author | jhb <jhb@FreeBSD.org> | 2009-10-23 15:14:54 +0000 |
---|---|---|
committer | jhb <jhb@FreeBSD.org> | 2009-10-23 15:14:54 +0000 |
commit | a661f652ad42ad9b26c5a3ef8344be510bad0693 (patch) | |
tree | 57fba792ef7976f2978ea62c352da98e018bc872 /sys/kern/kern_exec.c | |
parent | 9414145b47d76b8115568171eea860c7f0b4988d (diff) | |
- Fix several off-by-one errors when using MAXCOMLEN. The p_comm[] and
td_name[] arrays are actually MAXCOMLEN + 1 in size and a few places that
created shadow copies of these arrays were just using MAXCOMLEN.
- Prefer using sizeof() of an array type to explicit constants for the
array length in a few places.
- Ensure that all of p_comm[] and td_name[] is always zero'd during
execve() to guard against any possible information leaks. Previously
trailing garbage in p_comm[] could be leaked to userland in ktrace
record headers via td_name[].
Reviewed by: bde
Diffstat (limited to 'sys/kern/kern_exec.c')
-rw-r--r-- | sys/kern/kern_exec.c | 20 |
1 files changed, 7 insertions, 13 deletions
diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index 033f641..dce624d 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -326,7 +326,7 @@ do_execve(td, args, mac_p)
 struct ucred *newcred = NULL, *oldcred;
 struct uidinfo *euip;
 register_t *stack_base;
- int error, len = 0, i;
+ int error, i;
 struct image_params image_params, *imgp;
 struct vattr attr;
 int (*img_first)(struct image_params *);
@@ -602,18 +602,12 @@ interpret:
 execsigs(p);
 /* name this process - nameiexec(p, ndp) */
- if (args->fname) {
- len = min(nd.ni_cnd.cn_namelen,MAXCOMLEN);
- bcopy(nd.ni_cnd.cn_nameptr, p->p_comm, len);
- } else {
- if (vn_commname(binvp, p->p_comm, MAXCOMLEN + 1) == 0)
- len = MAXCOMLEN;
- else {
- len = sizeof(fexecv_proc_title);
- bcopy(fexecv_proc_title, p->p_comm, len);
- }
- }
- p->p_comm[len] = 0;
+ bzero(p->p_comm, sizeof(p->p_comm));
+ if (args->fname)
+ bcopy(nd.ni_cnd.cn_nameptr, p->p_comm,
+ min(nd.ni_cnd.cn_namelen, MAXCOMLEN));
+ else if (vn_commname(binvp, p->p_comm, sizeof(p->p_comm)) != 0)
+ bcopy(fexecv_proc_title, p->p_comm, sizeof(fexecv_proc_title));
 bcopy(p->p_comm, td->td_name, sizeof(td->td_name));
 /* |
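Review bot: The fallback copy on the last added line of the second hunk, `bcopy(fexecv_proc_title, p->p_comm, sizeof(fexecv_proc_title));`, is bounded by the size of the source rather than of `p_comm`, so it stays in bounds only while the title, declared outside this hunk, fits in MAXCOMLEN + 1 bytes. A compile-time check beside that declaration, such as `CTASSERT(sizeof(fexecv_proc_title) <= sizeof(((struct proc *)0)->p_comm));`, would pin the assumption. The zero-fill guarantee from the new `bzero()` also appears to depend on `vn_commname()` writing nothing past its terminator and leaving the buffer untouched when it fails; that function is not visible here, so this is worth confirming. A short comment above the `bzero()`, e.g. `/* Zero all of p_comm so no stale bytes reach userland via td_name. */`, would keep a later cleanup from dropping it. do_execve's body starts and ends outside the hunk.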