1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 
  22 /*
  23  * Copyright (c) 1988, 2010, Oracle and/or its affiliates. All rights reserved.
  24  */
  25 
  26 /*      Copyright (c) 1988 AT&T     */
  27 /*        All Rights Reserved   */
  28 /*
  29  * Copyright 2014, Joyent, Inc.  All rights reserved.
  30  */
  31 
  32 #include <sys/types.h>
  33 #include <sys/param.h>
  34 #include <sys/sysmacros.h>
  35 #include <sys/systm.h>
  36 #include <sys/signal.h>
  37 #include <sys/cred_impl.h>
  38 #include <sys/policy.h>
  39 #include <sys/user.h>
  40 #include <sys/errno.h>
  41 #include <sys/file.h>
  42 #include <sys/vfs.h>
  43 #include <sys/vnode.h>
  44 #include <sys/mman.h>
  45 #include <sys/acct.h>
  46 #include <sys/cpuvar.h>
  47 #include <sys/proc.h>
  48 #include <sys/cmn_err.h>
  49 #include <sys/debug.h>
  50 #include <sys/pathname.h>
  51 #include <sys/vm.h>
  52 #include <sys/lgrp.h>
  53 #include <sys/vtrace.h>
  54 #include <sys/exec.h>
  55 #include <sys/exechdr.h>
  56 #include <sys/kmem.h>
  57 #include <sys/prsystm.h>
  58 #include <sys/modctl.h>
  59 #include <sys/vmparam.h>
  60 #include <sys/door.h>
  61 #include <sys/schedctl.h>
  62 #include <sys/utrap.h>
  63 #include <sys/systeminfo.h>
  64 #include <sys/stack.h>
  65 #include <sys/rctl.h>
  66 #include <sys/dtrace.h>
  67 #include <sys/lwpchan_impl.h>
  68 #include <sys/pool.h>
  69 #include <sys/sdt.h>
  70 #include <sys/brand.h>
  71 #include <sys/klpd.h>
  72 
  73 #include <c2/audit.h>
  74 
  75 #include <vm/hat.h>
  76 #include <vm/anon.h>
  77 #include <vm/as.h>
  78 #include <vm/seg.h>
  79 #include <vm/seg_vn.h>
  80 
  81 #define PRIV_RESET              0x01    /* needs to reset privs */
  82 #define PRIV_SETID              0x02    /* needs to change uids */
  83 #define PRIV_SETUGID            0x04    /* is setuid/setgid/forced privs */
  84 #define PRIV_INCREASE           0x08    /* child runs with more privs */
  85 #define MAC_FLAGS               0x10    /* need to adjust MAC flags */
  86 #define PRIV_FORCED             0x20    /* has forced privileges */
  87 
  88 static int execsetid(struct vnode *, struct vattr *, uid_t *, uid_t *,
  89     priv_set_t *, cred_t *, const char *);
  90 static int hold_execsw(struct execsw *);
  91 
  92 uint_t auxv_hwcap = 0;  /* auxv AT_SUN_HWCAP value; determined on the fly */
  93 uint_t auxv_hwcap_2 = 0;        /* AT_SUN_HWCAP2 */
  94 #if defined(_SYSCALL32_IMPL)
  95 uint_t auxv_hwcap32 = 0;        /* 32-bit version of auxv_hwcap */
  96 uint_t auxv_hwcap32_2 = 0;      /* 32-bit version of auxv_hwcap2 */
  97 #endif
  98 
  99 #define PSUIDFLAGS              (SNOCD|SUGID)
 100 
 101 /*
 102  * exece() - system call wrapper around exec_common()
 103  */
 104 int
 105 exece(const char *fname, const char **argp, const char **envp)
 106 {
 107         int error;
 108 
 109         error = exec_common(fname, argp, envp, EBA_NONE);
 110         return (error ? (set_errno(error)) : 0);
 111 }
 112 
 113 int
 114 exec_common(const char *fname, const char **argp, const char **envp,
 115     int brand_action)
 116 {
 117         vnode_t *vp = NULL, *dir = NULL, *tmpvp = NULL;
 118         proc_t *p = ttoproc(curthread);
 119         klwp_t *lwp = ttolwp(curthread);
 120         struct user *up = PTOU(p);
 121         long execsz;            /* temporary count of exec size */
 122         int i;
 123         int error;
 124         char exec_file[MAXCOMLEN+1];
 125         struct pathname pn;
 126         struct pathname resolvepn;
 127         struct uarg args;
 128         struct execa ua;
 129         k_sigset_t savedmask;
 130         lwpdir_t *lwpdir = NULL;
 131         tidhash_t *tidhash;
 132         lwpdir_t *old_lwpdir = NULL;
 133         uint_t old_lwpdir_sz;
 134         tidhash_t *old_tidhash;
 135         uint_t old_tidhash_sz;
 136         ret_tidhash_t *ret_tidhash;
 137         lwpent_t *lep;
 138         boolean_t brandme = B_FALSE;
 139 
 140         /*
 141          * exec() is not supported for the /proc agent lwp.
 142          */
 143         if (curthread == p->p_agenttp)
 144                 return (ENOTSUP);
 145 
 146         if (brand_action != EBA_NONE) {
 147                 /*
 148                  * Brand actions are not supported for processes that are not
 149                  * running in a branded zone.
 150                  */
 151                 if (!ZONE_IS_BRANDED(p->p_zone))
 152                         return (ENOTSUP);
 153 
 154                 if (brand_action == EBA_NATIVE) {
 155                         /* Only branded processes can be unbranded */
 156                         if (!PROC_IS_BRANDED(p))
 157                                 return (ENOTSUP);
 158                 } else {
 159                         /* Only unbranded processes can be branded */
 160                         if (PROC_IS_BRANDED(p))
 161                                 return (ENOTSUP);
 162                         brandme = B_TRUE;
 163                 }
 164         } else {
 165                 /*
 166                  * If this is a native zone, or if the process is already
 167                  * branded, then we don't need to do anything.  If this is
 168                  * a native process in a branded zone, we need to brand the
 169                  * process as it exec()s the new binary.
 170                  */
 171                 if (ZONE_IS_BRANDED(p->p_zone) && !PROC_IS_BRANDED(p))
 172                         brandme = B_TRUE;
 173         }
 174 
 175         /*
 176          * Inform /proc that an exec() has started.
 177          * Hold signals that are ignored by default so that we will
 178          * not be interrupted by a signal that will be ignored after
 179          * successful completion of gexec().
 180          */
 181         mutex_enter(&p->p_lock);
 182         prexecstart();
 183         schedctl_finish_sigblock(curthread);
 184         savedmask = curthread->t_hold;
 185         sigorset(&curthread->t_hold, &ignoredefault);
 186         mutex_exit(&p->p_lock);
 187 
 188         /*
 189          * Look up path name and remember last component for later.
 190          * To help coreadm expand its %d token, we attempt to save
 191          * the directory containing the executable in p_execdir. The
 192          * first call to lookuppn() may fail and return EINVAL because
 193          * dirvpp is non-NULL. In that case, we make a second call to
 194          * lookuppn() with dirvpp set to NULL; p_execdir will be NULL,
 195          * but coreadm is allowed to expand %d to the empty string and
 196          * there are other cases in which that failure may occur.
 197          */
 198         if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0)
 199                 goto out;
 200         pn_alloc(&resolvepn);
 201         if ((error = lookuppn(&pn, &resolvepn, FOLLOW, &dir, &vp)) != 0) {
 202                 pn_free(&resolvepn);
 203                 pn_free(&pn);
 204                 if (error != EINVAL)
 205                         goto out;
 206 
 207                 dir = NULL;
 208                 if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0)
 209                         goto out;
 210                 pn_alloc(&resolvepn);
 211                 if ((error = lookuppn(&pn, &resolvepn, FOLLOW, NULLVPP,
 212                     &vp)) != 0) {
 213                         pn_free(&resolvepn);
 214                         pn_free(&pn);
 215                         goto out;
 216                 }
 217         }
 218         if (vp == NULL) {
 219                 if (dir != NULL)
 220                         VN_RELE(dir);
 221                 error = ENOENT;
 222                 pn_free(&resolvepn);
 223                 pn_free(&pn);
 224                 goto out;
 225         }
 226 
 227         if ((error = secpolicy_basic_exec(CRED(), vp)) != 0) {
 228                 if (dir != NULL)
 229                         VN_RELE(dir);
 230                 pn_free(&resolvepn);
 231                 pn_free(&pn);
 232                 VN_RELE(vp);
 233                 goto out;
 234         }
 235 
 236         /*
 237          * We do not allow executing files in attribute directories.
 238          * We test this by determining whether the resolved path
 239          * contains a "/" when we're in an attribute directory;
 240          * only if the pathname does not contain a "/" the resolved path
 241          * points to a file in the current working (attribute) directory.
 242          */
 243         if ((p->p_user.u_cdir->v_flag & V_XATTRDIR) != 0 &&
 244             strchr(resolvepn.pn_path, '/') == NULL) {
 245                 if (dir != NULL)
 246                         VN_RELE(dir);
 247                 error = EACCES;
 248                 pn_free(&resolvepn);
 249                 pn_free(&pn);
 250                 VN_RELE(vp);
 251                 goto out;
 252         }
 253 
 254         bzero(exec_file, MAXCOMLEN+1);
 255         (void) strncpy(exec_file, pn.pn_path, MAXCOMLEN);
 256         bzero(&args, sizeof (args));
 257         args.pathname = resolvepn.pn_path;
 258         /* don't free resolvepn until we are done with args */
 259         pn_free(&pn);
 260 
 261         /*
 262          * If we're running in a profile shell, then call pfexecd.
