do_execve(): lock vnode when needed.

Code after the exec_fail_dealloc label expects that the image vnode is
locked if present.  When copyout() of the strings or auxv vectors fails,
the goto to the error handling did not relock the vnode as required.

The copyout() can be made to fail, e.g. by creating an ELF image with a
PT_GNU_STACK segment disabling the write.

Reported by:	Jonathan Stuart <n0t.jcs@gmail.com> (found by fuzzing)
Sponsored by:	The FreeBSD Foundation
MFC after:	3 days
Konstantin Belousov 2019-02-08 04:06:48 +00:00
parent c0a248ef93
commit 6f26dd50c3
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=343890


@ -696,8 +696,10 @@ do_execve(struct thread *td, struct image_args *args, struct mac *mac_p)
else
error = suword(--stack_base, imgp->args->argc) == 0 ?
0 : EFAULT;
if (error != 0)
if (error != 0) {
vn_lock(imgp->vp, LK_SHARED | LK_RETRY);
goto exec_fail_dealloc;
}
if (args->fdp != NULL) {
/* Install a brand new file descriptor table. */
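Review bot: the new `vn_lock(imgp->vp, LK_SHARED | LK_RETRY);` before `goto exec_fail_dealloc;` dereferences imgp->vp unconditionally, while the commit message describes the cleanup label as expecting the vnode locked only "if present"; either add a one-line comment stating why imgp->vp is guaranteed non-NULL at this point in do_execve(), or guard the call with `if (imgp->vp != NULL)` so the failure path mirrors the label's own assumption. The same comment should say that the vnode was unlocked before the copyout()/suword() calls so a faulting copy does not run with the lock held, and confirm that the shared mode taken here matches the lock mode the code after exec_fail_dealloc releases; neither is visible from the hunk, and the next reader of this error path will otherwise have to reconstruct both.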