From c42e554dc94e2282ddd9fe20bfff7b07fe489104 Mon Sep 17 00:00:00 2001
From: Marcin Wojtas
Date: Tue, 19 Mar 2019 02:45:32 +0000
Subject: [PATCH] Add missing boot.4th verification

During initialization of the forth interpreter the loader looks for "/boot/boot.4th" and executes any code found there. That file was loaded bypassing verification. Add a call to verify_file to change that.

Submitted by: Kornel Duleba
Reviewed by: sjg
Obtained from: Semihalf
Sponsored by: Stormshield
---
 stand/common/interp_forth.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/stand/common/interp_forth.c b/stand/common/interp_forth.c
index be56d514180..68ecb8ab136 100644
--- a/stand/common/interp_forth.c
+++ b/stand/common/interp_forth.c
@@ -283,6 +283,12 @@ bf_init(void)
 
 /* try to load and run init file if present */
 if ((fd = open("/boot/boot.4th", O_RDONLY)) != -1) {
+#ifdef LOADER_VERIEXEC
+ if (verify_file(fd, "/boot/boot.4th", 0, VE_GUESS) < 0) {
+ close(fd);
+ return;
+ }
+#endif
 (void)ficlExecFD(bf_vm, fd);
 close(fd);
 }
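Review bot: The added `verify_file` call passes `VE_GUESS`, so how strictly a file that the loader executes as Forth code is checked depends on what the verifier infers from the name rather than on an explicit choice at this call site. If that guess can resolve to a permissive level for a `.4th` name (not visible from this hunk), an unsigned boot.4th would still run; stating the requirement explicitly, e.g. `if (verify_file(fd, "/boot/boot.4th", 0, VE_MUST) < 0) {`, or adding a comment that records why guessing is sufficient here, would make the intent auditable. The failure path also returns from `bf_init` without printing anything, so unless `verify_file` reports the failure itself the operator gets no indication that the init file was rejected; a short `printf` before `close(fd)` would help. The body of `bf_init` starts before the hunk and may continue after it, so check that the early `return` does not skip later initialization.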