authorAaron Campbell <aaron@cvs.openbsd.org>2006-01-07 04:18:48 +0000
committerAaron Campbell <aaron@cvs.openbsd.org>2006-01-07 04:18:48 +0000
commitac4c6abd2c7099fcda9ad17cb0bb1b8c0d142995 (patch)
treefe71f0461f02373dfba664481d3c39c86c0fdd77 /sys
parent5b4c083d594687e945c3460d046a9b0fe94ed679 (diff)
Backout last revision, it's broken. Try pkg_add redhat_base-8.0p7 on i386
to see; page fault trap in linux_elf_probe (char *itp is being passed as NULL and then "if (itp[0])" attempts to dereference it). deraadt@ "trash it asap"
Diffstat (limited to 'sys')
-rw-r--r--sys/kern/exec_elf.c62
1 files changed, 33 insertions, 29 deletions
diff --git a/sys/kern/exec_elf.c b/sys/kern/exec_elf.c
index b775939c82b..5b11805837d 100644
--- a/sys/kern/exec_elf.c
+++ b/sys/kern/exec_elf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: exec_elf.c,v 1.51 2006/01/06 06:46:04 tedu Exp $ */
+/* $OpenBSD: exec_elf.c,v 1.52 2006/01/07 04:18:47 aaron Exp $ */
/*
* Copyright (c) 1996 Per Fogelstrom
@@ -36,7 +36,6 @@
#include <sys/kernel.h>
#include <sys/proc.h>
#include <sys/malloc.h>
-#include <sys/pool.h>
#include <sys/mount.h>
#include <sys/namei.h>
#include <sys/vnode.h>
@@ -394,7 +393,7 @@ ELFNAME(load_file)(struct proc *p, char *path, struct exec_package *epp,
}
phsize = eh.e_phnum * sizeof(Elf_Phdr);
- ph = malloc(phsize, M_TEMP, M_WAITOK);
+ ph = (Elf_Phdr *)malloc(phsize, M_TEMP, M_WAITOK);
if ((error = ELFNAME(read_from)(p, nd.ni_vp, eh.e_phoff, (caddr_t)ph,
phsize)) != 0)
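Review bot: The `(Elf_Phdr *)` cast on the result of `malloc` is unnecessary in C; the removed line shows the assignment compiles without it, and the cast is one more place to update if the type of `ph` ever changes. `ph = malloc(phsize, M_TEMP, M_WAITOK);` is sufficient. The same applies to the other malloc casts this commit restores in makecmds and os_pt_note, and to the `(char *)` casts passed to `free` in the later hunks. ELFNAME(load_file) starts and ends outside this hunk.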
@@ -515,7 +514,7 @@ bad1:
VOP_CLOSE(nd.ni_vp, FREAD, p->p_ucred, p);
bad:
if (ph != NULL)
- free(ph, M_TEMP);
+ free((char *)ph, M_TEMP);
*last = addr;
vput(nd.ni_vp);
@@ -538,7 +537,7 @@ ELFNAME2(exec,makecmds)(struct proc *p, struct exec_package *epp)
Elf_Phdr *ph, *pp;
Elf_Addr phdr = 0;
int error, i;
- char *interp = NULL;
+ char interp[MAXPATHLEN];
u_long pos = 0, phsize;
u_int8_t os = OOS_NULL;
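Review bot: `char interp[MAXPATHLEN]` keeps a full path-sized buffer on the kernel stack for the whole of makecmds, and the declaration carries no comment saying why that cost is accepted. Going by the commit description, the array form means the probe functions can no longer be handed a NULL `itp`. A comment such as `/* on-stack so probe functions always get a valid, possibly empty, string */` would record that reason. The function body continues outside this hunk.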
@@ -565,7 +564,7 @@ ELFNAME2(exec,makecmds)(struct proc *p, struct exec_package *epp)
* from the file
*/
phsize = eh->e_phnum * sizeof(Elf_Phdr);
- ph = malloc(phsize, M_TEMP, M_WAITOK);
+ ph = (Elf_Phdr *)malloc(phsize, M_TEMP, M_WAITOK);
if ((error = ELFNAME(read_from)(p, epp->ep_vp, eh->e_phoff, (caddr_t)ph,
phsize)) != 0)
@@ -574,16 +573,16 @@ ELFNAME2(exec,makecmds)(struct proc *p, struct exec_package *epp)
epp->ep_tsize = ELFDEFNNAME(NO_ADDR);
epp->ep_dsize = ELFDEFNNAME(NO_ADDR);
+ interp[0] = '\0';
+
for (i = 0; i < eh->e_phnum; i++) {
pp = &ph[i];
if (pp->p_type == PT_INTERP) {
- if (pp->p_filesz >= MAXPATHLEN)
+ if (pp->p_filesz >= sizeof(interp))
goto bad;
- interp = pool_get(&namei_pool, PR_WAITOK);
if ((error = ELFNAME(read_from)(p, epp->ep_vp,
- pp->p_offset, interp, pp->p_filesz)) != 0) {
+ pp->p_offset, (caddr_t)interp, pp->p_filesz)) != 0)
goto bad;
- }
break;
}
}
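Review bot: Nothing in this hunk NUL-terminates `interp` after the read. Only `interp[0]` is initialised, and `read_from` fills `p_filesz` bytes taken from the executable, so a PT_INTERP segment without a trailing NUL leaves the path running into uninitialised stack bytes. The check above guarantees `pp->p_filesz < sizeof(interp)`, so adding `interp[pp->p_filesz] = '\0';` after a successful read is in bounds and closes this. How `interp` is consumed afterwards is only partly visible, and the loop sits inside makecmds, whose body starts and ends outside the hunk.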
@@ -601,7 +600,7 @@ ELFNAME2(exec,makecmds)(struct proc *p, struct exec_package *epp)
*
* Probe functions would normally see if the interpreter (if any)
* exists. Emulation packages may possibly replace the interpreter in
- * *interp with a changed path (/emul/xxx/<path>), and also
+ * interp[] with a changed path (/emul/xxx/<path>), and also
* set the ep_emul field in the exec package structure.
*/
error = ENOEXEC;
@@ -717,17 +716,21 @@ native:
if (epp->ep_tsize == ELFDEFNNAME(NO_ADDR))
epp->ep_tsize = 0;
- epp->ep_interp = interp;
- epp->ep_entry = eh->e_entry;
-
/*
* Check if we found a dynamically linked binary and arrange to load
* it's interpreter when the exec file is released.
*/
- if (interp) {
+ if (interp[0]) {
+ char *ip;
struct elf_args *ap;
- ap = malloc(sizeof(struct elf_args), M_TEMP, M_WAITOK);
+ ip = (char *)malloc(MAXPATHLEN, M_TEMP, M_WAITOK);
+ ap = (struct elf_args *)
+ malloc(sizeof(struct elf_args), M_TEMP, M_WAITOK);
+
+ bcopy(interp, ip, MAXPATHLEN);
+ epp->ep_interp = ip;
+ epp->ep_interp_pos = pos;
ap->arg_phaddr = phdr;
ap->arg_phentsize = eh->e_phentsize;
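Review bot: `bcopy(interp, ip, MAXPATHLEN)` copies the entire stack buffer, but the visible code only writes `interp[0]` and the `p_filesz` bytes read from the file, so the tail of the heap copy is whatever was on the kernel stack. Copying only the string, for example `strlcpy(ip, interp, MAXPATHLEN);` once `interp` is known to be NUL-terminated, keeps stale stack contents out of an allocation that outlives this function. Zeroing `interp` before the PT_INTERP loop would achieve the same. The enclosing function starts above and continues below the hunk.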
@@ -736,7 +739,10 @@ native:
ap->arg_os = os;
epp->ep_emul_arg = ap;
- epp->ep_interp_pos = pos;
+ epp->ep_entry = eh->e_entry; /* keep check_exec() happy */
+ } else {
+ epp->ep_interp = NULL;
+ epp->ep_entry = eh->e_entry;
}
#if defined(COMPAT_SVR4) && defined(i386)
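Review bot: Both arms of `if (interp[0])` now end with `epp->ep_entry = eh->e_entry;`, so the assignment is duplicated and only one copy carries the `keep check_exec() happy` comment. Setting `ep_entry` once before the `if`, and leaving only `epp->ep_interp = NULL;` in the `else`, says the same thing with one line to maintain. The `if` opens in the previous hunk.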
@@ -748,14 +754,12 @@ native:
epp->ep_vp, 0, VM_PROT_READ);
#endif
- free(ph, M_TEMP);
+ free((char *)ph, M_TEMP);
vn_marktext(epp->ep_vp);
return (exec_setup_stack(p, epp));
bad:
- if (interp)
- pool_put(&namei_pool, interp);
- free(ph, M_TEMP);
+ free((char *)ph, M_TEMP);
kill_vmcmds(&epp->ep_vmcmds);
return (ENOEXEC);
}
@@ -777,12 +781,12 @@ ELFNAME2(exec,fixup)(struct proc *p, struct exec_package *epp)
return (0);
}
- interp = epp->ep_interp;
- ap = epp->ep_emul_arg;
+ interp = (char *)epp->ep_interp;
+ ap = (struct elf_args *)epp->ep_emul_arg;
if ((error = ELFNAME(load_file)(p, interp, epp, ap, &pos)) != 0) {
- free(ap, M_TEMP);
- pool_put(&namei_pool, interp);
+ free((char *)ap, M_TEMP);
+ free((char *)interp, M_TEMP);
kill_vmcmds(&epp->ep_vmcmds);
return (error);
}
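Review bot: After `free((char *)ap, M_TEMP)` and `free((char *)interp, M_TEMP)` the exec package still holds both addresses in `epp->ep_emul_arg` and `epp->ep_interp`, both on this error return and at the end of fixup in the next hunk. If any caller cleanup inspects those fields (not visible here), that would be a use-after-free or double free. Clearing them next to the frees, `epp->ep_interp = NULL; epp->ep_emul_arg = NULL;`, removes the dangling pointers. ELFNAME2(exec,fixup) starts and ends outside this hunk.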
@@ -832,8 +836,8 @@ ELFNAME2(exec,fixup)(struct proc *p, struct exec_package *epp)
error = copyout(ai, epp->ep_emul_argp, sizeof ai);
}
- free(ap, M_TEMP);
- pool_put(&namei_pool, interp);
+ free((char *)ap, M_TEMP);
+ free((char *)interp, M_TEMP);
return (error);
}
@@ -859,7 +863,7 @@ ELFNAME(os_pt_note)(struct proc *p, struct exec_package *epp, Elf_Ehdr *eh,
int error;
phsize = eh->e_phnum * sizeof(Elf_Phdr);
- hph = malloc(phsize, M_TEMP, M_WAITOK);
+ hph = (Elf_Phdr *)malloc(phsize, M_TEMP, M_WAITOK);
if ((error = ELFNAME(read_from)(p, epp->ep_vp, eh->e_phoff,
(caddr_t)hph, phsize)) != 0)
goto out1;
@@ -870,7 +874,7 @@ ELFNAME(os_pt_note)(struct proc *p, struct exec_package *epp, Elf_Ehdr *eh,
ph->p_filesz < sizeof(Elf_Note) + name_size)
continue;
- np = malloc(ph->p_filesz, M_TEMP, M_WAITOK);
+ np = (Elf_Note *)malloc(ph->p_filesz, M_TEMP, M_WAITOK);
if ((error = ELFNAME(read_from)(p, epp->ep_vp, ph->p_offset,
(caddr_t)np, ph->p_filesz)) != 0)
goto out2;
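Review bot: `malloc(ph->p_filesz, M_TEMP, M_WAITOK)` sizes a kernel allocation directly from a program-header field read from the executable, and the visible part of the preceding condition only enforces a lower bound. Unless the start of that condition (above the hunk) also caps it, a note segment declaring a very large `p_filesz` drives a correspondingly large M_WAITOK allocation. An upper bound before the malloc, for example `if (ph->p_filesz > NOTE_SIZE_LIMIT) continue;`, would contain that; `NOTE_SIZE_LIMIT` is a placeholder for a limit the project would choose. The loop and the function continue outside the hunk.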