1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 1988, 2010, Oracle and/or its affiliates. All rights reserved.
24 */
25
26 /* Copyright (c) 1988 AT&T */
27 /* All Rights Reserved */
28 /*
29 * Copyright 2014, Joyent, Inc. All rights reserved.
30 */
31
32 #include <sys/types.h>
33 #include <sys/param.h>
34 #include <sys/sysmacros.h>
35 #include <sys/systm.h>
36 #include <sys/signal.h>
37 #include <sys/cred_impl.h>
38 #include <sys/policy.h>
39 #include <sys/user.h>
40 #include <sys/errno.h>
41 #include <sys/file.h>
42 #include <sys/vfs.h>
43 #include <sys/vnode.h>
44 #include <sys/mman.h>
45 #include <sys/acct.h>
46 #include <sys/cpuvar.h>
47 #include <sys/proc.h>
48 #include <sys/cmn_err.h>
49 #include <sys/debug.h>
50 #include <sys/pathname.h>
51 #include <sys/vm.h>
52 #include <sys/lgrp.h>
53 #include <sys/vtrace.h>
54 #include <sys/exec.h>
55 #include <sys/exechdr.h>
56 #include <sys/kmem.h>
57 #include <sys/prsystm.h>
58 #include <sys/modctl.h>
59 #include <sys/vmparam.h>
60 #include <sys/door.h>
61 #include <sys/schedctl.h>
62 #include <sys/utrap.h>
63 #include <sys/systeminfo.h>
64 #include <sys/stack.h>
65 #include <sys/rctl.h>
66 #include <sys/dtrace.h>
67 #include <sys/lwpchan_impl.h>
68 #include <sys/pool.h>
69 #include <sys/sdt.h>
70 #include <sys/brand.h>
71 #include <sys/klpd.h>
72 #include <sys/random.h>
73
74 #include <c2/audit.h>
75
76 #include <vm/hat.h>
77 #include <vm/anon.h>
78 #include <vm/as.h>
79 #include <vm/seg.h>
80 #include <vm/seg_vn.h>
81
82 #define PRIV_RESET 0x01 /* needs to reset privs */
83 #define PRIV_SETID 0x02 /* needs to change uids */
84 #define PRIV_SETUGID 0x04 /* is setuid/setgid/forced privs */
85 #define PRIV_INCREASE 0x08 /* child runs with more privs */
86 #define MAC_FLAGS 0x10 /* need to adjust MAC flags */
87 #define PRIV_FORCED 0x20 /* has forced privileges */
88
89 static int execsetid(struct vnode *, struct vattr *, uid_t *, uid_t *,
90 priv_set_t *, cred_t *, const char *);
91 static int hold_execsw(struct execsw *);
92
93 uint_t auxv_hwcap = 0; /* auxv AT_SUN_HWCAP value; determined on the fly */
94 uint_t auxv_hwcap_2 = 0; /* AT_SUN_HWCAP2 */
95 #if defined(_SYSCALL32_IMPL)
96 uint_t auxv_hwcap32 = 0; /* 32-bit version of auxv_hwcap */
97 uint_t auxv_hwcap32_2 = 0; /* 32-bit version of auxv_hwcap2 */
98 #endif
99
100 #define PSUIDFLAGS (SNOCD|SUGID)
101
102 /*
103 * These are consumed within the specific exec modules, but are defined here
104 * because
105 *
106 * 1) The exec modules are unloadable, which would make this near useless.
107 *
108 * 2) We want them to be common across all of them, should more than ELF come
109 * to support them.
110 *
111 * All must be powers of 2.
112 */
113 size_t aslr_max_brk_skew = 16 * 1024 * 1024; /* 16MB */
114 #pragma weak exec_stackgap = aslr_max_stack_skew /* Old, compatible name */
115 size_t aslr_max_stack_skew = 64 * 1024; /* 64KB */
116
117 /*
118 * exece() - system call wrapper around exec_common()
119 */
120 int
121 exece(const char *fname, const char **argp, const char **envp)
122 {
123 int error;
124
125 error = exec_common(fname, argp, envp, EBA_NONE);
126 return (error ? (set_errno(error)) : 0);
127 }
128
129 int
130 exec_common(const char *fname, const char **argp, const char **envp,
131 int brand_action)
132 {
133 vnode_t *vp = NULL, *dir = NULL, *tmpvp = NULL;
134 proc_t *p = ttoproc(curthread);
135 klwp_t *lwp = ttolwp(curthread);
136 struct user *up = PTOU(p);
137 long execsz; /* temporary count of exec size */
138 int i;
139 int error;
140 char exec_file[MAXCOMLEN+1];
141 struct pathname pn;
142 struct pathname resolvepn;
143 struct uarg args;
144 struct execa ua;
145 k_sigset_t savedmask;
146 lwpdir_t *lwpdir = NULL;
147 tidhash_t *tidhash;
148 lwpdir_t *old_lwpdir = NULL;
149 uint_t old_lwpdir_sz;
150 tidhash_t *old_tidhash;
151 uint_t old_tidhash_sz;
152 ret_tidhash_t *ret_tidhash;
153 lwpent_t *lep;
154 boolean_t brandme = B_FALSE;
155
156 /*
157 * exec() is not supported for the /proc agent lwp.
158 */
159 if (curthread == p->p_agenttp)
160 return (ENOTSUP);
161
162 if (brand_action != EBA_NONE) {
163 /*
164 * Brand actions are not supported for processes that are not
165 * running in a branded zone.
166 */
167 if (!ZONE_IS_BRANDED(p->p_zone))
168 return (ENOTSUP);
169
170 if (brand_action == EBA_NATIVE) {
171 /* Only branded processes can be unbranded */
172 if (!PROC_IS_BRANDED(p))
173 return (ENOTSUP);
174 } else {
175 /* Only unbranded processes can be branded */
176 if (PROC_IS_BRANDED(p))
177 return (ENOTSUP);
178 brandme = B_TRUE;
179 }
180 } else {
181 /*
182 * If this is a native zone, or if the process is already
183 * branded, then we don't need to do anything. If this is
184 * a native process in a branded zone, we need to brand the
185 * process as it exec()s the new binary.
186 */
187 if (ZONE_IS_BRANDED(p->p_zone) && !PROC_IS_BRANDED(p))
188 brandme = B_TRUE;
189 }
190
191 /*
192 * Inform /proc that an exec() has started.
193 * Hold signals that are ignored by default so that we will
194 * not be interrupted by a signal that will be ignored after
195 * successful completion of gexec().
196 */
197 mutex_enter(&p->p_lock);
198 prexecstart();
199 schedctl_finish_sigblock(curthread);
200 savedmask = curthread->t_hold;
201 sigorset(&curthread->t_hold, &ignoredefault);
202 mutex_exit(&p->p_lock);
203
204 /*
205 * Look up path name and remember last component for later.
206 * To help coreadm expand its %d token, we attempt to save
207 * the directory containing the executable in p_execdir. The
208 * first call to lookuppn() may fail and return EINVAL because
209 * dirvpp is non-NULL. In that case, we make a second call to
210 * lookuppn() with dirvpp set to NULL; p_execdir will be NULL,
211 * but coreadm is allowed to expand %d to the empty string and
212 * there are other cases in which that failure may occur.
213 */
214 if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0)
215 goto out;
216 pn_alloc(&resolvepn);
217 if ((error = lookuppn(&pn, &resolvepn, FOLLOW, &dir, &vp)) != 0) {
218 pn_free(&resolvepn);
219 pn_free(&pn);
220 if (error != EINVAL)
221 goto out;
222
223 dir = NULL;
224 if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0)
225 goto out;
226 pn_alloc(&resolvepn);
227 if ((error = lookuppn(&pn, &resolvepn, FOLLOW, NULLVPP,
228 &vp)) != 0) {
229 pn_free(&resolvepn);
230 pn_free(&pn);
231 goto out;
232 }
233 }
234 if (vp == NULL) {
235 if (dir != NULL)
236 VN_RELE(dir);
237 error = ENOENT;
238 pn_free(&resolvepn);
239 pn_free(&pn);
240 goto out;
241 }
242
243 if ((error = secpolicy_basic_exec(CRED(), vp)) != 0) {
244 if (dir != NULL)
245 VN_RELE(dir);
246 pn_free(&resolvepn);
247 pn_free(&pn);
248 VN_RELE(vp);
249 goto out;
250 }
251
252 /*
253 * We do not allow executing files in attribute directories.
254 * We test this by determining whether the resolved path
255 * contains a "/" when we're in an attribute directory;
256 * only if the pathname does not contain a "/" the resolved path
257 * points to a file in the current working (attribute) directory.
258 */
259 if ((p->p_user.u_cdir->v_flag & V_XATTRDIR) != 0 &&
260 strchr(resolvepn.pn_path, '/') == NULL) {
261 if (dir != NULL)
262 VN_RELE(dir);
263 error = EACCES;
264 pn_free(&resolvepn);
265 pn_free(&pn);
266 VN_RELE(vp);
267 goto out;
268 }
269
270 bzero(exec_file, MAXCOMLEN+1);
271 (void) strncpy(exec_file, pn.pn_path, MAXCOMLEN);
272 bzero(&args, sizeof (args));
273 args.pathname = resolvepn.pn_path;
274 /* don't free resolvepn until we are done with args */
275 pn_free(&pn);
276
277 /*
278 * If we're running in a profile shell, then call pfexecd.
