1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * binfmt_misc.c
4 *
5 * Copyright (C) 1997 Richard Günther
6 *
7 * binfmt_misc detects binaries via a magic or filename extension and invokes
8 * a specified wrapper. See Documentation/admin-guide/binfmt-misc.rst for more details.
9 */
10
11 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
12
13 #include <linux/kernel.h>
14 #include <linux/module.h>
15 #include <linux/init.h>
16 #include <linux/sched/mm.h>
17 #include <linux/magic.h>
18 #include <linux/binfmts.h>
19 #include <linux/slab.h>
20 #include <linux/ctype.h>
21 #include <linux/string_helpers.h>
22 #include <linux/file.h>
23 #include <linux/pagemap.h>
24 #include <linux/namei.h>
25 #include <linux/mount.h>
26 #include <linux/fs_context.h>
27 #include <linux/syscalls.h>
28 #include <linux/fs.h>
29 #include <linux/uaccess.h>
30
31 #include "internal.h"
32
33 #ifdef DEBUG
34 # define USE_DEBUG 1
35 #else
36 # define USE_DEBUG 0
37 #endif
38
39 enum {
40 VERBOSE_STATUS = 1 /* make it zero to save 400 bytes kernel memory */
41 };
42
43 static LIST_HEAD(entries);
44 static int enabled = 1;
45
46 enum {Enabled, Magic};
47 #define MISC_FMT_PRESERVE_ARGV0 (1UL << 31)
48 #define MISC_FMT_OPEN_BINARY (1UL << 30)
49 #define MISC_FMT_CREDENTIALS (1UL << 29)
50 #define MISC_FMT_OPEN_FILE (1UL << 28)
51
52 typedef struct {
53 struct list_head list;
54 unsigned long flags; /* type, status, etc. */
55 int offset; /* offset of magic */
56 int size; /* size of magic/mask */
57 char *magic; /* magic or filename extension */
58 char *mask; /* mask, NULL for exact match */
59 const char *interpreter; /* filename of interpreter */
60 char *name;
61 struct dentry *dentry;
62 struct file *interp_file;
63 refcount_t users; /* sync removal with load_misc_binary() */
64 } Node;
65
66 static DEFINE_RWLOCK(entries_lock);
67 static struct file_system_type bm_fs_type;
68
69 /*
70 * Max length of the register string. Determined by:
71 * - 7 delimiters
72 * - name: ~50 bytes
73 * - type: 1 byte
74 * - offset: 3 bytes (has to be smaller than BINPRM_BUF_SIZE)
75 * - magic: 128 bytes (512 in escaped form)
76 * - mask: 128 bytes (512 in escaped form)
77 * - interp: ~50 bytes
78 * - flags: 5 bytes
79 * Round that up a bit, and then back off to hold the internal data
80 * (like struct Node).
81 */
82 #define MAX_REGISTER_LENGTH 1920
83
84 /**
85 * search_binfmt_handler - search for a binary handler for @bprm
86 * @misc: handle to binfmt_misc instance
87 * @bprm: binary for which we are looking for a handler
88 *
89 * Search for a binary type handler for @bprm in the list of registered binary
90 * type handlers.
