From 9e9bb7c93583404b33bc79d1e22137c8ac58afe2 Mon Sep 17 00:00:00 2001
From: cperciva
Date: Mon, 3 Oct 2005 12:49:54 +0000
Subject: If sufficiently bad things happen during a call to kern_execve(), it is possible for do_execve() to call exit1() rather than returning. As a result, the sequence "allocate memory; call kern_execve; free memory" can end up leaking memory. This commit documents this astonishing behaviour and adds a call to exec_free_args() before the exit1() call in do_execve(). Since all the users of kern_execve() in the tree use exec_free_args() to free the command-line arguments after kern_execve() returns, this should be safe, and it fixes the memory leak which can otherwise occur.
Submitted by: Peter Holm
MFC after: 3 days
Security: Local denial of service
---
 sys/kern/kern_exec.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index 689f88d..b84343f 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -230,6 +230,13 @@ __mac_execve(td, uap)
 #endif
 }
 
+/*
+ * XXX: kern_execve has the astonishing property of not always
+ * returning to the caller. If sufficiently bad things happen during
+ * the call to do_execve(), it can end up calling exit1(); as a result,
+ * callers must avoid doing anything which they might need to undo
+ * (e.g., allocating memory).
+ */
 int
 kern_execve(td, args, mac_p)
 struct thread *td;
@@ -782,6 +789,7 @@ exec_fail:
 mac_vnode_label_free(interplabel);
 #endif
 VFS_UNLOCK_GIANT(vfslocked);
+exec_free_args(args);
 exit1(td, W_EXITCODE(0, SIGABRT));
 /* NOT REACHED */
 error = 0;
-- 
cgit v1.1
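Review bot: The new header comment tells callers to avoid anything they might need to undo, yet every in-tree caller already allocates `args` before the call and, per the commit message, relies on kern_execve() freeing it on the non-returning path; the comment should spell out that exception so the documented contract matches the code. I would append a line such as ` * The one exception is args: on the non-returning path kern_execve() frees it with exec_free_args() itself, so callers must free args only after a normal return.` It would also help to name the condition under which exit1() is reached, but that condition is outside this hunk, so I cannot confirm it here. The kern_execve() definition itself continues past the end of the hunk.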
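Review bot: `exec_free_args(args)` is now called inside the `exec_fail:` block of a function whose start and end lie outside this hunk, so it is worth confirming that no earlier label or fall-through path has already freed or partially consumed `args` by the time control reaches this point; otherwise the fix trades a leak for a double free. The placement itself looks right: the free happens after VFS_UNLOCK_GIANT() and immediately before exit1(), so nothing in between can touch `args`, and the existing `/* NOT REACHED */` marker still holds. Because the same `args` is normally freed by the caller after kern_execve() returns, a short comment above the new line would stop a future reader from "fixing" an apparent double free: `/* args is normally freed by our caller, but exit1() never returns there. */`.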