1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright (c) 1988, 2010, Oracle and/or its affiliates. All rights reserved. 24 */ 25 26 /* Copyright (c) 1988 AT&T */ 27 /* All Rights Reserved */ 28 /* 29 * Copyright 2016 Joyent, Inc. 30 */ 31 32 #include <sys/types.h> 33 #include <sys/param.h> 34 #include <sys/sysmacros.h> 35 #include <sys/systm.h> 36 #include <sys/signal.h> 37 #include <sys/cred_impl.h> 38 #include <sys/policy.h> 39 #include <sys/user.h> 40 #include <sys/errno.h> 41 #include <sys/file.h> 42 #include <sys/vfs.h> 43 #include <sys/vnode.h> 44 #include <sys/mman.h> 45 #include <sys/acct.h> 46 #include <sys/cpuvar.h> 47 #include <sys/proc.h> 48 #include <sys/cmn_err.h> 49 #include <sys/debug.h> 50 #include <sys/pathname.h> 51 #include <sys/vm.h> 52 #include <sys/lgrp.h> 53 #include <sys/vtrace.h> 54 #include <sys/exec.h> 55 #include <sys/exechdr.h> 56 #include <sys/kmem.h> 57 #include <sys/prsystm.h> 58 #include <sys/modctl.h> 59 #include <sys/vmparam.h> 60 #include <sys/door.h> 61 #include <sys/schedctl.h> 62 #include <sys/utrap.h> 63 #include <sys/systeminfo.h> 64 #include <sys/stack.h> 65 #include <sys/rctl.h> 66 #include <sys/dtrace.h> 67 #include <sys/lwpchan_impl.h> 68 #include <sys/pool.h> 69 #include <sys/sdt.h> 70 #include <sys/brand.h> 71 #include <sys/klpd.h> 72 #include <sys/random.h> 73 74 #include <c2/audit.h> 75 76 #include <vm/hat.h> 77 #include <vm/anon.h> 78 #include <vm/as.h> 79 #include <vm/seg.h> 80 #include <vm/seg_vn.h> 81 82 #define PRIV_RESET 0x01 /* needs to reset privs */ 83 #define PRIV_SETID 0x02 /* needs to change uids */ 84 #define PRIV_SETUGID 0x04 /* is setuid/setgid/forced privs */ 85 #define PRIV_INCREASE 0x08 /* child runs with more privs */ 86 #define MAC_FLAGS 0x10 /* need to adjust MAC flags */ 87 #define PRIV_FORCED 0x20 /* has forced privileges */ 88 89 static int execsetid(struct vnode *, struct vattr *, uid_t *, uid_t *, 90 priv_set_t *, cred_t *, const char *); 91 static int hold_execsw(struct execsw *); 92 93 uint_t auxv_hwcap = 0; /* auxv AT_SUN_HWCAP value; determined on the fly */ 94 uint_t auxv_hwcap_2 = 0; /* AT_SUN_HWCAP2 */ 95 #if defined(_SYSCALL32_IMPL) 96 uint_t auxv_hwcap32 = 0; /* 32-bit version of auxv_hwcap */ 97 uint_t auxv_hwcap32_2 = 0; /* 32-bit version of auxv_hwcap2 */ 98 #endif 99 100 #define PSUIDFLAGS (SNOCD|SUGID) 101 102 /* 103 * These are consumed within the specific exec modules, but are defined here 104 * because 105 * 106 * 1) The exec modules are unloadable, which would make this near useless. 107 * 108 * 2) We want them to be common across all of them, should more than ELF come 109 * to support them. 110 * 111 * All must be powers of 2. 112 */ 113 size_t aslr_max_brk_skew = 16 * 1024 * 1024; /* 16MB */ 114 #pragma weak exec_stackgap = aslr_max_stack_skew /* Old, compatible name */ 115 size_t aslr_max_stack_skew = 64 * 1024; /* 64KB */ 116 117 /* 118 * exece() - system call wrapper around exec_common() 119 */ 120 int 121 exece(const char *fname, const char **argp, const char **envp) 122 { 123 int error; 124 125 error = exec_common(fname, argp, envp, EBA_NONE); 126 return (error ? (set_errno(error)) : 0); 127 } 128 129 int 130 exec_common(const char *fname, const char **argp, const char **envp, 131 int brand_action) 132 { 133 vnode_t *vp = NULL, *dir = NULL, *tmpvp = NULL; 134 proc_t *p = ttoproc(curthread); 135 klwp_t *lwp = ttolwp(curthread); 136 struct user *up = PTOU(p); 137 long execsz; /* temporary count of exec size */ 138 int i; 139 int error; 140 char exec_file[MAXCOMLEN+1]; 141 struct pathname pn; 142 struct pathname resolvepn; 143 struct uarg args; 144 struct execa ua; 145 k_sigset_t savedmask; 146 lwpdir_t *lwpdir = NULL; 147 tidhash_t *tidhash; 148 lwpdir_t *old_lwpdir = NULL; 149 uint_t old_lwpdir_sz; 150 tidhash_t *old_tidhash; 151 uint_t old_tidhash_sz; 152 ret_tidhash_t *ret_tidhash; 153 lwpent_t *lep; 154 boolean_t brandme = B_FALSE; 155 156 /* 157 * exec() is not supported for the /proc agent lwp. 158 */ 159 if (curthread == p->p_agenttp) 160 return (ENOTSUP); 161 162 if (brand_action != EBA_NONE) { 163 /* 164 * Brand actions are not supported for processes that are not 165 * running in a branded zone. 166 */ 167 if (!ZONE_IS_BRANDED(p->p_zone)) 168 return (ENOTSUP); 169 170 if (brand_action == EBA_NATIVE) { 171 /* Only branded processes can be unbranded */ 172 if (!PROC_IS_BRANDED(p)) 173 return (ENOTSUP); 174 } else { 175 /* Only unbranded processes can be branded */ 176 if (PROC_IS_BRANDED(p)) 177 return (ENOTSUP); 178 brandme = B_TRUE; 179 } 180 } else { 181 /* 182 * If this is a native zone, or if the process is already 183 * branded, then we don't need to do anything. If this is 184 * a native process in a branded zone, we need to brand the 185 * process as it exec()s the new binary. 186 */ 187 if (ZONE_IS_BRANDED(p->p_zone) && !PROC_IS_BRANDED(p)) 188 brandme = B_TRUE; 189 } 190 191 /* 192 * Inform /proc that an exec() has started. 193 * Hold signals that are ignored by default so that we will 194 * not be interrupted by a signal that will be ignored after 195 * successful completion of gexec(). 196 */ 197 mutex_enter(&p->p_lock); 198 prexecstart(); 199 schedctl_finish_sigblock(curthread); 200 savedmask = curthread->t_hold; 201 sigorset(&curthread->t_hold, &ignoredefault); 202 mutex_exit(&p->p_lock); 203 204 /* 205 * Look up path name and remember last component for later. 206 * To help coreadm expand its %d token, we attempt to save 207 * the directory containing the executable in p_execdir. The 208 * first call to lookuppn() may fail and return EINVAL because 209 * dirvpp is non-NULL. In that case, we make a second call to 210 * lookuppn() with dirvpp set to NULL; p_execdir will be NULL, 211 * but coreadm is allowed to expand %d to the empty string and 212 * there are other cases in which that failure may occur. 213 */ 214 if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0) 215 goto out; 216 pn_alloc(&resolvepn); 217 if ((error = lookuppn(&pn, &resolvepn, FOLLOW, &dir, &vp)) != 0) { 218 pn_free(&resolvepn); 219 pn_free(&pn); 220 if (error != EINVAL) 221 goto out; 222 223 dir = NULL; 224 if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0) 225 goto out; 226 pn_alloc(&resolvepn); 227 if ((error = lookuppn(&pn, &resolvepn, FOLLOW, NULLVPP, 228 &vp)) != 0) { 229 pn_free(&resolvepn); 230 pn_free(&pn); 231 goto out; 232 } 233 } 234 if (vp == NULL) { 235 if (dir != NULL) 236 VN_RELE(dir); 237 error = ENOENT; 238 pn_free(&resolvepn); 239 pn_free(&pn); 240 goto out; 241 } 242 243 if ((error = secpolicy_basic_exec(CRED(), vp)) != 0) { 244 if (dir != NULL) 245 VN_RELE(dir); 246 pn_free(&resolvepn); 247 pn_free(&pn); 248 VN_RELE(vp); 249 goto out; 250 } 251 252 /* 253 * We do not allow executing files in attribute directories. 254 * We test this by determining whether the resolved path 255 * contains a "/" when we're in an attribute directory; 256 * only if the pathname does not contain a "/" the resolved path 257 * points to a file in the current working (attribute) directory. 258 */ 259 if ((p->p_user.u_cdir->v_flag & V_XATTRDIR) != 0 && 260 strchr(resolvepn.pn_path, '/') == NULL) { 261 if (dir != NULL) 262 VN_RELE(dir); 263 error = EACCES; 264 pn_free(&resolvepn); 265 pn_free(&pn); 266 VN_RELE(vp); 267 goto out; 268 } 269 270 bzero(exec_file, MAXCOMLEN+1); 271 (void) strncpy(exec_file, pn.pn_path, MAXCOMLEN); 272 bzero(&args, sizeof (args)); 273 args.pathname = resolvepn.pn_path; 274 /* don't free resolvepn until we are done with args */ 275 pn_free(&pn); 276 277 /* 278 * If we're running in a profile shell, then call pfexecd. 