Hi, In my tinkering with the ELFSEC mechanism, I have noticed something possibly troubling. In /sys/kern/exec_script.c, shellname is set from cp, which points into hdrstr, which in turn is a pointer to epp->ep_hdr... When I later read the shellname value that was set there, I get part of the ELF header of the program that the script executes. This would be bogus IMO. So I think what's needed here is a malloc, a strlcpy and a free later.
Here is a patch for review, Regards, -peter
Index: exec_script.c
===================================================================
RCS file: /cvs/src/sys/kern/exec_script.c,v
retrieving revision 1.40
diff -u -p -u -r1.40 exec_script.c
--- exec_script.c	11 Feb 2017 19:51:06 -0000	1.40
+++ exec_script.c	9 May 2017 19:44:46 -0000
@@ -184,7 +184,8 @@ check_shell:
 	/* set up the parameters for the recursive check_exec() call */
 	epp->ep_ndp->ni_dirfd = AT_FDCWD;
-	epp->ep_ndp->ni_dirp = shellname;
+	epp->ep_ndp->ni_dirp = malloc(shellnamelen + 1, M_EXEC, M_WAITOK);
+	strlcpy((char *)epp->ep_ndp->ni_dirp, shellname, shellnamelen + 1);
 	epp->ep_ndp->ni_segflg = UIO_SYSSPACE;
 	epp->ep_flags |= EXEC_INDIR;
@@ -271,6 +272,9 @@ fail:
 		}
 		free(shellargp, M_EXEC, 4 * sizeof(char *));
 	}
+
+	/* free epp->ep_ndp->ni_dirp */
+	free((char *)epp->ep_ndp->ni_dirp, M_EXEC, shellnamelen + 1);
 	/*
 	 * free any vmspace-creation commands,
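Review bot: The buffer allocated at `epp->ep_ndp->ni_dirp = malloc(...)` is owned only through that field and is released unconditionally at `fail:` in the second hunk, while the neighbouring `free(shellargp, ...)` is guarded by an `if`; the function body starts before this hunk and the success path is not visible, so whether every path that reaches `fail:` has passed this allocation, and whether a successful exec ever reaches `fail:`, cannot be confirmed from the diff. If some path reaches `fail:` first, the free would be handed the caller's original `ni_dirp`, which this function did not allocate; if the success path returns earlier, the buffer leaks on every successful script exec. I would keep the allocation in a local initialised to NULL next to the other declarations, `char *dirpbuf = NULL;`, then `dirpbuf = malloc(shellnamelen + 1, M_EXEC, M_WAITOK); strlcpy(dirpbuf, shellname, shellnamelen + 1); epp->ep_ndp->ni_dirp = dirpbuf;`, and release it with `if (dirpbuf != NULL) free(dirpbuf, M_EXEC, shellnamelen + 1);` both before the success return and at `fail:`. That also removes the `(char *)` casts that strip `const` from `ni_dirp` in both hunks.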
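Review bot: The comment `/* free epp->ep_ndp->ni_dirp */` restates the statement under it rather than why the buffer exists; I would write `/* ni_dirp was copied out of ep_hdr above, because the recursive check_exec() overwrites that header */` so the next reader does not reinstate the plain pointer. The size passed to free(), `shellnamelen + 1`, must equal the size used at the malloc; since `fail:` is reached from code outside this hunk, it is worth confirming that `shellnamelen` is not modified between the two points.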