xref: /illumos-gate/usr/src/uts/common/os/exec.c (revision d6bb6a8465e557cb946ef49d56ed3202f6218652)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 /*	Copyright (c) 1988 AT&T	*/
29 /*	  All Rights Reserved  	*/
30 
31 
32 #include <sys/types.h>
33 #include <sys/param.h>
34 #include <sys/sysmacros.h>
35 #include <sys/systm.h>
36 #include <sys/signal.h>
37 #include <sys/cred_impl.h>
38 #include <sys/policy.h>
39 #include <sys/user.h>
40 #include <sys/errno.h>
41 #include <sys/file.h>
42 #include <sys/vfs.h>
43 #include <sys/vnode.h>
44 #include <sys/mman.h>
45 #include <sys/acct.h>
46 #include <sys/cpuvar.h>
47 #include <sys/proc.h>
48 #include <sys/cmn_err.h>
49 #include <sys/debug.h>
50 #include <sys/pathname.h>
51 #include <sys/vm.h>
52 #include <sys/vtrace.h>
53 #include <sys/exec.h>
54 #include <sys/exechdr.h>
55 #include <sys/kmem.h>
56 #include <sys/prsystm.h>
57 #include <sys/modctl.h>
58 #include <sys/vmparam.h>
59 #include <sys/schedctl.h>
60 #include <sys/utrap.h>
61 #include <sys/systeminfo.h>
62 #include <sys/stack.h>
63 #include <sys/rctl.h>
64 #include <sys/dtrace.h>
65 #include <sys/lwpchan_impl.h>
66 #include <sys/pool.h>
67 #include <sys/sdt.h>
68 
69 #include <c2/audit.h>
70 
71 #include <vm/hat.h>
72 #include <vm/anon.h>
73 #include <vm/as.h>
74 #include <vm/seg.h>
75 #include <vm/seg_vn.h>
76 
77 #define	PRIV_RESET		0x01	/* needs to reset privs */
78 #define	PRIV_SETID		0x02	/* needs to change uids */
79 #define	PRIV_SETUGID		0x04	/* is setuid/setgid/forced privs */
80 #define	PRIV_INCREASE		0x08	/* child runs with more privs */
81 
82 static int execsetid(struct vnode *, struct vattr *, uid_t *, uid_t *);
83 static int hold_execsw(struct execsw *);
84 
85 uint_t auxv_hwcap = 0;	/* auxv AT_SUN_HWCAP value; determined on the fly */
86 #if defined(_SYSCALL32_IMPL)
87 uint_t auxv_hwcap32 = 0;	/* 32-bit version of auxv_hwcap */
88 #endif
89 
90 int exec_lpg_disable = 0;
91 
92 #define	PSUIDFLAGS		(SNOCD|SUGID)
93 
94 /*
95  * exec() - wrapper around exece providing NULL environment pointer
96  */
97 int
98 exec(const char *fname, const char **argp)
99 {
100 	return (exece(fname, argp, NULL));
101 }
102 
103 /*
104  * exece() - system call wrapper around exec_common()
105  */
106 int
107 exece(const char *fname, const char **argp, const char **envp)
108 {
109 	int error;
110 
111 	error = exec_common(fname, argp, envp);
112 	return (error ? (set_errno(error)) : 0);
113 }
114 
115 int
116 exec_common(const char *fname, const char **argp, const char **envp)
117 {
118 	vnode_t *vp = NULL, *dir = NULL, *tmpvp = NULL;
119 	proc_t *p = ttoproc(curthread);
120 	klwp_t *lwp = ttolwp(curthread);
121 	struct user *up = PTOU(p);
122 	long execsz;		/* temporary count of exec size */
123 	int i;
124 	int error;
125 	char exec_file[MAXCOMLEN+1];
126 	struct pathname pn;
127 	struct pathname resolvepn;
128 	struct uarg args;
129 	struct execa ua;
130 	k_sigset_t savedmask;
131 	lwpdir_t *lwpdir = NULL;
132 	lwpdir_t **tidhash;
133 	lwpdir_t *old_lwpdir = NULL;
134 	uint_t old_lwpdir_sz;
135 	lwpdir_t **old_tidhash;
136 	uint_t old_tidhash_sz;
137 	lwpent_t *lep;
138 
139 	/*
140 	 * exec() is not supported for the /proc agent lwp.
141 	 */
142 	if (curthread == p->p_agenttp)
143 		return (ENOTSUP);
144 
145 	if ((error = secpolicy_basic_exec(CRED())) != 0)
146 		return (error);
147 
148 	/*
149 	 * Inform /proc that an exec() has started.
150 	 * Hold signals that are ignored by default so that we will
151 	 * not be interrupted by a signal that will be ignored after
152 	 * successful completion of gexec().
153 	 */
154 	mutex_enter(&p->p_lock);
155 	prexecstart();
156 	schedctl_finish_sigblock(curthread);
157 	savedmask = curthread->t_hold;
158 	sigorset(&curthread->t_hold, &ignoredefault);
159 	mutex_exit(&p->p_lock);
160 
161 	/*
162 	 * Look up path name and remember last component for later.
163 	 * To help coreadm expand its %d token, we attempt to save
164 	 * the directory containing the executable in p_execdir. The
165 	 * first call to lookuppn() may fail and return EINVAL because
166 	 * dirvpp is non-NULL. In that case, we make a second call to
167 	 * lookuppn() with dirvpp set to NULL; p_execdir will be NULL,
168 	 * but coreadm is allowed to expand %d to the empty string and
169 	 * there are other cases in which that failure may occur.
170 	 */
171 	if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0)
172 		goto out;
173 	pn_alloc(&resolvepn);
174 	if ((error = lookuppn(&pn, &resolvepn, FOLLOW, &dir, &vp)) != 0) {
175 		pn_free(&resolvepn);
176 		pn_free(&pn);
177 		if (error != EINVAL)
178 			goto out;
179 
180 		dir = NULL;
181 		if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0)
182 			goto out;
183 		pn_alloc(&resolvepn);
184 		if ((error = lookuppn(&pn, &resolvepn, FOLLOW, NULLVPP,
185 		    &vp)) != 0) {
186 			pn_free(&resolvepn);
187 			pn_free(&pn);
188 			goto out;
189 		}
190 	}
191 	if (vp == NULL) {
192 		if (dir != NULL)
193 			VN_RELE(dir);
194 		error = ENOENT;
195 		pn_free(&resolvepn);
196 		pn_free(&pn);
197 		goto out;
198 	}
199 
200 	/*
201 	 * We do not allow executing files in attribute directories.
202 	 * We test this by determining whether the resolved path
203 	 * contains a "/" when we're in an attribute directory;
204 	 * only if the pathname does not contain a "/" the resolved path
205 	 * points to a file in the current working (attribute) directory.
206 	 */
207 	if ((p->p_user.u_cdir->v_flag & V_XATTRDIR) != 0 &&
208 	    strchr(resolvepn.pn_path, '/') == NULL) {
209 		if (dir != NULL)
210 			VN_RELE(dir);
211 		error = EACCES;
212 		pn_free(&resolvepn);
213 		pn_free(&pn);
214 		VN_RELE(vp);
215 		goto out;
216 	}
217 
218 	bzero(exec_file, MAXCOMLEN+1);
219 	(void) strncpy(exec_file, pn.pn_path, MAXCOMLEN);
220 	bzero(&args, sizeof (args));
221 	args.pathname = resolvepn.pn_path;
222 	/* don't free resolvepn until we are done with args */
223 	pn_free(&pn);
224 
225 	/*
226 	 * Specific exec handlers, or policies determined via
227 	 * /etc/system may override the historical default.
