1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * linux/fs/binfmt_elf.c
4 *
5 * These are the functions used to load ELF format executables as used
6 * on SVr4 machines. Information on the format may be found in the book
7 * "UNIX SYSTEM V RELEASE 4 Programmers Guide: Ansi C and Programming Support
8 * Tools".
9 *
10 * Copyright 1993, 1994: Eric Youngdale (ericy@cais.com).
11 */
12
13 #include <linux/module.h>
14 #include <linux/kernel.h>
15 #include <linux/fs.h>
16 #include <linux/log2.h>
17 #include <linux/mm.h>
18 #include <linux/mman.h>
19 #include <linux/errno.h>
20 #include <linux/signal.h>
21 #include <linux/binfmts.h>
22 #include <linux/string.h>
23 #include <linux/file.h>
24 #include <linux/slab.h>
25 #include <linux/personality.h>
26 #include <linux/elfcore.h>
27 #include <linux/init.h>
28 #include <linux/highuid.h>
29 #include <linux/compiler.h>
30 #include <linux/highmem.h>
31 #include <linux/hugetlb.h>
32 #include <linux/pagemap.h>
33 #include <linux/vmalloc.h>
34 #include <linux/security.h>
35 #include <linux/random.h>
36 #include <linux/elf.h>
37 #include <linux/elf-randomize.h>
38 #include <linux/utsname.h>
39 #include <linux/coredump.h>
40 #include <linux/sched.h>
41 #include <linux/sched/coredump.h>
42 #include <linux/sched/task_stack.h>
43 #include <linux/sched/cputime.h>
44 #include <linux/sizes.h>
45 #include <linux/types.h>
46 #include <linux/cred.h>
47 #include <linux/dax.h>
48 #include <linux/uaccess.h>
49 #include <linux/rseq.h>
50 #include <asm/param.h>
51 #include <asm/page.h>
52
53 #ifndef ELF_COMPAT
54 #define ELF_COMPAT 0
55 #endif
56
57 #ifndef user_long_t
58 #define user_long_t long
59 #endif
60 #ifndef user_siginfo_t
61 #define user_siginfo_t siginfo_t
62 #endif
63
64 /* That's for binfmt_elf_fdpic to deal with */
65 #ifndef elf_check_fdpic
66 #define elf_check_fdpic(ex) false
67 #endif
68
69 static int load_elf_binary(struct linux_binprm *bprm);
70
71 #ifdef CONFIG_USELIB
72 static int load_elf_library(struct file *);
73 #else
74 #define load_elf_library NULL
75 #endif
76
77 /*
78 * If we don't support core dumping, then supply a NULL so we
79 * don't even try.
80 */
81 #ifdef CONFIG_ELF_CORE
82 static int elf_core_dump(struct coredump_params *cprm);
83 #else
84 #define elf_core_dump NULL
85 #endif
86
87 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
88
89 #ifndef ELF_CORE_EFLAGS
90 #define ELF_CORE_EFLAGS 0
91 #endif
92
93 #define ELF_PAGESTART(_v) ((_v) & ~(int)(ELF_MIN_ALIGN-1))
94 #define ELF_PAGEOFFSET(_v) ((_v) & (ELF_MIN_ALIGN-1))
95 #define ELF_PAGEALIGN(_v) (((_v) + ELF_MIN_ALIGN - 1) & ~(ELF_MIN_ALIGN - 1))
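/*
 * Example with ELF_MIN_ALIGN == 4096: ELF_PAGESTART(0x1234) == 0x1000,
 * ELF_PAGEOFFSET(0x1234) == 0x234 and ELF_PAGEALIGN(0x1234) == 0x2000,
 * i.e. round down to, offset within, and round up to an ELF page.
 */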
96
97 static struct linux_binfmt elf_format = {
98 .module = THIS_MODULE,
99 .load_binary = load_elf_binary,
100 .load_shlib = load_elf_library,
101 #ifdef CONFIG_COREDUMP
102 .core_dump = elf_core_dump,
103 /* Core dumps are skipped entirely when RLIMIT_CORE is below this size. */
104 .min_coredump = ELF_EXEC_PAGESIZE,
105 #endif
106 };
107
108 #define BAD_ADDR(x) (unlikely((unsigned long)(x) >= TASK_SIZE))
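/*
 * Anything at or above TASK_SIZE is "bad": this rejects segments that fall
 * outside the user address space and also catches negative error codes
 * returned by vm_mmap()/elf_map(), since as unsigned longs those wrap to the
 * very top of the address range.
 */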
109
110 /*
111 * We need to explicitly zero any trailing portion of the page that follows
112 * p_filesz when it ends before the page ends (e.g. bss), otherwise this
113 * memory will contain the junk from the file that should not be present.
114 */
115 static int padzero(unsigned long address)
116 {
117 unsigned long nbyte;
118
119 nbyte = ELF_PAGEOFFSET(address);
120 if (nbyte) {
121 nbyte = ELF_MIN_ALIGN - nbyte;
122 if (clear_user((void __user *)address, nbyte))
123 return -EFAULT;
124 }
125 return 0;
126 }
127
128 /* Let's use some macros to make this stack manipulation a little clearer */
129 #ifdef CONFIG_STACK_GROWSUP
130 #define STACK_ADD(sp, items) ((elf_addr_t __user *)(sp) + (items))
131 #define STACK_ROUND(sp, items) \
132 ((15 + (unsigned long) ((sp) + (items))) &~ 15UL)
133 #define STACK_ALLOC(sp, len) ({ \
134 elf_addr_t __user *old_sp = (elf_addr_t __user *)sp; sp += len; \
135 old_sp; })
136 #else
137 #define STACK_ADD(sp, items) ((elf_addr_t __user *)(sp) - (items))
138 #define STACK_ROUND(sp, items) \
139 (((unsigned long) (sp - items)) &~ 15UL)
140 #define STACK_ALLOC(sp, len) (sp -= len)
141 #endif
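/*
 * In the common grows-down case the helpers above move the stack pointer
 * toward lower addresses; STACK_ROUND() keeps the final pointer 16-byte
 * aligned, which most psABIs expect at process entry.
 */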
142
143 #ifndef ELF_BASE_PLATFORM
144 /*
145 * AT_BASE_PLATFORM indicates the "real" hardware/microarchitecture.
146 * If the arch defines ELF_BASE_PLATFORM (in asm/elf.h), the value
147 * will be copied to the user stack in the same manner as AT_PLATFORM.
148 */
149 #define ELF_BASE_PLATFORM NULL
150 #endif
151
152 static int
153 create_elf_tables(struct linux_binprm *bprm, const struct elfhdr *exec,
154 unsigned long interp_load_addr,
155 unsigned long e_entry, unsigned long phdr_addr)
156 {
157 struct mm_struct *mm = current->mm;
158 unsigned long p = bprm->p;
159 int argc = bprm->argc;
160 int envc = bprm->envc;
161 elf_addr_t __user *sp;
162 elf_addr_t __user *u_platform;
163 elf_addr_t __user *u_base_platform;
164 elf_addr_t __user *u_rand_bytes;
165 const char *k_platform = ELF_PLATFORM;
166 const char *k_base_platform = ELF_BASE_PLATFORM;
167 unsigned char k_rand_bytes[16];
168 int items;
169 elf_addr_t *elf_info;
170 elf_addr_t flags = 0;
171 int ei_index;
172 const struct cred *cred = current_cred();
173 struct vm_area_struct *vma;
174
175 /*
176 * In some cases (e.g. Hyper-Threading), we want to avoid L1
177 * evictions by the processes running on the same package. One
178 * thing we can do is to shuffle the initial stack for them.
179 */
180
181 p = arch_align_stack(p);
182
183 /*
184 * If this architecture has a platform capability string, copy it
185 * to userspace. In some cases (Sparc), this info is impossible
186 * for userspace to get any other way, in others (i386) it is
187 * merely difficult.
188 */
189 u_platform = NULL;
190 if (k_platform) {
191 size_t len = strlen(k_platform) + 1;
192
193 u_platform = (elf_addr_t __user *)STACK_ALLOC(p, len);
194 if (copy_to_user(u_platform, k_platform, len))
195 return -EFAULT;
196 }
197
198 /*
199 * If this architecture has a "base" platform capability
200 * string, copy it to userspace.
201 */
202 u_base_platform = NULL;
203 if (k_base_platform) {
204 size_t len = strlen(k_base_platform) + 1;
205
206 u_base_platform = (elf_addr_t __user *)STACK_ALLOC(p, len);
207 if (copy_to_user(u_base_platform, k_base_platform, len))
208 return -EFAULT;
209 }
210
211 /*
212 * Generate 16 random bytes for userspace PRNG seeding.
213 */
214 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
215 u_rand_bytes = (elf_addr_t __user *)
216 STACK_ALLOC(p, sizeof(k_rand_bytes));
217 if (copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
218 return -EFAULT;
219
220 /* Create the ELF interpreter info */
221 elf_info = (elf_addr_t *)mm->saved_auxv;
222 /* update AT_VECTOR_SIZE_BASE if the number of NEW_AUX_ENT() changes */
223 #define NEW_AUX_ENT(id, val) \
224 do { \
225 *elf_info++ = id; \
226 *elf_info++ = val; \
227 } while (0)
228
229 #ifdef ARCH_DLINFO
230 /*
231 * ARCH_DLINFO must come first so PPC can do its special alignment of
232 * AUXV.
233 * update AT_VECTOR_SIZE_ARCH if the number of NEW_AUX_ENT() in
234 * ARCH_DLINFO changes
235 */
236 ARCH_DLINFO;
237 #endif
238 NEW_AUX_ENT(AT_HWCAP, ELF_HWCAP);
239 NEW_AUX_ENT(AT_PAGESZ, ELF_EXEC_PAGESIZE);
240 NEW_AUX_ENT(AT_CLKTCK, CLOCKS_PER_SEC);
241 NEW_AUX_ENT(AT_PHDR, phdr_addr);
242 NEW_AUX_ENT(AT_PHENT, sizeof(struct elf_phdr));
243 NEW_AUX_ENT(AT_PHNUM, exec->e_phnum);
244 NEW_AUX_ENT(AT_BASE, interp_load_addr);
245 if (bprm->interp_flags & BINPRM_FLAGS_PRESERVE_ARGV0)
246 flags |= AT_FLAGS_PRESERVE_ARGV0;
247 NEW_AUX_ENT(AT_FLAGS, flags);
248 NEW_AUX_ENT(AT_ENTRY, e_entry);
249 NEW_AUX_ENT(AT_UID, from_kuid_munged(cred->user_ns, cred->uid));
250 NEW_AUX_ENT(AT_EUID, from_kuid_munged(cred->user_ns, cred->euid));
251 NEW_AUX_ENT(AT_GID, from_kgid_munged(cred->user_ns, cred->gid));
252 NEW_AUX_ENT(AT_EGID, from_kgid_munged(cred->user_ns, cred->egid));
253 NEW_AUX_ENT(AT_SECURE, bprm->secureexec);
254 NEW_AUX_ENT(AT_RANDOM, (elf_addr_t)(unsigned long)u_rand_bytes);
255 #ifdef ELF_HWCAP2
256 NEW_AUX_ENT(AT_HWCAP2, ELF_HWCAP2);
257 #endif
258 NEW_AUX_ENT(AT_EXECFN, bprm->exec);
259 if (k_platform) {
260 NEW_AUX_ENT(AT_PLATFORM,
261 (elf_addr_t)(unsigned long)u_platform);
262 }
263 if (k_base_platform) {
264 NEW_AUX_ENT(AT_BASE_PLATFORM,
265 (elf_addr_t)(unsigned long)u_base_platform);
266 }
267 if (bprm->have_execfd) {
268 NEW_AUX_ENT(AT_EXECFD, bprm->execfd);
269 }
270 #ifdef CONFIG_RSEQ
271 NEW_AUX_ENT(AT_RSEQ_FEATURE_SIZE, offsetof(struct rseq, end));
272 NEW_AUX_ENT(AT_RSEQ_ALIGN, __alignof__(struct rseq));
273 #endif
274 #undef NEW_AUX_ENT
275 /* AT_NULL is zero; clear the rest too */
276 memset(elf_info, 0, (char *)mm->saved_auxv +
277 sizeof(mm->saved_auxv) - (char *)elf_info);
278
279 /* And advance past the AT_NULL entry. */
280 elf_info += 2;
281
282 ei_index = elf_info - (elf_addr_t *)mm->saved_auxv;
283 sp = STACK_ADD(p, ei_index);
284
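/*
 * Reserve room for everything still to be copied out: one slot for argc,
 * argc pointers plus a NULL terminator for argv, envc pointers plus a NULL
 * for envp, and the ei_index auxv words built above.  Lowest address first,
 * the result is:
 *   argc | argv[0..argc-1] NULL | envp[0..envc-1] NULL | auxv ... AT_NULL
 * with the argument/environment strings and the platform/random bytes
 * sitting above them.
 */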
285 items = (argc + 1) + (envc + 1) + 1;
286 bprm->p = STACK_ROUND(sp, items);
287
288 /* Point sp at the lowest address on the stack */
289 #ifdef CONFIG_STACK_GROWSUP
290 sp = (elf_addr_t __user *)bprm->p - items - ei_index;
291 bprm->exec = (unsigned long)sp; /* XXX: PARISC HACK */
292 #else
293 sp = (elf_addr_t __user *)bprm->p;
294 #endif
295
296
297 /*
298 * Grow the stack manually; some architectures have a limit on how
299 * far ahead a user-space access may be in order to grow the stack.
300 */
301 if (mmap_write_lock_killable(mm))
302 return -EINTR;
303 vma = find_extend_vma_locked(mm, bprm->p);
304 mmap_write_unlock(mm);
305 if (!vma)
306 return -EFAULT;
307
308 /* Now, let's put argc (and argv, envp if appropriate) on the stack */
309 if (put_user(argc, sp++))
310 return -EFAULT;
311
312 /* Populate list of argv pointers back to argv strings. */
313 p = mm->arg_end = mm->arg_start;
314 while (argc-- > 0) {
315 size_t len;
316 if (put_user((elf_addr_t)p, sp++))
317 return -EFAULT;
318 len = strnlen_user((void __user *)p, MAX_ARG_STRLEN);
319 if (!len || len > MAX_ARG_STRLEN)
320 return -EINVAL;
321 p += len;
322 }
323 if (put_user(0, sp++))
324 return -EFAULT;
325 mm->arg_end = p;
326
327 /* Populate list of envp pointers back to envp strings. */
328 mm->env_end = mm->env_start = p;
329 while (envc-- > 0) {
330 size_t len;
331 if (put_user((elf_addr_t)p, sp++))
332 return -EFAULT;
333 len = strnlen_user((void __user *)p, MAX_ARG_STRLEN);
334 if (!len || len > MAX_ARG_STRLEN)
335 return -EINVAL;
336 p += len;
337 }
338 if (put_user(0, sp++))
339 return -EFAULT;
340 mm->env_end = p;
341
342 /* Put the elf_info on the stack in the right place. */
343 if (copy_to_user(sp, mm->saved_auxv, ei_index * sizeof(elf_addr_t)))
344 return -EFAULT;
345 return 0;
346 }
347
348 /*
349 * Map "eppnt->p_filesz" bytes from "filep" offset "eppnt->p_offset"
350 * into memory at "addr". (Note that p_filesz is rounded up to the
351 * next page, so any extra bytes from the file must be wiped.)
352 */
353 static unsigned long elf_map(struct file *filep, unsigned long addr,
354 const struct elf_phdr *eppnt, int prot, int type,
355 unsigned long total_size)
356 {
357 unsigned long map_addr;
358 unsigned long size = eppnt->p_filesz + ELF_PAGEOFFSET(eppnt->p_vaddr);
359 unsigned long off = eppnt->p_offset - ELF_PAGEOFFSET(eppnt->p_vaddr);
360 addr = ELF_PAGESTART(addr);
361 size = ELF_PAGEALIGN(size);
362
363 /* mmap() will return -EINVAL if given a zero size, but a
364 * segment with zero filesize is perfectly valid */
365 if (!size)
366 return addr;
367
368 /*
369 * total_size is the size of the ELF (interpreter) image.
370 * The _first_ mmap needs to know the full size, otherwise
371 * randomization might put this image into an overlapping
372 * position with the ELF binary image. (since size < total_size)
373 * So we first map the 'big' image - and unmap the remainder at
374 * the end. (which unmap is needed for ELF images with holes.)
375 */
376 if (total_size) {
377 total_size = ELF_PAGEALIGN(total_size);
378 map_addr = vm_mmap(filep, addr, total_size, prot, type, off);
379 if (!BAD_ADDR(map_addr))
380 vm_munmap(map_addr+size, total_size-size);
381 } else
382 map_addr = vm_mmap(filep, addr, size, prot, type, off);
383
384 if ((type & MAP_FIXED_NOREPLACE) &&
385 PTR_ERR((void *)map_addr) == -EEXIST)
386 pr_info("%d (%s): Uhuuh, elf segment at %px requested but the memory is mapped already\n",
387 task_pid_nr(current), current->comm, (void *)addr);
388
389 return(map_addr);
390 }
391
392 /*
393 * Map "eppnt->p_filesz" bytes from "filep" offset "eppnt->p_offset"
394 * into memory at "addr". Memory from "p_filesz" through "p_memsz"
395 * rounded up to the next page is zeroed.
396 */
397 static unsigned long elf_load(struct file *filep, unsigned long addr,
398 const struct elf_phdr *eppnt, int prot, int type,
399 unsigned long total_size)
400 {
401 unsigned long zero_start, zero_end;
402 unsigned long map_addr;
403
404 if (eppnt->p_filesz) {
405 map_addr = elf_map(filep, addr, eppnt, prot, type, total_size);
406 if (BAD_ADDR(map_addr))
407 return map_addr;
408 if (eppnt->p_memsz > eppnt->p_filesz) {
409 zero_start = map_addr + ELF_PAGEOFFSET(eppnt->p_vaddr) +
410 eppnt->p_filesz;
411 zero_end = map_addr + ELF_PAGEOFFSET(eppnt->p_vaddr) +
412 eppnt->p_memsz;
413
414 /*
415 * Zero the end of the last mapped page but ignore
416 * any errors if the segment isn't writable.
417 */
418 if (padzero(zero_start) && (prot & PROT_WRITE))
419 return -EFAULT;
420 }
421 } else {
422 map_addr = zero_start = ELF_PAGESTART(addr);
423 zero_end = zero_start + ELF_PAGEOFFSET(eppnt->p_vaddr) +
424 eppnt->p_memsz;
425 }
426 if (eppnt->p_memsz > eppnt->p_filesz) {
427 /*
428 * Map the last of the segment.
429 * If the header is requesting these pages to be
430 * executable, honour that (ppc32 needs this).
431 */
432 int error;
433
434 zero_start = ELF_PAGEALIGN(zero_start);
435 zero_end = ELF_PAGEALIGN(zero_end);
436
437 error = vm_brk_flags(zero_start, zero_end - zero_start,
438 prot & PROT_EXEC ? VM_EXEC : 0);
439 if (error)
440 map_addr = error;
441 }
442 return map_addr;
443 }
444
445
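/*
 * Size of the address range needed to hold every PT_LOAD segment: from the
 * ELF-page-aligned start of the lowest segment to the end of the highest
 * one.  Returns 0 if there is no PT_LOAD header at all.
 */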
446 static unsigned long total_mapping_size(const struct elf_phdr *phdr, int nr)
447 {
448 elf_addr_t min_addr = -1;
449 elf_addr_t max_addr = 0;
450 bool pt_load = false;
451 int i;
452
453 for (i = 0; i < nr; i++) {
454 if (phdr[i].p_type == PT_LOAD) {
455 min_addr = min(min_addr, ELF_PAGESTART(phdr[i].p_vaddr));
456 max_addr = max(max_addr, phdr[i].p_vaddr + phdr[i].p_memsz);
457 pt_load = true;
458 }
459 }
460 return pt_load ? (max_addr - min_addr) : 0;
461 }
462
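/* Read exactly @len bytes at @pos from @file; a short read is reported as -EIO. */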
463 static int elf_read(struct file *file, void *buf, size_t len, loff_t pos)
464 {
465 ssize_t rv;
466
467 rv = kernel_read(file, buf, len, &pos);
468 if (unlikely(rv != len)) {
469 return (rv < 0) ? rv : -EIO;
470 }
471 return 0;
472 }
473
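/*
 * Largest p_align requested by any PT_LOAD header, rounded up to at least one
 * ELF page; alignments that are not a power of two are skipped as invalid.
 */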
474 static unsigned long maximum_alignment(struct elf_phdr *cmds, int nr)
475 {
476 unsigned long alignment = 0;
477 int i;
478
479 for (i = 0; i < nr; i++) {
480 if (cmds[i].p_type == PT_LOAD) {
481 unsigned long p_align = cmds[i].p_align;
482
483 /* skip non-power of two alignments as invalid */
484 if (!is_power_of_2(p_align))
485 continue;
486 alignment = max(alignment, p_align);
487 }
488 }
489
490 /* ensure we align to at least one page */
491 return ELF_PAGEALIGN(alignment);
492 }
493
494 /**
495 * load_elf_phdrs() - load ELF program headers
496 * @elf_ex: ELF header of the binary whose program headers should be loaded
497 * @elf_file: the opened ELF binary file
498 *
499 * Loads ELF program headers from the binary file elf_file, which has the ELF
500 * header pointed to by elf_ex, into a newly allocated array. The caller is
501 * responsible for freeing the allocated data. Returns NULL upon failure.
502 */
503 static struct elf_phdr *load_elf_phdrs(const struct elfhdr *elf_ex,
504 struct file *elf_file)
505 {
506 struct elf_phdr *elf_phdata = NULL;
507 int retval = -1;
508 unsigned int size;
509
510 /*
511 * If the size of this structure has changed, then punt, since
512 * we will be doing the wrong thing.
513 */
514 if (elf_ex->e_phentsize != sizeof(struct elf_phdr))
515 goto out;
516
517 /* Sanity check the number of program headers... */
518 /* ...and their total size. */
519 size = sizeof(struct elf_phdr) * elf_ex->e_phnum;
520 if (size == 0 || size > 65536 || size > ELF_MIN_ALIGN)
521 goto out;
522
523 elf_phdata = kmalloc(size, GFP_KERNEL);
524 if (!elf_phdata)
525 goto out;
526
527 /* Read in the program headers */
528 retval = elf_read(elf_file, elf_phdata, size, elf_ex->e_phoff);
529
530 out:
531 if (retval) {
532 kfree(elf_phdata);
533 elf_phdata = NULL;
534 }
535 return elf_phdata;
536 }
537
538 #ifndef CONFIG_ARCH_BINFMT_ELF_STATE
539
540 /**
541 * struct arch_elf_state - arch-specific ELF loading state
542 *
543 * This structure is used to preserve architecture specific data during
544 * the loading of an ELF file, throughout the checking of architecture
545 * specific ELF headers & through to the point where the ELF load is
546 * known to be proceeding (ie. SET_PERSONALITY).
547 *
548 * This implementation is a dummy for architectures which require no
549 * specific state.
550 */
551 struct arch_elf_state {
552 };
553
554 #define INIT_ARCH_ELF_STATE {}
555
556 /**
557 * arch_elf_pt_proc() - check a PT_LOPROC..PT_HIPROC ELF program header
558 * @ehdr: The main ELF header
559 * @phdr: The program header to check
560 * @elf: The open ELF file
561 * @is_interp: True if the phdr is from the interpreter of the ELF being
562 * loaded, else false.
563 * @state: Architecture-specific state preserved throughout the process
564 * of loading the ELF.
565 *
566 * Inspects the program header phdr to validate its correctness and/or
567 * suitability for the system. Called once per ELF program header in the
568 * range PT_LOPROC to PT_HIPROC, for both the ELF being loaded and its
569 * interpreter.
570 *
571 * Return: Zero to proceed with the ELF load, non-zero to fail the ELF load
572 * with that return code.
573 */
574 static inline int arch_elf_pt_proc(struct elfhdr *ehdr,
575 struct elf_phdr *phdr,
576 struct file *elf, bool is_interp,
577 struct arch_elf_state *state)
578 {
579 /* Dummy implementation, always proceed */
580 return 0;
581 }
582
583 /**
584 * arch_check_elf() - check an ELF executable
585 * @ehdr: The main ELF header
586 * @has_interp: True if the ELF has an interpreter, else false.
587 * @interp_ehdr: The interpreter's ELF header
588 * @state: Architecture-specific state preserved throughout the process
589 * of loading the ELF.
590 *
591 * Provides a final opportunity for architecture code to reject the loading
592 * of the ELF & cause an exec syscall to return an error. This is called after
593 * all program headers to be checked by arch_elf_pt_proc have been.
594 *
595 * Return: Zero to proceed with the ELF load, non-zero to fail the ELF load
596 * with that return code.
597 */
598 static inline int arch_check_elf(struct elfhdr *ehdr, bool has_interp,
599 struct elfhdr *interp_ehdr,
600 struct arch_elf_state *state)
601 {
602 /* Dummy implementation, always proceed */
603 return 0;
604 }
605
606 #endif /* !CONFIG_ARCH_BINFMT_ELF_STATE */
607
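/*
 * Translate the PF_R/PF_W/PF_X segment flags into PROT_* bits, then give the
 * architecture a chance to adjust them based on the previously parsed state
 * (e.g. adding extra protection bits required by GNU properties).
 */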
608 static inline int make_prot(u32 p_flags, struct arch_elf_state *arch_state,
609 bool has_interp, bool is_interp)
610 {
611 int prot = 0;
612
613 if (p_flags & PF_R)
614 prot |= PROT_READ;
615 if (p_flags & PF_W)
616 prot |= PROT_WRITE;
617 if (p_flags & PF_X)
618 prot |= PROT_EXEC;
619
620 return arch_elf_adjust_prot(prot, arch_state, has_interp, is_interp);
621 }
622
623 /* This is much more generalized than the library routine read function,
624 so we keep this separate. Technically the library read function
625 is only provided so that we can read a.out libraries that have
626 an ELF header */
627
628 static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
629 struct file *interpreter,
630 unsigned long no_base, struct elf_phdr *interp_elf_phdata,
631 struct arch_elf_state *arch_state)
632 {
633 struct elf_phdr *eppnt;
634 unsigned long load_addr = 0;
635 int load_addr_set = 0;
636 unsigned long error = ~0UL;
637 unsigned long total_size;
638 int i;
639
640 /* First of all, some simple consistency checks */
641 if (interp_elf_ex->e_type != ET_EXEC &&
642 interp_elf_ex->e_type != ET_DYN)
643 goto out;
644 if (!elf_check_arch(interp_elf_ex) ||
645 elf_check_fdpic(interp_elf_ex))
646 goto out;
647 if (!interpreter->f_op->mmap)
648 goto out;
649
650 total_size = total_mapping_size(interp_elf_phdata,
651 interp_elf_ex->e_phnum);
652 if (!total_size) {
653 error = -EINVAL;
654 goto out;
655 }
656
657 eppnt = interp_elf_phdata;
658 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
659 if (eppnt->p_type == PT_LOAD) {
660 int elf_type = MAP_PRIVATE;
661 int elf_prot = make_prot(eppnt->p_flags, arch_state,
662 true, true);
663 unsigned long vaddr = 0;
664 unsigned long k, map_addr;
665
666 vaddr = eppnt->p_vaddr;
667 if (interp_elf_ex->e_type == ET_EXEC || load_addr_set)
668 elf_type |= MAP_FIXED;
669 else if (no_base && interp_elf_ex->e_type == ET_DYN)
670 load_addr = -vaddr;
671
672 map_addr = elf_load(interpreter, load_addr + vaddr,
673 eppnt, elf_prot, elf_type, total_size);
674 total_size = 0;
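/*
 * The full span was only reserved by the first mapping; from here on
 * total_size stays 0 and later segments map inside that reservation.
 */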
675 error = map_addr;
676 if (BAD_ADDR(map_addr))
677 goto out;
678
679 if (!load_addr_set &&
680 interp_elf_ex->e_type == ET_DYN) {
681 load_addr = map_addr - ELF_PAGESTART(vaddr);
682 load_addr_set = 1;
683 }
684
685 /*
686 * Check to see if the section's size will overflow the
687 * allowed task size. Note that p_filesz must always be
688 * <= p_memsz so it is only necessary to check p_memsz.
689 */
690 k = load_addr + eppnt->p_vaddr;
691 if (BAD_ADDR(k) ||
692 eppnt->p_filesz > eppnt->p_memsz ||
693 eppnt->p_memsz > TASK_SIZE ||
694 TASK_SIZE - eppnt->p_memsz < k) {
695 error = -ENOMEM;
696 goto out;
697 }
698 }
699 }
700
701 error = load_addr;
702 out:
703 return error;
704 }
705
706 /*
707 * These are the functions used to load ELF style executables and shared
708 * libraries. There is no binary dependent code anywhere else.
709 */
710
711 static int parse_elf_property(const char *data, size_t *off, size_t datasz,
712 struct arch_elf_state *arch,
713 bool have_prev_type, u32 *prev_type)
714 {
715 size_t o, step;
716 const struct gnu_property *pr;
717 int ret;
718
719 if (*off == datasz)
720 return -ENOENT;
721
722 if (WARN_ON_ONCE(*off > datasz || *off % ELF_GNU_PROPERTY_ALIGN))
723 return -EIO;
724 o = *off;
725 datasz -= *off;
726
727 if (datasz < sizeof(*pr))
728 return -ENOEXEC;
729 pr = (const struct gnu_property *)(data + o);
730 o += sizeof(*pr);
731 datasz -= sizeof(*pr);
732
733 if (pr->pr_datasz > datasz)
734 return -ENOEXEC;
735
736 WARN_ON_ONCE(o % ELF_GNU_PROPERTY_ALIGN);
737 step = round_up(pr->pr_datasz, ELF_GNU_PROPERTY_ALIGN);
738 if (step > datasz)
739 return -ENOEXEC;
740
741 /* Properties are supposed to be unique and sorted on pr_type: */
742 if (have_prev_type && pr->pr_type <= *prev_type)
743 return -ENOEXEC;
744 *prev_type = pr->pr_type;
745
746 ret = arch_parse_elf_property(pr->pr_type, data + o,
747 pr->pr_datasz, ELF_COMPAT, arch);
748 if (ret)
749 return ret;
750
751 *off = o + step;
752 return 0;
753 }
754
755 #define NOTE_DATA_SZ SZ_1K
756 #define GNU_PROPERTY_TYPE_0_NAME "GNU"
757 #define NOTE_NAME_SZ (sizeof(GNU_PROPERTY_TYPE_0_NAME))
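/*
 * A PT_GNU_PROPERTY segment holds a single NT_GNU_PROPERTY_TYPE_0 note: the
 * elf_note header, the "GNU\0" name, then a series of (pr_type, pr_datasz,
 * data) records, each padded to ELF_GNU_PROPERTY_ALIGN and sorted by type.
 */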
758
759 static int parse_elf_properties(struct file *f, const struct elf_phdr *phdr,
760 struct arch_elf_state *arch)
761 {
762 union {
763 struct elf_note nhdr;
764 char data[NOTE_DATA_SZ];
765 } note;
766 loff_t pos;
767 ssize_t n;
768 size_t off, datasz;
769 int ret;
770 bool have_prev_type;
771 u32 prev_type;
772
773 if (!IS_ENABLED(CONFIG_ARCH_USE_GNU_PROPERTY) || !phdr)
774 return 0;
775
776 /* load_elf_binary() shouldn't call us unless this is true... */
777 if (WARN_ON_ONCE(phdr->p_type != PT_GNU_PROPERTY))
778 return -ENOEXEC;
779
780 /* If the properties are crazy large, that's too bad (for now): */
781 if (phdr->p_filesz > sizeof(note))
782 return -ENOEXEC;
783
784 pos = phdr->p_offset;
785 n = kernel_read(f, &note, phdr->p_filesz, &pos);
786
787 BUILD_BUG_ON(sizeof(note) < sizeof(note.nhdr) + NOTE_NAME_SZ);
788 if (n < 0 || n < sizeof(note.nhdr) + NOTE_NAME_SZ)
789 return -EIO;
790
791 if (note.nhdr.n_type != NT_GNU_PROPERTY_TYPE_0 ||
792 note.nhdr.n_namesz != NOTE_NAME_SZ ||
793 strncmp(note.data + sizeof(note.nhdr),
794 GNU_PROPERTY_TYPE_0_NAME, n - sizeof(note.nhdr)))
795 return -ENOEXEC;
796
797 off = round_up(sizeof(note.nhdr) + NOTE_NAME_SZ,
798 ELF_GNU_PROPERTY_ALIGN);
799 if (off > n)
800 return -ENOEXEC;
801
802 if (note.nhdr.n_descsz > n - off)
803 return -ENOEXEC;
804 datasz = off + note.nhdr.n_descsz;
805
806 have_prev_type = false;
807 do {
808 ret = parse_elf_property(note.data, &off, datasz, arch,
809 have_prev_type, &prev_type);
810 have_prev_type = true;
811 } while (!ret);
812
813 return ret == -ENOENT ? 0 : ret;
814 }
815
816 static int load_elf_binary(struct linux_binprm *bprm)
817 {
818 struct file *interpreter = NULL; /* to shut gcc up */
819 unsigned long load_bias = 0, phdr_addr = 0;
820 int first_pt_load = 1;
821 unsigned long error;
822 struct elf_phdr *elf_ppnt, *elf_phdata, *interp_elf_phdata = NULL;
823 struct elf_phdr *elf_property_phdata = NULL;
824 unsigned long elf_brk;
825 bool brk_moved = false;
826 int retval, i;
827 unsigned long elf_entry;
828 unsigned long e_entry;
829 unsigned long interp_load_addr = 0;
830 unsigned long start_code, end_code, start_data, end_data;
831 unsigned long reloc_func_desc __maybe_unused = 0;
832 int executable_stack = EXSTACK_DEFAULT;
833 struct elfhdr *elf_ex = (struct elfhdr *)bprm->buf;
834 struct elfhdr *interp_elf_ex = NULL;
835 struct arch_elf_state arch_state = INIT_ARCH_ELF_STATE;
836 struct mm_struct *mm;
837 struct pt_regs *regs;
838
839 retval = -ENOEXEC;
840 /* First of all, some simple consistency checks */
841 if (memcmp(elf_ex->e_ident, ELFMAG, SELFMAG) != 0)
842 goto out;
843
844 if (elf_ex->e_type != ET_EXEC && elf_ex->e_type != ET_DYN)
845 goto out;
846 if (!elf_check_arch(elf_ex))
847 goto out;
848 if (elf_check_fdpic(elf_ex))
849 goto out;
850 if (!bprm->file->f_op->mmap)
851 goto out;
852
853 elf_phdata = load_elf_phdrs(elf_ex, bprm->file);
854 if (!elf_phdata)
855 goto out;
856
857 elf_ppnt = elf_phdata;
858 for (i = 0; i < elf_ex->e_phnum; i++, elf_ppnt++) {
859 char *elf_interpreter;
860
861 if (elf_ppnt->p_type == PT_GNU_PROPERTY) {
862 elf_property_phdata = elf_ppnt;
863 continue;
864 }
865
866 if (elf_ppnt->p_type != PT_INTERP)
867 continue;
868
869 /*
870 * This is the program interpreter used for shared libraries -
871 * for now assume that this is an a.out format binary.
872 */
873 retval = -ENOEXEC;
874 if (elf_ppnt->p_filesz > PATH_MAX || elf_ppnt->p_filesz < 2)
875 goto out_free_ph;
876
877 retval = -ENOMEM;
878 elf_interpreter = kmalloc(elf_ppnt->p_filesz, GFP_KERNEL);
879 if (!elf_interpreter)
880 goto out_free_ph;
881
882 retval = elf_read(bprm->file, elf_interpreter, elf_ppnt->p_filesz,
883 elf_ppnt->p_offset);
884 if (retval < 0)
885 goto out_free_interp;
886 /* make sure path is NULL terminated */
887 retval = -ENOEXEC;
888 if (elf_interpreter[elf_ppnt->p_filesz - 1] != '\0')
889 goto out_free_interp;
890
891 interpreter = open_exec(elf_interpreter);
892 kfree(elf_interpreter);
893 retval = PTR_ERR(interpreter);
894 if (IS_ERR(interpreter))
895 goto out_free_ph;
896
897 /*
898 * If the binary is not readable then enforce mm->dumpable = 0
899 * regardless of the interpreter's permissions.
900 */
901 would_dump(bprm, interpreter);
902
903 interp_elf_ex = kmalloc(sizeof(*interp_elf_ex), GFP_KERNEL);
904 if (!interp_elf_ex) {
905 retval = -ENOMEM;
906 goto out_free_file;
907 }
908
909 /* Get the exec headers */
910 retval = elf_read(interpreter, interp_elf_ex,
911 sizeof(*interp_elf_ex), 0);
912 if (retval < 0)
913 goto out_free_dentry;
914
915 break;
916
917 out_free_interp:
918 kfree(elf_interpreter);
919 goto out_free_ph;
920 }
921
922 elf_ppnt = elf_phdata;
923 for (i = 0; i < elf_ex->e_phnum; i++, elf_ppnt++)
924 switch (elf_ppnt->p_type) {
925 case PT_GNU_STACK:
926 if (elf_ppnt->p_flags & PF_X)
927 executable_stack = EXSTACK_ENABLE_X;
928 else
929 executable_stack = EXSTACK_DISABLE_X;
930 break;
931
932 case PT_LOPROC ... PT_HIPROC:
933 retval = arch_elf_pt_proc(elf_ex, elf_ppnt,
934 bprm->file, false,
935 &arch_state);
936 if (retval)
937 goto out_free_dentry;
938 break;
939 }
940
941 /* Some simple consistency checks for the interpreter */
942 if (interpreter) {
943 retval = -ELIBBAD;
944 /* Not an ELF interpreter */
945 if (memcmp(interp_elf_ex->e_ident, ELFMAG, SELFMAG) != 0)
946 goto out_free_dentry;
947 /* Verify the interpreter has a valid arch */
948 if (!elf_check_arch(interp_elf_ex) ||
949 elf_check_fdpic(interp_elf_ex))
950 goto out_free_dentry;
951
952 /* Load the interpreter program headers */
953 interp_elf_phdata = load_elf_phdrs(interp_elf_ex,
954 interpreter);
955 if (!interp_elf_phdata)
956 goto out_free_dentry;
957
958 /* Pass PT_LOPROC..PT_HIPROC headers to arch code */
959 elf_property_phdata = NULL;
960 elf_ppnt = interp_elf_phdata;
961 for (i = 0; i < interp_elf_ex->e_phnum; i++, elf_ppnt++)
962 switch (elf_ppnt->p_type) {
963 case PT_GNU_PROPERTY:
964 elf_property_phdata = elf_ppnt;
965 break;
966
967 case PT_LOPROC ... PT_HIPROC:
968 retval = arch_elf_pt_proc(interp_elf_ex,
969 elf_ppnt, interpreter,
970 true, &arch_state);
971 if (retval)
972 goto out_free_dentry;
973 break;
974 }
975 }
976
977 retval = parse_elf_properties(interpreter ?: bprm->file,
978 elf_property_phdata, &arch_state);
979 if (retval)
980 goto out_free_dentry;
981
982 /*
983 * Allow arch code to reject the ELF at this point, whilst it's
984 * still possible to return an error to the code that invoked
985 * the exec syscall.
986 */
987 retval = arch_check_elf(elf_ex,
988 !!interpreter, interp_elf_ex,
989 &arch_state);
990 if (retval)
991 goto out_free_dentry;
992
993 /* Flush all traces of the currently running executable */
994 retval = begin_new_exec(bprm);
995 if (retval)
996 goto out_free_dentry;
997
998 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
999 may depend on the personality. */
1000 SET_PERSONALITY2(*elf_ex, &arch_state);
1001 if (elf_read_implies_exec(*elf_ex, executable_stack))
1002 current->personality |= READ_IMPLIES_EXEC;
1003
1004 const int snapshot_randomize_va_space = READ_ONCE(randomize_va_space);
1005 if (!(current->personality & ADDR_NO_RANDOMIZE) && snapshot_randomize_va_space)
1006 current->flags |= PF_RANDOMIZE;
1007
1008 setup_new_exec(bprm);
1009
1010 /* Do this so that we can load the interpreter, if need be. We will
1011 change some of these later */
1012 retval = setup_arg_pages(bprm, randomize_stack_top(STACK_TOP),
1013 executable_stack);
1014 if (retval < 0)
1015 goto out_free_dentry;
1016
1017 elf_brk = 0;
1018
1019 start_code = ~0UL;
1020 end_code = 0;
1021 start_data = 0;
1022 end_data = 0;
1023
1024 /* Now we do a little grungy work by mmapping the ELF image into
1025 the correct location in memory. */
1026 for(i = 0, elf_ppnt = elf_phdata;
1027 i < elf_ex->e_phnum; i++, elf_ppnt++) {
1028 int elf_prot, elf_flags;
1029 unsigned long k, vaddr;
1030 unsigned long total_size = 0;
1031 unsigned long alignment;
1032
1033 if (elf_ppnt->p_type != PT_LOAD)
1034 continue;
1035
1036 elf_prot = make_prot(elf_ppnt->p_flags, &arch_state,
1037 !!interpreter, false);
1038
1039 elf_flags = MAP_PRIVATE;
1040
1041 vaddr = elf_ppnt->p_vaddr;
1042 /*
1043 * The first time through the loop, first_pt_load is true:
1044 * layout will be calculated. Once set, use MAP_FIXED since
1045 * we know we've already safely mapped the entire region with
1046 * MAP_FIXED_NOREPLACE in the once-per-binary logic following.
1047 */
1048 if (!first_pt_load) {
1049 elf_flags |= MAP_FIXED;
1050 } else if (elf_ex->e_type == ET_EXEC) {
1051 /*
1052 * This logic is run once for the first LOAD Program
1053 * Header for ET_EXEC binaries. No special handling
1054 * is needed.
1055 */
1056 elf_flags |= MAP_FIXED_NOREPLACE;
1057 } else if (elf_ex->e_type == ET_DYN) {
1058 /*
1059 * This logic is run once for the first LOAD Program
1060 * Header for ET_DYN binaries to calculate the
1061 * randomization (load_bias) for all the LOAD
1062 * Program Headers.
1063 */
1064
1065 /*
1066 * Calculate the entire size of the ELF mapping
1067 * (total_size), used for the initial mapping,
1068 * due to load_addr_set which is set to true later
1069 * once the initial mapping is performed.
1070 *
1071 * Note that this is only sensible when the LOAD
1072 * segments are contiguous (or overlapping). If
1073 * used for LOADs that are far apart, this would
1074 * cause the holes between LOADs to be mapped,
1075 * running the risk of having the mapping fail,
1076 * as it would be larger than the ELF file itself.
1077 *
1078 * As a result, only ET_DYN does this, since
1079 * some ET_EXEC (e.g. ia64) may have large virtual
1080 * memory holes between LOADs.
1081 *
1082 */
1083 total_size = total_mapping_size(elf_phdata,
1084 elf_ex->e_phnum);
1085 if (!total_size) {
1086 retval = -EINVAL;
1087 goto out_free_dentry;
1088 }
1089
1090 /* Calculate any requested alignment. */
1091 alignment = maximum_alignment(elf_phdata, elf_ex->e_phnum);
1092
1093 /**
1094 * DOC: PIE handling
1095 *
1096 * There are effectively two types of ET_DYN ELF
1097 * binaries: programs (i.e. PIE: ET_DYN with
1098 * PT_INTERP) and loaders (i.e. static PIE: ET_DYN
1099 * without PT_INTERP, usually the ELF interpreter
1100 * itself). Loaders must be loaded away from programs
1101 * since the program may otherwise collide with the
1102 * loader (especially for ET_EXEC which does not have
1103 * a randomized position).
1104 *
1105 * For example, to handle invocations of
1106 * "./ld.so someprog" to test out a new version of
1107 * the loader, the subsequent program that the
1108 * loader loads must avoid the loader itself, so
1109 * they cannot share the same load range. Sufficient
1110 * room for the brk must be allocated with the
1111 * loader as well, since brk must be available with
1112 * the loader.
1113 *
1114 * Therefore, programs are loaded offset from
1115 * ELF_ET_DYN_BASE and loaders are loaded into the
1116 * independently randomized mmap region (0 load_bias
1117 * without MAP_FIXED nor MAP_FIXED_NOREPLACE).
1118 *
1119 * See below for "brk" handling details, which is
1120 * also affected by program vs loader and ASLR.
1121 */
1122 if (interpreter) {
1123 /* On ET_DYN with PT_INTERP, we do the ASLR. */
1124 load_bias = ELF_ET_DYN_BASE;
1125 if (current->flags & PF_RANDOMIZE)
1126 load_bias += arch_mmap_rnd();
1127 /* Adjust alignment as requested. */
1128 if (alignment)
1129 load_bias &= ~(alignment - 1);
1130 elf_flags |= MAP_FIXED_NOREPLACE;
1131 } else {
1132 /*
1133 * For ET_DYN without PT_INTERP, we rely on
1134 * the architecture's (potentially ASLR) mmap
1135 * base address (via a load_bias of 0).
1136 *
1137 * When a large alignment is requested, we
1138 * must do the allocation at address "0" right
1139 * now to discover where things will load so
1140 * that we can adjust the resulting alignment.
1141 * In this case (load_bias != 0), we can use
1142 * MAP_FIXED_NOREPLACE to make sure the mapping
1143 * doesn't collide with anything.
1144 */
1145 if (alignment > ELF_MIN_ALIGN) {
1146 load_bias = elf_load(bprm->file, 0, elf_ppnt,
1147 elf_prot, elf_flags, total_size);
1148 if (BAD_ADDR(load_bias)) {
1149 retval = IS_ERR_VALUE(load_bias) ?
1150 PTR_ERR((void*)load_bias) : -EINVAL;
1151 goto out_free_dentry;
1152 }
1153 vm_munmap(load_bias, total_size);
1154 /* Adjust alignment as requested. */
1155 if (alignment)
1156 load_bias &= ~(alignment - 1);
1157 elf_flags |= MAP_FIXED_NOREPLACE;
1158 } else
1159 load_bias = 0;
1160 }
1161
1162 /*
1163 * Since load_bias is used for all subsequent loading
1164 * calculations, we must lower it by the first vaddr
1165 * so that the remaining calculations based on the
1166 * ELF vaddrs will be correctly offset. The result
1167 * is then page aligned.
1168 */
1169 load_bias = ELF_PAGESTART(load_bias - vaddr);
1170 }
1171
1172 error = elf_load(bprm->file, load_bias + vaddr, elf_ppnt,
1173 elf_prot, elf_flags, total_size);
1174 if (BAD_ADDR(error)) {
1175 retval = IS_ERR_VALUE(error) ?
1176 PTR_ERR((void*)error) : -EINVAL;
1177 goto out_free_dentry;
1178 }
1179
1180 if (first_pt_load) {
1181 first_pt_load = 0;
1182 if (elf_ex->e_type == ET_DYN) {
1183 load_bias += error -
1184 ELF_PAGESTART(load_bias + vaddr);
1185 reloc_func_desc = load_bias;
1186 }
1187 }
1188
1189 /*
1190 * Figure out which segment in the file contains the Program
1191 * Header table, and map to the associated memory address.
1192 */
1193 if (elf_ppnt->p_offset <= elf_ex->e_phoff &&
1194 elf_ex->e_phoff < elf_ppnt->p_offset + elf_ppnt->p_filesz) {
1195 phdr_addr = elf_ex->e_phoff - elf_ppnt->p_offset +
1196 elf_ppnt->p_vaddr;
1197 }
1198
1199 k = elf_ppnt->p_vaddr;
1200 if ((elf_ppnt->p_flags & PF_X) && k < start_code)
1201 start_code = k;
1202 if (start_data < k)
1203 start_data = k;
1204
1205 /*
1206 * Check to see if the section's size will overflow the
1207 * allowed task size. Note that p_filesz must always be
1208 * <= p_memsz so it is only necessary to check p_memsz.
1209 */
1210 if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
1211 elf_ppnt->p_memsz > TASK_SIZE ||
1212 TASK_SIZE - elf_ppnt->p_memsz < k) {
1213 /* set_brk can never work. Avoid overflows. */
1214 retval = -EINVAL;
1215 goto out_free_dentry;
1216 }
1217
1218 k = elf_ppnt->p_vaddr + elf_ppnt->p_filesz;
1219
1220 if ((elf_ppnt->p_flags & PF_X) && end_code < k)
1221 end_code = k;
1222 if (end_data < k)
1223 end_data = k;
1224 k = elf_ppnt->p_vaddr + elf_ppnt->p_memsz;
1225 if (k > elf_brk)
1226 elf_brk = k;
1227 }
1228
1229 e_entry = elf_ex->e_entry + load_bias;
1230 phdr_addr += load_bias;
1231 elf_brk += load_bias;
1232 start_code += load_bias;
1233 end_code += load_bias;
1234 start_data += load_bias;
1235 end_data += load_bias;
1236
1237 if (interpreter) {
1238 elf_entry = load_elf_interp(interp_elf_ex,
1239 interpreter,
1240 load_bias, interp_elf_phdata,
1241 &arch_state);
1242 if (!IS_ERR_VALUE(elf_entry)) {
1243 /*
1244 * load_elf_interp() returns relocation
1245 * adjustment
1246 */
1247 interp_load_addr = elf_entry;
1248 elf_entry += interp_elf_ex->e_entry;
1249 }
1250 if (BAD_ADDR(elf_entry)) {
1251 retval = IS_ERR_VALUE(elf_entry) ?
1252 (int)elf_entry : -EINVAL;
1253 goto out_free_dentry;
1254 }
1255 reloc_func_desc = interp_load_addr;
1256
1257 allow_write_access(interpreter);
1258 fput(interpreter);
1259
1260 kfree(interp_elf_ex);
1261 kfree(interp_elf_phdata);
1262 } else {
1263 elf_entry = e_entry;
1264 if (BAD_ADDR(elf_entry)) {
1265 retval = -EINVAL;
1266 goto out_free_dentry;
1267 }
1268 }
1269
1270 kfree(elf_phdata);
1271
1272 set_binfmt(&elf_format);
1273
1274 #ifdef ARCH_HAS_SETUP_ADDITIONAL_PAGES
1275 retval = ARCH_SETUP_ADDITIONAL_PAGES(bprm, elf_ex, !!interpreter);
1276 if (retval < 0)
1277 goto out;
1278 #endif /* ARCH_HAS_SETUP_ADDITIONAL_PAGES */
1279
1280 retval = create_elf_tables(bprm, elf_ex, interp_load_addr,
1281 e_entry, phdr_addr);
1282 if (retval < 0)
1283 goto out;
1284
1285 mm = current->mm;
1286 mm->end_code = end_code;
1287 mm->start_code = start_code;
1288 mm->start_data = start_data;
1289 mm->end_data = end_data;
1290 mm->start_stack = bprm->p;
1291
1292 /**
1293 * DOC: "brk" handling
1294 *
1295 * For architectures with ELF randomization, when executing a
1296 * loader directly (i.e. static PIE: ET_DYN without PT_INTERP),
1297 * move the brk area out of the mmap region and into the unused
1298 * ELF_ET_DYN_BASE region. Since "brk" grows up it may collide
1299 * early with the stack growing down or other regions being put
1300 * into the mmap region by the kernel (e.g. vdso).
1301 *
1302 * In the CONFIG_COMPAT_BRK case, though, everything is turned
1303 * off because we're not allowed to move the brk at all.
1304 */
1305 if (!IS_ENABLED(CONFIG_COMPAT_BRK) &&
1306 IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) &&
1307 elf_ex->e_type == ET_DYN && !interpreter) {
1308 elf_brk = ELF_ET_DYN_BASE;
1309 /* This counts as moving the brk, so let brk(2) know. */
1310 brk_moved = true;
1311 }
1312 mm->start_brk = mm->brk = ELF_PAGEALIGN(elf_brk);
1313
1314 if ((current->flags & PF_RANDOMIZE) && snapshot_randomize_va_space > 1) {
1315 /*
1316 * If we didn't move the brk to ELF_ET_DYN_BASE (above),
1317 * leave a gap between .bss and brk.
1318 */
1319 if (!brk_moved)
1320 mm->brk = mm->start_brk = mm->brk + PAGE_SIZE;
1321
1322 mm->brk = mm->start_brk = arch_randomize_brk(mm);
1323 brk_moved = true;
1324 }
1325
1326 #ifdef compat_brk_randomized
1327 if (brk_moved)
1328 current->brk_randomized = 1;
1329 #endif
1330
1331 if (current->personality & MMAP_PAGE_ZERO) {
1332 /* Why this, you ask??? Well SVr4 maps page 0 as read-only,
1333 and some applications "depend" upon this behavior.
1334 Since we do not have the power to recompile these, we
1335 emulate the SVr4 behavior. Sigh. */
1336 error = vm_mmap(NULL, 0, PAGE_SIZE, PROT_READ | PROT_EXEC,
1337 MAP_FIXED | MAP_PRIVATE, 0);
1338
1339 retval = do_mseal(0, PAGE_SIZE, 0);
1340 if (retval)
1341 pr_warn_ratelimited("pid=%d, couldn't seal address 0, ret=%d.\n",
1342 task_pid_nr(current), retval);
1343 }
1344
1345 regs = current_pt_regs();
1346 #ifdef ELF_PLAT_INIT
1347 /*
1348 * The ABI may specify that certain registers be set up in special
1349 * ways (on i386 %edx is the address of a DT_FINI function, for
1350 * example). In addition, it may also specify (e.g. PowerPC64 ELF)
1351 * that the e_entry field is the address of the function descriptor
1352 * for the startup routine, rather than the address of the startup
1353 * routine itself. This macro performs whatever initialization to
1354 * the regs structure is required as well as any relocations to the
1355 * function descriptor entries when executing dynamically linked apps.
1356 */
1357 ELF_PLAT_INIT(regs, reloc_func_desc);
1358 #endif
1359
1360 finalize_exec(bprm);
1361 START_THREAD(elf_ex, regs, elf_entry, bprm->p);
1362 retval = 0;
1363 out:
1364 return retval;
1365
1366 /* error cleanup */
1367 out_free_dentry:
1368 kfree(interp_elf_ex);
1369 kfree(interp_elf_phdata);
1370 out_free_file:
1371 allow_write_access(interpreter);
1372 if (interpreter)
1373 fput(interpreter);
1374 out_free_ph:
1375 kfree(elf_phdata);
1376 goto out;
1377 }
1378
1379 #ifdef CONFIG_USELIB
1380 /* This is really simpleminded and specialized - we are loading an
1381 a.out library that is given an ELF header. */
1382 static int load_elf_library(struct file *file)
1383 {
1384 struct elf_phdr *elf_phdata;
1385 struct elf_phdr *eppnt;
1386 int retval, error, i, j;
1387 struct elfhdr elf_ex;
1388
1389 error = -ENOEXEC;
1390 retval = elf_read(file, &elf_ex, sizeof(elf_ex), 0);
1391 if (retval < 0)
1392 goto out;
1393
1394 if (memcmp(elf_ex.e_ident, ELFMAG, SELFMAG) != 0)
1395 goto out;
1396
1397 /* First of all, some simple consistency checks */
1398 if (elf_ex.e_type != ET_EXEC || elf_ex.e_phnum > 2 ||
1399 !elf_check_arch(&elf_ex) || !file->f_op->mmap)
1400 goto out;
1401 if (elf_check_fdpic(&elf_ex))
1402 goto out;
1403
1404 /* Now read in all of the header information */
1405
1406 j = sizeof(struct elf_phdr) * elf_ex.e_phnum;
1407 /* j < ELF_MIN_ALIGN because elf_ex.e_phnum <= 2 */
1408
1409 error = -ENOMEM;
1410 elf_phdata = kmalloc(j, GFP_KERNEL);
1411 if (!elf_phdata)
1412 goto out;
1413
1414 eppnt = elf_phdata;
1415 error = -ENOEXEC;
1416 retval = elf_read(file, eppnt, j, elf_ex.e_phoff);
1417 if (retval < 0)
1418 goto out_free_ph;
1419
1420 for (j = 0, i = 0; i<elf_ex.e_phnum; i++)
1421 if ((eppnt + i)->p_type == PT_LOAD)
1422 j++;
1423 if (j != 1)
1424 goto out_free_ph;
1425
1426 while (eppnt->p_type != PT_LOAD)
1427 eppnt++;
1428
1429 /* Now use mmap to map the library into memory. */
1430 error = elf_load(file, ELF_PAGESTART(eppnt->p_vaddr),
1431 eppnt,
1432 PROT_READ | PROT_WRITE | PROT_EXEC,
1433 MAP_FIXED_NOREPLACE | MAP_PRIVATE,
1434 0);
1435
1436 if (error != ELF_PAGESTART(eppnt->p_vaddr))
1437 goto out_free_ph;
1438
1439 error = 0;
1440
1441 out_free_ph:
1442 kfree(elf_phdata);
1443 out:
1444 return error;
1445 }
1446 #endif /* #ifdef CONFIG_USELIB */
1447
1448 #ifdef CONFIG_ELF_CORE
1449 /*
1450 * ELF core dumper
1451 *
1452 * Modelled on fs/exec.c:aout_core_dump()
1453 * Jeremy Fitzhardinge <jeremy@sw.oz.au>
1454 */
1455
1456 /* An ELF note in memory */
1457 struct memelfnote
1458 {
1459 const char *name;
1460 int type;
1461 unsigned int datasz;
1462 void *data;
1463 };
1464
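/*
 * On disk a note is the elf_note header followed by the NUL-terminated name
 * and then the descriptor data, each padded to a 4-byte boundary; notesize()
 * returns that padded total and writenote() emits the pieces in that order.
 */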
1465 static int notesize(struct memelfnote *en)
1466 {
1467 int sz;
1468
1469 sz = sizeof(struct elf_note);
1470 sz += roundup(strlen(en->name) + 1, 4);
1471 sz += roundup(en->datasz, 4);
1472
1473 return sz;
1474 }
1475
1476 static int writenote(struct memelfnote *men, struct coredump_params *cprm)
1477 {
1478 struct elf_note en;
1479 en.n_namesz = strlen(men->name) + 1;
1480 en.n_descsz = men->datasz;
1481 en.n_type = men->type;
1482
1483 return dump_emit(cprm, &en, sizeof(en)) &&
1484 dump_emit(cprm, men->name, en.n_namesz) && dump_align(cprm, 4) &&
1485 dump_emit(cprm, men->data, men->datasz) && dump_align(cprm, 4);
1486 }
1487
1488 static void fill_elf_header(struct elfhdr *elf, int segs,
1489 u16 machine, u32 flags)
1490 {
1491 memset(elf, 0, sizeof(*elf));
1492
1493 memcpy(elf->e_ident, ELFMAG, SELFMAG);
1494 elf->e_ident[EI_CLASS] = ELF_CLASS;
1495 elf->e_ident[EI_DATA] = ELF_DATA;
1496 elf->e_ident[EI_VERSION] = EV_CURRENT;
1497 elf->e_ident[EI_OSABI] = ELF_OSABI;
1498
1499 elf->e_type = ET_CORE;
1500 elf->e_machine = machine;
1501 elf->e_version = EV_CURRENT;
1502 elf->e_phoff = sizeof(struct elfhdr);
1503 elf->e_flags = flags;
1504 elf->e_ehsize = sizeof(struct elfhdr);
1505 elf->e_phentsize = sizeof(struct elf_phdr);
1506 elf->e_phnum = segs;
1507 }
1508
1509 static void fill_elf_note_phdr(struct elf_phdr *phdr, int sz, loff_t offset)
1510 {
1511 phdr->p_type = PT_NOTE;
1512 phdr->p_offset = offset;
1513 phdr->p_vaddr = 0;
1514 phdr->p_paddr = 0;
1515 phdr->p_filesz = sz;
1516 phdr->p_memsz = 0;
1517 phdr->p_flags = 0;
1518 phdr->p_align = 4;
1519 }
1520
1521 static void fill_note(struct memelfnote *note, const char *name, int type,
1522 unsigned int sz, void *data)
1523 {
1524 note->name = name;
1525 note->type = type;
1526 note->datasz = sz;
1527 note->data = data;
1528 }
1529
1530 /*
1531 * fill up all the fields in prstatus from the given task struct, except
1532 * registers which need to be filled up separately.
1533 */
1534 static void fill_prstatus(struct elf_prstatus_common *prstatus,
1535 struct task_struct *p, long signr)
1536 {
1537 prstatus->pr_info.si_signo = prstatus->pr_cursig = signr;
1538 prstatus->pr_sigpend = p->pending.signal.sig[0];
1539 prstatus->pr_sighold = p->blocked.sig[0];
1540 rcu_read_lock();
1541 prstatus->pr_ppid = task_pid_vnr(rcu_dereference(p->real_parent));
1542 rcu_read_unlock();
1543 prstatus->pr_pid = task_pid_vnr(p);
1544 prstatus->pr_pgrp = task_pgrp_vnr(p);
1545 prstatus->pr_sid = task_session_vnr(p);
1546 if (thread_group_leader(p)) {
1547 struct task_cputime cputime;
1548
1549 /*
1550 * This is the record for the group leader. It shows the
1551 * group-wide total, not its individual thread total.
1552 */
1553 thread_group_cputime(p, &cputime);
1554 prstatus->pr_utime = ns_to_kernel_old_timeval(cputime.utime);
1555 prstatus->pr_stime = ns_to_kernel_old_timeval(cputime.stime);
1556 } else {
1557 u64 utime, stime;
1558
1559 task_cputime(p, &utime, &stime);
1560 prstatus->pr_utime = ns_to_kernel_old_timeval(utime);
1561 prstatus->pr_stime = ns_to_kernel_old_timeval(stime);
1562 }
1563
1564 prstatus->pr_cutime = ns_to_kernel_old_timeval(p->signal->cutime);
1565 prstatus->pr_cstime = ns_to_kernel_old_timeval(p->signal->cstime);
1566 }
1567
1568 static int fill_psinfo(struct elf_prpsinfo *psinfo, struct task_struct *p,
1569 struct mm_struct *mm)
1570 {
1571 const struct cred *cred;
1572 unsigned int i, len;
1573 unsigned int state;
1574
1575 /* first copy the parameters from user space */
1576 memset(psinfo, 0, sizeof(struct elf_prpsinfo));
1577
1578 len = mm->arg_end - mm->arg_start;
1579 if (len >= ELF_PRARGSZ)
1580 len = ELF_PRARGSZ-1;
1581 if (copy_from_user(&psinfo->pr_psargs,
1582 (const char __user *)mm->arg_start, len))
1583 return -EFAULT;
1584 for(i = 0; i < len; i++)
1585 if (psinfo->pr_psargs[i] == 0)
1586 psinfo->pr_psargs[i] = ' ';
1587 psinfo->pr_psargs[len] = 0;
1588
1589 rcu_read_lock();
1590 psinfo->pr_ppid = task_pid_vnr(rcu_dereference(p->real_parent));
1591 rcu_read_unlock();
1592 psinfo->pr_pid = task_pid_vnr(p);
1593 psinfo->pr_pgrp = task_pgrp_vnr(p);
1594 psinfo->pr_sid = task_session_vnr(p);
1595
1596 state = READ_ONCE(p->__state);
1597 i = state ? ffz(~state) + 1 : 0;
1598 psinfo->pr_state = i;
1599 psinfo->pr_sname = (i > 5) ? '.' : "RSDTZW"[i];
1600 psinfo->pr_zomb = psinfo->pr_sname == 'Z';
1601 psinfo->pr_nice = task_nice(p);
1602 psinfo->pr_flag = p->flags;
1603 rcu_read_lock();
1604 cred = __task_cred(p);
1605 SET_UID(psinfo->pr_uid, from_kuid_munged(cred->user_ns, cred->uid));
1606 SET_GID(psinfo->pr_gid, from_kgid_munged(cred->user_ns, cred->gid));
1607 rcu_read_unlock();
1608 get_task_comm(psinfo->pr_fname, p);
1609
1610 return 0;
1611 }
1612
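/*
 * saved_auxv holds (id, value) pairs terminated by an AT_NULL entry; dump the
 * whole array, including that terminator, as the NT_AUXV note.
 */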
1613 static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
1614 {
1615 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
1616 int i = 0;
1617 do
1618 i += 2;
1619 while (auxv[i - 2] != AT_NULL);
1620 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
1621 }
1622
1623 static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata,
1624 const kernel_siginfo_t *siginfo)
1625 {
1626 copy_siginfo_to_external(csigdata, siginfo);
1627 fill_note(note, "CORE", NT_SIGINFO, sizeof(*csigdata), csigdata);
1628 }
1629
1630 /*
1631 * Format of NT_FILE note:
1632 *
1633 * long count -- how many files are mapped
1634 * long page_size -- units for file_ofs
1635 * array of [COUNT] elements of
1636 * long start
1637 * long end
1638 * long file_ofs
1639 * followed by COUNT filenames in ASCII: "FILE1" NUL "FILE2" NUL...
1640 */
1641 static int fill_files_note(struct memelfnote *note, struct coredump_params *cprm)
1642 {
1643 unsigned count, size, names_ofs, remaining, n;
1644 user_long_t *data;
1645 user_long_t *start_end_ofs;
1646 char *name_base, *name_curpos;
1647 int i;
1648
1649 /* *Estimated* file count and total data size needed */
1650 count = cprm->vma_count;
1651 if (count > UINT_MAX / 64)
1652 return -EINVAL;
1653 size = count * 64;
1654
1655 names_ofs = (2 + 3 * count) * sizeof(data[0]);
1656 alloc:
1657 /* paranoia check */
1658 if (size >= core_file_note_size_limit) {
1659 pr_warn_once("coredump Note size too large: %u (does kernel.core_file_note_size_limit sysctl need adjustment?\n",
1660 size);
1661 return -EINVAL;
1662 }
1663 size = round_up(size, PAGE_SIZE);
1664 /*
1665 * "size" can be 0 here legitimately.
1666 * Let it ENOMEM and omit NT_FILE section which will be empty anyway.
1667 */
1668 data = kvmalloc(size, GFP_KERNEL);
1669 if (ZERO_OR_NULL_PTR(data))
1670 return -ENOMEM;
1671
1672 start_end_ofs = data + 2;
1673 name_base = name_curpos = ((char *)data) + names_ofs;
1674 remaining = size - names_ofs;
1675 count = 0;
1676 for (i = 0; i < cprm->vma_count; i++) {
1677 struct core_vma_metadata *m = &cprm->vma_meta[i];
1678 struct file *file;
1679 const char *filename;
1680
1681 file = m->file;
1682 if (!file)
1683 continue;
1684 filename = file_path(file, name_curpos, remaining);
1685 if (IS_ERR(filename)) {
1686 if (PTR_ERR(filename) == -ENAMETOOLONG) {
1687 kvfree(data);
1688 size = size * 5 / 4;
1689 goto alloc;
1690 }
1691 continue;
1692 }
1693
1694 /* file_path() fills at the end, move name down */
1695 /* n = strlen(filename) + 1: */
1696 n = (name_curpos + remaining) - filename;
1697 remaining = filename - name_curpos;
1698 memmove(name_curpos, filename, n);
1699 name_curpos += n;
1700
1701 *start_end_ofs++ = m->start;
1702 *start_end_ofs++ = m->end;
1703 *start_end_ofs++ = m->pgoff;
1704 count++;
1705 }
1706
1707 /* Now we know exact count of files, can store it */
1708 data[0] = count;
1709 data[1] = PAGE_SIZE;
1710 /*
1711 * Count usually is less than mm->map_count,
1712 * we need to move filenames down.
1713 */
1714 n = cprm->vma_count - count;
1715 if (n != 0) {
1716 unsigned shift_bytes = n * 3 * sizeof(data[0]);
1717 memmove(name_base - shift_bytes, name_base,
1718 name_curpos - name_base);
1719 name_curpos -= shift_bytes;
1720 }
1721
1722 size = name_curpos - (char *)data;
1723 fill_note(note, "CORE", NT_FILE, size, data);
1724 return 0;
1725 }
1726
1727 #include <linux/regset.h>
1728
1729 struct elf_thread_core_info {
1730 struct elf_thread_core_info *next;
1731 struct task_struct *task;
1732 struct elf_prstatus prstatus;
1733 struct memelfnote notes[];
1734 };
1735
1736 struct elf_note_info {
1737 struct elf_thread_core_info *thread;
1738 struct memelfnote psinfo;
1739 struct memelfnote signote;
1740 struct memelfnote auxv;
1741 struct memelfnote files;
1742 user_siginfo_t csigdata;
1743 size_t size;
1744 int thread_notes;
1745 };
1746
1747 #ifdef CORE_DUMP_USE_REGSET
1748 /*
1749 * When a regset has a writeback hook, we call it on each thread before
1750 * dumping user memory. On register window machines, this makes sure the
1751 * user memory backing the register data is up to date before we read it.
1752 */
1753 static void do_thread_regset_writeback(struct task_struct *task,
1754 const struct user_regset *regset)
1755 {
1756 if (regset->writeback)
1757 regset->writeback(task, regset, 1);
1758 }
1759
1760 #ifndef PRSTATUS_SIZE
1761 #define PRSTATUS_SIZE sizeof(struct elf_prstatus)
1762 #endif
1763
1764 #ifndef SET_PR_FPVALID
1765 #define SET_PR_FPVALID(S) ((S)->pr_fpvalid = 1)
1766 #endif
1767
1768 static int fill_thread_core_info(struct elf_thread_core_info *t,
1769 const struct user_regset_view *view,
1770 long signr, struct elf_note_info *info)
1771 {
1772 unsigned int note_iter, view_iter;
1773
1774 /*
1775 * NT_PRSTATUS is the one special case, because the regset data
1776 * goes into the pr_reg field inside the note contents, rather
1777 * than being the whole note contents. We fill the regset in here.
1778 * We assume that regset 0 is NT_PRSTATUS.
1779 */
1780 fill_prstatus(&t->prstatus.common, t->task, signr);
1781 regset_get(t->task, &view->regsets[0],
1782 sizeof(t->prstatus.pr_reg), &t->prstatus.pr_reg);
1783
1784 fill_note(&t->notes[0], "CORE", NT_PRSTATUS,
1785 PRSTATUS_SIZE, &t->prstatus);
1786 info->size += notesize(&t->notes[0]);
1787
1788 do_thread_regset_writeback(t->task, &view->regsets[0]);
1789
1790 /*
1791 * Each other regset might generate a note too. For each regset
1792 * that has no core_note_type or is inactive, skip it.
1793 */
1794 note_iter = 1;
1795 for (view_iter = 1; view_iter < view->n; ++view_iter) {
1796 const struct user_regset *regset = &view->regsets[view_iter];
1797 int note_type = regset->core_note_type;
1798 bool is_fpreg = note_type == NT_PRFPREG;
1799 void *data;
1800 int ret;
1801
1802 do_thread_regset_writeback(t->task, regset);
1803 if (!note_type) // not for coredumps
1804 continue;
1805 if (regset->active && regset->active(t->task, regset) <= 0)
1806 continue;
1807
1808 ret = regset_get_alloc(t->task, regset, ~0U, &data);
1809 if (ret < 0)
1810 continue;
1811
1812 if (WARN_ON_ONCE(note_iter >= info->thread_notes))
1813 break;
1814
1815 if (is_fpreg)
1816 SET_PR_FPVALID(&t->prstatus);
1817
1818 fill_note(&t->notes[note_iter], is_fpreg ? "CORE" : "LINUX",
1819 note_type, ret, data);
1820
1821 info->size += notesize(&t->notes[note_iter]);
1822 note_iter++;
1823 }
1824
1825 return 1;
1826 }
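
/*
 * So, for an arch whose regset view is, say, { NT_PRSTATUS, NT_PRFPREG,
 * NT_X86_XSTATE }, fill_thread_core_info() above ends up with
 * notes[0] = NT_PRSTATUS ("CORE"), notes[1] = NT_PRFPREG ("CORE") and
 * notes[2] = NT_X86_XSTATE ("LINUX"); regsets that are skipped just leave
 * unused (zeroed) entries at the tail, which write_note_info() ignores
 * because their data pointer stays NULL.
 */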
1827 #else
1828 static int fill_thread_core_info(struct elf_thread_core_info *t,
1829 const struct user_regset_view *view,
1830 long signr, struct elf_note_info *info)
1831 {
1832 struct task_struct *p = t->task;
1833 elf_fpregset_t *fpu;
1834
1835 fill_prstatus(&t->prstatus.common, p, signr);
1836 elf_core_copy_task_regs(p, &t->prstatus.pr_reg);
1837
1838 fill_note(&t->notes[0], "CORE", NT_PRSTATUS, sizeof(t->prstatus),
1839 &(t->prstatus));
1840 info->size += notesize(&t->notes[0]);
1841
1842 fpu = kzalloc(sizeof(elf_fpregset_t), GFP_KERNEL);
1843 if (!fpu || !elf_core_copy_task_fpregs(p, fpu)) {
1844 kfree(fpu);
1845 return 1;
1846 }
1847
1848 t->prstatus.pr_fpvalid = 1;
1849 fill_note(&t->notes[1], "CORE", NT_PRFPREG, sizeof(*fpu), fpu);
1850 info->size += notesize(&t->notes[1]);
1851
1852 return 1;
1853 }
1854 #endif
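
/*
 * In the non-regset case above, each thread carries at most two notes:
 * notes[0] is always NT_PRSTATUS and notes[1] is NT_PRFPREG when the FPU
 * state could be copied, which is why fill_note_info() below sizes the
 * array with thread_notes = 2.
 */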
1855
1856 static int fill_note_info(struct elfhdr *elf, int phdrs,
1857 struct elf_note_info *info,
1858 struct coredump_params *cprm)
1859 {
1860 struct task_struct *dump_task = current;
1861 const struct user_regset_view *view;
1862 struct elf_thread_core_info *t;
1863 struct elf_prpsinfo *psinfo;
1864 struct core_thread *ct;
1865
1866 psinfo = kmalloc(sizeof(*psinfo), GFP_KERNEL);
1867 if (!psinfo)
1868 return 0;
1869 fill_note(&info->psinfo, "CORE", NT_PRPSINFO, sizeof(*psinfo), psinfo);
1870
1871 #ifdef CORE_DUMP_USE_REGSET
1872 view = task_user_regset_view(dump_task);
1873
1874 /*
1875 * Figure out how many notes we're going to need for each thread.
1876 */
1877 info->thread_notes = 0;
1878 for (int i = 0; i < view->n; ++i)
1879 if (view->regsets[i].core_note_type != 0)
1880 ++info->thread_notes;
1881
1882 /*
1883 	 * Sanity check. We rely on regset 0 being NT_PRSTATUS,
1884 * since it is our one special case.
1885 */
1886 if (unlikely(info->thread_notes == 0) ||
1887 unlikely(view->regsets[0].core_note_type != NT_PRSTATUS)) {
1888 WARN_ON(1);
1889 return 0;
1890 }
1891
1892 /*
1893 * Initialize the ELF file header.
1894 */
1895 fill_elf_header(elf, phdrs,
1896 view->e_machine, view->e_flags);
1897 #else
1898 view = NULL;
1899 info->thread_notes = 2;
1900 fill_elf_header(elf, phdrs, ELF_ARCH, ELF_CORE_EFLAGS);
1901 #endif
1902
1903 /*
1904 * Allocate a structure for each thread.
1905 */
1906 info->thread = kzalloc(offsetof(struct elf_thread_core_info,
1907 notes[info->thread_notes]),
1908 GFP_KERNEL);
1909 if (unlikely(!info->thread))
1910 return 0;
1911
1912 info->thread->task = dump_task;
1913 for (ct = dump_task->signal->core_state->dumper.next; ct; ct = ct->next) {
1914 t = kzalloc(offsetof(struct elf_thread_core_info,
1915 notes[info->thread_notes]),
1916 GFP_KERNEL);
1917 if (unlikely(!t))
1918 return 0;
1919
1920 t->task = ct->task;
1921 t->next = info->thread->next;
1922 info->thread->next = t;
1923 }
1924
1925 /*
1926 * Now fill in each thread's information.
1927 */
1928 for (t = info->thread; t != NULL; t = t->next)
1929 if (!fill_thread_core_info(t, view, cprm->siginfo->si_signo, info))
1930 return 0;
1931
1932 /*
1933 * Fill in the two process-wide notes.
1934 */
1935 fill_psinfo(psinfo, dump_task->group_leader, dump_task->mm);
1936 info->size += notesize(&info->psinfo);
1937
1938 fill_siginfo_note(&info->signote, &info->csigdata, cprm->siginfo);
1939 info->size += notesize(&info->signote);
1940
1941 fill_auxv_note(&info->auxv, current->mm);
1942 info->size += notesize(&info->auxv);
1943
1944 if (fill_files_note(&info->files, cprm) == 0)
1945 info->size += notesize(&info->files);
1946
1947 return 1;
1948 }
1949
1950 /*
1951 * Write all the notes for each thread. When writing the first thread, the
1952 * process-wide notes are interleaved after the first thread-specific note.
1953 */
1954 static int write_note_info(struct elf_note_info *info,
1955 struct coredump_params *cprm)
1956 {
1957 bool first = true;
1958 struct elf_thread_core_info *t = info->thread;
1959
1960 do {
1961 int i;
1962
1963 if (!writenote(&t->notes[0], cprm))
1964 return 0;
1965
1966 if (first && !writenote(&info->psinfo, cprm))
1967 return 0;
1968 if (first && !writenote(&info->signote, cprm))
1969 return 0;
1970 if (first && !writenote(&info->auxv, cprm))
1971 return 0;
1972 if (first && info->files.data &&
1973 !writenote(&info->files, cprm))
1974 return 0;
1975
1976 for (i = 1; i < info->thread_notes; ++i)
1977 if (t->notes[i].data &&
1978 !writenote(&t->notes[i], cprm))
1979 return 0;
1980
1981 first = false;
1982 t = t->next;
1983 } while (t);
1984
1985 return 1;
1986 }
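
/*
 * For a two-thread process this typically emits, in order:
 *
 *	PRSTATUS(T0), PRPSINFO, SIGINFO, AUXV, [FILE,]
 *	T0's remaining per-thread notes,
 *	PRSTATUS(T1), T1's remaining per-thread notes.
 */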
1987
1988 static void free_note_info(struct elf_note_info *info)
1989 {
1990 struct elf_thread_core_info *threads = info->thread;
1991 while (threads) {
1992 unsigned int i;
1993 struct elf_thread_core_info *t = threads;
1994 threads = t->next;
1995 WARN_ON(t->notes[0].data && t->notes[0].data != &t->prstatus);
1996 for (i = 1; i < info->thread_notes; ++i)
1997 kvfree(t->notes[i].data);
1998 kfree(t);
1999 }
2000 kfree(info->psinfo.data);
2001 kvfree(info->files.data);
2002 }
2003
2004 static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
2005 elf_addr_t e_shoff, int segs)
2006 {
2007 elf->e_shoff = e_shoff;
2008 elf->e_shentsize = sizeof(*shdr4extnum);
2009 elf->e_shnum = 1;
2010 elf->e_shstrndx = SHN_UNDEF;
2011
2012 memset(shdr4extnum, 0, sizeof(*shdr4extnum));
2013
2014 shdr4extnum->sh_type = SHT_NULL;
2015 shdr4extnum->sh_size = elf->e_shnum;
2016 shdr4extnum->sh_link = elf->e_shstrndx;
2017 shdr4extnum->sh_info = segs;
2018 }
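
/*
 * With extended numbering, e_phnum stays capped at PN_XNUM (0xffff) and
 * readers recover the real program header count from sh_info of this lone
 * SHT_NULL section header; sh_size and sh_link mirror e_shnum and
 * e_shstrndx in the same way.
 */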
2019
2020 /*
2021 * Actual dumper
2022 *
2023  * This is a two-pass process: first we compute the offsets of all the
2024  * pieces, and then they are actually written out. If we hit the core
2025  * file size limit, we just truncate.
2026 */
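/*
 * Roughly, the resulting file looks like:
 *
 *	ELF header
 *	program headers (one for the notes, one PT_LOAD per VMA, arch extras)
 *	note data
 *	<padding up to ELF_EXEC_PAGESIZE>
 *	VMA contents, in cprm->vma_meta order
 *	arch extra data
 *	extended-numbering section header (only if e_phnum == PN_XNUM)
 */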
2027 static int elf_core_dump(struct coredump_params *cprm)
2028 {
2029 int has_dumped = 0;
2030 int segs, i;
2031 struct elfhdr elf;
2032 loff_t offset = 0, dataoff;
2033 struct elf_note_info info = { };
2034 struct elf_phdr *phdr4note = NULL;
2035 struct elf_shdr *shdr4extnum = NULL;
2036 Elf_Half e_phnum;
2037 elf_addr_t e_shoff;
2038
2039 /*
2040 	 * The number of segs is recorded in the ELF header as a 16-bit value.
2041 	 * Please check the DEFAULT_MAX_MAP_COUNT definition when you modify here.
2042 */
2043 segs = cprm->vma_count + elf_core_extra_phdrs(cprm);
2044
2045 /* for notes section */
2046 segs++;
2047
2048 	/* If segs > PN_XNUM(0xffff), then e_phnum overflows. To avoid
2049 	 * this, the kernel supports extended numbering. See
2050 	 * include/linux/elf.h for further information. */
2051 e_phnum = segs > PN_XNUM ? PN_XNUM : segs;
2052
2053 /*
2054 * Collect all the non-memory information about the process for the
2055 * notes. This also sets up the file header.
2056 */
2057 if (!fill_note_info(&elf, e_phnum, &info, cprm))
2058 goto end_coredump;
2059
2060 has_dumped = 1;
2061
2062 offset += sizeof(elf); /* ELF header */
2063 offset += segs * sizeof(struct elf_phdr); /* Program headers */
2064
2065 /* Write notes phdr entry */
2066 {
2067 size_t sz = info.size;
2068
2069 /* For cell spufs and x86 xstate */
2070 sz += elf_coredump_extra_notes_size();
2071
2072 phdr4note = kmalloc(sizeof(*phdr4note), GFP_KERNEL);
2073 if (!phdr4note)
2074 goto end_coredump;
2075
2076 fill_elf_note_phdr(phdr4note, sz, offset);
2077 offset += sz;
2078 }
2079
2080 dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
2081
2082 offset += cprm->vma_data_size;
2083 offset += elf_core_extra_data_size(cprm);
2084 e_shoff = offset;
2085
2086 if (e_phnum == PN_XNUM) {
2087 shdr4extnum = kmalloc(sizeof(*shdr4extnum), GFP_KERNEL);
2088 if (!shdr4extnum)
2089 goto end_coredump;
2090 fill_extnum_info(&elf, shdr4extnum, e_shoff, segs);
2091 }
2092
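	/*
	 * The PT_LOAD file offsets start at the page-aligned dataoff computed
	 * above and grow by p_filesz as each program header is emitted below.
	 */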
2093 offset = dataoff;
2094
2095 if (!dump_emit(cprm, &elf, sizeof(elf)))
2096 goto end_coredump;
2097
2098 if (!dump_emit(cprm, phdr4note, sizeof(*phdr4note)))
2099 goto end_coredump;
2100
2101 /* Write program headers for segments dump */
2102 for (i = 0; i < cprm->vma_count; i++) {
2103 struct core_vma_metadata *meta = cprm->vma_meta + i;
2104 struct elf_phdr phdr;
2105
2106 phdr.p_type = PT_LOAD;
2107 phdr.p_offset = offset;
2108 phdr.p_vaddr = meta->start;
2109 phdr.p_paddr = 0;
2110 phdr.p_filesz = meta->dump_size;
2111 phdr.p_memsz = meta->end - meta->start;
2112 offset += phdr.p_filesz;
2113 phdr.p_flags = 0;
2114 if (meta->flags & VM_READ)
2115 phdr.p_flags |= PF_R;
2116 if (meta->flags & VM_WRITE)
2117 phdr.p_flags |= PF_W;
2118 if (meta->flags & VM_EXEC)
2119 phdr.p_flags |= PF_X;
2120 phdr.p_align = ELF_EXEC_PAGESIZE;
2121
2122 if (!dump_emit(cprm, &phdr, sizeof(phdr)))
2123 goto end_coredump;
2124 }
2125
2126 if (!elf_core_write_extra_phdrs(cprm, offset))
2127 goto end_coredump;
2128
2129 /* write out the notes section */
2130 if (!write_note_info(&info, cprm))
2131 goto end_coredump;
2132
2133 /* For cell spufs and x86 xstate */
2134 if (elf_coredump_extra_notes_write(cprm))
2135 goto end_coredump;
2136
2137 /* Align to page */
2138 dump_skip_to(cprm, dataoff);
2139
2140 for (i = 0; i < cprm->vma_count; i++) {
2141 struct core_vma_metadata *meta = cprm->vma_meta + i;
2142
2143 if (!dump_user_range(cprm, meta->start, meta->dump_size))
2144 goto end_coredump;
2145 }
2146
2147 if (!elf_core_write_extra_data(cprm))
2148 goto end_coredump;
2149
2150 if (e_phnum == PN_XNUM) {
2151 if (!dump_emit(cprm, shdr4extnum, sizeof(*shdr4extnum)))
2152 goto end_coredump;
2153 }
2154
2155 end_coredump:
2156 free_note_info(&info);
2157 kfree(shdr4extnum);
2158 kfree(phdr4note);
2159 return has_dumped;
2160 }
2161
2162 #endif /* CONFIG_ELF_CORE */
2163
2164 static int __init init_elf_binfmt(void)
2165 {
2166 elf_format.min_coredump = ELF_EXEC_PAGESIZE;
2167 register_binfmt(&elf_format);
2168 return 0;
2169 }
2170
2171 static void __exit exit_elf_binfmt(void)
2172 {
2173 	/* Remove the ELF loader. */
2174 unregister_binfmt(&elf_format);
2175 }
2176
2177 core_initcall(init_elf_binfmt);
2178 module_exit(exit_elf_binfmt);
2179
2180 #ifdef CONFIG_BINFMT_ELF_KUNIT_TEST
2181 #include "tests/binfmt_elf_kunit.c"
2182 #endif
2183