1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * linux/fs/binfmt_elf.c
4 *
5 * These are the functions used to load ELF format executables as used
6 * on SVr4 machines. Information on the format may be found in the book
7 * "UNIX SYSTEM V RELEASE 4 Programmers Guide: Ansi C and Programming Support
8 * Tools".
9 *
10 * Copyright 1993, 1994: Eric Youngdale (ericy@cais.com).
11 */
12
13 #include <linux/module.h>
14 #include <linux/kernel.h>
15 #include <linux/fs.h>
16 #include <linux/log2.h>
17 #include <linux/mm.h>
18 #include <linux/mman.h>
19 #include <linux/errno.h>
20 #include <linux/signal.h>
21 #include <linux/binfmts.h>
22 #include <linux/string.h>
23 #include <linux/file.h>
24 #include <linux/slab.h>
25 #include <linux/personality.h>
26 #include <linux/elfcore.h>
27 #include <linux/init.h>
28 #include <linux/highuid.h>
29 #include <linux/compiler.h>
30 #include <linux/highmem.h>
31 #include <linux/hugetlb.h>
32 #include <linux/pagemap.h>
33 #include <linux/vmalloc.h>
34 #include <linux/security.h>
35 #include <linux/random.h>
36 #include <linux/elf.h>
37 #include <linux/elf-randomize.h>
38 #include <linux/utsname.h>
39 #include <linux/coredump.h>
40 #include <linux/sched.h>
41 #include <linux/sched/coredump.h>
42 #include <linux/sched/task_stack.h>
43 #include <linux/sched/cputime.h>
44 #include <linux/sizes.h>
45 #include <linux/types.h>
46 #include <linux/cred.h>
47 #include <linux/dax.h>
48 #include <linux/uaccess.h>
49 #include <linux/rseq.h>
50 #include <asm/param.h>
51 #include <asm/page.h>
52
53 #ifndef ELF_COMPAT
54 #define ELF_COMPAT 0
55 #endif
56
57 #ifndef user_long_t
58 #define user_long_t long
59 #endif
60 #ifndef user_siginfo_t
61 #define user_siginfo_t siginfo_t
62 #endif
63
64 /* That's for binfmt_elf_fdpic to deal with */
65 #ifndef elf_check_fdpic
66 #define elf_check_fdpic(ex) false
67 #endif
68
69 static int load_elf_binary(struct linux_binprm *bprm);
70
71 #ifdef CONFIG_USELIB
72 static int load_elf_library(struct file *);
73 #else
74 #define load_elf_library NULL
75 #endif
76
77 /*
78 * If we don't support core dumping, then supply a NULL so we
79 * don't even try.
80 */
81 #ifdef CONFIG_ELF_CORE
82 static int elf_core_dump(struct coredump_params *cprm);
83 #else
84 #define elf_core_dump NULL
85 #endif
86
#if ELF_EXEC_PAGESIZE > PAGE_SIZE
#define ELF_MIN_ALIGN	ELF_EXEC_PAGESIZE
#else
#define ELF_MIN_ALIGN	PAGE_SIZE
#endif
88
89 #ifndef ELF_CORE_EFLAGS
90 #define ELF_CORE_EFLAGS 0
91 #endif
92
#define ELF_PAGESTART(_v) ((_v) & ~(unsigned long)(ELF_MIN_ALIGN-1))
94 #define ELF_PAGEOFFSET(_v) ((_v) & (ELF_MIN_ALIGN-1))
95 #define ELF_PAGEALIGN(_v) (((_v) + ELF_MIN_ALIGN - 1) & ~(ELF_MIN_ALIGN - 1))
96
97 static struct linux_binfmt elf_format = {
98 .module = THIS_MODULE,
99 .load_binary = load_elf_binary,
100 .load_shlib = load_elf_library,
101 #ifdef CONFIG_COREDUMP
102 .core_dump = elf_core_dump,
.min_coredump = ELF_EXEC_PAGESIZE,
105 #endif
106 };
107
108 #define BAD_ADDR(x) (unlikely((unsigned long)(x) >= TASK_SIZE))
109
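/*
 * Map anonymous pages for the page-aligned [start, end) bss region and
 * record the new program break.
 */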
static int set_brk(unsigned long start, unsigned long end, int prot)
111 {
112 start = ELF_PAGEALIGN(start);
113 end = ELF_PAGEALIGN(end);
114 if (end > start) {
115 /*
116 * Map the last of the bss segment.
117 * If the header is requesting these pages to be
118 * executable, honour that (ppc32 needs this).
119 */
120 int error = vm_brk_flags(start, end - start,
121 prot & PROT_EXEC ? VM_EXEC : 0);
122 if (error)
123 return error;
124 }
125 current->mm->start_brk = current->mm->brk = end;
126 return 0;
127 }
128
129 /* We need to explicitly zero any fractional pages
130 after the data section (i.e. bss). This would
131 contain the junk from the file that should not
132 be in memory
133 */
static int padzero(unsigned long elf_bss)
135 {
136 unsigned long nbyte;
137
138 nbyte = ELF_PAGEOFFSET(elf_bss);
139 if (nbyte) {
140 nbyte = ELF_MIN_ALIGN - nbyte;
141 if (clear_user((void __user *) elf_bss, nbyte))
142 return -EFAULT;
143 }
144 return 0;
145 }
146
147 /* Let's use some macros to make this stack manipulation a little clearer */
148 #ifdef CONFIG_STACK_GROWSUP
149 #define STACK_ADD(sp, items) ((elf_addr_t __user *)(sp) + (items))
150 #define STACK_ROUND(sp, items) \
151 ((15 + (unsigned long) ((sp) + (items))) &~ 15UL)
152 #define STACK_ALLOC(sp, len) ({ \
153 elf_addr_t __user *old_sp = (elf_addr_t __user *)sp; sp += len; \
154 old_sp; })
155 #else
156 #define STACK_ADD(sp, items) ((elf_addr_t __user *)(sp) - (items))
157 #define STACK_ROUND(sp, items) \
158 (((unsigned long) (sp - items)) &~ 15UL)
159 #define STACK_ALLOC(sp, len) (sp -= len)
160 #endif
161
162 #ifndef ELF_BASE_PLATFORM
163 /*
164 * AT_BASE_PLATFORM indicates the "real" hardware/microarchitecture.
165 * If the arch defines ELF_BASE_PLATFORM (in asm/elf.h), the value
166 * will be copied to the user stack in the same manner as AT_PLATFORM.
167 */
168 #define ELF_BASE_PLATFORM NULL
169 #endif
170
171 static int
create_elf_tables(struct linux_binprm *bprm, const struct elfhdr *exec,
173 unsigned long interp_load_addr,
174 unsigned long e_entry, unsigned long phdr_addr)
175 {
176 struct mm_struct *mm = current->mm;
177 unsigned long p = bprm->p;
178 int argc = bprm->argc;
179 int envc = bprm->envc;
180 elf_addr_t __user *sp;
181 elf_addr_t __user *u_platform;
182 elf_addr_t __user *u_base_platform;
183 elf_addr_t __user *u_rand_bytes;
184 const char *k_platform = ELF_PLATFORM;
185 const char *k_base_platform = ELF_BASE_PLATFORM;
186 unsigned char k_rand_bytes[16];
187 int items;
188 elf_addr_t *elf_info;
189 elf_addr_t flags = 0;
190 int ei_index;
191 const struct cred *cred = current_cred();
192 struct vm_area_struct *vma;
193
194 /*
195 * In some cases (e.g. Hyper-Threading), we want to avoid L1
196 * evictions by the processes running on the same package. One
197 * thing we can do is to shuffle the initial stack for them.
198 */
199
200 p = arch_align_stack(p);
201
202 /*
203 * If this architecture has a platform capability string, copy it
204 * to userspace. In some cases (Sparc), this info is impossible
205 * for userspace to get any other way, in others (i386) it is
206 * merely difficult.
207 */
208 u_platform = NULL;
209 if (k_platform) {
210 size_t len = strlen(k_platform) + 1;
211
212 u_platform = (elf_addr_t __user *)STACK_ALLOC(p, len);
213 if (copy_to_user(u_platform, k_platform, len))
214 return -EFAULT;
215 }
216
217 /*
218 * If this architecture has a "base" platform capability
219 * string, copy it to userspace.
220 */
221 u_base_platform = NULL;
222 if (k_base_platform) {
223 size_t len = strlen(k_base_platform) + 1;
224
225 u_base_platform = (elf_addr_t __user *)STACK_ALLOC(p, len);
226 if (copy_to_user(u_base_platform, k_base_platform, len))
227 return -EFAULT;
228 }
229
230 /*
231 * Generate 16 random bytes for userspace PRNG seeding.
232 */
233 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
234 u_rand_bytes = (elf_addr_t __user *)
235 STACK_ALLOC(p, sizeof(k_rand_bytes));
236 if (copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
237 return -EFAULT;
238
239 /* Create the ELF interpreter info */
240 elf_info = (elf_addr_t *)mm->saved_auxv;
241 /* update AT_VECTOR_SIZE_BASE if the number of NEW_AUX_ENT() changes */
242 #define NEW_AUX_ENT(id, val) \
243 do { \
244 *elf_info++ = id; \
245 *elf_info++ = val; \
246 } while (0)
247
248 #ifdef ARCH_DLINFO
249 /*
250 * ARCH_DLINFO must come first so PPC can do its special alignment of
251 * AUXV.
252 * update AT_VECTOR_SIZE_ARCH if the number of NEW_AUX_ENT() in
253 * ARCH_DLINFO changes
254 */
255 ARCH_DLINFO;
256 #endif
257 NEW_AUX_ENT(AT_HWCAP, ELF_HWCAP);
258 NEW_AUX_ENT(AT_PAGESZ, ELF_EXEC_PAGESIZE);
NEW_AUX_ENT(AT_CLKTCK, CLK_TCK);
260 NEW_AUX_ENT(AT_PHDR, phdr_addr);
261 NEW_AUX_ENT(AT_PHENT, sizeof(struct elf_phdr));
262 NEW_AUX_ENT(AT_PHNUM, exec->e_phnum);
263 NEW_AUX_ENT(AT_BASE, interp_load_addr);
264 if (bprm->interp_flags & BINPRM_FLAGS_PRESERVE_ARGV0)
265 flags |= AT_FLAGS_PRESERVE_ARGV0;
266 NEW_AUX_ENT(AT_FLAGS, flags);
267 NEW_AUX_ENT(AT_ENTRY, e_entry);
268 NEW_AUX_ENT(AT_UID, from_kuid_munged(cred->user_ns, cred->uid));
269 NEW_AUX_ENT(AT_EUID, from_kuid_munged(cred->user_ns, cred->euid));
270 NEW_AUX_ENT(AT_GID, from_kgid_munged(cred->user_ns, cred->gid));
271 NEW_AUX_ENT(AT_EGID, from_kgid_munged(cred->user_ns, cred->egid));
272 NEW_AUX_ENT(AT_SECURE, bprm->secureexec);
273 NEW_AUX_ENT(AT_RANDOM, (elf_addr_t)(unsigned long)u_rand_bytes);
274 #ifdef ELF_HWCAP2
275 NEW_AUX_ENT(AT_HWCAP2, ELF_HWCAP2);
276 #endif
277 NEW_AUX_ENT(AT_EXECFN, bprm->exec);
278 if (k_platform) {
279 NEW_AUX_ENT(AT_PLATFORM,
280 (elf_addr_t)(unsigned long)u_platform);
281 }
282 if (k_base_platform) {
283 NEW_AUX_ENT(AT_BASE_PLATFORM,
284 (elf_addr_t)(unsigned long)u_base_platform);
285 }
286 if (bprm->have_execfd) {
287 NEW_AUX_ENT(AT_EXECFD, bprm->execfd);
288 }
289 #ifdef CONFIG_RSEQ
290 NEW_AUX_ENT(AT_RSEQ_FEATURE_SIZE, offsetof(struct rseq, end));
291 NEW_AUX_ENT(AT_RSEQ_ALIGN, __alignof__(struct rseq));
292 #endif
293 #undef NEW_AUX_ENT
294 /* AT_NULL is zero; clear the rest too */
295 memset(elf_info, 0, (char *)mm->saved_auxv +
296 sizeof(mm->saved_auxv) - (char *)elf_info);
297
298 /* And advance past the AT_NULL entry. */
299 elf_info += 2;
300
301 ei_index = elf_info - (elf_addr_t *)mm->saved_auxv;
302 sp = STACK_ADD(p, ei_index);
303
304 items = (argc + 1) + (envc + 1) + 1;
305 bprm->p = STACK_ROUND(sp, items);
306
307 /* Point sp at the lowest address on the stack */
308 #ifdef CONFIG_STACK_GROWSUP
309 sp = (elf_addr_t __user *)bprm->p - items - ei_index;
310 bprm->exec = (unsigned long)sp; /* XXX: PARISC HACK */
311 #else
312 sp = (elf_addr_t __user *)bprm->p;
313 #endif
314
315
316 /*
317 * Grow the stack manually; some architectures have a limit on how
318 * far ahead a user-space access may be in order to grow the stack.
319 */
320 if (mmap_write_lock_killable(mm))
321 return -EINTR;
322 vma = find_extend_vma_locked(mm, bprm->p);
323 mmap_write_unlock(mm);
324 if (!vma)
325 return -EFAULT;
326
327 /* Now, let's put argc (and argv, envp if appropriate) on the stack */
328 if (put_user(argc, sp++))
329 return -EFAULT;
330
331 /* Populate list of argv pointers back to argv strings. */
332 p = mm->arg_end = mm->arg_start;
333 while (argc-- > 0) {
334 size_t len;
335 if (put_user((elf_addr_t)p, sp++))
336 return -EFAULT;
337 len = strnlen_user((void __user *)p, MAX_ARG_STRLEN);
338 if (!len || len > MAX_ARG_STRLEN)
339 return -EINVAL;
340 p += len;
341 }
342 if (put_user(0, sp++))
343 return -EFAULT;
344 mm->arg_end = p;
345
346 /* Populate list of envp pointers back to envp strings. */
347 mm->env_end = mm->env_start = p;
348 while (envc-- > 0) {
349 size_t len;
350 if (put_user((elf_addr_t)p, sp++))
351 return -EFAULT;
352 len = strnlen_user((void __user *)p, MAX_ARG_STRLEN);
353 if (!len || len > MAX_ARG_STRLEN)
354 return -EINVAL;
355 p += len;
356 }
357 if (put_user(0, sp++))
358 return -EFAULT;
359 mm->env_end = p;
360
361 /* Put the elf_info on the stack in the right place. */
362 if (copy_to_user(sp, mm->saved_auxv, ei_index * sizeof(elf_addr_t)))
363 return -EFAULT;
364 return 0;
365 }
366
static unsigned long elf_map(struct file *filep, unsigned long addr,
368 const struct elf_phdr *eppnt, int prot, int type,
369 unsigned long total_size)
370 {
371 unsigned long map_addr;
372 unsigned long size = eppnt->p_filesz + ELF_PAGEOFFSET(eppnt->p_vaddr);
373 unsigned long off = eppnt->p_offset - ELF_PAGEOFFSET(eppnt->p_vaddr);
374 addr = ELF_PAGESTART(addr);
375 size = ELF_PAGEALIGN(size);
376
377 /* mmap() will return -EINVAL if given a zero size, but a
378 * segment with zero filesize is perfectly valid */
379 if (!size)
380 return addr;
381
382 /*
383 * total_size is the size of the ELF (interpreter) image.
384 * The _first_ mmap needs to know the full size, otherwise
385 * randomization might put this image into an overlapping
386 * position with the ELF binary image. (since size < total_size)
387 * So we first map the 'big' image - and unmap the remainder at
388 * the end. (which unmap is needed for ELF images with holes.)
389 */
390 if (total_size) {
391 total_size = ELF_PAGEALIGN(total_size);
392 map_addr = vm_mmap(filep, addr, total_size, prot, type, off);
393 if (!BAD_ADDR(map_addr))
394 vm_munmap(map_addr+size, total_size-size);
395 } else
396 map_addr = vm_mmap(filep, addr, size, prot, type, off);
397
398 if ((type & MAP_FIXED_NOREPLACE) &&
399 PTR_ERR((void *)map_addr) == -EEXIST)
400 pr_info("%d (%s): Uhuuh, elf segment at %px requested but the memory is mapped already\n",
401 task_pid_nr(current), current->comm, (void *)addr);
402
403 return(map_addr);
404 }
405
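/*
 * Size of the address range spanned by the PT_LOAD segments: from the
 * page-aligned start of the lowest segment to the end of the highest.
 * Returns 0 if there are no PT_LOAD headers.
 */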
static unsigned long total_mapping_size(const struct elf_phdr *phdr, int nr)
407 {
408 elf_addr_t min_addr = -1;
409 elf_addr_t max_addr = 0;
410 bool pt_load = false;
411 int i;
412
413 for (i = 0; i < nr; i++) {
414 if (phdr[i].p_type == PT_LOAD) {
415 min_addr = min(min_addr, ELF_PAGESTART(phdr[i].p_vaddr));
416 max_addr = max(max_addr, phdr[i].p_vaddr + phdr[i].p_memsz);
417 pt_load = true;
418 }
419 }
420 return pt_load ? (max_addr - min_addr) : 0;
421 }
422
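/* Read exactly @len bytes at offset @pos; a short read is reported as -EIO. */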
static int elf_read(struct file *file, void *buf, size_t len, loff_t pos)
424 {
425 ssize_t rv;
426
427 rv = kernel_read(file, buf, len, &pos);
428 if (unlikely(rv != len)) {
429 return (rv < 0) ? rv : -EIO;
430 }
431 return 0;
432 }
433
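/*
 * Largest power-of-two p_align found among the PT_LOAD headers, passed
 * through ELF_PAGEALIGN(); alignments that are not a power of two are
 * ignored.
 */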
static unsigned long maximum_alignment(struct elf_phdr *cmds, int nr)
435 {
436 unsigned long alignment = 0;
437 int i;
438
439 for (i = 0; i < nr; i++) {
440 if (cmds[i].p_type == PT_LOAD) {
441 unsigned long p_align = cmds[i].p_align;
442
443 /* skip non-power of two alignments as invalid */
444 if (!is_power_of_2(p_align))
445 continue;
446 alignment = max(alignment, p_align);
447 }
448 }
449
450 /* ensure we align to at least one page */
451 return ELF_PAGEALIGN(alignment);
452 }
453
454 /**
455 * load_elf_phdrs() - load ELF program headers
456 * @elf_ex: ELF header of the binary whose program headers should be loaded
457 * @elf_file: the opened ELF binary file
458 *
459 * Loads ELF program headers from the binary file elf_file, which has the ELF
460 * header pointed to by elf_ex, into a newly allocated array. The caller is
461 * responsible for freeing the allocated data. Returns NULL upon failure.
462 */
static struct elf_phdr *load_elf_phdrs(const struct elfhdr *elf_ex,
464 struct file *elf_file)
465 {
466 struct elf_phdr *elf_phdata = NULL;
467 int retval = -1;
468 unsigned int size;
469
470 /*
471 * If the size of this structure has changed, then punt, since
472 * we will be doing the wrong thing.
473 */
474 if (elf_ex->e_phentsize != sizeof(struct elf_phdr))
475 goto out;
476
477 /* Sanity check the number of program headers... */
478 /* ...and their total size. */
479 size = sizeof(struct elf_phdr) * elf_ex->e_phnum;
480 if (size == 0 || size > 65536 || size > ELF_MIN_ALIGN)
481 goto out;
482
483 elf_phdata = kmalloc(size, GFP_KERNEL);
484 if (!elf_phdata)
485 goto out;
486
487 /* Read in the program headers */
488 retval = elf_read(elf_file, elf_phdata, size, elf_ex->e_phoff);
489
490 out:
491 if (retval) {
492 kfree(elf_phdata);
493 elf_phdata = NULL;
494 }
495 return elf_phdata;
496 }
497
498 #ifndef CONFIG_ARCH_BINFMT_ELF_STATE
499
500 /**
501 * struct arch_elf_state - arch-specific ELF loading state
502 *
503 * This structure is used to preserve architecture specific data during
504 * the loading of an ELF file, throughout the checking of architecture
505 * specific ELF headers & through to the point where the ELF load is
506 * known to be proceeding (ie. SET_PERSONALITY).
507 *
508 * This implementation is a dummy for architectures which require no
509 * specific state.
510 */
511 struct arch_elf_state {
512 };
513
514 #define INIT_ARCH_ELF_STATE {}
515
516 /**
517 * arch_elf_pt_proc() - check a PT_LOPROC..PT_HIPROC ELF program header
518 * @ehdr: The main ELF header
519 * @phdr: The program header to check
520 * @elf: The open ELF file
521 * @is_interp: True if the phdr is from the interpreter of the ELF being
522 * loaded, else false.
523 * @state: Architecture-specific state preserved throughout the process
524 * of loading the ELF.
525 *
526 * Inspects the program header phdr to validate its correctness and/or
527 * suitability for the system. Called once per ELF program header in the
528 * range PT_LOPROC to PT_HIPROC, for both the ELF being loaded and its
529 * interpreter.
530 *
531 * Return: Zero to proceed with the ELF load, non-zero to fail the ELF load
532 * with that return code.
533 */
static inline int arch_elf_pt_proc(struct elfhdr *ehdr,
535 struct elf_phdr *phdr,
536 struct file *elf, bool is_interp,
537 struct arch_elf_state *state)
538 {
539 /* Dummy implementation, always proceed */
540 return 0;
541 }
542
543 /**
544 * arch_check_elf() - check an ELF executable
545 * @ehdr: The main ELF header
546 * @has_interp: True if the ELF has an interpreter, else false.
547 * @interp_ehdr: The interpreter's ELF header
548 * @state: Architecture-specific state preserved throughout the process
549 * of loading the ELF.
550 *
551 * Provides a final opportunity for architecture code to reject the loading
552 * of the ELF & cause an exec syscall to return an error. This is called after
553 * all program headers to be checked by arch_elf_pt_proc have been.
554 *
555 * Return: Zero to proceed with the ELF load, non-zero to fail the ELF load
556 * with that return code.
557 */
static inline int arch_check_elf(struct elfhdr *ehdr, bool has_interp,
559 struct elfhdr *interp_ehdr,
560 struct arch_elf_state *state)
561 {
562 /* Dummy implementation, always proceed */
563 return 0;
564 }
565
566 #endif /* !CONFIG_ARCH_BINFMT_ELF_STATE */
567
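/*
 * Translate the PF_R/PF_W/PF_X segment flags into PROT_* bits, then give
 * the architecture a chance to adjust them via arch_elf_adjust_prot().
 */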
static inline int make_prot(u32 p_flags, struct arch_elf_state *arch_state,
569 bool has_interp, bool is_interp)
570 {
571 int prot = 0;
572
573 if (p_flags & PF_R)
574 prot |= PROT_READ;
575 if (p_flags & PF_W)
576 prot |= PROT_WRITE;
577 if (p_flags & PF_X)
578 prot |= PROT_EXEC;
579
580 return arch_elf_adjust_prot(prot, arch_state, has_interp, is_interp);
581 }
582
583 /* This is much more generalized than the library routine read function,
584 so we keep this separate. Technically the library read function
585 is only provided so that we can read a.out libraries that have
586 an ELF header */
587
static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
589 struct file *interpreter,
590 unsigned long no_base, struct elf_phdr *interp_elf_phdata,
591 struct arch_elf_state *arch_state)
592 {
593 struct elf_phdr *eppnt;
594 unsigned long load_addr = 0;
595 int load_addr_set = 0;
596 unsigned long last_bss = 0, elf_bss = 0;
597 int bss_prot = 0;
598 unsigned long error = ~0UL;
599 unsigned long total_size;
600 int i;
601
602 /* First of all, some simple consistency checks */
603 if (interp_elf_ex->e_type != ET_EXEC &&
604 interp_elf_ex->e_type != ET_DYN)
605 goto out;
606 if (!elf_check_arch(interp_elf_ex) ||
607 elf_check_fdpic(interp_elf_ex))
608 goto out;
609 if (!interpreter->f_op->mmap)
610 goto out;
611
612 total_size = total_mapping_size(interp_elf_phdata,
613 interp_elf_ex->e_phnum);
614 if (!total_size) {
615 error = -EINVAL;
616 goto out;
617 }
618
619 eppnt = interp_elf_phdata;
620 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
621 if (eppnt->p_type == PT_LOAD) {
622 int elf_type = MAP_PRIVATE;
623 int elf_prot = make_prot(eppnt->p_flags, arch_state,
624 true, true);
625 unsigned long vaddr = 0;
626 unsigned long k, map_addr;
627
628 vaddr = eppnt->p_vaddr;
629 if (interp_elf_ex->e_type == ET_EXEC || load_addr_set)
630 elf_type |= MAP_FIXED;
631 else if (no_base && interp_elf_ex->e_type == ET_DYN)
632 load_addr = -vaddr;
633
634 map_addr = elf_map(interpreter, load_addr + vaddr,
635 eppnt, elf_prot, elf_type, total_size);
636 total_size = 0;
637 error = map_addr;
638 if (BAD_ADDR(map_addr))
639 goto out;
640
641 if (!load_addr_set &&
642 interp_elf_ex->e_type == ET_DYN) {
643 load_addr = map_addr - ELF_PAGESTART(vaddr);
644 load_addr_set = 1;
645 }
646
647 /*
648 * Check to see if the section's size will overflow the
649 * allowed task size. Note that p_filesz must always be
* <= p_memsz so it's only necessary to check p_memsz.
651 */
652 k = load_addr + eppnt->p_vaddr;
653 if (BAD_ADDR(k) ||
654 eppnt->p_filesz > eppnt->p_memsz ||
655 eppnt->p_memsz > TASK_SIZE ||
656 TASK_SIZE - eppnt->p_memsz < k) {
657 error = -ENOMEM;
658 goto out;
659 }
660
661 /*
662 * Find the end of the file mapping for this phdr, and
663 * keep track of the largest address we see for this.
664 */
665 k = load_addr + eppnt->p_vaddr + eppnt->p_filesz;
666 if (k > elf_bss)
667 elf_bss = k;
668
669 /*
670 * Do the same thing for the memory mapping - between
671 * elf_bss and last_bss is the bss section.
672 */
673 k = load_addr + eppnt->p_vaddr + eppnt->p_memsz;
674 if (k > last_bss) {
675 last_bss = k;
676 bss_prot = elf_prot;
677 }
678 }
679 }
680
681 /*
682 * Now fill out the bss section: first pad the last page from
683 * the file up to the page boundary, and zero it from elf_bss
684 * up to the end of the page.
685 */
686 if (padzero(elf_bss)) {
687 error = -EFAULT;
688 goto out;
689 }
690 /*
691 * Next, align both the file and mem bss up to the page size,
692 * since this is where elf_bss was just zeroed up to, and where
693 * last_bss will end after the vm_brk_flags() below.
694 */
695 elf_bss = ELF_PAGEALIGN(elf_bss);
696 last_bss = ELF_PAGEALIGN(last_bss);
697 /* Finally, if there is still more bss to allocate, do it. */
698 if (last_bss > elf_bss) {
699 error = vm_brk_flags(elf_bss, last_bss - elf_bss,
700 bss_prot & PROT_EXEC ? VM_EXEC : 0);
701 if (error)
702 goto out;
703 }
704
705 error = load_addr;
706 out:
707 return error;
708 }
709
710 /*
711 * These are the functions used to load ELF style executables and shared
712 * libraries. There is no binary dependent code anywhere else.
713 */
714
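/*
 * Parse a single entry of a PT_GNU_PROPERTY note at *off, hand its payload
 * to arch_parse_elf_property() and advance *off past it. Returns -ENOENT
 * once the whole of datasz has been consumed.
 */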
static int parse_elf_property(const char *data, size_t *off, size_t datasz,
716 struct arch_elf_state *arch,
717 bool have_prev_type, u32 *prev_type)
718 {
719 size_t o, step;
720 const struct gnu_property *pr;
721 int ret;
722
723 if (*off == datasz)
724 return -ENOENT;
725
726 if (WARN_ON_ONCE(*off > datasz || *off % ELF_GNU_PROPERTY_ALIGN))
727 return -EIO;
728 o = *off;
729 datasz -= *off;
730
731 if (datasz < sizeof(*pr))
732 return -ENOEXEC;
733 pr = (const struct gnu_property *)(data + o);
734 o += sizeof(*pr);
735 datasz -= sizeof(*pr);
736
737 if (pr->pr_datasz > datasz)
738 return -ENOEXEC;
739
740 WARN_ON_ONCE(o % ELF_GNU_PROPERTY_ALIGN);
741 step = round_up(pr->pr_datasz, ELF_GNU_PROPERTY_ALIGN);
742 if (step > datasz)
743 return -ENOEXEC;
744
745 /* Properties are supposed to be unique and sorted on pr_type: */
746 if (have_prev_type && pr->pr_type <= *prev_type)
747 return -ENOEXEC;
748 *prev_type = pr->pr_type;
749
750 ret = arch_parse_elf_property(pr->pr_type, data + o,
751 pr->pr_datasz, ELF_COMPAT, arch);
752 if (ret)
753 return ret;
754
755 *off = o + step;
756 return 0;
757 }
758
759 #define NOTE_DATA_SZ SZ_1K
760 #define GNU_PROPERTY_TYPE_0_NAME "GNU"
761 #define NOTE_NAME_SZ (sizeof(GNU_PROPERTY_TYPE_0_NAME))
762
static int parse_elf_properties(struct file *f, const struct elf_phdr *phdr,
764 struct arch_elf_state *arch)
765 {
766 union {
767 struct elf_note nhdr;
768 char data[NOTE_DATA_SZ];
769 } note;
770 loff_t pos;
771 ssize_t n;
772 size_t off, datasz;
773 int ret;
774 bool have_prev_type;
775 u32 prev_type;
776
777 if (!IS_ENABLED(CONFIG_ARCH_USE_GNU_PROPERTY) || !phdr)
778 return 0;
779
780 /* load_elf_binary() shouldn't call us unless this is true... */
781 if (WARN_ON_ONCE(phdr->p_type != PT_GNU_PROPERTY))
782 return -ENOEXEC;
783
784 /* If the properties are crazy large, that's too bad (for now): */
785 if (phdr->p_filesz > sizeof(note))
786 return -ENOEXEC;
787
788 pos = phdr->p_offset;
n = kernel_read(f, &note, phdr->p_filesz, &pos);
790
791 BUILD_BUG_ON(sizeof(note) < sizeof(note.nhdr) + NOTE_NAME_SZ);
792 if (n < 0 || n < sizeof(note.nhdr) + NOTE_NAME_SZ)
793 return -EIO;
794
795 if (note.nhdr.n_type != NT_GNU_PROPERTY_TYPE_0 ||
796 note.nhdr.n_namesz != NOTE_NAME_SZ ||
797 strncmp(note.data + sizeof(note.nhdr),
798 GNU_PROPERTY_TYPE_0_NAME, n - sizeof(note.nhdr)))
799 return -ENOEXEC;
800
801 off = round_up(sizeof(note.nhdr) + NOTE_NAME_SZ,
802 ELF_GNU_PROPERTY_ALIGN);
803 if (off > n)
804 return -ENOEXEC;
805
806 if (note.nhdr.n_descsz > n - off)
807 return -ENOEXEC;
808 datasz = off + note.nhdr.n_descsz;
809
810 have_prev_type = false;
811 do {
812 ret = parse_elf_property(note.data, &off, datasz, arch,
813 have_prev_type, &prev_type);
814 have_prev_type = true;
815 } while (!ret);
816
817 return ret == -ENOENT ? 0 : ret;
818 }
819
static int load_elf_binary(struct linux_binprm *bprm)
821 {
822 struct file *interpreter = NULL; /* to shut gcc up */
823 unsigned long load_bias = 0, phdr_addr = 0;
824 int first_pt_load = 1;
825 unsigned long error;
826 struct elf_phdr *elf_ppnt, *elf_phdata, *interp_elf_phdata = NULL;
827 struct elf_phdr *elf_property_phdata = NULL;
828 unsigned long elf_bss, elf_brk;
829 int bss_prot = 0;
830 int retval, i;
831 unsigned long elf_entry;
832 unsigned long e_entry;
833 unsigned long interp_load_addr = 0;
834 unsigned long start_code, end_code, start_data, end_data;
835 unsigned long reloc_func_desc __maybe_unused = 0;
836 int executable_stack = EXSTACK_DEFAULT;
837 struct elfhdr *elf_ex = (struct elfhdr *)bprm->buf;
838 struct elfhdr *interp_elf_ex = NULL;
839 struct arch_elf_state arch_state = INIT_ARCH_ELF_STATE;
840 struct mm_struct *mm;
841 struct pt_regs *regs;
842
843 retval = -ENOEXEC;
844 /* First of all, some simple consistency checks */
845 if (memcmp(elf_ex->e_ident, ELFMAG, SELFMAG) != 0)
846 goto out;
847
848 if (elf_ex->e_type != ET_EXEC && elf_ex->e_type != ET_DYN)
849 goto out;
850 if (!elf_check_arch(elf_ex))
851 goto out;
852 if (elf_check_fdpic(elf_ex))
853 goto out;
854 if (!bprm->file->f_op->mmap)
855 goto out;
856
857 elf_phdata = load_elf_phdrs(elf_ex, bprm->file);
858 if (!elf_phdata)
859 goto out;
860
861 elf_ppnt = elf_phdata;
862 for (i = 0; i < elf_ex->e_phnum; i++, elf_ppnt++) {
863 char *elf_interpreter;
864
865 if (elf_ppnt->p_type == PT_GNU_PROPERTY) {
866 elf_property_phdata = elf_ppnt;
867 continue;
868 }
869
870 if (elf_ppnt->p_type != PT_INTERP)
871 continue;
872
873 /*
874 * This is the program interpreter used for shared libraries -
875 * for now assume that this is an a.out format binary.
876 */
877 retval = -ENOEXEC;
878 if (elf_ppnt->p_filesz > PATH_MAX || elf_ppnt->p_filesz < 2)
879 goto out_free_ph;
880
881 retval = -ENOMEM;
882 elf_interpreter = kmalloc(elf_ppnt->p_filesz, GFP_KERNEL);
883 if (!elf_interpreter)
884 goto out_free_ph;
885
886 retval = elf_read(bprm->file, elf_interpreter, elf_ppnt->p_filesz,
887 elf_ppnt->p_offset);
888 if (retval < 0)
889 goto out_free_interp;
890 /* make sure path is NULL terminated */
891 retval = -ENOEXEC;
892 if (elf_interpreter[elf_ppnt->p_filesz - 1] != '\0')
893 goto out_free_interp;
894
895 interpreter = open_exec(elf_interpreter);
896 kfree(elf_interpreter);
897 retval = PTR_ERR(interpreter);
898 if (IS_ERR(interpreter))
899 goto out_free_ph;
900
901 /*
902 * If the binary is not readable then enforce mm->dumpable = 0
903 * regardless of the interpreter's permissions.
904 */
905 would_dump(bprm, interpreter);
906
907 interp_elf_ex = kmalloc(sizeof(*interp_elf_ex), GFP_KERNEL);
908 if (!interp_elf_ex) {
909 retval = -ENOMEM;
910 goto out_free_file;
911 }
912
913 /* Get the exec headers */
914 retval = elf_read(interpreter, interp_elf_ex,
915 sizeof(*interp_elf_ex), 0);
916 if (retval < 0)
917 goto out_free_dentry;
918
919 break;
920
921 out_free_interp:
922 kfree(elf_interpreter);
923 goto out_free_ph;
924 }
925
926 elf_ppnt = elf_phdata;
927 for (i = 0; i < elf_ex->e_phnum; i++, elf_ppnt++)
928 switch (elf_ppnt->p_type) {
929 case PT_GNU_STACK:
930 if (elf_ppnt->p_flags & PF_X)
931 executable_stack = EXSTACK_ENABLE_X;
932 else
933 executable_stack = EXSTACK_DISABLE_X;
934 break;
935
936 case PT_LOPROC ... PT_HIPROC:
937 retval = arch_elf_pt_proc(elf_ex, elf_ppnt,
938 bprm->file, false,
939 &arch_state);
940 if (retval)
941 goto out_free_dentry;
942 break;
943 }
944
945 /* Some simple consistency checks for the interpreter */
946 if (interpreter) {
947 retval = -ELIBBAD;
948 /* Not an ELF interpreter */
949 if (memcmp(interp_elf_ex->e_ident, ELFMAG, SELFMAG) != 0)
950 goto out_free_dentry;
951 /* Verify the interpreter has a valid arch */
952 if (!elf_check_arch(interp_elf_ex) ||
953 elf_check_fdpic(interp_elf_ex))
954 goto out_free_dentry;
955
956 /* Load the interpreter program headers */
957 interp_elf_phdata = load_elf_phdrs(interp_elf_ex,
958 interpreter);
959 if (!interp_elf_phdata)
960 goto out_free_dentry;
961
962 /* Pass PT_LOPROC..PT_HIPROC headers to arch code */
963 elf_property_phdata = NULL;
964 elf_ppnt = interp_elf_phdata;
965 for (i = 0; i < interp_elf_ex->e_phnum; i++, elf_ppnt++)
966 switch (elf_ppnt->p_type) {
967 case PT_GNU_PROPERTY:
968 elf_property_phdata = elf_ppnt;
969 break;
970
971 case PT_LOPROC ... PT_HIPROC:
972 retval = arch_elf_pt_proc(interp_elf_ex,
973 elf_ppnt, interpreter,
974 true, &arch_state);
975 if (retval)
976 goto out_free_dentry;
977 break;
978 }
979 }
980
981 retval = parse_elf_properties(interpreter ?: bprm->file,
982 elf_property_phdata, &arch_state);
983 if (retval)
984 goto out_free_dentry;
985
986 /*
987 * Allow arch code to reject the ELF at this point, whilst it's
988 * still possible to return an error to the code that invoked
989 * the exec syscall.
990 */
991 retval = arch_check_elf(elf_ex,
992 !!interpreter, interp_elf_ex,
993 &arch_state);
994 if (retval)
995 goto out_free_dentry;
996
997 /* Flush all traces of the currently running executable */
998 retval = begin_new_exec(bprm);
999 if (retval)
1000 goto out_free_dentry;
1001
1002 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
1003 may depend on the personality. */
1004 SET_PERSONALITY2(*elf_ex, &arch_state);
1005 if (elf_read_implies_exec(*elf_ex, executable_stack))
1006 current->personality |= READ_IMPLIES_EXEC;
1007
1008 if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
1009 current->flags |= PF_RANDOMIZE;
1010
1011 setup_new_exec(bprm);
1012
1013 /* Do this so that we can load the interpreter, if need be. We will
1014 change some of these later */
1015 retval = setup_arg_pages(bprm, randomize_stack_top(STACK_TOP),
1016 executable_stack);
1017 if (retval < 0)
1018 goto out_free_dentry;
1019
1020 elf_bss = 0;
1021 elf_brk = 0;
1022
1023 start_code = ~0UL;
1024 end_code = 0;
1025 start_data = 0;
1026 end_data = 0;
1027
1028 /* Now we do a little grungy work by mmapping the ELF image into
1029 the correct location in memory. */
1030 for(i = 0, elf_ppnt = elf_phdata;
1031 i < elf_ex->e_phnum; i++, elf_ppnt++) {
1032 int elf_prot, elf_flags;
1033 unsigned long k, vaddr;
1034 unsigned long total_size = 0;
1035 unsigned long alignment;
1036
1037 if (elf_ppnt->p_type != PT_LOAD)
1038 continue;
1039
1040 if (unlikely (elf_brk > elf_bss)) {
1041 unsigned long nbyte;
1042
1043 /* There was a PT_LOAD segment with p_memsz > p_filesz
1044 before this one. Map anonymous pages, if needed,
1045 and clear the area. */
1046 retval = set_brk(elf_bss + load_bias,
1047 elf_brk + load_bias,
1048 bss_prot);
1049 if (retval)
1050 goto out_free_dentry;
1051 nbyte = ELF_PAGEOFFSET(elf_bss);
1052 if (nbyte) {
1053 nbyte = ELF_MIN_ALIGN - nbyte;
1054 if (nbyte > elf_brk - elf_bss)
1055 nbyte = elf_brk - elf_bss;
1056 if (clear_user((void __user *)elf_bss +
1057 load_bias, nbyte)) {
1058 /*
1059 * This bss-zeroing can fail if the ELF
1060 * file specifies odd protections. So
1061 * we don't check the return value
1062 */
1063 }
1064 }
1065 }
1066
1067 elf_prot = make_prot(elf_ppnt->p_flags, &arch_state,
1068 !!interpreter, false);
1069
1070 elf_flags = MAP_PRIVATE;
1071
1072 vaddr = elf_ppnt->p_vaddr;
1073 /*
1074 * The first time through the loop, first_pt_load is true:
1075 * layout will be calculated. Once set, use MAP_FIXED since
1076 * we know we've already safely mapped the entire region with
1077 * MAP_FIXED_NOREPLACE in the once-per-binary logic following.
1078 */
1079 if (!first_pt_load) {
1080 elf_flags |= MAP_FIXED;
1081 } else if (elf_ex->e_type == ET_EXEC) {
1082 /*
1083 * This logic is run once for the first LOAD Program
1084 * Header for ET_EXEC binaries. No special handling
1085 * is needed.
1086 */
1087 elf_flags |= MAP_FIXED_NOREPLACE;
1088 } else if (elf_ex->e_type == ET_DYN) {
1089 /*
1090 * This logic is run once for the first LOAD Program
1091 * Header for ET_DYN binaries to calculate the
1092 * randomization (load_bias) for all the LOAD
1093 * Program Headers.
1094 *
1095 * There are effectively two types of ET_DYN
1096 * binaries: programs (i.e. PIE: ET_DYN with INTERP)
1097 * and loaders (ET_DYN without INTERP, since they
1098 * _are_ the ELF interpreter). The loaders must
1099 * be loaded away from programs since the program
1100 * may otherwise collide with the loader (especially
1101 * for ET_EXEC which does not have a randomized
1102 * position). For example to handle invocations of
1103 * "./ld.so someprog" to test out a new version of
1104 * the loader, the subsequent program that the
1105 * loader loads must avoid the loader itself, so
1106 * they cannot share the same load range. Sufficient
1107 * room for the brk must be allocated with the
1108 * loader as well, since brk must be available with
1109 * the loader.
1110 *
1111 * Therefore, programs are loaded offset from
1112 * ELF_ET_DYN_BASE and loaders are loaded into the
1113 * independently randomized mmap region (0 load_bias
1114 * without MAP_FIXED nor MAP_FIXED_NOREPLACE).
1115 */
1116 if (interpreter) {
1117 load_bias = ELF_ET_DYN_BASE;
1118 if (current->flags & PF_RANDOMIZE)
1119 load_bias += arch_mmap_rnd();
1120 alignment = maximum_alignment(elf_phdata, elf_ex->e_phnum);
1121 if (alignment)
1122 load_bias &= ~(alignment - 1);
1123 elf_flags |= MAP_FIXED_NOREPLACE;
1124 } else
1125 load_bias = 0;
1126
1127 /*
1128 * Since load_bias is used for all subsequent loading
1129 * calculations, we must lower it by the first vaddr
1130 * so that the remaining calculations based on the
1131 * ELF vaddrs will be correctly offset. The result
1132 * is then page aligned.
1133 */
1134 load_bias = ELF_PAGESTART(load_bias - vaddr);
1135
1136 /*
1137 * Calculate the entire size of the ELF mapping
1138 * (total_size), used for the initial mapping,
1139 * due to load_addr_set which is set to true later
1140 * once the initial mapping is performed.
1141 *
1142 * Note that this is only sensible when the LOAD
1143 * segments are contiguous (or overlapping). If
1144 * used for LOADs that are far apart, this would
1145 * cause the holes between LOADs to be mapped,
1146 * running the risk of having the mapping fail,
1147 * as it would be larger than the ELF file itself.
1148 *
1149 * As a result, only ET_DYN does this, since
1150 * some ET_EXEC (e.g. ia64) may have large virtual
1151 * memory holes between LOADs.
1152 *
1153 */
1154 total_size = total_mapping_size(elf_phdata,
1155 elf_ex->e_phnum);
1156 if (!total_size) {
1157 retval = -EINVAL;
1158 goto out_free_dentry;
1159 }
1160 }
1161
1162 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
1163 elf_prot, elf_flags, total_size);
1164 if (BAD_ADDR(error)) {
1165 retval = IS_ERR_VALUE(error) ?
1166 PTR_ERR((void*)error) : -EINVAL;
1167 goto out_free_dentry;
1168 }
1169
1170 if (first_pt_load) {
1171 first_pt_load = 0;
1172 if (elf_ex->e_type == ET_DYN) {
1173 load_bias += error -
1174 ELF_PAGESTART(load_bias + vaddr);
1175 reloc_func_desc = load_bias;
1176 }
1177 }
1178
1179 /*
1180 * Figure out which segment in the file contains the Program
1181 * Header table, and map to the associated memory address.
1182 */
1183 if (elf_ppnt->p_offset <= elf_ex->e_phoff &&
1184 elf_ex->e_phoff < elf_ppnt->p_offset + elf_ppnt->p_filesz) {
1185 phdr_addr = elf_ex->e_phoff - elf_ppnt->p_offset +
1186 elf_ppnt->p_vaddr;
1187 }
1188
1189 k = elf_ppnt->p_vaddr;
1190 if ((elf_ppnt->p_flags & PF_X) && k < start_code)
1191 start_code = k;
1192 if (start_data < k)
1193 start_data = k;
1194
1195 /*
1196 * Check to see if the section's size will overflow the
1197 * allowed task size. Note that p_filesz must always be
1198 * <= p_memsz so it is only necessary to check p_memsz.
1199 */
1200 if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
1201 elf_ppnt->p_memsz > TASK_SIZE ||
1202 TASK_SIZE - elf_ppnt->p_memsz < k) {
1203 /* set_brk can never work. Avoid overflows. */
1204 retval = -EINVAL;
1205 goto out_free_dentry;
1206 }
1207
1208 k = elf_ppnt->p_vaddr + elf_ppnt->p_filesz;
1209
1210 if (k > elf_bss)
1211 elf_bss = k;
1212 if ((elf_ppnt->p_flags & PF_X) && end_code < k)
1213 end_code = k;
1214 if (end_data < k)
1215 end_data = k;
1216 k = elf_ppnt->p_vaddr + elf_ppnt->p_memsz;
1217 if (k > elf_brk) {
1218 bss_prot = elf_prot;
1219 elf_brk = k;
1220 }
1221 }
1222
1223 e_entry = elf_ex->e_entry + load_bias;
1224 phdr_addr += load_bias;
1225 elf_bss += load_bias;
1226 elf_brk += load_bias;
1227 start_code += load_bias;
1228 end_code += load_bias;
1229 start_data += load_bias;
1230 end_data += load_bias;
1231
1232 /* Calling set_brk effectively mmaps the pages that we need
1233 * for the bss and break sections. We must do this before
1234 * mapping in the interpreter, to make sure it doesn't wind
1235 * up getting placed where the bss needs to go.
1236 */
1237 retval = set_brk(elf_bss, elf_brk, bss_prot);
1238 if (retval)
1239 goto out_free_dentry;
1240 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
1241 retval = -EFAULT; /* Nobody gets to see this, but.. */
1242 goto out_free_dentry;
1243 }
1244
1245 if (interpreter) {
1246 elf_entry = load_elf_interp(interp_elf_ex,
1247 interpreter,
1248 load_bias, interp_elf_phdata,
1249 &arch_state);
1250 if (!IS_ERR_VALUE(elf_entry)) {
1251 /*
1252 * load_elf_interp() returns relocation
1253 * adjustment
1254 */
1255 interp_load_addr = elf_entry;
1256 elf_entry += interp_elf_ex->e_entry;
1257 }
1258 if (BAD_ADDR(elf_entry)) {
1259 retval = IS_ERR_VALUE(elf_entry) ?
1260 (int)elf_entry : -EINVAL;
1261 goto out_free_dentry;
1262 }
1263 reloc_func_desc = interp_load_addr;
1264
1265 allow_write_access(interpreter);
1266 fput(interpreter);
1267
1268 kfree(interp_elf_ex);
1269 kfree(interp_elf_phdata);
1270 } else {
1271 elf_entry = e_entry;
1272 if (BAD_ADDR(elf_entry)) {
1273 retval = -EINVAL;
1274 goto out_free_dentry;
1275 }
1276 }
1277
1278 kfree(elf_phdata);
1279
1280 set_binfmt(&elf_format);
1281
1282 #ifdef ARCH_HAS_SETUP_ADDITIONAL_PAGES
1283 retval = ARCH_SETUP_ADDITIONAL_PAGES(bprm, elf_ex, !!interpreter);
1284 if (retval < 0)
1285 goto out;
1286 #endif /* ARCH_HAS_SETUP_ADDITIONAL_PAGES */
1287
1288 retval = create_elf_tables(bprm, elf_ex, interp_load_addr,
1289 e_entry, phdr_addr);
1290 if (retval < 0)
1291 goto out;
1292
1293 mm = current->mm;
1294 mm->end_code = end_code;
1295 mm->start_code = start_code;
1296 mm->start_data = start_data;
1297 mm->end_data = end_data;
1298 mm->start_stack = bprm->p;
1299
1300 if ((current->flags & PF_RANDOMIZE) && (randomize_va_space > 1)) {
1301 /*
1302 * For architectures with ELF randomization, when executing
1303 * a loader directly (i.e. no interpreter listed in ELF
1304 * headers), move the brk area out of the mmap region
1305 * (since it grows up, and may collide early with the stack
1306 * growing down), and into the unused ELF_ET_DYN_BASE region.
1307 */
1308 if (IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) &&
1309 elf_ex->e_type == ET_DYN && !interpreter) {
1310 mm->brk = mm->start_brk = ELF_ET_DYN_BASE;
1311 }
1312
1313 mm->brk = mm->start_brk = arch_randomize_brk(mm);
1314 #ifdef compat_brk_randomized
1315 current->brk_randomized = 1;
1316 #endif
1317 }
1318
1319 if (current->personality & MMAP_PAGE_ZERO) {
1320 /* Why this, you ask??? Well SVr4 maps page 0 as read-only,
1321 and some applications "depend" upon this behavior.
1322 Since we do not have the power to recompile these, we
1323 emulate the SVr4 behavior. Sigh. */
1324 error = vm_mmap(NULL, 0, PAGE_SIZE, PROT_READ | PROT_EXEC,
1325 MAP_FIXED | MAP_PRIVATE, 0);
1326 }
1327
1328 regs = current_pt_regs();
1329 #ifdef ELF_PLAT_INIT
1330 /*
1331 * The ABI may specify that certain registers be set up in special
1332 * ways (on i386 %edx is the address of a DT_FINI function, for
1333 * example. In addition, it may also specify (eg, PowerPC64 ELF)
1334 * that the e_entry field is the address of the function descriptor
1335 * for the startup routine, rather than the address of the startup
1336 * routine itself. This macro performs whatever initialization to
1337 * the regs structure is required as well as any relocations to the
* function descriptor entries when executing dynamically linked apps.
1339 */
1340 ELF_PLAT_INIT(regs, reloc_func_desc);
1341 #endif
1342
1343 finalize_exec(bprm);
1344 START_THREAD(elf_ex, regs, elf_entry, bprm->p);
1345 retval = 0;
1346 out:
1347 return retval;
1348
1349 /* error cleanup */
1350 out_free_dentry:
1351 kfree(interp_elf_ex);
1352 kfree(interp_elf_phdata);
1353 out_free_file:
1354 allow_write_access(interpreter);
1355 if (interpreter)
1356 fput(interpreter);
1357 out_free_ph:
1358 kfree(elf_phdata);
1359 goto out;
1360 }
1361
1362 #ifdef CONFIG_USELIB
1363 /* This is really simpleminded and specialized - we are loading an
1364 a.out library that is given an ELF header. */
static int load_elf_library(struct file *file)
1366 {
1367 struct elf_phdr *elf_phdata;
1368 struct elf_phdr *eppnt;
1369 unsigned long elf_bss, bss, len;
1370 int retval, error, i, j;
1371 struct elfhdr elf_ex;
1372
1373 error = -ENOEXEC;
1374 retval = elf_read(file, &elf_ex, sizeof(elf_ex), 0);
1375 if (retval < 0)
1376 goto out;
1377
1378 if (memcmp(elf_ex.e_ident, ELFMAG, SELFMAG) != 0)
1379 goto out;
1380
1381 /* First of all, some simple consistency checks */
1382 if (elf_ex.e_type != ET_EXEC || elf_ex.e_phnum > 2 ||
1383 !elf_check_arch(&elf_ex) || !file->f_op->mmap)
1384 goto out;
1385 if (elf_check_fdpic(&elf_ex))
1386 goto out;
1387
1388 /* Now read in all of the header information */
1389
1390 j = sizeof(struct elf_phdr) * elf_ex.e_phnum;
1391 /* j < ELF_MIN_ALIGN because elf_ex.e_phnum <= 2 */
1392
1393 error = -ENOMEM;
1394 elf_phdata = kmalloc(j, GFP_KERNEL);
1395 if (!elf_phdata)
1396 goto out;
1397
1398 eppnt = elf_phdata;
1399 error = -ENOEXEC;
1400 retval = elf_read(file, eppnt, j, elf_ex.e_phoff);
1401 if (retval < 0)
1402 goto out_free_ph;
1403
1404 for (j = 0, i = 0; i<elf_ex.e_phnum; i++)
1405 if ((eppnt + i)->p_type == PT_LOAD)
1406 j++;
1407 if (j != 1)
1408 goto out_free_ph;
1409
1410 while (eppnt->p_type != PT_LOAD)
1411 eppnt++;
1412
1413 /* Now use mmap to map the library into memory. */
1414 error = vm_mmap(file,
1415 ELF_PAGESTART(eppnt->p_vaddr),
1416 (eppnt->p_filesz +
1417 ELF_PAGEOFFSET(eppnt->p_vaddr)),
1418 PROT_READ | PROT_WRITE | PROT_EXEC,
1419 MAP_FIXED_NOREPLACE | MAP_PRIVATE,
1420 (eppnt->p_offset -
1421 ELF_PAGEOFFSET(eppnt->p_vaddr)));
1422 if (error != ELF_PAGESTART(eppnt->p_vaddr))
1423 goto out_free_ph;
1424
1425 elf_bss = eppnt->p_vaddr + eppnt->p_filesz;
1426 if (padzero(elf_bss)) {
1427 error = -EFAULT;
1428 goto out_free_ph;
1429 }
1430
1431 len = ELF_PAGEALIGN(eppnt->p_filesz + eppnt->p_vaddr);
1432 bss = ELF_PAGEALIGN(eppnt->p_memsz + eppnt->p_vaddr);
1433 if (bss > len) {
1434 error = vm_brk(len, bss - len);
1435 if (error)
1436 goto out_free_ph;
1437 }
1438 error = 0;
1439
1440 out_free_ph:
1441 kfree(elf_phdata);
1442 out:
1443 return error;
1444 }
1445 #endif /* #ifdef CONFIG_USELIB */
1446
1447 #ifdef CONFIG_ELF_CORE
1448 /*
1449 * ELF core dumper
1450 *
1451 * Modelled on fs/exec.c:aout_core_dump()
1452 * Jeremy Fitzhardinge <jeremy@sw.oz.au>
1453 */
1454
1455 /* An ELF note in memory */
1456 struct memelfnote
1457 {
1458 const char *name;
1459 int type;
1460 unsigned int datasz;
1461 void *data;
1462 };
1463
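/* On-disk size of a note: header plus name and descriptor, each padded to 4 bytes. */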
static int notesize(struct memelfnote *en)
1465 {
1466 int sz;
1467
1468 sz = sizeof(struct elf_note);
1469 sz += roundup(strlen(en->name) + 1, 4);
1470 sz += roundup(en->datasz, 4);
1471
1472 return sz;
1473 }
1474
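/*
 * Emit a single note (header, name, descriptor) into the core file,
 * 4-byte aligning the name and descriptor as the ELF note format requires.
 */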
static int writenote(struct memelfnote *men, struct coredump_params *cprm)
1476 {
1477 struct elf_note en;
1478 en.n_namesz = strlen(men->name) + 1;
1479 en.n_descsz = men->datasz;
1480 en.n_type = men->type;
1481
1482 return dump_emit(cprm, &en, sizeof(en)) &&
1483 dump_emit(cprm, men->name, en.n_namesz) && dump_align(cprm, 4) &&
1484 dump_emit(cprm, men->data, men->datasz) && dump_align(cprm, 4);
1485 }
1486
static void fill_elf_header(struct elfhdr *elf, int segs,
1488 u16 machine, u32 flags)
1489 {
1490 memset(elf, 0, sizeof(*elf));
1491
1492 memcpy(elf->e_ident, ELFMAG, SELFMAG);
1493 elf->e_ident[EI_CLASS] = ELF_CLASS;
1494 elf->e_ident[EI_DATA] = ELF_DATA;
1495 elf->e_ident[EI_VERSION] = EV_CURRENT;
1496 elf->e_ident[EI_OSABI] = ELF_OSABI;
1497
1498 elf->e_type = ET_CORE;
1499 elf->e_machine = machine;
1500 elf->e_version = EV_CURRENT;
1501 elf->e_phoff = sizeof(struct elfhdr);
1502 elf->e_flags = flags;
1503 elf->e_ehsize = sizeof(struct elfhdr);
1504 elf->e_phentsize = sizeof(struct elf_phdr);
1505 elf->e_phnum = segs;
1506 }
1507
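/* Describe the notes area: a PT_NOTE program header of @sz bytes at @offset. */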
static void fill_elf_note_phdr(struct elf_phdr *phdr, int sz, loff_t offset)
1509 {
1510 phdr->p_type = PT_NOTE;
1511 phdr->p_offset = offset;
1512 phdr->p_vaddr = 0;
1513 phdr->p_paddr = 0;
1514 phdr->p_filesz = sz;
1515 phdr->p_memsz = 0;
1516 phdr->p_flags = 0;
1517 phdr->p_align = 4;
1518 }
1519
static void fill_note(struct memelfnote *note, const char *name, int type,
1521 unsigned int sz, void *data)
1522 {
1523 note->name = name;
1524 note->type = type;
1525 note->datasz = sz;
1526 note->data = data;
1527 }
1528
1529 /*
1530 * fill up all the fields in prstatus from the given task struct, except
1531 * registers which need to be filled up separately.
1532 */
static void fill_prstatus(struct elf_prstatus_common *prstatus,
1534 struct task_struct *p, long signr)
1535 {
1536 prstatus->pr_info.si_signo = prstatus->pr_cursig = signr;
1537 prstatus->pr_sigpend = p->pending.signal.sig[0];
1538 prstatus->pr_sighold = p->blocked.sig[0];
1539 rcu_read_lock();
1540 prstatus->pr_ppid = task_pid_vnr(rcu_dereference(p->real_parent));
1541 rcu_read_unlock();
1542 prstatus->pr_pid = task_pid_vnr(p);
1543 prstatus->pr_pgrp = task_pgrp_vnr(p);
1544 prstatus->pr_sid = task_session_vnr(p);
1545 if (thread_group_leader(p)) {
1546 struct task_cputime cputime;
1547
1548 /*
1549 * This is the record for the group leader. It shows the
1550 * group-wide total, not its individual thread total.
1551 */
1552 thread_group_cputime(p, &cputime);
1553 prstatus->pr_utime = ns_to_kernel_old_timeval(cputime.utime);
1554 prstatus->pr_stime = ns_to_kernel_old_timeval(cputime.stime);
1555 } else {
1556 u64 utime, stime;
1557
1558 task_cputime(p, &utime, &stime);
1559 prstatus->pr_utime = ns_to_kernel_old_timeval(utime);
1560 prstatus->pr_stime = ns_to_kernel_old_timeval(stime);
1561 }
1562
1563 prstatus->pr_cutime = ns_to_kernel_old_timeval(p->signal->cutime);
1564 prstatus->pr_cstime = ns_to_kernel_old_timeval(p->signal->cstime);
1565 }
1566
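/*
 * Fill the NT_PRPSINFO data for the dumped process: command line (with
 * NULs replaced by spaces), ids, state, nice value and command name.
 */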
static int fill_psinfo(struct elf_prpsinfo *psinfo, struct task_struct *p,
1568 struct mm_struct *mm)
1569 {
1570 const struct cred *cred;
1571 unsigned int i, len;
1572 unsigned int state;
1573
1574 /* first copy the parameters from user space */
1575 memset(psinfo, 0, sizeof(struct elf_prpsinfo));
1576
1577 len = mm->arg_end - mm->arg_start;
1578 if (len >= ELF_PRARGSZ)
1579 len = ELF_PRARGSZ-1;
1580 if (copy_from_user(&psinfo->pr_psargs,
1581 (const char __user *)mm->arg_start, len))
1582 return -EFAULT;
1583 for(i = 0; i < len; i++)
1584 if (psinfo->pr_psargs[i] == 0)
1585 psinfo->pr_psargs[i] = ' ';
1586 psinfo->pr_psargs[len] = 0;
1587
1588 rcu_read_lock();
1589 psinfo->pr_ppid = task_pid_vnr(rcu_dereference(p->real_parent));
1590 rcu_read_unlock();
1591 psinfo->pr_pid = task_pid_vnr(p);
1592 psinfo->pr_pgrp = task_pgrp_vnr(p);
1593 psinfo->pr_sid = task_session_vnr(p);
1594
1595 state = READ_ONCE(p->__state);
1596 i = state ? ffz(~state) + 1 : 0;
1597 psinfo->pr_state = i;
1598 psinfo->pr_sname = (i > 5) ? '.' : "RSDTZW"[i];
1599 psinfo->pr_zomb = psinfo->pr_sname == 'Z';
1600 psinfo->pr_nice = task_nice(p);
1601 psinfo->pr_flag = p->flags;
1602 rcu_read_lock();
1603 cred = __task_cred(p);
1604 SET_UID(psinfo->pr_uid, from_kuid_munged(cred->user_ns, cred->uid));
1605 SET_GID(psinfo->pr_gid, from_kgid_munged(cred->user_ns, cred->gid));
1606 rcu_read_unlock();
1607 get_task_comm(psinfo->pr_fname, p);
1608
1609 return 0;
1610 }
1611
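/*
 * Dump the saved auxiliary vector, up to and including the terminating
 * AT_NULL entry, as an NT_AUXV note.
 */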
static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
1613 {
1614 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
1615 int i = 0;
1616 do
1617 i += 2;
1618 while (auxv[i - 2] != AT_NULL);
1619 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
1620 }
1621
static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata,
1623 const kernel_siginfo_t *siginfo)
1624 {
1625 copy_siginfo_to_external(csigdata, siginfo);
1626 fill_note(note, "CORE", NT_SIGINFO, sizeof(*csigdata), csigdata);
1627 }
1628
1629 #define MAX_FILE_NOTE_SIZE (4*1024*1024)
1630 /*
1631 * Format of NT_FILE note:
1632 *
1633 * long count -- how many files are mapped
1634 * long page_size -- units for file_ofs
1635 * array of [COUNT] elements of
1636 * long start
1637 * long end
1638 * long file_ofs
1639 * followed by COUNT filenames in ASCII: "FILE1" NUL "FILE2" NUL...
1640 */
static int fill_files_note(struct memelfnote *note, struct coredump_params *cprm)
1642 {
1643 unsigned count, size, names_ofs, remaining, n;
1644 user_long_t *data;
1645 user_long_t *start_end_ofs;
1646 char *name_base, *name_curpos;
1647 int i;
1648
1649 /* *Estimated* file count and total data size needed */
1650 count = cprm->vma_count;
1651 if (count > UINT_MAX / 64)
1652 return -EINVAL;
1653 size = count * 64;
1654
1655 names_ofs = (2 + 3 * count) * sizeof(data[0]);
1656 alloc:
1657 if (size >= MAX_FILE_NOTE_SIZE) /* paranoia check */
1658 return -EINVAL;
1659 size = round_up(size, PAGE_SIZE);
1660 /*
1661 * "size" can be 0 here legitimately.
1662 * Let it ENOMEM and omit NT_FILE section which will be empty anyway.
1663 */
1664 data = kvmalloc(size, GFP_KERNEL);
1665 if (ZERO_OR_NULL_PTR(data))
1666 return -ENOMEM;
1667
1668 start_end_ofs = data + 2;
1669 name_base = name_curpos = ((char *)data) + names_ofs;
1670 remaining = size - names_ofs;
1671 count = 0;
1672 for (i = 0; i < cprm->vma_count; i++) {
1673 struct core_vma_metadata *m = &cprm->vma_meta[i];
1674 struct file *file;
1675 const char *filename;
1676
1677 file = m->file;
1678 if (!file)
1679 continue;
1680 filename = file_path(file, name_curpos, remaining);
1681 if (IS_ERR(filename)) {
1682 if (PTR_ERR(filename) == -ENAMETOOLONG) {
1683 kvfree(data);
1684 size = size * 5 / 4;
1685 goto alloc;
1686 }
1687 continue;
1688 }
1689
1690 /* file_path() fills at the end, move name down */
1691 /* n = strlen(filename) + 1: */
1692 n = (name_curpos + remaining) - filename;
1693 remaining = filename - name_curpos;
1694 memmove(name_curpos, filename, n);
1695 name_curpos += n;
1696
1697 *start_end_ofs++ = m->start;
1698 *start_end_ofs++ = m->end;
1699 *start_end_ofs++ = m->pgoff;
1700 count++;
1701 }
1702
1703 /* Now we know exact count of files, can store it */
1704 data[0] = count;
1705 data[1] = PAGE_SIZE;
1706 /*
1707 * Count usually is less than mm->map_count,
1708 * we need to move filenames down.
1709 */
1710 n = cprm->vma_count - count;
1711 if (n != 0) {
1712 unsigned shift_bytes = n * 3 * sizeof(data[0]);
1713 memmove(name_base - shift_bytes, name_base,
1714 name_curpos - name_base);
1715 name_curpos -= shift_bytes;
1716 }
1717
1718 size = name_curpos - (char *)data;
1719 fill_note(note, "CORE", NT_FILE, size, data);
1720 return 0;
1721 }
1722
1723 #include <linux/regset.h>
1724
1725 struct elf_thread_core_info {
1726 struct elf_thread_core_info *next;
1727 struct task_struct *task;
1728 struct elf_prstatus prstatus;
1729 struct memelfnote notes[];
1730 };
1731
1732 struct elf_note_info {
1733 struct elf_thread_core_info *thread;
1734 struct memelfnote psinfo;
1735 struct memelfnote signote;
1736 struct memelfnote auxv;
1737 struct memelfnote files;
1738 user_siginfo_t csigdata;
1739 size_t size;
1740 int thread_notes;
1741 };
1742
1743 #ifdef CORE_DUMP_USE_REGSET
1744 /*
1745 * When a regset has a writeback hook, we call it on each thread before
1746 * dumping user memory. On register window machines, this makes sure the
1747 * user memory backing the register data is up to date before we read it.
1748 */
static void do_thread_regset_writeback(struct task_struct *task,
1750 const struct user_regset *regset)
1751 {
1752 if (regset->writeback)
1753 regset->writeback(task, regset, 1);
1754 }
1755
1756 #ifndef PRSTATUS_SIZE
1757 #define PRSTATUS_SIZE sizeof(struct elf_prstatus)
1758 #endif
1759
1760 #ifndef SET_PR_FPVALID
1761 #define SET_PR_FPVALID(S) ((S)->pr_fpvalid = 1)
1762 #endif
1763
static int fill_thread_core_info(struct elf_thread_core_info *t,
1765 const struct user_regset_view *view,
1766 long signr, struct elf_note_info *info)
1767 {
1768 unsigned int note_iter, view_iter;
1769
1770 /*
1771 * NT_PRSTATUS is the one special case, because the regset data
1772 * goes into the pr_reg field inside the note contents, rather
1773 * than being the whole note contents. We fill the regset in here.
1774 * We assume that regset 0 is NT_PRSTATUS.
1775 */
1776 fill_prstatus(&t->prstatus.common, t->task, signr);
1777 regset_get(t->task, &view->regsets[0],
1778 sizeof(t->prstatus.pr_reg), &t->prstatus.pr_reg);
1779
1780 fill_note(&t->notes[0], "CORE", NT_PRSTATUS,
1781 PRSTATUS_SIZE, &t->prstatus);
1782 info->size += notesize(&t->notes[0]);
1783
1784 do_thread_regset_writeback(t->task, &view->regsets[0]);
1785
1786 /*
1787 * Each other regset might generate a note too. For each regset
1788 * that has no core_note_type or is inactive, skip it.
1789 */
1790 note_iter = 1;
1791 for (view_iter = 1; view_iter < view->n; ++view_iter) {
1792 const struct user_regset *regset = &view->regsets[view_iter];
1793 int note_type = regset->core_note_type;
1794 bool is_fpreg = note_type == NT_PRFPREG;
1795 void *data;
1796 int ret;
1797
1798 do_thread_regset_writeback(t->task, regset);
1799 if (!note_type) // not for coredumps
1800 continue;
1801 if (regset->active && regset->active(t->task, regset) <= 0)
1802 continue;
1803
1804 ret = regset_get_alloc(t->task, regset, ~0U, &data);
1805 if (ret < 0)
1806 continue;
1807
1808 if (WARN_ON_ONCE(note_iter >= info->thread_notes))
1809 break;
1810
1811 if (is_fpreg)
1812 SET_PR_FPVALID(&t->prstatus);
1813
1814 fill_note(&t->notes[note_iter], is_fpreg ? "CORE" : "LINUX",
1815 note_type, ret, data);
1816
1817 info->size += notesize(&t->notes[note_iter]);
1818 note_iter++;
1819 }
1820
1821 return 1;
1822 }
1823 #else
1824 static int fill_thread_core_info(struct elf_thread_core_info *t,
1825 const struct user_regset_view *view,
1826 long signr, struct elf_note_info *info)
1827 {
1828 struct task_struct *p = t->task;
1829 elf_fpregset_t *fpu;
1830
1831 fill_prstatus(&t->prstatus.common, p, signr);
1832 elf_core_copy_task_regs(p, &t->prstatus.pr_reg);
1833
1834 fill_note(&t->notes[0], "CORE", NT_PRSTATUS, sizeof(t->prstatus),
1835 &(t->prstatus));
1836 info->size += notesize(&t->notes[0]);
1837
1838 fpu = kzalloc(sizeof(elf_fpregset_t), GFP_KERNEL);
1839 if (!fpu || !elf_core_copy_task_fpregs(p, fpu)) {
1840 kfree(fpu);
1841 return 1;
1842 }
1843
1844 t->prstatus.pr_fpvalid = 1;
1845 fill_note(&t->notes[1], "CORE", NT_PRFPREG, sizeof(*fpu), fpu);
1846 info->size += notesize(&t->notes[1]);
1847
1848 return 1;
1849 }
1850 #endif
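
/*
 * Each memelfnote filled above is later emitted by writenote() in the
 * standard ELF note record encoding (sketch):
 *
 *	Elf_Nhdr { n_namesz, n_descsz, n_type }
 *	name  ("CORE" or "LINUX"), NUL-terminated, padded to 4 bytes
 *	desc  (the register or state data),       padded to 4 bytes
 */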
1851
1852 static int fill_note_info(struct elfhdr *elf, int phdrs,
1853 struct elf_note_info *info,
1854 struct coredump_params *cprm)
1855 {
1856 struct task_struct *dump_task = current;
1857 const struct user_regset_view *view;
1858 struct elf_thread_core_info *t;
1859 struct elf_prpsinfo *psinfo;
1860 struct core_thread *ct;
1861
1862 psinfo = kmalloc(sizeof(*psinfo), GFP_KERNEL);
1863 if (!psinfo)
1864 return 0;
1865 fill_note(&info->psinfo, "CORE", NT_PRPSINFO, sizeof(*psinfo), psinfo);
1866
1867 #ifdef CORE_DUMP_USE_REGSET
1868 view = task_user_regset_view(dump_task);
1869
1870 /*
1871 * Figure out how many notes we're going to need for each thread.
1872 */
1873 info->thread_notes = 0;
1874 for (int i = 0; i < view->n; ++i)
1875 if (view->regsets[i].core_note_type != 0)
1876 ++info->thread_notes;
1877
1878 /*
1879 	 * Sanity check. We rely on regset 0 being NT_PRSTATUS,
1880 * since it is our one special case.
1881 */
1882 if (unlikely(info->thread_notes == 0) ||
1883 unlikely(view->regsets[0].core_note_type != NT_PRSTATUS)) {
1884 WARN_ON(1);
1885 return 0;
1886 }
1887
1888 /*
1889 * Initialize the ELF file header.
1890 */
1891 fill_elf_header(elf, phdrs,
1892 view->e_machine, view->e_flags);
1893 #else
1894 view = NULL;
1895 info->thread_notes = 2;
1896 fill_elf_header(elf, phdrs, ELF_ARCH, ELF_CORE_EFLAGS);
1897 #endif
1898
1899 /*
1900 * Allocate a structure for each thread.
1901 */
1902 info->thread = kzalloc(offsetof(struct elf_thread_core_info,
1903 notes[info->thread_notes]),
1904 GFP_KERNEL);
1905 if (unlikely(!info->thread))
1906 return 0;
1907
1908 info->thread->task = dump_task;
1909 for (ct = dump_task->signal->core_state->dumper.next; ct; ct = ct->next) {
1910 t = kzalloc(offsetof(struct elf_thread_core_info,
1911 notes[info->thread_notes]),
1912 GFP_KERNEL);
1913 if (unlikely(!t))
1914 return 0;
1915
1916 t->task = ct->task;
1917 t->next = info->thread->next;
1918 info->thread->next = t;
1919 }
1920
1921 /*
1922 * Now fill in each thread's information.
1923 */
1924 for (t = info->thread; t != NULL; t = t->next)
1925 if (!fill_thread_core_info(t, view, cprm->siginfo->si_signo, info))
1926 return 0;
1927
1928 /*
1929 	 * Fill in the process-wide notes.
1930 */
1931 fill_psinfo(psinfo, dump_task->group_leader, dump_task->mm);
1932 info->size += notesize(&info->psinfo);
1933
1934 fill_siginfo_note(&info->signote, &info->csigdata, cprm->siginfo);
1935 info->size += notesize(&info->signote);
1936
1937 fill_auxv_note(&info->auxv, current->mm);
1938 info->size += notesize(&info->auxv);
1939
1940 if (fill_files_note(&info->files, cprm) == 0)
1941 info->size += notesize(&info->files);
1942
1943 return 1;
1944 }
1945
1946 /*
1947 * Write all the notes for each thread. When writing the first thread, the
1948 * process-wide notes are interleaved after the first thread-specific note.
1949 */
1950 static int write_note_info(struct elf_note_info *info,
1951 struct coredump_params *cprm)
1952 {
1953 bool first = true;
1954 struct elf_thread_core_info *t = info->thread;
1955
1956 do {
1957 int i;
1958
1959 if (!writenote(&t->notes[0], cprm))
1960 return 0;
1961
1962 if (first && !writenote(&info->psinfo, cprm))
1963 return 0;
1964 if (first && !writenote(&info->signote, cprm))
1965 return 0;
1966 if (first && !writenote(&info->auxv, cprm))
1967 return 0;
1968 if (first && info->files.data &&
1969 !writenote(&info->files, cprm))
1970 return 0;
1971
1972 for (i = 1; i < info->thread_notes; ++i)
1973 if (t->notes[i].data &&
1974 !writenote(&t->notes[i], cprm))
1975 return 0;
1976
1977 first = false;
1978 t = t->next;
1979 } while (t);
1980
1981 return 1;
1982 }
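
/*
 * Resulting note order in the PT_NOTE segment (sketch):
 *
 *	thread 1:  NT_PRSTATUS
 *	           NT_PRPSINFO, NT_SIGINFO, NT_AUXV, NT_FILE (process-wide,
 *	           NT_FILE only when present)
 *	           remaining regset notes for thread 1
 *	thread 2:  NT_PRSTATUS, remaining regset notes for thread 2
 *	...
 */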
1983
1984 static void free_note_info(struct elf_note_info *info)
1985 {
1986 struct elf_thread_core_info *threads = info->thread;
1987 while (threads) {
1988 unsigned int i;
1989 struct elf_thread_core_info *t = threads;
1990 threads = t->next;
1991 WARN_ON(t->notes[0].data && t->notes[0].data != &t->prstatus);
1992 for (i = 1; i < info->thread_notes; ++i)
1993 kfree(t->notes[i].data);
1994 kfree(t);
1995 }
1996 kfree(info->psinfo.data);
1997 kvfree(info->files.data);
1998 }
1999
2000 static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
2001 elf_addr_t e_shoff, int segs)
2002 {
2003 elf->e_shoff = e_shoff;
2004 elf->e_shentsize = sizeof(*shdr4extnum);
2005 elf->e_shnum = 1;
2006 elf->e_shstrndx = SHN_UNDEF;
2007
2008 memset(shdr4extnum, 0, sizeof(*shdr4extnum));
2009
2010 shdr4extnum->sh_type = SHT_NULL;
2011 shdr4extnum->sh_size = elf->e_shnum;
2012 shdr4extnum->sh_link = elf->e_shstrndx;
2013 shdr4extnum->sh_info = segs;
2014 }
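
/*
 * Illustrative sketch (not part of the kernel build): how a core-file reader
 * recovers the real program header count when the extended numbering set up
 * above is in use.  A 64-bit ELF is assumed and the helper name is
 * hypothetical; Elf64_Ehdr, Elf64_Shdr and PN_XNUM come from userspace <elf.h>.
 *
 *	static uint32_t real_phnum(const Elf64_Ehdr *ehdr, const void *base)
 *	{
 *		const Elf64_Shdr *shdr0;
 *
 *		if (ehdr->e_phnum != PN_XNUM)
 *			return ehdr->e_phnum;
 *		// e_phnum overflowed; section header 0 carries the real count
 *		// in sh_info, exactly as fill_extnum_info() stores it.
 *		shdr0 = (const Elf64_Shdr *)((const char *)base + ehdr->e_shoff);
 *		return shdr0->sh_info;
 *	}
 */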
2015
2016 /*
2017 * Actual dumper
2018 *
2019  * This is a two-pass process: first we find the offsets of all the
2020  * bits, then they are actually written out. If we run out of core
2021  * limit, we just truncate.
2022 */
2023 static int elf_core_dump(struct coredump_params *cprm)
2024 {
2025 int has_dumped = 0;
2026 int segs, i;
2027 struct elfhdr elf;
2028 loff_t offset = 0, dataoff;
2029 struct elf_note_info info = { };
2030 struct elf_phdr *phdr4note = NULL;
2031 struct elf_shdr *shdr4extnum = NULL;
2032 Elf_Half e_phnum;
2033 elf_addr_t e_shoff;
2034
2035 /*
2036 	 * The number of segs is recorded in the ELF header as a 16-bit value.
2037 	 * Please check the DEFAULT_MAX_MAP_COUNT definition when modifying this.
2038 */
2039 segs = cprm->vma_count + elf_core_extra_phdrs(cprm);
2040
2041 /* for notes section */
2042 segs++;
2043
2044 	/* If segs > PN_XNUM (0xffff), then e_phnum overflows. To avoid
2045 	 * this, the kernel uses extended numbering. See include/linux/elf.h
2046 	 * for further information. */
2047 e_phnum = segs > PN_XNUM ? PN_XNUM : segs;
2048
2049 /*
2050 * Collect all the non-memory information about the process for the
2051 * notes. This also sets up the file header.
2052 */
2053 if (!fill_note_info(&elf, e_phnum, &info, cprm))
2054 goto end_coredump;
2055
2056 has_dumped = 1;
2057
2058 offset += sizeof(elf); /* ELF header */
2059 offset += segs * sizeof(struct elf_phdr); /* Program headers */
2060
2061 /* Write notes phdr entry */
2062 {
2063 size_t sz = info.size;
2064
2065 /* For cell spufs */
2066 sz += elf_coredump_extra_notes_size();
2067
2068 phdr4note = kmalloc(sizeof(*phdr4note), GFP_KERNEL);
2069 if (!phdr4note)
2070 goto end_coredump;
2071
2072 fill_elf_note_phdr(phdr4note, sz, offset);
2073 offset += sz;
2074 }
2075
2076 dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
2077
2078 offset += cprm->vma_data_size;
2079 offset += elf_core_extra_data_size(cprm);
2080 e_shoff = offset;
2081
2082 if (e_phnum == PN_XNUM) {
2083 shdr4extnum = kmalloc(sizeof(*shdr4extnum), GFP_KERNEL);
2084 if (!shdr4extnum)
2085 goto end_coredump;
2086 fill_extnum_info(&elf, shdr4extnum, e_shoff, segs);
2087 }
2088
2089 offset = dataoff;
2090
2091 if (!dump_emit(cprm, &elf, sizeof(elf)))
2092 goto end_coredump;
2093
2094 if (!dump_emit(cprm, phdr4note, sizeof(*phdr4note)))
2095 goto end_coredump;
2096
2097 /* Write program headers for segments dump */
2098 for (i = 0; i < cprm->vma_count; i++) {
2099 struct core_vma_metadata *meta = cprm->vma_meta + i;
2100 struct elf_phdr phdr;
2101
2102 phdr.p_type = PT_LOAD;
2103 phdr.p_offset = offset;
2104 phdr.p_vaddr = meta->start;
2105 phdr.p_paddr = 0;
2106 phdr.p_filesz = meta->dump_size;
2107 phdr.p_memsz = meta->end - meta->start;
2108 offset += phdr.p_filesz;
2109 phdr.p_flags = 0;
2110 if (meta->flags & VM_READ)
2111 phdr.p_flags |= PF_R;
2112 if (meta->flags & VM_WRITE)
2113 phdr.p_flags |= PF_W;
2114 if (meta->flags & VM_EXEC)
2115 phdr.p_flags |= PF_X;
2116 phdr.p_align = ELF_EXEC_PAGESIZE;
2117
2118 if (!dump_emit(cprm, &phdr, sizeof(phdr)))
2119 goto end_coredump;
2120 }
2121
2122 if (!elf_core_write_extra_phdrs(cprm, offset))
2123 goto end_coredump;
2124
2125 /* write out the notes section */
2126 if (!write_note_info(&info, cprm))
2127 goto end_coredump;
2128
2129 /* For cell spufs */
2130 if (elf_coredump_extra_notes_write(cprm))
2131 goto end_coredump;
2132
2133 /* Align to page */
2134 dump_skip_to(cprm, dataoff);
2135
2136 for (i = 0; i < cprm->vma_count; i++) {
2137 struct core_vma_metadata *meta = cprm->vma_meta + i;
2138
2139 if (!dump_user_range(cprm, meta->start, meta->dump_size))
2140 goto end_coredump;
2141 }
2142
2143 if (!elf_core_write_extra_data(cprm))
2144 goto end_coredump;
2145
2146 if (e_phnum == PN_XNUM) {
2147 if (!dump_emit(cprm, shdr4extnum, sizeof(*shdr4extnum)))
2148 goto end_coredump;
2149 }
2150
2151 end_coredump:
2152 free_note_info(&info);
2153 kfree(shdr4extnum);
2154 kfree(phdr4note);
2155 return has_dumped;
2156 }
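
/*
 * On-disk layout produced above (sketch):
 *
 *	ELF header
 *	program headers: one PT_NOTE, one PT_LOAD per dumped VMA,
 *	    plus any arch-specific extra phdrs
 *	note data for all threads (see write_note_info())
 *	padding up to ELF_EXEC_PAGESIZE
 *	memory contents of each PT_LOAD, in program header order
 *	arch-specific extra data, if any
 *	one SHT_NULL section header, only when e_phnum == PN_XNUM
 */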
2157
2158 #endif /* CONFIG_ELF_CORE */
2159
2160 static int __init init_elf_binfmt(void)
2161 {
2162 elf_format.min_coredump = ELF_EXEC_PAGESIZE;
2163 register_binfmt(&elf_format);
2164 return 0;
2165 }
2166
2167 static void __exit exit_elf_binfmt(void)
2168 {
2169 	/* Remove the ELF loader. */
2170 unregister_binfmt(&elf_format);
2171 }
2172
2173 core_initcall(init_elf_binfmt);
2174 module_exit(exit_elf_binfmt);
2175
2176 #ifdef CONFIG_BINFMT_ELF_KUNIT_TEST
2177 #include "binfmt_elf_test.c"
2178 #endif
2179