228 	 */
229 	args.stk_prot = PROT_ZFOD;
230 	args.dat_prot = PROT_ZFOD;
231 
232 	CPU_STATS_ADD_K(sys, sysexec, 1);
233 	DTRACE_PROC1(exec, char *, args.pathname);
234 
235 	ua.fname = fname;
236 	ua.argp = argp;
237 	ua.envp = envp;
238 
239 	if ((error = gexec(&vp, &ua, &args, NULL, 0, &execsz,
240 	    exec_file, p->p_cred)) != 0) {
241 		VN_RELE(vp);
242 		if (dir != NULL)
243 			VN_RELE(dir);
244 		pn_free(&resolvepn);
245 		goto fail;
246 	}
247 
248 	/*
249 	 * Free floating point registers (sun4u only)
250 	 */
251 	ASSERT(lwp != NULL);
252 	lwp_freeregs(lwp, 1);
253 
254 	/*
255 	 * Free thread and process context ops.
256 	 */
257 	if (curthread->t_ctx)
258 		freectx(curthread, 1);
259 	if (p->p_pctx)
260 		freepctx(p, 1);
261 
262 	/*
263 	 * Remember file name for accounting; clear any cached DTrace predicate.
264 	 */
265 	up->u_acflag &= ~AFORK;
266 	bcopy(exec_file, up->u_comm, MAXCOMLEN+1);
267 	curthread->t_predcache = NULL;
268 
269 	/*
270 	 * Clear contract template state
271 	 */
272 	lwp_ctmpl_clear(lwp);
273 
274 	/*
275 	 * Save the directory in which we found the executable for expanding
276 	 * the %d token used in core file patterns.
277 	 */
278 	mutex_enter(&p->p_lock);
279 	tmpvp = p->p_execdir;
280 	p->p_execdir = dir;
281 	if (p->p_execdir != NULL)
282 		VN_HOLD(p->p_execdir);
283 	mutex_exit(&p->p_lock);
284 
285 	if (tmpvp != NULL)
286 		VN_RELE(tmpvp);
287 
288 	/*
289 	 * Reset stack state to the user stack, clear set of signals
290 	 * caught on the signal stack, and reset list of signals that
291 	 * restart system calls; the new program's environment should
292 	 * not be affected by detritus from the old program.  Any
293 	 * pending held signals remain held, so don't clear t_hold.
294 	 */
295 	mutex_enter(&p->p_lock);
296 	lwp->lwp_oldcontext = 0;
297 	lwp->lwp_ustack = 0;
298 	lwp->lwp_old_stk_ctl = 0;
299 	sigemptyset(&up->u_signodefer);
300 	sigemptyset(&up->u_sigonstack);
301 	sigemptyset(&up->u_sigresethand);
302 	lwp->lwp_sigaltstack.ss_sp = 0;
303 	lwp->lwp_sigaltstack.ss_size = 0;
304 	lwp->lwp_sigaltstack.ss_flags = SS_DISABLE;
305 
306 	/*
307 	 * Make saved resource limit == current resource limit.
308 	 */
309 	for (i = 0; i < RLIM_NLIMITS; i++) {
310 		/*CONSTCOND*/
311 		if (RLIM_SAVED(i)) {
312 			(void) rctl_rlimit_get(rctlproc_legacy[i], p,
313 			    &up->u_saved_rlimit[i]);
314 		}
315 	}
316 
317 	/*
318 	 * If the action was to catch the signal, then the action
319 	 * must be reset to SIG_DFL.
320 	 */
321 	sigdefault(p);
322 	p->p_flag &= ~(SNOWAIT|SJCTL);
323 	p->p_flag |= (SEXECED|SMSACCT|SMSFORK);
324 	up->u_signal[SIGCLD - 1] = SIG_DFL;
325 
326 	/*
327 	 * Delete the dot4 sigqueues/signotifies.
328 	 */
329 	sigqfree(p);
330 
331 	mutex_exit(&p->p_lock);
332 
333 	mutex_enter(&p->p_pflock);
334 	p->p_prof.pr_base = NULL;
335 	p->p_prof.pr_size = 0;
336 	p->p_prof.pr_off = 0;
337 	p->p_prof.pr_scale = 0;
338 	p->p_prof.pr_samples = 0;
339 	mutex_exit(&p->p_pflock);
340 
341 	ASSERT(curthread->t_schedctl == NULL);
342 
343 #if defined(__sparc)
344 	if (p->p_utraps != NULL)
345 		utrap_free(p);
346 #endif	/* __sparc */
347 
348 	/*
349 	 * Close all close-on-exec files.
350 	 */
351 	close_exec(P_FINFO(p));
352 	TRACE_2(TR_FAC_PROC, TR_PROC_EXEC, "proc_exec:p %p up %p", p, up);
353 	setregs(&args);
354 
355 	/* Mark this as an executable vnode */
356 	mutex_enter(&vp->v_lock);
357 	vp->v_flag |= VVMEXEC;
358 	mutex_exit(&vp->v_lock);
359 
360 	VN_RELE(vp);
361 	if (dir != NULL)
362 		VN_RELE(dir);
363 	pn_free(&resolvepn);
364 
365 	/*
366 	 * Allocate a new lwp directory and lwpid hash table if necessary.
367 	 */
368 	if (curthread->t_tid != 1 || p->p_lwpdir_sz != 2) {
369 		lwpdir = kmem_zalloc(2 * sizeof (lwpdir_t), KM_SLEEP);
370 		lwpdir->ld_next = lwpdir + 1;
371 		tidhash = kmem_zalloc(2 * sizeof (lwpdir_t *), KM_SLEEP);
372 		if (p->p_lwpdir != NULL)
373 			lep = p->p_lwpdir[curthread->t_dslot].ld_entry;
374 		else
375 			lep = kmem_zalloc(sizeof (*lep), KM_SLEEP);
376 	}
377 
378 	mutex_enter(&p->p_lock);
379 	prbarrier(p);
380 
381 	/*
382 	 * Reset lwp id to the default value of 1.
383 	 * This is a single-threaded process now
384 	 * and lwp #1 is lwp_wait()able by default.
385 	 * The t_unpark flag should not be inherited.
386 	 */
387 	ASSERT(p->p_lwpcnt == 1 && p->p_zombcnt == 0);
388 	curthread->t_tid = 1;
389 	curthread->t_unpark = 0;
390 	curthread->t_proc_flag |= TP_TWAIT;
391 	curthread->t_proc_flag &= ~TP_DAEMON;	/* daemons shouldn't exec */
392 	p->p_lwpdaemon = 0;			/* but oh well ... */
393 	p->p_lwpid = 1;
394 
395 	/*
396 	 * Install the newly-allocated lwp directory and lwpid hash table
397 	 * and insert the current thread into the new hash table.
398 	 */
399 	if (lwpdir != NULL) {
400 		old_lwpdir = p->p_lwpdir;
401 		old_lwpdir_sz = p->p_lwpdir_sz;
402 		old_tidhash = p->p_tidhash;
403 		old_tidhash_sz = p->p_tidhash_sz;
404 		p->p_lwpdir = p->p_lwpfree = lwpdir;
405 		p->p_lwpdir_sz = 2;
406 		p->p_tidhash = tidhash;
407 		p->p_tidhash_sz = 2;
408 		lep->le_thread = curthread;
409 		lep->le_lwpid = curthread->t_tid;
410 		lep->le_start = curthread->t_start;
411 		lwp_hash_in(p, lep);
412 	}
413 	/*
414 	 * Restore the saved signal mask and
415 	 * inform /proc that the exec() has finished.
416 	 */
417 	curthread->t_hold = savedmask;
418 	prexecend();
419 	mutex_exit(&p->p_lock);
420 	if (old_lwpdir) {
421 		kmem_free(old_lwpdir, old_lwpdir_sz * sizeof (lwpdir_t));
422 		kmem_free(old_tidhash, old_tidhash_sz * sizeof (lwpdir_t *));
423 	}
424 	ASSERT(error == 0);
425 	DTRACE_PROC(exec__success);
426 	return (0);
427 
428 fail:
429 	DTRACE_PROC1(exec__failure, int, error);
430 out:		/* error return */
431 	mutex_enter(&p->p_lock);
432 	curthread->t_hold = savedmask;
433 	prexecend();
434 	mutex_exit(&p->p_lock);
435 	ASSERT(error != 0);
436 	return (error);
437 }
438 
439 
440 /*
441  * Perform generic exec duties and switchout to object-file specific
442  * handler.
