influence the newly exec'ed process, either 773 * because it runs with more privileges or when the uids/gids 774 * do in fact not match. 775 * This also makes the runtime linker agree with the on exec 776 * values of SNOCD and SUGID. 777 */ 778 setidfl = 0; 779 if (cred->cr_uid != cred->cr_ruid || (cred->cr_rgid != cred->cr_gid && 780 !supgroupmember(cred->cr_gid, cred))) { 781 setidfl |= EXECSETID_UGIDS; 782 } 783 if (setid & PRIV_SETUGID) 784 setidfl |= EXECSETID_SETID; 785 if (setid & PRIV_FORCED) 786 setidfl |= EXECSETID_PRIVS; 787 788 execvp = pp->p_exec; 789 if (execvp) 790 VN_HOLD(execvp); 791 792 error = (*eswp->exec_func)(vp, uap, args, idatap, level, execsz, 793 setidfl, exec_file, cred, brand_action); 794 rw_exit(eswp->exec_lock); 795 if (error != 0) { 796 if (execvp) 797 VN_RELE(execvp); 798 /* 799 * If this process's p_exec has been set to the vp of 800 * the executable by exec_func, we will return without 801 * calling VOP_CLOSE because proc_exit will close it 802 * on exit. 803 */ 804 if (pp->p_exec == vp) 805 goto bad_noclose; 806 else 807 goto bad; 808 } 809 810 if (level == 0) { 811 uid_t oruid; 812 813 if (execvp != NULL) { 814 /* 815 * Close the previous executable only if we are 816 * at level 0. 817 */ 818 (void) VOP_CLOSE(execvp, FREAD, 1, (offset_t)0, 819 cred, NULL); 820 } 821 822 mutex_enter(&pp->p_crlock); 823 824 oruid = pp->p_cred->cr_ruid; 825 826 if (newcred != NULL) { 827 /* 828 * Free the old credentials, and set the new ones. 829 * Do this for both the process and the (single) thread. 830 */ 831 crfree(pp->p_cred); 832 pp->p_cred = cred; /* cred already held for proc */ 833 crhold(cred); /* hold new cred for thread */ 834 /* 835 * DTrace accesses t_cred in probe context. t_cred 836 * must always be either NULL, or point to a valid, 837 * allocated cred structure. 838 */ 839 oldcred = curthread->t_cred; 840 curthread->t_cred = cred; 841 crfree(oldcred); 842 843 if (priv_basic_test >= 0 && 844 !PRIV_ISASSERT(&CR_IPRIV(newcred), 845 priv_basic_test)) { 846 pid_t pid = pp->p_pid; 847 char *fn = PTOU(pp)->u_comm; 848 849 cmn_err(CE_WARN, "%s[%d]: exec: basic_test " 850 "privilege removed from E/I", fn, pid); 851 } 852 } 853 /* 854 * On emerging from a successful exec(), the saved 855 * uid and gid equal the effective uid and gid. 856 */ 857 cred->cr_suid = cred->cr_uid; 858 cred->cr_sgid = cred->cr_gid; 859 860 /* 861 * If the real and effective ids do not match, this 862 * is a setuid process that should not dump core. 863 * The group comparison is tricky; we prevent the code 864 * from flagging SNOCD when executing with an effective gid 865 * which is a supplementary group. 866 */ 867 if (cred->cr_ruid != cred->cr_uid || 868 (cred->cr_rgid != cred->cr_gid && 869 !supgroupmember(cred->cr_gid, cred)) || 870 (privflags & PRIV_INCREASE) != 0) 871 suidflags = PSUIDFLAGS; 872 else 873 suidflags = 0; 874 875 mutex_exit(&pp->p_crlock); 876 if (newcred != NULL && oruid != newcred->cr_ruid) { 877 /* Note that the process remains in the same zone. */ 878 mutex_enter(&pidlock); 879 upcount_dec(oruid, crgetzoneid(newcred)); 880 upcount_inc(newcred->cr_ruid, crgetzoneid(newcred)); 881 mutex_exit(&pidlock); 882 } 883 if (suidflags) { 884 mutex_enter(&pp->p_lock); 885 pp->p_flag |= suidflags; 886 mutex_exit(&pp->p_lock); 887 } 888 if (setid && (pp->p_proc_flag & P_PR_PTRACE) == 0) { 889 /* 890 * If process is traced via /proc, arrange to 891 * invalidate the associated /proc vnode. 892 */ 893 if (pp->p_plist || (pp->p_proc_flag & P_PR_TRACE)) 894 args->traceinval = 1; 895 } 896 if (pp->p_proc_flag & P_PR_PTRACE) 897 psignal(pp, SIGTRAP); 898 if (args->traceinval) 899 prinvalidate(&pp->p_user); 900 } 901 if (execvp) 902 VN_RELE(execvp); 903 return (0); 904 905 bad: 906 (void) VOP_CLOSE(vp, FREAD, 1, (offset_t)0, cred, NULL); 907 908 bad_noclose: 909 if (newcred != NULL) 910 crfree(newcred); 911 if (error == 0) 912 error = ENOEXEC; 913 914 mutex_enter(&pp->p_lock); 915 if (suidflags) { 916 pp->p_flag |= suidflags; 917 } 918 /* 919 * Restore the effective secflags, to maintain the invariant they 920 * never change for a given process 921 */ 922 secflags_copy(&pp->p_secflags.psf_effective, &old_secflags); 923 mutex_exit(&pp->p_lock); 924 925 return (error); 926 } 927 928 extern char *execswnames[]; 929 930 struct execsw * 931 allocate_execsw(char *name, char *magic, size_t magic_size) 932 { 933 int i, j; 934 char *ename; 935 char *magicp; 936 937 mutex_enter(&execsw_lock); 938 for (i = 0; i < nexectype; i++) { 939 if (execswnames[i] == NULL) { 940 ename = kmem_alloc(strlen(name) + 1, KM_SLEEP); 941 (void) strcpy(ename, name); 942 execswnames[i] = ename; 943 /* 944 * Set the magic number last so that we 945 * don't need to hold the execsw_lock in 946 * findexectype(). 