1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 1988, 2010, Oracle and/or its affiliates. All rights reserved.
24 */
25
26 /* Copyright (c) 1988 AT&T */
27 /* All Rights Reserved */
28
29 #include <sys/types.h>
30 #include <sys/param.h>
31 #include <sys/sysmacros.h>
32 #include <sys/systm.h>
33 #include <sys/signal.h>
34 #include <sys/cred_impl.h>
35 #include <sys/policy.h>
36 #include <sys/user.h>
37 #include <sys/errno.h>
38 #include <sys/file.h>
39 #include <sys/vfs.h>
40 #include <sys/vnode.h>
41 #include <sys/mman.h>
42 #include <sys/acct.h>
43 #include <sys/cpuvar.h>
44 #include <sys/proc.h>
45 #include <sys/cmn_err.h>
46 #include <sys/debug.h>
47 #include <sys/pathname.h>
48 #include <sys/vm.h>
49 #include <sys/lgrp.h>
50 #include <sys/vtrace.h>
51 #include <sys/exec.h>
52 #include <sys/exechdr.h>
53 #include <sys/kmem.h>
54 #include <sys/prsystm.h>
55 #include <sys/modctl.h>
56 #include <sys/vmparam.h>
57 #include <sys/door.h>
58 #include <sys/schedctl.h>
59 #include <sys/utrap.h>
60 #include <sys/systeminfo.h>
61 #include <sys/stack.h>
62 #include <sys/rctl.h>
63 #include <sys/dtrace.h>
64 #include <sys/lwpchan_impl.h>
65 #include <sys/pool.h>
66 #include <sys/sdt.h>
67 #include <sys/brand.h>
68 #include <sys/klpd.h>
69
70 #include <c2/audit.h>
71
72 #include <vm/hat.h>
73 #include <vm/anon.h>
74 #include <vm/as.h>
75 #include <vm/seg.h>
76 #include <vm/seg_vn.h>
77
78 #define PRIV_RESET 0x01 /* needs to reset privs */
79 #define PRIV_SETID 0x02 /* needs to change uids */
80 #define PRIV_SETUGID 0x04 /* is setuid/setgid/forced privs */
81 #define PRIV_INCREASE 0x08 /* child runs with more privs */
82 #define MAC_FLAGS 0x10 /* need to adjust MAC flags */
83 #define PRIV_FORCED 0x20 /* has forced privileges */
84
85 static int execsetid(struct vnode *, struct vattr *, uid_t *, uid_t *,
86 priv_set_t *, cred_t *, const char *);
87 static int hold_execsw(struct execsw *);
88
89 uint_t auxv_hwcap = 0; /* auxv AT_SUN_HWCAP value; determined on the fly */
90 #if defined(_SYSCALL32_IMPL)
91 uint_t auxv_hwcap32 = 0; /* 32-bit version of auxv_hwcap */
92 #endif
93
94 #define PSUIDFLAGS (SNOCD|SUGID)
95
96 /*
97 * exece() - system call wrapper around exec_common()
98 */
99 int
exece(const char * fname,const char ** argp,const char ** envp)100 exece(const char *fname, const char **argp, const char **envp)
101 {
102 int error;
103
104 error = exec_common(fname, argp, envp, EBA_NONE);
105 return (error ? (set_errno(error)) : 0);
106 }
107
108 int
exec_common(const char * fname,const char ** argp,const char ** envp,int brand_action)109 exec_common(const char *fname, const char **argp, const char **envp,
110 int brand_action)
111 {
112 vnode_t *vp = NULL, *dir = NULL, *tmpvp = NULL;
113 proc_t *p = ttoproc(curthread);
114 klwp_t *lwp = ttolwp(curthread);
115 struct user *up = PTOU(p);
116 long execsz; /* temporary count of exec size */
117 int i;
118 int error;
119 char exec_file[MAXCOMLEN+1];
120 struct pathname pn;
121 struct pathname resolvepn;
122 struct uarg args;
123 struct execa ua;
124 k_sigset_t savedmask;
125 lwpdir_t *lwpdir = NULL;
126 tidhash_t *tidhash;
127 lwpdir_t *old_lwpdir = NULL;
128 uint_t old_lwpdir_sz;
129 tidhash_t *old_tidhash;
130 uint_t old_tidhash_sz;
131 ret_tidhash_t *ret_tidhash;
132 lwpent_t *lep;
133 boolean_t brandme = B_FALSE;
134
135 /*
136 * exec() is not supported for the /proc agent lwp.
137 */
138 if (curthread == p->p_agenttp)
139 return (ENOTSUP);
140
141 if (brand_action != EBA_NONE) {
142 /*
143 * Brand actions are not supported for processes that are not
144 * running in a branded zone.
145 */
146 if (!ZONE_IS_BRANDED(p->p_zone))
147 return (ENOTSUP);
148
149 if (brand_action == EBA_NATIVE) {
150 /* Only branded processes can be unbranded */
151 if (!PROC_IS_BRANDED(p))
152 return (ENOTSUP);
153 } else {
154 /* Only unbranded processes can be branded */
155 if (PROC_IS_BRANDED(p))
156 return (ENOTSUP);
157 brandme = B_TRUE;
158 }
159 } else {
160 /*
161 * If this is a native zone, or if the process is already
162 * branded, then we don't need to do anything. If this is
163 * a native process in a branded zone, we need to brand the
164 * process as it exec()s the new binary.
165 */
166 if (ZONE_IS_BRANDED(p->p_zone) && !PROC_IS_BRANDED(p))
167 brandme = B_TRUE;
168 }
169
170 /*
171 * Inform /proc that an exec() has started.
172 * Hold signals that are ignored by default so that we will
173 * not be interrupted by a signal that will be ignored after
174 * successful completion of gexec().
175 */
176 mutex_enter(&p->p_lock);
177 prexecstart();
178 schedctl_finish_sigblock(curthread);
179 savedmask = curthread->t_hold;
180 sigorset(&curthread->t_hold, &ignoredefault);
181 mutex_exit(&p->p_lock);
182
183 /*
184 * Look up path name and remember last component for later.
185 * To help coreadm expand its %d token, we attempt to save
186 * the directory containing the executable in p_execdir. The
187 * first call to lookuppn() may fail and return EINVAL because
188 * dirvpp is non-NULL. In that case, we make a second call to
189 * lookuppn() with dirvpp set to NULL; p_execdir will be NULL,
190 * but coreadm is allowed to expand %d to the empty string and
191 * there are other cases in which that failure may occur.
192 */
193 if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0)
194 goto out;
195 pn_alloc(&resolvepn);
196 if ((error = lookuppn(&pn, &resolvepn, FOLLOW, &dir, &vp)) != 0) {
197 pn_free(&resolvepn);
198 pn_free(&pn);
199 if (error != EINVAL)
200 goto out;
201
202 dir = NULL;
203 if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0)
204 goto out;
205 pn_alloc(&resolvepn);
206 if ((error = lookuppn(&pn, &resolvepn, FOLLOW, NULLVPP,
207 &vp)) != 0) {
208 pn_free(&resolvepn);
209 pn_free(&pn);
210 goto out;
211 }
212 }
213 if (vp == NULL) {
214 if (dir != NULL)
215 VN_RELE(dir);
216 error = ENOENT;
217 pn_free(&resolvepn);
218 pn_free(&pn);
219 goto out;
220 }
221
222 if ((error = secpolicy_basic_exec(CRED(), vp)) != 0) {
223 if (dir != NULL)
224 VN_RELE(dir);
225 pn_free(&resolvepn);
226 pn_free(&pn);
227 VN_RELE(vp);
228 goto out;
229 }
230
231 /*
232 * We do not allow executing files in attribute directories.
233 * We test this by determining whether the resolved path
234 * contains a "/" when we're in an attribute directory;
235 * only if the pathname does not contain a "/" the resolved path
236 * points to a file in the current working (attribute) directory.
237 */
238 if ((p->p_user.u_cdir->v_flag & V_XATTRDIR) != 0 &&
239 strchr(resolvepn.pn_path, '/') == NULL) {
240 if (dir != NULL)
241 VN_RELE(dir);
242 error = EACCES;
243 pn_free(&resolvepn);
244 pn_free(&pn);
245 VN_RELE(vp);
246 goto out;
247 }
248
249 bzero(exec_file, MAXCOMLEN+1);
250 (void) strncpy(exec_file, pn.pn_path, MAXCOMLEN);
251 bzero(&args, sizeof (args));
252 args.pathname = resolvepn.pn_path;
253 /* don't free resolvepn until we are done with args */
254 pn_free(&pn);
255
256 /*
257 * If we're running in a profile shell, then call pfexecd.
258 */
259 if ((CR_FLAGS(p->p_cred) & PRIV_PFEXEC) != 0) {
260 error = pfexec_call(p->p_cred, &resolvepn, &args.pfcred,
261 &args.scrubenv);
262
263 /* Returning errno in case we're not allowed to execute. */
264 if (error > 0) {
265 if (dir != NULL)
266 VN_RELE(dir);
267 pn_free(&resolvepn);
268 VN_RELE(vp);
269 goto out;
270 }
271
272 /* Don't change the credentials when using old ptrace. */
273 if (args.pfcred != NULL &&
274 (p->p_proc_flag & P_PR_PTRACE) != 0) {
275 crfree(args.pfcred);
276 args.pfcred = NULL;
277 args.scrubenv = B_FALSE;
278 }
279 }
280
281 /*
282 * Specific exec handlers, or policies determined via
283 * /etc/system may override the historical default.