443  */
444 int
445 gexec(
446 	struct vnode **vpp,
447 	struct execa *uap,
448 	struct uarg *args,
449 	struct intpdata *idatap,
450 	int level,
451 	long *execsz,
452 	caddr_t exec_file,
453 	struct cred *cred)
454 {
455 	struct vnode *vp;
456 	proc_t *pp = ttoproc(curthread);
457 	struct execsw *eswp;
458 	int error = 0;
459 	int suidflags = 0;
460 	ssize_t resid;
461 	uid_t uid, gid;
462 	struct vattr vattr;
463 	char magbuf[MAGIC_BYTES];
464 	int setid;
465 	cred_t *oldcred, *newcred = NULL;
466 	int privflags = 0;
467 	int setidfl;
468 
469 	/*
470 	 * If the SNOCD or SUGID flag is set, turn it off and remember the
471 	 * previous setting so we can restore it if we encounter an error.
472 	 */
473 	if (level == 0 && (pp->p_flag & PSUIDFLAGS)) {
474 		mutex_enter(&pp->p_lock);
475 		suidflags = pp->p_flag & PSUIDFLAGS;
476 		pp->p_flag &= ~PSUIDFLAGS;
477 		mutex_exit(&pp->p_lock);
478 	}
479 
480 	if ((error = execpermissions(*vpp, &vattr, args)) != 0)
481 		goto bad;
482 
483 	/* need to open vnode for stateful file systems like rfs */
484 	if ((error = VOP_OPEN(vpp, FREAD, CRED())) != 0)
485 		goto bad;
486 	vp = *vpp;
487 
488 	/*
489 	 * Note: to support binary compatibility with SunOS a.out
490 	 * executables, we read in the first four bytes, as the
491 	 * magic number is in bytes 2-3.
492 	 */
493 	if (error = vn_rdwr(UIO_READ, vp, magbuf, sizeof (magbuf),
494 	    (offset_t)0, UIO_SYSSPACE, 0, (rlim64_t)0, CRED(), &resid))
495 		goto bad;
496 	if (resid != 0)
497 		goto bad;
498 
499 	if ((eswp = findexec_by_hdr(magbuf)) == NULL)
500 		goto bad;
501 
502 	if (level == 0 &&
503 	    (privflags = execsetid(vp, &vattr, &uid, &gid)) != 0) {
504 
505 		newcred = cred = crdup(cred);
506 
507 		/* If we can, drop the PA bit */
508 		if ((privflags & PRIV_RESET) != 0)
509 			priv_adjust_PA(cred);
510 
511 		if (privflags & PRIV_SETID) {
512 			cred->cr_uid = uid;
513 			cred->cr_gid = gid;
514 			cred->cr_suid = uid;
515 			cred->cr_sgid = gid;
516 		}
517 
518 		/*
519 		 * Implement the privilege updates:
520 		 *
521 		 * Restrict with L:
522 		 *
523 		 *	I' = I & L
524 		 *
525 		 *	E' = P' = (I' + F) & A
526 		 *
527 		 * But if running under ptrace, we cap I with P.
528 		 */
529 		if ((privflags & PRIV_RESET) != 0) {
530 			if ((privflags & PRIV_INCREASE) != 0 &&
531 			    (pp->p_proc_flag & P_PR_PTRACE) != 0)
532 				priv_intersect(&CR_OPPRIV(cred),
533 						    &CR_IPRIV(cred));
534 			priv_intersect(&CR_LPRIV(cred), &CR_IPRIV(cred));
535 			CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred);
536 			priv_adjust_PA(cred);
537 		}
538 	}
539 
540 	/* SunOS 4.x buy-back */
541 	if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) &&
542 	    (vattr.va_mode & (VSUID|VSGID))) {
543 		cmn_err(CE_NOTE,
544 		    "!%s, uid %d: setuid execution not allowed, dev=%lx",
545 		    exec_file, cred->cr_uid, vp->v_vfsp->vfs_dev);
546 	}
547 
548 	/*
549 	 * execsetid() told us whether or not we had to change the
550 	 * credentials of the process.  In privflags, it told us
551 	 * whether we gained any privileges or executed a set-uid executable.
552 	 */
553 	setid = (privflags & (PRIV_SETUGID|PRIV_INCREASE));
554 
555 	/*
556 	 * Use /etc/system variable to determine if the stack
557 	 * should be marked as executable by default.
558 	 */
559 	if (noexec_user_stack)
560 		args->stk_prot &= ~PROT_EXEC;
561 
562 	args->execswp = eswp; /* Save execsw pointer in uarg for exec_func */
563 
564 	/*
565 	 * Traditionally, the setid flags told the sub processes whether
566 	 * the file just executed was set-uid or set-gid; this caused
567 	 * some confusion as the 'setid' flag did not match the SUGID
568 	 * process flag which is only set when the uids/gids do not match.
569 	 * A script set-gid/set-uid to the real uid/gid would start with
570 	 * /dev/fd/X but an executable would happily trust LD_LIBRARY_PATH.
571 	 * Now we flag those cases where the calling process cannot
572 	 * be trusted to influence the newly exec'ed process, either
573 	 * because it runs with more privileges or when the uids/gids
574 	 * do in fact not match.
575 	 * This also makes the runtime linker agree with the on exec
576 	 * values of SNOCD and SUGID.
577 	 */
578 	setidfl = 0;
579 	if (cred->cr_uid != cred->cr_ruid || (cred->cr_rgid != cred->cr_gid &&
580 	    !supgroupmember(cred->cr_gid, cred))) {
581 		setidfl |= EXECSETID_UGIDS;
582 	}
583 	if (setid & PRIV_SETUGID)
584 		setidfl |= EXECSETID_SETID;
585 	if (setid & PRIV_INCREASE)
586 		setidfl |= EXECSETID_PRIVS;
587 
588 	error = (*eswp->exec_func)(vp, uap, args, idatap, level, execsz,
589 		setidfl, exec_file, cred);
590 	rw_exit(eswp->exec_lock);
591 	if (error != 0) {
592 		if (newcred != NULL)
593 			crfree(newcred);
594 		goto bad;
595 	}
596 
597 	if (level == 0) {
598 		mutex_enter(&pp->p_crlock);
599 		if (newcred != NULL) {
600 			/*
601 			 * Free the old credentials, and set the new ones.
602 			 * Do this for both the process and the (single) thread.
603 			 */
604 			crfree(pp->p_cred);
605 			pp->p_cred = cred;	/* cred already held for proc */
606 			crhold(cred);		/* hold new cred for thread */
607 			/*
608 			 * DTrace accesses t_cred in probe context.  t_cred
609 			 * must always be either NULL, or point to a valid,
610 			 * allocated cred structure.
611 			 */
612 			oldcred = curthread->t_cred;
613 			curthread->t_cred = cred;
614 			crfree(oldcred);
615 		}
616 		/*
617 		 * On emerging from a successful exec(), the saved
618 		 * uid and gid equal the effective uid and gid.
619 		 */
620 		cred->cr_suid = cred->cr_uid;
621 		cred->cr_sgid = cred->cr_gid;
622 
623 		/*
624 		 * If the real and effective ids do not match, this
625 		 * is a setuid process that should not dump core.
626 		 * The group comparison is tricky; we prevent the code
627 		 * from flagging SNOCD when executing with an effective gid
628 		 * which is a supplementary group.
629 		 */
630 		if (cred->cr_ruid != cred->cr_uid ||
631 		    (cred->cr_rgid != cred->cr_gid &&
632 		    !supgroupmember(cred->cr_gid, cred)) ||
633 		    (privflags & PRIV_INCREASE) != 0)
634 			suidflags = PSUIDFLAGS;
635 		else
636 			suidflags = 0;
637 
638 		mutex_exit(&pp->p_crlock);
639 		if (suidflags) {
640 			mutex_enter(&pp->p_lock);
641 			pp->p_flag |= suidflags;
642 			mutex_exit(&pp->p_lock);
643 		}
644 		if (setid && (pp->p_proc_flag & P_PR_PTRACE) == 0) {
645 			/*
646 			 * If process is traced via /proc, arrange to
647 			 * invalidate the associated /proc vnode.