947 */ 948 magicp = kmem_alloc(magic_size, KM_SLEEP); 949 for (j = 0; j < magic_size; j++) 950 magicp[j] = magic[j]; 951 execsw[i].exec_magic = magicp; 952 mutex_exit(&execsw_lock); 953 return (&execsw[i]); 954 } 955 } 956 mutex_exit(&execsw_lock); 957 return (NULL); 958 } 959 960 /* 961 * Find the exec switch table entry with the corresponding magic string. 962 */ 963 struct execsw * 964 findexecsw(char *magic) 965 { 966 struct execsw *eswp; 967 968 for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) { 969 ASSERT(eswp->exec_maglen <= MAGIC_BYTES); 970 if (magic && eswp->exec_maglen != 0 && 971 bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0) 972 return (eswp); 973 } 974 return (NULL); 975 } 976 977 /* 978 * Find the execsw[] index for the given exec header string by looking for the 979 * magic string at a specified offset and length for each kind of executable 980 * file format until one matches. If no execsw[] entry is found, try to 981 * autoload a module for this magic string. 982 */ 983 struct execsw * 984 findexec_by_hdr(char *header) 985 { 986 struct execsw *eswp; 987 988 for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) { 989 ASSERT(eswp->exec_maglen <= MAGIC_BYTES); 990 if (header && eswp->exec_maglen != 0 && 991 bcmp(&header[eswp->exec_magoff], eswp->exec_magic, 992 eswp->exec_maglen) == 0) { 993 if (hold_execsw(eswp) != 0) 994 return (NULL); 995 return (eswp); 996 } 997 } 998 return (NULL); /* couldn't find the type */ 999 } 1000 1001 /* 1002 * Find the execsw[] index for the given magic string. If no execsw[] entry 1003 * is found, try to autoload a module for this magic string. 1004 */ 1005 struct execsw * 1006 findexec_by_magic(char *magic) 1007 { 1008 struct execsw *eswp; 1009 1010 for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) { 1011 ASSERT(eswp->exec_maglen <= MAGIC_BYTES); 1012 if (magic && eswp->exec_maglen != 0 && 1013 bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0) { 1014 if (hold_execsw(eswp) != 0) 1015 return (NULL); 1016 return (eswp); 1017 } 1018 } 1019 return (NULL); /* couldn't find the type */ 1020 } 1021 1022 static int 1023 hold_execsw(struct execsw *eswp) 1024 { 1025 char *name; 1026 1027 rw_enter(eswp->exec_lock, RW_READER); 1028 while (!LOADED_EXEC(eswp)) { 1029 rw_exit(eswp->exec_lock); 1030 name = execswnames[eswp-execsw]; 1031 ASSERT(name); 1032 if (modload("exec", name) == -1) 1033 return (-1); 1034 rw_enter(eswp->exec_lock, RW_READER); 1035 } 1036 return (0); 1037 } 1038 1039 static int 1040 execsetid(struct vnode *vp, struct vattr *vattrp, uid_t *uidp, uid_t *gidp, 1041 priv_set_t *fset, cred_t *cr, const char *pathname) 1042 { 1043 proc_t *pp = ttoproc(curthread); 1044 uid_t uid, gid; 1045 int privflags = 0; 1046 1047 /* 1048 * Remember credentials. 1049 */ 1050 uid = cr->cr_uid; 1051 gid = cr->cr_gid; 1052 1053 /* Will try to reset the PRIV_AWARE bit later. */ 1054 if ((CR_FLAGS(cr) & (PRIV_AWARE|PRIV_AWARE_INHERIT)) == PRIV_AWARE) 1055 privflags |= PRIV_RESET; 1056 1057 if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) == 0) { 1058 /* 1059 * If it's a set-uid root program we perform the 1060 * forced privilege look-aside. This has three possible 1061 * outcomes: 1062 * no look aside information -> treat as before 1063 * look aside in Limit set -> apply forced privs 1064 * look aside not in Limit set -> ignore set-uid root 1065 * 1066 * Ordinary set-uid root execution only allowed if the limit 1067 * set holds all unsafe privileges. 1068 */ 1069 if (vattrp->va_mode & VSUID) { 1070 if (vattrp->va_uid == 0) { 1071 int res = get_forced_privs(cr, pathname, fset); 1072 1073 switch (res) { 1074 case -1: 1075 if (priv_issubset(&priv_unsafe, 1076 &CR_LPRIV(cr))) { 1077 uid = vattrp->va_uid; 1078 privflags |= PRIV_SETUGID; 1079 } 1080 break; 1081 case 0: 1082 privflags |= PRIV_FORCED|PRIV_INCREASE; 1083 break; 1084 default: 1085 break; 1086 } 1087 } else { 1088 uid = vattrp->va_uid; 1089 privflags |= PRIV_SETUGID; 1090 } 1091 } 1092 if (vattrp->va_mode & VSGID) { 1093 gid = vattrp->va_gid; 1094 privflags |= PRIV_SETUGID; 1095 } 1096 } 1097 1098 /* 1099 * Do we need to change our credential anyway? 1100 * This is the case when E != I or P != I, as 1101 * we need to do the assignments (with F empty and A full) 1102 * Or when I is not a subset of L; in that case we need to 1103 * enforce L. 1104 * 1105 * I' = L & I 1106 * 1107 * E' = P' = (I' + F) & A 1108 * or 1109 * E' = P' = I' 1110 */ 1111 if (!priv_isequalset(&CR_EPRIV(cr), &CR_IPRIV(cr)) || 1112 !priv_issubset(&CR_IPRIV(cr), &CR_LPRIV(cr)) || 1113 !priv_isequalset(&CR_PPRIV(cr), &CR_IPRIV(cr))) 1114 privflags |= PRIV_RESET; 1115 1116 /* Child has more privileges than parent */ 1117 if (!priv_issubset(&CR_IPRIV(cr), &CR_PPRIV(cr))) 1118 privflags |= PRIV_INCREASE; 1119 1120 /* If MAC-aware flag(s) are on, need to update cred to remove. */ 1121 if ((CR_FLAGS(cr) & NET_MAC_AWARE) || 1122 (CR_FLAGS(cr) & NET_MAC_AWARE_INHERIT)) 1123 privflags |= MAC_FLAGS; 1124 /* 1125 * Set setuid/setgid protections if no ptrace() compatibility. 