284 */
285 args.stk_prot = PROT_ZFOD;
286 args.dat_prot = PROT_ZFOD;
287
288 CPU_STATS_ADD_K(sys, sysexec, 1);
289 DTRACE_PROC1(exec, char *, args.pathname);
290
291 ua.fname = fname;
292 ua.argp = argp;
293 ua.envp = envp;
294
295 /* If necessary, brand this process before we start the exec. */
296 if (brandme)
297 brand_setbrand(p);
298
299 if ((error = gexec(&vp, &ua, &args, NULL, 0, &execsz,
300 exec_file, p->p_cred, brand_action)) != 0) {
301 if (brandme)
302 brand_clearbrand(p, B_FALSE);
303 VN_RELE(vp);
304 if (dir != NULL)
305 VN_RELE(dir);
306 pn_free(&resolvepn);
307 goto fail;
308 }
309
310 /*
311 * Free floating point registers (sun4u only)
312 */
313 ASSERT(lwp != NULL);
314 lwp_freeregs(lwp, 1);
315
316 /*
317 * Free thread and process context ops.
318 */
319 if (curthread->t_ctx)
320 freectx(curthread, 1);
321 if (p->p_pctx)
322 freepctx(p, 1);
323
324 /*
325 * Remember file name for accounting; clear any cached DTrace predicate.
326 */
327 up->u_acflag &= ~AFORK;
328 bcopy(exec_file, up->u_comm, MAXCOMLEN+1);
329 curthread->t_predcache = NULL;
330
331 /*
332 * Clear contract template state
333 */
334 lwp_ctmpl_clear(lwp);
335
336 /*
337 * Save the directory in which we found the executable for expanding
338 * the %d token used in core file patterns.
339 */
340 mutex_enter(&p->p_lock);
341 tmpvp = p->p_execdir;
342 p->p_execdir = dir;
343 if (p->p_execdir != NULL)
344 VN_HOLD(p->p_execdir);
345 mutex_exit(&p->p_lock);
346
347 if (tmpvp != NULL)
348 VN_RELE(tmpvp);
349
350 /*
351 * Reset stack state to the user stack, clear set of signals
352 * caught on the signal stack, and reset list of signals that
353 * restart system calls; the new program's environment should
354 * not be affected by detritus from the old program. Any
355 * pending held signals remain held, so don't clear t_hold.
356 */
357 mutex_enter(&p->p_lock);
358 lwp->lwp_oldcontext = 0;
359 lwp->lwp_ustack = 0;
360 lwp->lwp_old_stk_ctl = 0;
361 sigemptyset(&up->u_signodefer);
362 sigemptyset(&up->u_sigonstack);
363 sigemptyset(&up->u_sigresethand);
364 lwp->lwp_sigaltstack.ss_sp = 0;
365 lwp->lwp_sigaltstack.ss_size = 0;
366 lwp->lwp_sigaltstack.ss_flags = SS_DISABLE;
367
368 /*
369 * Make saved resource limit == current resource limit.
370 */
371 for (i = 0; i < RLIM_NLIMITS; i++) {
372 /*CONSTCOND*/
373 if (RLIM_SAVED(i)) {
374 (void) rctl_rlimit_get(rctlproc_legacy[i], p,
375 &up->u_saved_rlimit[i]);
376 }
377 }
378
379 /*
380 * If the action was to catch the signal, then the action
381 * must be reset to SIG_DFL.
382 */
383 sigdefault(p);
384 p->p_flag &= ~(SNOWAIT|SJCTL);
385 p->p_flag |= (SEXECED|SMSACCT|SMSFORK);
386 up->u_signal[SIGCLD - 1] = SIG_DFL;
387
388 /*
389 * Delete the dot4 sigqueues/signotifies.
390 */
391 sigqfree(p);
392
393 mutex_exit(&p->p_lock);
394
395 mutex_enter(&p->p_pflock);
396 p->p_prof.pr_base = NULL;
397 p->p_prof.pr_size = 0;
398 p->p_prof.pr_off = 0;
399 p->p_prof.pr_scale = 0;
400 p->p_prof.pr_samples = 0;
401 mutex_exit(&p->p_pflock);
402
403 ASSERT(curthread->t_schedctl == NULL);
404
405 #if defined(__sparc)
406 if (p->p_utraps != NULL)
407 utrap_free(p);
408 #endif /* __sparc */
409
410 /*
411 * Close all close-on-exec files.
412 */
413 close_exec(P_FINFO(p));
414 TRACE_2(TR_FAC_PROC, TR_PROC_EXEC, "proc_exec:p %p up %p", p, up);
415
416 /* Unbrand ourself if necessary. */
417 if (PROC_IS_BRANDED(p) && (brand_action == EBA_NATIVE))
418 brand_clearbrand(p, B_FALSE);
419
420 setregs(&args);
421
422 /* Mark this as an executable vnode */
423 mutex_enter(&vp->v_lock);
424 vp->v_flag |= VVMEXEC;
425 mutex_exit(&vp->v_lock);
426
427 VN_RELE(vp);
428 if (dir != NULL)
429 VN_RELE(dir);
430 pn_free(&resolvepn);
431
432 /*
433 * Allocate a new lwp directory and lwpid hash table if necessary.
434 */
435 if (curthread->t_tid != 1 || p->p_lwpdir_sz != 2) {
436 lwpdir = kmem_zalloc(2 * sizeof (lwpdir_t), KM_SLEEP);
437 lwpdir->ld_next = lwpdir + 1;
438 tidhash = kmem_zalloc(2 * sizeof (tidhash_t), KM_SLEEP);
439 if (p->p_lwpdir != NULL)
440 lep = p->p_lwpdir[curthread->t_dslot].ld_entry;
441 else
442 lep = kmem_zalloc(sizeof (*lep), KM_SLEEP);
443 }
444
445 if (PROC_IS_BRANDED(p))
446 BROP(p)->b_exec();
447
448 mutex_enter(&p->p_lock);
449 prbarrier(p);
450
451 /*
452 * Reset lwp id to the default value of 1.
453 * This is a single-threaded process now
454 * and lwp #1 is lwp_wait()able by default.
455 * The t_unpark flag should not be inherited.
456 */
457 ASSERT(p->p_lwpcnt == 1 && p->p_zombcnt == 0);
458 curthread->t_tid = 1;
459 kpreempt_disable();
460 ASSERT(curthread->t_lpl != NULL);
461 p->p_t1_lgrpid = curthread->t_lpl->lpl_lgrpid;
462 kpreempt_enable();
463 if (p->p_tr_lgrpid != LGRP_NONE && p->p_tr_lgrpid != p->p_t1_lgrpid) {
464 lgrp_update_trthr_migrations(1);
465 }
466 curthread->t_unpark = 0;
467 curthread->t_proc_flag |= TP_TWAIT;
468 curthread->t_proc_flag &= ~TP_DAEMON; /* daemons shouldn't exec */
469 p->p_lwpdaemon = 0; /* but oh well ... */
470 p->p_lwpid = 1;
471
472 /*
473 * Install the newly-allocated lwp directory and lwpid hash table
474 * and insert the current thread into the new hash table.
475 */
476 if (lwpdir != NULL) {
477 old_lwpdir = p->p_lwpdir;
478 old_lwpdir_sz = p->p_lwpdir_sz;
479 old_tidhash = p->p_tidhash;
480 old_tidhash_sz = p->p_tidhash_sz;
481 p->p_lwpdir = p->p_lwpfree = lwpdir;
482 p->p_lwpdir_sz = 2;
483 lep->le_thread = curthread;
484 lep->le_lwpid = curthread->t_tid;
485 lep->le_start = curthread->t_start;
486 lwp_hash_in(p, lep, tidhash, 2, 0);
487 p->p_tidhash = tidhash;
488 p->p_tidhash_sz = 2;
489 }
490 ret_tidhash = p->p_ret_tidhash;
491 p->p_ret_tidhash = NULL;
492
493 /*
494 * Restore the saved signal mask and
495 * inform /proc that the exec() has finished.
496 */
497 curthread->t_hold = savedmask;
498 prexecend();
499 mutex_exit(&p->p_lock);
500 if (old_lwpdir) {
501 kmem_free(old_lwpdir, old_lwpdir_sz * sizeof (lwpdir_t));
502 kmem_free(old_tidhash, old_tidhash_sz * sizeof (tidhash_t));
503 }
504 while (ret_tidhash != NULL) {
505 ret_tidhash_t *next = ret_tidhash->rth_next;
506 kmem_free(ret_tidhash->rth_tidhash,
507 ret_tidhash->rth_tidhash_sz * sizeof (tidhash_t));
508 kmem_free(ret_tidhash, sizeof (*ret_tidhash));
509 ret_tidhash = next;
510 }
511
512 ASSERT(error == 0);
513 DTRACE_PROC(exec__success);
514 return (0);
515
516 fail:
517 DTRACE_PROC1(exec__failure, int, error);
518 out: /* error return */
519 mutex_enter(&p->p_lock);
520 curthread->t_hold = savedmask;
521 prexecend();
522 mutex_exit(&p->p_lock);
523 ASSERT(error != 0);
524 return (error);
525 }
526
527
528 /*
529 * Perform generic exec duties and switchout to object-file specific
530 * handler.