648 			 */
649 			if (pp->p_plist || (pp->p_proc_flag & P_PR_TRACE))
650 				args->traceinval = 1;
651 		}
652 		if (pp->p_proc_flag & P_PR_PTRACE)
653 			psignal(pp, SIGTRAP);
654 		if (args->traceinval)
655 			prinvalidate(&pp->p_user);
656 	}
657 
658 	return (0);
659 bad:
660 	if (error == 0)
661 		error = ENOEXEC;
662 
663 	if (suidflags) {
664 		mutex_enter(&pp->p_lock);
665 		pp->p_flag |= suidflags;
666 		mutex_exit(&pp->p_lock);
667 	}
668 	return (error);
669 }
670 
671 extern char *execswnames[];
672 
673 struct execsw *
674 allocate_execsw(char *name, char *magic, size_t magic_size)
675 {
676 	int i, j;
677 	char *ename;
678 	char *magicp;
679 
680 	mutex_enter(&execsw_lock);
681 	for (i = 0; i < nexectype; i++) {
682 		if (execswnames[i] == NULL) {
683 			ename = kmem_alloc(strlen(name) + 1, KM_SLEEP);
684 			(void) strcpy(ename, name);
685 			execswnames[i] = ename;
686 			/*
687 			 * Set the magic number last so that we
688 			 * don't need to hold the execsw_lock in
689 			 * findexectype().
690 			 */
691 			magicp = kmem_alloc(magic_size, KM_SLEEP);
692 			for (j = 0; j < magic_size; j++)
693 				magicp[j] = magic[j];
694 			execsw[i].exec_magic = magicp;
695 			mutex_exit(&execsw_lock);
696 			return (&execsw[i]);
697 		}
698 	}
699 	mutex_exit(&execsw_lock);
700 	return (NULL);
701 }
702 
703 /*
704  * Find the exec switch table entry with the corresponding magic string.
705  */
706 struct execsw *
707 findexecsw(char *magic)
708 {
709 	struct execsw *eswp;
710 
711 	for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
712 		ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
713 		if (magic && eswp->exec_maglen != 0 &&
714 		    bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0)
715 			return (eswp);
716 	}
717 	return (NULL);
718 }
719 
720 /*
721  * Find the execsw[] index for the given exec header string by looking for the
722  * magic string at a specified offset and length for each kind of executable
723  * file format until one matches.  If no execsw[] entry is found, try to
724  * autoload a module for this magic string.
725  */
726 struct execsw *
727 findexec_by_hdr(char *header)
728 {
729 	struct execsw *eswp;
730 
731 	for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
732 		ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
733 		if (header && eswp->exec_maglen != 0 &&
734 		    bcmp(&header[eswp->exec_magoff], eswp->exec_magic,
735 			    eswp->exec_maglen) == 0) {
736 			if (hold_execsw(eswp) != 0)
737 				return (NULL);
738 			return (eswp);
739 		}
740 	}
741 	return (NULL);	/* couldn't find the type */
742 }
743 
744 /*
745  * Find the execsw[] index for the given magic string.  If no execsw[] entry
746  * is found, try to autoload a module for this magic string.
747  */
748 struct execsw *
749 findexec_by_magic(char *magic)
750 {
751 	struct execsw *eswp;
752 
753 	for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
754 		ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
755 		if (magic && eswp->exec_maglen != 0 &&
756 		    bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0) {
757 			if (hold_execsw(eswp) != 0)
758 				return (NULL);
759 			return (eswp);
760 		}
761 	}
762 	return (NULL);	/* couldn't find the type */
763 }
764 
765 static int
766 hold_execsw(struct execsw *eswp)
767 {
768 	char *name;
769 
770 	rw_enter(eswp->exec_lock, RW_READER);
771 	while (!LOADED_EXEC(eswp)) {
772 		rw_exit(eswp->exec_lock);
773 		name = execswnames[eswp-execsw];
774 		ASSERT(name);
775 		if (modload("exec", name) == -1)
776 			return (-1);
777 		rw_enter(eswp->exec_lock, RW_READER);
778 	}
779 	return (0);
780 }
781 
782 static int
783 execsetid(struct vnode *vp, struct vattr *vattrp, uid_t *uidp, uid_t *gidp)
784 {
785 	proc_t *pp = ttoproc(curthread);
786 	uid_t uid, gid;
787 	cred_t *cr = pp->p_cred;
788 	int privflags = 0;
789 
790 	/*
791 	 * Remember credentials.
792 	 */
793 	uid = cr->cr_uid;
794 	gid = cr->cr_gid;
795 
796 	/* Will try to reset the PRIV_AWARE bit later. */
797 	if ((CR_FLAGS(cr) & (PRIV_AWARE|PRIV_AWARE_INHERIT)) == PRIV_AWARE)
798 		privflags |= PRIV_RESET;
799 
800 	if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) == 0) {
801 		/*
802 		 * Set-uid root execution only allowed if the limit set
803 		 * holds all unsafe privileges.
804 		 */
805 		if ((vattrp->va_mode & VSUID) && (vattrp->va_uid != 0 ||
806 		    priv_issubset(&priv_unsafe, &CR_LPRIV(cr)))) {
807 			uid = vattrp->va_uid;
808 			privflags |= PRIV_SETUGID;
809 		}
810 		if (vattrp->va_mode & VSGID) {
811 			gid = vattrp->va_gid;
812 			privflags |= PRIV_SETUGID;
813 		}
814 	}
815 
816 	/*
817 	 * Do we need to change our credential anyway?
818 	 * This is the case when E != I or P != I, as
819 	 * we need to do the assignments (with F empty and A full)
820 	 * Or when I is not a subset of L; in that case we need to
821 	 * enforce L.
822 	 *
823 	 *		I' = L & I
824 	 *
825 	 *		E' = P' = (I' + F) & A
826 	 * or
827 	 *		E' = P' = I'
828 	 */
829 	if (!priv_isequalset(&CR_EPRIV(cr), &CR_IPRIV(cr)) ||
830 	    !priv_issubset(&CR_IPRIV(cr), &CR_LPRIV(cr)) ||
831 	    !priv_isequalset(&CR_PPRIV(cr), &CR_IPRIV(cr)))
832 		privflags |= PRIV_RESET;
833 
834 	/*
835 	 * When we introduce the "forced" set then we will need
836 	 * to set PRIV_INCREASE here if I not a subset of P.
837 	 * If the "allowed" set is introduced we will need to do
838 	 * a similar thing; however, it seems more reasonable to
839 	 * have the allowed set reduce "L": script language interpreters
840 	 * would typically have an allowed set of "all".
841 	 */
842 
843 	/*
844 	 * Set setuid/setgid protections if no ptrace() compatibility.
845 	 * For privileged processes, honor setuid/setgid even in
846 	 * the presence of ptrace() compatibility.
847 	 */
848 	if (((pp->p_proc_flag & P_PR_PTRACE) == 0 ||
849 	    PRIV_POLICY_ONLY(cr, PRIV_PROC_OWNER, (uid == 0))) &&
850 	    (cr->cr_uid != uid ||
851 	    cr->cr_gid != gid ||
852 	    cr->cr_suid != uid ||
853 	    cr->cr_sgid != gid)) {
854 		*uidp = uid;
855 		*gidp = gid;
856 		privflags |= PRIV_SETID;
857 	}
858 	return (privflags);
859 }
860 
861 int
862 execpermissions(struct vnode *vp, struct vattr *vattrp, struct uarg *args)
863 {
864 	int error;
865 	proc_t *p = ttoproc(curthread);
866 
867 	vattrp->va_mask = AT_MODE | AT_UID | AT_GID | AT_SIZE;
868 	if (error = VOP_GETATTR(vp, vattrp, ATTR_EXEC, p->p_cred))
869 		return (error);
870 	/*
871 	 * Check the access mode.
872 	 * If VPROC, ask /proc if the file is an object file.
