Lines Matching +full:protect +full:- +full:exec
1 // SPDX-License-Identifier: GPL-2.0-only
3 * linux/fs/exec.c
9 * #!-checking implemented by tytso.
12 * Demand-loading implemented 01.12.91 - no need to read anything but
14 * "current->executable", and page faults do the actual loading. Clean.
17 * was less than 2 hours work to get demand-loading completely implemented.
20 * current->executable is only used by the procfs. This allows a dispatch
91 insert ? list_add(&fmt->lh, &formats) :
92 list_add_tail(&fmt->lh, &formats);
101 list_del(&fmt->lh);
109 module_put(fmt->module);
114 return (path->mnt->mnt_flags & MNT_NOEXEC) ||
115 (path->mnt->mnt_sb->s_iflags & SB_I_NOEXEC);
150 error = -EACCES;
151 if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode)) ||
152 path_noexec(&file->f_path))
155 error = -ENOEXEC;
159 if (!fmt->load_shlib)
161 if (!try_module_get(fmt->module))
164 error = fmt->load_shlib(file);
167 if (error != -ENOEXEC)
180 * The nascent bprm->mm is not visible until exec_mmap() but it can
181 * use a lot of memory, account these pages in current->mm temporary
182 * for oom_badness()->get_mm_rss(). Once exec succeeds or fails, we
187 struct mm_struct *mm = current->mm;
188 long diff = (long)(pages - bprm->vma_pages);
193 bprm->vma_pages = pages;
201 struct vm_area_struct *vma = bprm->vma;
202 struct mm_struct *mm = bprm->mm;
214 * We are doing an exec(). 'current' is the process
215 * doing the exec and 'mm' is the new process's mm.
242 flush_cache_page(bprm->vma, pos, page_to_pfn(page));
249 struct mm_struct *mm = bprm->mm;
251 bprm->vma = vma = vm_area_alloc(mm);
253 return -ENOMEM;
257 err = -EINTR;
276 vma->vm_end = STACK_TOP_MAX;
277 vma->vm_start = vma->vm_end - PAGE_SIZE;
279 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
285 mm->stack_vm = mm->total_vm = 1;
287 bprm->p = vma->vm_end - sizeof(void *);
294 bprm->vma = NULL;
315 page = bprm->page[pos / PAGE_SIZE];
320 bprm->page[pos / PAGE_SIZE] = page;
332 if (bprm->page[i]) {
333 __free_page(bprm->page[i]);
334 bprm->page[i] = NULL;
353 bprm->p = PAGE_SIZE * MAX_ARG_PAGES - sizeof(void *);
359 return len <= bprm->p;
375 bprm->mm = mm = mm_alloc();
376 err = -ENOMEM;
380 /* Save current stack limit for all calculations made during exec. */
381 task_lock(current->group_leader);
382 bprm->rlim_stack = current->signal->rlim[RLIMIT_STACK];
383 task_unlock(current->group_leader);
393 bprm->mm = NULL;
421 return ERR_PTR(-EFAULT);
428 return ERR_PTR(-EFAULT);
448 return -EFAULT;
451 return -E2BIG;
455 return -ERESTARTNOHAND;
471 return -E2BIG;
473 return -ERESTARTNOHAND;
483 /* Avoid a pathological bprm->p. */
484 if (bprm->p < limit)
485 return -E2BIG;
486 bprm->argmin = bprm->p - limit;
493 return bprm->p < bprm->argmin;
500 * Calculate bprm->argmin from:
501 * - _STK_LIM
502 * - ARG_MAX
503 * - bprm->rlim_stack.rlim_cur
504 * - bprm->argc
505 * - bprm->envc
506 * - bprm->p
