1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * binfmt_misc.c 4 * 5 * Copyright (C) 1997 Richard Günther 6 * 7 * binfmt_misc detects binaries via a magic or filename extension and invokes 8 * a specified wrapper. See Documentation/admin-guide/binfmt-misc.rst for more details. 9 */ 10 11 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 12 13 #include <linux/kernel.h> 14 #include <linux/module.h> 15 #include <linux/init.h> 16 #include <linux/sched/mm.h> 17 #include <linux/magic.h> 18 #include <linux/binfmts.h> 19 #include <linux/slab.h> 20 #include <linux/ctype.h> 21 #include <linux/string_helpers.h> 22 #include <linux/file.h> 23 #include <linux/pagemap.h> 24 #include <linux/namei.h> 25 #include <linux/mount.h> 26 #include <linux/fs_context.h> 27 #include <linux/syscalls.h> 28 #include <linux/fs.h> 29 #include <linux/uaccess.h> 30 31 #include "internal.h" 32 33 #ifdef DEBUG 34 # define USE_DEBUG 1 35 #else 36 # define USE_DEBUG 0 37 #endif 38 39 enum { 40 VERBOSE_STATUS = 1 /* make it zero to save 400 bytes kernel memory */ 41 }; 42 43 static LIST_HEAD(entries); 44 static int enabled = 1; 45 46 enum {Enabled, Magic}; 47 #define MISC_FMT_PRESERVE_ARGV0 (1UL << 31) 48 #define MISC_FMT_OPEN_BINARY (1UL << 30) 49 #define MISC_FMT_CREDENTIALS (1UL << 29) 50 #define MISC_FMT_OPEN_FILE (1UL << 28) 51 52 typedef struct { 53 struct list_head list; 54 unsigned long flags; /* type, status, etc. */ 55 int offset; /* offset of magic */ 56 int size; /* size of magic/mask */ 57 char *magic; /* magic or filename extension */ 58 char *mask; /* mask, NULL for exact match */ 59 const char *interpreter; /* filename of interpreter */ 60 char *name; 61 struct dentry *dentry; 62 struct file *interp_file; 63 refcount_t users; /* sync removal with load_misc_binary() */ 64 } Node; 65 66 static DEFINE_RWLOCK(entries_lock); 67 static struct file_system_type bm_fs_type; 68 69 /* 70 * Max length of the register string. Determined by: 71 * - 7 delimiters 72 * - name: ~50 bytes 73 * - type: 1 byte 74 * - offset: 3 bytes (has to be smaller than BINPRM_BUF_SIZE) 75 * - magic: 128 bytes (512 in escaped form) 76 * - mask: 128 bytes (512 in escaped form) 77 * - interp: ~50 bytes 78 * - flags: 5 bytes 79 * Round that up a bit, and then back off to hold the internal data 80 * (like struct Node). 81 */ 82 #define MAX_REGISTER_LENGTH 1920 83 84 /** 85 * search_binfmt_handler - search for a binary handler for @bprm 86 * @misc: handle to binfmt_misc instance 87 * @bprm: binary for which we are looking for a handler 88 * 89 * Search for a binary type handler for @bprm in the list of registered binary 90 * type handlers. 91 * 92 * Return: binary type list entry on success, NULL on failure 93 */ search_binfmt_handler(struct linux_binprm * bprm)94 static Node *search_binfmt_handler(struct linux_binprm *bprm) 95 { 96 char *p = strrchr(bprm->interp, '.'); 97 Node *e; 98 99 /* Walk all the registered handlers. */ 100 list_for_each_entry(e, &entries, list) { 101 char *s; 102 int j; 103 104 /* Make sure this one is currently enabled. */ 105 if (!test_bit(Enabled, &e->flags)) 106 continue; 107 108 /* Do matching based on extension if applicable. */ 109 if (!test_bit(Magic, &e->flags)) { 110 