DragonFly BSD
DragonFly bugs List (threaded) for 2005-01

Re: Looks like split of execve(2) syscall created bugs


From: Matthew Dillon <dillon@xxxxxxxxxxxxxxxxxxxx>
Date: Sat, 29 Jan 2005 12:49:09 -0800 (PST)

:>     You'll have to be more specific about case (2).  What in the codebase
:>     are you referring to, file and line ?
:
:Trunk as of several hours ago, sys/kern/kern_exec.c function 
:exec_copyin_args() around line 700. The code there fetches pointer to 
:argv[0] from userspace, checks if it's NULL and puts first argument 
:instead of it. Then it increases userspace pointer by one and fetches 
:the next pointer *unconditionally*, so that in the case when argv[0] is 
:NULL you may get some invalid (e.g. junk but non-NULL pointer) and get 
:EFAULT for no reason. The same code ignores argv being NULL - see my 
:follow-up. FreeBSD code in this case explicitly returns EFAULT.
:
:-Maxim

    That looks pretty straightforward.  The code has changed very little
    from FreeBSD.  I'll do the first part of the cleanup but for the moment
    I think we should leave the argv[0] NULL check in the common code rather
    than just having it in the script code.

					-Matt
					Matthew Dillon 
					<dillon@xxxxxxxxxxxxx>
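Added example, not code from the thread or from the DragonFly tree: a user-space C model of the copy-in loop Maxim describes. fetch_ptr() stands in for fuword(), the `fixed` flag switches between the reported behaviour and the shape the fix implies, and the argv cases, the file name and every identifier here are constructed.

```c
#include <errno.h>
#include <stddef.h>
#define MAX_ARGS 8
/* Simulated user memory: a pointer table standing in for the argv vector. */
struct uspace { const char **argv; size_t nptrs; };

/* Stand-in for fuword(): reading past the table is the junk memory after the
 * NULL terminator in the real kernel, so it fails with EFAULT. */
static int fetch_ptr(const struct uspace *u, size_t idx, const char **out)
{
    if (u->argv == NULL || idx >= u->nptrs)
        return EFAULT;
    *out = u->argv[idx];
    return 0;
}

/* Copy-in loop. fixed == 0 is the shape in the report: fname replaces a NULL
 * argv[0], then the next entry is fetched anyway. fixed != 0 rejects a NULL
 * argv explicitly (as FreeBSD does) and stops after the substitution. */
static int copyin_args(const struct uspace *u, const char *fname, int fixed,
                       const char **out, int *argc)
{
    const char *p; int err;
    *argc = 0;
    if (fixed && u->argv == NULL)
        return EFAULT;
    if ((err = fetch_ptr(u, 0, &p)) != 0)
        return err;
    out[(*argc)++] = (p != NULL) ? p : fname;   /* NULL argv[0]: use the file name */
    if (p == NULL && fixed)
        return 0;                   /* vector is terminated; do not read past it */
    for (size_t i = 1; *argc < MAX_ARGS; i++) {
        if ((err = fetch_ptr(u, i, &p)) != 0)
            return err;             /* buggy path with argv = {NULL}: spurious EFAULT */
        if (p == NULL)
            break;
        out[(*argc)++] = p;
    }
    return 0;
}

/* Constructed cases: 0 = {"ls","-l",NULL}, 1 = {NULL}, 2 = argv itself NULL.
 * Returns argc on success, or -errno on failure. */
static int run_case(int which, int fixed)
{
    static const char *v0[] = { "ls", "-l", NULL }, *v1[] = { NULL };
    const struct uspace cases[] = { { v0, 3 }, { v1, 1 }, { NULL, 0 } };
    const char *out[MAX_ARGS];
    int argc, err = copyin_args(&cases[which], "/bin/ls", fixed, out, &argc);
    return err ? -err : argc;
}
```

run_case(1, 0) returns -EFAULT, reproducing the spurious fault for an empty vector, while run_case(1, 1) returns 1 with argv[0] set to the file name.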
