From: kn <kn@openbsd.org>
Date: Fri, 20 Oct 2023 19:58:16 +0000 (+0000)
Subject: Adopt MI re-upgrade prevention
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=3f0bb8e92bd22b3bfcb5c04d94d3a322bcd6eab7;p=openbsd

Adopt MI re-upgrade prevention

In comparison to MI boot which only cares about /bsd.upgrade's x bit,
powerpc64 rdboot just wants a regular file.

Require and strip u+x before execution to prevent sysupgrade(8) loops.

OK kettenis
---

diff --git a/sys/arch/powerpc64/stand/rdboot/cmd.c b/sys/arch/powerpc64/stand/rdboot/cmd.c
index ed93604aae1..21f326a2dde 100644
--- a/sys/arch/powerpc64/stand/rdboot/cmd.c
+++ b/sys/arch/powerpc64/stand/rdboot/cmd.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: cmd.c,v 1.1 2020/07/16 19:48:58 kettenis Exp $	*/
+/*	$OpenBSD: cmd.c,v 1.2 2023/10/20 19:58:16 kn Exp $	*/
 
 /*
  * Copyright (c) 1997-1999 Michael Shalayeff
@@ -501,6 +501,10 @@ upgrade(void)
 		return 0;
 	if (stat(path, &sb) == 0 && S_ISREG(sb.st_mode))
 		ret = 1;
+	if ((sb.st_mode & S_IXUSR) == 0) {
+		printf("/bsd.upgrade is not u+x\n");
+		ret = 0;
+	}
 	disk_close();
 
 	return ret;
diff --git a/sys/arch/powerpc64/stand/rdboot/rdboot.c b/sys/arch/powerpc64/stand/rdboot/rdboot.c
index 5dc0d58c9c0..5b9254afd78 100644
--- a/sys/arch/powerpc64/stand/rdboot/rdboot.c
+++ b/sys/arch/powerpc64/stand/rdboot/rdboot.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: rdboot.c,v 1.3 2020/12/09 18:10:19 krw Exp $	*/
+/*	$OpenBSD: rdboot.c,v 1.4 2023/10/20 19:58:16 kn Exp $	*/
 
 /*
  * Copyright (c) 2019-2020 Visa Hankala
@@ -47,17 +47,17 @@
 #define KERNEL		"/bsd"
 
 int	loadrandom(void);
-void	kexec(void);
+void	kexec(int);
 
 struct cmd_state cmd;
 int kexecfd = -1;
-const char version[] = "0.2";
+const char version[] = "0.3";
 
 int
 main(void)
 {
 	u_char bootduid[8];
-	int fd, hasboot;
+	int fd, hasboot, isupgrade = 0;
 
 	fd = open(_PATH_CONSOLE, O_RDWR);
 	login_tty(fd);
@@ -89,6 +89,7 @@ main(void)
 	if (upgrade()) {
 		strlcpy(cmd.image, "/bsd.upgrade", sizeof(cmd.image));
 		printf("upgrade detected: switching to %s\n", cmd.image);
+		isupgrade = 1;
 	}
 
 	hasboot = read_conf();
@@ -103,7 +104,7 @@ main(void)
 		if (loadrandom() == 0)
 			cmd.boothowto |= RB_GOODRANDOM;
 
-		kexec();
+		kexec(isupgrade);
 
 		hasboot = 0;
 		strlcpy(cmd.image, KERNEL, sizeof(cmd.image));
@@ -161,7 +162,7 @@ loadrandom(void)
 }
 
 void
-kexec(void)
+kexec(int isupgrade)
 {
 	struct kexec_args kargs;
 	struct stat sb;
@@ -185,6 +186,13 @@ kexec(void)
 		goto load_failed;
 	}
 
+	/* Prevent re-upgrade: chmod a-x bsd.upgrade */
+	if (isupgrade) {
+		sb.st_mode &= ~(S_IXUSR|S_IXGRP|S_IXOTH);
+		if (fchmod(fd, sb.st_mode) == -1)
+			printf("fchmod a-x %s: failed\n", path);
+	}
+
 	kimg = malloc(sb.st_size);
 	if (kimg == NULL)
 		goto load_failed;