873 	 */
874 	if ((error = VOP_ACCESS(vp, VEXEC, 0, p->p_cred)) != 0 ||
875 	    !(vp->v_type == VREG || (vp->v_type == VPROC && pr_isobject(vp))) ||
876 	    (vp->v_vfsp->vfs_flag & VFS_NOEXEC) != 0 ||
877 	    (vattrp->va_mode & (VEXEC|(VEXEC>>3)|(VEXEC>>6))) == 0) {
878 		if (error == 0)
879 			error = EACCES;
880 		return (error);
881 	}
882 
883 	if ((p->p_plist || (p->p_proc_flag & (P_PR_PTRACE|P_PR_TRACE))) &&
884 	    (error = VOP_ACCESS(vp, VREAD, 0, p->p_cred))) {
885 		/*
886 		 * If process is under ptrace(2) compatibility,
887 		 * fail the exec(2).
888 		 */
889 		if (p->p_proc_flag & P_PR_PTRACE)
890 			goto bad;
891 		/*
892 		 * Process is traced via /proc.
893 		 * Arrange to invalidate the /proc vnode.
894 		 */
895 		args->traceinval = 1;
896 	}
897 	return (0);
898 bad:
899 	if (error == 0)
900 		error = ENOEXEC;
901 	return (error);
902 }
903 
904 /*
905  * Map a section of an executable file into the user's
906  * address space.
907  */
908 int
909 execmap(struct vnode *vp, caddr_t addr, size_t len, size_t zfodlen,
910     off_t offset, int prot, int page, uint_t szc)
911 {
912 	int error = 0;
913 	off_t oldoffset;
914 	caddr_t zfodbase, oldaddr;
915 	size_t end, oldlen;
916 	size_t zfoddiff;
917 	label_t ljb;
918 	proc_t *p = ttoproc(curthread);
919 
920 	oldaddr = addr;
921 	addr = (caddr_t)((uintptr_t)addr & (uintptr_t)PAGEMASK);
922 	if (len) {
923 		oldlen = len;
924 		len += ((size_t)oldaddr - (size_t)addr);
925 		oldoffset = offset;
926 		offset = (off_t)((uintptr_t)offset & PAGEMASK);
927 		if (page) {
928 			spgcnt_t  prefltmem, availm, npages;
929 			int preread;
930 			uint_t mflag = MAP_PRIVATE | MAP_FIXED;
931 
932 			if ((prot & (PROT_WRITE | PROT_EXEC)) == PROT_EXEC) {
933 				mflag |= MAP_TEXT;
934 			} else {
935 				mflag |= MAP_INITDATA;
936 			}
937 
938 			if (valid_usr_range(addr, len, prot, p->p_as,
939 			    p->p_as->a_userlimit) != RANGE_OKAY) {
940 				error = ENOMEM;
941 				goto bad;
942 			}
943 			if (error = VOP_MAP(vp, (offset_t)offset,
944 			    p->p_as, &addr, len, prot, PROT_ALL,
945 			    mflag, CRED()))
946 				goto bad;
947 
948 			/*
949 			 * If the segment can fit, then we prefault
950 			 * the entire segment in.  This is based on the
951 			 * model that says the best working set of a
952 			 * small program is all of its pages.
953 			 */
954 			npages = (spgcnt_t)btopr(len);
955 			prefltmem = freemem - desfree;
956 			preread =
957 			    (npages < prefltmem && len < PGTHRESH) ? 1 : 0;
958 
959 			/*
960 			 * If we aren't prefaulting the segment,
961 			 * increment "deficit", if necessary to ensure
962 			 * that pages will become available when this
963 			 * process starts executing.
964 			 */
965 			availm = freemem - lotsfree;
966 			if (preread == 0 && npages > availm &&
967 			    deficit < lotsfree) {
968 				deficit += MIN((pgcnt_t)(npages - availm),
969 				    lotsfree - deficit);
970 			}
971 
972 			if (preread) {
973 				TRACE_2(TR_FAC_PROC, TR_EXECMAP_PREREAD,
974 				    "execmap preread:freemem %d size %lu",
975 				    freemem, len);
976 				(void) as_fault(p->p_as->a_hat, p->p_as,
977 				    (caddr_t)addr, len, F_INVAL, S_READ);
978 			}
979 		} else {
980 			if (valid_usr_range(addr, len, prot, p->p_as,
981 			    p->p_as->a_userlimit) != RANGE_OKAY) {
982 				error = ENOMEM;
983 				goto bad;
984 			}
985 
986 			if (error = as_map(p->p_as, addr, len,
987 			    segvn_create, zfod_argsp))
988 				goto bad;
989 			/*
990 			 * Read in the segment in one big chunk.
991 			 */
992 			if (error = vn_rdwr(UIO_READ, vp, (caddr_t)oldaddr,
993 			    oldlen, (offset_t)oldoffset, UIO_USERSPACE, 0,
994 			    (rlim64_t)0, CRED(), (ssize_t *)0))
995 				goto bad;
996 			/*
997 			 * Now set protections.
998 			 */
999 			if (prot != PROT_ZFOD) {
1000 				(void) as_setprot(p->p_as, (caddr_t)addr,
1001 				    len, prot);
1002 			}
1003 		}
1004 	}
1005 
1006 	if (zfodlen) {
1007 		end = (size_t)addr + len;
1008 		zfodbase = (caddr_t)roundup(end, PAGESIZE);
1009 		zfoddiff = (uintptr_t)zfodbase - end;
1010 		if (zfoddiff) {
1011 			if (on_fault(&ljb)) {
1012 				no_fault();
1013 				error = EFAULT;
1014 				goto bad;
1015 			}
1016 			uzero((void *)end, zfoddiff);
1017 			no_fault();
1018 		}
1019 		if (zfodlen > zfoddiff) {
1020 			struct segvn_crargs crargs =
1021 			    SEGVN_ZFOD_ARGS(PROT_ZFOD, PROT_ALL);
1022 
1023 			zfodlen -= zfoddiff;
1024 			if (valid_usr_range(zfodbase, zfodlen, prot, p->p_as,
1025 			    p->p_as->a_userlimit) != RANGE_OKAY) {
1026 				error = ENOMEM;
1027 				goto bad;
1028 			}
1029 			crargs.szc = szc;
1030 			if (error = as_map(p->p_as, (caddr_t)zfodbase,
1031 			    zfodlen, segvn_create, &crargs))
1032 				goto bad;
1033 			if (prot != PROT_ZFOD) {
1034 				(void) as_setprot(p->p_as, (caddr_t)zfodbase,
1035 				    zfodlen, prot);
1036 			}
1037 		}
1038 	}
1039 	return (0);
1040 bad:
1041 	return (error);
1042 }
1043 
1044 void
1045 setexecenv(struct execenv *ep)
1046 {
1047 	proc_t *p = ttoproc(curthread);
1048 	klwp_t *lwp = ttolwp(curthread);
1049 	struct vnode *vp;
1050 
1051 	p->p_bssbase = ep->ex_bssbase;
1052 	p->p_brkbase = ep->ex_brkbase;
1053 	p->p_brksize = ep->ex_brksize;
1054 	if (p->p_exec)
1055 		VN_RELE(p->p_exec);	/* out with the old */
1056 	vp = p->p_exec = ep->ex_vp;
1057 	if (vp != NULL)
1058 		VN_HOLD(vp);		/* in with the new */
1059 
1060 	lwp->lwp_sigaltstack.ss_sp = 0;
1061 	lwp->lwp_sigaltstack.ss_size = 0;
1062 	lwp->lwp_sigaltstack.ss_flags = SS_DISABLE;
1063 }
1064 
1065 int
1066 execopen(struct vnode **vpp, int *fdp)
1067 {
1068 	struct vnode *vp = *vpp;
1069 	file_t *fp;
1070 	int error = 0;
1071 	int filemode = FREAD;
1072 
1073 	VN_HOLD(vp);		/* open reference */
1074 	if (error = falloc(NULL, filemode, &fp, fdp)) {
1075 		VN_RELE(vp);
1076 		*fdp = -1;	/* just in case falloc changed value */
1077 		return (error);
1078 	}
1079 	if (error = VOP_OPEN(&vp, filemode, CRED())) {
1080 		VN_RELE(vp);
1081 		setf(*fdp, NULL);
1082 		unfalloc(fp);
1083 		*fdp = -1;
1084 		return (error);
1085 	}
1086 	*vpp = vp;		/* vnode should not have changed */
1087 	fp->f_vnode = vp;
1088 	mutex_exit(&fp->f_tlock);
1089 	setf(*fdp, fp);
1090 	return (0);
1091 }
1092 
1093 int
1094 execclose(int fd)
1095 {
1096 	return (closeandsetf(fd, NULL));
1097 }
1098 
1099 
1100 /*
1101  * noexec stub function.