279 */
280 if ((CR_FLAGS(p->p_cred) & PRIV_PFEXEC) != 0) {
281 error = pfexec_call(p->p_cred, &resolvepn, &args.pfcred,
282 &args.scrubenv);
283
284 /* Returning errno in case we're not allowed to execute. */
285 if (error > 0) {
286 if (dir != NULL)
287 VN_RELE(dir);
288 pn_free(&resolvepn);
289 VN_RELE(vp);
290 goto out;
291 }
292
293 /* Don't change the credentials when using old ptrace. */
294 if (args.pfcred != NULL &&
295 (p->p_proc_flag & P_PR_PTRACE) != 0) {
296 crfree(args.pfcred);
297 args.pfcred = NULL;
298 args.scrubenv = B_FALSE;
299 }
300 }
301
302 /*
303 * Specific exec handlers, or policies determined via
304 * /etc/system may override the historical default.
305 */
306 args.stk_prot = PROT_ZFOD;
307 args.dat_prot = PROT_ZFOD;
308
309 CPU_STATS_ADD_K(sys, sysexec, 1);
310 DTRACE_PROC1(exec, char *, args.pathname);
311
312 ua.fname = fname;
313 ua.argp = argp;
314 ua.envp = envp;
315
316 /* If necessary, brand this process before we start the exec. */
317 if (brandme)
318 brand_setbrand(p);
319
320 if ((error = gexec(&vp, &ua, &args, NULL, 0, &execsz,
321 exec_file, p->p_cred, brand_action)) != 0) {
322 if (brandme)
323 brand_clearbrand(p, B_FALSE);
324 VN_RELE(vp);
325 if (dir != NULL)
326 VN_RELE(dir);
327 pn_free(&resolvepn);
328 goto fail;
329 }
330
331 /*
332 * Free floating point registers (sun4u only)
333 */
334 ASSERT(lwp != NULL);
335 lwp_freeregs(lwp, 1);
336
337 /*
338 * Free thread and process context ops.
339 */
340 if (curthread->t_ctx)
341 freectx(curthread, 1);
342 if (p->p_pctx)
343 freepctx(p, 1);
344
345 /*
346 * Remember file name for accounting; clear any cached DTrace predicate.
347 */
348 up->u_acflag &= ~AFORK;
349 bcopy(exec_file, up->u_comm, MAXCOMLEN+1);
350 curthread->t_predcache = NULL;
351
352 /*
353 * Clear contract template state
354 */
355 lwp_ctmpl_clear(lwp);
356
357 /*
358 * Save the directory in which we found the executable for expanding
359 * the %d token used in core file patterns.
360 */
361 mutex_enter(&p->p_lock);
362 tmpvp = p->p_execdir;
363 p->p_execdir = dir;
364 if (p->p_execdir != NULL)
365 VN_HOLD(p->p_execdir);
366 mutex_exit(&p->p_lock);
367
368 if (tmpvp != NULL)
369 VN_RELE(tmpvp);
370
371 /*
372 * Reset stack state to the user stack, clear set of signals
373 * caught on the signal stack, and reset list of signals that
374 * restart system calls; the new program's environment should
375 * not be affected by detritus from the old program. Any
376 * pending held signals remain held, so don't clear t_hold.
377 */
378 mutex_enter(&p->p_lock);
379 lwp->lwp_oldcontext = 0;
380 lwp->lwp_ustack = 0;
381 lwp->lwp_old_stk_ctl = 0;
382 sigemptyset(&up->u_signodefer);
383 sigemptyset(&up->u_sigonstack);
384 sigemptyset(&up->u_sigresethand);
385 lwp->lwp_sigaltstack.ss_sp = 0;
386 lwp->lwp_sigaltstack.ss_size = 0;
387 lwp->lwp_sigaltstack.ss_flags = SS_DISABLE;
388
389 /*
390 * Make saved resource limit == current resource limit.
391 */
392 for (i = 0; i < RLIM_NLIMITS; i++) {
393 /*CONSTCOND*/
394 if (RLIM_SAVED(i)) {
395 (void) rctl_rlimit_get(rctlproc_legacy[i], p,
396 &up->u_saved_rlimit[i]);
397 }
398 }
399
400 /*
401 * If the action was to catch the signal, then the action
402 * must be reset to SIG_DFL.
403 */
404 sigdefault(p);
405 p->p_flag &= ~(SNOWAIT|SJCTL);
406 p->p_flag |= (SEXECED|SMSACCT|SMSFORK);
407 up->u_signal[SIGCLD - 1] = SIG_DFL;
408
409 /*
410 * Delete the dot4 sigqueues/signotifies.
411 */
412 sigqfree(p);
413
414 mutex_exit(&p->p_lock);
415
416 mutex_enter(&p->p_pflock);
417 p->p_prof.pr_base = NULL;
418 p->p_prof.pr_size = 0;
419 p->p_prof.pr_off = 0;
420 p->p_prof.pr_scale = 0;
421 p->p_prof.pr_samples = 0;
422 mutex_exit(&p->p_pflock);
423
424 ASSERT(curthread->t_schedctl == NULL);
425
426 #if defined(__sparc)
427 if (p->p_utraps != NULL)
428 utrap_free(p);
429 #endif /* __sparc */
430
431 /*
432 * Close all close-on-exec files.
433 */
434 close_exec(P_FINFO(p));
435 TRACE_2(TR_FAC_PROC, TR_PROC_EXEC, "proc_exec:p %p up %p", p, up);
436
437 /* Unbrand ourself if necessary. */
438 if (PROC_IS_BRANDED(p) && (brand_action == EBA_NATIVE))
439 brand_clearbrand(p, B_FALSE);
440
441 setregs(&args);
442
443 /* Mark this as an executable vnode */
444 mutex_enter(&vp->v_lock);
445 vp->v_flag |= VVMEXEC;
446 mutex_exit(&vp->v_lock);
447
448 VN_RELE(vp);
449 if (dir != NULL)
450 VN_RELE(dir);
451 pn_free(&resolvepn);
452
453 /*
454 * Allocate a new lwp directory and lwpid hash table if necessary.
455 */
456 if (curthread->t_tid != 1 || p->p_lwpdir_sz != 2) {
457 lwpdir = kmem_zalloc(2 * sizeof (lwpdir_t), KM_SLEEP);
458 lwpdir->ld_next = lwpdir + 1;
459 tidhash = kmem_zalloc(2 * sizeof (tidhash_t), KM_SLEEP);
460 if (p->p_lwpdir != NULL)
461 lep = p->p_lwpdir[curthread->t_dslot].ld_entry;
462 else
463 lep = kmem_zalloc(sizeof (*lep), KM_SLEEP);
464 }
465
466 if (PROC_IS_BRANDED(p))
467 BROP(p)->b_exec();
468
469 mutex_enter(&p->p_lock);
470 prbarrier(p);
471
472 /*
473 * Reset lwp id to the default value of 1.
474 * This is a single-threaded process now
475 * and lwp #1 is lwp_wait()able by default.
476 * The t_unpark flag should not be inherited.
477 */
478 ASSERT(p->p_lwpcnt == 1 && p->p_zombcnt == 0);
479 curthread->t_tid = 1;
480 kpreempt_disable();
481 ASSERT(curthread->t_lpl != NULL);
482 p->p_t1_lgrpid = curthread->t_lpl->lpl_lgrpid;
483 kpreempt_enable();
484 if (p->p_tr_lgrpid != LGRP_NONE && p->p_tr_lgrpid != p->p_t1_lgrpid) {
485 lgrp_update_trthr_migrations(1);
486 }
487 curthread->t_unpark = 0;
488 curthread->t_proc_flag |= TP_TWAIT;
489 curthread->t_proc_flag &= ~TP_DAEMON; /* daemons shouldn't exec */
490 p->p_lwpdaemon = 0; /* but oh well ... */
491 p->p_lwpid = 1;
492
493 /*
494 * Install the newly-allocated lwp directory and lwpid hash table
495 * and insert the current thread into the new hash table.
496 */
497 if (lwpdir != NULL) {
498 old_lwpdir = p->p_lwpdir;
499 old_lwpdir_sz = p->p_lwpdir_sz;
500 old_tidhash = p->p_tidhash;
501 old_tidhash_sz = p->p_tidhash_sz;
502 p->p_lwpdir = p->p_lwpfree = lwpdir;
503 p->p_lwpdir_sz = 2;
504 lep->le_thread = curthread;
505 lep->le_lwpid = curthread->t_tid;
506 lep->le_start = curthread->t_start;
507 lwp_hash_in(p, lep, tidhash, 2, 0);
508 p->p_tidhash = tidhash;
509 p->p_tidhash_sz = 2;
510 }
511 ret_tidhash = p->p_ret_tidhash;
512 p->p_ret_tidhash = NULL;
513
514 /*
515 * Restore the saved signal mask and
516 * inform /proc that the exec() has finished.
517 */
518 curthread->t_hold = savedmask;
519 prexecend();
520 mutex_exit(&p->p_lock);
521 if (old_lwpdir) {
522 kmem_free(old_lwpdir, old_lwpdir_sz * sizeof (lwpdir_t));
523 kmem_free(old_tidhash, old_tidhash_sz * sizeof (tidhash_t));
524 }
525 while (ret_tidhash != NULL) {
526 ret_tidhash_t *next = ret_tidhash->rth_next;
527 kmem_free(ret_tidhash->rth_tidhash,
528 ret_tidhash->rth_tidhash_sz * sizeof (tidhash_t));
529 kmem_free(ret_tidhash, sizeof (*ret_tidhash));
530 ret_tidhash = next;
531 }
532
533 ASSERT(error == 0);
534 DTRACE_PROC(exec__success);
535 return (0);
536
537 fail:
538 DTRACE_PROC1(exec__failure, int, error);
539 out: /* error return */
540 mutex_enter(&p->p_lock);
541 curthread->t_hold = savedmask;
542 prexecend();
543 mutex_exit(&p->p_lock);
544 ASSERT(error != 0);
545 return (error);
546 }
547
548
549 /*
550 * Perform generic exec duties and switchout to object-file specific
551 * handler.
