kernel: have to validate argv[] again when copying to the new stack

we have to validaddr() and vmemchr() all argv[] elements a second
time when we copy to the new stack to deal with the fact that another
process can come in and modify the memory of the process doing the
exec. so the argv[] strings could have changed and increased in
length. we just make sure the data being copied will fit into the
new stack and error when we would overflow.

also make sure to free the ESEG in case the copy pass errors.
This commit is contained in:
cinap_lenrek 2015-08-06 13:20:41 +02:00
parent 281729551f
commit 87d7a3c875

View file

@ -295,8 +295,13 @@ sysexec(va_list list)
free(elem);
free(args);
/* Disaster after commit */
if(!up->seg[SSEG])
if(up->seg[SSEG] == nil)
pexit(up->errstr, 1);
s = up->seg[ESEG];
if(s != nil){
putseg(s);
up->seg[ESEG] = nil;
}
nexterror();
}
align = BY2PG;
@ -438,7 +443,6 @@ sysexec(va_list list)
argv = (char**)(tstk - ssize);
charp = (char*)(tstk - nbytes);
a = charp;
if(indir)
argp = progarg;
else
@ -450,12 +454,22 @@ sysexec(va_list list)
argp = argp0;
}
*argv++ = charp + (USTKTOP-tstk);
n = strlen(*argp) + 1;
memmove(charp, *argp++, n);
a = *argp++;
if(indir)
e = strchr(a, 0);
else {
validaddr((uintptr)a, 1, 0);
e = vmemchr(a, 0, (char*)tstk - charp);
if(e == nil)
error(Ebadarg);
}
n = (e - a) + 1;
memmove(charp, a, n);
charp += n;
}
/* copy args; easiest from new process's stack */
a = (char*)(tstk - nbytes);
n = charp - a;
if(n > 128) /* don't waste too much space on huge arg lists */
n = 128;