279 */ 280 if ((CR_FLAGS(p->p_cred) & PRIV_PFEXEC) != 0) { 281 error = pfexec_call(p->p_cred, &resolvepn, &args.pfcred, 282 &args.scrubenv); 283 284 /* Returning errno in case we're not allowed to execute. */ 285 if (error > 0) { 286 if (dir != NULL) 287 VN_RELE(dir); 288 pn_free(&resolvepn); 289 VN_RELE(vp); 290 goto out; 291 } 292 293 /* Don't change the credentials when using old ptrace. */ 294 if (args.pfcred != NULL && 295 (p->p_proc_flag & P_PR_PTRACE) != 0) { 296 crfree(args.pfcred); 297 args.pfcred = NULL; 298 args.scrubenv = B_FALSE; 299 } 300 } 301 302 /* 303 * Specific exec handlers, or policies determined via 304 * /etc/system may override the historical default. 305 */ 306 args.stk_prot = PROT_ZFOD; 307 args.dat_prot = PROT_ZFOD; 308 309 CPU_STATS_ADD_K(sys, sysexec, 1); 310 DTRACE_PROC1(exec, char *, args.pathname); 311 312 ua.fname = fname; 313 ua.argp = argp; 314 ua.envp = envp; 315 316 /* If necessary, brand this process before we start the exec. */ 317 if (brandme) 318 brand_setbrand(p); 319 320 if ((error = gexec(&vp, &ua, &args, NULL, 0, &execsz, 321 exec_file, p->p_cred, brand_action)) != 0) { 322 if (brandme) 323 brand_clearbrand(p, B_FALSE); 324 VN_RELE(vp); 325 if (dir != NULL) 326 VN_RELE(dir); 327 pn_free(&resolvepn); 328 goto fail; 329 } 330 331 /* 332 * Free floating point registers (sun4u only) 333 */ 334 ASSERT(lwp != NULL); 335 lwp_freeregs(lwp, 1); 336 337 /* 338 * Free thread and process context ops. 339 */ 340 if (curthread->t_ctx) 341 freectx(curthread, 1); 342 if (p->p_pctx) 343 freepctx(p, 1); 344 345 /* 346 * Remember file name for accounting; clear any cached DTrace predicate. 347 */ 348 up->u_acflag &= ~AFORK; 349 bcopy(exec_file, up->u_comm, MAXCOMLEN+1); 350 curthread->t_predcache = NULL; 351 352 /* 353 * Clear contract template state 354 */ 355 lwp_ctmpl_clear(lwp); 356 357 /* 358 * Save the directory in which we found the executable for expanding 359 * the %d token used in core file patterns. 360 */ 361 mutex_enter(&p->p_lock); 362 tmpvp = p->p_execdir; 363 p->p_execdir = dir; 364 if (p->p_execdir != NULL) 365 VN_HOLD(p->p_execdir); 366 mutex_exit(&p->p_lock); 367 368 if (tmpvp != NULL) 369 VN_RELE(tmpvp); 370 371 /* 372 * Reset stack state to the user stack, clear set of signals 373 * caught on the signal stack, and reset list of signals that 374 * restart system calls; the new program's environment should 375 * not be affected by detritus from the old program. Any 376 * pending held signals remain held, so don't clear t_hold. 377 */ 378 mutex_enter(&p->p_lock); 379 lwp->lwp_oldcontext = 0; 380 lwp->lwp_ustack = 0; 381 lwp->lwp_old_stk_ctl = 0; 382 sigemptyset(&up->u_signodefer); 383 sigemptyset(&up->u_sigonstack); 384 sigemptyset(&up->u_sigresethand); 385 lwp->lwp_sigaltstack.ss_sp = 0; 386 lwp->lwp_sigaltstack.ss_size = 0; 387 lwp->lwp_sigaltstack.ss_flags = SS_DISABLE; 388 389 /* 390 * Make saved resource limit == current resource limit. 391 */ 392 for (i = 0; i < RLIM_NLIMITS; i++) { 393 /*CONSTCOND*/ 394 if (RLIM_SAVED(i)) { 395 (void) rctl_rlimit_get(rctlproc_legacy[i], p, 396 &up->u_saved_rlimit[i]); 397 } 398 } 399 400 /* 401 * If the action was to catch the signal, then the action 402 * must be reset to SIG_DFL. 403 */ 404 sigdefault(p); 405 p->p_flag &= ~(SNOWAIT|SJCTL); 406 p->p_flag |= (SEXECED|SMSACCT|SMSFORK); 407 up->u_signal[SIGCLD - 1] = SIG_DFL; 408 409 /* 410 * Delete the dot4 sigqueues/signotifies. 411 */ 412 sigqfree(p); 413 414 mutex_exit(&p->p_lock); 415 416 mutex_enter(&p->p_pflock); 417 p->p_prof.pr_base = NULL; 418 p->p_prof.pr_size = 0; 419 p->p_prof.pr_off = 0; 420 p->p_prof.pr_scale = 0; 421 p->p_prof.pr_samples = 0; 422 mutex_exit(&p->p_pflock); 423 424 ASSERT(curthread->t_schedctl == NULL); 425 426 #if defined(__sparc) 427 if (p->p_utraps != NULL) 428 utrap_free(p); 429 #endif /* __sparc */ 430 431 /* 432 * Close all close-on-exec files. 433 */ 434 close_exec(P_FINFO(p)); 435 TRACE_2(TR_FAC_PROC, TR_PROC_EXEC, "proc_exec:p %p up %p", p, up); 436 437 /* Unbrand ourself if necessary. */ 438 if (PROC_IS_BRANDED(p) && (brand_action == EBA_NATIVE)) 439 brand_clearbrand(p, B_FALSE); 440 441 setregs(&args); 442 443 /* Mark this as an executable vnode */ 444 mutex_enter(&vp->v_lock); 445 vp->v_flag |= VVMEXEC; 446 mutex_exit(&vp->v_lock); 447 448 VN_RELE(vp); 449 if (dir != NULL) 450 VN_RELE(dir); 451 pn_free(&resolvepn); 452 453 /* 454 * Allocate a new lwp directory and lwpid hash table if necessary. 455 */ 456 if (curthread->t_tid != 1 || p->p_lwpdir_sz != 2) { 457 lwpdir = kmem_zalloc(2 * sizeof (lwpdir_t), KM_SLEEP); 458 lwpdir->ld_next = lwpdir + 1; 459 tidhash = kmem_zalloc(2 * sizeof (tidhash_t), KM_SLEEP); 460 if (p->p_lwpdir != NULL) 461 lep = p->p_lwpdir[curthread->t_dslot].ld_entry; 462 else 463 lep = kmem_zalloc(sizeof (*lep), KM_SLEEP); 464 } 465 466 if (PROC_IS_BRANDED(p)) 467 BROP(p)->b_exec(); 468 469 mutex_enter(&p->p_lock); 470 prbarrier(p); 471 472 /* 473 * Reset lwp id to the default value of 1. 474 * This is a single-threaded process now 475 * and lwp #1 is lwp_wait()able by default. 476 * The t_unpark flag should not be inherited. 477 */ 478 ASSERT(p->p_lwpcnt == 1 && p->p_zombcnt == 0); 479 curthread->t_tid = 1; 480 kpreempt_disable(); 481 ASSERT(curthread->t_lpl != NULL); 482 p->p_t1_lgrpid = curthread->t_lpl->lpl_lgrpid; 483 kpreempt_enable(); 484 if (p->p_tr_lgrpid != LGRP_NONE && p->p_tr_lgrpid != p->p_t1_lgrpid) { 485 lgrp_update_trthr_migrations(1); 486 } 487 curthread->t_unpark = 0; 488 curthread->t_proc_flag |= TP_TWAIT; 489 curthread->t_proc_flag &= ~TP_DAEMON; /* daemons shouldn't exec */ 490 p->p_lwpdaemon = 0; /* but oh well ... */ 491 p->p_lwpid = 1; 492 493 /* 494 * Install the newly-allocated lwp directory and lwpid hash table 495 * and insert the current thread into the new hash table. 496 */ 497 if (lwpdir != NULL) { 498 old_lwpdir = p->p_lwpdir; 499 old_lwpdir_sz = p->p_lwpdir_sz; 500 old_tidhash = p->p_tidhash; 501 old_tidhash_sz = p->p_tidhash_sz; 502 p->p_lwpdir = p->p_lwpfree = lwpdir; 503 p->p_lwpdir_sz = 2; 504 lep->le_thread = curthread; 505 lep->le_lwpid = curthread->t_tid; 506 lep->le_start = curthread->t_start; 507 lwp_hash_in(p, lep, tidhash, 2, 0); 508 p->p_tidhash = tidhash; 509 p->p_tidhash_sz = 2; 510 } 511 ret_tidhash = p->p_ret_tidhash; 512 p->p_ret_tidhash = NULL; 513 514 /* 515 * Restore the saved signal mask and 516 * inform /proc that the exec() has finished. 517 */ 518 curthread->t_hold = savedmask; 519 prexecend(); 520 mutex_exit(&p->p_lock); 521 if (old_lwpdir) { 522 kmem_free(old_lwpdir, old_lwpdir_sz * sizeof (lwpdir_t)); 523 kmem_free(old_tidhash, old_tidhash_sz * sizeof (tidhash_t)); 524 } 525 while (ret_tidhash != NULL) { 526 ret_tidhash_t *next = ret_tidhash->rth_next; 527 kmem_free(ret_tidhash->rth_tidhash, 528 ret_tidhash->rth_tidhash_sz * sizeof (tidhash_t)); 529 kmem_free(ret_tidhash, sizeof (*ret_tidhash)); 530 ret_tidhash = next; 531 } 532 533 ASSERT(error == 0); 534 DTRACE_PROC(exec__success); 535 return (0); 536 537 fail: 538 DTRACE_PROC1(exec__failure, int, error); 539 out: /* error return */ 540 mutex_enter(&p->p_lock); 541 curthread->t_hold = savedmask; 542 prexecend(); 543 mutex_exit(&p->p_lock); 544 ASSERT(error != 0); 545 return (error); 546 } 547 548 549 /* 550 * Perform generic exec duties and switchout to object-file specific 551 * handler. 