• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Load ELF vmlinux file for the kexec_file_load syscall.
4  *
5  * Copyright (C) 2004  Adam Litke (agl@us.ibm.com)
6  * Copyright (C) 2004  IBM Corp.
7  * Copyright (C) 2005  R Sharada (sharada@in.ibm.com)
8  * Copyright (C) 2006  Mohan Kumar M (mohan@in.ibm.com)
9  * Copyright (C) 2016  IBM Corporation
10  *
11  * Based on kexec-tools' kexec-elf-exec.c and kexec-elf-ppc64.c.
12  * Heavily modified for the kernel by
13  * Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>.
14  */
15 
16 #define pr_fmt(fmt)	"kexec_elf: " fmt
17 
18 #include <linux/elf.h>
19 #include <linux/kexec.h>
20 #include <linux/module.h>
21 #include <linux/slab.h>
22 #include <linux/types.h>
23 
elf_is_elf_file(const struct elfhdr * ehdr)24 static inline bool elf_is_elf_file(const struct elfhdr *ehdr)
25 {
26 	return memcmp(ehdr->e_ident, ELFMAG, SELFMAG) == 0;
27 }
28 
elf64_to_cpu(const struct elfhdr * ehdr,uint64_t value)29 static uint64_t elf64_to_cpu(const struct elfhdr *ehdr, uint64_t value)
30 {
31 	if (ehdr->e_ident[EI_DATA] == ELFDATA2LSB)
32 		value = le64_to_cpu(value);
33 	else if (ehdr->e_ident[EI_DATA] == ELFDATA2MSB)
34 		value = be64_to_cpu(value);
35 
36 	return value;
37 }
38 
elf32_to_cpu(const struct elfhdr * ehdr,uint32_t value)39 static uint32_t elf32_to_cpu(const struct elfhdr *ehdr, uint32_t value)
40 {
41 	if (ehdr->e_ident[EI_DATA] == ELFDATA2LSB)
42 		value = le32_to_cpu(value);
43 	else if (ehdr->e_ident[EI_DATA] == ELFDATA2MSB)
44 		value = be32_to_cpu(value);
45 
46 	return value;
47 }
48 
elf16_to_cpu(const struct elfhdr * ehdr,uint16_t value)49 static uint16_t elf16_to_cpu(const struct elfhdr *ehdr, uint16_t value)
50 {
51 	if (ehdr->e_ident[EI_DATA] == ELFDATA2LSB)
52 		value = le16_to_cpu(value);
53 	else if (ehdr->e_ident[EI_DATA] == ELFDATA2MSB)
54 		value = be16_to_cpu(value);
55 
56 	return value;
57 }
58 
59 /**
60  * elf_is_ehdr_sane - check that it is safe to use the ELF header
61  * @buf_len:	size of the buffer in which the ELF file is loaded.
62  */
elf_is_ehdr_sane(const struct elfhdr * ehdr,size_t buf_len)63 static bool elf_is_ehdr_sane(const struct elfhdr *ehdr, size_t buf_len)
64 {
65 	if (ehdr->e_phnum > 0 && ehdr->e_phentsize != sizeof(struct elf_phdr)) {
66 		pr_debug("Bad program header size.\n");
67 		return false;
68 	} else if (ehdr->e_shnum > 0 &&
69 		   ehdr->e_shentsize != sizeof(struct elf_shdr)) {
70 		pr_debug("Bad section header size.\n");
71 		return false;
72 	} else if (ehdr->e_ident[EI_VERSION] != EV_CURRENT ||
73 		   ehdr->e_version != EV_CURRENT) {
74 		pr_debug("Unknown ELF version.\n");
75 		return false;
76 	}
77 
78 	if (ehdr->e_phoff > 0 && ehdr->e_phnum > 0) {
79 		size_t phdr_size;
80 
81 		/*
82 		 * e_phnum is at most 65535 so calculating the size of the
83 		 * program header cannot overflow.