91 *
92 * Return: binary type list entry on success, NULL on failure
93 */
search_binfmt_handler(struct linux_binprm * bprm)94 static Node *search_binfmt_handler(struct linux_binprm *bprm)
95 {
96 char *p = strrchr(bprm->interp, '.');
97 Node *e;
98
99 /* Walk all the registered handlers. */
100 list_for_each_entry(e, &entries, list) {
101 char *s;
102 int j;
103
104 /* Make sure this one is currently enabled. */
105 if (!test_bit(Enabled, &e->flags))
106 continue;
107
108 /* Do matching based on extension if applicable. */
109 if (!test_bit(Magic, &e->flags)) {
110 if (p && !strcmp(e->magic, p + 1))
111 return e;
112 continue;
113 }
114
115 /* Do matching based on magic & mask. */
116 s = bprm->buf + e->offset;
117 if (e->mask) {
118 for (j = 0; j < e->size; j++)
119 if ((*s++ ^ e->magic[j]) & e->mask[j])
120 break;
121 } else {
122 for (j = 0; j < e->size; j++)
123 if ((*s++ ^ e->magic[j]))
124 break;
125 }
126 if (j == e->size)
127 return e;
128 }
129
130 return NULL;
131 }
132
133 /**
134 * get_binfmt_handler - try to find a binary type handler
135 * @misc: handle to binfmt_misc instance
136 * @bprm: binary for which we are looking for a handler
137 *
138 * Try to find a binfmt handler for the binary type. If one is found take a
139 * reference to protect against removal via bm_{entry,status}_write().
140 *
141 * Return: binary type list entry on success, NULL on failure
142 */
get_binfmt_handler(struct linux_binprm * bprm)143 static Node *get_binfmt_handler(struct linux_binprm *bprm)
144 {
145 Node *e;
146
147 read_lock(&entries_lock);
148 e = search_binfmt_handler(bprm);
149 if (e)
150 refcount_inc(&e->users);
151 read_unlock(&entries_lock);
152 return e;
153 }
154
155 /**
156 * put_binfmt_handler - put binary handler node
157 * @e: node to put
158 *
159 * Free node syncing with load_misc_binary() and defer final free to
160 * load_misc_binary() in case it is using the binary type handler we were
161 * requested to remove.
162 */
put_binfmt_handler(Node * e)163 static void put_binfmt_handler(Node *e)
164 {
165 if (refcount_dec_and_test(&e->users)) {
166 if (e->flags & MISC_FMT_OPEN_FILE)
167 filp_close(e->interp_file, NULL);
168 kfree(e);
169 }
170 }
171
172 /*
173 * the loader itself
174 */
load_misc_binary(struct linux_binprm * bprm)175 static int load_misc_binary(struct linux_binprm *bprm)
176 {
177 Node *fmt;
178 struct file *interp_file = NULL;
179 int retval;
180
181 retval = -ENOEXEC;
182 if (!enabled)
183 return retval;
184
185 fmt = get_binfmt_handler(bprm);
186 if (!fmt)
187 return retval;
188
189 /* Need to be able to load the file after exec */
190 retval = -ENOENT;
191 if (bprm->interp_flags & BINPRM_FLAGS_PATH_INACCESSIBLE)
192 goto ret;
193
194 if (fmt->flags & MISC_FMT_PRESERVE_ARGV0) {
195 bprm->interp_flags |= BINPRM_FLAGS_PRESERVE_ARGV0;
196 } else {
197 retval = remove_arg_zero(bprm);
198 if (retval)
199 goto ret;
200 }
201
202 if (fmt->flags & MISC_FMT_OPEN_BINARY)
203 bprm->have_execfd = 1;
204
205 /* make argv[1] be the path to the binary */
206 retval = copy_string_kernel(bprm->interp, bprm);
207 if (retval < 0)
208 goto ret;
209 bprm->argc++;
210
211 /* add the interp as argv[0] */
212 retval = copy_string_kernel(fmt->interpreter, bprm);
213 if (retval < 0)
214 goto ret;
215 bprm->argc++;
216
217 /* Update interp in case binfmt_script needs it. */
218 retval = bprm_change_interp(fmt->interpreter, bprm);
219 if (retval < 0)
220 goto ret;
221
222 if (fmt->flags & MISC_FMT_OPEN_FILE) {
223 interp_file = file_clone_open(fmt->interp_file);
224 if (!IS_ERR(interp_file))
225 deny_write_access(interp_file);
226 } else {
227 interp_file = open_exec(fmt->interpreter);
228 }
229 retval = PTR_ERR(interp_file);
230 if (IS_ERR(interp_file))
231 goto ret;
232
233 bprm->interpreter = interp_file;
234 if (fmt->flags & MISC_FMT_CREDENTIALS)
235 bprm->execfd_creds = 1;
236
237 retval = 0;
238 ret:
239
240 /*
241 * If we actually put the node here all concurrent calls to
242 * load_misc_binary() will have finished. We also know
243 * that for the refcount to be zero ->evict_inode() must have removed
244 * the node to be deleted from the list. All that is left for us is to
245 * close and free.
