Kernel: Enable SMAP protection during the execve() syscall

The userspace execve() wrapper now measures all the strings and puts them in a neat and tidy structure on the stack. This way we know exactly how much to copy in the kernel, and we don't have to use the SMAP-violating validate_read_str(). :^)
2025-07-25 18:07:34 +00:00 · 2020-01-10 12:20:36 +01:00 · 2020-01-10 12:20:36 +01:00 · 952bb95baa
commit 952bb95baa
parent bf9f36bf22
4 changed files with 78 additions and 38 deletions
--- a/Kernel/Process.cpp
+++ b/Kernel/Process.cpp
@ -909,50 +909,49 @@ int Process::exec(String path, Vector<String> arguments, Vector<String> environm
    return 0;
 }
-int Process::sys$execve(const char* filename, const char** argv, const char** envp)
+int Process::sys$execve(const Syscall::SC_execve_params* user_params)
 {
    SmapDisabler disabler;
    // NOTE: Be extremely careful with allocating any kernel memory in exec().
    //       On success, the kernel stack will be lost.
-    if (!validate_read_str(filename))
+    Syscall::SC_execve_params params;
    if (!validate_read_typed(user_params))
        return -EFAULT;
-    if (!*filename)
+    copy_from_user(&params, user_params, sizeof(params));
    if (params.arguments.length > ARG_MAX || params.environment.length > ARG_MAX)
        return -E2BIG;
    if (!validate_read(params.path.characters, params.path.length))
        return -EFAULT;
    if (params.path.length == 0)
        return -ENOENT;
    if (argv) {
        if (!validate_read_typed(argv))
            return -EFAULT;
        for (size_t i = 0; argv[i]; ++i) {
            if (!validate_read_str(argv[i]))
                return -EFAULT;
        }
    }
    if (envp) {
        if (!validate_read_typed(envp))
            return -EFAULT;
        for (size_t i = 0; envp[i]; ++i) {
            if (!validate_read_str(envp[i]))
                return -EFAULT;
        }
    }
-    String path(filename);
+    auto copy_user_strings = [&](const auto& list, auto& output) {
        if (!list.length)
            return true;
        if (!validate_read_typed(list.strings, list.length))
            return false;
        Vector<Syscall::SyscallString, 32> strings;
        strings.resize(list.length);
        copy_from_user(strings.data(), list.strings, list.length * sizeof(Syscall::SyscallString));
        for (size_t i = 0; i < list.length; ++i) {
            if (!validate_read(strings[i].characters, strings[i].length))
                return false;
            output.append(copy_string_from_user(strings[i].characters, strings[i].length));
        }
        return true;
    };
    Vector<String> arguments;
-    Vector<String> environment;
+    if (!copy_user_strings(params.arguments, arguments))
-    {
+        return -EFAULT;
        auto parts = path.split('/');
        if (argv) {
            for (size_t i = 0; argv[i]; ++i) {
                arguments.append(argv[i]);
            }
        } else {
            arguments.append(parts.last());
        }
-        if (envp) {
+    Vector<String> environment;
-            for (size_t i = 0; envp[i]; ++i)
+    if (!copy_user_strings(params.environment, environment))
-                environment.append(envp[i]);
+        return -EFAULT;
-        }
+
-    }
+    auto path = copy_string_from_user(params.path.characters, params.path.length);
    int rc = exec(move(path), move(arguments), move(environment));
    ASSERT(rc < 0); // We should never continue after a successful exec!
--- a/Kernel/Process.h
+++ b/Kernel/Process.h
@ -155,7 +155,7 @@ public:
    int sys$ttyname_r(int fd, char*, ssize_t);
    int sys$ptsname_r(int fd, char*, ssize_t);
    pid_t sys$fork(RegisterDump&);
-    int sys$execve(const char* filename, const char** argv, const char** envp);
+    int sys$execve(const Syscall::SC_execve_params*);
    int sys$getdtablesize();
    int sys$dup(int oldfd);
    int sys$dup2(int oldfd, int newfd);
--- a/Kernel/Syscall.h
+++ b/Kernel/Syscall.h
@ -300,6 +300,22 @@ struct SC_set_mmap_name_params {
    size_t name_length;
 };
 struct SyscallString {
    const char* characters { nullptr };
    size_t length { 0 };
 };
 struct SyscallStringList {
    SyscallString* strings { nullptr };
    size_t length { 0 };
 };
 struct SC_execve_params {
    SyscallString path;
    SyscallStringList arguments;
    SyscallStringList environment;
 };
 void initialize();
 int sync();
--- a/Libraries/LibC/unistd.cpp
+++ b/Libraries/LibC/unistd.cpp
@ -2,6 +2,7 @@
 #include <AK/String.h>
 #include <AK/Vector.h>
 #include <Kernel/Syscall.h>
 #include <alloca.h>
 #include <assert.h>
 #include <errno.h>
 #include <fcntl.h>
@ -49,7 +50,31 @@ int execv(const char* path, char* const argv[])
 int execve(const char* filename, char* const argv[], char* const envp[])
 {
-    int rc = syscall(SC_execve, filename, argv, envp);
+    size_t arg_count = 0;
    for (size_t i = 0; argv[i]; ++i)
        ++arg_count;
    size_t env_count = 0;
    for (size_t i = 0; envp[i]; ++i)
        ++env_count;
    auto copy_strings = [&](auto& vec, size_t count, auto& output) {
        output.length = count;
        for (size_t i = 0; vec[i]; ++i) {
            output.strings[i].characters = vec[i];
            output.strings[i].length = strlen(vec[i]);
        }
    };
    Syscall::SC_execve_params params;
    params.arguments.strings = (Syscall::SyscallString*)alloca(arg_count * sizeof(Syscall::SyscallString));
    params.environment.strings = (Syscall::SyscallString*)alloca(env_count * sizeof(Syscall::SyscallString));
    params.path = { filename, strlen(filename) };
    copy_strings(argv, arg_count, params.arguments);
    copy_strings(envp, env_count, params.environment);
    int rc = syscall(SC_execve, &params);
    __RETURN_WITH_ERRNO(rc, rc, -1);
 }