From d807f41cc31248f3b16b002b1fbfbeea53bf0599 Mon Sep 17 00:00:00 2001 From: kn Date: Fri, 20 Oct 2023 19:55:49 +0000 Subject: [PATCH] Adopt MI re-upgrade prevention In comparison to MI boot which only cares about /bsd.upgrade's x bit, octeon rdboot just wants a regular file. Require and strip u+x before execution to prevent sysupgrade(8) loops. OK kettenis --- sys/arch/octeon/stand/rdboot/cmd.c | 6 +++++- sys/arch/octeon/stand/rdboot/rdboot.c | 20 ++++++++++++++------ 2 files changed, 19 insertions(+), 7 deletions(-) diff --git a/sys/arch/octeon/stand/rdboot/cmd.c b/sys/arch/octeon/stand/rdboot/cmd.c index c9790bb8920..6bdbf0bd999 100644 --- a/sys/arch/octeon/stand/rdboot/cmd.c +++ b/sys/arch/octeon/stand/rdboot/cmd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cmd.c,v 1.3 2019/08/01 04:52:56 visa Exp $ */ +/* $OpenBSD: cmd.c,v 1.4 2023/10/20 19:55:49 kn Exp $ */ /* * Copyright (c) 1997-1999 Michael Shalayeff @@ -501,6 +501,10 @@ upgrade(void) return 0; if (stat(path, &sb) == 0 && S_ISREG(sb.st_mode)) ret = 1; + if ((sb.st_mode & S_IXUSR) == 0) { + printf("/bsd.upgrade is not u+x\n"); + ret = 0; + } disk_close(); return ret; diff --git a/sys/arch/octeon/stand/rdboot/rdboot.c b/sys/arch/octeon/stand/rdboot/rdboot.c index 850279c42a4..9db44ddd53d 100644 --- a/sys/arch/octeon/stand/rdboot/rdboot.c +++ b/sys/arch/octeon/stand/rdboot/rdboot.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rdboot.c,v 1.8 2020/12/09 18:10:19 krw Exp $ */ +/* $OpenBSD: rdboot.c,v 1.9 2023/10/20 19:55:49 kn Exp $ */ /* * Copyright (c) 2019-2020 Visa Hankala @@ -47,17 +47,17 @@ #define KERNEL "/bsd" int loadrandom(void); -void kexec(void); +void kexec(int); struct cmd_state cmd; int octbootfd = -1; -const char version[] = "1.3"; +const char version[] = "1.4"; int main(void) { char rootdev[PATH_MAX]; - int fd, hasboot; + int fd, hasboot, isupgrade = 0; fd = open(_PATH_CONSOLE, O_RDWR); login_tty(fd); 
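Review bot: In `upgrade()` the added `(sb.st_mode & S_IXUSR) == 0` test sits after the `stat()`/`S_ISREG` check rather than under it, so it also runs when `stat()` failed and `sb` was never filled in. On a disk with no /bsd.upgrade the loader then reads an indeterminate mode and may print "/bsd.upgrade is not u+x", which is misleading in a boot log. The result is still 0 only if `ret` starts at 0, and its declaration is outside the hunk. Guarding the block on the earlier success ties the permission gate to a real stat result: `if (ret && (sb.st_mode & S_IXUSR) == 0) {`. The function begins outside the hunk.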
@@ -91,6 +91,7 @@ main(void) if (upgrade()) { strlcpy(cmd.image, "/bsd.upgrade", sizeof(cmd.image)); printf("upgrade detected: switching to %s\n", cmd.image); + isupgrade = 1; } hasboot = read_conf(); @@ -105,7 +106,7 @@ main(void) if (loadrandom() == 0) cmd.boothowto |= RB_GOODRANDOM; - kexec(); + kexec(isupgrade); hasboot = 0; strlcpy(cmd.image, KERNEL, sizeof(cmd.image)); @@ -163,7 +164,7 @@ loadrandom(void) } void -kexec(void) +kexec(int isupgrade) { struct octboot_kexec_args kargs; struct stat sb; @@ -189,6 +190,13 @@ kexec(void) goto load_failed; } + /* Prevent re-upgrade: chmod a-x bsd.upgrade */ + if (isupgrade) { + sb.st_mode &= ~(S_IXUSR|S_IXGRP|S_IXOTH); + if (fchmod(fd, sb.st_mode) == -1) + printf("fchmod a-x %s: failed\n", path); + } + kimg = malloc(sb.st_size); if (kimg == NULL) goto load_failed; -- 2.20.1
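Review bot: `isupgrade` is set once here and nothing in the visible hunks clears it, so the flag outlives the image it describes. In the later hunk at `kexec(isupgrade)`, a return from `kexec()` resets `cmd.image` to `KERNEL` while the flag is still 1, so a following attempt would apparently run the `fchmod` a-x step against /bsd or whatever image is chosen next. `read_conf()`, called right after this block, may likewise change `cmd.image`, though its body is not shown. Clearing the flag together with the other retry state, `hasboot = 0; isupgrade = 0;`, keeps the mode change limited to /bsd.upgrade. The body of `main()` continues outside both hunks.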
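Review bot: A failed `fchmod()` in the new block of `kexec()` is only printed and the image is still loaded, so when the x bit cannot be removed (for example on a read-only mount, which is set up outside this diff) the re-upgrade loop this commit targets remains possible. If continuing is intended, the comment should say so, e.g. `/* Prevent re-upgrade: chmod a-x bsd.upgrade; best effort, boot continues on failure */`. The message would also be more useful with the reason, `printf("fchmod a-x %s: %s\n", path, strerror(errno));`, assuming `<errno.h>` and `<string.h>` are included above. Otherwise add `goto load_failed;` after the `printf`. The block relies on `sb` and `fd` being filled in earlier in `kexec()`, outside the hunk.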