if (p && !strcmp(e->magic, p + 1)) 111 return e; 112 continue; 113 } 114 115 /* Do matching based on magic & mask. */ 116 s = bprm->buf + e->offset; 117 if (e->mask) { 118 for (j = 0; j < e->size; j++) 119 if ((*s++ ^ e->magic[j]) & e->mask[j]) 120 break; 121 } else { 122 for (j = 0; j < e->size; j++) 123 if ((*s++ ^ e->magic[j])) 124 break; 125 } 126 if (j == e->size) 127 return e; 128 } 129 130 return NULL; 131 } 132 133 /** 134 * get_binfmt_handler - try to find a binary type handler 135 * @misc: handle to binfmt_misc instance 136 * @bprm: binary for which we are looking for a handler 137 * 138 * Try to find a binfmt handler for the binary type. If one is found take a 139 * reference to protect against removal via bm_{entry,status}_write(). 140 * 141 * Return: binary type list entry on success, NULL on failure 142 */ get_binfmt_handler(struct linux_binprm * bprm)143 static Node *get_binfmt_handler(struct linux_binprm *bprm) 144 { 145 Node *e; 146 147 read_lock(&entries_lock); 148 e = search_binfmt_handler(bprm); 149 if (e) 150 refcount_inc(&e->users); 151 read_unlock(&entries_lock); 152 return e; 153 } 154 155 /** 156 * put_binfmt_handler - put binary handler node 157 * @e: node to put 158 * 159 * Free node syncing with load_misc_binary() and defer final free to 160 * load_misc_binary() in case it is using the binary type handler we were 161 * requested to remove. 162 */ put_binfmt_handler(Node * e)163 static void put_binfmt_handler(Node *e) 164 { 165 if (refcount_dec_and_test(&e->users)) { 166 if (e->flags & MISC_FMT_OPEN_FILE) 167 filp_close(e->interp_file, NULL); 168 kfree(e); 169 } 170 } 171 172 /* 173 * the loader itself 174 */ load_misc_binary(struct linux_binprm * bprm)175 static int load_misc_binary(struct linux_binprm *bprm) 176 { 177 Node *fmt; 178 struct file *interp_file = NULL; 179 int retval; 180 181 retval = -ENOEXEC; 182 if (!enabled) 183 return retval; 184 185 fmt = get_binfmt_handler(bprm); 186 if (!fmt) 187 return retval; 188 189 /* Need to be able to load the file after exec */ 190 retval = -ENOENT; 191 if (bprm->interp_flags & BINPRM_FLAGS_PATH_INACCESSIBLE) 192 goto ret; 193 194 if (fmt->flags & MISC_FMT_PRESERVE_ARGV0) { 195 bprm->interp_flags |= BINPRM_FLAGS_PRESERVE_ARGV0; 196 } else { 197 retval = remove_arg_zero(bprm); 198 if (retval) 199 goto ret; 200 } 201 202 if (fmt->flags & MISC_FMT_OPEN_BINARY) 203 bprm->have_execfd = 1; 204 205 /* make argv[1] be the path to the binary */ 206 retval = copy_string_kernel(bprm->interp, bprm); 207 if (retval < 0) 208 goto ret; 209 bprm->argc++; 210 211 /* add the interp as argv[0] */ 212 retval = copy_string_kernel(fmt->interpreter, bprm); 213 if (retval < 0) 214 goto ret; 215 bprm->argc++; 216 217 /* Update interp in case binfmt_script needs it. */ 218 retval = bprm_change_interp(fmt->interpreter, bprm); 219 if (retval < 0) 220 goto ret; 221 222 if (fmt->flags & MISC_FMT_OPEN_FILE) { 223 interp_file = file_clone_open(fmt->interp_file); 224 if (!IS_ERR(interp_file)) 225 deny_write_access(interp_file); 226 } else { 227 interp_file = open_exec(fmt->interpreter); 228 } 229 retval = PTR_ERR(interp_file); 230 if (IS_ERR(interp_file)) 231 goto ret; 232 233 bprm->interpreter = interp_file; 