1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * linux/fs/binfmt_elf.c 4 * 5 * These are the functions used to load ELF format executables as used 6 * on SVr4 machines. Information on the format may be found in the book 7 * "UNIX SYSTEM V RELEASE 4 Programmers Guide: Ansi C and Programming Support 8 * Tools". 9 * 10 * Copyright 1993, 1994: Eric Youngdale (ericy@cais.com). 11 */ 12 13 #include <linux/module.h> 14 #include <linux/kernel.h> 15 #include <linux/fs.h> 16 #include <linux/log2.h> 17 #include <linux/mm.h> 18 #include <linux/mman.h> 19 #include <linux/errno.h> 20 #include <linux/signal.h> 21 #include <linux/binfmts.h> 22 #include <linux/string.h> 23 #include <linux/file.h> 24 #include <linux/slab.h> 25 #include <linux/personality.h> 26 #include <linux/elfcore.h> 27 #include <linux/init.h> 28 #include <linux/highuid.h> 29 #include <linux/compiler.h> 30 #include <linux/highmem.h> 31 #include <linux/hugetlb.h> 32 #include <linux/pagemap.h> 33 #include <linux/vmalloc.h> 34 #include <linux/security.h> 35 #include <linux/random.h> 36 #include <linux/elf.h> 37 #include <linux/elf-randomize.h> 38 #include <linux/utsname.h> 39 #include <linux/coredump.h> 40 #include <linux/sched.h> 41 #include <linux/sched/coredump.h> 42 #include <linux/sched/task_stack.h> 43 #include <linux/sched/cputime.h> 44 #include <linux/sizes.h> 45 #include <linux/types.h> 46 #include <linux/cred.h> 47 #include <linux/dax.h> 48 #include <linux/uaccess.h> 49 #include <linux/rseq.h> 50 #include <asm/param.h> 51 #include <asm/page.h> 52 53 #ifndef ELF_COMPAT 54 #define ELF_COMPAT 0 55 #endif 56 57 #ifndef user_long_t 58 #define user_long_t long 59 #endif 60 #ifndef user_siginfo_t 61 #define user_siginfo_t siginfo_t 62 #endif 63 64 /* That's for binfmt_elf_fdpic to deal with */ 65 #ifndef elf_check_fdpic 66 #define elf_check_fdpic(ex) false 67 #endif 68 69 static int load_elf_binary(struct linux_binprm *bprm); 70 71 /* 72 * If we don't support core dumping, then supply a NULL so we 73 * don't even try. 74 */ 75 #ifdef CONFIG_ELF_CORE 76 static int elf_core_dump(struct coredump_params *cprm); 77 #else 78 #define elf_core_dump NULL 79 #endif 80 81 #if ELF_EXEC_PAGESIZE > PAGE_SIZE 82 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE 83 #else 84 #define ELF_MIN_ALIGN PAGE_SIZE 85 #endif 86 87 #ifndef ELF_CORE_EFLAGS 88 #define ELF_CORE_EFLAGS 0 89 #endif 90 91 #define ELF_PAGESTART(_v) ((_v) & ~(int)(ELF_MIN_ALIGN-1)) 92 #define ELF_PAGEOFFSET(_v) ((_v) & (ELF_MIN_ALIGN-1)) 93 #define ELF_PAGEALIGN(_v) (((_v) + ELF_MIN_ALIGN - 1) & ~(ELF_MIN_ALIGN - 1)) 94 95 static struct linux_binfmt elf_format = { 96 .module = THIS_MODULE, 97 .load_binary = load_elf_binary, 98 #ifdef CONFIG_COREDUMP 99 .core_dump = elf_core_dump, 100 .min_coredump = ELF_EXEC_PAGESIZE, 101 #endif 102 }; 103 104 #define BAD_ADDR(x) (unlikely((unsigned long)(x) >= TASK_SIZE)) 105 106 /* 107 * We need to explicitly zero any trailing portion of the page that follows 108 * p_filesz when it ends before the page ends (e.g. bss), otherwise this 109 * memory will contain the junk from the file that should not be present. 110 */ 111 static int padzero(unsigned long address) 112 { 113 unsigned long nbyte; 114 115 nbyte = ELF_PAGEOFFSET(address); 116 if (nbyte) { 117 nbyte = ELF_MIN_ALIGN - nbyte; 118 if (clear_user((void __user *)address, nbyte)) 119 return -EFAULT; 120 } 121 return 0; 122 } 123 124 /* Let's use some macros to make this stack manipulation a little clearer */ 125 #ifdef CONFIG_STACK_GROWSUP 126 #define STACK_ADD(sp, items) ((elf_addr_t __user *)(sp) + (items)) 127 #define STACK_ROUND(sp, items) \ 128 ((15 + (unsigned long) ((sp) + (items))) &~ 15UL) 129 #define STACK_ALLOC(sp, len) ({ \ 130 elf_addr_t __user *old_sp = (elf_addr_t __user *)sp; sp += len; \ 131 old_sp; }) 132 #else 133 #define STACK_ADD(sp, items) ((elf_addr_t __user *)(sp) - (items)) 134 #define STACK_ROUND(sp, items) \ 135 (((unsigned long) (sp - items)) &~ 15UL) 136 #define STACK_ALLOC(sp, len) (sp -= len) 137 #endif 138 139 #ifndef ELF_BASE_PLATFORM 140 /* 141 * AT_BASE_PLATFORM indicates the "real" hardware/microarchitecture. 142 * If the arch defines ELF_BASE_PLATFORM (in asm/elf.h), the value 143 * will be copied to the user stack in the same manner as AT_PLATFORM. 144 */ 145 #define ELF_BASE_PLATFORM NULL 146 #endif 147 148 static int 149 create_elf_tables(struct linux_binprm *bprm, const struct elfhdr *exec, 150 unsigned long interp_load_addr, 151 unsigned long e_entry, unsigned long phdr_addr) 152 { 153 struct mm_struct *mm = current->mm; 154 unsigned long p = bprm->p; 155 int argc = bprm->argc; 156 int envc = bprm->envc; 157 elf_addr_t __user *sp; 158 elf_addr_t __user *u_platform; 159 elf_addr_t __user *u_base_platform; 160 elf_addr_t __user *u_rand_bytes; 161 const char *k_platform = ELF_PLATFORM; 162 const char *k_base_platform = ELF_BASE_PLATFORM; 163 unsigned char k_rand_bytes[16]; 164 int items; 165 elf_addr_t *elf_info; 166 elf_addr_t flags = 0; 167 int ei_index; 168 const struct cred *cred = current_cred(); 169 struct vm_area_struct *vma; 170 171 /* 172 * In some cases (e.g. Hyper-Threading), we want to avoid L1 173 * evictions by the processes running on the same package. One 174 * thing we can do is to shuffle the initial stack for them. 175 */ 176 177 p = arch_align_stack(p); 178 179 /* 180 * If this architecture has a platform capability string, copy it 181 * to userspace. In some cases (Sparc), this info is impossible 182 * for userspace to get any other way, in others (i386) it is 183 * merely difficult. 184 */ 185 u_platform = NULL; 186 if (k_platform) { 187 size_t len = strlen(k_platform) + 1; 188 189 u_platform = (elf_addr_t __user *)STACK_ALLOC(p, len); 190 if (copy_to_user(u_platform, k_platform, len)) 191 return -EFAULT; 192 } 193 194 /* 195 * If this architecture has a "base" platform capability 196 * string, copy it to userspace. 197 */ 198 u_base_platform = NULL; 199 if (k_base_platform) { 200 size_t len = strlen(k_base_platform) + 1; 201 202 u_base_platform = (elf_addr_t __user *)STACK_ALLOC(p, len); 203 if (copy_to_user(u_base_platform, k_base_platform, len)) 204 return -EFAULT; 205 } 206 207 /* 208 * Generate 16 random bytes for userspace PRNG seeding. 209 */ 210 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes)); 211 u_rand_bytes = (elf_addr_t __user *) 212 STACK_ALLOC(p, sizeof(k_rand_bytes)); 213 if (copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes))) 214 return -EFAULT; 215 216 /* Create the ELF interpreter info */ 217 elf_info = (elf_addr_t *)mm->saved_auxv; 218 /* update AT_VECTOR_SIZE_BASE if the number of NEW_AUX_ENT() changes */ 219 #define NEW_AUX_ENT(id, val) \ 220 do { \ 221 *elf_info++ = id; \ 222 *elf_info++ = val; \ 223 } while (0) 224 225 #ifdef ARCH_DLINFO 226 /* 227 * ARCH_DLINFO must come first so PPC can do its special alignment of 228 * AUXV. 229 * update AT_VECTOR_SIZE_ARCH if the number of NEW_AUX_ENT() in 230 * ARCH_DLINFO changes 231 */ 232 ARCH_DLINFO; 233 #endif 234 NEW_AUX_ENT(AT_HWCAP, ELF_HWCAP); 235 NEW_AUX_ENT(AT_PAGESZ, ELF_EXEC_PAGESIZE); 236 NEW_AUX_ENT(AT_CLKTCK, CLOCKS_PER_SEC); 237 NEW_AUX_ENT(AT_PHDR, phdr_addr); 238 NEW_AUX_ENT(AT_PHENT, sizeof(struct elf_phdr)); 239 NEW_AUX_ENT(AT_PHNUM, exec->e_phnum); 240 NEW_AUX_ENT(AT_BASE, interp_load_addr); 241 if (bprm->interp_flags & BINPRM_FLAGS_PRESERVE_ARGV0) 242 flags |= AT_FLAGS_PRESERVE_ARGV0; 243 NEW_AUX_ENT(AT_FLAGS, flags); 244 NEW_AUX_ENT(AT_ENTRY, e_entry); 245 NEW_AUX_ENT(AT_UID, from_kuid_munged(cred->user_ns, cred->uid)); 246 NEW_AUX_ENT(AT_EUID, from_kuid_munged(cred->user_ns, cred->euid)); 247 NEW_AUX_ENT(AT_GID, from_kgid_munged(cred->user_ns, cred->gid)); 248 NEW_AUX_ENT(AT_EGID, from_kgid_munged(cred->user_ns, cred->egid)); 249 NEW_AUX_ENT(AT_SECURE, bprm->secureexec); 250 NEW_AUX_ENT(AT_RANDOM, (elf_addr_t)(unsigned long)u_rand_bytes); 251 #ifdef ELF_HWCAP2 252 NEW_AUX_ENT(AT_HWCAP2, ELF_HWCAP2); 253 #endif 254 #ifdef ELF_HWCAP3 255 