From 7325e85b7c832f763beb3daddda416e292acdfe1 Mon Sep 17 00:00:00 2001
From: maxv
Date: Fri, 20 Mar 2015 20:36:27 +0000
Subject: [PATCH] Zero-fill the ELF auxiliary vectors. Otherwise, on 64bit systems, the padding between a_v and a_type contains kernel garbage, therefore exposed to userland. Original report by uebayasi@
---
sys/compat/linux/common/linux_exec_elf32.c | 6 ++++--
sys/compat/linux32/common/linux32_exec_elf32.c | 6 ++++--
sys/compat/netbsd32/netbsd32_exec_elf32.c | 6 ++++--
sys/compat/svr4_32/svr4_32_exec_elf32.c | 8 ++++++--
sys/kern/exec_elf.c | 6 ++++--
5 files changed, 22 insertions(+), 10 deletions(-)
diff --git a/sys/compat/linux/common/linux_exec_elf32.c b/sys/compat/linux/common/linux_exec_elf32.c
index 2755108501b5a..cd601f6fbc9bf 100644
--- a/sys/compat/linux/common/linux_exec_elf32.c
+++ b/sys/compat/linux/common/linux_exec_elf32.c
@@ -1,4 +1,4 @@
-/* $NetBSD: linux_exec_elf32.c,v 1.91 2014/04/15 17:29:00 maxv Exp $ */
+/* $NetBSD: linux_exec_elf32.c,v 1.92 2015/03/20 20:36:27 maxv Exp $ */
/*- * Copyright (c) 1995, 1998, 2000, 2001 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
*/ #include
-__KERNEL_RCSID(0, "$NetBSD: linux_exec_elf32.c,v 1.91 2014/04/15 17:29:00 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux_exec_elf32.c,v 1.92 2015/03/20 20:36:27 maxv Exp $");
#ifndef ELFSIZE /* XXX should die */
@@ -391,6 +391,8 @@ ELFNAME2(linux,copyargs)(struct lwp *l, struct exec_package *pack,
a = ai;
+ memset(ai, 0, sizeof(ai));
+
/* * Push extra arguments used by glibc on the stack. */
diff --git a/sys/compat/linux32/common/linux32_exec_elf32.c b/sys/compat/linux32/common/linux32_exec_elf32.c
index c0db216a96dd7..24399aa6ae63a 100644
--- a/sys/compat/linux32/common/linux32_exec_elf32.c
+++ b/sys/compat/linux32/common/linux32_exec_elf32.c
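Review bot: The added `memset(ai, 0, sizeof(ai));` in ELFNAME2(linux,copyargs) has no comment saying why it is there, so it reads like a redundant initialisation that a later cleanup could drop, bringing back the padding disclosure the commit message describes. I would put the reason next to the call, for example `/* Zero ai[]: the padding inside each aux entry is copied out to userland with it. */`. `sizeof(ai)` covers the whole vector only if `ai` is an array declared in the function; the declaration and the rest of the body lie outside the hunk, so that is worth confirming in each file. The same comment applies to the memset hunks in linux32_elf32_copyargs, netbsd32_elf32_copyargs, both svr4_32_copyargs hunks and elf_copyargs.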
@@ -1,4 +1,4 @@
-/* $NetBSD: linux32_exec_elf32.c,v 1.17 2014/02/23 16:07:40 njoly Exp $ */
+/* $NetBSD: linux32_exec_elf32.c,v 1.18 2015/03/20 20:36:27 maxv Exp $ */
/*- * Copyright (c) 1995, 1998, 2000, 2001,2006 The NetBSD Foundation, Inc.
@@ -31,7 +31,7 @@
*/ #include
-__KERNEL_RCSID(0, "$NetBSD: linux32_exec_elf32.c,v 1.17 2014/02/23 16:07:40 njoly Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux32_exec_elf32.c,v 1.18 2015/03/20 20:36:27 maxv Exp $");
#define ELFSIZE 32
@@ -119,6 +119,8 @@ linux32_elf32_copyargs(struct lwp *l, struct exec_package *pack,
a = ai;
+ memset(ai, 0, sizeof(ai));
+
/* * Push extra arguments on the stack needed by dynamically * linked binaries and static binaries as well.
diff --git a/sys/compat/netbsd32/netbsd32_exec_elf32.c b/sys/compat/netbsd32/netbsd32_exec_elf32.c
index 29b264ed5e74d..a25d26b5fd851 100644
--- a/sys/compat/netbsd32/netbsd32_exec_elf32.c
+++ b/sys/compat/netbsd32/netbsd32_exec_elf32.c
@@ -1,4 +1,4 @@
-/* $NetBSD: netbsd32_exec_elf32.c,v 1.38 2014/10/24 21:08:36 christos Exp $ */
+/* $NetBSD: netbsd32_exec_elf32.c,v 1.39 2015/03/20 20:36:27 maxv Exp $ */
/* from: NetBSD: exec_aout.c,v 1.15 1996/09/26 23:34:46 cgd Exp */ /*
@@ -57,7 +57,7 @@
*/ #include
-__KERNEL_RCSID(0, "$NetBSD: netbsd32_exec_elf32.c,v 1.38 2014/10/24 21:08:36 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: netbsd32_exec_elf32.c,v 1.39 2015/03/20 20:36:27 maxv Exp $");
#define ELFSIZE 32
@@ -141,6 +141,8 @@ netbsd32_elf32_copyargs(struct lwp *l, struct exec_package *pack,
a = ai;
+ memset(ai, 0, sizeof(ai));
+
/* * Push extra arguments on the stack needed by dynamically * linked binaries
diff --git a/sys/compat/svr4_32/svr4_32_exec_elf32.c b/sys/compat/svr4_32/svr4_32_exec_elf32.c
index df20a66f2cc5a..515746ce590ed 100644
--- a/sys/compat/svr4_32/svr4_32_exec_elf32.c
+++ b/sys/compat/svr4_32/svr4_32_exec_elf32.c
@@ -1,4 +1,4 @@
-/* $NetBSD: svr4_32_exec_elf32.c,v 1.23 2014/04/09 11:40:03 maxv Exp $ */
+/* $NetBSD: svr4_32_exec_elf32.c,v 1.24 2015/03/20 20:36:27 maxv Exp $ */
/*- * Copyright (c) 1994 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/ #include
-__KERNEL_RCSID(0, "$NetBSD: svr4_32_exec_elf32.c,v 1.23 2014/04/09 11:40:03 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: svr4_32_exec_elf32.c,v 1.24 2015/03/20 20:36:27 maxv Exp $");
#define ELFSIZE 32 /* XXX should die */
@@ -81,6 +81,8 @@ svr4_32_copyargs(struct lwp *l, struct exec_package *pack, struct ps_strings *ar
a = ai;
+ memset(ai, 0, sizeof(ai));
+
/* * Push extra arguments on the stack needed by dynamically * linked binaries
@@ -200,6 +202,8 @@ svr4_32_copyargs(struct lwp *l, struct exec_package *pack, struct ps_strings *ar
a = ai;
+ memset(ai, 0, sizeof(ai));
+
/* * Push extra arguments on the stack needed by dynamically * linked binaries
diff --git a/sys/kern/exec_elf.c b/sys/kern/exec_elf.c
index 982080fdab96d..6929b1e8586a5 100644
--- a/sys/kern/exec_elf.c
+++ b/sys/kern/exec_elf.c
@@ -1,4 +1,4 @@
-/* $NetBSD: exec_elf.c,v 1.70 2014/08/17 23:03:58 chs Exp $ */
+/* $NetBSD: exec_elf.c,v 1.71 2015/03/20 20:36:28 maxv Exp $ */
/*- * Copyright (c) 1994, 2000, 2005 The NetBSD Foundation, Inc.
@@ -57,7 +57,7 @@
*/ #include
-__KERNEL_RCSID(1, "$NetBSD: exec_elf.c,v 1.70 2014/08/17 23:03:58 chs Exp $");
+__KERNEL_RCSID(1, "$NetBSD: exec_elf.c,v 1.71 2015/03/20 20:36:28 maxv Exp $");
#ifdef _KERNEL_OPT #include "opt_pax.h"
@@ -178,6 +178,8 @@ elf_copyargs(struct lwp *l, struct exec_package *pack,
a = ai; execname = NULL;
+ memset(ai, 0, sizeof(ai));
+
/* * Push extra arguments on the stack needed by dynamically * linked binaries