1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2010 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 /* Copyright (c) 1988 AT&T */ 28 /* All Rights Reserved */ 29 30 #include <sys/types.h> 31 #include <sys/param.h> 32 #include <sys/sysmacros.h> 33 #include <sys/systm.h> 34 #include <sys/signal.h> 35 #include <sys/cred_impl.h> 36 #include <sys/policy.h> 37 #include <sys/user.h> 38 #include <sys/errno.h> 39 #include <sys/file.h> 40 #include <sys/vfs.h> 41 #include <sys/vnode.h> 42 #include <sys/mman.h> 43 #include <sys/acct.h> 44 #include <sys/cpuvar.h> 45 #include <sys/proc.h> 46 #include <sys/cmn_err.h> 47 #include <sys/debug.h> 48 #include <sys/pathname.h> 49 #include <sys/vm.h> 50 #include <sys/lgrp.h> 51 #include <sys/vtrace.h> 52 #include <sys/exec.h> 53 #include <sys/exechdr.h> 54 #include <sys/kmem.h> 55 #include <sys/prsystm.h> 56 #include <sys/modctl.h> 57 #include <sys/vmparam.h> 58 #include <sys/door.h> 59 #include <sys/schedctl.h> 60 #include <sys/utrap.h> 61 #include <sys/systeminfo.h> 62 #include <sys/stack.h> 63 #include <sys/rctl.h> 64 #include <sys/dtrace.h> 65 #include <sys/lwpchan_impl.h> 66 #include <sys/pool.h> 67 #include <sys/sdt.h> 68 #include <sys/brand.h> 69 70 #include <c2/audit.h> 71 72 #include <vm/hat.h> 73 #include <vm/anon.h> 74 #include <vm/as.h> 75 #include <vm/seg.h> 76 #include <vm/seg_vn.h> 77 78 #define PRIV_RESET 0x01 /* needs to reset privs */ 79 #define PRIV_SETID 0x02 /* needs to change uids */ 80 #define PRIV_SETUGID 0x04 /* is setuid/setgid/forced privs */ 81 #define PRIV_INCREASE 0x08 /* child runs with more privs */ 82 #define MAC_FLAGS 0x10 /* need to adjust MAC flags */ 83 84 static int execsetid(struct vnode *, struct vattr *, uid_t *, uid_t *); 85 static int hold_execsw(struct execsw *); 86 87 uint_t auxv_hwcap = 0; /* auxv AT_SUN_HWCAP value; determined on the fly */ 88 #if defined(_SYSCALL32_IMPL) 89 uint_t auxv_hwcap32 = 0; /* 32-bit version of auxv_hwcap */ 90 #endif 91 92 #define PSUIDFLAGS (SNOCD|SUGID) 93 94 /* 95 * exece() - system call wrapper around exec_common() 96 */ 97 int 98 exece(const char *fname, const char **argp, const char **envp) 99 { 100 int error; 101 102 error = exec_common(fname, argp, envp, EBA_NONE); 103 return (error ? (set_errno(error)) : 0); 104 } 105 106 int 107 exec_common(const char *fname, const char **argp, const char **envp, 108 int brand_action) 109 { 110 vnode_t *vp = NULL, *dir = NULL, *tmpvp = NULL; 111 proc_t *p = ttoproc(curthread); 112 klwp_t *lwp = ttolwp(curthread); 113 struct user *up = PTOU(p); 114 long execsz; /* temporary count of exec size */ 115 int i; 116 int error; 117 char exec_file[MAXCOMLEN+1]; 118 struct pathname pn; 119 struct pathname resolvepn; 120 struct uarg args; 121 struct execa ua; 122 k_sigset_t savedmask; 123 lwpdir_t *lwpdir = NULL; 124 tidhash_t *tidhash; 125 lwpdir_t *old_lwpdir = NULL; 126 uint_t old_lwpdir_sz; 127 tidhash_t *old_tidhash; 128 uint_t old_tidhash_sz; 129 ret_tidhash_t *ret_tidhash; 130 lwpent_t *lep; 131 boolean_t brandme = B_FALSE; 132 133 /* 134 * exec() is not supported for the /proc agent lwp. 135 */ 136 if (curthread == p->p_agenttp) 137 return (ENOTSUP); 138 139 if (brand_action != EBA_NONE) { 140 /* 141 * Brand actions are not supported for processes that are not 142 * running in a branded zone. 143 */ 144 if (!ZONE_IS_BRANDED(p->p_zone)) 145 return (ENOTSUP); 146 147 if (brand_action == EBA_NATIVE) { 148 /* Only branded processes can be unbranded */ 149 if (!PROC_IS_BRANDED(p)) 150 return (ENOTSUP); 151 } else { 152 /* Only unbranded processes can be branded */ 153 if (PROC_IS_BRANDED(p)) 154 return (ENOTSUP); 155 brandme = B_TRUE; 156 } 157 } else { 158 /* 159 * If this is a native zone, or if the process is already 160 * branded, then we don't need to do anything. If this is 161 * a native process in a branded zone, we need to brand the 162 * process as it exec()s the new binary. 163 */ 164 if (ZONE_IS_BRANDED(p->p_zone) && !PROC_IS_BRANDED(p)) 165 brandme = B_TRUE; 166 } 167 168 /* 169 * Inform /proc that an exec() has started. 170 * Hold signals that are ignored by default so that we will 171 * not be interrupted by a signal that will be ignored after 172 * successful completion of gexec(). 173 */ 174 mutex_enter(&p->p_lock); 175 prexecstart(); 176 schedctl_finish_sigblock(curthread); 177 savedmask = curthread->t_hold; 178 sigorset(&curthread->t_hold, &ignoredefault); 179 mutex_exit(&p->p_lock); 180 181 /* 182 * Look up path name and remember last component for later. 183 * To help coreadm expand its %d token, we attempt to save 184 * the directory containing the executable in p_execdir. The 185 * first call to lookuppn() may fail and return EINVAL because 186 * dirvpp is non-NULL. In that case, we make a second call to 187 * lookuppn() with dirvpp set to NULL; p_execdir will be NULL, 188 * but coreadm is allowed to expand %d to the empty string and 189 * there are other cases in which that failure may occur. 190 */ 191 if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0) 192 goto out; 193 pn_alloc(&resolvepn); 194 if ((error = lookuppn(&pn, &resolvepn, FOLLOW, &dir, &vp)) != 0) { 195 pn_free(&resolvepn); 196 pn_free(&pn); 197 if (error != EINVAL) 198 goto out; 199 200 dir = NULL; 201 if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0) 202 goto out; 203 pn_alloc(&resolvepn); 204 if ((error = lookuppn(&pn, &resolvepn, FOLLOW, NULLVPP, 205 &vp)) != 0) { 206 pn_free(&resolvepn); 207 pn_free(&pn); 208 goto out; 209 } 210 } 211 if (vp == NULL) { 212 if (dir != NULL) 213 VN_RELE(dir); 214 error = ENOENT; 215 pn_free(&resolvepn); 216 pn_free(&pn); 217 goto out; 218 } 219 220 if ((error = secpolicy_basic_exec(CRED(), vp)) != 0) { 221 if (dir != NULL) 222 VN_RELE(dir); 223 pn_free(&resolvepn); 224 pn_free(&pn); 225 VN_RELE(vp); 226 goto out; 227 } 228 229 /* 230 * We do not allow executing files in attribute directories. 231 * We test this by determining whether the resolved path 232 * contains a "/" when we're in an attribute directory; 233 * only if the pathname does not contain a "/" the resolved path 234 * points to a file in the current working (attribute) directory. 235 */ 236 if ((p->p_user.u_cdir->v_flag & V_XATTRDIR) != 0 && 237 strchr(resolvepn.pn_path, '/') == NULL) { 238 if (dir != NULL) 239 VN_RELE(dir); 240 error = EACCES; 241 pn_free(&resolvepn); 242 pn_free(&pn); 243 VN_RELE(vp); 244 goto out; 245 } 246 247 bzero(exec_file, MAXCOMLEN+1); 248 (void) strncpy(exec_file, pn.pn_path, MAXCOMLEN); 249 bzero(&args, sizeof (args)); 250 args.pathname = resolvepn.pn_path; 251 /* don't free resolvepn until we are done with args */ 252 pn_free(&pn); 253 254 /* 255 * Specific exec handlers, or policies determined via 256 * /etc/system may override the historical default. 