234 if (fmt->flags & MISC_FMT_CREDENTIALS) 235 bprm->execfd_creds = 1; 236 237 retval = 0; 238 ret: 239 240 /* 241 * If we actually put the node here all concurrent calls to 242 * load_misc_binary() will have finished. We also know 243 * that for the refcount to be zero ->evict_inode() must have removed 244 * the node to be deleted from the list. All that is left for us is to 245 * close and free. 246 */ 247 put_binfmt_handler(fmt); 248 249 return retval; 250 } 251 252 /* Command parsers */ 253 254 /* 255 * parses and copies one argument enclosed in del from *sp to *dp, 256 * recognising the \x special. 257 * returns pointer to the copied argument or NULL in case of an 258 * error (and sets err) or null argument length. 259 */ scanarg(char * s,char del)260 static char *scanarg(char *s, char del) 261 { 262 char c; 263 264 while ((c = *s++) != del) { 265 if (c == '\\' && *s == 'x') { 266 s++; 267 if (!isxdigit(*s++)) 268 return NULL; 269 if (!isxdigit(*s++)) 270 return NULL; 271 } 272 } 273 s[-1] ='\0'; 274 return s; 275 } 276 check_special_flags(char * sfs,Node * e)277 static char *check_special_flags(char *sfs, Node *e) 278 { 279 char *p = sfs; 280 int cont = 1; 281 282 /* special flags */ 283 while (cont) { 284 switch (*p) { 285 case 'P': 286 pr_debug("register: flag: P (preserve argv0)\n"); 287 p++; 288 e->flags |= MISC_FMT_PRESERVE_ARGV0; 289 break; 290 case 'O': 291 pr_debug("register: flag: O (open binary)\n"); 292 p++; 293 e->flags |= MISC_FMT_OPEN_BINARY; 294 break; 295 case 'C': 296 pr_debug("register: flag: C (preserve creds)\n"); 297 p++; 298 /* this flags also implies the 299 open-binary flag */ 300 e->flags |= (MISC_FMT_CREDENTIALS | 301 MISC_FMT_OPEN_BINARY); 302 break; 303 case 'F': 304 pr_debug("register: flag: F: open interpreter file now\n"); 305 p++; 306 e->flags |= MISC_FMT_OPEN_FILE; 307 break; 308 default: 309 cont = 0; 310 } 311 } 312 313 return p; 314 } 315 316 /* 317 * This registers a new binary format, it recognises the syntax 318 * ':name:type:offset:magic:mask:interpreter:flags' 319 * where the ':' is the IFS, that can be chosen with the first char 320 */ create_entry(const char __user * buffer,size_t count)321 static Node *create_entry(const char __user *buffer, size_t count) 322 { 323 Node *e; 324 int memsize, err; 325 char *buf, *p; 326 char del; 327 328 pr_debug("register: received %zu bytes\n", count); 329 330 /* some sanity checks */ 331 err = -EINVAL; 332 if ((count < 11) || (count > MAX_REGISTER_LENGTH)) 333 goto out; 334 335 err = -ENOMEM; 336 memsize = sizeof(Node) + count + 8; 337 e = kmalloc(memsize, GFP_KERNEL); 338 if (!e) 339 goto out; 340 341 p = buf = (char *)e + sizeof(Node); 342 343 memset(e, 0, sizeof(Node)); 344 if (copy_from_user(buf, buffer, count)) 345 goto efault; 346 347 del = *p++; /* delimeter */ 348 349 pr_debug("register: delim: %#x {%c}\n", del, del); 350 351 /* Pad the buffer with the delim to simplify parsing below. */ 352 memset(buf + count, del, 8); 353 354 /* Parse the 'name' field. */ 355 e->name = p; 356 p = strchr(p, del); 357 if (!p) 358 goto einval; 359 *p++ = '\0'; 360 if (!e->name[0] || 361 !strcmp(e->name, ".") || 362 !strcmp(e->name, "..") || 363 strchr(e->name, '/')) 364 