1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 1988, 2010, Oracle and/or its affiliates. All rights reserved.
24 */
25
26 /* Copyright (c) 1988 AT&T */
27 /* All Rights Reserved */
28 /*
29 * Copyright 2014, Joyent, Inc. All rights reserved.
30 */
31
32 #include <sys/types.h>
33 #include <sys/param.h>
34 #include <sys/sysmacros.h>
35 #include <sys/systm.h>
36 #include <sys/signal.h>
37 #include <sys/cred_impl.h>
38 #include <sys/policy.h>
39 #include <sys/user.h>
40 #include <sys/errno.h>
41 #include <sys/file.h>
42 #include <sys/vfs.h>
43 #include <sys/vnode.h>
44 #include <sys/mman.h>
45 #include <sys/acct.h>
46 #include <sys/cpuvar.h>
47 #include <sys/proc.h>
48 #include <sys/cmn_err.h>
49 #include <sys/debug.h>
50 #include <sys/pathname.h>
51 #include <sys/vm.h>
52 #include <sys/lgrp.h>
53 #include <sys/vtrace.h>
54 #include <sys/exec.h>
55 #include <sys/exechdr.h>
56 #include <sys/kmem.h>
57 #include <sys/prsystm.h>
58 #include <sys/modctl.h>
59 #include <sys/vmparam.h>
60 #include <sys/door.h>
61 #include <sys/schedctl.h>
62 #include <sys/utrap.h>
63 #include <sys/systeminfo.h>
64 #include <sys/stack.h>
65 #include <sys/rctl.h>
66 #include <sys/dtrace.h>
67 #include <sys/lwpchan_impl.h>
68 #include <sys/pool.h>
69 #include <sys/sdt.h>
70 #include <sys/brand.h>
71 #include <sys/klpd.h>
72
73 #include <c2/audit.h>
74
75 #include <vm/hat.h>
76 #include <vm/anon.h>
77 #include <vm/as.h>
78 #include <vm/seg.h>
79 #include <vm/seg_vn.h>
80
81 #define PRIV_RESET 0x01 /* needs to reset privs */
82 #define PRIV_SETID 0x02 /* needs to change uids */
83 #define PRIV_SETUGID 0x04 /* is setuid/setgid/forced privs */
84 #define PRIV_INCREASE 0x08 /* child runs with more privs */
85 #define MAC_FLAGS 0x10 /* need to adjust MAC flags */
86 #define PRIV_FORCED 0x20 /* has forced privileges */
87
88 static int execsetid(struct vnode *, struct vattr *, uid_t *, uid_t *,
89 priv_set_t *, cred_t *, const char *);
90 static int hold_execsw(struct execsw *);
91
92 uint_t auxv_hwcap = 0; /* auxv AT_SUN_HWCAP value; determined on the fly */
93 uint_t auxv_hwcap_2 = 0; /* AT_SUN_HWCAP2 */
94 #if defined(_SYSCALL32_IMPL)
95 uint_t auxv_hwcap32 = 0; /* 32-bit version of auxv_hwcap */
96 uint_t auxv_hwcap32_2 = 0; /* 32-bit version of auxv_hwcap2 */
97 #endif
98
99 #define PSUIDFLAGS (SNOCD|SUGID)
100
101 /*
102 * exece() - system call wrapper around exec_common()
103 */
104 int
105 exece(const char *fname, const char **argp, const char **envp)
106 {
107 int error;
108
109 error = exec_common(fname, argp, envp, EBA_NONE);
110 return (error ? (set_errno(error)) : 0);
111 }
112
113 int
114 exec_common(const char *fname, const char **argp, const char **envp,
115 int brand_action)
116 {
117 vnode_t *vp = NULL, *dir = NULL, *tmpvp = NULL;
118 proc_t *p = ttoproc(curthread);
119 klwp_t *lwp = ttolwp(curthread);
120 struct user *up = PTOU(p);
121 long execsz; /* temporary count of exec size */
122 int i;
123 int error;
124 char exec_file[MAXCOMLEN+1];
125 struct pathname pn;
126 struct pathname resolvepn;
127 struct uarg args;
128 struct execa ua;
129 k_sigset_t savedmask;
130 lwpdir_t *lwpdir = NULL;
131 tidhash_t *tidhash;
132 lwpdir_t *old_lwpdir = NULL;
133 uint_t old_lwpdir_sz;
134 tidhash_t *old_tidhash;
135 uint_t old_tidhash_sz;
136 ret_tidhash_t *ret_tidhash;
137 lwpent_t *lep;
138 boolean_t brandme = B_FALSE;
139
140 /*
141 * exec() is not supported for the /proc agent lwp.
142 */
143 if (curthread == p->p_agenttp)
144 return (ENOTSUP);
145
146 if (brand_action != EBA_NONE) {
147 /*
148 * Brand actions are not supported for processes that are not
149 * running in a branded zone.
150 */
151 if (!ZONE_IS_BRANDED(p->p_zone))
152 return (ENOTSUP);
153
154 if (brand_action == EBA_NATIVE) {
155 /* Only branded processes can be unbranded */
156 if (!PROC_IS_BRANDED(p))
157 return (ENOTSUP);
158 } else {
159 /* Only unbranded processes can be branded */
160 if (PROC_IS_BRANDED(p))
161 return (ENOTSUP);
162 brandme = B_TRUE;
163 }
164 } else {
165 /*
166 * If this is a native zone, or if the process is already
167 * branded, then we don't need to do anything. If this is
168 * a native process in a branded zone, we need to brand the
169 * process as it exec()s the new binary.
170 */
171 if (ZONE_IS_BRANDED(p->p_zone) && !PROC_IS_BRANDED(p))
172 brandme = B_TRUE;
173 }
174
175 /*
176 * Inform /proc that an exec() has started.
177 * Hold signals that are ignored by default so that we will
178 * not be interrupted by a signal that will be ignored after
179 * successful completion of gexec().
180 */
181 mutex_enter(&p->p_lock);
182 prexecstart();
183 schedctl_finish_sigblock(curthread);
184 savedmask = curthread->t_hold;
185 sigorset(&curthread->t_hold, &ignoredefault);
186 mutex_exit(&p->p_lock);
187
188 /*
189 * Look up path name and remember last component for later.
190 * To help coreadm expand its %d token, we attempt to save
191 * the directory containing the executable in p_execdir. The
192 * first call to lookuppn() may fail and return EINVAL because
193 * dirvpp is non-NULL. In that case, we make a second call to
194 * lookuppn() with dirvpp set to NULL; p_execdir will be NULL,
195 * but coreadm is allowed to expand %d to the empty string and
196 * there are other cases in which that failure may occur.
197 */
198 if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0)
199 goto out;
200 pn_alloc(&resolvepn);
201 if ((error = lookuppn(&pn, &resolvepn, FOLLOW, &dir, &vp)) != 0) {
202 pn_free(&resolvepn);
203 pn_free(&pn);
204 if (error != EINVAL)
205 goto out;
206
207 dir = NULL;
208 if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0)
209 goto out;
210 pn_alloc(&resolvepn);
211 if ((error = lookuppn(&pn, &resolvepn, FOLLOW, NULLVPP,
212 &vp)) != 0) {
213 pn_free(&resolvepn);
214 pn_free(&pn);
215 goto out;
216 }
217 }
218 if (vp == NULL) {
219 if (dir != NULL)
220 VN_RELE(dir);
221 error = ENOENT;
222 pn_free(&resolvepn);
223 pn_free(&pn);
224 goto out;
225 }
226
227 if ((error = secpolicy_basic_exec(CRED(), vp)) != 0) {
228 if (dir != NULL)
229 VN_RELE(dir);
230 pn_free(&resolvepn);
231 pn_free(&pn);
232 VN_RELE(vp);
233 goto out;
234 }
235
236 /*
237 * We do not allow executing files in attribute directories.
238 * We test this by determining whether the resolved path
239 * contains a "/" when we're in an attribute directory;
240 * only if the pathname does not contain a "/" the resolved path
241 * points to a file in the current working (attribute) directory.
242 */
243 if ((p->p_user.u_cdir->v_flag & V_XATTRDIR) != 0 &&
244 strchr(resolvepn.pn_path, '/') == NULL) {
245 if (dir != NULL)
246 VN_RELE(dir);
247 error = EACCES;
248 pn_free(&resolvepn);
249 pn_free(&pn);
250 VN_RELE(vp);
251 goto out;
252 }
253
254 bzero(exec_file, MAXCOMLEN+1);
255 (void) strncpy(exec_file, pn.pn_path, MAXCOMLEN);
256 bzero(&args, sizeof (args));
257 args.pathname = resolvepn.pn_path;
258 /* don't free resolvepn until we are done with args */
259 pn_free(&pn);
260
261 /*
262 * If we're running in a profile shell, then call pfexecd.
