1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 
  22 /*
  23  * Copyright (c) 1988, 2010, Oracle and/or its affiliates. All rights reserved.
  24  */
  25 
  26 /*      Copyright (c) 1988 AT&T     */
  27 /*        All Rights Reserved   */
  28 /*
  29  * Copyright 2014, Joyent, Inc.  All rights reserved.
  30  */
  31 
  32 #include <sys/types.h>
  33 #include <sys/param.h>
  34 #include <sys/sysmacros.h>
  35 #include <sys/systm.h>
  36 #include <sys/signal.h>
  37 #include <sys/cred_impl.h>
  38 #include <sys/policy.h>
  39 #include <sys/user.h>
  40 #include <sys/errno.h>
  41 #include <sys/file.h>
  42 #include <sys/vfs.h>
  43 #include <sys/vnode.h>
  44 #include <sys/mman.h>
  45 #include <sys/acct.h>
  46 #include <sys/cpuvar.h>
  47 #include <sys/proc.h>
  48 #include <sys/cmn_err.h>
  49 #include <sys/debug.h>
  50 #include <sys/pathname.h>
  51 #include <sys/vm.h>
  52 #include <sys/lgrp.h>
  53 #include <sys/vtrace.h>
  54 #include <sys/exec.h>
  55 #include <sys/exechdr.h>
  56 #include <sys/kmem.h>
  57 #include <sys/prsystm.h>
  58 #include <sys/modctl.h>
  59 #include <sys/vmparam.h>
  60 #include <sys/door.h>
  61 #include <sys/schedctl.h>
  62 #include <sys/utrap.h>
  63 #include <sys/systeminfo.h>
  64 #include <sys/stack.h>
  65 #include <sys/rctl.h>
  66 #include <sys/dtrace.h>
  67 #include <sys/lwpchan_impl.h>
  68 #include <sys/pool.h>
  69 #include <sys/sdt.h>
  70 #include <sys/brand.h>
  71 #include <sys/klpd.h>
  72 #include <sys/random.h>
  73 
  74 #include <c2/audit.h>
  75 
  76 #include <vm/hat.h>
  77 #include <vm/anon.h>
  78 #include <vm/as.h>
  79 #include <vm/seg.h>
  80 #include <vm/seg_vn.h>
  81 
  82 #define PRIV_RESET              0x01    /* needs to reset privs */
  83 #define PRIV_SETID              0x02    /* needs to change uids */
  84 #define PRIV_SETUGID            0x04    /* is setuid/setgid/forced privs */
  85 #define PRIV_INCREASE           0x08    /* child runs with more privs */
  86 #define MAC_FLAGS               0x10    /* need to adjust MAC flags */
  87 #define PRIV_FORCED             0x20    /* has forced privileges */
  88 
  89 static int execsetid(struct vnode *, struct vattr *, uid_t *, uid_t *,
  90     priv_set_t *, cred_t *, const char *);
  91 static int hold_execsw(struct execsw *);
  92 
  93 uint_t auxv_hwcap = 0;  /* auxv AT_SUN_HWCAP value; determined on the fly */
  94 uint_t auxv_hwcap_2 = 0;        /* AT_SUN_HWCAP2 */
  95 #if defined(_SYSCALL32_IMPL)
  96 uint_t auxv_hwcap32 = 0;        /* 32-bit version of auxv_hwcap */
  97 uint_t auxv_hwcap32_2 = 0;      /* 32-bit version of auxv_hwcap2 */
  98 #endif
  99 
 100 #define PSUIDFLAGS              (SNOCD|SUGID)
 101 
 102 /*
 103  * These are consumed within the specific exec modules, but are defined here
 104  * because
 105  *
 106  * 1) The exec modules are unloadable, which would make this near useless.
 107  *
 108  * 2) We want them to be common across all of them, should more than ELF come
 109  *    to support them.
 110  *
 111  * All must be powers of 2.
 112  */
 113 size_t aslr_max_brk_skew = 16 * 1024 * 1024; /* 16MB */
 114 #pragma weak exec_stackgap = aslr_max_stack_skew /* Old, compatible name */
 115 size_t aslr_max_stack_skew = 64 * 1024; /* 64KB */
 116 
 117 /*
 118  * exece() - system call wrapper around exec_common()
 119  */
 120 int
 121 exece(const char *fname, const char **argp, const char **envp)
 122 {
 123         int error;
 124 
 125         error = exec_common(fname, argp, envp, EBA_NONE);
 126         return (error ? (set_errno(error)) : 0);
 127 }
 128 
 129 int
 130 exec_common(const char *fname, const char **argp, const char **envp,
 131     int brand_action)
 132 {
 133         vnode_t *vp = NULL, *dir = NULL, *tmpvp = NULL;
 134         proc_t *p = ttoproc(curthread);
 135         klwp_t *lwp = ttolwp(curthread);
 136         struct user *up = PTOU(p);
 137         long execsz;            /* temporary count of exec size */
 138         int i;
 139         int error;
 140         char exec_file[MAXCOMLEN+1];
 141         struct pathname pn;
 142         struct pathname resolvepn;
 143         struct uarg args;
 144         struct execa ua;
 145         k_sigset_t savedmask;
 146         lwpdir_t *lwpdir = NULL;
 147         tidhash_t *tidhash;
 148         lwpdir_t *old_lwpdir = NULL;
 149         uint_t old_lwpdir_sz;
 150         tidhash_t *old_tidhash;
 151         uint_t old_tidhash_sz;
 152         ret_tidhash_t *ret_tidhash;
 153         lwpent_t *lep;
 154         boolean_t brandme = B_FALSE;
 155 
 156         /*
 157          * exec() is not supported for the /proc agent lwp.
 158          */
 159         if (curthread == p->p_agenttp)
 160                 return (ENOTSUP);
 161 
 162         if (brand_action != EBA_NONE) {
 163                 /*
 164                  * Brand actions are not supported for processes that are not
 165                  * running in a branded zone.
 166                  */
 167                 if (!ZONE_IS_BRANDED(p->p_zone))
 168                         return (ENOTSUP);
 169 
 170                 if (brand_action == EBA_NATIVE) {
 171                         /* Only branded processes can be unbranded */
 172                         if (!PROC_IS_BRANDED(p))
 173                                 return (ENOTSUP);
 174                 } else {
 175                         /* Only unbranded processes can be branded */
 176                         if (PROC_IS_BRANDED(p))
 177                                 return (ENOTSUP);
 178                         brandme = B_TRUE;
 179                 }
 180         } else {
 181                 /*
 182                  * If this is a native zone, or if the process is already
 183                  * branded, then we don't need to do anything.  If this is
 184                  * a native process in a branded zone, we need to brand the
 185                  * process as it exec()s the new binary.
 186                  */
 187                 if (ZONE_IS_BRANDED(p->p_zone) && !PROC_IS_BRANDED(p))
 188                         brandme = B_TRUE;
 189         }
 190 
 191         /*
 192          * Inform /proc that an exec() has started.
 193          * Hold signals that are ignored by default so that we will
 194          * not be interrupted by a signal that will be ignored after
 195          * successful completion of gexec().
 196          */
 197         mutex_enter(&p->p_lock);
 198         prexecstart();
 199         schedctl_finish_sigblock(curthread);
 200         savedmask = curthread->t_hold;
 201         sigorset(&curthread->t_hold, &ignoredefault);
 202         mutex_exit(&p->p_lock);
 203 
 204         /*
 205          * Look up path name and remember last component for later.
 206          * To help coreadm expand its %d token, we attempt to save
 207          * the directory containing the executable in p_execdir. The
 208          * first call to lookuppn() may fail and return EINVAL because
 209          * dirvpp is non-NULL. In that case, we make a second call to
 210          * lookuppn() with dirvpp set to NULL; p_execdir will be NULL,
 211          * but coreadm is allowed to expand %d to the empty string and
 212          * there are other cases in which that failure may occur.
 213          */
 214         if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0)
 215                 goto out;
 216         pn_alloc(&resolvepn);
 217         if ((error = lookuppn(&pn, &resolvepn, FOLLOW, &dir, &vp)) != 0) {
 218                 pn_free(&resolvepn);
 219                 pn_free(&pn);
 220                 if (error != EINVAL)
 221                         goto out;
 222 
 223                 dir = NULL;
 224                 if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0)
 225                         goto out;
 226                 pn_alloc(&resolvepn);
 227                 if ((error = lookuppn(&pn, &resolvepn, FOLLOW, NULLVPP,
 228                     &vp)) != 0) {
 229                         pn_free(&resolvepn);
 230                         pn_free(&pn);
 231                         goto out;
 232                 }
 233         }
 234         if (vp == NULL) {
 235                 if (dir != NULL)
 236                         VN_RELE(dir);
 237                 error = ENOENT;
 238                 pn_free(&resolvepn);
 239                 pn_free(&pn);
 240                 goto out;
 241         }
 242 
 243         if ((error = secpolicy_basic_exec(CRED(), vp)) != 0) {
 244                 if (dir != NULL)
 245                         VN_RELE(dir);
 246                 pn_free(&resolvepn);
 247                 pn_free(&pn);
 248                 VN_RELE(vp);
 249                 goto out;
 250         }
 251 
 252         /*
 253          * We do not allow executing files in attribute directories.
 254          * We test this by determining whether the resolved path
 255          * contains a "/" when we're in an attribute directory;
 256          * only if the pathname does not contain a "/" the resolved path
 257          * points to a file in the current working (attribute) directory.
 258          */
 259         if ((p->p_user.u_cdir->v_flag & V_XATTRDIR) != 0 &&
 260             strchr(resolvepn.pn_path, '/') == NULL) {
 261                 if (dir != NULL)
 262                         VN_RELE(dir);
 263                 error = EACCES;
 264                 pn_free(&resolvepn);
 265                 pn_free(&pn);
 266                 VN_RELE(vp);
 267                 goto out;
 268         }
 269 
 270         bzero(exec_file, MAXCOMLEN+1);
 271         (void) strncpy(exec_file, pn.pn_path, MAXCOMLEN);
 272         bzero(&args, sizeof (args));
 273         args.pathname = resolvepn.pn_path;
 274         /* don't free resolvepn until we are done with args */
 275         pn_free(&pn);
 276 
 277         /*
 278          * If we're running in a profile shell, then call pfexecd.