84 		 */
85 		phdr_size = sizeof(struct elf_phdr) * ehdr->e_phnum;
86 
87 		/* Sanity check the program header table location. */
88 		if (ehdr->e_phoff + phdr_size < ehdr->e_phoff) {
89 			pr_debug("Program headers at invalid location.\n");
90 			return false;
91 		} else if (ehdr->e_phoff + phdr_size > buf_len) {
92 			pr_debug("Program headers truncated.\n");
93 			return false;
94 		}
95 	}
96 
97 	if (ehdr->e_shoff > 0 && ehdr->e_shnum > 0) {
98 		size_t shdr_size;
99 
100 		/*
101 		 * e_shnum is at most 65536 so calculating
102 		 * the size of the section header cannot overflow.
103 		 */
104 		shdr_size = sizeof(struct elf_shdr) * ehdr->e_shnum;
105 
106 		/* Sanity check the section header table location. */
107 		if (ehdr->e_shoff + shdr_size < ehdr->e_shoff) {
108 			pr_debug("Section headers at invalid location.\n");
109 			return false;
110 		} else if (ehdr->e_shoff + shdr_size > buf_len) {
111 			pr_debug("Section headers truncated.\n");
112 			return false;
113 		}
114 	}
115 
116 	return true;
117 }
118 
elf_read_ehdr(const char * buf,size_t len,struct elfhdr * ehdr)119 static int elf_read_ehdr(const char *buf, size_t len, struct elfhdr *ehdr)
120 {
121 	struct elfhdr *buf_ehdr;
122 
123 	if (len < sizeof(*buf_ehdr)) {
124 		pr_debug("Buffer is too small to hold ELF header.\n");
125 		return -ENOEXEC;
126 	}
127 
128 	memset(ehdr, 0, sizeof(*ehdr));
129 	memcpy(ehdr->e_ident, buf, sizeof(ehdr->e_ident));
130 	if (!elf_is_elf_file(ehdr)) {
131 		pr_debug("No ELF header magic.\n");
132 		return -ENOEXEC;
133 	}
134 
135 	if (ehdr->e_ident[EI_CLASS] != ELF_CLASS) {
136 		pr_debug("Not a supported ELF class.\n");
137 		return -ENOEXEC;
138 	} else  if (ehdr->e_ident[EI_DATA] != ELFDATA2LSB &&
139 		ehdr->e_ident[EI_DATA] != ELFDATA2MSB) {
140 		pr_debug("Not a supported ELF data format.\n");
141 		return -ENOEXEC;
142 	}
143 
144 	buf_ehdr = (struct elfhdr *) buf;
145 	if (elf16_to_cpu(ehdr, buf_ehdr->e_ehsize) != sizeof(*buf_ehdr)) {
146 		pr_debug("Bad ELF header size.\n");
147 		return -ENOEXEC;
148 	}
149 
150 	ehdr->e_type      = elf16_to_cpu(ehdr, buf_ehdr->e_type);
151 	ehdr->e_machine   = elf16_to_cpu(ehdr, buf_ehdr->e_machine);
152 	ehdr->e_version   = elf32_to_cpu(ehdr, buf_ehdr->e_version);
153 	ehdr->e_flags     = elf32_to_cpu(ehdr, buf_ehdr->e_flags);
154 	ehdr->e_phentsize = elf16_to_cpu(ehdr, buf_ehdr->e_phentsize);
155 	ehdr->e_phnum     = elf16_to_cpu(ehdr, buf_ehdr->e_phnum);
156 	ehdr->e_shentsize = elf16_to_cpu(ehdr, buf_ehdr->e_shentsize);
157 	ehdr->e_shnum     = elf16_to_cpu(ehdr, buf_ehdr->e_shnum);
158 	ehdr->e_shstrndx  = elf16_to_cpu(ehdr, buf_ehdr->e_shstrndx);
159 
160 	switch (ehdr->e_ident[EI_CLASS]) {
161 	case ELFCLASS64:
162 		ehdr->e_entry = elf64_to_cpu(ehdr, buf_ehdr->e_entry);
163 		ehdr->e_phoff = elf64_to_cpu(ehdr, buf_ehdr->e_phoff);
164 		ehdr->e_shoff = elf64_to_cpu(ehdr, buf_ehdr->e_shoff);
165 		break;
166 
167 	case ELFCLASS32:
168 		ehdr->e_entry = elf32_to_cpu(ehdr, buf_ehdr->e_entry);
169 		ehdr->e_phoff = elf32_to_cpu(ehdr, buf_ehdr->e_phoff);
170 		ehdr->e_shoff = elf32_to_cpu(ehdr, buf_ehdr->e_shoff);
171 		break;
172 
173 	default:
174 		pr_debug("Unknown ELF class.\n");
175 		return -EINVAL;
176 	}
177 
178 	return elf_is_ehdr_sane(ehdr, len) ? 0 : -ENOEXEC;
179 }
180 
181 /**
182  * elf_is_phdr_sane - check that it is safe to use the program header
183  * @buf_len:	size of the buffer in which the ELF file is loaded.