246 */
247 put_binfmt_handler(fmt);
248
249 return retval;
250 }
251
252 /* Command parsers */
253
254 /*
255 * parses and copies one argument enclosed in del from *sp to *dp,
256 * recognising the \x special.
257 * returns pointer to the copied argument or NULL in case of an
258 * error (and sets err) or null argument length.
259 */
scanarg(char * s,char del)260 static char *scanarg(char *s, char del)
261 {
262 char c;
263
264 while ((c = *s++) != del) {
265 if (c == '\\' && *s == 'x') {
266 s++;
267 if (!isxdigit(*s++))
268 return NULL;
269 if (!isxdigit(*s++))
270 return NULL;
271 }
272 }
273 s[-1] ='\0';
274 return s;
275 }
276
check_special_flags(char * sfs,Node * e)277 static char *check_special_flags(char *sfs, Node *e)
278 {
279 char *p = sfs;
280 int cont = 1;
281
282 /* special flags */
283 while (cont) {
284 switch (*p) {
285 case 'P':
286 pr_debug("register: flag: P (preserve argv0)\n");
287 p++;
288 e->flags |= MISC_FMT_PRESERVE_ARGV0;
289 break;
290 case 'O':
291 pr_debug("register: flag: O (open binary)\n");
292 p++;
293 e->flags |= MISC_FMT_OPEN_BINARY;
294 break;
295 case 'C':
296 pr_debug("register: flag: C (preserve creds)\n");
297 p++;
298 /* this flags also implies the
299 open-binary flag */
300 e->flags |= (MISC_FMT_CREDENTIALS |
301 MISC_FMT_OPEN_BINARY);
302 break;
303 case 'F':
304 pr_debug("register: flag: F: open interpreter file now\n");
305 p++;
306 e->flags |= MISC_FMT_OPEN_FILE;
307 break;
308 default:
309 cont = 0;
310 }
311 }
312
313 return p;
314 }
315
316 /*
317 * This registers a new binary format, it recognises the syntax
318 * ':name:type:offset:magic:mask:interpreter:flags'
319 * where the ':' is the IFS, that can be chosen with the first char
320 */
create_entry(const char __user * buffer,size_t count)321 static Node *create_entry(const char __user *buffer, size_t count)
322 {
323 Node *e;
324 int memsize, err;
325 char *buf, *p;
326 char del;
327
328 pr_debug("register: received %zu bytes\n", count);
329
330 /* some sanity checks */
331 err = -EINVAL;
332 if ((count < 11) || (count > MAX_REGISTER_LENGTH))
333 goto out;
334
335 err = -ENOMEM;
336 memsize = sizeof(Node) + count + 8;
337 e = kmalloc(memsize, GFP_KERNEL);
338 if (!e)
339 goto out;
340
341 p = buf = (char *)e + sizeof(Node);
342
343 memset(e, 0, sizeof(Node));
344 if (copy_from_user(buf, buffer, count))
345 goto efault;
346
347 del = *p++; /* delimeter */
348
349 pr_debug("register: delim: %#x {%c}\n", del, del);
350
351 /* Pad the buffer with the delim to simplify parsing below. */
352 memset(buf + count, del, 8);
353
354 /* Parse the 'name' field. */
355 e->name = p;
356 p = strchr(p, del);
357 if (!p)
358 goto einval;
359 *p++ = '\0';
360 if (!e->name[0] ||
361 !strcmp(e->name, ".") ||
362 !strcmp(e->name, "..") ||
363 strchr(e->name, '/'))
364 goto einval;
365
366 pr_debug("register: name: {%s}\n", e->name);
367
368 /* Parse the 'type' field. */
369 switch (*p++) {
370 case 'E':