552 */
553 int
554 gexec(
555 struct vnode **vpp,
556 struct execa *uap,
557 struct uarg *args,
558 struct intpdata *idatap,
559 int level,
560 long *execsz,
561 caddr_t exec_file,
562 struct cred *cred,
563 int brand_action)
564 {
565 struct vnode *vp, *execvp = NULL;
566 proc_t *pp = ttoproc(curthread);
567 struct execsw *eswp;
568 int error = 0;
569 int suidflags = 0;
570 ssize_t resid;
571 uid_t uid, gid;
572 struct vattr vattr;
573 char magbuf[MAGIC_BYTES];
574 int setid;
575 cred_t *oldcred, *newcred = NULL;
576 int privflags = 0;
577 int setidfl;
578 priv_set_t fset;
579 secflagset_t old_secflags;
580
581 secflags_copy(&old_secflags, &pp->p_secflags.psf_effective);
582
583 /*
584 * If the SNOCD or SUGID flag is set, turn it off and remember the
585 * previous setting so we can restore it if we encounter an error.
586 */
587 if (level == 0 && (pp->p_flag & PSUIDFLAGS)) {
588 mutex_enter(&pp->p_lock);
589 suidflags = pp->p_flag & PSUIDFLAGS;
590 pp->p_flag &= ~PSUIDFLAGS;
591 mutex_exit(&pp->p_lock);
592 }
593
594 if ((error = execpermissions(*vpp, &vattr, args)) != 0)
595 goto bad_noclose;
596
597 /* need to open vnode for stateful file systems */
598 if ((error = VOP_OPEN(vpp, FREAD, CRED(), NULL)) != 0)
599 goto bad_noclose;
600 vp = *vpp;
601
602 /*
603 * Note: to support binary compatibility with SunOS a.out
604 * executables, we read in the first four bytes, as the
605 * magic number is in bytes 2-3.
606 */
607 if (error = vn_rdwr(UIO_READ, vp, magbuf, sizeof (magbuf),
608 (offset_t)0, UIO_SYSSPACE, 0, (rlim64_t)0, CRED(), &resid))
609 goto bad;
610 if (resid != 0)
611 goto bad;
612
613 if ((eswp = findexec_by_hdr(magbuf)) == NULL)
614 goto bad;
615
616 if (level == 0 &&
617 (privflags = execsetid(vp, &vattr, &uid, &gid, &fset,
618 args->pfcred == NULL ? cred : args->pfcred, args->pathname)) != 0) {
619
620 /* Pfcred is a credential with a ref count of 1 */
621
622 if (args->pfcred != NULL) {
623 privflags |= PRIV_INCREASE|PRIV_RESET;
624 newcred = cred = args->pfcred;
625 } else {
626 newcred = cred = crdup(cred);
627 }
628
629 /* If we can, drop the PA bit */
630 if ((privflags & PRIV_RESET) != 0)
631 priv_adjust_PA(cred);
632
633 if (privflags & PRIV_SETID) {
634 cred->cr_uid = uid;
635 cred->cr_gid = gid;
636 cred->cr_suid = uid;
637 cred->cr_sgid = gid;
638 }
639
640 if (privflags & MAC_FLAGS) {
641 if (!(CR_FLAGS(cred) & NET_MAC_AWARE_INHERIT))
642 CR_FLAGS(cred) &= ~NET_MAC_AWARE;
643 CR_FLAGS(cred) &= ~NET_MAC_AWARE_INHERIT;
644 }
645
646 /*
647 * Implement the privilege updates:
648 *
649 * Restrict with L:
650 *
651 * I' = I & L
652 *
653 * E' = P' = (I' + F) & A
654 *
655 * But if running under ptrace, we cap I and F with P.
656 */
657 if ((privflags & (PRIV_RESET|PRIV_FORCED)) != 0) {
658 if ((privflags & PRIV_INCREASE) != 0 &&
659 (pp->p_proc_flag & P_PR_PTRACE) != 0) {
660 priv_intersect(&CR_OPPRIV(cred),
661 &CR_IPRIV(cred));
662 priv_intersect(&CR_OPPRIV(cred), &fset);
663 }
664 priv_intersect(&CR_LPRIV(cred), &CR_IPRIV(cred));
665 CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred);
666 if (privflags & PRIV_FORCED) {
667 priv_set_PA(cred);
668 priv_union(&fset, &CR_EPRIV(cred));
669 priv_union(&fset, &CR_PPRIV(cred));
670 }
671 priv_adjust_PA(cred);
672 }
673 } else if (level == 0 && args->pfcred != NULL) {
674 newcred = cred = args->pfcred;
675 privflags |= PRIV_INCREASE;
676 /* pfcred is not forced to adhere to these settings */
677 priv_intersect(&CR_LPRIV(cred), &CR_IPRIV(cred));
678 CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred);
679 priv_adjust_PA(cred);
680 }
681
682 /* The new image gets the inheritable secflags as its secflags */
683 secflags_promote(pp);
684
685 /* SunOS 4.x buy-back */
686 if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) &&
687 (vattr.va_mode & (VSUID|VSGID))) {
688 char path[MAXNAMELEN];
689 refstr_t *mntpt = NULL;
690 int ret = -1;
691
692 bzero(path, sizeof (path));
693 zone_hold(pp->p_zone);
694
695 ret = vnodetopath(pp->p_zone->zone_rootvp, vp, path,
696 sizeof (path), cred);
697
698 /* fallback to mountpoint if a path can't be found */
699 if ((ret != 0) || (ret == 0 && path[0] == '\0'))
700 mntpt = vfs_getmntpoint(vp->v_vfsp);
701
702 if (mntpt == NULL)
703 zcmn_err(pp->p_zone->zone_id, CE_NOTE,
704 "!uid %d: setuid execution not allowed, "
705 "file=%s", cred->cr_uid, path);
706 else
707 zcmn_err(pp->p_zone->zone_id, CE_NOTE,
708 "!uid %d: setuid execution not allowed, "
709 "fs=%s, file=%s", cred->cr_uid,
710 ZONE_PATH_TRANSLATE(refstr_value(mntpt),
711 pp->p_zone), exec_file);
712
713 if (!INGLOBALZONE(pp)) {
714 /* zone_rootpath always has trailing / */
715 if (mntpt == NULL)
716 cmn_err(CE_NOTE, "!zone: %s, uid: %d "
717 "setuid execution not allowed, file=%s%s",
718 pp->p_zone->zone_name, cred->cr_uid,
719 pp->p_zone->zone_rootpath, path + 1);
720 else
721 cmn_err(CE_NOTE, "!zone: %s, uid: %d "
722 "setuid execution not allowed, fs=%s, "
723 "file=%s", pp->p_zone->zone_name,
724 cred->cr_uid, refstr_value(mntpt),
725 exec_file);
726 }
727
728 if (mntpt != NULL)
729 refstr_rele(mntpt);
730
731 zone_rele(pp->p_zone);
732 }
733
734 /*
735 * execsetid() told us whether or not we had to change the
736 * credentials of the process. In privflags, it told us
737 * whether we gained any privileges or executed a set-uid executable.
738 */
739 setid = (privflags & (PRIV_SETUGID|PRIV_INCREASE|PRIV_FORCED));
740
741 /*
742 * Use /etc/system variable to determine if the stack
743 * should be marked as executable by default.
744 */
745 if ((noexec_user_stack != 0) ||
746 secflag_enabled(pp, PROC_SEC_NOEXECSTACK))
747 args->stk_prot &= ~PROT_EXEC;
748
749 args->execswp = eswp; /* Save execsw pointer in uarg for exec_func */
750 args->ex_vp = vp;
751
752 /*
753 * Traditionally, the setid flags told the sub processes whether
754 * the file just executed was set-uid or set-gid; this caused
755 * some confusion as the 'setid' flag did not match the SUGID
756 * process flag which is only set when the uids/gids do not match.
757 * A script set-gid/set-uid to the real uid/gid would start with
758 * /dev/fd/X but an executable would happily trust LD_LIBRARY_PATH.
759 * Now we flag those cases where the calling process cannot
760 * be trusted to influence the newly exec'ed process, either
761 * because it runs with more privileges or when the uids/gids
762 * do in fact not match.
763 * This also makes the runtime linker agree with the on exec
764 * values of SNOCD and SUGID.
765 */
766 setidfl = 0;
767 if (cred->cr_uid != cred->cr_ruid || (cred->cr_rgid != cred->cr_gid &&
768 !supgroupmember(cred->cr_gid, cred))) {
769 setidfl |= EXECSETID_UGIDS;
770 }
771 if (setid & PRIV_SETUGID)
772 setidfl |= EXECSETID_SETID;
773 if (setid & PRIV_FORCED)
774 setidfl |= EXECSETID_PRIVS;
775
776 execvp = pp->p_exec;
777 if (execvp)
778 VN_HOLD(execvp);
779
780 error = (*eswp->exec_func)(vp, uap, args, idatap, level, execsz,
781 setidfl, exec_file, cred, brand_action);
782 rw_exit(eswp->exec_lock);
783 if (error != 0) {
784 if (execvp)
785 VN_RELE(execvp);
786 /*
787 * If this process's p_exec has been set to the vp of
788 * the executable by exec_func, we will return without
789 * calling VOP_CLOSE because proc_exit will close it
790 * on exit.