552 */ 553 int 554 gexec( 555 struct vnode **vpp, 556 struct execa *uap, 557 struct uarg *args, 558 struct intpdata *idatap, 559 int level, 560 long *execsz, 561 caddr_t exec_file, 562 struct cred *cred, 563 int brand_action) 564 { 565 struct vnode *vp, *execvp = NULL; 566 proc_t *pp = ttoproc(curthread); 567 struct execsw *eswp; 568 int error = 0; 569 int suidflags = 0; 570 ssize_t resid; 571 uid_t uid, gid; 572 struct vattr vattr; 573 char magbuf[MAGIC_BYTES]; 574 int setid; 575 cred_t *oldcred, *newcred = NULL; 576 int privflags = 0; 577 int setidfl; 578 priv_set_t fset; 579 secflagset_t old_secflags; 580 581 secflags_copy(&old_secflags, &pp->p_secflags.psf_effective); 582 583 /* 584 * If the SNOCD or SUGID flag is set, turn it off and remember the 585 * previous setting so we can restore it if we encounter an error. 586 */ 587 if (level == 0 && (pp->p_flag & PSUIDFLAGS)) { 588 mutex_enter(&pp->p_lock); 589 suidflags = pp->p_flag & PSUIDFLAGS; 590 pp->p_flag &= ~PSUIDFLAGS; 591 mutex_exit(&pp->p_lock); 592 } 593 594 if ((error = execpermissions(*vpp, &vattr, args)) != 0) 595 goto bad_noclose; 596 597 /* need to open vnode for stateful file systems */ 598 if ((error = VOP_OPEN(vpp, FREAD, CRED(), NULL)) != 0) 599 goto bad_noclose; 600 vp = *vpp; 601 602 /* 603 * Note: to support binary compatibility with SunOS a.out 604 * executables, we read in the first four bytes, as the 605 * magic number is in bytes 2-3. 606 */ 607 if (error = vn_rdwr(UIO_READ, vp, magbuf, sizeof (magbuf), 608 (offset_t)0, UIO_SYSSPACE, 0, (rlim64_t)0, CRED(), &resid)) 609 goto bad; 610 if (resid != 0) 611 goto bad; 612 613 if ((eswp = findexec_by_hdr(magbuf)) == NULL) 614 goto bad; 615 616 if (level == 0 && 617 (privflags = execsetid(vp, &vattr, &uid, &gid, &fset, 618 args->pfcred == NULL ? cred : args->pfcred, args->pathname)) != 0) { 619 620 /* Pfcred is a credential with a ref count of 1 */ 621 622 if (args->pfcred != NULL) { 623 privflags |= PRIV_INCREASE|PRIV_RESET; 624 newcred = cred = args->pfcred; 625 } else { 626 newcred = cred = crdup(cred); 627 } 628 629 /* If we can, drop the PA bit */ 630 if ((privflags & PRIV_RESET) != 0) 631 priv_adjust_PA(cred); 632 633 if (privflags & PRIV_SETID) { 634 cred->cr_uid = uid; 635 cred->cr_gid = gid; 636 cred->cr_suid = uid; 637 cred->cr_sgid = gid; 638 } 639 640 if (privflags & MAC_FLAGS) { 641 if (!(CR_FLAGS(cred) & NET_MAC_AWARE_INHERIT)) 642 CR_FLAGS(cred) &= ~NET_MAC_AWARE; 643 CR_FLAGS(cred) &= ~NET_MAC_AWARE_INHERIT; 644 } 645 646 /* 647 * Implement the privilege updates: 648 * 649 * Restrict with L: 650 * 651 * I' = I & L 652 * 653 * E' = P' = (I' + F) & A 654 * 655 * But if running under ptrace, we cap I and F with P. 656 */ 657 if ((privflags & (PRIV_RESET|PRIV_FORCED)) != 0) { 658 if ((privflags & PRIV_INCREASE) != 0 && 659 (pp->p_proc_flag & P_PR_PTRACE) != 0) { 660 priv_intersect(&CR_OPPRIV(cred), 661 &CR_IPRIV(cred)); 662 priv_intersect(&CR_OPPRIV(cred), &fset); 663 } 664 priv_intersect(&CR_LPRIV(cred), &CR_IPRIV(cred)); 665 CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred); 666 if (privflags & PRIV_FORCED) { 667 priv_set_PA(cred); 668 priv_union(&fset, &CR_EPRIV(cred)); 669 priv_union(&fset, &CR_PPRIV(cred)); 670 } 671 priv_adjust_PA(cred); 672 } 673 } else if (level == 0 && args->pfcred != NULL) { 674 newcred = cred = args->pfcred; 675 privflags |= PRIV_INCREASE; 676 /* pfcred is not forced to adhere to these settings */ 677 priv_intersect(&CR_LPRIV(cred), &CR_IPRIV(cred)); 678 CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred); 679 priv_adjust_PA(cred); 680 } 681 682 /* The new image gets the inheritable secflags as its secflags */ 683 secflags_promote(pp); 684 685 /* SunOS 4.x buy-back */ 686 if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) && 687 (vattr.va_mode & (VSUID|VSGID))) { 688 char path[MAXNAMELEN]; 689 refstr_t *mntpt = NULL; 690 int ret = -1; 691 692 bzero(path, sizeof (path)); 693 zone_hold(pp->p_zone); 694 695 ret = vnodetopath(pp->p_zone->zone_rootvp, vp, path, 696 sizeof (path), cred); 697 698 /* fallback to mountpoint if a path can't be found */ 699 if ((ret != 0) || (ret == 0 && path[0] == '\0')) 700 mntpt = vfs_getmntpoint(vp->v_vfsp); 701 702 if (mntpt == NULL) 703 zcmn_err(pp->p_zone->zone_id, CE_NOTE, 704 "!uid %d: setuid execution not allowed, " 705 "file=%s", cred->cr_uid, path); 706 else 707 zcmn_err(pp->p_zone->zone_id, CE_NOTE, 708 "!uid %d: setuid execution not allowed, " 709 "fs=%s, file=%s", cred->cr_uid, 710 ZONE_PATH_TRANSLATE(refstr_value(mntpt), 711 pp->p_zone), exec_file); 712 713 if (!INGLOBALZONE(pp)) { 714 /* zone_rootpath always has trailing / */ 715 if (mntpt == NULL) 716 cmn_err(CE_NOTE, "!zone: %s, uid: %d " 717 "setuid execution not allowed, file=%s%s", 718 pp->p_zone->zone_name, cred->cr_uid, 719 pp->p_zone->zone_rootpath, path + 1); 720 else 721 cmn_err(CE_NOTE, "!zone: %s, uid: %d " 722 "setuid execution not allowed, fs=%s, " 723 "file=%s", pp->p_zone->zone_name, 724 cred->cr_uid, refstr_value(mntpt), 725 exec_file); 726 } 727 728 if (mntpt != NULL) 729 refstr_rele(mntpt); 730 731 zone_rele(pp->p_zone); 732 } 733 734 /* 735 * execsetid() told us whether or not we had to change the 736 * credentials of the process. In privflags, it told us 737 * whether we gained any privileges or executed a set-uid executable. 738 */ 739 setid = (privflags & (PRIV_SETUGID|PRIV_INCREASE|PRIV_FORCED)); 740 741 /* 742 * Use /etc/system variable to determine if the stack 743 * should be marked as executable by default. 744 */ 745 if ((noexec_user_stack != 0) || 746 secflag_enabled(pp, PROC_SEC_NOEXECSTACK)) 747 args->stk_prot &= ~PROT_EXEC; 748 749 args->execswp = eswp; /* Save execsw pointer in uarg for exec_func */ 750 args->ex_vp = vp; 751 752 /* 753 * Traditionally, the setid flags told the sub processes whether 754 * the file just executed was set-uid or set-gid; this caused 755 * some confusion as the 'setid' flag did not match the SUGID 756 * process flag which is only set when the uids/gids do not match. 757 * A script set-gid/set-uid to the real uid/gid would start with 758 * /dev/fd/X but an executable would happily trust LD_LIBRARY_PATH. 759 * Now we flag those cases where the calling process cannot 760 * be trusted to influence the newly exec'ed process, either 761 * because it runs with more privileges or when the uids/gids 762 * do in fact not match. 763 * This also makes the runtime linker agree with the on exec 764 * values of SNOCD and SUGID. 765 */ 766 setidfl = 0; 767 if (cred->cr_uid != cred->cr_ruid || (cred->cr_rgid != cred->cr_gid && 768 !supgroupmember(cred->cr_gid, cred))) { 769 setidfl |= EXECSETID_UGIDS; 770 } 771 if (setid & PRIV_SETUGID) 772 setidfl |= EXECSETID_SETID; 773 if (setid & PRIV_FORCED) 774 setidfl |= EXECSETID_PRIVS; 775 776 execvp = pp->p_exec; 777 if (execvp) 778 VN_HOLD(execvp); 779 780 error = (*eswp->exec_func)(vp, uap, args, idatap, level, execsz, 781 setidfl, exec_file, cred, brand_action); 782 rw_exit(eswp->exec_lock); 783 if (error != 0) { 784 if (execvp) 785 VN_RELE(execvp); 786 /* 787 * If this process's p_exec has been set to the vp of 788 * the executable by exec_func, we will return without 789 * calling VOP_CLOSE because proc_exit will close it 790 * on exit. 791 */ 792 if (pp->p_exec == vp) 793 goto bad_noclose; 794 else 795 goto bad; 796 } 797 798 if (level == 0) { 799 uid_t oruid; 800 801 if (execvp != NULL) { 802 /* 803 * Close the previous executable only if we are 804 * at level 0. 