 279          */
 280         if ((CR_FLAGS(p->p_cred) & PRIV_PFEXEC) != 0) {
 281                 error = pfexec_call(p->p_cred, &resolvepn, &args.pfcred,
 282                     &args.scrubenv);
 283 
 284                 /* Returning errno in case we're not allowed to execute. */
 285                 if (error > 0) {
 286                         if (dir != NULL)
 287                                 VN_RELE(dir);
 288                         pn_free(&resolvepn);
 289                         VN_RELE(vp);
 290                         goto out;
 291                 }
 292 
 293                 /* Don't change the credentials when using old ptrace. */
 294                 if (args.pfcred != NULL &&
 295                     (p->p_proc_flag & P_PR_PTRACE) != 0) {
 296                         crfree(args.pfcred);
 297                         args.pfcred = NULL;
 298                         args.scrubenv = B_FALSE;
 299                 }
 300         }
 301 
 302         /*
 303          * Specific exec handlers, or policies determined via
 304          * /etc/system may override the historical default.
 305          */
 306         args.stk_prot = PROT_ZFOD;
 307         args.dat_prot = PROT_ZFOD;
 308 
 309         CPU_STATS_ADD_K(sys, sysexec, 1);
 310         DTRACE_PROC1(exec, char *, args.pathname);
 311 
 312         ua.fname = fname;
 313         ua.argp = argp;
 314         ua.envp = envp;
 315 
 316         /* If necessary, brand this process before we start the exec. */
 317         if (brandme)
 318                 brand_setbrand(p);
 319 
 320         if ((error = gexec(&vp, &ua, &args, NULL, 0, &execsz,
 321             exec_file, p->p_cred, brand_action)) != 0) {
 322                 if (brandme)
 323                         brand_clearbrand(p, B_FALSE);
 324                 VN_RELE(vp);
 325                 if (dir != NULL)
 326                         VN_RELE(dir);
 327                 pn_free(&resolvepn);
 328                 goto fail;
 329         }
 330 
 331         /*
 332          * Free floating point registers (sun4u only)
 333          */
 334         ASSERT(lwp != NULL);
 335         lwp_freeregs(lwp, 1);
 336 
 337         /*
 338          * Free thread and process context ops.
 339          */
 340         if (curthread->t_ctx)
 341                 freectx(curthread, 1);
 342         if (p->p_pctx)
 343                 freepctx(p, 1);
 344 
 345         /*
 346          * Remember file name for accounting; clear any cached DTrace predicate.
 347          */
 348         up->u_acflag &= ~AFORK;
 349         bcopy(exec_file, up->u_comm, MAXCOMLEN+1);
 350         curthread->t_predcache = NULL;
 351 
 352         /*
 353          * Clear contract template state
 354          */
 355         lwp_ctmpl_clear(lwp);
 356 
 357         /*
 358          * Save the directory in which we found the executable for expanding
 359          * the %d token used in core file patterns.
 360          */
 361         mutex_enter(&p->p_lock);
 362         tmpvp = p->p_execdir;
 363         p->p_execdir = dir;
 364         if (p->p_execdir != NULL)
 365                 VN_HOLD(p->p_execdir);
 366         mutex_exit(&p->p_lock);
 367 
 368         if (tmpvp != NULL)
 369                 VN_RELE(tmpvp);
 370 
 371         /*
 372          * Reset stack state to the user stack, clear set of signals
 373          * caught on the signal stack, and reset list of signals that
 374          * restart system calls; the new program's environment should
 375          * not be affected by detritus from the old program.  Any
 376          * pending held signals remain held, so don't clear t_hold.
 377          */
 378         mutex_enter(&p->p_lock);
 379         lwp->lwp_oldcontext = 0;
 380         lwp->lwp_ustack = 0;
 381         lwp->lwp_old_stk_ctl = 0;
 382         sigemptyset(&up->u_signodefer);
 383         sigemptyset(&up->u_sigonstack);
 384         sigemptyset(&up->u_sigresethand);
 385         lwp->lwp_sigaltstack.ss_sp = 0;
 386         lwp->lwp_sigaltstack.ss_size = 0;
 387         lwp->lwp_sigaltstack.ss_flags = SS_DISABLE;
 388 
 389         /*
 390          * Make saved resource limit == current resource limit.
 391          */
 392         for (i = 0; i < RLIM_NLIMITS; i++) {
 393                 /*CONSTCOND*/
 394                 if (RLIM_SAVED(i)) {
 395                         (void) rctl_rlimit_get(rctlproc_legacy[i], p,
 396                             &up->u_saved_rlimit[i]);
 397                 }
 398         }
 399 
 400         /*
 401          * If the action was to catch the signal, then the action
 402          * must be reset to SIG_DFL.
 403          */
 404         sigdefault(p);
 405         p->p_flag &= ~(SNOWAIT|SJCTL);
 406         p->p_flag |= (SEXECED|SMSACCT|SMSFORK);
 407         up->u_signal[SIGCLD - 1] = SIG_DFL;
 408 
 409         /*
 410          * Delete the dot4 sigqueues/signotifies.
 411          */
 412         sigqfree(p);
 413 
 414         mutex_exit(&p->p_lock);
 415 
 416         mutex_enter(&p->p_pflock);
 417         p->p_prof.pr_base = NULL;
 418         p->p_prof.pr_size = 0;
 419         p->p_prof.pr_off = 0;
 420         p->p_prof.pr_scale = 0;
 421         p->p_prof.pr_samples = 0;
 422         mutex_exit(&p->p_pflock);
 423 
 424         ASSERT(curthread->t_schedctl == NULL);
 425 
 426 #if defined(__sparc)
 427         if (p->p_utraps != NULL)
 428                 utrap_free(p);
 429 #endif  /* __sparc */
 430 
 431         /*
 432          * Close all close-on-exec files.
 433          */
 434         close_exec(P_FINFO(p));
 435         TRACE_2(TR_FAC_PROC, TR_PROC_EXEC, "proc_exec:p %p up %p", p, up);
 436 
 437         /* Unbrand ourself if necessary. */
 438         if (PROC_IS_BRANDED(p) && (brand_action == EBA_NATIVE))
 439                 brand_clearbrand(p, B_FALSE);
 440 
 441         setregs(&args);
 442 
 443         /* Mark this as an executable vnode */
 444         mutex_enter(&vp->v_lock);
 445         vp->v_flag |= VVMEXEC;
 446         mutex_exit(&vp->v_lock);
 447 
 448         VN_RELE(vp);
 449         if (dir != NULL)
 450                 VN_RELE(dir);
 451         pn_free(&resolvepn);
 452 
 453         /*
 454          * Allocate a new lwp directory and lwpid hash table if necessary.
 455          */
 456         if (curthread->t_tid != 1 || p->p_lwpdir_sz != 2) {
 457                 lwpdir = kmem_zalloc(2 * sizeof (lwpdir_t), KM_SLEEP);
 458                 lwpdir->ld_next = lwpdir + 1;
 459                 tidhash = kmem_zalloc(2 * sizeof (tidhash_t), KM_SLEEP);
 460                 if (p->p_lwpdir != NULL)
 461                         lep = p->p_lwpdir[curthread->t_dslot].ld_entry;
 462                 else
 463                         lep = kmem_zalloc(sizeof (*lep), KM_SLEEP);
 464         }
 465 
 466         if (PROC_IS_BRANDED(p))
 467                 BROP(p)->b_exec();
 468 
 469         mutex_enter(&p->p_lock);
 470         prbarrier(p);
 471 
 472         /*
 473          * Reset lwp id to the default value of 1.
 474          * This is a single-threaded process now
 475          * and lwp #1 is lwp_wait()able by default.
 476          * The t_unpark flag should not be inherited.
 477          */
 478         ASSERT(p->p_lwpcnt == 1 && p->p_zombcnt == 0);
 479         curthread->t_tid = 1;
 480         kpreempt_disable();
 481         ASSERT(curthread->t_lpl != NULL);
 482         p->p_t1_lgrpid = curthread->t_lpl->lpl_lgrpid;
 483         kpreempt_enable();
 484         if (p->p_tr_lgrpid != LGRP_NONE && p->p_tr_lgrpid != p->p_t1_lgrpid) {
 485                 lgrp_update_trthr_migrations(1);
 486         }
 487         curthread->t_unpark = 0;
 488         curthread->t_proc_flag |= TP_TWAIT;
 489         curthread->t_proc_flag &= ~TP_DAEMON;    /* daemons shouldn't exec */
 490         p->p_lwpdaemon = 0;                  /* but oh well ... */
 491         p->p_lwpid = 1;
 492 
 493         /*
 494          * Install the newly-allocated lwp directory and lwpid hash table
 495          * and insert the current thread into the new hash table.
 496          */
 497         if (lwpdir != NULL) {
 498                 old_lwpdir = p->p_lwpdir;
 499                 old_lwpdir_sz = p->p_lwpdir_sz;
 500                 old_tidhash = p->p_tidhash;
 501                 old_tidhash_sz = p->p_tidhash_sz;
 502                 p->p_lwpdir = p->p_lwpfree = lwpdir;
 503                 p->p_lwpdir_sz = 2;
 504                 lep->le_thread = curthread;
 505                 lep->le_lwpid = curthread->t_tid;
 506                 lep->le_start = curthread->t_start;
 507                 lwp_hash_in(p, lep, tidhash, 2, 0);
 508                 p->p_tidhash = tidhash;
 509                 p->p_tidhash_sz = 2;
 510         }
 511         ret_tidhash = p->p_ret_tidhash;
 512         p->p_ret_tidhash = NULL;
 513 
 514         /*
 515          * Restore the saved signal mask and
 516          * inform /proc that the exec() has finished.