257 */ 258 args.stk_prot = PROT_ZFOD; 259 args.dat_prot = PROT_ZFOD; 260 261 CPU_STATS_ADD_K(sys, sysexec, 1); 262 DTRACE_PROC1(exec, char *, args.pathname); 263 264 ua.fname = fname; 265 ua.argp = argp; 266 ua.envp = envp; 267 268 /* If necessary, brand this process before we start the exec. */ 269 if (brandme) 270 brand_setbrand(p); 271 272 if ((error = gexec(&vp, &ua, &args, NULL, 0, &execsz, 273 exec_file, p->p_cred, brand_action)) != 0) { 274 if (brandme) 275 brand_clearbrand(p); 276 VN_RELE(vp); 277 if (dir != NULL) 278 VN_RELE(dir); 279 pn_free(&resolvepn); 280 goto fail; 281 } 282 283 /* 284 * Free floating point registers (sun4u only) 285 */ 286 ASSERT(lwp != NULL); 287 lwp_freeregs(lwp, 1); 288 289 /* 290 * Free thread and process context ops. 291 */ 292 if (curthread->t_ctx) 293 freectx(curthread, 1); 294 if (p->p_pctx) 295 freepctx(p, 1); 296 297 /* 298 * Remember file name for accounting; clear any cached DTrace predicate. 299 */ 300 up->u_acflag &= ~AFORK; 301 bcopy(exec_file, up->u_comm, MAXCOMLEN+1); 302 curthread->t_predcache = NULL; 303 304 /* 305 * Clear contract template state 306 */ 307 lwp_ctmpl_clear(lwp); 308 309 /* 310 * Save the directory in which we found the executable for expanding 311 * the %d token used in core file patterns. 312 */ 313 mutex_enter(&p->p_lock); 314 tmpvp = p->p_execdir; 315 p->p_execdir = dir; 316 if (p->p_execdir != NULL) 317 VN_HOLD(p->p_execdir); 318 mutex_exit(&p->p_lock); 319 320 if (tmpvp != NULL) 321 VN_RELE(tmpvp); 322 323 /* 324 * Reset stack state to the user stack, clear set of signals 325 * caught on the signal stack, and reset list of signals that 326 * restart system calls; the new program's environment should 327 * not be affected by detritus from the old program. Any 328 * pending held signals remain held, so don't clear t_hold. 329 */ 330 mutex_enter(&p->p_lock); 331 lwp->lwp_oldcontext = 0; 332 lwp->lwp_ustack = 0; 333 lwp->lwp_old_stk_ctl = 0; 334 sigemptyset(&up->u_signodefer); 335 sigemptyset(&up->u_sigonstack); 336 sigemptyset(&up->u_sigresethand); 337 lwp->lwp_sigaltstack.ss_sp = 0; 338 lwp->lwp_sigaltstack.ss_size = 0; 339 lwp->lwp_sigaltstack.ss_flags = SS_DISABLE; 340 341 /* 342 * Make saved resource limit == current resource limit. 343 */ 344 for (i = 0; i < RLIM_NLIMITS; i++) { 345 /*CONSTCOND*/ 346 if (RLIM_SAVED(i)) { 347 (void) rctl_rlimit_get(rctlproc_legacy[i], p, 348 &up->u_saved_rlimit[i]); 349 } 350 } 351 352 /* 353 * If the action was to catch the signal, then the action 354 * must be reset to SIG_DFL. 355 */ 356 sigdefault(p); 357 p->p_flag &= ~(SNOWAIT|SJCTL); 358 p->p_flag |= (SEXECED|SMSACCT|SMSFORK); 359 up->u_signal[SIGCLD - 1] = SIG_DFL; 360 361 /* 362 * Delete the dot4 sigqueues/signotifies. 363 */ 364 sigqfree(p); 365 366 mutex_exit(&p->p_lock); 367 368 mutex_enter(&p->p_pflock); 369 p->p_prof.pr_base = NULL; 370 p->p_prof.pr_size = 0; 371 p->p_prof.pr_off = 0; 372 p->p_prof.pr_scale = 0; 373 p->p_prof.pr_samples = 0; 374 mutex_exit(&p->p_pflock); 375 376 ASSERT(curthread->t_schedctl == NULL); 377 378 #if defined(__sparc) 379 if (p->p_utraps != NULL) 380 utrap_free(p); 381 #endif /* __sparc */ 382 383 /* 384 * Close all close-on-exec files. 385 */ 386 close_exec(P_FINFO(p)); 387 TRACE_2(TR_FAC_PROC, TR_PROC_EXEC, "proc_exec:p %p up %p", p, up); 388 389 /* Unbrand ourself if necessary. */ 390 if (PROC_IS_BRANDED(p) && (brand_action == EBA_NATIVE)) 391 brand_clearbrand(p); 392 393 setregs(&args); 394 395 /* Mark this as an executable vnode */ 396 mutex_enter(&vp->v_lock); 397 vp->v_flag |= VVMEXEC; 398 mutex_exit(&vp->v_lock); 399 400 VN_RELE(vp); 401 if (dir != NULL) 402 VN_RELE(dir); 403 pn_free(&resolvepn); 404 405 /* 406 * Allocate a new lwp directory and lwpid hash table if necessary. 407 */ 408 if (curthread->t_tid != 1 || p->p_lwpdir_sz != 2) { 409 lwpdir = kmem_zalloc(2 * sizeof (lwpdir_t), KM_SLEEP); 410 lwpdir->ld_next = lwpdir + 1; 411 tidhash = kmem_zalloc(2 * sizeof (tidhash_t), KM_SLEEP); 412 if (p->p_lwpdir != NULL) 413 lep = p->p_lwpdir[curthread->t_dslot].ld_entry; 414 else 415 lep = kmem_zalloc(sizeof (*lep), KM_SLEEP); 416 } 417 418 if (PROC_IS_BRANDED(p)) 419 BROP(p)->b_exec(); 420 421 mutex_enter(&p->p_lock); 422 prbarrier(p); 423 424 /* 425 * Reset lwp id to the default value of 1. 426 * This is a single-threaded process now 427 * and lwp #1 is lwp_wait()able by default. 428 * The t_unpark flag should not be inherited. 429 */ 430 ASSERT(p->p_lwpcnt == 1 && p->p_zombcnt == 0); 431 curthread->t_tid = 1; 432 kpreempt_disable(); 433 ASSERT(curthread->t_lpl != NULL); 434 p->p_t1_lgrpid = curthread->t_lpl->lpl_lgrpid; 435 kpreempt_enable(); 436 if (p->p_tr_lgrpid != LGRP_NONE && p->p_tr_lgrpid != p->p_t1_lgrpid) { 437 lgrp_update_trthr_migrations(1); 438 } 439 curthread->t_unpark = 0; 440 curthread->t_proc_flag |= TP_TWAIT; 441 curthread->t_proc_flag &= ~TP_DAEMON; /* daemons shouldn't exec */ 442 p->p_lwpdaemon = 0; /* but oh well ... */ 443 p->p_lwpid = 1; 444 445 /* 446 * Install the newly-allocated lwp directory and lwpid hash table 447 * and insert the current thread into the new hash table. 448 */ 449 if (lwpdir != NULL) { 450 old_lwpdir = p->p_lwpdir; 451 old_lwpdir_sz = p->p_lwpdir_sz; 452 old_tidhash = p->p_tidhash; 453 old_tidhash_sz = p->p_tidhash_sz; 454 p->p_lwpdir = p->p_lwpfree = lwpdir; 455 p->p_lwpdir_sz = 2; 456 lep->le_thread = curthread; 457 lep->le_lwpid = curthread->t_tid; 458 lep->le_start = curthread->t_start; 459 lwp_hash_in(p, lep, tidhash, 2, 0); 460 p->p_tidhash = tidhash; 461 p->p_tidhash_sz = 2; 462 } 463 ret_tidhash = p->p_ret_tidhash; 464 p->p_ret_tidhash = NULL; 465 466 /* 467 * Restore the saved signal mask and 468 * inform /proc that the exec() has finished. 469 */ 470 curthread->t_hold = savedmask; 471 prexecend(); 472 mutex_exit(&p->p_lock); 473 if (old_lwpdir) { 474 kmem_free(old_lwpdir, old_lwpdir_sz * sizeof (lwpdir_t)); 475 kmem_free(old_tidhash, old_tidhash_sz * sizeof (tidhash_t)); 476 } 477 while (ret_tidhash != NULL) { 478 ret_tidhash_t *next = ret_tidhash->rth_next; 479 kmem_free(ret_tidhash->rth_tidhash, 480 ret_tidhash->rth_tidhash_sz * sizeof (tidhash_t)); 481 kmem_free(ret_tidhash, sizeof (*ret_tidhash)); 482 ret_tidhash = next; 483 } 484 485 ASSERT(error == 0); 486 DTRACE_PROC(exec__success); 487 return (0); 488 489 fail: 490 DTRACE_PROC1(exec__failure, int, error); 491 out: /* error return */ 492 mutex_enter(&p->p_lock); 493 curthread->t_hold = savedmask; 494 prexecend(); 495 mutex_exit(&p->p_lock); 496 ASSERT(error != 0); 497 return (error); 498 } 499 500 501 /* 502 * Perform generic exec duties and switchout to object-file specific 503 * handler. 