xref: /illumos-gate/usr/src/uts/common/os/exec.c (revision f22cbd2db87ae3945ed6a9166f8b9d61b65c6ab9)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 1988, 2010, Oracle and/or its affiliates. All rights reserved.
24  */
25 
26 /*	Copyright (c) 1988 AT&T	*/
27 /*	  All Rights Reserved  	*/
28 /*
29  * Copyright 2016 Joyent, Inc.
30  */
31 
32 #include <sys/types.h>
33 #include <sys/param.h>
34 #include <sys/sysmacros.h>
35 #include <sys/systm.h>
36 #include <sys/signal.h>
37 #include <sys/cred_impl.h>
38 #include <sys/policy.h>
39 #include <sys/user.h>
40 #include <sys/errno.h>
41 #include <sys/file.h>
42 #include <sys/vfs.h>
43 #include <sys/vnode.h>
44 #include <sys/mman.h>
45 #include <sys/acct.h>
46 #include <sys/cpuvar.h>
47 #include <sys/proc.h>
48 #include <sys/cmn_err.h>
49 #include <sys/debug.h>
50 #include <sys/pathname.h>
51 #include <sys/vm.h>
52 #include <sys/lgrp.h>
53 #include <sys/vtrace.h>
54 #include <sys/exec.h>
55 #include <sys/exechdr.h>
56 #include <sys/kmem.h>
57 #include <sys/prsystm.h>
58 #include <sys/modctl.h>
59 #include <sys/vmparam.h>
60 #include <sys/door.h>
61 #include <sys/schedctl.h>
62 #include <sys/utrap.h>
63 #include <sys/systeminfo.h>
64 #include <sys/stack.h>
65 #include <sys/rctl.h>
66 #include <sys/dtrace.h>
67 #include <sys/lwpchan_impl.h>
68 #include <sys/pool.h>
69 #include <sys/sdt.h>
70 #include <sys/brand.h>
71 #include <sys/klpd.h>
72 #include <sys/random.h>
73 
74 #include <c2/audit.h>
75 
76 #include <vm/hat.h>
77 #include <vm/anon.h>
78 #include <vm/as.h>
79 #include <vm/seg.h>
80 #include <vm/seg_vn.h>
81 
82 #define	PRIV_RESET		0x01	/* needs to reset privs */
83 #define	PRIV_SETID		0x02	/* needs to change uids */
84 #define	PRIV_SETUGID		0x04	/* is setuid/setgid/forced privs */
85 #define	PRIV_INCREASE		0x08	/* child runs with more privs */
86 #define	MAC_FLAGS		0x10	/* need to adjust MAC flags */
87 #define	PRIV_FORCED		0x20	/* has forced privileges */
88 
89 static int execsetid(struct vnode *, struct vattr *, uid_t *, uid_t *,
90     priv_set_t *, cred_t *, const char *);
91 static int hold_execsw(struct execsw *);
92 
93 uint_t auxv_hwcap = 0;	/* auxv AT_SUN_HWCAP value; determined on the fly */
94 uint_t auxv_hwcap_2 = 0;	/* AT_SUN_HWCAP2 */
95 #if defined(_SYSCALL32_IMPL)
96 uint_t auxv_hwcap32 = 0;	/* 32-bit version of auxv_hwcap */
97 uint_t auxv_hwcap32_2 = 0;	/* 32-bit version of auxv_hwcap2 */
98 #endif
99 
100 #define	PSUIDFLAGS		(SNOCD|SUGID)
101 
102 /*
103  * These are consumed within the specific exec modules, but are defined here
104  * because
105  *
106  * 1) The exec modules are unloadable, which would make this near useless.
107  *
108  * 2) We want them to be common across all of them, should more than ELF come
109  *    to support them.
110  *
111  * All must be powers of 2.
112  */
113 size_t aslr_max_brk_skew = 16 * 1024 * 1024; /* 16MB */
114 #pragma weak exec_stackgap = aslr_max_stack_skew /* Old, compatible name */
115 size_t aslr_max_stack_skew = 64 * 1024; /* 64KB */
116 
117 /*
118  * exece() - system call wrapper around exec_common()
119  */
120 int
121 exece(const char *fname, const char **argp, const char **envp)
122 {
123 	int error;
124 
125 	error = exec_common(fname, argp, envp, EBA_NONE);
126 	return (error ? (set_errno(error)) : 0);
127 }
128 
129 int
130 exec_common(const char *fname, const char **argp, const char **envp,
131     int brand_action)
132 {
133 	vnode_t *vp = NULL, *dir = NULL, *tmpvp = NULL;
134 	proc_t *p = ttoproc(curthread);
135 	klwp_t *lwp = ttolwp(curthread);
136 	struct user *up = PTOU(p);
137 	long execsz;		/* temporary count of exec size */
138 	int i;
139 	int error;
140 	char exec_file[MAXCOMLEN+1];
141 	struct pathname pn;
142 	struct pathname resolvepn;
143 	struct uarg args;
144 	struct execa ua;
145 	k_sigset_t savedmask;
146 	lwpdir_t *lwpdir = NULL;
147 	tidhash_t *tidhash;
148 	lwpdir_t *old_lwpdir = NULL;
149 	uint_t old_lwpdir_sz;
150 	tidhash_t *old_tidhash;
151 	uint_t old_tidhash_sz;
152 	ret_tidhash_t *ret_tidhash;
153 	lwpent_t *lep;
154 	boolean_t brandme = B_FALSE;
155 
156 	/*
157 	 * exec() is not supported for the /proc agent lwp.
158 	 */
159 	if (curthread == p->p_agenttp)
160 		return (ENOTSUP);
161 
162 	if (brand_action != EBA_NONE) {
163 		/*
164 		 * Brand actions are not supported for processes that are not
165 		 * running in a branded zone.
166 		 */
167 		if (!ZONE_IS_BRANDED(p->p_zone))
168 			return (ENOTSUP);
169 
170 		if (brand_action == EBA_NATIVE) {
171 			/* Only branded processes can be unbranded */
172 			if (!PROC_IS_BRANDED(p))
173 				return (ENOTSUP);
174 		} else {
175 			/* Only unbranded processes can be branded */
176 			if (PROC_IS_BRANDED(p))
177 				return (ENOTSUP);
178 			brandme = B_TRUE;
179 		}
180 	} else {
181 		/*
182 		 * If this is a native zone, or if the process is already
183 		 * branded, then we don't need to do anything.  If this is
184 		 * a native process in a branded zone, we need to brand the
185 		 * process as it exec()s the new binary.
186 		 */
187 		if (ZONE_IS_BRANDED(p->p_zone) && !PROC_IS_BRANDED(p))
188 			brandme = B_TRUE;
189 	}
190 
191 	/*
192 	 * Inform /proc that an exec() has started.
193 	 * Hold signals that are ignored by default so that we will
194 	 * not be interrupted by a signal that will be ignored after
195 	 * successful completion of gexec().
196 	 */
197 	mutex_enter(&p->p_lock);
198 	prexecstart();
199 	schedctl_finish_sigblock(curthread);
200 	savedmask = curthread->t_hold;
201 	sigorset(&curthread->t_hold, &ignoredefault);
202 	mutex_exit(&p->p_lock);
203 
204 	/*
205 	 * Look up path name and remember last component for later.
206 	 * To help coreadm expand its %d token, we attempt to save
207 	 * the directory containing the executable in p_execdir. The
208 	 * first call to lookuppn() may fail and return EINVAL because
209 	 * dirvpp is non-NULL. In that case, we make a second call to
210 	 * lookuppn() with dirvpp set to NULL; p_execdir will be NULL,
211 	 * but coreadm is allowed to expand %d to the empty string and
212 	 * there are other cases in which that failure may occur.
213 	 */
214 	if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0)
215 		goto out;
216 	pn_alloc(&resolvepn);
217 	if ((error = lookuppn(&pn, &resolvepn, FOLLOW, &dir, &vp)) != 0) {
218 		pn_free(&resolvepn);
219 		pn_free(&pn);
220 		if (error != EINVAL)
221 			goto out;
222 
223 		dir = NULL;
224 		if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0)
225 			goto out;
226 		pn_alloc(&resolvepn);
227 		if ((error = lookuppn(&pn, &resolvepn, FOLLOW, NULLVPP,
228 		    &vp)) != 0) {
229 			pn_free(&resolvepn);
230 			pn_free(&pn);
231 			goto out;
232 		}
233 	}
234 	if (vp == NULL) {
235 		if (dir != NULL)
236 			VN_RELE(dir);
237 		error = ENOENT;
238 		pn_free(&resolvepn);
239 		pn_free(&pn);
240 		goto out;
241 	}
242 
243 	if ((error = secpolicy_basic_exec(CRED(), vp)) != 0) {
244 		if (dir != NULL)
245 			VN_RELE(dir);
246 		pn_free(&resolvepn);
247 		pn_free(&pn);
248 		VN_RELE(vp);
249 		goto out;
250 	}
251 
252 	/*
253 	 * We do not allow executing files in attribute directories.
254 	 * We test this by determining whether the resolved path
255 	 * contains a "/" when we're in an attribute directory;
256 	 * only if the pathname does not contain a "/" the resolved path
257 	 * points to a file in the current working (attribute) directory.
258 	 */
259 	if ((p->p_user.u_cdir->v_flag & V_XATTRDIR) != 0 &&
260 	    strchr(resolvepn.pn_path, '/') == NULL) {
261 		if (dir != NULL)
262 			VN_RELE(dir);
263 		error = EACCES;
264 		pn_free(&resolvepn);
265 		pn_free(&pn);
266 		VN_RELE(vp);
267 		goto out;
268 	}
269 
270 	bzero(exec_file, MAXCOMLEN+1);
271 	(void) strncpy(exec_file, pn.pn_path, MAXCOMLEN);
272 	bzero(&args, sizeof (args));
273 	args.pathname = resolvepn.pn_path;
274 	/* don't free resolvepn until we are done with args */
275 	pn_free(&pn);
276 
277 	/*
278 	 * If we're running in a profile shell, then call pfexecd.