 263          */
 264         if ((CR_FLAGS(p->p_cred) & PRIV_PFEXEC) != 0) {
 265                 error = pfexec_call(p->p_cred, &resolvepn, &args.pfcred,
 266                     &args.scrubenv);
 267 
 268                 /* Returning errno in case we're not allowed to execute. */
 269                 if (error > 0) {
 270                         if (dir != NULL)
 271                                 VN_RELE(dir);
 272                         pn_free(&resolvepn);
 273                         VN_RELE(vp);
 274                         goto out;
 275                 }
 276 
 277                 /* Don't change the credentials when using old ptrace. */
 278                 if (args.pfcred != NULL &&
 279                     (p->p_proc_flag & P_PR_PTRACE) != 0) {
 280                         crfree(args.pfcred);
 281                         args.pfcred = NULL;
 282                         args.scrubenv = B_FALSE;
 283                 }
 284         }
 285 
 286         /*
 287          * Specific exec handlers, or policies determined via
 288          * /etc/system may override the historical default.
 289          */
 290         args.stk_prot = PROT_ZFOD;
 291         args.dat_prot = PROT_ZFOD;
 292 
 293         CPU_STATS_ADD_K(sys, sysexec, 1);
 294         DTRACE_PROC1(exec, char *, args.pathname);
 295 
 296         ua.fname = fname;
 297         ua.argp = argp;
 298         ua.envp = envp;
 299 
 300         /* If necessary, brand this process before we start the exec. */
 301         if (brandme)
 302                 brand_setbrand(p);
 303 
 304         if ((error = gexec(&vp, &ua, &args, NULL, 0, &execsz,
 305             exec_file, p->p_cred, brand_action)) != 0) {
 306                 if (brandme)
 307                         brand_clearbrand(p, B_FALSE);
 308                 VN_RELE(vp);
 309                 if (dir != NULL)
 310                         VN_RELE(dir);
 311                 pn_free(&resolvepn);
 312                 goto fail;
 313         }
 314 
 315         /*
 316          * Free floating point registers (sun4u only)
 317          */
 318         ASSERT(lwp != NULL);
 319         lwp_freeregs(lwp, 1);
 320 
 321         /*
 322          * Free thread and process context ops.
 323          */
 324         if (curthread->t_ctx)
 325                 freectx(curthread, 1);
 326         if (p->p_pctx)
 327                 freepctx(p, 1);
 328 
 329         /*
 330          * Remember file name for accounting; clear any cached DTrace predicate.
 331          */
 332         up->u_acflag &= ~AFORK;
 333         bcopy(exec_file, up->u_comm, MAXCOMLEN+1);
 334         curthread->t_predcache = NULL;
 335 
 336         /*
 337          * Clear contract template state
 338          */
 339         lwp_ctmpl_clear(lwp);
 340 
 341         /*
 342          * Save the directory in which we found the executable for expanding
 343          * the %d token used in core file patterns.
 344          */
 345         mutex_enter(&p->p_lock);
 346         tmpvp = p->p_execdir;
 347         p->p_execdir = dir;
 348         if (p->p_execdir != NULL)
 349                 VN_HOLD(p->p_execdir);
 350         mutex_exit(&p->p_lock);
 351 
 352         if (tmpvp != NULL)
 353                 VN_RELE(tmpvp);
 354 
 355         /*
 356          * Reset stack state to the user stack, clear set of signals
 357          * caught on the signal stack, and reset list of signals that
 358          * restart system calls; the new program's environment should
 359          * not be affected by detritus from the old program.  Any
 360          * pending held signals remain held, so don't clear t_hold.
 361          */
 362         mutex_enter(&p->p_lock);
 363         lwp->lwp_oldcontext = 0;
 364         lwp->lwp_ustack = 0;
 365         lwp->lwp_old_stk_ctl = 0;
 366         sigemptyset(&up->u_signodefer);
 367         sigemptyset(&up->u_sigonstack);
 368         sigemptyset(&up->u_sigresethand);
 369         lwp->lwp_sigaltstack.ss_sp = 0;
 370         lwp->lwp_sigaltstack.ss_size = 0;
 371         lwp->lwp_sigaltstack.ss_flags = SS_DISABLE;
 372 
 373         /*
 374          * Make saved resource limit == current resource limit.
 375          */
 376         for (i = 0; i < RLIM_NLIMITS; i++) {
 377                 /*CONSTCOND*/
 378                 if (RLIM_SAVED(i)) {
 379                         (void) rctl_rlimit_get(rctlproc_legacy[i], p,
 380                             &up->u_saved_rlimit[i]);
 381                 }
 382         }
 383 
 384         /*
 385          * If the action was to catch the signal, then the action
 386          * must be reset to SIG_DFL.
 387          */
 388         sigdefault(p);
 389         p->p_flag &= ~(SNOWAIT|SJCTL);
 390         p->p_flag |= (SEXECED|SMSACCT|SMSFORK);
 391         up->u_signal[SIGCLD - 1] = SIG_DFL;
 392 
 393         /*
 394          * Delete the dot4 sigqueues/signotifies.
 395          */
 396         sigqfree(p);
 397 
 398         mutex_exit(&p->p_lock);
 399 
 400         mutex_enter(&p->p_pflock);
 401         p->p_prof.pr_base = NULL;
 402         p->p_prof.pr_size = 0;
 403         p->p_prof.pr_off = 0;
 404         p->p_prof.pr_scale = 0;
 405         p->p_prof.pr_samples = 0;
 406         mutex_exit(&p->p_pflock);
 407 
 408         ASSERT(curthread->t_schedctl == NULL);
 409 
 410 #if defined(__sparc)
 411         if (p->p_utraps != NULL)
 412                 utrap_free(p);
 413 #endif  /* __sparc */
 414 
 415         /*
 416          * Close all close-on-exec files.
 417          */
 418         close_exec(P_FINFO(p));
 419         TRACE_2(TR_FAC_PROC, TR_PROC_EXEC, "proc_exec:p %p up %p", p, up);
 420 
 421         /* Unbrand ourself if necessary. */
 422         if (PROC_IS_BRANDED(p) && (brand_action == EBA_NATIVE))
 423                 brand_clearbrand(p, B_FALSE);
 424 
 425         setregs(&args);
 426 
 427         /* Mark this as an executable vnode */
 428         mutex_enter(&vp->v_lock);
 429         vp->v_flag |= VVMEXEC;
 430         mutex_exit(&vp->v_lock);
 431 
 432         VN_RELE(vp);
 433         if (dir != NULL)
 434                 VN_RELE(dir);
 435         pn_free(&resolvepn);
 436 
 437         /*
 438          * Allocate a new lwp directory and lwpid hash table if necessary.
 439          */
 440         if (curthread->t_tid != 1 || p->p_lwpdir_sz != 2) {
 441                 lwpdir = kmem_zalloc(2 * sizeof (lwpdir_t), KM_SLEEP);
 442                 lwpdir->ld_next = lwpdir + 1;
 443                 tidhash = kmem_zalloc(2 * sizeof (tidhash_t), KM_SLEEP);
 444                 if (p->p_lwpdir != NULL)
 445                         lep = p->p_lwpdir[curthread->t_dslot].ld_entry;
 446                 else
 447                         lep = kmem_zalloc(sizeof (*lep), KM_SLEEP);
 448         }
 449 
 450         if (PROC_IS_BRANDED(p))
 451                 BROP(p)->b_exec();
 452 
 453         mutex_enter(&p->p_lock);
 454         prbarrier(p);
 455 
 456         /*
 457          * Reset lwp id to the default value of 1.
 458          * This is a single-threaded process now
 459          * and lwp #1 is lwp_wait()able by default.
 460          * The t_unpark flag should not be inherited.
 461          */
 462         ASSERT(p->p_lwpcnt == 1 && p->p_zombcnt == 0);
 463         curthread->t_tid = 1;
 464         kpreempt_disable();
 465         ASSERT(curthread->t_lpl != NULL);
 466         p->p_t1_lgrpid = curthread->t_lpl->lpl_lgrpid;
 467         kpreempt_enable();
 468         if (p->p_tr_lgrpid != LGRP_NONE && p->p_tr_lgrpid != p->p_t1_lgrpid) {
 469                 lgrp_update_trthr_migrations(1);
 470         }
 471         curthread->t_unpark = 0;
 472         curthread->t_proc_flag |= TP_TWAIT;
 473         curthread->t_proc_flag &= ~TP_DAEMON;    /* daemons shouldn't exec */
 474         p->p_lwpdaemon = 0;                  /* but oh well ... */
 475         p->p_lwpid = 1;
 476 
 477         /*
 478          * Install the newly-allocated lwp directory and lwpid hash table
 479          * and insert the current thread into the new hash table.
 480          */
 481         if (lwpdir != NULL) {
 482                 old_lwpdir = p->p_lwpdir;
 483                 old_lwpdir_sz = p->p_lwpdir_sz;
 484                 old_tidhash = p->p_tidhash;
 485                 old_tidhash_sz = p->p_tidhash_sz;
 486                 p->p_lwpdir = p->p_lwpfree = lwpdir;
 487                 p->p_lwpdir_sz = 2;
 488                 lep->le_thread = curthread;
 489                 lep->le_lwpid = curthread->t_tid;
 490                 lep->le_start = curthread->t_start;
 491                 lwp_hash_in(p, lep, tidhash, 2, 0);
 492                 p->p_tidhash = tidhash;
 493                 p->p_tidhash_sz = 2;
 494         }
 495         ret_tidhash = p->p_ret_tidhash;
 496         p->p_ret_tidhash = NULL;
 497 
 498         /*
 499          * Restore the saved signal mask and
 500          * inform /proc that the exec() has finished.