NEW_AUX_ENT(AT_HWCAP3, ELF_HWCAP3); 256 #endif 257 #ifdef ELF_HWCAP4 258 NEW_AUX_ENT(AT_HWCAP4, ELF_HWCAP4); 259 #endif 260 NEW_AUX_ENT(AT_EXECFN, bprm->exec); 261 if (k_platform) { 262 NEW_AUX_ENT(AT_PLATFORM, 263 (elf_addr_t)(unsigned long)u_platform); 264 } 265 if (k_base_platform) { 266 NEW_AUX_ENT(AT_BASE_PLATFORM, 267 (elf_addr_t)(unsigned long)u_base_platform); 268 } 269 if (bprm->have_execfd) { 270 NEW_AUX_ENT(AT_EXECFD, bprm->execfd); 271 } 272 #ifdef CONFIG_RSEQ 273 NEW_AUX_ENT(AT_RSEQ_FEATURE_SIZE, offsetof(struct rseq, end)); 274 NEW_AUX_ENT(AT_RSEQ_ALIGN, __alignof__(struct rseq)); 275 #endif 276 #undef NEW_AUX_ENT 277 /* AT_NULL is zero; clear the rest too */ 278 memset(elf_info, 0, (char *)mm->saved_auxv + 279 sizeof(mm->saved_auxv) - (char *)elf_info); 280 281 /* And advance past the AT_NULL entry. */ 282 elf_info += 2; 283 284 ei_index = elf_info - (elf_addr_t *)mm->saved_auxv; 285 sp = STACK_ADD(p, ei_index); 286 287 items = (argc + 1) + (envc + 1) + 1; 288 bprm->p = STACK_ROUND(sp, items); 289 290 /* Point sp at the lowest address on the stack */ 291 #ifdef CONFIG_STACK_GROWSUP 292 sp = (elf_addr_t __user *)bprm->p - items - ei_index; 293 bprm->exec = (unsigned long)sp; /* XXX: PARISC HACK */ 294 #else 295 sp = (elf_addr_t __user *)bprm->p; 296 #endif 297 298 299 /* 300 * Grow the stack manually; some architectures have a limit on how 301 * far ahead a user-space access may be in order to grow the stack. 302 */ 303 if (mmap_write_lock_killable(mm)) 304 return -EINTR; 305 vma = find_extend_vma_locked(mm, bprm->p); 306 mmap_write_unlock(mm); 307 if (!vma) 308 return -EFAULT; 309 310 /* Now, let's put argc (and argv, envp if appropriate) on the stack */ 311 if (put_user(argc, sp++)) 312 return -EFAULT; 313 314 /* Populate list of argv pointers back to argv strings. */ 315 p = mm->arg_end = mm->arg_start; 316 while (argc-- > 0) { 317 size_t len; 318 if (put_user((elf_addr_t)p, sp++)) 319 return -EFAULT; 320 len = strnlen_user((void __user *)p, MAX_ARG_STRLEN); 321 if (!len || len > MAX_ARG_STRLEN) 322 return -EINVAL; 323 p += len; 324 } 325 if (put_user(0, sp++)) 326 return -EFAULT; 327 mm->arg_end = p; 328 329 /* Populate list of envp pointers back to envp strings. */ 330 mm->env_end = mm->env_start = p; 331 while (envc-- > 0) { 332 size_t len; 333 if (put_user((elf_addr_t)p, sp++)) 334 return -EFAULT; 335 len = strnlen_user((void __user *)p, MAX_ARG_STRLEN); 336 if (!len || len > MAX_ARG_STRLEN) 337 return -EINVAL; 338 p += len; 339 } 340 if (put_user(0, sp++)) 341 return -EFAULT; 342 mm->env_end = p; 343 344 /* Put the elf_info on the stack in the right place. */ 345 if (copy_to_user(sp, mm->saved_auxv, ei_index * sizeof(elf_addr_t))) 346 return -EFAULT; 347 return 0; 348 } 349 350 /* 351 * Map "eppnt->p_filesz" bytes from "filep" offset "eppnt->p_offset" 352 * into memory at "addr". (Note that p_filesz is rounded up to the 353 * next page, so any extra bytes from the file must be wiped.) 354 */ 355 static unsigned long elf_map(struct file *filep, unsigned long addr, 356 const struct elf_phdr *eppnt, int prot, int type, 357 unsigned long total_size) 358 { 359 unsigned long map_addr; 360 unsigned long size = eppnt->p_filesz + ELF_PAGEOFFSET(eppnt->p_vaddr); 361 unsigned long off = eppnt->p_offset - ELF_PAGEOFFSET(eppnt->p_vaddr); 362 addr = ELF_PAGESTART(addr); 363 size = ELF_PAGEALIGN(size); 364 365 /* mmap() will return -EINVAL if given a zero size, but a 366 * segment with zero filesize is perfectly valid */ 367 if (!size) 368 return addr; 369 370 /* 371 * total_size is the size of the ELF (interpreter) image. 372 * The _first_ mmap needs to know the full size, otherwise 373 * randomization might put this image into an overlapping 374 * position with the ELF binary image. (since size < total_size) 375 * So we first map the 'big' image - and unmap the remainder at 376 * the end. (which unmap is needed for ELF images with holes.) 377 */ 378 if (total_size) { 379 total_size = ELF_PAGEALIGN(total_size); 380 map_addr = vm_mmap(filep, addr, total_size, prot, type, off); 381 if (!BAD_ADDR(map_addr)) 382 vm_munmap(map_addr+size, total_size-size); 383 } else 384 map_addr = vm_mmap(filep, addr, size, prot, type, off); 385 386 if ((type & MAP_FIXED_NOREPLACE) && 387 PTR_ERR((void *)map_addr) == -EEXIST) 388 pr_info("%d (%s): Uhuuh, elf segment at %px requested but the memory is mapped already\n", 389 task_pid_nr(current), current->comm, (void *)addr); 390 391 return(map_addr); 392 } 393 394 /* 395 * Map "eppnt->p_filesz" bytes from "filep" offset "eppnt->p_offset" 396 * into memory at "addr". Memory from "p_filesz" through "p_memsz" 397 * rounded up to the next page is zeroed. 398 */ 399 static unsigned long elf_load(struct file *filep, unsigned long addr, 400 const struct elf_phdr *eppnt, int prot, int type, 401 unsigned long total_size) 402 { 403 unsigned long zero_start, zero_end; 404 unsigned long map_addr; 405 406 if (eppnt->p_filesz) { 407 map_addr = elf_map(filep, addr, eppnt, prot, type, total_size); 408 if (BAD_ADDR(map_addr)) 409 return map_addr; 410 if (eppnt->p_memsz > eppnt->p_filesz) { 411 zero_start = map_addr + ELF_PAGEOFFSET(eppnt->p_vaddr) + 412 eppnt->p_filesz; 413 zero_end = map_addr + ELF_PAGEOFFSET(eppnt->p_vaddr) + 414 eppnt->p_memsz; 415 416 /* 417 * Zero the end of the last mapped page but ignore 418 * any errors if the segment isn't writable. 419 */ 420 if (padzero(zero_start) && (prot & PROT_WRITE)) 421 return -EFAULT; 422 } 423 } else { 424 map_addr = zero_start = ELF_PAGESTART(addr); 425 zero_end = zero_start + ELF_PAGEOFFSET(eppnt->p_vaddr) + 426 eppnt->p_memsz; 427 } 428 if (eppnt->p_memsz > eppnt->p_filesz) { 429 /* 430 * Map the last of the segment. 431 * If the header is requesting these pages to be 432 * executable, honour that (ppc32 needs this). 433 */ 434 int error; 435 436 zero_start = ELF_PAGEALIGN(zero_start); 437 zero_end = ELF_PAGEALIGN(zero_end); 438 439 error = vm_brk_flags(zero_start, zero_end - zero_start, 440 prot & PROT_EXEC ? VM_EXEC : 0); 441 if (error) 442 map_addr = error; 443 } 444 return map_addr; 445 } 446 447 448 static unsigned long total_mapping_size(const struct elf_phdr *phdr, int nr) 449 { 450 elf_addr_t min_addr = -1; 451 elf_addr_t max_addr = 0; 452 bool pt_load = false; 453 int i; 454 455 for (i = 0; i < nr; i++) { 456 if (phdr[i].p_type == PT_LOAD) { 457 min_addr = min(min_addr, ELF_PAGESTART(phdr[i].p_vaddr)); 458 max_addr = max(max_addr, phdr[i].p_vaddr + phdr[i].p_memsz); 459 pt_load = true; 460 } 461 } 462 return pt_load ? (max_addr - min_addr) : 0; 463 } 464 465 static int elf_read(struct file *file, void *buf, size_t len, loff_t pos) 466 { 467 ssize_t rv; 468 469 rv = kernel_read(file, buf, len, &pos); 470 if (unlikely(rv != len)) { 471 return (rv < 0) ? rv : -EIO; 472 } 473 return 0; 474 } 475 476 static unsigned long maximum_alignment(struct elf_phdr *cmds, int nr) 477 { 478 unsigned long alignment = 0; 479 int i; 480 481 for (i = 0; i < nr; i++) { 482 if (cmds[i].p_type == PT_LOAD) { 483 unsigned long p_align = cmds[i].p_align; 484 485 /* skip non-power of two alignments as invalid */ 486 if (!is_power_of_2(p_align)) 487 continue; 488 alignment = max(alignment, p_align); 489 } 490 } 491 492 /* ensure we align to at least one page */ 493 return ELF_PAGEALIGN(alignment); 494 } 495 496 /** 497 * load_elf_phdrs() - load ELF program headers 498 * @elf_ex: ELF header of the binary whose program headers should be loaded 499 * @elf_file: the opened ELF binary file 500 * 501 * Loads ELF program headers from the binary file elf_file, which has the ELF 502 * header pointed to by elf_ex, into a newly allocated array. The caller is 503 * responsible for freeing the allocated data. Returns NULL upon failure. 504 */ 505 static struct elf_phdr *load_elf_phdrs(const struct elfhdr *elf_ex, 506 struct file *elf_file) 507 { 508 struct elf_phdr *elf_phdata = NULL; 509 int retval = -1; 510 unsigned int size; 511 512 /* 513 * If the size of this structure has changed, then punt, since 514 * we will be doing the wrong thing. 