xref: /illumos-gate/usr/src/uts/common/os/exec.c (revision 7a0c1e298cab158fe4113f2e75e46140eb4825e9)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 1988, 2010, Oracle and/or its affiliates. All rights reserved.
24  */
25 
26 /*	Copyright (c) 1988 AT&T	*/
27 /*	  All Rights Reserved  	*/
28 
29 #include <sys/types.h>
30 #include <sys/param.h>
31 #include <sys/sysmacros.h>
32 #include <sys/systm.h>
33 #include <sys/signal.h>
34 #include <sys/cred_impl.h>
35 #include <sys/policy.h>
36 #include <sys/user.h>
37 #include <sys/errno.h>
38 #include <sys/file.h>
39 #include <sys/vfs.h>
40 #include <sys/vnode.h>
41 #include <sys/mman.h>
42 #include <sys/acct.h>
43 #include <sys/cpuvar.h>
44 #include <sys/proc.h>
45 #include <sys/cmn_err.h>
46 #include <sys/debug.h>
47 #include <sys/pathname.h>
48 #include <sys/vm.h>
49 #include <sys/lgrp.h>
50 #include <sys/vtrace.h>
51 #include <sys/exec.h>
52 #include <sys/exechdr.h>
53 #include <sys/kmem.h>
54 #include <sys/prsystm.h>
55 #include <sys/modctl.h>
56 #include <sys/vmparam.h>
57 #include <sys/door.h>
58 #include <sys/schedctl.h>
59 #include <sys/utrap.h>
60 #include <sys/systeminfo.h>
61 #include <sys/stack.h>
62 #include <sys/rctl.h>
63 #include <sys/dtrace.h>
64 #include <sys/lwpchan_impl.h>
65 #include <sys/pool.h>
66 #include <sys/sdt.h>
67 #include <sys/brand.h>
68 #include <sys/klpd.h>
69 
70 #include <c2/audit.h>
71 
72 #include <vm/hat.h>
73 #include <vm/anon.h>
74 #include <vm/as.h>
75 #include <vm/seg.h>
76 #include <vm/seg_vn.h>
77 
78 #define	PRIV_RESET		0x01	/* needs to reset privs */
79 #define	PRIV_SETID		0x02	/* needs to change uids */
80 #define	PRIV_SETUGID		0x04	/* is setuid/setgid/forced privs */
81 #define	PRIV_INCREASE		0x08	/* child runs with more privs */
82 #define	MAC_FLAGS		0x10	/* need to adjust MAC flags */
83 #define	PRIV_FORCED		0x20	/* has forced privileges */
84 
85 static int execsetid(struct vnode *, struct vattr *, uid_t *, uid_t *,
86     priv_set_t *, cred_t *, const char *);
87 static int hold_execsw(struct execsw *);
88 
89 uint_t auxv_hwcap = 0;	/* auxv AT_SUN_HWCAP value; determined on the fly */
90 #if defined(_SYSCALL32_IMPL)
91 uint_t auxv_hwcap32 = 0;	/* 32-bit version of auxv_hwcap */
92 #endif
93 
94 #define	PSUIDFLAGS		(SNOCD|SUGID)
95 
96 /*
97  * exece() - system call wrapper around exec_common()
98  */
99 int
100 exece(const char *fname, const char **argp, const char **envp)
101 {
102 	int error;
103 
104 	error = exec_common(fname, argp, envp, EBA_NONE);
105 	return (error ? (set_errno(error)) : 0);
106 }
107 
108 int
109 exec_common(const char *fname, const char **argp, const char **envp,
110     int brand_action)
111 {
112 	vnode_t *vp = NULL, *dir = NULL, *tmpvp = NULL;
113 	proc_t *p = ttoproc(curthread);
114 	klwp_t *lwp = ttolwp(curthread);
115 	struct user *up = PTOU(p);
116 	long execsz;		/* temporary count of exec size */
117 	int i;
118 	int error;
119 	char exec_file[MAXCOMLEN+1];
120 	struct pathname pn;
121 	struct pathname resolvepn;
122 	struct uarg args;
123 	struct execa ua;
124 	k_sigset_t savedmask;
125 	lwpdir_t *lwpdir = NULL;
126 	tidhash_t *tidhash;
127 	lwpdir_t *old_lwpdir = NULL;
128 	uint_t old_lwpdir_sz;
129 	tidhash_t *old_tidhash;
130 	uint_t old_tidhash_sz;
131 	ret_tidhash_t *ret_tidhash;
132 	lwpent_t *lep;
133 	boolean_t brandme = B_FALSE;
134 
135 	/*
136 	 * exec() is not supported for the /proc agent lwp.
137 	 */
138 	if (curthread == p->p_agenttp)
139 		return (ENOTSUP);
140 
141 	if (brand_action != EBA_NONE) {
142 		/*
143 		 * Brand actions are not supported for processes that are not
144 		 * running in a branded zone.
145 		 */
146 		if (!ZONE_IS_BRANDED(p->p_zone))
147 			return (ENOTSUP);
148 
149 		if (brand_action == EBA_NATIVE) {
150 			/* Only branded processes can be unbranded */
151 			if (!PROC_IS_BRANDED(p))
152 				return (ENOTSUP);
153 		} else {
154 			/* Only unbranded processes can be branded */
155 			if (PROC_IS_BRANDED(p))
156 				return (ENOTSUP);
157 			brandme = B_TRUE;
158 		}
159 	} else {
160 		/*
161 		 * If this is a native zone, or if the process is already
162 		 * branded, then we don't need to do anything.  If this is
163 		 * a native process in a branded zone, we need to brand the
164 		 * process as it exec()s the new binary.
165 		 */
166 		if (ZONE_IS_BRANDED(p->p_zone) && !PROC_IS_BRANDED(p))
167 			brandme = B_TRUE;
168 	}
169 
170 	/*
171 	 * Inform /proc that an exec() has started.
172 	 * Hold signals that are ignored by default so that we will
173 	 * not be interrupted by a signal that will be ignored after
174 	 * successful completion of gexec().
175 	 */
176 	mutex_enter(&p->p_lock);
177 	prexecstart();
178 	schedctl_finish_sigblock(curthread);
179 	savedmask = curthread->t_hold;
180 	sigorset(&curthread->t_hold, &ignoredefault);
181 	mutex_exit(&p->p_lock);
182 
183 	/*
184 	 * Look up path name and remember last component for later.
185 	 * To help coreadm expand its %d token, we attempt to save
186 	 * the directory containing the executable in p_execdir. The
187 	 * first call to lookuppn() may fail and return EINVAL because
188 	 * dirvpp is non-NULL. In that case, we make a second call to
189 	 * lookuppn() with dirvpp set to NULL; p_execdir will be NULL,
190 	 * but coreadm is allowed to expand %d to the empty string and
191 	 * there are other cases in which that failure may occur.
192 	 */
193 	if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0)
194 		goto out;
195 	pn_alloc(&resolvepn);
196 	if ((error = lookuppn(&pn, &resolvepn, FOLLOW, &dir, &vp)) != 0) {
197 		pn_free(&resolvepn);
198 		pn_free(&pn);
199 		if (error != EINVAL)
200 			goto out;
201 
202 		dir = NULL;
203 		if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0)
204 			goto out;
205 		pn_alloc(&resolvepn);
206 		if ((error = lookuppn(&pn, &resolvepn, FOLLOW, NULLVPP,
207 		    &vp)) != 0) {
208 			pn_free(&resolvepn);
209 			pn_free(&pn);
210 			goto out;
211 		}
212 	}
213 	if (vp == NULL) {
214 		if (dir != NULL)
215 			VN_RELE(dir);
216 		error = ENOENT;
217 		pn_free(&resolvepn);
218 		pn_free(&pn);
219 		goto out;
220 	}
221 
222 	if ((error = secpolicy_basic_exec(CRED(), vp)) != 0) {
223 		if (dir != NULL)
224 			VN_RELE(dir);
225 		pn_free(&resolvepn);
226 		pn_free(&pn);
227 		VN_RELE(vp);
228 		goto out;
229 	}
230 
231 	/*
232 	 * We do not allow executing files in attribute directories.
233 	 * We test this by determining whether the resolved path
234 	 * contains a "/" when we're in an attribute directory;
235 	 * only if the pathname does not contain a "/" the resolved path
236 	 * points to a file in the current working (attribute) directory.
237 	 */
238 	if ((p->p_user.u_cdir->v_flag & V_XATTRDIR) != 0 &&
239 	    strchr(resolvepn.pn_path, '/') == NULL) {
240 		if (dir != NULL)
241 			VN_RELE(dir);
242 		error = EACCES;
243 		pn_free(&resolvepn);
244 		pn_free(&pn);
245 		VN_RELE(vp);
246 		goto out;
247 	}
248 
249 	bzero(exec_file, MAXCOMLEN+1);
250 	(void) strncpy(exec_file, pn.pn_path, MAXCOMLEN);
251 	bzero(&args, sizeof (args));
252 	args.pathname = resolvepn.pn_path;
253 	/* don't free resolvepn until we are done with args */
254 	pn_free(&pn);
255 
256 	/*
257 	 * If we're running in a profile shell, then call pfexecd.
258 	 */
259 	if ((CR_FLAGS(p->p_cred) & PRIV_PFEXEC) != 0) {
260 		error = pfexec_call(p->p_cred, &resolvepn, &args.pfcred,
261 		    &args.scrubenv);
262 
263 		/* Returning errno in case we're not allowed to execute. */
264 		if (error > 0) {
265 			if (dir != NULL)
266 				VN_RELE(dir);
267 			pn_free(&resolvepn);
268 			VN_RELE(vp);
269 			goto out;
270 		}
271 
272 		/* Don't change the credentials when using old ptrace. */
273 		if (args.pfcred != NULL &&
274 		    (p->p_proc_flag & P_PR_PTRACE) != 0) {
275 			crfree(args.pfcred);
276 			args.pfcred = NULL;
277 			args.scrubenv = B_FALSE;
278 		}
279 	}
280 
281 	/*
282 	 * Specific exec handlers, or policies determined via
283 	 * /etc/system may override the historical default.