184  */
elf_is_phdr_sane(const struct elf_phdr * phdr,size_t buf_len)185 static bool elf_is_phdr_sane(const struct elf_phdr *phdr, size_t buf_len)
186 {
187 
188 	if (phdr->p_offset + phdr->p_filesz < phdr->p_offset) {
189 		pr_debug("ELF segment location wraps around.\n");
190 		return false;
191 	} else if (phdr->p_offset + phdr->p_filesz > buf_len) {
192 		pr_debug("ELF segment not in file.\n");
193 		return false;
194 	} else if (phdr->p_paddr + phdr->p_memsz < phdr->p_paddr) {
195 		pr_debug("ELF segment address wraps around.\n");
196 		return false;
197 	}
198 
199 	return true;
200 }
201 
elf_read_phdr(const char * buf,size_t len,struct kexec_elf_info * elf_info,int idx)202 static int elf_read_phdr(const char *buf, size_t len,
203 			 struct kexec_elf_info *elf_info,
204 			 int idx)
205 {
206 	/* Override the const in proghdrs, we are the ones doing the loading. */
207 	struct elf_phdr *phdr = (struct elf_phdr *) &elf_info->proghdrs[idx];
208 	const struct elfhdr *ehdr = elf_info->ehdr;
209 	const char *pbuf;
210 	struct elf_phdr *buf_phdr;
211 
212 	pbuf = buf + elf_info->ehdr->e_phoff + (idx * sizeof(*buf_phdr));
213 	buf_phdr = (struct elf_phdr *) pbuf;
214 
215 	phdr->p_type   = elf32_to_cpu(elf_info->ehdr, buf_phdr->p_type);
216 	phdr->p_flags  = elf32_to_cpu(elf_info->ehdr, buf_phdr->p_flags);
217 
218 	switch (ehdr->e_ident[EI_CLASS]) {
219 	case ELFCLASS64:
220 		phdr->p_offset = elf64_to_cpu(ehdr, buf_phdr->p_offset);
221 		phdr->p_paddr  = elf64_to_cpu(ehdr, buf_phdr->p_paddr);
222 		phdr->p_vaddr  = elf64_to_cpu(ehdr, buf_phdr->p_vaddr);
223 		phdr->p_filesz = elf64_to_cpu(ehdr, buf_phdr->p_filesz);
224 		phdr->p_memsz  = elf64_to_cpu(ehdr, buf_phdr->p_memsz);
225 		phdr->p_align  = elf64_to_cpu(ehdr, buf_phdr->p_align);
226 		break;
227 
228 	case ELFCLASS32:
229 		phdr->p_offset = elf32_to_cpu(ehdr, buf_phdr->p_offset);
230 		phdr->p_paddr  = elf32_to_cpu(ehdr, buf_phdr->p_paddr);
231 		phdr->p_vaddr  = elf32_to_cpu(ehdr, buf_phdr->p_vaddr);
232 		phdr->p_filesz = elf32_to_cpu(ehdr, buf_phdr->p_filesz);
233 		phdr->p_memsz  = elf32_to_cpu(ehdr, buf_phdr->p_memsz);
234 		phdr->p_align  = elf32_to_cpu(ehdr, buf_phdr->p_align);
235 		break;
236 
237 	default:
238 		pr_debug("Unknown ELF class.\n");
239 		return -EINVAL;
240 	}
241 
242 	return elf_is_phdr_sane(phdr, len) ? 0 : -ENOEXEC;
243 }
244 
245 /**
246  * elf_read_phdrs - read the program headers from the buffer
247  *
248  * This function assumes that the program header table was checked for sanity.
