author | cperciva <cperciva@FreeBSD.org> | 2005-10-03 12:49:54 +0000 |
---|---|---|
committer | cperciva <cperciva@FreeBSD.org> | 2005-10-03 12:49:54 +0000 |
commit | 9e9bb7c93583404b33bc79d1e22137c8ac58afe2 (patch) | |
tree | 41a849e3d89b15356aaf22731432226f452107db /sys/kern | |
parent | dc2be3828898bb3809fe9fac9e2c94341fff2cb2 (diff) | |
If sufficiently bad things happen during a call to kern_execve(), it is
possible for do_execve() to call exit1() rather than returning. As a
result, the sequence "allocate memory; call kern_execve; free memory"
can end up leaking memory.
This commit documents this astonishing behaviour and adds a call to
exec_free_args() before the exit1() call in do_execve(). Since all
the users of kern_execve() in the tree use exec_free_args() to free
the command-line arguments after kern_execve() returns, this should
be safe, and it fixes the memory leak which can otherwise occur.
Submitted by: Peter Holm
MFC after: 3 days
Security: Local denial of service
Diffstat (limited to 'sys/kern')
-rw-r--r-- | sys/kern/kern_exec.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c index 689f88d..b84343f 100644 --- a/sys/kern/kern_exec.c +++ b/sys/kern/kern_exec.c @@ -230,6 +230,13 @@ __mac_execve(td, uap) #endif } +/* + * XXX: kern_execve has the astonishing property of not always + * returning to the caller. If sufficiently bad things happen during + * the call to do_execve(), it can end up calling exit1(); as a result, + * callers must avoid doing anything which they might need to undo + * (e.g., allocating memory). + */ int kern_execve(td, args, mac_p) struct thread *td; @@ -782,6 +789,7 @@ exec_fail: mac_vnode_label_free(interplabel); #endif VFS_UNLOCK_GIANT(vfslocked); + exec_free_args(args); exit1(td, W_EXITCODE(0, SIGABRT)); /* NOT REACHED */ error = 0; |
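Review bot: the new block comment above kern_execve() in the first hunk tells callers to avoid anything they might need to undo, "e.g., allocating memory", but the commit message says every in-tree caller does allocate the argument buffer and relies on exec_free_args() after return. The comment should say what this change actually guarantees: that on the non-returning path do_execve() itself calls exec_free_args(args) before exit1(), so the args buffer is the one allocation callers may hold, and any other resource they hold across the call will still be leaked. As written, a reader of the comment alone cannot tell whether args is covered. Also consider whether "XXX" is the right marker once the behaviour is documented and the leak is fixed, or whether a plain note is clearer.

Review bot: the added exec_free_args(args) in the second hunk is correct only because exit1() never returns, otherwise the caller's own exec_free_args() after kern_execve() would double-free; that invariant is implied by the existing "/* NOT REACHED */" comment on the following line, so it is worth stating in the commit or in the comment next to the call that the free is unconditional here because control does not come back. It is also worth confirming that exit1(td, ...) does not touch td's execve arguments after they have been freed, since args is released while the thread is still running. Finally, the context line "error = 0;" after "/* NOT REACHED */" is dead code on this path and could be dropped or left as-is; the order of VFS_UNLOCK_GIANT(vfslocked) before the free is fine.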