1102  */
1103 /*ARGSUSED*/
1104 int
1105 noexec(
1106     struct vnode *vp,
1107     struct execa *uap,
1108     struct uarg *args,
1109     struct intpdata *idatap,
1110     int level,
1111     long *execsz,
1112     int setid,
1113     caddr_t exec_file,
1114     struct cred *cred)
1115 {
1116 	cmn_err(CE_WARN, "missing exec capability for %s", uap->fname);
1117 	return (ENOEXEC);
1118 }
1119 
1120 /*
1121  * Support routines for building a user stack.
1122  *
1123  * execve(path, argv, envp) must construct a new stack with the specified
1124  * arguments and environment variables (see exec_args() for a description
1125  * of the user stack layout).  To do this, we copy the arguments and
1126  * environment variables from the old user address space into the kernel,
1127  * free the old as, create the new as, and copy our buffered information
1128  * to the new stack.  Our kernel buffer has the following structure:
1129  *
1130  *	+-----------------------+ <--- stk_base + stk_size
1131  *	| string offsets	|
1132  *	+-----------------------+ <--- stk_offp
1133  *	|			|
1134  *	| STK_AVAIL() space	|
1135  *	|			|
1136  *	+-----------------------+ <--- stk_strp
1137  *	| strings		|
1138  *	+-----------------------+ <--- stk_base
1139  *
1140  * When we add a string, we store the string's contents (including the null
1141  * terminator) at stk_strp, and we store the offset of the string relative to
1142  * stk_base at --stk_offp.  At strings are added, stk_strp increases and
1143  * stk_offp decreases.  The amount of space remaining, STK_AVAIL(), is just
1144  * the difference between these pointers.  If we run out of space, we return
1145  * an error and exec_args() starts all over again with a buffer twice as large.
1146  * When we're all done, the kernel buffer looks like this:
1147  *
1148  *	+-----------------------+ <--- stk_base + stk_size
1149  *	| argv[0] offset	|
1150  *	+-----------------------+
1151  *	| ...			|
1152  *	+-----------------------+
1153  *	| argv[argc-1] offset	|
1154  *	+-----------------------+
1155  *	| envp[0] offset	|
1156  *	+-----------------------+
1157  *	| ...			|
1158  *	+-----------------------+
1159  *	| envp[envc-1] offset	|
1160  *	+-----------------------+
1161  *	| AT_SUN_PLATFORM offset|
1162  *	+-----------------------+
1163  *	| AT_SUN_EXECNAME offset|
1164  *	+-----------------------+ <--- stk_offp
1165  *	|			|
1166  *	| STK_AVAIL() space	|
1167  *	|			|
1168  *	+-----------------------+ <--- stk_strp
1169  *	| AT_SUN_EXECNAME offset|
1170  *	+-----------------------+
1171  *	| AT_SUN_PLATFORM offset|
1172  *	+-----------------------+
1173  *	| envp[envc-1] string	|
1174  *	+-----------------------+
1175  *	| ...			|
1176  *	+-----------------------+
1177  *	| envp[0] string	|
1178  *	+-----------------------+
1179  *	| argv[argc-1] string	|
1180  *	+-----------------------+
1181  *	| ...			|
1182  *	+-----------------------+
1183  *	| argv[0] string	|
1184  *	+-----------------------+ <--- stk_base
1185  */
1186 
1187 #define	STK_AVAIL(args)		((char *)(args)->stk_offp - (args)->stk_strp)
1188 
1189 /*
1190  * Add a string to the stack.
1191  */
1192 static int
1193 stk_add(uarg_t *args, const char *sp, enum uio_seg segflg)
1194 {
1195 	int error;
1196 	size_t len;
1197 
1198 	if (STK_AVAIL(args) < sizeof (int))
1199 		return (E2BIG);
1200 	*--args->stk_offp = args->stk_strp - args->stk_base;
1201 
1202 	if (segflg == UIO_USERSPACE) {
1203 		error = copyinstr(sp, args->stk_strp, STK_AVAIL(args), &len);
1204 		if (error != 0)
1205 			return (error);
1206 	} else {
1207 		len = strlen(sp) + 1;
1208 		if (len > STK_AVAIL(args))
1209 			return (E2BIG);
1210 		bcopy(sp, args->stk_strp, len);
1211 	}
1212 
1213 	args->stk_strp += len;
1214 
1215 	return (0);
1216 }
1217 
1218 static int
1219 stk_getptr(uarg_t *args, char *src, char **dst)
1220 {
1221 	int error;
1222 
1223 	if (args->from_model == DATAMODEL_NATIVE) {
1224 		ulong_t ptr;
1225 		error = fulword(src, &ptr);
1226 		*dst = (caddr_t)ptr;
1227 	} else {
1228 		uint32_t ptr;
1229 		error = fuword32(src, &ptr);
1230 		*dst = (caddr_t)(uintptr_t)ptr;
1231 	}
1232 	return (error);
1233 }
1234 
1235 static int
1236 stk_putptr(uarg_t *args, char *addr, char *value)
1237 {
1238 	if (args->to_model == DATAMODEL_NATIVE)
1239 		return (sulword(addr, (ulong_t)value));
1240 	else
1241 		return (suword32(addr, (uint32_t)(uintptr_t)value));
1242 }
1243 
1244 static int
1245 stk_copyin(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp)
1246 {
1247 	char *sp;
1248 	int argc, error;
1249 	int argv_empty = 0;
1250 	size_t ptrsize = args->from_ptrsize;
1251 	size_t size, pad;
1252 	char *argv = (char *)uap->argp;
1253 	char *envp = (char *)uap->envp;
1254 
1255 	/*
1256 	 * Copy interpreter's name and argument to argv[0] and argv[1].
1257 	 */
1258 	if (intp != NULL && intp->intp_name != NULL) {
1259 		if ((error = stk_add(args, intp->intp_name, UIO_SYSSPACE)) != 0)
1260 			return (error);
1261 		if (intp->intp_arg != NULL &&
1262 		    (error = stk_add(args, intp->intp_arg, UIO_SYSSPACE)) != 0)
1263 			return (error);
1264 		if (args->fname != NULL)
1265 			error = stk_add(args, args->fname, UIO_SYSSPACE);
1266 		else
1267 			error = stk_add(args, uap->fname, UIO_USERSPACE);
1268 		if (error)
1269 			return (error);
1270 
1271 		/*
1272 		 * Check for an empty argv[].
1273 		 */
1274 		if (stk_getptr(args, argv, &sp))
1275 			return (EFAULT);
1276 		if (sp == NULL)
1277 			argv_empty = 1;
1278 
1279 		argv += ptrsize;		/* ignore original argv[0] */
1280 	}
1281 
1282 	if (argv_empty == 0) {
1283 		/*
1284 		 * Add argv[] strings to the stack.
1285 		 */
1286 		for (;;) {
1287 			if (stk_getptr(args, argv, &sp))
1288 				return (EFAULT);
1289 			if (sp == NULL)
1290 				break;
1291 			if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0)
1292 				return (error);
1293 			argv += ptrsize;
1294 		}
1295 	}
1296 	argc = (int *)(args->stk_base + args->stk_size) - args->stk_offp;
1297 	args->arglen = args->stk_strp - args->stk_base;
1298 
1299 	/*
1300 	 * Add environ[] strings to the stack.