279 	 */
280 	if ((CR_FLAGS(p->p_cred) & PRIV_PFEXEC) != 0) {
281 		error = pfexec_call(p->p_cred, &resolvepn, &args.pfcred,
282 		    &args.scrubenv);
283 
284 		/* Returning errno in case we're not allowed to execute. */
285 		if (error > 0) {
286 			if (dir != NULL)
287 				VN_RELE(dir);
288 			pn_free(&resolvepn);
289 			VN_RELE(vp);
290 			goto out;
291 		}
292 
293 		/* Don't change the credentials when using old ptrace. */
294 		if (args.pfcred != NULL &&
295 		    (p->p_proc_flag & P_PR_PTRACE) != 0) {
296 			crfree(args.pfcred);
297 			args.pfcred = NULL;
298 			args.scrubenv = B_FALSE;
299 		}
300 	}
301 
302 	/*
303 	 * Specific exec handlers, or policies determined via
304 	 * /etc/system may override the historical default.
305 	 */
306 	args.stk_prot = PROT_ZFOD;
307 	args.dat_prot = PROT_ZFOD;
308 
309 	CPU_STATS_ADD_K(sys, sysexec, 1);
310 	DTRACE_PROC1(exec, char *, args.pathname);
311 
312 	ua.fname = fname;
313 	ua.argp = argp;
314 	ua.envp = envp;
315 
316 	/* If necessary, brand this process before we start the exec. */
317 	if (brandme)
318 		brand_setbrand(p);
319 
320 	if ((error = gexec(&vp, &ua, &args, NULL, 0, &execsz,
321 	    exec_file, p->p_cred, brand_action)) != 0) {
322 		if (brandme)
323 			brand_clearbrand(p, B_FALSE);
324 		VN_RELE(vp);
325 		if (dir != NULL)
326 			VN_RELE(dir);
327 		pn_free(&resolvepn);
328 		goto fail;
329 	}
330 
331 	/*
332 	 * Free floating point registers (sun4u only)
333 	 */
334 	ASSERT(lwp != NULL);
335 	lwp_freeregs(lwp, 1);
336 
337 	/*
338 	 * Free thread and process context ops.
339 	 */
340 	if (curthread->t_ctx)
341 		freectx(curthread, 1);
342 	if (p->p_pctx)
343 		freepctx(p, 1);
344 
345 	/*
346 	 * Remember file name for accounting; clear any cached DTrace predicate.
347 	 */
348 	up->u_acflag &= ~AFORK;
349 	bcopy(exec_file, up->u_comm, MAXCOMLEN+1);
350 	curthread->t_predcache = NULL;
351 
352 	/*
353 	 * Clear contract template state
354 	 */
355 	lwp_ctmpl_clear(lwp);
356 
357 	/*
358 	 * Save the directory in which we found the executable for expanding
359 	 * the %d token used in core file patterns.
360 	 */
361 	mutex_enter(&p->p_lock);
362 	tmpvp = p->p_execdir;
363 	p->p_execdir = dir;
364 	if (p->p_execdir != NULL)
365 		VN_HOLD(p->p_execdir);
366 	mutex_exit(&p->p_lock);
367 
368 	if (tmpvp != NULL)
369 		VN_RELE(tmpvp);
370 
371 	/*
372 	 * Reset stack state to the user stack, clear set of signals
373 	 * caught on the signal stack, and reset list of signals that
374 	 * restart system calls; the new program's environment should
375 	 * not be affected by detritus from the old program.  Any
376 	 * pending held signals remain held, so don't clear t_hold.
377 	 */
378 	mutex_enter(&p->p_lock);
379 	lwp->lwp_oldcontext = 0;
380 	lwp->lwp_ustack = 0;
381 	lwp->lwp_old_stk_ctl = 0;
382 	sigemptyset(&up->u_signodefer);
383 	sigemptyset(&up->u_sigonstack);
384 	sigemptyset(&up->u_sigresethand);
385 	lwp->lwp_sigaltstack.ss_sp = 0;
386 	lwp->lwp_sigaltstack.ss_size = 0;
387 	lwp->lwp_sigaltstack.ss_flags = SS_DISABLE;
388 
389 	/*
390 	 * Make saved resource limit == current resource limit.
391 	 */
392 	for (i = 0; i < RLIM_NLIMITS; i++) {
393 		/*CONSTCOND*/
394 		if (RLIM_SAVED(i)) {
395 			(void) rctl_rlimit_get(rctlproc_legacy[i], p,
396 			    &up->u_saved_rlimit[i]);
397 		}
398 	}
399 
400 	/*
401 	 * If the action was to catch the signal, then the action
402 	 * must be reset to SIG_DFL.
403 	 */
404 	sigdefault(p);
405 	p->p_flag &= ~(SNOWAIT|SJCTL);
406 	p->p_flag |= (SEXECED|SMSACCT|SMSFORK);
407 	up->u_signal[SIGCLD - 1] = SIG_DFL;
408 
409 	/*
410 	 * Delete the dot4 sigqueues/signotifies.
411 	 */
412 	sigqfree(p);
413 
414 	mutex_exit(&p->p_lock);
415 
416 	mutex_enter(&p->p_pflock);
417 	p->p_prof.pr_base = NULL;
418 	p->p_prof.pr_size = 0;
419 	p->p_prof.pr_off = 0;
420 	p->p_prof.pr_scale = 0;
421 	p->p_prof.pr_samples = 0;
422 	mutex_exit(&p->p_pflock);
423 
424 	ASSERT(curthread->t_schedctl == NULL);
425 
426 #if defined(__sparc)
427 	if (p->p_utraps != NULL)
428 		utrap_free(p);
429 #endif	/* __sparc */
430 
431 	/*
432 	 * Close all close-on-exec files.
433 	 */
434 	close_exec(P_FINFO(p));
435 	TRACE_2(TR_FAC_PROC, TR_PROC_EXEC, "proc_exec:p %p up %p", p, up);
436 
437 	/* Unbrand ourself if necessary. */
438 	if (PROC_IS_BRANDED(p) && (brand_action == EBA_NATIVE))
439 		brand_clearbrand(p, B_FALSE);
440 
441 	setregs(&args);
442 
443 	/* Mark this as an executable vnode */
444 	mutex_enter(&vp->v_lock);
445 	vp->v_flag |= VVMEXEC;
446 	mutex_exit(&vp->v_lock);
447 
448 	VN_RELE(vp);
449 	if (dir != NULL)
450 		VN_RELE(dir);
451 	pn_free(&resolvepn);
452 
453 	/*
454 	 * Allocate a new lwp directory and lwpid hash table if necessary.
455 	 */
456 	if (curthread->t_tid != 1 || p->p_lwpdir_sz != 2) {
457 		lwpdir = kmem_zalloc(2 * sizeof (lwpdir_t), KM_SLEEP);
458 		lwpdir->ld_next = lwpdir + 1;
459 		tidhash = kmem_zalloc(2 * sizeof (tidhash_t), KM_SLEEP);
460 		if (p->p_lwpdir != NULL)
461 			lep = p->p_lwpdir[curthread->t_dslot].ld_entry;
462 		else
463 			lep = kmem_zalloc(sizeof (*lep), KM_SLEEP);
464 	}
465 
466 	if (PROC_IS_BRANDED(p))
467 		BROP(p)->b_exec();
468 
469 	mutex_enter(&p->p_lock);
470 	prbarrier(p);
471 
472 	/*
473 	 * Reset lwp id to the default value of 1.
474 	 * This is a single-threaded process now
475 	 * and lwp #1 is lwp_wait()able by default.
476 	 * The t_unpark flag should not be inherited.
477 	 */
478 	ASSERT(p->p_lwpcnt == 1 && p->p_zombcnt == 0);
479 	curthread->t_tid = 1;
480 	kpreempt_disable();
481 	ASSERT(curthread->t_lpl != NULL);
482 	p->p_t1_lgrpid = curthread->t_lpl->lpl_lgrpid;
483 	kpreempt_enable();
484 	if (p->p_tr_lgrpid != LGRP_NONE && p->p_tr_lgrpid != p->p_t1_lgrpid) {
485 		lgrp_update_trthr_migrations(1);
486 	}
487 	curthread->t_unpark = 0;
488 	curthread->t_proc_flag |= TP_TWAIT;
489 	curthread->t_proc_flag &= ~TP_DAEMON;	/* daemons shouldn't exec */
490 	p->p_lwpdaemon = 0;			/* but oh well ... */
491 	p->p_lwpid = 1;
492 
493 	/*
494 	 * Install the newly-allocated lwp directory and lwpid hash table
495 	 * and insert the current thread into the new hash table.
496 	 */
497 	if (lwpdir != NULL) {
498 		old_lwpdir = p->p_lwpdir;
499 		old_lwpdir_sz = p->p_lwpdir_sz;
500 		old_tidhash = p->p_tidhash;
501 		old_tidhash_sz = p->p_tidhash_sz;
502 		p->p_lwpdir = p->p_lwpfree = lwpdir;
503 		p->p_lwpdir_sz = 2;
504 		lep->le_thread = curthread;
505 		lep->le_lwpid = curthread->t_tid;
506 		lep->le_start = curthread->t_start;
507 		lwp_hash_in(p, lep, tidhash, 2, 0);
508 		p->p_tidhash = tidhash;
509 		p->p_tidhash_sz = 2;
510 	}
511 	ret_tidhash = p->p_ret_tidhash;
512 	p->p_ret_tidhash = NULL;
513 
514 	/*
515 	 * Restore the saved signal mask and
516 	 * inform /proc that the exec() has finished.
517 	 */
518 	curthread->t_hold = savedmask;
519 	prexecend();
520 	mutex_exit(&p->p_lock);
521 	if (old_lwpdir) {
522 		kmem_free(old_lwpdir, old_lwpdir_sz * sizeof (lwpdir_t));
523 		kmem_free(old_tidhash, old_tidhash_sz * sizeof (tidhash_t));
524 	}
525 	while (ret_tidhash != NULL) {
526 		ret_tidhash_t *next = ret_tidhash->rth_next;
527 		kmem_free(ret_tidhash->rth_tidhash,
528 		    ret_tidhash->rth_tidhash_sz * sizeof (tidhash_t));
529 		kmem_free(ret_tidhash, sizeof (*ret_tidhash));
530 		ret_tidhash = next;
531 	}
532 
533 	ASSERT(error == 0);
534 	DTRACE_PROC(exec__success);
535 	return (0);
536 
537 fail:
538 	DTRACE_PROC1(exec__failure, int, error);
539 out:		/* error return */
540 	mutex_enter(&p->p_lock);
541 	curthread->t_hold = savedmask;
542 	prexecend();
543 	mutex_exit(&p->p_lock);
544 	ASSERT(error != 0);
545 	return (error);
546 }
547 
548 
549 /*
550  * Perform generic exec duties and switchout to object-file specific
551  * handler.