791 */
792 if (pp->p_exec == vp)
793 goto bad_noclose;
794 else
795 goto bad;
796 }
797
798 if (level == 0) {
799 uid_t oruid;
800
801 if (execvp != NULL) {
802 /*
803 * Close the previous executable only if we are
804 * at level 0.
805 */
806 (void) VOP_CLOSE(execvp, FREAD, 1, (offset_t)0,
807 cred, NULL);
808 }
809
810 mutex_enter(&pp->p_crlock);
811
812 oruid = pp->p_cred->cr_ruid;
813
814 if (newcred != NULL) {
815 /*
816 * Free the old credentials, and set the new ones.
817 * Do this for both the process and the (single) thread.
818 */
819 crfree(pp->p_cred);
820 pp->p_cred = cred; /* cred already held for proc */
821 crhold(cred); /* hold new cred for thread */
822 /*
823 * DTrace accesses t_cred in probe context. t_cred
824 * must always be either NULL, or point to a valid,
825 * allocated cred structure.
826 */
827 oldcred = curthread->t_cred;
828 curthread->t_cred = cred;
829 crfree(oldcred);
830
831 if (priv_basic_test >= 0 &&
832 !PRIV_ISMEMBER(&CR_IPRIV(newcred),
833 priv_basic_test)) {
834 pid_t pid = pp->p_pid;
835 char *fn = PTOU(pp)->u_comm;
836
837 cmn_err(CE_WARN, "%s[%d]: exec: basic_test "
838 "privilege removed from E/I", fn, pid);
839 }
840 }
841 /*
842 * On emerging from a successful exec(), the saved
843 * uid and gid equal the effective uid and gid.
844 */
845 cred->cr_suid = cred->cr_uid;
846 cred->cr_sgid = cred->cr_gid;
847
848 /*
849 * If the real and effective ids do not match, this
850 * is a setuid process that should not dump core.
851 * The group comparison is tricky; we prevent the code
852 * from flagging SNOCD when executing with an effective gid
853 * which is a supplementary group.
854 */
855 if (cred->cr_ruid != cred->cr_uid ||
856 (cred->cr_rgid != cred->cr_gid &&
857 !supgroupmember(cred->cr_gid, cred)) ||
858 (privflags & PRIV_INCREASE) != 0)
859 suidflags = PSUIDFLAGS;
860 else
861 suidflags = 0;
862
863 mutex_exit(&pp->p_crlock);
864 if (newcred != NULL && oruid != newcred->cr_ruid) {
865 /* Note that the process remains in the same zone. */
866 mutex_enter(&pidlock);
867 upcount_dec(oruid, crgetzoneid(newcred));
868 upcount_inc(newcred->cr_ruid, crgetzoneid(newcred));
869 mutex_exit(&pidlock);
870 }
871 if (suidflags) {
872 mutex_enter(&pp->p_lock);
873 pp->p_flag |= suidflags;
874 mutex_exit(&pp->p_lock);
875 }
876 if (setid && (pp->p_proc_flag & P_PR_PTRACE) == 0) {
877 /*
878 * If process is traced via /proc, arrange to
879 * invalidate the associated /proc vnode.
880 */
881 if (pp->p_plist || (pp->p_proc_flag & P_PR_TRACE))
882 args->traceinval = 1;
883 }
884 if (pp->p_proc_flag & P_PR_PTRACE)
885 psignal(pp, SIGTRAP);
886 if (args->traceinval)
887 prinvalidate(&pp->p_user);
888 }
889 if (execvp)
890 VN_RELE(execvp);
891 return (0);
892
893 bad:
894 (void) VOP_CLOSE(vp, FREAD, 1, (offset_t)0, cred, NULL);
895
896 bad_noclose:
897 if (newcred != NULL)
898 crfree(newcred);
899 if (error == 0)
900 error = ENOEXEC;
901
902 mutex_enter(&pp->p_lock);
903 if (suidflags) {
904 pp->p_flag |= suidflags;
905 }
906 /*
907 * Restore the effective secflags, to maintain the invariant they
908 * never change for a given process
909 */
910 secflags_copy(&pp->p_secflags.psf_effective, &old_secflags);
911 mutex_exit(&pp->p_lock);
912
913 return (error);
914 }
915
916 extern char *execswnames[];
917
918 struct execsw *
919 allocate_execsw(char *name, char *magic, size_t magic_size)
920 {
921 int i, j;
922 char *ename;
923 char *magicp;
924
925 mutex_enter(&execsw_lock);
926 for (i = 0; i < nexectype; i++) {
927 if (execswnames[i] == NULL) {
928 ename = kmem_alloc(strlen(name) + 1, KM_SLEEP);
929 (void) strcpy(ename, name);
930 execswnames[i] = ename;
931 /*
932 * Set the magic number last so that we
933 * don't need to hold the execsw_lock in
934 * findexectype().
935 */
936 magicp = kmem_alloc(magic_size, KM_SLEEP);
937 for (j = 0; j < magic_size; j++)
938 magicp[j] = magic[j];
939 execsw[i].exec_magic = magicp;
940 mutex_exit(&execsw_lock);
941 return (&execsw[i]);
942 }
943 }
944 mutex_exit(&execsw_lock);
945 return (NULL);
946 }
947
948 /*
949 * Find the exec switch table entry with the corresponding magic string.
950 */
951 struct execsw *
952 findexecsw(char *magic)
953 {
954 struct execsw *eswp;
955
956 for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
957 ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
958 if (magic && eswp->exec_maglen != 0 &&
959 bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0)
960 return (eswp);
961 }
962 return (NULL);
963 }
964
965 /*
966 * Find the execsw[] index for the given exec header string by looking for the
967 * magic string at a specified offset and length for each kind of executable
968 * file format until one matches. If no execsw[] entry is found, try to
969 * autoload a module for this magic string.
970 */
971 struct execsw *
972 findexec_by_hdr(char *header)
973 {
974 struct execsw *eswp;
975
976 for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
977 ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
978 if (header && eswp->exec_maglen != 0 &&
979 bcmp(&header[eswp->exec_magoff], eswp->exec_magic,
980 eswp->exec_maglen) == 0) {
981 if (hold_execsw(eswp) != 0)
982 return (NULL);
983 return (eswp);
984 }
985 }
986 return (NULL); /* couldn't find the type */
987 }
988
989 /*
990 * Find the execsw[] index for the given magic string. If no execsw[] entry
991 * is found, try to autoload a module for this magic string.
992 */
993 struct execsw *
994 findexec_by_magic(char *magic)
995 {
996 struct execsw *eswp;
997
998 for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
999 ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
1000 if (magic && eswp->exec_maglen != 0 &&
1001 bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0) {
1002 if (hold_execsw(eswp) != 0)
1003 return (NULL);
1004 return (eswp);
1005 }
1006 }
1007 return (NULL); /* couldn't find the type */
1008 }
1009
1010 static int
1011 hold_execsw(struct execsw *eswp)
1012 {
1013 char *name;
1014
1015 rw_enter(eswp->exec_lock, RW_READER);
1016 while (!LOADED_EXEC(eswp)) {
1017 rw_exit(eswp->exec_lock);
1018 name = execswnames[eswp-execsw];
1019 ASSERT(name);
1020 if (modload("exec", name) == -1)
1021 return (-1);
1022 rw_enter(eswp->exec_lock, RW_READER);
1023 }
1024 return (0);
1025 }
1026
1027 static int
1028 execsetid(struct vnode *vp, struct vattr *vattrp, uid_t *uidp, uid_t *gidp,
1029 priv_set_t *fset, cred_t *cr, const char *pathname)
1030 {
1031 proc_t *pp = ttoproc(curthread);
1032 uid_t uid, gid;
1033 int privflags = 0;
1034
1035 /*
1036 * Remember credentials.
1037 */
1038 uid = cr->cr_uid;
1039 gid = cr->cr_gid;
1040
1041 /* Will try to reset the PRIV_AWARE bit later. */
1042 if ((CR_FLAGS(cr) & (PRIV_AWARE|PRIV_AWARE_INHERIT)) == PRIV_AWARE)
1043 privflags |= PRIV_RESET;
1044
1045 if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) == 0) {
1046 /*
1047 * If it's a set-uid root program we perform the
1048 * forced privilege look-aside. This has three possible
1049 * outcomes:
1050 * no look aside information -> treat as before
1051 * look aside in Limit set -> apply forced privs
1052 * look aside not in Limit set -> ignore set-uid root
1053 *
1054 * Ordinary set-uid root execution only allowed if the limit
1055 * set holds all unsafe privileges.
1056 */
1057 if (vattrp->va_mode & VSUID) {
1058 if (vattrp->va_uid == 0) {
1059 int res = get_forced_privs(cr, pathname, fset);
1060
1061 switch (res) {
1062 case -1:
1063 if (priv_issubset(&priv_unsafe,
1064 &CR_LPRIV(cr))) {
1065 uid = vattrp->va_uid;
1066 privflags |= PRIV_SETUGID;
1067 }
1068 break;
1069 case 0:
1070 privflags |= PRIV_FORCED|PRIV_INCREASE;
1071 break;
1072 default:
1073 break;
1074 }
1075 } else {
1076 uid = vattrp->va_uid;
1077 privflags |= PRIV_SETUGID;
1078 }
1079 }
1080 if (vattrp->va_mode & VSGID) {
1081 gid = vattrp->va_gid;
1082 privflags |= PRIV_SETUGID;
1083 }
1084 }
1085
1086 /*
1087 * Do we need to change our credential anyway?
