Looks like split of execve(2) syscall created bugs

Maxim Sobolev sobomax at FreeBSD.org
Sat Jan 29 06:20:26 PST 2005


Hi DF'ers!

I am working on eliminating stackgap in FreeBSD's linuxlator following 
DF's footsteps and fond that there is potential bug has been introduced 
into execve(). The problem is that DF now first checks if argv[0] is 
NULL, then replaces it with pathname and then proceeds with scanning 
other arguments instead of stopping there. According to the comment in 
the code, such behaviour has been introduced to make shell scripts 
working. However there are two problems with this approach:

1. According to the POSIX, execve() should pass arguments list 
unmodified to the newly created process. This means that if I invoke 
execve with argv[0] being NULL, the new image should see argc == 0 and 
argv[0] = NULL. DF in this case will copy the new image path as argv[0] 
and new image will see see it as argv[0]/argc == 1.

2. In some cases, the new logic will result in bogus arguments passed to 
the new image or EFAULT when first argument is NULL. This will happen 
due to the bug in routine which copies arguments from the user space 
into the kernel space. It assumes that both argv[0] and argv[1] are 
NULL, while only former is required to be to stop processing.

The proper fix is to move special handling of argv[0] == NULL case into 
imgact_shell.c where it belongs.

-Maxim





More information about the Bugs mailing list