284 	 */
285 	args.stk_prot = PROT_ZFOD;
286 	args.dat_prot = PROT_ZFOD;
287 
288 	CPU_STATS_ADD_K(sys, sysexec, 1);
289 	DTRACE_PROC1(exec, char *, args.pathname);
290 
291 	ua.fname = fname;
292 	ua.argp = argp;
293 	ua.envp = envp;
294 
295 	/* If necessary, brand this process before we start the exec. */
296 	if (brandme)
297 		brand_setbrand(p);
298 
299 	if ((error = gexec(&vp, &ua, &args, NULL, 0, &execsz,
300 	    exec_file, p->p_cred, brand_action)) != 0) {
301 		if (brandme)
302 			brand_clearbrand(p);
303 		VN_RELE(vp);
304 		if (dir != NULL)
305 			VN_RELE(dir);
306 		pn_free(&resolvepn);
307 		goto fail;
308 	}
309 
310 	/*
311 	 * Free floating point registers (sun4u only)
312 	 */
313 	ASSERT(lwp != NULL);
314 	lwp_freeregs(lwp, 1);
315 
316 	/*
317 	 * Free thread and process context ops.
318 	 */
319 	if (curthread->t_ctx)
320 		freectx(curthread, 1);
321 	if (p->p_pctx)
322 		freepctx(p, 1);
323 
324 	/*
325 	 * Remember file name for accounting; clear any cached DTrace predicate.
326 	 */
327 	up->u_acflag &= ~AFORK;
328 	bcopy(exec_file, up->u_comm, MAXCOMLEN+1);
329 	curthread->t_predcache = NULL;
330 
331 	/*
332 	 * Clear contract template state
333 	 */
334 	lwp_ctmpl_clear(lwp);
335 
336 	/*
337 	 * Save the directory in which we found the executable for expanding
338 	 * the %d token used in core file patterns.
339 	 */
340 	mutex_enter(&p->p_lock);
341 	tmpvp = p->p_execdir;
342 	p->p_execdir = dir;
343 	if (p->p_execdir != NULL)
344 		VN_HOLD(p->p_execdir);
345 	mutex_exit(&p->p_lock);
346 
347 	if (tmpvp != NULL)
348 		VN_RELE(tmpvp);
349 
350 	/*
351 	 * Reset stack state to the user stack, clear set of signals
352 	 * caught on the signal stack, and reset list of signals that
353 	 * restart system calls; the new program's environment should
354 	 * not be affected by detritus from the old program.  Any
355 	 * pending held signals remain held, so don't clear t_hold.
356 	 */
357 	mutex_enter(&p->p_lock);
358 	lwp->lwp_oldcontext = 0;
359 	lwp->lwp_ustack = 0;
360 	lwp->lwp_old_stk_ctl = 0;
361 	sigemptyset(&up->u_signodefer);
362 	sigemptyset(&up->u_sigonstack);
363 	sigemptyset(&up->u_sigresethand);
364 	lwp->lwp_sigaltstack.ss_sp = 0;
365 	lwp->lwp_sigaltstack.ss_size = 0;
366 	lwp->lwp_sigaltstack.ss_flags = SS_DISABLE;
367 
368 	/*
369 	 * Make saved resource limit == current resource limit.
370 	 */
371 	for (i = 0; i < RLIM_NLIMITS; i++) {
372 		/*CONSTCOND*/
373 		if (RLIM_SAVED(i)) {
374 			(void) rctl_rlimit_get(rctlproc_legacy[i], p,
375 			    &up->u_saved_rlimit[i]);
376 		}
377 	}
378 
379 	/*
380 	 * If the action was to catch the signal, then the action
381 	 * must be reset to SIG_DFL.
382 	 */
383 	sigdefault(p);
384 	p->p_flag &= ~(SNOWAIT|SJCTL);
385 	p->p_flag |= (SEXECED|SMSACCT|SMSFORK);
386 	up->u_signal[SIGCLD - 1] = SIG_DFL;
387 
388 	/*
389 	 * Delete the dot4 sigqueues/signotifies.
390 	 */
391 	sigqfree(p);
392 
393 	mutex_exit(&p->p_lock);
394 
395 	mutex_enter(&p->p_pflock);
396 	p->p_prof.pr_base = NULL;
397 	p->p_prof.pr_size = 0;
398 	p->p_prof.pr_off = 0;
399 	p->p_prof.pr_scale = 0;
400 	p->p_prof.pr_samples = 0;
401 	mutex_exit(&p->p_pflock);
402 
403 	ASSERT(curthread->t_schedctl == NULL);
404 
405 #if defined(__sparc)
406 	if (p->p_utraps != NULL)
407 		utrap_free(p);
408 #endif	/* __sparc */
409 
410 	/*
411 	 * Close all close-on-exec files.
412 	 */
413 	close_exec(P_FINFO(p));
414 	TRACE_2(TR_FAC_PROC, TR_PROC_EXEC, "proc_exec:p %p up %p", p, up);
415 
416 	/* Unbrand ourself if necessary. */
417 	if (PROC_IS_BRANDED(p) && (brand_action == EBA_NATIVE))
418 		brand_clearbrand(p);
419 
420 	setregs(&args);
421 
422 	/* Mark this as an executable vnode */
423 	mutex_enter(&vp->v_lock);
424 	vp->v_flag |= VVMEXEC;
425 	mutex_exit(&vp->v_lock);
426 
427 	VN_RELE(vp);
428 	if (dir != NULL)
429 		VN_RELE(dir);
430 	pn_free(&resolvepn);
431 
432 	/*
433 	 * Allocate a new lwp directory and lwpid hash table if necessary.
434 	 */
435 	if (curthread->t_tid != 1 || p->p_lwpdir_sz != 2) {
436 		lwpdir = kmem_zalloc(2 * sizeof (lwpdir_t), KM_SLEEP);
437 		lwpdir->ld_next = lwpdir + 1;
438 		tidhash = kmem_zalloc(2 * sizeof (tidhash_t), KM_SLEEP);
439 		if (p->p_lwpdir != NULL)
440 			lep = p->p_lwpdir[curthread->t_dslot].ld_entry;
441 		else
442 			lep = kmem_zalloc(sizeof (*lep), KM_SLEEP);
443 	}
444 
445 	if (PROC_IS_BRANDED(p))
446 		BROP(p)->b_exec();
447 
448 	mutex_enter(&p->p_lock);
449 	prbarrier(p);
450 
451 	/*
452 	 * Reset lwp id to the default value of 1.
453 	 * This is a single-threaded process now
454 	 * and lwp #1 is lwp_wait()able by default.
455 	 * The t_unpark flag should not be inherited.
456 	 */
457 	ASSERT(p->p_lwpcnt == 1 && p->p_zombcnt == 0);
458 	curthread->t_tid = 1;
459 	kpreempt_disable();
460 	ASSERT(curthread->t_lpl != NULL);
461 	p->p_t1_lgrpid = curthread->t_lpl->lpl_lgrpid;
462 	kpreempt_enable();
463 	if (p->p_tr_lgrpid != LGRP_NONE && p->p_tr_lgrpid != p->p_t1_lgrpid) {
464 		lgrp_update_trthr_migrations(1);
465 	}
466 	curthread->t_unpark = 0;
467 	curthread->t_proc_flag |= TP_TWAIT;
468 	curthread->t_proc_flag &= ~TP_DAEMON;	/* daemons shouldn't exec */
469 	p->p_lwpdaemon = 0;			/* but oh well ... */
470 	p->p_lwpid = 1;
471 
472 	/*
473 	 * Install the newly-allocated lwp directory and lwpid hash table
474 	 * and insert the current thread into the new hash table.
475 	 */
476 	if (lwpdir != NULL) {
477 		old_lwpdir = p->p_lwpdir;
478 		old_lwpdir_sz = p->p_lwpdir_sz;
479 		old_tidhash = p->p_tidhash;
480 		old_tidhash_sz = p->p_tidhash_sz;
481 		p->p_lwpdir = p->p_lwpfree = lwpdir;
482 		p->p_lwpdir_sz = 2;
483 		lep->le_thread = curthread;
484 		lep->le_lwpid = curthread->t_tid;
485 		lep->le_start = curthread->t_start;
486 		lwp_hash_in(p, lep, tidhash, 2, 0);
487 		p->p_tidhash = tidhash;
488 		p->p_tidhash_sz = 2;
489 	}
490 	ret_tidhash = p->p_ret_tidhash;
491 	p->p_ret_tidhash = NULL;
492 
493 	/*
494 	 * Restore the saved signal mask and
495 	 * inform /proc that the exec() has finished.
496 	 */
497 	curthread->t_hold = savedmask;
498 	prexecend();
499 	mutex_exit(&p->p_lock);
500 	if (old_lwpdir) {
501 		kmem_free(old_lwpdir, old_lwpdir_sz * sizeof (lwpdir_t));
502 		kmem_free(old_tidhash, old_tidhash_sz * sizeof (tidhash_t));
503 	}
504 	while (ret_tidhash != NULL) {
505 		ret_tidhash_t *next = ret_tidhash->rth_next;
506 		kmem_free(ret_tidhash->rth_tidhash,
507 		    ret_tidhash->rth_tidhash_sz * sizeof (tidhash_t));
508 		kmem_free(ret_tidhash, sizeof (*ret_tidhash));
509 		ret_tidhash = next;
510 	}
511 
512 	ASSERT(error == 0);
513 	DTRACE_PROC(exec__success);
514 	return (0);
515 
516 fail:
517 	DTRACE_PROC1(exec__failure, int, error);
518 out:		/* error return */
519 	mutex_enter(&p->p_lock);
520 	curthread->t_hold = savedmask;
521 	prexecend();
522 	mutex_exit(&p->p_lock);
523 	ASSERT(error != 0);
524 	return (error);
525 }
526 
527 
528 /*
529  * Perform generic exec duties and switchout to object-file specific
530  * handler.