 501          */
 502         curthread->t_hold = savedmask;
 503         prexecend();
 504         mutex_exit(&p->p_lock);
 505         if (old_lwpdir) {
 506                 kmem_free(old_lwpdir, old_lwpdir_sz * sizeof (lwpdir_t));
 507                 kmem_free(old_tidhash, old_tidhash_sz * sizeof (tidhash_t));
 508         }
 509         while (ret_tidhash != NULL) {
 510                 ret_tidhash_t *next = ret_tidhash->rth_next;
 511                 kmem_free(ret_tidhash->rth_tidhash,
 512                     ret_tidhash->rth_tidhash_sz * sizeof (tidhash_t));
 513                 kmem_free(ret_tidhash, sizeof (*ret_tidhash));
 514                 ret_tidhash = next;
 515         }
 516 
 517         ASSERT(error == 0);
 518         DTRACE_PROC(exec__success);
 519         return (0);
 520 
 521 fail:
 522         DTRACE_PROC1(exec__failure, int, error);
 523 out:            /* error return */
 524         mutex_enter(&p->p_lock);
 525         curthread->t_hold = savedmask;
 526         prexecend();
 527         mutex_exit(&p->p_lock);
 528         ASSERT(error != 0);
 529         return (error);
 530 }
 531 
 532 
 533 /*
 534  * Perform generic exec duties and switchout to object-file specific
 535  * handler.
 536  */
 537 int
 538 gexec(
 539         struct vnode **vpp,
 540         struct execa *uap,
 541         struct uarg *args,
 542         struct intpdata *idatap,
 543         int level,
 544         long *execsz,
 545         caddr_t exec_file,
 546         struct cred *cred,
 547         int brand_action)
 548 {
 549         struct vnode *vp, *execvp = NULL;
 550         proc_t *pp = ttoproc(curthread);
 551         struct execsw *eswp;
 552         int error = 0;
 553         int suidflags = 0;
 554         ssize_t resid;
 555         uid_t uid, gid;
 556         struct vattr vattr;
 557         char magbuf[MAGIC_BYTES];
 558         int setid;
 559         cred_t *oldcred, *newcred = NULL;
 560         int privflags = 0;
 561         int setidfl;
 562         priv_set_t fset;
 563 
 564         /*
 565          * If the SNOCD or SUGID flag is set, turn it off and remember the
 566          * previous setting so we can restore it if we encounter an error.
 567          */
 568         if (level == 0 && (pp->p_flag & PSUIDFLAGS)) {
 569                 mutex_enter(&pp->p_lock);
 570                 suidflags = pp->p_flag & PSUIDFLAGS;
 571                 pp->p_flag &= ~PSUIDFLAGS;
 572                 mutex_exit(&pp->p_lock);
 573         }
 574 
 575         if ((error = execpermissions(*vpp, &vattr, args)) != 0)
 576                 goto bad_noclose;
 577 
 578         /* need to open vnode for stateful file systems */
 579         if ((error = VOP_OPEN(vpp, FREAD, CRED(), NULL)) != 0)
 580                 goto bad_noclose;
 581         vp = *vpp;
 582 
 583         /*
 584          * Note: to support binary compatibility with SunOS a.out
 585          * executables, we read in the first four bytes, as the
 586          * magic number is in bytes 2-3.
 587          */
 588         if (error = vn_rdwr(UIO_READ, vp, magbuf, sizeof (magbuf),
 589             (offset_t)0, UIO_SYSSPACE, 0, (rlim64_t)0, CRED(), &resid))
 590                 goto bad;
 591         if (resid != 0)
 592                 goto bad;
 593 
 594         if ((eswp = findexec_by_hdr(magbuf)) == NULL)
 595                 goto bad;
 596 
 597         if (level == 0 &&
 598             (privflags = execsetid(vp, &vattr, &uid, &gid, &fset,
 599             args->pfcred == NULL ? cred : args->pfcred, args->pathname)) != 0) {
 600 
 601                 /* Pfcred is a credential with a ref count of 1 */
 602 
 603                 if (args->pfcred != NULL) {
 604                         privflags |= PRIV_INCREASE|PRIV_RESET;
 605                         newcred = cred = args->pfcred;
 606                 } else {
 607                         newcred = cred = crdup(cred);
 608                 }
 609 
 610                 /* If we can, drop the PA bit */
 611                 if ((privflags & PRIV_RESET) != 0)
 612                         priv_adjust_PA(cred);
 613 
 614                 if (privflags & PRIV_SETID) {
 615                         cred->cr_uid = uid;
 616                         cred->cr_gid = gid;
 617                         cred->cr_suid = uid;
 618                         cred->cr_sgid = gid;
 619                 }
 620 
 621                 if (privflags & MAC_FLAGS) {
 622                         if (!(CR_FLAGS(cred) & NET_MAC_AWARE_INHERIT))
 623                                 CR_FLAGS(cred) &= ~NET_MAC_AWARE;
 624                         CR_FLAGS(cred) &= ~NET_MAC_AWARE_INHERIT;
 625                 }
 626 
 627                 /*
 628                  * Implement the privilege updates:
 629                  *
 630                  * Restrict with L:
 631                  *
 632                  *      I' = I & L
 633                  *
 634                  *      E' = P' = (I' + F) & A
 635                  *
 636                  * But if running under ptrace, we cap I and F with P.
 637                  */
 638                 if ((privflags & (PRIV_RESET|PRIV_FORCED)) != 0) {
 639                         if ((privflags & PRIV_INCREASE) != 0 &&
 640                             (pp->p_proc_flag & P_PR_PTRACE) != 0) {
 641                                 priv_intersect(&CR_OPPRIV(cred),
 642                                     &CR_IPRIV(cred));
 643                                 priv_intersect(&CR_OPPRIV(cred), &fset);
 644                         }
 645                         priv_intersect(&CR_LPRIV(cred), &CR_IPRIV(cred));
 646                         CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred);
 647                         if (privflags & PRIV_FORCED) {
 648                                 priv_set_PA(cred);
 649                                 priv_union(&fset, &CR_EPRIV(cred));
 650                                 priv_union(&fset, &CR_PPRIV(cred));
 651                         }
 652                         priv_adjust_PA(cred);
 653                 }
 654         } else if (level == 0 && args->pfcred != NULL) {
 655                 newcred = cred = args->pfcred;
 656                 privflags |= PRIV_INCREASE;
 657                 /* pfcred is not forced to adhere to these settings */
 658                 priv_intersect(&CR_LPRIV(cred), &CR_IPRIV(cred));
 659                 CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred);
 660                 priv_adjust_PA(cred);
 661         }
 662 
 663         /* SunOS 4.x buy-back */
 664         if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) &&
 665             (vattr.va_mode & (VSUID|VSGID))) {
 666                 char path[MAXNAMELEN];
 667                 refstr_t *mntpt = NULL;
 668                 int ret = -1;
 669 
 670                 bzero(path, sizeof (path));
 671                 zone_hold(pp->p_zone);
 672 
 673                 ret = vnodetopath(pp->p_zone->zone_rootvp, vp, path,
 674                     sizeof (path), cred);
 675 
 676                 /* fallback to mountpoint if a path can't be found */
 677                 if ((ret != 0) || (ret == 0 && path[0] == '\0'))
 678                         mntpt = vfs_getmntpoint(vp->v_vfsp);
 679 
 680                 if (mntpt == NULL)
 681                         zcmn_err(pp->p_zone->zone_id, CE_NOTE,
 682                             "!uid %d: setuid execution not allowed, "
 683                             "file=%s", cred->cr_uid, path);
 684                 else
 685                         zcmn_err(pp->p_zone->zone_id, CE_NOTE,
 686                             "!uid %d: setuid execution not allowed, "
 687                             "fs=%s, file=%s", cred->cr_uid,
 688                             ZONE_PATH_TRANSLATE(refstr_value(mntpt),
 689                             pp->p_zone), exec_file);
 690 
 691                 if (!INGLOBALZONE(pp)) {
 692                         /* zone_rootpath always has trailing / */
 693                         if (mntpt == NULL)
 694                                 cmn_err(CE_NOTE, "!zone: %s, uid: %d "
 695                                     "setuid execution not allowed, file=%s%s",
 696                                     pp->p_zone->zone_name, cred->cr_uid,
 697                                     pp->p_zone->zone_rootpath, path + 1);
 698                         else
 699                                 cmn_err(CE_NOTE, "!zone: %s, uid: %d "
 700                                     "setuid execution not allowed, fs=%s, "
 701                                     "file=%s", pp->p_zone->zone_name,
 702                                     cred->cr_uid, refstr_value(mntpt),
 703                                     exec_file);
 704                 }
 705 
 706                 if (mntpt != NULL)
 707                         refstr_rele(mntpt);
 708 
 709                 zone_rele(pp->p_zone);
 710         }
 711 
 712         /*
 713          * execsetid() told us whether or not we had to change the
 714          * credentials of the process.  In privflags, it told us
 715          * whether we gained any privileges or executed a set-uid executable.
 716          */
 717         setid = (privflags & (PRIV_SETUGID|PRIV_INCREASE|PRIV_FORCED));
 718 
 719         /*
 720          * Use /etc/system variable to determine if the stack
 721          * should be marked as executable by default.
 722          */
 723         if (noexec_user_stack)
 724                 args->stk_prot &= ~PROT_EXEC;
 725 
 726         args->execswp = eswp; /* Save execsw pointer in uarg for exec_func */
 727         args->ex_vp = vp;
 728 
 729         /*
 730          * Traditionally, the setid flags told the sub processes whether
 731          * the file just executed was set-uid or set-gid; this caused
 732          * some confusion as the 'setid' flag did not match the SUGID
 733          * process flag which is only set when the uids/gids do not match.
 734          * A script set-gid/set-uid to the real uid/gid would start with
 735          * /dev/fd/X but an executable would happily trust LD_LIBRARY_PATH.
 736          * Now we flag those cases where the calling process cannot
 737          * be trusted to influence the newly exec'ed process, either
 738          * because it runs with more privileges or when the uids/gids
 739          * do in fact not match.
 740          * This also makes the runtime linker agree with the on exec
 741          * values of SNOCD and SUGID.
