Fix sendmail improper close-on-exec flag handling. [SA-14:11]

Fix ktrace memory disclosure. [SA-14:12]

Fix triple-fault when executing from a threaded process. [EN-14:06]

Approved by:	so

7 files changed, 28 insertions, 4 deletions

diff --git a/UPDATING b/UPDATING
index 82fa6d85c9f1..37bc3403e089 100644
--- a/UPDATING
+++ b/UPDATING
@@ -15,6 +15,17 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.x IS SLOW ON IA64 OR SUN4V:
 	debugging tools present in HEAD were left in place because
 	sun4v support still needs work to become production ready.
 
+20140603:	p11	FreeBSD-SA-14:11.sendmail
+			FreeBSD-SA-14:12.ktrace
+			FreeBSD-EN-14:06.exec
+
+	Fix sendmail improper close-on-exec flag handling. [SA-14:11]
+
+	Fix ktrace memory disclosure. [SA-14:12]
+
+	Fix triple-fault when executing from a threaded process.
+	[EN-14:06]
+
 20140513:	p10	FreeBSD-EN-14:03.pkg
 			FreeBSD-EN-14:04.kldxref
 
diff --git a/contrib/sendmail/src/conf.c b/contrib/sendmail/src/conf.c
index edfa0c2bf664..3d5ff95d2896 100644
--- a/contrib/sendmail/src/conf.c
+++ b/contrib/sendmail/src/conf.c
@@ -5265,8 +5265,8 @@ closefd_walk(lowest, fd)
 */
 
 void
-sm_close_on_exec(highest, lowest)
-	int highest, lowest;
+sm_close_on_exec(lowest, highest)
+	int lowest, highest;
 {
 #if HASFDWALK
 	(void) fdwalk(closefd_walk, &lowest);
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 92c74374888b..2f33cc0d0853 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="8.4"
-BRANCH="RELEASE-p10"
+BRANCH="RELEASE-p11"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi
diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index 1f50d1121e1d..bf0c9c4f2896 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -278,6 +278,7 @@ kern_execve(td, args, mac_p)
 	struct mac *mac_p;
 {
 	struct proc *p = td->td_proc;
+	struct vmspace *oldvmspace;
 	int error;
 
 	AUDIT_ARG_ARGV(args->begin_argv, args->argc,
@@ -294,6 +295,8 @@ kern_execve(td, args, mac_p)
 		PROC_UNLOCK(p);
 	}
 
+	KASSERT((td->td_pflags & TDP_EXECVMSPC) == 0, ("nested execve"));
+	oldvmspace = td->td_proc->p_vmspace;
 	error = do_execve(td, args, mac_p);
 
 	if (p->p_flag & P_HADTHREADS) {
@@ -308,6 +311,12 @@ kern_execve(td, args, mac_p)
 			thread_single_end();
 		PROC_UNLOCK(p);
 	}
+	if ((td->td_pflags & TDP_EXECVMSPC) != 0) {
+		KASSERT(td->td_proc->p_vmspace != oldvmspace,
+		    ("oldvmspace still used"));
+		vmspace_free(oldvmspace);
+		td->td_pflags &= ~TDP_EXECVMSPC;
+	}
 
 	return (error);
 }
diff --git a/sys/kern/kern_ktrace.c b/sys/kern/kern_ktrace.c
index 84fc1843894c..aa50fa4f09e2 100644
--- a/sys/kern/kern_ktrace.c
+++ b/sys/kern/kern_ktrace.c
@@ -117,6 +117,7 @@ static int data_lengths[] = {
 	0,					/* KTR_SYSCTL */
 	sizeof(struct ktr_proc_ctor),		/* KTR_PROCCTOR */
 	0,					/* KTR_PROCDTOR */
+	0,					/* unused */
 	sizeof(struct ktr_fault),		/* KTR_FAULT */
 	sizeof(struct ktr_faultend),		/* KTR_FAULTEND */
 };
diff --git a/sys/sys/proc.h b/sys/sys/proc.h
index eadd418beaf6..73fdc47a513b 100644
--- a/sys/sys/proc.h
+++ b/sys/sys/proc.h
@@ -938,4 +938,5 @@ curthread_pflags_restore(int save)
 
 #endif	/* _KERNEL */
 
+#define	TDP_EXECVMSPC	0x40000000 /* Execve destroyed old vmspace */
 #endif	/* !_SYS_PROC_H_ */
diff --git a/sys/vm/vm_map.c b/sys/vm/vm_map.c
index 18442afc4518..aa7a7e99ca5f 100644
--- a/sys/vm/vm_map.c
+++ b/sys/vm/vm_map.c
@@ -3521,6 +3521,8 @@ vmspace_exec(struct proc *p, vm_offset_t minuser, vm_offset_t maxuser)
 	struct vmspace *oldvmspace = p->p_vmspace;
 	struct vmspace *newvmspace;
 
+	KASSERT((curthread->td_pflags & TDP_EXECVMSPC) == 0,
+	    ("vmspace_exec recursed"));
 	newvmspace = vmspace_alloc(minuser, maxuser);
 	if (newvmspace == NULL)
 		return (ENOMEM);
@@ -3537,7 +3539,7 @@ vmspace_exec(struct proc *p, vm_offset_t minuser, vm_offset_t maxuser)
 	PROC_VMSPACE_UNLOCK(p);
 	if (p == curthread->td_proc)
 		pmap_activate(curthread);
-	vmspace_free(oldvmspace);
+	curthread->td_pflags |= TDP_EXECVMSPC;
 	return (0);
 }