531  */
532 int
533 gexec(
534 	struct vnode **vpp,
535 	struct execa *uap,
536 	struct uarg *args,
537 	struct intpdata *idatap,
538 	int level,
539 	long *execsz,
540 	caddr_t exec_file,
541 	struct cred *cred,
542 	int brand_action)
543 {
544 	struct vnode *vp, *execvp = NULL;
545 	proc_t *pp = ttoproc(curthread);
546 	struct execsw *eswp;
547 	int error = 0;
548 	int suidflags = 0;
549 	ssize_t resid;
550 	uid_t uid, gid;
551 	struct vattr vattr;
552 	char magbuf[MAGIC_BYTES];
553 	int setid;
554 	cred_t *oldcred, *newcred = NULL;
555 	int privflags = 0;
556 	int setidfl;
557 	priv_set_t fset;
558 
559 	/*
560 	 * If the SNOCD or SUGID flag is set, turn it off and remember the
561 	 * previous setting so we can restore it if we encounter an error.
562 	 */
563 	if (level == 0 && (pp->p_flag & PSUIDFLAGS)) {
564 		mutex_enter(&pp->p_lock);
565 		suidflags = pp->p_flag & PSUIDFLAGS;
566 		pp->p_flag &= ~PSUIDFLAGS;
567 		mutex_exit(&pp->p_lock);
568 	}
569 
570 	if ((error = execpermissions(*vpp, &vattr, args)) != 0)
571 		goto bad_noclose;
572 
573 	/* need to open vnode for stateful file systems */
574 	if ((error = VOP_OPEN(vpp, FREAD, CRED(), NULL)) != 0)
575 		goto bad_noclose;
576 	vp = *vpp;
577 
578 	/*
579 	 * Note: to support binary compatibility with SunOS a.out
580 	 * executables, we read in the first four bytes, as the
581 	 * magic number is in bytes 2-3.
582 	 */
583 	if (error = vn_rdwr(UIO_READ, vp, magbuf, sizeof (magbuf),
584 	    (offset_t)0, UIO_SYSSPACE, 0, (rlim64_t)0, CRED(), &resid))
585 		goto bad;
586 	if (resid != 0)
587 		goto bad;
588 
589 	if ((eswp = findexec_by_hdr(magbuf)) == NULL)
590 		goto bad;
591 
592 	if (level == 0 &&
593 	    (privflags = execsetid(vp, &vattr, &uid, &gid, &fset,
594 	    args->pfcred == NULL ? cred : args->pfcred, args->pathname)) != 0) {
595 
596 		/* Pfcred is a credential with a ref count of 1 */
597 
598 		if (args->pfcred != NULL) {
599 			privflags |= PRIV_INCREASE|PRIV_RESET;
600 			newcred = cred = args->pfcred;
601 		} else {
602 			newcred = cred = crdup(cred);
603 		}
604 
605 		/* If we can, drop the PA bit */
606 		if ((privflags & PRIV_RESET) != 0)
607 			priv_adjust_PA(cred);
608 
609 		if (privflags & PRIV_SETID) {
610 			cred->cr_uid = uid;
611 			cred->cr_gid = gid;
612 			cred->cr_suid = uid;
613 			cred->cr_sgid = gid;
614 		}
615 
616 		if (privflags & MAC_FLAGS) {
617 			if (!(CR_FLAGS(cred) & NET_MAC_AWARE_INHERIT))
618 				CR_FLAGS(cred) &= ~NET_MAC_AWARE;
619 			CR_FLAGS(cred) &= ~NET_MAC_AWARE_INHERIT;
620 		}
621 
622 		/*
623 		 * Implement the privilege updates:
624 		 *
625 		 * Restrict with L:
626 		 *
627 		 *	I' = I & L
628 		 *
629 		 *	E' = P' = (I' + F) & A
630 		 *
631 		 * But if running under ptrace, we cap I and F with P.
632 		 */
633 		if ((privflags & (PRIV_RESET|PRIV_FORCED)) != 0) {
634 			if ((privflags & PRIV_INCREASE) != 0 &&
635 			    (pp->p_proc_flag & P_PR_PTRACE) != 0) {
636 				priv_intersect(&CR_OPPRIV(cred),
637 				    &CR_IPRIV(cred));
638 				priv_intersect(&CR_OPPRIV(cred), &fset);
639 			}
640 			priv_intersect(&CR_LPRIV(cred), &CR_IPRIV(cred));
641 			CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred);
642 			if (privflags & PRIV_FORCED) {
643 				priv_set_PA(cred);
644 				priv_union(&fset, &CR_EPRIV(cred));
645 				priv_union(&fset, &CR_PPRIV(cred));
646 			}
647 			priv_adjust_PA(cred);
648 		}
649 	} else if (level == 0 && args->pfcred != NULL) {
650 		newcred = cred = args->pfcred;
651 		privflags |= PRIV_INCREASE;
652 		/* pfcred is not forced to adhere to these settings */
653 		priv_intersect(&CR_LPRIV(cred), &CR_IPRIV(cred));
654 		CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred);
655 		priv_adjust_PA(cred);
656 	}
657 
658 	/* SunOS 4.x buy-back */
659 	if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) &&
660 	    (vattr.va_mode & (VSUID|VSGID))) {
661 		char path[MAXNAMELEN];
662 		refstr_t *mntpt = NULL;
663 		int ret = -1;
664 
665 		bzero(path, sizeof (path));
666 		zone_hold(pp->p_zone);
667 
668 		ret = vnodetopath(pp->p_zone->zone_rootvp, vp, path,
669 		    sizeof (path), cred);
670 
671 		/* fallback to mountpoint if a path can't be found */
672 		if ((ret != 0) || (ret == 0 && path[0] == '\0'))
673 			mntpt = vfs_getmntpoint(vp->v_vfsp);
674 
675 		if (mntpt == NULL)
676 			zcmn_err(pp->p_zone->zone_id, CE_NOTE,
677 			    "!uid %d: setuid execution not allowed, "
678 			    "file=%s", cred->cr_uid, path);
679 		else
680 			zcmn_err(pp->p_zone->zone_id, CE_NOTE,
681 			    "!uid %d: setuid execution not allowed, "
682 			    "fs=%s, file=%s", cred->cr_uid,
683 			    ZONE_PATH_TRANSLATE(refstr_value(mntpt),
684 			    pp->p_zone), exec_file);
685 
686 		if (!INGLOBALZONE(pp)) {
687 			/* zone_rootpath always has trailing / */
688 			if (mntpt == NULL)
689 				cmn_err(CE_NOTE, "!zone: %s, uid: %d "
690 				    "setuid execution not allowed, file=%s%s",
691 				    pp->p_zone->zone_name, cred->cr_uid,
692 				    pp->p_zone->zone_rootpath, path + 1);
693 			else
694 				cmn_err(CE_NOTE, "!zone: %s, uid: %d "
695 				    "setuid execution not allowed, fs=%s, "
696 				    "file=%s", pp->p_zone->zone_name,
697 				    cred->cr_uid, refstr_value(mntpt),
698 				    exec_file);
699 		}
700 
701 		if (mntpt != NULL)
702 			refstr_rele(mntpt);
703 
704 		zone_rele(pp->p_zone);
705 	}
706 
707 	/*
708 	 * execsetid() told us whether or not we had to change the
709 	 * credentials of the process.  In privflags, it told us
710 	 * whether we gained any privileges or executed a set-uid executable.
711 	 */
712 	setid = (privflags & (PRIV_SETUGID|PRIV_INCREASE|PRIV_FORCED));
713 
714 	/*
715 	 * Use /etc/system variable to determine if the stack
716 	 * should be marked as executable by default.
717 	 */
718 	if (noexec_user_stack)
719 		args->stk_prot &= ~PROT_EXEC;
720 
721 	args->execswp = eswp; /* Save execsw pointer in uarg for exec_func */
722 	args->ex_vp = vp;
723 
724 	/*
725 	 * Traditionally, the setid flags told the sub processes whether
726 	 * the file just executed was set-uid or set-gid; this caused
727 	 * some confusion as the 'setid' flag did not match the SUGID
728 	 * process flag which is only set when the uids/gids do not match.
729 	 * A script set-gid/set-uid to the real uid/gid would start with
730 	 * /dev/fd/X but an executable would happily trust LD_LIBRARY_PATH.
731 	 * Now we flag those cases where the calling process cannot
732 	 * be trusted to influence the newly exec'ed process, either
733 	 * because it runs with more privileges or when the uids/gids
734 	 * do in fact not match.
735 	 * This also makes the runtime linker agree with the on exec
736 	 * values of SNOCD and SUGID.