1126 * For privileged processes, honor setuid/setgid even in 1127 * the presence of ptrace() compatibility. 1128 */ 1129 if (((pp->p_proc_flag & P_PR_PTRACE) == 0 || 1130 PRIV_POLICY_ONLY(cr, PRIV_PROC_OWNER, (uid == 0))) && 1131 (cr->cr_uid != uid || 1132 cr->cr_gid != gid || 1133 cr->cr_suid != uid || 1134 cr->cr_sgid != gid)) { 1135 *uidp = uid; 1136 *gidp = gid; 1137 privflags |= PRIV_SETID; 1138 } 1139 return (privflags); 1140 } 1141 1142 int 1143 execpermissions(struct vnode *vp, struct vattr *vattrp, struct uarg *args) 1144 { 1145 int error; 1146 proc_t *p = ttoproc(curthread); 1147 1148 vattrp->va_mask = AT_MODE | AT_UID | AT_GID | AT_SIZE; 1149 if (error = VOP_GETATTR(vp, vattrp, ATTR_EXEC, p->p_cred, NULL)) 1150 return (error); 1151 /* 1152 * Check the access mode. 1153 * If VPROC, ask /proc if the file is an object file. 1154 */ 1155 if ((error = VOP_ACCESS(vp, VEXEC, 0, p->p_cred, NULL)) != 0 || 1156 !(vp->v_type == VREG || (vp->v_type == VPROC && pr_isobject(vp))) || 1157 (vp->v_vfsp->vfs_flag & VFS_NOEXEC) != 0 || 1158 (vattrp->va_mode & (VEXEC|(VEXEC>>3)|(VEXEC>>6))) == 0) { 1159 if (error == 0) 1160 error = EACCES; 1161 return (error); 1162 } 1163 1164 if ((p->p_plist || (p->p_proc_flag & (P_PR_PTRACE|P_PR_TRACE))) && 1165 (error = VOP_ACCESS(vp, VREAD, 0, p->p_cred, NULL))) { 1166 /* 1167 * If process is under ptrace(2) compatibility, 1168 * fail the exec(2). 1169 */ 1170 if (p->p_proc_flag & P_PR_PTRACE) 1171 goto bad; 1172 /* 1173 * Process is traced via /proc. 1174 * Arrange to invalidate the /proc vnode. 1175 */ 1176 args->traceinval = 1; 1177 } 1178 return (0); 1179 bad: 1180 if (error == 0) 1181 error = ENOEXEC; 1182 return (error); 1183 } 1184 1185 /* 1186 * Map a section of an executable file into the user's 1187 * address space. 1188 */ 1189 int 1190 execmap(struct vnode *vp, caddr_t addr, size_t len, size_t zfodlen, 1191 off_t offset, int prot, int page, uint_t szc) 1192 { 1193 int error = 0; 1194 off_t oldoffset; 1195 caddr_t zfodbase, oldaddr; 1196 size_t end, oldlen; 1197 size_t zfoddiff; 1198 label_t ljb; 1199 proc_t *p = ttoproc(curthread); 1200 1201 oldaddr = addr; 1202 addr = (caddr_t)((uintptr_t)addr & (uintptr_t)PAGEMASK); 1203 if (len) { 1204 oldlen = len; 1205 len += ((size_t)oldaddr - (size_t)addr); 1206 oldoffset = offset; 1207 offset = (off_t)((uintptr_t)offset & PAGEMASK); 1208 if (page) { 1209 spgcnt_t prefltmem, availm, npages; 1210 int preread; 1211 uint_t mflag = MAP_PRIVATE | MAP_FIXED; 1212 1213 if ((prot & (PROT_WRITE | PROT_EXEC)) == PROT_EXEC) { 1214 mflag |= MAP_TEXT; 1215 } else { 1216 mflag |= MAP_INITDATA; 1217 } 1218 1219 if (valid_usr_range(addr, len, prot, p->p_as, 1220 p->p_as->a_userlimit) != RANGE_OKAY) { 1221 error = ENOMEM; 1222 goto bad; 1223 } 1224 if (error = VOP_MAP(vp, (offset_t)offset, 1225 p->p_as, &addr, len, prot, PROT_ALL, 1226 mflag, CRED(), NULL)) 1227 goto bad; 1228 1229 /* 1230 * If the segment can fit, then we prefault 1231 * the entire segment in. This is based on the 1232 * model that says the best working set of a 1233 * small program is all of its pages. 1234 */ 1235 npages = (spgcnt_t)btopr(len); 1236 prefltmem = freemem - desfree; 1237 preread = 1238 (npages < prefltmem && len < PGTHRESH) ? 1 : 0; 1239 1240 /* 1241 * If we aren't prefaulting the segment, 1242 * increment "deficit", if necessary to ensure 1243 * that pages will become available when this 1244 * process starts executing. 1245 */ 1246 availm = freemem - lotsfree; 1247 if (preread == 0 && npages > availm && 1248 deficit < lotsfree) { 1249 deficit += MIN((pgcnt_t)(npages - availm), 1250 lotsfree - deficit); 1251 } 1252 1253 if (preread) { 1254 TRACE_2(TR_FAC_PROC, TR_EXECMAP_PREREAD, 1255 "execmap preread:freemem %d size %lu", 1256 freemem, len); 1257 (void) as_fault(p->p_as->a_hat, p->p_as, 1258 (caddr_t)addr, len, F_INVAL, S_READ); 1259 } 1260 } else { 1261 if (valid_usr_range(addr, len, prot, p->p_as, 1262 p->p_as->a_userlimit) != RANGE_OKAY) { 1263 error = ENOMEM; 1264 goto bad; 1265 } 1266 1267 if (error = as_map(p->p_as, addr, len, 1268 segvn_create, zfod_argsp)) 1269 goto bad; 1270 /* 1271 * Read in the segment in one big chunk. 1272 */ 1273 if (error = vn_rdwr(UIO_READ, vp, (caddr_t)oldaddr, 1274 oldlen, (offset_t)oldoffset, UIO_USERSPACE, 0, 1275 (rlim64_t)0, CRED(), (ssize_t *)0)) 1276 goto bad; 1277 /* 1278 * Now set protections. 1279 */ 1280 if (prot != PROT_ZFOD) { 1281 (void) as_setprot(p->p_as, (caddr_t)addr, 1282 len, prot); 1283 } 1284 } 1285 } 1286 1287 if (zfodlen) { 1288 struct as *as = curproc->p_as; 1289 struct seg *seg; 1290 uint_t zprot = 0; 1291 1292 end = (size_t)addr + len; 1293 zfodbase = (caddr_t)roundup(end, PAGESIZE); 1294 zfoddiff = (uintptr_t)zfodbase - end; 1295 if (zfoddiff) { 1296 /* 1297 * Before we go to zero the remaining space on the last 1298 * page, make sure we have write permission. 