805 */ 806 (void) VOP_CLOSE(execvp, FREAD, 1, (offset_t)0, 807 cred, NULL); 808 } 809 810 mutex_enter(&pp->p_crlock); 811 812 oruid = pp->p_cred->cr_ruid; 813 814 if (newcred != NULL) { 815 /* 816 * Free the old credentials, and set the new ones. 817 * Do this for both the process and the (single) thread. 818 */ 819 crfree(pp->p_cred); 820 pp->p_cred = cred; /* cred already held for proc */ 821 crhold(cred); /* hold new cred for thread */ 822 /* 823 * DTrace accesses t_cred in probe context. t_cred 824 * must always be either NULL, or point to a valid, 825 * allocated cred structure. 826 */ 827 oldcred = curthread->t_cred; 828 curthread->t_cred = cred; 829 crfree(oldcred); 830 831 if (priv_basic_test >= 0 && 832 !PRIV_ISASSERT(&CR_IPRIV(newcred), 833 priv_basic_test)) { 834 pid_t pid = pp->p_pid; 835 char *fn = PTOU(pp)->u_comm; 836 837 cmn_err(CE_WARN, "%s[%d]: exec: basic_test " 838 "privilege removed from E/I", fn, pid); 839 } 840 } 841 /* 842 * On emerging from a successful exec(), the saved 843 * uid and gid equal the effective uid and gid. 844 */ 845 cred->cr_suid = cred->cr_uid; 846 cred->cr_sgid = cred->cr_gid; 847 848 /* 849 * If the real and effective ids do not match, this 850 * is a setuid process that should not dump core. 851 * The group comparison is tricky; we prevent the code 852 * from flagging SNOCD when executing with an effective gid 853 * which is a supplementary group. 854 */ 855 if (cred->cr_ruid != cred->cr_uid || 856 (cred->cr_rgid != cred->cr_gid && 857 !supgroupmember(cred->cr_gid, cred)) || 858 (privflags & PRIV_INCREASE) != 0) 859 suidflags = PSUIDFLAGS; 860 else 861 suidflags = 0; 862 863 mutex_exit(&pp->p_crlock); 864 if (newcred != NULL && oruid != newcred->cr_ruid) { 865 /* Note that the process remains in the same zone. */ 866 mutex_enter(&pidlock); 867 upcount_dec(oruid, crgetzoneid(newcred)); 868 upcount_inc(newcred->cr_ruid, crgetzoneid(newcred)); 869 mutex_exit(&pidlock); 870 } 871 if (suidflags) { 872 mutex_enter(&pp->p_lock); 873 pp->p_flag |= suidflags; 874 mutex_exit(&pp->p_lock); 875 } 876 if (setid && (pp->p_proc_flag & P_PR_PTRACE) == 0) { 877 /* 878 * If process is traced via /proc, arrange to 879 * invalidate the associated /proc vnode. 880 */ 881 if (pp->p_plist || (pp->p_proc_flag & P_PR_TRACE)) 882 args->traceinval = 1; 883 } 884 if (pp->p_proc_flag & P_PR_PTRACE) 885 psignal(pp, SIGTRAP); 886 if (args->traceinval) 887 prinvalidate(&pp->p_user); 888 } 889 if (execvp) 890 VN_RELE(execvp); 891 return (0); 892 893 bad: 894 (void) VOP_CLOSE(vp, FREAD, 1, (offset_t)0, cred, NULL); 895 896 bad_noclose: 897 if (newcred != NULL) 898 crfree(newcred); 899 if (error == 0) 900 error = ENOEXEC; 901 902 mutex_enter(&pp->p_lock); 903 if (suidflags) { 904 pp->p_flag |= suidflags; 905 } 906 /* 907 * Restore the effective secflags, to maintain the invariant they 908 * never change for a given process 909 */ 910 secflags_copy(&pp->p_secflags.psf_effective, &old_secflags); 911 mutex_exit(&pp->p_lock); 912 913 return (error); 914 } 915 916 extern char *execswnames[]; 917 918 struct execsw * 919 allocate_execsw(char *name, char *magic, size_t magic_size) 920 { 921 int i, j; 922 char *ename; 923 char *magicp; 924 925 mutex_enter(&execsw_lock); 926 for (i = 0; i < nexectype; i++) { 927 if (execswnames[i] == NULL) { 928 ename = kmem_alloc(strlen(name) + 1, KM_SLEEP); 929 (void) strcpy(ename, name); 930 execswnames[i] = ename; 931 /* 932 * Set the magic number last so that we 933 * don't need to hold the execsw_lock in 934 * findexectype(). 935 */ 936 magicp = kmem_alloc(magic_size, KM_SLEEP); 937 for (j = 0; j < magic_size; j++) 938 magicp[j] = magic[j]; 939 execsw[i].exec_magic = magicp; 940 mutex_exit(&execsw_lock); 941 return (&execsw[i]); 942 } 943 } 944 mutex_exit(&execsw_lock); 945 return (NULL); 946 } 947 948 /* 949 * Find the exec switch table entry with the corresponding magic string. 950 */ 951 struct execsw * 952 findexecsw(char *magic) 953 { 954 struct execsw *eswp; 955 956 for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) { 957 ASSERT(eswp->exec_maglen <= MAGIC_BYTES); 958 if (magic && eswp->exec_maglen != 0 && 959 bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0) 960 return (eswp); 961 } 962 return (NULL); 963 } 964 965 /* 966 * Find the execsw[] index for the given exec header string by looking for the 967 * magic string at a specified offset and length for each kind of executable 968 * file format until one matches. If no execsw[] entry is found, try to 969 * autoload a module for this magic string. 970 */ 971 struct execsw * 972 findexec_by_hdr(char *header) 973 { 974 struct execsw *eswp; 975 976 for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) { 977 ASSERT(eswp->exec_maglen <= MAGIC_BYTES); 978 if (header && eswp->exec_maglen != 0 && 979 bcmp(&header[eswp->exec_magoff], eswp->exec_magic, 980 eswp->exec_maglen) == 0) { 981 if (hold_execsw(eswp) != 0) 982 return (NULL); 983 return (eswp); 984 } 985 } 986 return (NULL); /* couldn't find the type */ 987 } 988 989 /* 990 * Find the execsw[] index for the given magic string. If no execsw[] entry 991 * is found, try to autoload a module for this magic string. 992 */ 993 struct execsw * 994 findexec_by_magic(char *magic) 995 { 996 struct execsw *eswp; 997 998 for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) { 999 ASSERT(eswp->exec_maglen <= MAGIC_BYTES); 1000 if (magic && eswp->exec_maglen != 0 && 1001 bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0) { 1002 if (hold_execsw(eswp) != 0) 1003 return (NULL); 1004 return (eswp); 1005 } 1006 } 1007 return (NULL); /* couldn't find the type */ 1008 } 1009 1010 static int 1011 hold_execsw(struct execsw *eswp) 1012 { 1013 char *name; 1014 1015 rw_enter(eswp->exec_lock, RW_READER); 1016 while (!LOADED_EXEC(eswp)) { 1017 rw_exit(eswp->exec_lock); 1018 name = execswnames[eswp-execsw]; 1019 ASSERT(name); 1020 if (modload("exec", name) == -1) 1021 return (-1); 1022 rw_enter(eswp->exec_lock, RW_READER); 1023 } 1024 return (0); 1025 } 1026 1027 static int 1028 execsetid(struct vnode *vp, struct vattr *vattrp, uid_t *uidp, uid_t *gidp, 1029 priv_set_t *fset, cred_t *cr, const char *pathname) 1030 { 1031 proc_t *pp = ttoproc(curthread); 1032 uid_t uid, gid; 1033 int privflags = 0; 1034 1035 /* 1036 * Remember credentials. 1037 */ 1038 uid = cr->cr_uid; 1039 gid = cr->cr_gid; 1040 1041 /* Will try to reset the PRIV_AWARE bit later. */ 1042 if ((CR_FLAGS(cr) & (PRIV_AWARE|PRIV_AWARE_INHERIT)) == PRIV_AWARE) 1043 privflags |= PRIV_RESET; 1044 1045 if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) == 0) { 1046 /* 1047 * If it's a set-uid root program we perform the 1048 * forced privilege look-aside. This has three possible 1049 * outcomes: 1050 * no look aside information -> treat as before 1051 * look aside in Limit set -> apply forced privs 1052 * look aside not in Limit set -> ignore set-uid root 1053 * 1054 * Ordinary set-uid root execution only allowed if the limit 1055 * set holds all unsafe privileges. 