737 	 */
738 	setidfl = 0;
739 	if (cred->cr_uid != cred->cr_ruid || (cred->cr_rgid != cred->cr_gid &&
740 	    !supgroupmember(cred->cr_gid, cred))) {
741 		setidfl |= EXECSETID_UGIDS;
742 	}
743 	if (setid & PRIV_SETUGID)
744 		setidfl |= EXECSETID_SETID;
745 	if (setid & PRIV_FORCED)
746 		setidfl |= EXECSETID_PRIVS;
747 
748 	execvp = pp->p_exec;
749 	if (execvp)
750 		VN_HOLD(execvp);
751 
752 	error = (*eswp->exec_func)(vp, uap, args, idatap, level, execsz,
753 	    setidfl, exec_file, cred, brand_action);
754 	rw_exit(eswp->exec_lock);
755 	if (error != 0) {
756 		if (execvp)
757 			VN_RELE(execvp);
758 		/*
759 		 * If this process's p_exec has been set to the vp of
760 		 * the executable by exec_func, we will return without
761 		 * calling VOP_CLOSE because proc_exit will close it
762 		 * on exit.
763 		 */
764 		if (pp->p_exec == vp)
765 			goto bad_noclose;
766 		else
767 			goto bad;
768 	}
769 
770 	if (level == 0) {
771 		uid_t oruid;
772 
773 		if (execvp != NULL) {
774 			/*
775 			 * Close the previous executable only if we are
776 			 * at level 0.
777 			 */
778 			(void) VOP_CLOSE(execvp, FREAD, 1, (offset_t)0,
779 			    cred, NULL);
780 		}
781 
782 		mutex_enter(&pp->p_crlock);
783 
784 		oruid = pp->p_cred->cr_ruid;
785 
786 		if (newcred != NULL) {
787 			/*
788 			 * Free the old credentials, and set the new ones.
789 			 * Do this for both the process and the (single) thread.
790 			 */
791 			crfree(pp->p_cred);
792 			pp->p_cred = cred;	/* cred already held for proc */
793 			crhold(cred);		/* hold new cred for thread */
794 			/*
795 			 * DTrace accesses t_cred in probe context.  t_cred
796 			 * must always be either NULL, or point to a valid,
797 			 * allocated cred structure.
798 			 */
799 			oldcred = curthread->t_cred;
800 			curthread->t_cred = cred;
801 			crfree(oldcred);
802 
803 			if (priv_basic_test >= 0 &&
804 			    !PRIV_ISASSERT(&CR_IPRIV(newcred),
805 			    priv_basic_test)) {
806 				pid_t pid = pp->p_pid;
807 				char *fn = PTOU(pp)->u_comm;
808 
809 				cmn_err(CE_WARN, "%s[%d]: exec: basic_test "
810 				    "privilege removed from E/I", fn, pid);
811 			}
812 		}
813 		/*
814 		 * On emerging from a successful exec(), the saved
815 		 * uid and gid equal the effective uid and gid.
816 		 */
817 		cred->cr_suid = cred->cr_uid;
818 		cred->cr_sgid = cred->cr_gid;
819 
820 		/*
821 		 * If the real and effective ids do not match, this
822 		 * is a setuid process that should not dump core.
823 		 * The group comparison is tricky; we prevent the code
824 		 * from flagging SNOCD when executing with an effective gid
825 		 * which is a supplementary group.
826 		 */
827 		if (cred->cr_ruid != cred->cr_uid ||
828 		    (cred->cr_rgid != cred->cr_gid &&
829 		    !supgroupmember(cred->cr_gid, cred)) ||
830 		    (privflags & PRIV_INCREASE) != 0)
831 			suidflags = PSUIDFLAGS;
832 		else
833 			suidflags = 0;
834 
835 		mutex_exit(&pp->p_crlock);
836 		if (newcred != NULL && oruid != newcred->cr_ruid) {
837 			/* Note that the process remains in the same zone. */
838 			mutex_enter(&pidlock);
839 			upcount_dec(oruid, crgetzoneid(newcred));
840 			upcount_inc(newcred->cr_ruid, crgetzoneid(newcred));
841 			mutex_exit(&pidlock);
842 		}
843 		if (suidflags) {
844 			mutex_enter(&pp->p_lock);
845 			pp->p_flag |= suidflags;
846 			mutex_exit(&pp->p_lock);
847 		}
848 		if (setid && (pp->p_proc_flag & P_PR_PTRACE) == 0) {
849 			/*
850 			 * If process is traced via /proc, arrange to
851 			 * invalidate the associated /proc vnode.
852 			 */
853 			if (pp->p_plist || (pp->p_proc_flag & P_PR_TRACE))
854 				args->traceinval = 1;
855 		}
856 		if (pp->p_proc_flag & P_PR_PTRACE)
857 			psignal(pp, SIGTRAP);
858 		if (args->traceinval)
859 			prinvalidate(&pp->p_user);
860 	}
861 	if (execvp)
862 		VN_RELE(execvp);
863 	return (0);
864 
865 bad:
866 	(void) VOP_CLOSE(vp, FREAD, 1, (offset_t)0, cred, NULL);
867 
868 bad_noclose:
869 	if (newcred != NULL)
870 		crfree(newcred);
871 	if (error == 0)
872 		error = ENOEXEC;
873 
874 	if (suidflags) {
875 		mutex_enter(&pp->p_lock);
876 		pp->p_flag |= suidflags;
877 		mutex_exit(&pp->p_lock);
878 	}
879 	return (error);
880 }
881 
882 extern char *execswnames[];
883 
884 struct execsw *
885 allocate_execsw(char *name, char *magic, size_t magic_size)
886 {
887 	int i, j;
888 	char *ename;
889 	char *magicp;
890 
891 	mutex_enter(&execsw_lock);
892 	for (i = 0; i < nexectype; i++) {
893 		if (execswnames[i] == NULL) {
894 			ename = kmem_alloc(strlen(name) + 1, KM_SLEEP);
895 			(void) strcpy(ename, name);
896 			execswnames[i] = ename;
897 			/*
898 			 * Set the magic number last so that we
899 			 * don't need to hold the execsw_lock in
900 			 * findexectype().
901 			 */
902 			magicp = kmem_alloc(magic_size, KM_SLEEP);
903 			for (j = 0; j < magic_size; j++)
904 				magicp[j] = magic[j];
905 			execsw[i].exec_magic = magicp;
906 			mutex_exit(&execsw_lock);
907 			return (&execsw[i]);
908 		}
909 	}
910 	mutex_exit(&execsw_lock);
911 	return (NULL);
912 }
913 
914 /*
915  * Find the exec switch table entry with the corresponding magic string.
916  */
917 struct execsw *
918 findexecsw(char *magic)
919 {
920 	struct execsw *eswp;
921 
922 	for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
923 		ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
924 		if (magic && eswp->exec_maglen != 0 &&
925 		    bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0)
926 			return (eswp);
927 	}
928 	return (NULL);
929 }
930 
931 /*
932  * Find the execsw[] index for the given exec header string by looking for the
933  * magic string at a specified offset and length for each kind of executable
934  * file format until one matches.  If no execsw[] entry is found, try to
935  * autoload a module for this magic string.
936  */
937 struct execsw *
938 findexec_by_hdr(char *header)
939 {
940 	struct execsw *eswp;
941 
942 	for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
943 		ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
944 		if (header && eswp->exec_maglen != 0 &&
945 		    bcmp(&header[eswp->exec_magoff], eswp->exec_magic,
946 		    eswp->exec_maglen) == 0) {
947 			if (hold_execsw(eswp) != 0)
948 				return (NULL);
949 			return (eswp);
950 		}
951 	}
952 	return (NULL);	/* couldn't find the type */
953 }
954 
955 /*
956  * Find the execsw[] index for the given magic string.  If no execsw[] entry
957  * is found, try to autoload a module for this magic string.
958  */
959 struct execsw *
960 findexec_by_magic(char *magic)
961 {
962 	struct execsw *eswp;
963 
964 	for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
965 		ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
966 		if (magic && eswp->exec_maglen != 0 &&
967 		    bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0) {
968 			if (hold_execsw(eswp) != 0)
969 				return (NULL);
970 			return (eswp);
971 		}
972 	}
973 	return (NULL);	/* couldn't find the type */
974 }
975 
976 static int
977 hold_execsw(struct execsw *eswp)
978 {
979 	char *name;
980 
981 	rw_enter(eswp->exec_lock, RW_READER);
982 	while (!LOADED_EXEC(eswp)) {
983 		rw_exit(eswp->exec_lock);
984 		name = execswnames[eswp-execsw];
985 		ASSERT(name);
986 		if (modload("exec", name) == -1)
987 			return (-1);
988 		rw_enter(eswp->exec_lock, RW_READER);
989 	}
990 	return (0);
991 }
992 
993 static int
994 execsetid(struct vnode *vp, struct vattr *vattrp, uid_t *uidp, uid_t *gidp,
995     priv_set_t *fset, cred_t *cr, const char *pathname)
996 {
997 	proc_t *pp = ttoproc(curthread);
998 	uid_t uid, gid;
999 	int privflags = 0;
1000 
1001 	/*
1002 	 * Remember credentials.
1003 	 */
1004 	uid = cr->cr_uid;
1005 	gid = cr->cr_gid;
1006 
1007 	/* Will try to reset the PRIV_AWARE bit later. */
1008 	if ((CR_FLAGS(cr) & (PRIV_AWARE|PRIV_AWARE_INHERIT)) == PRIV_AWARE)
1009 		privflags |= PRIV_RESET;
1010 
1011 	if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) == 0) {
1012 		/*
1013 		 * If it's a set-uid root program we perform the
1014 		 * forced privilege look-aside. This has three possible
1015 		 * outcomes:
1016 		 *	no look aside information -> treat as before
1017 		 *	look aside in Limit set -> apply forced privs
1018 		 *	look aside not in Limit set -> ignore set-uid root
1019 		 *
1020 		 * Ordinary set-uid root execution only allowed if the limit
1021 		 * set holds all unsafe privileges.