504 */ 505 int 506 gexec( 507 struct vnode **vpp, 508 struct execa *uap, 509 struct uarg *args, 510 struct intpdata *idatap, 511 int level, 512 long *execsz, 513 caddr_t exec_file, 514 struct cred *cred, 515 int brand_action) 516 { 517 struct vnode *vp, *execvp = NULL; 518 proc_t *pp = ttoproc(curthread); 519 struct execsw *eswp; 520 int error = 0; 521 int suidflags = 0; 522 ssize_t resid; 523 uid_t uid, gid; 524 struct vattr vattr; 525 char magbuf[MAGIC_BYTES]; 526 int setid; 527 cred_t *oldcred, *newcred = NULL; 528 int privflags = 0; 529 int setidfl; 530 531 /* 532 * If the SNOCD or SUGID flag is set, turn it off and remember the 533 * previous setting so we can restore it if we encounter an error. 534 */ 535 if (level == 0 && (pp->p_flag & PSUIDFLAGS)) { 536 mutex_enter(&pp->p_lock); 537 suidflags = pp->p_flag & PSUIDFLAGS; 538 pp->p_flag &= ~PSUIDFLAGS; 539 mutex_exit(&pp->p_lock); 540 } 541 542 if ((error = execpermissions(*vpp, &vattr, args)) != 0) 543 goto bad_noclose; 544 545 /* need to open vnode for stateful file systems */ 546 if ((error = VOP_OPEN(vpp, FREAD, CRED(), NULL)) != 0) 547 goto bad_noclose; 548 vp = *vpp; 549 550 /* 551 * Note: to support binary compatibility with SunOS a.out 552 * executables, we read in the first four bytes, as the 553 * magic number is in bytes 2-3. 554 */ 555 if (error = vn_rdwr(UIO_READ, vp, magbuf, sizeof (magbuf), 556 (offset_t)0, UIO_SYSSPACE, 0, (rlim64_t)0, CRED(), &resid)) 557 goto bad; 558 if (resid != 0) 559 goto bad; 560 561 if ((eswp = findexec_by_hdr(magbuf)) == NULL) 562 goto bad; 563 564 if (level == 0 && 565 (privflags = execsetid(vp, &vattr, &uid, &gid)) != 0) { 566 567 newcred = cred = crdup(cred); 568 569 /* If we can, drop the PA bit */ 570 if ((privflags & PRIV_RESET) != 0) 571 priv_adjust_PA(cred); 572 573 if (privflags & PRIV_SETID) { 574 cred->cr_uid = uid; 575 cred->cr_gid = gid; 576 cred->cr_suid = uid; 577 cred->cr_sgid = gid; 578 } 579 580 if (privflags & MAC_FLAGS) { 581 if (!(CR_FLAGS(cred) & NET_MAC_AWARE_INHERIT)) 582 CR_FLAGS(cred) &= ~NET_MAC_AWARE; 583 CR_FLAGS(cred) &= ~NET_MAC_AWARE_INHERIT; 584 } 585 586 /* 587 * Implement the privilege updates: 588 * 589 * Restrict with L: 590 * 591 * I' = I & L 592 * 593 * E' = P' = (I' + F) & A 594 * 595 * But if running under ptrace, we cap I with P. 596 */ 597 if ((privflags & PRIV_RESET) != 0) { 598 if ((privflags & PRIV_INCREASE) != 0 && 599 (pp->p_proc_flag & P_PR_PTRACE) != 0) 600 priv_intersect(&CR_OPPRIV(cred), 601 &CR_IPRIV(cred)); 602 priv_intersect(&CR_LPRIV(cred), &CR_IPRIV(cred)); 603 CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred); 604 priv_adjust_PA(cred); 605 } 606 } 607 608 /* SunOS 4.x buy-back */ 609 if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) && 610 (vattr.va_mode & (VSUID|VSGID))) { 611 char path[MAXNAMELEN]; 612 refstr_t *mntpt = NULL; 613 int ret = -1; 614 615 bzero(path, sizeof (path)); 616 zone_hold(pp->p_zone); 617 618 ret = vnodetopath(pp->p_zone->zone_rootvp, vp, path, 619 sizeof (path), cred); 620 621 /* fallback to mountpoint if a path can't be found */ 622 if ((ret != 0) || (ret == 0 && path[0] == '\0')) 623 mntpt = vfs_getmntpoint(vp->v_vfsp); 624 625 if (mntpt == NULL) 626 zcmn_err(pp->p_zone->zone_id, CE_NOTE, 627 "!uid %d: setuid execution not allowed, " 628 "file=%s", cred->cr_uid, path); 629 else 630 zcmn_err(pp->p_zone->zone_id, CE_NOTE, 631 "!uid %d: setuid execution not allowed, " 632 "fs=%s, file=%s", cred->cr_uid, 633 ZONE_PATH_TRANSLATE(refstr_value(mntpt), 634 pp->p_zone), exec_file); 635 636 if (!INGLOBALZONE(pp)) { 637 /* zone_rootpath always has trailing / */ 638 if (mntpt == NULL) 639 cmn_err(CE_NOTE, "!zone: %s, uid: %d " 640 "setuid execution not allowed, file=%s%s", 641 pp->p_zone->zone_name, cred->cr_uid, 642 pp->p_zone->zone_rootpath, path + 1); 643 else 644 cmn_err(CE_NOTE, "!zone: %s, uid: %d " 645 "setuid execution not allowed, fs=%s, " 646 "file=%s", pp->p_zone->zone_name, 647 cred->cr_uid, refstr_value(mntpt), 648 exec_file); 649 } 650 651 if (mntpt != NULL) 652 refstr_rele(mntpt); 653 654 zone_rele(pp->p_zone); 655 } 656 657 /* 658 * execsetid() told us whether or not we had to change the 659 * credentials of the process. In privflags, it told us 660 * whether we gained any privileges or executed a set-uid executable. 661 */ 662 setid = (privflags & (PRIV_SETUGID|PRIV_INCREASE)); 663 664 /* 665 * Use /etc/system variable to determine if the stack 666 * should be marked as executable by default. 667 */ 668 if (noexec_user_stack) 669 args->stk_prot &= ~PROT_EXEC; 670 671 args->execswp = eswp; /* Save execsw pointer in uarg for exec_func */ 672 args->ex_vp = vp; 673 674 /* 675 * Traditionally, the setid flags told the sub processes whether 676 * the file just executed was set-uid or set-gid; this caused 677 * some confusion as the 'setid' flag did not match the SUGID 678 * process flag which is only set when the uids/gids do not match. 679 * A script set-gid/set-uid to the real uid/gid would start with 680 * /dev/fd/X but an executable would happily trust LD_LIBRARY_PATH. 681 * Now we flag those cases where the calling process cannot 682 * be trusted to influence the newly exec'ed process, either 683 * because it runs with more privileges or when the uids/gids 684 * do in fact not match. 685 * This also makes the runtime linker agree with the on exec 686 * values of SNOCD and SUGID. 687 */ 688 setidfl = 0; 689 if (cred->cr_uid != cred->cr_ruid || (cred->cr_rgid != cred->cr_gid && 690 !supgroupmember(cred->cr_gid, cred))) { 691 setidfl |= EXECSETID_UGIDS; 692 } 693 if (setid & PRIV_SETUGID) 694 setidfl |= EXECSETID_SETID; 695 if (setid & PRIV_INCREASE) 696 setidfl |= EXECSETID_PRIVS; 697 698 execvp = pp->p_exec; 699 if (execvp) 700 VN_HOLD(execvp); 701 702 error = (*eswp->exec_func)(vp, uap, args, idatap, level, execsz, 703 setidfl, exec_file, cred, brand_action); 704 rw_exit(eswp->exec_lock); 705 if (error != 0) { 706 if (newcred != NULL) 707 crfree(newcred); 708 if (execvp) 709 VN_RELE(execvp); 710 goto bad; 711 } 712 713 if (level == 0) { 714 if (execvp != NULL) { 715 /* 716 * Close the previous executable only if we are 717 * at level 0. 718 */ 719 (void) VOP_CLOSE(execvp, FREAD, 1, (offset_t)0, 720 cred, NULL); 721 } 722 723 mutex_enter(&pp->p_crlock); 724 if (newcred != NULL) { 725 /* 726 * Free the old credentials, and set the new ones. 727 * Do this for both the process and the (single) thread. 