goto einval; 365 366 pr_debug("register: name: {%s}\n", e->name); 367 368 /* Parse the 'type' field. */ 369 switch (*p++) { 370 case 'E': 371 pr_debug("register: type: E (extension)\n"); 372 e->flags = 1 << Enabled; 373 break; 374 case 'M': 375 pr_debug("register: type: M (magic)\n"); 376 e->flags = (1 << Enabled) | (1 << Magic); 377 break; 378 default: 379 goto einval; 380 } 381 if (*p++ != del) 382 goto einval; 383 384 if (test_bit(Magic, &e->flags)) { 385 /* Handle the 'M' (magic) format. */ 386 char *s; 387 388 /* Parse the 'offset' field. */ 389 s = strchr(p, del); 390 if (!s) 391 goto einval; 392 *s = '\0'; 393 if (p != s) { 394 int r = kstrtoint(p, 10, &e->offset); 395 if (r != 0 || e->offset < 0) 396 goto einval; 397 } 398 p = s; 399 if (*p++) 400 goto einval; 401 pr_debug("register: offset: %#x\n", e->offset); 402 403 /* Parse the 'magic' field. */ 404 e->magic = p; 405 p = scanarg(p, del); 406 if (!p) 407 goto einval; 408 if (!e->magic[0]) 409 goto einval; 410 if (USE_DEBUG) 411 print_hex_dump_bytes( 412 KBUILD_MODNAME ": register: magic[raw]: ", 413 DUMP_PREFIX_NONE, e->magic, p - e->magic); 414 415 /* Parse the 'mask' field. */ 416 e->mask = p; 417 p = scanarg(p, del); 418 if (!p) 419 goto einval; 420 if (!e->mask[0]) { 421 e->mask = NULL; 422 pr_debug("register: mask[raw]: none\n"); 423 } else if (USE_DEBUG) 424 print_hex_dump_bytes( 425 KBUILD_MODNAME ": register: mask[raw]: ", 426 DUMP_PREFIX_NONE, e->mask, p - e->mask); 427 428 /* 429 * Decode the magic & mask fields. 430 * Note: while we might have accepted embedded NUL bytes from 431 * above, the unescape helpers here will stop at the first one 432 * it encounters. 433 */ 434 e->size = string_unescape_inplace(e->magic, UNESCAPE_HEX); 435 if (e->mask && 436 string_unescape_inplace(e->mask, UNESCAPE_HEX) != e->size) 437 goto einval; 438 if (e->size > BINPRM_BUF_SIZE || 439 BINPRM_BUF_SIZE - e->size < e->offset) 440 goto einval; 441 pr_debug("register: magic/mask length: %i\n", e->size); 442 if (USE_DEBUG) { 443 print_hex_dump_bytes( 444 KBUILD_MODNAME ": register: magic[decoded]: ", 445 DUMP_PREFIX_NONE, e->magic, e->size); 446 447 if (e->mask) { 448 int i; 449 char *masked = kmalloc(e->size, GFP_KERNEL); 450 451 print_hex_dump_bytes( 452 KBUILD_MODNAME ": register: mask[decoded]: ", 453 DUMP_PREFIX_NONE, e->mask, e->size); 454 455 if (masked) { 456 for (i = 0; i < e->size; ++i) 457 masked[i] = e->magic[i] & e->mask[i]; 458 print_hex_dump_bytes( 459 KBUILD_MODNAME ": register: magic[masked]: ", 460 DUMP_PREFIX_NONE, masked, e->size); 461 462 kfree(masked); 463 } 464 } 465 } 466 } else { 467 /* Handle the 'E' (extension) format. */ 468 469 /* Skip the 'offset' field. */ 470 p = strchr(p, del); 471 if (!p) 472 goto einval; 473 *p++ = '\0'; 474 475 /* Parse the 'magic' field. */ 476 e->magic = p; 477 p = strchr(p, del); 478 if (!p) 479 goto einval; 480 *p++ = '\0'; 481 if (!e->magic[0] || strchr(e->magic, '/')) 482 goto einval; 483 pr_debug("register: extension: {%s}\n", e->magic); 484 485 /* Skip the 'mask' field. */ 486 p = strchr(p, del); 487 if (!p) 488 goto einval; 489 *p++ = '\0'; 490 } 491 492 /* Parse the 'interpreter' field. */ 493 e->interpreter = p; 494 p = strchr(p, del); 495 