 517          */
 518         curthread->t_hold = savedmask;
 519         prexecend();
 520         mutex_exit(&p->p_lock);
 521         if (old_lwpdir) {
 522                 kmem_free(old_lwpdir, old_lwpdir_sz * sizeof (lwpdir_t));
 523                 kmem_free(old_tidhash, old_tidhash_sz * sizeof (tidhash_t));
 524         }
 525         while (ret_tidhash != NULL) {
 526                 ret_tidhash_t *next = ret_tidhash->rth_next;
 527                 kmem_free(ret_tidhash->rth_tidhash,
 528                     ret_tidhash->rth_tidhash_sz * sizeof (tidhash_t));
 529                 kmem_free(ret_tidhash, sizeof (*ret_tidhash));
 530                 ret_tidhash = next;
 531         }
 532 
 533         ASSERT(error == 0);
 534         DTRACE_PROC(exec__success);
 535         return (0);
 536 
 537 fail:
 538         DTRACE_PROC1(exec__failure, int, error);
 539 out:            /* error return */
 540         mutex_enter(&p->p_lock);
 541         curthread->t_hold = savedmask;
 542         prexecend();
 543         mutex_exit(&p->p_lock);
 544         ASSERT(error != 0);
 545         return (error);
 546 }
 547 
 548 
 549 /*
 550  * Perform generic exec duties and switchout to object-file specific
 551  * handler.
 552  */
 553 int
 554 gexec(
 555         struct vnode **vpp,
 556         struct execa *uap,
 557         struct uarg *args,
 558         struct intpdata *idatap,
 559         int level,
 560         long *execsz,
 561         caddr_t exec_file,
 562         struct cred *cred,
 563         int brand_action)
 564 {
 565         struct vnode *vp, *execvp = NULL;
 566         proc_t *pp = ttoproc(curthread);
 567         struct execsw *eswp;
 568         int error = 0;
 569         int suidflags = 0;
 570         ssize_t resid;
 571         uid_t uid, gid;
 572         struct vattr vattr;
 573         char magbuf[MAGIC_BYTES];
 574         int setid;
 575         cred_t *oldcred, *newcred = NULL;
 576         int privflags = 0;
 577         int setidfl;
 578         priv_set_t fset;
 579         secflagset_t old_secflags;
 580 
 581         secflags_copy(&old_secflags, &pp->p_secflags.psf_effective);
 582 
 583         /*
 584          * If the SNOCD or SUGID flag is set, turn it off and remember the
 585          * previous setting so we can restore it if we encounter an error.
 586          */
 587         if (level == 0 && (pp->p_flag & PSUIDFLAGS)) {
 588                 mutex_enter(&pp->p_lock);
 589                 suidflags = pp->p_flag & PSUIDFLAGS;
 590                 pp->p_flag &= ~PSUIDFLAGS;
 591                 mutex_exit(&pp->p_lock);
 592         }
 593 
 594         if ((error = execpermissions(*vpp, &vattr, args)) != 0)
 595                 goto bad_noclose;
 596 
 597         /* need to open vnode for stateful file systems */
 598         if ((error = VOP_OPEN(vpp, FREAD, CRED(), NULL)) != 0)
 599                 goto bad_noclose;
 600         vp = *vpp;
 601 
 602         /*
 603          * Note: to support binary compatibility with SunOS a.out
 604          * executables, we read in the first four bytes, as the
 605          * magic number is in bytes 2-3.
 606          */
 607         if (error = vn_rdwr(UIO_READ, vp, magbuf, sizeof (magbuf),
 608             (offset_t)0, UIO_SYSSPACE, 0, (rlim64_t)0, CRED(), &resid))
 609                 goto bad;
 610         if (resid != 0)
 611                 goto bad;
 612 
 613         if ((eswp = findexec_by_hdr(magbuf)) == NULL)
 614                 goto bad;
 615 
 616         if (level == 0 &&
 617             (privflags = execsetid(vp, &vattr, &uid, &gid, &fset,
 618             args->pfcred == NULL ? cred : args->pfcred, args->pathname)) != 0) {
 619 
 620                 /* Pfcred is a credential with a ref count of 1 */
 621 
 622                 if (args->pfcred != NULL) {
 623                         privflags |= PRIV_INCREASE|PRIV_RESET;
 624                         newcred = cred = args->pfcred;
 625                 } else {
 626                         newcred = cred = crdup(cred);
 627                 }
 628 
 629                 /* If we can, drop the PA bit */
 630                 if ((privflags & PRIV_RESET) != 0)
 631                         priv_adjust_PA(cred);
 632 
 633                 if (privflags & PRIV_SETID) {
 634                         cred->cr_uid = uid;
 635                         cred->cr_gid = gid;
 636                         cred->cr_suid = uid;
 637                         cred->cr_sgid = gid;
 638                 }
 639 
 640                 if (privflags & MAC_FLAGS) {
 641                         if (!(CR_FLAGS(cred) & NET_MAC_AWARE_INHERIT))
 642                                 CR_FLAGS(cred) &= ~NET_MAC_AWARE;
 643                         CR_FLAGS(cred) &= ~NET_MAC_AWARE_INHERIT;
 644                 }
 645 
 646                 /*
 647                  * Implement the privilege updates:
 648                  *
 649                  * Restrict with L:
 650                  *
 651                  *      I' = I & L
 652                  *
 653                  *      E' = P' = (I' + F) & A
 654                  *
 655                  * But if running under ptrace, we cap I and F with P.
 656                  */
 657                 if ((privflags & (PRIV_RESET|PRIV_FORCED)) != 0) {
 658                         if ((privflags & PRIV_INCREASE) != 0 &&
 659                             (pp->p_proc_flag & P_PR_PTRACE) != 0) {
 660                                 priv_intersect(&CR_OPPRIV(cred),
 661                                     &CR_IPRIV(cred));
 662                                 priv_intersect(&CR_OPPRIV(cred), &fset);
 663                         }
 664                         priv_intersect(&CR_LPRIV(cred), &CR_IPRIV(cred));
 665                         CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred);
 666                         if (privflags & PRIV_FORCED) {
 667                                 priv_set_PA(cred);
 668                                 priv_union(&fset, &CR_EPRIV(cred));
 669                                 priv_union(&fset, &CR_PPRIV(cred));
 670                         }
 671                         priv_adjust_PA(cred);
 672                 }
 673         } else if (level == 0 && args->pfcred != NULL) {
 674                 newcred = cred = args->pfcred;
 675                 privflags |= PRIV_INCREASE;
 676                 /* pfcred is not forced to adhere to these settings */
 677                 priv_intersect(&CR_LPRIV(cred), &CR_IPRIV(cred));
 678                 CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred);
 679                 priv_adjust_PA(cred);
 680         }
 681 
 682         /* The new image gets the inheritable secflags as its secflags */
 683         secflags_promote(pp);
 684 
 685         /* SunOS 4.x buy-back */
 686         if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) &&
 687             (vattr.va_mode & (VSUID|VSGID))) {
 688                 char path[MAXNAMELEN];
 689                 refstr_t *mntpt = NULL;
 690                 int ret = -1;
 691 
 692                 bzero(path, sizeof (path));
 693                 zone_hold(pp->p_zone);
 694 
 695                 ret = vnodetopath(pp->p_zone->zone_rootvp, vp, path,
 696                     sizeof (path), cred);
 697 
 698                 /* fallback to mountpoint if a path can't be found */
 699                 if ((ret != 0) || (ret == 0 && path[0] == '\0'))
 700                         mntpt = vfs_getmntpoint(vp->v_vfsp);
 701 
 702                 if (mntpt == NULL)
 703                         zcmn_err(pp->p_zone->zone_id, CE_NOTE,
 704                             "!uid %d: setuid execution not allowed, "
 705                             "file=%s", cred->cr_uid, path);
 706                 else
 707                         zcmn_err(pp->p_zone->zone_id, CE_NOTE,
 708                             "!uid %d: setuid execution not allowed, "
 709                             "fs=%s, file=%s", cred->cr_uid,
 710                             ZONE_PATH_TRANSLATE(refstr_value(mntpt),
 711                             pp->p_zone), exec_file);
 712 
 713                 if (!INGLOBALZONE(pp)) {
 714                         /* zone_rootpath always has trailing / */
 715                         if (mntpt == NULL)
 716                                 cmn_err(CE_NOTE, "!zone: %s, uid: %d "
 717                                     "setuid execution not allowed, file=%s%s",
 718                                     pp->p_zone->zone_name, cred->cr_uid,
 719                                     pp->p_zone->zone_rootpath, path + 1);
 720                         else
 721                                 cmn_err(CE_NOTE, "!zone: %s, uid: %d "
 722                                     "setuid execution not allowed, fs=%s, "
 723                                     "file=%s", pp->p_zone->zone_name,
 724                                     cred->cr_uid, refstr_value(mntpt),
 725                                     exec_file);
 726                 }
 727 
 728                 if (mntpt != NULL)
 729                         refstr_rele(mntpt);
 730 
 731                 zone_rele(pp->p_zone);
 732         }
 733 
 734         /*
 735          * execsetid() told us whether or not we had to change the
 736          * credentials of the process.  In privflags, it told us
 737          * whether we gained any privileges or executed a set-uid executable.
 738          */
 739         setid = (privflags & (PRIV_SETUGID|PRIV_INCREASE|PRIV_FORCED));
 740 
 741         /*
 742          * Use /etc/system variable to determine if the stack
 743          * should be marked as executable by default.
 744          */
 745         if ((noexec_user_stack != 0) ||
 746             secflag_enabled(pp, PROC_SEC_NOEXECSTACK))
 747                 args->stk_prot &= ~PROT_EXEC;
 748 
 749         args->execswp = eswp; /* Save execsw pointer in uarg for exec_func */
 750         args->ex_vp = vp;
 751 
 752         /*
 753          * Traditionally, the setid flags told the sub processes whether
 754          * the file just executed was set-uid or set-gid; this caused
 755          * some confusion as the 'setid' flag did not match the SUGID
 756          * process flag which is only set when the uids/gids do not match.
 757          * A script set-gid/set-uid to the real uid/gid would start with
 758          * /dev/fd/X but an executable would happily trust LD_LIBRARY_PATH.
 759          * Now we flag those cases where the calling process cannot
 760          * be trusted to influence the newly exec'ed process, either
 761          * because it runs with more privileges or when the uids/gids
 762          * do in fact not match.
 763          * This also makes the runtime linker agree with the on exec
 764          * values of SNOCD and SUGID.