552  */
553 int
554 gexec(
555 	struct vnode **vpp,
556 	struct execa *uap,
557 	struct uarg *args,
558 	struct intpdata *idatap,
559 	int level,
560 	long *execsz,
561 	caddr_t exec_file,
562 	struct cred *cred,
563 	int brand_action)
564 {
565 	struct vnode *vp, *execvp = NULL;
566 	proc_t *pp = ttoproc(curthread);
567 	struct execsw *eswp;
568 	int error = 0;
569 	int suidflags = 0;
570 	ssize_t resid;
571 	uid_t uid, gid;
572 	struct vattr vattr;
573 	char magbuf[MAGIC_BYTES];
574 	int setid;
575 	cred_t *oldcred, *newcred = NULL;
576 	int privflags = 0;
577 	int setidfl;
578 	priv_set_t fset;
579 	secflagset_t old_secflags;
580 
581 	secflags_copy(&old_secflags, &pp->p_secflags.psf_effective);
582 
583 	/*
584 	 * If the SNOCD or SUGID flag is set, turn it off and remember the
585 	 * previous setting so we can restore it if we encounter an error.
586 	 */
587 	if (level == 0 && (pp->p_flag & PSUIDFLAGS)) {
588 		mutex_enter(&pp->p_lock);
589 		suidflags = pp->p_flag & PSUIDFLAGS;
590 		pp->p_flag &= ~PSUIDFLAGS;
591 		mutex_exit(&pp->p_lock);
592 	}
593 
594 	if ((error = execpermissions(*vpp, &vattr, args)) != 0)
595 		goto bad_noclose;
596 
597 	/* need to open vnode for stateful file systems */
598 	if ((error = VOP_OPEN(vpp, FREAD, CRED(), NULL)) != 0)
599 		goto bad_noclose;
600 	vp = *vpp;
601 
602 	/*
603 	 * Note: to support binary compatibility with SunOS a.out
604 	 * executables, we read in the first four bytes, as the
605 	 * magic number is in bytes 2-3.
606 	 */
607 	if (error = vn_rdwr(UIO_READ, vp, magbuf, sizeof (magbuf),
608 	    (offset_t)0, UIO_SYSSPACE, 0, (rlim64_t)0, CRED(), &resid))
609 		goto bad;
610 	if (resid != 0)
611 		goto bad;
612 
613 	if ((eswp = findexec_by_hdr(magbuf)) == NULL)
614 		goto bad;
615 
616 	if (level == 0 &&
617 	    (privflags = execsetid(vp, &vattr, &uid, &gid, &fset,
618 	    args->pfcred == NULL ? cred : args->pfcred, args->pathname)) != 0) {
619 
620 		/* Pfcred is a credential with a ref count of 1 */
621 
622 		if (args->pfcred != NULL) {
623 			privflags |= PRIV_INCREASE|PRIV_RESET;
624 			newcred = cred = args->pfcred;
625 		} else {
626 			newcred = cred = crdup(cred);
627 		}
628 
629 		/* If we can, drop the PA bit */
630 		if ((privflags & PRIV_RESET) != 0)
631 			priv_adjust_PA(cred);
632 
633 		if (privflags & PRIV_SETID) {
634 			cred->cr_uid = uid;
635 			cred->cr_gid = gid;
636 			cred->cr_suid = uid;
637 			cred->cr_sgid = gid;
638 		}
639 
640 		if (privflags & MAC_FLAGS) {
641 			if (!(CR_FLAGS(cred) & NET_MAC_AWARE_INHERIT))
642 				CR_FLAGS(cred) &= ~NET_MAC_AWARE;
643 			CR_FLAGS(cred) &= ~NET_MAC_AWARE_INHERIT;
644 		}
645 
646 		/*
647 		 * Implement the privilege updates:
648 		 *
649 		 * Restrict with L:
650 		 *
651 		 *	I' = I & L
652 		 *
653 		 *	E' = P' = (I' + F) & A
654 		 *
655 		 * But if running under ptrace, we cap I and F with P.
656 		 */
657 		if ((privflags & (PRIV_RESET|PRIV_FORCED)) != 0) {
658 			if ((privflags & PRIV_INCREASE) != 0 &&
659 			    (pp->p_proc_flag & P_PR_PTRACE) != 0) {
660 				priv_intersect(&CR_OPPRIV(cred),
661 				    &CR_IPRIV(cred));
662 				priv_intersect(&CR_OPPRIV(cred), &fset);
663 			}
664 			priv_intersect(&CR_LPRIV(cred), &CR_IPRIV(cred));
665 			CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred);
666 			if (privflags & PRIV_FORCED) {
667 				priv_set_PA(cred);
668 				priv_union(&fset, &CR_EPRIV(cred));
669 				priv_union(&fset, &CR_PPRIV(cred));
670 			}
671 			priv_adjust_PA(cred);
672 		}
673 	} else if (level == 0 && args->pfcred != NULL) {
674 		newcred = cred = args->pfcred;
675 		privflags |= PRIV_INCREASE;
676 		/* pfcred is not forced to adhere to these settings */
677 		priv_intersect(&CR_LPRIV(cred), &CR_IPRIV(cred));
678 		CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred);
679 		priv_adjust_PA(cred);
680 	}
681 
682 	/* The new image gets the inheritable secflags as its secflags */
683 	secflags_promote(pp);
684 
685 	/* SunOS 4.x buy-back */
686 	if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) &&
687 	    (vattr.va_mode & (VSUID|VSGID))) {
688 		char path[MAXNAMELEN];
689 		refstr_t *mntpt = NULL;
690 		int ret = -1;
691 
692 		bzero(path, sizeof (path));
693 		zone_hold(pp->p_zone);
694 
695 		ret = vnodetopath(pp->p_zone->zone_rootvp, vp, path,
696 		    sizeof (path), cred);
697 
698 		/* fallback to mountpoint if a path can't be found */
699 		if ((ret != 0) || (ret == 0 && path[0] == '\0'))
700 			mntpt = vfs_getmntpoint(vp->v_vfsp);
701 
702 		if (mntpt == NULL)
703 			zcmn_err(pp->p_zone->zone_id, CE_NOTE,
704 			    "!uid %d: setuid execution not allowed, "
705 			    "file=%s", cred->cr_uid, path);
706 		else
707 			zcmn_err(pp->p_zone->zone_id, CE_NOTE,
708 			    "!uid %d: setuid execution not allowed, "
709 			    "fs=%s, file=%s", cred->cr_uid,
710 			    ZONE_PATH_TRANSLATE(refstr_value(mntpt),
711 			    pp->p_zone), exec_file);
712 
713 		if (!INGLOBALZONE(pp)) {
714 			/* zone_rootpath always has trailing / */
715 			if (mntpt == NULL)
716 				cmn_err(CE_NOTE, "!zone: %s, uid: %d "
717 				    "setuid execution not allowed, file=%s%s",
718 				    pp->p_zone->zone_name, cred->cr_uid,
719 				    pp->p_zone->zone_rootpath, path + 1);
720 			else
721 				cmn_err(CE_NOTE, "!zone: %s, uid: %d "
722 				    "setuid execution not allowed, fs=%s, "
723 				    "file=%s", pp->p_zone->zone_name,
724 				    cred->cr_uid, refstr_value(mntpt),
725 				    exec_file);
726 		}
727 
728 		if (mntpt != NULL)
729 			refstr_rele(mntpt);
730 
731 		zone_rele(pp->p_zone);
732 	}
733 
734 	/*
735 	 * execsetid() told us whether or not we had to change the
736 	 * credentials of the process.  In privflags, it told us
737 	 * whether we gained any privileges or executed a set-uid executable.
738 	 */
739 	setid = (privflags & (PRIV_SETUGID|PRIV_INCREASE|PRIV_FORCED));
740 
741 	/*
742 	 * Use /etc/system variable to determine if the stack
743 	 * should be marked as executable by default.
744 	 */
745 	if ((noexec_user_stack != 0) ||
746 	    secflag_enabled(pp, PROC_SEC_NOEXECSTACK))
747 		args->stk_prot &= ~PROT_EXEC;
748 
749 	args->execswp = eswp; /* Save execsw pointer in uarg for exec_func */
750 	args->ex_vp = vp;
751 
752 	/*
753 	 * Traditionally, the setid flags told the sub processes whether
754 	 * the file just executed was set-uid or set-gid; this caused
755 	 * some confusion as the 'setid' flag did not match the SUGID
756 	 * process flag which is only set when the uids/gids do not match.
757 	 * A script set-gid/set-uid to the real uid/gid would start with
758 	 * /dev/fd/X but an executable would happily trust LD_LIBRARY_PATH.
759 	 * Now we flag those cases where the calling process cannot
760 	 * be trusted to influence the newly exec'ed process, either
761 	 * because it runs with more privileges or when the uids/gids
762 	 * do in fact not match.
763 	 * This also makes the runtime linker agree with the on exec
764 	 * values of SNOCD and SUGID.
765 	 */
766 	setidfl = 0;
767 	if (cred->cr_uid != cred->cr_ruid || (cred->cr_rgid != cred->cr_gid &&
768 	    !supgroupmember(cred->cr_gid, cred))) {
769 		setidfl |= EXECSETID_UGIDS;
770 	}
771 	if (setid & PRIV_SETUGID)
772 		setidfl |= EXECSETID_SETID;
773 	if (setid & PRIV_FORCED)
774 		setidfl |= EXECSETID_PRIVS;
775 
776 	execvp = pp->p_exec;
777 	if (execvp)
778 		VN_HOLD(execvp);
779 
780 	error = (*eswp->exec_func)(vp, uap, args, idatap, level, execsz,
781 	    setidfl, exec_file, cred, brand_action);
782 	rw_exit(eswp->exec_lock);
783 	if (error != 0) {
784 		if (execvp)
785 			VN_RELE(execvp);
786 		/*
787 		 * If this process's p_exec has been set to the vp of
788 		 * the executable by exec_func, we will return without
789 		 * calling VOP_CLOSE because proc_exit will close it
790 		 * on exit.