515 */ 516 if (elf_ex->e_phentsize != sizeof(struct elf_phdr)) 517 goto out; 518 519 /* Sanity check the number of program headers... */ 520 /* ...and their total size. */ 521 size = sizeof(struct elf_phdr) * elf_ex->e_phnum; 522 if (size == 0 || size > 65536 || size > ELF_MIN_ALIGN) 523 goto out; 524 525 elf_phdata = kmalloc(size, GFP_KERNEL); 526 if (!elf_phdata) 527 goto out; 528 529 /* Read in the program headers */ 530 retval = elf_read(elf_file, elf_phdata, size, elf_ex->e_phoff); 531 532 out: 533 if (retval) { 534 kfree(elf_phdata); 535 elf_phdata = NULL; 536 } 537 return elf_phdata; 538 } 539 540 #ifndef CONFIG_ARCH_BINFMT_ELF_STATE 541 542 /** 543 * struct arch_elf_state - arch-specific ELF loading state 544 * 545 * This structure is used to preserve architecture specific data during 546 * the loading of an ELF file, throughout the checking of architecture 547 * specific ELF headers & through to the point where the ELF load is 548 * known to be proceeding (ie. SET_PERSONALITY). 549 * 550 * This implementation is a dummy for architectures which require no 551 * specific state. 552 */ 553 struct arch_elf_state { 554 }; 555 556 #define INIT_ARCH_ELF_STATE {} 557 558 /** 559 * arch_elf_pt_proc() - check a PT_LOPROC..PT_HIPROC ELF program header 560 * @ehdr: The main ELF header 561 * @phdr: The program header to check 562 * @elf: The open ELF file 563 * @is_interp: True if the phdr is from the interpreter of the ELF being 564 * loaded, else false. 565 * @state: Architecture-specific state preserved throughout the process 566 * of loading the ELF. 567 * 568 * Inspects the program header phdr to validate its correctness and/or 569 * suitability for the system. Called once per ELF program header in the 570 * range PT_LOPROC to PT_HIPROC, for both the ELF being loaded and its 571 * interpreter. 572 * 573 * Return: Zero to proceed with the ELF load, non-zero to fail the ELF load 574 * with that return code. 575 */ 576 static inline int arch_elf_pt_proc(struct elfhdr *ehdr, 577 struct elf_phdr *phdr, 578 struct file *elf, bool is_interp, 579 struct arch_elf_state *state) 580 { 581 /* Dummy implementation, always proceed */ 582 return 0; 583 } 584 585 /** 586 * arch_check_elf() - check an ELF executable 587 * @ehdr: The main ELF header 588 * @has_interp: True if the ELF has an interpreter, else false. 589 * @interp_ehdr: The interpreter's ELF header 590 * @state: Architecture-specific state preserved throughout the process 591 * of loading the ELF. 592 * 593 * Provides a final opportunity for architecture code to reject the loading 594 * of the ELF & cause an exec syscall to return an error. This is called after 595 * all program headers to be checked by arch_elf_pt_proc have been. 596 * 597 * Return: Zero to proceed with the ELF load, non-zero to fail the ELF load 598 * with that return code. 599 */ 600 static inline int arch_check_elf(struct elfhdr *ehdr, bool has_interp, 601 struct elfhdr *interp_ehdr, 602 struct arch_elf_state *state) 603 { 604 /* Dummy implementation, always proceed */ 605 return 0; 606 } 607 608 #endif /* !CONFIG_ARCH_BINFMT_ELF_STATE */ 609 610 static inline int make_prot(u32 p_flags, struct arch_elf_state *arch_state, 611 bool has_interp, bool is_interp) 612 { 613 int prot = 0; 614 615 if (p_flags & PF_R) 616 prot |= PROT_READ; 617 if (p_flags & PF_W) 618 prot |= PROT_WRITE; 619 if (p_flags & PF_X) 620 prot |= PROT_EXEC; 621 622 return arch_elf_adjust_prot(prot, arch_state, has_interp, is_interp); 623 } 624 625 /* This is much more generalized than the library routine read function, 626 so we keep this separate. Technically the library read function 627 is only provided so that we can read a.out libraries that have 628 an ELF header */ 629 630 static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex, 631 struct file *interpreter, 632 unsigned long no_base, struct elf_phdr *interp_elf_phdata, 633 struct arch_elf_state *arch_state) 634 { 635 struct elf_phdr *eppnt; 636 unsigned long load_addr = 0; 637 int load_addr_set = 0; 638 unsigned long error = ~0UL; 639 unsigned long total_size; 640 int i; 641 642 /* First of all, some simple consistency checks */ 643 if (interp_elf_ex->e_type != ET_EXEC && 644 interp_elf_ex->e_type != ET_DYN) 645 goto out; 646 if (!elf_check_arch(interp_elf_ex) || 647 elf_check_fdpic(interp_elf_ex)) 648 goto out; 649 if (!interpreter->f_op->mmap) 650 goto out; 651 652 total_size = total_mapping_size(interp_elf_phdata, 653 interp_elf_ex->e_phnum); 654 if (!total_size) { 655 error = -EINVAL; 656 goto out; 657 } 658 659 eppnt = interp_elf_phdata; 660 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) { 661 if (eppnt->p_type == PT_LOAD) { 662 int elf_type = MAP_PRIVATE; 663 int elf_prot = make_prot(eppnt->p_flags, arch_state, 664 true, true); 665 unsigned long vaddr = 0; 666 unsigned long k, map_addr; 667 668 vaddr = eppnt->p_vaddr; 669 if (interp_elf_ex->e_type == ET_EXEC || load_addr_set) 670 elf_type |= MAP_FIXED; 671 else if (no_base && interp_elf_ex->e_type == ET_DYN) 672 load_addr = -vaddr; 673 674 map_addr = elf_load(interpreter, load_addr + vaddr, 675 eppnt, elf_prot, elf_type, total_size); 676 total_size = 0; 677 error = map_addr; 678 if (BAD_ADDR(map_addr)) 679 goto out; 680 681 if (!load_addr_set && 682 interp_elf_ex->e_type == ET_DYN) { 683 load_addr = map_addr - ELF_PAGESTART(vaddr); 684 load_addr_set = 1; 685 } 686 687 /* 688 * Check to see if the section's size will overflow the 689 * allowed task size. Note that p_filesz must always be 690 * <= p_memsize so it's only necessary to check p_memsz. 691 */ 692 k = load_addr + eppnt->p_vaddr; 693 if (BAD_ADDR(k) || 694 eppnt->p_filesz > eppnt->p_memsz || 695 eppnt->p_memsz > TASK_SIZE || 696 TASK_SIZE - eppnt->p_memsz < k) { 697 error = -ENOMEM; 698 goto out; 699 } 700 } 701 } 702 703 error = load_addr; 704 out: 705 return error; 706 } 707 708 /* 709 * These are the functions used to load ELF style executables and shared 710 * libraries. There is no binary dependent code anywhere else. 711 */ 712 713 static int parse_elf_property(const char *data, size_t *off, size_t datasz, 714 struct arch_elf_state *arch, 715 bool have_prev_type, u32 *prev_type) 716 { 717 size_t o, step; 718 const struct gnu_property *pr; 719 int ret; 720 721 if (*off == datasz) 722 return -ENOENT; 723 724 if (WARN_ON_ONCE(*off > datasz || *off % ELF_GNU_PROPERTY_ALIGN)) 725 return -EIO; 726 o = *off; 727 datasz -= *off; 728 729 if (datasz < sizeof(*pr)) 730 return -ENOEXEC; 731 pr = (const struct gnu_property *)(data + o); 732 o += sizeof(*pr); 733 datasz -= sizeof(*pr); 734 735 if (pr->pr_datasz > datasz) 736 return -ENOEXEC; 737 738 WARN_ON_ONCE(o % ELF_GNU_PROPERTY_ALIGN); 739 step = round_up(pr->pr_datasz, ELF_GNU_PROPERTY_ALIGN); 740 if (step > datasz) 741 return -ENOEXEC; 742 743 /* Properties are supposed to be unique and sorted on pr_type: */ 744 if (have_prev_type && pr->pr_type <= *prev_type) 745 return -ENOEXEC; 746 *prev_type = pr->pr_type; 747 748 ret = arch_parse_elf_property(pr->pr_type, data + o, 749 pr->pr_datasz, ELF_COMPAT, arch); 750 if (ret) 751 return ret; 752 753 *off = o + step; 754 return 0; 755 } 756 757 #define NOTE_DATA_SZ SZ_1K 758 #define NOTE_NAME_SZ (sizeof(NN_GNU_PROPERTY_TYPE_0)) 759 760 static int parse_elf_properties(struct file *f, const struct elf_phdr *phdr, 761 struct arch_elf_state *arch) 762 { 763 union { 764 struct elf_note nhdr; 765 char data[NOTE_DATA_SZ]; 766 } note; 767 loff_t pos; 768 ssize_t n; 769 size_t off, datasz; 770 int ret; 771 bool have_prev_type; 772 u32 prev_type; 773 774 if (!IS_ENABLED(CONFIG_ARCH_USE_GNU_PROPERTY) || !phdr) 775 return 0; 776 777 /* load_elf_binary() shouldn't call us unless this is true... */ 778 if (WARN_ON_ONCE(phdr->p_type != PT_GNU_PROPERTY)) 779 return -ENOEXEC; 780 781 /* If the properties are crazy large, that's too bad (for now): */ 782 if (phdr->p_filesz > sizeof(note)) 783 return -ENOEXEC; 784 785 pos = phdr->p_offset; 786 n = kernel_read(f, ¬e, phdr->p_filesz, &pos); 787 788 BUILD_BUG_ON(sizeof(note) < sizeof(note.nhdr) + NOTE_NAME_SZ); 789 if (n < 0 || n < sizeof(note.nhdr) + NOTE_NAME_SZ) 790 return -EIO; 791 792 if (note.nhdr.n_type != NT_GNU_PROPERTY_TYPE_0 || 793 note.nhdr.n_namesz != NOTE_NAME_SZ || 794 strncmp(note.data + sizeof(note.nhdr), 795 NN_GNU_PROPERTY_TYPE_0, n - sizeof(note.nhdr))) 796 return -ENOEXEC; 797 798 off = round_up(sizeof(note.nhdr) + NOTE_NAME_SZ, 799 ELF_GNU_PROPERTY_ALIGN); 800 if (off > n) 801 return -ENOEXEC; 802 803 if (note.nhdr.n_descsz > n - off) 804 return -ENOEXEC; 805 datasz = off + note.nhdr.n_descsz; 806 807 have_prev_type = false; 808 do { 809 ret = parse_elf_property(note.data, &off, datasz, arch, 810 have_prev_type, &prev_type); 811 have_prev_type = true; 812 } while (!ret); 813 814 return ret == -ENOENT ? 