1088 * This is the case when E != I or P != I, as
1089 * we need to do the assignments (with F empty and A full)
1090 * Or when I is not a subset of L; in that case we need to
1091 * enforce L.
1092 *
1093 * I' = L & I
1094 *
1095 * E' = P' = (I' + F) & A
1096 * or
1097 * E' = P' = I'
1098 */
1099 if (!priv_isequalset(&CR_EPRIV(cr), &CR_IPRIV(cr)) ||
1100 !priv_issubset(&CR_IPRIV(cr), &CR_LPRIV(cr)) ||
1101 !priv_isequalset(&CR_PPRIV(cr), &CR_IPRIV(cr)))
1102 privflags |= PRIV_RESET;
1103
1104 /* Child has more privileges than parent */
1105 if (!priv_issubset(&CR_IPRIV(cr), &CR_PPRIV(cr)))
1106 privflags |= PRIV_INCREASE;
1107
1108 /* If MAC-aware flag(s) are on, need to update cred to remove. */
1109 if ((CR_FLAGS(cr) & NET_MAC_AWARE) ||
1110 (CR_FLAGS(cr) & NET_MAC_AWARE_INHERIT))
1111 privflags |= MAC_FLAGS;
1112 /*
1113 * Set setuid/setgid protections if no ptrace() compatibility.
1114 * For privileged processes, honor setuid/setgid even in
1115 * the presence of ptrace() compatibility.
1116 */
1117 if (((pp->p_proc_flag & P_PR_PTRACE) == 0 ||
1118 PRIV_POLICY_ONLY(cr, PRIV_PROC_OWNER, (uid == 0))) &&
1119 (cr->cr_uid != uid ||
1120 cr->cr_gid != gid ||
1121 cr->cr_suid != uid ||
1122 cr->cr_sgid != gid)) {
1123 *uidp = uid;
1124 *gidp = gid;
1125 privflags |= PRIV_SETID;
1126 }
1127 return (privflags);
1128 }
1129
1130 int
1131 execpermissions(struct vnode *vp, struct vattr *vattrp, struct uarg *args)
1132 {
1133 int error;
1134 proc_t *p = ttoproc(curthread);
1135
1136 vattrp->va_mask = AT_MODE | AT_UID | AT_GID | AT_SIZE;
1137 if (error = VOP_GETATTR(vp, vattrp, ATTR_EXEC, p->p_cred, NULL))
1138 return (error);
1139 /*
1140 * Check the access mode.
1141 * If VPROC, ask /proc if the file is an object file.
1142 */
1143 if ((error = VOP_ACCESS(vp, VEXEC, 0, p->p_cred, NULL)) != 0 ||
1144 !(vp->v_type == VREG || (vp->v_type == VPROC && pr_isobject(vp))) ||
1145 (vp->v_vfsp->vfs_flag & VFS_NOEXEC) != 0 ||
1146 (vattrp->va_mode & (VEXEC|(VEXEC>>3)|(VEXEC>>6))) == 0) {
1147 if (error == 0)
1148 error = EACCES;
1149 return (error);
1150 }
1151
1152 if ((p->p_plist || (p->p_proc_flag & (P_PR_PTRACE|P_PR_TRACE))) &&
1153 (error = VOP_ACCESS(vp, VREAD, 0, p->p_cred, NULL))) {
1154 /*
1155 * If process is under ptrace(2) compatibility,
1156 * fail the exec(2).
1157 */
1158 if (p->p_proc_flag & P_PR_PTRACE)
1159 goto bad;
1160 /*
1161 * Process is traced via /proc.
1162 * Arrange to invalidate the /proc vnode.
1163 */
1164 args->traceinval = 1;
1165 }
1166 return (0);
1167 bad:
1168 if (error == 0)
1169 error = ENOEXEC;
1170 return (error);
1171 }
1172
1173 /*
1174 * Map a section of an executable file into the user's
1175 * address space.
1176 */
1177 int
1178 execmap(struct vnode *vp, caddr_t addr, size_t len, size_t zfodlen,
1179 off_t offset, int prot, int page, uint_t szc)
1180 {
1181 int error = 0;
1182 off_t oldoffset;
1183 caddr_t zfodbase, oldaddr;
1184 size_t end, oldlen;
1185 size_t zfoddiff;
1186 label_t ljb;
1187 proc_t *p = ttoproc(curthread);
1188
1189 oldaddr = addr;
1190 addr = (caddr_t)((uintptr_t)addr & (uintptr_t)PAGEMASK);
1191 if (len) {
1192 oldlen = len;
1193 len += ((size_t)oldaddr - (size_t)addr);
1194 oldoffset = offset;
1195 offset = (off_t)((uintptr_t)offset & PAGEMASK);
1196 if (page) {
1197 spgcnt_t prefltmem, availm, npages;
1198 int preread;
1199 uint_t mflag = MAP_PRIVATE | MAP_FIXED;
1200
1201 if ((prot & (PROT_WRITE | PROT_EXEC)) == PROT_EXEC) {
1202 mflag |= MAP_TEXT;
1203 } else {
1204 mflag |= MAP_INITDATA;
1205 }
1206
1207 if (valid_usr_range(addr, len, prot, p->p_as,
1208 p->p_as->a_userlimit) != RANGE_OKAY) {
1209 error = ENOMEM;
1210 goto bad;
1211 }
1212 if (error = VOP_MAP(vp, (offset_t)offset,
1213 p->p_as, &addr, len, prot, PROT_ALL,
1214 mflag, CRED(), NULL))
1215 goto bad;
1216
1217 /*
1218 * If the segment can fit, then we prefault
1219 * the entire segment in. This is based on the
1220 * model that says the best working set of a
1221 * small program is all of its pages.
1222 */
1223 npages = (spgcnt_t)btopr(len);
1224 prefltmem = freemem - desfree;
1225 preread =
1226 (npages < prefltmem && len < PGTHRESH) ? 1 : 0;
1227
1228 /*
1229 * If we aren't prefaulting the segment,
1230 * increment "deficit", if necessary to ensure
1231 * that pages will become available when this
1232 * process starts executing.
1233 */
1234 availm = freemem - lotsfree;
1235 if (preread == 0 && npages > availm &&
1236 deficit < lotsfree) {
1237 deficit += MIN((pgcnt_t)(npages - availm),
1238 lotsfree - deficit);
1239 }
1240
1241 if (preread) {
1242 TRACE_2(TR_FAC_PROC, TR_EXECMAP_PREREAD,
1243 "execmap preread:freemem %d size %lu",
1244 freemem, len);
1245 (void) as_fault(p->p_as->a_hat, p->p_as,
1246 (caddr_t)addr, len, F_INVAL, S_READ);
1247 }
1248 } else {
1249 if (valid_usr_range(addr, len, prot, p->p_as,
1250 p->p_as->a_userlimit) != RANGE_OKAY) {
1251 error = ENOMEM;
1252 goto bad;
1253 }
1254
1255 if (error = as_map(p->p_as, addr, len,
1256 segvn_create, zfod_argsp))
1257 goto bad;
1258 /*
1259 * Read in the segment in one big chunk.
1260 */
1261 if (error = vn_rdwr(UIO_READ, vp, (caddr_t)oldaddr,
1262 oldlen, (offset_t)oldoffset, UIO_USERSPACE, 0,
1263 (rlim64_t)0, CRED(), (ssize_t *)0))
1264 goto bad;
1265 /*
1266 * Now set protections.
1267 */
1268 if (prot != PROT_ZFOD) {
1269 (void) as_setprot(p->p_as, (caddr_t)addr,
1270 len, prot);
1271 }
1272 }
1273 }
1274
1275 if (zfodlen) {
1276 struct as *as = curproc->p_as;
1277 struct seg *seg;
1278 uint_t zprot = 0;
1279
1280 end = (size_t)addr + len;
1281 zfodbase = (caddr_t)roundup(end, PAGESIZE);
1282 zfoddiff = (uintptr_t)zfodbase - end;
1283 if (zfoddiff) {
1284 /*
1285 * Before we go to zero the remaining space on the last
1286 * page, make sure we have write permission.
1287 *
1288 * Normal illumos binaries don't even hit the case
1289 * where we have to change permission on the last page
1290 * since their protection is typically either
1291 * PROT_USER | PROT_WRITE | PROT_READ
1292 * or
1293 * PROT_ZFOD (same as PROT_ALL).
1294 *
1295 * We need to be careful how we zero-fill the last page
1296 * if the segment protection does not include
1297 * PROT_WRITE. Using as_setprot() can cause the VM
1298 * segment code to call segvn_vpage(), which must
1299 * allocate a page struct for each page in the segment.
1300 * If we have a very large segment, this may fail, so
1301 * we have to check for that, even though we ignore
1302 * other return values from as_setprot.