531 */
532 int
gexec(struct vnode ** vpp,struct execa * uap,struct uarg * args,struct intpdata * idatap,int level,long * execsz,caddr_t exec_file,struct cred * cred,int brand_action)533 gexec(
534 struct vnode **vpp,
535 struct execa *uap,
536 struct uarg *args,
537 struct intpdata *idatap,
538 int level,
539 long *execsz,
540 caddr_t exec_file,
541 struct cred *cred,
542 int brand_action)
543 {
544 struct vnode *vp, *execvp = NULL;
545 proc_t *pp = ttoproc(curthread);
546 struct execsw *eswp;
547 int error = 0;
548 int suidflags = 0;
549 ssize_t resid;
550 uid_t uid, gid;
551 struct vattr vattr;
552 char magbuf[MAGIC_BYTES];
553 int setid;
554 cred_t *oldcred, *newcred = NULL;
555 int privflags = 0;
556 int setidfl;
557 priv_set_t fset;
558
559 /*
560 * If the SNOCD or SUGID flag is set, turn it off and remember the
561 * previous setting so we can restore it if we encounter an error.
562 */
563 if (level == 0 && (pp->p_flag & PSUIDFLAGS)) {
564 mutex_enter(&pp->p_lock);
565 suidflags = pp->p_flag & PSUIDFLAGS;
566 pp->p_flag &= ~PSUIDFLAGS;
567 mutex_exit(&pp->p_lock);
568 }
569
570 if ((error = execpermissions(*vpp, &vattr, args)) != 0)
571 goto bad_noclose;
572
573 /* need to open vnode for stateful file systems */
574 if ((error = VOP_OPEN(vpp, FREAD, CRED(), NULL)) != 0)
575 goto bad_noclose;
576 vp = *vpp;
577
578 /*
579 * Note: to support binary compatibility with SunOS a.out
580 * executables, we read in the first four bytes, as the
581 * magic number is in bytes 2-3.
582 */
583 if (error = vn_rdwr(UIO_READ, vp, magbuf, sizeof (magbuf),
584 (offset_t)0, UIO_SYSSPACE, 0, (rlim64_t)0, CRED(), &resid))
585 goto bad;
586 if (resid != 0)
587 goto bad;
588
589 if ((eswp = findexec_by_hdr(magbuf)) == NULL)
590 goto bad;
591
592 if (level == 0 &&
593 (privflags = execsetid(vp, &vattr, &uid, &gid, &fset,
594 args->pfcred == NULL ? cred : args->pfcred, args->pathname)) != 0) {
595
596 /* Pfcred is a credential with a ref count of 1 */
597
598 if (args->pfcred != NULL) {
599 privflags |= PRIV_INCREASE|PRIV_RESET;
600 newcred = cred = args->pfcred;
601 } else {
602 newcred = cred = crdup(cred);
603 }
604
605 /* If we can, drop the PA bit */
606 if ((privflags & PRIV_RESET) != 0)
607 priv_adjust_PA(cred);
608
609 if (privflags & PRIV_SETID) {
610 cred->cr_uid = uid;
611 cred->cr_gid = gid;
612 cred->cr_suid = uid;
613 cred->cr_sgid = gid;
614 }
615
616 if (privflags & MAC_FLAGS) {
617 if (!(CR_FLAGS(cred) & NET_MAC_AWARE_INHERIT))
618 CR_FLAGS(cred) &= ~NET_MAC_AWARE;
619 CR_FLAGS(cred) &= ~NET_MAC_AWARE_INHERIT;
620 }
621
622 /*
623 * Implement the privilege updates:
624 *
625 * Restrict with L:
626 *
627 * I' = I & L
628 *
629 * E' = P' = (I' + F) & A
630 *
631 * But if running under ptrace, we cap I and F with P.
632 */
633 if ((privflags & (PRIV_RESET|PRIV_FORCED)) != 0) {
634 if ((privflags & PRIV_INCREASE) != 0 &&
635 (pp->p_proc_flag & P_PR_PTRACE) != 0) {
636 priv_intersect(&CR_OPPRIV(cred),
637 &CR_IPRIV(cred));
638 priv_intersect(&CR_OPPRIV(cred), &fset);
639 }
640 priv_intersect(&CR_LPRIV(cred), &CR_IPRIV(cred));
641 CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred);
642 if (privflags & PRIV_FORCED) {
643 priv_set_PA(cred);
644 priv_union(&fset, &CR_EPRIV(cred));
645 priv_union(&fset, &CR_PPRIV(cred));
646 }
647 priv_adjust_PA(cred);
648 }
649 } else if (level == 0 && args->pfcred != NULL) {
650 newcred = cred = args->pfcred;
651 privflags |= PRIV_INCREASE;
652 /* pfcred is not forced to adhere to these settings */
653 priv_intersect(&CR_LPRIV(cred), &CR_IPRIV(cred));
654 CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred);
655 priv_adjust_PA(cred);
656 }
657
658 /* SunOS 4.x buy-back */
659 if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) &&
660 (vattr.va_mode & (VSUID|VSGID))) {
661 char path[MAXNAMELEN];
662 refstr_t *mntpt = NULL;
663 int ret = -1;
664
665 bzero(path, sizeof (path));
666 zone_hold(pp->p_zone);
667
668 ret = vnodetopath(pp->p_zone->zone_rootvp, vp, path,
669 sizeof (path), cred);
670
671 /* fallback to mountpoint if a path can't be found */
672 if ((ret != 0) || (ret == 0 && path[0] == '\0'))
673 mntpt = vfs_getmntpoint(vp->v_vfsp);
674
675 if (mntpt == NULL)
676 zcmn_err(pp->p_zone->zone_id, CE_NOTE,
677 "!uid %d: setuid execution not allowed, "
678 "file=%s", cred->cr_uid, path);
679 else
680 zcmn_err(pp->p_zone->zone_id, CE_NOTE,
681 "!uid %d: setuid execution not allowed, "
682 "fs=%s, file=%s", cred->cr_uid,
683 ZONE_PATH_TRANSLATE(refstr_value(mntpt),
684 pp->p_zone), exec_file);
685
686 if (!INGLOBALZONE(pp)) {
687 /* zone_rootpath always has trailing / */
688 if (mntpt == NULL)
689 cmn_err(CE_NOTE, "!zone: %s, uid: %d "
690 "setuid execution not allowed, file=%s%s",
691 pp->p_zone->zone_name, cred->cr_uid,
692 pp->p_zone->zone_rootpath, path + 1);
693 else
694 cmn_err(CE_NOTE, "!zone: %s, uid: %d "
695 "setuid execution not allowed, fs=%s, "
696 "file=%s", pp->p_zone->zone_name,
697 cred->cr_uid, refstr_value(mntpt),
698 exec_file);
699 }
700
701 if (mntpt != NULL)
702 refstr_rele(mntpt);
703
704 zone_rele(pp->p_zone);
705 }
706
707 /*
708 * execsetid() told us whether or not we had to change the
709 * credentials of the process. In privflags, it told us
710 * whether we gained any privileges or executed a set-uid executable.
711 */
712 setid = (privflags & (PRIV_SETUGID|PRIV_INCREASE|PRIV_FORCED));
713
714 /*
715 * Use /etc/system variable to determine if the stack
716 * should be marked as executable by default.
717 */
718 if (noexec_user_stack)
719 args->stk_prot &= ~PROT_EXEC;
720
721 args->execswp = eswp; /* Save execsw pointer in uarg for exec_func */
722 args->ex_vp = vp;
723
724 /*
725 * Traditionally, the setid flags told the sub processes whether
726 * the file just executed was set-uid or set-gid; this caused
727 * some confusion as the 'setid' flag did not match the SUGID
728 * process flag which is only set when the uids/gids do not match.
729 * A script set-gid/set-uid to the real uid/gid would start with
730 * /dev/fd/X but an executable would happily trust LD_LIBRARY_PATH.
731 * Now we flag those cases where the calling process cannot
732 * be trusted to influence the newly exec'ed process, either
733 * because it runs with more privileges or when the uids/gids
734 * do in fact not match.
735 * This also makes the runtime linker agree with the on exec
736 * values of SNOCD and SUGID.
737 */
738 setidfl = 0;
739 if (cred->cr_uid != cred->cr_ruid || (cred->cr_rgid != cred->cr_gid &&
740 !supgroupmember(cred->cr_gid, cred))) {
741 setidfl |= EXECSETID_UGIDS;
742 }
743 if (setid & PRIV_SETUGID)
744 setidfl |= EXECSETID_SETID;
745 if (setid & PRIV_FORCED)
746 setidfl |= EXECSETID_PRIVS;
747
748 execvp = pp->p_exec;
749 if (execvp)
750 VN_HOLD(execvp);
751
752 error = (*eswp->exec_func)(vp, uap, args, idatap, level, execsz,
753 setidfl, exec_file, cred, brand_action);
754 rw_exit(eswp->exec_lock);
755 if (error != 0) {
756 if (execvp)
757 VN_RELE(execvp);
758 /*
759 * If this process's p_exec has been set to the vp of
760 * the executable by exec_func, we will return without
761 * calling VOP_CLOSE because proc_exit will close it
762 * on exit.