0 : ret; 815 } 816 817 static int load_elf_binary(struct linux_binprm *bprm) 818 { 819 struct file *interpreter = NULL; /* to shut gcc up */ 820 unsigned long load_bias = 0, phdr_addr = 0; 821 int first_pt_load = 1; 822 unsigned long error; 823 struct elf_phdr *elf_ppnt, *elf_phdata, *interp_elf_phdata = NULL; 824 struct elf_phdr *elf_property_phdata = NULL; 825 unsigned long elf_brk; 826 bool brk_moved = false; 827 int retval, i; 828 unsigned long elf_entry; 829 unsigned long e_entry; 830 unsigned long interp_load_addr = 0; 831 unsigned long start_code, end_code, start_data, end_data; 832 unsigned long reloc_func_desc __maybe_unused = 0; 833 int executable_stack = EXSTACK_DEFAULT; 834 struct elfhdr *elf_ex = (struct elfhdr *)bprm->buf; 835 struct elfhdr *interp_elf_ex = NULL; 836 struct arch_elf_state arch_state = INIT_ARCH_ELF_STATE; 837 struct mm_struct *mm; 838 struct pt_regs *regs; 839 840 retval = -ENOEXEC; 841 /* First of all, some simple consistency checks */ 842 if (memcmp(elf_ex->e_ident, ELFMAG, SELFMAG) != 0) 843 goto out; 844 845 if (elf_ex->e_type != ET_EXEC && elf_ex->e_type != ET_DYN) 846 goto out; 847 if (!elf_check_arch(elf_ex)) 848 goto out; 849 if (elf_check_fdpic(elf_ex)) 850 goto out; 851 if (!bprm->file->f_op->mmap) 852 goto out; 853 854 elf_phdata = load_elf_phdrs(elf_ex, bprm->file); 855 if (!elf_phdata) 856 goto out; 857 858 elf_ppnt = elf_phdata; 859 for (i = 0; i < elf_ex->e_phnum; i++, elf_ppnt++) { 860 char *elf_interpreter; 861 862 if (elf_ppnt->p_type == PT_GNU_PROPERTY) { 863 elf_property_phdata = elf_ppnt; 864 continue; 865 } 866 867 if (elf_ppnt->p_type != PT_INTERP) 868 continue; 869 870 /* 871 * This is the program interpreter used for shared libraries - 872 * for now assume that this is an a.out format binary. 873 */ 874 retval = -ENOEXEC; 875 if (elf_ppnt->p_filesz > PATH_MAX || elf_ppnt->p_filesz < 2) 876 goto out_free_ph; 877 878 retval = -ENOMEM; 879 elf_interpreter = kmalloc(elf_ppnt->p_filesz, GFP_KERNEL); 880 if (!elf_interpreter) 881 goto out_free_ph; 882 883 retval = elf_read(bprm->file, elf_interpreter, elf_ppnt->p_filesz, 884 elf_ppnt->p_offset); 885 if (retval < 0) 886 goto out_free_interp; 887 /* make sure path is NULL terminated */ 888 retval = -ENOEXEC; 889 if (elf_interpreter[elf_ppnt->p_filesz - 1] != '\0') 890 goto out_free_interp; 891 892 interpreter = open_exec(elf_interpreter); 893 kfree(elf_interpreter); 894 retval = PTR_ERR(interpreter); 895 if (IS_ERR(interpreter)) 896 goto out_free_ph; 897 898 /* 899 * If the binary is not readable then enforce mm->dumpable = 0 900 * regardless of the interpreter's permissions. 901 */ 902 would_dump(bprm, interpreter); 903 904 interp_elf_ex = kmalloc(sizeof(*interp_elf_ex), GFP_KERNEL); 905 if (!interp_elf_ex) { 906 retval = -ENOMEM; 907 goto out_free_file; 908 } 909 910 /* Get the exec headers */ 911 retval = elf_read(interpreter, interp_elf_ex, 912 sizeof(*interp_elf_ex), 0); 913 if (retval < 0) 914 goto out_free_dentry; 915 916 break; 917 918 out_free_interp: 919 kfree(elf_interpreter); 920 goto out_free_ph; 921 } 922 923 elf_ppnt = elf_phdata; 924 for (i = 0; i < elf_ex->e_phnum; i++, elf_ppnt++) 925 switch (elf_ppnt->p_type) { 926 case PT_GNU_STACK: 927 if (elf_ppnt->p_flags & PF_X) 928 executable_stack = EXSTACK_ENABLE_X; 929 else 930 executable_stack = EXSTACK_DISABLE_X; 931 break; 932 933 case PT_LOPROC ... PT_HIPROC: 934 retval = arch_elf_pt_proc(elf_ex, elf_ppnt, 935 bprm->file, false, 936 &arch_state); 937 if (retval) 938 goto out_free_dentry; 939 break; 940 } 941 942 /* Some simple consistency checks for the interpreter */ 943 if (interpreter) { 944 retval = -ELIBBAD; 945 /* Not an ELF interpreter */ 946 if (memcmp(interp_elf_ex->e_ident, ELFMAG, SELFMAG) != 0) 947 goto out_free_dentry; 948 /* Verify the interpreter has a valid arch */ 949 if (!elf_check_arch(interp_elf_ex) || 950 elf_check_fdpic(interp_elf_ex)) 951 goto out_free_dentry; 952 953 /* Load the interpreter program headers */ 954 interp_elf_phdata = load_elf_phdrs(interp_elf_ex, 955 interpreter); 956 if (!interp_elf_phdata) 957 goto out_free_dentry; 958 959 /* Pass PT_LOPROC..PT_HIPROC headers to arch code */ 960 elf_property_phdata = NULL; 961 elf_ppnt = interp_elf_phdata; 962 for (i = 0; i < interp_elf_ex->e_phnum; i++, elf_ppnt++) 963 switch (elf_ppnt->p_type) { 964 case PT_GNU_PROPERTY: 965 elf_property_phdata = elf_ppnt; 966 break; 967 968 case PT_LOPROC ... PT_HIPROC: 969 retval = arch_elf_pt_proc(interp_elf_ex, 970 elf_ppnt, interpreter, 971 true, &arch_state); 972 if (retval) 973 goto out_free_dentry; 974 break; 975 } 976 } 977 978 retval = parse_elf_properties(interpreter ?: bprm->file, 979 elf_property_phdata, &arch_state); 980 if (retval) 981 goto out_free_dentry; 982 983 /* 984 * Allow arch code to reject the ELF at this point, whilst it's 985 * still possible to return an error to the code that invoked 986 * the exec syscall. 987 */ 988 retval = arch_check_elf(elf_ex, 989 !!interpreter, interp_elf_ex, 990 &arch_state); 991 if (retval) 992 goto out_free_dentry; 993 994 /* Flush all traces of the currently running executable */ 995 retval = begin_new_exec(bprm); 996 if (retval) 997 goto out_free_dentry; 998 999 /* Do this immediately, since STACK_TOP as used in setup_arg_pages 1000 may depend on the personality. */ 1001 SET_PERSONALITY2(*elf_ex, &arch_state); 1002 if (elf_read_implies_exec(*elf_ex, executable_stack)) 1003 current->personality |= READ_IMPLIES_EXEC; 1004 1005 const int snapshot_randomize_va_space = READ_ONCE(randomize_va_space); 1006 if (!(current->personality & ADDR_NO_RANDOMIZE) && snapshot_randomize_va_space) 1007 current->flags |= PF_RANDOMIZE; 1008 1009 setup_new_exec(bprm); 1010 1011 /* Do this so that we can load the interpreter, if need be. We will 1012 change some of these later */ 1013 retval = setup_arg_pages(bprm, randomize_stack_top(STACK_TOP), 1014 executable_stack); 1015 if (retval < 0) 1016 goto out_free_dentry; 1017 1018 elf_brk = 0; 1019 1020 start_code = ~0UL; 1021 end_code = 0; 1022 start_data = 0; 1023 end_data = 0; 1024 1025 /* Now we do a little grungy work by mmapping the ELF image into 1026 the correct location in memory. */ 1027 for(i = 0, elf_ppnt = elf_phdata; 1028 i < elf_ex->e_phnum; i++, elf_ppnt++) { 1029 int elf_prot, elf_flags; 1030 unsigned long k, vaddr; 1031 unsigned long total_size = 0; 1032 unsigned long alignment; 1033 1034 if (elf_ppnt->p_type != PT_LOAD) 1035 continue; 1036 1037 elf_prot = make_prot(elf_ppnt->p_flags, &arch_state, 1038 !!interpreter, false); 1039 1040 elf_flags = MAP_PRIVATE; 1041 1042 vaddr = elf_ppnt->p_vaddr; 1043 /* 1044 * The first time through the loop, first_pt_load is true: 1045 * layout will be calculated. Once set, use MAP_FIXED since 1046 * we know we've already safely mapped the entire region with 1047 * MAP_FIXED_NOREPLACE in the once-per-binary logic following. 1048 */ 1049 if (!first_pt_load) { 1050 elf_flags |= MAP_FIXED; 1051 } else if (elf_ex->e_type == ET_EXEC) { 1052 /* 1053 * This logic is run once for the first LOAD Program 1054 * Header for ET_EXEC binaries. No special handling 1055 * is needed. 