 765          */
 766         setidfl = 0;
 767         if (cred->cr_uid != cred->cr_ruid || (cred->cr_rgid != cred->cr_gid &&
 768             !supgroupmember(cred->cr_gid, cred))) {
 769                 setidfl |= EXECSETID_UGIDS;
 770         }
 771         if (setid & PRIV_SETUGID)
 772                 setidfl |= EXECSETID_SETID;
 773         if (setid & PRIV_FORCED)
 774                 setidfl |= EXECSETID_PRIVS;
 775 
 776         execvp = pp->p_exec;
 777         if (execvp)
 778                 VN_HOLD(execvp);
 779 
 780         error = (*eswp->exec_func)(vp, uap, args, idatap, level, execsz,
 781             setidfl, exec_file, cred, brand_action);
 782         rw_exit(eswp->exec_lock);
 783         if (error != 0) {
 784                 if (execvp)
 785                         VN_RELE(execvp);
 786                 /*
 787                  * If this process's p_exec has been set to the vp of
 788                  * the executable by exec_func, we will return without
 789                  * calling VOP_CLOSE because proc_exit will close it
 790                  * on exit.
 791                  */
 792                 if (pp->p_exec == vp)
 793                         goto bad_noclose;
 794                 else
 795                         goto bad;
 796         }
 797 
 798         if (level == 0) {
 799                 uid_t oruid;
 800 
 801                 if (execvp != NULL) {
 802                         /*
 803                          * Close the previous executable only if we are
 804                          * at level 0.
 805                          */
 806                         (void) VOP_CLOSE(execvp, FREAD, 1, (offset_t)0,
 807                             cred, NULL);
 808                 }
 809 
 810                 mutex_enter(&pp->p_crlock);
 811 
 812                 oruid = pp->p_cred->cr_ruid;
 813 
 814                 if (newcred != NULL) {
 815                         /*
 816                          * Free the old credentials, and set the new ones.
 817                          * Do this for both the process and the (single) thread.
 818                          */
 819                         crfree(pp->p_cred);
 820                         pp->p_cred = cred;   /* cred already held for proc */
 821                         crhold(cred);           /* hold new cred for thread */
 822                         /*
 823                          * DTrace accesses t_cred in probe context.  t_cred
 824                          * must always be either NULL, or point to a valid,
 825                          * allocated cred structure.
 826                          */
 827                         oldcred = curthread->t_cred;
 828                         curthread->t_cred = cred;
 829                         crfree(oldcred);
 830 
 831                         if (priv_basic_test >= 0 &&
 832                             !PRIV_ISMEMBER(&CR_IPRIV(newcred),
 833                             priv_basic_test)) {
 834                                 pid_t pid = pp->p_pid;
 835                                 char *fn = PTOU(pp)->u_comm;
 836 
 837                                 cmn_err(CE_WARN, "%s[%d]: exec: basic_test "
 838                                     "privilege removed from E/I", fn, pid);
 839                         }
 840                 }
 841                 /*
 842                  * On emerging from a successful exec(), the saved
 843                  * uid and gid equal the effective uid and gid.
 844                  */
 845                 cred->cr_suid = cred->cr_uid;
 846                 cred->cr_sgid = cred->cr_gid;
 847 
 848                 /*
 849                  * If the real and effective ids do not match, this
 850                  * is a setuid process that should not dump core.
 851                  * The group comparison is tricky; we prevent the code
 852                  * from flagging SNOCD when executing with an effective gid
 853                  * which is a supplementary group.
 854                  */
 855                 if (cred->cr_ruid != cred->cr_uid ||
 856                     (cred->cr_rgid != cred->cr_gid &&
 857                     !supgroupmember(cred->cr_gid, cred)) ||
 858                     (privflags & PRIV_INCREASE) != 0)
 859                         suidflags = PSUIDFLAGS;
 860                 else
 861                         suidflags = 0;
 862 
 863                 mutex_exit(&pp->p_crlock);
 864                 if (newcred != NULL && oruid != newcred->cr_ruid) {
 865                         /* Note that the process remains in the same zone. */
 866                         mutex_enter(&pidlock);
 867                         upcount_dec(oruid, crgetzoneid(newcred));
 868                         upcount_inc(newcred->cr_ruid, crgetzoneid(newcred));
 869                         mutex_exit(&pidlock);
 870                 }
 871                 if (suidflags) {
 872                         mutex_enter(&pp->p_lock);
 873                         pp->p_flag |= suidflags;
 874                         mutex_exit(&pp->p_lock);
 875                 }
 876                 if (setid && (pp->p_proc_flag & P_PR_PTRACE) == 0) {
 877                         /*
 878                          * If process is traced via /proc, arrange to
 879                          * invalidate the associated /proc vnode.
 880                          */
 881                         if (pp->p_plist || (pp->p_proc_flag & P_PR_TRACE))
 882                                 args->traceinval = 1;
 883                 }
 884                 if (pp->p_proc_flag & P_PR_PTRACE)
 885                         psignal(pp, SIGTRAP);
 886                 if (args->traceinval)
 887                         prinvalidate(&pp->p_user);
 888         }
 889         if (execvp)
 890                 VN_RELE(execvp);
 891         return (0);
 892 
 893 bad:
 894         (void) VOP_CLOSE(vp, FREAD, 1, (offset_t)0, cred, NULL);
 895 
 896 bad_noclose:
 897         if (newcred != NULL)
 898                 crfree(newcred);
 899         if (error == 0)
 900                 error = ENOEXEC;
 901 
 902         mutex_enter(&pp->p_lock);
 903         if (suidflags) {
 904                 pp->p_flag |= suidflags;
 905         }
 906         /*
 907          * Restore the effective secflags, to maintain the invariant they
 908          * never change for a given process
 909          */
 910         secflags_copy(&pp->p_secflags.psf_effective, &old_secflags);
 911         mutex_exit(&pp->p_lock);
 912 
 913         return (error);
 914 }
 915 
 916 extern char *execswnames[];
 917 
 918 struct execsw *
 919 allocate_execsw(char *name, char *magic, size_t magic_size)
 920 {
 921         int i, j;
 922         char *ename;
 923         char *magicp;
 924 
 925         mutex_enter(&execsw_lock);
 926         for (i = 0; i < nexectype; i++) {
 927                 if (execswnames[i] == NULL) {
 928                         ename = kmem_alloc(strlen(name) + 1, KM_SLEEP);
 929                         (void) strcpy(ename, name);
 930                         execswnames[i] = ename;
 931                         /*
 932                          * Set the magic number last so that we
 933                          * don't need to hold the execsw_lock in
 934                          * findexectype().
 935                          */
 936                         magicp = kmem_alloc(magic_size, KM_SLEEP);
 937                         for (j = 0; j < magic_size; j++)
 938                                 magicp[j] = magic[j];
 939                         execsw[i].exec_magic = magicp;
 940                         mutex_exit(&execsw_lock);
 941                         return (&execsw[i]);
 942                 }
 943         }
 944         mutex_exit(&execsw_lock);
 945         return (NULL);
 946 }
 947 
 948 /*
 949  * Find the exec switch table entry with the corresponding magic string.
 950  */
 951 struct execsw *
 952 findexecsw(char *magic)
 953 {
 954         struct execsw *eswp;
 955 
 956         for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
 957                 ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
 958                 if (magic && eswp->exec_maglen != 0 &&
 959                     bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0)
 960                         return (eswp);
 961         }
 962         return (NULL);
 963 }
 964 
 965 /*
 966  * Find the execsw[] index for the given exec header string by looking for the
 967  * magic string at a specified offset and length for each kind of executable
 968  * file format until one matches.  If no execsw[] entry is found, try to
 969  * autoload a module for this magic string.
 970  */
 971 struct execsw *
 972 findexec_by_hdr(char *header)
 973 {
 974         struct execsw *eswp;
 975 
 976         for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
 977                 ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
 978                 if (header && eswp->exec_maglen != 0 &&
 979                     bcmp(&header[eswp->exec_magoff], eswp->exec_magic,
 980                     eswp->exec_maglen) == 0) {
 981                         if (hold_execsw(eswp) != 0)
 982                                 return (NULL);
 983                         return (eswp);
 984                 }
 985         }
 986         return (NULL);  /* couldn't find the type */
 987 }
 988 
 989 /*
 990  * Find the execsw[] index for the given magic string.  If no execsw[] entry
 991  * is found, try to autoload a module for this magic string.
 992  */
 993 struct execsw *
 994 findexec_by_magic(char *magic)
 995 {
 996         struct execsw *eswp;
 997 
 998         for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
 999                 ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
1000                 if (magic && eswp->exec_maglen != 0 &&
1001                     bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0) {
1002                         if (hold_execsw(eswp) != 0)
1003                                 return (NULL);
1004                         return (eswp);
1005                 }
1006         }
1007         return (NULL);  /* couldn't find the type */
1008 }
1009 
1010 static int
1011 hold_execsw(struct execsw *eswp)
1012 {
1013         char *name;
1014 
1015         rw_enter(eswp->exec_lock, RW_READER);
1016         while (!LOADED_EXEC(eswp)) {
1017                 rw_exit(eswp->exec_lock);
1018                 name = execswnames[eswp-execsw];
1019                 ASSERT(name);
1020                 if (modload("exec", name) == -1)
1021                         return (-1);
1022                 rw_enter(eswp->exec_lock, RW_READER);
1023         }
1024         return (0);
1025 }
1026 
1027 static int
1028 execsetid(struct vnode *vp, struct vattr *vattrp, uid_t *uidp, uid_t *gidp,
1029     priv_set_t *fset, cred_t *cr, const char *pathname)
1030 {
1031         proc_t *pp = ttoproc(curthread);
1032         uid_t uid, gid;
1033         int privflags = 0;
1034 
1035         /*
1036          * Remember credentials.
1037          */
1038         uid = cr->cr_uid;
1039         gid = cr->cr_gid;
1040 
1041         /* Will try to reset the PRIV_AWARE bit later. */
1042         if ((CR_FLAGS(cr) & (PRIV_AWARE|PRIV_AWARE_INHERIT)) == PRIV_AWARE)
1043                 privflags |= PRIV_RESET;
1044 
1045         if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) == 0) {
1046                 /*
1047                  * If it's a set-uid root program we perform the
1048                  * forced privilege look-aside. This has three possible
1049                  * outcomes:
1050                  *      no look aside information -> treat as before
1051                  *      look aside in Limit set -> apply forced privs
1052                  *      look aside not in Limit set -> ignore set-uid root
1053                  *
1054                  * Ordinary set-uid root execution only allowed if the limit
1055                  * set holds all unsafe privileges.