263 */
264 if ((CR_FLAGS(p->p_cred) & PRIV_PFEXEC) != 0) {
265 error = pfexec_call(p->p_cred, &resolvepn, &args.pfcred,
266 &args.scrubenv);
267
268 /* Returning errno in case we're not allowed to execute. */
269 if (error > 0) {
270 if (dir != NULL)
271 VN_RELE(dir);
272 pn_free(&resolvepn);
273 VN_RELE(vp);
274 goto out;
275 }
276
277 /* Don't change the credentials when using old ptrace. */
278 if (args.pfcred != NULL &&
279 (p->p_proc_flag & P_PR_PTRACE) != 0) {
280 crfree(args.pfcred);
281 args.pfcred = NULL;
282 args.scrubenv = B_FALSE;
283 }
284 }
285
286 /*
287 * Specific exec handlers, or policies determined via
288 * /etc/system may override the historical default.
289 */
290 args.stk_prot = PROT_ZFOD;
291 args.dat_prot = PROT_ZFOD;
292
293 CPU_STATS_ADD_K(sys, sysexec, 1);
294 DTRACE_PROC1(exec, char *, args.pathname);
295
296 ua.fname = fname;
297 ua.argp = argp;
298 ua.envp = envp;
299
300 /* If necessary, brand this process before we start the exec. */
301 if (brandme)
302 brand_setbrand(p);
303
304 if ((error = gexec(&vp, &ua, &args, NULL, 0, &execsz,
305 exec_file, p->p_cred, brand_action)) != 0) {
306 if (brandme)
307 brand_clearbrand(p, B_FALSE);
308 VN_RELE(vp);
309 if (dir != NULL)
310 VN_RELE(dir);
311 pn_free(&resolvepn);
312 goto fail;
313 }
314
315 /*
316 * Free floating point registers (sun4u only)
317 */
318 ASSERT(lwp != NULL);
319 lwp_freeregs(lwp, 1);
320
321 /*
322 * Free thread and process context ops.
323 */
324 if (curthread->t_ctx)
325 freectx(curthread, 1);
326 if (p->p_pctx)
327 freepctx(p, 1);
328
329 /*
330 * Remember file name for accounting; clear any cached DTrace predicate.
331 */
332 up->u_acflag &= ~AFORK;
333 bcopy(exec_file, up->u_comm, MAXCOMLEN+1);
334 curthread->t_predcache = NULL;
335
336 /*
337 * Clear contract template state
338 */
339 lwp_ctmpl_clear(lwp);
340
341 /*
342 * Save the directory in which we found the executable for expanding
343 * the %d token used in core file patterns.
344 */
345 mutex_enter(&p->p_lock);
346 tmpvp = p->p_execdir;
347 p->p_execdir = dir;
348 if (p->p_execdir != NULL)
349 VN_HOLD(p->p_execdir);
350 mutex_exit(&p->p_lock);
351
352 if (tmpvp != NULL)
353 VN_RELE(tmpvp);
354
355 /*
356 * Reset stack state to the user stack, clear set of signals
357 * caught on the signal stack, and reset list of signals that
358 * restart system calls; the new program's environment should
359 * not be affected by detritus from the old program. Any
360 * pending held signals remain held, so don't clear t_hold.
361 */
362 mutex_enter(&p->p_lock);
363 lwp->lwp_oldcontext = 0;
364 lwp->lwp_ustack = 0;
365 lwp->lwp_old_stk_ctl = 0;
366 sigemptyset(&up->u_signodefer);
367 sigemptyset(&up->u_sigonstack);
368 sigemptyset(&up->u_sigresethand);
369 lwp->lwp_sigaltstack.ss_sp = 0;
370 lwp->lwp_sigaltstack.ss_size = 0;
371 lwp->lwp_sigaltstack.ss_flags = SS_DISABLE;
372
373 /*
374 * Make saved resource limit == current resource limit.
375 */
376 for (i = 0; i < RLIM_NLIMITS; i++) {
377 /*CONSTCOND*/
378 if (RLIM_SAVED(i)) {
379 (void) rctl_rlimit_get(rctlproc_legacy[i], p,
380 &up->u_saved_rlimit[i]);
381 }
382 }
383
384 /*
385 * If the action was to catch the signal, then the action
386 * must be reset to SIG_DFL.
387 */
388 sigdefault(p);
389 p->p_flag &= ~(SNOWAIT|SJCTL);
390 p->p_flag |= (SEXECED|SMSACCT|SMSFORK);
391 up->u_signal[SIGCLD - 1] = SIG_DFL;
392
393 /*
394 * Delete the dot4 sigqueues/signotifies.
395 */
396 sigqfree(p);
397
398 mutex_exit(&p->p_lock);
399
400 mutex_enter(&p->p_pflock);
401 p->p_prof.pr_base = NULL;
402 p->p_prof.pr_size = 0;
403 p->p_prof.pr_off = 0;
404 p->p_prof.pr_scale = 0;
405 p->p_prof.pr_samples = 0;
406 mutex_exit(&p->p_pflock);
407
408 ASSERT(curthread->t_schedctl == NULL);
409
410 #if defined(__sparc)
411 if (p->p_utraps != NULL)
412 utrap_free(p);
413 #endif /* __sparc */
414
415 /*
416 * Close all close-on-exec files.
417 */
418 close_exec(P_FINFO(p));
419 TRACE_2(TR_FAC_PROC, TR_PROC_EXEC, "proc_exec:p %p up %p", p, up);
420
421 /* Unbrand ourself if necessary. */
422 if (PROC_IS_BRANDED(p) && (brand_action == EBA_NATIVE))
423 brand_clearbrand(p, B_FALSE);
424
425 setregs(&args);
426
427 /* Mark this as an executable vnode */
428 mutex_enter(&vp->v_lock);
429 vp->v_flag |= VVMEXEC;
430 mutex_exit(&vp->v_lock);
431
432 VN_RELE(vp);
433 if (dir != NULL)
434 VN_RELE(dir);
435 pn_free(&resolvepn);
436
437 /*
438 * Allocate a new lwp directory and lwpid hash table if necessary.
439 */
440 if (curthread->t_tid != 1 || p->p_lwpdir_sz != 2) {
441 lwpdir = kmem_zalloc(2 * sizeof (lwpdir_t), KM_SLEEP);
442 lwpdir->ld_next = lwpdir + 1;
443 tidhash = kmem_zalloc(2 * sizeof (tidhash_t), KM_SLEEP);
444 if (p->p_lwpdir != NULL)
445 lep = p->p_lwpdir[curthread->t_dslot].ld_entry;
446 else
447 lep = kmem_zalloc(sizeof (*lep), KM_SLEEP);
448 }
449
450 if (PROC_IS_BRANDED(p))
451 BROP(p)->b_exec();
452
453 mutex_enter(&p->p_lock);
454 prbarrier(p);
455
456 /*
457 * Reset lwp id to the default value of 1.
458 * This is a single-threaded process now
459 * and lwp #1 is lwp_wait()able by default.
460 * The t_unpark flag should not be inherited.
461 */
462 ASSERT(p->p_lwpcnt == 1 && p->p_zombcnt == 0);
463 curthread->t_tid = 1;
464 kpreempt_disable();
465 ASSERT(curthread->t_lpl != NULL);
466 p->p_t1_lgrpid = curthread->t_lpl->lpl_lgrpid;
467 kpreempt_enable();
468 if (p->p_tr_lgrpid != LGRP_NONE && p->p_tr_lgrpid != p->p_t1_lgrpid) {
469 lgrp_update_trthr_migrations(1);
470 }
471 curthread->t_unpark = 0;
472 curthread->t_proc_flag |= TP_TWAIT;
473 curthread->t_proc_flag &= ~TP_DAEMON; /* daemons shouldn't exec */
474 p->p_lwpdaemon = 0; /* but oh well ... */
475 p->p_lwpid = 1;
476
477 /*
478 * Install the newly-allocated lwp directory and lwpid hash table
479 * and insert the current thread into the new hash table.
480 */
481 if (lwpdir != NULL) {
482 old_lwpdir = p->p_lwpdir;
483 old_lwpdir_sz = p->p_lwpdir_sz;
484 old_tidhash = p->p_tidhash;
485 old_tidhash_sz = p->p_tidhash_sz;
486 p->p_lwpdir = p->p_lwpfree = lwpdir;
487 p->p_lwpdir_sz = 2;
488 lep->le_thread = curthread;
489 lep->le_lwpid = curthread->t_tid;
490 lep->le_start = curthread->t_start;
491 lwp_hash_in(p, lep, tidhash, 2, 0);
492 p->p_tidhash = tidhash;
493 p->p_tidhash_sz = 2;
494 }
495 ret_tidhash = p->p_ret_tidhash;
496 p->p_ret_tidhash = NULL;
497
498 /*
499 * Restore the saved signal mask and
500 * inform /proc that the exec() has finished.
501 */
502 curthread->t_hold = savedmask;
503 prexecend();
504 mutex_exit(&p->p_lock);
505 if (old_lwpdir) {
506 kmem_free(old_lwpdir, old_lwpdir_sz * sizeof (lwpdir_t));
507 kmem_free(old_tidhash, old_tidhash_sz * sizeof (tidhash_t));
508 }
509 while (ret_tidhash != NULL) {
510 ret_tidhash_t *next = ret_tidhash->rth_next;
511 kmem_free(ret_tidhash->rth_tidhash,
512 ret_tidhash->rth_tidhash_sz * sizeof (tidhash_t));
513 kmem_free(ret_tidhash, sizeof (*ret_tidhash));
514 ret_tidhash = next;
515 }
516
517 ASSERT(error == 0);
518 DTRACE_PROC(exec__success);
519 return (0);
520
521 fail:
522 DTRACE_PROC1(exec__failure, int, error);
523 out: /* error return */
524 mutex_enter(&p->p_lock);
525 curthread->t_hold = savedmask;
526 prexecend();
527 mutex_exit(&p->p_lock);
528 ASSERT(error != 0);
529 return (error);
530 }
531
532
533 /*
534 * Perform generic exec duties and switchout to object-file specific
535 * handler.