1299 * 1300 * Normal illumos binaries don't even hit the case 1301 * where we have to change permission on the last page 1302 * since their protection is typically either 1303 * PROT_USER | PROT_WRITE | PROT_READ 1304 * or 1305 * PROT_ZFOD (same as PROT_ALL). 1306 * 1307 * We need to be careful how we zero-fill the last page 1308 * if the segment protection does not include 1309 * PROT_WRITE. Using as_setprot() can cause the VM 1310 * segment code to call segvn_vpage(), which must 1311 * allocate a page struct for each page in the segment. 1312 * If we have a very large segment, this may fail, so 1313 * we have to check for that, even though we ignore 1314 * other return values from as_setprot. 1315 */ 1316 1317 AS_LOCK_ENTER(as, RW_READER); 1318 seg = as_segat(curproc->p_as, (caddr_t)end); 1319 if (seg != NULL) 1320 SEGOP_GETPROT(seg, (caddr_t)end, zfoddiff - 1, 1321 &zprot); 1322 AS_LOCK_EXIT(as); 1323 1324 if (seg != NULL && (zprot & PROT_WRITE) == 0) { 1325 if (as_setprot(as, (caddr_t)end, zfoddiff - 1, 1326 zprot | PROT_WRITE) == ENOMEM) { 1327 error = ENOMEM; 1328 goto bad; 1329 } 1330 } 1331 1332 if (on_fault(&ljb)) { 1333 no_fault(); 1334 if (seg != NULL && (zprot & PROT_WRITE) == 0) 1335 (void) as_setprot(as, (caddr_t)end, 1336 zfoddiff - 1, zprot); 1337 error = EFAULT; 1338 goto bad; 1339 } 1340 uzero((void *)end, zfoddiff); 1341 no_fault(); 1342 if (seg != NULL && (zprot & PROT_WRITE) == 0) 1343 (void) as_setprot(as, (caddr_t)end, 1344 zfoddiff - 1, zprot); 1345 } 1346 if (zfodlen > zfoddiff) { 1347 struct segvn_crargs crargs = 1348 SEGVN_ZFOD_ARGS(PROT_ZFOD, PROT_ALL); 1349 1350 zfodlen -= zfoddiff; 1351 if (valid_usr_range(zfodbase, zfodlen, prot, p->p_as, 1352 p->p_as->a_userlimit) != RANGE_OKAY) { 1353 error = ENOMEM; 1354 goto bad; 1355 } 1356 if (szc > 0) { 1357 /* 1358 * ASSERT alignment because the mapelfexec() 1359 * caller for the szc > 0 case extended zfod 1360 * so it's end is pgsz aligned. 1361 */ 1362 size_t pgsz = page_get_pagesize(szc); 1363 ASSERT(IS_P2ALIGNED(zfodbase + zfodlen, pgsz)); 1364 1365 if (IS_P2ALIGNED(zfodbase, pgsz)) { 1366 crargs.szc = szc; 1367 } else { 1368 crargs.szc = AS_MAP_HEAP; 1369 } 1370 } else { 1371 crargs.szc = AS_MAP_NO_LPOOB; 1372 } 1373 if (error = as_map(p->p_as, (caddr_t)zfodbase, 1374 zfodlen, segvn_create, &crargs)) 1375 goto bad; 1376 if (prot != PROT_ZFOD) { 1377 (void) as_setprot(p->p_as, (caddr_t)zfodbase, 1378 zfodlen, prot); 1379 } 1380 } 1381 } 1382 return (0); 1383 bad: 1384 return (error); 1385 } 1386 1387 void 1388 setexecenv(struct execenv *ep) 1389 { 1390 proc_t *p = ttoproc(curthread); 1391 klwp_t *lwp = ttolwp(curthread); 1392 struct vnode *vp; 1393 1394 p->p_bssbase = ep->ex_bssbase; 1395 p->p_brkbase = ep->ex_brkbase; 1396 p->p_brksize = ep->ex_brksize; 1397 if (p->p_exec) 1398 VN_RELE(p->p_exec); /* out with the old */ 1399 vp = p->p_exec = ep->ex_vp; 1400 if (vp != NULL) 1401 VN_HOLD(vp); /* in with the new */ 1402 1403 lwp->lwp_sigaltstack.ss_sp = 0; 1404 lwp->lwp_sigaltstack.ss_size = 0; 1405 lwp->lwp_sigaltstack.ss_flags = SS_DISABLE; 1406 } 1407 1408 int 1409 execopen(struct vnode **vpp, int *fdp) 1410 { 1411 struct vnode *vp = *vpp; 1412 file_t *fp; 1413 int error = 0; 1414 int filemode = FREAD; 1415 1416 VN_HOLD(vp); /* open reference */ 1417 if (error = falloc(NULL, filemode, &fp, fdp)) { 1418 VN_RELE(vp); 1419 *fdp = -1; /* just in case falloc changed value */ 1420 return (error); 1421 } 1422 if (error = VOP_OPEN(&vp, filemode, CRED(), NULL)) { 1423 VN_RELE(vp); 1424 setf(*fdp, NULL); 1425 unfalloc(fp); 1426 *fdp = -1; 1427 return (error); 1428 } 1429 *vpp = vp; /* vnode should not have changed */ 1430 fp->f_vnode = vp; 1431 mutex_exit(&fp->f_tlock); 1432 setf(*fdp, fp); 1433 return (0); 1434 } 1435 1436 int 1437 execclose(int fd) 1438 { 1439 return (closeandsetf(fd, NULL)); 1440 } 1441 1442 1443 /* 1444 * noexec stub function. 1445 */ 1446 /*ARGSUSED*/ 1447 int 1448 noexec( 1449 struct vnode *vp, 1450 struct execa *uap, 1451 struct uarg *args, 1452 struct intpdata *idatap, 1453 int level, 1454 size_t *execsz, 1455 int setid, 1456 caddr_t exec_file, 1457 struct cred *cred) 1458 { 1459 cmn_err(CE_WARN, "missing exec capability for %s", uap->fname); 1460 return (ENOEXEC); 1461 } 1462 1463 /* 1464 * Support routines for building a user stack. 1465 * 1466 * execve(path, argv, envp) must construct a new stack with the specified 1467 * arguments and environment variables (see exec_args() for a description 1468 * of the user stack layout). To do this, we copy the arguments and 1469 * environment variables from the old user address space into the kernel, 1470 * free the old as, create the new as, and copy our buffered information 1471 * to the new stack. Our kernel buffer has the following structure: 1472 * 1473 * +-----------------------+ <--- stk_base + stk_size 1474 * | string offsets | 1475 * +-----------------------+ <--- stk_offp 1476 * | | 1477 * | STK_AVAIL() space | 1478 * | | 1479 * +-----------------------+ <--- stk_strp 1480 * | strings | 1481 * +-----------------------+ <--- stk_base 1482 * 1483 * When we add a string, we store the string's contents (including the null 1484 * terminator) at stk_strp, and we store the offset of the string relative to 1485 * stk_base at --stk_offp. At strings are added, stk_strp increases and 1486 * stk_offp decreases. The amount of space remaining, STK_AVAIL(), is just 1487 * the difference between these pointers. If we run out of space, we return 1488 * an error and exec_args() starts all over again with a buffer twice as large. 