1056 */ 1057 if (vattrp->va_mode & VSUID) { 1058 if (vattrp->va_uid == 0) { 1059 int res = get_forced_privs(cr, pathname, fset); 1060 1061 switch (res) { 1062 case -1: 1063 if (priv_issubset(&priv_unsafe, 1064 &CR_LPRIV(cr))) { 1065 uid = vattrp->va_uid; 1066 privflags |= PRIV_SETUGID; 1067 } 1068 break; 1069 case 0: 1070 privflags |= PRIV_FORCED|PRIV_INCREASE; 1071 break; 1072 default: 1073 break; 1074 } 1075 } else { 1076 uid = vattrp->va_uid; 1077 privflags |= PRIV_SETUGID; 1078 } 1079 } 1080 if (vattrp->va_mode & VSGID) { 1081 gid = vattrp->va_gid; 1082 privflags |= PRIV_SETUGID; 1083 } 1084 } 1085 1086 /* 1087 * Do we need to change our credential anyway? 1088 * This is the case when E != I or P != I, as 1089 * we need to do the assignments (with F empty and A full) 1090 * Or when I is not a subset of L; in that case we need to 1091 * enforce L. 1092 * 1093 * I' = L & I 1094 * 1095 * E' = P' = (I' + F) & A 1096 * or 1097 * E' = P' = I' 1098 */ 1099 if (!priv_isequalset(&CR_EPRIV(cr), &CR_IPRIV(cr)) || 1100 !priv_issubset(&CR_IPRIV(cr), &CR_LPRIV(cr)) || 1101 !priv_isequalset(&CR_PPRIV(cr), &CR_IPRIV(cr))) 1102 privflags |= PRIV_RESET; 1103 1104 /* Child has more privileges than parent */ 1105 if (!priv_issubset(&CR_IPRIV(cr), &CR_PPRIV(cr))) 1106 privflags |= PRIV_INCREASE; 1107 1108 /* If MAC-aware flag(s) are on, need to update cred to remove. */ 1109 if ((CR_FLAGS(cr) & NET_MAC_AWARE) || 1110 (CR_FLAGS(cr) & NET_MAC_AWARE_INHERIT)) 1111 privflags |= MAC_FLAGS; 1112 /* 1113 * Set setuid/setgid protections if no ptrace() compatibility. 1114 * For privileged processes, honor setuid/setgid even in 1115 * the presence of ptrace() compatibility. 1116 */ 1117 if (((pp->p_proc_flag & P_PR_PTRACE) == 0 || 1118 PRIV_POLICY_ONLY(cr, PRIV_PROC_OWNER, (uid == 0))) && 1119 (cr->cr_uid != uid || 1120 cr->cr_gid != gid || 1121 cr->cr_suid != uid || 1122 cr->cr_sgid != gid)) { 1123 *uidp = uid; 1124 *gidp = gid; 1125 privflags |= PRIV_SETID; 1126 } 1127 return (privflags); 1128 } 1129 1130 int 1131 execpermissions(struct vnode *vp, struct vattr *vattrp, struct uarg *args) 1132 { 1133 int error; 1134 proc_t *p = ttoproc(curthread); 1135 1136 vattrp->va_mask = AT_MODE | AT_UID | AT_GID | AT_SIZE; 1137 if (error = VOP_GETATTR(vp, vattrp, ATTR_EXEC, p->p_cred, NULL)) 1138 return (error); 1139 /* 1140 * Check the access mode. 1141 * If VPROC, ask /proc if the file is an object file. 1142 */ 1143 if ((error = VOP_ACCESS(vp, VEXEC, 0, p->p_cred, NULL)) != 0 || 1144 !(vp->v_type == VREG || (vp->v_type == VPROC && pr_isobject(vp))) || 1145 (vp->v_vfsp->vfs_flag & VFS_NOEXEC) != 0 || 1146 (vattrp->va_mode & (VEXEC|(VEXEC>>3)|(VEXEC>>6))) == 0) { 1147 if (error == 0) 1148 error = EACCES; 1149 return (error); 1150 } 1151 1152 if ((p->p_plist || (p->p_proc_flag & (P_PR_PTRACE|P_PR_TRACE))) && 1153 (error = VOP_ACCESS(vp, VREAD, 0, p->p_cred, NULL))) { 1154 /* 1155 * If process is under ptrace(2) compatibility, 1156 * fail the exec(2). 1157 */ 1158 if (p->p_proc_flag & P_PR_PTRACE) 1159 goto bad; 1160 /* 1161 * Process is traced via /proc. 1162 * Arrange to invalidate the /proc vnode. 1163 */ 1164 args->traceinval = 1; 1165 } 1166 return (0); 1167 bad: 1168 if (error == 0) 1169 error = ENOEXEC; 1170 return (error); 1171 } 1172 1173 /* 1174 * Map a section of an executable file into the user's 1175 * address space. 1176 */ 1177 int 1178 execmap(struct vnode *vp, caddr_t addr, size_t len, size_t zfodlen, 1179 off_t offset, int prot, int page, uint_t szc) 1180 { 1181 int error = 0; 1182 off_t oldoffset; 1183 caddr_t zfodbase, oldaddr; 1184 size_t end, oldlen; 1185 size_t zfoddiff; 1186 label_t ljb; 1187 proc_t *p = ttoproc(curthread); 1188 1189 oldaddr = addr; 1190 addr = (caddr_t)((uintptr_t)addr & (uintptr_t)PAGEMASK); 1191 if (len) { 1192 oldlen = len; 1193 len += ((size_t)oldaddr - (size_t)addr); 1194 oldoffset = offset; 1195 offset = (off_t)((uintptr_t)offset & PAGEMASK); 1196 if (page) { 1197 spgcnt_t prefltmem, availm, npages; 1198 int preread; 1199 uint_t mflag = MAP_PRIVATE | MAP_FIXED; 1200 1201 if ((prot & (PROT_WRITE | PROT_EXEC)) == PROT_EXEC) { 1202 mflag |= MAP_TEXT; 1203 } else { 1204 mflag |= MAP_INITDATA; 1205 } 1206 1207 if (valid_usr_range(addr, len, prot, p->p_as, 1208 p->p_as->a_userlimit) != RANGE_OKAY) { 1209 error = ENOMEM; 1210 goto bad; 1211 } 1212 if (error = VOP_MAP(vp, (offset_t)offset, 1213 p->p_as, &addr, len, prot, PROT_ALL, 1214 mflag, CRED(), NULL)) 1215 goto bad; 1216 1217 /* 1218 * If the segment can fit, then we prefault 1219 * the entire segment in. This is based on the 1220 * model that says the best working set of a 1221 * small program is all of its pages. 1222 */ 1223 npages = (spgcnt_t)btopr(len); 1224 prefltmem = freemem - desfree; 1225 preread = 1226 (npages < prefltmem && len < PGTHRESH) ? 1 : 0; 1227 1228 /* 1229 * If we aren't prefaulting the segment, 1230 * increment "deficit", if necessary to ensure 1231 * that pages will become available when this 1232 * process starts executing. 1233 */ 1234 availm = freemem - lotsfree; 1235 if (preread == 0 && npages > availm && 1236 deficit < lotsfree) { 1237 deficit += MIN((pgcnt_t)(npages - availm), 1238 lotsfree - deficit); 1239 } 1240 1241 if (preread) { 1242 TRACE_2(TR_FAC_PROC, TR_EXECMAP_PREREAD, 1243 "execmap preread:freemem %d size %lu", 1244 freemem, len); 1245 (void) as_fault(p->p_as->a_hat, p->p_as, 1246 (caddr_t)addr, len, F_INVAL, S_READ); 1247 } 1248 } else { 1249 if (valid_usr_range(addr, len, prot, p->p_as, 1250 p->p_as->a_userlimit) != RANGE_OKAY) { 1251 error = ENOMEM; 1252 goto bad; 1253 } 1254 1255 if (error = as_map(p->p_as, addr, len, 1256 segvn_create, zfod_argsp)) 1257 goto bad; 1258 /* 1259 * Read in the segment in one big chunk. 1260 */ 1261 if (error = vn_rdwr(UIO_READ, vp, (caddr_t)oldaddr, 1262 oldlen, (offset_t)oldoffset, UIO_USERSPACE, 0, 1263 (rlim64_t)0, CRED(), (ssize_t *)0)) 1264 goto bad; 1265 /* 1266 * Now set protections. 1267 */ 1268 if (prot != PROT_ZFOD) { 1269 (void) as_setprot(p->p_as, (caddr_t)addr, 1270 len, prot); 1271 } 1272 } 1273 } 1274 1275 if (zfodlen) { 1276 struct as *as = curproc->p_as; 1277 struct seg *seg; 1278 uint_t zprot = 0; 1279 1280 end = (size_t)addr + len; 1281 zfodbase = (caddr_t)roundup(end, PAGESIZE); 1282 zfoddiff = (uintptr_t)zfodbase - end; 1283 if (zfoddiff) { 1284 /* 1285 * Before we go to zero the remaining space on the last 1286 * page, make sure we have write permission. 1287 * 1288 * Normal illumos binaries don't even hit the case 1289 * where we have to change permission on the last page 1290 * since their protection is typically either 1291 * PROT_USER | PROT_WRITE | PROT_READ 1292 * or 1293 * PROT_ZFOD (same as PROT_ALL). 1294 * 1295 * We need to be careful how we zero-fill the last page 1296 * if the segment protection does not include 1297 * PROT_WRITE. Using as_setprot() can cause the VM 1298 * segment code to call segvn_vpage(), which must 1299 * allocate a page struct for each page in the segment. 1300 * If we have a very large segment, this may fail, so 1301 * we have to check for that, even though we ignore 1302 * other return values from as_setprot. 