1056 */ 1057 elf_flags |= MAP_FIXED_NOREPLACE; 1058 } else if (elf_ex->e_type == ET_DYN) { 1059 /* 1060 * This logic is run once for the first LOAD Program 1061 * Header for ET_DYN binaries to calculate the 1062 * randomization (load_bias) for all the LOAD 1063 * Program Headers. 1064 */ 1065 1066 /* 1067 * Calculate the entire size of the ELF mapping 1068 * (total_size), used for the initial mapping, 1069 * due to load_addr_set which is set to true later 1070 * once the initial mapping is performed. 1071 * 1072 * Note that this is only sensible when the LOAD 1073 * segments are contiguous (or overlapping). If 1074 * used for LOADs that are far apart, this would 1075 * cause the holes between LOADs to be mapped, 1076 * running the risk of having the mapping fail, 1077 * as it would be larger than the ELF file itself. 1078 * 1079 * As a result, only ET_DYN does this, since 1080 * some ET_EXEC (e.g. ia64) may have large virtual 1081 * memory holes between LOADs. 1082 * 1083 */ 1084 total_size = total_mapping_size(elf_phdata, 1085 elf_ex->e_phnum); 1086 if (!total_size) { 1087 retval = -EINVAL; 1088 goto out_free_dentry; 1089 } 1090 1091 /* Calculate any requested alignment. */ 1092 alignment = maximum_alignment(elf_phdata, elf_ex->e_phnum); 1093 1094 /** 1095 * DOC: PIE handling 1096 * 1097 * There are effectively two types of ET_DYN ELF 1098 * binaries: programs (i.e. PIE: ET_DYN with 1099 * PT_INTERP) and loaders (i.e. static PIE: ET_DYN 1100 * without PT_INTERP, usually the ELF interpreter 1101 * itself). Loaders must be loaded away from programs 1102 * since the program may otherwise collide with the 1103 * loader (especially for ET_EXEC which does not have 1104 * a randomized position). 1105 * 1106 * For example, to handle invocations of 1107 * "./ld.so someprog" to test out a new version of 1108 * the loader, the subsequent program that the 1109 * loader loads must avoid the loader itself, so 1110 * they cannot share the same load range. Sufficient 1111 * room for the brk must be allocated with the 1112 * loader as well, since brk must be available with 1113 * the loader. 1114 * 1115 * Therefore, programs are loaded offset from 1116 * ELF_ET_DYN_BASE and loaders are loaded into the 1117 * independently randomized mmap region (0 load_bias 1118 * without MAP_FIXED nor MAP_FIXED_NOREPLACE). 1119 * 1120 * See below for "brk" handling details, which is 1121 * also affected by program vs loader and ASLR. 1122 */ 1123 if (interpreter) { 1124 /* On ET_DYN with PT_INTERP, we do the ASLR. */ 1125 load_bias = ELF_ET_DYN_BASE; 1126 if (current->flags & PF_RANDOMIZE) 1127 load_bias += arch_mmap_rnd(); 1128 /* Adjust alignment as requested. */ 1129 if (alignment) 1130 load_bias &= ~(alignment - 1); 1131 elf_flags |= MAP_FIXED_NOREPLACE; 1132 } else { 1133 /* 1134 * For ET_DYN without PT_INTERP, we rely on 1135 * the architectures's (potentially ASLR) mmap 1136 * base address (via a load_bias of 0). 1137 * 1138 * When a large alignment is requested, we 1139 * must do the allocation at address "0" right 1140 * now to discover where things will load so 1141 * that we can adjust the resulting alignment. 1142 * In this case (load_bias != 0), we can use 1143 * MAP_FIXED_NOREPLACE to make sure the mapping 1144 * doesn't collide with anything. 1145 */ 1146 if (alignment > ELF_MIN_ALIGN) { 1147 load_bias = elf_load(bprm->file, 0, elf_ppnt, 1148 elf_prot, elf_flags, total_size); 1149 if (BAD_ADDR(load_bias)) { 1150 retval = IS_ERR_VALUE(load_bias) ? 1151 PTR_ERR((void*)load_bias) : -EINVAL; 1152 goto out_free_dentry; 1153 } 1154 vm_munmap(load_bias, total_size); 1155 /* Adjust alignment as requested. */ 1156 if (alignment) 1157 load_bias &= ~(alignment - 1); 1158 elf_flags |= MAP_FIXED_NOREPLACE; 1159 } else 1160 load_bias = 0; 1161 } 1162 1163 /* 1164 * Since load_bias is used for all subsequent loading 1165 * calculations, we must lower it by the first vaddr 1166 * so that the remaining calculations based on the 1167 * ELF vaddrs will be correctly offset. The result 1168 * is then page aligned. 1169 */ 1170 load_bias = ELF_PAGESTART(load_bias - vaddr); 1171 } 1172 1173 error = elf_load(bprm->file, load_bias + vaddr, elf_ppnt, 1174 elf_prot, elf_flags, total_size); 1175 if (BAD_ADDR(error)) { 1176 retval = IS_ERR_VALUE(error) ? 1177 PTR_ERR((void*)error) : -EINVAL; 1178 goto out_free_dentry; 1179 } 1180 1181 if (first_pt_load) { 1182 first_pt_load = 0; 1183 if (elf_ex->e_type == ET_DYN) { 1184 load_bias += error - 1185 ELF_PAGESTART(load_bias + vaddr); 1186 reloc_func_desc = load_bias; 1187 } 1188 } 1189 1190 /* 1191 * Figure out which segment in the file contains the Program 1192 * Header table, and map to the associated memory address. 1193 */ 1194 if (elf_ppnt->p_offset <= elf_ex->e_phoff && 1195 elf_ex->e_phoff < elf_ppnt->p_offset + elf_ppnt->p_filesz) { 1196 phdr_addr = elf_ex->e_phoff - elf_ppnt->p_offset + 1197 elf_ppnt->p_vaddr; 1198 } 1199 1200 k = elf_ppnt->p_vaddr; 1201 if ((elf_ppnt->p_flags & PF_X) && k < start_code) 1202 start_code = k; 1203 if (start_data < k) 1204 start_data = k; 1205 1206 /* 1207 * Check to see if the section's size will overflow the 1208 * allowed task size. Note that p_filesz must always be 1209 * <= p_memsz so it is only necessary to check p_memsz. 1210 */ 1211 if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz || 1212 elf_ppnt->p_memsz > TASK_SIZE || 1213 TASK_SIZE - elf_ppnt->p_memsz < k) { 1214 /* set_brk can never work. Avoid overflows. */ 1215 retval = -EINVAL; 1216 goto out_free_dentry; 1217 } 1218 1219 k = elf_ppnt->p_vaddr + elf_ppnt->p_filesz; 1220 1221 if ((elf_ppnt->p_flags & PF_X) && end_code < k) 1222 end_code = k; 1223 if (end_data < k) 1224 end_data = k; 1225 k = elf_ppnt->p_vaddr + elf_ppnt->p_memsz; 1226 if (k > elf_brk) 1227 elf_brk = k; 1228 } 1229 1230 e_entry = elf_ex->e_entry + load_bias; 1231 phdr_addr += load_bias; 1232 elf_brk += load_bias; 1233 start_code += load_bias; 1234 end_code += load_bias; 1235 start_data += load_bias; 1236 end_data += load_bias; 1237 1238 if (interpreter) { 1239 elf_entry = load_elf_interp(interp_elf_ex, 1240 interpreter, 1241 load_bias, interp_elf_phdata, 1242 &arch_state); 1243 if (!IS_ERR_VALUE(elf_entry)) { 1244 /* 1245 * load_elf_interp() returns relocation 1246 * adjustment 1247 */ 1248 interp_load_addr = elf_entry; 1249 elf_entry += interp_elf_ex->e_entry; 1250 } 1251 if (BAD_ADDR(elf_entry)) { 1252 retval = IS_ERR_VALUE(elf_entry) ? 1253 (int)elf_entry : -EINVAL; 1254 goto out_free_dentry; 1255 } 1256 reloc_func_desc = interp_load_addr; 1257 1258 exe_file_allow_write_access(interpreter); 1259 fput(interpreter); 1260 1261 kfree(interp_elf_ex); 1262 kfree(interp_elf_phdata); 1263 } else { 1264 elf_entry = e_entry; 1265 if (BAD_ADDR(elf_entry)) { 1266 retval = -EINVAL; 1267 goto out_free_dentry; 1268 } 1269 } 1270 1271 kfree(elf_phdata); 1272 1273 set_binfmt(&elf_format); 1274 1275 #ifdef ARCH_HAS_SETUP_ADDITIONAL_PAGES 1276 retval = ARCH_SETUP_ADDITIONAL_PAGES(bprm, elf_ex, !!interpreter); 1277 if (retval < 0) 1278 goto out; 1279 #endif /* ARCH_HAS_SETUP_ADDITIONAL_PAGES */ 1280 1281 retval = create_elf_tables(bprm, elf_ex, interp_load_addr, 1282 e_entry, phdr_addr); 1283 if (retval < 0) 1284 goto out; 1285 1286 mm = current->mm; 1287 mm->end_code = end_code; 1288 mm->start_code = start_code; 1289 mm->start_data = start_data; 1290 mm->end_data = end_data; 1291 mm->start_stack = bprm->p; 1292 1293 /** 1294 * DOC: "brk" handling 1295 * 1296 * For architectures with ELF randomization, when executing a 1297 * loader directly (i.e. static PIE: ET_DYN without PT_INTERP), 1298 * move the brk area out of the mmap region and into the unused 1299 * ELF_ET_DYN_BASE region. Since "brk" grows up it may collide 1300 * early with the stack growing down or other regions being put 1301 * into the mmap region by the kernel (e.g. vdso). 