1056                  */
1057                 if (vattrp->va_mode & VSUID) {
1058                         if (vattrp->va_uid == 0) {
1059                                 int res = get_forced_privs(cr, pathname, fset);
1060 
1061                                 switch (res) {
1062                                 case -1:
1063                                         if (priv_issubset(&priv_unsafe,
1064                                             &CR_LPRIV(cr))) {
1065                                                 uid = vattrp->va_uid;
1066                                                 privflags |= PRIV_SETUGID;
1067                                         }
1068                                         break;
1069                                 case 0:
1070                                         privflags |= PRIV_FORCED|PRIV_INCREASE;
1071                                         break;
1072                                 default:
1073                                         break;
1074                                 }
1075                         } else {
1076                                 uid = vattrp->va_uid;
1077                                 privflags |= PRIV_SETUGID;
1078                         }
1079                 }
1080                 if (vattrp->va_mode & VSGID) {
1081                         gid = vattrp->va_gid;
1082                         privflags |= PRIV_SETUGID;
1083                 }
1084         }
1085 
1086         /*
1087          * Do we need to change our credential anyway?
1088          * This is the case when E != I or P != I, as
1089          * we need to do the assignments (with F empty and A full)
1090          * Or when I is not a subset of L; in that case we need to
1091          * enforce L.
1092          *
1093          *              I' = L & I
1094          *
1095          *              E' = P' = (I' + F) & A
1096          * or
1097          *              E' = P' = I'
1098          */
1099         if (!priv_isequalset(&CR_EPRIV(cr), &CR_IPRIV(cr)) ||
1100             !priv_issubset(&CR_IPRIV(cr), &CR_LPRIV(cr)) ||
1101             !priv_isequalset(&CR_PPRIV(cr), &CR_IPRIV(cr)))
1102                 privflags |= PRIV_RESET;
1103 
1104         /* Child has more privileges than parent */
1105         if (!priv_issubset(&CR_IPRIV(cr), &CR_PPRIV(cr)))
1106                 privflags |= PRIV_INCREASE;
1107 
1108         /* If MAC-aware flag(s) are on, need to update cred to remove. */
1109         if ((CR_FLAGS(cr) & NET_MAC_AWARE) ||
1110             (CR_FLAGS(cr) & NET_MAC_AWARE_INHERIT))
1111                 privflags |= MAC_FLAGS;
1112         /*
1113          * Set setuid/setgid protections if no ptrace() compatibility.
1114          * For privileged processes, honor setuid/setgid even in
1115          * the presence of ptrace() compatibility.
1116          */
1117         if (((pp->p_proc_flag & P_PR_PTRACE) == 0 ||
1118             PRIV_POLICY_ONLY(cr, PRIV_PROC_OWNER, (uid == 0))) &&
1119             (cr->cr_uid != uid ||
1120             cr->cr_gid != gid ||
1121             cr->cr_suid != uid ||
1122             cr->cr_sgid != gid)) {
1123                 *uidp = uid;
1124                 *gidp = gid;
1125                 privflags |= PRIV_SETID;
1126         }
1127         return (privflags);
1128 }
1129 
1130 int
1131 execpermissions(struct vnode *vp, struct vattr *vattrp, struct uarg *args)
1132 {
1133         int error;
1134         proc_t *p = ttoproc(curthread);
1135 
1136         vattrp->va_mask = AT_MODE | AT_UID | AT_GID | AT_SIZE;
1137         if (error = VOP_GETATTR(vp, vattrp, ATTR_EXEC, p->p_cred, NULL))
1138                 return (error);
1139         /*
1140          * Check the access mode.
1141          * If VPROC, ask /proc if the file is an object file.
1142          */
1143         if ((error = VOP_ACCESS(vp, VEXEC, 0, p->p_cred, NULL)) != 0 ||
1144             !(vp->v_type == VREG || (vp->v_type == VPROC && pr_isobject(vp))) ||
1145             (vp->v_vfsp->vfs_flag & VFS_NOEXEC) != 0 ||
1146             (vattrp->va_mode & (VEXEC|(VEXEC>>3)|(VEXEC>>6))) == 0) {
1147                 if (error == 0)
1148                         error = EACCES;
1149                 return (error);
1150         }
1151 
1152         if ((p->p_plist || (p->p_proc_flag & (P_PR_PTRACE|P_PR_TRACE))) &&
1153             (error = VOP_ACCESS(vp, VREAD, 0, p->p_cred, NULL))) {
1154                 /*
1155                  * If process is under ptrace(2) compatibility,
1156                  * fail the exec(2).
1157                  */
1158                 if (p->p_proc_flag & P_PR_PTRACE)
1159                         goto bad;
1160                 /*
1161                  * Process is traced via /proc.
1162                  * Arrange to invalidate the /proc vnode.
1163                  */
1164                 args->traceinval = 1;
1165         }
1166         return (0);
1167 bad:
1168         if (error == 0)
1169                 error = ENOEXEC;
1170         return (error);
1171 }
1172 
1173 /*
1174  * Map a section of an executable file into the user's
1175  * address space.
1176  */
1177 int
1178 execmap(struct vnode *vp, caddr_t addr, size_t len, size_t zfodlen,
1179     off_t offset, int prot, int page, uint_t szc)
1180 {
1181         int error = 0;
1182         off_t oldoffset;
1183         caddr_t zfodbase, oldaddr;
1184         size_t end, oldlen;
1185         size_t zfoddiff;
1186         label_t ljb;
1187         proc_t *p = ttoproc(curthread);
1188 
1189         oldaddr = addr;
1190         addr = (caddr_t)((uintptr_t)addr & (uintptr_t)PAGEMASK);
1191         if (len) {
1192                 oldlen = len;
1193                 len += ((size_t)oldaddr - (size_t)addr);
1194                 oldoffset = offset;
1195                 offset = (off_t)((uintptr_t)offset & PAGEMASK);
1196                 if (page) {
1197                         spgcnt_t  prefltmem, availm, npages;
1198                         int preread;
1199                         uint_t mflag = MAP_PRIVATE | MAP_FIXED;
1200 
1201                         if ((prot & (PROT_WRITE | PROT_EXEC)) == PROT_EXEC) {
1202                                 mflag |= MAP_TEXT;
1203                         } else {
1204                                 mflag |= MAP_INITDATA;
1205                         }
1206 
1207                         if (valid_usr_range(addr, len, prot, p->p_as,
1208                             p->p_as->a_userlimit) != RANGE_OKAY) {
1209                                 error = ENOMEM;
1210                                 goto bad;
1211                         }
1212                         if (error = VOP_MAP(vp, (offset_t)offset,
1213                             p->p_as, &addr, len, prot, PROT_ALL,
1214                             mflag, CRED(), NULL))
1215                                 goto bad;
1216 
1217                         /*
1218                          * If the segment can fit, then we prefault
1219                          * the entire segment in.  This is based on the
1220                          * model that says the best working set of a
1221                          * small program is all of its pages.
1222                          */
1223                         npages = (spgcnt_t)btopr(len);
1224                         prefltmem = freemem - desfree;
1225                         preread =
1226                             (npages < prefltmem && len < PGTHRESH) ? 1 : 0;
1227 
1228                         /*
1229                          * If we aren't prefaulting the segment,
1230                          * increment "deficit", if necessary to ensure
1231                          * that pages will become available when this
1232                          * process starts executing.
1233                          */
1234                         availm = freemem - lotsfree;
1235                         if (preread == 0 && npages > availm &&
1236                             deficit < lotsfree) {
1237                                 deficit += MIN((pgcnt_t)(npages - availm),
1238                                     lotsfree - deficit);
1239                         }
1240 
1241                         if (preread) {
1242                                 TRACE_2(TR_FAC_PROC, TR_EXECMAP_PREREAD,
1243                                     "execmap preread:freemem %d size %lu",
1244                                     freemem, len);
1245                                 (void) as_fault(p->p_as->a_hat, p->p_as,
1246                                     (caddr_t)addr, len, F_INVAL, S_READ);
1247                         }
1248                 } else {
1249                         if (valid_usr_range(addr, len, prot, p->p_as,
1250                             p->p_as->a_userlimit) != RANGE_OKAY) {
1251                                 error = ENOMEM;
1252                                 goto bad;
1253                         }
1254 
1255                         if (error = as_map(p->p_as, addr, len,
1256                             segvn_create, zfod_argsp))
1257                                 goto bad;
1258                         /*
1259                          * Read in the segment in one big chunk.
1260                          */
1261                         if (error = vn_rdwr(UIO_READ, vp, (caddr_t)oldaddr,
1262                             oldlen, (offset_t)oldoffset, UIO_USERSPACE, 0,
1263                             (rlim64_t)0, CRED(), (ssize_t *)0))
1264                                 goto bad;
1265                         /*
1266                          * Now set protections.
1267                          */
1268                         if (prot != PROT_ZFOD) {
1269                                 (void) as_setprot(p->p_as, (caddr_t)addr,
1270                                     len, prot);
1271                         }
1272                 }
1273         }
1274 
1275         if (zfodlen) {
1276                 struct as *as = curproc->p_as;
1277                 struct seg *seg;
1278                 uint_t zprot = 0;
1279 
1280                 end = (size_t)addr + len;
1281                 zfodbase = (caddr_t)roundup(end, PAGESIZE);
1282                 zfoddiff = (uintptr_t)zfodbase - end;
1283                 if (zfoddiff) {
1284                         /*
1285                          * Before we go to zero the remaining space on the last
1286                          * page, make sure we have write permission.
1287                          *
1288                          * Normal illumos binaries don't even hit the case
1289                          * where we have to change permission on the last page
1290                          * since their protection is typically either
1291                          *    PROT_USER | PROT_WRITE | PROT_READ
1292                          * or
1293                          *    PROT_ZFOD (same as PROT_ALL).