728 */ 729 crfree(pp->p_cred); 730 pp->p_cred = cred; /* cred already held for proc */ 731 crhold(cred); /* hold new cred for thread */ 732 /* 733 * DTrace accesses t_cred in probe context. t_cred 734 * must always be either NULL, or point to a valid, 735 * allocated cred structure. 736 */ 737 oldcred = curthread->t_cred; 738 curthread->t_cred = cred; 739 crfree(oldcred); 740 741 if (priv_basic_test >= 0 && 742 !PRIV_ISASSERT(&CR_IPRIV(newcred), 743 priv_basic_test)) { 744 pid_t pid = pp->p_pid; 745 char *fn = PTOU(pp)->u_comm; 746 747 cmn_err(CE_WARN, "%s[%d]: exec: basic_test " 748 "privilege removed from E/I", fn, pid); 749 } 750 } 751 /* 752 * On emerging from a successful exec(), the saved 753 * uid and gid equal the effective uid and gid. 754 */ 755 cred->cr_suid = cred->cr_uid; 756 cred->cr_sgid = cred->cr_gid; 757 758 /* 759 * If the real and effective ids do not match, this 760 * is a setuid process that should not dump core. 761 * The group comparison is tricky; we prevent the code 762 * from flagging SNOCD when executing with an effective gid 763 * which is a supplementary group. 764 */ 765 if (cred->cr_ruid != cred->cr_uid || 766 (cred->cr_rgid != cred->cr_gid && 767 !supgroupmember(cred->cr_gid, cred)) || 768 (privflags & PRIV_INCREASE) != 0) 769 suidflags = PSUIDFLAGS; 770 else 771 suidflags = 0; 772 773 mutex_exit(&pp->p_crlock); 774 if (suidflags) { 775 mutex_enter(&pp->p_lock); 776 pp->p_flag |= suidflags; 777 mutex_exit(&pp->p_lock); 778 } 779 if (setid && (pp->p_proc_flag & P_PR_PTRACE) == 0) { 780 /* 781 * If process is traced via /proc, arrange to 782 * invalidate the associated /proc vnode. 783 */ 784 if (pp->p_plist || (pp->p_proc_flag & P_PR_TRACE)) 785 args->traceinval = 1; 786 } 787 if (pp->p_proc_flag & P_PR_PTRACE) 788 psignal(pp, SIGTRAP); 789 if (args->traceinval) 790 prinvalidate(&pp->p_user); 791 } 792 if (execvp) 793 VN_RELE(execvp); 794 return (0); 795 796 bad: 797 (void) VOP_CLOSE(vp, FREAD, 1, (offset_t)0, cred, NULL); 798 799 bad_noclose: 800 if (error == 0) 801 error = ENOEXEC; 802 803 if (suidflags) { 804 mutex_enter(&pp->p_lock); 805 pp->p_flag |= suidflags; 806 mutex_exit(&pp->p_lock); 807 } 808 return (error); 809 } 810 811 extern char *execswnames[]; 812 813 struct execsw * 814 allocate_execsw(char *name, char *magic, size_t magic_size) 815 { 816 int i, j; 817 char *ename; 818 char *magicp; 819 820 mutex_enter(&execsw_lock); 821 for (i = 0; i < nexectype; i++) { 822 if (execswnames[i] == NULL) { 823 ename = kmem_alloc(strlen(name) + 1, KM_SLEEP); 824 (void) strcpy(ename, name); 825 execswnames[i] = ename; 826 /* 827 * Set the magic number last so that we 828 * don't need to hold the execsw_lock in 829 * findexectype(). 830 */ 831 magicp = kmem_alloc(magic_size, KM_SLEEP); 832 for (j = 0; j < magic_size; j++) 833 magicp[j] = magic[j]; 834 execsw[i].exec_magic = magicp; 835 mutex_exit(&execsw_lock); 836 return (&execsw[i]); 837 } 838 } 839 mutex_exit(&execsw_lock); 840 return (NULL); 841 } 842 843 /* 844 * Find the exec switch table entry with the corresponding magic string. 845 */ 846 struct execsw * 847 findexecsw(char *magic) 848 { 849 struct execsw *eswp; 850 851 for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) { 852 ASSERT(eswp->exec_maglen <= MAGIC_BYTES); 853 if (magic && eswp->exec_maglen != 0 && 854 bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0) 855 return (eswp); 856 } 857 return (NULL); 858 } 859 860 /* 861 * Find the execsw[] index for the given exec header string by looking for the 862 * magic string at a specified offset and length for each kind of executable 863 * file format until one matches. If no execsw[] entry is found, try to 864 * autoload a module for this magic string. 865 */ 866 struct execsw * 867 findexec_by_hdr(char *header) 868 { 869 struct execsw *eswp; 870 871 for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) { 872 ASSERT(eswp->exec_maglen <= MAGIC_BYTES); 873 if (header && eswp->exec_maglen != 0 && 874 bcmp(&header[eswp->exec_magoff], eswp->exec_magic, 875 eswp->exec_maglen) == 0) { 876 if (hold_execsw(eswp) != 0) 877 return (NULL); 878 return (eswp); 879 } 880 } 881 return (NULL); /* couldn't find the type */ 882 } 883 884 /* 885 * Find the execsw[] index for the given magic string. If no execsw[] entry 886 * is found, try to autoload a module for this magic string. 887 */ 888 struct execsw * 889 findexec_by_magic(char *magic) 890 { 891 struct execsw *eswp; 892 893 for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) { 894 ASSERT(eswp->exec_maglen <= MAGIC_BYTES); 895 if (magic && eswp->exec_maglen != 0 && 896 bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0) { 897 if (hold_execsw(eswp) != 0) 898 return (NULL); 899 return (eswp); 900 } 901 } 902 return (NULL); /* couldn't find the type */ 903 } 904 905 static int 906 hold_execsw(struct execsw *eswp) 907 { 908 char *name; 909 910 rw_enter(eswp->exec_lock, RW_READER); 911 while (!LOADED_EXEC(eswp)) { 912 rw_exit(eswp->exec_lock); 913 name = execswnames[eswp-execsw]; 914 ASSERT(name); 915 if (modload("exec", name) == -1) 916 return (-1); 917 rw_enter(eswp->exec_lock, RW_READER); 918 } 919 return (0); 920 } 921 922 static int 923 execsetid(struct vnode *vp, struct vattr *vattrp, uid_t *uidp, uid_t *gidp) 924 { 925 proc_t *pp = ttoproc(curthread); 926 uid_t uid, gid; 927 cred_t *cr = pp->p_cred; 928 int privflags = 0; 929 930 /* 931 * Remember credentials. 932 */ 933 uid = cr->cr_uid; 934 gid = cr->cr_gid; 935 936 /* Will try to reset the PRIV_AWARE bit later. */ 937 if ((CR_FLAGS(cr) & (PRIV_AWARE|PRIV_AWARE_INHERIT)) == PRIV_AWARE) 938 privflags |= PRIV_RESET; 939 940 if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) == 0) { 941 /* 942 * Set-uid root execution only allowed if the limit set 943 * holds all unsafe privileges. 944 */ 945 if ((vattrp->va_mode & VSUID) && (vattrp->va_uid != 0 || 946 priv_issubset(&priv_unsafe, &CR_LPRIV(cr)))) { 947 uid = vattrp->va_uid; 948 privflags |= PRIV_SETUGID; 949 } 950 if (vattrp->va_mode & VSGID) { 951 gid = vattrp->va_gid; 952 privflags |= PRIV_SETUGID; 953 } 954 } 955 956 /* 957 * Do we need to change our credential anyway? 