536 */
537 int
538 gexec(
539 struct vnode **vpp,
540 struct execa *uap,
541 struct uarg *args,
542 struct intpdata *idatap,
543 int level,
544 long *execsz,
545 caddr_t exec_file,
546 struct cred *cred,
547 int brand_action)
548 {
549 struct vnode *vp, *execvp = NULL;
550 proc_t *pp = ttoproc(curthread);
551 struct execsw *eswp;
552 int error = 0;
553 int suidflags = 0;
554 ssize_t resid;
555 uid_t uid, gid;
556 struct vattr vattr;
557 char magbuf[MAGIC_BYTES];
558 int setid;
559 cred_t *oldcred, *newcred = NULL;
560 int privflags = 0;
561 int setidfl;
562 priv_set_t fset;
563
564 /*
565 * If the SNOCD or SUGID flag is set, turn it off and remember the
566 * previous setting so we can restore it if we encounter an error.
567 */
568 if (level == 0 && (pp->p_flag & PSUIDFLAGS)) {
569 mutex_enter(&pp->p_lock);
570 suidflags = pp->p_flag & PSUIDFLAGS;
571 pp->p_flag &= ~PSUIDFLAGS;
572 mutex_exit(&pp->p_lock);
573 }
574
575 if ((error = execpermissions(*vpp, &vattr, args)) != 0)
576 goto bad_noclose;
577
578 /* need to open vnode for stateful file systems */
579 if ((error = VOP_OPEN(vpp, FREAD, CRED(), NULL)) != 0)
580 goto bad_noclose;
581 vp = *vpp;
582
583 /*
584 * Note: to support binary compatibility with SunOS a.out
585 * executables, we read in the first four bytes, as the
586 * magic number is in bytes 2-3.
587 */
588 if (error = vn_rdwr(UIO_READ, vp, magbuf, sizeof (magbuf),
589 (offset_t)0, UIO_SYSSPACE, 0, (rlim64_t)0, CRED(), &resid))
590 goto bad;
591 if (resid != 0)
592 goto bad;
593
594 if ((eswp = findexec_by_hdr(magbuf)) == NULL)
595 goto bad;
596
597 if (level == 0 &&
598 (privflags = execsetid(vp, &vattr, &uid, &gid, &fset,
599 args->pfcred == NULL ? cred : args->pfcred, args->pathname)) != 0) {
600
601 /* Pfcred is a credential with a ref count of 1 */
602
603 if (args->pfcred != NULL) {
604 privflags |= PRIV_INCREASE|PRIV_RESET;
605 newcred = cred = args->pfcred;
606 } else {
607 newcred = cred = crdup(cred);
608 }
609
610 /* If we can, drop the PA bit */
611 if ((privflags & PRIV_RESET) != 0)
612 priv_adjust_PA(cred);
613
614 if (privflags & PRIV_SETID) {
615 cred->cr_uid = uid;
616 cred->cr_gid = gid;
617 cred->cr_suid = uid;
618 cred->cr_sgid = gid;
619 }
620
621 if (privflags & MAC_FLAGS) {
622 if (!(CR_FLAGS(cred) & NET_MAC_AWARE_INHERIT))
623 CR_FLAGS(cred) &= ~NET_MAC_AWARE;
624 CR_FLAGS(cred) &= ~NET_MAC_AWARE_INHERIT;
625 }
626
627 /*
628 * Implement the privilege updates:
629 *
630 * Restrict with L:
631 *
632 * I' = I & L
633 *
634 * E' = P' = (I' + F) & A
635 *
636 * But if running under ptrace, we cap I and F with P.
637 */
638 if ((privflags & (PRIV_RESET|PRIV_FORCED)) != 0) {
639 if ((privflags & PRIV_INCREASE) != 0 &&
640 (pp->p_proc_flag & P_PR_PTRACE) != 0) {
641 priv_intersect(&CR_OPPRIV(cred),
642 &CR_IPRIV(cred));
643 priv_intersect(&CR_OPPRIV(cred), &fset);
644 }
645 priv_intersect(&CR_LPRIV(cred), &CR_IPRIV(cred));
646 CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred);
647 if (privflags & PRIV_FORCED) {
648 priv_set_PA(cred);
649 priv_union(&fset, &CR_EPRIV(cred));
650 priv_union(&fset, &CR_PPRIV(cred));
651 }
652 priv_adjust_PA(cred);
653 }
654 } else if (level == 0 && args->pfcred != NULL) {
655 newcred = cred = args->pfcred;
656 privflags |= PRIV_INCREASE;
657 /* pfcred is not forced to adhere to these settings */
658 priv_intersect(&CR_LPRIV(cred), &CR_IPRIV(cred));
659 CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred);
660 priv_adjust_PA(cred);
661 }
662
663 /* SunOS 4.x buy-back */
664 if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) &&
665 (vattr.va_mode & (VSUID|VSGID))) {
666 char path[MAXNAMELEN];
667 refstr_t *mntpt = NULL;
668 int ret = -1;
669
670 bzero(path, sizeof (path));
671 zone_hold(pp->p_zone);
672
673 ret = vnodetopath(pp->p_zone->zone_rootvp, vp, path,
674 sizeof (path), cred);
675
676 /* fallback to mountpoint if a path can't be found */
677 if ((ret != 0) || (ret == 0 && path[0] == '\0'))
678 mntpt = vfs_getmntpoint(vp->v_vfsp);
679
680 if (mntpt == NULL)
681 zcmn_err(pp->p_zone->zone_id, CE_NOTE,
682 "!uid %d: setuid execution not allowed, "
683 "file=%s", cred->cr_uid, path);
684 else
685 zcmn_err(pp->p_zone->zone_id, CE_NOTE,
686 "!uid %d: setuid execution not allowed, "
687 "fs=%s, file=%s", cred->cr_uid,
688 ZONE_PATH_TRANSLATE(refstr_value(mntpt),
689 pp->p_zone), exec_file);
690
691 if (!INGLOBALZONE(pp)) {
692 /* zone_rootpath always has trailing / */
693 if (mntpt == NULL)
694 cmn_err(CE_NOTE, "!zone: %s, uid: %d "
695 "setuid execution not allowed, file=%s%s",
696 pp->p_zone->zone_name, cred->cr_uid,
697 pp->p_zone->zone_rootpath, path + 1);
698 else
699 cmn_err(CE_NOTE, "!zone: %s, uid: %d "
700 "setuid execution not allowed, fs=%s, "
701 "file=%s", pp->p_zone->zone_name,
702 cred->cr_uid, refstr_value(mntpt),
703 exec_file);
704 }
705
706 if (mntpt != NULL)
707 refstr_rele(mntpt);
708
709 zone_rele(pp->p_zone);
710 }
711
712 /*
713 * execsetid() told us whether or not we had to change the
714 * credentials of the process. In privflags, it told us
715 * whether we gained any privileges or executed a set-uid executable.
716 */
717 setid = (privflags & (PRIV_SETUGID|PRIV_INCREASE|PRIV_FORCED));
718
719 /*
720 * Use /etc/system variable to determine if the stack
721 * should be marked as executable by default.
722 */
723 if (noexec_user_stack)
724 args->stk_prot &= ~PROT_EXEC;
725
726 args->execswp = eswp; /* Save execsw pointer in uarg for exec_func */
727 args->ex_vp = vp;
728
729 /*
730 * Traditionally, the setid flags told the sub processes whether
731 * the file just executed was set-uid or set-gid; this caused
732 * some confusion as the 'setid' flag did not match the SUGID
733 * process flag which is only set when the uids/gids do not match.
734 * A script set-gid/set-uid to the real uid/gid would start with
735 * /dev/fd/X but an executable would happily trust LD_LIBRARY_PATH.
736 * Now we flag those cases where the calling process cannot
737 * be trusted to influence the newly exec'ed process, either
738 * because it runs with more privileges or when the uids/gids
739 * do in fact not match.
740 * This also makes the runtime linker agree with the on exec
741 * values of SNOCD and SUGID.
742 */
743 setidfl = 0;
744 if (cred->cr_uid != cred->cr_ruid || (cred->cr_rgid != cred->cr_gid &&
745 !supgroupmember(cred->cr_gid, cred))) {
746 setidfl |= EXECSETID_UGIDS;
747 }
748 if (setid & PRIV_SETUGID)
749 setidfl |= EXECSETID_SETID;
750 if (setid & PRIV_FORCED)
751 setidfl |= EXECSETID_PRIVS;
752
753 execvp = pp->p_exec;
754 if (execvp)
755 VN_HOLD(execvp);
756
757 error = (*eswp->exec_func)(vp, uap, args, idatap, level, execsz,
758 setidfl, exec_file, cred, brand_action);
759 rw_exit(eswp->exec_lock);
760 if (error != 0) {
761 if (execvp)
762 VN_RELE(execvp);
763 /*
764 * If this process's p_exec has been set to the vp of
765 * the executable by exec_func, we will return without
766 * calling VOP_CLOSE because proc_exit will close it
767 * on exit.