1303 */ 1304 1305 AS_LOCK_ENTER(as, RW_READER); 1306 seg = as_segat(curproc->p_as, (caddr_t)end); 1307 if (seg != NULL) 1308 SEGOP_GETPROT(seg, (caddr_t)end, zfoddiff - 1, 1309 &zprot); 1310 AS_LOCK_EXIT(as); 1311 1312 if (seg != NULL && (zprot & PROT_WRITE) == 0) { 1313 if (as_setprot(as, (caddr_t)end, zfoddiff - 1, 1314 zprot | PROT_WRITE) == ENOMEM) { 1315 error = ENOMEM; 1316 goto bad; 1317 } 1318 } 1319 1320 if (on_fault(&ljb)) { 1321 no_fault(); 1322 if (seg != NULL && (zprot & PROT_WRITE) == 0) 1323 (void) as_setprot(as, (caddr_t)end, 1324 zfoddiff - 1, zprot); 1325 error = EFAULT; 1326 goto bad; 1327 } 1328 uzero((void *)end, zfoddiff); 1329 no_fault(); 1330 if (seg != NULL && (zprot & PROT_WRITE) == 0) 1331 (void) as_setprot(as, (caddr_t)end, 1332 zfoddiff - 1, zprot); 1333 } 1334 if (zfodlen > zfoddiff) { 1335 struct segvn_crargs crargs = 1336 SEGVN_ZFOD_ARGS(PROT_ZFOD, PROT_ALL); 1337 1338 zfodlen -= zfoddiff; 1339 if (valid_usr_range(zfodbase, zfodlen, prot, p->p_as, 1340 p->p_as->a_userlimit) != RANGE_OKAY) { 1341 error = ENOMEM; 1342 goto bad; 1343 } 1344 if (szc > 0) { 1345 /* 1346 * ASSERT alignment because the mapelfexec() 1347 * caller for the szc > 0 case extended zfod 1348 * so it's end is pgsz aligned. 1349 */ 1350 size_t pgsz = page_get_pagesize(szc); 1351 ASSERT(IS_P2ALIGNED(zfodbase + zfodlen, pgsz)); 1352 1353 if (IS_P2ALIGNED(zfodbase, pgsz)) { 1354 crargs.szc = szc; 1355 } else { 1356 crargs.szc = AS_MAP_HEAP; 1357 } 1358 } else { 1359 crargs.szc = AS_MAP_NO_LPOOB; 1360 } 1361 if (error = as_map(p->p_as, (caddr_t)zfodbase, 1362 zfodlen, segvn_create, &crargs)) 1363 goto bad; 1364 if (prot != PROT_ZFOD) { 1365 (void) as_setprot(p->p_as, (caddr_t)zfodbase, 1366 zfodlen, prot); 1367 } 1368 } 1369 } 1370 return (0); 1371 bad: 1372 return (error); 1373 } 1374 1375 void 1376 setexecenv(struct execenv *ep) 1377 { 1378 proc_t *p = ttoproc(curthread); 1379 klwp_t *lwp = ttolwp(curthread); 1380 struct vnode *vp; 1381 1382 p->p_bssbase = ep->ex_bssbase; 1383 p->p_brkbase = ep->ex_brkbase; 1384 p->p_brksize = ep->ex_brksize; 1385 if (p->p_exec) 1386 VN_RELE(p->p_exec); /* out with the old */ 1387 vp = p->p_exec = ep->ex_vp; 1388 if (vp != NULL) 1389 VN_HOLD(vp); /* in with the new */ 1390 1391 lwp->lwp_sigaltstack.ss_sp = 0; 1392 lwp->lwp_sigaltstack.ss_size = 0; 1393 lwp->lwp_sigaltstack.ss_flags = SS_DISABLE; 1394 } 1395 1396 int 1397 execopen(struct vnode **vpp, int *fdp) 1398 { 1399 struct vnode *vp = *vpp; 1400 file_t *fp; 1401 int error = 0; 1402 int filemode = FREAD; 1403 1404 VN_HOLD(vp); /* open reference */ 1405 if (error = falloc(NULL, filemode, &fp, fdp)) { 1406 VN_RELE(vp); 1407 *fdp = -1; /* just in case falloc changed value */ 1408 return (error); 1409 } 1410 if (error = VOP_OPEN(&vp, filemode, CRED(), NULL)) { 1411 VN_RELE(vp); 1412 setf(*fdp, NULL); 1413 unfalloc(fp); 1414 *fdp = -1; 1415 return (error); 1416 } 1417 *vpp = vp; /* vnode should not have changed */ 1418 fp->f_vnode = vp; 1419 mutex_exit(&fp->f_tlock); 1420 setf(*fdp, fp); 1421 return (0); 1422 } 1423 1424 int 1425 execclose(int fd) 1426 { 1427 return (closeandsetf(fd, NULL)); 1428 } 1429 1430 1431 /* 1432 * noexec stub function. 1433 */ 1434 /*ARGSUSED*/ 1435 int 1436 noexec( 1437 struct vnode *vp, 1438 struct execa *uap, 1439 struct uarg *args, 1440 struct intpdata *idatap, 1441 int level, 1442 long *execsz, 1443 int setid, 1444 caddr_t exec_file, 1445 struct cred *cred) 1446 { 1447 cmn_err(CE_WARN, "missing exec capability for %s", uap->fname); 1448 return (ENOEXEC); 1449 } 1450 1451 /* 1452 * Support routines for building a user stack. 1453 * 1454 * execve(path, argv, envp) must construct a new stack with the specified 1455 * arguments and environment variables (see exec_args() for a description 1456 * of the user stack layout). To do this, we copy the arguments and 1457 * environment variables from the old user address space into the kernel, 1458 * free the old as, create the new as, and copy our buffered information 1459 * to the new stack. Our kernel buffer has the following structure: 1460 * 1461 * +-----------------------+ <--- stk_base + stk_size 1462 * | string offsets | 1463 * +-----------------------+ <--- stk_offp 1464 * | | 1465 * | STK_AVAIL() space | 1466 * | | 1467 * +-----------------------+ <--- stk_strp 1468 * | strings | 1469 * +-----------------------+ <--- stk_base 1470 * 1471 * When we add a string, we store the string's contents (including the null 1472 * terminator) at stk_strp, and we store the offset of the string relative to 1473 * stk_base at --stk_offp. At strings are added, stk_strp increases and 1474 * stk_offp decreases. The amount of space remaining, STK_AVAIL(), is just 1475 * the difference between these pointers. If we run out of space, we return 1476 * an error and exec_args() starts all over again with a buffer twice as large. 1477 * When we're all done, the kernel buffer looks like this: 1478 * 1479 * +-----------------------+ <--- stk_base + stk_size 1480 * | argv[0] offset | 1481 * +-----------------------+ 1482 * | ... | 1483 * +-----------------------+ 1484 * | argv[argc-1] offset | 1485 * +-----------------------+ 1486 * | envp[0] offset | 1487 * +-----------------------+ 1488 * | ... | 1489 * +-----------------------+ 1490 * | envp[envc-1] offset | 1491 * +-----------------------+ 1492 * | AT_SUN_PLATFORM offset| 1493 * +-----------------------+ 1494 * | AT_SUN_EXECNAME offset| 1495 * +-----------------------+ <--- stk_offp 1496 * | | 1497 * | STK_AVAIL() space | 1498 * | | 1499 * +-----------------------+ <--- stk_strp 1500 * | AT_SUN_EXECNAME offset| 1501 * +-----------------------+ 1502 * | AT_SUN_PLATFORM offset| 1503 * +-----------------------+ 1504 * | envp[envc-1] string | 1505 * +-----------------------+ 1506 * | ... | 1507 * +-----------------------+ 1508 * | envp[0] string | 1509 * +-----------------------+ 1510 * | argv[argc-1] string | 1511 * +-----------------------+ 1512 * | ... | 1513 * +-----------------------+ 1514 * | argv[0] string | 1515 * +-----------------------+ <--- stk_base 1516 */ 1517 1518 #define STK_AVAIL(args) ((char *)(args)->stk_offp - (args)->stk_strp) 1519 1520 /* 1521 * Add a string to the stack. 1522 */ 1523 static int 1524 stk_add(uarg_t *args, const char *sp, enum uio_seg segflg) 1525 { 1526 int error; 1527 size_t len; 1528 1529 if (STK_AVAIL(args) < sizeof (int)) 1530 return (E2BIG); 1531 *--args->stk_offp = args->stk_strp - args->stk_base; 1532 1533 if (segflg == UIO_USERSPACE) { 1534 error = copyinstr(sp, args->stk_strp, STK_AVAIL(args), &len); 1535 if (error != 0) 1536 return (error); 1537 } else { 1538 len = strlen(sp) + 1; 1539 if (len > STK_AVAIL(args)) 1540 return (E2BIG); 1541 bcopy(sp, args->stk_strp, len); 1542 } 1543 1544 args->stk_strp += len; 1545 1546 return (0); 1547 } 1548 1549 static int 1550 stk_getptr(uarg_t *args, char *src, char **dst) 1551 { 1552 int error; 1553 1554 if (args->from_model == DATAMODEL_NATIVE) { 1555 ulong_t ptr; 1556 error = fulword(src, &ptr); 1557 *dst = (caddr_t)ptr; 1558 } else { 1559 uint32_t ptr; 1560 error = fuword32(src, &ptr); 1561 *dst = (caddr_t)(uintptr_t)ptr; 1562 } 1563 return (error); 1564 } 1565 1566 static int 1567 stk_putptr(uarg_t *args, char *addr, char *value) 1568 { 1569 if (args->to_model == DATAMODEL_NATIVE) 1570 return (sulword(addr, (ulong_t)value)); 1571 else 1572 return (suword32(addr, (uint32_t)(uintptr_t)value)); 1573 } 1574 1575 static int 1576 stk_copyin(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp) 1577 { 1578 char *sp; 1579 int argc, error; 1580 int argv_empty = 0; 1581 size_t ptrsize = args->from_ptrsize; 1582 size_t size, pad; 1583 char *argv = (char *)uap->argp; 1584 char *envp = (char *)uap->envp; 1585 1586 /* 1587 * Copy interpreter's name and argument to argv[0] and argv[1]. 