1303 */
1304
1305 AS_LOCK_ENTER(as, RW_READER);
1306 seg = as_segat(curproc->p_as, (caddr_t)end);
1307 if (seg != NULL)
1308 SEGOP_GETPROT(seg, (caddr_t)end, zfoddiff - 1,
1309 &zprot);
1310 AS_LOCK_EXIT(as);
1311
1312 if (seg != NULL && (zprot & PROT_WRITE) == 0) {
1313 if (as_setprot(as, (caddr_t)end, zfoddiff - 1,
1314 zprot | PROT_WRITE) == ENOMEM) {
1315 error = ENOMEM;
1316 goto bad;
1317 }
1318 }
1319
1320 if (on_fault(&ljb)) {
1321 no_fault();
1322 if (seg != NULL && (zprot & PROT_WRITE) == 0)
1323 (void) as_setprot(as, (caddr_t)end,
1324 zfoddiff - 1, zprot);
1325 error = EFAULT;
1326 goto bad;
1327 }
1328 uzero((void *)end, zfoddiff);
1329 no_fault();
1330 if (seg != NULL && (zprot & PROT_WRITE) == 0)
1331 (void) as_setprot(as, (caddr_t)end,
1332 zfoddiff - 1, zprot);
1333 }
1334 if (zfodlen > zfoddiff) {
1335 struct segvn_crargs crargs =
1336 SEGVN_ZFOD_ARGS(PROT_ZFOD, PROT_ALL);
1337
1338 zfodlen -= zfoddiff;
1339 if (valid_usr_range(zfodbase, zfodlen, prot, p->p_as,
1340 p->p_as->a_userlimit) != RANGE_OKAY) {
1341 error = ENOMEM;
1342 goto bad;
1343 }
1344 if (szc > 0) {
1345 /*
1346 * ASSERT alignment because the mapelfexec()
1347 * caller for the szc > 0 case extended zfod
1348 * so it's end is pgsz aligned.
1349 */
1350 size_t pgsz = page_get_pagesize(szc);
1351 ASSERT(IS_P2ALIGNED(zfodbase + zfodlen, pgsz));
1352
1353 if (IS_P2ALIGNED(zfodbase, pgsz)) {
1354 crargs.szc = szc;
1355 } else {
1356 crargs.szc = AS_MAP_HEAP;
1357 }
1358 } else {
1359 crargs.szc = AS_MAP_NO_LPOOB;
1360 }
1361 if (error = as_map(p->p_as, (caddr_t)zfodbase,
1362 zfodlen, segvn_create, &crargs))
1363 goto bad;
1364 if (prot != PROT_ZFOD) {
1365 (void) as_setprot(p->p_as, (caddr_t)zfodbase,
1366 zfodlen, prot);
1367 }
1368 }
1369 }
1370 return (0);
1371 bad:
1372 return (error);
1373 }
1374
1375 void
1376 setexecenv(struct execenv *ep)
1377 {
1378 proc_t *p = ttoproc(curthread);
1379 klwp_t *lwp = ttolwp(curthread);
1380 struct vnode *vp;
1381
1382 p->p_bssbase = ep->ex_bssbase;
1383 p->p_brkbase = ep->ex_brkbase;
1384 p->p_brksize = ep->ex_brksize;
1385 if (p->p_exec)
1386 VN_RELE(p->p_exec); /* out with the old */
1387 vp = p->p_exec = ep->ex_vp;
1388 if (vp != NULL)
1389 VN_HOLD(vp); /* in with the new */
1390
1391 lwp->lwp_sigaltstack.ss_sp = 0;
1392 lwp->lwp_sigaltstack.ss_size = 0;
1393 lwp->lwp_sigaltstack.ss_flags = SS_DISABLE;
1394 }
1395
1396 int
1397 execopen(struct vnode **vpp, int *fdp)
1398 {
1399 struct vnode *vp = *vpp;
1400 file_t *fp;
1401 int error = 0;
1402 int filemode = FREAD;
1403
1404 VN_HOLD(vp); /* open reference */
1405 if (error = falloc(NULL, filemode, &fp, fdp)) {
1406 VN_RELE(vp);
1407 *fdp = -1; /* just in case falloc changed value */
1408 return (error);
1409 }
1410 if (error = VOP_OPEN(&vp, filemode, CRED(), NULL)) {
1411 VN_RELE(vp);
1412 setf(*fdp, NULL);
1413 unfalloc(fp);
1414 *fdp = -1;
1415 return (error);
1416 }
1417 *vpp = vp; /* vnode should not have changed */
1418 fp->f_vnode = vp;
1419 mutex_exit(&fp->f_tlock);
1420 setf(*fdp, fp);
1421 return (0);
1422 }
1423
1424 int
1425 execclose(int fd)
1426 {
1427 return (closeandsetf(fd, NULL));
1428 }
1429
1430
1431 /*
1432 * noexec stub function.
1433 */
1434 /*ARGSUSED*/
1435 int
1436 noexec(
1437 struct vnode *vp,
1438 struct execa *uap,
1439 struct uarg *args,
1440 struct intpdata *idatap,
1441 int level,
1442 long *execsz,
1443 int setid,
1444 caddr_t exec_file,
1445 struct cred *cred)
1446 {
1447 cmn_err(CE_WARN, "missing exec capability for %s", uap->fname);
1448 return (ENOEXEC);
1449 }
1450
1451 /*
1452 * Support routines for building a user stack.
1453 *
1454 * execve(path, argv, envp) must construct a new stack with the specified
1455 * arguments and environment variables (see exec_args() for a description
1456 * of the user stack layout). To do this, we copy the arguments and
1457 * environment variables from the old user address space into the kernel,
1458 * free the old as, create the new as, and copy our buffered information
1459 * to the new stack. Our kernel buffer has the following structure:
1460 *
1461 * +-----------------------+ <--- stk_base + stk_size
1462 * | string offsets |
1463 * +-----------------------+ <--- stk_offp
1464 * | |
1465 * | STK_AVAIL() space |
1466 * | |
1467 * +-----------------------+ <--- stk_strp
1468 * | strings |
1469 * +-----------------------+ <--- stk_base
1470 *
1471 * When we add a string, we store the string's contents (including the null
1472 * terminator) at stk_strp, and we store the offset of the string relative to
1473 * stk_base at --stk_offp. At strings are added, stk_strp increases and
1474 * stk_offp decreases. The amount of space remaining, STK_AVAIL(), is just
1475 * the difference between these pointers. If we run out of space, we return
1476 * an error and exec_args() starts all over again with a buffer twice as large.
1477 * When we're all done, the kernel buffer looks like this:
1478 *
1479 * +-----------------------+ <--- stk_base + stk_size
1480 * | argv[0] offset |
1481 * +-----------------------+
1482 * | ... |
1483 * +-----------------------+
1484 * | argv[argc-1] offset |
1485 * +-----------------------+
1486 * | envp[0] offset |
1487 * +-----------------------+
1488 * | ... |
1489 * +-----------------------+
1490 * | envp[envc-1] offset |
1491 * +-----------------------+
1492 * | AT_SUN_PLATFORM offset|
1493 * +-----------------------+
1494 * | AT_SUN_EXECNAME offset|
1495 * +-----------------------+ <--- stk_offp
1496 * | |
1497 * | STK_AVAIL() space |
1498 * | |
1499 * +-----------------------+ <--- stk_strp
1500 * | AT_SUN_EXECNAME offset|
1501 * +-----------------------+
1502 * | AT_SUN_PLATFORM offset|
1503 * +-----------------------+
1504 * | envp[envc-1] string |
1505 * +-----------------------+
1506 * | ... |
1507 * +-----------------------+
1508 * | envp[0] string |
1509 * +-----------------------+
1510 * | argv[argc-1] string |
1511 * +-----------------------+
1512 * | ... |
1513 * +-----------------------+
1514 * | argv[0] string |
1515 * +-----------------------+ <--- stk_base
1516 */
1517
1518 #define STK_AVAIL(args) ((char *)(args)->stk_offp - (args)->stk_strp)
1519
1520 /*
1521 * Add a string to the stack.
1522 */
1523 static int
1524 stk_add(uarg_t *args, const char *sp, enum uio_seg segflg)
1525 {
1526 int error;
1527 size_t len;
1528
1529 if (STK_AVAIL(args) < sizeof (int))
1530 return (E2BIG);
1531 *--args->stk_offp = args->stk_strp - args->stk_base;
1532
1533 if (segflg == UIO_USERSPACE) {
1534 error = copyinstr(sp, args->stk_strp, STK_AVAIL(args), &len);
1535 if (error != 0)
1536 return (error);
1537 } else {
1538 len = strlen(sp) + 1;
1539 if (len > STK_AVAIL(args))
1540 return (E2BIG);
1541 bcopy(sp, args->stk_strp, len);
1542 }
1543
1544 args->stk_strp += len;
1545
1546 return (0);
1547 }
1548
1549 static int
1550 stk_getptr(uarg_t *args, char *src, char **dst)
1551 {
1552 int error;
1553
1554 if (args->from_model == DATAMODEL_NATIVE) {
1555 ulong_t ptr;
1556 error = fulword(src, &ptr);
1557 *dst = (caddr_t)ptr;
1558 } else {
1559 uint32_t ptr;
1560 error = fuword32(src, &ptr);
1561 *dst = (caddr_t)(uintptr_t)ptr;
1562 }
1563 return (error);
1564 }
1565
1566 static int
1567 stk_putptr(uarg_t *args, char *addr, char *value)
1568 {
1569 if (args->to_model == DATAMODEL_NATIVE)
1570 return (sulword(addr, (ulong_t)value));
1571 else
1572 return (suword32(addr, (uint32_t)(uintptr_t)value));
1573 }
1574
1575 static int
1576 stk_copyin(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp)
1577 {
1578 char *sp;
1579 int argc, error;
1580 int argv_empty = 0;
1581 size_t ptrsize = args->from_ptrsize;
1582 size_t size, pad;
1583 char *argv = (char *)uap->argp;
1584 char *envp = (char *)uap->envp;
1585
1586 /*
1587 * Copy interpreter's name and argument to argv[0] and argv[1].