 742          */
 743         setidfl = 0;
 744         if (cred->cr_uid != cred->cr_ruid || (cred->cr_rgid != cred->cr_gid &&
 745             !supgroupmember(cred->cr_gid, cred))) {
 746                 setidfl |= EXECSETID_UGIDS;
 747         }
 748         if (setid & PRIV_SETUGID)
 749                 setidfl |= EXECSETID_SETID;
 750         if (setid & PRIV_FORCED)
 751                 setidfl |= EXECSETID_PRIVS;
 752 
 753         execvp = pp->p_exec;
 754         if (execvp)
 755                 VN_HOLD(execvp);
 756 
 757         error = (*eswp->exec_func)(vp, uap, args, idatap, level, execsz,
 758             setidfl, exec_file, cred, brand_action);
 759         rw_exit(eswp->exec_lock);
 760         if (error != 0) {
 761                 if (execvp)
 762                         VN_RELE(execvp);
 763                 /*
 764                  * If this process's p_exec has been set to the vp of
 765                  * the executable by exec_func, we will return without
 766                  * calling VOP_CLOSE because proc_exit will close it
 767                  * on exit.
 768                  */
 769                 if (pp->p_exec == vp)
 770                         goto bad_noclose;
 771                 else
 772                         goto bad;
 773         }
 774 
 775         if (level == 0) {
 776                 uid_t oruid;
 777 
 778                 if (execvp != NULL) {
 779                         /*
 780                          * Close the previous executable only if we are
 781                          * at level 0.
 782                          */
 783                         (void) VOP_CLOSE(execvp, FREAD, 1, (offset_t)0,
 784                             cred, NULL);
 785                 }
 786 
 787                 mutex_enter(&pp->p_crlock);
 788 
 789                 oruid = pp->p_cred->cr_ruid;
 790 
 791                 if (newcred != NULL) {
 792                         /*
 793                          * Free the old credentials, and set the new ones.
 794                          * Do this for both the process and the (single) thread.
 795                          */
 796                         crfree(pp->p_cred);
 797                         pp->p_cred = cred;   /* cred already held for proc */
 798                         crhold(cred);           /* hold new cred for thread */
 799                         /*
 800                          * DTrace accesses t_cred in probe context.  t_cred
 801                          * must always be either NULL, or point to a valid,
 802                          * allocated cred structure.
 803                          */
 804                         oldcred = curthread->t_cred;
 805                         curthread->t_cred = cred;
 806                         crfree(oldcred);
 807 
 808                         if (priv_basic_test >= 0 &&
 809                             !PRIV_ISASSERT(&CR_IPRIV(newcred),
 810                             priv_basic_test)) {
 811                                 pid_t pid = pp->p_pid;
 812                                 char *fn = PTOU(pp)->u_comm;
 813 
 814                                 cmn_err(CE_WARN, "%s[%d]: exec: basic_test "
 815                                     "privilege removed from E/I", fn, pid);
 816                         }
 817                 }
 818                 /*
 819                  * On emerging from a successful exec(), the saved
 820                  * uid and gid equal the effective uid and gid.
 821                  */
 822                 cred->cr_suid = cred->cr_uid;
 823                 cred->cr_sgid = cred->cr_gid;
 824 
 825                 /*
 826                  * If the real and effective ids do not match, this
 827                  * is a setuid process that should not dump core.
 828                  * The group comparison is tricky; we prevent the code
 829                  * from flagging SNOCD when executing with an effective gid
 830                  * which is a supplementary group.
 831                  */
 832                 if (cred->cr_ruid != cred->cr_uid ||
 833                     (cred->cr_rgid != cred->cr_gid &&
 834                     !supgroupmember(cred->cr_gid, cred)) ||
 835                     (privflags & PRIV_INCREASE) != 0)
 836                         suidflags = PSUIDFLAGS;
 837                 else
 838                         suidflags = 0;
 839 
 840                 mutex_exit(&pp->p_crlock);
 841                 if (newcred != NULL && oruid != newcred->cr_ruid) {
 842                         /* Note that the process remains in the same zone. */
 843                         mutex_enter(&pidlock);
 844                         upcount_dec(oruid, crgetzoneid(newcred));
 845                         upcount_inc(newcred->cr_ruid, crgetzoneid(newcred));
 846                         mutex_exit(&pidlock);
 847                 }
 848                 if (suidflags) {
 849                         mutex_enter(&pp->p_lock);
 850                         pp->p_flag |= suidflags;
 851                         mutex_exit(&pp->p_lock);
 852                 }
 853                 if (setid && (pp->p_proc_flag & P_PR_PTRACE) == 0) {
 854                         /*
 855                          * If process is traced via /proc, arrange to
 856                          * invalidate the associated /proc vnode.
 857                          */
 858                         if (pp->p_plist || (pp->p_proc_flag & P_PR_TRACE))
 859                                 args->traceinval = 1;
 860                 }
 861                 if (pp->p_proc_flag & P_PR_PTRACE)
 862                         psignal(pp, SIGTRAP);
 863                 if (args->traceinval)
 864                         prinvalidate(&pp->p_user);
 865         }
 866         if (execvp)
 867                 VN_RELE(execvp);
 868         return (0);
 869 
 870 bad:
 871         (void) VOP_CLOSE(vp, FREAD, 1, (offset_t)0, cred, NULL);
 872 
 873 bad_noclose:
 874         if (newcred != NULL)
 875                 crfree(newcred);
 876         if (error == 0)
 877                 error = ENOEXEC;
 878 
 879         if (suidflags) {
 880                 mutex_enter(&pp->p_lock);
 881                 pp->p_flag |= suidflags;
 882                 mutex_exit(&pp->p_lock);
 883         }
 884         return (error);
 885 }
 886 
 887 extern char *execswnames[];
 888 
 889 struct execsw *
 890 allocate_execsw(char *name, char *magic, size_t magic_size)
 891 {
 892         int i, j;
 893         char *ename;
 894         char *magicp;
 895 
 896         mutex_enter(&execsw_lock);
 897         for (i = 0; i < nexectype; i++) {
 898                 if (execswnames[i] == NULL) {
 899                         ename = kmem_alloc(strlen(name) + 1, KM_SLEEP);
 900                         (void) strcpy(ename, name);
 901                         execswnames[i] = ename;
 902                         /*
 903                          * Set the magic number last so that we
 904                          * don't need to hold the execsw_lock in
 905                          * findexectype().
 906                          */
 907                         magicp = kmem_alloc(magic_size, KM_SLEEP);
 908                         for (j = 0; j < magic_size; j++)
 909                                 magicp[j] = magic[j];
 910                         execsw[i].exec_magic = magicp;
 911                         mutex_exit(&execsw_lock);
 912                         return (&execsw[i]);
 913                 }
 914         }
 915         mutex_exit(&execsw_lock);
 916         return (NULL);
 917 }
 918 
 919 /*
 920  * Find the exec switch table entry with the corresponding magic string.
 921  */
 922 struct execsw *
 923 findexecsw(char *magic)
 924 {
 925         struct execsw *eswp;
 926 
 927         for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
 928                 ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
 929                 if (magic && eswp->exec_maglen != 0 &&
 930                     bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0)
 931                         return (eswp);
 932         }
 933         return (NULL);
 934 }
 935 
 936 /*
 937  * Find the execsw[] index for the given exec header string by looking for the
 938  * magic string at a specified offset and length for each kind of executable
 939  * file format until one matches.  If no execsw[] entry is found, try to
 940  * autoload a module for this magic string.
 941  */
 942 struct execsw *
 943 findexec_by_hdr(char *header)
 944 {
 945         struct execsw *eswp;
 946 
 947         for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
 948                 ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
 949                 if (header && eswp->exec_maglen != 0 &&
 950                     bcmp(&header[eswp->exec_magoff], eswp->exec_magic,
 951                     eswp->exec_maglen) == 0) {
 952                         if (hold_execsw(eswp) != 0)
 953                                 return (NULL);
 954                         return (eswp);
 955                 }
 956         }
 957         return (NULL);  /* couldn't find the type */
 958 }
 959 
 960 /*
 961  * Find the execsw[] index for the given magic string.  If no execsw[] entry
 962  * is found, try to autoload a module for this magic string.
 963  */
 964 struct execsw *
 965 findexec_by_magic(char *magic)
 966 {
 967         struct execsw *eswp;
 968 
 969         for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
 970                 ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
 971                 if (magic && eswp->exec_maglen != 0 &&
 972                     bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0) {
 973                         if (hold_execsw(eswp) != 0)
 974                                 return (NULL);
 975                         return (eswp);
 976                 }
 977         }
 978         return (NULL);  /* couldn't find the type */
 979 }
 980 
 981 static int
 982 hold_execsw(struct execsw *eswp)
 983 {
 984         char *name;
 985 
 986         rw_enter(eswp->exec_lock, RW_READER);
 987         while (!LOADED_EXEC(eswp)) {
 988                 rw_exit(eswp->exec_lock);
 989                 name = execswnames[eswp-execsw];
 990                 ASSERT(name);
 991                 if (modload("exec", name) == -1)
 992                         return (-1);
 993                 rw_enter(eswp->exec_lock, RW_READER);
 994         }
 995         return (0);
 996 }
 997 
 998 static int
 999 execsetid(struct vnode *vp, struct vattr *vattrp, uid_t *uidp, uid_t *gidp,
1000     priv_set_t *fset, cred_t *cr, const char *pathname)
1001 {
1002         proc_t *pp = ttoproc(curthread);
1003         uid_t uid, gid;
1004         int privflags = 0;
1005 
1006         /*
1007          * Remember credentials.
1008          */
1009         uid = cr->cr_uid;
1010         gid = cr->cr_gid;
1011 
1012         /* Will try to reset the PRIV_AWARE bit later. */
1013         if ((CR_FLAGS(cr) & (PRIV_AWARE|PRIV_AWARE_INHERIT)) == PRIV_AWARE)
1014                 privflags |= PRIV_RESET;
1015 
1016         if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) == 0) {
1017                 /*
1018                  * If it's a set-uid root program we perform the
1019                  * forced privilege look-aside. This has three possible
1020                  * outcomes:
1021                  *      no look aside information -> treat as before
1022                  *      look aside in Limit set -> apply forced privs
1023                  *      look aside not in Limit set -> ignore set-uid root
1024                  *
1025                  * Ordinary set-uid root execution only allowed if the limit
1026                  * set holds all unsafe privileges.
