From a14a9498726f5797cf697d2e198f08dd64bda168 Mon Sep 17 00:00:00 2001
From: Alan Cox
Date: Wed, 28 Jul 2010 04:47:40 +0000
Subject: [PATCH] The interpreter name should no longer be treated as a buffer that can be overwritten. (This change should have been included in r210545.)
Submitted by: kib
---
 sys/amd64/linux32/linux32_sysvec.c | 16 +++++-----------
 sys/i386/linux/linux_sysvec.c | 15 +++++----------
 sys/kern/kern_exec.c | 4 ++++
 sys/sys/imgact.h | 1 +
 4 files changed, 15 insertions(+), 21 deletions(-)
diff --git a/sys/amd64/linux32/linux32_sysvec.c b/sys/amd64/linux32/linux32_sysvec.c
index 010e1d60d5e..b9b182ed0e7 100644
--- a/sys/amd64/linux32/linux32_sysvec.c
+++ b/sys/amd64/linux32/linux32_sysvec.c
@@ -804,7 +804,7 @@ exec_linux_imgact_try(struct image_params *imgp)
 {
 const char *head = (const char *)imgp->image_header;
 char *rpath;
- int error = -1, len;
+ int error = -1;
 
 /*
 * The interpreter for shell scripts run from a linux binary needs
@@ -821,18 +821,12 @@ exec_linux_imgact_try(struct image_params *imgp)
 linux_emul_convpath(FIRST_THREAD_IN_PROC(imgp->proc), imgp->interpreter_name, UIO_SYSSPACE, &rpath, 0, AT_FDCWD);
- if (rpath != NULL) {
- len = strlen(rpath) + 1;
-
- if (len <= MAXSHELLCMDLEN) {
- memcpy(imgp->interpreter_name, rpath,
- len);
- }
- free(rpath, M_TEMP);
- }
+ if (rpath != NULL)
+ imgp->args->fname_buf =
+ imgp->interpreter_name = rpath;
 }
 }
- return(error);
+ return (error);
 }
 
 /*
diff --git a/sys/i386/linux/linux_sysvec.c b/sys/i386/linux/linux_sysvec.c
index 364cc0cdcd8..56582119e77 100644
--- a/sys/i386/linux/linux_sysvec.c
+++ b/sys/i386/linux/linux_sysvec.c
@@ -904,7 +904,7 @@ exec_linux_imgact_try(struct image_params *imgp)
 {
 const char *head = (const char *)imgp->image_header;
 char *rpath;
- int error = -1, len;
+ int error = -1;
 
 /*
 * The interpreter for shell scripts run from a linux binary needs
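Review bot: In the `@@ -821` hunk of sys/amd64/linux32/linux32_sysvec.c, `rpath` is tested and stored although nothing visible initialises it: the declaration shown in the `@@ -804` hunk is `char *rpath;`, and the return value of `linux_emul_convpath()` is not checked. The old code had the same dependency, but the new code keeps the pointer in `imgp->args->fname_buf` and passes it to `free()` later in `exec_free_args()`, so a stale value would become a deferred free of an arbitrary address unless the callee writes `*rpath` on every path, which these hunks do not show. Declaring it as `char *rpath = NULL;` removes that dependency. The same applies to the `@@ -904` and `@@ -920` hunks of sys/i386/linux/linux_sysvec.c; the function body starts and ends outside the hunks.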
@@ -920,17 +920,12 @@ exec_linux_imgact_try(struct image_params *imgp)
 if ((error = exec_shell_imgact(imgp)) == 0) {
 linux_emul_convpath(FIRST_THREAD_IN_PROC(imgp->proc), imgp->interpreter_name, UIO_SYSSPACE, &rpath, 0, AT_FDCWD);
- if (rpath != NULL) {
- len = strlen(rpath) + 1;
-
- if (len <= MAXSHELLCMDLEN) {
- memcpy(imgp->interpreter_name, rpath, len);
- }
- free(rpath, M_TEMP);
- }
+ if (rpath != NULL)
+ imgp->args->fname_buf =
+ imgp->interpreter_name = rpath;
 }
 }
- return(error);
+ return (error);
 }
 
 /*
diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index 2242328d9ea..c60e3294dd9 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -1175,6 +1175,10 @@ exec_free_args(struct image_args *args)
 PATH_MAX + ARG_MAX);
 args->buf = NULL;
 }
+ if (args->fname_buf != NULL) {
+ free(args->fname_buf, M_TEMP);
+ args->fname_buf = NULL;
+ }
 }
 
 /*
diff --git a/sys/sys/imgact.h b/sys/sys/imgact.h
index c4075faafb0..8c183ad70cb 100644
--- a/sys/sys/imgact.h
+++ b/sys/sys/imgact.h
@@ -42,6 +42,7 @@ struct image_args {
 char *begin_envv; /* beginning of envv in buf */
 char *endp; /* current `end' pointer of arg & env strings */
 char *fname; /* pointer to filename of executable (system space) */
+ char *fname_buf; /* pointer to optional malloc(M_TEMP) buffer */
 int stringspace; /* space left in arg & env buffer */
 int argc; /* count of argument strings */
 int envc; /* count of environment strings */
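Review bot: The new assignment `imgp->args->fname_buf = imgp->interpreter_name = rpath;` in the `@@ -920` hunk of sys/i386/linux/linux_sysvec.c overwrites `fname_buf` without looking at its previous value, so if this branch can run more than once for the same `image_args` the earlier M_TEMP allocation is leaked. Whether that can happen depends on `exec_shell_imgact()` and the exec loop, neither of which is visible here. An assertion inside the `if (rpath != NULL)` branch (which then needs braces) would document the assumption: `KASSERT(imgp->args->fname_buf == NULL, ("%s: fname_buf already set", __func__));`. A short comment saying that ownership of `rpath` passes to `imgp->args` and is released by `exec_free_args()` would also explain why the old `free(rpath, M_TEMP)` is gone. The amd64 counterpart has the same assignment; the function body begins outside the hunk.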
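Review bot: `exec_free_args()` now frees `args->fname_buf`, but `imgp->interpreter_name` was set to the same allocation in `exec_linux_imgact_try()`, and the added block in sys/kern/kern_exec.c clears only the `args` field. Any read of `imgp->interpreter_name`, or of another pointer derived from it, after this call would be a use after free; the call sites are not part of this diff, so that ordering should be confirmed. The block also assumes every `struct image_args` is zero-filled before use, otherwise `fname_buf` holds garbage when it is tested here. I would add a comment above the block such as `/* fname_buf may be aliased by imgp->interpreter_name; neither may be used after this point */`. The function starts outside the hunk.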
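Review bot: The comment on the new `fname_buf` member in sys/sys/imgact.h does not say who owns or frees the buffer, which matters because the pointer is also stored in `imgp->interpreter_name`. Suggested wording: `char *fname_buf; /* optional malloc(M_TEMP) buffer holding the interpreter path; freed by exec_free_args() */`. Adding a member in the middle of `struct image_args` also moves the fields after it, so anything built against the old layout needs rebuilding. The struct definition continues outside the hunk.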