1022 		 */
1023 		if (vattrp->va_mode & VSUID) {
1024 			if (vattrp->va_uid == 0) {
1025 				int res = get_forced_privs(cr, pathname, fset);
1026 
1027 				switch (res) {
1028 				case -1:
1029 					if (priv_issubset(&priv_unsafe,
1030 					    &CR_LPRIV(cr))) {
1031 						uid = vattrp->va_uid;
1032 						privflags |= PRIV_SETUGID;
1033 					}
1034 					break;
1035 				case 0:
1036 					privflags |= PRIV_FORCED|PRIV_INCREASE;
1037 					break;
1038 				default:
1039 					break;
1040 				}
1041 			} else {
1042 				uid = vattrp->va_uid;
1043 				privflags |= PRIV_SETUGID;
1044 			}
1045 		}
1046 		if (vattrp->va_mode & VSGID) {
1047 			gid = vattrp->va_gid;
1048 			privflags |= PRIV_SETUGID;
1049 		}
1050 	}
1051 
1052 	/*
1053 	 * Do we need to change our credential anyway?
1054 	 * This is the case when E != I or P != I, as
1055 	 * we need to do the assignments (with F empty and A full)
1056 	 * Or when I is not a subset of L; in that case we need to
1057 	 * enforce L.
1058 	 *
1059 	 *		I' = L & I
1060 	 *
1061 	 *		E' = P' = (I' + F) & A
1062 	 * or
1063 	 *		E' = P' = I'
1064 	 */
1065 	if (!priv_isequalset(&CR_EPRIV(cr), &CR_IPRIV(cr)) ||
1066 	    !priv_issubset(&CR_IPRIV(cr), &CR_LPRIV(cr)) ||
1067 	    !priv_isequalset(&CR_PPRIV(cr), &CR_IPRIV(cr)))
1068 		privflags |= PRIV_RESET;
1069 
1070 	/* Child has more privileges than parent */
1071 	if (!priv_issubset(&CR_IPRIV(cr), &CR_PPRIV(cr)))
1072 		privflags |= PRIV_INCREASE;
1073 
1074 	/* If MAC-aware flag(s) are on, need to update cred to remove. */
1075 	if ((CR_FLAGS(cr) & NET_MAC_AWARE) ||
1076 	    (CR_FLAGS(cr) & NET_MAC_AWARE_INHERIT))
1077 		privflags |= MAC_FLAGS;
1078 	/*
1079 	 * Set setuid/setgid protections if no ptrace() compatibility.
1080 	 * For privileged processes, honor setuid/setgid even in
1081 	 * the presence of ptrace() compatibility.
1082 	 */
1083 	if (((pp->p_proc_flag & P_PR_PTRACE) == 0 ||
1084 	    PRIV_POLICY_ONLY(cr, PRIV_PROC_OWNER, (uid == 0))) &&
1085 	    (cr->cr_uid != uid ||
1086 	    cr->cr_gid != gid ||
1087 	    cr->cr_suid != uid ||
1088 	    cr->cr_sgid != gid)) {
1089 		*uidp = uid;
1090 		*gidp = gid;
1091 		privflags |= PRIV_SETID;
1092 	}
1093 	return (privflags);
1094 }
1095 
1096 int
1097 execpermissions(struct vnode *vp, struct vattr *vattrp, struct uarg *args)
1098 {
1099 	int error;
1100 	proc_t *p = ttoproc(curthread);
1101 
1102 	vattrp->va_mask = AT_MODE | AT_UID | AT_GID | AT_SIZE;
1103 	if (error = VOP_GETATTR(vp, vattrp, ATTR_EXEC, p->p_cred, NULL))
1104 		return (error);
1105 	/*
1106 	 * Check the access mode.
1107 	 * If VPROC, ask /proc if the file is an object file.
1108 	 */
1109 	if ((error = VOP_ACCESS(vp, VEXEC, 0, p->p_cred, NULL)) != 0 ||
1110 	    !(vp->v_type == VREG || (vp->v_type == VPROC && pr_isobject(vp))) ||
1111 	    (vp->v_vfsp->vfs_flag & VFS_NOEXEC) != 0 ||
1112 	    (vattrp->va_mode & (VEXEC|(VEXEC>>3)|(VEXEC>>6))) == 0) {
1113 		if (error == 0)
1114 			error = EACCES;
1115 		return (error);
1116 	}
1117 
1118 	if ((p->p_plist || (p->p_proc_flag & (P_PR_PTRACE|P_PR_TRACE))) &&
1119 	    (error = VOP_ACCESS(vp, VREAD, 0, p->p_cred, NULL))) {
1120 		/*
1121 		 * If process is under ptrace(2) compatibility,
1122 		 * fail the exec(2).
1123 		 */
1124 		if (p->p_proc_flag & P_PR_PTRACE)
1125 			goto bad;
1126 		/*
1127 		 * Process is traced via /proc.
1128 		 * Arrange to invalidate the /proc vnode.
1129 		 */
1130 		args->traceinval = 1;
1131 	}
1132 	return (0);
1133 bad:
1134 	if (error == 0)
1135 		error = ENOEXEC;
1136 	return (error);
1137 }
1138 
1139 /*
1140  * Map a section of an executable file into the user's
1141  * address space.
1142  */
1143 int
1144 execmap(struct vnode *vp, caddr_t addr, size_t len, size_t zfodlen,
1145     off_t offset, int prot, int page, uint_t szc)
1146 {
1147 	int error = 0;
1148 	off_t oldoffset;
1149 	caddr_t zfodbase, oldaddr;
1150 	size_t end, oldlen;
1151 	size_t zfoddiff;
1152 	label_t ljb;
1153 	proc_t *p = ttoproc(curthread);
1154 
1155 	oldaddr = addr;
1156 	addr = (caddr_t)((uintptr_t)addr & (uintptr_t)PAGEMASK);
1157 	if (len) {
1158 		oldlen = len;
1159 		len += ((size_t)oldaddr - (size_t)addr);
1160 		oldoffset = offset;
1161 		offset = (off_t)((uintptr_t)offset & PAGEMASK);
1162 		if (page) {
1163 			spgcnt_t  prefltmem, availm, npages;
1164 			int preread;
1165 			uint_t mflag = MAP_PRIVATE | MAP_FIXED;
1166 
1167 			if ((prot & (PROT_WRITE | PROT_EXEC)) == PROT_EXEC) {
1168 				mflag |= MAP_TEXT;
1169 			} else {
1170 				mflag |= MAP_INITDATA;
1171 			}
1172 
1173 			if (valid_usr_range(addr, len, prot, p->p_as,
1174 			    p->p_as->a_userlimit) != RANGE_OKAY) {
1175 				error = ENOMEM;
1176 				goto bad;
1177 			}
1178 			if (error = VOP_MAP(vp, (offset_t)offset,
1179 			    p->p_as, &addr, len, prot, PROT_ALL,
1180 			    mflag, CRED(), NULL))
1181 				goto bad;
1182 
1183 			/*
1184 			 * If the segment can fit, then we prefault
1185 			 * the entire segment in.  This is based on the
1186 			 * model that says the best working set of a
1187 			 * small program is all of its pages.
1188 			 */
1189 			npages = (spgcnt_t)btopr(len);
1190 			prefltmem = freemem - desfree;
1191 			preread =
1192 			    (npages < prefltmem && len < PGTHRESH) ? 1 : 0;
1193 
1194 			/*
1195 			 * If we aren't prefaulting the segment,
1196 			 * increment "deficit", if necessary to ensure
1197 			 * that pages will become available when this
1198 			 * process starts executing.
1199 			 */
1200 			availm = freemem - lotsfree;
1201 			if (preread == 0 && npages > availm &&
1202 			    deficit < lotsfree) {
1203 				deficit += MIN((pgcnt_t)(npages - availm),
1204 				    lotsfree - deficit);
1205 			}
1206 
1207 			if (preread) {
1208 				TRACE_2(TR_FAC_PROC, TR_EXECMAP_PREREAD,
1209 				    "execmap preread:freemem %d size %lu",
1210 				    freemem, len);
1211 				(void) as_fault(p->p_as->a_hat, p->p_as,
1212 				    (caddr_t)addr, len, F_INVAL, S_READ);
1213 			}
1214 		} else {
1215 			if (valid_usr_range(addr, len, prot, p->p_as,
1216 			    p->p_as->a_userlimit) != RANGE_OKAY) {
1217 				error = ENOMEM;
1218 				goto bad;
1219 			}
1220 
1221 			if (error = as_map(p->p_as, addr, len,
1222 			    segvn_create, zfod_argsp))
1223 				goto bad;
1224 			/*
1225 			 * Read in the segment in one big chunk.
1226 			 */
1227 			if (error = vn_rdwr(UIO_READ, vp, (caddr_t)oldaddr,
1228 			    oldlen, (offset_t)oldoffset, UIO_USERSPACE, 0,
1229 			    (rlim64_t)0, CRED(), (ssize_t *)0))
1230 				goto bad;
1231 			/*
1232 			 * Now set protections.
1233 			 */
1234 			if (prot != PROT_ZFOD) {
1235 				(void) as_setprot(p->p_as, (caddr_t)addr,
1236 				    len, prot);
1237 			}
1238 		}
1239 	}
1240 
1241 	if (zfodlen) {
1242 		struct as *as = curproc->p_as;
1243 		struct seg *seg;
1244 		uint_t zprot = 0;
1245 
1246 		end = (size_t)addr + len;
1247 		zfodbase = (caddr_t)roundup(end, PAGESIZE);
1248 		zfoddiff = (uintptr_t)zfodbase - end;
1249 		if (zfoddiff) {
1250 			/*
1251 			 * Before we go to zero the remaining space on the last
1252 			 * page, make sure we have write permission.