958 * This is the case when E != I or P != I, as 959 * we need to do the assignments (with F empty and A full) 960 * Or when I is not a subset of L; in that case we need to 961 * enforce L. 962 * 963 * I' = L & I 964 * 965 * E' = P' = (I' + F) & A 966 * or 967 * E' = P' = I' 968 */ 969 if (!priv_isequalset(&CR_EPRIV(cr), &CR_IPRIV(cr)) || 970 !priv_issubset(&CR_IPRIV(cr), &CR_LPRIV(cr)) || 971 !priv_isequalset(&CR_PPRIV(cr), &CR_IPRIV(cr))) 972 privflags |= PRIV_RESET; 973 974 /* If MAC-aware flag(s) are on, need to update cred to remove. */ 975 if ((CR_FLAGS(cr) & NET_MAC_AWARE) || 976 (CR_FLAGS(cr) & NET_MAC_AWARE_INHERIT)) 977 privflags |= MAC_FLAGS; 978 979 /* 980 * When we introduce the "forced" set then we will need 981 * to set PRIV_INCREASE here if I not a subset of P. 982 * If the "allowed" set is introduced we will need to do 983 * a similar thing; however, it seems more reasonable to 984 * have the allowed set reduce "L": script language interpreters 985 * would typically have an allowed set of "all". 986 */ 987 988 /* 989 * Set setuid/setgid protections if no ptrace() compatibility. 990 * For privileged processes, honor setuid/setgid even in 991 * the presence of ptrace() compatibility. 992 */ 993 if (((pp->p_proc_flag & P_PR_PTRACE) == 0 || 994 PRIV_POLICY_ONLY(cr, PRIV_PROC_OWNER, (uid == 0))) && 995 (cr->cr_uid != uid || 996 cr->cr_gid != gid || 997 cr->cr_suid != uid || 998 cr->cr_sgid != gid)) { 999 *uidp = uid; 1000 *gidp = gid; 1001 privflags |= PRIV_SETID; 1002 } 1003 return (privflags); 1004 } 1005 1006 int 1007 execpermissions(struct vnode *vp, struct vattr *vattrp, struct uarg *args) 1008 { 1009 int error; 1010 proc_t *p = ttoproc(curthread); 1011 1012 vattrp->va_mask = AT_MODE | AT_UID | AT_GID | AT_SIZE; 1013 if (error = VOP_GETATTR(vp, vattrp, ATTR_EXEC, p->p_cred, NULL)) 1014 return (error); 1015 /* 1016 * Check the access mode. 1017 * If VPROC, ask /proc if the file is an object file. 1018 */ 1019 if ((error = VOP_ACCESS(vp, VEXEC, 0, p->p_cred, NULL)) != 0 || 1020 !(vp->v_type == VREG || (vp->v_type == VPROC && pr_isobject(vp))) || 1021 (vp->v_vfsp->vfs_flag & VFS_NOEXEC) != 0 || 1022 (vattrp->va_mode & (VEXEC|(VEXEC>>3)|(VEXEC>>6))) == 0) { 1023 if (error == 0) 1024 error = EACCES; 1025 return (error); 1026 } 1027 1028 if ((p->p_plist || (p->p_proc_flag & (P_PR_PTRACE|P_PR_TRACE))) && 1029 (error = VOP_ACCESS(vp, VREAD, 0, p->p_cred, NULL))) { 1030 /* 1031 * If process is under ptrace(2) compatibility, 1032 * fail the exec(2). 1033 */ 1034 if (p->p_proc_flag & P_PR_PTRACE) 1035 goto bad; 1036 /* 1037 * Process is traced via /proc. 1038 * Arrange to invalidate the /proc vnode. 1039 */ 1040 args->traceinval = 1; 1041 } 1042 return (0); 1043 bad: 1044 if (error == 0) 1045 error = ENOEXEC; 1046 return (error); 1047 } 1048 1049 /* 1050 * Map a section of an executable file into the user's 1051 * address space. 1052 */ 1053 int 1054 execmap(struct vnode *vp, caddr_t addr, size_t len, size_t zfodlen, 1055 off_t offset, int prot, int page, uint_t szc) 1056 { 1057 int error = 0; 1058 off_t oldoffset; 1059 caddr_t zfodbase, oldaddr; 1060 size_t end, oldlen; 1061 size_t zfoddiff; 1062 label_t ljb; 1063 proc_t *p = ttoproc(curthread); 1064 1065 oldaddr = addr; 1066 addr = (caddr_t)((uintptr_t)addr & (uintptr_t)PAGEMASK); 1067 if (len) { 1068 oldlen = len; 1069 len += ((size_t)oldaddr - (size_t)addr); 1070 oldoffset = offset; 1071 offset = (off_t)((uintptr_t)offset & PAGEMASK); 1072 if (page) { 1073 spgcnt_t prefltmem, availm, npages; 1074 int preread; 1075 uint_t mflag = MAP_PRIVATE | MAP_FIXED; 1076 1077 if ((prot & (PROT_WRITE | PROT_EXEC)) == PROT_EXEC) { 1078 mflag |= MAP_TEXT; 1079 } else { 1080 mflag |= MAP_INITDATA; 1081 } 1082 1083 if (valid_usr_range(addr, len, prot, p->p_as, 1084 p->p_as->a_userlimit) != RANGE_OKAY) { 1085 error = ENOMEM; 1086 goto bad; 1087 } 1088 if (error = VOP_MAP(vp, (offset_t)offset, 1089 p->p_as, &addr, len, prot, PROT_ALL, 1090 mflag, CRED(), NULL)) 1091 goto bad; 1092 1093 /* 1094 * If the segment can fit, then we prefault 1095 * the entire segment in. This is based on the 1096 * model that says the best working set of a 1097 * small program is all of its pages. 1098 */ 1099 npages = (spgcnt_t)btopr(len); 1100 prefltmem = freemem - desfree; 1101 preread = 1102 (npages < prefltmem && len < PGTHRESH) ? 1 : 0; 1103 1104 /* 1105 * If we aren't prefaulting the segment, 1106 * increment "deficit", if necessary to ensure 1107 * that pages will become available when this 1108 * process starts executing. 1109 */ 1110 availm = freemem - lotsfree; 1111 if (preread == 0 && npages > availm && 1112 deficit < lotsfree) { 1113 deficit += MIN((pgcnt_t)(npages - availm), 1114 lotsfree - deficit); 1115 } 1116 1117 if (preread) { 1118 TRACE_2(TR_FAC_PROC, TR_EXECMAP_PREREAD, 1119 "execmap preread:freemem %d size %lu", 1120 freemem, len); 1121 (void) as_fault(p->p_as->a_hat, p->p_as, 1122 (caddr_t)addr, len, F_INVAL, S_READ); 1123 } 1124 } else { 1125 if (valid_usr_range(addr, len, prot, p->p_as, 1126 p->p_as->a_userlimit) != RANGE_OKAY) { 1127 error = ENOMEM; 1128 goto bad; 1129 } 1130 1131 if (error = as_map(p->p_as, addr, len, 1132 segvn_create, zfod_argsp)) 1133 goto bad; 1134 /* 1135 * Read in the segment in one big chunk. 1136 */ 1137 if (error = vn_rdwr(UIO_READ, vp, (caddr_t)oldaddr, 1138 oldlen, (offset_t)oldoffset, UIO_USERSPACE, 0, 1139 (rlim64_t)0, CRED(), (ssize_t *)0)) 1140 goto bad; 1141 /* 1142 * Now set protections. 1143 */ 1144 if (prot != PROT_ZFOD) { 1145 (void) as_setprot(p->p_as, (caddr_t)addr, 1146 len, prot); 1147 } 1148 } 1149 } 1150 1151 if (zfodlen) { 1152 struct as *as = curproc->p_as; 1153 struct seg *seg; 1154 uint_t zprot = 0; 1155 1156 end = (size_t)addr + len; 1157 zfodbase = (caddr_t)roundup(end, PAGESIZE); 1158 zfoddiff = (uintptr_t)zfodbase - end; 1159 if (zfoddiff) { 1160 /* 1161 * Before we go to zero the remaining space on the last 1162 * page, make sure we have write permission. 1163 */ 1164 1165 AS_LOCK_ENTER(as, &as->a_lock, RW_READER); 1166 seg = as_segat(curproc->p_as, (caddr_t)end); 1167 if (seg != NULL) 1168 SEGOP_GETPROT(seg, (caddr_t)end, zfoddiff - 1, 1169 &zprot); 1170 AS_LOCK_EXIT(as, &as->a_lock); 1171 1172 if (seg != NULL && (zprot & PROT_WRITE) == 0) { 1173 (void) as_setprot(as, (caddr_t)end, 1174 zfoddiff - 1, zprot | PROT_WRITE); 1175 } 1176 1177 if (on_fault(&ljb)) { 1178 no_fault(); 1179 if (seg != NULL && (zprot & PROT_WRITE) == 0) 1180 (void) as_setprot(as, (caddr_t)end, 1181 zfoddiff - 1, zprot); 1182 error = EFAULT; 1183 goto bad; 1184 } 1185 uzero((void *)end, zfoddiff); 1186 no_fault(); 1187 if (seg != NULL && (zprot & PROT_WRITE) == 0) 1188 (void) as_setprot(as, (caddr_t)end, 1189 zfoddiff - 1, zprot); 1190 } 1191 if (zfodlen > zfoddiff) { 1192 struct segvn_crargs crargs = 1193 SEGVN_ZFOD_ARGS(PROT_ZFOD, PROT_ALL); 1194 1195 zfodlen -= zfoddiff; 1196 if (valid_usr_range(zfodbase, zfodlen, prot, p->p_as, 1197 p->p_as->a_userlimit) != RANGE_OKAY) { 1198 error = ENOMEM; 1199 goto bad; 1200 } 1201 if (szc > 0) { 1202 /* 1203 * ASSERT alignment because the mapelfexec() 1204 * caller for the szc > 0 case extended zfod 1205 * so it's end is pgsz aligned. 