1294                          *
1295                          * We need to be careful how we zero-fill the last page
1296                          * if the segment protection does not include
1297                          * PROT_WRITE. Using as_setprot() can cause the VM
1298                          * segment code to call segvn_vpage(), which must
1299                          * allocate a page struct for each page in the segment.
1300                          * If we have a very large segment, this may fail, so
1301                          * we have to check for that, even though we ignore
1302                          * other return values from as_setprot.
1303                          */
1304 
1305                         AS_LOCK_ENTER(as, RW_READER);
1306                         seg = as_segat(curproc->p_as, (caddr_t)end);
1307                         if (seg != NULL)
1308                                 SEGOP_GETPROT(seg, (caddr_t)end, zfoddiff - 1,
1309                                     &zprot);
1310                         AS_LOCK_EXIT(as);
1311 
1312                         if (seg != NULL && (zprot & PROT_WRITE) == 0) {
1313                                 if (as_setprot(as, (caddr_t)end, zfoddiff - 1,
1314                                     zprot | PROT_WRITE) == ENOMEM) {
1315                                         error = ENOMEM;
1316                                         goto bad;
1317                                 }
1318                         }
1319 
1320                         if (on_fault(&ljb)) {
1321                                 no_fault();
1322                                 if (seg != NULL && (zprot & PROT_WRITE) == 0)
1323                                         (void) as_setprot(as, (caddr_t)end,
1324                                             zfoddiff - 1, zprot);
1325                                 error = EFAULT;
1326                                 goto bad;
1327                         }
1328                         uzero((void *)end, zfoddiff);
1329                         no_fault();
1330                         if (seg != NULL && (zprot & PROT_WRITE) == 0)
1331                                 (void) as_setprot(as, (caddr_t)end,
1332                                     zfoddiff - 1, zprot);
1333                 }
1334                 if (zfodlen > zfoddiff) {
1335                         struct segvn_crargs crargs =
1336                             SEGVN_ZFOD_ARGS(PROT_ZFOD, PROT_ALL);
1337 
1338                         zfodlen -= zfoddiff;
1339                         if (valid_usr_range(zfodbase, zfodlen, prot, p->p_as,
1340                             p->p_as->a_userlimit) != RANGE_OKAY) {
1341                                 error = ENOMEM;
1342                                 goto bad;
1343                         }
1344                         if (szc > 0) {
1345                                 /*
1346                                  * ASSERT alignment because the mapelfexec()
1347                                  * caller for the szc > 0 case extended zfod
1348                                  * so it's end is pgsz aligned.
1349                                  */
1350                                 size_t pgsz = page_get_pagesize(szc);
1351                                 ASSERT(IS_P2ALIGNED(zfodbase + zfodlen, pgsz));
1352 
1353                                 if (IS_P2ALIGNED(zfodbase, pgsz)) {
1354                                         crargs.szc = szc;
1355                                 } else {
1356                                         crargs.szc = AS_MAP_HEAP;
1357                                 }
1358                         } else {
1359                                 crargs.szc = AS_MAP_NO_LPOOB;
1360                         }
1361                         if (error = as_map(p->p_as, (caddr_t)zfodbase,
1362                             zfodlen, segvn_create, &crargs))
1363                                 goto bad;
1364                         if (prot != PROT_ZFOD) {
1365                                 (void) as_setprot(p->p_as, (caddr_t)zfodbase,
1366                                     zfodlen, prot);
1367                         }
1368                 }
1369         }
1370         return (0);
1371 bad:
1372         return (error);
1373 }
1374 
1375 void
1376 setexecenv(struct execenv *ep)
1377 {
1378         proc_t *p = ttoproc(curthread);
1379         klwp_t *lwp = ttolwp(curthread);
1380         struct vnode *vp;
1381 
1382         p->p_bssbase = ep->ex_bssbase;
1383         p->p_brkbase = ep->ex_brkbase;
1384         p->p_brksize = ep->ex_brksize;
1385         if (p->p_exec)
1386                 VN_RELE(p->p_exec);  /* out with the old */
1387         vp = p->p_exec = ep->ex_vp;
1388         if (vp != NULL)
1389                 VN_HOLD(vp);            /* in with the new */
1390 
1391         lwp->lwp_sigaltstack.ss_sp = 0;
1392         lwp->lwp_sigaltstack.ss_size = 0;
1393         lwp->lwp_sigaltstack.ss_flags = SS_DISABLE;
1394 }
1395 
1396 int
1397 execopen(struct vnode **vpp, int *fdp)
1398 {
1399         struct vnode *vp = *vpp;
1400         file_t *fp;
1401         int error = 0;
1402         int filemode = FREAD;
1403 
1404         VN_HOLD(vp);            /* open reference */
1405         if (error = falloc(NULL, filemode, &fp, fdp)) {
1406                 VN_RELE(vp);
1407                 *fdp = -1;      /* just in case falloc changed value */
1408                 return (error);
1409         }
1410         if (error = VOP_OPEN(&vp, filemode, CRED(), NULL)) {
1411                 VN_RELE(vp);
1412                 setf(*fdp, NULL);
1413                 unfalloc(fp);
1414                 *fdp = -1;
1415                 return (error);
1416         }
1417         *vpp = vp;              /* vnode should not have changed */
1418         fp->f_vnode = vp;
1419         mutex_exit(&fp->f_tlock);
1420         setf(*fdp, fp);
1421         return (0);
1422 }
1423 
1424 int
1425 execclose(int fd)
1426 {
1427         return (closeandsetf(fd, NULL));
1428 }
1429 
1430 
1431 /*
1432  * noexec stub function.
1433  */
1434 /*ARGSUSED*/
1435 int
1436 noexec(
1437     struct vnode *vp,
1438     struct execa *uap,
1439     struct uarg *args,
1440     struct intpdata *idatap,
1441     int level,
1442     long *execsz,
1443     int setid,
1444     caddr_t exec_file,
1445     struct cred *cred)
1446 {
1447         cmn_err(CE_WARN, "missing exec capability for %s", uap->fname);
1448         return (ENOEXEC);
1449 }
1450 
1451 /*
1452  * Support routines for building a user stack.
1453  *
1454  * execve(path, argv, envp) must construct a new stack with the specified
1455  * arguments and environment variables (see exec_args() for a description
1456  * of the user stack layout).  To do this, we copy the arguments and
1457  * environment variables from the old user address space into the kernel,
1458  * free the old as, create the new as, and copy our buffered information
1459  * to the new stack.  Our kernel buffer has the following structure:
1460  *
1461  *      +-----------------------+ <--- stk_base + stk_size
1462  *      | string offsets        |
1463  *      +-----------------------+ <--- stk_offp
1464  *      |                       |
1465  *      | STK_AVAIL() space     |
1466  *      |                       |
1467  *      +-----------------------+ <--- stk_strp
1468  *      | strings               |
1469  *      +-----------------------+ <--- stk_base
1470  *
1471  * When we add a string, we store the string's contents (including the null
1472  * terminator) at stk_strp, and we store the offset of the string relative to
1473  * stk_base at --stk_offp.  At strings are added, stk_strp increases and
1474  * stk_offp decreases.  The amount of space remaining, STK_AVAIL(), is just
1475  * the difference between these pointers.  If we run out of space, we return
1476  * an error and exec_args() starts all over again with a buffer twice as large.
1477  * When we're all done, the kernel buffer looks like this:
1478  *
1479  *      +-----------------------+ <--- stk_base + stk_size
1480  *      | argv[0] offset        |
1481  *      +-----------------------+
1482  *      | ...                   |
1483  *      +-----------------------+
1484  *      | argv[argc-1] offset   |
1485  *      +-----------------------+
1486  *      | envp[0] offset        |
1487  *      +-----------------------+
1488  *      | ...                   |
1489  *      +-----------------------+
1490  *      | envp[envc-1] offset   |
1491  *      +-----------------------+
1492  *      | AT_SUN_PLATFORM offset|
1493  *      +-----------------------+
1494  *      | AT_SUN_EXECNAME offset|
1495  *      +-----------------------+ <--- stk_offp
1496  *      |                       |
1497  *      | STK_AVAIL() space     |
1498  *      |                       |
1499  *      +-----------------------+ <--- stk_strp
1500  *      | AT_SUN_EXECNAME offset|
1501  *      +-----------------------+
1502  *      | AT_SUN_PLATFORM offset|
1503  *      +-----------------------+
1504  *      | envp[envc-1] string   |
1505  *      +-----------------------+
1506  *      | ...                   |
1507  *      +-----------------------+
1508  *      | envp[0] string        |
1509  *      +-----------------------+
1510  *      | argv[argc-1] string   |
1511  *      +-----------------------+
1512  *      | ...                   |
1513  *      +-----------------------+
1514  *      | argv[0] string        |
1515  *      +-----------------------+ <--- stk_base
1516  */
1517 
1518 #define STK_AVAIL(args)         ((char *)(args)->stk_offp - (args)->stk_strp)
1519 
1520 /*
1521  * Add a string to the stack.
1522  */
1523 static int
1524 stk_add(uarg_t *args, const char *sp, enum uio_seg segflg)
1525 {
1526         int error;
1527         size_t len;
1528 
1529         if (STK_AVAIL(args) < sizeof (int))
1530                 return (E2BIG);
1531         *--args->stk_offp = args->stk_strp - args->stk_base;
1532 
1533         if (segflg == UIO_USERSPACE) {
1534                 error = copyinstr(sp, args->stk_strp, STK_AVAIL(args), &len);
1535                 if (error != 0)
1536                         return (error);
1537         } else {
1538                 len = strlen(sp) + 1;
1539                 if (len > STK_AVAIL(args))
1540                         return (E2BIG);
1541                 bcopy(sp, args->stk_strp, len);
1542         }
1543 
1544         args->stk_strp += len;
1545 
1546         return (0);
1547 }
1548 
1549 static int
1550 stk_getptr(uarg_t *args, char *src, char **dst)
1551 {
1552         int error;
1553 
1554         if (args->from_model == DATAMODEL_NATIVE) {
1555                 ulong_t ptr;
1556                 error = fulword(src, &ptr);
1557                 *dst = (caddr_t)ptr;
1558         } else {
1559                 uint32_t ptr;
1560                 error = fuword32(src, &ptr);
1561                 *dst = (caddr_t)(uintptr_t)ptr;
1562         }
1563         return (error);
1564 }
1565 
1566 static int
1567 stk_putptr(uarg_t *args, char *addr, char *value)
1568 {
1569         if (args->to_model == DATAMODEL_NATIVE)
1570                 return (sulword(addr, (ulong_t)value));
1571         else
1572                 return (suword32(addr, (uint32_t)(uintptr_t)value));
1573 }
1574 
1575 static int
1576 stk_copyin(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp)
1577 {
1578         char *sp;
1579         int argc, error;
1580         int argv_empty = 0;
1581         size_t ptrsize = args->from_ptrsize;
1582         size_t size, pad;
1583         char *argv = (char *)uap->argp;
1584         char *envp = (char *)uap->envp;
1585 
1586         /*
1587          * Copy interpreter's name and argument to argv[0] and argv[1].