791 		 */
792 		if (pp->p_exec == vp)
793 			goto bad_noclose;
794 		else
795 			goto bad;
796 	}
797 
798 	if (level == 0) {
799 		uid_t oruid;
800 
801 		if (execvp != NULL) {
802 			/*
803 			 * Close the previous executable only if we are
804 			 * at level 0.
805 			 */
806 			(void) VOP_CLOSE(execvp, FREAD, 1, (offset_t)0,
807 			    cred, NULL);
808 		}
809 
810 		mutex_enter(&pp->p_crlock);
811 
812 		oruid = pp->p_cred->cr_ruid;
813 
814 		if (newcred != NULL) {
815 			/*
816 			 * Free the old credentials, and set the new ones.
817 			 * Do this for both the process and the (single) thread.
818 			 */
819 			crfree(pp->p_cred);
820 			pp->p_cred = cred;	/* cred already held for proc */
821 			crhold(cred);		/* hold new cred for thread */
822 			/*
823 			 * DTrace accesses t_cred in probe context.  t_cred
824 			 * must always be either NULL, or point to a valid,
825 			 * allocated cred structure.
826 			 */
827 			oldcred = curthread->t_cred;
828 			curthread->t_cred = cred;
829 			crfree(oldcred);
830 
831 			if (priv_basic_test >= 0 &&
832 			    !PRIV_ISASSERT(&CR_IPRIV(newcred),
833 			    priv_basic_test)) {
834 				pid_t pid = pp->p_pid;
835 				char *fn = PTOU(pp)->u_comm;
836 
837 				cmn_err(CE_WARN, "%s[%d]: exec: basic_test "
838 				    "privilege removed from E/I", fn, pid);
839 			}
840 		}
841 		/*
842 		 * On emerging from a successful exec(), the saved
843 		 * uid and gid equal the effective uid and gid.
844 		 */
845 		cred->cr_suid = cred->cr_uid;
846 		cred->cr_sgid = cred->cr_gid;
847 
848 		/*
849 		 * If the real and effective ids do not match, this
850 		 * is a setuid process that should not dump core.
851 		 * The group comparison is tricky; we prevent the code
852 		 * from flagging SNOCD when executing with an effective gid
853 		 * which is a supplementary group.
854 		 */
855 		if (cred->cr_ruid != cred->cr_uid ||
856 		    (cred->cr_rgid != cred->cr_gid &&
857 		    !supgroupmember(cred->cr_gid, cred)) ||
858 		    (privflags & PRIV_INCREASE) != 0)
859 			suidflags = PSUIDFLAGS;
860 		else
861 			suidflags = 0;
862 
863 		mutex_exit(&pp->p_crlock);
864 		if (newcred != NULL && oruid != newcred->cr_ruid) {
865 			/* Note that the process remains in the same zone. */
866 			mutex_enter(&pidlock);
867 			upcount_dec(oruid, crgetzoneid(newcred));
868 			upcount_inc(newcred->cr_ruid, crgetzoneid(newcred));
869 			mutex_exit(&pidlock);
870 		}
871 		if (suidflags) {
872 			mutex_enter(&pp->p_lock);
873 			pp->p_flag |= suidflags;
874 			mutex_exit(&pp->p_lock);
875 		}
876 		if (setid && (pp->p_proc_flag & P_PR_PTRACE) == 0) {
877 			/*
878 			 * If process is traced via /proc, arrange to
879 			 * invalidate the associated /proc vnode.
880 			 */
881 			if (pp->p_plist || (pp->p_proc_flag & P_PR_TRACE))
882 				args->traceinval = 1;
883 		}
884 		if (pp->p_proc_flag & P_PR_PTRACE)
885 			psignal(pp, SIGTRAP);
886 		if (args->traceinval)
887 			prinvalidate(&pp->p_user);
888 	}
889 	if (execvp)
890 		VN_RELE(execvp);
891 	return (0);
892 
893 bad:
894 	(void) VOP_CLOSE(vp, FREAD, 1, (offset_t)0, cred, NULL);
895 
896 bad_noclose:
897 	if (newcred != NULL)
898 		crfree(newcred);
899 	if (error == 0)
900 		error = ENOEXEC;
901 
902 	mutex_enter(&pp->p_lock);
903 	if (suidflags) {
904 		pp->p_flag |= suidflags;
905 	}
906 	/*
907 	 * Restore the effective secflags, to maintain the invariant they
908 	 * never change for a given process
909 	 */
910 	secflags_copy(&pp->p_secflags.psf_effective, &old_secflags);
911 	mutex_exit(&pp->p_lock);
912 
913 	return (error);
914 }
915 
916 extern char *execswnames[];
917 
918 struct execsw *
919 allocate_execsw(char *name, char *magic, size_t magic_size)
920 {
921 	int i, j;
922 	char *ename;
923 	char *magicp;
924 
925 	mutex_enter(&execsw_lock);
926 	for (i = 0; i < nexectype; i++) {
927 		if (execswnames[i] == NULL) {
928 			ename = kmem_alloc(strlen(name) + 1, KM_SLEEP);
929 			(void) strcpy(ename, name);
930 			execswnames[i] = ename;
931 			/*
932 			 * Set the magic number last so that we
933 			 * don't need to hold the execsw_lock in
934 			 * findexectype().
935 			 */
936 			magicp = kmem_alloc(magic_size, KM_SLEEP);
937 			for (j = 0; j < magic_size; j++)
938 				magicp[j] = magic[j];
939 			execsw[i].exec_magic = magicp;
940 			mutex_exit(&execsw_lock);
941 			return (&execsw[i]);
942 		}
943 	}
944 	mutex_exit(&execsw_lock);
945 	return (NULL);
946 }
947 
948 /*
949  * Find the exec switch table entry with the corresponding magic string.
950  */
951 struct execsw *
952 findexecsw(char *magic)
953 {
954 	struct execsw *eswp;
955 
956 	for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
957 		ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
958 		if (magic && eswp->exec_maglen != 0 &&
959 		    bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0)
960 			return (eswp);
961 	}
962 	return (NULL);
963 }
964 
965 /*
966  * Find the execsw[] index for the given exec header string by looking for the
967  * magic string at a specified offset and length for each kind of executable
968  * file format until one matches.  If no execsw[] entry is found, try to
969  * autoload a module for this magic string.
970  */
971 struct execsw *
972 findexec_by_hdr(char *header)
973 {
974 	struct execsw *eswp;
975 
976 	for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
977 		ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
978 		if (header && eswp->exec_maglen != 0 &&
979 		    bcmp(&header[eswp->exec_magoff], eswp->exec_magic,
980 		    eswp->exec_maglen) == 0) {
981 			if (hold_execsw(eswp) != 0)
982 				return (NULL);
983 			return (eswp);
984 		}
985 	}
986 	return (NULL);	/* couldn't find the type */
987 }
988 
989 /*
990  * Find the execsw[] index for the given magic string.  If no execsw[] entry
991  * is found, try to autoload a module for this magic string.
992  */
993 struct execsw *
994 findexec_by_magic(char *magic)
995 {
996 	struct execsw *eswp;
997 
998 	for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
999 		ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
1000 		if (magic && eswp->exec_maglen != 0 &&
1001 		    bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0) {
1002 			if (hold_execsw(eswp) != 0)
1003 				return (NULL);
1004 			return (eswp);
1005 		}
1006 	}
1007 	return (NULL);	/* couldn't find the type */
1008 }
1009 
1010 static int
1011 hold_execsw(struct execsw *eswp)
1012 {
1013 	char *name;
1014 
1015 	rw_enter(eswp->exec_lock, RW_READER);
1016 	while (!LOADED_EXEC(eswp)) {
1017 		rw_exit(eswp->exec_lock);
1018 		name = execswnames[eswp-execsw];
1019 		ASSERT(name);
1020 		if (modload("exec", name) == -1)
1021 			return (-1);
1022 		rw_enter(eswp->exec_lock, RW_READER);
1023 	}
1024 	return (0);
1025 }
1026 
1027 static int
1028 execsetid(struct vnode *vp, struct vattr *vattrp, uid_t *uidp, uid_t *gidp,
1029     priv_set_t *fset, cred_t *cr, const char *pathname)
1030 {
1031 	proc_t *pp = ttoproc(curthread);
1032 	uid_t uid, gid;
1033 	int privflags = 0;
1034 
1035 	/*
1036 	 * Remember credentials.
1037 	 */
1038 	uid = cr->cr_uid;
1039 	gid = cr->cr_gid;
1040 
1041 	/* Will try to reset the PRIV_AWARE bit later. */
1042 	if ((CR_FLAGS(cr) & (PRIV_AWARE|PRIV_AWARE_INHERIT)) == PRIV_AWARE)
1043 		privflags |= PRIV_RESET;
1044 
1045 	if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) == 0) {
1046 		/*
1047 		 * If it's a set-uid root program we perform the
1048 		 * forced privilege look-aside. This has three possible
1049 		 * outcomes:
1050 		 *	no look aside information -> treat as before
1051 		 *	look aside in Limit set -> apply forced privs
1052 		 *	look aside not in Limit set -> ignore set-uid root
1053 		 *
1054 		 * Ordinary set-uid root execution only allowed if the limit
1055 		 * set holds all unsafe privileges.
1056 		 */
1057 		if (vattrp->va_mode & VSUID) {
1058 			if (vattrp->va_uid == 0) {
1059 				int res = get_forced_privs(cr, pathname, fset);
1060 
1061 				switch (res) {
1062 				case -1:
1063 					if (priv_issubset(&priv_unsafe,
1064 					    &CR_LPRIV(cr))) {
1065 						uid = vattrp->va_uid;
1066 						privflags |= PRIV_SETUGID;
1067 					}
1068 					break;
1069 				case 0:
1070 					privflags |= PRIV_FORCED|PRIV_INCREASE;
1071 					break;
1072 				default:
1073 					break;
1074 				}
1075 			} else {
1076 				uid = vattrp->va_uid;
1077 				privflags |= PRIV_SETUGID;
1078 			}
1079 		}
1080 		if (vattrp->va_mode & VSGID) {
1081 			gid = vattrp->va_gid;
1082 			privflags |= PRIV_SETUGID;
1083 		}
1084 	}
1085 
1086 	/*
1087 	 * Do we need to change our credential anyway?
