cache ps_auxinfo inside the kernel, to avoid codedump() reading the

copy on userland stack which points at an illicit region.
ok kettenis, deraadt

diff --git a/sys/kern/exec_elf.c b/sys/kern/exec_elf.c
index 4657d9f..3cca0a1 100644 (file)
--- a/sys/kern/exec_elf.c
+++ b/sys/kern/exec_elf.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: exec_elf.c,v 1.175 2022/11/14 17:25:00 visa Exp $     */
+/*     $OpenBSD: exec_elf.c,v 1.176 2022/11/23 11:00:27 mbuhl Exp $    */
 
 /*
  * Copyright (c) 1996 Per Fogelstrom
@@ -1221,9 +1221,6 @@ coredump_walk_elf(vaddr_t start, vaddr_t realend, vaddr_t end, vm_prot_t prot,
 int
 coredump_notes_elf(struct proc *p, void *iocookie, size_t *sizep)
 {
-       struct ps_strings pss;
-       struct iovec iov;
-       struct uio uio;
        struct elfcore_procinfo cpi;
        Elf_Note nhdr;
        struct process *pr = p->p_p;
@@ -1282,23 +1279,7 @@ coredump_notes_elf(struct proc *p, void *iocookie, size_t *sizep)
        /* Second, write an NT_OPENBSD_AUXV note. */
        notesize = sizeof(nhdr) + elfround(sizeof("OpenBSD")) +
            elfround(ELF_AUX_WORDS * sizeof(char *));
-       if (iocookie) {
-               iov.iov_base = &pss;
-               iov.iov_len = sizeof(pss);
-               uio.uio_iov = &iov;
-               uio.uio_iovcnt = 1;
-               uio.uio_offset = (off_t)pr->ps_strings;
-               uio.uio_resid = sizeof(pss);
-               uio.uio_segflg = UIO_SYSSPACE;
-               uio.uio_rw = UIO_READ;
-               uio.uio_procp = NULL;
-
-               error = uvm_io(&p->p_vmspace->vm_map, &uio, 0);
-               if (error)
-                       return (error);
-
-               if (pss.ps_envstr == NULL)
-                       return (EIO);
+       if (iocookie && pr->ps_auxinfo) {
 
                nhdr.namesz = sizeof("OpenBSD");
                nhdr.descsz = ELF_AUX_WORDS * sizeof(char *);
@@ -1315,7 +1296,7 @@ coredump_notes_elf(struct proc *p, void *iocookie, size_t *sizep)
                        return (error);
 
                error = coredump_write(iocookie, UIO_USERSPACE,
-                   pss.ps_envstr + pss.ps_nenvstr + 1, nhdr.descsz);
+                   (caddr_t)pr->ps_auxinfo, nhdr.descsz);
                if (error)
                        return (error);
        }

diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index e92587a..ca0ed3c 100644 (file)
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: kern_exec.c,v 1.239 2022/11/17 18:53:12 deraadt Exp $ */
+/*     $OpenBSD: kern_exec.c,v 1.240 2022/11/23 11:00:27 mbuhl Exp $   */
 /*     $NetBSD: kern_exec.c,v 1.75 1996/02/09 18:59:28 christos Exp $  */
 
 /*-
@@ -492,6 +492,8 @@ sys_execve(struct proc *p, void *v, register_t *retval)
        if (!copyargs(&pack, &arginfo, stack, argp))
                goto exec_abort;
 
+       pr->ps_auxinfo = (vaddr_t)pack.ep_auxinfo;
+
        /* copy out the process's ps_strings structure */
        if (copyout(&arginfo, (char *)pr->ps_strings, sizeof(arginfo)))
                goto exec_abort;

diff --git a/sys/sys/proc.h b/sys/sys/proc.h
index 01fa10b..b458510 100644 (file)
--- a/sys/sys/proc.h
+++ b/sys/sys/proc.h
@@ -1,4 +1,4 @@
-/*     $OpenBSD: proc.h,v 1.334 2022/07/23 22:10:59 cheloha Exp $      */
+/*     $OpenBSD: proc.h,v 1.335 2022/11/23 11:00:27 mbuhl Exp $        */
 /*     $NetBSD: proc.h,v 1.44 1996/04/22 01:23:21 christos Exp $       */
 
 /*-
@@ -215,6 +215,7 @@ struct process {
        char    ps_comm[_MAXCOMLEN];    /* command name, incl NUL */
 
        vaddr_t ps_strings;             /* User pointers to argv/env */
+       vaddr_t ps_auxinfo;             /* User pointer to auxinfo */
        vaddr_t ps_timekeep;            /* User pointer to timekeep */
        vaddr_t ps_sigcode;             /* [I] User pointer to signal code */
        vaddr_t ps_sigcoderet;          /* [I] User ptr to sigreturn retPC */