1489 * When we're all done, the kernel buffer looks like this: 1490 * 1491 * +-----------------------+ <--- stk_base + stk_size 1492 * | argv[0] offset | 1493 * +-----------------------+ 1494 * | ... | 1495 * +-----------------------+ 1496 * | argv[argc-1] offset | 1497 * +-----------------------+ 1498 * | envp[0] offset | 1499 * +-----------------------+ 1500 * | ... | 1501 * +-----------------------+ 1502 * | envp[envc-1] offset | 1503 * +-----------------------+ 1504 * | AT_SUN_PLATFORM offset| 1505 * +-----------------------+ 1506 * | AT_SUN_EXECNAME offset| 1507 * +-----------------------+ <--- stk_offp 1508 * | | 1509 * | STK_AVAIL() space | 1510 * | | 1511 * +-----------------------+ <--- stk_strp 1512 * | AT_SUN_EXECNAME offset| 1513 * +-----------------------+ 1514 * | AT_SUN_PLATFORM offset| 1515 * +-----------------------+ 1516 * | envp[envc-1] string | 1517 * +-----------------------+ 1518 * | ... | 1519 * +-----------------------+ 1520 * | envp[0] string | 1521 * +-----------------------+ 1522 * | argv[argc-1] string | 1523 * +-----------------------+ 1524 * | ... | 1525 * +-----------------------+ 1526 * | argv[0] string | 1527 * +-----------------------+ <--- stk_base 1528 */ 1529 1530 #define STK_AVAIL(args) ((char *)(args)->stk_offp - (args)->stk_strp) 1531 1532 /* 1533 * Add a string to the stack. 1534 */ 1535 static int 1536 stk_add(uarg_t *args, const char *sp, enum uio_seg segflg) 1537 { 1538 int error; 1539 size_t len; 1540 1541 if (STK_AVAIL(args) < sizeof (int)) 1542 return (E2BIG); 1543 *--args->stk_offp = args->stk_strp - args->stk_base; 1544 1545 if (segflg == UIO_USERSPACE) { 1546 error = copyinstr(sp, args->stk_strp, STK_AVAIL(args), &len); 1547 if (error != 0) 1548 return (error); 1549 } else { 1550 len = strlen(sp) + 1; 1551 if (len > STK_AVAIL(args)) 1552 return (E2BIG); 1553 bcopy(sp, args->stk_strp, len); 1554 } 1555 1556 args->stk_strp += len; 1557 1558 return (0); 1559 } 1560 1561 static int 1562 stk_getptr(uarg_t *args, char *src, char **dst) 1563 { 1564 int error; 1565 1566 if (args->from_model == DATAMODEL_NATIVE) { 1567 ulong_t ptr; 1568 error = fulword(src, &ptr); 1569 *dst = (caddr_t)ptr; 1570 } else { 1571 uint32_t ptr; 1572 error = fuword32(src, &ptr); 1573 *dst = (caddr_t)(uintptr_t)ptr; 1574 } 1575 return (error); 1576 } 1577 1578 static int 1579 stk_putptr(uarg_t *args, char *addr, char *value) 1580 { 1581 if (args->to_model == DATAMODEL_NATIVE) 1582 return (sulword(addr, (ulong_t)value)); 1583 else 1584 return (suword32(addr, (uint32_t)(uintptr_t)value)); 1585 } 1586 1587 static int 1588 stk_copyin(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp) 1589 { 1590 char *sp; 1591 int argc, error; 1592 int argv_empty = 0; 1593 size_t ptrsize = args->from_ptrsize; 1594 size_t size, pad; 1595 char *argv = (char *)uap->argp; 1596 char *envp = (char *)uap->envp; 1597 1598 /* 1599 * Copy interpreter's name and argument to argv[0] and argv[1]. 1600 * In the rare case that we have nested interpreters then those names 1601 * and arguments are also copied to the subsequent slots in argv. 1602 */ 1603 if (intp != NULL && intp->intp_name[0] != NULL) { 1604 int i; 1605 1606 for (i = 0; i < INTP_MAXDEPTH; i++) { 1607 if (intp->intp_name[i] == NULL) 1608 break; 1609 error = stk_add(args, intp->intp_name[i], UIO_SYSSPACE); 1610 if (error != 0) 1611 return (error); 1612 if (intp->intp_arg[i] != NULL) { 1613 error = stk_add(args, intp->intp_arg[i], 1614 UIO_SYSSPACE); 1615 if (error != 0) 1616 return (error); 1617 } 1618 } 1619 1620 if (args->fname != NULL) 1621 error = stk_add(args, args->fname, UIO_SYSSPACE); 1622 else 1623 error = stk_add(args, uap->fname, UIO_USERSPACE); 1624 if (error) 1625 return (error); 1626 1627 /* 1628 * Check for an empty argv[]. 1629 */ 1630 if (stk_getptr(args, argv, &sp)) 1631 return (EFAULT); 1632 if (sp == NULL) 1633 argv_empty = 1; 1634 1635 argv += ptrsize; /* ignore original argv[0] */ 1636 } 1637 1638 if (argv_empty == 0) { 1639 /* 1640 * Add argv[] strings to the stack. 1641 */ 1642 for (;;) { 1643 if (stk_getptr(args, argv, &sp)) 1644 return (EFAULT); 1645 if (sp == NULL) 1646 break; 1647 if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0) 1648 return (error); 1649 argv += ptrsize; 1650 } 1651 } 1652 argc = (int *)(args->stk_base + args->stk_size) - args->stk_offp; 1653 args->arglen = args->stk_strp - args->stk_base; 1654 1655 /* 1656 * Add environ[] strings to the stack. 