249  * Use elf_is_ehdr_sane() if it wasn't.
250  */
elf_read_phdrs(const char * buf,size_t len,struct kexec_elf_info * elf_info)251 static int elf_read_phdrs(const char *buf, size_t len,
252 			  struct kexec_elf_info *elf_info)
253 {
254 	size_t phdr_size, i;
255 	const struct elfhdr *ehdr = elf_info->ehdr;
256 
257 	/*
258 	 * e_phnum is at most 65535 so calculating the size of the
259 	 * program header cannot overflow.
260 	 */
261 	phdr_size = sizeof(struct elf_phdr) * ehdr->e_phnum;
262 
263 	elf_info->proghdrs = kzalloc(phdr_size, GFP_KERNEL);
264 	if (!elf_info->proghdrs)
265 		return -ENOMEM;
266 
267 	for (i = 0; i < ehdr->e_phnum; i++) {
268 		int ret;
269 
270 		ret = elf_read_phdr(buf, len, elf_info, i);
271 		if (ret) {
272 			kfree(elf_info->proghdrs);
273 			elf_info->proghdrs = NULL;
274 			return ret;
275 		}
276 	}
277 
278 	return 0;
279 }
280 
281 /**
282  * elf_read_from_buffer - read ELF file and sets up ELF header and ELF info
283  * @buf:	Buffer to read ELF file from.
284  * @len:	Size of @buf.
285  * @ehdr:	Pointer to existing struct which will be populated.
286  * @elf_info:	Pointer to existing struct which will be populated.
287  *
288  * This function allows reading ELF files with different byte order than
289  * the kernel, byte-swapping the fields as needed.
290  *
291  * Return:
292  * On success returns 0, and the caller should call
293  * kexec_free_elf_info(elf_info) to free the memory allocated for the section
294  * and program headers.
295  */
elf_read_from_buffer(const char * buf,size_t len,struct elfhdr * ehdr,struct kexec_elf_info * elf_info)296 static int elf_read_from_buffer(const char *buf, size_t len,
297 				struct elfhdr *ehdr,
298 				struct kexec_elf_info *elf_info)
299 {
300 	int ret;
301 
302 	ret = elf_read_ehdr(buf, len, ehdr);
303 	if (ret)
304 		return ret;
305 
306 	elf_info->buffer = buf;
307 	elf_info->ehdr = ehdr;
308 	if (ehdr->e_phoff > 0 && ehdr->e_phnum > 0) {
309 		ret = elf_read_phdrs(buf, len, elf_info);
310 		if (ret)
311 			return ret;
312 	}
313 	return 0;
314 }
315 
316 /**
317  * kexec_free_elf_info - free memory allocated by elf_read_from_buffer
318  */
kexec_free_elf_info(struct kexec_elf_info * elf_info)319 void kexec_free_elf_info(struct kexec_elf_info *elf_info)
320 {
321 	kfree(elf_info->proghdrs);
322 	memset(elf_info, 0, sizeof(*elf_info));
323 }
324 /**
325  * kexec_build_elf_info - read ELF executable and check that we can use it
326  */
kexec_build_elf_info(const char * buf,size_t len,struct elfhdr * ehdr,struct kexec_elf_info * elf_info)327 int kexec_build_elf_info(const char *buf, size_t len, struct elfhdr *ehdr,
328 			       struct kexec_elf_info *elf_info)
329 {
330 	int i;
331 	int ret;
332 
333 	ret = elf_read_from_buffer(buf, len, ehdr, elf_info);
334 	if (ret)
335 		return ret;
336 
337 	/* Big endian vmlinux has type ET_DYN. */
338 	if (ehdr->e_type != ET_EXEC && ehdr->e_type != ET_DYN) {
339 		pr_err("Not an ELF executable.\n");
340 		goto error;
341 	} else if (!elf_info->proghdrs) {
342 		pr_err("No ELF program header.\n");
343 		goto error;
344 	}
345 
346 	for (i = 0; i < ehdr->e_phnum; i++) {
347 		/*
348 		 * Kexec does not support loading interpreters.