763 */
764 if (pp->p_exec == vp)
765 goto bad_noclose;
766 else
767 goto bad;
768 }
769
770 if (level == 0) {
771 uid_t oruid;
772
773 if (execvp != NULL) {
774 /*
775 * Close the previous executable only if we are
776 * at level 0.
777 */
778 (void) VOP_CLOSE(execvp, FREAD, 1, (offset_t)0,
779 cred, NULL);
780 }
781
782 mutex_enter(&pp->p_crlock);
783
784 oruid = pp->p_cred->cr_ruid;
785
786 if (newcred != NULL) {
787 /*
788 * Free the old credentials, and set the new ones.
789 * Do this for both the process and the (single) thread.
790 */
791 crfree(pp->p_cred);
792 pp->p_cred = cred; /* cred already held for proc */
793 crhold(cred); /* hold new cred for thread */
794 /*
795 * DTrace accesses t_cred in probe context. t_cred
796 * must always be either NULL, or point to a valid,
797 * allocated cred structure.
798 */
799 oldcred = curthread->t_cred;
800 curthread->t_cred = cred;
801 crfree(oldcred);
802
803 if (priv_basic_test >= 0 &&
804 !PRIV_ISASSERT(&CR_IPRIV(newcred),
805 priv_basic_test)) {
806 pid_t pid = pp->p_pid;
807 char *fn = PTOU(pp)->u_comm;
808
809 cmn_err(CE_WARN, "%s[%d]: exec: basic_test "
810 "privilege removed from E/I", fn, pid);
811 }
812 }
813 /*
814 * On emerging from a successful exec(), the saved
815 * uid and gid equal the effective uid and gid.
816 */
817 cred->cr_suid = cred->cr_uid;
818 cred->cr_sgid = cred->cr_gid;
819
820 /*
821 * If the real and effective ids do not match, this
822 * is a setuid process that should not dump core.
823 * The group comparison is tricky; we prevent the code
824 * from flagging SNOCD when executing with an effective gid
825 * which is a supplementary group.
826 */
827 if (cred->cr_ruid != cred->cr_uid ||
828 (cred->cr_rgid != cred->cr_gid &&
829 !supgroupmember(cred->cr_gid, cred)) ||
830 (privflags & PRIV_INCREASE) != 0)
831 suidflags = PSUIDFLAGS;
832 else
833 suidflags = 0;
834
835 mutex_exit(&pp->p_crlock);
836 if (newcred != NULL && oruid != newcred->cr_ruid) {
837 /* Note that the process remains in the same zone. */
838 mutex_enter(&pidlock);
839 upcount_dec(oruid, crgetzoneid(newcred));
840 upcount_inc(newcred->cr_ruid, crgetzoneid(newcred));
841 mutex_exit(&pidlock);
842 }
843 if (suidflags) {
844 mutex_enter(&pp->p_lock);
845 pp->p_flag |= suidflags;
846 mutex_exit(&pp->p_lock);
847 }
848 if (setid && (pp->p_proc_flag & P_PR_PTRACE) == 0) {
849 /*
850 * If process is traced via /proc, arrange to
851 * invalidate the associated /proc vnode.
852 */
853 if (pp->p_plist || (pp->p_proc_flag & P_PR_TRACE))
854 args->traceinval = 1;
855 }
856 if (pp->p_proc_flag & P_PR_PTRACE)
857 psignal(pp, SIGTRAP);
858 if (args->traceinval)
859 prinvalidate(&pp->p_user);
860 }
861 if (execvp)
862 VN_RELE(execvp);
863 return (0);
864
865 bad:
866 (void) VOP_CLOSE(vp, FREAD, 1, (offset_t)0, cred, NULL);
867
868 bad_noclose:
869 if (newcred != NULL)
870 crfree(newcred);
871 if (error == 0)
872 error = ENOEXEC;
873
874 if (suidflags) {
875 mutex_enter(&pp->p_lock);
876 pp->p_flag |= suidflags;
877 mutex_exit(&pp->p_lock);
878 }
879 return (error);
880 }
881
882 extern char *execswnames[];
883
884 struct execsw *
allocate_execsw(char * name,char * magic,size_t magic_size)885 allocate_execsw(char *name, char *magic, size_t magic_size)
886 {
887 int i, j;
888 char *ename;
889 char *magicp;
890
891 mutex_enter(&execsw_lock);
892 for (i = 0; i < nexectype; i++) {
893 if (execswnames[i] == NULL) {
894 ename = kmem_alloc(strlen(name) + 1, KM_SLEEP);
895 (void) strcpy(ename, name);
896 execswnames[i] = ename;
897 /*
898 * Set the magic number last so that we
899 * don't need to hold the execsw_lock in
900 * findexectype().
901 */
902 magicp = kmem_alloc(magic_size, KM_SLEEP);
903 for (j = 0; j < magic_size; j++)
904 magicp[j] = magic[j];
905 execsw[i].exec_magic = magicp;
906 mutex_exit(&execsw_lock);
907 return (&execsw[i]);
908 }
909 }
910 mutex_exit(&execsw_lock);
911 return (NULL);
912 }
913
914 /*
915 * Find the exec switch table entry with the corresponding magic string.
916 */
917 struct execsw *
findexecsw(char * magic)918 findexecsw(char *magic)
919 {
920 struct execsw *eswp;
921
922 for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
923 ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
924 if (magic && eswp->exec_maglen != 0 &&
925 bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0)
926 return (eswp);
927 }
928 return (NULL);
929 }
930
931 /*
932 * Find the execsw[] index for the given exec header string by looking for the
933 * magic string at a specified offset and length for each kind of executable
934 * file format until one matches. If no execsw[] entry is found, try to
935 * autoload a module for this magic string.
936 */
937 struct execsw *
findexec_by_hdr(char * header)938 findexec_by_hdr(char *header)
939 {
940 struct execsw *eswp;
941
942 for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
943 ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
944 if (header && eswp->exec_maglen != 0 &&
945 bcmp(&header[eswp->exec_magoff], eswp->exec_magic,
946 eswp->exec_maglen) == 0) {
947 if (hold_execsw(eswp) != 0)
948 return (NULL);
949 return (eswp);
950 }
951 }
952 return (NULL); /* couldn't find the type */
953 }
954
955 /*
956 * Find the execsw[] index for the given magic string. If no execsw[] entry
957 * is found, try to autoload a module for this magic string.
958 */
959 struct execsw *
findexec_by_magic(char * magic)960 findexec_by_magic(char *magic)
961 {
962 struct execsw *eswp;
963
964 for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
965 ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
966 if (magic && eswp->exec_maglen != 0 &&
967 bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0) {
968 if (hold_execsw(eswp) != 0)
969 return (NULL);
970 return (eswp);
971 }
972 }
973 return (NULL); /* couldn't find the type */
974 }
975
976 static int
hold_execsw(struct execsw * eswp)977 hold_execsw(struct execsw *eswp)
978 {
979 char *name;
980
981 rw_enter(eswp->exec_lock, RW_READER);
982 while (!LOADED_EXEC(eswp)) {
983 rw_exit(eswp->exec_lock);
984 name = execswnames[eswp-execsw];
985 ASSERT(name);
986 if (modload("exec", name) == -1)
987 return (-1);
988 rw_enter(eswp->exec_lock, RW_READER);
989 }
990 return (0);
991 }
992
993 static int
execsetid(struct vnode * vp,struct vattr * vattrp,uid_t * uidp,uid_t * gidp,priv_set_t * fset,cred_t * cr,const char * pathname)994 execsetid(struct vnode *vp, struct vattr *vattrp, uid_t *uidp, uid_t *gidp,
995 priv_set_t *fset, cred_t *cr, const char *pathname)
996 {
997 proc_t *pp = ttoproc(curthread);
998 uid_t uid, gid;
999 int privflags = 0;
1000
1001 /*
1002 * Remember credentials.
1003 */
1004 uid = cr->cr_uid;
1005 gid = cr->cr_gid;
1006
1007 /* Will try to reset the PRIV_AWARE bit later. */
1008 if ((CR_FLAGS(cr) & (PRIV_AWARE|PRIV_AWARE_INHERIT)) == PRIV_AWARE)
1009 privflags |= PRIV_RESET;
1010
1011 if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) == 0) {
1012 /*
1013 * If it's a set-uid root program we perform the
1014 * forced privilege look-aside. This has three possible
1015 * outcomes:
1016 * no look aside information -> treat as before
1017 * look aside in Limit set -> apply forced privs
1018 * look aside not in Limit set -> ignore set-uid root
1019 *
1020 * Ordinary set-uid root execution only allowed if the limit
1021 * set holds all unsafe privileges.
