Apply by doing
cd /usr/src/sys/kern
patch -p0 < fdalloc.patch
Then rebuild the kernel you use.
Index: kern_exec.c
===================================================================
RCS file: /cvs/src/sys/kern/kern_exec.c,v
retrieving revision 1.17
retrieving revision 1.21
diff -u -r1.17 -r1.21
--- kern_exec.c 1998/02/20 14:45:16 1.17
+++ kern_exec.c 1998/07/02 09:03:42 1.21
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_exec.c,v 1.17 1998/02/20 14:45:16 niklas Exp $ */
+/* $OpenBSD: kern_exec.c,v 1.21 1998/07/02 09:03:42 deraadt Exp $ */
/* $NetBSD: kern_exec.c,v 1.75 1996/02/09 18:59:28 christos Exp $ */
/*-
@@ -456,6 +456,8 @@
* MNT_NOEXEC and P_TRACED have already been used to disable s[ug]id.
*/
if ((attr.va_mode & (VSUID | VSGID))) {
+ int i;
+
#ifdef KTRACE
/*
* If process is being ktraced, turn off - unless
@@ -474,6 +476,38 @@
p->p_ucred->cr_gid = attr.va_gid;
p->p_flag |= P_SUGID;
p->p_flag |= P_SUGIDEXEC;
+
+ /*
+ * XXX For setuid processes, attempt to ensure that
+ * stdin, stdout, and stderr are already allocated.
+ * We do not want userland to accidentally allocate
+ * descriptors in this range which has implied meaning
+ * to libc.
+ */
+ for (i = 0; i < 3; i++) {
+ extern struct fileops vnops;
+ struct nameidata nd;
+ struct file *fp;
+ int indx;
+
+ if (p->p_fd->fd_ofiles[i] == NULL) {
+ if ((error = falloc(p, &fp, &indx)) != 0)
+ continue;
+ NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE,
+ "/dev/null", p);
+ if ((error = vn_open(&nd, FREAD, 0)) != 0) {
+ ffree(fp);
+ p->p_fd->fd_ofiles[indx] = NULL;
+ break;
+ }
+ fp->f_flag = FREAD;
+ fp->f_type = DTYPE_VNODE;
+ fp->f_ops = &vnops;
+ fp->f_data = (caddr_t)nd.ni_vp;
+ VOP_UNLOCK(nd.ni_vp, 0, p);
+ }
+ }
+
} else
p->p_flag &= ~P_SUGID;
p->p_cred->p_svuid = p->p_ucred->cr_uid;