371 pr_debug("register: type: E (extension)\n");
372 e->flags = 1 << Enabled;
373 break;
374 case 'M':
375 pr_debug("register: type: M (magic)\n");
376 e->flags = (1 << Enabled) | (1 << Magic);
377 break;
378 default:
379 goto einval;
380 }
381 if (*p++ != del)
382 goto einval;
383
384 if (test_bit(Magic, &e->flags)) {
385 /* Handle the 'M' (magic) format. */
386 char *s;
387
388 /* Parse the 'offset' field. */
389 s = strchr(p, del);
390 if (!s)
391 goto einval;
392 *s = '\0';
393 if (p != s) {
394 int r = kstrtoint(p, 10, &e->offset);
395 if (r != 0 || e->offset < 0)
396 goto einval;
397 }
398 p = s;
399 if (*p++)
400 goto einval;
401 pr_debug("register: offset: %#x\n", e->offset);
402
403 /* Parse the 'magic' field. */
404 e->magic = p;
405 p = scanarg(p, del);
406 if (!p)
407 goto einval;
408 if (!e->magic[0])
409 goto einval;
410 if (USE_DEBUG)
411 print_hex_dump_bytes(
412 KBUILD_MODNAME ": register: magic[raw]: ",
413 DUMP_PREFIX_NONE, e->magic, p - e->magic);
414
415 /* Parse the 'mask' field. */
416 e->mask = p;
417 p = scanarg(p, del);
418 if (!p)
419 goto einval;
420 if (!e->mask[0]) {
421 e->mask = NULL;
422 pr_debug("register: mask[raw]: none\n");
423 } else if (USE_DEBUG)
424 print_hex_dump_bytes(
425 KBUILD_MODNAME ": register: mask[raw]: ",
426 DUMP_PREFIX_NONE, e->mask, p - e->mask);
427
428 /*
429 * Decode the magic & mask fields.
430 * Note: while we might have accepted embedded NUL bytes from
431 * above, the unescape helpers here will stop at the first one
432 * it encounters.
433 */
434 e->size = string_unescape_inplace(e->magic, UNESCAPE_HEX);
435 if (e->mask &&
436 string_unescape_inplace(e->mask, UNESCAPE_HEX) != e->size)
437 goto einval;
438 if (e->size > BINPRM_BUF_SIZE ||
439 BINPRM_BUF_SIZE - e->size < e->offset)
440 goto einval;
441 pr_debug("register: magic/mask length: %i\n", e->size);
442 if (USE_DEBUG) {
443 print_hex_dump_bytes(
444 KBUILD_MODNAME ": register: magic[decoded]: ",
445 DUMP_PREFIX_NONE, e->magic, e->size);
446
447 if (e->mask) {
448 int i;
449 char *masked = kmalloc(e->size, GFP_KERNEL);
450
451 print_hex_dump_bytes(
452 KBUILD_MODNAME ": register: mask[decoded]: ",
453 DUMP_PREFIX_NONE, e->mask, e->size);
454
455 if (masked) {
456 for (i = 0; i < e->size; ++i)
457 masked[i] = e->magic[i] & e->mask[i];
458 print_hex_dump_bytes(
459 KBUILD_MODNAME ": register: magic[masked]: ",
460 DUMP_PREFIX_NONE, masked, e->size);
461
462 kfree(masked);
463 }
464 }
465 }
466 } else {
467 /* Handle the 'E' (extension) format. */
468
469 /* Skip the 'offset' field. */
470 p = strchr(p, del);
471 if (!p)
472 goto einval;
473 *p++ = '\0';
474
475 /* Parse the 'magic' field. */
476 e->magic = p;
477 p = strchr(p, del);
478 if (!p)
479 goto einval;
480 *p++ = '\0';
481 if (!e->magic[0] || strchr(e->magic, '/'))
482 goto einval;
483 pr_debug("register: extension: {%s}\n", e->magic);
484
485 /* Skip the 'mask' field. */
486 p = strchr(p, del);
487 if (!p)
488 goto einval;