1588          * In the rare case that we have nested interpreters then those names
1589          * and arguments are also copied to the subsequent slots in argv.
1590          */
1591         if (intp != NULL && intp->intp_name[0] != NULL) {
1592                 int i;
1593 
1594                 for (i = 0; i < INTP_MAXDEPTH; i++) {
1595                         if (intp->intp_name[i] == NULL)
1596                                 break;
1597                         error = stk_add(args, intp->intp_name[i], UIO_SYSSPACE);
1598                         if (error != 0)
1599                                 return (error);
1600                         if (intp->intp_arg[i] != NULL) {
1601                                 error = stk_add(args, intp->intp_arg[i],
1602                                     UIO_SYSSPACE);
1603                                 if (error != 0)
1604                                         return (error);
1605                         }
1606                 }
1607 
1608                 if (args->fname != NULL)
1609                         error = stk_add(args, args->fname, UIO_SYSSPACE);
1610                 else
1611                         error = stk_add(args, uap->fname, UIO_USERSPACE);
1612                 if (error)
1613                         return (error);
1614 
1615                 /*
1616                  * Check for an empty argv[].
1617                  */
1618                 if (stk_getptr(args, argv, &sp))
1619                         return (EFAULT);
1620                 if (sp == NULL)
1621                         argv_empty = 1;
1622 
1623                 argv += ptrsize;                /* ignore original argv[0] */
1624         }
1625 
1626         if (argv_empty == 0) {
1627                 /*
1628                  * Add argv[] strings to the stack.
1629                  */
1630                 for (;;) {
1631                         if (stk_getptr(args, argv, &sp))
1632                                 return (EFAULT);
1633                         if (sp == NULL)
1634                                 break;
1635                         if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0)
1636                                 return (error);
1637                         argv += ptrsize;
1638                 }
1639         }
1640         argc = (int *)(args->stk_base + args->stk_size) - args->stk_offp;
1641         args->arglen = args->stk_strp - args->stk_base;
1642 
1643         /*
1644          * Add environ[] strings to the stack.
1645          */
1646         if (envp != NULL) {
1647                 for (;;) {
1648                         char *tmp = args->stk_strp;
1649                         if (stk_getptr(args, envp, &sp))
1650                                 return (EFAULT);
1651                         if (sp == NULL)
1652                                 break;
1653                         if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0)
1654                                 return (error);
1655                         if (args->scrubenv && strncmp(tmp, "LD_", 3) == 0) {
1656                                 /* Undo the copied string */
1657                                 args->stk_strp = tmp;
1658                                 *(args->stk_offp++) = NULL;
1659                         }
1660                         envp += ptrsize;
1661                 }
1662         }
1663         args->na = (int *)(args->stk_base + args->stk_size) - args->stk_offp;
1664         args->ne = args->na - argc;
1665 
1666         /*
1667          * Add AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME, and
1668          * AT_SUN_EMULATOR strings to the stack.
1669          */
1670         if (auxvpp != NULL && *auxvpp != NULL) {
1671                 if ((error = stk_add(args, platform, UIO_SYSSPACE)) != 0)
1672                         return (error);
1673                 if ((error = stk_add(args, args->pathname, UIO_SYSSPACE)) != 0)
1674                         return (error);
1675                 if (args->brandname != NULL &&
1676                     (error = stk_add(args, args->brandname, UIO_SYSSPACE)) != 0)
1677                         return (error);
1678                 if (args->emulator != NULL &&
1679                     (error = stk_add(args, args->emulator, UIO_SYSSPACE)) != 0)
1680                         return (error);
1681         }
1682 
1683         /*
1684          * Compute the size of the stack.  This includes all the pointers,
1685          * the space reserved for the aux vector, and all the strings.
1686          * The total number of pointers is args->na (which is argc + envc)
1687          * plus 4 more: (1) a pointer's worth of space for argc; (2) the NULL
1688          * after the last argument (i.e. argv[argc]); (3) the NULL after the
1689          * last environment variable (i.e. envp[envc]); and (4) the NULL after
1690          * all the strings, at the very top of the stack.
1691          */
1692         size = (args->na + 4) * args->to_ptrsize + args->auxsize +
1693             (args->stk_strp - args->stk_base);
1694 
1695         /*
1696          * Pad the string section with zeroes to align the stack size.
1697          */
1698         pad = P2NPHASE(size, args->stk_align);
1699 
1700         if (STK_AVAIL(args) < pad)
1701                 return (E2BIG);
1702 
1703         args->usrstack_size = size + pad;
1704 
1705         while (pad-- != 0)
1706                 *args->stk_strp++ = 0;
1707 
1708         args->nc = args->stk_strp - args->stk_base;
1709 
1710         return (0);
1711 }
1712 
1713 static int
1714 stk_copyout(uarg_t *args, char *usrstack, void **auxvpp, user_t *up)
1715 {
1716         size_t ptrsize = args->to_ptrsize;
1717         ssize_t pslen;
1718         char *kstrp = args->stk_base;
1719         char *ustrp = usrstack - args->nc - ptrsize;
1720         char *usp = usrstack - args->usrstack_size;
1721         int *offp = (int *)(args->stk_base + args->stk_size);
1722         int envc = args->ne;
1723         int argc = args->na - envc;
1724         int i;
1725 
1726         /*
1727          * Record argc for /proc.
1728          */
1729         up->u_argc = argc;
1730 
1731         /*
1732          * Put argc on the stack.  Note that even though it's an int,
1733          * it always consumes ptrsize bytes (for alignment).
1734          */
1735         if (stk_putptr(args, usp, (char *)(uintptr_t)argc))
1736                 return (-1);
1737 
1738         /*
1739          * Add argc space (ptrsize) to usp and record argv for /proc.
1740          */
1741         up->u_argv = (uintptr_t)(usp += ptrsize);
1742 
1743         /*
1744          * Put the argv[] pointers on the stack.
1745          */
1746         for (i = 0; i < argc; i++, usp += ptrsize)
1747                 if (stk_putptr(args, usp, &ustrp[*--offp]))
1748                         return (-1);
1749 
1750         /*
1751          * Copy arguments to u_psargs.
1752          */
1753         pslen = MIN(args->arglen, PSARGSZ) - 1;
1754         for (i = 0; i < pslen; i++)
1755                 up->u_psargs[i] = (kstrp[i] == '\0' ? ' ' : kstrp[i]);
1756         while (i < PSARGSZ)
1757                 up->u_psargs[i++] = '\0';
1758 
1759         /*
1760          * Add space for argv[]'s NULL terminator (ptrsize) to usp and
1761          * record envp for /proc.
1762          */
1763         up->u_envp = (uintptr_t)(usp += ptrsize);
1764 
1765         /*
1766          * Put the envp[] pointers on the stack.
1767          */
1768         for (i = 0; i < envc; i++, usp += ptrsize)
1769                 if (stk_putptr(args, usp, &ustrp[*--offp]))
1770                         return (-1);
1771 
1772         /*
1773          * Add space for envp[]'s NULL terminator (ptrsize) to usp and
1774          * remember where the stack ends, which is also where auxv begins.
1775          */
1776         args->stackend = usp += ptrsize;
1777 
1778         /*
1779          * Put all the argv[], envp[], and auxv strings on the stack.
1780          */
1781         if (copyout(args->stk_base, ustrp, args->nc))
1782                 return (-1);
1783 
1784         /*
1785          * Fill in the aux vector now that we know the user stack addresses
1786          * for the AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME and
1787          * AT_SUN_EMULATOR strings.
1788          */
1789         if (auxvpp != NULL && *auxvpp != NULL) {
1790                 if (args->to_model == DATAMODEL_NATIVE) {
1791                         auxv_t **a = (auxv_t **)auxvpp;
1792                         ADDAUX(*a, AT_SUN_PLATFORM, (long)&ustrp[*--offp])
1793                         ADDAUX(*a, AT_SUN_EXECNAME, (long)&ustrp[*--offp])
1794                         if (args->brandname != NULL)
1795                                 ADDAUX(*a,
1796                                     AT_SUN_BRANDNAME, (long)&ustrp[*--offp])
1797                         if (args->emulator != NULL)
1798                                 ADDAUX(*a,
1799                                     AT_SUN_EMULATOR, (long)&ustrp[*--offp])
1800                 } else {
1801                         auxv32_t **a = (auxv32_t **)auxvpp;
1802                         ADDAUX(*a,
1803                             AT_SUN_PLATFORM, (int)(uintptr_t)&ustrp[*--offp])
1804                         ADDAUX(*a,
1805                             AT_SUN_EXECNAME, (int)(uintptr_t)&ustrp[*--offp])
1806                         if (args->brandname != NULL)
1807                                 ADDAUX(*a, AT_SUN_BRANDNAME,
1808                                     (int)(uintptr_t)&ustrp[*--offp])
1809                         if (args->emulator != NULL)
1810                                 ADDAUX(*a, AT_SUN_EMULATOR,
1811                                     (int)(uintptr_t)&ustrp[*--offp])
1812                 }
1813         }
1814 
1815         return (0);
1816 }
1817 
1818 /*
1819  * Though the actual stack base is constant, slew the %sp by a random aligned
1820  * amount in [0,aslr_max_stack_skew).  Mostly, this makes life slightly more
1821  * complicated for buffer overflows hoping to overwrite the return address.