768 */
769 if (pp->p_exec == vp)
770 goto bad_noclose;
771 else
772 goto bad;
773 }
774
775 if (level == 0) {
776 uid_t oruid;
777
778 if (execvp != NULL) {
779 /*
780 * Close the previous executable only if we are
781 * at level 0.
782 */
783 (void) VOP_CLOSE(execvp, FREAD, 1, (offset_t)0,
784 cred, NULL);
785 }
786
787 mutex_enter(&pp->p_crlock);
788
789 oruid = pp->p_cred->cr_ruid;
790
791 if (newcred != NULL) {
792 /*
793 * Free the old credentials, and set the new ones.
794 * Do this for both the process and the (single) thread.
795 */
796 crfree(pp->p_cred);
797 pp->p_cred = cred; /* cred already held for proc */
798 crhold(cred); /* hold new cred for thread */
799 /*
800 * DTrace accesses t_cred in probe context. t_cred
801 * must always be either NULL, or point to a valid,
802 * allocated cred structure.
803 */
804 oldcred = curthread->t_cred;
805 curthread->t_cred = cred;
806 crfree(oldcred);
807
808 if (priv_basic_test >= 0 &&
809 !PRIV_ISASSERT(&CR_IPRIV(newcred),
810 priv_basic_test)) {
811 pid_t pid = pp->p_pid;
812 char *fn = PTOU(pp)->u_comm;
813
814 cmn_err(CE_WARN, "%s[%d]: exec: basic_test "
815 "privilege removed from E/I", fn, pid);
816 }
817 }
818 /*
819 * On emerging from a successful exec(), the saved
820 * uid and gid equal the effective uid and gid.
821 */
822 cred->cr_suid = cred->cr_uid;
823 cred->cr_sgid = cred->cr_gid;
824
825 /*
826 * If the real and effective ids do not match, this
827 * is a setuid process that should not dump core.
828 * The group comparison is tricky; we prevent the code
829 * from flagging SNOCD when executing with an effective gid
830 * which is a supplementary group.
831 */
832 if (cred->cr_ruid != cred->cr_uid ||
833 (cred->cr_rgid != cred->cr_gid &&
834 !supgroupmember(cred->cr_gid, cred)) ||
835 (privflags & PRIV_INCREASE) != 0)
836 suidflags = PSUIDFLAGS;
837 else
838 suidflags = 0;
839
840 mutex_exit(&pp->p_crlock);
841 if (newcred != NULL && oruid != newcred->cr_ruid) {
842 /* Note that the process remains in the same zone. */
843 mutex_enter(&pidlock);
844 upcount_dec(oruid, crgetzoneid(newcred));
845 upcount_inc(newcred->cr_ruid, crgetzoneid(newcred));
846 mutex_exit(&pidlock);
847 }
848 if (suidflags) {
849 mutex_enter(&pp->p_lock);
850 pp->p_flag |= suidflags;
851 mutex_exit(&pp->p_lock);
852 }
853 if (setid && (pp->p_proc_flag & P_PR_PTRACE) == 0) {
854 /*
855 * If process is traced via /proc, arrange to
856 * invalidate the associated /proc vnode.
857 */
858 if (pp->p_plist || (pp->p_proc_flag & P_PR_TRACE))
859 args->traceinval = 1;
860 }
861 if (pp->p_proc_flag & P_PR_PTRACE)
862 psignal(pp, SIGTRAP);
863 if (args->traceinval)
864 prinvalidate(&pp->p_user);
865 }
866 if (execvp)
867 VN_RELE(execvp);
868 return (0);
869
870 bad:
871 (void) VOP_CLOSE(vp, FREAD, 1, (offset_t)0, cred, NULL);
872
873 bad_noclose:
874 if (newcred != NULL)
875 crfree(newcred);
876 if (error == 0)
877 error = ENOEXEC;
878
879 if (suidflags) {
880 mutex_enter(&pp->p_lock);
881 pp->p_flag |= suidflags;
882 mutex_exit(&pp->p_lock);
883 }
884 return (error);
885 }
886
887 extern char *execswnames[];
888
889 struct execsw *
890 allocate_execsw(char *name, char *magic, size_t magic_size)
891 {
892 int i, j;
893 char *ename;
894 char *magicp;
895
896 mutex_enter(&execsw_lock);
897 for (i = 0; i < nexectype; i++) {
898 if (execswnames[i] == NULL) {
899 ename = kmem_alloc(strlen(name) + 1, KM_SLEEP);
900 (void) strcpy(ename, name);
901 execswnames[i] = ename;
902 /*
903 * Set the magic number last so that we
904 * don't need to hold the execsw_lock in
905 * findexectype().
906 */
907 magicp = kmem_alloc(magic_size, KM_SLEEP);
908 for (j = 0; j < magic_size; j++)
909 magicp[j] = magic[j];
910 execsw[i].exec_magic = magicp;
911 mutex_exit(&execsw_lock);
912 return (&execsw[i]);
913 }
914 }
915 mutex_exit(&execsw_lock);
916 return (NULL);
917 }
918
919 /*
920 * Find the exec switch table entry with the corresponding magic string.
921 */
922 struct execsw *
923 findexecsw(char *magic)
924 {
925 struct execsw *eswp;
926
927 for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
928 ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
929 if (magic && eswp->exec_maglen != 0 &&
930 bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0)
931 return (eswp);
932 }
933 return (NULL);
934 }
935
936 /*
937 * Find the execsw[] index for the given exec header string by looking for the
938 * magic string at a specified offset and length for each kind of executable
939 * file format until one matches. If no execsw[] entry is found, try to
940 * autoload a module for this magic string.
941 */
942 struct execsw *
943 findexec_by_hdr(char *header)
944 {
945 struct execsw *eswp;
946
947 for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
948 ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
949 if (header && eswp->exec_maglen != 0 &&
950 bcmp(&header[eswp->exec_magoff], eswp->exec_magic,
951 eswp->exec_maglen) == 0) {
952 if (hold_execsw(eswp) != 0)
953 return (NULL);
954 return (eswp);
955 }
956 }
957 return (NULL); /* couldn't find the type */
958 }
959
960 /*
961 * Find the execsw[] index for the given magic string. If no execsw[] entry
962 * is found, try to autoload a module for this magic string.
963 */
964 struct execsw *
965 findexec_by_magic(char *magic)
966 {
967 struct execsw *eswp;
968
969 for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
970 ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
971 if (magic && eswp->exec_maglen != 0 &&
972 bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0) {
973 if (hold_execsw(eswp) != 0)
974 return (NULL);
975 return (eswp);
976 }
977 }
978 return (NULL); /* couldn't find the type */
979 }
980
981 static int
982 hold_execsw(struct execsw *eswp)
983 {
984 char *name;
985
986 rw_enter(eswp->exec_lock, RW_READER);
987 while (!LOADED_EXEC(eswp)) {
988 rw_exit(eswp->exec_lock);
989 name = execswnames[eswp-execsw];
990 ASSERT(name);
991 if (modload("exec", name) == -1)
992 return (-1);
993 rw_enter(eswp->exec_lock, RW_READER);
994 }
995 return (0);
996 }
997
998 static int
999 execsetid(struct vnode *vp, struct vattr *vattrp, uid_t *uidp, uid_t *gidp,
1000 priv_set_t *fset, cred_t *cr, const char *pathname)
1001 {
1002 proc_t *pp = ttoproc(curthread);
1003 uid_t uid, gid;
1004 int privflags = 0;
1005
1006 /*
1007 * Remember credentials.
1008 */
1009 uid = cr->cr_uid;
1010 gid = cr->cr_gid;
1011
1012 /* Will try to reset the PRIV_AWARE bit later. */
1013 if ((CR_FLAGS(cr) & (PRIV_AWARE|PRIV_AWARE_INHERIT)) == PRIV_AWARE)
1014 privflags |= PRIV_RESET;
1015
1016 if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) == 0) {
1017 /*
1018 * If it's a set-uid root program we perform the
1019 * forced privilege look-aside. This has three possible
1020 * outcomes:
1021 * no look aside information -> treat as before
1022 * look aside in Limit set -> apply forced privs
1023 * look aside not in Limit set -> ignore set-uid root
1024 *
1025 * Ordinary set-uid root execution only allowed if the limit
1026 * set holds all unsafe privileges.
1027 */
1028 if (vattrp->va_mode & VSUID) {
1029 if (vattrp->va_uid == 0) {
1030 int res = get_forced_privs(cr, pathname, fset);
1031
1032 switch (res) {
1033 case -1:
1034 if (priv_issubset(&priv_unsafe,
1035 &CR_LPRIV(cr))) {
1036 uid = vattrp->va_uid;
1037 privflags |= PRIV_SETUGID;
1038 }
1039 break;
1040 case 0:
1041 privflags |= PRIV_FORCED|PRIV_INCREASE;
1042 break;
1043 default:
1044 break;
1045 }
1046 } else {
1047 uid = vattrp->va_uid;
1048 privflags |= PRIV_SETUGID;
1049 }
1050 }
1051 if (vattrp->va_mode & VSGID) {
1052 gid = vattrp->va_gid;
1053 privflags |= PRIV_SETUGID;
1054 }
1055 }
1056
1057 /*
1058 * Do we need to change our credential anyway?