1206 */ 1207 size_t pgsz = page_get_pagesize(szc); 1208 ASSERT(IS_P2ALIGNED(zfodbase + zfodlen, pgsz)); 1209 1210 if (IS_P2ALIGNED(zfodbase, pgsz)) { 1211 crargs.szc = szc; 1212 } else { 1213 crargs.szc = AS_MAP_HEAP; 1214 } 1215 } else { 1216 crargs.szc = AS_MAP_NO_LPOOB; 1217 } 1218 if (error = as_map(p->p_as, (caddr_t)zfodbase, 1219 zfodlen, segvn_create, &crargs)) 1220 goto bad; 1221 if (prot != PROT_ZFOD) { 1222 (void) as_setprot(p->p_as, (caddr_t)zfodbase, 1223 zfodlen, prot); 1224 } 1225 } 1226 } 1227 return (0); 1228 bad: 1229 return (error); 1230 } 1231 1232 void 1233 setexecenv(struct execenv *ep) 1234 { 1235 proc_t *p = ttoproc(curthread); 1236 klwp_t *lwp = ttolwp(curthread); 1237 struct vnode *vp; 1238 1239 p->p_bssbase = ep->ex_bssbase; 1240 p->p_brkbase = ep->ex_brkbase; 1241 p->p_brksize = ep->ex_brksize; 1242 if (p->p_exec) 1243 VN_RELE(p->p_exec); /* out with the old */ 1244 vp = p->p_exec = ep->ex_vp; 1245 if (vp != NULL) 1246 VN_HOLD(vp); /* in with the new */ 1247 1248 lwp->lwp_sigaltstack.ss_sp = 0; 1249 lwp->lwp_sigaltstack.ss_size = 0; 1250 lwp->lwp_sigaltstack.ss_flags = SS_DISABLE; 1251 } 1252 1253 int 1254 execopen(struct vnode **vpp, int *fdp) 1255 { 1256 struct vnode *vp = *vpp; 1257 file_t *fp; 1258 int error = 0; 1259 int filemode = FREAD; 1260 1261 VN_HOLD(vp); /* open reference */ 1262 if (error = falloc(NULL, filemode, &fp, fdp)) { 1263 VN_RELE(vp); 1264 *fdp = -1; /* just in case falloc changed value */ 1265 return (error); 1266 } 1267 if (error = VOP_OPEN(&vp, filemode, CRED(), NULL)) { 1268 VN_RELE(vp); 1269 setf(*fdp, NULL); 1270 unfalloc(fp); 1271 *fdp = -1; 1272 return (error); 1273 } 1274 *vpp = vp; /* vnode should not have changed */ 1275 fp->f_vnode = vp; 1276 mutex_exit(&fp->f_tlock); 1277 setf(*fdp, fp); 1278 return (0); 1279 } 1280 1281 int 1282 execclose(int fd) 1283 { 1284 return (closeandsetf(fd, NULL)); 1285 } 1286 1287 1288 /* 1289 * noexec stub function. 1290 */ 1291 /*ARGSUSED*/ 1292 int 1293 noexec( 1294 struct vnode *vp, 1295 struct execa *uap, 1296 struct uarg *args, 1297 struct intpdata *idatap, 1298 int level, 1299 long *execsz, 1300 int setid, 1301 caddr_t exec_file, 1302 struct cred *cred) 1303 { 1304 cmn_err(CE_WARN, "missing exec capability for %s", uap->fname); 1305 return (ENOEXEC); 1306 } 1307 1308 /* 1309 * Support routines for building a user stack. 1310 * 1311 * execve(path, argv, envp) must construct a new stack with the specified 1312 * arguments and environment variables (see exec_args() for a description 1313 * of the user stack layout). To do this, we copy the arguments and 1314 * environment variables from the old user address space into the kernel, 1315 * free the old as, create the new as, and copy our buffered information 1316 * to the new stack. Our kernel buffer has the following structure: 1317 * 1318 * +-----------------------+ <--- stk_base + stk_size 1319 * | string offsets | 1320 * +-----------------------+ <--- stk_offp 1321 * | | 1322 * | STK_AVAIL() space | 1323 * | | 1324 * +-----------------------+ <--- stk_strp 1325 * | strings | 1326 * +-----------------------+ <--- stk_base 1327 * 1328 * When we add a string, we store the string's contents (including the null 1329 * terminator) at stk_strp, and we store the offset of the string relative to 1330 * stk_base at --stk_offp. At strings are added, stk_strp increases and 1331 * stk_offp decreases. The amount of space remaining, STK_AVAIL(), is just 1332 * the difference between these pointers. If we run out of space, we return 1333 * an error and exec_args() starts all over again with a buffer twice as large. 1334 * When we're all done, the kernel buffer looks like this: 1335 * 1336 * +-----------------------+ <--- stk_base + stk_size 1337 * | argv[0] offset | 1338 * +-----------------------+ 1339 * | ... | 1340 * +-----------------------+ 1341 * | argv[argc-1] offset | 1342 * +-----------------------+ 1343 * | envp[0] offset | 1344 * +-----------------------+ 1345 * | ... | 1346 * +-----------------------+ 1347 * | envp[envc-1] offset | 1348 * +-----------------------+ 1349 * | AT_SUN_PLATFORM offset| 1350 * +-----------------------+ 1351 * | AT_SUN_EXECNAME offset| 1352 * +-----------------------+ <--- stk_offp 1353 * | | 1354 * | STK_AVAIL() space | 1355 * | | 1356 * +-----------------------+ <--- stk_strp 1357 * | AT_SUN_EXECNAME offset| 1358 * +-----------------------+ 1359 * | AT_SUN_PLATFORM offset| 1360 * +-----------------------+ 1361 * | envp[envc-1] string | 1362 * +-----------------------+ 1363 * | ... | 1364 * +-----------------------+ 1365 * | envp[0] string | 1366 * +-----------------------+ 1367 * | argv[argc-1] string | 1368 * +-----------------------+ 1369 * | ... | 1370 * +-----------------------+ 1371 * | argv[0] string | 1372 * +-----------------------+ <--- stk_base 1373 */ 1374 1375 #define STK_AVAIL(args) ((char *)(args)->stk_offp - (args)->stk_strp) 1376 1377 /* 1378 * Add a string to the stack. 1379 */ 1380 static int 1381 stk_add(uarg_t *args, const char *sp, enum uio_seg segflg) 1382 { 1383 int error; 1384 size_t len; 1385 1386 if (STK_AVAIL(args) < sizeof (int)) 1387 return (E2BIG); 1388 *--args->stk_offp = args->stk_strp - args->stk_base; 1389 1390 if (segflg == UIO_USERSPACE) { 1391 error = copyinstr(sp, args->stk_strp, STK_AVAIL(args), &len); 1392 if (error != 0) 1393 return (error); 1394 } else { 1395 len = strlen(sp) + 1; 1396 if (len > STK_AVAIL(args)) 1397 return (E2BIG); 1398 bcopy(sp, args->stk_strp, len); 1399 } 1400 1401 args->stk_strp += len; 1402 1403 return (0); 1404 } 1405 1406 static int 1407 stk_getptr(uarg_t *args, char *src, char **dst) 1408 { 1409 int error; 1410 1411 if (args->from_model == DATAMODEL_NATIVE) { 1412 ulong_t ptr; 1413 error = fulword(src, &ptr); 1414 *dst = (caddr_t)ptr; 1415 } else { 1416 uint32_t ptr; 1417 error = fuword32(src, &ptr); 1418 *dst = (caddr_t)(uintptr_t)ptr; 1419 } 1420 return (error); 1421 } 1422 1423 static int 1424 stk_putptr(uarg_t *args, char *addr, char *value) 1425 { 1426 if (args->to_model == DATAMODEL_NATIVE) 1427 return (sulword(addr, (ulong_t)value)); 1428 else 1429 return (suword32(addr, (uint32_t)(uintptr_t)value)); 1430 } 1431 1432 static int 1433 stk_copyin(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp) 1434 { 1435 char *sp; 1436 int argc, error; 1437 int argv_empty = 0; 1438 size_t ptrsize = args->from_ptrsize; 1439 size_t size, pad; 1440 char *argv = (char *)uap->argp; 1441 char *envp = (char *)uap->envp; 1442 1443 /* 1444 * Copy interpreter's name and argument to argv[0] and argv[1]. 