1088 	 * This is the case when E != I or P != I, as
1089 	 * we need to do the assignments (with F empty and A full)
1090 	 * Or when I is not a subset of L; in that case we need to
1091 	 * enforce L.
1092 	 *
1093 	 *		I' = L & I
1094 	 *
1095 	 *		E' = P' = (I' + F) & A
1096 	 * or
1097 	 *		E' = P' = I'
1098 	 */
1099 	if (!priv_isequalset(&CR_EPRIV(cr), &CR_IPRIV(cr)) ||
1100 	    !priv_issubset(&CR_IPRIV(cr), &CR_LPRIV(cr)) ||
1101 	    !priv_isequalset(&CR_PPRIV(cr), &CR_IPRIV(cr)))
1102 		privflags |= PRIV_RESET;
1103 
1104 	/* Child has more privileges than parent */
1105 	if (!priv_issubset(&CR_IPRIV(cr), &CR_PPRIV(cr)))
1106 		privflags |= PRIV_INCREASE;
1107 
1108 	/* If MAC-aware flag(s) are on, need to update cred to remove. */
1109 	if ((CR_FLAGS(cr) & NET_MAC_AWARE) ||
1110 	    (CR_FLAGS(cr) & NET_MAC_AWARE_INHERIT))
1111 		privflags |= MAC_FLAGS;
1112 	/*
1113 	 * Set setuid/setgid protections if no ptrace() compatibility.
1114 	 * For privileged processes, honor setuid/setgid even in
1115 	 * the presence of ptrace() compatibility.
1116 	 */
1117 	if (((pp->p_proc_flag & P_PR_PTRACE) == 0 ||
1118 	    PRIV_POLICY_ONLY(cr, PRIV_PROC_OWNER, (uid == 0))) &&
1119 	    (cr->cr_uid != uid ||
1120 	    cr->cr_gid != gid ||
1121 	    cr->cr_suid != uid ||
1122 	    cr->cr_sgid != gid)) {
1123 		*uidp = uid;
1124 		*gidp = gid;
1125 		privflags |= PRIV_SETID;
1126 	}
1127 	return (privflags);
1128 }
1129 
1130 int
1131 execpermissions(struct vnode *vp, struct vattr *vattrp, struct uarg *args)
1132 {
1133 	int error;
1134 	proc_t *p = ttoproc(curthread);
1135 
1136 	vattrp->va_mask = AT_MODE | AT_UID | AT_GID | AT_SIZE;
1137 	if (error = VOP_GETATTR(vp, vattrp, ATTR_EXEC, p->p_cred, NULL))
1138 		return (error);
1139 	/*
1140 	 * Check the access mode.
1141 	 * If VPROC, ask /proc if the file is an object file.
1142 	 */
1143 	if ((error = VOP_ACCESS(vp, VEXEC, 0, p->p_cred, NULL)) != 0 ||
1144 	    !(vp->v_type == VREG || (vp->v_type == VPROC && pr_isobject(vp))) ||
1145 	    (vp->v_vfsp->vfs_flag & VFS_NOEXEC) != 0 ||
1146 	    (vattrp->va_mode & (VEXEC|(VEXEC>>3)|(VEXEC>>6))) == 0) {
1147 		if (error == 0)
1148 			error = EACCES;
1149 		return (error);
1150 	}
1151 
1152 	if ((p->p_plist || (p->p_proc_flag & (P_PR_PTRACE|P_PR_TRACE))) &&
1153 	    (error = VOP_ACCESS(vp, VREAD, 0, p->p_cred, NULL))) {
1154 		/*
1155 		 * If process is under ptrace(2) compatibility,
1156 		 * fail the exec(2).
1157 		 */
1158 		if (p->p_proc_flag & P_PR_PTRACE)
1159 			goto bad;
1160 		/*
1161 		 * Process is traced via /proc.
1162 		 * Arrange to invalidate the /proc vnode.
1163 		 */
1164 		args->traceinval = 1;
1165 	}
1166 	return (0);
1167 bad:
1168 	if (error == 0)
1169 		error = ENOEXEC;
1170 	return (error);
1171 }
1172 
1173 /*
1174  * Map a section of an executable file into the user's
1175  * address space.
1176  */
1177 int
1178 execmap(struct vnode *vp, caddr_t addr, size_t len, size_t zfodlen,
1179     off_t offset, int prot, int page, uint_t szc)
1180 {
1181 	int error = 0;
1182 	off_t oldoffset;
1183 	caddr_t zfodbase, oldaddr;
1184 	size_t end, oldlen;
1185 	size_t zfoddiff;
1186 	label_t ljb;
1187 	proc_t *p = ttoproc(curthread);
1188 
1189 	oldaddr = addr;
1190 	addr = (caddr_t)((uintptr_t)addr & (uintptr_t)PAGEMASK);
1191 	if (len) {
1192 		oldlen = len;
1193 		len += ((size_t)oldaddr - (size_t)addr);
1194 		oldoffset = offset;
1195 		offset = (off_t)((uintptr_t)offset & PAGEMASK);
1196 		if (page) {
1197 			spgcnt_t  prefltmem, availm, npages;
1198 			int preread;
1199 			uint_t mflag = MAP_PRIVATE | MAP_FIXED;
1200 
1201 			if ((prot & (PROT_WRITE | PROT_EXEC)) == PROT_EXEC) {
1202 				mflag |= MAP_TEXT;
1203 			} else {
1204 				mflag |= MAP_INITDATA;
1205 			}
1206 
1207 			if (valid_usr_range(addr, len, prot, p->p_as,
1208 			    p->p_as->a_userlimit) != RANGE_OKAY) {
1209 				error = ENOMEM;
1210 				goto bad;
1211 			}
1212 			if (error = VOP_MAP(vp, (offset_t)offset,
1213 			    p->p_as, &addr, len, prot, PROT_ALL,
1214 			    mflag, CRED(), NULL))
1215 				goto bad;
1216 
1217 			/*
1218 			 * If the segment can fit, then we prefault
1219 			 * the entire segment in.  This is based on the
1220 			 * model that says the best working set of a
1221 			 * small program is all of its pages.
1222 			 */
1223 			npages = (spgcnt_t)btopr(len);
1224 			prefltmem = freemem - desfree;
1225 			preread =
1226 			    (npages < prefltmem && len < PGTHRESH) ? 1 : 0;
1227 
1228 			/*
1229 			 * If we aren't prefaulting the segment,
1230 			 * increment "deficit", if necessary to ensure
1231 			 * that pages will become available when this
1232 			 * process starts executing.
1233 			 */
1234 			availm = freemem - lotsfree;
1235 			if (preread == 0 && npages > availm &&
1236 			    deficit < lotsfree) {
1237 				deficit += MIN((pgcnt_t)(npages - availm),
1238 				    lotsfree - deficit);
1239 			}
1240 
1241 			if (preread) {
1242 				TRACE_2(TR_FAC_PROC, TR_EXECMAP_PREREAD,
1243 				    "execmap preread:freemem %d size %lu",
1244 				    freemem, len);
1245 				(void) as_fault(p->p_as->a_hat, p->p_as,
1246 				    (caddr_t)addr, len, F_INVAL, S_READ);
1247 			}
1248 		} else {
1249 			if (valid_usr_range(addr, len, prot, p->p_as,
1250 			    p->p_as->a_userlimit) != RANGE_OKAY) {
1251 				error = ENOMEM;
1252 				goto bad;
1253 			}
1254 
1255 			if (error = as_map(p->p_as, addr, len,
1256 			    segvn_create, zfod_argsp))
1257 				goto bad;
1258 			/*
1259 			 * Read in the segment in one big chunk.
1260 			 */
1261 			if (error = vn_rdwr(UIO_READ, vp, (caddr_t)oldaddr,
1262 			    oldlen, (offset_t)oldoffset, UIO_USERSPACE, 0,
1263 			    (rlim64_t)0, CRED(), (ssize_t *)0))
1264 				goto bad;
1265 			/*
1266 			 * Now set protections.
1267 			 */
1268 			if (prot != PROT_ZFOD) {
1269 				(void) as_setprot(p->p_as, (caddr_t)addr,
1270 				    len, prot);
1271 			}
1272 		}
1273 	}
1274 
1275 	if (zfodlen) {
1276 		struct as *as = curproc->p_as;
1277 		struct seg *seg;
1278 		uint_t zprot = 0;
1279 
1280 		end = (size_t)addr + len;
1281 		zfodbase = (caddr_t)roundup(end, PAGESIZE);
1282 		zfoddiff = (uintptr_t)zfodbase - end;
1283 		if (zfoddiff) {
1284 			/*
1285 			 * Before we go to zero the remaining space on the last
1286 			 * page, make sure we have write permission.
1287 			 *
1288 			 * Normal illumos binaries don't even hit the case
1289 			 * where we have to change permission on the last page
1290 			 * since their protection is typically either
1291 			 *    PROT_USER | PROT_WRITE | PROT_READ
1292 			 * or
1293 			 *    PROT_ZFOD (same as PROT_ALL).
1294 			 *
1295 			 * We need to be careful how we zero-fill the last page
1296 			 * if the segment protection does not include
1297 			 * PROT_WRITE. Using as_setprot() can cause the VM
1298 			 * segment code to call segvn_vpage(), which must
1299 			 * allocate a page struct for each page in the segment.
1300 			 * If we have a very large segment, this may fail, so
1301 			 * we have to check for that, even though we ignore
1302 			 * other return values from as_setprot.