516 * - the remaining binfmt code will not run out of stack space,
517 * - the program will have a reasonable amount of stack left
521 limit = min(limit, bprm->rlim_stack.rlim_cur / 4);
528 if (bprm->argc < 0 || bprm->envc < 0)
529 return -E2BIG;
543 if (check_add_overflow(max(bprm->argc, 1), bprm->envc, &ptr_size) ||
545 return -E2BIG;
547 return -E2BIG;
548 limit -= ptr_size;
566 while (argc-- > 0) {
571 ret = -EFAULT;
580 ret = -E2BIG;
585 pos = bprm->p;
587 bprm->p -= len;
595 ret = -ERESTARTNOHAND;
608 offset -= bytes_to_copy;
609 pos -= bytes_to_copy;
610 str -= bytes_to_copy;
611 len -= bytes_to_copy;
618 ret = -E2BIG;
633 ret = -EFAULT;
654 unsigned long pos = bprm->p;
657 return -EFAULT;
659 return -E2BIG;
663 bprm->p -= len;
665 return -E2BIG;
672 pos -= bytes_to_copy;
673 arg -= bytes_to_copy;
674 len -= bytes_to_copy;
678 return -E2BIG;
691 while (argc-- > 0) {
696 return -ERESTARTNOHAND;
714 struct mm_struct *mm = current->mm;
715 struct vm_area_struct *vma = bprm->vma;
727 stack_base = bprm->rlim_stack.rlim_max;
732 if (current->flags & PF_RANDOMIZE)
736 if (vma->vm_end - vma->vm_start > stack_base)
737 return -ENOMEM;
739 stack_base = PAGE_ALIGN(stack_top - stack_base);
741 stack_shift = vma->vm_start - stack_base;
742 mm->arg_start = bprm->p - stack_shift;
743 bprm->p = vma->vm_end - stack_shift;
749 unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
750 return -ENOMEM;
752 stack_shift = vma->vm_end - stack_top;
754 bprm->p -= stack_shift;
755 mm->arg_start = bprm->p;
758 if (bprm->loader)
759 bprm->loader -= stack_shift;
760 bprm->exec -= stack_shift;
763 return -EINTR;
776 vm_flags |= mm->def_flags;
779 vma_iter_init(&vmi, mm, vma->vm_start);
782 ret = mprotect_fixup(&vmi, &tlb, vma, &prev, vma->vm_start, vma->vm_end,
792 bprm->file);
811 stack_size = vma->vm_end - vma->vm_start;
816 rlim_stack = bprm->rlim_stack.rlim_cur & PAGE_MASK;
821 stack_base = vma->vm_start + stack_expand;
823 stack_base = vma->vm_end - stack_expand;
825 current->mm->start_stack = bprm->p;
828 ret = -EFAULT;
848 stop = bprm->p >> PAGE_SHIFT;
851 for (index = MAX_ARG_PAGES - 1; index >= stop; index--) {
852 unsigned int offset = index == stop ? bprm->p & ~PAGE_MASK : 0;
853 char *src = kmap_local_page(bprm->page[index]) + offset;
854 sp -= PAGE_SIZE - offset;
855 if (copy_to_user((void *) sp, src, PAGE_SIZE - offset) != 0)
856 ret = -EFAULT;
862 bprm->exec += *sp_location - MAX_ARG_PAGES * PAGE_SIZE;
889 return ERR_PTR(-EINVAL);
901 * 633fb6ac3980 ("exec: move S_ISREG() check earlier"). Since then it is
902 * an invariant that all non-regular files error out before we get here.
904 if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode)) ||
905 path_noexec(&file->f_path))
906 return ERR_PTR(-EACCES);
916 * open_exec - Open a path name for execution
963 old_mm = current->mm;
966 ret = down_write_killable(&tsk->signal->exec_update_lock);
974 * out and die instead of going through with the exec.