1059 * This is the case when E != I or P != I, as
1060 * we need to do the assignments (with F empty and A full)
1061 * Or when I is not a subset of L; in that case we need to
1062 * enforce L.
1063 *
1064 * I' = L & I
1065 *
1066 * E' = P' = (I' + F) & A
1067 * or
1068 * E' = P' = I'
1069 */
1070 if (!priv_isequalset(&CR_EPRIV(cr), &CR_IPRIV(cr)) ||
1071 !priv_issubset(&CR_IPRIV(cr), &CR_LPRIV(cr)) ||
1072 !priv_isequalset(&CR_PPRIV(cr), &CR_IPRIV(cr)))
1073 privflags |= PRIV_RESET;
1074
1075 /* Child has more privileges than parent */
1076 if (!priv_issubset(&CR_IPRIV(cr), &CR_PPRIV(cr)))
1077 privflags |= PRIV_INCREASE;
1078
1079 /* If MAC-aware flag(s) are on, need to update cred to remove. */
1080 if ((CR_FLAGS(cr) & NET_MAC_AWARE) ||
1081 (CR_FLAGS(cr) & NET_MAC_AWARE_INHERIT))
1082 privflags |= MAC_FLAGS;
1083 /*
1084 * Set setuid/setgid protections if no ptrace() compatibility.
1085 * For privileged processes, honor setuid/setgid even in
1086 * the presence of ptrace() compatibility.
1087 */
1088 if (((pp->p_proc_flag & P_PR_PTRACE) == 0 ||
1089 PRIV_POLICY_ONLY(cr, PRIV_PROC_OWNER, (uid == 0))) &&
1090 (cr->cr_uid != uid ||
1091 cr->cr_gid != gid ||
1092 cr->cr_suid != uid ||
1093 cr->cr_sgid != gid)) {
1094 *uidp = uid;
1095 *gidp = gid;
1096 privflags |= PRIV_SETID;
1097 }
1098 return (privflags);
1099 }
1100
1101 int
1102 execpermissions(struct vnode *vp, struct vattr *vattrp, struct uarg *args)
1103 {
1104 int error;
1105 proc_t *p = ttoproc(curthread);
1106
1107 vattrp->va_mask = AT_MODE | AT_UID | AT_GID | AT_SIZE;
1108 if (error = VOP_GETATTR(vp, vattrp, ATTR_EXEC, p->p_cred, NULL))
1109 return (error);
1110 /*
1111 * Check the access mode.
1112 * If VPROC, ask /proc if the file is an object file.
1113 */
1114 if ((error = VOP_ACCESS(vp, VEXEC, 0, p->p_cred, NULL)) != 0 ||
1115 !(vp->v_type == VREG || (vp->v_type == VPROC && pr_isobject(vp))) ||
1116 (vp->v_vfsp->vfs_flag & VFS_NOEXEC) != 0 ||
1117 (vattrp->va_mode & (VEXEC|(VEXEC>>3)|(VEXEC>>6))) == 0) {
1118 if (error == 0)
1119 error = EACCES;
1120 return (error);
1121 }
1122
1123 if ((p->p_plist || (p->p_proc_flag & (P_PR_PTRACE|P_PR_TRACE))) &&
1124 (error = VOP_ACCESS(vp, VREAD, 0, p->p_cred, NULL))) {
1125 /*
1126 * If process is under ptrace(2) compatibility,
1127 * fail the exec(2).
1128 */
1129 if (p->p_proc_flag & P_PR_PTRACE)
1130 goto bad;
1131 /*
1132 * Process is traced via /proc.
1133 * Arrange to invalidate the /proc vnode.
1134 */
1135 args->traceinval = 1;
1136 }
1137 return (0);
1138 bad:
1139 if (error == 0)
1140 error = ENOEXEC;
1141 return (error);
1142 }
1143
1144 /*
1145 * Map a section of an executable file into the user's
1146 * address space.
1147 */
1148 int
1149 execmap(struct vnode *vp, caddr_t addr, size_t len, size_t zfodlen,
1150 off_t offset, int prot, int page, uint_t szc)
1151 {
1152 int error = 0;
1153 off_t oldoffset;
1154 caddr_t zfodbase, oldaddr;
1155 size_t end, oldlen;
1156 size_t zfoddiff;
1157 label_t ljb;
1158 proc_t *p = ttoproc(curthread);
1159
1160 oldaddr = addr;
1161 addr = (caddr_t)((uintptr_t)addr & (uintptr_t)PAGEMASK);
1162 if (len) {
1163 oldlen = len;
1164 len += ((size_t)oldaddr - (size_t)addr);
1165 oldoffset = offset;
1166 offset = (off_t)((uintptr_t)offset & PAGEMASK);
1167 if (page) {
1168 spgcnt_t prefltmem, availm, npages;
1169 int preread;
1170 uint_t mflag = MAP_PRIVATE | MAP_FIXED;
1171
1172 if ((prot & (PROT_WRITE | PROT_EXEC)) == PROT_EXEC) {
1173 mflag |= MAP_TEXT;
1174 } else {
1175 mflag |= MAP_INITDATA;
1176 }
1177
1178 if (valid_usr_range(addr, len, prot, p->p_as,
1179 p->p_as->a_userlimit) != RANGE_OKAY) {
1180 error = ENOMEM;
1181 goto bad;
1182 }
1183 if (error = VOP_MAP(vp, (offset_t)offset,
1184 p->p_as, &addr, len, prot, PROT_ALL,
1185 mflag, CRED(), NULL))
1186 goto bad;
1187
1188 /*
1189 * If the segment can fit, then we prefault
1190 * the entire segment in. This is based on the
1191 * model that says the best working set of a
1192 * small program is all of its pages.
1193 */
1194 npages = (spgcnt_t)btopr(len);
1195 prefltmem = freemem - desfree;
1196 preread =
1197 (npages < prefltmem && len < PGTHRESH) ? 1 : 0;
1198
1199 /*
1200 * If we aren't prefaulting the segment,
1201 * increment "deficit", if necessary to ensure
1202 * that pages will become available when this
1203 * process starts executing.
1204 */
1205 availm = freemem - lotsfree;
1206 if (preread == 0 && npages > availm &&
1207 deficit < lotsfree) {
1208 deficit += MIN((pgcnt_t)(npages - availm),
1209 lotsfree - deficit);
1210 }
1211
1212 if (preread) {
1213 TRACE_2(TR_FAC_PROC, TR_EXECMAP_PREREAD,
1214 "execmap preread:freemem %d size %lu",
1215 freemem, len);
1216 (void) as_fault(p->p_as->a_hat, p->p_as,
1217 (caddr_t)addr, len, F_INVAL, S_READ);
1218 }
1219 } else {
1220 if (valid_usr_range(addr, len, prot, p->p_as,
1221 p->p_as->a_userlimit) != RANGE_OKAY) {
1222 error = ENOMEM;
1223 goto bad;
1224 }
1225
1226 if (error = as_map(p->p_as, addr, len,
1227 segvn_create, zfod_argsp))
1228 goto bad;
1229 /*
1230 * Read in the segment in one big chunk.
1231 */
1232 if (error = vn_rdwr(UIO_READ, vp, (caddr_t)oldaddr,
1233 oldlen, (offset_t)oldoffset, UIO_USERSPACE, 0,
1234 (rlim64_t)0, CRED(), (ssize_t *)0))
1235 goto bad;
1236 /*
1237 * Now set protections.
1238 */
1239 if (prot != PROT_ZFOD) {
1240 (void) as_setprot(p->p_as, (caddr_t)addr,
1241 len, prot);
1242 }
1243 }
1244 }
1245
1246 if (zfodlen) {
1247 struct as *as = curproc->p_as;
1248 struct seg *seg;
1249 uint_t zprot = 0;
1250
1251 end = (size_t)addr + len;
1252 zfodbase = (caddr_t)roundup(end, PAGESIZE);
1253 zfoddiff = (uintptr_t)zfodbase - end;
1254 if (zfoddiff) {
1255 /*
1256 * Before we go to zero the remaining space on the last
1257 * page, make sure we have write permission.
1258 *
1259 * Normal illumos binaries don't even hit the case
1260 * where we have to change permission on the last page
1261 * since their protection is typically either
1262 * PROT_USER | PROT_WRITE | PROT_READ
1263 * or
1264 * PROT_ZFOD (same as PROT_ALL).
1265 *
1266 * We need to be careful how we zero-fill the last page
1267 * if the segment protection does not include
1268 * PROT_WRITE. Using as_setprot() can cause the VM
1269 * segment code to call segvn_vpage(), which must
1270 * allocate a page struct for each page in the segment.
1271 * If we have a very large segment, this may fail, so
1272 * we have to check for that, even though we ignore
1273 * other return values from as_setprot.
