1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * linux/fs/binfmt_elf.c
4 *
5 * These are the functions used to load ELF format executables as used
6 * on SVr4 machines. Information on the format may be found in the book
7 * "UNIX SYSTEM V RELEASE 4 Programmers Guide: Ansi C and Programming Support
8 * Tools".
9 *
10 * Copyright 1993, 1994: Eric Youngdale (ericy@cais.com).
11 */
12
13 #include <linux/module.h>
14 #include <linux/kernel.h>
15 #include <linux/fs.h>
16 #include <linux/log2.h>
17 #include <linux/mm.h>
18 #include <linux/mman.h>
19 #include <linux/errno.h>
20 #include <linux/signal.h>
21 #include <linux/binfmts.h>
22 #include <linux/string.h>
23 #include <linux/file.h>
24 #include <linux/slab.h>
25 #include <linux/personality.h>
26 #include <linux/elfcore.h>
27 #include <linux/init.h>
28 #include <linux/highuid.h>
29 #include <linux/compiler.h>
30 #include <linux/highmem.h>
31 #include <linux/hugetlb.h>
32 #include <linux/pagemap.h>
33 #include <linux/vmalloc.h>
34 #include <linux/security.h>
35 #include <linux/random.h>
36 #include <linux/elf.h>
37 #include <linux/elf-randomize.h>
38 #include <linux/utsname.h>
39 #include <linux/coredump.h>
40 #include <linux/sched.h>
41 #include <linux/sched/coredump.h>
42 #include <linux/sched/task_stack.h>
43 #include <linux/sched/cputime.h>
44 #include <linux/sizes.h>
45 #include <linux/types.h>
46 #include <linux/cred.h>
47 #include <linux/dax.h>
48 #include <linux/uaccess.h>
49 #include <linux/rseq.h>
50 #include <asm/param.h>
51 #include <asm/page.h>
52
53 #ifndef ELF_COMPAT
54 #define ELF_COMPAT 0
55 #endif
56
57 #ifndef user_long_t
58 #define user_long_t long
59 #endif
60 #ifndef user_siginfo_t
61 #define user_siginfo_t siginfo_t
62 #endif
63
64 /* That's for binfmt_elf_fdpic to deal with */
65 #ifndef elf_check_fdpic
66 #define elf_check_fdpic(ex) false
67 #endif
68
69 static int load_elf_binary(struct linux_binprm *bprm);
70
71 /*
72 * If we don't support core dumping, then supply a NULL so we
73 * don't even try.
74 */
75 #ifdef CONFIG_ELF_CORE
76 static int elf_core_dump(struct coredump_params *cprm);
77 #else
78 #define elf_core_dump NULL
79 #endif
80
81 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
82 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
83 #else
84 #define ELF_MIN_ALIGN PAGE_SIZE
85 #endif
86
87 #ifndef ELF_CORE_EFLAGS
88 #define ELF_CORE_EFLAGS 0
89 #endif
90
91 #define ELF_PAGESTART(_v) ((_v) & ~(int)(ELF_MIN_ALIGN-1))
92 #define ELF_PAGEOFFSET(_v) ((_v) & (ELF_MIN_ALIGN-1))
93 #define ELF_PAGEALIGN(_v) (((_v) + ELF_MIN_ALIGN - 1) & ~(ELF_MIN_ALIGN - 1))
94
95 static struct linux_binfmt elf_format = {
96 .module = THIS_MODULE,
97 .load_binary = load_elf_binary,
98 #ifdef CONFIG_COREDUMP
99 .core_dump = elf_core_dump,
100 .min_coredump = ELF_EXEC_PAGESIZE,
101 #endif
102 };
103
104 #define BAD_ADDR(x) (unlikely((unsigned long)(x) >= TASK_SIZE))
105
106 /*
107 * We need to explicitly zero any trailing portion of the page that follows
108 * p_filesz when it ends before the page ends (e.g. bss), otherwise this
109 * memory will contain the junk from the file that should not be present.
110 */
111 static int padzero(unsigned long address)
112 {
113 unsigned long nbyte;
114
115 nbyte = ELF_PAGEOFFSET(address);
116 if (nbyte) {
117 nbyte = ELF_MIN_ALIGN - nbyte;
118 if (clear_user((void __user *)address, nbyte))
119 return -EFAULT;
120 }
121 return 0;
122 }
123
124 /* Let's use some macros to make this stack manipulation a little clearer */
125 #ifdef CONFIG_STACK_GROWSUP
126 #define STACK_ADD(sp, items) ((elf_addr_t __user *)(sp) + (items))
127 #define STACK_ROUND(sp, items) \
128 ((15 + (unsigned long) ((sp) + (items))) &~ 15UL)
129 #define STACK_ALLOC(sp, len) ({ \
130 elf_addr_t __user *old_sp = (elf_addr_t __user *)sp; sp += len; \
131 old_sp; })
132 #else
133 #define STACK_ADD(sp, items) ((elf_addr_t __user *)(sp) - (items))
134 #define STACK_ROUND(sp, items) \
135 (((unsigned long) (sp - items)) &~ 15UL)
136 #define STACK_ALLOC(sp, len) (sp -= len)
137 #endif
138
139 #ifndef ELF_BASE_PLATFORM
140 /*
141 * AT_BASE_PLATFORM indicates the "real" hardware/microarchitecture.
142 * If the arch defines ELF_BASE_PLATFORM (in asm/elf.h), the value
143 * will be copied to the user stack in the same manner as AT_PLATFORM.
144 */
145 #define ELF_BASE_PLATFORM NULL
146 #endif
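/*
 * Illustrative only, not part of the loader: userspace retrieves the strings
 * published through AT_PLATFORM/AT_BASE_PLATFORM from the auxiliary vector,
 * e.g. with glibc's getauxval(). A minimal sketch, assuming <sys/auxv.h> is
 * available:
 *
 *	#include <stdio.h>
 *	#include <sys/auxv.h>
 *
 *	int main(void)
 *	{
 *		const char *plat = (const char *)getauxval(AT_PLATFORM);
 *		const char *base = (const char *)getauxval(AT_BASE_PLATFORM);
 *
 *		printf("AT_PLATFORM:      %s\n", plat ? plat : "(none)");
 *		printf("AT_BASE_PLATFORM: %s\n", base ? base : "(none)");
 *		return 0;
 *	}
 *
 * getauxval() returns 0 for entries the kernel did not install, hence the
 * NULL checks.
 */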
147
148 static int
149 create_elf_tables(struct linux_binprm *bprm, const struct elfhdr *exec,
150 unsigned long interp_load_addr,
151 unsigned long e_entry, unsigned long phdr_addr)
152 {
153 struct mm_struct *mm = current->mm;
154 unsigned long p = bprm->p;
155 int argc = bprm->argc;
156 int envc = bprm->envc;
157 elf_addr_t __user *sp;
158 elf_addr_t __user *u_platform;
159 elf_addr_t __user *u_base_platform;
160 elf_addr_t __user *u_rand_bytes;
161 const char *k_platform = ELF_PLATFORM;
162 const char *k_base_platform = ELF_BASE_PLATFORM;
163 unsigned char k_rand_bytes[16];
164 int items;
165 elf_addr_t *elf_info;
166 elf_addr_t flags = 0;
167 int ei_index;
168 const struct cred *cred = current_cred();
169 struct vm_area_struct *vma;
170
171 /*
172 * In some cases (e.g. Hyper-Threading), we want to avoid L1
173 * evictions by the processes running on the same package. One
174 * thing we can do is to shuffle the initial stack for them.
175 */
176
177 p = arch_align_stack(p);
178
179 /*
180 * If this architecture has a platform capability string, copy it
181 * to userspace. In some cases (Sparc), this info is impossible
182 * for userspace to get any other way, in others (i386) it is
183 * merely difficult.
184 */
185 u_platform = NULL;
186 if (k_platform) {
187 size_t len = strlen(k_platform) + 1;
188
189 u_platform = (elf_addr_t __user *)STACK_ALLOC(p, len);
190 if (copy_to_user(u_platform, k_platform, len))
191 return -EFAULT;
192 }
193
194 /*
195 * If this architecture has a "base" platform capability
196 * string, copy it to userspace.
197 */
198 u_base_platform = NULL;
199 if (k_base_platform) {
200 size_t len = strlen(k_base_platform) + 1;
201
202 u_base_platform = (elf_addr_t __user *)STACK_ALLOC(p, len);
203 if (copy_to_user(u_base_platform, k_base_platform, len))
204 return -EFAULT;
205 }
206
207 /*
208 * Generate 16 random bytes for userspace PRNG seeding.
209 */
210 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
211 u_rand_bytes = (elf_addr_t __user *)
212 STACK_ALLOC(p, sizeof(k_rand_bytes));
213 if (copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
214 return -EFAULT;
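/*
 * Illustrative only: userspace locates these 16 bytes through the AT_RANDOM
 * auxv entry written below; glibc, for instance, seeds its stack-protector
 * canary and pointer guard from them. A hedged userspace sketch:
 *
 *	#include <sys/auxv.h>
 *
 *	const unsigned char *seed =
 *		(const unsigned char *)getauxval(AT_RANDOM);	// 16 bytes
 */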
215
216 /* Create the ELF interpreter info */
217 elf_info = (elf_addr_t *)mm->saved_auxv;
218 /* update AT_VECTOR_SIZE_BASE if the number of NEW_AUX_ENT() changes */
219 #define NEW_AUX_ENT(id, val) \
220 do { \
221 *elf_info++ = id; \
222 *elf_info++ = val; \
223 } while (0)
224
225 #ifdef ARCH_DLINFO
226 /*
227 * ARCH_DLINFO must come first so PPC can do its special alignment of
228 * AUXV.
229 * update AT_VECTOR_SIZE_ARCH if the number of NEW_AUX_ENT() in
230 * ARCH_DLINFO changes
231 */
232 ARCH_DLINFO;
233 #endif
234 NEW_AUX_ENT(AT_HWCAP, ELF_HWCAP);
235 NEW_AUX_ENT(AT_PAGESZ, ELF_EXEC_PAGESIZE);
236 NEW_AUX_ENT(AT_CLKTCK, CLOCKS_PER_SEC);
237 NEW_AUX_ENT(AT_PHDR, phdr_addr);
238 NEW_AUX_ENT(AT_PHENT, sizeof(struct elf_phdr));
239 NEW_AUX_ENT(AT_PHNUM, exec->e_phnum);
240 NEW_AUX_ENT(AT_BASE, interp_load_addr);
241 if (bprm->interp_flags & BINPRM_FLAGS_PRESERVE_ARGV0)
242 flags |= AT_FLAGS_PRESERVE_ARGV0;
243 NEW_AUX_ENT(AT_FLAGS, flags);
244 NEW_AUX_ENT(AT_ENTRY, e_entry);
245 NEW_AUX_ENT(AT_UID, from_kuid_munged(cred->user_ns, cred->uid));
246 NEW_AUX_ENT(AT_EUID, from_kuid_munged(cred->user_ns, cred->euid));
247 NEW_AUX_ENT(AT_GID, from_kgid_munged(cred->user_ns, cred->gid));
248 NEW_AUX_ENT(AT_EGID, from_kgid_munged(cred->user_ns, cred->egid));
249 NEW_AUX_ENT(AT_SECURE, bprm->secureexec);
250 NEW_AUX_ENT(AT_RANDOM, (elf_addr_t)(unsigned long)u_rand_bytes);
251 #ifdef ELF_HWCAP2
252 NEW_AUX_ENT(AT_HWCAP2, ELF_HWCAP2);
253 #endif
254 #ifdef ELF_HWCAP3
255 NEW_AUX_ENT(AT_HWCAP3, ELF_HWCAP3);
256 #endif
257 #ifdef ELF_HWCAP4
258 NEW_AUX_ENT(AT_HWCAP4, ELF_HWCAP4);
259 #endif
260 NEW_AUX_ENT(AT_EXECFN, bprm->exec);
261 if (k_platform) {
262 NEW_AUX_ENT(AT_PLATFORM,
263 (elf_addr_t)(unsigned long)u_platform);
264 }
265 if (k_base_platform) {
266 NEW_AUX_ENT(AT_BASE_PLATFORM,
267 (elf_addr_t)(unsigned long)u_base_platform);
268 }
269 if (bprm->have_execfd) {
270 NEW_AUX_ENT(AT_EXECFD, bprm->execfd);
271 }
272 #ifdef CONFIG_RSEQ
273 NEW_AUX_ENT(AT_RSEQ_FEATURE_SIZE, offsetof(struct rseq, end));
274 NEW_AUX_ENT(AT_RSEQ_ALIGN, __alignof__(struct rseq));
275 #endif
276 #undef NEW_AUX_ENT
277 /* AT_NULL is zero; clear the rest too */
278 memset(elf_info, 0, (char *)mm->saved_auxv +
279 sizeof(mm->saved_auxv) - (char *)elf_info);
280
281 /* And advance past the AT_NULL entry. */
282 elf_info += 2;
283
284 ei_index = elf_info - (elf_addr_t *)mm->saved_auxv;
285 sp = STACK_ADD(p, ei_index);
286
287 items = (argc + 1) + (envc + 1) + 1;
288 bprm->p = STACK_ROUND(sp, items);
289
290 /* Point sp at the lowest address on the stack */
291 #ifdef CONFIG_STACK_GROWSUP
292 sp = (elf_addr_t __user *)bprm->p - items - ei_index;
293 bprm->exec = (unsigned long)sp; /* XXX: PARISC HACK */
294 #else
295 sp = (elf_addr_t __user *)bprm->p;
296 #endif
297
298
299 /*
300 * Grow the stack manually; some architectures have a limit on how
301 * far ahead a user-space access may be in order to grow the stack.
302 */
303 if (mmap_write_lock_killable(mm))
304 return -EINTR;
305 vma = find_extend_vma_locked(mm, bprm->p);
306 mmap_write_unlock(mm);
307 if (!vma)
308 return -EFAULT;
309
310 /* Now, let's put argc (and argv, envp if appropriate) on the stack */
311 if (put_user(argc, sp++))
312 return -EFAULT;
313
314 /* Populate list of argv pointers back to argv strings. */
315 p = mm->arg_end = mm->arg_start;
316 while (argc-- > 0) {
317 size_t len;
318 if (put_user((elf_addr_t)p, sp++))
319 return -EFAULT;
320 len = strnlen_user((void __user *)p, MAX_ARG_STRLEN);
321 if (!len || len > MAX_ARG_STRLEN)
322 return -EINVAL;
323 p += len;
324 }
325 if (put_user(0, sp++))
326 return -EFAULT;
327 mm->arg_end = p;
328
329 /* Populate list of envp pointers back to envp strings. */
330 mm->env_end = mm->env_start = p;
331 while (envc-- > 0) {
332 size_t len;
333 if (put_user((elf_addr_t)p, sp++))
334 return -EFAULT;
335 len = strnlen_user((void __user *)p, MAX_ARG_STRLEN);
336 if (!len || len > MAX_ARG_STRLEN)
337 return -EINVAL;
338 p += len;
339 }
340 if (put_user(0, sp++))
341 return -EFAULT;
342 mm->env_end = p;
343
344 /* Put the elf_info on the stack in the right place. */
345 if (copy_to_user(sp, mm->saved_auxv, ei_index * sizeof(elf_addr_t)))
346 return -EFAULT;
347 return 0;
348 }
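/*
 * For reference, the initial stack built above ends up laid out like this on
 * a downward-growing stack (high addresses first):
 *
 *	[ argv/envp strings, platform strings, 16 AT_RANDOM bytes   ]
 *	[ up to 15 bytes of padding from STACK_ROUND()              ]
 *	[ auxiliary vector: (a_type, a_val) pairs ending in AT_NULL ]
 *	[ envp[0] ... envp[envc - 1], NULL                          ]
 *	[ argv[0] ... argv[argc - 1], NULL                          ]
 *	sp ->	argc
 *
 * which is the layout the ELF ABI expects the new program (or its
 * interpreter) to find at process entry.
 */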
349
350 /*
351 * Map "eppnt->p_filesz" bytes from "filep" offset "eppnt->p_offset"
352 * into memory at "addr". (Note that p_filesz is rounded up to the
353 * next page, so any extra bytes from the file must be wiped.)
354 */
355 static unsigned long elf_map(struct file *filep, unsigned long addr,
356 const struct elf_phdr *eppnt, int prot, int type,
357 unsigned long total_size)
358 {
359 unsigned long map_addr;
360 unsigned long size = eppnt->p_filesz + ELF_PAGEOFFSET(eppnt->p_vaddr);
361 unsigned long off = eppnt->p_offset - ELF_PAGEOFFSET(eppnt->p_vaddr);
362 addr = ELF_PAGESTART(addr);
363 size = ELF_PAGEALIGN(size);
364
365 /* mmap() will return -EINVAL if given a zero size, but a
366 * segment with zero filesize is perfectly valid */
367 if (!size)
368 return addr;
369
370 /*
371 * total_size is the size of the ELF (interpreter) image.
372 * The _first_ mmap needs to know the full size, otherwise
373 * randomization might put this image into an overlapping
374 * position with the ELF binary image. (since size < total_size)
375 * So we first map the 'big' image - and unmap the remainder at
376 * the end. (which unmap is needed for ELF images with holes.)
377 */
378 if (total_size) {
379 total_size = ELF_PAGEALIGN(total_size);
380 map_addr = vm_mmap(filep, addr, total_size, prot, type, off);
381 if (!BAD_ADDR(map_addr))
382 vm_munmap(map_addr+size, total_size-size);
383 } else
384 map_addr = vm_mmap(filep, addr, size, prot, type, off);
385
386 if ((type & MAP_FIXED_NOREPLACE) &&
387 PTR_ERR((void *)map_addr) == -EEXIST)
388 pr_info("%d (%s): Uhuuh, elf segment at %px requested but the memory is mapped already\n",
389 task_pid_nr(current), current->comm, (void *)addr);
390
391 return(map_addr);
392 }
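/*
 * Worked example (illustrative, assuming ELF_MIN_ALIGN == 0x1000): for a
 * PT_LOAD segment with p_vaddr = 0x401234, p_offset = 0x1234 and
 * p_filesz = 0x100, the code above computes
 *
 *	size = ELF_PAGEALIGN(0x100 + 0x234)  = 0x1000
 *	off  = 0x1234 - 0x234                = 0x1000
 *	addr = ELF_PAGESTART(0x401234)       = 0x401000
 *
 * i.e. both the virtual address and the file offset are pushed back to a
 * page boundary, which only works because p_vaddr and p_offset are congruent
 * modulo the page size in a well-formed ELF file.
 */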
393
394 /*
395 * Map "eppnt->p_filesz" bytes from "filep" offset "eppnt->p_offset"
396 * into memory at "addr". Memory from "p_filesz" through "p_memsz"
397 * rounded up to the next page is zeroed.
398 */
399 static unsigned long elf_load(struct file *filep, unsigned long addr,
400 const struct elf_phdr *eppnt, int prot, int type,
401 unsigned long total_size)
402 {
403 unsigned long zero_start, zero_end;
404 unsigned long map_addr;
405
406 if (eppnt->p_filesz) {
407 map_addr = elf_map(filep, addr, eppnt, prot, type, total_size);
408 if (BAD_ADDR(map_addr))
409 return map_addr;
410 if (eppnt->p_memsz > eppnt->p_filesz) {
411 zero_start = map_addr + ELF_PAGEOFFSET(eppnt->p_vaddr) +
412 eppnt->p_filesz;
413 zero_end = map_addr + ELF_PAGEOFFSET(eppnt->p_vaddr) +
414 eppnt->p_memsz;
415
416 /*
417 * Zero the end of the last mapped page but ignore
418 * any errors if the segment isn't writable.
419 */
420 if (padzero(zero_start) && (prot & PROT_WRITE))
421 return -EFAULT;
422 }
423 } else {
424 map_addr = zero_start = ELF_PAGESTART(addr);
425 zero_end = zero_start + ELF_PAGEOFFSET(eppnt->p_vaddr) +
426 eppnt->p_memsz;
427 }
428 if (eppnt->p_memsz > eppnt->p_filesz) {
429 /*
430 * Map the last of the segment.
431 * If the header is requesting these pages to be
432 * executable, honour that (ppc32 needs this).
433 */
434 int error;
435
436 zero_start = ELF_PAGEALIGN(zero_start);
437 zero_end = ELF_PAGEALIGN(zero_end);
438
439 error = vm_brk_flags(zero_start, zero_end - zero_start,
440 prot & PROT_EXEC ? VM_EXEC : 0);
441 if (error)
442 map_addr = error;
443 }
444 return map_addr;
445 }
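/*
 * Illustrative example: a writable segment with p_filesz = 0x500 and
 * p_memsz = 0x2000 has 0x1b00 bytes of .bss. The file-backed part is mapped
 * by elf_map(), padzero() clears the remainder of its last page beyond
 * p_filesz, and the rest up to the page-aligned end of p_memsz is supplied
 * as anonymous zero-filled pages by vm_brk_flags().
 */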
446
447
448 static unsigned long total_mapping_size(const struct elf_phdr *phdr, int nr)
449 {
450 elf_addr_t min_addr = -1;
451 elf_addr_t max_addr = 0;
452 bool pt_load = false;
453 int i;
454
455 for (i = 0; i < nr; i++) {
456 if (phdr[i].p_type == PT_LOAD) {
457 min_addr = min(min_addr, ELF_PAGESTART(phdr[i].p_vaddr));
458 max_addr = max(max_addr, phdr[i].p_vaddr + phdr[i].p_memsz);
459 pt_load = true;
460 }
461 }
462 return pt_load ? (max_addr - min_addr) : 0;
463 }
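/*
 * Example (illustrative): two PT_LOAD segments at p_vaddr 0x400000
 * (p_memsz 0x1000) and 0x600000 (p_memsz 0x500) give
 * total_mapping_size() == 0x600500 - 0x400000 == 0x200500, i.e. the span
 * from the first mapped page to the end of the highest segment.
 */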
464
465 static int elf_read(struct file *file, void *buf, size_t len, loff_t pos)
466 {
467 ssize_t rv;
468
469 rv = kernel_read(file, buf, len, &pos);
470 if (unlikely(rv != len)) {
471 return (rv < 0) ? rv : -EIO;
472 }
473 return 0;
474 }
475
476 static unsigned long maximum_alignment(struct elf_phdr *cmds, int nr)
477 {
478 unsigned long alignment = 0;
479 int i;
480
481 for (i = 0; i < nr; i++) {
482 if (cmds[i].p_type == PT_LOAD) {
483 unsigned long p_align = cmds[i].p_align;
484
485 /* skip non-power of two alignments as invalid */
486 if (!is_power_of_2(p_align))
487 continue;
488 alignment = max(alignment, p_align);
489 }
490 }
491
492 /* ensure we align to at least one page */
493 return ELF_PAGEALIGN(alignment);
494 }
495
496 /**
497 * load_elf_phdrs() - load ELF program headers
498 * @elf_ex: ELF header of the binary whose program headers should be loaded
499 * @elf_file: the opened ELF binary file
500 *
501 * Loads ELF program headers from the binary file elf_file, which has the ELF
502 * header pointed to by elf_ex, into a newly allocated array. The caller is
503 * responsible for freeing the allocated data. Returns NULL upon failure.
504 */
505 static struct elf_phdr *load_elf_phdrs(const struct elfhdr *elf_ex,
506 struct file *elf_file)
507 {
508 struct elf_phdr *elf_phdata = NULL;
509 int retval = -1;
510 unsigned int size;
511
512 /*
513 * If the size of this structure has changed, then punt, since
514 * we will be doing the wrong thing.
515 */
516 if (elf_ex->e_phentsize != sizeof(struct elf_phdr))
517 goto out;
518
519 /* Sanity check the number of program headers... */
520 /* ...and their total size. */
521 size = sizeof(struct elf_phdr) * elf_ex->e_phnum;
522 if (size == 0 || size > 65536 || size > ELF_MIN_ALIGN)
523 goto out;
524
525 elf_phdata = kmalloc(size, GFP_KERNEL);
526 if (!elf_phdata)
527 goto out;
528
529 /* Read in the program headers */
530 retval = elf_read(elf_file, elf_phdata, size, elf_ex->e_phoff);
531
532 out:
533 if (retval) {
534 kfree(elf_phdata);
535 elf_phdata = NULL;
536 }
537 return elf_phdata;
538 }
539
540 #ifndef CONFIG_ARCH_BINFMT_ELF_STATE
541
542 /**
543 * struct arch_elf_state - arch-specific ELF loading state
544 *
545 * This structure is used to preserve architecture specific data during
546 * the loading of an ELF file, throughout the checking of architecture
547 * specific ELF headers & through to the point where the ELF load is
548 * known to be proceeding (ie. SET_PERSONALITY).
549 *
550 * This implementation is a dummy for architectures which require no
551 * specific state.
552 */
553 struct arch_elf_state {
554 };
555
556 #define INIT_ARCH_ELF_STATE {}
557
558 /**
559 * arch_elf_pt_proc() - check a PT_LOPROC..PT_HIPROC ELF program header
560 * @ehdr: The main ELF header
561 * @phdr: The program header to check
562 * @elf: The open ELF file
563 * @is_interp: True if the phdr is from the interpreter of the ELF being
564 * loaded, else false.
565 * @state: Architecture-specific state preserved throughout the process
566 * of loading the ELF.
567 *
568 * Inspects the program header phdr to validate its correctness and/or
569 * suitability for the system. Called once per ELF program header in the
570 * range PT_LOPROC to PT_HIPROC, for both the ELF being loaded and its
571 * interpreter.
572 *
573 * Return: Zero to proceed with the ELF load, non-zero to fail the ELF load
574 * with that return code.
575 */
576 static inline int arch_elf_pt_proc(struct elfhdr *ehdr,
577 struct elf_phdr *phdr,
578 struct file *elf, bool is_interp,
579 struct arch_elf_state *state)
580 {
581 /* Dummy implementation, always proceed */
582 return 0;
583 }
584
585 /**
586 * arch_check_elf() - check an ELF executable
587 * @ehdr: The main ELF header
588 * @has_interp: True if the ELF has an interpreter, else false.
589 * @interp_ehdr: The interpreter's ELF header
590 * @state: Architecture-specific state preserved throughout the process
591 * of loading the ELF.
592 *
593 * Provides a final opportunity for architecture code to reject the loading
594 * of the ELF & cause an exec syscall to return an error. This is called after
595 * all program headers to be checked by arch_elf_pt_proc have been.
596 *
597 * Return: Zero to proceed with the ELF load, non-zero to fail the ELF load
598 * with that return code.
599 */
600 static inline int arch_check_elf(struct elfhdr *ehdr, bool has_interp,
601 struct elfhdr *interp_ehdr,
602 struct arch_elf_state *state)
603 {
604 /* Dummy implementation, always proceed */
605 return 0;
606 }
607
608 #endif /* !CONFIG_ARCH_BINFMT_ELF_STATE */
609
610 static inline int make_prot(u32 p_flags, struct arch_elf_state *arch_state,
611 bool has_interp, bool is_interp)
612 {
613 int prot = 0;
614
615 if (p_flags & PF_R)
616 prot |= PROT_READ;
617 if (p_flags & PF_W)
618 prot |= PROT_WRITE;
619 if (p_flags & PF_X)
620 prot |= PROT_EXEC;
621
622 return arch_elf_adjust_prot(prot, arch_state, has_interp, is_interp);
623 }
624
625 /* This is much more generalized than the library routine read function,
626 so we keep this separate. Technically the library read function
627 is only provided so that we can read a.out libraries that have
628 an ELF header */
629
630 static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
631 struct file *interpreter,
632 unsigned long no_base, struct elf_phdr *interp_elf_phdata,
633 struct arch_elf_state *arch_state)
634 {
635 struct elf_phdr *eppnt;
636 unsigned long load_addr = 0;
637 int load_addr_set = 0;
638 unsigned long error = ~0UL;
639 unsigned long total_size;
640 int i;
641
642 /* First of all, some simple consistency checks */
643 if (interp_elf_ex->e_type != ET_EXEC &&
644 interp_elf_ex->e_type != ET_DYN)
645 goto out;
646 if (!elf_check_arch(interp_elf_ex) ||
647 elf_check_fdpic(interp_elf_ex))
648 goto out;
649 if (!interpreter->f_op->mmap)
650 goto out;
651
652 total_size = total_mapping_size(interp_elf_phdata,
653 interp_elf_ex->e_phnum);
654 if (!total_size) {
655 error = -EINVAL;
656 goto out;
657 }
658
659 eppnt = interp_elf_phdata;
660 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
661 if (eppnt->p_type == PT_LOAD) {
662 int elf_type = MAP_PRIVATE;
663 int elf_prot = make_prot(eppnt->p_flags, arch_state,
664 true, true);
665 unsigned long vaddr = 0;
666 unsigned long k, map_addr;
667
668 vaddr = eppnt->p_vaddr;
669 if (interp_elf_ex->e_type == ET_EXEC || load_addr_set)
670 elf_type |= MAP_FIXED;
671 else if (no_base && interp_elf_ex->e_type == ET_DYN)
672 load_addr = -vaddr;
673
674 map_addr = elf_load(interpreter, load_addr + vaddr,
675 eppnt, elf_prot, elf_type, total_size);
676 total_size = 0;
677 error = map_addr;
678 if (BAD_ADDR(map_addr))
679 goto out;
680
681 if (!load_addr_set &&
682 interp_elf_ex->e_type == ET_DYN) {
683 load_addr = map_addr - ELF_PAGESTART(vaddr);
684 load_addr_set = 1;
685 }
686
687 /*
688 * Check to see if the section's size will overflow the
689 * allowed task size. Note that p_filesz must always be
690 * <= p_memsz so it's only necessary to check p_memsz.
691 */
692 k = load_addr + eppnt->p_vaddr;
693 if (BAD_ADDR(k) ||
694 eppnt->p_filesz > eppnt->p_memsz ||
695 eppnt->p_memsz > TASK_SIZE ||
696 TASK_SIZE - eppnt->p_memsz < k) {
697 error = -ENOMEM;
698 goto out;
699 }
700 }
701 }
702
703 error = load_addr;
704 out:
705 return error;
706 }
707
708 /*
709 * These are the functions used to load ELF style executables and shared
710 * libraries. There is no binary dependent code anywhere else.
711 */
712
713 static int parse_elf_property(const char *data, size_t *off, size_t datasz,
714 struct arch_elf_state *arch,
715 bool have_prev_type, u32 *prev_type)
716 {
717 size_t o, step;
718 const struct gnu_property *pr;
719 int ret;
720
721 if (*off == datasz)
722 return -ENOENT;
723
724 if (WARN_ON_ONCE(*off > datasz || *off % ELF_GNU_PROPERTY_ALIGN))
725 return -EIO;
726 o = *off;
727 datasz -= *off;
728
729 if (datasz < sizeof(*pr))
730 return -ENOEXEC;
731 pr = (const struct gnu_property *)(data + o);
732 o += sizeof(*pr);
733 datasz -= sizeof(*pr);
734
735 if (pr->pr_datasz > datasz)
736 return -ENOEXEC;
737
738 WARN_ON_ONCE(o % ELF_GNU_PROPERTY_ALIGN);
739 step = round_up(pr->pr_datasz, ELF_GNU_PROPERTY_ALIGN);
740 if (step > datasz)
741 return -ENOEXEC;
742
743 /* Properties are supposed to be unique and sorted on pr_type: */
744 if (have_prev_type && pr->pr_type <= *prev_type)
745 return -ENOEXEC;
746 *prev_type = pr->pr_type;
747
748 ret = arch_parse_elf_property(pr->pr_type, data + o,
749 pr->pr_datasz, ELF_COMPAT, arch);
750 if (ret)
751 return ret;
752
753 *off = o + step;
754 return 0;
755 }
756
757 #define NOTE_DATA_SZ SZ_1K
758 #define NOTE_NAME_SZ (sizeof(NN_GNU_PROPERTY_TYPE_0))
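/*
 * For reference, the NT_GNU_PROPERTY_TYPE_0 note parsed below uses the
 * standard ELF note framing followed by an array of property entries:
 *
 *	n_namesz = 4, n_descsz = <desc size>, n_type = NT_GNU_PROPERTY_TYPE_0
 *	name     = "GNU\0"
 *	desc     = { u32 pr_type; u32 pr_datasz; u8 pr_data[pr_datasz]; } ...
 *		   each entry padded to ELF_GNU_PROPERTY_ALIGN (8 on ELF64,
 *		   4 on ELF32)
 *
 * The same data can be inspected from userspace with "readelf -n".
 */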
759
760 static int parse_elf_properties(struct file *f, const struct elf_phdr *phdr,
761 struct arch_elf_state *arch)
762 {
763 union {
764 struct elf_note nhdr;
765 char data[NOTE_DATA_SZ];
766 } note;
767 loff_t pos;
768 ssize_t n;
769 size_t off, datasz;
770 int ret;
771 bool have_prev_type;
772 u32 prev_type;
773
774 if (!IS_ENABLED(CONFIG_ARCH_USE_GNU_PROPERTY) || !phdr)
775 return 0;
776
777 /* load_elf_binary() shouldn't call us unless this is true... */
778 if (WARN_ON_ONCE(phdr->p_type != PT_GNU_PROPERTY))
779 return -ENOEXEC;
780
781 /* If the properties are crazy large, that's too bad (for now): */
782 if (phdr->p_filesz > sizeof(note))
783 return -ENOEXEC;
784
785 pos = phdr->p_offset;
786 n = kernel_read(f, &note, phdr->p_filesz, &pos);
787
788 BUILD_BUG_ON(sizeof(note) < sizeof(note.nhdr) + NOTE_NAME_SZ);
789 if (n < 0 || n < sizeof(note.nhdr) + NOTE_NAME_SZ)
790 return -EIO;
791
792 if (note.nhdr.n_type != NT_GNU_PROPERTY_TYPE_0 ||
793 note.nhdr.n_namesz != NOTE_NAME_SZ ||
794 strncmp(note.data + sizeof(note.nhdr),
795 NN_GNU_PROPERTY_TYPE_0, n - sizeof(note.nhdr)))
796 return -ENOEXEC;
797
798 off = round_up(sizeof(note.nhdr) + NOTE_NAME_SZ,
799 ELF_GNU_PROPERTY_ALIGN);
800 if (off > n)
801 return -ENOEXEC;
802
803 if (note.nhdr.n_descsz > n - off)
804 return -ENOEXEC;
805 datasz = off + note.nhdr.n_descsz;
806
807 have_prev_type = false;
808 do {
809 ret = parse_elf_property(note.data, &off, datasz, arch,
810 have_prev_type, &prev_type);
811 have_prev_type = true;
812 } while (!ret);
813
814 return ret == -ENOENT ? 0 : ret;
815 }
816
817 static int load_elf_binary(struct linux_binprm *bprm)
818 {
819 struct file *interpreter = NULL; /* to shut gcc up */
820 unsigned long load_bias = 0, phdr_addr = 0;
821 int first_pt_load = 1;
822 unsigned long error;
823 struct elf_phdr *elf_ppnt, *elf_phdata, *interp_elf_phdata = NULL;
824 struct elf_phdr *elf_property_phdata = NULL;
825 unsigned long elf_brk;
826 bool brk_moved = false;
827 int retval, i;
828 unsigned long elf_entry;
829 unsigned long e_entry;
830 unsigned long interp_load_addr = 0;
831 unsigned long start_code, end_code, start_data, end_data;
832 unsigned long reloc_func_desc __maybe_unused = 0;
833 int executable_stack = EXSTACK_DEFAULT;
834 struct elfhdr *elf_ex = (struct elfhdr *)bprm->buf;
835 struct elfhdr *interp_elf_ex = NULL;
836 struct arch_elf_state arch_state = INIT_ARCH_ELF_STATE;
837 struct mm_struct *mm;
838 struct pt_regs *regs;
839
840 retval = -ENOEXEC;
841 /* First of all, some simple consistency checks */
842 if (memcmp(elf_ex->e_ident, ELFMAG, SELFMAG) != 0)
843 goto out;
844
845 if (elf_ex->e_type != ET_EXEC && elf_ex->e_type != ET_DYN)
846 goto out;
847 if (!elf_check_arch(elf_ex))
848 goto out;
849 if (elf_check_fdpic(elf_ex))
850 goto out;
851 if (!bprm->file->f_op->mmap)
852 goto out;
853
854 elf_phdata = load_elf_phdrs(elf_ex, bprm->file);
855 if (!elf_phdata)
856 goto out;
857
858 elf_ppnt = elf_phdata;
859 for (i = 0; i < elf_ex->e_phnum; i++, elf_ppnt++) {
860 char *elf_interpreter;
861
862 if (elf_ppnt->p_type == PT_GNU_PROPERTY) {
863 elf_property_phdata = elf_ppnt;
864 continue;
865 }
866
867 if (elf_ppnt->p_type != PT_INTERP)
868 continue;
869
870 /*
871 * This is the program interpreter used for shared libraries -
872 * for now assume that this is an a.out format binary.
873 */
874 retval = -ENOEXEC;
875 if (elf_ppnt->p_filesz > PATH_MAX || elf_ppnt->p_filesz < 2)
876 goto out_free_ph;
877
878 retval = -ENOMEM;
879 elf_interpreter = kmalloc(elf_ppnt->p_filesz, GFP_KERNEL);
880 if (!elf_interpreter)
881 goto out_free_ph;
882
883 retval = elf_read(bprm->file, elf_interpreter, elf_ppnt->p_filesz,
884 elf_ppnt->p_offset);
885 if (retval < 0)
886 goto out_free_interp;
887 /* make sure path is NULL terminated */
888 retval = -ENOEXEC;
889 if (elf_interpreter[elf_ppnt->p_filesz - 1] != '\0')
890 goto out_free_interp;
891
892 interpreter = open_exec(elf_interpreter);
893 kfree(elf_interpreter);
894 retval = PTR_ERR(interpreter);
895 if (IS_ERR(interpreter))
896 goto out_free_ph;
897
898 /*
899 * If the binary is not readable then enforce mm->dumpable = 0
900 * regardless of the interpreter's permissions.
901 */
902 would_dump(bprm, interpreter);
903
904 interp_elf_ex = kmalloc(sizeof(*interp_elf_ex), GFP_KERNEL);
905 if (!interp_elf_ex) {
906 retval = -ENOMEM;
907 goto out_free_file;
908 }
909
910 /* Get the exec headers */
911 retval = elf_read(interpreter, interp_elf_ex,
912 sizeof(*interp_elf_ex), 0);
913 if (retval < 0)
914 goto out_free_dentry;
915
916 break;
917
918 out_free_interp:
919 kfree(elf_interpreter);
920 goto out_free_ph;
921 }
922
923 elf_ppnt = elf_phdata;
924 for (i = 0; i < elf_ex->e_phnum; i++, elf_ppnt++)
925 switch (elf_ppnt->p_type) {
926 case PT_GNU_STACK:
927 if (elf_ppnt->p_flags & PF_X)
928 executable_stack = EXSTACK_ENABLE_X;
929 else
930 executable_stack = EXSTACK_DISABLE_X;
931 break;
932
933 case PT_LOPROC ... PT_HIPROC:
934 retval = arch_elf_pt_proc(elf_ex, elf_ppnt,
935 bprm->file, false,
936 &arch_state);
937 if (retval)
938 goto out_free_dentry;
939 break;
940 }
941
942 /* Some simple consistency checks for the interpreter */
943 if (interpreter) {
944 retval = -ELIBBAD;
945 /* Not an ELF interpreter */
946 if (memcmp(interp_elf_ex->e_ident, ELFMAG, SELFMAG) != 0)
947 goto out_free_dentry;
948 /* Verify the interpreter has a valid arch */
949 if (!elf_check_arch(interp_elf_ex) ||
950 elf_check_fdpic(interp_elf_ex))
951 goto out_free_dentry;
952
953 /* Load the interpreter program headers */
954 interp_elf_phdata = load_elf_phdrs(interp_elf_ex,
955 interpreter);
956 if (!interp_elf_phdata)
957 goto out_free_dentry;
958
959 /* Pass PT_LOPROC..PT_HIPROC headers to arch code */
960 elf_property_phdata = NULL;
961 elf_ppnt = interp_elf_phdata;
962 for (i = 0; i < interp_elf_ex->e_phnum; i++, elf_ppnt++)
963 switch (elf_ppnt->p_type) {
964 case PT_GNU_PROPERTY:
965 elf_property_phdata = elf_ppnt;
966 break;
967
968 case PT_LOPROC ... PT_HIPROC:
969 retval = arch_elf_pt_proc(interp_elf_ex,
970 elf_ppnt, interpreter,
971 true, &arch_state);
972 if (retval)
973 goto out_free_dentry;
974 break;
975 }
976 }
977
978 retval = parse_elf_properties(interpreter ?: bprm->file,
979 elf_property_phdata, &arch_state);
980 if (retval)
981 goto out_free_dentry;
982
983 /*
984 * Allow arch code to reject the ELF at this point, whilst it's
985 * still possible to return an error to the code that invoked
986 * the exec syscall.
987 */
988 retval = arch_check_elf(elf_ex,
989 !!interpreter, interp_elf_ex,
990 &arch_state);
991 if (retval)
992 goto out_free_dentry;
993
994 /* Flush all traces of the currently running executable */
995 retval = begin_new_exec(bprm);
996 if (retval)
997 goto out_free_dentry;
998
999 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
1000 may depend on the personality. */
1001 SET_PERSONALITY2(*elf_ex, &arch_state);
1002 if (elf_read_implies_exec(*elf_ex, executable_stack))
1003 current->personality |= READ_IMPLIES_EXEC;
1004
1005 const int snapshot_randomize_va_space = READ_ONCE(randomize_va_space);
1006 if (!(current->personality & ADDR_NO_RANDOMIZE) && snapshot_randomize_va_space)
1007 current->flags |= PF_RANDOMIZE;
1008
1009 setup_new_exec(bprm);
1010
1011 /* Do this so that we can load the interpreter, if need be. We will
1012 change some of these later */
1013 retval = setup_arg_pages(bprm, randomize_stack_top(STACK_TOP),
1014 executable_stack);
1015 if (retval < 0)
1016 goto out_free_dentry;
1017
1018 elf_brk = 0;
1019
1020 start_code = ~0UL;
1021 end_code = 0;
1022 start_data = 0;
1023 end_data = 0;
1024
1025 /* Now we do a little grungy work by mmapping the ELF image into
1026 the correct location in memory. */
1027 for(i = 0, elf_ppnt = elf_phdata;
1028 i < elf_ex->e_phnum; i++, elf_ppnt++) {
1029 int elf_prot, elf_flags;
1030 unsigned long k, vaddr;
1031 unsigned long total_size = 0;
1032 unsigned long alignment;
1033
1034 if (elf_ppnt->p_type != PT_LOAD)
1035 continue;
1036
1037 elf_prot = make_prot(elf_ppnt->p_flags, &arch_state,
1038 !!interpreter, false);
1039
1040 elf_flags = MAP_PRIVATE;
1041
1042 vaddr = elf_ppnt->p_vaddr;
1043 /*
1044 * The first time through the loop, first_pt_load is true:
1045 * layout will be calculated. Once set, use MAP_FIXED since
1046 * we know we've already safely mapped the entire region with
1047 * MAP_FIXED_NOREPLACE in the once-per-binary logic following.
1048 */
1049 if (!first_pt_load) {
1050 elf_flags |= MAP_FIXED;
1051 } else if (elf_ex->e_type == ET_EXEC) {
1052 /*
1053 * This logic is run once for the first LOAD Program
1054 * Header for ET_EXEC binaries. No special handling
1055 * is needed.
1056 */
1057 elf_flags |= MAP_FIXED_NOREPLACE;
1058 } else if (elf_ex->e_type == ET_DYN) {
1059 /*
1060 * This logic is run once for the first LOAD Program
1061 * Header for ET_DYN binaries to calculate the
1062 * randomization (load_bias) for all the LOAD
1063 * Program Headers.
1064 */
1065
1066 /*
1067 * Calculate the entire size of the ELF mapping
1068 * (total_size), used for the initial mapping,
1069 * due to first_pt_load, which is cleared
1070 * once the initial mapping is performed.
1071 *
1072 * Note that this is only sensible when the LOAD
1073 * segments are contiguous (or overlapping). If
1074 * used for LOADs that are far apart, this would
1075 * cause the holes between LOADs to be mapped,
1076 * running the risk of having the mapping fail,
1077 * as it would be larger than the ELF file itself.
1078 *
1079 * As a result, only ET_DYN does this, since
1080 * some ET_EXEC (e.g. ia64) may have large virtual
1081 * memory holes between LOADs.
1082 *
1083 */
1084 total_size = total_mapping_size(elf_phdata,
1085 elf_ex->e_phnum);
1086 if (!total_size) {
1087 retval = -EINVAL;
1088 goto out_free_dentry;
1089 }
1090
1091 /* Calculate any requested alignment. */
1092 alignment = maximum_alignment(elf_phdata, elf_ex->e_phnum);
1093
1094 /**
1095 * DOC: PIE handling
1096 *
1097 * There are effectively two types of ET_DYN ELF
1098 * binaries: programs (i.e. PIE: ET_DYN with
1099 * PT_INTERP) and loaders (i.e. static PIE: ET_DYN
1100 * without PT_INTERP, usually the ELF interpreter
1101 * itself). Loaders must be loaded away from programs
1102 * since the program may otherwise collide with the
1103 * loader (especially for ET_EXEC which does not have
1104 * a randomized position).
1105 *
1106 * For example, to handle invocations of
1107 * "./ld.so someprog" to test out a new version of
1108 * the loader, the subsequent program that the
1109 * loader loads must avoid the loader itself, so
1110 * they cannot share the same load range. Sufficient
1111 * room for the brk must be allocated with the
1112 * loader as well, since brk must be available with
1113 * the loader.
1114 *
1115 * Therefore, programs are loaded offset from
1116 * ELF_ET_DYN_BASE and loaders are loaded into the
1117 * independently randomized mmap region (0 load_bias
1118 * without MAP_FIXED nor MAP_FIXED_NOREPLACE).
1119 *
1120 * See below for "brk" handling details, which is
1121 * also affected by program vs loader and ASLR.
1122 */
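/*
 * Illustrative numbers only (ELF_ET_DYN_BASE is arch-specific): on x86-64
 * it is defined as two thirds of the task size, roughly 0x555555554000, so
 * a PIE with PT_INTERP typically loads at that base plus arch_mmap_rnd(),
 * masked down to any larger p_align the binary requested, while its
 * interpreter is placed independently in the mmap region.
 */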
1123 if (interpreter) {
1124 /* On ET_DYN with PT_INTERP, we do the ASLR. */
1125 load_bias = ELF_ET_DYN_BASE;
1126 if (current->flags & PF_RANDOMIZE)
1127 load_bias += arch_mmap_rnd();
1128 /* Adjust alignment as requested. */
1129 if (alignment)
1130 load_bias &= ~(alignment - 1);
1131 elf_flags |= MAP_FIXED_NOREPLACE;
1132 } else {
1133 /*
1134 * For ET_DYN without PT_INTERP, we rely on
1135 * the architecture's (potentially ASLR) mmap
1136 * base address (via a load_bias of 0).
1137 *
1138 * When a large alignment is requested, we
1139 * must do the allocation at address "0" right
1140 * now to discover where things will load so
1141 * that we can adjust the resulting alignment.
1142 * In this case (load_bias != 0), we can use
1143 * MAP_FIXED_NOREPLACE to make sure the mapping
1144 * doesn't collide with anything.
1145 */
1146 if (alignment > ELF_MIN_ALIGN) {
1147 load_bias = elf_load(bprm->file, 0, elf_ppnt,
1148 elf_prot, elf_flags, total_size);
1149 if (BAD_ADDR(load_bias)) {
1150 retval = IS_ERR_VALUE(load_bias) ?
1151 PTR_ERR((void*)load_bias) : -EINVAL;
1152 goto out_free_dentry;
1153 }
1154 vm_munmap(load_bias, total_size);
1155 /* Adjust alignment as requested. */
1156 if (alignment)
1157 load_bias &= ~(alignment - 1);
1158 elf_flags |= MAP_FIXED_NOREPLACE;
1159 } else
1160 load_bias = 0;
1161 }
1162
1163 /*
1164 * Since load_bias is used for all subsequent loading
1165 * calculations, we must lower it by the first vaddr
1166 * so that the remaining calculations based on the
1167 * ELF vaddrs will be correctly offset. The result
1168 * is then page aligned.
1169 */
1170 load_bias = ELF_PAGESTART(load_bias - vaddr);
1171 }
1172
1173 error = elf_load(bprm->file, load_bias + vaddr, elf_ppnt,
1174 elf_prot, elf_flags, total_size);
1175 if (BAD_ADDR(error)) {
1176 retval = IS_ERR_VALUE(error) ?
1177 PTR_ERR((void*)error) : -EINVAL;
1178 goto out_free_dentry;
1179 }
1180
1181 if (first_pt_load) {
1182 first_pt_load = 0;
1183 if (elf_ex->e_type == ET_DYN) {
1184 load_bias += error -
1185 ELF_PAGESTART(load_bias + vaddr);
1186 reloc_func_desc = load_bias;
1187 }
1188 }
1189
1190 /*
1191 * Figure out which segment in the file contains the Program
1192 * Header table, and map to the associated memory address.
1193 */
1194 if (elf_ppnt->p_offset <= elf_ex->e_phoff &&
1195 elf_ex->e_phoff < elf_ppnt->p_offset + elf_ppnt->p_filesz) {
1196 phdr_addr = elf_ex->e_phoff - elf_ppnt->p_offset +
1197 elf_ppnt->p_vaddr;
1198 }
1199
1200 k = elf_ppnt->p_vaddr;
1201 if ((elf_ppnt->p_flags & PF_X) && k < start_code)
1202 start_code = k;
1203 if (start_data < k)
1204 start_data = k;
1205
1206 /*
1207 * Check to see if the section's size will overflow the
1208 * allowed task size. Note that p_filesz must always be
1209 * <= p_memsz so it is only necessary to check p_memsz.
1210 */
1211 if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
1212 elf_ppnt->p_memsz > TASK_SIZE ||
1213 TASK_SIZE - elf_ppnt->p_memsz < k) {
1214 /* set_brk can never work. Avoid overflows. */
1215 retval = -EINVAL;
1216 goto out_free_dentry;
1217 }
1218
1219 k = elf_ppnt->p_vaddr + elf_ppnt->p_filesz;
1220
1221 if ((elf_ppnt->p_flags & PF_X) && end_code < k)
1222 end_code = k;
1223 if (end_data < k)
1224 end_data = k;
1225 k = elf_ppnt->p_vaddr + elf_ppnt->p_memsz;
1226 if (k > elf_brk)
1227 elf_brk = k;
1228 }
1229
1230 e_entry = elf_ex->e_entry + load_bias;
1231 phdr_addr += load_bias;
1232 elf_brk += load_bias;
1233 start_code += load_bias;
1234 end_code += load_bias;
1235 start_data += load_bias;
1236 end_data += load_bias;
1237
1238 if (interpreter) {
1239 elf_entry = load_elf_interp(interp_elf_ex,
1240 interpreter,
1241 load_bias, interp_elf_phdata,
1242 &arch_state);
1243 if (!IS_ERR_VALUE(elf_entry)) {
1244 /*
1245 * load_elf_interp() returns relocation
1246 * adjustment
1247 */
1248 interp_load_addr = elf_entry;
1249 elf_entry += interp_elf_ex->e_entry;
1250 }
1251 if (BAD_ADDR(elf_entry)) {
1252 retval = IS_ERR_VALUE(elf_entry) ?
1253 (int)elf_entry : -EINVAL;
1254 goto out_free_dentry;
1255 }
1256 reloc_func_desc = interp_load_addr;
1257
1258 exe_file_allow_write_access(interpreter);
1259 fput(interpreter);
1260
1261 kfree(interp_elf_ex);
1262 kfree(interp_elf_phdata);
1263 } else {
1264 elf_entry = e_entry;
1265 if (BAD_ADDR(elf_entry)) {
1266 retval = -EINVAL;
1267 goto out_free_dentry;
1268 }
1269 }
1270
1271 kfree(elf_phdata);
1272
1273 set_binfmt(&elf_format);
1274
1275 #ifdef ARCH_HAS_SETUP_ADDITIONAL_PAGES
1276 retval = ARCH_SETUP_ADDITIONAL_PAGES(bprm, elf_ex, !!interpreter);
1277 if (retval < 0)
1278 goto out;
1279 #endif /* ARCH_HAS_SETUP_ADDITIONAL_PAGES */
1280
1281 retval = create_elf_tables(bprm, elf_ex, interp_load_addr,
1282 e_entry, phdr_addr);
1283 if (retval < 0)
1284 goto out;
1285
1286 mm = current->mm;
1287 mm->end_code = end_code;
1288 mm->start_code = start_code;
1289 mm->start_data = start_data;
1290 mm->end_data = end_data;
1291 mm->start_stack = bprm->p;
1292
1293 /**
1294 * DOC: "brk" handling
1295 *
1296 * For architectures with ELF randomization, when executing a
1297 * loader directly (i.e. static PIE: ET_DYN without PT_INTERP),
1298 * move the brk area out of the mmap region and into the unused
1299 * ELF_ET_DYN_BASE region. Since "brk" grows up it may collide
1300 * early with the stack growing down or other regions being put
1301 * into the mmap region by the kernel (e.g. vdso).
1302 *
1303 * In the CONFIG_COMPAT_BRK case, though, everything is turned
1304 * off because we're not allowed to move the brk at all.
1305 */
1306 if (!IS_ENABLED(CONFIG_COMPAT_BRK) &&
1307 IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) &&
1308 elf_ex->e_type == ET_DYN && !interpreter) {
1309 elf_brk = ELF_ET_DYN_BASE;
1310 /* This counts as moving the brk, so let brk(2) know. */
1311 brk_moved = true;
1312 }
1313 mm->start_brk = mm->brk = ELF_PAGEALIGN(elf_brk);
1314
1315 if ((current->flags & PF_RANDOMIZE) && snapshot_randomize_va_space > 1) {
1316 /*
1317 * If we didn't move the brk to ELF_ET_DYN_BASE (above),
1318 * leave a gap between .bss and brk.
1319 */
1320 if (!brk_moved)
1321 mm->brk = mm->start_brk = mm->brk + PAGE_SIZE;
1322
1323 mm->brk = mm->start_brk = arch_randomize_brk(mm);
1324 brk_moved = true;
1325 }
1326
1327 #ifdef compat_brk_randomized
1328 if (brk_moved)
1329 current->brk_randomized = 1;
1330 #endif
1331
1332 if (current->personality & MMAP_PAGE_ZERO) {
1333 /* Why this, you ask??? Well SVr4 maps page 0 as read-only,
1334 and some applications "depend" upon this behavior.
1335 Since we do not have the power to recompile these, we
1336 emulate the SVr4 behavior. Sigh. */
1337 error = vm_mmap(NULL, 0, PAGE_SIZE, PROT_READ | PROT_EXEC,
1338 MAP_FIXED | MAP_PRIVATE, 0);
1339
1340 retval = do_mseal(0, PAGE_SIZE, 0);
1341 if (retval)
1342 pr_warn_ratelimited("pid=%d, couldn't seal address 0, ret=%d.\n",
1343 task_pid_nr(current), retval);
1344 }
1345
1346 regs = current_pt_regs();
1347 #ifdef ELF_PLAT_INIT
1348 /*
1349 * The ABI may specify that certain registers be set up in special
1350 * ways (on i386 %edx is the address of a DT_FINI function, for
1351 * example). In addition, it may also specify (eg, PowerPC64 ELF)
1352 * that the e_entry field is the address of the function descriptor
1353 * for the startup routine, rather than the address of the startup
1354 * routine itself. This macro performs whatever initialization to
1355 * the regs structure is required as well as any relocations to the
1356 * function descriptor entries when executing dynamically linked apps.
1357 */
1358 ELF_PLAT_INIT(regs, reloc_func_desc);
1359 #endif
1360
1361 finalize_exec(bprm);
1362 START_THREAD(elf_ex, regs, elf_entry, bprm->p);
1363 retval = 0;
1364 out:
1365 return retval;
1366
1367 /* error cleanup */
1368 out_free_dentry:
1369 kfree(interp_elf_ex);
1370 kfree(interp_elf_phdata);
1371 out_free_file:
1372 exe_file_allow_write_access(interpreter);
1373 if (interpreter)
1374 fput(interpreter);
1375 out_free_ph:
1376 kfree(elf_phdata);
1377 goto out;
1378 }
1379
1380 #ifdef CONFIG_ELF_CORE
1381 /*
1382 * ELF core dumper
1383 *
1384 * Modelled on fs/exec.c:aout_core_dump()
1385 * Jeremy Fitzhardinge <jeremy@sw.oz.au>
1386 */
1387
1388 /* An ELF note in memory */
1389 struct memelfnote
1390 {
1391 const char *name;
1392 int type;
1393 unsigned int datasz;
1394 void *data;
1395 };
1396
1397 static int notesize(struct memelfnote *en)
1398 {
1399 int sz;
1400
1401 sz = sizeof(struct elf_note);
1402 sz += roundup(strlen(en->name) + 1, 4);
1403 sz += roundup(en->datasz, 4);
1404
1405 return sz;
1406 }
1407
1408 static int writenote(struct memelfnote *men, struct coredump_params *cprm)
1409 {
1410 struct elf_note en;
1411 en.n_namesz = strlen(men->name) + 1;
1412 en.n_descsz = men->datasz;
1413 en.n_type = men->type;
1414
1415 return dump_emit(cprm, &en, sizeof(en)) &&
1416 dump_emit(cprm, men->name, en.n_namesz) && dump_align(cprm, 4) &&
1417 dump_emit(cprm, men->data, men->datasz) && dump_align(cprm, 4);
1418 }
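/*
 * For reference, each note record emitted by writenote() appears in the
 * core file as:
 *
 *	struct elf_note { n_namesz, n_descsz, n_type }	(three 32-bit words)
 *	name bytes including the trailing NUL, padded to a 4-byte boundary
 *	desc bytes,                            padded to a 4-byte boundary
 *
 * which is exactly the size notesize() reports when the PT_NOTE segment is
 * laid out.
 */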
1419
1420 static void fill_elf_header(struct elfhdr *elf, int segs,
1421 u16 machine, u32 flags)
1422 {
1423 memset(elf, 0, sizeof(*elf));
1424
1425 memcpy(elf->e_ident, ELFMAG, SELFMAG);
1426 elf->e_ident[EI_CLASS] = ELF_CLASS;
1427 elf->e_ident[EI_DATA] = ELF_DATA;
1428 elf->e_ident[EI_VERSION] = EV_CURRENT;
1429 elf->e_ident[EI_OSABI] = ELF_OSABI;
1430
1431 elf->e_type = ET_CORE;
1432 elf->e_machine = machine;
1433 elf->e_version = EV_CURRENT;
1434 elf->e_phoff = sizeof(struct elfhdr);
1435 elf->e_flags = flags;
1436 elf->e_ehsize = sizeof(struct elfhdr);
1437 elf->e_phentsize = sizeof(struct elf_phdr);
1438 elf->e_phnum = segs;
1439 }
1440
1441 static void fill_elf_note_phdr(struct elf_phdr *phdr, int sz, loff_t offset)
1442 {
1443 phdr->p_type = PT_NOTE;
1444 phdr->p_offset = offset;
1445 phdr->p_vaddr = 0;
1446 phdr->p_paddr = 0;
1447 phdr->p_filesz = sz;
1448 phdr->p_memsz = 0;
1449 phdr->p_flags = 0;
1450 phdr->p_align = 4;
1451 }
1452
1453 static void fill_note(struct memelfnote *note, const char *name, int type,
1454 unsigned int sz, void *data)
1455 {
1456 note->name = name;
1457 note->type = type;
1458 note->datasz = sz;
1459 note->data = data;
1460 }
1461
1462 /*
1463 * fill up all the fields in prstatus from the given task struct, except
1464 * registers which need to be filled up separately.
1465 */
1466 static void fill_prstatus(struct elf_prstatus_common *prstatus,
1467 struct task_struct *p, long signr)
1468 {
1469 prstatus->pr_info.si_signo = prstatus->pr_cursig = signr;
1470 prstatus->pr_sigpend = p->pending.signal.sig[0];
1471 prstatus->pr_sighold = p->blocked.sig[0];
1472 rcu_read_lock();
1473 prstatus->pr_ppid = task_pid_vnr(rcu_dereference(p->real_parent));
1474 rcu_read_unlock();
1475 prstatus->pr_pid = task_pid_vnr(p);
1476 prstatus->pr_pgrp = task_pgrp_vnr(p);
1477 prstatus->pr_sid = task_session_vnr(p);
1478 if (thread_group_leader(p)) {
1479 struct task_cputime cputime;
1480
1481 /*
1482 * This is the record for the group leader. It shows the
1483 * group-wide total, not its individual thread total.
1484 */
1485 thread_group_cputime(p, &cputime);
1486 prstatus->pr_utime = ns_to_kernel_old_timeval(cputime.utime);
1487 prstatus->pr_stime = ns_to_kernel_old_timeval(cputime.stime);
1488 } else {
1489 u64 utime, stime;
1490
1491 task_cputime(p, &utime, &stime);
1492 prstatus->pr_utime = ns_to_kernel_old_timeval(utime);
1493 prstatus->pr_stime = ns_to_kernel_old_timeval(stime);
1494 }
1495
1496 prstatus->pr_cutime = ns_to_kernel_old_timeval(p->signal->cutime);
1497 prstatus->pr_cstime = ns_to_kernel_old_timeval(p->signal->cstime);
1498 }
1499
1500 static int fill_psinfo(struct elf_prpsinfo *psinfo, struct task_struct *p,
1501 struct mm_struct *mm)
1502 {
1503 const struct cred *cred;
1504 unsigned int i, len;
1505 unsigned int state;
1506
1507 /* first copy the parameters from user space */
1508 memset(psinfo, 0, sizeof(struct elf_prpsinfo));
1509
1510 len = mm->arg_end - mm->arg_start;
1511 if (len >= ELF_PRARGSZ)
1512 len = ELF_PRARGSZ-1;
1513 if (copy_from_user(&psinfo->pr_psargs,
1514 (const char __user *)mm->arg_start, len))
1515 return -EFAULT;
1516 for(i = 0; i < len; i++)
1517 if (psinfo->pr_psargs[i] == 0)
1518 psinfo->pr_psargs[i] = ' ';
1519 psinfo->pr_psargs[len] = 0;
1520
1521 rcu_read_lock();
1522 psinfo->pr_ppid = task_pid_vnr(rcu_dereference(p->real_parent));
1523 rcu_read_unlock();
1524 psinfo->pr_pid = task_pid_vnr(p);
1525 psinfo->pr_pgrp = task_pgrp_vnr(p);
1526 psinfo->pr_sid = task_session_vnr(p);
1527
1528 state = READ_ONCE(p->__state);
1529 i = state ? ffz(~state) + 1 : 0;
1530 psinfo->pr_state = i;
1531 psinfo->pr_sname = (i > 5) ? '.' : "RSDTZW"[i];
1532 psinfo->pr_zomb = psinfo->pr_sname == 'Z';
1533 psinfo->pr_nice = task_nice(p);
1534 psinfo->pr_flag = p->flags;
1535 rcu_read_lock();
1536 cred = __task_cred(p);
1537 SET_UID(psinfo->pr_uid, from_kuid_munged(cred->user_ns, cred->uid));
1538 SET_GID(psinfo->pr_gid, from_kgid_munged(cred->user_ns, cred->gid));
1539 rcu_read_unlock();
1540 get_task_comm(psinfo->pr_fname, p);
1541
1542 return 0;
1543 }
1544
1545 static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
1546 {
1547 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
1548 int i = 0;
1549 do
1550 i += 2;
1551 while (auxv[i - 2] != AT_NULL);
1552 fill_note(note, NN_AUXV, NT_AUXV, i * sizeof(elf_addr_t), auxv);
1553 }
1554
1555 static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata,
1556 const kernel_siginfo_t *siginfo)
1557 {
1558 copy_siginfo_to_external(csigdata, siginfo);
1559 fill_note(note, NN_SIGINFO, NT_SIGINFO, sizeof(*csigdata), csigdata);
1560 }
1561
1562 /*
1563 * Format of NT_FILE note:
1564 *
1565 * long count -- how many files are mapped
1566 * long page_size -- units for file_ofs
1567 * array of [COUNT] elements of
1568 * long start
1569 * long end
1570 * long file_ofs
1571 * followed by COUNT filenames in ASCII: "FILE1" NUL "FILE2" NUL...
1572 */
1573 static int fill_files_note(struct memelfnote *note, struct coredump_params *cprm)
1574 {
1575 unsigned count, size, names_ofs, remaining, n;
1576 user_long_t *data;
1577 user_long_t *start_end_ofs;
1578 char *name_base, *name_curpos;
1579 int i;
1580
1581 /* *Estimated* file count and total data size needed */
1582 count = cprm->vma_count;
1583 if (count > UINT_MAX / 64)
1584 return -EINVAL;
1585 size = count * 64;
1586
1587 names_ofs = (2 + 3 * count) * sizeof(data[0]);
1588 alloc:
1589 /* paranoia check */
1590 if (size >= core_file_note_size_limit) {
1591 pr_warn_once("coredump Note size too large: %u (does kernel.core_file_note_size_limit sysctl need adjustment?)\n",
1592 size);
1593 return -EINVAL;
1594 }
1595 size = round_up(size, PAGE_SIZE);
1596 /*
1597 * "size" can be 0 here legitimately.
1598 * Let it ENOMEM and omit NT_FILE section which will be empty anyway.
1599 */
1600 data = kvmalloc(size, GFP_KERNEL);
1601 if (ZERO_OR_NULL_PTR(data))
1602 return -ENOMEM;
1603
1604 start_end_ofs = data + 2;
1605 name_base = name_curpos = ((char *)data) + names_ofs;
1606 remaining = size - names_ofs;
1607 count = 0;
1608 for (i = 0; i < cprm->vma_count; i++) {
1609 struct core_vma_metadata *m = &cprm->vma_meta[i];
1610 struct file *file;
1611 const char *filename;
1612
1613 file = m->file;
1614 if (!file)
1615 continue;
1616 filename = file_path(file, name_curpos, remaining);
1617 if (IS_ERR(filename)) {
1618 if (PTR_ERR(filename) == -ENAMETOOLONG) {
1619 kvfree(data);
1620 size = size * 5 / 4;
1621 goto alloc;
1622 }
1623 continue;
1624 }
1625
1626 /* file_path() fills at the end, move name down */
1627 /* n = strlen(filename) + 1: */
1628 n = (name_curpos + remaining) - filename;
1629 remaining = filename - name_curpos;
1630 memmove(name_curpos, filename, n);
1631 name_curpos += n;
1632
1633 *start_end_ofs++ = m->start;
1634 *start_end_ofs++ = m->end;
1635 *start_end_ofs++ = m->pgoff;
1636 count++;
1637 }
1638
1639 /* Now we know exact count of files, can store it */
1640 data[0] = count;
1641 data[1] = PAGE_SIZE;
1642 /*
1643 * Count usually is less than mm->map_count,
1644 * we need to move filenames down.
1645 */
1646 n = cprm->vma_count - count;
1647 if (n != 0) {
1648 unsigned shift_bytes = n * 3 * sizeof(data[0]);
1649 memmove(name_base - shift_bytes, name_base,
1650 name_curpos - name_base);
1651 name_curpos -= shift_bytes;
1652 }
1653
1654 size = name_curpos - (char *)data;
1655 fill_note(note, NN_FILE, NT_FILE, size, data);
1656 return 0;
1657 }
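/*
 * Illustrative only: a post-mortem tool of the same word size could walk the
 * NT_FILE descriptor built above roughly like this (userspace sketch, no
 * error handling):
 *
 *	const long *p = desc;		// start of the note descriptor
 *	long count     = *p++;
 *	long page_size = *p++;
 *	const char *name = (const char *)(p + 3 * count);
 *
 *	for (long i = 0; i < count; i++) {
 *		long start    = p[3 * i];
 *		long end      = p[3 * i + 1];
 *		long file_ofs = p[3 * i + 2];	// in units of page_size
 *		printf("%lx-%lx @ %lx %s\n",
 *		       start, end, file_ofs * page_size, name);
 *		name += strlen(name) + 1;
 *	}
 */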
1658
1659 #include <linux/regset.h>
1660
1661 struct elf_thread_core_info {
1662 struct elf_thread_core_info *next;
1663 struct task_struct *task;
1664 struct elf_prstatus prstatus;
1665 struct memelfnote notes[];
1666 };
1667
1668 struct elf_note_info {
1669 struct elf_thread_core_info *thread;
1670 struct memelfnote psinfo;
1671 struct memelfnote signote;
1672 struct memelfnote auxv;
1673 struct memelfnote files;
1674 user_siginfo_t csigdata;
1675 size_t size;
1676 int thread_notes;
1677 };
1678
1679 #ifdef CORE_DUMP_USE_REGSET
1680 /*
1681 * When a regset has a writeback hook, we call it on each thread before
1682 * dumping user memory. On register window machines, this makes sure the
1683 * user memory backing the register data is up to date before we read it.
1684 */
1685 static void do_thread_regset_writeback(struct task_struct *task,
1686 const struct user_regset *regset)
1687 {
1688 if (regset->writeback)
1689 regset->writeback(task, regset, 1);
1690 }
1691
1692 #ifndef PRSTATUS_SIZE
1693 #define PRSTATUS_SIZE sizeof(struct elf_prstatus)
1694 #endif
1695
1696 #ifndef SET_PR_FPVALID
1697 #define SET_PR_FPVALID(S) ((S)->pr_fpvalid = 1)
1698 #endif
1699
1700 static int fill_thread_core_info(struct elf_thread_core_info *t,
1701 const struct user_regset_view *view,
1702 long signr, struct elf_note_info *info)
1703 {
1704 unsigned int note_iter, view_iter;
1705
1706 /*
1707 * NT_PRSTATUS is the one special case, because the regset data
1708 * goes into the pr_reg field inside the note contents, rather
1709 * than being the whole note contents. We fill the regset in here.
1710 * We assume that regset 0 is NT_PRSTATUS.
1711 */
1712 fill_prstatus(&t->prstatus.common, t->task, signr);
1713 regset_get(t->task, &view->regsets[0],
1714 sizeof(t->prstatus.pr_reg), &t->prstatus.pr_reg);
1715
1716 fill_note(&t->notes[0], NN_PRSTATUS, NT_PRSTATUS,
1717 PRSTATUS_SIZE, &t->prstatus);
1718 info->size += notesize(&t->notes[0]);
1719
1720 do_thread_regset_writeback(t->task, &view->regsets[0]);
1721
1722 /*
1723 * Each other regset might generate a note too. For each regset
1724 * that has no core_note_type or is inactive, skip it.
1725 */
1726 note_iter = 1;
1727 for (view_iter = 1; view_iter < view->n; ++view_iter) {
1728 const struct user_regset *regset = &view->regsets[view_iter];
1729 int note_type = regset->core_note_type;
1730 bool is_fpreg = note_type == NT_PRFPREG;
1731 void *data;
1732 int ret;
1733
1734 do_thread_regset_writeback(t->task, regset);
1735 if (!note_type) // not for coredumps
1736 continue;
1737 if (regset->active && regset->active(t->task, regset) <= 0)
1738 continue;
1739
1740 ret = regset_get_alloc(t->task, regset, ~0U, &data);
1741 if (ret < 0)
1742 continue;
1743
1744 if (WARN_ON_ONCE(note_iter >= info->thread_notes))
1745 break;
1746
1747 if (is_fpreg)
1748 SET_PR_FPVALID(&t->prstatus);
1749
1750 fill_note(&t->notes[note_iter], is_fpreg ? NN_PRFPREG : "LINUX",
1751 note_type, ret, data);
1752
1753 info->size += notesize(&t->notes[note_iter]);
1754 note_iter++;
1755 }
1756
1757 return 1;
1758 }
1759 #else
1760 static int fill_thread_core_info(struct elf_thread_core_info *t,
1761 const struct user_regset_view *view,
1762 long signr, struct elf_note_info *info)
1763 {
1764 struct task_struct *p = t->task;
1765 elf_fpregset_t *fpu;
1766
1767 fill_prstatus(&t->prstatus.common, p, signr);
1768 elf_core_copy_task_regs(p, &t->prstatus.pr_reg);
1769
1770 fill_note(&t->notes[0], NN_PRSTATUS, NT_PRSTATUS, sizeof(t->prstatus),
1771 &(t->prstatus));
1772 info->size += notesize(&t->notes[0]);
1773
1774 fpu = kzalloc(sizeof(elf_fpregset_t), GFP_KERNEL);
1775 if (!fpu || !elf_core_copy_task_fpregs(p, fpu)) {
1776 kfree(fpu);
1777 return 1;
1778 }
1779
1780 t->prstatus.pr_fpvalid = 1;
1781 fill_note(&t->notes[1], NN_PRFPREG, NT_PRFPREG, sizeof(*fpu), fpu);
1782 info->size += notesize(&t->notes[1]);
1783
1784 return 1;
1785 }
1786 #endif
1787
1788 static int fill_note_info(struct elfhdr *elf, int phdrs,
1789 struct elf_note_info *info,
1790 struct coredump_params *cprm)
1791 {
1792 struct task_struct *dump_task = current;
1793 const struct user_regset_view *view;
1794 struct elf_thread_core_info *t;
1795 struct elf_prpsinfo *psinfo;
1796 struct core_thread *ct;
1797
1798 psinfo = kmalloc(sizeof(*psinfo), GFP_KERNEL);
1799 if (!psinfo)
1800 return 0;
1801 fill_note(&info->psinfo, NN_PRPSINFO, NT_PRPSINFO, sizeof(*psinfo), psinfo);
1802
1803 #ifdef CORE_DUMP_USE_REGSET
1804 view = task_user_regset_view(dump_task);
1805
1806 /*
1807 * Figure out how many notes we're going to need for each thread.
1808 */
1809 info->thread_notes = 0;
1810 for (int i = 0; i < view->n; ++i)
1811 if (view->regsets[i].core_note_type != 0)
1812 ++info->thread_notes;
1813
1814 /*
1815 * Sanity check. We rely on regset 0 being NT_PRSTATUS,
1816 * since it is our one special case.
1817 */
1818 if (unlikely(info->thread_notes == 0) ||
1819 unlikely(view->regsets[0].core_note_type != NT_PRSTATUS)) {
1820 WARN_ON(1);
1821 return 0;
1822 }
1823
1824 /*
1825 * Initialize the ELF file header.
1826 */
1827 fill_elf_header(elf, phdrs,
1828 view->e_machine, view->e_flags);
1829 #else
1830 view = NULL;
1831 info->thread_notes = 2;
1832 fill_elf_header(elf, phdrs, ELF_ARCH, ELF_CORE_EFLAGS);
1833 #endif
1834
1835 /*
1836 * Allocate a structure for each thread.
1837 */
1838 info->thread = kzalloc(offsetof(struct elf_thread_core_info,
1839 notes[info->thread_notes]),
1840 GFP_KERNEL);
1841 if (unlikely(!info->thread))
1842 return 0;
1843
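/*
 * The dumping thread goes at the head of the list and every other thread
 * is pushed in behind it, so its notes are written first; debuggers
 * conventionally treat that first thread as the faulting one.
 */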
1844 info->thread->task = dump_task;
1845 for (ct = dump_task->signal->core_state->dumper.next; ct; ct = ct->next) {
1846 t = kzalloc(offsetof(struct elf_thread_core_info,
1847 notes[info->thread_notes]),
1848 GFP_KERNEL);
1849 if (unlikely(!t))
1850 return 0;
1851
1852 t->task = ct->task;
1853 t->next = info->thread->next;
1854 info->thread->next = t;
1855 }
1856
1857 /*
1858 * Now fill in each thread's information.
1859 */
1860 for (t = info->thread; t != NULL; t = t->next)
1861 if (!fill_thread_core_info(t, view, cprm->siginfo->si_signo, info))
1862 return 0;
1863
1864 /*
1865 * Fill in the two process-wide notes.
1866 */
1867 fill_psinfo(psinfo, dump_task->group_leader, dump_task->mm);
1868 info->size += notesize(&info->psinfo);
1869
1870 fill_siginfo_note(&info->signote, &info->csigdata, cprm->siginfo);
1871 info->size += notesize(&info->signote);
1872
1873 fill_auxv_note(&info->auxv, current->mm);
1874 info->size += notesize(&info->auxv);
1875
1876 if (fill_files_note(&info->files, cprm) == 0)
1877 info->size += notesize(&info->files);
1878
1879 return 1;
1880 }
1881
1882 /*
1883 * Write all the notes for each thread. When writing the first thread, the
1884 * process-wide notes are interleaved after the first thread-specific note.
1885 */
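/*
 * For a two-thread process the note data therefore comes out roughly as:
 * PRSTATUS(T0), PRPSINFO, SIGINFO, AUXV, FILE, T0's other regset notes,
 * then PRSTATUS(T1) followed by T1's other notes.
 */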
1886 static int write_note_info(struct elf_note_info *info,
1887 struct coredump_params *cprm)
1888 {
1889 bool first = true;
1890 struct elf_thread_core_info *t = info->thread;
1891
1892 do {
1893 int i;
1894
1895 if (!writenote(&t->notes[0], cprm))
1896 return 0;
1897
1898 if (first && !writenote(&info->psinfo, cprm))
1899 return 0;
1900 if (first && !writenote(&info->signote, cprm))
1901 return 0;
1902 if (first && !writenote(&info->auxv, cprm))
1903 return 0;
1904 if (first && info->files.data &&
1905 !writenote(&info->files, cprm))
1906 return 0;
1907
1908 for (i = 1; i < info->thread_notes; ++i)
1909 if (t->notes[i].data &&
1910 !writenote(&t->notes[i], cprm))
1911 return 0;
1912
1913 first = false;
1914 t = t->next;
1915 } while (t);
1916
1917 return 1;
1918 }
1919
1920 static void free_note_info(struct elf_note_info *info)
1921 {
1922 struct elf_thread_core_info *threads = info->thread;
1923 while (threads) {
1924 unsigned int i;
1925 struct elf_thread_core_info *t = threads;
1926 threads = t->next;
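/*
 * notes[0] points at the prstatus embedded in t itself, so only the
 * separately allocated buffers in notes[1..] need freeing here.
 */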
1927 WARN_ON(t->notes[0].data && t->notes[0].data != &t->prstatus);
1928 for (i = 1; i < info->thread_notes; ++i)
1929 kvfree(t->notes[i].data);
1930 kfree(t);
1931 }
1932 kfree(info->psinfo.data);
1933 kvfree(info->files.data);
1934 }
1935
1936 static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
1937 elf_addr_t e_shoff, int segs)
1938 {
1939 elf->e_shoff = e_shoff;
1940 elf->e_shentsize = sizeof(*shdr4extnum);
1941 elf->e_shnum = 1;
1942 elf->e_shstrndx = SHN_UNDEF;
1943
1944 memset(shdr4extnum, 0, sizeof(*shdr4extnum));
1945
1946 shdr4extnum->sh_type = SHT_NULL;
1947 shdr4extnum->sh_size = elf->e_shnum;
1948 shdr4extnum->sh_link = elf->e_shstrndx;
1949 shdr4extnum->sh_info = segs;
1950 }
1951
1952 /*
1953 * Actual dumper
1954 *
1955 * This is a two-pass process: first we work out the offsets of all the
1956 * pieces, and then they are actually written out. If we run out of core
1957 * limit we just truncate.
1958 */
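/*
 * The resulting file is laid out roughly as: ELF header, program headers
 * (one PT_NOTE plus one PT_LOAD per VMA, plus any arch-specific extras),
 * the note data, padding up to ELF_EXEC_PAGESIZE, the dumped VMA contents,
 * and finally a single section header if extended numbering was needed.
 */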
1959 static int elf_core_dump(struct coredump_params *cprm)
1960 {
1961 int has_dumped = 0;
1962 int segs, i;
1963 struct elfhdr elf;
1964 loff_t offset = 0, dataoff;
1965 struct elf_note_info info = { };
1966 struct elf_phdr *phdr4note = NULL;
1967 struct elf_shdr *shdr4extnum = NULL;
1968 Elf_Half e_phnum;
1969 elf_addr_t e_shoff;
1970
1971 /*
1972 * The number of segs is recorded in the ELF header as a 16-bit value.
1973 * Please check the DEFAULT_MAX_MAP_COUNT definition when you modify this.
1974 */
1975 segs = cprm->vma_count + elf_core_extra_phdrs(cprm);
1976
1977 /* for notes section */
1978 segs++;
1979
1980 /* If segs > PN_XNUM(0xffff), then e_phnum overflows. To avoid
1981 * this, the kernel supports extended numbering. Have a look at
1982 * include/linux/elf.h for further information. */
1983 e_phnum = segs > PN_XNUM ? PN_XNUM : segs;
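/*
 * In the extended-numbering case the real count is not lost:
 * fill_extnum_info() stores it in the sh_info field of the lone section
 * header, which is where the ELF spec directs consumers to look when
 * e_phnum == PN_XNUM.
 */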
1984
1985 /*
1986 * Collect all the non-memory information about the process for the
1987 * notes. This also sets up the file header.
1988 */
1989 if (!fill_note_info(&elf, e_phnum, &info, cprm))
1990 goto end_coredump;
1991
1992 has_dumped = 1;
1993
1994 offset += sizeof(elf); /* ELF header */
1995 offset += segs * sizeof(struct elf_phdr); /* Program headers */
1996
1997 /* Write notes phdr entry */
1998 {
1999 size_t sz = info.size;
2000
2001 /* For cell spufs and x86 xstate */
2002 sz += elf_coredump_extra_notes_size();
2003
2004 phdr4note = kmalloc(sizeof(*phdr4note), GFP_KERNEL);
2005 if (!phdr4note)
2006 goto end_coredump;
2007
2008 fill_elf_note_phdr(phdr4note, sz, offset);
2009 offset += sz;
2010 }
2011
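/*
 * Memory dumps start at the next ELF_EXEC_PAGESIZE boundary; the PT_LOAD
 * p_offset values computed below all fall at or after this dataoff.
 */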
2012 dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
2013
2014 offset += cprm->vma_data_size;
2015 offset += elf_core_extra_data_size(cprm);
2016 e_shoff = offset;
2017
2018 if (e_phnum == PN_XNUM) {
2019 shdr4extnum = kmalloc(sizeof(*shdr4extnum), GFP_KERNEL);
2020 if (!shdr4extnum)
2021 goto end_coredump;
2022 fill_extnum_info(&elf, shdr4extnum, e_shoff, segs);
2023 }
2024
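/*
 * Reset offset to the start of the data area: the PT_LOAD headers written
 * next record where each VMA's bytes will be emitted later on.
 */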
2025 offset = dataoff;
2026
2027 if (!dump_emit(cprm, &elf, sizeof(elf)))
2028 goto end_coredump;
2029
2030 if (!dump_emit(cprm, phdr4note, sizeof(*phdr4note)))
2031 goto end_coredump;
2032
2033 /* Write program headers for segments dump */
2034 for (i = 0; i < cprm->vma_count; i++) {
2035 struct core_vma_metadata *meta = cprm->vma_meta + i;
2036 struct elf_phdr phdr;
2037
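/*
 * One PT_LOAD header per VMA. p_filesz may be smaller than p_memsz when
 * only part of the mapping (or none of it) is dumped, e.g. because of
 * coredump filtering.
 */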
2038 phdr.p_type = PT_LOAD;
2039 phdr.p_offset = offset;
2040 phdr.p_vaddr = meta->start;
2041 phdr.p_paddr = 0;
2042 phdr.p_filesz = meta->dump_size;
2043 phdr.p_memsz = meta->end - meta->start;
2044 offset += phdr.p_filesz;
2045 phdr.p_flags = 0;
2046 if (meta->flags & VM_READ)
2047 phdr.p_flags |= PF_R;
2048 if (meta->flags & VM_WRITE)
2049 phdr.p_flags |= PF_W;
2050 if (meta->flags & VM_EXEC)
2051 phdr.p_flags |= PF_X;
2052 phdr.p_align = ELF_EXEC_PAGESIZE;
2053
2054 if (!dump_emit(cprm, &phdr, sizeof(phdr)))
2055 goto end_coredump;
2056 }
2057
2058 if (!elf_core_write_extra_phdrs(cprm, offset))
2059 goto end_coredump;
2060
2061 /* write out the notes section */
2062 if (!write_note_info(&info, cprm))
2063 goto end_coredump;
2064
2065 /* For cell spufs and x86 xstate */
2066 if (elf_coredump_extra_notes_write(cprm))
2067 goto end_coredump;
2068
2069 /* Align to page */
2070 dump_skip_to(cprm, dataoff);
2071
2072 for (i = 0; i < cprm->vma_count; i++) {
2073 struct core_vma_metadata *meta = cprm->vma_meta + i;
2074
2075 if (!dump_user_range(cprm, meta->start, meta->dump_size))
2076 goto end_coredump;
2077 }
2078
2079 if (!elf_core_write_extra_data(cprm))
2080 goto end_coredump;
2081
2082 if (e_phnum == PN_XNUM) {
2083 if (!dump_emit(cprm, shdr4extnum, sizeof(*shdr4extnum)))
2084 goto end_coredump;
2085 }
2086
2087 end_coredump:
2088 free_note_info(&info);
2089 kfree(shdr4extnum);
2090 kfree(phdr4note);
2091 return has_dumped;
2092 }
2093
2094 #endif /* CONFIG_ELF_CORE */
2095
2096 static int __init init_elf_binfmt(void)
2097 {
2098 register_binfmt(&elf_format);
2099 return 0;
2100 }
2101
2102 static void __exit exit_elf_binfmt(void)
2103 {
2104 /* Remove the ELF loader. */
2105 unregister_binfmt(&elf_format);
2106 }
2107
2108 core_initcall(init_elf_binfmt);
2109 module_exit(exit_elf_binfmt);
2110
2111 #ifdef CONFIG_BINFMT_ELF_KUNIT_TEST
2112 #include "tests/binfmt_elf_kunit.c"
2113 #endif
2114