1027                  */
1028                 if (vattrp->va_mode & VSUID) {
1029                         if (vattrp->va_uid == 0) {
1030                                 int res = get_forced_privs(cr, pathname, fset);
1031 
1032                                 switch (res) {
1033                                 case -1:
1034                                         if (priv_issubset(&priv_unsafe,
1035                                             &CR_LPRIV(cr))) {
1036                                                 uid = vattrp->va_uid;
1037                                                 privflags |= PRIV_SETUGID;
1038                                         }
1039                                         break;
1040                                 case 0:
1041                                         privflags |= PRIV_FORCED|PRIV_INCREASE;
1042                                         break;
1043                                 default:
1044                                         break;
1045                                 }
1046                         } else {
1047                                 uid = vattrp->va_uid;
1048                                 privflags |= PRIV_SETUGID;
1049                         }
1050                 }
1051                 if (vattrp->va_mode & VSGID) {
1052                         gid = vattrp->va_gid;
1053                         privflags |= PRIV_SETUGID;
1054                 }
1055         }
1056 
1057         /*
1058          * Do we need to change our credential anyway?
1059          * This is the case when E != I or P != I, as
1060          * we need to do the assignments (with F empty and A full)
1061          * Or when I is not a subset of L; in that case we need to
1062          * enforce L.
1063          *
1064          *              I' = L & I
1065          *
1066          *              E' = P' = (I' + F) & A
1067          * or
1068          *              E' = P' = I'
1069          */
1070         if (!priv_isequalset(&CR_EPRIV(cr), &CR_IPRIV(cr)) ||
1071             !priv_issubset(&CR_IPRIV(cr), &CR_LPRIV(cr)) ||
1072             !priv_isequalset(&CR_PPRIV(cr), &CR_IPRIV(cr)))
1073                 privflags |= PRIV_RESET;
1074 
1075         /* Child has more privileges than parent */
1076         if (!priv_issubset(&CR_IPRIV(cr), &CR_PPRIV(cr)))
1077                 privflags |= PRIV_INCREASE;
1078 
1079         /* If MAC-aware flag(s) are on, need to update cred to remove. */
1080         if ((CR_FLAGS(cr) & NET_MAC_AWARE) ||
1081             (CR_FLAGS(cr) & NET_MAC_AWARE_INHERIT))
1082                 privflags |= MAC_FLAGS;
1083         /*
1084          * Set setuid/setgid protections if no ptrace() compatibility.
1085          * For privileged processes, honor setuid/setgid even in
1086          * the presence of ptrace() compatibility.
1087          */
1088         if (((pp->p_proc_flag & P_PR_PTRACE) == 0 ||
1089             PRIV_POLICY_ONLY(cr, PRIV_PROC_OWNER, (uid == 0))) &&
1090             (cr->cr_uid != uid ||
1091             cr->cr_gid != gid ||
1092             cr->cr_suid != uid ||
1093             cr->cr_sgid != gid)) {
1094                 *uidp = uid;
1095                 *gidp = gid;
1096                 privflags |= PRIV_SETID;
1097         }
1098         return (privflags);
1099 }
1100 
1101 int
1102 execpermissions(struct vnode *vp, struct vattr *vattrp, struct uarg *args)
1103 {
1104         int error;
1105         proc_t *p = ttoproc(curthread);
1106 
1107         vattrp->va_mask = AT_MODE | AT_UID | AT_GID | AT_SIZE;
1108         if (error = VOP_GETATTR(vp, vattrp, ATTR_EXEC, p->p_cred, NULL))
1109                 return (error);
1110         /*
1111          * Check the access mode.
1112          * If VPROC, ask /proc if the file is an object file.
1113          */
1114         if ((error = VOP_ACCESS(vp, VEXEC, 0, p->p_cred, NULL)) != 0 ||
1115             !(vp->v_type == VREG || (vp->v_type == VPROC && pr_isobject(vp))) ||
1116             (vp->v_vfsp->vfs_flag & VFS_NOEXEC) != 0 ||
1117             (vattrp->va_mode & (VEXEC|(VEXEC>>3)|(VEXEC>>6))) == 0) {
1118                 if (error == 0)
1119                         error = EACCES;
1120                 return (error);
1121         }
1122 
1123         if ((p->p_plist || (p->p_proc_flag & (P_PR_PTRACE|P_PR_TRACE))) &&
1124             (error = VOP_ACCESS(vp, VREAD, 0, p->p_cred, NULL))) {
1125                 /*
1126                  * If process is under ptrace(2) compatibility,
1127                  * fail the exec(2).
1128                  */
1129                 if (p->p_proc_flag & P_PR_PTRACE)
1130                         goto bad;
1131                 /*
1132                  * Process is traced via /proc.
1133                  * Arrange to invalidate the /proc vnode.
1134                  */
1135                 args->traceinval = 1;
1136         }
1137         return (0);
1138 bad:
1139         if (error == 0)
1140                 error = ENOEXEC;
1141         return (error);
1142 }
1143 
1144 /*
1145  * Map a section of an executable file into the user's
1146  * address space.
1147  */
1148 int
1149 execmap(struct vnode *vp, caddr_t addr, size_t len, size_t zfodlen,
1150     off_t offset, int prot, int page, uint_t szc)
1151 {
1152         int error = 0;
1153         off_t oldoffset;
1154         caddr_t zfodbase, oldaddr;
1155         size_t end, oldlen;
1156         size_t zfoddiff;
1157         label_t ljb;
1158         proc_t *p = ttoproc(curthread);
1159 
1160         oldaddr = addr;
1161         addr = (caddr_t)((uintptr_t)addr & (uintptr_t)PAGEMASK);
1162         if (len) {
1163                 oldlen = len;
1164                 len += ((size_t)oldaddr - (size_t)addr);
1165                 oldoffset = offset;
1166                 offset = (off_t)((uintptr_t)offset & PAGEMASK);
1167                 if (page) {
1168                         spgcnt_t  prefltmem, availm, npages;
1169                         int preread;
1170                         uint_t mflag = MAP_PRIVATE | MAP_FIXED;
1171 
1172                         if ((prot & (PROT_WRITE | PROT_EXEC)) == PROT_EXEC) {
1173                                 mflag |= MAP_TEXT;
1174                         } else {
1175                                 mflag |= MAP_INITDATA;
1176                         }
1177 
1178                         if (valid_usr_range(addr, len, prot, p->p_as,
1179                             p->p_as->a_userlimit) != RANGE_OKAY) {
1180                                 error = ENOMEM;
1181                                 goto bad;
1182                         }
1183                         if (error = VOP_MAP(vp, (offset_t)offset,
1184                             p->p_as, &addr, len, prot, PROT_ALL,
1185                             mflag, CRED(), NULL))
1186                                 goto bad;
1187 
1188                         /*
1189                          * If the segment can fit, then we prefault
1190                          * the entire segment in.  This is based on the
1191                          * model that says the best working set of a
1192                          * small program is all of its pages.
1193                          */
1194                         npages = (spgcnt_t)btopr(len);
1195                         prefltmem = freemem - desfree;
1196                         preread =
1197                             (npages < prefltmem && len < PGTHRESH) ? 1 : 0;
1198 
1199                         /*
1200                          * If we aren't prefaulting the segment,
1201                          * increment "deficit", if necessary to ensure
1202                          * that pages will become available when this
1203                          * process starts executing.
1204                          */
1205                         availm = freemem - lotsfree;
1206                         if (preread == 0 && npages > availm &&
1207                             deficit < lotsfree) {
1208                                 deficit += MIN((pgcnt_t)(npages - availm),
1209                                     lotsfree - deficit);
1210                         }
1211 
1212                         if (preread) {
1213                                 TRACE_2(TR_FAC_PROC, TR_EXECMAP_PREREAD,
1214                                     "execmap preread:freemem %d size %lu",
1215                                     freemem, len);
1216                                 (void) as_fault(p->p_as->a_hat, p->p_as,
1217                                     (caddr_t)addr, len, F_INVAL, S_READ);
1218                         }
1219                 } else {
1220                         if (valid_usr_range(addr, len, prot, p->p_as,
1221                             p->p_as->a_userlimit) != RANGE_OKAY) {
1222                                 error = ENOMEM;
1223                                 goto bad;
1224                         }
1225 
1226                         if (error = as_map(p->p_as, addr, len,
1227                             segvn_create, zfod_argsp))
1228                                 goto bad;
1229                         /*
1230                          * Read in the segment in one big chunk.
1231                          */
1232                         if (error = vn_rdwr(UIO_READ, vp, (caddr_t)oldaddr,
1233                             oldlen, (offset_t)oldoffset, UIO_USERSPACE, 0,
1234                             (rlim64_t)0, CRED(), (ssize_t *)0))
1235                                 goto bad;
1236                         /*
1237                          * Now set protections.
1238                          */
1239                         if (prot != PROT_ZFOD) {
1240                                 (void) as_setprot(p->p_as, (caddr_t)addr,
1241                                     len, prot);
1242                         }
1243                 }
1244         }
1245 
1246         if (zfodlen) {
1247                 struct as *as = curproc->p_as;
1248                 struct seg *seg;
1249                 uint_t zprot = 0;
1250 
1251                 end = (size_t)addr + len;
1252                 zfodbase = (caddr_t)roundup(end, PAGESIZE);
1253                 zfoddiff = (uintptr_t)zfodbase - end;
1254                 if (zfoddiff) {
1255                         /*
1256                          * Before we go to zero the remaining space on the last
1257                          * page, make sure we have write permission.