1274 */
1275
1276 AS_LOCK_ENTER(as, RW_READER);
1277 seg = as_segat(curproc->p_as, (caddr_t)end);
1278 if (seg != NULL)
1279 SEGOP_GETPROT(seg, (caddr_t)end, zfoddiff - 1,
1280 &zprot);
1281 AS_LOCK_EXIT(as);
1282
1283 if (seg != NULL && (zprot & PROT_WRITE) == 0) {
1284 if (as_setprot(as, (caddr_t)end, zfoddiff - 1,
1285 zprot | PROT_WRITE) == ENOMEM) {
1286 error = ENOMEM;
1287 goto bad;
1288 }
1289 }
1290
1291 if (on_fault(&ljb)) {
1292 no_fault();
1293 if (seg != NULL && (zprot & PROT_WRITE) == 0)
1294 (void) as_setprot(as, (caddr_t)end,
1295 zfoddiff - 1, zprot);
1296 error = EFAULT;
1297 goto bad;
1298 }
1299 uzero((void *)end, zfoddiff);
1300 no_fault();
1301 if (seg != NULL && (zprot & PROT_WRITE) == 0)
1302 (void) as_setprot(as, (caddr_t)end,
1303 zfoddiff - 1, zprot);
1304 }
1305 if (zfodlen > zfoddiff) {
1306 struct segvn_crargs crargs =
1307 SEGVN_ZFOD_ARGS(PROT_ZFOD, PROT_ALL);
1308
1309 zfodlen -= zfoddiff;
1310 if (valid_usr_range(zfodbase, zfodlen, prot, p->p_as,
1311 p->p_as->a_userlimit) != RANGE_OKAY) {
1312 error = ENOMEM;
1313 goto bad;
1314 }
1315 if (szc > 0) {
1316 /*
1317 * ASSERT alignment because the mapelfexec()
1318 * caller for the szc > 0 case extended zfod
1319 * so it's end is pgsz aligned.
1320 */
1321 size_t pgsz = page_get_pagesize(szc);
1322 ASSERT(IS_P2ALIGNED(zfodbase + zfodlen, pgsz));
1323
1324 if (IS_P2ALIGNED(zfodbase, pgsz)) {
1325 crargs.szc = szc;
1326 } else {
1327 crargs.szc = AS_MAP_HEAP;
1328 }
1329 } else {
1330 crargs.szc = AS_MAP_NO_LPOOB;
1331 }
1332 if (error = as_map(p->p_as, (caddr_t)zfodbase,
1333 zfodlen, segvn_create, &crargs))
1334 goto bad;
1335 if (prot != PROT_ZFOD) {
1336 (void) as_setprot(p->p_as, (caddr_t)zfodbase,
1337 zfodlen, prot);
1338 }
1339 }
1340 }
1341 return (0);
1342 bad:
1343 return (error);
1344 }
1345
1346 void
1347 setexecenv(struct execenv *ep)
1348 {
1349 proc_t *p = ttoproc(curthread);
1350 klwp_t *lwp = ttolwp(curthread);
1351 struct vnode *vp;
1352
1353 p->p_bssbase = ep->ex_bssbase;
1354 p->p_brkbase = ep->ex_brkbase;
1355 p->p_brksize = ep->ex_brksize;
1356 if (p->p_exec)
1357 VN_RELE(p->p_exec); /* out with the old */
1358 vp = p->p_exec = ep->ex_vp;
1359 if (vp != NULL)
1360 VN_HOLD(vp); /* in with the new */
1361
1362 lwp->lwp_sigaltstack.ss_sp = 0;
1363 lwp->lwp_sigaltstack.ss_size = 0;
1364 lwp->lwp_sigaltstack.ss_flags = SS_DISABLE;
1365 }
1366
1367 int
1368 execopen(struct vnode **vpp, int *fdp)
1369 {
1370 struct vnode *vp = *vpp;
1371 file_t *fp;
1372 int error = 0;
1373 int filemode = FREAD;
1374
1375 VN_HOLD(vp); /* open reference */
1376 if (error = falloc(NULL, filemode, &fp, fdp)) {
1377 VN_RELE(vp);
1378 *fdp = -1; /* just in case falloc changed value */
1379 return (error);
1380 }
1381 if (error = VOP_OPEN(&vp, filemode, CRED(), NULL)) {
1382 VN_RELE(vp);
1383 setf(*fdp, NULL);
1384 unfalloc(fp);
1385 *fdp = -1;
1386 return (error);
1387 }
1388 *vpp = vp; /* vnode should not have changed */
1389 fp->f_vnode = vp;
1390 mutex_exit(&fp->f_tlock);
1391 setf(*fdp, fp);
1392 return (0);
1393 }
1394
1395 int
1396 execclose(int fd)
1397 {
1398 return (closeandsetf(fd, NULL));
1399 }
1400
1401
1402 /*
1403 * noexec stub function.
1404 */
1405 /*ARGSUSED*/
1406 int
1407 noexec(
1408 struct vnode *vp,
1409 struct execa *uap,
1410 struct uarg *args,
1411 struct intpdata *idatap,
1412 int level,
1413 long *execsz,
1414 int setid,
1415 caddr_t exec_file,
1416 struct cred *cred)
1417 {
1418 cmn_err(CE_WARN, "missing exec capability for %s", uap->fname);
1419 return (ENOEXEC);
1420 }
1421
1422 /*
1423 * Support routines for building a user stack.
1424 *
1425 * execve(path, argv, envp) must construct a new stack with the specified
1426 * arguments and environment variables (see exec_args() for a description
1427 * of the user stack layout). To do this, we copy the arguments and
1428 * environment variables from the old user address space into the kernel,
1429 * free the old as, create the new as, and copy our buffered information
1430 * to the new stack. Our kernel buffer has the following structure:
1431 *
1432 * +-----------------------+ <--- stk_base + stk_size
1433 * | string offsets |
1434 * +-----------------------+ <--- stk_offp
1435 * | |
1436 * | STK_AVAIL() space |
1437 * | |
1438 * +-----------------------+ <--- stk_strp
1439 * | strings |
1440 * +-----------------------+ <--- stk_base
1441 *
1442 * When we add a string, we store the string's contents (including the null
1443 * terminator) at stk_strp, and we store the offset of the string relative to
1444 * stk_base at --stk_offp. At strings are added, stk_strp increases and
1445 * stk_offp decreases. The amount of space remaining, STK_AVAIL(), is just
1446 * the difference between these pointers. If we run out of space, we return
1447 * an error and exec_args() starts all over again with a buffer twice as large.
1448 * When we're all done, the kernel buffer looks like this:
1449 *
1450 * +-----------------------+ <--- stk_base + stk_size
1451 * | argv[0] offset |
1452 * +-----------------------+
1453 * | ... |
1454 * +-----------------------+
1455 * | argv[argc-1] offset |
1456 * +-----------------------+
1457 * | envp[0] offset |
1458 * +-----------------------+
1459 * | ... |
1460 * +-----------------------+
1461 * | envp[envc-1] offset |
1462 * +-----------------------+
1463 * | AT_SUN_PLATFORM offset|
1464 * +-----------------------+
1465 * | AT_SUN_EXECNAME offset|
1466 * +-----------------------+ <--- stk_offp
1467 * | |
1468 * | STK_AVAIL() space |
1469 * | |
1470 * +-----------------------+ <--- stk_strp
1471 * | AT_SUN_EXECNAME offset|
1472 * +-----------------------+
1473 * | AT_SUN_PLATFORM offset|
1474 * +-----------------------+
1475 * | envp[envc-1] string |
1476 * +-----------------------+
1477 * | ... |
1478 * +-----------------------+
1479 * | envp[0] string |
1480 * +-----------------------+
1481 * | argv[argc-1] string |
1482 * +-----------------------+
1483 * | ... |
1484 * +-----------------------+
1485 * | argv[0] string |
1486 * +-----------------------+ <--- stk_base
1487 */
1488
1489 #define STK_AVAIL(args) ((char *)(args)->stk_offp - (args)->stk_strp)
1490
1491 /*
1492 * Add a string to the stack.
1493 */
1494 static int
1495 stk_add(uarg_t *args, const char *sp, enum uio_seg segflg)
1496 {
1497 int error;
1498 size_t len;
1499
1500 if (STK_AVAIL(args) < sizeof (int))
1501 return (E2BIG);
1502 *--args->stk_offp = args->stk_strp - args->stk_base;
1503
1504 if (segflg == UIO_USERSPACE) {
1505 error = copyinstr(sp, args->stk_strp, STK_AVAIL(args), &len);
1506 if (error != 0)
1507 return (error);
1508 } else {
1509 len = strlen(sp) + 1;
1510 if (len > STK_AVAIL(args))
1511 return (E2BIG);
1512 bcopy(sp, args->stk_strp, len);
1513 }
1514
1515 args->stk_strp += len;
1516
1517 return (0);
1518 }
1519
1520 static int
1521 stk_getptr(uarg_t *args, char *src, char **dst)
1522 {
1523 int error;
1524
1525 if (args->from_model == DATAMODEL_NATIVE) {
1526 ulong_t ptr;
1527 error = fulword(src, &ptr);
1528 *dst = (caddr_t)ptr;
1529 } else {
1530 uint32_t ptr;
1531 error = fuword32(src, &ptr);
1532 *dst = (caddr_t)(uintptr_t)ptr;
1533 }
1534 return (error);
1535 }
1536
1537 static int
1538 stk_putptr(uarg_t *args, char *addr, char *value)
1539 {
1540 if (args->to_model == DATAMODEL_NATIVE)
1541 return (sulword(addr, (ulong_t)value));
1542 else
1543 return (suword32(addr, (uint32_t)(uintptr_t)value));
1544 }
1545
1546 static int
1547 stk_copyin(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp)
1548 {
1549 char *sp;
1550 int argc, error;
1551 int argv_empty = 0;
1552 size_t ptrsize = args->from_ptrsize;
1553 size_t size, pad;
1554 char *argv = (char *)uap->argp;
1555 char *envp = (char *)uap->envp;
1556
1557 /*
1558 * Copy interpreter's name and argument to argv[0] and argv[1].