1301 	 */
1302 	if (envp != NULL) {
1303 		for (;;) {
1304 			if (stk_getptr(args, envp, &sp))
1305 				return (EFAULT);
1306 			if (sp == NULL)
1307 				break;
1308 			if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0)
1309 				return (error);
1310 			envp += ptrsize;
1311 		}
1312 	}
1313 	args->na = (int *)(args->stk_base + args->stk_size) - args->stk_offp;
1314 	args->ne = args->na - argc;
1315 
1316 	/*
1317 	 * Add AT_SUN_PLATFORM and AT_SUN_EXECNAME strings to the stack.
1318 	 */
1319 	if (auxvpp != NULL && *auxvpp != NULL) {
1320 		if ((error = stk_add(args, platform, UIO_SYSSPACE)) != 0)
1321 			return (error);
1322 		if ((error = stk_add(args, args->pathname, UIO_SYSSPACE)) != 0)
1323 			return (error);
1324 	}
1325 
1326 	/*
1327 	 * Compute the size of the stack.  This includes all the pointers,
1328 	 * the space reserved for the aux vector, and all the strings.
1329 	 * The total number of pointers is args->na (which is argc + envc)
1330 	 * plus 4 more: (1) a pointer's worth of space for argc; (2) the NULL
1331 	 * after the last argument (i.e. argv[argc]); (3) the NULL after the
1332 	 * last environment variable (i.e. envp[envc]); and (4) the NULL after
1333 	 * all the strings, at the very top of the stack.
1334 	 */
1335 	size = (args->na + 4) * args->to_ptrsize + args->auxsize +
1336 	    (args->stk_strp - args->stk_base);
1337 
1338 	/*
1339 	 * Pad the string section with zeroes to align the stack size.
1340 	 */
1341 	pad = P2NPHASE(size, args->stk_align);
1342 
1343 	if (STK_AVAIL(args) < pad)
1344 		return (E2BIG);
1345 
1346 	args->usrstack_size = size + pad;
1347 
1348 	while (pad-- != 0)
1349 		*args->stk_strp++ = 0;
1350 
1351 	args->nc = args->stk_strp - args->stk_base;
1352 
1353 	return (0);
1354 }
1355 
1356 static int
1357 stk_copyout(uarg_t *args, char *usrstack, void **auxvpp, user_t *up)
1358 {
1359 	size_t ptrsize = args->to_ptrsize;
1360 	ssize_t pslen;
1361 	char *kstrp = args->stk_base;
1362 	char *ustrp = usrstack - args->nc - ptrsize;
1363 	char *usp = usrstack - args->usrstack_size;
1364 	int *offp = (int *)(args->stk_base + args->stk_size);
1365 	int envc = args->ne;
1366 	int argc = args->na - envc;
1367 	int i;
1368 
1369 	/*
1370 	 * Record argc for /proc.
1371 	 */
1372 	up->u_argc = argc;
1373 
1374 	/*
1375 	 * Put argc on the stack.  Note that even though it's an int,
1376 	 * it always consumes ptrsize bytes (for alignment).
1377 	 */
1378 	if (stk_putptr(args, usp, (char *)(uintptr_t)argc))
1379 		return (-1);
1380 
1381 	/*
1382 	 * Add argc space (ptrsize) to usp and record argv for /proc.
1383 	 */
1384 	up->u_argv = (uintptr_t)(usp += ptrsize);
1385 
1386 	/*
1387 	 * Put the argv[] pointers on the stack.
1388 	 */
1389 	for (i = 0; i < argc; i++, usp += ptrsize)
1390 		if (stk_putptr(args, usp, &ustrp[*--offp]))
1391 			return (-1);
1392 
1393 	/*
1394 	 * Copy arguments to u_psargs.
1395 	 */
1396 	pslen = MIN(args->arglen, PSARGSZ) - 1;
1397 	for (i = 0; i < pslen; i++)
1398 		up->u_psargs[i] = (kstrp[i] == '\0' ? ' ' : kstrp[i]);
1399 	while (i < PSARGSZ)
1400 		up->u_psargs[i++] = '\0';
1401 
1402 	/*
1403 	 * Add space for argv[]'s NULL terminator (ptrsize) to usp and
1404 	 * record envp for /proc.
1405 	 */
1406 	up->u_envp = (uintptr_t)(usp += ptrsize);
1407 
1408 	/*
1409 	 * Put the envp[] pointers on the stack.
1410 	 */
1411 	for (i = 0; i < envc; i++, usp += ptrsize)
1412 		if (stk_putptr(args, usp, &ustrp[*--offp]))
1413 			return (-1);
1414 
1415 	/*
1416 	 * Add space for envp[]'s NULL terminator (ptrsize) to usp and
1417 	 * remember where the stack ends, which is also where auxv begins.
1418 	 */
1419 	args->stackend = usp += ptrsize;
1420 
1421 	/*
1422 	 * Put all the argv[], envp[], and auxv strings on the stack.
1423 	 */
1424 	if (copyout(args->stk_base, ustrp, args->nc))
1425 		return (-1);
1426 
1427 	/*
1428 	 * Fill in the aux vector now that we know the user stack addresses
1429 	 * for the AT_SUN_PLATFORM and AT_SUN_EXECNAME strings.
1430 	 */
1431 	if (auxvpp != NULL && *auxvpp != NULL) {
1432 		if (args->to_model == DATAMODEL_NATIVE) {
1433 			auxv_t **a = (auxv_t **)auxvpp;
1434 			ADDAUX(*a, AT_SUN_PLATFORM, (long)&ustrp[*--offp])
1435 			ADDAUX(*a, AT_SUN_EXECNAME, (long)&ustrp[*--offp])
1436 		} else {
1437 			auxv32_t **a = (auxv32_t **)auxvpp;
1438 			ADDAUX(*a,
1439 			    AT_SUN_PLATFORM, (int)(uintptr_t)&ustrp[*--offp])
1440 			ADDAUX(*a,
1441 			    AT_SUN_EXECNAME, (int)(uintptr_t)&ustrp[*--offp]);
1442 		}
1443 	}
1444 
1445 	return (0);
1446 }
1447 
1448 #ifdef DEBUG
1449 int mpss_brkpgszsel = 0;
1450 int mpss_stkpgszsel = 0;
1451 #endif
1452 
1453 /*
1454  * Initialize a new user stack with the specified arguments and environment.
1455  * The initial user stack layout is as follows:
1456  *
1457  *	User Stack
1458  *	+---------------+ <--- curproc->p_usrstack
1459  *	| NULL		|
1460  *	+---------------+
1461  *	|		|
1462  *	| auxv strings	|
1463  *	|		|
1464  *	+---------------+
1465  *	|		|
1466  *	| envp strings	|
1467  *	|		|
1468  *	+---------------+
1469  *	|		|
1470  *	| argv strings	|
1471  *	|		|
1472  *	+---------------+ <--- ustrp
1473  *	|		|
1474  *	| aux vector	|
1475  *	|		|
1476  *	+---------------+ <--- auxv
1477  *	| NULL		|
1478  *	+---------------+
1479  *	| envp[envc-1]	|
1480  *	+---------------+
1481  *	| ...		|
1482  *	+---------------+
1483  *	| envp[0]	|
1484  *	+---------------+ <--- envp[]
1485  *	| NULL		|
1486  *	+---------------+
1487  *	| argv[argc-1]	|
1488  *	+---------------+
1489  *	| ...		|
1490  *	+---------------+
1491  *	| argv[0]	|
1492  *	+---------------+ <--- argv[]
1493  *	| argc		|
1494  *	+---------------+ <--- stack base
1495  */
1496 int
1497 exec_args(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp)
1498 {
1499 	size_t size;
1500 	int error;
1501 	proc_t *p = ttoproc(curthread);
1502 	user_t *up = PTOU(p);
1503 	char *usrstack;
1504 	rctl_entity_p_t e;
1505 
1506 	struct as *as;
1507 
1508 	args->from_model = p->p_model;
1509 	if (p->p_model == DATAMODEL_NATIVE) {
1510 		args->from_ptrsize = sizeof (long);
1511 	} else {
1512 		args->from_ptrsize = sizeof (int32_t);
1513 	}
1514 
1515 	if (args->to_model == DATAMODEL_NATIVE) {
1516 		args->to_ptrsize = sizeof (long);
1517 		args->ncargs = NCARGS;
1518 		args->stk_align = STACK_ALIGN;
1519 		usrstack = (char *)USRSTACK;
1520 	} else {
1521 		args->to_ptrsize = sizeof (int32_t);
1522 		args->ncargs = NCARGS32;
1523 		args->stk_align = STACK_ALIGN32;
1524 		usrstack = (char *)USRSTACK32;
1525 	}
1526 
1527 	ASSERT(P2PHASE((uintptr_t)usrstack, args->stk_align) == 0);
1528 
1529 #if defined(__sparc)
1530 	/*
1531 	 * Make sure user register windows are empty before
1532 	 * attempting to make a new stack.