if (!p) 496 goto einval; 497 *p++ = '\0'; 498 if (!e->interpreter[0]) 499 goto einval; 500 pr_debug("register: interpreter: {%s}\n", e->interpreter); 501 502 /* Parse the 'flags' field. */ 503 p = check_special_flags(p, e); 504 if (*p == '\n') 505 p++; 506 if (p != buf + count) 507 goto einval; 508 509 return e; 510 511 out: 512 return ERR_PTR(err); 513 514 efault: 515 kfree(e); 516 return ERR_PTR(-EFAULT); 517 einval: 518 kfree(e); 519 return ERR_PTR(-EINVAL); 520 } 521 522 /* 523 * Set status of entry/binfmt_misc: 524 * '1' enables, '0' disables and '-1' clears entry/binfmt_misc 525 */ parse_command(const char __user * buffer,size_t count)526 static int parse_command(const char __user *buffer, size_t count) 527 { 528 char s[4]; 529 530 if (count > 3) 531 return -EINVAL; 532 if (copy_from_user(s, buffer, count)) 533 return -EFAULT; 534 if (!count) 535 return 0; 536 if (s[count - 1] == '\n') 537 count--; 538 if (count == 1 && s[0] == '0') 539 return 1; 540 if (count == 1 && s[0] == '1') 541 return 2; 542 if (count == 2 && s[0] == '-' && s[1] == '1') 543 return 3; 544 return -EINVAL; 545 } 546 547 /* generic stuff */ 548 entry_status(Node * e,char * page)549 static void entry_status(Node *e, char *page) 550 { 551 char *dp = page; 552 const char *status = "disabled"; 553 554 if (test_bit(Enabled, &e->flags)) 555 status = "enabled"; 556 557 if (!VERBOSE_STATUS) { 558 sprintf(page, "%s\n", status); 559 return; 560 } 561 562 dp += sprintf(dp, "%s\ninterpreter %s\n", status, e->interpreter); 563 564 /* print the special flags */ 565 dp += sprintf(dp, "flags: "); 566 if (e->flags & MISC_FMT_PRESERVE_ARGV0) 567 *dp++ = 'P'; 568 if (e->flags & MISC_FMT_OPEN_BINARY) 569 *dp++ = 'O'; 570 if (e->flags & MISC_FMT_CREDENTIALS) 571 *dp++ = 'C'; 572 if (e->flags & MISC_FMT_OPEN_FILE) 573 *dp++ = 'F'; 574 *dp++ = '\n'; 575 576 if (!test_bit(Magic, &e->flags)) { 577 sprintf(dp, "extension .%s\n", e->magic); 578 } else { 579 dp += sprintf(dp, "offset %i\nmagic ", e->offset); 580 dp = bin2hex(dp, e->magic, e->size); 581 if (e->mask) { 582 dp += sprintf(dp, "\nmask "); 583 dp = bin2hex(dp, e->mask, e->size); 584 } 585 *dp++ = '\n'; 586 *dp = '\0'; 587 } 588 } 589 bm_get_inode(struct super_block * sb,int mode)590 static struct inode *bm_get_inode(struct super_block *sb, int mode) 591 { 592 struct inode *inode = new_inode(sb); 593 594 if (inode) { 595 inode->i_ino = get_next_ino(); 596 inode->i_mode = mode; 597 inode->i_atime = inode->i_mtime = inode_set_ctime_current(inode); 598 } 599 return inode; 600 } 601 602 /** 603 * bm_evict_inode - cleanup data associated with @inode 604 * @inode: inode to which the data is attached 605 * 606 * Cleanup the binary type handler data associated with @inode if a binary type 607 * entry is removed or the filesystem is unmounted and the super block is 608 * shutdown. 609 * 610 * If the ->evict call was not caused by a super block shutdown but by a write 611 * to remove the entry or all entries via bm_{entry,status}_write() the entry 612 * will have already been removed from the list. We keep the list_empty() check 613 * to make that explicit. 