1302 * 1303 * In the CONFIG_COMPAT_BRK case, though, everything is turned 1304 * off because we're not allowed to move the brk at all. 1305 */ 1306 if (!IS_ENABLED(CONFIG_COMPAT_BRK) && 1307 IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) && 1308 elf_ex->e_type == ET_DYN && !interpreter) { 1309 elf_brk = ELF_ET_DYN_BASE; 1310 /* This counts as moving the brk, so let brk(2) know. */ 1311 brk_moved = true; 1312 } 1313 mm->start_brk = mm->brk = ELF_PAGEALIGN(elf_brk); 1314 1315 if ((current->flags & PF_RANDOMIZE) && snapshot_randomize_va_space > 1) { 1316 /* 1317 * If we didn't move the brk to ELF_ET_DYN_BASE (above), 1318 * leave a gap between .bss and brk. 1319 */ 1320 if (!brk_moved) 1321 mm->brk = mm->start_brk = mm->brk + PAGE_SIZE; 1322 1323 mm->brk = mm->start_brk = arch_randomize_brk(mm); 1324 brk_moved = true; 1325 } 1326 1327 #ifdef compat_brk_randomized 1328 if (brk_moved) 1329 current->brk_randomized = 1; 1330 #endif 1331 1332 if (current->personality & MMAP_PAGE_ZERO) { 1333 /* Why this, you ask??? Well SVr4 maps page 0 as read-only, 1334 and some applications "depend" upon this behavior. 1335 Since we do not have the power to recompile these, we 1336 emulate the SVr4 behavior. Sigh. */ 1337 error = vm_mmap(NULL, 0, PAGE_SIZE, PROT_READ | PROT_EXEC, 1338 MAP_FIXED | MAP_PRIVATE, 0); 1339 1340 retval = do_mseal(0, PAGE_SIZE, 0); 1341 if (retval) 1342 pr_warn_ratelimited("pid=%d, couldn't seal address 0, ret=%d.\n", 1343 task_pid_nr(current), retval); 1344 } 1345 1346 regs = current_pt_regs(); 1347 #ifdef ELF_PLAT_INIT 1348 /* 1349 * The ABI may specify that certain registers be set up in special 1350 * ways (on i386 %edx is the address of a DT_FINI function, for 1351 * example. In addition, it may also specify (eg, PowerPC64 ELF) 1352 * that the e_entry field is the address of the function descriptor 1353 * for the startup routine, rather than the address of the startup 1354 * routine itself. This macro performs whatever initialization to 1355 * the regs structure is required as well as any relocations to the 1356 * function descriptor entries when executing dynamically links apps. 1357 */ 1358 ELF_PLAT_INIT(regs, reloc_func_desc); 1359 #endif 1360 1361 finalize_exec(bprm); 1362 START_THREAD(elf_ex, regs, elf_entry, bprm->p); 1363 retval = 0; 1364 out: 1365 return retval; 1366 1367 /* error cleanup */ 1368 out_free_dentry: 1369 kfree(interp_elf_ex); 1370 kfree(interp_elf_phdata); 1371 out_free_file: 1372 exe_file_allow_write_access(interpreter); 1373 if (interpreter) 1374 fput(interpreter); 1375 out_free_ph: 1376 kfree(elf_phdata); 1377 goto out; 1378 } 1379 1380 #ifdef CONFIG_ELF_CORE 1381 /* 1382 * ELF core dumper 1383 * 1384 * Modelled on fs/exec.c:aout_core_dump() 1385 * Jeremy Fitzhardinge <jeremy@sw.oz.au> 1386 */ 1387 1388 /* An ELF note in memory */ 1389 struct memelfnote 1390 { 1391 const char *name; 1392 int type; 1393 unsigned int datasz; 1394 void *data; 1395 }; 1396 1397 static int notesize(struct memelfnote *en) 1398 { 1399 int sz; 1400 1401 sz = sizeof(struct elf_note); 1402 sz += roundup(strlen(en->name) + 1, 4); 1403 sz += roundup(en->datasz, 4); 1404 1405 return sz; 1406 } 1407 1408 static int writenote(struct memelfnote *men, struct coredump_params *cprm) 1409 { 1410 struct elf_note en; 1411 en.n_namesz = strlen(men->name) + 1; 1412 en.n_descsz = men->datasz; 1413 en.n_type = men->type; 1414 1415 return dump_emit(cprm, &en, sizeof(en)) && 1416 dump_emit(cprm, men->name, en.n_namesz) && dump_align(cprm, 4) && 1417 dump_emit(cprm, men->data, men->datasz) && dump_align(cprm, 4); 1418 } 1419 1420 static void fill_elf_header(struct elfhdr *elf, int segs, 1421 u16 machine, u32 flags) 1422 { 1423 memset(elf, 0, sizeof(*elf)); 1424 1425 memcpy(elf->e_ident, ELFMAG, SELFMAG); 1426 elf->e_ident[EI_CLASS] = ELF_CLASS; 1427 elf->e_ident[EI_DATA] = ELF_DATA; 1428 elf->e_ident[EI_VERSION] = EV_CURRENT; 1429 elf->e_ident[EI_OSABI] = ELF_OSABI; 1430 1431 elf->e_type = ET_CORE; 1432 elf->e_machine = machine; 1433 elf->e_version = EV_CURRENT; 1434 elf->e_phoff = sizeof(struct elfhdr); 1435 elf->e_flags = flags; 1436 elf->e_ehsize = sizeof(struct elfhdr); 1437 elf->e_phentsize = sizeof(struct elf_phdr); 1438 elf->e_phnum = segs; 1439 } 1440 1441 static void fill_elf_note_phdr(struct elf_phdr *phdr, int sz, loff_t offset) 1442 { 1443 phdr->p_type = PT_NOTE; 1444 phdr->p_offset = offset; 1445 phdr->p_vaddr = 0; 1446 phdr->p_paddr = 0; 1447 phdr->p_filesz = sz; 1448 phdr->p_memsz = 0; 1449 phdr->p_flags = 0; 1450 phdr->p_align = 4; 1451 } 1452 1453 static void fill_note(struct memelfnote *note, const char *name, int type, 1454 unsigned int sz, void *data) 1455 { 1456 note->name = name; 1457 note->type = type; 1458 note->datasz = sz; 1459 note->data = data; 1460 } 1461 1462 /* 1463 * fill up all the fields in prstatus from the given task struct, except 1464 * registers which need to be filled up separately. 1465 */ 1466 static void fill_prstatus(struct elf_prstatus_common *prstatus, 1467 struct task_struct *p, long signr) 1468 { 1469 prstatus->pr_info.si_signo = prstatus->pr_cursig = signr; 1470 prstatus->pr_sigpend = p->pending.signal.sig[0]; 1471 prstatus->pr_sighold = p->blocked.sig[0]; 1472 rcu_read_lock(); 1473 prstatus->pr_ppid = task_pid_vnr(rcu_dereference(p->real_parent)); 1474 rcu_read_unlock(); 1475 prstatus->pr_pid = task_pid_vnr(p); 1476 prstatus->pr_pgrp = task_pgrp_vnr(p); 1477 prstatus->pr_sid = task_session_vnr(p); 1478 if (thread_group_leader(p)) { 1479 struct task_cputime cputime; 1480 1481 /* 1482 * This is the record for the group leader. It shows the 1483 * group-wide total, not its individual thread total. 1484 */ 1485 thread_group_cputime(p, &cputime); 1486 prstatus->pr_utime = ns_to_kernel_old_timeval(cputime.utime); 1487 prstatus->pr_stime = ns_to_kernel_old_timeval(cputime.stime); 1488 } else { 1489 u64 utime, stime; 1490 1491 task_cputime(p, &utime, &stime); 1492 prstatus->pr_utime = ns_to_kernel_old_timeval(utime); 1493 prstatus->pr_stime = ns_to_kernel_old_timeval(stime); 1494 } 1495 1496 prstatus->pr_cutime = ns_to_kernel_old_timeval(p->signal->cutime); 1497 prstatus->pr_cstime = ns_to_kernel_old_timeval(p->signal->cstime); 1498 } 1499 1500 static int fill_psinfo(struct elf_prpsinfo *psinfo, struct task_struct *p, 1501 struct mm_struct *mm) 1502 { 1503 const struct cred *cred; 1504 unsigned int i, len; 1505 unsigned int state; 1506 1507 /* first copy the parameters from user space */ 1508 memset(psinfo, 0, sizeof(struct elf_prpsinfo)); 1509 1510 len = mm->arg_end - mm->arg_start; 1511 if (len >= ELF_PRARGSZ) 1512 len = ELF_PRARGSZ-1; 1513 if (copy_from_user(&psinfo->pr_psargs, 1514 (const char __user *)mm->arg_start, len)) 1515 return -EFAULT; 1516 for(i = 0; i < len; i++) 1517 if (psinfo->pr_psargs[i] == 0) 1518 psinfo->pr_psargs[i] = ' '; 1519 psinfo->pr_psargs[len] = 0; 1520 1521 rcu_read_lock(); 1522 psinfo->pr_ppid = task_pid_vnr(rcu_dereference(p->real_parent)); 1523 rcu_read_unlock(); 1524 psinfo->pr_pid = task_pid_vnr(p); 1525 psinfo->pr_pgrp = task_pgrp_vnr(p); 1526 psinfo->pr_sid = task_session_vnr(p); 1527 1528 state = READ_ONCE(p->__state); 1529 i = state ? ffz(~state) + 1 : 0; 1530 psinfo->pr_state = i; 1531 psinfo->pr_sname = (i > 5) ? '.' : "RSDTZW"[i]; 1532 psinfo->pr_zomb = psinfo->pr_sname == 'Z'; 1533 psinfo->pr_nice = task_nice(p); 1534 psinfo->pr_flag = p->flags; 1535 rcu_read_lock(); 1536 cred = __task_cred(p); 1537 SET_UID(psinfo->pr_uid, from_kuid_munged(cred->user_ns, cred->uid)); 1538 SET_GID(psinfo->pr_gid, from_kgid_munged(cred->user_ns, cred->gid)); 1539 rcu_read_unlock(); 1540 get_task_comm(psinfo->pr_fname, p); 1541 1542 return 0; 1543 } 1544 1545 static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm) 1546 { 1547 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv; 1548 int i = 0; 1549 do 1550 i += 2; 1551 while (auxv[i - 2] != AT_NULL); 1552 fill_note(note, NN_AUXV, NT_AUXV, i * sizeof(elf_addr_t), auxv); 1553 } 1554 1555 static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata, 1556 const kernel_siginfo_t *siginfo) 1557 { 1558 copy_siginfo_to_external(csigdata, siginfo); 1559 fill_note(note, NN_SIGINFO, NT_SIGINFO, sizeof(*csigdata), csigdata); 1560 } 1561 1562 /* 1563 * Format of NT_FILE note: 1564 * 1565 * long count -- how many files are mapped 1566 * long page_size -- units for file_ofs 1567 * array of [COUNT] elements of 1568 * long start 1569 * long end 1570 * long file_ofs 1571 * followed by COUNT filenames in ASCII: "FILE1" NUL "FILE2" NUL... 1572 */ 1573 static int fill_files_note(struct memelfnote *note, struct coredump_params *cprm) 1574 { 1575 unsigned count, size, names_ofs, remaining, n; 1576 user_long_t *data; 1577 user_long_t *start_end_ofs; 1578 char *name_base, *name_curpos; 1579 int i; 1580 1581 /* *Estimated* file count and total data size needed */ 1582 count = cprm->vma_count; 1583 if (count > UINT_MAX / 64) 1584 return -EINVAL; 1585 size = count * 64; 1586 1587 names_ofs = (2 + 3 * count) * sizeof(data[0]); 1588 alloc: 1589 /* paranoia check */ 1590 if (size >= core_file_note_size_limit) { 1591 pr_warn_once("coredump Note size too large: %u (does kernel.core_file_note_size_limit sysctl need adjustment?