1022 */
1023 if (vattrp->va_mode & VSUID) {
1024 if (vattrp->va_uid == 0) {
1025 int res = get_forced_privs(cr, pathname, fset);
1026
1027 switch (res) {
1028 case -1:
1029 if (priv_issubset(&priv_unsafe,
1030 &CR_LPRIV(cr))) {
1031 uid = vattrp->va_uid;
1032 privflags |= PRIV_SETUGID;
1033 }
1034 break;
1035 case 0:
1036 privflags |= PRIV_FORCED|PRIV_INCREASE;
1037 break;
1038 default:
1039 break;
1040 }
1041 } else {
1042 uid = vattrp->va_uid;
1043 privflags |= PRIV_SETUGID;
1044 }
1045 }
1046 if (vattrp->va_mode & VSGID) {
1047 gid = vattrp->va_gid;
1048 privflags |= PRIV_SETUGID;
1049 }
1050 }
1051
1052 /*
1053 * Do we need to change our credential anyway?
1054 * This is the case when E != I or P != I, as
1055 * we need to do the assignments (with F empty and A full)
1056 * Or when I is not a subset of L; in that case we need to
1057 * enforce L.
1058 *
1059 * I' = L & I
1060 *
1061 * E' = P' = (I' + F) & A
1062 * or
1063 * E' = P' = I'
1064 */
1065 if (!priv_isequalset(&CR_EPRIV(cr), &CR_IPRIV(cr)) ||
1066 !priv_issubset(&CR_IPRIV(cr), &CR_LPRIV(cr)) ||
1067 !priv_isequalset(&CR_PPRIV(cr), &CR_IPRIV(cr)))
1068 privflags |= PRIV_RESET;
1069
1070 /* Child has more privileges than parent */
1071 if (!priv_issubset(&CR_IPRIV(cr), &CR_PPRIV(cr)))
1072 privflags |= PRIV_INCREASE;
1073
1074 /* If MAC-aware flag(s) are on, need to update cred to remove. */
1075 if ((CR_FLAGS(cr) & NET_MAC_AWARE) ||
1076 (CR_FLAGS(cr) & NET_MAC_AWARE_INHERIT))
1077 privflags |= MAC_FLAGS;
1078 /*
1079 * Set setuid/setgid protections if no ptrace() compatibility.
1080 * For privileged processes, honor setuid/setgid even in
1081 * the presence of ptrace() compatibility.
1082 */
1083 if (((pp->p_proc_flag & P_PR_PTRACE) == 0 ||
1084 PRIV_POLICY_ONLY(cr, PRIV_PROC_OWNER, (uid == 0))) &&
1085 (cr->cr_uid != uid ||
1086 cr->cr_gid != gid ||
1087 cr->cr_suid != uid ||
1088 cr->cr_sgid != gid)) {
1089 *uidp = uid;
1090 *gidp = gid;
1091 privflags |= PRIV_SETID;
1092 }
1093 return (privflags);
1094 }
1095
1096 int
execpermissions(struct vnode * vp,struct vattr * vattrp,struct uarg * args)1097 execpermissions(struct vnode *vp, struct vattr *vattrp, struct uarg *args)
1098 {
1099 int error;
1100 proc_t *p = ttoproc(curthread);
1101
1102 vattrp->va_mask = AT_MODE | AT_UID | AT_GID | AT_SIZE;
1103 if (error = VOP_GETATTR(vp, vattrp, ATTR_EXEC, p->p_cred, NULL))
1104 return (error);
1105 /*
1106 * Check the access mode.
1107 * If VPROC, ask /proc if the file is an object file.
1108 */
1109 if ((error = VOP_ACCESS(vp, VEXEC, 0, p->p_cred, NULL)) != 0 ||
1110 !(vp->v_type == VREG || (vp->v_type == VPROC && pr_isobject(vp))) ||
1111 (vp->v_vfsp->vfs_flag & VFS_NOEXEC) != 0 ||
1112 (vattrp->va_mode & (VEXEC|(VEXEC>>3)|(VEXEC>>6))) == 0) {
1113 if (error == 0)
1114 error = EACCES;
1115 return (error);
1116 }
1117
1118 if ((p->p_plist || (p->p_proc_flag & (P_PR_PTRACE|P_PR_TRACE))) &&
1119 (error = VOP_ACCESS(vp, VREAD, 0, p->p_cred, NULL))) {
1120 /*
1121 * If process is under ptrace(2) compatibility,
1122 * fail the exec(2).
1123 */
1124 if (p->p_proc_flag & P_PR_PTRACE)
1125 goto bad;
1126 /*
1127 * Process is traced via /proc.
1128 * Arrange to invalidate the /proc vnode.
1129 */
1130 args->traceinval = 1;
1131 }
1132 return (0);
1133 bad:
1134 if (error == 0)
1135 error = ENOEXEC;
1136 return (error);
1137 }
1138
1139 /*
1140 * Map a section of an executable file into the user's
1141 * address space.
1142 */
1143 int
execmap(struct vnode * vp,caddr_t addr,size_t len,size_t zfodlen,off_t offset,int prot,int page,uint_t szc)1144 execmap(struct vnode *vp, caddr_t addr, size_t len, size_t zfodlen,
1145 off_t offset, int prot, int page, uint_t szc)
1146 {
1147 int error = 0;
1148 off_t oldoffset;
1149 caddr_t zfodbase, oldaddr;
1150 size_t end, oldlen;
1151 size_t zfoddiff;
1152 label_t ljb;
1153 proc_t *p = ttoproc(curthread);
1154
1155 oldaddr = addr;
1156 addr = (caddr_t)((uintptr_t)addr & (uintptr_t)PAGEMASK);
1157 if (len) {
1158 oldlen = len;
1159 len += ((size_t)oldaddr - (size_t)addr);
1160 oldoffset = offset;
1161 offset = (off_t)((uintptr_t)offset & PAGEMASK);
1162 if (page) {
1163 spgcnt_t prefltmem, availm, npages;
1164 int preread;
1165 uint_t mflag = MAP_PRIVATE | MAP_FIXED;
1166
1167 if ((prot & (PROT_WRITE | PROT_EXEC)) == PROT_EXEC) {
1168 mflag |= MAP_TEXT;
1169 } else {
1170 mflag |= MAP_INITDATA;
1171 }
1172
1173 if (valid_usr_range(addr, len, prot, p->p_as,
1174 p->p_as->a_userlimit) != RANGE_OKAY) {
1175 error = ENOMEM;
1176 goto bad;
1177 }
1178 if (error = VOP_MAP(vp, (offset_t)offset,
1179 p->p_as, &addr, len, prot, PROT_ALL,
1180 mflag, CRED(), NULL))
1181 goto bad;
1182
1183 /*
1184 * If the segment can fit, then we prefault
1185 * the entire segment in. This is based on the
1186 * model that says the best working set of a
1187 * small program is all of its pages.
1188 */
1189 npages = (spgcnt_t)btopr(len);
1190 prefltmem = freemem - desfree;
1191 preread =
1192 (npages < prefltmem && len < PGTHRESH) ? 1 : 0;
1193
1194 /*
1195 * If we aren't prefaulting the segment,
1196 * increment "deficit", if necessary to ensure
1197 * that pages will become available when this
1198 * process starts executing.
1199 */
1200 availm = freemem - lotsfree;
1201 if (preread == 0 && npages > availm &&
1202 deficit < lotsfree) {
1203 deficit += MIN((pgcnt_t)(npages - availm),
1204 lotsfree - deficit);
1205 }
1206
1207 if (preread) {
1208 TRACE_2(TR_FAC_PROC, TR_EXECMAP_PREREAD,
1209 "execmap preread:freemem %d size %lu",
1210 freemem, len);
1211 (void) as_fault(p->p_as->a_hat, p->p_as,
1212 (caddr_t)addr, len, F_INVAL, S_READ);
1213 }
1214 } else {
1215 if (valid_usr_range(addr, len, prot, p->p_as,
1216 p->p_as->a_userlimit) != RANGE_OKAY) {
1217 error = ENOMEM;
1218 goto bad;
1219 }
1220
1221 if (error = as_map(p->p_as, addr, len,
1222 segvn_create, zfod_argsp))
1223 goto bad;
1224 /*
1225 * Read in the segment in one big chunk.
1226 */
1227 if (error = vn_rdwr(UIO_READ, vp, (caddr_t)oldaddr,
1228 oldlen, (offset_t)oldoffset, UIO_USERSPACE, 0,
1229 (rlim64_t)0, CRED(), (ssize_t *)0))
1230 goto bad;
1231 /*
1232 * Now set protections.
1233 */
1234 if (prot != PROT_ZFOD) {
1235 (void) as_setprot(p->p_as, (caddr_t)addr,
1236 len, prot);
1237 }
1238 }
1239 }
1240
1241 if (zfodlen) {
1242 struct as *as = curproc->p_as;
1243 struct seg *seg;
1244 uint_t zprot = 0;
1245
1246 end = (size_t)addr + len;
1247 zfodbase = (caddr_t)roundup(end, PAGESIZE);
1248 zfoddiff = (uintptr_t)zfodbase - end;
1249 if (zfoddiff) {
1250 /*
1251 * Before we go to zero the remaining space on the last
1252 * page, make sure we have write permission.
