Hi,

In my tinkering with the ELFSEC mechanism, I have noticed something
possibly troubling.  In /sys/kern/exec_script.c, shellname is a pointer
to cp, which is a pointer to hdrstr, which is a pointer to epp->ep_hdr...
When I later read what was intended to be the shellname, I get part of
the ELF header of the program that the script executes.  This would be
bogus IMO.  So I think what's needed here is a malloc, a strlcpy and a
free later.

Here is a patch for review,

Regards,
-peter


Index: exec_script.c
===================================================================
RCS file: /cvs/src/sys/kern/exec_script.c,v
retrieving revision 1.40
diff -u -p -u -r1.40 exec_script.c
--- exec_script.c       11 Feb 2017 19:51:06 -0000      1.40
+++ exec_script.c       9 May 2017 19:44:46 -0000
@@ -184,7 +184,8 @@ check_shell:
 
        /* set up the parameters for the recursive check_exec() call */
        epp->ep_ndp->ni_dirfd = AT_FDCWD;
-       epp->ep_ndp->ni_dirp = shellname;
+       epp->ep_ndp->ni_dirp = malloc(shellnamelen + 1, M_EXEC, M_WAITOK);
+       strlcpy((char *)epp->ep_ndp->ni_dirp, shellname, shellnamelen + 1);
        epp->ep_ndp->ni_segflg = UIO_SYSSPACE;
        epp->ep_flags |= EXEC_INDIR;
 
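Review bot: The added strlcpy casts away the const on `epp->ep_ndp->ni_dirp` to write into the buffer, and the same cast is repeated at `fail:` (second hunk); keeping the allocation in a `char *` local avoids both casts and gives the cleanup a pointer that is known to be this allocation: `char *shellnamebuf = malloc(shellnamelen + 1, M_EXEC, M_WAITOK);` / `strlcpy(shellnamebuf, shellname, shellnamelen + 1);` / `epp->ep_ndp->ni_dirp = shellnamebuf;`. The copy now lives until `fail:`, so if the recursive check_exec() succeeds and the function returns before reaching `fail:`, the buffer is never freed; that return is outside this hunk, so please confirm where the success path exits. The enclosing function body continues outside the hunk.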
@@ -271,6 +272,9 @@ fail:
                }
                free(shellargp, M_EXEC, 4 * sizeof(char *));
        }
+
+       /* free epp->ep_ndp->ni_dirp */
+       free((char *)epp->ep_ndp->ni_dirp, M_EXEC, shellnamelen + 1);
 
        /*
         * free any vmspace-creation commands,
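Review bot: The new free at `fail:` is unconditional on `epp->ep_ndp->ni_dirp`, but the matching malloc (first hunk) only runs once control has reached `check_shell:`; any path that reaches `fail:` before that point (the enclosing function continues outside the hunk, so those paths are not visible here) would hand free() a pointer this code never allocated with M_EXEC, which in the kernel is a panic or worse rather than a leak. Tracking the buffer in a local initialised to NULL, e.g. `char *shellnamebuf = NULL;` at the top of the function and `free(shellnamebuf, M_EXEC, shellnamelen + 1);` here, keeps the free tied to the allocation; if the kernel's free() does not accept NULL, guard it with `if (shellnamebuf != NULL)`. The comment `/* free epp->ep_ndp->ni_dirp */` restates the code; a why-comment such as `/* shell path copy allocated at check_shell; ni_dirp must not point into ep_hdr */` tells the reader what the allocation is for.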