\n", 1592 size); 1593 return -EINVAL; 1594 } 1595 size = round_up(size, PAGE_SIZE); 1596 /* 1597 * "size" can be 0 here legitimately. 1598 * Let it ENOMEM and omit NT_FILE section which will be empty anyway. 1599 */ 1600 data = kvmalloc(size, GFP_KERNEL); 1601 if (ZERO_OR_NULL_PTR(data)) 1602 return -ENOMEM; 1603 1604 start_end_ofs = data + 2; 1605 name_base = name_curpos = ((char *)data) + names_ofs; 1606 remaining = size - names_ofs; 1607 count = 0; 1608 for (i = 0; i < cprm->vma_count; i++) { 1609 struct core_vma_metadata *m = &cprm->vma_meta[i]; 1610 struct file *file; 1611 const char *filename; 1612 1613 file = m->file; 1614 if (!file) 1615 continue; 1616 filename = file_path(file, name_curpos, remaining); 1617 if (IS_ERR(filename)) { 1618 if (PTR_ERR(filename) == -ENAMETOOLONG) { 1619 kvfree(data); 1620 size = size * 5 / 4; 1621 goto alloc; 1622 } 1623 continue; 1624 } 1625 1626 /* file_path() fills at the end, move name down */ 1627 /* n = strlen(filename) + 1: */ 1628 n = (name_curpos + remaining) - filename; 1629 remaining = filename - name_curpos; 1630 memmove(name_curpos, filename, n); 1631 name_curpos += n; 1632 1633 *start_end_ofs++ = m->start; 1634 *start_end_ofs++ = m->end; 1635 *start_end_ofs++ = m->pgoff; 1636 count++; 1637 } 1638 1639 /* Now we know exact count of files, can store it */ 1640 data[0] = count; 1641 data[1] = PAGE_SIZE; 1642 /* 1643 * Count usually is less than mm->map_count, 1644 * we need to move filenames down. 1645 */ 1646 n = cprm->vma_count - count; 1647 if (n != 0) { 1648 unsigned shift_bytes = n * 3 * sizeof(data[0]); 1649 memmove(name_base - shift_bytes, name_base, 1650 name_curpos - name_base); 1651 name_curpos -= shift_bytes; 1652 } 1653 1654 size = name_curpos - (char *)data; 1655 fill_note(note, NN_FILE, NT_FILE, size, data); 1656 return 0; 1657 } 1658 1659 #include <linux/regset.h> 1660 1661 struct elf_thread_core_info { 1662 struct elf_thread_core_info *next; 1663 struct task_struct *task; 1664 struct elf_prstatus prstatus; 1665 struct memelfnote notes[]; 1666 }; 1667 1668 struct elf_note_info { 1669 struct elf_thread_core_info *thread; 1670 struct memelfnote psinfo; 1671 struct memelfnote signote; 1672 struct memelfnote auxv; 1673 struct memelfnote files; 1674 user_siginfo_t csigdata; 1675 size_t size; 1676 int thread_notes; 1677 }; 1678 1679 #ifdef CORE_DUMP_USE_REGSET 1680 /* 1681 * When a regset has a writeback hook, we call it on each thread before 1682 * dumping user memory. On register window machines, this makes sure the 1683 * user memory backing the register data is up to date before we read it. 1684 */ 1685 static void do_thread_regset_writeback(struct task_struct *task, 1686 const struct user_regset *regset) 1687 { 1688 if (regset->writeback) 1689 regset->writeback(task, regset, 1); 1690 } 1691 1692 #ifndef PRSTATUS_SIZE 1693 #define PRSTATUS_SIZE sizeof(struct elf_prstatus) 1694 #endif 1695 1696 #ifndef SET_PR_FPVALID 1697 #define SET_PR_FPVALID(S) ((S)->pr_fpvalid = 1) 1698 #endif 1699 1700 static int fill_thread_core_info(struct elf_thread_core_info *t, 1701 const struct user_regset_view *view, 1702 long signr, struct elf_note_info *info) 1703 { 1704 unsigned int note_iter, view_iter; 1705 1706 /* 1707 * NT_PRSTATUS is the one special case, because the regset data 1708 * goes into the pr_reg field inside the note contents, rather 1709 * than being the whole note contents. We fill the regset in here. 1710 * We assume that regset 0 is NT_PRSTATUS. 1711 */ 1712 fill_prstatus(&t->prstatus.common, t->task, signr); 1713 regset_get(t->task, &view->regsets[0], 1714 sizeof(t->prstatus.pr_reg), &t->prstatus.pr_reg); 1715 1716 fill_note(&t->notes[0], NN_PRSTATUS, NT_PRSTATUS, 1717 PRSTATUS_SIZE, &t->prstatus); 1718 info->size += notesize(&t->notes[0]); 1719 1720 do_thread_regset_writeback(t->task, &view->regsets[0]); 1721 1722 /* 1723 * Each other regset might generate a note too. For each regset 1724 * that has no core_note_type or is inactive, skip it. 1725 */ 1726 note_iter = 1; 1727 for (view_iter = 1; view_iter < view->n; ++view_iter) { 1728 const struct user_regset *regset = &view->regsets[view_iter]; 1729 int note_type = regset->core_note_type; 1730 bool is_fpreg = note_type == NT_PRFPREG; 1731 void *data; 1732 int ret; 1733 1734 do_thread_regset_writeback(t->task, regset); 1735 if (!note_type) // not for coredumps 1736 continue; 1737 if (regset->active && regset->active(t->task, regset) <= 0) 1738 continue; 1739 1740 ret = regset_get_alloc(t->task, regset, ~0U, &data); 1741 if (ret < 0) 1742 continue; 1743 1744 if (WARN_ON_ONCE(note_iter >= info->thread_notes)) 1745 break; 1746 1747 if (is_fpreg) 1748 SET_PR_FPVALID(&t->prstatus); 1749 1750 fill_note(&t->notes[note_iter], is_fpreg ? NN_PRFPREG : "LINUX", 1751 note_type, ret, data); 1752 1753 info->size += notesize(&t->notes[note_iter]); 1754 note_iter++; 1755 } 1756 1757 return 1; 1758 } 1759 #else 1760 static int fill_thread_core_info(struct elf_thread_core_info *t, 1761 const struct user_regset_view *view, 1762 long signr, struct elf_note_info *info) 1763 { 1764 struct task_struct *p = t->task; 1765 elf_fpregset_t *fpu; 1766 1767 fill_prstatus(&t->prstatus.common, p, signr); 1768 elf_core_copy_task_regs(p, &t->prstatus.pr_reg); 1769 1770 fill_note(&t->notes[0], NN_PRSTATUS, NT_PRSTATUS, sizeof(t->prstatus), 1771 &(t->prstatus)); 1772 info->size += notesize(&t->notes[0]); 1773 1774 fpu = kzalloc(sizeof(elf_fpregset_t), GFP_KERNEL); 1775 if (!fpu || !elf_core_copy_task_fpregs(p, fpu)) { 1776 kfree(fpu); 1777 return 1; 1778 } 1779 1780 t->prstatus.pr_fpvalid = 1; 1781 fill_note(&t->notes[1], NN_PRFPREG, NT_PRFPREG, sizeof(*fpu), fpu); 1782 info->size += notesize(&t->notes[1]); 1783 1784 return 1; 1785 } 1786 #endif 1787 1788 static int fill_note_info(struct elfhdr *elf, int phdrs, 1789 struct elf_note_info *info, 1790 struct coredump_params *cprm) 1791 { 1792 struct task_struct *dump_task = current; 1793 const struct user_regset_view *view; 1794 struct elf_thread_core_info *t; 1795 struct elf_prpsinfo *psinfo; 1796 struct core_thread *ct; 1797 1798 psinfo = kmalloc(sizeof(*psinfo), GFP_KERNEL); 1799 if (!psinfo) 1800 return 0; 1801 fill_note(&info->psinfo, NN_PRPSINFO, NT_PRPSINFO, sizeof(*psinfo), psinfo); 1802 1803 #ifdef CORE_DUMP_USE_REGSET 1804 view = task_user_regset_view(dump_task); 1805 1806 /* 1807 * Figure out how many notes we're going to need for each thread. 1808 */ 1809 info->thread_notes = 0; 1810 for (int i = 0; i < view->n; ++i) 1811 if (view->regsets[i].core_note_type != 0) 1812 ++info->thread_notes; 1813 1814 /* 1815 * Sanity check. We rely on regset 0 being in NT_PRSTATUS, 1816 * since it is our one special case. 1817 */ 1818 if (unlikely(info->thread_notes == 0) || 1819 unlikely(view->regsets[0].core_note_type != NT_PRSTATUS)) { 1820 WARN_ON(1); 1821 return 0; 1822 } 1823 1824 /* 1825 * Initialize the ELF file header. 