From 118cec38dee6997a4d1e314ac812152af05bda53 Mon Sep 17 00:00:00 2001
From: Matthew Dillon
Date: Thu, 30 Jul 2009 11:33:36 -0700
Subject: [PATCH] Fix nasty bug in exec*() code that can crash the machine.

Fix a case where the exec() would sometimes attempt to free a wild pointer, placing it in the objcache and creating nasty kernel memory corruption.

Reported-by: Borislav Nikolov
---
 sys/emulation/linux/i386/linux_machdep.c | 1 +
 sys/kern/kern_exec.c | 3 +--
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/emulation/linux/i386/linux_machdep.c b/sys/emulation/linux/i386/linux_machdep.c
index 894c537ede..279ecea7aa 100644
--- a/sys/emulation/linux/i386/linux_machdep.c
+++ b/sys/emulation/linux/i386/linux_machdep.c
@@ -119,6 +119,7 @@ sys_linux_execve(struct linux_execve_args *args)
 	kprintf(ARGS(execve, "%s"), path);
 #endif
 	error = nlookup_init(&nd, path, UIO_SYSSPACE, NLC_FOLLOW);
+	bzero(&exec_args, sizeof(exec_args));
 	if (error == 0) {
 		error = exec_copyin_args(&exec_args, path, PATH_SYSSPACE,
 					args->argp, args->envp);
diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index a3cdcfc4f1..1247efa54e 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -537,6 +537,7 @@ sys_execve(struct execve_args *uap)
 	int error;
 
 	error = nlookup_init(&nd, uap->fname, UIO_USERSPACE, NLC_FOLLOW);
+	bzero(&args, sizeof(args));
 	if (error == 0) {
 		error = exec_copyin_args(&args, uap->fname, PATH_USERSPACE,
 					uap->argv, uap->envv);
@@ -754,8 +755,6 @@ exec_copyin_args(struct image_args *args, char *fname,
 	int error = 0;
 	size_t length;
 
-	bzero(args, sizeof(*args));
-
 	args->buf = objcache_get(exec_objcache, M_WAITOK);
 	if (args->buf == NULL)
 		return (ENOMEM);
-- 
2.41.0
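Review bot: The added `bzero(&exec_args, sizeof(exec_args));` is placed between the `nlookup_init()` call and its error check, so the invariant the fix depends on — that exec_args is cleared before any path that can reach cleanup — holds only because nothing between the declaration and this line touches it; moving the zeroing ahead of `nlookup_init()`, directly after the declarations, makes that invariant independent of how this block is later rearranged. The same placement appears in the sys_execve hunk of sys/kern/kern_exec.c (`bzero(&args, sizeof(args));`). Since the commit message is the only record of why the clear now lives in the callers instead of exec_copyin_args, a one-line comment at each site, e.g. `/* cleared here, not in exec_copyin_args(): the error path below must never see a stale args struct */`, would keep a later reader from dropping it as redundant. sys_linux_execve's body starts and ends outside the hunk.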
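Review bot: Removing `bzero(args, sizeof(*args));` turns exec_copyin_args into a function that assumes its caller has already cleared `*args`, yet nothing in the hunk states that precondition; if any caller other than the two updated in this commit exists, it would now hand in a struct with indeterminate fields and the `args->buf` assignment on the next line would be the only field guaranteed set. A comment above the function header, e.g. `/* *args must be zeroed by the caller; this routine only sets fields and never clears them. */`, makes the new contract explicit where the next reader will look. Keeping the clear here as well would cost one redundant bzero per exec while protecting any caller not converted by this change. exec_copyin_args's body continues outside the hunk.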