489 *p++ = '\0';
490 }
491
492 /* Parse the 'interpreter' field. */
493 e->interpreter = p;
494 p = strchr(p, del);
495 if (!p)
496 goto einval;
497 *p++ = '\0';
498 if (!e->interpreter[0])
499 goto einval;
500 pr_debug("register: interpreter: {%s}\n", e->interpreter);
501
502 /* Parse the 'flags' field. */
503 p = check_special_flags(p, e);
504 if (*p == '\n')
505 p++;
506 if (p != buf + count)
507 goto einval;
508
509 return e;
510
511 out:
512 return ERR_PTR(err);
513
514 efault:
515 kfree(e);
516 return ERR_PTR(-EFAULT);
517 einval:
518 kfree(e);
519 return ERR_PTR(-EINVAL);
520 }
521
522 /*
523 * Set status of entry/binfmt_misc:
524 * '1' enables, '0' disables and '-1' clears entry/binfmt_misc
525 */
parse_command(const char __user * buffer,size_t count)526 static int parse_command(const char __user *buffer, size_t count)
527 {
528 char s[4];
529
530 if (count > 3)
531 return -EINVAL;
532 if (copy_from_user(s, buffer, count))
533 return -EFAULT;
534 if (!count)
535 return 0;
536 if (s[count - 1] == '\n')
537 count--;
538 if (count == 1 && s[0] == '0')
539 return 1;
540 if (count == 1 && s[0] == '1')
541 return 2;
542 if (count == 2 && s[0] == '-' && s[1] == '1')
543 return 3;
544 return -EINVAL;
545 }
546
547 /* generic stuff */
548
entry_status(Node * e,char * page)549 static void entry_status(Node *e, char *page)
550 {
551 char *dp = page;
552 const char *status = "disabled";
553
554 if (test_bit(Enabled, &e->flags))
555 status = "enabled";
556
557 if (!VERBOSE_STATUS) {
558 sprintf(page, "%s\n", status);
559 return;
560 }
561
562 dp += sprintf(dp, "%s\ninterpreter %s\n", status, e->interpreter);
563
564 /* print the special flags */
565 dp += sprintf(dp, "flags: ");
566 if (e->flags & MISC_FMT_PRESERVE_ARGV0)
567 *dp++ = 'P';
568 if (e->flags & MISC_FMT_OPEN_BINARY)
569 *dp++ = 'O';
570 if (e->flags & MISC_FMT_CREDENTIALS)
571 *dp++ = 'C';
572 if (e->flags & MISC_FMT_OPEN_FILE)
573 *dp++ = 'F';
574 *dp++ = '\n';
575
576 if (!test_bit(Magic, &e->flags)) {
577 sprintf(dp, "extension .%s\n", e->magic);
578 } else {
579 dp += sprintf(dp, "offset %i\nmagic ", e->offset);
580 dp = bin2hex(dp, e->magic, e->size);
581 if (e->mask) {
582 dp += sprintf(dp, "\nmask ");
583 dp = bin2hex(dp, e->mask, e->size);
584 }
585 *dp++ = '\n';
586 *dp = '\0';
587 }
588 }
589
bm_get_inode(struct super_block * sb,int mode)590 static struct inode *bm_get_inode(struct super_block *sb, int mode)
591 {
592 struct inode *inode = new_inode(sb);
593
594 if (inode) {
595 inode->i_ino = get_next_ino();
596 inode->i_mode = mode;
597 inode->i_atime = inode->i_mtime = inode_set_ctime_current(inode);
598 }
599 return inode;
600 }
601
602 /**
603 * bm_evict_inode - cleanup data associated with @inode
604 * @inode: inode to which the data is attached
605 *
606 * Cleanup the binary type handler data associated with @inode if a binary type
607 * entry is removed or the filesystem is unmounted and the super block is
608 * shutdown.