1253 			 */
1254 
1255 			AS_LOCK_ENTER(as, &as->a_lock, RW_READER);
1256 			seg = as_segat(curproc->p_as, (caddr_t)end);
1257 			if (seg != NULL)
1258 				SEGOP_GETPROT(seg, (caddr_t)end, zfoddiff - 1,
1259 				    &zprot);
1260 			AS_LOCK_EXIT(as, &as->a_lock);
1261 
1262 			if (seg != NULL && (zprot & PROT_WRITE) == 0) {
1263 				(void) as_setprot(as, (caddr_t)end,
1264 				    zfoddiff - 1, zprot | PROT_WRITE);
1265 			}
1266 
1267 			if (on_fault(&ljb)) {
1268 				no_fault();
1269 				if (seg != NULL && (zprot & PROT_WRITE) == 0)
1270 					(void) as_setprot(as, (caddr_t)end,
1271 					    zfoddiff - 1, zprot);
1272 				error = EFAULT;
1273 				goto bad;
1274 			}
1275 			uzero((void *)end, zfoddiff);
1276 			no_fault();
1277 			if (seg != NULL && (zprot & PROT_WRITE) == 0)
1278 				(void) as_setprot(as, (caddr_t)end,
1279 				    zfoddiff - 1, zprot);
1280 		}
1281 		if (zfodlen > zfoddiff) {
1282 			struct segvn_crargs crargs =
1283 			    SEGVN_ZFOD_ARGS(PROT_ZFOD, PROT_ALL);
1284 
1285 			zfodlen -= zfoddiff;
1286 			if (valid_usr_range(zfodbase, zfodlen, prot, p->p_as,
1287 			    p->p_as->a_userlimit) != RANGE_OKAY) {
1288 				error = ENOMEM;
1289 				goto bad;
1290 			}
1291 			if (szc > 0) {
1292 				/*
1293 				 * ASSERT alignment because the mapelfexec()
1294 				 * caller for the szc > 0 case extended zfod
1295 				 * so it's end is pgsz aligned.
1296 				 */
1297 				size_t pgsz = page_get_pagesize(szc);
1298 				ASSERT(IS_P2ALIGNED(zfodbase + zfodlen, pgsz));
1299 
1300 				if (IS_P2ALIGNED(zfodbase, pgsz)) {
1301 					crargs.szc = szc;
1302 				} else {
1303 					crargs.szc = AS_MAP_HEAP;
1304 				}
1305 			} else {
1306 				crargs.szc = AS_MAP_NO_LPOOB;
1307 			}
1308 			if (error = as_map(p->p_as, (caddr_t)zfodbase,
1309 			    zfodlen, segvn_create, &crargs))
1310 				goto bad;
1311 			if (prot != PROT_ZFOD) {
1312 				(void) as_setprot(p->p_as, (caddr_t)zfodbase,
1313 				    zfodlen, prot);
1314 			}
1315 		}
1316 	}
1317 	return (0);
1318 bad:
1319 	return (error);
1320 }
1321 
1322 void
1323 setexecenv(struct execenv *ep)
1324 {
1325 	proc_t *p = ttoproc(curthread);
1326 	klwp_t *lwp = ttolwp(curthread);
1327 	struct vnode *vp;
1328 
1329 	p->p_bssbase = ep->ex_bssbase;
1330 	p->p_brkbase = ep->ex_brkbase;
1331 	p->p_brksize = ep->ex_brksize;
1332 	if (p->p_exec)
1333 		VN_RELE(p->p_exec);	/* out with the old */
1334 	vp = p->p_exec = ep->ex_vp;
1335 	if (vp != NULL)
1336 		VN_HOLD(vp);		/* in with the new */
1337 
1338 	lwp->lwp_sigaltstack.ss_sp = 0;
1339 	lwp->lwp_sigaltstack.ss_size = 0;
1340 	lwp->lwp_sigaltstack.ss_flags = SS_DISABLE;
1341 }
1342 
1343 int
1344 execopen(struct vnode **vpp, int *fdp)
1345 {
1346 	struct vnode *vp = *vpp;
1347 	file_t *fp;
1348 	int error = 0;
1349 	int filemode = FREAD;
1350 
1351 	VN_HOLD(vp);		/* open reference */
1352 	if (error = falloc(NULL, filemode, &fp, fdp)) {
1353 		VN_RELE(vp);
1354 		*fdp = -1;	/* just in case falloc changed value */
1355 		return (error);
1356 	}
1357 	if (error = VOP_OPEN(&vp, filemode, CRED(), NULL)) {
1358 		VN_RELE(vp);
1359 		setf(*fdp, NULL);
1360 		unfalloc(fp);
1361 		*fdp = -1;
1362 		return (error);
1363 	}
1364 	*vpp = vp;		/* vnode should not have changed */
1365 	fp->f_vnode = vp;
1366 	mutex_exit(&fp->f_tlock);
1367 	setf(*fdp, fp);
1368 	return (0);
1369 }
1370 
1371 int
1372 execclose(int fd)
1373 {
1374 	return (closeandsetf(fd, NULL));
1375 }
1376 
1377 
1378 /*
1379  * noexec stub function.
1380  */
1381 /*ARGSUSED*/
1382 int
1383 noexec(
1384     struct vnode *vp,
1385     struct execa *uap,
1386     struct uarg *args,
1387     struct intpdata *idatap,
1388     int level,
1389     long *execsz,
1390     int setid,
1391     caddr_t exec_file,
1392     struct cred *cred)
1393 {
1394 	cmn_err(CE_WARN, "missing exec capability for %s", uap->fname);
1395 	return (ENOEXEC);
1396 }
1397 
1398 /*
1399  * Support routines for building a user stack.
1400  *
1401  * execve(path, argv, envp) must construct a new stack with the specified
1402  * arguments and environment variables (see exec_args() for a description
1403  * of the user stack layout).  To do this, we copy the arguments and
1404  * environment variables from the old user address space into the kernel,
1405  * free the old as, create the new as, and copy our buffered information
1406  * to the new stack.  Our kernel buffer has the following structure:
1407  *
1408  *	+-----------------------+ <--- stk_base + stk_size
1409  *	| string offsets	|
1410  *	+-----------------------+ <--- stk_offp
1411  *	|			|
1412  *	| STK_AVAIL() space	|
1413  *	|			|
1414  *	+-----------------------+ <--- stk_strp
1415  *	| strings		|
1416  *	+-----------------------+ <--- stk_base
1417  *
1418  * When we add a string, we store the string's contents (including the null
1419  * terminator) at stk_strp, and we store the offset of the string relative to
1420  * stk_base at --stk_offp.  At strings are added, stk_strp increases and
1421  * stk_offp decreases.  The amount of space remaining, STK_AVAIL(), is just
1422  * the difference between these pointers.  If we run out of space, we return
1423  * an error and exec_args() starts all over again with a buffer twice as large.
1424  * When we're all done, the kernel buffer looks like this:
1425  *
1426  *	+-----------------------+ <--- stk_base + stk_size
1427  *	| argv[0] offset	|
1428  *	+-----------------------+
1429  *	| ...			|
1430  *	+-----------------------+
1431  *	| argv[argc-1] offset	|
1432  *	+-----------------------+
1433  *	| envp[0] offset	|
1434  *	+-----------------------+
1435  *	| ...			|
1436  *	+-----------------------+
1437  *	| envp[envc-1] offset	|
1438  *	+-----------------------+
1439  *	| AT_SUN_PLATFORM offset|
1440  *	+-----------------------+
1441  *	| AT_SUN_EXECNAME offset|
1442  *	+-----------------------+ <--- stk_offp
1443  *	|			|
1444  *	| STK_AVAIL() space	|
1445  *	|			|
1446  *	+-----------------------+ <--- stk_strp
1447  *	| AT_SUN_EXECNAME offset|
1448  *	+-----------------------+
1449  *	| AT_SUN_PLATFORM offset|
1450  *	+-----------------------+
1451  *	| envp[envc-1] string	|
1452  *	+-----------------------+
1453  *	| ...			|
1454  *	+-----------------------+
1455  *	| envp[0] string	|
1456  *	+-----------------------+
1457  *	| argv[argc-1] string	|
1458  *	+-----------------------+
1459  *	| ...			|
1460  *	+-----------------------+
1461  *	| argv[0] string	|
1462  *	+-----------------------+ <--- stk_base
1463  */
1464 
1465 #define	STK_AVAIL(args)		((char *)(args)->stk_offp - (args)->stk_strp)
1466 
1467 /*
1468  * Add a string to the stack.
1469  */
1470 static int
1471 stk_add(uarg_t *args, const char *sp, enum uio_seg segflg)
1472 {
1473 	int error;
1474 	size_t len;
1475 
1476 	if (STK_AVAIL(args) < sizeof (int))
1477 		return (E2BIG);
1478 	*--args->stk_offp = args->stk_strp - args->stk_base;
1479 
1480 	if (segflg == UIO_USERSPACE) {
1481 		error = copyinstr(sp, args->stk_strp, STK_AVAIL(args), &len);
1482 		if (error != 0)
1483 			return (error);
1484 	} else {
1485 		len = strlen(sp) + 1;
1486 		if (len > STK_AVAIL(args))
1487 			return (E2BIG);
1488 		bcopy(sp, args->stk_strp, len);
1489 	}
1490 
1491 	args->stk_strp += len;
1492 
1493 	return (0);
1494 }
1495 
1496 static int
1497 stk_getptr(uarg_t *args, char *src, char **dst)
1498 {
1499 	int error;
1500 
1501 	if (args->from_model == DATAMODEL_NATIVE) {
1502 		ulong_t ptr;
1503 		error = fulword(src, &ptr);
1504 		*dst = (caddr_t)ptr;
1505 	} else {
1506 		uint32_t ptr;
1507 		error = fuword32(src, &ptr);
1508 		*dst = (caddr_t)(uintptr_t)ptr;
1509 	}
1510 	return (error);
1511 }
1512 
1513 static int
1514 stk_putptr(uarg_t *args, char *addr, char *value)
1515 {
1516 	if (args->to_model == DATAMODEL_NATIVE)
1517 		return (sulword(addr, (ulong_t)value));
1518 	else
1519 		return (suword32(addr, (uint32_t)(uintptr_t)value));
1520 }
1521 
1522 static int
1523 stk_copyin(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp)
1524 {
1525 	char *sp;
1526 	int argc, error;
1527 	int argv_empty = 0;
1528 	size_t ptrsize = args->from_ptrsize;
1529 	size_t size, pad;
1530 	char *argv = (char *)uap->argp;
1531 	char *envp = (char *)uap->envp;
1532 
1533 	/*
1534 	 * Copy interpreter's name and argument to argv[0] and argv[1].