614 */ bm_evict_inode(struct inode * inode)615 static void bm_evict_inode(struct inode *inode) 616 { 617 Node *e = inode->i_private; 618 619 clear_inode(inode); 620 621 if (e) { 622 write_lock(&entries_lock); 623 if (!list_empty(&e->list)) 624 list_del_init(&e->list); 625 write_unlock(&entries_lock); 626 put_binfmt_handler(e); 627 } 628 } 629 630 /** 631 * unlink_binfmt_dentry - remove the dentry for the binary type handler 632 * @dentry: dentry associated with the binary type handler 633 * 634 * Do the actual filesystem work to remove a dentry for a registered binary 635 * type handler. Since binfmt_misc only allows simple files to be created 636 * directly under the root dentry of the filesystem we ensure that we are 637 * indeed passed a dentry directly beneath the root dentry, that the inode 638 * associated with the root dentry is locked, and that it is a regular file we 639 * are asked to remove. 640 */ unlink_binfmt_dentry(struct dentry * dentry)641 static void unlink_binfmt_dentry(struct dentry *dentry) 642 { 643 struct dentry *parent = dentry->d_parent; 644 struct inode *inode, *parent_inode; 645 646 /* All entries are immediate descendants of the root dentry. */ 647 if (WARN_ON_ONCE(dentry->d_sb->s_root != parent)) 648 return; 649 650 /* We only expect to be called on regular files. */ 651 inode = d_inode(dentry); 652 if (WARN_ON_ONCE(!S_ISREG(inode->i_mode))) 653 return; 654 655 /* The parent inode must be locked. */ 656 parent_inode = d_inode(parent); 657 if (WARN_ON_ONCE(!inode_is_locked(parent_inode))) 658 return; 659 660 if (simple_positive(dentry)) { 661 dget(dentry); 662 simple_unlink(parent_inode, dentry); 663 d_delete(dentry); 664 dput(dentry); 665 } 666 } 667 668 /** 669 * remove_binfmt_handler - remove a binary type handler 670 * @misc: handle to binfmt_misc instance 671 * @e: binary type handler to remove 672 * 673 * Remove a binary type handler from the list of binary type handlers and 674 * remove its associated dentry. This is called from 675 * binfmt_{entry,status}_write(). In the future, we might want to think about 676 * adding a proper ->unlink() method to binfmt_misc instead of forcing caller's 677 * to use writes to files in order to delete binary type handlers. But it has 678 * worked for so long that it's not a pressing issue. 679 */ remove_binfmt_handler(Node * e)680 static void remove_binfmt_handler(Node *e) 681 { 682 write_lock(&entries_lock); 683 list_del_init(&e->list); 684 write_unlock(&entries_lock); 685 unlink_binfmt_dentry(e->dentry); 686 } 687 688 /* /<entry> */ 689 690 static ssize_t bm_entry_read(struct file * file,char __user * buf,size_t nbytes,loff_t * ppos)691 bm_entry_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos) 692 { 693 Node *e = file_inode(file)->i_private; 694 ssize_t res; 695 char *page; 696 697 page = (char *) __get_free_page(GFP_KERNEL); 698 if (!page) 699 return -ENOMEM; 700 701 entry_status(e, page); 702 703 res = simple_read_from_buffer(buf, nbytes, ppos, page, strlen(page)); 704 705 free_page((unsigned long) page); 706 return res; 707 } 708 bm_entry_write(struct file * file,const char __user * buffer,size_t count,loff_t * ppos)709 static ssize_t bm_entry_write(struct file *file, const char __user *buffer, 710 size_t count, loff_t *ppos) 711 { 712 struct inode *inode = file_inode(file); 713 Node *e = inode->i_private; 714 int res = parse_command(buffer, count); 715 716 switch (res) { 717 case 1: 718 /* Disable this handler. */ 719 clear_bit(Enabled, &e->flags); 720 break; 721 case 2: 722 /* Enable this handler. */ 723 set_bit(Enabled, &e->flags); 724 break; 725 case 3: 726 /* Delete this handler. */ 727 inode = d_inode(inode->i_sb->s_root); 728 inode_lock(inode); 729 730 /* 731 * In order to add new element or remove elements from the list 732 * via bm_{entry,register,status}_write() inode_lock() on the 733 * root inode must be held. 734 * The lock is exclusive ensuring that the list can't be 735 * modified. Only load_misc_binary() can access but does so 736 * read-only. So we only need to take the write lock when we 737 * actually remove the entry from the list. 738 */ 739 if (!list_empty(&e->list)) 740 remove_binfmt_handler(e); 741 742 inode_unlock(inode); 743 break; 744 default: 745 return res; 746 } 747 748 return count; 749 } 750 751 static const struct file_operations bm_entry_operations = { 752 .read = bm_entry_read, 753 .write = bm_entry_write, 754 .llseek = default_llseek, 755 }; 756 757 /* /register */ 758 bm_register_write(struct file * file,const char __user * buffer,size_t count,loff_t * ppos)759 static ssize_t bm_register_write(struct file *file, const char __user *buffer, 760 size_t count, loff_t *ppos) 761 { 762 Node *e; 763 struct inode *inode; 764 struct super_block *sb = file_inode(file)->i_sb; 765 struct dentry *root = sb->s_root, *dentry; 766 int err = 0; 767 struct file *f = NULL; 768 769 e = create_entry(buffer, count); 770 771 if (IS_ERR(e)) 772 return PTR_ERR(e); 773 774 if (e->flags & MISC_FMT_OPEN_FILE) { 775 f = open_exec(e->interpreter); 776 if (IS_ERR(f)) { 777 pr_notice("register: failed to install interpreter file %s\n", 778 e->interpreter); 779 kfree(e); 780 return PTR_ERR(f); 781 } 782 e->interp_file = f; 783 } 784 785 inode_lock(d_inode(root)); 786 dentry = lookup_one_len(e->name, root, strlen(e->name)); 787 err = PTR_ERR(dentry); 788 if (IS_ERR(dentry)) 789 goto out; 790 791 err = -EEXIST; 792 if (d_really_is_positive(dentry)) 793 goto out2; 794 795 inode = bm_get_inode(sb, S_IFREG | 0644); 796 797 err = -ENOMEM; 798 if (!inode) 799 goto out2; 800 801 refcount_set(&e->users, 1); 802 e->dentry = dget(dentry); 803 inode->i_private = e; 804 inode->i_fop = &bm_entry_operations; 805 806 d_instantiate(dentry, inode); 807 write_lock(&entries_lock); 808 list_add(&e->list, &entries); 809 write_unlock(&entries_lock); 810 811 err = 0; 812 out2: 813 dput(dentry); 814 out: 815 inode_unlock(d_inode(root)); 816 817 if (err) { 818 if (f) 819 filp_close(f, NULL); 820 kfree(e); 821 return err; 822 } 823 return count; 824 } 825 826 static const struct file_operations bm_register_operations = { 827 .write = bm_register_write, 828 .llseek = noop_llseek, 829 }; 830 831 /* /status */ 832 833 static ssize_t bm_status_read(struct file * file,char __user * buf,size_t nbytes,loff_t * ppos)834 bm_status_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos) 835 { 836 char *s = enabled ? "enabled\n" : "disabled\n"; 837 838 return simple_read_from_buffer(buf, nbytes, ppos, s, strlen(s)); 839 } 840 