609 *
610 * If the ->evict call was not caused by a super block shutdown but by a write
611 * to remove the entry or all entries via bm_{entry,status}_write() the entry
612 * will have already been removed from the list. We keep the list_empty() check
613 * to make that explicit.
614 */
bm_evict_inode(struct inode * inode)615 static void bm_evict_inode(struct inode *inode)
616 {
617 Node *e = inode->i_private;
618
619 clear_inode(inode);
620
621 if (e) {
622 write_lock(&entries_lock);
623 if (!list_empty(&e->list))
624 list_del_init(&e->list);
625 write_unlock(&entries_lock);
626 put_binfmt_handler(e);
627 }
628 }
629
630 /**
631 * unlink_binfmt_dentry - remove the dentry for the binary type handler
632 * @dentry: dentry associated with the binary type handler
633 *
634 * Do the actual filesystem work to remove a dentry for a registered binary
635 * type handler. Since binfmt_misc only allows simple files to be created
636 * directly under the root dentry of the filesystem we ensure that we are
637 * indeed passed a dentry directly beneath the root dentry, that the inode
638 * associated with the root dentry is locked, and that it is a regular file we
639 * are asked to remove.
640 */
unlink_binfmt_dentry(struct dentry * dentry)641 static void unlink_binfmt_dentry(struct dentry *dentry)
642 {
643 struct dentry *parent = dentry->d_parent;
644 struct inode *inode, *parent_inode;
645
646 /* All entries are immediate descendants of the root dentry. */
647 if (WARN_ON_ONCE(dentry->d_sb->s_root != parent))
648 return;
649
650 /* We only expect to be called on regular files. */
651 inode = d_inode(dentry);
652 if (WARN_ON_ONCE(!S_ISREG(inode->i_mode)))
653 return;
654
655 /* The parent inode must be locked. */
656 parent_inode = d_inode(parent);
657 if (WARN_ON_ONCE(!inode_is_locked(parent_inode)))
658 return;
659
660 if (simple_positive(dentry)) {
661 dget(dentry);
662 simple_unlink(parent_inode, dentry);
663 d_delete(dentry);
664 dput(dentry);
665 }
666 }
667
668 /**
669 * remove_binfmt_handler - remove a binary type handler
670 * @misc: handle to binfmt_misc instance
671 * @e: binary type handler to remove
672 *
673 * Remove a binary type handler from the list of binary type handlers and
674 * remove its associated dentry. This is called from
675 * binfmt_{entry,status}_write(). In the future, we might want to think about
676 * adding a proper ->unlink() method to binfmt_misc instead of forcing caller's
677 * to use writes to files in order to delete binary type handlers. But it has
678 * worked for so long that it's not a pressing issue.