1588 * In the rare case that we have nested interpreters then those names 1589 * and arguments are also copied to the subsequent slots in argv. 1590 */ 1591 if (intp != NULL && intp->intp_name[0] != NULL) { 1592 int i; 1593 1594 for (i = 0; i < INTP_MAXDEPTH; i++) { 1595 if (intp->intp_name[i] == NULL) 1596 break; 1597 error = stk_add(args, intp->intp_name[i], UIO_SYSSPACE); 1598 if (error != 0) 1599 return (error); 1600 if (intp->intp_arg[i] != NULL) { 1601 error = stk_add(args, intp->intp_arg[i], 1602 UIO_SYSSPACE); 1603 if (error != 0) 1604 return (error); 1605 } 1606 } 1607 1608 if (args->fname != NULL) 1609 error = stk_add(args, args->fname, UIO_SYSSPACE); 1610 else 1611 error = stk_add(args, uap->fname, UIO_USERSPACE); 1612 if (error) 1613 return (error); 1614 1615 /* 1616 * Check for an empty argv[]. 1617 */ 1618 if (stk_getptr(args, argv, &sp)) 1619 return (EFAULT); 1620 if (sp == NULL) 1621 argv_empty = 1; 1622 1623 argv += ptrsize; /* ignore original argv[0] */ 1624 } 1625 1626 if (argv_empty == 0) { 1627 /* 1628 * Add argv[] strings to the stack. 1629 */ 1630 for (;;) { 1631 if (stk_getptr(args, argv, &sp)) 1632 return (EFAULT); 1633 if (sp == NULL) 1634 break; 1635 if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0) 1636 return (error); 1637 argv += ptrsize; 1638 } 1639 } 1640 argc = (int *)(args->stk_base + args->stk_size) - args->stk_offp; 1641 args->arglen = args->stk_strp - args->stk_base; 1642 1643 /* 1644 * Add environ[] strings to the stack. 1645 */ 1646 if (envp != NULL) { 1647 for (;;) { 1648 char *tmp = args->stk_strp; 1649 if (stk_getptr(args, envp, &sp)) 1650 return (EFAULT); 1651 if (sp == NULL) 1652 break; 1653 if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0) 1654 return (error); 1655 if (args->scrubenv && strncmp(tmp, "LD_", 3) == 0) { 1656 /* Undo the copied string */ 1657 args->stk_strp = tmp; 1658 *(args->stk_offp++) = NULL; 1659 } 1660 envp += ptrsize; 1661 } 1662 } 1663 args->na = (int *)(args->stk_base + args->stk_size) - args->stk_offp; 1664 args->ne = args->na - argc; 1665 1666 /* 1667 * Add AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME, and 1668 * AT_SUN_EMULATOR strings to the stack. 1669 */ 1670 if (auxvpp != NULL && *auxvpp != NULL) { 1671 if ((error = stk_add(args, platform, UIO_SYSSPACE)) != 0) 1672 return (error); 1673 if ((error = stk_add(args, args->pathname, UIO_SYSSPACE)) != 0) 1674 return (error); 1675 if (args->brandname != NULL && 1676 (error = stk_add(args, args->brandname, UIO_SYSSPACE)) != 0) 1677 return (error); 1678 if (args->emulator != NULL && 1679 (error = stk_add(args, args->emulator, UIO_SYSSPACE)) != 0) 1680 return (error); 1681 } 1682 1683 /* 1684 * Compute the size of the stack. This includes all the pointers, 1685 * the space reserved for the aux vector, and all the strings. 1686 * The total number of pointers is args->na (which is argc + envc) 1687 * plus 4 more: (1) a pointer's worth of space for argc; (2) the NULL 1688 * after the last argument (i.e. argv[argc]); (3) the NULL after the 1689 * last environment variable (i.e. envp[envc]); and (4) the NULL after 1690 * all the strings, at the very top of the stack. 1691 */ 1692 size = (args->na + 4) * args->to_ptrsize + args->auxsize + 1693 (args->stk_strp - args->stk_base); 1694 1695 /* 1696 * Pad the string section with zeroes to align the stack size. 1697 */ 1698 pad = P2NPHASE(size, args->stk_align); 1699 1700 if (STK_AVAIL(args) < pad) 1701 return (E2BIG); 1702 1703 args->usrstack_size = size + pad; 1704 1705 while (pad-- != 0) 1706 *args->stk_strp++ = 0; 1707 1708 args->nc = args->stk_strp - args->stk_base; 1709 1710 return (0); 1711 } 1712 1713 static int 1714 stk_copyout(uarg_t *args, char *usrstack, void **auxvpp, user_t *up) 1715 { 1716 size_t ptrsize = args->to_ptrsize; 1717 ssize_t pslen; 1718 char *kstrp = args->stk_base; 1719 char *ustrp = usrstack - args->nc - ptrsize; 1720 char *usp = usrstack - args->usrstack_size; 1721 int *offp = (int *)(args->stk_base + args->stk_size); 1722 int envc = args->ne; 1723 int argc = args->na - envc; 1724 int i; 1725 1726 /* 1727 * Record argc for /proc. 1728 */ 1729 up->u_argc = argc; 1730 1731 /* 1732 * Put argc on the stack. Note that even though it's an int, 1733 * it always consumes ptrsize bytes (for alignment). 1734 */ 1735 if (stk_putptr(args, usp, (char *)(uintptr_t)argc)) 1736 return (-1); 1737 1738 /* 1739 * Add argc space (ptrsize) to usp and record argv for /proc. 1740 */ 1741 up->u_argv = (uintptr_t)(usp += ptrsize); 1742 1743 /* 1744 * Put the argv[] pointers on the stack. 1745 */ 1746 for (i = 0; i < argc; i++, usp += ptrsize) 1747 if (stk_putptr(args, usp, &ustrp[*--offp])) 1748 return (-1); 1749 1750 /* 1751 * Copy arguments to u_psargs. 1752 */ 1753 pslen = MIN(args->arglen, PSARGSZ) - 1; 1754 for (i = 0; i < pslen; i++) 1755 up->u_psargs[i] = (kstrp[i] == '\0' ? ' ' : kstrp[i]); 1756 while (i < PSARGSZ) 1757 up->u_psargs[i++] = '\0'; 1758 1759 /* 1760 * Add space for argv[]'s NULL terminator (ptrsize) to usp and 1761 * record envp for /proc. 1762 */ 1763 up->u_envp = (uintptr_t)(usp += ptrsize); 1764 1765 /* 1766 * Put the envp[] pointers on the stack. 1767 */ 1768 for (i = 0; i < envc; i++, usp += ptrsize) 1769 if (stk_putptr(args, usp, &ustrp[*--offp])) 1770 return (-1); 1771 1772 /* 1773 * Add space for envp[]'s NULL terminator (ptrsize) to usp and 1774 * remember where the stack ends, which is also where auxv begins. 1775 */ 1776 args->stackend = usp += ptrsize; 1777 1778 /* 1779 * Put all the argv[], envp[], and auxv strings on the stack. 1780 */ 1781 if (copyout(args->stk_base, ustrp, args->nc)) 1782 return (-1); 1783 1784 /* 1785 * Fill in the aux vector now that we know the user stack addresses 1786 * for the AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME and 1787 * AT_SUN_EMULATOR strings. 1788 */ 1789 if (auxvpp != NULL && *auxvpp != NULL) { 1790 if (args->to_model == DATAMODEL_NATIVE) { 1791 auxv_t **a = (auxv_t **)auxvpp; 1792 ADDAUX(*a, AT_SUN_PLATFORM, (long)&ustrp[*--offp]) 1793 ADDAUX(*a, AT_SUN_EXECNAME, (long)&ustrp[*--offp]) 1794 if (args->brandname != NULL) 1795 ADDAUX(*a, 1796 AT_SUN_BRANDNAME, (long)&ustrp[*--offp]) 1797 if (args->emulator != NULL) 1798 ADDAUX(*a, 1799 AT_SUN_EMULATOR, (long)&ustrp[*--offp]) 1800 } else { 1801 auxv32_t **a = (auxv32_t **)auxvpp; 1802 ADDAUX(*a, 1803 AT_SUN_PLATFORM, (int)(uintptr_t)&ustrp[*--offp]) 1804 ADDAUX(*a, 1805 AT_SUN_EXECNAME, (int)(uintptr_t)&ustrp[*--offp]) 1806 if (args->brandname != NULL) 1807 ADDAUX(*a, AT_SUN_BRANDNAME, 1808 (int)(uintptr_t)&ustrp[*--offp]) 1809 if (args->emulator != NULL) 1810 ADDAUX(*a, AT_SUN_EMULATOR, 1811 (int)(uintptr_t)&ustrp[*--offp]) 1812 } 1813 } 1814 1815 return (0); 1816 } 1817 1818 /* 1819 * Though the actual stack base is constant, slew the %sp by a random aligned 1820 * amount in [0,aslr_max_stack_skew). Mostly, this makes life slightly more 1821 * complicated for buffer overflows hoping to overwrite the return address. 1822 * 1823 * On some platforms this helps avoid cache thrashing when identical processes 1824 * simultaneously share caches that don't provide enough associativity 1825 * (e.g. sun4v systems). In this case stack slewing makes the same hot stack 1826 * variables in different processes live in different cache sets increasing 1827 * effective associativity. 