978 up_write(&tsk->signal->exec_update_lock);
987 active_mm = tsk->active_mm;
988 tsk->active_mm = mm;
989 tsk->mm = mm;
1009 setmax_mm_hiwater_rss(&tsk->signal->maxrss, old_mm);
1020 struct signal_struct *sig = tsk->signal;
1021 struct sighand_struct *oldsighand = tsk->sighand;
1022 spinlock_t *lock = &oldsighand->siglock;
1031 if ((sig->flags & SIGNAL_GROUP_EXIT) || sig->group_exec_task) {
1037 return -EAGAIN;
1040 sig->group_exec_task = tsk;
1041 sig->notify_count = zap_other_threads(tsk);
1043 sig->notify_count--;
1045 while (sig->notify_count) {
1061 struct task_struct *leader = tsk->group_leader;
1068 * exit_notify() can't miss ->group_exec_task
1070 sig->notify_count = -1;
1071 if (likely(leader->exit_state))
1082 * The only record we have of the real-time age of a
1085 * from sister threads now dead. But in this non-leader
1086 * exec, nothing survives from the original leader thread,
1091 tsk->start_time = leader->start_time;
1092 tsk->start_boottime = leader->start_boottime;
1096 * An exec() starts a new thread group with the
1110 list_replace_rcu(&leader->tasks, &tsk->tasks);
1111 list_replace_init(&leader->sibling, &tsk->sibling);
1113 tsk->group_leader = tsk;
1114 leader->group_leader = tsk;
1116 tsk->exit_signal = SIGCHLD;
1117 leader->exit_signal = -1;
1119 BUG_ON(leader->exit_state != EXIT_ZOMBIE);
1120 leader->exit_state = EXIT_DEAD;
1122 * We are going to release_task()->ptrace_unlink() silently,
1126 if (unlikely(leader->ptrace))
1127 __wake_up_parent(leader, leader->parent);
1134 sig->group_exec_task = NULL;
1135 sig->notify_count = 0;
1139 tsk->exit_signal = SIGCHLD;
1147 sig->group_exec_task = NULL;
1148 sig->notify_count = 0;
1150 return -EAGAIN;
1162 struct sighand_struct *oldsighand = me->sighand;
1164 if (refcount_read(&oldsighand->count) != 1) {
1167 * This ->sighand is shared with the CLONE_SIGHAND
1172 return -ENOMEM;
1174 refcount_set(&newsighand->count, 1);
1177 spin_lock(&oldsighand->siglock);
1178 memcpy(newsighand->action, oldsighand->action,
1179 sizeof(newsighand->action));
1180 rcu_assign_pointer(me->sighand, newsighand);
1181 spin_unlock(&oldsighand->siglock);
1190 * This is unlocked -- the string will always be NUL-terminated, but
1193 void __set_task_comm(struct task_struct *tsk, const char *buf, bool exec)
1195 size_t len = min(strlen(buf), sizeof(tsk->comm) - 1);
1198 memcpy(tsk->comm, buf, len);
1199 memset(&tsk->comm[len], 0, sizeof(tsk->comm) - len);
1200 perf_event_comm(tsk, exec);
1220 * This tracepoint marks the point before flushing the old exec where
1223 * the current task has successfully switched to the new exec.
1230 bprm->point_of_no_return = true;
1250 * Must be called _before_ exec_mmap() as bprm->mm is
1254 retval = set_mm_exe_file(bprm->mm, bprm->file);
1258 /* If the binary is not readable then enforce mm->dumpable=0 */
1259 would_dump(bprm, bprm->file);
1260 if (bprm->have_execfd)
1261 would_dump(bprm, bprm->executable);
1267 retval = exec_mmap(bprm->mm);
1271 bprm->mm = NULL;
1278 spin_lock_irq(&me->sighand->siglock);
1280 spin_unlock_irq(&me->sighand->siglock);
1292 me->flags &= ~(PF_RANDOMIZE | PF_FORKNOEXEC |
1295 me->personality &= ~bprm->per_clear;
1302 * trying to access the should-be-closed file descriptors of a process
1303 * undergoing exec(2).
1305 do_close_on_exec(me->files);
1307 if (bprm->secureexec) {
1309 me->pdeath_signal = 0;
1318 if (bprm->rlim_stack.rlim_cur > _STK_LIM)
1319 bprm->rlim_stack.rlim_cur = _STK_LIM;
1322 me->sas_ss_sp = me->sas_ss_size = 0;
1327 * bprm->secureexec instead.