679 */
remove_binfmt_handler(Node * e)680 static void remove_binfmt_handler(Node *e)
681 {
682 write_lock(&entries_lock);
683 list_del_init(&e->list);
684 write_unlock(&entries_lock);
685 unlink_binfmt_dentry(e->dentry);
686 }
687
688 /* /<entry> */
689
690 static ssize_t
bm_entry_read(struct file * file,char __user * buf,size_t nbytes,loff_t * ppos)691 bm_entry_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
692 {
693 Node *e = file_inode(file)->i_private;
694 ssize_t res;
695 char *page;
696
697 page = (char *) __get_free_page(GFP_KERNEL);
698 if (!page)
699 return -ENOMEM;
700
701 entry_status(e, page);
702
703 res = simple_read_from_buffer(buf, nbytes, ppos, page, strlen(page));
704
705 free_page((unsigned long) page);
706 return res;
707 }
708
bm_entry_write(struct file * file,const char __user * buffer,size_t count,loff_t * ppos)709 static ssize_t bm_entry_write(struct file *file, const char __user *buffer,
710 size_t count, loff_t *ppos)
711 {
712 struct inode *inode = file_inode(file);
713 Node *e = inode->i_private;
714 int res = parse_command(buffer, count);
715
716 switch (res) {
717 case 1:
718 /* Disable this handler. */
719 clear_bit(Enabled, &e->flags);
720 break;
721 case 2:
722 /* Enable this handler. */
723 set_bit(Enabled, &e->flags);
724 break;
725 case 3:
726 /* Delete this handler. */
727 inode = d_inode(inode->i_sb->s_root);
728 inode_lock(inode);
729
730 /*
731 * In order to add new element or remove elements from the list
732 * via bm_{entry,register,status}_write() inode_lock() on the
733 * root inode must be held.
734 * The lock is exclusive ensuring that the list can't be
735 * modified. Only load_misc_binary() can access but does so
736 * read-only. So we only need to take the write lock when we
737 * actually remove the entry from the list.
738 */
739 if (!list_empty(&e->list))
740 remove_binfmt_handler(e);
741
742 inode_unlock(inode);
743 break;
744 default:
745 return res;
746 }
747
748 return count;
749 }
750
751 static const struct file_operations bm_entry_operations = {
752 .read = bm_entry_read,
753 .write = bm_entry_write,
754 .llseek = default_llseek,
755 };
756
757 /* /register */
758
bm_register_write(struct file * file,const char __user * buffer,size_t count,loff_t * ppos)759 static ssize_t bm_register_write(struct file *file, const char __user *buffer,
760 size_t count, loff_t *ppos)
761 {
762 Node *e;
763 struct inode *inode;
764 struct super_block *sb = file_inode(file)->i_sb;
765 struct dentry *root = sb->s_root, *dentry;
766 int err = 0;
767 struct file *f = NULL;
768
769 e = create_entry(buffer, count);
770
771 if (IS_ERR(e))
772 return PTR_ERR(e);
773
774 if (e->flags & MISC_FMT_OPEN_FILE) {
775 f = open_exec(e->interpreter);
776 if (IS_ERR(f)) {
777 pr_notice("register: failed to install interpreter file %s\n",
778 e->interpreter);
779 kfree(e);
780 return PTR_ERR(f);
781 }
782 e->interp_file = f;
783 }
784
785 inode_lock(d_inode(root));
786 dentry = lookup_one_len(e->name, root, strlen(e->name));
787 err = PTR_ERR(dentry);
788 if (IS_ERR(dentry))
789 goto out;
790
791 err = -EEXIST;
792 if (d_really_is_positive(dentry))
793 goto out2;
794
795 inode = bm_get_inode(sb, S_IFREG | 0644);
796
797 err = -ENOMEM;
798 if (!inode)
799 goto out2;
800
801 refcount_set(&e->users, 1);
802 e->dentry = dget(dentry);
803 inode->i_private = e;
804 inode->i_fop = &bm_entry_operations;
805
806 d_instantiate(dentry, inode);
807 write_lock(&entries_lock);
808 list_add(&e->list, &entries);
809 write_unlock(&entries_lock);
810
811 err = 0;
812 out2:
813 dput(dentry);
814 out:
815 inode_unlock(d_inode(root));
816
817 if (err) {
818 if (f)
819 filp_close(f, NULL);
820 kfree(e);
821 return err;
822 }
823 return count;
824 }
825
826 static const struct file_operations bm_register_operations = {
827 .write = bm_register_write,
828 .llseek = noop_llseek,
829 };
830
831 /* /status */
832
833 static ssize_t
bm_status_read(struct file * file,char __user * buf,size_t nbytes,loff_t * ppos)834 bm_status_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
835 {
836 char *s = enabled ? "enabled\n" : "disabled\n";
837
838 return simple_read_from_buffer(buf, nbytes, ppos, s, strlen(s));
839 }
840
bm_status_write(struct file * file,const char __user * buffer,size_t count,loff_t * ppos)841 static ssize_t bm_status_write(struct file *file, const char __user *buffer,
842 size_t count, loff_t *ppos)
843 {
844 int res = parse_command(buffer, count);
845 Node *e, *next;
846 struct inode *inode;
847
848 switch (res) {
849 case 1:
850 /* Disable all handlers. */
851 enabled = 0;
852 break;
853 case 2:
854 /* Enable all handlers. */
855 enabled = 1;
856 break;
857 case 3:
858 /* Delete all handlers. */
859 inode = d_inode(file_inode(file)->i_sb->s_root);
860 inode_lock(inode);
861
862 /*
863 * In order to add new element or remove elements from the list
864 * via bm_{entry,register,status}_write() inode_lock() on the
865 * root inode must be held.