1828 */ 1829 size_t 1830 exec_get_spslew(void) 1831 { 1832 #ifdef sun4v 1833 static uint_t sp_color_stride = 16; 1834 static uint_t sp_color_mask = 0x1f; 1835 static uint_t sp_current_color = (uint_t)-1; 1836 #endif 1837 size_t off; 1838 1839 ASSERT(ISP2(aslr_max_stack_skew)); 1840 1841 if ((aslr_max_stack_skew == 0) || 1842 !secflag_enabled(curproc, PROC_SEC_ASLR)) { 1843 #ifdef sun4v 1844 uint_t spcolor = atomic_inc_32_nv(&sp_current_color); 1845 return ((size_t)((spcolor & sp_color_mask) * 1846 SA(sp_color_stride))); 1847 #else 1848 return (0); 1849 #endif 1850 } 1851 1852 (void) random_get_pseudo_bytes((uint8_t *)&off, sizeof (off)); 1853 return (SA(P2PHASE(off, aslr_max_stack_skew))); 1854 } 1855 1856 /* 1857 * Initialize a new user stack with the specified arguments and environment. 1858 * The initial user stack layout is as follows: 1859 * 1860 * User Stack 1861 * +---------------+ <--- curproc->p_usrstack 1862 * | | 1863 * | slew | 1864 * | | 1865 * +---------------+ 1866 * | NULL | 1867 * +---------------+ 1868 * | | 1869 * | auxv strings | 1870 * | | 1871 * +---------------+ 1872 * | | 1873 * | envp strings | 1874 * | | 1875 * +---------------+ 1876 * | | 1877 * | argv strings | 1878 * | | 1879 * +---------------+ <--- ustrp 1880 * | | 1881 * | aux vector | 1882 * | | 1883 * +---------------+ <--- auxv 1884 * | NULL | 1885 * +---------------+ 1886 * | envp[envc-1] | 1887 * +---------------+ 1888 * | ... | 1889 * +---------------+ 1890 * | envp[0] | 1891 * +---------------+ <--- envp[] 1892 * | NULL | 1893 * +---------------+ 1894 * | argv[argc-1] | 1895 * +---------------+ 1896 * | ... | 1897 * +---------------+ 1898 * | argv[0] | 1899 * +---------------+ <--- argv[] 1900 * | argc | 1901 * +---------------+ <--- stack base 1902 */ 1903 int 1904 exec_args(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp) 1905 { 1906 size_t size; 1907 int error; 1908 proc_t *p = ttoproc(curthread); 1909 user_t *up = PTOU(p); 1910 char *usrstack; 1911 rctl_entity_p_t e; 1912 struct as *as; 1913 extern int use_stk_lpg; 1914 size_t sp_slew; 1915 1916 args->from_model = p->p_model; 1917 if (p->p_model == DATAMODEL_NATIVE) { 1918 args->from_ptrsize = sizeof (long); 1919 } else { 1920 args->from_ptrsize = sizeof (int32_t); 1921 } 1922 1923 if (args->to_model == DATAMODEL_NATIVE) { 1924 args->to_ptrsize = sizeof (long); 1925 args->ncargs = NCARGS; 1926 args->stk_align = STACK_ALIGN; 1927 if (args->addr32) 1928 usrstack = (char *)USRSTACK64_32; 1929 else 1930 usrstack = (char *)USRSTACK; 1931 } else { 1932 args->to_ptrsize = sizeof (int32_t); 1933 args->ncargs = NCARGS32; 1934 args->stk_align = STACK_ALIGN32; 1935 usrstack = (char *)USRSTACK32; 1936 } 1937 1938 ASSERT(P2PHASE((uintptr_t)usrstack, args->stk_align) == 0); 1939 1940 #if defined(__sparc) 1941 /* 1942 * Make sure user register windows are empty before 1943 * attempting to make a new stack. 1944 */ 1945 (void) flush_user_windows_to_stack(NULL); 1946 #endif 1947 1948 for (size = PAGESIZE; ; size *= 2) { 1949 args->stk_size = size; 1950 args->stk_base = kmem_alloc(size, KM_SLEEP); 1951 args->stk_strp = args->stk_base; 1952 args->stk_offp = (int *)(args->stk_base + size); 1953 error = stk_copyin(uap, args, intp, auxvpp); 1954 if (error == 0) 1955 break; 1956 kmem_free(args->stk_base, size); 1957 if (error != E2BIG && error != ENAMETOOLONG) 1958 return (error); 1959 if (size >= args->ncargs) 1960 return (E2BIG); 1961 } 1962 1963 size = args->usrstack_size; 1964 1965 ASSERT(error == 0); 1966 ASSERT(P2PHASE(size, args->stk_align) == 0); 1967 ASSERT((ssize_t)STK_AVAIL(args) >= 0); 1968 1969 if (size > args->ncargs) { 1970 kmem_free(args->stk_base, args->stk_size); 1971 return (E2BIG); 1972 } 1973 1974 /* 1975 * Leave only the current lwp and force the other lwps to exit. 1976 * If another lwp beat us to the punch by calling exit(), bail out. 1977 */ 1978 if ((error = exitlwps(0)) != 0) { 1979 kmem_free(args->stk_base, args->stk_size); 1980 return (error); 1981 } 1982 1983 /* 1984 * Revoke any doors created by the process. 1985 */ 1986 if (p->p_door_list) 1987 door_exit(); 1988 1989 /* 1990 * Release schedctl data structures. 1991 */ 1992 if (p->p_pagep) 1993 schedctl_proc_cleanup(); 1994 1995 /* 1996 * Clean up any DTrace helpers for the process. 1997 */ 1998 if (p->p_dtrace_helpers != NULL) { 1999 ASSERT(dtrace_helpers_cleanup != NULL); 2000 (*dtrace_helpers_cleanup)(p); 2001 } 2002 2003 mutex_enter(&p->p_lock); 2004 /* 2005 * Cleanup the DTrace provider associated with this process. 2006 */ 2007 if (p->p_dtrace_probes) { 2008 ASSERT(dtrace_fasttrap_exec_ptr != NULL); 2009 dtrace_fasttrap_exec_ptr(p); 2010 } 2011 mutex_exit(&p->p_lock); 2012 2013 /* 2014 * discard the lwpchan cache. 2015 */ 2016 if (p->p_lcp != NULL) 2017 lwpchan_destroy_cache(1); 2018 2019 /* 2020 * Delete the POSIX timers. 2021 */ 2022 if (p->p_itimer != NULL) 2023 timer_exit(); 2024 2025 /* 2026 * Delete the ITIMER_REALPROF interval timer. 2027 * The other ITIMER_* interval timers are specified 2028 * to be inherited across exec(). 2029 */ 2030 delete_itimer_realprof(); 2031 2032 if (AU_AUDITING()) 2033 audit_exec(args->stk_base, args->stk_base + args->arglen, 2034 args->na - args->ne, args->ne, args->pfcred); 2035 2036 /* 2037 * Ensure that we don't change resource associations while we 2038 * change address spaces. 2039 */ 2040 mutex_enter(&p->p_lock); 2041 pool_barrier_enter(); 2042 mutex_exit(&p->p_lock); 2043 2044 /* 2045 * Destroy the old address space and create a new one. 2046 * From here on, any errors are fatal to the exec()ing process. 2047 * On error we return -1, which means the caller must SIGKILL 2048 * the process. 2049 */ 2050 relvm(); 2051 2052 mutex_enter(&p->p_lock); 2053 pool_barrier_exit(); 2054 mutex_exit(&p->p_lock); 2055 2056 up->u_execsw = args->execswp; 2057 2058 p->p_brkbase = NULL; 2059 p->p_brksize = 0; 2060 p->p_brkpageszc = 0; 2061 p->p_stksize = 0; 2062 p->p_stkpageszc = 0; 2063 p->p_model = args->to_model; 2064 p->p_usrstack = usrstack; 2065 p->p_stkprot = args->stk_prot; 2066 p->p_datprot = args->dat_prot; 2067 2068 /* 2069 * Reset resource controls such that all controls are again active as 2070 * well as appropriate to the potentially new address model for the 2071 * process. 2072 */ 2073 e.rcep_p.proc = p; 2074 e.rcep_t = RCENTITY_PROCESS; 2075 rctl_set_reset(p->p_rctls, p, &e); 2076 2077 /* Too early to call map_pgsz for the heap */ 2078 if (use_stk_lpg) { 2079 p->p_stkpageszc = page_szc(map_pgsz(MAPPGSZ_STK, p, 0, 0, 0)); 2080 } 2081 2082 mutex_enter(&p->p_lock); 2083 p->p_flag |= SAUTOLPG; /* kernel controls page sizes */ 2084 mutex_exit(&p->p_lock); 2085 2086 sp_slew = exec_get_spslew(); 2087 ASSERT(P2PHASE(sp_slew, args->stk_align) == 0); 2088 /* Be certain we don't underflow */ 2089 VERIFY((curproc->p_usrstack - (size + sp_slew)) < curproc->p_usrstack); 2090 exec_set_sp(size + sp_slew); 2091 2092 as = as_alloc(); 2093 p->p_as = as; 2094 as->a_proc = p; 2095 if (p->p_model == DATAMODEL_ILP32 || args->addr32) 2096 as->a_userlimit = (caddr_t)USERLIMIT32; 2097 (void) hat_setup(as->a_hat, HAT_ALLOC); 2098 hat_join_srd(as->a_hat, args->ex_vp); 2099 2100 /* 2101 * Finally, write out the contents of the new stack. 2102 */ 2103 error = stk_copyout(args, usrstack - sp_slew, auxvpp, up); 2104 kmem_free(args->stk_base, args->stk_size); 2105 return (error); 2106 } 2107