authorcperciva <cperciva@FreeBSD.org>2005-10-03 12:49:54 +0000
committercperciva <cperciva@FreeBSD.org>2005-10-03 12:49:54 +0000
commit9e9bb7c93583404b33bc79d1e22137c8ac58afe2 (patch)
tree41a849e3d89b15356aaf22731432226f452107db /sys
parentdc2be3828898bb3809fe9fac9e2c94341fff2cb2 (diff)
If sufficiently bad things happen during a call to kern_execve(), it is
possible for do_execve() to call exit1() rather than returning. As a result, the sequence "allocate memory; call kern_execve; free memory" can end up leaking memory. This commit documents this astonishing behaviour and adds a call to exec_free_args() before the exit1() call in do_execve(). Since all the users of kern_execve() in the tree use exec_free_args() to free the command-line arguments after kern_execve() returns, this should be safe, and it fixes the memory leak which can otherwise occur.

Submitted by: Peter Holm
MFC after: 3 days
Security: Local denial of service
Diffstat (limited to 'sys')
-rw-r--r--sys/kern/kern_exec.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index 689f88d..b84343f 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -230,6 +230,13 @@ __mac_execve(td, uap)
#endif
}
+/*
+ * XXX: kern_execve has the astonishing property of not always
+ * returning to the caller. If sufficiently bad things happen during
+ * the call to do_execve(), it can end up calling exit1(); as a result,
+ * callers must avoid doing anything which they might need to undo
+ * (e.g., allocating memory).
+ */
int
kern_execve(td, args, mac_p)
struct thread *td;
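Review bot: The new comment warns callers not to do anything they might need to undo, but it does not say who owns `args` on the non-returning path, which is the one fact a caller of kern_execve() most needs in order to avoid both the leak this commit fixes and a double free. Suggest extending the comment with: `The one exception is args itself: on the exit1() path do_execve() releases it via exec_free_args(), so callers free args only after kern_execve() returns.` The kern_execve() definition that begins at the end of this hunk continues outside it.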
@@ -782,6 +789,7 @@ exec_fail:
mac_vnode_label_free(interplabel);
#endif
VFS_UNLOCK_GIANT(vfslocked);
+ exec_free_args(args);
exit1(td, W_EXITCODE(0, SIGABRT));
/* NOT REACHED */
error = 0;
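Review bot: The added exec_free_args(args) call sits directly before exit1() with no comment explaining why the callee releases memory that, on every returning path, the callers release themselves; a reader seeing this later could reasonably "fix" it by removing it. Suggest `/* exit1() never returns, so release args here; callers only free them when we return. */` above the call. Whether any earlier code on the route to this exit1() already releases args cannot be seen from the hunk, so that should be confirmed before merge, since a second exec_free_args() here would be a double free rather than a leak. The exec_fail label and the rest of do_execve() lie outside the hunk.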