1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * linux/fs/binfmt_elf.c
4 *
5 * These are the functions used to load ELF format executables as used
6 * on SVr4 machines. Information on the format may be found in the book
7 * "UNIX SYSTEM V RELEASE 4 Programmers Guide: Ansi C and Programming Support
8 * Tools".
9 *
10 * Copyright 1993, 1994: Eric Youngdale (ericy@cais.com).
11 */
12
13 #include <linux/module.h>
14 #include <linux/kernel.h>
15 #include <linux/fs.h>
16 #include <linux/log2.h>
17 #include <linux/mm.h>
18 #include <linux/mman.h>
19 #include <linux/errno.h>
20 #include <linux/signal.h>
21 #include <linux/binfmts.h>
22 #include <linux/string.h>
23 #include <linux/file.h>
24 #include <linux/slab.h>
25 #include <linux/personality.h>
26 #include <linux/elfcore.h>
27 #include <linux/init.h>
28 #include <linux/highuid.h>
29 #include <linux/compiler.h>
30 #include <linux/highmem.h>
31 #include <linux/hugetlb.h>
32 #include <linux/pagemap.h>
33 #include <linux/vmalloc.h>
34 #include <linux/security.h>
35 #include <linux/random.h>
36 #include <linux/elf.h>
37 #include <linux/elf-randomize.h>
38 #include <linux/utsname.h>
39 #include <linux/coredump.h>
40 #include <linux/sched.h>
41 #include <linux/sched/coredump.h>
42 #include <linux/sched/task_stack.h>
43 #include <linux/sched/cputime.h>
44 #include <linux/sizes.h>
45 #include <linux/types.h>
46 #include <linux/cred.h>
47 #include <linux/dax.h>
48 #include <linux/uaccess.h>
49 #include <linux/rseq.h>
50 #include <asm/param.h>
51 #include <asm/page.h>
52
53 #ifndef ELF_COMPAT
54 #define ELF_COMPAT 0
55 #endif
56
57 #ifndef user_long_t
58 #define user_long_t long
59 #endif
60 #ifndef user_siginfo_t
61 #define user_siginfo_t siginfo_t
62 #endif
63
64 /* That's for binfmt_elf_fdpic to deal with */
65 #ifndef elf_check_fdpic
66 #define elf_check_fdpic(ex) false
67 #endif
68
69 static int load_elf_binary(struct linux_binprm *bprm);
70
71 /*
72 * If we don't support core dumping, then supply a NULL so we
73 * don't even try.
74 */
75 #ifdef CONFIG_ELF_CORE
76 static int elf_core_dump(struct coredump_params *cprm);
77 #else
78 #define elf_core_dump NULL
79 #endif
80
81 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
82 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
83 #else
84 #define ELF_MIN_ALIGN PAGE_SIZE
85 #endif
86
87 #ifndef ELF_CORE_EFLAGS
88 #define ELF_CORE_EFLAGS 0
89 #endif
90
91 #define ELF_PAGESTART(_v) ((_v) & ~(int)(ELF_MIN_ALIGN-1))
92 #define ELF_PAGEOFFSET(_v) ((_v) & (ELF_MIN_ALIGN-1))
93 #define ELF_PAGEALIGN(_v) (((_v) + ELF_MIN_ALIGN - 1) & ~(ELF_MIN_ALIGN - 1))
94
95 static struct linux_binfmt elf_format = {
96 .module = THIS_MODULE,
97 .load_binary = load_elf_binary,
98 #ifdef CONFIG_COREDUMP
99 .core_dump = elf_core_dump,
100 .min_coredump = ELF_EXEC_PAGESIZE,
101 #endif
102 };
103
104 #define BAD_ADDR(x) (unlikely((unsigned long)(x) >= TASK_SIZE))
105
106 /*
107 * We need to explicitly zero any trailing portion of the page that follows
108 * p_filesz when it ends before the page ends (e.g. bss), otherwise this
109 * memory will contain the junk from the file that should not be present.
110 */
111 static int padzero(unsigned long address)
112 {
113 unsigned long nbyte;
114
115 nbyte = ELF_PAGEOFFSET(address);
116 if (nbyte) {
117 nbyte = ELF_MIN_ALIGN - nbyte;
118 if (clear_user((void __user *)address, nbyte))
119 return -EFAULT;
120 }
121 return 0;
122 }
123
124 /* Let's use some macros to make this stack manipulation a little clearer */
125 #ifdef CONFIG_STACK_GROWSUP
126 #define STACK_ADD(sp, items) ((elf_addr_t __user *)(sp) + (items))
127 #define STACK_ROUND(sp, items) \
128 ((15 + (unsigned long) ((sp) + (items))) &~ 15UL)
129 #define STACK_ALLOC(sp, len) ({ \
130 elf_addr_t __user *old_sp = (elf_addr_t __user *)sp; sp += len; \
131 old_sp; })
132 #else
133 #define STACK_ADD(sp, items) ((elf_addr_t __user *)(sp) - (items))
134 #define STACK_ROUND(sp, items) \
135 (((unsigned long) (sp - items)) &~ 15UL)
136 #define STACK_ALLOC(sp, len) (sp -= len)
137 #endif
138
139 #ifndef ELF_BASE_PLATFORM
140 /*
141 * AT_BASE_PLATFORM indicates the "real" hardware/microarchitecture.
142 * If the arch defines ELF_BASE_PLATFORM (in asm/elf.h), the value
143 * will be copied to the user stack in the same manner as AT_PLATFORM.
144 */
145 #define ELF_BASE_PLATFORM NULL
146 #endif
147
148 static int
149 create_elf_tables(struct linux_binprm *bprm, const struct elfhdr *exec,
150 unsigned long interp_load_addr,
151 unsigned long e_entry, unsigned long phdr_addr)
152 {
153 struct mm_struct *mm = current->mm;
154 unsigned long p = bprm->p;
155 int argc = bprm->argc;
156 int envc = bprm->envc;
157 elf_addr_t __user *sp;
158 elf_addr_t __user *u_platform;
159 elf_addr_t __user *u_base_platform;
160 elf_addr_t __user *u_rand_bytes;
161 const char *k_platform = ELF_PLATFORM;
162 const char *k_base_platform = ELF_BASE_PLATFORM;
163 unsigned char k_rand_bytes[16];
164 int items;
165 elf_addr_t *elf_info;
166 elf_addr_t flags = 0;
167 int ei_index;
168 const struct cred *cred = current_cred();
169 struct vm_area_struct *vma;
170
171 /*
172 * In some cases (e.g. Hyper-Threading), we want to avoid L1
173 * evictions by the processes running on the same package. One
174 * thing we can do is to shuffle the initial stack for them.
175 */
176
177 p = arch_align_stack(p);
178
179 /*
180 * If this architecture has a platform capability string, copy it
181 * to userspace. In some cases (Sparc), this info is impossible
182 * for userspace to get any other way, in others (i386) it is
183 * merely difficult.
184 */
185 u_platform = NULL;
186 if (k_platform) {
187 size_t len = strlen(k_platform) + 1;
188
189 u_platform = (elf_addr_t __user *)STACK_ALLOC(p, len);
190 if (copy_to_user(u_platform, k_platform, len))
191 return -EFAULT;
192 }
193
194 /*
195 * If this architecture has a "base" platform capability
196 * string, copy it to userspace.
197 */
198 u_base_platform = NULL;
199 if (k_base_platform) {
200 size_t len = strlen(k_base_platform) + 1;
201
202 u_base_platform = (elf_addr_t __user *)STACK_ALLOC(p, len);
203 if (copy_to_user(u_base_platform, k_base_platform, len))
204 return -EFAULT;
205 }
206
207 /*
208 * Generate 16 random bytes for userspace PRNG seeding.
209 */
210 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
211 u_rand_bytes = (elf_addr_t __user *)
212 STACK_ALLOC(p, sizeof(k_rand_bytes));
213 if (copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
214 return -EFAULT;
215
216 /* Create the ELF interpreter info */
217 elf_info = (elf_addr_t *)mm->saved_auxv;
218 /* update AT_VECTOR_SIZE_BASE if the number of NEW_AUX_ENT() changes */
219 #define NEW_AUX_ENT(id, val) \
220 do { \
221 *elf_info++ = id; \
222 *elf_info++ = val; \
223 } while (0)
224
225 #ifdef ARCH_DLINFO
226 /*
227 * ARCH_DLINFO must come first so PPC can do its special alignment of
228 * AUXV.
229 * update AT_VECTOR_SIZE_ARCH if the number of NEW_AUX_ENT() in
230 * ARCH_DLINFO changes
231 */
232 ARCH_DLINFO;
233 #endif
234 NEW_AUX_ENT(AT_HWCAP, ELF_HWCAP);
235 NEW_AUX_ENT(AT_PAGESZ, ELF_EXEC_PAGESIZE);
236 NEW_AUX_ENT(AT_CLKTCK, CLOCKS_PER_SEC);
237 NEW_AUX_ENT(AT_PHDR, phdr_addr);
238 NEW_AUX_ENT(AT_PHENT, sizeof(struct elf_phdr));
239 NEW_AUX_ENT(AT_PHNUM, exec->e_phnum);
240 NEW_AUX_ENT(AT_BASE, interp_load_addr);
241 if (bprm->interp_flags & BINPRM_FLAGS_PRESERVE_ARGV0)
242 flags |= AT_FLAGS_PRESERVE_ARGV0;
243 NEW_AUX_ENT(AT_FLAGS, flags);
244 NEW_AUX_ENT(AT_ENTRY, e_entry);
245 NEW_AUX_ENT(AT_UID, from_kuid_munged(cred->user_ns, cred->uid));
246 NEW_AUX_ENT(AT_EUID, from_kuid_munged(cred->user_ns, cred->euid));
247 NEW_AUX_ENT(AT_GID, from_kgid_munged(cred->user_ns, cred->gid));
248 NEW_AUX_ENT(AT_EGID, from_kgid_munged(cred->user_ns, cred->egid));
249 NEW_AUX_ENT(AT_SECURE, bprm->secureexec);
250 NEW_AUX_ENT(AT_RANDOM, (elf_addr_t)(unsigned long)u_rand_bytes);
251 #ifdef ELF_HWCAP2
252 NEW_AUX_ENT(AT_HWCAP2, ELF_HWCAP2);
253 #endif
254 #ifdef ELF_HWCAP3
255 NEW_AUX_ENT(AT_HWCAP3, ELF_HWCAP3);
256 #endif
257 #ifdef ELF_HWCAP4
258 NEW_AUX_ENT(AT_HWCAP4, ELF_HWCAP4);
259 #endif
260 NEW_AUX_ENT(AT_EXECFN, bprm->exec);
261 if (k_platform) {
262 NEW_AUX_ENT(AT_PLATFORM,
263 (elf_addr_t)(unsigned long)u_platform);
264 }
265 if (k_base_platform) {
266 NEW_AUX_ENT(AT_BASE_PLATFORM,
267 (elf_addr_t)(unsigned long)u_base_platform);
268 }
269 if (bprm->have_execfd) {
270 NEW_AUX_ENT(AT_EXECFD, bprm->execfd);
271 }
272 #ifdef CONFIG_RSEQ
273 NEW_AUX_ENT(AT_RSEQ_FEATURE_SIZE, offsetof(struct rseq, end));
274 NEW_AUX_ENT(AT_RSEQ_ALIGN, __alignof__(struct rseq));
275 #endif
276 #undef NEW_AUX_ENT
277 /* AT_NULL is zero; clear the rest too */
278 memset(elf_info, 0, (char *)mm->saved_auxv +
279 sizeof(mm->saved_auxv) - (char *)elf_info);
280
281 /* And advance past the AT_NULL entry. */
282 elf_info += 2;
283
284 ei_index = elf_info - (elf_addr_t *)mm->saved_auxv;
285 sp = STACK_ADD(p, ei_index);
286
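/* Slots for argc itself, the argv pointers + NULL, and the envp pointers + NULL. */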
287 items = (argc + 1) + (envc + 1) + 1;
288 bprm->p = STACK_ROUND(sp, items);
289
290 /* Point sp at the lowest address on the stack */
291 #ifdef CONFIG_STACK_GROWSUP
292 sp = (elf_addr_t __user *)bprm->p - items - ei_index;
293 bprm->exec = (unsigned long)sp; /* XXX: PARISC HACK */
294 #else
295 sp = (elf_addr_t __user *)bprm->p;
296 #endif
297
298
299 /*
300 * Grow the stack manually; some architectures have a limit on how
301 * far ahead a user-space access may be in order to grow the stack.
302 */
303 if (mmap_write_lock_killable(mm))
304 return -EINTR;
305 vma = find_extend_vma_locked(mm, bprm->p);
306 mmap_write_unlock(mm);
307 if (!vma)
308 return -EFAULT;
309
310 /* Now, let's put argc (and argv, envp if appropriate) on the stack */
311 if (put_user(argc, sp++))
312 return -EFAULT;
313
314 /* Populate list of argv pointers back to argv strings. */
315 p = mm->arg_end = mm->arg_start;
316 while (argc-- > 0) {
317 size_t len;
318 if (put_user((elf_addr_t)p, sp++))
319 return -EFAULT;
320 len = strnlen_user((void __user *)p, MAX_ARG_STRLEN);
321 if (!len || len > MAX_ARG_STRLEN)
322 return -EINVAL;
323 p += len;
324 }
325 if (put_user(0, sp++))
326 return -EFAULT;
327 mm->arg_end = p;
328
329 /* Populate list of envp pointers back to envp strings. */
330 mm->env_end = mm->env_start = p;
331 while (envc-- > 0) {
332 size_t len;
333 if (put_user((elf_addr_t)p, sp++))
334 return -EFAULT;
335 len = strnlen_user((void __user *)p, MAX_ARG_STRLEN);
336 if (!len || len > MAX_ARG_STRLEN)
337 return -EINVAL;
338 p += len;
339 }
340 if (put_user(0, sp++))
341 return -EFAULT;
342 mm->env_end = p;
343
344 /* Put the elf_info on the stack in the right place. */
345 if (copy_to_user(sp, mm->saved_auxv, ei_index * sizeof(elf_addr_t)))
346 return -EFAULT;
347 return 0;
348 }
349
350 /*
351 * Map "eppnt->p_filesz" bytes from "filep" offset "eppnt->p_offset"
352 * into memory at "addr". (Note that p_filesz is rounded up to the
353 * next page, so any extra bytes from the file must be wiped.)
354 */
355 static unsigned long elf_map(struct file *filep, unsigned long addr,
356 const struct elf_phdr *eppnt, int prot, int type,
357 unsigned long total_size)
358 {
359 unsigned long map_addr;
360 unsigned long size = eppnt->p_filesz + ELF_PAGEOFFSET(eppnt->p_vaddr);
361 unsigned long off = eppnt->p_offset - ELF_PAGEOFFSET(eppnt->p_vaddr);
362 addr = ELF_PAGESTART(addr);
363 size = ELF_PAGEALIGN(size);
364
365 /* mmap() will return -EINVAL if given a zero size, but a
366 * segment with zero filesize is perfectly valid */
367 if (!size)
368 return addr;
369
370 /*
371 * total_size is the size of the ELF (interpreter) image.
372 * The _first_ mmap needs to know the full size, otherwise
373 * randomization might put this image into an overlapping
374 * position with the ELF binary image. (since size < total_size)
375 * So we first map the 'big' image - and unmap the remainder at
376 * the end. (which unmap is needed for ELF images with holes.)
377 */
378 if (total_size) {
379 total_size = ELF_PAGEALIGN(total_size);
380 map_addr = vm_mmap(filep, addr, total_size, prot, type, off);
381 if (!BAD_ADDR(map_addr))
382 vm_munmap(map_addr+size, total_size-size);
383 } else
384 map_addr = vm_mmap(filep, addr, size, prot, type, off);
385
386 if ((type & MAP_FIXED_NOREPLACE) &&
387 PTR_ERR((void *)map_addr) == -EEXIST)
388 pr_info("%d (%s): Uhuuh, elf segment at %px requested but the memory is mapped already\n",
389 task_pid_nr(current), current->comm, (void *)addr);
390
391 return(map_addr);
392 }
393
394 /*
395 * Map "eppnt->p_filesz" bytes from "filep" offset "eppnt->p_offset"
396 * into memory at "addr". Memory from "p_filesz" through "p_memsz"
397 * rounded up to the next page is zeroed.
398 */
399 static unsigned long elf_load(struct file *filep, unsigned long addr,
400 const struct elf_phdr *eppnt, int prot, int type,
401 unsigned long total_size)
402 {
403 unsigned long zero_start, zero_end;
404 unsigned long map_addr;
405
406 if (eppnt->p_filesz) {
407 map_addr = elf_map(filep, addr, eppnt, prot, type, total_size);
408 if (BAD_ADDR(map_addr))
409 return map_addr;
410 if (eppnt->p_memsz > eppnt->p_filesz) {
411 zero_start = map_addr + ELF_PAGEOFFSET(eppnt->p_vaddr) +
412 eppnt->p_filesz;
413 zero_end = map_addr + ELF_PAGEOFFSET(eppnt->p_vaddr) +
414 eppnt->p_memsz;
415
416 /*
417 * Zero the end of the last mapped page but ignore
418 * any errors if the segment isn't writable.
419 */
420 if (padzero(zero_start) && (prot & PROT_WRITE))
421 return -EFAULT;
422 }
423 } else {
424 map_addr = zero_start = ELF_PAGESTART(addr);
425 zero_end = zero_start + ELF_PAGEOFFSET(eppnt->p_vaddr) +
426 eppnt->p_memsz;
427 }
428 if (eppnt->p_memsz > eppnt->p_filesz) {
429 /*
430 * Map the last of the segment.
431 * If the header is requesting these pages to be
432 * executable, honour that (ppc32 needs this).
433 */
434 int error;
435
436 zero_start = ELF_PAGEALIGN(zero_start);
437 zero_end = ELF_PAGEALIGN(zero_end);
438
439 error = vm_brk_flags(zero_start, zero_end - zero_start,
440 prot & PROT_EXEC ? VM_EXEC : 0);
441 if (error)
442 map_addr = error;
443 }
444 return map_addr;
445 }
446
447
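/*
 * Return the size of the address range spanned by all PT_LOAD segments,
 * from the lowest page-aligned p_vaddr to the highest p_vaddr + p_memsz,
 * or 0 if there are no PT_LOAD segments.
 */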
448 static unsigned long total_mapping_size(const struct elf_phdr *phdr, int nr)
449 {
450 elf_addr_t min_addr = -1;
451 elf_addr_t max_addr = 0;
452 bool pt_load = false;
453 int i;
454
455 for (i = 0; i < nr; i++) {
456 if (phdr[i].p_type == PT_LOAD) {
457 min_addr = min(min_addr, ELF_PAGESTART(phdr[i].p_vaddr));
458 max_addr = max(max_addr, phdr[i].p_vaddr + phdr[i].p_memsz);
459 pt_load = true;
460 }
461 }
462 return pt_load ? (max_addr - min_addr) : 0;
463 }
464
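/* Read exactly @len bytes from @file at @pos into @buf; return 0, -EIO, or the read error. */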
465 static int elf_read(struct file *file, void *buf, size_t len, loff_t pos)
466 {
467 ssize_t rv;
468
469 rv = kernel_read(file, buf, len, &pos);
470 if (unlikely(rv != len)) {
471 return (rv < 0) ? rv : -EIO;
472 }
473 return 0;
474 }
475
476 static unsigned long maximum_alignment(struct elf_phdr *cmds, int nr)
477 {
478 unsigned long alignment = 0;
479 int i;
480
481 for (i = 0; i < nr; i++) {
482 if (cmds[i].p_type == PT_LOAD) {
483 unsigned long p_align = cmds[i].p_align;
484
485 /* skip non-power of two alignments as invalid */
486 if (!is_power_of_2(p_align))
487 continue;
488 alignment = max(alignment, p_align);
489 }
490 }
491
492 /* ensure we align to at least one page */
493 return ELF_PAGEALIGN(alignment);
494 }
495
496 /**
497 * load_elf_phdrs() - load ELF program headers
498 * @elf_ex: ELF header of the binary whose program headers should be loaded
499 * @elf_file: the opened ELF binary file
500 *
501 * Loads ELF program headers from the binary file elf_file, which has the ELF
502 * header pointed to by elf_ex, into a newly allocated array. The caller is
503 * responsible for freeing the allocated data. Returns NULL upon failure.
504 */
505 static struct elf_phdr *load_elf_phdrs(const struct elfhdr *elf_ex,
506 struct file *elf_file)
507 {
508 struct elf_phdr *elf_phdata = NULL;
509 int retval = -1;
510 unsigned int size;
511
512 /*
513 * If the size of this structure has changed, then punt, since
514 * we will be doing the wrong thing.
515 */
516 if (elf_ex->e_phentsize != sizeof(struct elf_phdr))
517 goto out;
518
519 /* Sanity check the number of program headers... */
520 /* ...and their total size. */
521 size = sizeof(struct elf_phdr) * elf_ex->e_phnum;
522 if (size == 0 || size > 65536)
523 goto out;
524
525 elf_phdata = kmalloc(size, GFP_KERNEL);
526 if (!elf_phdata)
527 goto out;
528
529 /* Read in the program headers */
530 retval = elf_read(elf_file, elf_phdata, size, elf_ex->e_phoff);
531
532 out:
533 if (retval) {
534 kfree(elf_phdata);
535 elf_phdata = NULL;
536 }
537 return elf_phdata;
538 }
539
540 #ifndef CONFIG_ARCH_BINFMT_ELF_STATE
541
542 /**
543 * struct arch_elf_state - arch-specific ELF loading state
544 *
545 * This structure is used to preserve architecture specific data during
546 * the loading of an ELF file, throughout the checking of architecture
547 * specific ELF headers & through to the point where the ELF load is
548 * known to be proceeding (ie. SET_PERSONALITY).
549 *
550 * This implementation is a dummy for architectures which require no
551 * specific state.
552 */
553 struct arch_elf_state {
554 };
555
556 #define INIT_ARCH_ELF_STATE {}
557
558 /**
559 * arch_elf_pt_proc() - check a PT_LOPROC..PT_HIPROC ELF program header
560 * @ehdr: The main ELF header
561 * @phdr: The program header to check
562 * @elf: The open ELF file
563 * @is_interp: True if the phdr is from the interpreter of the ELF being
564 * loaded, else false.
565 * @state: Architecture-specific state preserved throughout the process
566 * of loading the ELF.
567 *
568 * Inspects the program header phdr to validate its correctness and/or
569 * suitability for the system. Called once per ELF program header in the
570 * range PT_LOPROC to PT_HIPROC, for both the ELF being loaded and its
571 * interpreter.
572 *
573 * Return: Zero to proceed with the ELF load, non-zero to fail the ELF load
574 * with that return code.
575 */
576 static inline int arch_elf_pt_proc(struct elfhdr *ehdr,
577 struct elf_phdr *phdr,
578 struct file *elf, bool is_interp,
579 struct arch_elf_state *state)
580 {
581 /* Dummy implementation, always proceed */
582 return 0;
583 }
584
585 /**
586 * arch_check_elf() - check an ELF executable
587 * @ehdr: The main ELF header
588 * @has_interp: True if the ELF has an interpreter, else false.
589 * @interp_ehdr: The interpreter's ELF header
590 * @state: Architecture-specific state preserved throughout the process
591 * of loading the ELF.
592 *
593 * Provides a final opportunity for architecture code to reject the loading
594 * of the ELF & cause an exec syscall to return an error. This is called after
595 * all program headers to be checked by arch_elf_pt_proc have been.
596 *
597 * Return: Zero to proceed with the ELF load, non-zero to fail the ELF load
598 * with that return code.
599 */
600 static inline int arch_check_elf(struct elfhdr *ehdr, bool has_interp,
601 struct elfhdr *interp_ehdr,
602 struct arch_elf_state *state)
603 {
604 /* Dummy implementation, always proceed */
605 return 0;
606 }
607
608 #endif /* !CONFIG_ARCH_BINFMT_ELF_STATE */
609
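/*
 * Convert the ELF segment flags (PF_R/PF_W/PF_X) into mmap protection bits
 * and let the architecture adjust the result via arch_elf_adjust_prot().
 */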
610 static inline int make_prot(u32 p_flags, struct arch_elf_state *arch_state,
611 bool has_interp, bool is_interp)
612 {
613 int prot = 0;
614
615 if (p_flags & PF_R)
616 prot |= PROT_READ;
617 if (p_flags & PF_W)
618 prot |= PROT_WRITE;
619 if (p_flags & PF_X)
620 prot |= PROT_EXEC;
621
622 return arch_elf_adjust_prot(prot, arch_state, has_interp, is_interp);
623 }
624
625 /* This is much more generalized than the library routine read function,
626 so we keep this separate. Technically the library read function
627 is only provided so that we can read a.out libraries that have
628 an ELF header */
629
630 static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
631 struct file *interpreter,
632 unsigned long no_base, struct elf_phdr *interp_elf_phdata,
633 struct arch_elf_state *arch_state)
634 {
635 struct elf_phdr *eppnt;
636 unsigned long load_addr = 0;
637 int load_addr_set = 0;
638 unsigned long error = ~0UL;
639 unsigned long total_size;
640 int i;
641
642 /* First of all, some simple consistency checks */
643 if (interp_elf_ex->e_type != ET_EXEC &&
644 interp_elf_ex->e_type != ET_DYN)
645 goto out;
646 if (!elf_check_arch(interp_elf_ex) ||
647 elf_check_fdpic(interp_elf_ex))
648 goto out;
649 if (!can_mmap_file(interpreter))
650 goto out;
651
652 total_size = total_mapping_size(interp_elf_phdata,
653 interp_elf_ex->e_phnum);
654 if (!total_size) {
655 error = -EINVAL;
656 goto out;
657 }
658
659 eppnt = interp_elf_phdata;
660 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
661 if (eppnt->p_type == PT_LOAD) {
662 int elf_type = MAP_PRIVATE;
663 int elf_prot = make_prot(eppnt->p_flags, arch_state,
664 true, true);
665 unsigned long vaddr = 0;
666 unsigned long k, map_addr;
667
668 vaddr = eppnt->p_vaddr;
669 if (interp_elf_ex->e_type == ET_EXEC || load_addr_set)
670 elf_type |= MAP_FIXED;
671 else if (no_base && interp_elf_ex->e_type == ET_DYN)
672 load_addr = -vaddr;
673
674 map_addr = elf_load(interpreter, load_addr + vaddr,
675 eppnt, elf_prot, elf_type, total_size);
676 total_size = 0;
677 error = map_addr;
678 if (BAD_ADDR(map_addr))
679 goto out;
680
681 if (!load_addr_set &&
682 interp_elf_ex->e_type == ET_DYN) {
683 load_addr = map_addr - ELF_PAGESTART(vaddr);
684 load_addr_set = 1;
685 }
686
687 /*
688 * Check to see if the section's size will overflow the
689 * allowed task size. Note that p_filesz must always be
690 * <= p_memsz so it's only necessary to check p_memsz.
691 */
692 k = load_addr + eppnt->p_vaddr;
693 if (BAD_ADDR(k) ||
694 eppnt->p_filesz > eppnt->p_memsz ||
695 eppnt->p_memsz > TASK_SIZE ||
696 TASK_SIZE - eppnt->p_memsz < k) {
697 error = -ENOMEM;
698 goto out;
699 }
700 }
701 }
702
703 error = load_addr;
704 out:
705 return error;
706 }
707
708 /*
709 * These are the functions used to load ELF style executables and shared
710 * libraries. There is no binary dependent code anywhere else.
711 */
712
713 static int parse_elf_property(const char *data, size_t *off, size_t datasz,
714 struct arch_elf_state *arch,
715 bool have_prev_type, u32 *prev_type)
716 {
717 size_t o, step;
718 const struct gnu_property *pr;
719 int ret;
720
721 if (*off == datasz)
722 return -ENOENT;
723
724 if (WARN_ON_ONCE(*off > datasz || *off % ELF_GNU_PROPERTY_ALIGN))
725 return -EIO;
726 o = *off;
727 datasz -= *off;
728
729 if (datasz < sizeof(*pr))
730 return -ENOEXEC;
731 pr = (const struct gnu_property *)(data + o);
732 o += sizeof(*pr);
733 datasz -= sizeof(*pr);
734
735 if (pr->pr_datasz > datasz)
736 return -ENOEXEC;
737
738 WARN_ON_ONCE(o % ELF_GNU_PROPERTY_ALIGN);
739 step = round_up(pr->pr_datasz, ELF_GNU_PROPERTY_ALIGN);
740 if (step > datasz)
741 return -ENOEXEC;
742
743 /* Properties are supposed to be unique and sorted on pr_type: */
744 if (have_prev_type && pr->pr_type <= *prev_type)
745 return -ENOEXEC;
746 *prev_type = pr->pr_type;
747
748 ret = arch_parse_elf_property(pr->pr_type, data + o,
749 pr->pr_datasz, ELF_COMPAT, arch);
750 if (ret)
751 return ret;
752
753 *off = o + step;
754 return 0;
755 }
756
757 #define NOTE_DATA_SZ SZ_1K
758 #define NOTE_NAME_SZ (sizeof(NN_GNU_PROPERTY_TYPE_0))
759
760 static int parse_elf_properties(struct file *f, const struct elf_phdr *phdr,
761 struct arch_elf_state *arch)
762 {
763 union {
764 struct elf_note nhdr;
765 char data[NOTE_DATA_SZ];
766 } note;
767 loff_t pos;
768 ssize_t n;
769 size_t off, datasz;
770 int ret;
771 bool have_prev_type;
772 u32 prev_type;
773
774 if (!IS_ENABLED(CONFIG_ARCH_USE_GNU_PROPERTY) || !phdr)
775 return 0;
776
777 /* load_elf_binary() shouldn't call us unless this is true... */
778 if (WARN_ON_ONCE(phdr->p_type != PT_GNU_PROPERTY))
779 return -ENOEXEC;
780
781 /* If the properties are crazy large, that's too bad (for now): */
782 if (phdr->p_filesz > sizeof(note))
783 return -ENOEXEC;
784
785 pos = phdr->p_offset;
786 n = kernel_read(f, &note, phdr->p_filesz, &pos);
787
788 BUILD_BUG_ON(sizeof(note) < sizeof(note.nhdr) + NOTE_NAME_SZ);
789 if (n < 0 || n < sizeof(note.nhdr) + NOTE_NAME_SZ)
790 return -EIO;
791
792 if (note.nhdr.n_type != NT_GNU_PROPERTY_TYPE_0 ||
793 note.nhdr.n_namesz != NOTE_NAME_SZ ||
794 strncmp(note.data + sizeof(note.nhdr),
795 NN_GNU_PROPERTY_TYPE_0, n - sizeof(note.nhdr)))
796 return -ENOEXEC;
797
798 off = round_up(sizeof(note.nhdr) + NOTE_NAME_SZ,
799 ELF_GNU_PROPERTY_ALIGN);
800 if (off > n)
801 return -ENOEXEC;
802
803 if (note.nhdr.n_descsz > n - off)
804 return -ENOEXEC;
805 datasz = off + note.nhdr.n_descsz;
806
807 have_prev_type = false;
808 do {
809 ret = parse_elf_property(note.data, &off, datasz, arch,
810 have_prev_type, &prev_type);
811 have_prev_type = true;
812 } while (!ret);
813
814 return ret == -ENOENT ? 0 : ret;
815 }
816
817 static int load_elf_binary(struct linux_binprm *bprm)
818 {
819 struct file *interpreter = NULL; /* to shut gcc up */
820 unsigned long load_bias = 0, phdr_addr = 0;
821 int first_pt_load = 1;
822 unsigned long error;
823 struct elf_phdr *elf_ppnt, *elf_phdata, *interp_elf_phdata = NULL;
824 struct elf_phdr *elf_property_phdata = NULL;
825 unsigned long elf_brk;
826 bool brk_moved = false;
827 int retval, i;
828 unsigned long elf_entry;
829 unsigned long e_entry;
830 unsigned long interp_load_addr = 0;
831 unsigned long start_code, end_code, start_data, end_data;
832 unsigned long reloc_func_desc __maybe_unused = 0;
833 int executable_stack = EXSTACK_DEFAULT;
834 struct elfhdr *elf_ex = (struct elfhdr *)bprm->buf;
835 struct elfhdr *interp_elf_ex = NULL;
836 struct arch_elf_state arch_state = INIT_ARCH_ELF_STATE;
837 struct mm_struct *mm;
838 struct pt_regs *regs;
839
840 retval = -ENOEXEC;
841 /* First of all, some simple consistency checks */
842 if (memcmp(elf_ex->e_ident, ELFMAG, SELFMAG) != 0)
843 goto out;
844
845 if (elf_ex->e_type != ET_EXEC && elf_ex->e_type != ET_DYN)
846 goto out;
847 if (!elf_check_arch(elf_ex))
848 goto out;
849 if (elf_check_fdpic(elf_ex))
850 goto out;
851 if (!can_mmap_file(bprm->file))
852 goto out;
853
854 elf_phdata = load_elf_phdrs(elf_ex, bprm->file);
855 if (!elf_phdata)
856 goto out;
857
858 elf_ppnt = elf_phdata;
859 for (i = 0; i < elf_ex->e_phnum; i++, elf_ppnt++) {
860 char *elf_interpreter;
861
862 if (elf_ppnt->p_type == PT_GNU_PROPERTY) {
863 elf_property_phdata = elf_ppnt;
864 continue;
865 }
866
867 if (elf_ppnt->p_type != PT_INTERP)
868 continue;
869
870 /*
871 * This is the program interpreter used for shared libraries -
872 * for now assume that this is an a.out format binary.
873 */
874 retval = -ENOEXEC;
875 if (elf_ppnt->p_filesz > PATH_MAX || elf_ppnt->p_filesz < 2)
876 goto out_free_ph;
877
878 retval = -ENOMEM;
879 elf_interpreter = kmalloc(elf_ppnt->p_filesz, GFP_KERNEL);
880 if (!elf_interpreter)
881 goto out_free_ph;
882
883 retval = elf_read(bprm->file, elf_interpreter, elf_ppnt->p_filesz,
884 elf_ppnt->p_offset);
885 if (retval < 0)
886 goto out_free_interp;
887 /* make sure path is NULL terminated */
888 retval = -ENOEXEC;
889 if (elf_interpreter[elf_ppnt->p_filesz - 1] != '\0')
890 goto out_free_interp;
891
892 interpreter = open_exec(elf_interpreter);
893 kfree(elf_interpreter);
894 retval = PTR_ERR(interpreter);
895 if (IS_ERR(interpreter))
896 goto out_free_ph;
897
898 /*
899 * If the binary is not readable then enforce mm->dumpable = 0
900 * regardless of the interpreter's permissions.
901 */
902 would_dump(bprm, interpreter);
903
904 interp_elf_ex = kmalloc(sizeof(*interp_elf_ex), GFP_KERNEL);
905 if (!interp_elf_ex) {
906 retval = -ENOMEM;
907 goto out_free_file;
908 }
909
910 /* Get the exec headers */
911 retval = elf_read(interpreter, interp_elf_ex,
912 sizeof(*interp_elf_ex), 0);
913 if (retval < 0)
914 goto out_free_dentry;
915
916 break;
917
918 out_free_interp:
919 kfree(elf_interpreter);
920 goto out_free_ph;
921 }
922
923 elf_ppnt = elf_phdata;
924 for (i = 0; i < elf_ex->e_phnum; i++, elf_ppnt++)
925 switch (elf_ppnt->p_type) {
926 case PT_GNU_STACK:
927 if (elf_ppnt->p_flags & PF_X)
928 executable_stack = EXSTACK_ENABLE_X;
929 else
930 executable_stack = EXSTACK_DISABLE_X;
931 break;
932
933 case PT_LOPROC ... PT_HIPROC:
934 retval = arch_elf_pt_proc(elf_ex, elf_ppnt,
935 bprm->file, false,
936 &arch_state);
937 if (retval)
938 goto out_free_dentry;
939 break;
940 }
941
942 /* Some simple consistency checks for the interpreter */
943 if (interpreter) {
944 retval = -ELIBBAD;
945 /* Not an ELF interpreter */
946 if (memcmp(interp_elf_ex->e_ident, ELFMAG, SELFMAG) != 0)
947 goto out_free_dentry;
948 /* Verify the interpreter has a valid arch */
949 if (!elf_check_arch(interp_elf_ex) ||
950 elf_check_fdpic(interp_elf_ex))
951 goto out_free_dentry;
952
953 /* Load the interpreter program headers */
954 interp_elf_phdata = load_elf_phdrs(interp_elf_ex,
955 interpreter);
956 if (!interp_elf_phdata)
957 goto out_free_dentry;
958
959 /* Pass PT_LOPROC..PT_HIPROC headers to arch code */
960 elf_property_phdata = NULL;
961 elf_ppnt = interp_elf_phdata;
962 for (i = 0; i < interp_elf_ex->e_phnum; i++, elf_ppnt++)
963 switch (elf_ppnt->p_type) {
964 case PT_GNU_PROPERTY:
965 elf_property_phdata = elf_ppnt;
966 break;
967
968 case PT_LOPROC ... PT_HIPROC:
969 retval = arch_elf_pt_proc(interp_elf_ex,
970 elf_ppnt, interpreter,
971 true, &arch_state);
972 if (retval)
973 goto out_free_dentry;
974 break;
975 }
976 }
977
978 retval = parse_elf_properties(interpreter ?: bprm->file,
979 elf_property_phdata, &arch_state);
980 if (retval)
981 goto out_free_dentry;
982
983 /*
984 * Allow arch code to reject the ELF at this point, whilst it's
985 * still possible to return an error to the code that invoked
986 * the exec syscall.
987 */
988 retval = arch_check_elf(elf_ex,
989 !!interpreter, interp_elf_ex,
990 &arch_state);
991 if (retval)
992 goto out_free_dentry;
993
994 /* Flush all traces of the currently running executable */
995 retval = begin_new_exec(bprm);
996 if (retval)
997 goto out_free_dentry;
998
999 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
1000 may depend on the personality. */
1001 SET_PERSONALITY2(*elf_ex, &arch_state);
1002 if (elf_read_implies_exec(*elf_ex, executable_stack))
1003 current->personality |= READ_IMPLIES_EXEC;
1004
1005 const int snapshot_randomize_va_space = READ_ONCE(randomize_va_space);
1006 if (!(current->personality & ADDR_NO_RANDOMIZE) && snapshot_randomize_va_space)
1007 current->flags |= PF_RANDOMIZE;
1008
1009 setup_new_exec(bprm);
1010
1011 /* Do this so that we can load the interpreter, if need be. We will
1012 change some of these later */
1013 retval = setup_arg_pages(bprm, randomize_stack_top(STACK_TOP),
1014 executable_stack);
1015 if (retval < 0)
1016 goto out_free_dentry;
1017
1018 elf_brk = 0;
1019
1020 start_code = ~0UL;
1021 end_code = 0;
1022 start_data = 0;
1023 end_data = 0;
1024
1025 /* Now we do a little grungy work by mmapping the ELF image into
1026 the correct location in memory. */
1027 for(i = 0, elf_ppnt = elf_phdata;
1028 i < elf_ex->e_phnum; i++, elf_ppnt++) {
1029 int elf_prot, elf_flags;
1030 unsigned long k, vaddr;
1031 unsigned long total_size = 0;
1032 unsigned long alignment;
1033
1034 if (elf_ppnt->p_type != PT_LOAD)
1035 continue;
1036
1037 elf_prot = make_prot(elf_ppnt->p_flags, &arch_state,
1038 !!interpreter, false);
1039
1040 elf_flags = MAP_PRIVATE;
1041
1042 vaddr = elf_ppnt->p_vaddr;
1043 /*
1044 * The first time through the loop, first_pt_load is true:
1045 * layout will be calculated. Once set, use MAP_FIXED since
1046 * we know we've already safely mapped the entire region with
1047 * MAP_FIXED_NOREPLACE in the once-per-binary logic following.
1048 */
1049 if (!first_pt_load) {
1050 elf_flags |= MAP_FIXED;
1051 } else if (elf_ex->e_type == ET_EXEC) {
1052 /*
1053 * This logic is run once for the first LOAD Program
1054 * Header for ET_EXEC binaries. No special handling
1055 * is needed.
1056 */
1057 elf_flags |= MAP_FIXED_NOREPLACE;
1058 } else if (elf_ex->e_type == ET_DYN) {
1059 /*
1060 * This logic is run once for the first LOAD Program
1061 * Header for ET_DYN binaries to calculate the
1062 * randomization (load_bias) for all the LOAD
1063 * Program Headers.
1064 */
1065
1066 /*
1067 * Calculate the entire size of the ELF mapping
1068 * (total_size), used for the initial mapping,
1069 * due to load_addr_set which is set to true later
1070 * once the initial mapping is performed.
1071 *
1072 * Note that this is only sensible when the LOAD
1073 * segments are contiguous (or overlapping). If
1074 * used for LOADs that are far apart, this would
1075 * cause the holes between LOADs to be mapped,
1076 * running the risk of having the mapping fail,
1077 * as it would be larger than the ELF file itself.
1078 *
1079 * As a result, only ET_DYN does this, since
1080 * some ET_EXEC (e.g. ia64) may have large virtual
1081 * memory holes between LOADs.
1082 *
1083 */
1084 total_size = total_mapping_size(elf_phdata,
1085 elf_ex->e_phnum);
1086 if (!total_size) {
1087 retval = -EINVAL;
1088 goto out_free_dentry;
1089 }
1090
1091 /* Calculate any requested alignment. */
1092 alignment = maximum_alignment(elf_phdata, elf_ex->e_phnum);
1093
1094 /**
1095 * DOC: PIE handling
1096 *
1097 * There are effectively two types of ET_DYN ELF
1098 * binaries: programs (i.e. PIE: ET_DYN with
1099 * PT_INTERP) and loaders (i.e. static PIE: ET_DYN
1100 * without PT_INTERP, usually the ELF interpreter
1101 * itself). Loaders must be loaded away from programs
1102 * since the program may otherwise collide with the
1103 * loader (especially for ET_EXEC which does not have
1104 * a randomized position).
1105 *
1106 * For example, to handle invocations of
1107 * "./ld.so someprog" to test out a new version of
1108 * the loader, the subsequent program that the
1109 * loader loads must avoid the loader itself, so
1110 * they cannot share the same load range. Sufficient
1111 * room for the brk must be allocated with the
1112 * loader as well, since brk must be available with
1113 * the loader.
1114 *
1115 * Therefore, programs are loaded offset from
1116 * ELF_ET_DYN_BASE and loaders are loaded into the
1117 * independently randomized mmap region (0 load_bias
1118 * without MAP_FIXED nor MAP_FIXED_NOREPLACE).
1119 *
1120 * See below for "brk" handling details, which is
1121 * also affected by program vs loader and ASLR.
1122 */
1123 if (interpreter) {
1124 /* On ET_DYN with PT_INTERP, we do the ASLR. */
1125 load_bias = ELF_ET_DYN_BASE;
1126 if (current->flags & PF_RANDOMIZE)
1127 load_bias += arch_mmap_rnd();
1128 /* Adjust alignment as requested. */
1129 if (alignment)
1130 load_bias &= ~(alignment - 1);
1131 elf_flags |= MAP_FIXED_NOREPLACE;
1132 } else {
1133 /*
1134 * For ET_DYN without PT_INTERP, we rely on
1135 * the architecture's (potentially ASLR) mmap
1136 * base address (via a load_bias of 0).
1137 *
1138 * When a large alignment is requested, we
1139 * must do the allocation at address "0" right
1140 * now to discover where things will load so
1141 * that we can adjust the resulting alignment.
1142 * In this case (load_bias != 0), we can use
1143 * MAP_FIXED_NOREPLACE to make sure the mapping
1144 * doesn't collide with anything.
1145 */
1146 if (alignment > ELF_MIN_ALIGN) {
1147 load_bias = elf_load(bprm->file, 0, elf_ppnt,
1148 elf_prot, elf_flags, total_size);
1149 if (BAD_ADDR(load_bias)) {
1150 retval = IS_ERR_VALUE(load_bias) ?
1151 PTR_ERR((void*)load_bias) : -EINVAL;
1152 goto out_free_dentry;
1153 }
1154 vm_munmap(load_bias, total_size);
1155 /* Adjust alignment as requested. */
1156 if (alignment)
1157 load_bias &= ~(alignment - 1);
1158 elf_flags |= MAP_FIXED_NOREPLACE;
1159 } else
1160 load_bias = 0;
1161 }
1162
1163 /*
1164 * Since load_bias is used for all subsequent loading
1165 * calculations, we must lower it by the first vaddr
1166 * so that the remaining calculations based on the
1167 * ELF vaddrs will be correctly offset. The result
1168 * is then page aligned.
1169 */
1170 load_bias = ELF_PAGESTART(load_bias - vaddr);
1171 }
1172
1173 error = elf_load(bprm->file, load_bias + vaddr, elf_ppnt,
1174 elf_prot, elf_flags, total_size);
1175 if (BAD_ADDR(error)) {
1176 retval = IS_ERR_VALUE(error) ?
1177 PTR_ERR((void*)error) : -EINVAL;
1178 goto out_free_dentry;
1179 }
1180
1181 if (first_pt_load) {
1182 first_pt_load = 0;
1183 if (elf_ex->e_type == ET_DYN) {
1184 load_bias += error -
1185 ELF_PAGESTART(load_bias + vaddr);
1186 reloc_func_desc = load_bias;
1187 }
1188 }
1189
1190 /*
1191 * Figure out which segment in the file contains the Program
1192 * Header table, and map to the associated memory address.
1193 */
1194 if (elf_ppnt->p_offset <= elf_ex->e_phoff &&
1195 elf_ex->e_phoff < elf_ppnt->p_offset + elf_ppnt->p_filesz) {
1196 phdr_addr = elf_ex->e_phoff - elf_ppnt->p_offset +
1197 elf_ppnt->p_vaddr;
1198 }
1199
1200 k = elf_ppnt->p_vaddr;
1201 if ((elf_ppnt->p_flags & PF_X) && k < start_code)
1202 start_code = k;
1203 if (start_data < k)
1204 start_data = k;
1205
1206 /*
1207 * Check to see if the section's size will overflow the
1208 * allowed task size. Note that p_filesz must always be
1209 * <= p_memsz so it is only necessary to check p_memsz.
1210 */
1211 if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
1212 elf_ppnt->p_memsz > TASK_SIZE ||
1213 TASK_SIZE - elf_ppnt->p_memsz < k) {
1214 /* set_brk can never work. Avoid overflows. */
1215 retval = -EINVAL;
1216 goto out_free_dentry;
1217 }
1218
1219 k = elf_ppnt->p_vaddr + elf_ppnt->p_filesz;
1220
1221 if ((elf_ppnt->p_flags & PF_X) && end_code < k)
1222 end_code = k;
1223 if (end_data < k)
1224 end_data = k;
1225 k = elf_ppnt->p_vaddr + elf_ppnt->p_memsz;
1226 if (k > elf_brk)
1227 elf_brk = k;
1228 }
1229
1230 e_entry = elf_ex->e_entry + load_bias;
1231 phdr_addr += load_bias;
1232 elf_brk += load_bias;
1233 start_code += load_bias;
1234 end_code += load_bias;
1235 start_data += load_bias;
1236 end_data += load_bias;
1237
1238 if (interpreter) {
1239 elf_entry = load_elf_interp(interp_elf_ex,
1240 interpreter,
1241 load_bias, interp_elf_phdata,
1242 &arch_state);
1243 if (!IS_ERR_VALUE(elf_entry)) {
1244 /*
1245 * load_elf_interp() returns relocation
1246 * adjustment
1247 */
1248 interp_load_addr = elf_entry;
1249 elf_entry += interp_elf_ex->e_entry;
1250 }
1251 if (BAD_ADDR(elf_entry)) {
1252 retval = IS_ERR_VALUE(elf_entry) ?
1253 (int)elf_entry : -EINVAL;
1254 goto out_free_dentry;
1255 }
1256 reloc_func_desc = interp_load_addr;
1257
1258 exe_file_allow_write_access(interpreter);
1259 fput(interpreter);
1260
1261 kfree(interp_elf_ex);
1262 kfree(interp_elf_phdata);
1263 } else {
1264 elf_entry = e_entry;
1265 if (BAD_ADDR(elf_entry)) {
1266 retval = -EINVAL;
1267 goto out_free_dentry;
1268 }
1269 }
1270
1271 kfree(elf_phdata);
1272
1273 set_binfmt(&elf_format);
1274
1275 #ifdef ARCH_HAS_SETUP_ADDITIONAL_PAGES
1276 retval = ARCH_SETUP_ADDITIONAL_PAGES(bprm, elf_ex, !!interpreter);
1277 if (retval < 0)
1278 goto out;
1279 #endif /* ARCH_HAS_SETUP_ADDITIONAL_PAGES */
1280
1281 retval = create_elf_tables(bprm, elf_ex, interp_load_addr,
1282 e_entry, phdr_addr);
1283 if (retval < 0)
1284 goto out;
1285
1286 mm = current->mm;
1287 mm->end_code = end_code;
1288 mm->start_code = start_code;
1289 mm->start_data = start_data;
1290 mm->end_data = end_data;
1291 mm->start_stack = bprm->p;
1292
1293 /**
1294 * DOC: "brk" handling
1295 *
1296 * For architectures with ELF randomization, when executing a
1297 * loader directly (i.e. static PIE: ET_DYN without PT_INTERP),
1298 * move the brk area out of the mmap region and into the unused
1299 * ELF_ET_DYN_BASE region. Since "brk" grows up it may collide
1300 * early with the stack growing down or other regions being put
1301 * into the mmap region by the kernel (e.g. vdso).
1302 *
1303 * In the CONFIG_COMPAT_BRK case, though, everything is turned
1304 * off because we're not allowed to move the brk at all.
1305 */
1306 if (!IS_ENABLED(CONFIG_COMPAT_BRK) &&
1307 IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) &&
1308 elf_ex->e_type == ET_DYN && !interpreter) {
1309 elf_brk = ELF_ET_DYN_BASE;
1310 /* This counts as moving the brk, so let brk(2) know. */
1311 brk_moved = true;
1312 }
1313 mm->start_brk = mm->brk = ELF_PAGEALIGN(elf_brk);
1314
1315 if ((current->flags & PF_RANDOMIZE) && snapshot_randomize_va_space > 1) {
1316 /*
1317 * If we didn't move the brk to ELF_ET_DYN_BASE (above),
1318 * leave a gap between .bss and brk.
1319 */
1320 if (!brk_moved)
1321 mm->brk = mm->start_brk = mm->brk + PAGE_SIZE;
1322
1323 mm->brk = mm->start_brk = arch_randomize_brk(mm);
1324 brk_moved = true;
1325 }
1326
1327 #ifdef compat_brk_randomized
1328 if (brk_moved)
1329 current->brk_randomized = 1;
1330 #endif
1331
1332 if (current->personality & MMAP_PAGE_ZERO) {
1333 /* Why this, you ask??? Well SVr4 maps page 0 as read-only,
1334 and some applications "depend" upon this behavior.
1335 Since we do not have the power to recompile these, we
1336 emulate the SVr4 behavior. Sigh. */
1337 error = vm_mmap(NULL, 0, PAGE_SIZE, PROT_READ | PROT_EXEC,
1338 MAP_FIXED | MAP_PRIVATE, 0);
1339
1340 retval = do_mseal(0, PAGE_SIZE, 0);
1341 if (retval)
1342 pr_warn_ratelimited("pid=%d, couldn't seal address 0, ret=%d.\n",
1343 task_pid_nr(current), retval);
1344 }
1345
1346 regs = current_pt_regs();
1347 #ifdef ELF_PLAT_INIT
1348 /*
1349 * The ABI may specify that certain registers be set up in special
1350 * ways (on i386 %edx is the address of a DT_FINI function, for
1351 * example). In addition, it may also specify (eg, PowerPC64 ELF)
1352 * that the e_entry field is the address of the function descriptor
1353 * for the startup routine, rather than the address of the startup
1354 * routine itself. This macro performs whatever initialization to
1355 * the regs structure is required as well as any relocations to the
1356 * function descriptor entries when executing dynamically linked apps.
1357 */
1358 ELF_PLAT_INIT(regs, reloc_func_desc);
1359 #endif
1360
1361 finalize_exec(bprm);
1362 START_THREAD(elf_ex, regs, elf_entry, bprm->p);
1363 retval = 0;
1364 out:
1365 return retval;
1366
1367 /* error cleanup */
1368 out_free_dentry:
1369 kfree(interp_elf_ex);
1370 kfree(interp_elf_phdata);
1371 out_free_file:
1372 exe_file_allow_write_access(interpreter);
1373 if (interpreter)
1374 fput(interpreter);
1375 out_free_ph:
1376 kfree(elf_phdata);
1377 goto out;
1378 }
1379
1380 #ifdef CONFIG_ELF_CORE
1381 /*
1382 * ELF core dumper
1383 *
1384 * Modelled on fs/exec.c:aout_core_dump()
1385 * Jeremy Fitzhardinge <jeremy@sw.oz.au>
1386 */
1387
1388 /* An ELF note in memory */
1389 struct memelfnote
1390 {
1391 const char *name;
1392 int type;
1393 unsigned int datasz;
1394 void *data;
1395 };
1396
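/* On-disk size of a note: header plus 4-byte-aligned name and descriptor. */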
1397 static int notesize(struct memelfnote *en)
1398 {
1399 int sz;
1400
1401 sz = sizeof(struct elf_note);
1402 sz += roundup(strlen(en->name) + 1, 4);
1403 sz += roundup(en->datasz, 4);
1404
1405 return sz;
1406 }
1407
1408 static int writenote(struct memelfnote *men, struct coredump_params *cprm)
1409 {
1410 struct elf_note en;
1411 en.n_namesz = strlen(men->name) + 1;
1412 en.n_descsz = men->datasz;
1413 en.n_type = men->type;
1414
1415 return dump_emit(cprm, &en, sizeof(en)) &&
1416 dump_emit(cprm, men->name, en.n_namesz) && dump_align(cprm, 4) &&
1417 dump_emit(cprm, men->data, men->datasz) && dump_align(cprm, 4);
1418 }
1419
1420 static void fill_elf_header(struct elfhdr *elf, int segs,
1421 u16 machine, u32 flags)
1422 {
1423 memset(elf, 0, sizeof(*elf));
1424
1425 memcpy(elf->e_ident, ELFMAG, SELFMAG);
1426 elf->e_ident[EI_CLASS] = ELF_CLASS;
1427 elf->e_ident[EI_DATA] = ELF_DATA;
1428 elf->e_ident[EI_VERSION] = EV_CURRENT;
1429 elf->e_ident[EI_OSABI] = ELF_OSABI;
1430
1431 elf->e_type = ET_CORE;
1432 elf->e_machine = machine;
1433 elf->e_version = EV_CURRENT;
1434 elf->e_phoff = sizeof(struct elfhdr);
1435 elf->e_flags = flags;
1436 elf->e_ehsize = sizeof(struct elfhdr);
1437 elf->e_phentsize = sizeof(struct elf_phdr);
1438 elf->e_phnum = segs;
1439 }
1440
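/* Describe the PT_NOTE segment: only the file offset and size matter, nothing is mapped. */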
1441 static void fill_elf_note_phdr(struct elf_phdr *phdr, int sz, loff_t offset)
1442 {
1443 phdr->p_type = PT_NOTE;
1444 phdr->p_offset = offset;
1445 phdr->p_vaddr = 0;
1446 phdr->p_paddr = 0;
1447 phdr->p_filesz = sz;
1448 phdr->p_memsz = 0;
1449 phdr->p_flags = 0;
1450 phdr->p_align = 4;
1451 }
1452
1453 static void __fill_note(struct memelfnote *note, const char *name, int type,
1454 unsigned int sz, void *data)
1455 {
1456 note->name = name;
1457 note->type = type;
1458 note->datasz = sz;
1459 note->data = data;
1460 }
1461
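/* fill_note(note, FOO, sz, data) pairs the NN_FOO note name with the NT_FOO type. */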
1462 #define fill_note(note, type, sz, data) \
1463 __fill_note(note, NN_ ## type, NT_ ## type, sz, data)
1464
1465 /*
1466 * fill up all the fields in prstatus from the given task struct, except
1467 * registers which need to be filled up separately.
1468 */
1469 static void fill_prstatus(struct elf_prstatus_common *prstatus,
1470 struct task_struct *p, long signr)
1471 {
1472 prstatus->pr_info.si_signo = prstatus->pr_cursig = signr;
1473 prstatus->pr_sigpend = p->pending.signal.sig[0];
1474 prstatus->pr_sighold = p->blocked.sig[0];
1475 rcu_read_lock();
1476 prstatus->pr_ppid = task_pid_vnr(rcu_dereference(p->real_parent));
1477 rcu_read_unlock();
1478 prstatus->pr_pid = task_pid_vnr(p);
1479 prstatus->pr_pgrp = task_pgrp_vnr(p);
1480 prstatus->pr_sid = task_session_vnr(p);
1481 if (thread_group_leader(p)) {
1482 struct task_cputime cputime;
1483
1484 /*
1485 * This is the record for the group leader. It shows the
1486 * group-wide total, not its individual thread total.
1487 */
1488 thread_group_cputime(p, &cputime);
1489 prstatus->pr_utime = ns_to_kernel_old_timeval(cputime.utime);
1490 prstatus->pr_stime = ns_to_kernel_old_timeval(cputime.stime);
1491 } else {
1492 u64 utime, stime;
1493
1494 task_cputime(p, &utime, &stime);
1495 prstatus->pr_utime = ns_to_kernel_old_timeval(utime);
1496 prstatus->pr_stime = ns_to_kernel_old_timeval(stime);
1497 }
1498
1499 prstatus->pr_cutime = ns_to_kernel_old_timeval(p->signal->cutime);
1500 prstatus->pr_cstime = ns_to_kernel_old_timeval(p->signal->cstime);
1501 }
1502
1503 static int fill_psinfo(struct elf_prpsinfo *psinfo, struct task_struct *p,
1504 struct mm_struct *mm)
1505 {
1506 const struct cred *cred;
1507 unsigned int i, len;
1508 unsigned int state;
1509
1510 /* first copy the parameters from user space */
1511 memset(psinfo, 0, sizeof(struct elf_prpsinfo));
1512
1513 len = mm->arg_end - mm->arg_start;
1514 if (len >= ELF_PRARGSZ)
1515 len = ELF_PRARGSZ-1;
1516 if (copy_from_user(&psinfo->pr_psargs,
1517 (const char __user *)mm->arg_start, len))
1518 return -EFAULT;
1519 for(i = 0; i < len; i++)
1520 if (psinfo->pr_psargs[i] == 0)
1521 psinfo->pr_psargs[i] = ' ';
1522 psinfo->pr_psargs[len] = 0;
1523
1524 rcu_read_lock();
1525 psinfo->pr_ppid = task_pid_vnr(rcu_dereference(p->real_parent));
1526 rcu_read_unlock();
1527 psinfo->pr_pid = task_pid_vnr(p);
1528 psinfo->pr_pgrp = task_pgrp_vnr(p);
1529 psinfo->pr_sid = task_session_vnr(p);
1530
1531 state = READ_ONCE(p->__state);
1532 i = state ? ffz(~state) + 1 : 0;
1533 psinfo->pr_state = i;
1534 psinfo->pr_sname = (i > 5) ? '.' : "RSDTZW"[i];
1535 psinfo->pr_zomb = psinfo->pr_sname == 'Z';
1536 psinfo->pr_nice = task_nice(p);
1537 psinfo->pr_flag = p->flags;
1538 rcu_read_lock();
1539 cred = __task_cred(p);
1540 SET_UID(psinfo->pr_uid, from_kuid_munged(cred->user_ns, cred->uid));
1541 SET_GID(psinfo->pr_gid, from_kgid_munged(cred->user_ns, cred->gid));
1542 rcu_read_unlock();
1543 get_task_comm(psinfo->pr_fname, p);
1544
1545 return 0;
1546 }
1547
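/* Dump the saved auxiliary vector, including the terminating AT_NULL pair. */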
1548 static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
1549 {
1550 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
1551 int i = 0;
1552 do
1553 i += 2;
1554 while (auxv[i - 2] != AT_NULL);
1555 fill_note(note, AUXV, i * sizeof(elf_addr_t), auxv);
1556 }
1557
1558 static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata,
1559 const kernel_siginfo_t *siginfo)
1560 {
1561 copy_siginfo_to_external(csigdata, siginfo);
1562 fill_note(note, SIGINFO, sizeof(*csigdata), csigdata);
1563 }
1564
1565 /*
1566 * Format of NT_FILE note:
1567 *
1568 * long count -- how many files are mapped
1569 * long page_size -- units for file_ofs
1570 * array of [COUNT] elements of
1571 * long start
1572 * long end
1573 * long file_ofs
1574 * followed by COUNT filenames in ASCII: "FILE1" NUL "FILE2" NUL...
1575 */
1576 static int fill_files_note(struct memelfnote *note, struct coredump_params *cprm)
1577 {
1578 unsigned count, size, names_ofs, remaining, n;
1579 user_long_t *data;
1580 user_long_t *start_end_ofs;
1581 char *name_base, *name_curpos;
1582 int i;
1583
1584 /* *Estimated* file count and total data size needed */
1585 count = cprm->vma_count;
1586 if (count > UINT_MAX / 64)
1587 return -EINVAL;
1588 size = count * 64;
1589
1590 names_ofs = (2 + 3 * count) * sizeof(data[0]);
1591 alloc:
1592 /* paranoia check */
1593 if (size >= core_file_note_size_limit) {
1594 pr_warn_once("coredump Note size too large: %u (does kernel.core_file_note_size_limit sysctl need adjustment?)\n",
1595 size);
1596 return -EINVAL;
1597 }
1598 size = round_up(size, PAGE_SIZE);
1599 /*
1600 * "size" can be 0 here legitimately.
1601 * Let it ENOMEM and omit NT_FILE section which will be empty anyway.
1602 */
1603 data = kvmalloc(size, GFP_KERNEL);
1604 if (ZERO_OR_NULL_PTR(data))
1605 return -ENOMEM;
1606
1607 start_end_ofs = data + 2;
1608 name_base = name_curpos = ((char *)data) + names_ofs;
1609 remaining = size - names_ofs;
1610 count = 0;
1611 for (i = 0; i < cprm->vma_count; i++) {
1612 struct core_vma_metadata *m = &cprm->vma_meta[i];
1613 struct file *file;
1614 const char *filename;
1615
1616 file = m->file;
1617 if (!file)
1618 continue;
1619 filename = file_path(file, name_curpos, remaining);
1620 if (IS_ERR(filename)) {
1621 if (PTR_ERR(filename) == -ENAMETOOLONG) {
1622 kvfree(data);
1623 size = size * 5 / 4;
1624 goto alloc;
1625 }
1626 continue;
1627 }
1628
1629 /* file_path() fills at the end, move name down */
1630 /* n = strlen(filename) + 1: */
1631 n = (name_curpos + remaining) - filename;
1632 remaining = filename - name_curpos;
1633 memmove(name_curpos, filename, n);
1634 name_curpos += n;
1635
1636 *start_end_ofs++ = m->start;
1637 *start_end_ofs++ = m->end;
1638 *start_end_ofs++ = m->pgoff;
1639 count++;
1640 }
1641
1642 /* Now we know exact count of files, can store it */
1643 data[0] = count;
1644 data[1] = PAGE_SIZE;
1645 /*
1646 * Count usually is less than mm->map_count,
1647 * we need to move filenames down.
1648 */
1649 n = cprm->vma_count - count;
1650 if (n != 0) {
1651 unsigned shift_bytes = n * 3 * sizeof(data[0]);
1652 memmove(name_base - shift_bytes, name_base,
1653 name_curpos - name_base);
1654 name_curpos -= shift_bytes;
1655 }
1656
1657 size = name_curpos - (char *)data;
1658 fill_note(note, FILE, size, data);
1659 return 0;
1660 }
1661
1662 #include <linux/regset.h>
1663
1664 struct elf_thread_core_info {
1665 struct elf_thread_core_info *next;
1666 struct task_struct *task;
1667 struct elf_prstatus prstatus;
1668 struct memelfnote notes[];
1669 };
1670
1671 struct elf_note_info {
1672 struct elf_thread_core_info *thread;
1673 struct memelfnote psinfo;
1674 struct memelfnote signote;
1675 struct memelfnote auxv;
1676 struct memelfnote files;
1677 user_siginfo_t csigdata;
1678 size_t size;
1679 int thread_notes;
1680 };
1681
1682 #ifdef CORE_DUMP_USE_REGSET
1683 /*
1684 * When a regset has a writeback hook, we call it on each thread before
1685 * dumping user memory. On register window machines, this makes sure the
1686 * user memory backing the register data is up to date before we read it.
1687 */
1688 static void do_thread_regset_writeback(struct task_struct *task,
1689 const struct user_regset *regset)
1690 {
1691 if (regset->writeback)
1692 regset->writeback(task, regset, 1);
1693 }
1694
1695 #ifndef PRSTATUS_SIZE
1696 #define PRSTATUS_SIZE sizeof(struct elf_prstatus)
1697 #endif
1698
1699 #ifndef SET_PR_FPVALID
1700 #define SET_PR_FPVALID(S) ((S)->pr_fpvalid = 1)
1701 #endif
1702
1703 static int fill_thread_core_info(struct elf_thread_core_info *t,
1704 const struct user_regset_view *view,
1705 long signr, struct elf_note_info *info)
1706 {
1707 unsigned int note_iter, view_iter;
1708
1709 /*
1710 * NT_PRSTATUS is the one special case, because the regset data
1711 * goes into the pr_reg field inside the note contents, rather
1712 * than being the whole note contents. We fill the regset in here.
1713 * We assume that regset 0 is NT_PRSTATUS.
1714 */
1715 fill_prstatus(&t->prstatus.common, t->task, signr);
1716 regset_get(t->task, &view->regsets[0],
1717 sizeof(t->prstatus.pr_reg), &t->prstatus.pr_reg);
1718
1719 fill_note(&t->notes[0], PRSTATUS, PRSTATUS_SIZE, &t->prstatus);
1720 info->size += notesize(&t->notes[0]);
1721
1722 do_thread_regset_writeback(t->task, &view->regsets[0]);
1723
1724 /*
1725 * Each other regset might generate a note too. For each regset
1726 * that has no core_note_type or is inactive, skip it.
1727 */
1728 note_iter = 1;
1729 for (view_iter = 1; view_iter < view->n; ++view_iter) {
1730 const struct user_regset *regset = &view->regsets[view_iter];
1731 int note_type = regset->core_note_type;
1732 const char *note_name = regset->core_note_name;
1733 bool is_fpreg = note_type == NT_PRFPREG;
1734 void *data;
1735 int ret;
1736
1737 do_thread_regset_writeback(t->task, regset);
1738 if (!note_type) // not for coredumps
1739 continue;
1740 if (regset->active && regset->active(t->task, regset) <= 0)
1741 continue;
1742
1743 ret = regset_get_alloc(t->task, regset, ~0U, &data);
1744 if (ret < 0)
1745 continue;
1746
1747 if (WARN_ON_ONCE(note_iter >= info->thread_notes))
1748 break;
1749
1750 if (is_fpreg)
1751 SET_PR_FPVALID(&t->prstatus);
1752
1753 /* There should be a note name, but if not, guess: */
1754 if (WARN_ON_ONCE(!note_name))
1755 note_name = "LINUX";
1756 else
1757 /* Warn on non-legacy-compatible names, for now. */
1758 WARN_ON_ONCE(strcmp(note_name,
1759 is_fpreg ? "CORE" : "LINUX"));
1760
1761 __fill_note(&t->notes[note_iter], note_name, note_type,
1762 ret, data);
1763
1764 info->size += notesize(&t->notes[note_iter]);
1765 note_iter++;
1766 }
1767
1768 return 1;
1769 }
1770 #else
1771 static int fill_thread_core_info(struct elf_thread_core_info *t,
1772 const struct user_regset_view *view,
1773 long signr, struct elf_note_info *info)
1774 {
1775 struct task_struct *p = t->task;
1776 elf_fpregset_t *fpu;
1777
1778 fill_prstatus(&t->prstatus.common, p, signr);
1779 elf_core_copy_task_regs(p, &t->prstatus.pr_reg);
1780
1781 fill_note(&t->notes[0], PRSTATUS, sizeof(t->prstatus), &t->prstatus);
1782 info->size += notesize(&t->notes[0]);
1783
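	/*
	 * The NT_PRFPREG note is optional: if the FPU state cannot be
	 * allocated or copied, only NT_PRSTATUS is emitted for this thread.
	 */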
1784 fpu = kzalloc(sizeof(elf_fpregset_t), GFP_KERNEL);
1785 if (!fpu || !elf_core_copy_task_fpregs(p, fpu)) {
1786 kfree(fpu);
1787 return 1;
1788 }
1789
1790 t->prstatus.pr_fpvalid = 1;
1791 fill_note(&t->notes[1], PRFPREG, sizeof(*fpu), fpu);
1792 info->size += notesize(&t->notes[1]);
1793
1794 return 1;
1795 }
1796 #endif
1797
1798 static int fill_note_info(struct elfhdr *elf, int phdrs,
1799 struct elf_note_info *info,
1800 struct coredump_params *cprm)
1801 {
1802 struct task_struct *dump_task = current;
1803 const struct user_regset_view *view;
1804 struct elf_thread_core_info *t;
1805 struct elf_prpsinfo *psinfo;
1806 struct core_thread *ct;
1807
1808 psinfo = kmalloc(sizeof(*psinfo), GFP_KERNEL);
1809 if (!psinfo)
1810 return 0;
1811 fill_note(&info->psinfo, PRPSINFO, sizeof(*psinfo), psinfo);
1812
1813 #ifdef CORE_DUMP_USE_REGSET
1814 view = task_user_regset_view(dump_task);
1815
1816 /*
1817 * Figure out how many notes we're going to need for each thread.
1818 */
1819 info->thread_notes = 0;
1820 for (int i = 0; i < view->n; ++i)
1821 if (view->regsets[i].core_note_type != 0)
1822 ++info->thread_notes;
1823
1824 /*
1825 	 * Sanity check. We rely on regset 0 being NT_PRSTATUS,
1826 * since it is our one special case.
1827 */
1828 if (unlikely(info->thread_notes == 0) ||
1829 unlikely(view->regsets[0].core_note_type != NT_PRSTATUS)) {
1830 WARN_ON(1);
1831 return 0;
1832 }
1833
1834 /*
1835 * Initialize the ELF file header.
1836 */
1837 fill_elf_header(elf, phdrs,
1838 view->e_machine, view->e_flags);
1839 #else
1840 view = NULL;
1841 info->thread_notes = 2;
1842 fill_elf_header(elf, phdrs, ELF_ARCH, ELF_CORE_EFLAGS);
1843 #endif
1844
1845 /*
1846 * Allocate a structure for each thread.
1847 */
1848 info->thread = kzalloc(offsetof(struct elf_thread_core_info,
1849 notes[info->thread_notes]),
1850 GFP_KERNEL);
1851 if (unlikely(!info->thread))
1852 return 0;
1853
1854 info->thread->task = dump_task;
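	/*
	 * The dumping thread stays at the head of the list; every other thread
	 * on the core_state dumper list is linked in behind it, so that
	 * write_note_info() can emit the process-wide notes right after the
	 * first thread's notes.
	 */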
1855 for (ct = dump_task->signal->core_state->dumper.next; ct; ct = ct->next) {
1856 t = kzalloc(offsetof(struct elf_thread_core_info,
1857 notes[info->thread_notes]),
1858 GFP_KERNEL);
1859 if (unlikely(!t))
1860 return 0;
1861
1862 t->task = ct->task;
1863 t->next = info->thread->next;
1864 info->thread->next = t;
1865 }
1866
1867 /*
1868 * Now fill in each thread's information.
1869 */
1870 for (t = info->thread; t != NULL; t = t->next)
1871 if (!fill_thread_core_info(t, view, cprm->siginfo->si_signo, info))
1872 return 0;
1873
1874 /*
1875 * Fill in the two process-wide notes.
1876 */
1877 fill_psinfo(psinfo, dump_task->group_leader, dump_task->mm);
1878 info->size += notesize(&info->psinfo);
1879
1880 fill_siginfo_note(&info->signote, &info->csigdata, cprm->siginfo);
1881 info->size += notesize(&info->signote);
1882
1883 fill_auxv_note(&info->auxv, current->mm);
1884 info->size += notesize(&info->auxv);
1885
1886 if (fill_files_note(&info->files, cprm) == 0)
1887 info->size += notesize(&info->files);
1888
1889 return 1;
1890 }
1891
1892 /*
1893 * Write all the notes for each thread. When writing the first thread, the
1894 * process-wide notes are interleaved after the first thread-specific note.
1895 */
1896 static int write_note_info(struct elf_note_info *info,
1897 struct coredump_params *cprm)
1898 {
1899 bool first = true;
1900 struct elf_thread_core_info *t = info->thread;
1901
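	/*
	 * Note 0 (NT_PRSTATUS) always exists for every thread; the remaining
	 * per-thread notes are skipped when they have no data.
	 */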
1902 do {
1903 int i;
1904
1905 if (!writenote(&t->notes[0], cprm))
1906 return 0;
1907
1908 if (first && !writenote(&info->psinfo, cprm))
1909 return 0;
1910 if (first && !writenote(&info->signote, cprm))
1911 return 0;
1912 if (first && !writenote(&info->auxv, cprm))
1913 return 0;
1914 if (first && info->files.data &&
1915 !writenote(&info->files, cprm))
1916 return 0;
1917
1918 for (i = 1; i < info->thread_notes; ++i)
1919 if (t->notes[i].data &&
1920 !writenote(&t->notes[i], cprm))
1921 return 0;
1922
1923 first = false;
1924 t = t->next;
1925 } while (t);
1926
1927 return 1;
1928 }
1929
1930 static void free_note_info(struct elf_note_info *info)
1931 {
1932 struct elf_thread_core_info *threads = info->thread;
1933 while (threads) {
1934 unsigned int i;
1935 struct elf_thread_core_info *t = threads;
1936 threads = t->next;
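		/*
		 * notes[0] points at the prstatus embedded in *t, so only
		 * notes[1..] carry separately allocated data.
		 */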
1937 WARN_ON(t->notes[0].data && t->notes[0].data != &t->prstatus);
1938 for (i = 1; i < info->thread_notes; ++i)
1939 kvfree(t->notes[i].data);
1940 kfree(t);
1941 }
1942 kfree(info->psinfo.data);
1943 kvfree(info->files.data);
1944 }
1945
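/*
 * When e_phnum is PN_XNUM, the real segment count is carried in sh_info of
 * this single placeholder section header, following the ELF extended
 * numbering scheme described in include/linux/elf.h.
 */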
1946 static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
1947 elf_addr_t e_shoff, int segs)
1948 {
1949 elf->e_shoff = e_shoff;
1950 elf->e_shentsize = sizeof(*shdr4extnum);
1951 elf->e_shnum = 1;
1952 elf->e_shstrndx = SHN_UNDEF;
1953
1954 memset(shdr4extnum, 0, sizeof(*shdr4extnum));
1955
1956 shdr4extnum->sh_type = SHT_NULL;
1957 shdr4extnum->sh_size = elf->e_shnum;
1958 shdr4extnum->sh_link = elf->e_shstrndx;
1959 shdr4extnum->sh_info = segs;
1960 }
1961
1962 /*
1963 * Actual dumper
1964 *
1965 * This is a two-pass process; first we find the offsets of the bits,
1966 * and then they are actually written out. If we run out of core limit
1967 * we just truncate.
1968 */
1969 static int elf_core_dump(struct coredump_params *cprm)
1970 {
1971 int has_dumped = 0;
1972 int segs, i;
1973 struct elfhdr elf;
1974 loff_t offset = 0, dataoff;
1975 struct elf_note_info info = { };
1976 struct elf_phdr *phdr4note = NULL;
1977 struct elf_shdr *shdr4extnum = NULL;
1978 Elf_Half e_phnum;
1979 elf_addr_t e_shoff;
1980
1981 /*
1982 	 * The number of segs is recorded in the ELF header as a 16-bit value.
1983 	 * Please check the DEFAULT_MAX_MAP_COUNT definition when you modify this.
1984 */
1985 segs = cprm->vma_count + elf_core_extra_phdrs(cprm);
1986
1987 /* for notes section */
1988 segs++;
1989
1990 /* If segs > PN_XNUM(0xffff), then e_phnum overflows. To avoid
1991 	 * this, the kernel supports extended numbering. Have a look at
1992 * include/linux/elf.h for further information. */
1993 e_phnum = segs > PN_XNUM ? PN_XNUM : segs;
1994
1995 /*
1996 * Collect all the non-memory information about the process for the
1997 * notes. This also sets up the file header.
1998 */
1999 if (!fill_note_info(&elf, e_phnum, &info, cprm))
2000 goto end_coredump;
2001
2002 has_dumped = 1;
2003
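	/*
	 * First pass: lay out the file and compute offsets.  The resulting
	 * core file looks like:
	 *
	 *	ELF header
	 *	program headers (note segment first, one PT_LOAD per VMA,
	 *			 plus any arch-specific extra phdrs)
	 *	note data
	 *	<padding up to ELF_EXEC_PAGESIZE>
	 *	VMA contents (page aligned)
	 *	arch-specific extra data
	 *	extended section header (only when e_phnum == PN_XNUM)
	 */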
2004 offset += sizeof(elf); /* ELF header */
2005 offset += segs * sizeof(struct elf_phdr); /* Program headers */
2006
2007 /* Write notes phdr entry */
2008 {
2009 size_t sz = info.size;
2010
2011 /* For cell spufs and x86 xstate */
2012 sz += elf_coredump_extra_notes_size();
2013
2014 phdr4note = kmalloc(sizeof(*phdr4note), GFP_KERNEL);
2015 if (!phdr4note)
2016 goto end_coredump;
2017
2018 fill_elf_note_phdr(phdr4note, sz, offset);
2019 offset += sz;
2020 }
2021
2022 dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
2023
2024 offset += cprm->vma_data_size;
2025 offset += elf_core_extra_data_size(cprm);
2026 e_shoff = offset;
2027
2028 if (e_phnum == PN_XNUM) {
2029 shdr4extnum = kmalloc(sizeof(*shdr4extnum), GFP_KERNEL);
2030 if (!shdr4extnum)
2031 goto end_coredump;
2032 fill_extnum_info(&elf, shdr4extnum, e_shoff, segs);
2033 }
2034
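	/*
	 * Second pass: write everything out.  From here on, offset tracks the
	 * file position of the next VMA's data, starting at the page-aligned
	 * dataoff computed above.
	 */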
2035 offset = dataoff;
2036
2037 if (!dump_emit(cprm, &elf, sizeof(elf)))
2038 goto end_coredump;
2039
2040 if (!dump_emit(cprm, phdr4note, sizeof(*phdr4note)))
2041 goto end_coredump;
2042
2043 /* Write program headers for segments dump */
2044 for (i = 0; i < cprm->vma_count; i++) {
2045 struct core_vma_metadata *meta = cprm->vma_meta + i;
2046 struct elf_phdr phdr;
2047
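		/*
		 * One PT_LOAD header per VMA.  p_filesz (the amount actually
		 * dumped) may be smaller than p_memsz when only part of the
		 * VMA is written out.
		 */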
2048 phdr.p_type = PT_LOAD;
2049 phdr.p_offset = offset;
2050 phdr.p_vaddr = meta->start;
2051 phdr.p_paddr = 0;
2052 phdr.p_filesz = meta->dump_size;
2053 phdr.p_memsz = meta->end - meta->start;
2054 offset += phdr.p_filesz;
2055 phdr.p_flags = 0;
2056 if (meta->flags & VM_READ)
2057 phdr.p_flags |= PF_R;
2058 if (meta->flags & VM_WRITE)
2059 phdr.p_flags |= PF_W;
2060 if (meta->flags & VM_EXEC)
2061 phdr.p_flags |= PF_X;
2062 phdr.p_align = ELF_EXEC_PAGESIZE;
2063
2064 if (!dump_emit(cprm, &phdr, sizeof(phdr)))
2065 goto end_coredump;
2066 }
2067
2068 if (!elf_core_write_extra_phdrs(cprm, offset))
2069 goto end_coredump;
2070
2071 /* write out the notes section */
2072 if (!write_note_info(&info, cprm))
2073 goto end_coredump;
2074
2075 /* For cell spufs and x86 xstate */
2076 if (elf_coredump_extra_notes_write(cprm))
2077 goto end_coredump;
2078
2079 /* Align to page */
2080 dump_skip_to(cprm, dataoff);
2081
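	/*
	 * Dump each VMA's contents at its page-aligned offset, in the same
	 * order as the PT_LOAD headers above.
	 */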
2082 for (i = 0; i < cprm->vma_count; i++) {
2083 struct core_vma_metadata *meta = cprm->vma_meta + i;
2084
2085 if (!dump_user_range(cprm, meta->start, meta->dump_size))
2086 goto end_coredump;
2087 }
2088
2089 if (!elf_core_write_extra_data(cprm))
2090 goto end_coredump;
2091
2092 if (e_phnum == PN_XNUM) {
2093 if (!dump_emit(cprm, shdr4extnum, sizeof(*shdr4extnum)))
2094 goto end_coredump;
2095 }
2096
2097 end_coredump:
2098 free_note_info(&info);
2099 kfree(shdr4extnum);
2100 kfree(phdr4note);
2101 return has_dumped;
2102 }
2103
2104 #endif /* CONFIG_ELF_CORE */
2105
2106 static int __init init_elf_binfmt(void)
2107 {
2108 register_binfmt(&elf_format);
2109 return 0;
2110 }
2111
2112 static void __exit exit_elf_binfmt(void)
2113 {
2114 	/* Remove the ELF loader. */
2115 unregister_binfmt(&elf_format);
2116 }
2117
2118 core_initcall(init_elf_binfmt);
2119 module_exit(exit_elf_binfmt);
2120
2121 #ifdef CONFIG_BINFMT_ELF_KUNIT_TEST
2122 #include "tests/binfmt_elf_kunit.c"
2123 #endif
2124