866 * The lock is exclusive ensuring that the list can't be
867 * modified. Only load_misc_binary() can access but does so
868 * read-only. So we only need to take the write lock when we
869 * actually remove the entry from the list.
870 */
871 list_for_each_entry_safe(e, next, &entries, list)
872 remove_binfmt_handler(e);
873
874 inode_unlock(inode);
875 break;
876 default:
877 return res;
878 }
879
880 return count;
881 }
882
883 static const struct file_operations bm_status_operations = {
884 .read = bm_status_read,
885 .write = bm_status_write,
886 .llseek = default_llseek,
887 };
888
889 /* Superblock handling */
890
891 static const struct super_operations s_ops = {
892 .statfs = simple_statfs,
893 .evict_inode = bm_evict_inode,
894 };
895
bm_fill_super(struct super_block * sb,struct fs_context * fc)896 static int bm_fill_super(struct super_block *sb, struct fs_context *fc)
897 {
898 int err;
899 static const struct tree_descr bm_files[] = {
900 [2] = {"status", &bm_status_operations, S_IWUSR|S_IRUGO},
901 [3] = {"register", &bm_register_operations, S_IWUSR},
902 /* last one */ {""}
903 };
904
905 err = simple_fill_super(sb, BINFMTFS_MAGIC, bm_files);
906 if (!err)
907 sb->s_op = &s_ops;
908 return err;
909 }
910
bm_get_tree(struct fs_context * fc)911 static int bm_get_tree(struct fs_context *fc)
912 {
913 return get_tree_single(fc, bm_fill_super);
914 }
915
916 static const struct fs_context_operations bm_context_ops = {
917 .get_tree = bm_get_tree,
918 };
919
bm_init_fs_context(struct fs_context * fc)920 static int bm_init_fs_context(struct fs_context *fc)
921 {
922 fc->ops = &bm_context_ops;
923 return 0;
924 }
925
926 static struct linux_binfmt misc_format = {
927 .module = THIS_MODULE,
928 .load_binary = load_misc_binary,
929 };
930
931 static struct file_system_type bm_fs_type = {
932 .owner = THIS_MODULE,
933 .name = "binfmt_misc",
934 .init_fs_context = bm_init_fs_context,
935 .kill_sb = kill_litter_super,
936 };
937 MODULE_ALIAS_FS("binfmt_misc");
938
init_misc_binfmt(void)939 static int __init init_misc_binfmt(void)
940 {
941 int err = register_filesystem(&bm_fs_type);
942 if (!err)
943 insert_binfmt(&misc_format);
944 return err;
945 }
946
exit_misc_binfmt(void)947 static void __exit exit_misc_binfmt(void)
948 {
949 unregister_binfmt(&misc_format);
950 unregister_filesystem(&bm_fs_type);
951 }
952
953 core_initcall(init_misc_binfmt);
954 module_exit(exit_misc_binfmt);
955 MODULE_LICENSE("GPL");
956