bm_status_write(struct file * file,const char __user * buffer,size_t count,loff_t * ppos)841 static ssize_t bm_status_write(struct file *file, const char __user *buffer, 842 size_t count, loff_t *ppos) 843 { 844 int res = parse_command(buffer, count); 845 Node *e, *next; 846 struct inode *inode; 847 848 switch (res) { 849 case 1: 850 /* Disable all handlers. */ 851 enabled = 0; 852 break; 853 case 2: 854 /* Enable all handlers. */ 855 enabled = 1; 856 break; 857 case 3: 858 /* Delete all handlers. */ 859 inode = d_inode(file_inode(file)->i_sb->s_root); 860 inode_lock(inode); 861 862 /* 863 * In order to add new element or remove elements from the list 864 * via bm_{entry,register,status}_write() inode_lock() on the 865 * root inode must be held. 866 * The lock is exclusive ensuring that the list can't be 867 * modified. Only load_misc_binary() can access but does so 868 * read-only. So we only need to take the write lock when we 869 * actually remove the entry from the list. 870 */ 871 list_for_each_entry_safe(e, next, &entries, list) 872 remove_binfmt_handler(e); 873 874 inode_unlock(inode); 875 break; 876 default: 877 return res; 878 } 879 880 return count; 881 } 882 883 static const struct file_operations bm_status_operations = { 884 .read = bm_status_read, 885 .write = bm_status_write, 886 .llseek = default_llseek, 887 }; 888 889 /* Superblock handling */ 890 891 static const struct super_operations s_ops = { 892 .statfs = simple_statfs, 893 .evict_inode = bm_evict_inode, 894 }; 895 bm_fill_super(struct super_block * sb,struct fs_context * fc)896 static int bm_fill_super(struct super_block *sb, struct fs_context *fc) 897 { 898 int err; 899 static const struct tree_descr bm_files[] = { 900 [2] = {"status", &bm_status_operations, S_IWUSR|S_IRUGO}, 901 [3] = {"register", &bm_register_operations, S_IWUSR}, 902 /* last one */ {""} 903 }; 904 905 err = simple_fill_super(sb, BINFMTFS_MAGIC, bm_files); 906 if (!err) 907 sb->s_op = &s_ops; 908 return err; 909 } 910 bm_get_tree(struct fs_context * fc)911 static int bm_get_tree(struct fs_context *fc) 912 { 913 return get_tree_single(fc, bm_fill_super); 914 } 915 916 static const struct fs_context_operations bm_context_ops = { 917 .get_tree = bm_get_tree, 918 }; 919 bm_init_fs_context(struct fs_context * fc)920 static int bm_init_fs_context(struct fs_context *fc) 921 { 922 fc->ops = &bm_context_ops; 923 return 0; 924 } 925 926 static struct linux_binfmt misc_format = { 927 .module = THIS_MODULE, 928 .load_binary = load_misc_binary, 929 }; 930 931 static struct file_system_type bm_fs_type = { 932 .owner = THIS_MODULE, 933 .name = "binfmt_misc", 934 .init_fs_context = bm_init_fs_context, 935 .kill_sb = kill_litter_super, 936 }; 937 MODULE_ALIAS_FS("binfmt_misc"); 938 init_misc_binfmt(void)939 static int __init init_misc_binfmt(void) 940 { 941 int err = register_filesystem(&bm_fs_type); 942 if (!err) 943 insert_binfmt(&misc_format); 944 return err; 945 } 946 exit_misc_binfmt(void)947 static void __exit exit_misc_binfmt(void) 948 { 949 unregister_binfmt(&misc_format); 950 unregister_filesystem(&bm_fs_type); 951 } 952 953 core_initcall(init_misc_binfmt); 954 module_exit(exit_misc_binfmt); 955 MODULE_LICENSE("GPL"); 956