1588 * In the rare case that we have nested interpreters then those names
1589 * and arguments are also copied to the subsequent slots in argv.
1590 */
1591 if (intp != NULL && intp->intp_name[0] != NULL) {
1592 int i;
1593
1594 for (i = 0; i < INTP_MAXDEPTH; i++) {
1595 if (intp->intp_name[i] == NULL)
1596 break;
1597 error = stk_add(args, intp->intp_name[i], UIO_SYSSPACE);
1598 if (error != 0)
1599 return (error);
1600 if (intp->intp_arg[i] != NULL) {
1601 error = stk_add(args, intp->intp_arg[i],
1602 UIO_SYSSPACE);
1603 if (error != 0)
1604 return (error);
1605 }
1606 }
1607
1608 if (args->fname != NULL)
1609 error = stk_add(args, args->fname, UIO_SYSSPACE);
1610 else
1611 error = stk_add(args, uap->fname, UIO_USERSPACE);
1612 if (error)
1613 return (error);
1614
1615 /*
1616 * Check for an empty argv[].
1617 */
1618 if (stk_getptr(args, argv, &sp))
1619 return (EFAULT);
1620 if (sp == NULL)
1621 argv_empty = 1;
1622
1623 argv += ptrsize; /* ignore original argv[0] */
1624 }
1625
1626 if (argv_empty == 0) {
1627 /*
1628 * Add argv[] strings to the stack.
1629 */
1630 for (;;) {
1631 if (stk_getptr(args, argv, &sp))
1632 return (EFAULT);
1633 if (sp == NULL)
1634 break;
1635 if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0)
1636 return (error);
1637 argv += ptrsize;
1638 }
1639 }
1640 argc = (int *)(args->stk_base + args->stk_size) - args->stk_offp;
1641 args->arglen = args->stk_strp - args->stk_base;
1642
1643 /*
1644 * Add environ[] strings to the stack.
1645 */
1646 if (envp != NULL) {
1647 for (;;) {
1648 char *tmp = args->stk_strp;
1649 if (stk_getptr(args, envp, &sp))
1650 return (EFAULT);
1651 if (sp == NULL)
1652 break;
1653 if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0)
1654 return (error);
1655 if (args->scrubenv && strncmp(tmp, "LD_", 3) == 0) {
1656 /* Undo the copied string */
1657 args->stk_strp = tmp;
1658 *(args->stk_offp++) = NULL;
1659 }
1660 envp += ptrsize;
1661 }
1662 }
1663 args->na = (int *)(args->stk_base + args->stk_size) - args->stk_offp;
1664 args->ne = args->na - argc;
1665
1666 /*
1667 * Add AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME, and
1668 * AT_SUN_EMULATOR strings to the stack.
1669 */
1670 if (auxvpp != NULL && *auxvpp != NULL) {
1671 if ((error = stk_add(args, platform, UIO_SYSSPACE)) != 0)
1672 return (error);
1673 if ((error = stk_add(args, args->pathname, UIO_SYSSPACE)) != 0)
1674 return (error);
1675 if (args->brandname != NULL &&
1676 (error = stk_add(args, args->brandname, UIO_SYSSPACE)) != 0)
1677 return (error);
1678 if (args->emulator != NULL &&
1679 (error = stk_add(args, args->emulator, UIO_SYSSPACE)) != 0)
1680 return (error);
1681 }
1682
1683 /*
1684 * Compute the size of the stack. This includes all the pointers,
1685 * the space reserved for the aux vector, and all the strings.
1686 * The total number of pointers is args->na (which is argc + envc)
1687 * plus 4 more: (1) a pointer's worth of space for argc; (2) the NULL
1688 * after the last argument (i.e. argv[argc]); (3) the NULL after the
1689 * last environment variable (i.e. envp[envc]); and (4) the NULL after
1690 * all the strings, at the very top of the stack.
1691 */
1692 size = (args->na + 4) * args->to_ptrsize + args->auxsize +
1693 (args->stk_strp - args->stk_base);
1694
1695 /*
1696 * Pad the string section with zeroes to align the stack size.
1697 */
1698 pad = P2NPHASE(size, args->stk_align);
1699
1700 if (STK_AVAIL(args) < pad)
1701 return (E2BIG);
1702
1703 args->usrstack_size = size + pad;
1704
1705 while (pad-- != 0)
1706 *args->stk_strp++ = 0;
1707
1708 args->nc = args->stk_strp - args->stk_base;
1709
1710 return (0);
1711 }
1712
1713 static int
1714 stk_copyout(uarg_t *args, char *usrstack, void **auxvpp, user_t *up)
1715 {
1716 size_t ptrsize = args->to_ptrsize;
1717 ssize_t pslen;
1718 char *kstrp = args->stk_base;
1719 char *ustrp = usrstack - args->nc - ptrsize;
1720 char *usp = usrstack - args->usrstack_size;
1721 int *offp = (int *)(args->stk_base + args->stk_size);
1722 int envc = args->ne;
1723 int argc = args->na - envc;
1724 int i;
1725
1726 /*
1727 * Record argc for /proc.
1728 */
1729 up->u_argc = argc;
1730
1731 /*
1732 * Put argc on the stack. Note that even though it's an int,
1733 * it always consumes ptrsize bytes (for alignment).
1734 */
1735 if (stk_putptr(args, usp, (char *)(uintptr_t)argc))
1736 return (-1);
1737
1738 /*
1739 * Add argc space (ptrsize) to usp and record argv for /proc.
1740 */
1741 up->u_argv = (uintptr_t)(usp += ptrsize);
1742
1743 /*
1744 * Put the argv[] pointers on the stack.
1745 */
1746 for (i = 0; i < argc; i++, usp += ptrsize)
1747 if (stk_putptr(args, usp, &ustrp[*--offp]))
1748 return (-1);
1749
1750 /*
1751 * Copy arguments to u_psargs.
1752 */
1753 pslen = MIN(args->arglen, PSARGSZ) - 1;
1754 for (i = 0; i < pslen; i++)
1755 up->u_psargs[i] = (kstrp[i] == '\0' ? ' ' : kstrp[i]);
1756 while (i < PSARGSZ)
1757 up->u_psargs[i++] = '\0';
1758
1759 /*
1760 * Add space for argv[]'s NULL terminator (ptrsize) to usp and
1761 * record envp for /proc.
1762 */
1763 up->u_envp = (uintptr_t)(usp += ptrsize);
1764
1765 /*
1766 * Put the envp[] pointers on the stack.
1767 */
1768 for (i = 0; i < envc; i++, usp += ptrsize)
1769 if (stk_putptr(args, usp, &ustrp[*--offp]))
1770 return (-1);
1771
1772 /*
1773 * Add space for envp[]'s NULL terminator (ptrsize) to usp and
1774 * remember where the stack ends, which is also where auxv begins.
1775 */
1776 args->stackend = usp += ptrsize;
1777
1778 /*
1779 * Put all the argv[], envp[], and auxv strings on the stack.
1780 */
1781 if (copyout(args->stk_base, ustrp, args->nc))
1782 return (-1);
1783
1784 /*
1785 * Fill in the aux vector now that we know the user stack addresses
1786 * for the AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME and
1787 * AT_SUN_EMULATOR strings.
1788 */
1789 if (auxvpp != NULL && *auxvpp != NULL) {
1790 if (args->to_model == DATAMODEL_NATIVE) {
1791 auxv_t **a = (auxv_t **)auxvpp;
1792 ADDAUX(*a, AT_SUN_PLATFORM, (long)&ustrp[*--offp])
1793 ADDAUX(*a, AT_SUN_EXECNAME, (long)&ustrp[*--offp])
1794 if (args->brandname != NULL)
1795 ADDAUX(*a,
1796 AT_SUN_BRANDNAME, (long)&ustrp[*--offp])
1797 if (args->emulator != NULL)
1798 ADDAUX(*a,
1799 AT_SUN_EMULATOR, (long)&ustrp[*--offp])
1800 } else {
1801 auxv32_t **a = (auxv32_t **)auxvpp;
1802 ADDAUX(*a,
1803 AT_SUN_PLATFORM, (int)(uintptr_t)&ustrp[*--offp])
1804 ADDAUX(*a,
1805 AT_SUN_EXECNAME, (int)(uintptr_t)&ustrp[*--offp])
1806 if (args->brandname != NULL)
1807 ADDAUX(*a, AT_SUN_BRANDNAME,
1808 (int)(uintptr_t)&ustrp[*--offp])
1809 if (args->emulator != NULL)
1810 ADDAUX(*a, AT_SUN_EMULATOR,
1811 (int)(uintptr_t)&ustrp[*--offp])
1812 }
1813 }
1814
1815 return (0);
1816 }
1817
1818 /*
1819 * Though the actual stack base is constant, slew the %sp by a random aligned
1820 * amount in [0,aslr_max_stack_skew). Mostly, this makes life slightly more
1821 * complicated for buffer overflows hoping to overwrite the return address.
1822 *
1823 * On some platforms this helps avoid cache thrashing when identical processes
1824 * simultaneously share caches that don't provide enough associativity
1825 * (e.g. sun4v systems). In this case stack slewing makes the same hot stack
1826 * variables in different processes live in different cache sets increasing
1827 * effective associativity.