1533 	 */
1534 	(void) flush_user_windows_to_stack(NULL);
1535 #endif
1536 
1537 	for (size = PAGESIZE; ; size *= 2) {
1538 		args->stk_size = size;
1539 		args->stk_base = kmem_alloc(size, KM_SLEEP);
1540 		args->stk_strp = args->stk_base;
1541 		args->stk_offp = (int *)(args->stk_base + size);
1542 		error = stk_copyin(uap, args, intp, auxvpp);
1543 		if (error == 0)
1544 			break;
1545 		kmem_free(args->stk_base, size);
1546 		if (error != E2BIG && error != ENAMETOOLONG)
1547 			return (error);
1548 		if (size >= args->ncargs)
1549 			return (E2BIG);
1550 	}
1551 
1552 	size = args->usrstack_size;
1553 
1554 	ASSERT(error == 0);
1555 	ASSERT(P2PHASE(size, args->stk_align) == 0);
1556 	ASSERT((ssize_t)STK_AVAIL(args) >= 0);
1557 
1558 	if (size > args->ncargs) {
1559 		kmem_free(args->stk_base, args->stk_size);
1560 		return (E2BIG);
1561 	}
1562 
1563 	/*
1564 	 * Leave only the current lwp and force the other lwps to exit.
1565 	 * If another lwp beat us to the punch by calling exit(), bail out.
1566 	 */
1567 	if ((error = exitlwps(0)) != 0) {
1568 		kmem_free(args->stk_base, args->stk_size);
1569 		return (error);
1570 	}
1571 
1572 	/*
1573 	 * Revoke any doors created by the process.
1574 	 */
1575 	if (p->p_door_list)
1576 		door_exit();
1577 
1578 	/*
1579 	 * Release schedctl data structures.
1580 	 */
1581 	if (p->p_pagep)
1582 		schedctl_proc_cleanup();
1583 
1584 	/*
1585 	 * Clean up any DTrace helpers for the process.
1586 	 */
1587 	if (p->p_dtrace_helpers != NULL) {
1588 		ASSERT(dtrace_helpers_cleanup != NULL);
1589 		(*dtrace_helpers_cleanup)();
1590 	}
1591 
1592 	mutex_enter(&p->p_lock);
1593 	/*
1594 	 * Cleanup the DTrace provider associated with this process.
1595 	 */
1596 	if (p->p_dtrace_probes) {
1597 		ASSERT(dtrace_fasttrap_exec_ptr != NULL);
1598 		dtrace_fasttrap_exec_ptr(p);
1599 	}
1600 	mutex_exit(&p->p_lock);
1601 
1602 	/*
1603 	 * discard the lwpchan cache.
1604 	 */
1605 	if (p->p_lcp != NULL)
1606 		lwpchan_destroy_cache(1);
1607 
1608 	/*
1609 	 * Delete the POSIX timers.
1610 	 */
1611 	if (p->p_itimer != NULL)
1612 		timer_exit();
1613 
1614 #ifdef C2_AUDIT
1615 	if (audit_active)
1616 		audit_exec(args->stk_base, args->stk_base + args->arglen,
1617 		    args->na - args->ne, args->ne);
1618 #endif
1619 
1620 	/*
1621 	 * Ensure that we don't change resource associations while we
1622 	 * change address spaces.
1623 	 */
1624 	mutex_enter(&p->p_lock);
1625 	pool_barrier_enter();
1626 	mutex_exit(&p->p_lock);
1627 
1628 	/*
1629 	 * Destroy the old address space and create a new one.
1630 	 * From here on, any errors are fatal to the exec()ing process.
1631 	 * On error we return -1, which means the caller must SIGKILL
1632 	 * the process.
1633 	 */
1634 	relvm();
1635 
1636 	mutex_enter(&p->p_lock);
1637 	pool_barrier_exit();
1638 	mutex_exit(&p->p_lock);
1639 
1640 	up->u_execsw = args->execswp;
1641 
1642 	p->p_brkbase = NULL;
1643 	p->p_brksize = 0;
1644 	p->p_stksize = 0;
1645 	p->p_model = args->to_model;
1646 	p->p_usrstack = usrstack;
1647 	p->p_stkprot = args->stk_prot;
1648 	p->p_datprot = args->dat_prot;
1649 
1650 	/*
1651 	 * Reset resource controls such that all controls are again active as
1652 	 * well as appropriate to the potentially new address model for the
1653 	 * process.
1654 	 */
1655 	e.rcep_p.proc = p;
1656 	e.rcep_t = RCENTITY_PROCESS;
1657 	rctl_set_reset(p->p_rctls, p, &e);
1658 
1659 	if (exec_lpg_disable == 0) {
1660 #ifdef DEBUG
1661 		uint_t pgsizes = page_num_pagesizes();
1662 		uint_t szc;
1663 #endif
1664 		p->p_brkpageszc = args->brkpageszc;
1665 		p->p_stkpageszc = args->stkpageszc;
1666 
1667 		if (p->p_brkpageszc == 0) {
1668 			p->p_brkpageszc = page_szc(map_pgsz(MAPPGSZ_HEAP,
1669 			    p, 0, 0, NULL));
1670 		}
1671 		if (p->p_stkpageszc == 0) {
1672 			p->p_stkpageszc = page_szc(map_pgsz(MAPPGSZ_STK,
1673 			    p, 0, 0, NULL));
1674 		}
1675 
1676 #ifdef DEBUG
1677 		if (mpss_brkpgszsel != 0) {
1678 			if (mpss_brkpgszsel == -1) {
1679 				szc = ((uint_t)gethrtime() >> 8) % pgsizes;
1680 			} else {
1681 				szc = mpss_brkpgszsel % pgsizes;
1682 			}
1683 			p->p_brkpageszc = szc;
1684 		}
1685 
1686 		if (mpss_stkpgszsel != 0) {
1687 			if (mpss_stkpgszsel == -1) {
1688 				szc = ((uint_t)gethrtime() >> 7) % pgsizes;
1689 			} else {
1690 				szc = mpss_stkpgszsel % pgsizes;
1691 			}
1692 			p->p_stkpageszc = szc;
1693 		}
1694 
1695 #endif
1696 		mutex_enter(&p->p_lock);
1697 		p->p_flag |= SAUTOLPG;	/* kernel controls page sizes */
1698 		mutex_exit(&p->p_lock);
1699 
1700 	} else {
1701 		p->p_brkpageszc = 0;
1702 		p->p_stkpageszc = 0;
1703 	}
1704 
1705 	exec_set_sp(size);
1706 
1707 	as = as_alloc();
1708 	p->p_as = as;
1709 	if (p->p_model == DATAMODEL_ILP32)
1710 		as->a_userlimit = (caddr_t)USERLIMIT32;
1711 	(void) hat_setup(as->a_hat, HAT_ALLOC);
1712 
1713 	/*
1714 	 * Finally, write out the contents of the new stack.
1715 	 */
1716 	error = stk_copyout(args, usrstack, auxvpp, up);
1717 	kmem_free(args->stk_base, args->stk_size);
1718 	return (error);
1719 }
1720