If sufficiently bad things happen during a call to kern_execve(), it is
possible for do_execve() to call exit1() rather than returning. As a result, the sequence "allocate memory; call kern_execve; free memory" can end up leaking memory. This commit documents this astonishing behaviour and adds a call to exec_free_args() before the exit1() call in do_execve(). Since all the users of kern_execve() in the tree use exec_free_args() to free the command-line arguments after kern_execve() returns, this should be safe, and it fixes the memory leak which can otherwise occur.

Submitted by: Peter Holm
MFC after: 3 days
Security: Local denial of service
This commit is contained in:
parent
c48b03fb69
commit
33812c066d
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=150854
@ -230,6 +230,13 @@ __mac_execve(td, uap)
#endif
}
/*
* XXX: kern_execve has the astonishing property of not always
* returning to the caller. If sufficiently bad things happen during
* the call to do_execve(), it can end up calling exit1(); as a result,
* callers must avoid doing anything which they might need to undo
* (e.g., allocating memory).
*/
int
kern_execve(td, args, mac_p)
struct thread *td;
@ -782,6 +789,7 @@ do_execve(td, args, mac_p)
mac_vnode_label_free(interplabel);
#endif
VFS_UNLOCK_GIANT(vfslocked);
exec_free_args(args);
exit1(td, W_EXITCODE(0, SIGABRT));
/* NOT REACHED */
error = 0;
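Review bot: The new `exec_free_args(args);` before `exit1()` is only safe under an ownership rule that nothing on this line states: every caller must own `args` solely through exec_free_args() and hold no other reference to it, because control never returns to let the caller release it. The kern_execve comment added in the first hunk tells callers not to allocate, but it does not say that the argument block itself is consumed on the exit1() path; suggest a one-line comment above the new call, `/* We never return, so release the args the caller would otherwise free. */`, and a sentence in that header comment stating that `args` is released by exec_free_args() when kern_execve() exits the process instead of returning. It is not visible here whether exec_free_args() tolerates a second call or whether any earlier path in do_execve() can already have released `args`, so that should be confirmed, since a double release on this path would turn a leak into a kernel memory-safety bug reachable by an unprivileged process. do_execve() begins and ends outside this hunk.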