1253 */
1254
1255 AS_LOCK_ENTER(as, &as->a_lock, RW_READER);
1256 seg = as_segat(curproc->p_as, (caddr_t)end);
1257 if (seg != NULL)
1258 SEGOP_GETPROT(seg, (caddr_t)end, zfoddiff - 1,
1259 &zprot);
1260 AS_LOCK_EXIT(as, &as->a_lock);
1261
1262 if (seg != NULL && (zprot & PROT_WRITE) == 0) {
1263 (void) as_setprot(as, (caddr_t)end,
1264 zfoddiff - 1, zprot | PROT_WRITE);
1265 }
1266
1267 if (on_fault(&ljb)) {
1268 no_fault();
1269 if (seg != NULL && (zprot & PROT_WRITE) == 0)
1270 (void) as_setprot(as, (caddr_t)end,
1271 zfoddiff - 1, zprot);
1272 error = EFAULT;
1273 goto bad;
1274 }
1275 uzero((void *)end, zfoddiff);
1276 no_fault();
1277 if (seg != NULL && (zprot & PROT_WRITE) == 0)
1278 (void) as_setprot(as, (caddr_t)end,
1279 zfoddiff - 1, zprot);
1280 }
1281 if (zfodlen > zfoddiff) {
1282 struct segvn_crargs crargs =
1283 SEGVN_ZFOD_ARGS(PROT_ZFOD, PROT_ALL);
1284
1285 zfodlen -= zfoddiff;
1286 if (valid_usr_range(zfodbase, zfodlen, prot, p->p_as,
1287 p->p_as->a_userlimit) != RANGE_OKAY) {
1288 error = ENOMEM;
1289 goto bad;
1290 }
1291 if (szc > 0) {
1292 /*
1293 * ASSERT alignment because the mapelfexec()
1294 * caller for the szc > 0 case extended zfod
1295 * so it's end is pgsz aligned.
1296 */
1297 size_t pgsz = page_get_pagesize(szc);
1298 ASSERT(IS_P2ALIGNED(zfodbase + zfodlen, pgsz));
1299
1300 if (IS_P2ALIGNED(zfodbase, pgsz)) {
1301 crargs.szc = szc;
1302 } else {
1303 crargs.szc = AS_MAP_HEAP;
1304 }
1305 } else {
1306 crargs.szc = AS_MAP_NO_LPOOB;
1307 }
1308 if (error = as_map(p->p_as, (caddr_t)zfodbase,
1309 zfodlen, segvn_create, &crargs))
1310 goto bad;
1311 if (prot != PROT_ZFOD) {
1312 (void) as_setprot(p->p_as, (caddr_t)zfodbase,
1313 zfodlen, prot);
1314 }
1315 }
1316 }
1317 return (0);
1318 bad:
1319 return (error);
1320 }
1321
1322 void
setexecenv(struct execenv * ep)1323 setexecenv(struct execenv *ep)
1324 {
1325 proc_t *p = ttoproc(curthread);
1326 klwp_t *lwp = ttolwp(curthread);
1327 struct vnode *vp;
1328
1329 p->p_bssbase = ep->ex_bssbase;
1330 p->p_brkbase = ep->ex_brkbase;
1331 p->p_brksize = ep->ex_brksize;
1332 if (p->p_exec)
1333 VN_RELE(p->p_exec); /* out with the old */
1334 vp = p->p_exec = ep->ex_vp;
1335 if (vp != NULL)
1336 VN_HOLD(vp); /* in with the new */
1337
1338 lwp->lwp_sigaltstack.ss_sp = 0;
1339 lwp->lwp_sigaltstack.ss_size = 0;
1340 lwp->lwp_sigaltstack.ss_flags = SS_DISABLE;
1341 }
1342
1343 int
execopen(struct vnode ** vpp,int * fdp)1344 execopen(struct vnode **vpp, int *fdp)
1345 {
1346 struct vnode *vp = *vpp;
1347 file_t *fp;
1348 int error = 0;
1349 int filemode = FREAD;
1350
1351 VN_HOLD(vp); /* open reference */
1352 if (error = falloc(NULL, filemode, &fp, fdp)) {
1353 VN_RELE(vp);
1354 *fdp = -1; /* just in case falloc changed value */
1355 return (error);
1356 }
1357 if (error = VOP_OPEN(&vp, filemode, CRED(), NULL)) {
1358 VN_RELE(vp);
1359 setf(*fdp, NULL);
1360 unfalloc(fp);
1361 *fdp = -1;
1362 return (error);
1363 }
1364 *vpp = vp; /* vnode should not have changed */
1365 fp->f_vnode = vp;
1366 mutex_exit(&fp->f_tlock);
1367 setf(*fdp, fp);
1368 return (0);
1369 }
1370
1371 int
execclose(int fd)1372 execclose(int fd)
1373 {
1374 return (closeandsetf(fd, NULL));
1375 }
1376
1377
1378 /*
1379 * noexec stub function.
1380 */
1381 /*ARGSUSED*/
1382 int
noexec(struct vnode * vp,struct execa * uap,struct uarg * args,struct intpdata * idatap,int level,long * execsz,int setid,caddr_t exec_file,struct cred * cred)1383 noexec(
1384 struct vnode *vp,
1385 struct execa *uap,
1386 struct uarg *args,
1387 struct intpdata *idatap,
1388 int level,
1389 long *execsz,
1390 int setid,
1391 caddr_t exec_file,
1392 struct cred *cred)
1393 {
1394 cmn_err(CE_WARN, "missing exec capability for %s", uap->fname);
1395 return (ENOEXEC);
1396 }
1397
1398 /*
1399 * Support routines for building a user stack.
1400 *
1401 * execve(path, argv, envp) must construct a new stack with the specified
1402 * arguments and environment variables (see exec_args() for a description
1403 * of the user stack layout). To do this, we copy the arguments and
1404 * environment variables from the old user address space into the kernel,
1405 * free the old as, create the new as, and copy our buffered information
1406 * to the new stack. Our kernel buffer has the following structure:
1407 *
1408 * +-----------------------+ <--- stk_base + stk_size
1409 * | string offsets |
1410 * +-----------------------+ <--- stk_offp
1411 * | |
1412 * | STK_AVAIL() space |
1413 * | |
1414 * +-----------------------+ <--- stk_strp
1415 * | strings |
1416 * +-----------------------+ <--- stk_base
1417 *
1418 * When we add a string, we store the string's contents (including the null
1419 * terminator) at stk_strp, and we store the offset of the string relative to
1420 * stk_base at --stk_offp. At strings are added, stk_strp increases and
1421 * stk_offp decreases. The amount of space remaining, STK_AVAIL(), is just
1422 * the difference between these pointers. If we run out of space, we return
1423 * an error and exec_args() starts all over again with a buffer twice as large.
1424 * When we're all done, the kernel buffer looks like this:
1425 *
1426 * +-----------------------+ <--- stk_base + stk_size
1427 * | argv[0] offset |
1428 * +-----------------------+
1429 * | ... |
1430 * +-----------------------+
1431 * | argv[argc-1] offset |
1432 * +-----------------------+
1433 * | envp[0] offset |
1434 * +-----------------------+
1435 * | ... |
1436 * +-----------------------+
1437 * | envp[envc-1] offset |
1438 * +-----------------------+
1439 * | AT_SUN_PLATFORM offset|
1440 * +-----------------------+
1441 * | AT_SUN_EXECNAME offset|
1442 * +-----------------------+ <--- stk_offp
1443 * | |
1444 * | STK_AVAIL() space |
1445 * | |
1446 * +-----------------------+ <--- stk_strp
1447 * | AT_SUN_EXECNAME offset|
1448 * +-----------------------+
1449 * | AT_SUN_PLATFORM offset|
1450 * +-----------------------+
1451 * | envp[envc-1] string |
1452 * +-----------------------+
1453 * | ... |
1454 * +-----------------------+
1455 * | envp[0] string |
1456 * +-----------------------+
1457 * | argv[argc-1] string |
1458 * +-----------------------+
1459 * | ... |
1460 * +-----------------------+
1461 * | argv[0] string |
1462 * +-----------------------+ <--- stk_base
1463 */
1464
1465 #define STK_AVAIL(args) ((char *)(args)->stk_offp - (args)->stk_strp)
1466
1467 /*
1468 * Add a string to the stack.
1469 */
1470 static int
stk_add(uarg_t * args,const char * sp,enum uio_seg segflg)1471 stk_add(uarg_t *args, const char *sp, enum uio_seg segflg)
1472 {
1473 int error;
1474 size_t len;
1475
1476 if (STK_AVAIL(args) < sizeof (int))
1477 return (E2BIG);
1478 *--args->stk_offp = args->stk_strp - args->stk_base;
1479
1480 if (segflg == UIO_USERSPACE) {
1481 error = copyinstr(sp, args->stk_strp, STK_AVAIL(args), &len);
1482 if (error != 0)
1483 return (error);
1484 } else {
1485 len = strlen(sp) + 1;
1486 if (len > STK_AVAIL(args))
1487 return (E2BIG);
1488 bcopy(sp, args->stk_strp, len);
1489 }
1490
1491 args->stk_strp += len;
1492
1493 return (0);
1494 }
1495
1496 static int
stk_getptr(uarg_t * args,char * src,char ** dst)1497 stk_getptr(uarg_t *args, char *src, char **dst)
1498 {
1499 int error;
1500
1501 if (args->from_model == DATAMODEL_NATIVE) {
1502 ulong_t ptr;
1503 error = fulword(src, &ptr);
1504 *dst = (caddr_t)ptr;
1505 } else {
1506 uint32_t ptr;
1507 error = fuword32(src, &ptr);
1508 *dst = (caddr_t)(uintptr_t)ptr;
1509 }
1510 return (error);
1511 }
1512
1513 static int
stk_putptr(uarg_t * args,char * addr,char * value)1514 stk_putptr(uarg_t *args, char *addr, char *value)
1515 {
1516 if (args->to_model == DATAMODEL_NATIVE)
1517 return (sulword(addr, (ulong_t)value));
1518 else
1519 return (suword32(addr, (uint32_t)(uintptr_t)value));
1520 }
1521
1522 static int
stk_copyin(execa_t * uap,uarg_t * args,intpdata_t * intp,void ** auxvpp)1523 stk_copyin(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp)
1524 {
1525 char *sp;
1526 int argc, error;
1527 int argv_empty = 0;
1528 size_t ptrsize = args->from_ptrsize;
1529 size_t size, pad;
1530 char *argv = (char *)uap->argp;
1531 char *envp = (char *)uap->envp;
1532
1533 /*
1534 * Copy interpreter's name and argument to argv[0] and argv[1].
