From 5d9e07ccdda8224e7f7e52eda0c1d5aa495ad533 Mon Sep 17 00:00:00 2001
From: delphij
Date: Tue, 3 Jun 2014 19:03:11 +0000
Subject: [PATCH] Fix sendmail improper close-on-exec flag handling. [SA-14:11]

Fix ktrace memory disclosure. [SA-14:12]

Fix incorrect error handling in PAM policy parser. [SA-14:13]

Fix triple-fault when executing from a threaded process. [EN-14:06]

Approved by: so

git-svn-id: svn://svn.freebsd.org/base/releng/9.1@267018 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 UPDATING | 14 ++++++++++++++
 contrib/sendmail/src/conf.c | 4 ++--
 sys/conf/newvers.sh | 2 +-
 sys/kern/kern_exec.c | 9 +++++++++
 sys/kern/kern_ktrace.c | 1 +
 sys/sys/proc.h | 1 +
 sys/vm/vm_map.c | 4 +++-
 7 files changed, 31 insertions(+), 4 deletions(-)

diff --git a/UPDATING b/UPDATING
index 5313d128..6d082208 100644
--- a/UPDATING
+++ b/UPDATING
@@ -9,6 +9,20 @@ handbook.
 Items affecting the ports and packages system can be found in
 /usr/ports/UPDATING. Please read that file before running portupgrade.
 
+20140603: p14 FreeBSD-SA-14:11.sendmail
+ FreeBSD-SA-14:12.ktrace
+ FreeBSD-SA-14:13.pam
+ FreeBSD-EN-14:06.exec
+
+ Fix sendmail improper close-on-exec flag handling. [SA-14:11]
+
+ Fix ktrace memory disclosure. [SA-14:12]
+
+ Fix incorrect error handling in PAM policy parser. [SA-14:13]
+
+ Fix triple-fault when executing from a threaded process.
+ [EN-14:06]
+
 20140513: p13 FreeBSD-EN-14:03.pkg
 FreeBSD-EN-14:04.kldxref
 FreeBSD-EN-14:05.ciss
diff --git a/contrib/sendmail/src/conf.c b/contrib/sendmail/src/conf.c
index ffc6f205..8b1538c6 100644
--- a/contrib/sendmail/src/conf.c
+++ b/contrib/sendmail/src/conf.c
@@ -5256,8 +5256,8 @@ closefd_walk(lowest, fd)
 */
 
 void
-sm_close_on_exec(highest, lowest)
- int highest, lowest;
+sm_close_on_exec(lowest, highest)
+ int lowest, highest;
 {
 #if HASFDWALK
 (void) fdwalk(closefd_walk, &lowest);
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 0c858cc9..cb698e18 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
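Review bot: The corrected definition `sm_close_on_exec(lowest, highest)` is still a K&R identifier-list definition, so the compiler cannot check it against the prototype or its callers, which is exactly how the swapped `highest, lowest` order went unnoticed; the rest of the function body is outside the hunk. If the prototype is in scope where conf.c is compiled, writing the definition as `void sm_close_on_exec(int lowest, int highest)` would turn any future order mismatch into a compile error (the file may keep the K&R form deliberately for portability, so confirm before changing it). Nothing in this patch shows the prototype or the callers, so also verify that each of them passes the arguments as `(lowest, highest)`, since a caller that was "corrected" to match the old wrong order would now be wrong again.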
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="9.1"
-BRANCH="RELEASE-p13"
+BRANCH="RELEASE-p14"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 BRANCH=${BRANCH_OVERRIDE}
 fi
diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index 1bb6a115..e5175f88 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -280,6 +280,7 @@ kern_execve(td, args, mac_p)
 struct mac *mac_p;
 {
 struct proc *p = td->td_proc;
+ struct vmspace *oldvmspace;
 int error;
 
 AUDIT_ARG_ARGV(args->begin_argv, args->argc,
@@ -296,6 +297,8 @@ kern_execve(td, args, mac_p)
 PROC_UNLOCK(p);
 }
 
+ KASSERT((td->td_pflags & TDP_EXECVMSPC) == 0, ("nested execve"));
+ oldvmspace = td->td_proc->p_vmspace;
 error = do_execve(td, args, mac_p);
 
 if (p->p_flag & P_HADTHREADS) {
@@ -310,6 +313,12 @@ kern_execve(td, args, mac_p)
 thread_single_end();
 PROC_UNLOCK(p);
 }
+ if ((td->td_pflags & TDP_EXECVMSPC) != 0) {
+ KASSERT(td->td_proc->p_vmspace != oldvmspace,
+ ("oldvmspace still used"));
+ vmspace_free(oldvmspace);
+ td->td_pflags &= ~TDP_EXECVMSPC;
+ }
 
 return (error);
 }
diff --git a/sys/kern/kern_ktrace.c b/sys/kern/kern_ktrace.c
index a070ef26..7718bcdf 100644
--- a/sys/kern/kern_ktrace.c
+++ b/sys/kern/kern_ktrace.c
@@ -119,6 +119,7 @@ static int data_lengths[] = {
 0, /* KTR_SYSCTL */
 sizeof(struct ktr_proc_ctor), /* KTR_PROCCTOR */
 0, /* KTR_PROCDTOR */
+ 0, /* unused */
 sizeof(struct ktr_fault), /* KTR_FAULT */
 sizeof(struct ktr_faultend), /* KTR_FAULTEND */
 };
diff --git a/sys/sys/proc.h b/sys/sys/proc.h
index 3d0d88e1..e0e619ce 100644
--- a/sys/sys/proc.h
+++ b/sys/sys/proc.h
@@ -968,4 +968,5 @@ curthread_pflags_restore(int save)
 
 #endif /* _KERNEL */
 
+#define TDP_EXECVMSPC 0x40000000 /* Execve destroyed old vmspace */
 #endif /* !_SYS_PROC_H_ */
diff --git a/sys/vm/vm_map.c b/sys/vm/vm_map.c
index 4f40e15a..644bbe7d 100644
--- a/sys/vm/vm_map.c
+++ b/sys/vm/vm_map.c
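Review bot: The new block in the last kern_exec.c hunk reads `td->td_proc->p_vmspace` (and the earlier hunk assigns `oldvmspace = td->td_proc->p_vmspace`) although the function already has `struct proc *p = td->td_proc;` in scope; `p->p_vmspace` in both places matches the surrounding code and makes it obvious the same process is meant. The deferred `vmspace_free(oldvmspace)` also carries no comment explaining why the free was moved out of vmspace_exec(); since it now runs only after the `P_HADTHREADS` block, a why-comment such as `/* Release the old vmspace only now, after the other threads of the process have been single-threaded out of it; freeing it earlier is what caused the triple fault. */` would stop the next editor from hoisting it back (the ordering dependency on thread_single is my reading of the code; confirm). kern_execve's body starts before this hunk.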
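Review bot: The `data_lengths[]` table in the kern_ktrace.c hunk is indexed positionally by KTR_* type, so a gap in the type numbering silently shifted `KTR_FAULT`/`KTR_FAULTEND` onto the wrong lengths, which is the defect the added `0, /* unused */` slot repairs, and nothing in the new code prevents the same misalignment the next time a type is added. Designated initializers, e.g. `[KTR_FAULT] = sizeof(struct ktr_fault),` and `[KTR_FAULTEND] = sizeof(struct ktr_faultend),`, bind each length to its type regardless of gaps, and a compile-time check of the table length against the highest KTR_ value (CTASSERT, if available in this file) would catch a short table before it can over-read. The array's opening line is in the hunk header context, not the hunk, so the remaining entries would need the same treatment outside this diff.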
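Review bot: `TDP_EXECVMSPC 0x40000000` in the proc.h hunk is defined after `#endif /* _KERNEL */`, away from the other `TDP_*` bits, so nothing nearby shows whether that bit is free; confirm that 0x40000000 is not already used by another TDP_ flag in the flag block earlier in the file (not visible here), since a shared bit would make the kern_execve check fire for an unrelated reason. The placement itself looks deliberate but is unexplained; a comment on the line, e.g. `/* Defined apart from the other TDP_* bits; see the td_pflags flag block above. */`, would tell a reader it was not simply dropped at the end of the header (the reason for the placement is not something this diff shows, so state it only if known).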
@@ -3631,6 +3631,8 @@ vmspace_exec(struct proc *p, vm_offset_t minuser, vm_offset_t maxuser)
 struct vmspace *oldvmspace = p->p_vmspace;
 struct vmspace *newvmspace;
 
+ KASSERT((curthread->td_pflags & TDP_EXECVMSPC) == 0,
+ ("vmspace_exec recursed"));
 newvmspace = vmspace_alloc(minuser, maxuser);
 if (newvmspace == NULL)
 return (ENOMEM);
@@ -3647,7 +3649,7 @@ vmspace_exec(struct proc *p, vm_offset_t minuser, vm_offset_t maxuser)
 PROC_VMSPACE_UNLOCK(p);
 if (p == curthread->td_proc)
 pmap_activate(curthread);
- vmspace_free(oldvmspace);
+ curthread->td_pflags |= TDP_EXECVMSPC;
 return (0);
 }
 
-- 
2.42.0
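Review bot: vmspace_exec() no longer releases `oldvmspace`; the second hunk replaces the `vmspace_free(oldvmspace)` with setting `TDP_EXECVMSPC` on curthread and returns with the old vmspace still referenced, so every caller must now observe the flag and call vmspace_free() itself or the old vmspace leaks. The diff updates kern_execve() for this, but the new ownership contract is not documented at the function itself; its header comment is outside the hunk, and I would add to it something like `/* The previous vmspace is NOT freed here. On success TDP_EXECVMSPC is set on curthread and the caller must vmspace_free() the old p_vmspace once no thread of the process can still be using it (see kern_execve). */`. Any other caller of vmspace_exec() in the tree (none are visible in this diff) needs the same handling, so it is worth grepping for before merging.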