1559 * In the rare case that we have nested interpreters then those names
1560 * and arguments are also copied to the subsequent slots in argv.
1561 */
1562 if (intp != NULL && intp->intp_name[0] != NULL) {
1563 int i;
1564
1565 for (i = 0; i < INTP_MAXDEPTH; i++) {
1566 if (intp->intp_name[i] == NULL)
1567 break;
1568 error = stk_add(args, intp->intp_name[i], UIO_SYSSPACE);
1569 if (error != 0)
1570 return (error);
1571 if (intp->intp_arg[i] != NULL) {
1572 error = stk_add(args, intp->intp_arg[i],
1573 UIO_SYSSPACE);
1574 if (error != 0)
1575 return (error);
1576 }
1577 }
1578
1579 if (args->fname != NULL)
1580 error = stk_add(args, args->fname, UIO_SYSSPACE);
1581 else
1582 error = stk_add(args, uap->fname, UIO_USERSPACE);
1583 if (error)
1584 return (error);
1585
1586 /*
1587 * Check for an empty argv[].
1588 */
1589 if (stk_getptr(args, argv, &sp))
1590 return (EFAULT);
1591 if (sp == NULL)
1592 argv_empty = 1;
1593
1594 argv += ptrsize; /* ignore original argv[0] */
1595 }
1596
1597 if (argv_empty == 0) {
1598 /*
1599 * Add argv[] strings to the stack.
1600 */
1601 for (;;) {
1602 if (stk_getptr(args, argv, &sp))
1603 return (EFAULT);
1604 if (sp == NULL)
1605 break;
1606 if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0)
1607 return (error);
1608 argv += ptrsize;
1609 }
1610 }
1611 argc = (int *)(args->stk_base + args->stk_size) - args->stk_offp;
1612 args->arglen = args->stk_strp - args->stk_base;
1613
1614 /*
1615 * Add environ[] strings to the stack.
1616 */
1617 if (envp != NULL) {
1618 for (;;) {
1619 char *tmp = args->stk_strp;
1620 if (stk_getptr(args, envp, &sp))
1621 return (EFAULT);
1622 if (sp == NULL)
1623 break;
1624 if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0)
1625 return (error);
1626 if (args->scrubenv && strncmp(tmp, "LD_", 3) == 0) {
1627 /* Undo the copied string */
1628 args->stk_strp = tmp;
1629 *(args->stk_offp++) = NULL;
1630 }
1631 envp += ptrsize;
1632 }
1633 }
1634 args->na = (int *)(args->stk_base + args->stk_size) - args->stk_offp;
1635 args->ne = args->na - argc;
1636
1637 /*
1638 * Add AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME, and
1639 * AT_SUN_EMULATOR strings to the stack.
1640 */
1641 if (auxvpp != NULL && *auxvpp != NULL) {
1642 if ((error = stk_add(args, platform, UIO_SYSSPACE)) != 0)
1643 return (error);
1644 if ((error = stk_add(args, args->pathname, UIO_SYSSPACE)) != 0)
1645 return (error);
1646 if (args->brandname != NULL &&
1647 (error = stk_add(args, args->brandname, UIO_SYSSPACE)) != 0)
1648 return (error);
1649 if (args->emulator != NULL &&
1650 (error = stk_add(args, args->emulator, UIO_SYSSPACE)) != 0)
1651 return (error);
1652 }
1653
1654 /*
1655 * Compute the size of the stack. This includes all the pointers,
1656 * the space reserved for the aux vector, and all the strings.
1657 * The total number of pointers is args->na (which is argc + envc)
1658 * plus 4 more: (1) a pointer's worth of space for argc; (2) the NULL
1659 * after the last argument (i.e. argv[argc]); (3) the NULL after the
1660 * last environment variable (i.e. envp[envc]); and (4) the NULL after
1661 * all the strings, at the very top of the stack.
1662 */
1663 size = (args->na + 4) * args->to_ptrsize + args->auxsize +
1664 (args->stk_strp - args->stk_base);
1665
1666 /*
1667 * Pad the string section with zeroes to align the stack size.
1668 */
1669 pad = P2NPHASE(size, args->stk_align);
1670
1671 if (STK_AVAIL(args) < pad)
1672 return (E2BIG);
1673
1674 args->usrstack_size = size + pad;
1675
1676 while (pad-- != 0)
1677 *args->stk_strp++ = 0;
1678
1679 args->nc = args->stk_strp - args->stk_base;
1680
1681 return (0);
1682 }
1683
1684 static int
1685 stk_copyout(uarg_t *args, char *usrstack, void **auxvpp, user_t *up)
1686 {
1687 size_t ptrsize = args->to_ptrsize;
1688 ssize_t pslen;
1689 char *kstrp = args->stk_base;
1690 char *ustrp = usrstack - args->nc - ptrsize;
1691 char *usp = usrstack - args->usrstack_size;
1692 int *offp = (int *)(args->stk_base + args->stk_size);
1693 int envc = args->ne;
1694 int argc = args->na - envc;
1695 int i;
1696
1697 /*
1698 * Record argc for /proc.
1699 */
1700 up->u_argc = argc;
1701
1702 /*
1703 * Put argc on the stack. Note that even though it's an int,
1704 * it always consumes ptrsize bytes (for alignment).
1705 */
1706 if (stk_putptr(args, usp, (char *)(uintptr_t)argc))
1707 return (-1);
1708
1709 /*
1710 * Add argc space (ptrsize) to usp and record argv for /proc.
1711 */
1712 up->u_argv = (uintptr_t)(usp += ptrsize);
1713
1714 /*
1715 * Put the argv[] pointers on the stack.
1716 */
1717 for (i = 0; i < argc; i++, usp += ptrsize)
1718 if (stk_putptr(args, usp, &ustrp[*--offp]))
1719 return (-1);
1720
1721 /*
1722 * Copy arguments to u_psargs.
1723 */
1724 pslen = MIN(args->arglen, PSARGSZ) - 1;
1725 for (i = 0; i < pslen; i++)
1726 up->u_psargs[i] = (kstrp[i] == '\0' ? ' ' : kstrp[i]);
1727 while (i < PSARGSZ)
1728 up->u_psargs[i++] = '\0';
1729
1730 /*
1731 * Add space for argv[]'s NULL terminator (ptrsize) to usp and
1732 * record envp for /proc.
1733 */
1734 up->u_envp = (uintptr_t)(usp += ptrsize);
1735
1736 /*
1737 * Put the envp[] pointers on the stack.
1738 */
1739 for (i = 0; i < envc; i++, usp += ptrsize)
1740 if (stk_putptr(args, usp, &ustrp[*--offp]))
1741 return (-1);
1742
1743 /*
1744 * Add space for envp[]'s NULL terminator (ptrsize) to usp and
1745 * remember where the stack ends, which is also where auxv begins.
1746 */
1747 args->stackend = usp += ptrsize;
1748
1749 /*
1750 * Put all the argv[], envp[], and auxv strings on the stack.
1751 */
1752 if (copyout(args->stk_base, ustrp, args->nc))
1753 return (-1);
1754
1755 /*
1756 * Fill in the aux vector now that we know the user stack addresses
1757 * for the AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME and
1758 * AT_SUN_EMULATOR strings.
1759 */
1760 if (auxvpp != NULL && *auxvpp != NULL) {
1761 if (args->to_model == DATAMODEL_NATIVE) {
1762 auxv_t **a = (auxv_t **)auxvpp;
1763 ADDAUX(*a, AT_SUN_PLATFORM, (long)&ustrp[*--offp])
1764 ADDAUX(*a, AT_SUN_EXECNAME, (long)&ustrp[*--offp])
1765 if (args->brandname != NULL)
1766 ADDAUX(*a,
1767 AT_SUN_BRANDNAME, (long)&ustrp[*--offp])
1768 if (args->emulator != NULL)
1769 ADDAUX(*a,
1770 AT_SUN_EMULATOR, (long)&ustrp[*--offp])
1771 } else {
1772 auxv32_t **a = (auxv32_t **)auxvpp;
1773 ADDAUX(*a,
1774 AT_SUN_PLATFORM, (int)(uintptr_t)&ustrp[*--offp])
1775 ADDAUX(*a,
1776 AT_SUN_EXECNAME, (int)(uintptr_t)&ustrp[*--offp])
1777 if (args->brandname != NULL)
1778 ADDAUX(*a, AT_SUN_BRANDNAME,
1779 (int)(uintptr_t)&ustrp[*--offp])
1780 if (args->emulator != NULL)
1781 ADDAUX(*a, AT_SUN_EMULATOR,
1782 (int)(uintptr_t)&ustrp[*--offp])
1783 }
1784 }
1785
1786 return (0);
1787 }
1788
1789 /*
1790 * Initialize a new user stack with the specified arguments and environment.