1535 */
1536 if (intp != NULL && intp->intp_name != NULL) {
1537 if ((error = stk_add(args, intp->intp_name, UIO_SYSSPACE)) != 0)
1538 return (error);
1539 if (intp->intp_arg != NULL &&
1540 (error = stk_add(args, intp->intp_arg, UIO_SYSSPACE)) != 0)
1541 return (error);
1542 if (args->fname != NULL)
1543 error = stk_add(args, args->fname, UIO_SYSSPACE);
1544 else
1545 error = stk_add(args, uap->fname, UIO_USERSPACE);
1546 if (error)
1547 return (error);
1548
1549 /*
1550 * Check for an empty argv[].
1551 */
1552 if (stk_getptr(args, argv, &sp))
1553 return (EFAULT);
1554 if (sp == NULL)
1555 argv_empty = 1;
1556
1557 argv += ptrsize; /* ignore original argv[0] */
1558 }
1559
1560 if (argv_empty == 0) {
1561 /*
1562 * Add argv[] strings to the stack.
1563 */
1564 for (;;) {
1565 if (stk_getptr(args, argv, &sp))
1566 return (EFAULT);
1567 if (sp == NULL)
1568 break;
1569 if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0)
1570 return (error);
1571 argv += ptrsize;
1572 }
1573 }
1574 argc = (int *)(args->stk_base + args->stk_size) - args->stk_offp;
1575 args->arglen = args->stk_strp - args->stk_base;
1576
1577 /*
1578 * Add environ[] strings to the stack.
1579 */
1580 if (envp != NULL) {
1581 for (;;) {
1582 char *tmp = args->stk_strp;
1583 if (stk_getptr(args, envp, &sp))
1584 return (EFAULT);
1585 if (sp == NULL)
1586 break;
1587 if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0)
1588 return (error);
1589 if (args->scrubenv && strncmp(tmp, "LD_", 3) == 0) {
1590 /* Undo the copied string */
1591 args->stk_strp = tmp;
1592 *(args->stk_offp++) = NULL;
1593 }
1594 envp += ptrsize;
1595 }
1596 }
1597 args->na = (int *)(args->stk_base + args->stk_size) - args->stk_offp;
1598 args->ne = args->na - argc;
1599
1600 /*
1601 * Add AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME, and
1602 * AT_SUN_EMULATOR strings to the stack.
1603 */
1604 if (auxvpp != NULL && *auxvpp != NULL) {
1605 if ((error = stk_add(args, platform, UIO_SYSSPACE)) != 0)
1606 return (error);
1607 if ((error = stk_add(args, args->pathname, UIO_SYSSPACE)) != 0)
1608 return (error);
1609 if (args->brandname != NULL &&
1610 (error = stk_add(args, args->brandname, UIO_SYSSPACE)) != 0)
1611 return (error);
1612 if (args->emulator != NULL &&
1613 (error = stk_add(args, args->emulator, UIO_SYSSPACE)) != 0)
1614 return (error);
1615 }
1616
1617 /*
1618 * Compute the size of the stack. This includes all the pointers,
1619 * the space reserved for the aux vector, and all the strings.
1620 * The total number of pointers is args->na (which is argc + envc)
1621 * plus 4 more: (1) a pointer's worth of space for argc; (2) the NULL
1622 * after the last argument (i.e. argv[argc]); (3) the NULL after the
1623 * last environment variable (i.e. envp[envc]); and (4) the NULL after
1624 * all the strings, at the very top of the stack.
1625 */
1626 size = (args->na + 4) * args->to_ptrsize + args->auxsize +
1627 (args->stk_strp - args->stk_base);
1628
1629 /*
1630 * Pad the string section with zeroes to align the stack size.
1631 */
1632 pad = P2NPHASE(size, args->stk_align);
1633
1634 if (STK_AVAIL(args) < pad)
1635 return (E2BIG);
1636
1637 args->usrstack_size = size + pad;
1638
1639 while (pad-- != 0)
1640 *args->stk_strp++ = 0;
1641
1642 args->nc = args->stk_strp - args->stk_base;
1643
1644 return (0);
1645 }
1646
1647 static int
stk_copyout(uarg_t * args,char * usrstack,void ** auxvpp,user_t * up)1648 stk_copyout(uarg_t *args, char *usrstack, void **auxvpp, user_t *up)
1649 {
1650 size_t ptrsize = args->to_ptrsize;
1651 ssize_t pslen;
1652 char *kstrp = args->stk_base;
1653 char *ustrp = usrstack - args->nc - ptrsize;
1654 char *usp = usrstack - args->usrstack_size;
1655 int *offp = (int *)(args->stk_base + args->stk_size);
1656 int envc = args->ne;
1657 int argc = args->na - envc;
1658 int i;
1659
1660 /*
1661 * Record argc for /proc.
1662 */
1663 up->u_argc = argc;
1664
1665 /*
1666 * Put argc on the stack. Note that even though it's an int,
1667 * it always consumes ptrsize bytes (for alignment).
1668 */
1669 if (stk_putptr(args, usp, (char *)(uintptr_t)argc))
1670 return (-1);
1671
1672 /*
1673 * Add argc space (ptrsize) to usp and record argv for /proc.
1674 */
1675 up->u_argv = (uintptr_t)(usp += ptrsize);
1676
1677 /*
1678 * Put the argv[] pointers on the stack.
1679 */
1680 for (i = 0; i < argc; i++, usp += ptrsize)
1681 if (stk_putptr(args, usp, &ustrp[*--offp]))
1682 return (-1);
1683
1684 /*
1685 * Copy arguments to u_psargs.
1686 */
1687 pslen = MIN(args->arglen, PSARGSZ) - 1;
1688 for (i = 0; i < pslen; i++)
1689 up->u_psargs[i] = (kstrp[i] == '\0' ? ' ' : kstrp[i]);
1690 while (i < PSARGSZ)
1691 up->u_psargs[i++] = '\0';
1692
1693 /*
1694 * Add space for argv[]'s NULL terminator (ptrsize) to usp and
1695 * record envp for /proc.
1696 */
1697 up->u_envp = (uintptr_t)(usp += ptrsize);
1698
1699 /*
1700 * Put the envp[] pointers on the stack.
1701 */
1702 for (i = 0; i < envc; i++, usp += ptrsize)
1703 if (stk_putptr(args, usp, &ustrp[*--offp]))
1704 return (-1);
1705
1706 /*
1707 * Add space for envp[]'s NULL terminator (ptrsize) to usp and
1708 * remember where the stack ends, which is also where auxv begins.
1709 */
1710 args->stackend = usp += ptrsize;
1711
1712 /*
1713 * Put all the argv[], envp[], and auxv strings on the stack.
1714 */
1715 if (copyout(args->stk_base, ustrp, args->nc))
1716 return (-1);
1717
1718 /*
1719 * Fill in the aux vector now that we know the user stack addresses
1720 * for the AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME and
1721 * AT_SUN_EMULATOR strings.
1722 */
1723 if (auxvpp != NULL && *auxvpp != NULL) {
1724 if (args->to_model == DATAMODEL_NATIVE) {
1725 auxv_t **a = (auxv_t **)auxvpp;
1726 ADDAUX(*a, AT_SUN_PLATFORM, (long)&ustrp[*--offp])
1727 ADDAUX(*a, AT_SUN_EXECNAME, (long)&ustrp[*--offp])
1728 if (args->brandname != NULL)
1729 ADDAUX(*a,
1730 AT_SUN_BRANDNAME, (long)&ustrp[*--offp])
1731 if (args->emulator != NULL)
1732 ADDAUX(*a,
1733 AT_SUN_EMULATOR, (long)&ustrp[*--offp])
1734 } else {
1735 auxv32_t **a = (auxv32_t **)auxvpp;
1736 ADDAUX(*a,
1737 AT_SUN_PLATFORM, (int)(uintptr_t)&ustrp[*--offp])
1738 ADDAUX(*a,
1739 AT_SUN_EXECNAME, (int)(uintptr_t)&ustrp[*--offp])
1740 if (args->brandname != NULL)
1741 ADDAUX(*a, AT_SUN_BRANDNAME,
1742 (int)(uintptr_t)&ustrp[*--offp])
1743 if (args->emulator != NULL)
1744 ADDAUX(*a, AT_SUN_EMULATOR,
1745 (int)(uintptr_t)&ustrp[*--offp])
1746 }
1747 }
1748
1749 return (0);
1750 }
1751
1752 /*
1753 * Initialize a new user stack with the specified arguments and environment.