349 		 * In addition this check keeps us from attempting
350 		 * to kexec ordinay executables.
351 		 */
352 		if (elf_info->proghdrs[i].p_type == PT_INTERP) {
353 			pr_err("Requires an ELF interpreter.\n");
354 			goto error;
355 		}
356 	}
357 
358 	return 0;
359 error:
360 	kexec_free_elf_info(elf_info);
361 	return -ENOEXEC;
362 }
363 
364 
kexec_elf_probe(const char * buf,unsigned long len)365 int kexec_elf_probe(const char *buf, unsigned long len)
366 {
367 	struct elfhdr ehdr;
368 	struct kexec_elf_info elf_info;
369 	int ret;
370 
371 	ret = kexec_build_elf_info(buf, len, &ehdr, &elf_info);
372 	if (ret)
373 		return ret;
374 
375 	kexec_free_elf_info(&elf_info);
376 
377 	return elf_check_arch(&ehdr) ? 0 : -ENOEXEC;
378 }
379 
380 /**
381  * kexec_elf_load - load ELF executable image
382  * @lowest_load_addr:	On return, will be the address where the first PT_LOAD
383  *			section will be loaded in memory.
384  *
385  * Return:
386  * 0 on success, negative value on failure.
387  */
kexec_elf_load(struct kimage * image,struct elfhdr * ehdr,struct kexec_elf_info * elf_info,struct kexec_buf * kbuf,unsigned long * lowest_load_addr)388 int kexec_elf_load(struct kimage *image, struct elfhdr *ehdr,
389 			 struct kexec_elf_info *elf_info,
390 			 struct kexec_buf *kbuf,
391 			 unsigned long *lowest_load_addr)
392 {
393 	unsigned long lowest_addr = UINT_MAX;
394 	int ret;
395 	size_t i;
396 
397 	/* Read in the PT_LOAD segments. */
398 	for (i = 0; i < ehdr->e_phnum; i++) {
399 		unsigned long load_addr;
400 		size_t size;
401 		const struct elf_phdr *phdr;
402 
403 		phdr = &elf_info->proghdrs[i];
404 		if (phdr->p_type != PT_LOAD)
405 			continue;
406 
407 		size = phdr->p_filesz;
408 		if (size > phdr->p_memsz)
409 			size = phdr->p_memsz;
410 
411 		kbuf->buffer = (void *) elf_info->buffer + phdr->p_offset;
412 		kbuf->bufsz = size;
413 		kbuf->memsz = phdr->p_memsz;
414 		kbuf->buf_align = phdr->p_align;
415 		kbuf->buf_min = phdr->p_paddr;
416 		kbuf->mem = KEXEC_BUF_MEM_UNKNOWN;
417 		ret = kexec_add_buffer(kbuf);
418 		if (ret)
419 			goto out;
420 		load_addr = kbuf->mem;
421 
422 		if (load_addr < lowest_addr)
423 			lowest_addr = load_addr;
424 	}
425 
426 	*lowest_load_addr = lowest_addr;
427 	ret = 0;
428  out:
429 	return ret;
430 }
431