1258                          *
1259                          * Normal illumos binaries don't even hit the case
1260                          * where we have to change permission on the last page
1261                          * since their protection is typically either
1262                          *    PROT_USER | PROT_WRITE | PROT_READ
1263                          * or
1264                          *    PROT_ZFOD (same as PROT_ALL).
1265                          *
1266                          * We need to be careful how we zero-fill the last page
1267                          * if the segment protection does not include
1268                          * PROT_WRITE. Using as_setprot() can cause the VM
1269                          * segment code to call segvn_vpage(), which must
1270                          * allocate a page struct for each page in the segment.
1271                          * If we have a very large segment, this may fail, so
1272                          * we have to check for that, even though we ignore
1273                          * other return values from as_setprot.
1274                          */
1275 
1276                         AS_LOCK_ENTER(as, RW_READER);
1277                         seg = as_segat(curproc->p_as, (caddr_t)end);
1278                         if (seg != NULL)
1279                                 SEGOP_GETPROT(seg, (caddr_t)end, zfoddiff - 1,
1280                                     &zprot);
1281                         AS_LOCK_EXIT(as);
1282 
1283                         if (seg != NULL && (zprot & PROT_WRITE) == 0) {
1284                                 if (as_setprot(as, (caddr_t)end, zfoddiff - 1,
1285                                     zprot | PROT_WRITE) == ENOMEM) {
1286                                         error = ENOMEM;
1287                                         goto bad;
1288                                 }
1289                         }
1290 
1291                         if (on_fault(&ljb)) {
1292                                 no_fault();
1293                                 if (seg != NULL && (zprot & PROT_WRITE) == 0)
1294                                         (void) as_setprot(as, (caddr_t)end,
1295                                             zfoddiff - 1, zprot);
1296                                 error = EFAULT;
1297                                 goto bad;
1298                         }
1299                         uzero((void *)end, zfoddiff);
1300                         no_fault();
1301                         if (seg != NULL && (zprot & PROT_WRITE) == 0)
1302                                 (void) as_setprot(as, (caddr_t)end,
1303                                     zfoddiff - 1, zprot);
1304                 }
1305                 if (zfodlen > zfoddiff) {
1306                         struct segvn_crargs crargs =
1307                             SEGVN_ZFOD_ARGS(PROT_ZFOD, PROT_ALL);
1308 
1309                         zfodlen -= zfoddiff;
1310                         if (valid_usr_range(zfodbase, zfodlen, prot, p->p_as,
1311                             p->p_as->a_userlimit) != RANGE_OKAY) {
1312                                 error = ENOMEM;
1313                                 goto bad;
1314                         }
1315                         if (szc > 0) {
1316                                 /*
1317                                  * ASSERT alignment because the mapelfexec()
1318                                  * caller for the szc > 0 case extended zfod
1319                                  * so it's end is pgsz aligned.
1320                                  */
1321                                 size_t pgsz = page_get_pagesize(szc);
1322                                 ASSERT(IS_P2ALIGNED(zfodbase + zfodlen, pgsz));
1323 
1324                                 if (IS_P2ALIGNED(zfodbase, pgsz)) {
1325                                         crargs.szc = szc;
1326                                 } else {
1327                                         crargs.szc = AS_MAP_HEAP;
1328                                 }
1329                         } else {
1330                                 crargs.szc = AS_MAP_NO_LPOOB;
1331                         }
1332                         if (error = as_map(p->p_as, (caddr_t)zfodbase,
1333                             zfodlen, segvn_create, &crargs))
1334                                 goto bad;
1335                         if (prot != PROT_ZFOD) {
1336                                 (void) as_setprot(p->p_as, (caddr_t)zfodbase,
1337                                     zfodlen, prot);
1338                         }
1339                 }
1340         }
1341         return (0);
1342 bad:
1343         return (error);
1344 }
1345 
1346 void
1347 setexecenv(struct execenv *ep)
1348 {
1349         proc_t *p = ttoproc(curthread);
1350         klwp_t *lwp = ttolwp(curthread);
1351         struct vnode *vp;
1352 
1353         p->p_bssbase = ep->ex_bssbase;
1354         p->p_brkbase = ep->ex_brkbase;
1355         p->p_brksize = ep->ex_brksize;
1356         if (p->p_exec)
1357                 VN_RELE(p->p_exec);  /* out with the old */
1358         vp = p->p_exec = ep->ex_vp;
1359         if (vp != NULL)
1360                 VN_HOLD(vp);            /* in with the new */
1361 
1362         lwp->lwp_sigaltstack.ss_sp = 0;
1363         lwp->lwp_sigaltstack.ss_size = 0;
1364         lwp->lwp_sigaltstack.ss_flags = SS_DISABLE;
1365 }
1366 
1367 int
1368 execopen(struct vnode **vpp, int *fdp)
1369 {
1370         struct vnode *vp = *vpp;
1371         file_t *fp;
1372         int error = 0;
1373         int filemode = FREAD;
1374 
1375         VN_HOLD(vp);            /* open reference */
1376         if (error = falloc(NULL, filemode, &fp, fdp)) {
1377                 VN_RELE(vp);
1378                 *fdp = -1;      /* just in case falloc changed value */
1379                 return (error);
1380         }
1381         if (error = VOP_OPEN(&vp, filemode, CRED(), NULL)) {
1382                 VN_RELE(vp);
1383                 setf(*fdp, NULL);
1384                 unfalloc(fp);
1385                 *fdp = -1;
1386                 return (error);
1387         }
1388         *vpp = vp;              /* vnode should not have changed */
1389         fp->f_vnode = vp;
1390         mutex_exit(&fp->f_tlock);
1391         setf(*fdp, fp);
1392         return (0);
1393 }
1394 
1395 int
1396 execclose(int fd)
1397 {
1398         return (closeandsetf(fd, NULL));
1399 }
1400 
1401 
1402 /*
1403  * noexec stub function.
1404  */
1405 /*ARGSUSED*/
1406 int
1407 noexec(
1408     struct vnode *vp,
1409     struct execa *uap,
1410     struct uarg *args,
1411     struct intpdata *idatap,
1412     int level,
1413     long *execsz,
1414     int setid,
1415     caddr_t exec_file,
1416     struct cred *cred)
1417 {
1418         cmn_err(CE_WARN, "missing exec capability for %s", uap->fname);
1419         return (ENOEXEC);
1420 }
1421 
1422 /*
1423  * Support routines for building a user stack.
1424  *
1425  * execve(path, argv, envp) must construct a new stack with the specified
1426  * arguments and environment variables (see exec_args() for a description
1427  * of the user stack layout).  To do this, we copy the arguments and
1428  * environment variables from the old user address space into the kernel,
1429  * free the old as, create the new as, and copy our buffered information
1430  * to the new stack.  Our kernel buffer has the following structure:
1431  *
1432  *      +-----------------------+ <--- stk_base + stk_size
1433  *      | string offsets        |
1434  *      +-----------------------+ <--- stk_offp
1435  *      |                       |
1436  *      | STK_AVAIL() space     |
1437  *      |                       |
1438  *      +-----------------------+ <--- stk_strp
1439  *      | strings               |
1440  *      +-----------------------+ <--- stk_base
1441  *
1442  * When we add a string, we store the string's contents (including the null
1443  * terminator) at stk_strp, and we store the offset of the string relative to
1444  * stk_base at --stk_offp.  At strings are added, stk_strp increases and
1445  * stk_offp decreases.  The amount of space remaining, STK_AVAIL(), is just
1446  * the difference between these pointers.  If we run out of space, we return
1447  * an error and exec_args() starts all over again with a buffer twice as large.
1448  * When we're all done, the kernel buffer looks like this:
1449  *
1450  *      +-----------------------+ <--- stk_base + stk_size
1451  *      | argv[0] offset        |
1452  *      +-----------------------+
1453  *      | ...                   |
1454  *      +-----------------------+
1455  *      | argv[argc-1] offset   |
1456  *      +-----------------------+
1457  *      | envp[0] offset        |
1458  *      +-----------------------+
1459  *      | ...                   |
1460  *      +-----------------------+
1461  *      | envp[envc-1] offset   |
1462  *      +-----------------------+
1463  *      | AT_SUN_PLATFORM offset|
1464  *      +-----------------------+
1465  *      | AT_SUN_EXECNAME offset|
1466  *      +-----------------------+ <--- stk_offp
1467  *      |                       |
1468  *      | STK_AVAIL() space     |
1469  *      |                       |
1470  *      +-----------------------+ <--- stk_strp
1471  *      | AT_SUN_EXECNAME offset|
1472  *      +-----------------------+
1473  *      | AT_SUN_PLATFORM offset|
1474  *      +-----------------------+
1475  *      | envp[envc-1] string   |
1476  *      +-----------------------+
1477  *      | ...                   |
1478  *      +-----------------------+
1479  *      | envp[0] string        |
1480  *      +-----------------------+
1481  *      | argv[argc-1] string   |
1482  *      +-----------------------+
1483  *      | ...                   |
1484  *      +-----------------------+
1485  *      | argv[0] string        |
1486  *      +-----------------------+ <--- stk_base
1487  */
1488 
1489 #define STK_AVAIL(args)         ((char *)(args)->stk_offp - (args)->stk_strp)
1490 
1491 /*
1492  * Add a string to the stack.