1303 			 */
1304 
1305 			AS_LOCK_ENTER(as, RW_READER);
1306 			seg = as_segat(curproc->p_as, (caddr_t)end);
1307 			if (seg != NULL)
1308 				SEGOP_GETPROT(seg, (caddr_t)end, zfoddiff - 1,
1309 				    &zprot);
1310 			AS_LOCK_EXIT(as);
1311 
1312 			if (seg != NULL && (zprot & PROT_WRITE) == 0) {
1313 				if (as_setprot(as, (caddr_t)end, zfoddiff - 1,
1314 				    zprot | PROT_WRITE) == ENOMEM) {
1315 					error = ENOMEM;
1316 					goto bad;
1317 				}
1318 			}
1319 
1320 			if (on_fault(&ljb)) {
1321 				no_fault();
1322 				if (seg != NULL && (zprot & PROT_WRITE) == 0)
1323 					(void) as_setprot(as, (caddr_t)end,
1324 					    zfoddiff - 1, zprot);
1325 				error = EFAULT;
1326 				goto bad;
1327 			}
1328 			uzero((void *)end, zfoddiff);
1329 			no_fault();
1330 			if (seg != NULL && (zprot & PROT_WRITE) == 0)
1331 				(void) as_setprot(as, (caddr_t)end,
1332 				    zfoddiff - 1, zprot);
1333 		}
1334 		if (zfodlen > zfoddiff) {
1335 			struct segvn_crargs crargs =
1336 			    SEGVN_ZFOD_ARGS(PROT_ZFOD, PROT_ALL);
1337 
1338 			zfodlen -= zfoddiff;
1339 			if (valid_usr_range(zfodbase, zfodlen, prot, p->p_as,
1340 			    p->p_as->a_userlimit) != RANGE_OKAY) {
1341 				error = ENOMEM;
1342 				goto bad;
1343 			}
1344 			if (szc > 0) {
1345 				/*
1346 				 * ASSERT alignment because the mapelfexec()
1347 				 * caller for the szc > 0 case extended zfod
1348 				 * so it's end is pgsz aligned.
1349 				 */
1350 				size_t pgsz = page_get_pagesize(szc);
1351 				ASSERT(IS_P2ALIGNED(zfodbase + zfodlen, pgsz));
1352 
1353 				if (IS_P2ALIGNED(zfodbase, pgsz)) {
1354 					crargs.szc = szc;
1355 				} else {
1356 					crargs.szc = AS_MAP_HEAP;
1357 				}
1358 			} else {
1359 				crargs.szc = AS_MAP_NO_LPOOB;
1360 			}
1361 			if (error = as_map(p->p_as, (caddr_t)zfodbase,
1362 			    zfodlen, segvn_create, &crargs))
1363 				goto bad;
1364 			if (prot != PROT_ZFOD) {
1365 				(void) as_setprot(p->p_as, (caddr_t)zfodbase,
1366 				    zfodlen, prot);
1367 			}
1368 		}
1369 	}
1370 	return (0);
1371 bad:
1372 	return (error);
1373 }
1374 
1375 void
1376 setexecenv(struct execenv *ep)
1377 {
1378 	proc_t *p = ttoproc(curthread);
1379 	klwp_t *lwp = ttolwp(curthread);
1380 	struct vnode *vp;
1381 
1382 	p->p_bssbase = ep->ex_bssbase;
1383 	p->p_brkbase = ep->ex_brkbase;
1384 	p->p_brksize = ep->ex_brksize;
1385 	if (p->p_exec)
1386 		VN_RELE(p->p_exec);	/* out with the old */
1387 	vp = p->p_exec = ep->ex_vp;
1388 	if (vp != NULL)
1389 		VN_HOLD(vp);		/* in with the new */
1390 
1391 	lwp->lwp_sigaltstack.ss_sp = 0;
1392 	lwp->lwp_sigaltstack.ss_size = 0;
1393 	lwp->lwp_sigaltstack.ss_flags = SS_DISABLE;
1394 }
1395 
1396 int
1397 execopen(struct vnode **vpp, int *fdp)
1398 {
1399 	struct vnode *vp = *vpp;
1400 	file_t *fp;
1401 	int error = 0;
1402 	int filemode = FREAD;
1403 
1404 	VN_HOLD(vp);		/* open reference */
1405 	if (error = falloc(NULL, filemode, &fp, fdp)) {
1406 		VN_RELE(vp);
1407 		*fdp = -1;	/* just in case falloc changed value */
1408 		return (error);
1409 	}
1410 	if (error = VOP_OPEN(&vp, filemode, CRED(), NULL)) {
1411 		VN_RELE(vp);
1412 		setf(*fdp, NULL);
1413 		unfalloc(fp);
1414 		*fdp = -1;
1415 		return (error);
1416 	}
1417 	*vpp = vp;		/* vnode should not have changed */
1418 	fp->f_vnode = vp;
1419 	mutex_exit(&fp->f_tlock);
1420 	setf(*fdp, fp);
1421 	return (0);
1422 }
1423 
1424 int
1425 execclose(int fd)
1426 {
1427 	return (closeandsetf(fd, NULL));
1428 }
1429 
1430 
1431 /*
1432  * noexec stub function.
1433  */
1434 /*ARGSUSED*/
1435 int
1436 noexec(
1437     struct vnode *vp,
1438     struct execa *uap,
1439     struct uarg *args,
1440     struct intpdata *idatap,
1441     int level,
1442     long *execsz,
1443     int setid,
1444     caddr_t exec_file,
1445     struct cred *cred)
1446 {
1447 	cmn_err(CE_WARN, "missing exec capability for %s", uap->fname);
1448 	return (ENOEXEC);
1449 }
1450 
1451 /*
1452  * Support routines for building a user stack.
1453  *
1454  * execve(path, argv, envp) must construct a new stack with the specified
1455  * arguments and environment variables (see exec_args() for a description
1456  * of the user stack layout).  To do this, we copy the arguments and
1457  * environment variables from the old user address space into the kernel,
1458  * free the old as, create the new as, and copy our buffered information
1459  * to the new stack.  Our kernel buffer has the following structure:
1460  *
1461  *	+-----------------------+ <--- stk_base + stk_size
1462  *	| string offsets	|
1463  *	+-----------------------+ <--- stk_offp
1464  *	|			|
1465  *	| STK_AVAIL() space	|
1466  *	|			|
1467  *	+-----------------------+ <--- stk_strp
1468  *	| strings		|
1469  *	+-----------------------+ <--- stk_base
1470  *
1471  * When we add a string, we store the string's contents (including the null
1472  * terminator) at stk_strp, and we store the offset of the string relative to
1473  * stk_base at --stk_offp.  At strings are added, stk_strp increases and
1474  * stk_offp decreases.  The amount of space remaining, STK_AVAIL(), is just
1475  * the difference between these pointers.  If we run out of space, we return
1476  * an error and exec_args() starts all over again with a buffer twice as large.
1477  * When we're all done, the kernel buffer looks like this:
1478  *
1479  *	+-----------------------+ <--- stk_base + stk_size
1480  *	| argv[0] offset	|
1481  *	+-----------------------+
1482  *	| ...			|
1483  *	+-----------------------+
1484  *	| argv[argc-1] offset	|
1485  *	+-----------------------+
1486  *	| envp[0] offset	|
1487  *	+-----------------------+
1488  *	| ...			|
1489  *	+-----------------------+
1490  *	| envp[envc-1] offset	|
1491  *	+-----------------------+
1492  *	| AT_SUN_PLATFORM offset|
1493  *	+-----------------------+
1494  *	| AT_SUN_EXECNAME offset|
1495  *	+-----------------------+ <--- stk_offp
1496  *	|			|
1497  *	| STK_AVAIL() space	|
1498  *	|			|
1499  *	+-----------------------+ <--- stk_strp
1500  *	| AT_SUN_EXECNAME offset|
1501  *	+-----------------------+
1502  *	| AT_SUN_PLATFORM offset|
1503  *	+-----------------------+
1504  *	| envp[envc-1] string	|
1505  *	+-----------------------+
1506  *	| ...			|
1507  *	+-----------------------+
1508  *	| envp[0] string	|
1509  *	+-----------------------+
1510  *	| argv[argc-1] string	|
1511  *	+-----------------------+
1512  *	| ...			|
1513  *	+-----------------------+
1514  *	| argv[0] string	|
1515  *	+-----------------------+ <--- stk_base
1516  */
1517 
1518 #define	STK_AVAIL(args)		((char *)(args)->stk_offp - (args)->stk_strp)
1519 
1520 /*
1521  * Add a string to the stack.
1522  */
1523 static int
1524 stk_add(uarg_t *args, const char *sp, enum uio_seg segflg)
1525 {
1526 	int error;
1527 	size_t len;
1528 
1529 	if (STK_AVAIL(args) < sizeof (int))
1530 		return (E2BIG);
1531 	*--args->stk_offp = args->stk_strp - args->stk_base;
1532 
1533 	if (segflg == UIO_USERSPACE) {
1534 		error = copyinstr(sp, args->stk_strp, STK_AVAIL(args), &len);
1535 		if (error != 0)
1536 			return (error);
1537 	} else {
1538 		len = strlen(sp) + 1;
1539 		if (len > STK_AVAIL(args))
1540 			return (E2BIG);
1541 		bcopy(sp, args->stk_strp, len);
1542 	}
1543 
1544 	args->stk_strp += len;
1545 
1546 	return (0);
1547 }
1548 
1549 static int
1550 stk_getptr(uarg_t *args, char *src, char **dst)
1551 {
1552 	int error;
1553 
1554 	if (args->from_model == DATAMODEL_NATIVE) {
1555 		ulong_t ptr;
1556 		error = fulword(src, &ptr);
1557 		*dst = (caddr_t)ptr;
1558 	} else {
1559 		uint32_t ptr;
1560 		error = fuword32(src, &ptr);
1561 		*dst = (caddr_t)(uintptr_t)ptr;
1562 	}
1563 	return (error);
1564 }
1565 
1566 static int
1567 stk_putptr(uarg_t *args, char *addr, char *value)
1568 {
1569 	if (args->to_model == DATAMODEL_NATIVE)
1570 		return (sulword(addr, (ulong_t)value));
1571 	else
1572 		return (suword32(addr, (uint32_t)(uintptr_t)value));
1573 }
1574 
1575 static int
1576 stk_copyin(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp)
1577 {
1578 	char *sp;
1579 	int argc, error;
1580 	int argv_empty = 0;
1581 	size_t ptrsize = args->from_ptrsize;
1582 	size_t size, pad;
1583 	char *argv = (char *)uap->argp;
1584 	char *envp = (char *)uap->envp;
1585 
1586 	/*
1587 	 * Copy interpreter's name and argument to argv[0] and argv[1].
