**argv Rewrites (was Re: Kmem security)

Guy Harris guy at auspex.auspex.com
Sat Mar 30 08:33:42 AEST 1991


>Does the kernel now make a copy of the memory for the process and keep
>a pristine version in kmem?

In most UNIX systems, the kernel makes a copy in "kmem" (i.e., into some
portion of the kernel's address space) when an "exec" is done, because
when the "exec" is done the address space containing the arguments to
the "exec" call will be blown away, and then copies the arguments back
into the new address space once that address space has been set up.

As of some version of S5 (the precise version is probably dependent on
what platform you're talking about), the kernel also stores 80 or so
characters of argument in the U area of the process, which is generally
kernel-only stuff, and "ps" uses that.  It essentially glues the
arguments together with spaces between them, putting the result into one
string, truncating at 80 characters.

Systems not using that trick generally get the arguments by rummaging
through the process's stack, picking up the arguments that were copied
back in as part of the "exec".  The process can, of course, overwrite
them; if "ps" gets the arguments from there, it'll pick up the new
values, but if it gets them from the U area, it won't.
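An added illustration (my own code, not from the post or from any UNIX kernel) of the two sources the post contrasts: an exec-time snapshot glued together with spaces and cut at 80 characters, versus the process's own writable stack copy, which it can overwrite; a monitor that has both can tell that the arguments were rewritten. The argument values, buffer sizes and function names are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define PSARGS_LEN 80   /* size of the exec-time argument snapshot the post describes */

/* Glue argv together with single spaces into one string, truncated so that it
 * (plus NUL) fits in outlen bytes: the U-area snapshot taken at exec time.
 * Returns the length written. */
size_t build_psargs(int argc, char *const argv[], char *out, size_t outlen)
{
    size_t used = 0;
    for (int i = 0; i < argc && used + 1 < outlen; i++) {
        if (i > 0)
            out[used++] = ' ';
        size_t room = outlen - 1 - used, n = strlen(argv[i]);
        if (n > room)
            n = room;
        memcpy(out + used, argv[i], n);
        used += n;
    }
    out[used] = '\0';
    return used;
}

/* What a monitor can do when it has both sources: rebuild the glued string
 * from the live stack copy and compare it with the exec-time snapshot.
 * Returns 1 when they differ, i.e. the process has rewritten its arguments. */
int args_were_rewritten(const char *snapshot, int argc, char *const argv[])
{
    char live[PSARGS_LEN];
    build_psargs(argc, argv, live, sizeof live);
    return strcmp(snapshot, live) != 0;
}

/* Constructed run: writable "stack" copies of two arguments, a snapshot taken
 * at "exec", then the process overwrites its own strings as the post says it can. */
int demo(void)
{
    char a0[32] = "sshd", a1[32] = "-D";
    char *argv[] = { a0, a1, NULL };
    char snapshot[PSARGS_LEN];
    build_psargs(2, argv, snapshot, sizeof snapshot);
    int before = args_were_rewritten(snapshot, 2, argv);   /* 0: still pristine */
    strcpy(a0, "rewritten-title");                          /* stack copy changes, */
    a1[0] = '\0';                                           /* snapshot does not */
    int after = args_were_rewritten(snapshot, 2, argv);    /* 1: stack differs */
    printf("U-area snapshot: \"%s\"\nlive stack argv[0]: \"%s\"\n", snapshot, a0);
    return before == 0 && after == 1;
}
```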