1329 if (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP ||
1332 set_dumpable(current->mm, suid_dumpable);
1334 set_dumpable(current->mm, SUID_DUMP_USER);
1343 if (bprm->comm_from_dentry) {
1353 __set_task_comm(me, smp_load_acquire(&bprm->file->f_path.dentry->d_name.name),
1357 __set_task_comm(me, kbasename(bprm->filename), true);
1360 /* An exec changes our domain. We are no longer part of the thread
1362 WRITE_ONCE(me->self_exec_id, me->self_exec_id + 1);
1365 retval = set_cred_ucounts(bprm->cred);
1374 commit_creds(bprm->cred);
1375 bprm->cred = NULL;
1383 if (get_dumpable(me->mm) != SUID_DUMP_USER)
1393 if (bprm->have_execfd) {
1397 fd_install(retval, bprm->executable);
1398 bprm->executable = NULL;
1399 bprm->execfd = retval;
1404 up_write(&me->signal->exec_update_lock);
1405 if (!bprm->cred)
1406 mutex_unlock(&me->signal->cred_guard_mutex);
1419 bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP;
1421 /* Ensure mm->user_ns contains the executable */
1422 user_ns = old = bprm->mm->user_ns;
1425 user_ns = user_ns->parent;
1428 bprm->mm->user_ns = get_user_ns(user_ns);
1440 arch_pick_mmap_layout(me->mm, &bprm->rlim_stack);
1448 me->mm->task_size = TASK_SIZE;
1449 up_write(&me->signal->exec_update_lock);
1450 mutex_unlock(&me->signal->cred_guard_mutex);
1458 task_lock(current->group_leader);
1459 current->signal->rlim[RLIMIT_STACK] = bprm->rlim_stack;
1460 task_unlock(current->group_leader);
1465 * Prepare credentials and lock ->cred_guard_mutex.
1467 * Or, if exec fails before, free_bprm() should release ->cred
1472 if (mutex_lock_interruptible(¤t->signal->cred_guard_mutex))
1473 return -ERESTARTNOINTR;
1475 bprm->cred = prepare_exec_creds();
1476 if (likely(bprm->cred))
1479 mutex_unlock(¤t->signal->cred_guard_mutex);
1480 return -ENOMEM;
1494 if (bprm->mm) {
1496 mmput(bprm->mm);
1499 if (bprm->cred) {
1500 mutex_unlock(¤t->signal->cred_guard_mutex);
1501 abort_creds(bprm->cred);
1503 do_close_execat(bprm->file);
1504 if (bprm->executable)
1505 fput(bprm->executable);
1507 if (bprm->interp != bprm->filename)
1508 kfree(bprm->interp);
1509 kfree(bprm->fdpath);
1517 int retval = -ENOMEM;
1526 return ERR_PTR(-ENOMEM);
1529 bprm->file = file;
1531 if (fd == AT_FDCWD || filename->name[0] == '/') {
1532 bprm->filename = filename->name;
1534 if (filename->name[0] == '\0') {
1535 bprm->fdpath = kasprintf(GFP_KERNEL, "/dev/fd/%d", fd);
1536 bprm->comm_from_dentry = 1;
1538 bprm->fdpath = kasprintf(GFP_KERNEL, "/dev/fd/%d/%s",
1539 fd, filename->name);
1541 if (!bprm->fdpath)
1546 * inaccessible after exec. This allows the code in exec to
1554 bprm->interp_flags |= BINPRM_FLAGS_PATH_INACCESSIBLE;
1556 bprm->filename = bprm->fdpath;
1558 bprm->interp = bprm->filename;
1568 * - security_bprm_check()
1569 * - security_bprm_creds_from_file()
1570 * - security_bprm_committing_creds()
1571 * - security_bprm_committed_creds()
1573 bprm->is_check = !!(flags & AT_EXECVE_CHECK);
1587 if (bprm->interp != bprm->filename)
1588 kfree(bprm->interp);
1589 bprm->interp = kstrdup(interp, GFP_KERNEL);
1590 if (!bprm->interp)
1591 return -ENOMEM;
1598 * - the caller must hold ->cred_guard_mutex to protect against
1599 * PTRACE_ATTACH or seccomp thread-sync
1606 if (p->ptrace)
1607 bprm->unsafe |= LSM_UNSAFE_PTRACE;
1614 bprm->unsafe |= LSM_UNSAFE_NO_NEW_PRIVS;
1618 * suid exec because the differently privileged task
1623 spin_lock(&p->fs->lock);
1626 if (t->fs == p->fs)
1632 if (p->fs->users > n_fs)
1633 bprm->unsafe |= LSM_UNSAFE_SHARE;
1635 p->fs->in_exec = 1;
1636 spin_unlock(&p->fs->lock);
1649 if (!mnt_may_suid(file->f_path.mnt))
1655 mode = READ_ONCE(inode->i_mode);
1665 mode = inode->i_mode;
1671 /* Did the exec bit vanish out from under us? Give up. */
1676 if (!vfsuid_has_mapping(bprm->cred->user_ns, vfsuid) ||
1677 !vfsgid_has_mapping(bprm->cred->user_ns, vfsgid))
1681 bprm->per_clear |= PER_CLEAR_ON_SETID;
1682 bprm->cred->euid = vfsuid_into_kuid(vfsuid);
1686 bprm->per_clear |= PER_CLEAR_ON_SETID;
1687 bprm->cred->egid = vfsgid_into_kgid(vfsgid);
1692 * Compute brpm->cred based upon the final binary.
