If sufficiently bad things happen during a call to kern_execve(), it is
possible for do_execve() to call exit1() rather than returning.  As a
result, the sequence "allocate memory; call kern_execve; free memory"
can end up leaking memory.

This commit documents this astonishing behaviour and adds a call to
exec_free_args() before the exit1() call in do_execve().  Since all
the users of kern_execve() in the tree use exec_free_args() to free
the command-line arguments after kern_execve() returns, this should
be safe, and it fixes the memory leak which can otherwise occur.

Submitted by:	Peter Holm
MFC after:	3 days
Security:	Local denial of service
Colin Percival 2005-10-03 12:49:54 +00:00
parent c48b03fb69
commit 33812c066d
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=150854


@ -230,6 +230,13 @@ __mac_execve(td, uap)
#endif
}
/*
* XXX: kern_execve has the astonishing property of not always
* returning to the caller. If sufficiently bad things happen during
* the call to do_execve(), it can end up calling exit1(); as a result,
* callers must avoid doing anything which they might need to undo
* (e.g., allocating memory).
*/
int
kern_execve(td, args, mac_p)
struct thread *td;
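Review bot: The new comment above kern_execve() tells callers to avoid anything they might need to undo, but this same commit makes an exception for the argument buffer (do_execve() now calls exec_free_args() before exit1()). Stating that exception in the comment, for example "the args structure is freed on the exit1() path, so callers free it only after a normal return", would keep a reader from concluding that args still leaks, or from trying to free it themselves on the non-returning path.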
@ -782,6 +789,7 @@ do_execve(td, args, mac_p)
mac_vnode_label_free(interplabel);
#endif
VFS_UNLOCK_GIANT(vfslocked);
exec_free_args(args);
exit1(td, W_EXITCODE(0, SIGABRT));
/* NOT REACHED */
error = 0;
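Review bot: The added exec_free_args(args) call hands ownership of args from the caller to this abort path, and its correctness depends on exit1() never returning: the commit message says every in-tree caller frees args after kern_execve() returns, so a return here would be a double free. The existing /* NOT REACHED */ marker and the trailing `error = 0;` leave that assumption implicit; a one-line comment on the exec_free_args() call ("freed here because control never returns to the caller") would make the ownership transfer explicit, and it is worth confirming that exec_free_args() is safe to call on args in whatever partially-torn-down state do_execve() has left it at this point, since the visible context shows labels and Giant being released just before.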