1826 */ 1827 fill_elf_header(elf, phdrs, 1828 view->e_machine, view->e_flags); 1829 #else 1830 view = NULL; 1831 info->thread_notes = 2; 1832 fill_elf_header(elf, phdrs, ELF_ARCH, ELF_CORE_EFLAGS); 1833 #endif 1834 1835 /* 1836 * Allocate a structure for each thread. 1837 */ 1838 info->thread = kzalloc(offsetof(struct elf_thread_core_info, 1839 notes[info->thread_notes]), 1840 GFP_KERNEL); 1841 if (unlikely(!info->thread)) 1842 return 0; 1843 1844 info->thread->task = dump_task; 1845 for (ct = dump_task->signal->core_state->dumper.next; ct; ct = ct->next) { 1846 t = kzalloc(offsetof(struct elf_thread_core_info, 1847 notes[info->thread_notes]), 1848 GFP_KERNEL); 1849 if (unlikely(!t)) 1850 return 0; 1851 1852 t->task = ct->task; 1853 t->next = info->thread->next; 1854 info->thread->next = t; 1855 } 1856 1857 /* 1858 * Now fill in each thread's information. 1859 */ 1860 for (t = info->thread; t != NULL; t = t->next) 1861 if (!fill_thread_core_info(t, view, cprm->siginfo->si_signo, info)) 1862 return 0; 1863 1864 /* 1865 * Fill in the two process-wide notes. 1866 */ 1867 fill_psinfo(psinfo, dump_task->group_leader, dump_task->mm); 1868 info->size += notesize(&info->psinfo); 1869 1870 fill_siginfo_note(&info->signote, &info->csigdata, cprm->siginfo); 1871 info->size += notesize(&info->signote); 1872 1873 fill_auxv_note(&info->auxv, current->mm); 1874 info->size += notesize(&info->auxv); 1875 1876 if (fill_files_note(&info->files, cprm) == 0) 1877 info->size += notesize(&info->files); 1878 1879 return 1; 1880 } 1881 1882 /* 1883 * Write all the notes for each thread. When writing the first thread, the 1884 * process-wide notes are interleaved after the first thread-specific note. 1885 */ 1886 static int write_note_info(struct elf_note_info *info, 1887 struct coredump_params *cprm) 1888 { 1889 bool first = true; 1890 struct elf_thread_core_info *t = info->thread; 1891 1892 do { 1893 int i; 1894 1895 if (!writenote(&t->notes[0], cprm)) 1896 return 0; 1897 1898 if (first && !writenote(&info->psinfo, cprm)) 1899 return 0; 1900 if (first && !writenote(&info->signote, cprm)) 1901 return 0; 1902 if (first && !writenote(&info->auxv, cprm)) 1903 return 0; 1904 if (first && info->files.data && 1905 !writenote(&info->files, cprm)) 1906 return 0; 1907 1908 for (i = 1; i < info->thread_notes; ++i) 1909 if (t->notes[i].data && 1910 !writenote(&t->notes[i], cprm)) 1911 return 0; 1912 1913 first = false; 1914 t = t->next; 1915 } while (t); 1916 1917 return 1; 1918 } 1919 1920 static void free_note_info(struct elf_note_info *info) 1921 { 1922 struct elf_thread_core_info *threads = info->thread; 1923 while (threads) { 1924 unsigned int i; 1925 struct elf_thread_core_info *t = threads; 1926 threads = t->next; 1927 WARN_ON(t->notes[0].data && t->notes[0].data != &t->prstatus); 1928 for (i = 1; i < info->thread_notes; ++i) 1929 kvfree(t->notes[i].data); 1930 kfree(t); 1931 } 1932 kfree(info->psinfo.data); 1933 kvfree(info->files.data); 1934 } 1935 1936 static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum, 1937 elf_addr_t e_shoff, int segs) 1938 { 1939 elf->e_shoff = e_shoff; 1940 elf->e_shentsize = sizeof(*shdr4extnum); 1941 elf->e_shnum = 1; 1942 elf->e_shstrndx = SHN_UNDEF; 1943 1944 memset(shdr4extnum, 0, sizeof(*shdr4extnum)); 1945 1946 shdr4extnum->sh_type = SHT_NULL; 1947 shdr4extnum->sh_size = elf->e_shnum; 1948 shdr4extnum->sh_link = elf->e_shstrndx; 1949 shdr4extnum->sh_info = segs; 1950 } 1951 1952 /* 1953 * Actual dumper 1954 * 1955 * This is a two-pass process; first we find the offsets of the bits, 1956 * and then they are actually written out. If we run out of core limit 1957 * we just truncate. 1958 */ 1959 static int elf_core_dump(struct coredump_params *cprm) 1960 { 1961 int has_dumped = 0; 1962 int segs, i; 1963 struct elfhdr elf; 1964 loff_t offset = 0, dataoff; 1965 struct elf_note_info info = { }; 1966 struct elf_phdr *phdr4note = NULL; 1967 struct elf_shdr *shdr4extnum = NULL; 1968 Elf_Half e_phnum; 1969 elf_addr_t e_shoff; 1970 1971 /* 1972 * The number of segs are recored into ELF header as 16bit value. 1973 * Please check DEFAULT_MAX_MAP_COUNT definition when you modify here. 1974 */ 1975 segs = cprm->vma_count + elf_core_extra_phdrs(cprm); 1976 1977 /* for notes section */ 1978 segs++; 1979 1980 /* If segs > PN_XNUM(0xffff), then e_phnum overflows. To avoid 1981 * this, kernel supports extended numbering. Have a look at 1982 * include/linux/elf.h for further information. */ 1983 e_phnum = segs > PN_XNUM ? PN_XNUM : segs; 1984 1985 /* 1986 * Collect all the non-memory information about the process for the 1987 * notes. This also sets up the file header. 1988 */ 1989 if (!fill_note_info(&elf, e_phnum, &info, cprm)) 1990 goto end_coredump; 1991 1992 has_dumped = 1; 1993 1994 offset += sizeof(elf); /* ELF header */ 1995 offset += segs * sizeof(struct elf_phdr); /* Program headers */ 1996 1997 /* Write notes phdr entry */ 1998 { 1999 size_t sz = info.size; 2000 2001 /* For cell spufs and x86 xstate */ 2002 sz += elf_coredump_extra_notes_size(); 2003 2004 phdr4note = kmalloc(sizeof(*phdr4note), GFP_KERNEL); 2005 if (!phdr4note) 2006 goto end_coredump; 2007 2008 fill_elf_note_phdr(phdr4note, sz, offset); 2009 offset += sz; 2010 } 2011 2012 dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE); 2013 2014 offset += cprm->vma_data_size; 2015 offset += elf_core_extra_data_size(cprm); 2016 e_shoff = offset; 2017 2018 if (e_phnum == PN_XNUM) { 2019 shdr4extnum = kmalloc(sizeof(*shdr4extnum), GFP_KERNEL); 2020 if (!shdr4extnum) 2021 goto end_coredump; 2022 fill_extnum_info(&elf, shdr4extnum, e_shoff, segs); 2023 } 2024 2025 offset = dataoff; 2026 2027 if (!dump_emit(cprm, &elf, sizeof(elf))) 2028 goto end_coredump; 2029 2030 if (!dump_emit(cprm, phdr4note, sizeof(*phdr4note))) 2031 goto end_coredump; 2032 2033 /* Write program headers for segments dump */ 2034 for (i = 0; i < cprm->vma_count; i++) { 2035 struct core_vma_metadata *meta = cprm->vma_meta + i; 2036 struct elf_phdr phdr; 2037 2038 phdr.p_type = PT_LOAD; 2039 phdr.p_offset = offset; 2040 phdr.p_vaddr = meta->start; 2041 phdr.p_paddr = 0; 2042 phdr.p_filesz = meta->dump_size; 2043 phdr.p_memsz = meta->end - meta->start; 2044 offset += phdr.p_filesz; 2045 phdr.p_flags = 0; 2046 if (meta->flags & VM_READ) 2047 phdr.p_flags |= PF_R; 2048 if (meta->flags & VM_WRITE) 2049 phdr.p_flags |= PF_W; 2050 if (meta->flags & VM_EXEC) 2051 phdr.p_flags |= PF_X; 2052 phdr.p_align = ELF_EXEC_PAGESIZE; 2053 2054 if (!dump_emit(cprm, &phdr, sizeof(phdr))) 2055 goto end_coredump; 2056 } 2057 2058 if (!elf_core_write_extra_phdrs(cprm, offset)) 2059 goto end_coredump; 2060 2061 /* write out the notes section */ 2062 if (!write_note_info(&info, cprm)) 2063 goto end_coredump; 2064 2065 /* For cell spufs and x86 xstate */ 2066 if (elf_coredump_extra_notes_write(cprm)) 2067 goto end_coredump; 2068 2069 /* Align to page */ 2070 dump_skip_to(cprm, dataoff); 2071 2072 for (i = 0; i < cprm->vma_count; i++) { 2073 struct core_vma_metadata *meta = cprm->vma_meta + i; 2074 2075 if (!dump_user_range(cprm, meta->start, meta->dump_size)) 2076 goto end_coredump; 2077 } 2078 2079 if (!elf_core_write_extra_data(cprm)) 2080 goto end_coredump; 2081 2082 if (e_phnum == PN_XNUM) { 2083 if (!dump_emit(cprm, shdr4extnum, sizeof(*shdr4extnum))) 2084 goto end_coredump; 2085 } 2086 2087 end_coredump: 2088 free_note_info(&info); 2089 kfree(shdr4extnum); 2090 kfree(phdr4note); 2091 return has_dumped; 2092 } 2093 2094 #endif /* CONFIG_ELF_CORE */ 2095 2096 static int __init init_elf_binfmt(void) 2097 { 2098 register_binfmt(&elf_format); 2099 return 0; 2100 } 2101 2102 static void __exit exit_elf_binfmt(void) 2103 { 2104 /* Remove the COFF and ELF loaders. */ 2105 unregister_binfmt(&elf_format); 2106 } 2107 2108 core_initcall(init_elf_binfmt); 2109 module_exit(exit_elf_binfmt); 2110 2111 #ifdef CONFIG_BINFMT_ELF_KUNIT_TEST 2112 #include "tests/binfmt_elf_kunit.c" 2113 #endif 2114