1657 */ 1658 if (envp != NULL) { 1659 for (;;) { 1660 char *tmp = args->stk_strp; 1661 if (stk_getptr(args, envp, &sp)) 1662 return (EFAULT); 1663 if (sp == NULL) 1664 break; 1665 if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0) 1666 return (error); 1667 if (args->scrubenv && strncmp(tmp, "LD_", 3) == 0) { 1668 /* Undo the copied string */ 1669 args->stk_strp = tmp; 1670 *(args->stk_offp++) = 0; 1671 } 1672 envp += ptrsize; 1673 } 1674 } 1675 args->na = (int *)(args->stk_base + args->stk_size) - args->stk_offp; 1676 args->ne = args->na - argc; 1677 1678 /* 1679 * Add AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME, and 1680 * AT_SUN_EMULATOR strings to the stack. 1681 */ 1682 if (auxvpp != NULL && *auxvpp != NULL) { 1683 if ((error = stk_add(args, platform, UIO_SYSSPACE)) != 0) 1684 return (error); 1685 if ((error = stk_add(args, args->pathname, UIO_SYSSPACE)) != 0) 1686 return (error); 1687 if (args->brandname != NULL && 1688 (error = stk_add(args, args->brandname, UIO_SYSSPACE)) != 0) 1689 return (error); 1690 if (args->emulator != NULL && 1691 (error = stk_add(args, args->emulator, UIO_SYSSPACE)) != 0) 1692 return (error); 1693 } 1694 1695 /* 1696 * Compute the size of the stack. This includes all the pointers, 1697 * the space reserved for the aux vector, and all the strings. 1698 * The total number of pointers is args->na (which is argc + envc) 1699 * plus 4 more: (1) a pointer's worth of space for argc; (2) the NULL 1700 * after the last argument (i.e. argv[argc]); (3) the NULL after the 1701 * last environment variable (i.e. envp[envc]); and (4) the NULL after 1702 * all the strings, at the very top of the stack. 1703 */ 1704 size = (args->na + 4) * args->to_ptrsize + args->auxsize + 1705 (args->stk_strp - args->stk_base); 1706 1707 /* 1708 * Pad the string section with zeroes to align the stack size. 1709 */ 1710 pad = P2NPHASE(size, args->stk_align); 1711 1712 if (STK_AVAIL(args) < pad) 1713 return (E2BIG); 1714 1715 args->usrstack_size = size + pad; 1716 1717 while (pad-- != 0) 1718 *args->stk_strp++ = 0; 1719 1720 args->nc = args->stk_strp - args->stk_base; 1721 1722 return (0); 1723 } 1724 1725 static int 1726 stk_copyout(uarg_t *args, char *usrstack, void **auxvpp, user_t *up) 1727 { 1728 size_t ptrsize = args->to_ptrsize; 1729 ssize_t pslen; 1730 char *kstrp = args->stk_base; 1731 char *ustrp = usrstack - args->nc - ptrsize; 1732 char *usp = usrstack - args->usrstack_size; 1733 int *offp = (int *)(args->stk_base + args->stk_size); 1734 int envc = args->ne; 1735 int argc = args->na - envc; 1736 int i; 1737 1738 /* 1739 * Record argc for /proc. 1740 */ 1741 up->u_argc = argc; 1742 1743 /* 1744 * Put argc on the stack. Note that even though it's an int, 1745 * it always consumes ptrsize bytes (for alignment). 1746 */ 1747 if (stk_putptr(args, usp, (char *)(uintptr_t)argc)) 1748 return (-1); 1749 1750 /* 1751 * Add argc space (ptrsize) to usp and record argv for /proc. 1752 */ 1753 up->u_argv = (uintptr_t)(usp += ptrsize); 1754 1755 /* 1756 * Put the argv[] pointers on the stack. 1757 */ 1758 for (i = 0; i < argc; i++, usp += ptrsize) 1759 if (stk_putptr(args, usp, &ustrp[*--offp])) 1760 return (-1); 1761 1762 /* 1763 * Copy arguments to u_psargs. 1764 */ 1765 pslen = MIN(args->arglen, PSARGSZ) - 1; 1766 for (i = 0; i < pslen; i++) 1767 up->u_psargs[i] = (kstrp[i] == '\0' ? ' ' : kstrp[i]); 1768 while (i < PSARGSZ) 1769 up->u_psargs[i++] = '\0'; 1770 1771 /* 1772 * Add space for argv[]'s NULL terminator (ptrsize) to usp and 1773 * record envp for /proc. 1774 */ 1775 up->u_envp = (uintptr_t)(usp += ptrsize); 1776 1777 /* 1778 * Put the envp[] pointers on the stack. 1779 */ 1780 for (i = 0; i < envc; i++, usp += ptrsize) 1781 if (stk_putptr(args, usp, &ustrp[*--offp])) 1782 return (-1); 1783 1784 /* 1785 * Add space for envp[]'s NULL terminator (ptrsize) to usp and 1786 * remember where the stack ends, which is also where auxv begins. 1787 */ 1788 args->stackend = usp += ptrsize; 1789 1790 /* 1791 * Put all the argv[], envp[], and auxv strings on the stack. 1792 */ 1793 if (copyout(args->stk_base, ustrp, args->nc)) 1794 return (-1); 1795 1796 /* 1797 * Fill in the aux vector now that we know the user stack addresses 1798 * for the AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME and 1799 * AT_SUN_EMULATOR strings. 1800 */ 1801 if (auxvpp != NULL && *auxvpp != NULL) { 1802 if (args->to_model == DATAMODEL_NATIVE) { 1803 auxv_t **a = (auxv_t **)auxvpp; 1804 ADDAUX(*a, AT_SUN_PLATFORM, (long)&ustrp[*--offp]) 1805 ADDAUX(*a, AT_SUN_EXECNAME, (long)&ustrp[*--offp]) 1806 if (args->brandname != NULL) 1807 ADDAUX(*a, 1808 AT_SUN_BRANDNAME, (long)&ustrp[*--offp]) 1809 if (args->emulator != NULL) 1810 ADDAUX(*a, 1811 AT_SUN_EMULATOR, (long)&ustrp[*--offp]) 1812 } else { 1813 auxv32_t **a = (auxv32_t **)auxvpp; 1814 ADDAUX(*a, 1815 AT_SUN_PLATFORM, (int)(uintptr_t)&ustrp[*--offp]) 1816 ADDAUX(*a, 1817 AT_SUN_EXECNAME, (int)(uintptr_t)&ustrp[*--offp]) 1818 if (args->brandname != NULL) 1819 ADDAUX(*a, AT_SUN_BRANDNAME, 1820 (int)(uintptr_t)&ustrp[*--offp]) 1821 if (args->emulator != NULL) 1822 ADDAUX(*a, AT_SUN_EMULATOR, 1823 (int)(uintptr_t)&ustrp[*--offp]) 1824 } 1825 } 1826 1827 return (0); 1828 } 1829 1830 /* 1831 * Though the actual stack base is constant, slew the %sp by a random aligned 1832 * amount in [0,aslr_max_stack_skew). Mostly, this makes life slightly more 1833 * complicated for buffer overflows hoping to overwrite the return address. 