kernel: reject empty argv (argv[0] == nil) in sysexec()

when executing a script, we did advance argp0 unconditionally
to replace argv[0] with the script name. this fails when
argv[] is empty, then we'd advance argp0 past the nil terminator.

the alternative would be to *not* advance if *argp0 == nil, but that
would require another validaddr() check for a case that is unlikely
to have been anticipated in most programs being invoked as
libc's ARGBEGIN macro assumes argv[0] being non-nil as it also
unconditionally advances the argv pointer.

to keep us sane, we now reject an empty argv[]. on entry, we
verify that argv[] is valid for at least two elements:
- the program name argv[0], has to be non-nil
- the first potential nil terminator in argv[1]

when argv[0] == nil, we throw Ebadarg "bad arg in system call"

1 files changed, 5 insertions, 3 deletions

diff --git a/sys/src/9/port/sysproc.c b/sys/src/9/port/sysproc.c
index 65f83b9bc..8b990806c 100644
--- a/sys/src/9/port/sysproc.c
+++ b/sys/src/9/port/sysproc.c
@@ -255,6 +255,10 @@ sysexec(va_list list)
 	file0 = va_arg(list, char*);
 	validaddr((uintptr)file0, 1, 0);
 	argp0 = va_arg(list, char**);
+	evenaddr((uintptr)argp0);
+	validaddr((uintptr)argp0, 2*BY2WD, 0);
+	if(*argp0 == nil)
+		error(Ebadarg);
 	file0 = validnamedup(file0, 1);
 	if(waserror()){
 		free(file0);
@@ -351,9 +355,7 @@ sysexec(va_list list)
 		}
 	}
 	argp = argp0;
-	evenaddr((uintptr)argp);
-	validaddr((uintptr)argp, BY2WD, 0);
-	while(*argp){
+	while(*argp != nil){
 		a = *argp++;
 		if(((uintptr)argp&(BY2PG-1)) < BY2WD)
 			validaddr((uintptr)argp, BY2WD, 0);