1445 */ 1446 if (intp != NULL && intp->intp_name != NULL) { 1447 if ((error = stk_add(args, intp->intp_name, UIO_SYSSPACE)) != 0) 1448 return (error); 1449 if (intp->intp_arg != NULL && 1450 (error = stk_add(args, intp->intp_arg, UIO_SYSSPACE)) != 0) 1451 return (error); 1452 if (args->fname != NULL) 1453 error = stk_add(args, args->fname, UIO_SYSSPACE); 1454 else 1455 error = stk_add(args, uap->fname, UIO_USERSPACE); 1456 if (error) 1457 return (error); 1458 1459 /* 1460 * Check for an empty argv[]. 1461 */ 1462 if (stk_getptr(args, argv, &sp)) 1463 return (EFAULT); 1464 if (sp == NULL) 1465 argv_empty = 1; 1466 1467 argv += ptrsize; /* ignore original argv[0] */ 1468 } 1469 1470 if (argv_empty == 0) { 1471 /* 1472 * Add argv[] strings to the stack. 1473 */ 1474 for (;;) { 1475 if (stk_getptr(args, argv, &sp)) 1476 return (EFAULT); 1477 if (sp == NULL) 1478 break; 1479 if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0) 1480 return (error); 1481 argv += ptrsize; 1482 } 1483 } 1484 argc = (int *)(args->stk_base + args->stk_size) - args->stk_offp; 1485 args->arglen = args->stk_strp - args->stk_base; 1486 1487 /* 1488 * Add environ[] strings to the stack. 1489 */ 1490 if (envp != NULL) { 1491 for (;;) { 1492 if (stk_getptr(args, envp, &sp)) 1493 return (EFAULT); 1494 if (sp == NULL) 1495 break; 1496 if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0) 1497 return (error); 1498 envp += ptrsize; 1499 } 1500 } 1501 args->na = (int *)(args->stk_base + args->stk_size) - args->stk_offp; 1502 args->ne = args->na - argc; 1503 1504 /* 1505 * Add AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME, and 1506 * AT_SUN_EMULATOR strings to the stack. 1507 */ 1508 if (auxvpp != NULL && *auxvpp != NULL) { 1509 if ((error = stk_add(args, platform, UIO_SYSSPACE)) != 0) 1510 return (error); 1511 if ((error = stk_add(args, args->pathname, UIO_SYSSPACE)) != 0) 1512 return (error); 1513 if (args->brandname != NULL && 1514 (error = stk_add(args, args->brandname, UIO_SYSSPACE)) != 0) 1515 return (error); 1516 if (args->emulator != NULL && 1517 (error = stk_add(args, args->emulator, UIO_SYSSPACE)) != 0) 1518 return (error); 1519 } 1520 1521 /* 1522 * Compute the size of the stack. This includes all the pointers, 1523 * the space reserved for the aux vector, and all the strings. 1524 * The total number of pointers is args->na (which is argc + envc) 1525 * plus 4 more: (1) a pointer's worth of space for argc; (2) the NULL 1526 * after the last argument (i.e. argv[argc]); (3) the NULL after the 1527 * last environment variable (i.e. envp[envc]); and (4) the NULL after 1528 * all the strings, at the very top of the stack. 1529 */ 1530 size = (args->na + 4) * args->to_ptrsize + args->auxsize + 1531 (args->stk_strp - args->stk_base); 1532 1533 /* 1534 * Pad the string section with zeroes to align the stack size. 1535 */ 1536 pad = P2NPHASE(size, args->stk_align); 1537 1538 if (STK_AVAIL(args) < pad) 1539 return (E2BIG); 1540 1541 args->usrstack_size = size + pad; 1542 1543 while (pad-- != 0) 1544 *args->stk_strp++ = 0; 1545 1546 args->nc = args->stk_strp - args->stk_base; 1547 1548 return (0); 1549 } 1550 1551 static int 1552 stk_copyout(uarg_t *args, char *usrstack, void **auxvpp, user_t *up) 1553 { 1554 size_t ptrsize = args->to_ptrsize; 1555 ssize_t pslen; 1556 char *kstrp = args->stk_base; 1557 char *ustrp = usrstack - args->nc - ptrsize; 1558 char *usp = usrstack - args->usrstack_size; 1559 int *offp = (int *)(args->stk_base + args->stk_size); 1560 int envc = args->ne; 1561 int argc = args->na - envc; 1562 int i; 1563 1564 /* 1565 * Record argc for /proc. 1566 */ 1567 up->u_argc = argc; 1568 1569 /* 1570 * Put argc on the stack. Note that even though it's an int, 1571 * it always consumes ptrsize bytes (for alignment). 1572 */ 1573 if (stk_putptr(args, usp, (char *)(uintptr_t)argc)) 1574 return (-1); 1575 1576 /* 1577 * Add argc space (ptrsize) to usp and record argv for /proc. 1578 */ 1579 up->u_argv = (uintptr_t)(usp += ptrsize); 1580 1581 /* 1582 * Put the argv[] pointers on the stack. 1583 */ 1584 for (i = 0; i < argc; i++, usp += ptrsize) 1585 if (stk_putptr(args, usp, &ustrp[*--offp])) 1586 return (-1); 1587 1588 /* 1589 * Copy arguments to u_psargs. 1590 */ 1591 pslen = MIN(args->arglen, PSARGSZ) - 1; 1592 for (i = 0; i < pslen; i++) 1593 up->u_psargs[i] = (kstrp[i] == '\0' ? ' ' : kstrp[i]); 1594 while (i < PSARGSZ) 1595 up->u_psargs[i++] = '\0'; 1596 1597 /* 1598 * Add space for argv[]'s NULL terminator (ptrsize) to usp and 1599 * record envp for /proc. 1600 */ 1601 up->u_envp = (uintptr_t)(usp += ptrsize); 1602 1603 /* 1604 * Put the envp[] pointers on the stack. 1605 */ 1606 for (i = 0; i < envc; i++, usp += ptrsize) 1607 if (stk_putptr(args, usp, &ustrp[*--offp])) 1608 return (-1); 1609 1610 /* 1611 * Add space for envp[]'s NULL terminator (ptrsize) to usp and 1612 * remember where the stack ends, which is also where auxv begins. 1613 */ 1614 args->stackend = usp += ptrsize; 1615 1616 /* 1617 * Put all the argv[], envp[], and auxv strings on the stack. 1618 */ 1619 if (copyout(args->stk_base, ustrp, args->nc)) 1620 return (-1); 1621 1622 /* 1623 * Fill in the aux vector now that we know the user stack addresses 1624 * for the AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME and 1625 * AT_SUN_EMULATOR strings. 1626 */ 1627 if (auxvpp != NULL && *auxvpp != NULL) { 1628 if (args->to_model == DATAMODEL_NATIVE) { 1629 auxv_t **a = (auxv_t **)auxvpp; 1630 ADDAUX(*a, AT_SUN_PLATFORM, (long)&ustrp[*--offp]) 1631 ADDAUX(*a, AT_SUN_EXECNAME, (long)&ustrp[*--offp]) 1632 if (args->brandname != NULL) 1633 ADDAUX(*a, 1634 AT_SUN_BRANDNAME, (long)&ustrp[*--offp]) 1635 if (args->emulator != NULL) 1636 ADDAUX(*a, 1637 AT_SUN_EMULATOR, (long)&ustrp[*--offp]) 1638 } else { 1639 auxv32_t **a = (auxv32_t **)auxvpp; 1640 ADDAUX(*a, 1641 AT_SUN_PLATFORM, (int)(uintptr_t)&ustrp[*--offp]) 1642 ADDAUX(*a, 1643 AT_SUN_EXECNAME, (int)(uintptr_t)&ustrp[*--offp]) 1644 if (args->brandname != NULL) 1645 ADDAUX(*a, AT_SUN_BRANDNAME, 1646 (int)(uintptr_t)&ustrp[*--offp]) 1647 if (args->emulator != NULL) 1648 ADDAUX(*a, AT_SUN_EMULATOR, 1649 (int)(uintptr_t)&ustrp[*--offp]) 1650 } 1651 } 1652 1653 return (0); 1654 } 1655 1656 /* 1657 * Initialize a new user stack with the specified arguments and environment. 