1791 * The initial user stack layout is as follows:
1792 *
1793 * User Stack
1794 * +---------------+ <--- curproc->p_usrstack
1795 * | |
1796 * | slew |
1797 * | |
1798 * +---------------+
1799 * | NULL |
1800 * +---------------+
1801 * | |
1802 * | auxv strings |
1803 * | |
1804 * +---------------+
1805 * | |
1806 * | envp strings |
1807 * | |
1808 * +---------------+
1809 * | |
1810 * | argv strings |
1811 * | |
1812 * +---------------+ <--- ustrp
1813 * | |
1814 * | aux vector |
1815 * | |
1816 * +---------------+ <--- auxv
1817 * | NULL |
1818 * +---------------+
1819 * | envp[envc-1] |
1820 * +---------------+
1821 * | ... |
1822 * +---------------+
1823 * | envp[0] |
1824 * +---------------+ <--- envp[]
1825 * | NULL |
1826 * +---------------+
1827 * | argv[argc-1] |
1828 * +---------------+
1829 * | ... |
1830 * +---------------+
1831 * | argv[0] |
1832 * +---------------+ <--- argv[]
1833 * | argc |
1834 * +---------------+ <--- stack base
1835 */
1836 int
1837 exec_args(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp)
1838 {
1839 size_t size;
1840 int error;
1841 proc_t *p = ttoproc(curthread);
1842 user_t *up = PTOU(p);
1843 char *usrstack;
1844 rctl_entity_p_t e;
1845 struct as *as;
1846 extern int use_stk_lpg;
1847 size_t sp_slew;
1848
1849 args->from_model = p->p_model;
1850 if (p->p_model == DATAMODEL_NATIVE) {
1851 args->from_ptrsize = sizeof (long);
1852 } else {
1853 args->from_ptrsize = sizeof (int32_t);
1854 }
1855
1856 if (args->to_model == DATAMODEL_NATIVE) {
1857 args->to_ptrsize = sizeof (long);
1858 args->ncargs = NCARGS;
1859 args->stk_align = STACK_ALIGN;
1860 if (args->addr32)
1861 usrstack = (char *)USRSTACK64_32;
1862 else
1863 usrstack = (char *)USRSTACK;
1864 } else {
1865 args->to_ptrsize = sizeof (int32_t);
1866 args->ncargs = NCARGS32;
1867 args->stk_align = STACK_ALIGN32;
1868 usrstack = (char *)USRSTACK32;
1869 }
1870
1871 ASSERT(P2PHASE((uintptr_t)usrstack, args->stk_align) == 0);
1872
1873 #if defined(__sparc)
1874 /*
1875 * Make sure user register windows are empty before
1876 * attempting to make a new stack.
1877 */
1878 (void) flush_user_windows_to_stack(NULL);
1879 #endif
1880
1881 for (size = PAGESIZE; ; size *= 2) {
1882 args->stk_size = size;
1883 args->stk_base = kmem_alloc(size, KM_SLEEP);
1884 args->stk_strp = args->stk_base;
1885 args->stk_offp = (int *)(args->stk_base + size);
1886 error = stk_copyin(uap, args, intp, auxvpp);
1887 if (error == 0)
1888 break;
1889 kmem_free(args->stk_base, size);
1890 if (error != E2BIG && error != ENAMETOOLONG)
1891 return (error);
1892 if (size >= args->ncargs)
1893 return (E2BIG);
1894 }
1895
1896 size = args->usrstack_size;
1897
1898 ASSERT(error == 0);
1899 ASSERT(P2PHASE(size, args->stk_align) == 0);
1900 ASSERT((ssize_t)STK_AVAIL(args) >= 0);
1901
1902 if (size > args->ncargs) {
1903 kmem_free(args->stk_base, args->stk_size);
1904 return (E2BIG);
1905 }
1906
1907 /*
1908 * Leave only the current lwp and force the other lwps to exit.
1909 * If another lwp beat us to the punch by calling exit(), bail out.
1910 */
1911 if ((error = exitlwps(0)) != 0) {
1912 kmem_free(args->stk_base, args->stk_size);
1913 return (error);
1914 }
1915
1916 /*
1917 * Revoke any doors created by the process.
1918 */
1919 if (p->p_door_list)
1920 door_exit();
1921
1922 /*
1923 * Release schedctl data structures.
1924 */
1925 if (p->p_pagep)
1926 schedctl_proc_cleanup();
1927
1928 /*
1929 * Clean up any DTrace helpers for the process.
1930 */
1931 if (p->p_dtrace_helpers != NULL) {
1932 ASSERT(dtrace_helpers_cleanup != NULL);
1933 (*dtrace_helpers_cleanup)();
1934 }
1935
1936 mutex_enter(&p->p_lock);
1937 /*
1938 * Cleanup the DTrace provider associated with this process.
1939 */
1940 if (p->p_dtrace_probes) {
1941 ASSERT(dtrace_fasttrap_exec_ptr != NULL);
1942 dtrace_fasttrap_exec_ptr(p);
1943 }
1944 mutex_exit(&p->p_lock);
1945
1946 /*
1947 * discard the lwpchan cache.
1948 */
1949 if (p->p_lcp != NULL)
1950 lwpchan_destroy_cache(1);
1951
1952 /*
1953 * Delete the POSIX timers.
1954 */
1955 if (p->p_itimer != NULL)
1956 timer_exit();
1957
1958 /*
1959 * Delete the ITIMER_REALPROF interval timer.
1960 * The other ITIMER_* interval timers are specified
1961 * to be inherited across exec().
1962 */
1963 delete_itimer_realprof();
1964
1965 if (AU_AUDITING())
1966 audit_exec(args->stk_base, args->stk_base + args->arglen,
1967 args->na - args->ne, args->ne, args->pfcred);
1968
1969 /*
1970 * Ensure that we don't change resource associations while we
1971 * change address spaces.
1972 */
1973 mutex_enter(&p->p_lock);
1974 pool_barrier_enter();
1975 mutex_exit(&p->p_lock);
1976
1977 /*
1978 * Destroy the old address space and create a new one.
1979 * From here on, any errors are fatal to the exec()ing process.
1980 * On error we return -1, which means the caller must SIGKILL
1981 * the process.
1982 */
1983 relvm();
1984
1985 mutex_enter(&p->p_lock);
1986 pool_barrier_exit();
1987 mutex_exit(&p->p_lock);
1988
1989 up->u_execsw = args->execswp;
1990
1991 p->p_brkbase = NULL;
1992 p->p_brksize = 0;
1993 p->p_brkpageszc = 0;
1994 p->p_stksize = 0;
1995 p->p_stkpageszc = 0;
1996 p->p_model = args->to_model;
1997 p->p_usrstack = usrstack;
1998 p->p_stkprot = args->stk_prot;
1999 p->p_datprot = args->dat_prot;
2000
2001 /*
2002 * Reset resource controls such that all controls are again active as
2003 * well as appropriate to the potentially new address model for the
2004 * process.
2005 */
2006 e.rcep_p.proc = p;
2007 e.rcep_t = RCENTITY_PROCESS;
2008 rctl_set_reset(p->p_rctls, p, &e);
2009
2010 /* Too early to call map_pgsz for the heap */
2011 if (use_stk_lpg) {
2012 p->p_stkpageszc = page_szc(map_pgsz(MAPPGSZ_STK, p, 0, 0, 0));
2013 }
2014
2015 mutex_enter(&p->p_lock);
2016 p->p_flag |= SAUTOLPG; /* kernel controls page sizes */
2017 mutex_exit(&p->p_lock);
2018
2019 /*
2020 * Some platforms may choose to randomize real stack start by adding a
2021 * small slew (not more than a few hundred bytes) to the top of the
2022 * stack. This helps avoid cache thrashing when identical processes
2023 * simultaneously share caches that don't provide enough associativity
2024 * (e.g. sun4v systems). In this case stack slewing makes the same hot
2025 * stack variables in different processes to live in different cache
2026 * sets increasing effective associativity.
2027 */
2028 sp_slew = exec_get_spslew();
2029 ASSERT(P2PHASE(sp_slew, args->stk_align) == 0);
2030 exec_set_sp(size + sp_slew);
2031
2032 as = as_alloc();
2033 p->p_as = as;
2034 as->a_proc = p;
2035 if (p->p_model == DATAMODEL_ILP32 || args->addr32)
2036 as->a_userlimit = (caddr_t)USERLIMIT32;
2037 (void) hat_setup(as->a_hat, HAT_ALLOC);
2038 hat_join_srd(as->a_hat, args->ex_vp);
2039
2040 /*
2041 * Finally, write out the contents of the new stack.
2042 */
2043 error = stk_copyout(args, usrstack - sp_slew, auxvpp, up);
2044 kmem_free(args->stk_base, args->stk_size);
2045 return (error);
2046 }