1493  */
1494 static int
1495 stk_add(uarg_t *args, const char *sp, enum uio_seg segflg)
1496 {
1497         int error;
1498         size_t len;
1499 
1500         if (STK_AVAIL(args) < sizeof (int))
1501                 return (E2BIG);
1502         *--args->stk_offp = args->stk_strp - args->stk_base;
1503 
1504         if (segflg == UIO_USERSPACE) {
1505                 error = copyinstr(sp, args->stk_strp, STK_AVAIL(args), &len);
1506                 if (error != 0)
1507                         return (error);
1508         } else {
1509                 len = strlen(sp) + 1;
1510                 if (len > STK_AVAIL(args))
1511                         return (E2BIG);
1512                 bcopy(sp, args->stk_strp, len);
1513         }
1514 
1515         args->stk_strp += len;
1516 
1517         return (0);
1518 }
1519 
1520 static int
1521 stk_getptr(uarg_t *args, char *src, char **dst)
1522 {
1523         int error;
1524 
1525         if (args->from_model == DATAMODEL_NATIVE) {
1526                 ulong_t ptr;
1527                 error = fulword(src, &ptr);
1528                 *dst = (caddr_t)ptr;
1529         } else {
1530                 uint32_t ptr;
1531                 error = fuword32(src, &ptr);
1532                 *dst = (caddr_t)(uintptr_t)ptr;
1533         }
1534         return (error);
1535 }
1536 
1537 static int
1538 stk_putptr(uarg_t *args, char *addr, char *value)
1539 {
1540         if (args->to_model == DATAMODEL_NATIVE)
1541                 return (sulword(addr, (ulong_t)value));
1542         else
1543                 return (suword32(addr, (uint32_t)(uintptr_t)value));
1544 }
1545 
1546 static int
1547 stk_copyin(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp)
1548 {
1549         char *sp;
1550         int argc, error;
1551         int argv_empty = 0;
1552         size_t ptrsize = args->from_ptrsize;
1553         size_t size, pad;
1554         char *argv = (char *)uap->argp;
1555         char *envp = (char *)uap->envp;
1556 
1557         /*
1558          * Copy interpreter's name and argument to argv[0] and argv[1].
1559          * In the rare case that we have nested interpreters then those names
1560          * and arguments are also copied to the subsequent slots in argv.
1561          */
1562         if (intp != NULL && intp->intp_name[0] != NULL) {
1563                 int i;
1564 
1565                 for (i = 0; i < INTP_MAXDEPTH; i++) {
1566                         if (intp->intp_name[i] == NULL)
1567                                 break;
1568                         error = stk_add(args, intp->intp_name[i], UIO_SYSSPACE);
1569                         if (error != 0)
1570                                 return (error);
1571                         if (intp->intp_arg[i] != NULL) {
1572                                 error = stk_add(args, intp->intp_arg[i],
1573                                     UIO_SYSSPACE);
1574                                 if (error != 0)
1575                                         return (error);
1576                         }
1577                 }
1578 
1579                 if (args->fname != NULL)
1580                         error = stk_add(args, args->fname, UIO_SYSSPACE);
1581                 else
1582                         error = stk_add(args, uap->fname, UIO_USERSPACE);
1583                 if (error)
1584                         return (error);
1585 
1586                 /*
1587                  * Check for an empty argv[].
1588                  */
1589                 if (stk_getptr(args, argv, &sp))
1590                         return (EFAULT);
1591                 if (sp == NULL)
1592                         argv_empty = 1;
1593 
1594                 argv += ptrsize;                /* ignore original argv[0] */
1595         }
1596 
1597         if (argv_empty == 0) {
1598                 /*
1599                  * Add argv[] strings to the stack.
1600                  */
1601                 for (;;) {
1602                         if (stk_getptr(args, argv, &sp))
1603                                 return (EFAULT);
1604                         if (sp == NULL)
1605                                 break;
1606                         if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0)
1607                                 return (error);
1608                         argv += ptrsize;
1609                 }
1610         }
1611         argc = (int *)(args->stk_base + args->stk_size) - args->stk_offp;
1612         args->arglen = args->stk_strp - args->stk_base;
1613 
1614         /*
1615          * Add environ[] strings to the stack.
1616          */
1617         if (envp != NULL) {
1618                 for (;;) {
1619                         char *tmp = args->stk_strp;
1620                         if (stk_getptr(args, envp, &sp))
1621                                 return (EFAULT);
1622                         if (sp == NULL)
1623                                 break;
1624                         if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0)
1625                                 return (error);
1626                         if (args->scrubenv && strncmp(tmp, "LD_", 3) == 0) {
1627                                 /* Undo the copied string */
1628                                 args->stk_strp = tmp;
1629                                 *(args->stk_offp++) = NULL;
1630                         }
1631                         envp += ptrsize;
1632                 }
1633         }
1634         args->na = (int *)(args->stk_base + args->stk_size) - args->stk_offp;
1635         args->ne = args->na - argc;
1636 
1637         /*
1638          * Add AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME, and
1639          * AT_SUN_EMULATOR strings to the stack.
1640          */
1641         if (auxvpp != NULL && *auxvpp != NULL) {
1642                 if ((error = stk_add(args, platform, UIO_SYSSPACE)) != 0)
1643                         return (error);
1644                 if ((error = stk_add(args, args->pathname, UIO_SYSSPACE)) != 0)
1645                         return (error);
1646                 if (args->brandname != NULL &&
1647                     (error = stk_add(args, args->brandname, UIO_SYSSPACE)) != 0)
1648                         return (error);
1649                 if (args->emulator != NULL &&
1650                     (error = stk_add(args, args->emulator, UIO_SYSSPACE)) != 0)
1651                         return (error);
1652         }
1653 
1654         /*
1655          * Compute the size of the stack.  This includes all the pointers,
1656          * the space reserved for the aux vector, and all the strings.
1657          * The total number of pointers is args->na (which is argc + envc)
1658          * plus 4 more: (1) a pointer's worth of space for argc; (2) the NULL
1659          * after the last argument (i.e. argv[argc]); (3) the NULL after the
1660          * last environment variable (i.e. envp[envc]); and (4) the NULL after
1661          * all the strings, at the very top of the stack.
1662          */
1663         size = (args->na + 4) * args->to_ptrsize + args->auxsize +
1664             (args->stk_strp - args->stk_base);
1665 
1666         /*
1667          * Pad the string section with zeroes to align the stack size.
1668          */
1669         pad = P2NPHASE(size, args->stk_align);
1670 
1671         if (STK_AVAIL(args) < pad)
1672                 return (E2BIG);
1673 
1674         args->usrstack_size = size + pad;
1675 
1676         while (pad-- != 0)
1677                 *args->stk_strp++ = 0;
1678 
1679         args->nc = args->stk_strp - args->stk_base;
1680 
1681         return (0);
1682 }
1683 
1684 static int
1685 stk_copyout(uarg_t *args, char *usrstack, void **auxvpp, user_t *up)
1686 {
1687         size_t ptrsize = args->to_ptrsize;
1688         ssize_t pslen;
1689         char *kstrp = args->stk_base;
1690         char *ustrp = usrstack - args->nc - ptrsize;
1691         char *usp = usrstack - args->usrstack_size;
1692         int *offp = (int *)(args->stk_base + args->stk_size);
1693         int envc = args->ne;
1694         int argc = args->na - envc;
1695         int i;
1696 
1697         /*
1698          * Record argc for /proc.
1699          */
1700         up->u_argc = argc;
1701 
1702         /*
1703          * Put argc on the stack.  Note that even though it's an int,
1704          * it always consumes ptrsize bytes (for alignment).
1705          */
1706         if (stk_putptr(args, usp, (char *)(uintptr_t)argc))
1707                 return (-1);
1708 
1709         /*
1710          * Add argc space (ptrsize) to usp and record argv for /proc.
1711          */
1712         up->u_argv = (uintptr_t)(usp += ptrsize);
1713 
1714         /*
1715          * Put the argv[] pointers on the stack.
1716          */
1717         for (i = 0; i < argc; i++, usp += ptrsize)
1718                 if (stk_putptr(args, usp, &ustrp[*--offp]))
1719                         return (-1);
1720 
1721         /*
1722          * Copy arguments to u_psargs.
1723          */
1724         pslen = MIN(args->arglen, PSARGSZ) - 1;
1725         for (i = 0; i < pslen; i++)
1726                 up->u_psargs[i] = (kstrp[i] == '\0' ? ' ' : kstrp[i]);
1727         while (i < PSARGSZ)
1728                 up->u_psargs[i++] = '\0';
1729 
1730         /*
1731          * Add space for argv[]'s NULL terminator (ptrsize) to usp and
1732          * record envp for /proc.
1733          */
1734         up->u_envp = (uintptr_t)(usp += ptrsize);
1735 
1736         /*
1737          * Put the envp[] pointers on the stack.
1738          */
1739         for (i = 0; i < envc; i++, usp += ptrsize)
1740                 if (stk_putptr(args, usp, &ustrp[*--offp]))
1741                         return (-1);
1742 
1743         /*
1744          * Add space for envp[]'s NULL terminator (ptrsize) to usp and
1745          * remember where the stack ends, which is also where auxv begins.
1746          */
1747         args->stackend = usp += ptrsize;
1748 
1749         /*
1750          * Put all the argv[], envp[], and auxv strings on the stack.
1751          */
1752         if (copyout(args->stk_base, ustrp, args->nc))
1753                 return (-1);
1754 
1755         /*
1756          * Fill in the aux vector now that we know the user stack addresses
1757          * for the AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME and
1758          * AT_SUN_EMULATOR strings.
1759          */
1760         if (auxvpp != NULL && *auxvpp != NULL) {
1761                 if (args->to_model == DATAMODEL_NATIVE) {
1762                         auxv_t **a = (auxv_t **)auxvpp;
1763                         ADDAUX(*a, AT_SUN_PLATFORM, (long)&ustrp[*--offp])
1764                         ADDAUX(*a, AT_SUN_EXECNAME, (long)&ustrp[*--offp])
1765                         if (args->brandname != NULL)
1766                                 ADDAUX(*a,
1767                                     AT_SUN_BRANDNAME, (long)&ustrp[*--offp])
1768                         if (args->emulator != NULL)
1769                                 ADDAUX(*a,
1770                                     AT_SUN_EMULATOR, (long)&ustrp[*--offp])
1771                 } else {
1772                         auxv32_t **a = (auxv32_t **)auxvpp;
1773                         ADDAUX(*a,
1774                             AT_SUN_PLATFORM, (int)(uintptr_t)&ustrp[*--offp])
1775                         ADDAUX(*a,
1776                             AT_SUN_EXECNAME, (int)(uintptr_t)&ustrp[*--offp])
1777                         if (args->brandname != NULL)
1778                                 ADDAUX(*a, AT_SUN_BRANDNAME,
1779                                     (int)(uintptr_t)&ustrp[*--offp])
1780                         if (args->emulator != NULL)
1781                                 ADDAUX(*a, AT_SUN_EMULATOR,
1782                                     (int)(uintptr_t)&ustrp[*--offp])
1783                 }
1784         }
1785 
1786         return (0);
1787 }
1788 
1789 /*
1790  * Initialize a new user stack with the specified arguments and environment.