1588 	 * In the rare case that we have nested interpreters then those names
1589 	 * and arguments are also copied to the subsequent slots in argv.
1590 	 */
1591 	if (intp != NULL && intp->intp_name[0] != NULL) {
1592 		int i;
1593 
1594 		for (i = 0; i < INTP_MAXDEPTH; i++) {
1595 			if (intp->intp_name[i] == NULL)
1596 				break;
1597 			error = stk_add(args, intp->intp_name[i], UIO_SYSSPACE);
1598 			if (error != 0)
1599 				return (error);
1600 			if (intp->intp_arg[i] != NULL) {
1601 				error = stk_add(args, intp->intp_arg[i],
1602 				    UIO_SYSSPACE);
1603 				if (error != 0)
1604 					return (error);
1605 			}
1606 		}
1607 
1608 		if (args->fname != NULL)
1609 			error = stk_add(args, args->fname, UIO_SYSSPACE);
1610 		else
1611 			error = stk_add(args, uap->fname, UIO_USERSPACE);
1612 		if (error)
1613 			return (error);
1614 
1615 		/*
1616 		 * Check for an empty argv[].
1617 		 */
1618 		if (stk_getptr(args, argv, &sp))
1619 			return (EFAULT);
1620 		if (sp == NULL)
1621 			argv_empty = 1;
1622 
1623 		argv += ptrsize;		/* ignore original argv[0] */
1624 	}
1625 
1626 	if (argv_empty == 0) {
1627 		/*
1628 		 * Add argv[] strings to the stack.
1629 		 */
1630 		for (;;) {
1631 			if (stk_getptr(args, argv, &sp))
1632 				return (EFAULT);
1633 			if (sp == NULL)
1634 				break;
1635 			if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0)
1636 				return (error);
1637 			argv += ptrsize;
1638 		}
1639 	}
1640 	argc = (int *)(args->stk_base + args->stk_size) - args->stk_offp;
1641 	args->arglen = args->stk_strp - args->stk_base;
1642 
1643 	/*
1644 	 * Add environ[] strings to the stack.
1645 	 */
1646 	if (envp != NULL) {
1647 		for (;;) {
1648 			char *tmp = args->stk_strp;
1649 			if (stk_getptr(args, envp, &sp))
1650 				return (EFAULT);
1651 			if (sp == NULL)
1652 				break;
1653 			if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0)
1654 				return (error);
1655 			if (args->scrubenv && strncmp(tmp, "LD_", 3) == 0) {
1656 				/* Undo the copied string */
1657 				args->stk_strp = tmp;
1658 				*(args->stk_offp++) = NULL;
1659 			}
1660 			envp += ptrsize;
1661 		}
1662 	}
1663 	args->na = (int *)(args->stk_base + args->stk_size) - args->stk_offp;
1664 	args->ne = args->na - argc;
1665 
1666 	/*
1667 	 * Add AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME, and
1668 	 * AT_SUN_EMULATOR strings to the stack.
1669 	 */
1670 	if (auxvpp != NULL && *auxvpp != NULL) {
1671 		if ((error = stk_add(args, platform, UIO_SYSSPACE)) != 0)
1672 			return (error);
1673 		if ((error = stk_add(args, args->pathname, UIO_SYSSPACE)) != 0)
1674 			return (error);
1675 		if (args->brandname != NULL &&
1676 		    (error = stk_add(args, args->brandname, UIO_SYSSPACE)) != 0)
1677 			return (error);
1678 		if (args->emulator != NULL &&
1679 		    (error = stk_add(args, args->emulator, UIO_SYSSPACE)) != 0)
1680 			return (error);
1681 	}
1682 
1683 	/*
1684 	 * Compute the size of the stack.  This includes all the pointers,
1685 	 * the space reserved for the aux vector, and all the strings.
1686 	 * The total number of pointers is args->na (which is argc + envc)
1687 	 * plus 4 more: (1) a pointer's worth of space for argc; (2) the NULL
1688 	 * after the last argument (i.e. argv[argc]); (3) the NULL after the
1689 	 * last environment variable (i.e. envp[envc]); and (4) the NULL after
1690 	 * all the strings, at the very top of the stack.
1691 	 */
1692 	size = (args->na + 4) * args->to_ptrsize + args->auxsize +
1693 	    (args->stk_strp - args->stk_base);
1694 
1695 	/*
1696 	 * Pad the string section with zeroes to align the stack size.
1697 	 */
1698 	pad = P2NPHASE(size, args->stk_align);
1699 
1700 	if (STK_AVAIL(args) < pad)
1701 		return (E2BIG);
1702 
1703 	args->usrstack_size = size + pad;
1704 
1705 	while (pad-- != 0)
1706 		*args->stk_strp++ = 0;
1707 
1708 	args->nc = args->stk_strp - args->stk_base;
1709 
1710 	return (0);
1711 }
1712 
1713 static int
1714 stk_copyout(uarg_t *args, char *usrstack, void **auxvpp, user_t *up)
1715 {
1716 	size_t ptrsize = args->to_ptrsize;
1717 	ssize_t pslen;
1718 	char *kstrp = args->stk_base;
1719 	char *ustrp = usrstack - args->nc - ptrsize;
1720 	char *usp = usrstack - args->usrstack_size;
1721 	int *offp = (int *)(args->stk_base + args->stk_size);
1722 	int envc = args->ne;
1723 	int argc = args->na - envc;
1724 	int i;
1725 
1726 	/*
1727 	 * Record argc for /proc.
1728 	 */
1729 	up->u_argc = argc;
1730 
1731 	/*
1732 	 * Put argc on the stack.  Note that even though it's an int,
1733 	 * it always consumes ptrsize bytes (for alignment).
1734 	 */
1735 	if (stk_putptr(args, usp, (char *)(uintptr_t)argc))
1736 		return (-1);
1737 
1738 	/*
1739 	 * Add argc space (ptrsize) to usp and record argv for /proc.
1740 	 */
1741 	up->u_argv = (uintptr_t)(usp += ptrsize);
1742 
1743 	/*
1744 	 * Put the argv[] pointers on the stack.
1745 	 */
1746 	for (i = 0; i < argc; i++, usp += ptrsize)
1747 		if (stk_putptr(args, usp, &ustrp[*--offp]))
1748 			return (-1);
1749 
1750 	/*
1751 	 * Copy arguments to u_psargs.
1752 	 */
1753 	pslen = MIN(args->arglen, PSARGSZ) - 1;
1754 	for (i = 0; i < pslen; i++)
1755 		up->u_psargs[i] = (kstrp[i] == '\0' ? ' ' : kstrp[i]);
1756 	while (i < PSARGSZ)
1757 		up->u_psargs[i++] = '\0';
1758 
1759 	/*
1760 	 * Add space for argv[]'s NULL terminator (ptrsize) to usp and
1761 	 * record envp for /proc.
1762 	 */
1763 	up->u_envp = (uintptr_t)(usp += ptrsize);
1764 
1765 	/*
1766 	 * Put the envp[] pointers on the stack.
1767 	 */
1768 	for (i = 0; i < envc; i++, usp += ptrsize)
1769 		if (stk_putptr(args, usp, &ustrp[*--offp]))
1770 			return (-1);
1771 
1772 	/*
1773 	 * Add space for envp[]'s NULL terminator (ptrsize) to usp and
1774 	 * remember where the stack ends, which is also where auxv begins.
1775 	 */
1776 	args->stackend = usp += ptrsize;
1777 
1778 	/*
1779 	 * Put all the argv[], envp[], and auxv strings on the stack.
1780 	 */
1781 	if (copyout(args->stk_base, ustrp, args->nc))
1782 		return (-1);
1783 
1784 	/*
1785 	 * Fill in the aux vector now that we know the user stack addresses
1786 	 * for the AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME and
1787 	 * AT_SUN_EMULATOR strings.
1788 	 */
1789 	if (auxvpp != NULL && *auxvpp != NULL) {
1790 		if (args->to_model == DATAMODEL_NATIVE) {
1791 			auxv_t **a = (auxv_t **)auxvpp;
1792 			ADDAUX(*a, AT_SUN_PLATFORM, (long)&ustrp[*--offp])
1793 			ADDAUX(*a, AT_SUN_EXECNAME, (long)&ustrp[*--offp])
1794 			if (args->brandname != NULL)
1795 				ADDAUX(*a,
1796 				    AT_SUN_BRANDNAME, (long)&ustrp[*--offp])
1797 			if (args->emulator != NULL)
1798 				ADDAUX(*a,
1799 				    AT_SUN_EMULATOR, (long)&ustrp[*--offp])
1800 		} else {
1801 			auxv32_t **a = (auxv32_t **)auxvpp;
1802 			ADDAUX(*a,
1803 			    AT_SUN_PLATFORM, (int)(uintptr_t)&ustrp[*--offp])
1804 			ADDAUX(*a,
1805 			    AT_SUN_EXECNAME, (int)(uintptr_t)&ustrp[*--offp])
1806 			if (args->brandname != NULL)
1807 				ADDAUX(*a, AT_SUN_BRANDNAME,
1808 				    (int)(uintptr_t)&ustrp[*--offp])
1809 			if (args->emulator != NULL)
1810 				ADDAUX(*a, AT_SUN_EMULATOR,
1811 				    (int)(uintptr_t)&ustrp[*--offp])
1812 		}
1813 	}
1814 
1815 	return (0);
1816 }
1817 
1818 /*
1819  * Though the actual stack base is constant, slew the %sp by a random aligned
1820  * amount in [0,aslr_max_stack_skew).  Mostly, this makes life slightly more
1821  * complicated for buffer overflows hoping to overwrite the return address.
1822  *
1823  * On some platforms this helps avoid cache thrashing when identical processes
1824  * simultaneously share caches that don't provide enough associativity
1825  * (e.g. sun4v systems). In this case stack slewing makes the same hot stack
1826  * variables in different processes live in different cache sets increasing
1827  * effective associativity.