1822  *
1823  * On some platforms this helps avoid cache thrashing when identical processes
1824  * simultaneously share caches that don't provide enough associativity
1825  * (e.g. sun4v systems). In this case stack slewing makes the same hot stack
1826  * variables in different processes live in different cache sets increasing
1827  * effective associativity.
1828  */
1829 size_t
1830 exec_get_spslew(void)
1831 {
1832 #ifdef sun4v
1833         static uint_t sp_color_stride = 16;
1834         static uint_t sp_color_mask = 0x1f;
1835         static uint_t sp_current_color = (uint_t)-1;
1836 #endif
1837         size_t off;
1838 
1839         ASSERT(ISP2(aslr_max_stack_skew));
1840 
1841         if ((aslr_max_stack_skew == 0) ||
1842             !secflag_enabled(curproc, PROC_SEC_ASLR)) {
1843 #ifdef sun4v
1844                 uint_t spcolor = atomic_inc_32_nv(&sp_current_color);
1845                 return ((size_t)((spcolor & sp_color_mask) *
1846                     SA(sp_color_stride)));
1847 #else
1848                 return (0);
1849 #endif
1850         }
1851 
1852         (void) random_get_pseudo_bytes((uint8_t *)&off, sizeof (off));
1853         return (SA(P2PHASE(off, aslr_max_stack_skew)));
1854 }
1855 
1856 /*
1857  * Initialize a new user stack with the specified arguments and environment.
1858  * The initial user stack layout is as follows:
1859  *
1860  *      User Stack
1861  *      +---------------+ <--- curproc->p_usrstack
1862  *      |               |
1863  *      | slew          |
1864  *      |               |
1865  *      +---------------+
1866  *      | NULL          |
1867  *      +---------------+
1868  *      |               |
1869  *      | auxv strings  |
1870  *      |               |
1871  *      +---------------+
1872  *      |               |
1873  *      | envp strings  |
1874  *      |               |
1875  *      +---------------+
1876  *      |               |
1877  *      | argv strings  |
1878  *      |               |
1879  *      +---------------+ <--- ustrp
1880  *      |               |
1881  *      | aux vector    |
1882  *      |               |
1883  *      +---------------+ <--- auxv
1884  *      | NULL          |
1885  *      +---------------+
1886  *      | envp[envc-1]  |
1887  *      +---------------+
1888  *      | ...           |
1889  *      +---------------+
1890  *      | envp[0]       |
1891  *      +---------------+ <--- envp[]
1892  *      | NULL          |
1893  *      +---------------+
1894  *      | argv[argc-1]  |
1895  *      +---------------+
1896  *      | ...           |
1897  *      +---------------+
1898  *      | argv[0]       |
1899  *      +---------------+ <--- argv[]
1900  *      | argc          |
1901  *      +---------------+ <--- stack base
1902  */
1903 int
1904 exec_args(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp)
1905 {
1906         size_t size;
1907         int error;
1908         proc_t *p = ttoproc(curthread);
1909         user_t *up = PTOU(p);
1910         char *usrstack;
1911         rctl_entity_p_t e;
1912         struct as *as;
1913         extern int use_stk_lpg;
1914         size_t sp_slew;
1915 
1916         args->from_model = p->p_model;
1917         if (p->p_model == DATAMODEL_NATIVE) {
1918                 args->from_ptrsize = sizeof (long);
1919         } else {
1920                 args->from_ptrsize = sizeof (int32_t);
1921         }
1922 
1923         if (args->to_model == DATAMODEL_NATIVE) {
1924                 args->to_ptrsize = sizeof (long);
1925                 args->ncargs = NCARGS;
1926                 args->stk_align = STACK_ALIGN;
1927                 if (args->addr32)
1928                         usrstack = (char *)USRSTACK64_32;
1929                 else
1930                         usrstack = (char *)USRSTACK;
1931         } else {
1932                 args->to_ptrsize = sizeof (int32_t);
1933                 args->ncargs = NCARGS32;
1934                 args->stk_align = STACK_ALIGN32;
1935                 usrstack = (char *)USRSTACK32;
1936         }
1937 
1938         ASSERT(P2PHASE((uintptr_t)usrstack, args->stk_align) == 0);
1939 
1940 #if defined(__sparc)
1941         /*
1942          * Make sure user register windows are empty before
1943          * attempting to make a new stack.
1944          */
1945         (void) flush_user_windows_to_stack(NULL);
1946 #endif
1947 
1948         for (size = PAGESIZE; ; size *= 2) {
1949                 args->stk_size = size;
1950                 args->stk_base = kmem_alloc(size, KM_SLEEP);
1951                 args->stk_strp = args->stk_base;
1952                 args->stk_offp = (int *)(args->stk_base + size);
1953                 error = stk_copyin(uap, args, intp, auxvpp);
1954                 if (error == 0)
1955                         break;
1956                 kmem_free(args->stk_base, size);
1957                 if (error != E2BIG && error != ENAMETOOLONG)
1958                         return (error);
1959                 if (size >= args->ncargs)
1960                         return (E2BIG);
1961         }
1962 
1963         size = args->usrstack_size;
1964 
1965         ASSERT(error == 0);
1966         ASSERT(P2PHASE(size, args->stk_align) == 0);
1967         ASSERT((ssize_t)STK_AVAIL(args) >= 0);
1968 
1969         if (size > args->ncargs) {
1970                 kmem_free(args->stk_base, args->stk_size);
1971                 return (E2BIG);
1972         }
1973 
1974         /*
1975          * Leave only the current lwp and force the other lwps to exit.
1976          * If another lwp beat us to the punch by calling exit(), bail out.
1977          */
1978         if ((error = exitlwps(0)) != 0) {
1979                 kmem_free(args->stk_base, args->stk_size);
1980                 return (error);
1981         }
1982 
1983         /*
1984          * Revoke any doors created by the process.
1985          */
1986         if (p->p_door_list)
1987                 door_exit();
1988 
1989         /*
1990          * Release schedctl data structures.
1991          */
1992         if (p->p_pagep)
1993                 schedctl_proc_cleanup();
1994 
1995         /*
1996          * Clean up any DTrace helpers for the process.
1997          */
1998         if (p->p_dtrace_helpers != NULL) {
1999                 ASSERT(dtrace_helpers_cleanup != NULL);
2000                 (*dtrace_helpers_cleanup)();
2001         }
2002 
2003         mutex_enter(&p->p_lock);
2004         /*
2005          * Cleanup the DTrace provider associated with this process.
2006          */
2007         if (p->p_dtrace_probes) {
2008                 ASSERT(dtrace_fasttrap_exec_ptr != NULL);
2009                 dtrace_fasttrap_exec_ptr(p);
2010         }
2011         mutex_exit(&p->p_lock);
2012 
2013         /*
2014          * discard the lwpchan cache.
2015          */
2016         if (p->p_lcp != NULL)
2017                 lwpchan_destroy_cache(1);
2018 
2019         /*
2020          * Delete the POSIX timers.
2021          */
2022         if (p->p_itimer != NULL)
2023                 timer_exit();
2024 
2025         /*
2026          * Delete the ITIMER_REALPROF interval timer.
2027          * The other ITIMER_* interval timers are specified
2028          * to be inherited across exec().
2029          */
2030         delete_itimer_realprof();
2031 
2032         if (AU_AUDITING())
2033                 audit_exec(args->stk_base, args->stk_base + args->arglen,
2034                     args->na - args->ne, args->ne, args->pfcred);
2035 
2036         /*
2037          * Ensure that we don't change resource associations while we
2038          * change address spaces.
2039          */
2040         mutex_enter(&p->p_lock);
2041         pool_barrier_enter();
2042         mutex_exit(&p->p_lock);
2043 
2044         /*
2045          * Destroy the old address space and create a new one.
2046          * From here on, any errors are fatal to the exec()ing process.
2047          * On error we return -1, which means the caller must SIGKILL
2048          * the process.
2049          */
2050         relvm();
2051 
2052         mutex_enter(&p->p_lock);
2053         pool_barrier_exit();
2054         mutex_exit(&p->p_lock);
2055 
2056         up->u_execsw = args->execswp;
2057 
2058         p->p_brkbase = NULL;
2059         p->p_brksize = 0;
2060         p->p_brkpageszc = 0;
2061         p->p_stksize = 0;
2062         p->p_stkpageszc = 0;
2063         p->p_model = args->to_model;
2064         p->p_usrstack = usrstack;
2065         p->p_stkprot = args->stk_prot;
2066         p->p_datprot = args->dat_prot;
2067 
2068         /*
2069          * Reset resource controls such that all controls are again active as
2070          * well as appropriate to the potentially new address model for the
2071          * process.
2072          */
2073         e.rcep_p.proc = p;
2074         e.rcep_t = RCENTITY_PROCESS;
2075         rctl_set_reset(p->p_rctls, p, &e);
2076 
2077         /* Too early to call map_pgsz for the heap */
2078         if (use_stk_lpg) {
2079                 p->p_stkpageszc = page_szc(map_pgsz(MAPPGSZ_STK, p, 0, 0, 0));
2080         }
2081 
2082         mutex_enter(&p->p_lock);
2083         p->p_flag |= SAUTOLPG;       /* kernel controls page sizes */
2084         mutex_exit(&p->p_lock);
2085 
2086         sp_slew = exec_get_spslew();
2087         ASSERT(P2PHASE(sp_slew, args->stk_align) == 0);
2088         /* Be certain we don't underflow */
2089         VERIFY((curproc->p_usrstack - (size + sp_slew)) < curproc->p_usrstack);
2090         exec_set_sp(size + sp_slew);
2091 
2092         as = as_alloc();
2093         p->p_as = as;
2094         as->a_proc = p;
2095         if (p->p_model == DATAMODEL_ILP32 || args->addr32)
2096                 as->a_userlimit = (caddr_t)USERLIMIT32;
2097         (void) hat_setup(as->a_hat, HAT_ALLOC);
2098         hat_join_srd(as->a_hat, args->ex_vp);
2099 
2100         /*
2101          * Finally, write out the contents of the new stack.
2102          */
2103         error = stk_copyout(args, usrstack - sp_slew, auxvpp, up);
2104         kmem_free(args->stk_base, args->stk_size);
2105         return (error);
2106 }