1828 */
1829 size_t
1830 exec_get_spslew(void)
1831 {
1832 #ifdef sun4v
1833 static uint_t sp_color_stride = 16;
1834 static uint_t sp_color_mask = 0x1f;
1835 static uint_t sp_current_color = (uint_t)-1;
1836 #endif
1837 size_t off;
1838
1839 ASSERT(ISP2(aslr_max_stack_skew));
1840
1841 if ((aslr_max_stack_skew == 0) ||
1842 !secflag_enabled(curproc, PROC_SEC_ASLR)) {
1843 #ifdef sun4v
1844 uint_t spcolor = atomic_inc_32_nv(&sp_current_color);
1845 return ((size_t)((spcolor & sp_color_mask) *
1846 SA(sp_color_stride)));
1847 #else
1848 return (0);
1849 #endif
1850 }
1851
1852 (void) random_get_pseudo_bytes((uint8_t *)&off, sizeof (off));
1853 return (SA(P2PHASE(off, aslr_max_stack_skew)));
1854 }
1855
1856 /*
1857 * Initialize a new user stack with the specified arguments and environment.
1858 * The initial user stack layout is as follows:
1859 *
1860 * User Stack
1861 * +---------------+ <--- curproc->p_usrstack
1862 * | |
1863 * | slew |
1864 * | |
1865 * +---------------+
1866 * | NULL |
1867 * +---------------+
1868 * | |
1869 * | auxv strings |
1870 * | |
1871 * +---------------+
1872 * | |
1873 * | envp strings |
1874 * | |
1875 * +---------------+
1876 * | |
1877 * | argv strings |
1878 * | |
1879 * +---------------+ <--- ustrp
1880 * | |
1881 * | aux vector |
1882 * | |
1883 * +---------------+ <--- auxv
1884 * | NULL |
1885 * +---------------+
1886 * | envp[envc-1] |
1887 * +---------------+
1888 * | ... |
1889 * +---------------+
1890 * | envp[0] |
1891 * +---------------+ <--- envp[]
1892 * | NULL |
1893 * +---------------+
1894 * | argv[argc-1] |
1895 * +---------------+
1896 * | ... |
1897 * +---------------+
1898 * | argv[0] |
1899 * +---------------+ <--- argv[]
1900 * | argc |
1901 * +---------------+ <--- stack base
1902 */
1903 int
1904 exec_args(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp)
1905 {
1906 size_t size;
1907 int error;
1908 proc_t *p = ttoproc(curthread);
1909 user_t *up = PTOU(p);
1910 char *usrstack;
1911 rctl_entity_p_t e;
1912 struct as *as;
1913 extern int use_stk_lpg;
1914 size_t sp_slew;
1915
1916 args->from_model = p->p_model;
1917 if (p->p_model == DATAMODEL_NATIVE) {
1918 args->from_ptrsize = sizeof (long);
1919 } else {
1920 args->from_ptrsize = sizeof (int32_t);
1921 }
1922
1923 if (args->to_model == DATAMODEL_NATIVE) {
1924 args->to_ptrsize = sizeof (long);
1925 args->ncargs = NCARGS;
1926 args->stk_align = STACK_ALIGN;
1927 if (args->addr32)
1928 usrstack = (char *)USRSTACK64_32;
1929 else
1930 usrstack = (char *)USRSTACK;
1931 } else {
1932 args->to_ptrsize = sizeof (int32_t);
1933 args->ncargs = NCARGS32;
1934 args->stk_align = STACK_ALIGN32;
1935 usrstack = (char *)USRSTACK32;
1936 }
1937
1938 ASSERT(P2PHASE((uintptr_t)usrstack, args->stk_align) == 0);
1939
1940 #if defined(__sparc)
1941 /*
1942 * Make sure user register windows are empty before
1943 * attempting to make a new stack.
1944 */
1945 (void) flush_user_windows_to_stack(NULL);
1946 #endif
1947
1948 for (size = PAGESIZE; ; size *= 2) {
1949 args->stk_size = size;
1950 args->stk_base = kmem_alloc(size, KM_SLEEP);
1951 args->stk_strp = args->stk_base;
1952 args->stk_offp = (int *)(args->stk_base + size);
1953 error = stk_copyin(uap, args, intp, auxvpp);
1954 if (error == 0)
1955 break;
1956 kmem_free(args->stk_base, size);
1957 if (error != E2BIG && error != ENAMETOOLONG)
1958 return (error);
1959 if (size >= args->ncargs)
1960 return (E2BIG);
1961 }
1962
1963 size = args->usrstack_size;
1964
1965 ASSERT(error == 0);
1966 ASSERT(P2PHASE(size, args->stk_align) == 0);
1967 ASSERT((ssize_t)STK_AVAIL(args) >= 0);
1968
1969 if (size > args->ncargs) {
1970 kmem_free(args->stk_base, args->stk_size);
1971 return (E2BIG);
1972 }
1973
1974 /*
1975 * Leave only the current lwp and force the other lwps to exit.
1976 * If another lwp beat us to the punch by calling exit(), bail out.
1977 */
1978 if ((error = exitlwps(0)) != 0) {
1979 kmem_free(args->stk_base, args->stk_size);
1980 return (error);
1981 }
1982
1983 /*
1984 * Revoke any doors created by the process.
1985 */
1986 if (p->p_door_list)
1987 door_exit();
1988
1989 /*
1990 * Release schedctl data structures.
1991 */
1992 if (p->p_pagep)
1993 schedctl_proc_cleanup();
1994
1995 /*
1996 * Clean up any DTrace helpers for the process.
1997 */
1998 if (p->p_dtrace_helpers != NULL) {
1999 ASSERT(dtrace_helpers_cleanup != NULL);
2000 (*dtrace_helpers_cleanup)();
2001 }
2002
2003 mutex_enter(&p->p_lock);
2004 /*
2005 * Cleanup the DTrace provider associated with this process.
2006 */
2007 if (p->p_dtrace_probes) {
2008 ASSERT(dtrace_fasttrap_exec_ptr != NULL);
2009 dtrace_fasttrap_exec_ptr(p);
2010 }
2011 mutex_exit(&p->p_lock);
2012
2013 /*
2014 * discard the lwpchan cache.
2015 */
2016 if (p->p_lcp != NULL)
2017 lwpchan_destroy_cache(1);
2018
2019 /*
2020 * Delete the POSIX timers.
2021 */
2022 if (p->p_itimer != NULL)
2023 timer_exit();
2024
2025 /*
2026 * Delete the ITIMER_REALPROF interval timer.
2027 * The other ITIMER_* interval timers are specified
2028 * to be inherited across exec().
2029 */
2030 delete_itimer_realprof();
2031
2032 if (AU_AUDITING())
2033 audit_exec(args->stk_base, args->stk_base + args->arglen,
2034 args->na - args->ne, args->ne, args->pfcred);
2035
2036 /*
2037 * Ensure that we don't change resource associations while we
2038 * change address spaces.
2039 */
2040 mutex_enter(&p->p_lock);
2041 pool_barrier_enter();
2042 mutex_exit(&p->p_lock);
2043
2044 /*
2045 * Destroy the old address space and create a new one.
2046 * From here on, any errors are fatal to the exec()ing process.
2047 * On error we return -1, which means the caller must SIGKILL
2048 * the process.
2049 */
2050 relvm();
2051
2052 mutex_enter(&p->p_lock);
2053 pool_barrier_exit();
2054 mutex_exit(&p->p_lock);
2055
2056 up->u_execsw = args->execswp;
2057
2058 p->p_brkbase = NULL;
2059 p->p_brksize = 0;
2060 p->p_brkpageszc = 0;
2061 p->p_stksize = 0;
2062 p->p_stkpageszc = 0;
2063 p->p_model = args->to_model;
2064 p->p_usrstack = usrstack;
2065 p->p_stkprot = args->stk_prot;
2066 p->p_datprot = args->dat_prot;
2067
2068 /*
2069 * Reset resource controls such that all controls are again active as
2070 * well as appropriate to the potentially new address model for the
2071 * process.
2072 */
2073 e.rcep_p.proc = p;
2074 e.rcep_t = RCENTITY_PROCESS;
2075 rctl_set_reset(p->p_rctls, p, &e);
2076
2077 /* Too early to call map_pgsz for the heap */
2078 if (use_stk_lpg) {
2079 p->p_stkpageszc = page_szc(map_pgsz(MAPPGSZ_STK, p, 0, 0, 0));
2080 }
2081
2082 mutex_enter(&p->p_lock);
2083 p->p_flag |= SAUTOLPG; /* kernel controls page sizes */
2084 mutex_exit(&p->p_lock);
2085
2086 sp_slew = exec_get_spslew();
2087 ASSERT(P2PHASE(sp_slew, args->stk_align) == 0);
2088 /* Be certain we don't underflow */
2089 VERIFY((curproc->p_usrstack - (size + sp_slew)) < curproc->p_usrstack);
2090 exec_set_sp(size + sp_slew);
2091
2092 as = as_alloc();
2093 p->p_as = as;
2094 as->a_proc = p;
2095 if (p->p_model == DATAMODEL_ILP32 || args->addr32)
2096 as->a_userlimit = (caddr_t)USERLIMIT32;
2097 (void) hat_setup(as->a_hat, HAT_ALLOC);
2098 hat_join_srd(as->a_hat, args->ex_vp);
2099
2100 /*
2101 * Finally, write out the contents of the new stack.
2102 */
2103 error = stk_copyout(args, usrstack - sp_slew, auxvpp, up);
2104 kmem_free(args->stk_base, args->stk_size);
2105 return (error);
2106 }