1791  * The initial user stack layout is as follows:
1792  *
1793  *      User Stack
1794  *      +---------------+ <--- curproc->p_usrstack
1795  *      |               |
1796  *      | slew          |
1797  *      |               |
1798  *      +---------------+
1799  *      | NULL          |
1800  *      +---------------+
1801  *      |               |
1802  *      | auxv strings  |
1803  *      |               |
1804  *      +---------------+
1805  *      |               |
1806  *      | envp strings  |
1807  *      |               |
1808  *      +---------------+
1809  *      |               |
1810  *      | argv strings  |
1811  *      |               |
1812  *      +---------------+ <--- ustrp
1813  *      |               |
1814  *      | aux vector    |
1815  *      |               |
1816  *      +---------------+ <--- auxv
1817  *      | NULL          |
1818  *      +---------------+
1819  *      | envp[envc-1]  |
1820  *      +---------------+
1821  *      | ...           |
1822  *      +---------------+
1823  *      | envp[0]       |
1824  *      +---------------+ <--- envp[]
1825  *      | NULL          |
1826  *      +---------------+
1827  *      | argv[argc-1]  |
1828  *      +---------------+
1829  *      | ...           |
1830  *      +---------------+
1831  *      | argv[0]       |
1832  *      +---------------+ <--- argv[]
1833  *      | argc          |
1834  *      +---------------+ <--- stack base
1835  */
1836 int
1837 exec_args(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp)
1838 {
1839         size_t size;
1840         int error;
1841         proc_t *p = ttoproc(curthread);
1842         user_t *up = PTOU(p);
1843         char *usrstack;
1844         rctl_entity_p_t e;
1845         struct as *as;
1846         extern int use_stk_lpg;
1847         size_t sp_slew;
1848 
1849         args->from_model = p->p_model;
1850         if (p->p_model == DATAMODEL_NATIVE) {
1851                 args->from_ptrsize = sizeof (long);
1852         } else {
1853                 args->from_ptrsize = sizeof (int32_t);
1854         }
1855 
1856         if (args->to_model == DATAMODEL_NATIVE) {
1857                 args->to_ptrsize = sizeof (long);
1858                 args->ncargs = NCARGS;
1859                 args->stk_align = STACK_ALIGN;
1860                 if (args->addr32)
1861                         usrstack = (char *)USRSTACK64_32;
1862                 else
1863                         usrstack = (char *)USRSTACK;
1864         } else {
1865                 args->to_ptrsize = sizeof (int32_t);
1866                 args->ncargs = NCARGS32;
1867                 args->stk_align = STACK_ALIGN32;
1868                 usrstack = (char *)USRSTACK32;
1869         }
1870 
1871         ASSERT(P2PHASE((uintptr_t)usrstack, args->stk_align) == 0);
1872 
1873 #if defined(__sparc)
1874         /*
1875          * Make sure user register windows are empty before
1876          * attempting to make a new stack.
1877          */
1878         (void) flush_user_windows_to_stack(NULL);
1879 #endif
1880 
1881         for (size = PAGESIZE; ; size *= 2) {
1882                 args->stk_size = size;
1883                 args->stk_base = kmem_alloc(size, KM_SLEEP);
1884                 args->stk_strp = args->stk_base;
1885                 args->stk_offp = (int *)(args->stk_base + size);
1886                 error = stk_copyin(uap, args, intp, auxvpp);
1887                 if (error == 0)
1888                         break;
1889                 kmem_free(args->stk_base, size);
1890                 if (error != E2BIG && error != ENAMETOOLONG)
1891                         return (error);
1892                 if (size >= args->ncargs)
1893                         return (E2BIG);
1894         }
1895 
1896         size = args->usrstack_size;
1897 
1898         ASSERT(error == 0);
1899         ASSERT(P2PHASE(size, args->stk_align) == 0);
1900         ASSERT((ssize_t)STK_AVAIL(args) >= 0);
1901 
1902         if (size > args->ncargs) {
1903                 kmem_free(args->stk_base, args->stk_size);
1904                 return (E2BIG);
1905         }
1906 
1907         /*
1908          * Leave only the current lwp and force the other lwps to exit.
1909          * If another lwp beat us to the punch by calling exit(), bail out.
1910          */
1911         if ((error = exitlwps(0)) != 0) {
1912                 kmem_free(args->stk_base, args->stk_size);
1913                 return (error);
1914         }
1915 
1916         /*
1917          * Revoke any doors created by the process.
1918          */
1919         if (p->p_door_list)
1920                 door_exit();
1921 
1922         /*
1923          * Release schedctl data structures.
1924          */
1925         if (p->p_pagep)
1926                 schedctl_proc_cleanup();
1927 
1928         /*
1929          * Clean up any DTrace helpers for the process.
1930          */
1931         if (p->p_dtrace_helpers != NULL) {
1932                 ASSERT(dtrace_helpers_cleanup != NULL);
1933                 (*dtrace_helpers_cleanup)();
1934         }
1935 
1936         mutex_enter(&p->p_lock);
1937         /*
1938          * Cleanup the DTrace provider associated with this process.
1939          */
1940         if (p->p_dtrace_probes) {
1941                 ASSERT(dtrace_fasttrap_exec_ptr != NULL);
1942                 dtrace_fasttrap_exec_ptr(p);
1943         }
1944         mutex_exit(&p->p_lock);
1945 
1946         /*
1947          * discard the lwpchan cache.
1948          */
1949         if (p->p_lcp != NULL)
1950                 lwpchan_destroy_cache(1);
1951 
1952         /*
1953          * Delete the POSIX timers.
1954          */
1955         if (p->p_itimer != NULL)
1956                 timer_exit();
1957 
1958         /*
1959          * Delete the ITIMER_REALPROF interval timer.
1960          * The other ITIMER_* interval timers are specified
1961          * to be inherited across exec().
1962          */
1963         delete_itimer_realprof();
1964 
1965         if (AU_AUDITING())
1966                 audit_exec(args->stk_base, args->stk_base + args->arglen,
1967                     args->na - args->ne, args->ne, args->pfcred);
1968 
1969         /*
1970          * Ensure that we don't change resource associations while we
1971          * change address spaces.
1972          */
1973         mutex_enter(&p->p_lock);
1974         pool_barrier_enter();
1975         mutex_exit(&p->p_lock);
1976 
1977         /*
1978          * Destroy the old address space and create a new one.
1979          * From here on, any errors are fatal to the exec()ing process.
1980          * On error we return -1, which means the caller must SIGKILL
1981          * the process.
1982          */
1983         relvm();
1984 
1985         mutex_enter(&p->p_lock);
1986         pool_barrier_exit();
1987         mutex_exit(&p->p_lock);
1988 
1989         up->u_execsw = args->execswp;
1990 
1991         p->p_brkbase = NULL;
1992         p->p_brksize = 0;
1993         p->p_brkpageszc = 0;
1994         p->p_stksize = 0;
1995         p->p_stkpageszc = 0;
1996         p->p_model = args->to_model;
1997         p->p_usrstack = usrstack;
1998         p->p_stkprot = args->stk_prot;
1999         p->p_datprot = args->dat_prot;
2000 
2001         /*
2002          * Reset resource controls such that all controls are again active as
2003          * well as appropriate to the potentially new address model for the
2004          * process.
2005          */
2006         e.rcep_p.proc = p;
2007         e.rcep_t = RCENTITY_PROCESS;
2008         rctl_set_reset(p->p_rctls, p, &e);
2009 
2010         /* Too early to call map_pgsz for the heap */
2011         if (use_stk_lpg) {
2012                 p->p_stkpageszc = page_szc(map_pgsz(MAPPGSZ_STK, p, 0, 0, 0));
2013         }
2014 
2015         mutex_enter(&p->p_lock);
2016         p->p_flag |= SAUTOLPG;       /* kernel controls page sizes */
2017         mutex_exit(&p->p_lock);
2018 
2019         /*
2020          * Some platforms may choose to randomize real stack start by adding a
2021          * small slew (not more than a few hundred bytes) to the top of the
2022          * stack. This helps avoid cache thrashing when identical processes
2023          * simultaneously share caches that don't provide enough associativity
2024          * (e.g. sun4v systems). In this case stack slewing makes the same hot
2025          * stack variables in different processes to live in different cache
2026          * sets increasing effective associativity.
2027          */
2028         sp_slew = exec_get_spslew();
2029         ASSERT(P2PHASE(sp_slew, args->stk_align) == 0);
2030         exec_set_sp(size + sp_slew);
2031 
2032         as = as_alloc();
2033         p->p_as = as;
2034         as->a_proc = p;
2035         if (p->p_model == DATAMODEL_ILP32 || args->addr32)
2036                 as->a_userlimit = (caddr_t)USERLIMIT32;
2037         (void) hat_setup(as->a_hat, HAT_ALLOC);
2038         hat_join_srd(as->a_hat, args->ex_vp);
2039 
2040         /*
2041          * Finally, write out the contents of the new stack.
2042          */
2043         error = stk_copyout(args, usrstack - sp_slew, auxvpp, up);
2044         kmem_free(args->stk_base, args->stk_size);
2045         return (error);
2046 }