1697 struct file *file = bprm->execfd_creds ? bprm->executable : bprm->file;
1713 memset(bprm->buf, 0, BINPRM_BUF_SIZE);
1714 return kernel_read(bprm->file, bprm->buf, BINPRM_BUF_SIZE, &pos);
1718 * Arguments are '\0' separated strings found at the location bprm->p
1719 * points to; chop off the first by relocating brpm->p to right after
1728 if (!bprm->argc)
1732 offset = bprm->p & ~PAGE_MASK;
1733 page = get_arg_page(bprm, bprm->p, 0);
1735 return -EFAULT;
1739 offset++, bprm->p++)
1746 bprm->p++;
1747 bprm->argc--;
1771 if (!try_module_get(fmt->module))
1775 retval = fmt->load_binary(bprm);
1779 if (bprm->point_of_no_return || (retval != -ENOEXEC)) {
1786 return -ENOEXEC;
1796 old_pid = current->pid;
1798 old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
1803 struct file *exec;
1805 return -ELOOP;
1810 if (!bprm->interpreter)
1813 exec = bprm->file;
1814 bprm->file = bprm->interpreter;
1815 bprm->interpreter = NULL;
1817 exe_file_allow_write_access(exec);
1818 if (unlikely(bprm->have_execfd)) {
1819 if (bprm->executable) {
1820 fput(exec);
1821 return -ENOEXEC;
1823 bprm->executable = exec;
1825 fput(exec);
1846 * where setuid-ness is evaluated.
1849 current->in_execve = 1;
1854 /* Set the unchanging part of bprm->cred */
1856 if (retval || bprm->is_check)
1865 current->fs->in_exec = 0;
1866 current->in_execve = 0;
1880 if (bprm->point_of_no_return && !fatal_signal_pending(current))
1884 current->fs->in_exec = 0;
1885 current->in_execve = 0;
1907 if ((current->flags & PF_NPROC_EXCEEDED) &&
1909 retval = -EAGAIN;
1915 current->flags &= ~PF_NPROC_EXCEEDED;
1926 bprm->argc = retval;
1931 bprm->envc = retval;
1937 retval = copy_string_kernel(bprm->filename, bprm);
1940 bprm->exec = bprm->p;
1942 retval = copy_strings(bprm->envc, envp, bprm);
1946 retval = copy_strings(bprm->argc, argv, bprm);
1956 if (bprm->argc == 0) {
1960 bprm->argc = 1;
1963 current->comm, bprm->filename);
1983 /* It is non-sense for kernel threads to call execve */
1984 if (WARN_ON_ONCE(current->flags & PF_KTHREAD))
1985 return -EINVAL;
1999 retval = -EINVAL;
2002 bprm->argc = retval;
2007 bprm->envc = retval;
2013 retval = copy_string_kernel(bprm->filename, bprm);
2016 bprm->exec = bprm->p;
2018 retval = copy_strings_kernel(bprm->envc, envp, bprm);
2022 retval = copy_strings_kernel(bprm->argc, argv, bprm);
2089 struct mm_struct *mm = current->mm;
2091 if (mm->binfmt)
2092 module_put(mm->binfmt->module);
2094 mm->binfmt = new;
2096 __module_get(new->module);
2101 * set_dumpable stores three-value SUID_DUMP_* into mm->flags.
2108 set_mask_bits(&mm->flags, MMF_DUMPABLE_MASK, value);