1834 * 1835 * On some platforms this helps avoid cache thrashing when identical processes 1836 * simultaneously share caches that don't provide enough associativity 1837 * (e.g. sun4v systems). In this case stack slewing makes the same hot stack 1838 * variables in different processes live in different cache sets increasing 1839 * effective associativity. 1840 */ 1841 size_t 1842 exec_get_spslew(void) 1843 { 1844 #ifdef sun4v 1845 static uint_t sp_color_stride = 16; 1846 static uint_t sp_color_mask = 0x1f; 1847 static uint_t sp_current_color = (uint_t)-1; 1848 #endif 1849 size_t off; 1850 1851 ASSERT(ISP2(aslr_max_stack_skew)); 1852 1853 if ((aslr_max_stack_skew == 0) || 1854 !secflag_enabled(curproc, PROC_SEC_ASLR)) { 1855 #ifdef sun4v 1856 uint_t spcolor = atomic_inc_32_nv(&sp_current_color); 1857 return ((size_t)((spcolor & sp_color_mask) * 1858 SA(sp_color_stride))); 1859 #else 1860 return (0); 1861 #endif 1862 } 1863 1864 (void) random_get_pseudo_bytes((uint8_t *)&off, sizeof (off)); 1865 return (SA(P2PHASE(off, aslr_max_stack_skew))); 1866 } 1867 1868 /* 1869 * Initialize a new user stack with the specified arguments and environment. 1870 * The initial user stack layout is as follows: 1871 * 1872 * User Stack 1873 * +---------------+ 1874 * | | 1875 * | stack guard | 1876 * | (64-bit only) | 1877 * | | 1878 * +...............+ <--- stack limit (base - curproc->p_stk_ctl) 1879 * . . 1880 * . . 1881 * . . 1882 * +---------------+ <--- curproc->p_usrstack 1883 * | | 1884 * | slew | 1885 * | | 1886 * +---------------+ 1887 * | NULL | 1888 * +---------------+ 1889 * | | 1890 * | auxv strings | 1891 * | | 1892 * +---------------+ 1893 * | | 1894 * | envp strings | 1895 * | | 1896 * +---------------+ 1897 * | | 1898 * | argv strings | 1899 * | | 1900 * +---------------+ <--- ustrp 1901 * | | 1902 * | aux vector | 1903 * | | 1904 * +---------------+ <--- auxv 1905 * | NULL | 1906 * +---------------+ 1907 * | envp[envc-1] | 1908 * +---------------+ 1909 * | ... | 1910 * +---------------+ 1911 * | envp[0] | 1912 * +---------------+ <--- envp[] 1913 * | NULL | 1914 * +---------------+ 1915 * | argv[argc-1] | 1916 * +---------------+ 1917 * | ... | 1918 * +---------------+ 1919 * | argv[0] | 1920 * +---------------+ <--- argv[] 1921 * | argc | 1922 * +---------------+ <--- stack base 1923 * 1924 * In 64-bit processes, a stack guard segment is allocated at the address 1925 * immediately below where the stack limit ends. This protects new library 1926 * mappings (such as the linker) from being placed in relatively dangerous 1927 * proximity to the stack. 1928 */ 1929 int 1930 exec_args(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp) 1931 { 1932 size_t size; 1933 int error; 1934 proc_t *p = ttoproc(curthread); 1935 user_t *up = PTOU(p); 1936 char *usrstack; 1937 rctl_entity_p_t e; 1938 struct as *as; 1939 extern int use_stk_lpg; 1940 size_t sp_slew; 1941 #if defined(_LP64) 1942 const size_t sg_sz = (stack_guard_seg_sz & PAGEMASK); 1943 #endif /* defined(_LP64) */ 1944 1945 args->from_model = p->p_model; 1946 if (p->p_model == DATAMODEL_NATIVE) { 1947 args->from_ptrsize = sizeof (long); 1948 } else { 1949 args->from_ptrsize = sizeof (int32_t); 1950 } 1951 1952 if (args->to_model == DATAMODEL_NATIVE) { 1953 args->to_ptrsize = sizeof (long); 1954 args->ncargs = NCARGS; 1955 args->stk_align = STACK_ALIGN; 1956 if (args->addr32) 1957 usrstack = (char *)USRSTACK64_32; 1958 else 1959 usrstack = (char *)USRSTACK; 1960 } else { 1961 args->to_ptrsize = sizeof (int32_t); 1962 args->ncargs = NCARGS32; 1963 args->stk_align = STACK_ALIGN32; 1964 usrstack = (char *)USRSTACK32; 1965 } 1966 1967 ASSERT(P2PHASE((uintptr_t)usrstack, args->stk_align) == 0); 1968 1969 #if defined(__sparc) 1970 /* 1971 * Make sure user register windows are empty before 1972 * attempting to make a new stack. 