1535 	 */
1536 	if (intp != NULL && intp->intp_name != NULL) {
1537 		if ((error = stk_add(args, intp->intp_name, UIO_SYSSPACE)) != 0)
1538 			return (error);
1539 		if (intp->intp_arg != NULL &&
1540 		    (error = stk_add(args, intp->intp_arg, UIO_SYSSPACE)) != 0)
1541 			return (error);
1542 		if (args->fname != NULL)
1543 			error = stk_add(args, args->fname, UIO_SYSSPACE);
1544 		else
1545 			error = stk_add(args, uap->fname, UIO_USERSPACE);
1546 		if (error)
1547 			return (error);
1548 
1549 		/*
1550 		 * Check for an empty argv[].
1551 		 */
1552 		if (stk_getptr(args, argv, &sp))
1553 			return (EFAULT);
1554 		if (sp == NULL)
1555 			argv_empty = 1;
1556 
1557 		argv += ptrsize;		/* ignore original argv[0] */
1558 	}
1559 
1560 	if (argv_empty == 0) {
1561 		/*
1562 		 * Add argv[] strings to the stack.
1563 		 */
1564 		for (;;) {
1565 			if (stk_getptr(args, argv, &sp))
1566 				return (EFAULT);
1567 			if (sp == NULL)
1568 				break;
1569 			if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0)
1570 				return (error);
1571 			argv += ptrsize;
1572 		}
1573 	}
1574 	argc = (int *)(args->stk_base + args->stk_size) - args->stk_offp;
1575 	args->arglen = args->stk_strp - args->stk_base;
1576 
1577 	/*
1578 	 * Add environ[] strings to the stack.
1579 	 */
1580 	if (envp != NULL) {
1581 		for (;;) {
1582 			char *tmp = args->stk_strp;
1583 			if (stk_getptr(args, envp, &sp))
1584 				return (EFAULT);
1585 			if (sp == NULL)
1586 				break;
1587 			if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0)
1588 				return (error);
1589 			if (args->scrubenv && strncmp(tmp, "LD_", 3) == 0) {
1590 				/* Undo the copied string */
1591 				args->stk_strp = tmp;
1592 				*(args->stk_offp++) = NULL;
1593 			}
1594 			envp += ptrsize;
1595 		}
1596 	}
1597 	args->na = (int *)(args->stk_base + args->stk_size) - args->stk_offp;
1598 	args->ne = args->na - argc;
1599 
1600 	/*
1601 	 * Add AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME, and
1602 	 * AT_SUN_EMULATOR strings to the stack.
1603 	 */
1604 	if (auxvpp != NULL && *auxvpp != NULL) {
1605 		if ((error = stk_add(args, platform, UIO_SYSSPACE)) != 0)
1606 			return (error);
1607 		if ((error = stk_add(args, args->pathname, UIO_SYSSPACE)) != 0)
1608 			return (error);
1609 		if (args->brandname != NULL &&
1610 		    (error = stk_add(args, args->brandname, UIO_SYSSPACE)) != 0)
1611 			return (error);
1612 		if (args->emulator != NULL &&
1613 		    (error = stk_add(args, args->emulator, UIO_SYSSPACE)) != 0)
1614 			return (error);
1615 	}
1616 
1617 	/*
1618 	 * Compute the size of the stack.  This includes all the pointers,
1619 	 * the space reserved for the aux vector, and all the strings.
1620 	 * The total number of pointers is args->na (which is argc + envc)
1621 	 * plus 4 more: (1) a pointer's worth of space for argc; (2) the NULL
1622 	 * after the last argument (i.e. argv[argc]); (3) the NULL after the
1623 	 * last environment variable (i.e. envp[envc]); and (4) the NULL after
1624 	 * all the strings, at the very top of the stack.
1625 	 */
1626 	size = (args->na + 4) * args->to_ptrsize + args->auxsize +
1627 	    (args->stk_strp - args->stk_base);
1628 
1629 	/*
1630 	 * Pad the string section with zeroes to align the stack size.
1631 	 */
1632 	pad = P2NPHASE(size, args->stk_align);
1633 
1634 	if (STK_AVAIL(args) < pad)
1635 		return (E2BIG);
1636 
1637 	args->usrstack_size = size + pad;
1638 
1639 	while (pad-- != 0)
1640 		*args->stk_strp++ = 0;
1641 
1642 	args->nc = args->stk_strp - args->stk_base;
1643 
1644 	return (0);
1645 }
1646 
1647 static int
1648 stk_copyout(uarg_t *args, char *usrstack, void **auxvpp, user_t *up)
1649 {
1650 	size_t ptrsize = args->to_ptrsize;
1651 	ssize_t pslen;
1652 	char *kstrp = args->stk_base;
1653 	char *ustrp = usrstack - args->nc - ptrsize;
1654 	char *usp = usrstack - args->usrstack_size;
1655 	int *offp = (int *)(args->stk_base + args->stk_size);
1656 	int envc = args->ne;
1657 	int argc = args->na - envc;
1658 	int i;
1659 
1660 	/*
1661 	 * Record argc for /proc.
1662 	 */
1663 	up->u_argc = argc;
1664 
1665 	/*
1666 	 * Put argc on the stack.  Note that even though it's an int,
1667 	 * it always consumes ptrsize bytes (for alignment).
1668 	 */
1669 	if (stk_putptr(args, usp, (char *)(uintptr_t)argc))
1670 		return (-1);
1671 
1672 	/*
1673 	 * Add argc space (ptrsize) to usp and record argv for /proc.
1674 	 */
1675 	up->u_argv = (uintptr_t)(usp += ptrsize);
1676 
1677 	/*
1678 	 * Put the argv[] pointers on the stack.
1679 	 */
1680 	for (i = 0; i < argc; i++, usp += ptrsize)
1681 		if (stk_putptr(args, usp, &ustrp[*--offp]))
1682 			return (-1);
1683 
1684 	/*
1685 	 * Copy arguments to u_psargs.
1686 	 */
1687 	pslen = MIN(args->arglen, PSARGSZ) - 1;
1688 	for (i = 0; i < pslen; i++)
1689 		up->u_psargs[i] = (kstrp[i] == '\0' ? ' ' : kstrp[i]);
1690 	while (i < PSARGSZ)
1691 		up->u_psargs[i++] = '\0';
1692 
1693 	/*
1694 	 * Add space for argv[]'s NULL terminator (ptrsize) to usp and
1695 	 * record envp for /proc.
1696 	 */
1697 	up->u_envp = (uintptr_t)(usp += ptrsize);
1698 
1699 	/*
1700 	 * Put the envp[] pointers on the stack.
1701 	 */
1702 	for (i = 0; i < envc; i++, usp += ptrsize)
1703 		if (stk_putptr(args, usp, &ustrp[*--offp]))
1704 			return (-1);
1705 
1706 	/*
1707 	 * Add space for envp[]'s NULL terminator (ptrsize) to usp and
1708 	 * remember where the stack ends, which is also where auxv begins.
1709 	 */
1710 	args->stackend = usp += ptrsize;
1711 
1712 	/*
1713 	 * Put all the argv[], envp[], and auxv strings on the stack.
1714 	 */
1715 	if (copyout(args->stk_base, ustrp, args->nc))
1716 		return (-1);
1717 
1718 	/*
1719 	 * Fill in the aux vector now that we know the user stack addresses
1720 	 * for the AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME and
1721 	 * AT_SUN_EMULATOR strings.
1722 	 */
1723 	if (auxvpp != NULL && *auxvpp != NULL) {
1724 		if (args->to_model == DATAMODEL_NATIVE) {
1725 			auxv_t **a = (auxv_t **)auxvpp;
1726 			ADDAUX(*a, AT_SUN_PLATFORM, (long)&ustrp[*--offp])
1727 			ADDAUX(*a, AT_SUN_EXECNAME, (long)&ustrp[*--offp])
1728 			if (args->brandname != NULL)
1729 				ADDAUX(*a,
1730 				    AT_SUN_BRANDNAME, (long)&ustrp[*--offp])
1731 			if (args->emulator != NULL)
1732 				ADDAUX(*a,
1733 				    AT_SUN_EMULATOR, (long)&ustrp[*--offp])
1734 		} else {
1735 			auxv32_t **a = (auxv32_t **)auxvpp;
1736 			ADDAUX(*a,
1737 			    AT_SUN_PLATFORM, (int)(uintptr_t)&ustrp[*--offp])
1738 			ADDAUX(*a,
1739 			    AT_SUN_EXECNAME, (int)(uintptr_t)&ustrp[*--offp])
1740 			if (args->brandname != NULL)
1741 				ADDAUX(*a, AT_SUN_BRANDNAME,
1742 				    (int)(uintptr_t)&ustrp[*--offp])
1743 			if (args->emulator != NULL)
1744 				ADDAUX(*a, AT_SUN_EMULATOR,
1745 				    (int)(uintptr_t)&ustrp[*--offp])
1746 		}
1747 	}
1748 
1749 	return (0);
1750 }
1751 
1752 /*
1753  * Initialize a new user stack with the specified arguments and environment.