1658 * The initial user stack layout is as follows: 1659 * 1660 * User Stack 1661 * +---------------+ <--- curproc->p_usrstack 1662 * | | 1663 * | slew | 1664 * | | 1665 * +---------------+ 1666 * | NULL | 1667 * +---------------+ 1668 * | | 1669 * | auxv strings | 1670 * | | 1671 * +---------------+ 1672 * | | 1673 * | envp strings | 1674 * | | 1675 * +---------------+ 1676 * | | 1677 * | argv strings | 1678 * | | 1679 * +---------------+ <--- ustrp 1680 * | | 1681 * | aux vector | 1682 * | | 1683 * +---------------+ <--- auxv 1684 * | NULL | 1685 * +---------------+ 1686 * | envp[envc-1] | 1687 * +---------------+ 1688 * | ... | 1689 * +---------------+ 1690 * | envp[0] | 1691 * +---------------+ <--- envp[] 1692 * | NULL | 1693 * +---------------+ 1694 * | argv[argc-1] | 1695 * +---------------+ 1696 * | ... | 1697 * +---------------+ 1698 * | argv[0] | 1699 * +---------------+ <--- argv[] 1700 * | argc | 1701 * +---------------+ <--- stack base 1702 */ 1703 int 1704 exec_args(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp) 1705 { 1706 size_t size; 1707 int error; 1708 proc_t *p = ttoproc(curthread); 1709 user_t *up = PTOU(p); 1710 char *usrstack; 1711 rctl_entity_p_t e; 1712 struct as *as; 1713 extern int use_stk_lpg; 1714 size_t sp_slew; 1715 1716 args->from_model = p->p_model; 1717 if (p->p_model == DATAMODEL_NATIVE) { 1718 args->from_ptrsize = sizeof (long); 1719 } else { 1720 args->from_ptrsize = sizeof (int32_t); 1721 } 1722 1723 if (args->to_model == DATAMODEL_NATIVE) { 1724 args->to_ptrsize = sizeof (long); 1725 args->ncargs = NCARGS; 1726 args->stk_align = STACK_ALIGN; 1727 if (args->addr32) 1728 usrstack = (char *)USRSTACK64_32; 1729 else 1730 usrstack = (char *)USRSTACK; 1731 } else { 1732 args->to_ptrsize = sizeof (int32_t); 1733 args->ncargs = NCARGS32; 1734 args->stk_align = STACK_ALIGN32; 1735 usrstack = (char *)USRSTACK32; 1736 } 1737 1738 ASSERT(P2PHASE((uintptr_t)usrstack, args->stk_align) == 0); 1739 1740 #if defined(__sparc) 1741 /* 1742 * Make sure user register windows are empty before 1743 * attempting to make a new stack. 1744 */ 1745 (void) flush_user_windows_to_stack(NULL); 1746 #endif 1747 1748 for (size = PAGESIZE; ; size *= 2) { 1749 args->stk_size = size; 1750 args->stk_base = kmem_alloc(size, KM_SLEEP); 1751 args->stk_strp = args->stk_base; 1752 args->stk_offp = (int *)(args->stk_base + size); 1753 error = stk_copyin(uap, args, intp, auxvpp); 1754 if (error == 0) 1755 break; 1756 kmem_free(args->stk_base, size); 1757 if (error != E2BIG && error != ENAMETOOLONG) 1758 return (error); 1759 if (size >= args->ncargs) 1760 return (E2BIG); 1761 } 1762 1763 size = args->usrstack_size; 1764 1765 ASSERT(error == 0); 1766 ASSERT(P2PHASE(size, args->stk_align) == 0); 1767 ASSERT((ssize_t)STK_AVAIL(args) >= 0); 1768 1769 if (size > args->ncargs) { 1770 kmem_free(args->stk_base, args->stk_size); 1771 return (E2BIG); 1772 } 1773 1774 /* 1775 * Leave only the current lwp and force the other lwps to exit. 1776 * If another lwp beat us to the punch by calling exit(), bail out. 1777 */ 1778 if ((error = exitlwps(0)) != 0) { 1779 kmem_free(args->stk_base, args->stk_size); 1780 return (error); 1781 } 1782 1783 /* 1784 * Revoke any doors created by the process. 1785 */ 1786 if (p->p_door_list) 1787 door_exit(); 1788 1789 /* 1790 * Release schedctl data structures. 1791 */ 1792 if (p->p_pagep) 1793 schedctl_proc_cleanup(); 1794 1795 /* 1796 * Clean up any DTrace helpers for the process. 1797 */ 1798 if (p->p_dtrace_helpers != NULL) { 1799 ASSERT(dtrace_helpers_cleanup != NULL); 1800 (*dtrace_helpers_cleanup)(); 1801 } 1802 1803 mutex_enter(&p->p_lock); 1804 /* 1805 * Cleanup the DTrace provider associated with this process. 1806 */ 1807 if (p->p_dtrace_probes) { 1808 ASSERT(dtrace_fasttrap_exec_ptr != NULL); 1809 dtrace_fasttrap_exec_ptr(p); 1810 } 1811 mutex_exit(&p->p_lock); 1812 1813 /* 1814 * discard the lwpchan cache. 1815 */ 1816 if (p->p_lcp != NULL) 1817 lwpchan_destroy_cache(1); 1818 1819 /* 1820 * Delete the POSIX timers. 1821 */ 1822 if (p->p_itimer != NULL) 1823 timer_exit(); 1824 1825 /* 1826 * Delete the ITIMER_REALPROF interval timer. 1827 * The other ITIMER_* interval timers are specified 1828 * to be inherited across exec(). 1829 */ 1830 delete_itimer_realprof(); 1831 1832 if (audit_active) 1833 audit_exec(args->stk_base, args->stk_base + args->arglen, 1834 args->na - args->ne, args->ne); 1835 1836 /* 1837 * Ensure that we don't change resource associations while we 1838 * change address spaces. 1839 */ 1840 mutex_enter(&p->p_lock); 1841 pool_barrier_enter(); 1842 mutex_exit(&p->p_lock); 1843 1844 /* 1845 * Destroy the old address space and create a new one. 1846 * From here on, any errors are fatal to the exec()ing process. 1847 * On error we return -1, which means the caller must SIGKILL 1848 * the process. 1849 */ 1850 relvm(); 1851 1852 mutex_enter(&p->p_lock); 1853 pool_barrier_exit(); 1854 mutex_exit(&p->p_lock); 1855 1856 up->u_execsw = args->execswp; 1857 1858 p->p_brkbase = NULL; 1859 p->p_brksize = 0; 1860 p->p_brkpageszc = 0; 1861 p->p_stksize = 0; 1862 p->p_stkpageszc = 0; 1863 p->p_model = args->to_model; 1864 p->p_usrstack = usrstack; 1865 p->p_stkprot = args->stk_prot; 1866 p->p_datprot = args->dat_prot; 1867 1868 /* 1869 * Reset resource controls such that all controls are again active as 1870 * well as appropriate to the potentially new address model for the 1871 * process. 1872 */ 1873 e.rcep_p.proc = p; 1874 e.rcep_t = RCENTITY_PROCESS; 1875 rctl_set_reset(p->p_rctls, p, &e); 1876 1877 /* Too early to call map_pgsz for the heap */ 1878 if (use_stk_lpg) { 1879 p->p_stkpageszc = page_szc(map_pgsz(MAPPGSZ_STK, p, 0, 0, 0)); 1880 } 1881 1882 mutex_enter(&p->p_lock); 1883 p->p_flag |= SAUTOLPG; /* kernel controls page sizes */ 1884 mutex_exit(&p->p_lock); 1885 1886 /* 1887 * Some platforms may choose to randomize real stack start by adding a 1888 * small slew (not more than a few hundred bytes) to the top of the 1889 * stack. This helps avoid cache thrashing when identical processes 1890 * simultaneously share caches that don't provide enough associativity 1891 * (e.g. sun4v systems). In this case stack slewing makes the same hot 1892 * stack variables in different processes to live in different cache 1893 * sets increasing effective associativity. 1894 */ 1895 sp_slew = exec_get_spslew(); 1896 ASSERT(P2PHASE(sp_slew, args->stk_align) == 0); 1897 exec_set_sp(size + sp_slew); 1898 1899 as = as_alloc(); 1900 p->p_as = as; 1901 as->a_proc = p; 1902 if (p->p_model == DATAMODEL_ILP32 || args->addr32) 1903 as->a_userlimit = (caddr_t)USERLIMIT32; 1904 (void) hat_setup(as->a_hat, HAT_ALLOC); 1905 hat_join_srd(as->a_hat, args->ex_vp); 1906 1907 /* 1908 * Finally, write out the contents of the new stack. 1909 */ 1910 error = stk_copyout(args, usrstack - sp_slew, auxvpp, up); 1911 kmem_free(args->stk_base, args->stk_size); 1912 return (error); 1913 } 1914