1754 * The initial user stack layout is as follows:
1755 *
1756 * User Stack
1757 * +---------------+ <--- curproc->p_usrstack
1758 * | |
1759 * | slew |
1760 * | |
1761 * +---------------+
1762 * | NULL |
1763 * +---------------+
1764 * | |
1765 * | auxv strings |
1766 * | |
1767 * +---------------+
1768 * | |
1769 * | envp strings |
1770 * | |
1771 * +---------------+
1772 * | |
1773 * | argv strings |
1774 * | |
1775 * +---------------+ <--- ustrp
1776 * | |
1777 * | aux vector |
1778 * | |
1779 * +---------------+ <--- auxv
1780 * | NULL |
1781 * +---------------+
1782 * | envp[envc-1] |
1783 * +---------------+
1784 * | ... |
1785 * +---------------+
1786 * | envp[0] |
1787 * +---------------+ <--- envp[]
1788 * | NULL |
1789 * +---------------+
1790 * | argv[argc-1] |
1791 * +---------------+
1792 * | ... |
1793 * +---------------+
1794 * | argv[0] |
1795 * +---------------+ <--- argv[]
1796 * | argc |
1797 * +---------------+ <--- stack base
1798 */
1799 int
exec_args(execa_t * uap,uarg_t * args,intpdata_t * intp,void ** auxvpp)1800 exec_args(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp)
1801 {
1802 size_t size;
1803 int error;
1804 proc_t *p = ttoproc(curthread);
1805 user_t *up = PTOU(p);
1806 char *usrstack;
1807 rctl_entity_p_t e;
1808 struct as *as;
1809 extern int use_stk_lpg;
1810 size_t sp_slew;
1811
1812 args->from_model = p->p_model;
1813 if (p->p_model == DATAMODEL_NATIVE) {
1814 args->from_ptrsize = sizeof (long);
1815 } else {
1816 args->from_ptrsize = sizeof (int32_t);
1817 }
1818
1819 if (args->to_model == DATAMODEL_NATIVE) {
1820 args->to_ptrsize = sizeof (long);
1821 args->ncargs = NCARGS;
1822 args->stk_align = STACK_ALIGN;
1823 if (args->addr32)
1824 usrstack = (char *)USRSTACK64_32;
1825 else
1826 usrstack = (char *)USRSTACK;
1827 } else {
1828 args->to_ptrsize = sizeof (int32_t);
1829 args->ncargs = NCARGS32;
1830 args->stk_align = STACK_ALIGN32;
1831 usrstack = (char *)USRSTACK32;
1832 }
1833
1834 ASSERT(P2PHASE((uintptr_t)usrstack, args->stk_align) == 0);
1835
1836 #if defined(__sparc)
1837 /*
1838 * Make sure user register windows are empty before
1839 * attempting to make a new stack.
1840 */
1841 (void) flush_user_windows_to_stack(NULL);
1842 #endif
1843
1844 for (size = PAGESIZE; ; size *= 2) {
1845 args->stk_size = size;
1846 args->stk_base = kmem_alloc(size, KM_SLEEP);
1847 args->stk_strp = args->stk_base;
1848 args->stk_offp = (int *)(args->stk_base + size);
1849 error = stk_copyin(uap, args, intp, auxvpp);
1850 if (error == 0)
1851 break;
1852 kmem_free(args->stk_base, size);
1853 if (error != E2BIG && error != ENAMETOOLONG)
1854 return (error);
1855 if (size >= args->ncargs)
1856 return (E2BIG);
1857 }
1858
1859 size = args->usrstack_size;
1860
1861 ASSERT(error == 0);
1862 ASSERT(P2PHASE(size, args->stk_align) == 0);
1863 ASSERT((ssize_t)STK_AVAIL(args) >= 0);
1864
1865 if (size > args->ncargs) {
1866 kmem_free(args->stk_base, args->stk_size);
1867 return (E2BIG);
1868 }
1869
1870 /*
1871 * Leave only the current lwp and force the other lwps to exit.
1872 * If another lwp beat us to the punch by calling exit(), bail out.
1873 */
1874 if ((error = exitlwps(0)) != 0) {
1875 kmem_free(args->stk_base, args->stk_size);
1876 return (error);
1877 }
1878
1879 /*
1880 * Revoke any doors created by the process.
1881 */
1882 if (p->p_door_list)
1883 door_exit();
1884
1885 /*
1886 * Release schedctl data structures.
1887 */
1888 if (p->p_pagep)
1889 schedctl_proc_cleanup();
1890
1891 /*
1892 * Clean up any DTrace helpers for the process.
1893 */
1894 if (p->p_dtrace_helpers != NULL) {
1895 ASSERT(dtrace_helpers_cleanup != NULL);
1896 (*dtrace_helpers_cleanup)();
1897 }
1898
1899 mutex_enter(&p->p_lock);
1900 /*
1901 * Cleanup the DTrace provider associated with this process.
1902 */
1903 if (p->p_dtrace_probes) {
1904 ASSERT(dtrace_fasttrap_exec_ptr != NULL);
1905 dtrace_fasttrap_exec_ptr(p);
1906 }
1907 mutex_exit(&p->p_lock);
1908
1909 /*
1910 * discard the lwpchan cache.
1911 */
1912 if (p->p_lcp != NULL)
1913 lwpchan_destroy_cache(1);
1914
1915 /*
1916 * Delete the POSIX timers.
1917 */
1918 if (p->p_itimer != NULL)
1919 timer_exit();
1920
1921 /*
1922 * Delete the ITIMER_REALPROF interval timer.
1923 * The other ITIMER_* interval timers are specified
1924 * to be inherited across exec().
1925 */
1926 delete_itimer_realprof();
1927
1928 if (AU_AUDITING())
1929 audit_exec(args->stk_base, args->stk_base + args->arglen,
1930 args->na - args->ne, args->ne, args->pfcred);
1931
1932 /*
1933 * Ensure that we don't change resource associations while we
1934 * change address spaces.
1935 */
1936 mutex_enter(&p->p_lock);
1937 pool_barrier_enter();
1938 mutex_exit(&p->p_lock);
1939
1940 /*
1941 * Destroy the old address space and create a new one.
1942 * From here on, any errors are fatal to the exec()ing process.
1943 * On error we return -1, which means the caller must SIGKILL
1944 * the process.
1945 */
1946 relvm();
1947
1948 mutex_enter(&p->p_lock);
1949 pool_barrier_exit();
1950 mutex_exit(&p->p_lock);
1951
1952 up->u_execsw = args->execswp;
1953
1954 p->p_brkbase = NULL;
1955 p->p_brksize = 0;
1956 p->p_brkpageszc = 0;
1957 p->p_stksize = 0;
1958 p->p_stkpageszc = 0;
1959 p->p_model = args->to_model;
1960 p->p_usrstack = usrstack;
1961 p->p_stkprot = args->stk_prot;
1962 p->p_datprot = args->dat_prot;
1963
1964 /*
1965 * Reset resource controls such that all controls are again active as
1966 * well as appropriate to the potentially new address model for the
1967 * process.
1968 */
1969 e.rcep_p.proc = p;
1970 e.rcep_t = RCENTITY_PROCESS;
1971 rctl_set_reset(p->p_rctls, p, &e);
1972
1973 /* Too early to call map_pgsz for the heap */
1974 if (use_stk_lpg) {
1975 p->p_stkpageszc = page_szc(map_pgsz(MAPPGSZ_STK, p, 0, 0, 0));
1976 }
1977
1978 mutex_enter(&p->p_lock);
1979 p->p_flag |= SAUTOLPG; /* kernel controls page sizes */
1980 mutex_exit(&p->p_lock);
1981
1982 /*
1983 * Some platforms may choose to randomize real stack start by adding a
1984 * small slew (not more than a few hundred bytes) to the top of the
1985 * stack. This helps avoid cache thrashing when identical processes
1986 * simultaneously share caches that don't provide enough associativity
1987 * (e.g. sun4v systems). In this case stack slewing makes the same hot
1988 * stack variables in different processes to live in different cache
1989 * sets increasing effective associativity.
1990 */
1991 sp_slew = exec_get_spslew();
1992 ASSERT(P2PHASE(sp_slew, args->stk_align) == 0);
1993 exec_set_sp(size + sp_slew);
1994
1995 as = as_alloc();
1996 p->p_as = as;
1997 as->a_proc = p;
1998 if (p->p_model == DATAMODEL_ILP32 || args->addr32)
1999 as->a_userlimit = (caddr_t)USERLIMIT32;
2000 (void) hat_setup(as->a_hat, HAT_ALLOC);
2001 hat_join_srd(as->a_hat, args->ex_vp);
2002
2003 /*
2004 * Finally, write out the contents of the new stack.
2005 */
2006 error = stk_copyout(args, usrstack - sp_slew, auxvpp, up);
2007 kmem_free(args->stk_base, args->stk_size);
2008 return (error);
2009 }
2010