1828  */
1829 size_t
1830 exec_get_spslew(void)
1831 {
1832 #ifdef sun4v
1833 	static uint_t sp_color_stride = 16;
1834 	static uint_t sp_color_mask = 0x1f;
1835 	static uint_t sp_current_color = (uint_t)-1;
1836 #endif
1837 	size_t off;
1838 
1839 	ASSERT(ISP2(aslr_max_stack_skew));
1840 
1841 	if ((aslr_max_stack_skew == 0) ||
1842 	    !secflag_enabled(curproc, PROC_SEC_ASLR)) {
1843 #ifdef sun4v
1844 		uint_t spcolor = atomic_inc_32_nv(&sp_current_color);
1845 		return ((size_t)((spcolor & sp_color_mask) *
1846 		    SA(sp_color_stride)));
1847 #else
1848 		return (0);
1849 #endif
1850 	}
1851 
1852 	(void) random_get_pseudo_bytes((uint8_t *)&off, sizeof (off));
1853 	return (SA(P2PHASE(off, aslr_max_stack_skew)));
1854 }
1855 
1856 /*
1857  * Initialize a new user stack with the specified arguments and environment.
1858  * The initial user stack layout is as follows:
1859  *
1860  *	User Stack
1861  *	+---------------+ <--- curproc->p_usrstack
1862  *	|		|
1863  *	| slew		|
1864  *	|		|
1865  *	+---------------+
1866  *	| NULL		|
1867  *	+---------------+
1868  *	|		|
1869  *	| auxv strings	|
1870  *	|		|
1871  *	+---------------+
1872  *	|		|
1873  *	| envp strings	|
1874  *	|		|
1875  *	+---------------+
1876  *	|		|
1877  *	| argv strings	|
1878  *	|		|
1879  *	+---------------+ <--- ustrp
1880  *	|		|
1881  *	| aux vector	|
1882  *	|		|
1883  *	+---------------+ <--- auxv
1884  *	| NULL		|
1885  *	+---------------+
1886  *	| envp[envc-1]	|
1887  *	+---------------+
1888  *	| ...		|
1889  *	+---------------+
1890  *	| envp[0]	|
1891  *	+---------------+ <--- envp[]
1892  *	| NULL		|
1893  *	+---------------+
1894  *	| argv[argc-1]	|
1895  *	+---------------+
1896  *	| ...		|
1897  *	+---------------+
1898  *	| argv[0]	|
1899  *	+---------------+ <--- argv[]
1900  *	| argc		|
1901  *	+---------------+ <--- stack base
1902  */
1903 int
1904 exec_args(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp)
1905 {
1906 	size_t size;
1907 	int error;
1908 	proc_t *p = ttoproc(curthread);
1909 	user_t *up = PTOU(p);
1910 	char *usrstack;
1911 	rctl_entity_p_t e;
1912 	struct as *as;
1913 	extern int use_stk_lpg;
1914 	size_t sp_slew;
1915 
1916 	args->from_model = p->p_model;
1917 	if (p->p_model == DATAMODEL_NATIVE) {
1918 		args->from_ptrsize = sizeof (long);
1919 	} else {
1920 		args->from_ptrsize = sizeof (int32_t);
1921 	}
1922 
1923 	if (args->to_model == DATAMODEL_NATIVE) {
1924 		args->to_ptrsize = sizeof (long);
1925 		args->ncargs = NCARGS;
1926 		args->stk_align = STACK_ALIGN;
1927 		if (args->addr32)
1928 			usrstack = (char *)USRSTACK64_32;
1929 		else
1930 			usrstack = (char *)USRSTACK;
1931 	} else {
1932 		args->to_ptrsize = sizeof (int32_t);
1933 		args->ncargs = NCARGS32;
1934 		args->stk_align = STACK_ALIGN32;
1935 		usrstack = (char *)USRSTACK32;
1936 	}
1937 
1938 	ASSERT(P2PHASE((uintptr_t)usrstack, args->stk_align) == 0);
1939 
1940 #if defined(__sparc)
1941 	/*
1942 	 * Make sure user register windows are empty before
1943 	 * attempting to make a new stack.
1944 	 */
1945 	(void) flush_user_windows_to_stack(NULL);
1946 #endif
1947 
1948 	for (size = PAGESIZE; ; size *= 2) {
1949 		args->stk_size = size;
1950 		args->stk_base = kmem_alloc(size, KM_SLEEP);
1951 		args->stk_strp = args->stk_base;
1952 		args->stk_offp = (int *)(args->stk_base + size);
1953 		error = stk_copyin(uap, args, intp, auxvpp);
1954 		if (error == 0)
1955 			break;
1956 		kmem_free(args->stk_base, size);
1957 		if (error != E2BIG && error != ENAMETOOLONG)
1958 			return (error);
1959 		if (size >= args->ncargs)
1960 			return (E2BIG);
1961 	}
1962 
1963 	size = args->usrstack_size;
1964 
1965 	ASSERT(error == 0);
1966 	ASSERT(P2PHASE(size, args->stk_align) == 0);
1967 	ASSERT((ssize_t)STK_AVAIL(args) >= 0);
1968 
1969 	if (size > args->ncargs) {
1970 		kmem_free(args->stk_base, args->stk_size);
1971 		return (E2BIG);
1972 	}
1973 
1974 	/*
1975 	 * Leave only the current lwp and force the other lwps to exit.
1976 	 * If another lwp beat us to the punch by calling exit(), bail out.
1977 	 */
1978 	if ((error = exitlwps(0)) != 0) {
1979 		kmem_free(args->stk_base, args->stk_size);
1980 		return (error);
1981 	}
1982 
1983 	/*
1984 	 * Revoke any doors created by the process.
1985 	 */
1986 	if (p->p_door_list)
1987 		door_exit();
1988 
1989 	/*
1990 	 * Release schedctl data structures.
1991 	 */
1992 	if (p->p_pagep)
1993 		schedctl_proc_cleanup();
1994 
1995 	/*
1996 	 * Clean up any DTrace helpers for the process.
1997 	 */
1998 	if (p->p_dtrace_helpers != NULL) {
1999 		ASSERT(dtrace_helpers_cleanup != NULL);
2000 		(*dtrace_helpers_cleanup)(p);
2001 	}
2002 
2003 	mutex_enter(&p->p_lock);
2004 	/*
2005 	 * Cleanup the DTrace provider associated with this process.
2006 	 */
2007 	if (p->p_dtrace_probes) {
2008 		ASSERT(dtrace_fasttrap_exec_ptr != NULL);
2009 		dtrace_fasttrap_exec_ptr(p);
2010 	}
2011 	mutex_exit(&p->p_lock);
2012 
2013 	/*
2014 	 * discard the lwpchan cache.
2015 	 */
2016 	if (p->p_lcp != NULL)
2017 		lwpchan_destroy_cache(1);
2018 
2019 	/*
2020 	 * Delete the POSIX timers.
2021 	 */
2022 	if (p->p_itimer != NULL)
2023 		timer_exit();
2024 
2025 	/*
2026 	 * Delete the ITIMER_REALPROF interval timer.
2027 	 * The other ITIMER_* interval timers are specified
2028 	 * to be inherited across exec().
2029 	 */
2030 	delete_itimer_realprof();
2031 
2032 	if (AU_AUDITING())
2033 		audit_exec(args->stk_base, args->stk_base + args->arglen,
2034 		    args->na - args->ne, args->ne, args->pfcred);
2035 
2036 	/*
2037 	 * Ensure that we don't change resource associations while we
2038 	 * change address spaces.
2039 	 */
2040 	mutex_enter(&p->p_lock);
2041 	pool_barrier_enter();
2042 	mutex_exit(&p->p_lock);
2043 
2044 	/*
2045 	 * Destroy the old address space and create a new one.
2046 	 * From here on, any errors are fatal to the exec()ing process.
2047 	 * On error we return -1, which means the caller must SIGKILL
2048 	 * the process.
2049 	 */
2050 	relvm();
2051 
2052 	mutex_enter(&p->p_lock);
2053 	pool_barrier_exit();
2054 	mutex_exit(&p->p_lock);
2055 
2056 	up->u_execsw = args->execswp;
2057 
2058 	p->p_brkbase = NULL;
2059 	p->p_brksize = 0;
2060 	p->p_brkpageszc = 0;
2061 	p->p_stksize = 0;
2062 	p->p_stkpageszc = 0;
2063 	p->p_model = args->to_model;
2064 	p->p_usrstack = usrstack;
2065 	p->p_stkprot = args->stk_prot;
2066 	p->p_datprot = args->dat_prot;
2067 
2068 	/*
2069 	 * Reset resource controls such that all controls are again active as
2070 	 * well as appropriate to the potentially new address model for the
2071 	 * process.
2072 	 */
2073 	e.rcep_p.proc = p;
2074 	e.rcep_t = RCENTITY_PROCESS;
2075 	rctl_set_reset(p->p_rctls, p, &e);
2076 
2077 	/* Too early to call map_pgsz for the heap */
2078 	if (use_stk_lpg) {
2079 		p->p_stkpageszc = page_szc(map_pgsz(MAPPGSZ_STK, p, 0, 0, 0));
2080 	}
2081 
2082 	mutex_enter(&p->p_lock);
2083 	p->p_flag |= SAUTOLPG;	/* kernel controls page sizes */
2084 	mutex_exit(&p->p_lock);
2085 
2086 	sp_slew = exec_get_spslew();
2087 	ASSERT(P2PHASE(sp_slew, args->stk_align) == 0);
2088 	/* Be certain we don't underflow */
2089 	VERIFY((curproc->p_usrstack - (size + sp_slew)) < curproc->p_usrstack);
2090 	exec_set_sp(size + sp_slew);
2091 
2092 	as = as_alloc();
2093 	p->p_as = as;
2094 	as->a_proc = p;
2095 	if (p->p_model == DATAMODEL_ILP32 || args->addr32)
2096 		as->a_userlimit = (caddr_t)USERLIMIT32;
2097 	(void) hat_setup(as->a_hat, HAT_ALLOC);
2098 	hat_join_srd(as->a_hat, args->ex_vp);
2099 
2100 	/*
2101 	 * Finally, write out the contents of the new stack.
2102 	 */
2103 	error = stk_copyout(args, usrstack - sp_slew, auxvpp, up);
2104 	kmem_free(args->stk_base, args->stk_size);
2105 	return (error);
2106 }
2107