1973 */ 1974 (void) flush_user_windows_to_stack(NULL); 1975 #endif 1976 1977 for (size = PAGESIZE; ; size *= 2) { 1978 args->stk_size = size; 1979 args->stk_base = kmem_alloc(size, KM_SLEEP); 1980 args->stk_strp = args->stk_base; 1981 args->stk_offp = (int *)(args->stk_base + size); 1982 error = stk_copyin(uap, args, intp, auxvpp); 1983 if (error == 0) 1984 break; 1985 kmem_free(args->stk_base, size); 1986 if (error != E2BIG && error != ENAMETOOLONG) 1987 return (error); 1988 if (size >= args->ncargs) 1989 return (E2BIG); 1990 } 1991 1992 size = args->usrstack_size; 1993 1994 ASSERT(error == 0); 1995 ASSERT(P2PHASE(size, args->stk_align) == 0); 1996 ASSERT((ssize_t)STK_AVAIL(args) >= 0); 1997 1998 if (size > args->ncargs) { 1999 kmem_free(args->stk_base, args->stk_size); 2000 return (E2BIG); 2001 } 2002 2003 /* 2004 * Leave only the current lwp and force the other lwps to exit. 2005 * If another lwp beat us to the punch by calling exit(), bail out. 2006 */ 2007 if ((error = exitlwps(0)) != 0) { 2008 kmem_free(args->stk_base, args->stk_size); 2009 return (error); 2010 } 2011 2012 /* 2013 * Revoke any doors created by the process. 2014 */ 2015 if (p->p_door_list) 2016 door_exit(); 2017 2018 /* 2019 * Release schedctl data structures. 2020 */ 2021 if (p->p_pagep) 2022 schedctl_proc_cleanup(); 2023 2024 /* 2025 * Clean up any DTrace helpers for the process. 2026 */ 2027 if (p->p_dtrace_helpers != NULL) { 2028 ASSERT(dtrace_helpers_cleanup != NULL); 2029 (*dtrace_helpers_cleanup)(p); 2030 } 2031 2032 mutex_enter(&p->p_lock); 2033 /* 2034 * Cleanup the DTrace provider associated with this process. 2035 */ 2036 if (p->p_dtrace_probes) { 2037 ASSERT(dtrace_fasttrap_exec_ptr != NULL); 2038 dtrace_fasttrap_exec_ptr(p); 2039 } 2040 mutex_exit(&p->p_lock); 2041 2042 /* 2043 * discard the lwpchan cache. 2044 */ 2045 if (p->p_lcp != NULL) 2046 lwpchan_destroy_cache(1); 2047 2048 /* 2049 * Delete the POSIX timers. 2050 */ 2051 if (p->p_itimer != NULL) 2052 timer_exit(); 2053 2054 /* 2055 * Delete the ITIMER_REALPROF interval timer. 2056 * The other ITIMER_* interval timers are specified 2057 * to be inherited across exec(). 2058 */ 2059 delete_itimer_realprof(); 2060 2061 if (AU_AUDITING()) 2062 audit_exec(args->stk_base, args->stk_base + args->arglen, 2063 args->na - args->ne, args->ne, args->pfcred); 2064 2065 /* 2066 * Ensure that we don't change resource associations while we 2067 * change address spaces. 2068 */ 2069 mutex_enter(&p->p_lock); 2070 pool_barrier_enter(); 2071 mutex_exit(&p->p_lock); 2072 2073 /* 2074 * Destroy the old address space and create a new one. 2075 * From here on, any errors are fatal to the exec()ing process. 2076 * On error we return -1, which means the caller must SIGKILL 2077 * the process. 2078 */ 2079 relvm(); 2080 2081 mutex_enter(&p->p_lock); 2082 pool_barrier_exit(); 2083 mutex_exit(&p->p_lock); 2084 2085 up->u_execsw = args->execswp; 2086 2087 p->p_brkbase = NULL; 2088 p->p_brksize = 0; 2089 p->p_brkpageszc = 0; 2090 p->p_stksize = 0; 2091 p->p_stkpageszc = 0; 2092 p->p_stkg_start = 0; 2093 p->p_stkg_end = 0; 2094 p->p_model = args->to_model; 2095 p->p_usrstack = usrstack; 2096 p->p_stkprot = args->stk_prot; 2097 p->p_datprot = args->dat_prot; 2098 2099 /* 2100 * Reset resource controls such that all controls are again active as 2101 * well as appropriate to the potentially new address model for the 2102 * process. 2103 */ 2104 e.rcep_p.proc = p; 2105 e.rcep_t = RCENTITY_PROCESS; 2106 rctl_set_reset(p->p_rctls, p, &e); 2107 2108 /* Too early to call map_pgsz for the heap */ 2109 if (use_stk_lpg) { 2110 p->p_stkpageszc = page_szc(map_pgsz(MAPPGSZ_STK, p, 0, 0, 0)); 2111 } 2112 2113 mutex_enter(&p->p_lock); 2114 p->p_flag |= SAUTOLPG; /* kernel controls page sizes */ 2115 mutex_exit(&p->p_lock); 2116 2117 sp_slew = exec_get_spslew(); 2118 ASSERT(P2PHASE(sp_slew, args->stk_align) == 0); 2119 /* Be certain we don't underflow */ 2120 VERIFY((curproc->p_usrstack - (size + sp_slew)) < curproc->p_usrstack); 2121 exec_set_sp(size + sp_slew); 2122 2123 as = as_alloc(); 2124 p->p_as = as; 2125 as->a_proc = p; 2126 if (p->p_model == DATAMODEL_ILP32 || args->addr32) 2127 as->a_userlimit = (caddr_t)USERLIMIT32; 2128 (void) hat_setup(as->a_hat, HAT_ALLOC); 2129 hat_join_srd(as->a_hat, args->ex_vp); 2130 2131 /* Write out the contents of the new stack. */ 2132 error = stk_copyout(args, usrstack - sp_slew, auxvpp, up); 2133 kmem_free(args->stk_base, args->stk_size); 2134 2135 #if defined(_LP64) 2136 /* Add stack guard segment (if needed) after successful copyout */ 2137 if (error == 0 && p->p_model == DATAMODEL_LP64 && sg_sz != 0) { 2138 seghole_crargs_t sca; 2139 caddr_t addr_end = (caddr_t)(((uintptr_t)usrstack - 2140 p->p_stk_ctl) & PAGEMASK); 2141 caddr_t addr_start = addr_end - sg_sz; 2142 2143 DTRACE_PROBE4(stack__guard__chk, proc_t *, p, 2144 caddr_t, addr_start, caddr_t, addr_end, size_t, sg_sz); 2145 2146 if (addr_end >= usrstack || addr_start >= addr_end || 2147 valid_usr_range(addr_start, sg_sz, PROT_NONE, as, 2148 as->a_userlimit) != RANGE_OKAY) { 2149 return (E2BIG); 2150 } 2151 2152 /* Create un-mappable area in AS with seg_hole */ 2153 sca.name = "stack_guard"; 2154 error = as_map(as, addr_start, sg_sz, seghole_create, &sca); 2155 if (error == 0) { 2156 p->p_stkg_start = (uintptr_t)addr_start; 2157 p->p_stkg_end = (uintptr_t)addr_start + sg_sz; 2158 } 2159 } 2160 #endif /* defined(_LP64) */ 2161 2162 return (error); 2163 } 2164