1754  * The initial user stack layout is as follows:
1755  *
1756  *	User Stack
1757  *	+---------------+ <--- curproc->p_usrstack
1758  *	|		|
1759  *	| slew		|
1760  *	|		|
1761  *	+---------------+
1762  *	| NULL		|
1763  *	+---------------+
1764  *	|		|
1765  *	| auxv strings	|
1766  *	|		|
1767  *	+---------------+
1768  *	|		|
1769  *	| envp strings	|
1770  *	|		|
1771  *	+---------------+
1772  *	|		|
1773  *	| argv strings	|
1774  *	|		|
1775  *	+---------------+ <--- ustrp
1776  *	|		|
1777  *	| aux vector	|
1778  *	|		|
1779  *	+---------------+ <--- auxv
1780  *	| NULL		|
1781  *	+---------------+
1782  *	| envp[envc-1]	|
1783  *	+---------------+
1784  *	| ...		|
1785  *	+---------------+
1786  *	| envp[0]	|
1787  *	+---------------+ <--- envp[]
1788  *	| NULL		|
1789  *	+---------------+
1790  *	| argv[argc-1]	|
1791  *	+---------------+
1792  *	| ...		|
1793  *	+---------------+
1794  *	| argv[0]	|
1795  *	+---------------+ <--- argv[]
1796  *	| argc		|
1797  *	+---------------+ <--- stack base
1798  */
1799 int
1800 exec_args(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp)
1801 {
1802 	size_t size;
1803 	int error;
1804 	proc_t *p = ttoproc(curthread);
1805 	user_t *up = PTOU(p);
1806 	char *usrstack;
1807 	rctl_entity_p_t e;
1808 	struct as *as;
1809 	extern int use_stk_lpg;
1810 	size_t sp_slew;
1811 
1812 	args->from_model = p->p_model;
1813 	if (p->p_model == DATAMODEL_NATIVE) {
1814 		args->from_ptrsize = sizeof (long);
1815 	} else {
1816 		args->from_ptrsize = sizeof (int32_t);
1817 	}
1818 
1819 	if (args->to_model == DATAMODEL_NATIVE) {
1820 		args->to_ptrsize = sizeof (long);
1821 		args->ncargs = NCARGS;
1822 		args->stk_align = STACK_ALIGN;
1823 		if (args->addr32)
1824 			usrstack = (char *)USRSTACK64_32;
1825 		else
1826 			usrstack = (char *)USRSTACK;
1827 	} else {
1828 		args->to_ptrsize = sizeof (int32_t);
1829 		args->ncargs = NCARGS32;
1830 		args->stk_align = STACK_ALIGN32;
1831 		usrstack = (char *)USRSTACK32;
1832 	}
1833 
1834 	ASSERT(P2PHASE((uintptr_t)usrstack, args->stk_align) == 0);
1835 
1836 #if defined(__sparc)
1837 	/*
1838 	 * Make sure user register windows are empty before
1839 	 * attempting to make a new stack.
1840 	 */
1841 	(void) flush_user_windows_to_stack(NULL);
1842 #endif
1843 
1844 	for (size = PAGESIZE; ; size *= 2) {
1845 		args->stk_size = size;
1846 		args->stk_base = kmem_alloc(size, KM_SLEEP);
1847 		args->stk_strp = args->stk_base;
1848 		args->stk_offp = (int *)(args->stk_base + size);
1849 		error = stk_copyin(uap, args, intp, auxvpp);
1850 		if (error == 0)
1851 			break;
1852 		kmem_free(args->stk_base, size);
1853 		if (error != E2BIG && error != ENAMETOOLONG)
1854 			return (error);
1855 		if (size >= args->ncargs)
1856 			return (E2BIG);
1857 	}
1858 
1859 	size = args->usrstack_size;
1860 
1861 	ASSERT(error == 0);
1862 	ASSERT(P2PHASE(size, args->stk_align) == 0);
1863 	ASSERT((ssize_t)STK_AVAIL(args) >= 0);
1864 
1865 	if (size > args->ncargs) {
1866 		kmem_free(args->stk_base, args->stk_size);
1867 		return (E2BIG);
1868 	}
1869 
1870 	/*
1871 	 * Leave only the current lwp and force the other lwps to exit.
1872 	 * If another lwp beat us to the punch by calling exit(), bail out.
1873 	 */
1874 	if ((error = exitlwps(0)) != 0) {
1875 		kmem_free(args->stk_base, args->stk_size);
1876 		return (error);
1877 	}
1878 
1879 	/*
1880 	 * Revoke any doors created by the process.
1881 	 */
1882 	if (p->p_door_list)
1883 		door_exit();
1884 
1885 	/*
1886 	 * Release schedctl data structures.
1887 	 */
1888 	if (p->p_pagep)
1889 		schedctl_proc_cleanup();
1890 
1891 	/*
1892 	 * Clean up any DTrace helpers for the process.
1893 	 */
1894 	if (p->p_dtrace_helpers != NULL) {
1895 		ASSERT(dtrace_helpers_cleanup != NULL);
1896 		(*dtrace_helpers_cleanup)();
1897 	}
1898 
1899 	mutex_enter(&p->p_lock);
1900 	/*
1901 	 * Cleanup the DTrace provider associated with this process.
1902 	 */
1903 	if (p->p_dtrace_probes) {
1904 		ASSERT(dtrace_fasttrap_exec_ptr != NULL);
1905 		dtrace_fasttrap_exec_ptr(p);
1906 	}
1907 	mutex_exit(&p->p_lock);
1908 
1909 	/*
1910 	 * discard the lwpchan cache.
1911 	 */
1912 	if (p->p_lcp != NULL)
1913 		lwpchan_destroy_cache(1);
1914 
1915 	/*
1916 	 * Delete the POSIX timers.
1917 	 */
1918 	if (p->p_itimer != NULL)
1919 		timer_exit();
1920 
1921 	/*
1922 	 * Delete the ITIMER_REALPROF interval timer.
1923 	 * The other ITIMER_* interval timers are specified
1924 	 * to be inherited across exec().
1925 	 */
1926 	delete_itimer_realprof();
1927 
1928 	if (AU_AUDITING())
1929 		audit_exec(args->stk_base, args->stk_base + args->arglen,
1930 		    args->na - args->ne, args->ne, args->pfcred);
1931 
1932 	/*
1933 	 * Ensure that we don't change resource associations while we
1934 	 * change address spaces.
1935 	 */
1936 	mutex_enter(&p->p_lock);
1937 	pool_barrier_enter();
1938 	mutex_exit(&p->p_lock);
1939 
1940 	/*
1941 	 * Destroy the old address space and create a new one.
1942 	 * From here on, any errors are fatal to the exec()ing process.
1943 	 * On error we return -1, which means the caller must SIGKILL
1944 	 * the process.
1945 	 */
1946 	relvm();
1947 
1948 	mutex_enter(&p->p_lock);
1949 	pool_barrier_exit();
1950 	mutex_exit(&p->p_lock);
1951 
1952 	up->u_execsw = args->execswp;
1953 
1954 	p->p_brkbase = NULL;
1955 	p->p_brksize = 0;
1956 	p->p_brkpageszc = 0;
1957 	p->p_stksize = 0;
1958 	p->p_stkpageszc = 0;
1959 	p->p_model = args->to_model;
1960 	p->p_usrstack = usrstack;
1961 	p->p_stkprot = args->stk_prot;
1962 	p->p_datprot = args->dat_prot;
1963 
1964 	/*
1965 	 * Reset resource controls such that all controls are again active as
1966 	 * well as appropriate to the potentially new address model for the
1967 	 * process.
1968 	 */
1969 	e.rcep_p.proc = p;
1970 	e.rcep_t = RCENTITY_PROCESS;
1971 	rctl_set_reset(p->p_rctls, p, &e);
1972 
1973 	/* Too early to call map_pgsz for the heap */
1974 	if (use_stk_lpg) {
1975 		p->p_stkpageszc = page_szc(map_pgsz(MAPPGSZ_STK, p, 0, 0, 0));
1976 	}
1977 
1978 	mutex_enter(&p->p_lock);
1979 	p->p_flag |= SAUTOLPG;	/* kernel controls page sizes */
1980 	mutex_exit(&p->p_lock);
1981 
1982 	/*
1983 	 * Some platforms may choose to randomize real stack start by adding a
1984 	 * small slew (not more than a few hundred bytes) to the top of the
1985 	 * stack. This helps avoid cache thrashing when identical processes
1986 	 * simultaneously share caches that don't provide enough associativity
1987 	 * (e.g. sun4v systems). In this case stack slewing makes the same hot
1988 	 * stack variables in different processes to live in different cache
1989 	 * sets increasing effective associativity.
1990 	 */
1991 	sp_slew = exec_get_spslew();
1992 	ASSERT(P2PHASE(sp_slew, args->stk_align) == 0);
1993 	exec_set_sp(size + sp_slew);
1994 
1995 	as = as_alloc();
1996 	p->p_as = as;
1997 	as->a_proc = p;
1998 	if (p->p_model == DATAMODEL_ILP32 || args->addr32)
1999 		as->a_userlimit = (caddr_t)USERLIMIT32;
2000 	(void) hat_setup(as->a_hat, HAT_ALLOC);
2001 	hat_join_srd(as->a_hat, args->ex_vp);
2002 
2003 	/*
2004 	 * Finally, write out the contents of the new stack.
2005 	 */
2006 	error = stk_copyout(args, usrstack - sp_slew, auxvpp, up);
2007 	kmem_free(args->stk_base, args->stk_size);
2008 	return (error);
2009 }
2010